JP2018022248A - Log analysis system, log analysis method and log analysis device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a log analysis system, a log analysis method and a log analysis device which address a case where a relation among events is partially missing.SOLUTION: A log analysis system for analyzing log information includes: a relation tree structuring part for determining whether there is a causal relation in an occurrence of a plurality of events on the basis of log information including the plurality of events and structuring a graph structure by setting each event as a node and adding an edge among nodes corresponding to the events when there is a causal relation; a relation tree suspicion degree calculation part for determining whether a tree defined by the graph structure is a tree which has generated a certain event designated regarding the event designated and calculating a degree of likelihood on the basis of determination conditions concerning an event structuring each tree and determination conditions concerning structural characteristics of the tree in the determination of whether it is the tree which has generated the designated event; and a result output part for outputting the graph structure compensating the causal relation as a result by adding the degree of likelihood.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a log analysis system, a log analysis method, and a log analysis apparatus, and is suitably applied to, for example, a log analysis system that prevents recurrence of similar or identical alerts.

  In order to protect the organization's system, when an abnormality occurs in the system due to an external attack, etc., not only is the abnormality detected promptly and recovery is attempted, but the cause of the abnormality is investigated and countermeasures are taken. Therefore, it is important to prevent the recurrence of similar abnormalities. The system analyzes the recorded log in order to find the abnormality and investigate the cause of the abnormality.

  As an attack whose damage has been increasing in recent years, for example, there is an attack in which an attacker alters a Web site normally used by a target and causes an abnormality in a computer of a person who browses. In many cases, in this attack, when a target accesses a Web site that has been tampered with, a redirect that is not intended by the target occurs multiple times, and finally leads to a malware distribution site that is exploited by the attacker. When a person who browses acquires malware on the site where the derived malware is distributed, and installs the malware on the computer of the person who viewed the malware, an attack by the malware is performed in the system of the organization from the computer of the viewer.

  In such an attack, an attacker may set up multiple malware distribution sites and randomly navigate to one of them. Therefore, when an abnormality due to such an attack is detected, not only access to individual malware distribution sites is blocked, but access to the websites is temporarily detected by discovering altered websites. It is important to take measures to prevent recurrence such as blocking or prompting recovery by notifying the administrator of the Web site of falsification.

  In other words, for example, when an alert indicating that malware has been downloaded occurs, it is necessary to investigate how the access occurred based on the communication log, etc., and identify the website that became the entrance. There is.

  On the other hand, since recent organizational systems are composed of a wide variety of devices and applications, a large number of system logs can be used to identify the cause of abnormalities by tracing the causal relationship between events described in the log. It is necessary to investigate the security log and it takes a long time.

  As one of log analysis systems that facilitate the analysis of the relationship between such information, Patent Document 1 holds information as a graph structure and sets an initial value designated as a node that is a base point of a search condition. An invention is disclosed that efficiently obtains information that cannot be easily reached in an existing search by setting and propagating while decreasing at a constant rate, and finally outputting a node set that exceeds the threshold value as a search result Has been.

JP 2010-191902 A

  According to Patent Document 1, since the relationship between information can be held and clustered as a graph structure, information related to the search target information can be extracted transitively. Therefore, by using this technique, it is possible to trace a graph structure that can be configured based on the relationship between events described in the log, and to efficiently investigate the cause of occurrence. For example, in the case of normal HTTP (Hyper Text Transfer Protocol) transitions, it is possible to record the HTTP header REFERER (hereinafter referred to as a referrer), which is communication transition source information, in a communication log of a proxy server or the like. is there.

  However, the information described in the log often lacks a partial relationship between events. For example, if the communication protocol changes midway or transitions that exploit the vulnerability of the browser, the referrer is not included in the communication header, so information about the transition source cannot be left as a log. The graph structure will be interrupted.

  In order to solve such a problem, in the present invention, the log analysis system is a log analysis system for analyzing log information, and whether there is a causal relationship between occurrences of a plurality of events based on log information including a plurality of events. A relationship tree construction that constructs a graph structure by determining whether or not each event is a node and adding an edge between nodes corresponding to the event when a causal relationship exists And for any specified event, determine whether the tree specified in the graph structure is the tree that generated the specified event, and whether it is the tree that generated the specified event In the judgment, the relationship tree suspicious degree that calculates the degree of probability based on the judgment conditions related to the events constituting each tree and the judgment conditions related to the structural features of the tree A calculation unit, taking into account the likelihood degree of and to and an result output unit for outputting a graph structure supplemented with causality as the result.

  In the present invention, the log analysis method is a log analysis method in a log analysis system for analyzing log information, and the log analysis system includes a relationship tree construction unit, a relationship tree suspiciousness calculation unit, a result A first step of determining whether there is a causal relationship of occurrence of a plurality of events based on log information including a plurality of events, and a relationship tree; A second step of constructing a graph structure by adding an edge between nodes corresponding to the event when the construction unit sets each individual event as one node and a causal relationship exists; A third step in which the sex tree suspiciousness degree calculation unit determines whether, for any specified event, the tree defined by the graph structure is a tree that has generated the specified event; In determining whether the tree has caused the specified event, a degree of probability is calculated based on a determination condition regarding an event constituting each tree and a determination condition regarding a structural feature of the tree. The steps are provided.

  In the present invention, the log analysis device is a log analysis device that analyzes log information, and determines whether or not there is a causal relationship between occurrences of a plurality of events based on log information including a plurality of events. A relationship tree construction unit that constructs a graph structure by adding an edge between nodes corresponding to the event when a single event is made a node and a causal relationship exists. For any given event, it is determined whether the tree specified in the graph structure is the tree that generated the specified event, and in determining whether the tree that generated the specified event is A relationship tree suspiciousness calculator that calculates the degree of certainty based on the judgment conditions related to the events that make up the tree and the judgment conditions related to the structural features of the tree, and the degree of likelihood Taking into account, and to include the result output unit for outputting a graph structure supplemented with causality as the result.

  According to the present invention, it is possible to realize a log analysis system, a log analysis method, and a log analysis device corresponding to a case where the relationship between events is partially lost.

It is a figure which shows the system configuration | structure by embodiment of this invention. It is a figure which shows the log which is the analysis object by embodiment of this invention. It is a flowchart which shows the process sequence of the analysis process by embodiment of this invention. It is a process result of the relationship tree construction process of the surrounding event by embodiment of this invention. It is a flowchart which shows the process sequence of a suspicious degree calculation process by embodiment of this invention. It is a structure analysis rule by embodiment of this invention. It is a history collation rule by an embodiment of the invention. It is a process result of a suspicious degree calculation process by embodiment of this invention. It is a flowchart which shows the process sequence of the suspiciousness confirmation process by embodiment of this invention. It is a process result of the suspiciousness confirmation process by embodiment of this invention. It is a flowchart which shows the process sequence of the relationship tree preservation | save process by embodiment of this invention. It is a processing result of the relationship tree preservation | save process by embodiment of this invention.

  Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings.

(1) Configuration of Log Analysis System According to this Embodiment In FIG. 1, reference numeral 1 denotes a log analysis system according to this embodiment as a whole. In the log analysis system 1, a proxy server or the like that inputs log information 200 to be analyzed is connected to the log analysis device 100 via a network 141, and a storage medium 171 can be connected to the log analysis device 100. . The storage medium 171 is an IC card, a USB memory, or the like and has portability.

  The proxy server and log analysis device 100 is a computer device including information resources such as a CPU (Central Processing Unit) and a memory, and is configured by, for example, an open system server or a mainframe computer. In the log analysis device 100, a memory 110, an external storage device 120, a CPU 130, a communication device 140, an input device 150, an output device 160, and a reading device 170 are connected via an interface 180.

  The external storage device 120 is an HDD (Hard Disk Drive) or the like, and when performing log analysis by the log analysis function, the relationship tree history information 121, the structure analysis rule table 122, and the history matching rule table 123, which are tables to be referred to. Is provided. The relationship tree history information 121, the structure analysis rule table 122, and the history matching rule table 123 may be provided in the memory 110.

  The memory 110 includes an analysis request input unit 111, a relationship tree construction unit 112, a past history management unit 1113, a relationship tree suspicious degree calculation unit 114, a peripheral information acquisition unit 115, a confirmation information acquisition unit 116, and a suspiciousness confirmation unit 117. And a result output unit 118. These are programs necessary for realizing the log analysis function, and may be loaded directly into the memory 110 or may be stored in the external storage device 120 or the storage medium 171 and executed by the CPU 130. The A medium for causing the CPU 130 to execute the program is not limited to the external storage device 120 and the storage medium 171, and may be any available medium, and may be a carrier wave or a digital signal that propagates through the network 141.

  The communication device 140 communicates with other devices via a network 141 such as the Internet or a LAN. The input device 150 is a keyboard, a mouse, or the like, and the output device 160 is a monitor, a printer, or the like. The reading device 170 connects the storage medium 171 and reads the contents.

  The analysis request input unit 111 accepts an analysis request input by the user using the log analysis apparatus 100 through the input device 150. The user inputs an event to be analyzed. At this time, the user may send the log information 200 to the log analysis apparatus 100. The log information 200 may be sent periodically in advance. The log information 200 may be input to the log analysis device 100 via the network 141 or may be input to the log analysis device 100 via the storage medium 171.

  When the analysis request input unit 111 receives an analysis request, the log analysis device 100 starts log analysis processing for analyzing the log information 200. When a security alert (hereinafter referred to as an alert) occurs due to a suspicious operation or the like, the system may mechanically analyze the event that caused the alert.

  As the log analysis processing, the relationship tree construction unit 112 analyzes the relationship between events of the log information 200. The relationship refers to a relationship in which an event described in the log information 200 is a trigger for causing another event similarly described in the log information 200. The relationship tree information is a graph structure (hereinafter referred to as a tree) constructed by using individual events as nodes and relationships as edges. When the relationship tree information is constructed on the basis of the log information 200, not all events are related to each other. Therefore, a plurality of relationship trees that are not connected to each other (not related). Information is built.

  The past history management unit 113 stores the relationship tree information constructed by the relationship tree construction unit 112 in the relationship tree history information 121 and stores it. Thus, the relationship tree information constructed by the relationship tree construction unit 112 can be used later.

  The relationship tree suspiciousness degree calculation unit 114 calculates the probability (hereinafter referred to as “suspicious degree”) of the cause of the event to be analyzed in the relationship tree constructed by the relationship tree construction unit 112. If the amount of the relationship tree information constructed by the relationship tree construction unit 112 is large, the relationship tree information to be calculated by the relationship tree suspiciousness degree computation unit 114 may be narrowed down.

  For example, the calculation target may be only related to events around the event to be analyzed. The peripheral event is an event around the event to be analyzed, for example, an event having the same user ID as the event to be analyzed. In addition, it may be a log of an event whose processing start time is close (such as within 1 second) to the event subject to log analysis, or an event log only for a period of one month or one year before the event occurs Also good.

  The peripheral information acquisition unit 115 provides additional information (user ID and processing start time) for specifying peripheral information (hereinafter referred to as a peripheral event) for analyzing the event contents of the log information 200 as log information 200. Get from. The peripheral information acquisition unit 115 is not essential for the present embodiment, but by using the peripheral information acquisition unit 115, only related events are analyzed (events to be analyzed are narrowed down). Rapid analysis is possible. In particular, when the amount of log information 200 is enormous, it is desirable to perform processing in the peripheral information acquisition unit 115 to reduce analysis processing costs.

The peripheral information acquisition unit 115 also obtains threat information and DNS (Domain
Name System) registration information or the like may be acquired, and the relationship tree suspiciousness degree calculation unit 114 may provide the information to the relationship tree suspicious degree calculation unit 114 when calculating the suspicious degree. For this reason, the log analyzer 100 is preferably connected to the Internet.

  The confirmation information acquisition unit 116 acquires information such as the contents of the Web content used in the suspiciousness confirmation process performed by the suspiciousness confirmation unit 117 from the Internet or the like. The confirmation information acquisition unit 116 is not essential for the present embodiment, but is necessary when performing suspiciousness confirmation processing. For this reason, the log analyzer 100 is preferably connected to the Internet.

  The suspiciousness confirmation unit 117 performs suspiciousness confirmation processing. The suspiciousness confirmation unit 117 is not an indispensable function for the present embodiment, but the suspiciousness confirmation unit 117 is used to confirm the actual operation with the operating environment according to the suspicious part of the log information 200. It is possible to provide more accurate information by the user.

  The result output unit 118 outputs the analysis result of the information requested through the analysis request input unit 111 to the user of the log analysis system 1 through the output device 160.

  The relationship tree history information 121 stores the relationship tree information that has already been analyzed as a history, and this relationship tree history information 121 is used in the suspiciousness confirmation process performed by the suspiciousness confirmation unit 117. Note that the relationship tree suspiciousness degree calculation unit 114 uses the relationship tree history information 121 to calculate the suspicious degree. The suspicious degree is represented by an integer value, and the larger the numerical value, the more suspicious.

  The structure analysis rule table 122 is a table that defines rules for how to determine the suspicious degree of the relationship tree information, and collates the relationship tree history information 121. The structural analysis rule table 122 is used in the suspiciousness confirmation process performed by the suspiciousness confirmation unit 117. The relationship tree suspiciousness degree calculation unit 114 calculates the suspicious degree using the structure analysis rule table 122.

  The history matching rule table 123 is a table that defines rules for how to determine the suspicious degree of the relationship tree information, and matches the relationship tree history information 121. The history matching rule table 123 is used in the suspiciousness confirmation process performed by the suspiciousness confirmation unit 117. The relationship tree suspiciousness degree calculation unit 114 also uses the history collation rule table 123 to calculate the suspicious degree.

(2) Log Analysis Function The log analysis function according to the present embodiment analyzes the input log information 200 by performing various processes with reference to the rule table, and outputs an analysis result.

(2-1) Log The log information 200 analyzed in the present embodiment has a typical structure output by the proxy server as shown in FIG. 2, and stores a log of each event. Each event log includes a log number column 201, an access source IP address column 202, an access destination URL column 203, a user ID column 204, a referer column 205, a user agent column 206, and a response byte count column 207.

  The log number column 201 stores a log number assigned to distinguish the log of each event, and numbers are assigned in order of “log1”, “log2”,... The access source IP address column 202 stores the IP address of the access source, for example, the IP address of the IPv4 protocol such as “1.1.1.1”. The access destination URL 203 column stores the access destination URL, for example, in the format “a.com/1.html”.

  The user ID column 204 stores a user ID of authentication information included in an HTTP authentication header or the like, and is stored in a format such as “aaaaaa”, for example. The referrer column 205 stores a referrer that is one of HTTP headers indicating the transition source of each event, and is stored in the same format as the access destination URL column 203. When the referrer is “−”, it indicates that the referrer is not included in the HTTP header.

  The user agent column 206 stores a user agent indicating which application and version of each event is executed, and is stored in a format such as “app_A; ver_1”. The response byte count column 207 stores the number of bytes returned from the server by each event, and is stored in a format such as “300”.

  When constructing the relationship tree information, the access destination URL and the referrer are used as the relationship. In other words, in the event where the values of the access destination URL and the referrer match, the former event is assumed to be the cause (transition source) of the latter event.

  For example, the referrer of log 5 is “a.com/02/2.html”, which matches “a.com/02/2.html” which is the access destination URL of log 3. From this, the transition source of log5 is log3.

(2-2) Analysis Processing FIG. 3 shows a processing procedure of analysis processing for analyzing the log information 200 based on the relationship. The analysis process builds relationship tree information having a clear relationship (such as an event in which the values of the access destination URL and the referrer match), and a plurality of relationship tree information that does not seem to have a relationship. In addition, we establish a standard (suspicious degree) as a guideline and discover a relationship (causal relationship).

  In practice, when an event to be analyzed is input, the analysis request input unit 111 sets the input event as an analysis target event and determines an investigation target event (SP301). The analysis request input unit 111 may mechanically set the event that caused the security alert as the target event. In the following description, it is assumed that the investigation target event is an event recorded in log 6 that causes an alert such as a security alert.

  When an analysis target event is determined by the analysis request input unit 111, the peripheral information acquisition unit 115 narrows down events to be analyzed in the log information 200 and identifies the peripheral event (SP302). In the following description, the investigation target is narrowed down to events having the user ID “aaaaaa”.

  When a peripheral event is specified by the peripheral information acquisition unit 115, the relationship tree construction unit 112 constructs a relationship tree between the narrowed events (SP303). Specifically, an edge is added from the transition source to the transition destination so that an arrow is drawn from log3 to log5 in the relationship tree t2 in FIG.

  FIG. 4A to FIG. 4D show the relationship tree information created by narrowing down the investigation target to the event having the user ID “aaaaaa”. The relationship tree information is given identification names t1 to t4. The relationship tree t1 shown in FIG. 4A will be described as an example. The communication (event) recorded as log1 is the transition source, and the communication recorded as log2 to log4 occurs. Furthermore, the communication recorded as log 5 is generated with the communication recorded as log 3 as the transition source. Further, as shown in the relationship tree t2 in FIG. 4B, the alert information is also displayed as the relationship tree information.

  The relationship trees t1 to t4 created by the relationship tree construction unit 112 are appropriately stored in the relationship tree history information 121 by the past history management unit 113.

  When the relationship tree construction unit 112 creates the relationship trees t1 to t4, the relationship tree suspicious degree calculation unit 114 performs suspicious degree calculation processing for calculating the suspicious degrees of the relationship trees t1 to t4 (SP304).

  FIG. 5 shows a processing procedure of the suspicious degree calculation processing. In the suspicious degree calculation process, the suspicious communication (event) is specified by referring to the structural analysis rule table 122 and the history matching rule table 123 which are rule tables.

  In practice, the relationship tree suspiciousness degree calculation unit 114 determines whether there is unprocessed relationship tree information in which the investigation target event is not included in the node (SP501). When the relationship tree suspiciousness degree calculation unit 114 obtains a negative result in this determination, the suspiciousness degree calculation process ends. Whether or not it is unprocessed is determined, for example, by providing a processing completion flag in the relationship tree information.

  On the other hand, if the relationship tree suspiciousness degree calculation unit 114 obtains a positive result in the determination at step SP501, the relationship tree suspicious degree calculation unit 114 selects one of the unprocessed relationship trees. (SP502). At this time, the suspiciousness value of the selected relationship tree information is set to 0 as an initial value.

  For the relationship tree information selected by the relationship tree suspiciousness degree calculation unit 114, the relationship tree suspicious degree calculation unit 114 performs a tree structure analysis process based on the structure of the relationship tree information (SP503). The structure analysis rule table 122 is used for the tree structure analysis process. In the tree structure analysis process, a suspicious degree is added by each rule in order to find a suspicious structure and determine the suspicious degree. In this embodiment, when judging from the structure, the suspicious degree is only added, but a general and safe structure may be found and subtracted.

  FIG. 6 shows the contents of the structure analysis rule table 122. Each structural analysis rule is stored in the structural analysis rule table 122, and each rule includes a rule number column 601, a determination condition column 602, a processing column 603, and a suspiciousness degree determination column 604.

  The rule number column 601 stores a rule number assigned to distinguish each rule, and “s1”, “s2”,... Are assigned numbers in descending order of suspiciousness degree in the suspiciousness degree judgment field 604. ing. The determination condition column 602 stores determination conditions for determining a suspicious structure. The processing column 603 stores the processing content for performing the determination. In the present embodiment, the contents of the determination condition column 602 and the processing column 603 are described in natural language for explanation. The suspiciousness degree determination column 604 defines how to increase or decrease the suspicious degree of which related tree information when processing is performed and the condition is satisfied.

  Specifically, the rule s1 is a rule for investigating whether or not the access destination of the event included in the relationship tree information to be analyzed is determined to be suspicious at a site that discloses threat information. is there. Since the relationship tree information that matches this rule is likely to contain a malicious communication log, this embodiment defines that the suspicious degree of the relationship tree information is greatly increased (suspicious) +5) degree.

  The rule s2 is a rule for determining whether the country of the domain indicating the access destination location information has changed in the middle of the relationship tree information. In redirect transition to a malicious site, the transition destination often changes to a foreign site from the middle of the transition, and in this embodiment, if this rule is met, the suspicious degree of the relationship tree information is increased moderately Defined (+2 for suspicious degree).

  The rule s3 is a rule for determining whether or not one or more events whose DNS registration date of the access destination domain is less than one year are included. Malignant sites are often shallower after being registered in the DNS, and in this embodiment, the degree of suspiciousness is defined to be moderately increased if this rule is met (+2 for suspiciousness).

  The rule s4 is a rule for determining whether or not communication in which two or more redirect transitions have occurred is included in the relationship tree information. Unlike the page transition in normal web page browsing, the redirect transition does not acquire a resource file or the like. In other words, by examining the order of the tree structure, it is possible to examine the possibility that redirection has occurred. Since redirection may occur not only for malicious communication but also for normal communication, in this embodiment, it is defined that the suspicious degree is raised to a small degree when this rule is met (+1 for suspicious degree). .

  For example, in the present embodiment, by checking the rules s2 to s4, if all the rules match, even if they do not match the rule s1, the degree of suspiciousness increases as if it matches the rule s1. (+5) Judgment is made. In this way, even if it is an unknown malignant site by using a plurality of rules, it is possible to analyze the degree of suspiciousness in detail using the tree structure and surrounding information.

  When the relationship tree suspiciousness degree calculation unit 114 calculates the suspicious degree in the tree structure analysis process, the relationship tree suspiciousness degree calculation unit 114 further performs history matching processing (SP504). The history matching rule table 123 is used for the history matching process. In the history matching process, the suspicious degree is subtracted by each rule in order to check the suspicious degree by collating histories having no problems in the past. In this embodiment, when the determination is made from the history, the suspicious degree is only subtracted. However, the suspicious degree may be added by checking the history of problems in the past.

  FIG. 7 shows the contents of the history matching rule table 123. Each history matching rule is stored in the history matching rule table 123, and each rule includes a rule number column 701, a determination condition column 702, a processing column 703, and a suspiciousness degree determination column 704.

  The rule number column 701 stores a rule number assigned to distinguish each rule, and “r1”, “r2”,... Are assigned numbers in descending order of the suspiciousness degree in the suspiciousness degree judging field 704. ing. The determination condition column 702 stores determination conditions for determining a safe history. The processing column 703 stores the processing content for performing the determination. In the present embodiment, the contents of the determination condition column 702 and the processing column 703 are described in natural language for explanation. The suspiciousness degree determination column 704 defines how to increase or decrease the suspiciousness degree of which related tree information when processing is performed and the condition is satisfied.

  Specifically, the rule r1 is a case where an alert is not generated even though the same access destination as the communication included in the relation tree information to be analyzed is accessed in the relation tree history information 121. This is a rule for determining whether or not there is. Since the relationship tree information that matches this rule has a high possibility of being irrelevant to malignant communication, this embodiment defines that the degree of suspiciousness is lowered (−1 for the degree of suspiciousness).

  The rule r2 is a rule that matches the rule r1 and determines whether the occurrence date of the event in the relationship tree history information 121 is within one day. Since it is not known when tampering by an attacker will occur, for example, if an alert has not occurred in less than a day, this embodiment defines that the degree of suspiciousness is further reduced (suspicious) Degree -1).

  In addition, when the rule r3 matches the rule r1 and the value of the user agent of the corresponding event in the relationship tree history information 121 is the same, the access is performed using the same condition (browser). Regardless, there are cases where no alert has occurred. For this reason, in this Embodiment, it defines so that a suspicious degree may be lowered | hung further (it is -1 to a suspicious degree). This is because a recent malicious site is aimed at a specific browser or the like, and may not attack other than the targeted browser (that is, no alert is generated).

  Note that the above-described rules are examples, and other rules can be used in combination.

  As shown in FIGS. 8A to 8D, the calculation result of the suspiciousness degree calculation process is displayed by displaying the suspicious degree of the relationship tree information and the rule number of the rule that matches as the breakdown of the suspicious degree in the relationship tree information. Also good.

  Specifically, the relationship tree t1 shown in FIG. 8A matches the rules s2 and s4 of the structural analysis rule table 122 as shown as the reason for suspiciousness, so the suspicious degree becomes +3. Further, the relationship tree t2 illustrated in FIG. 8B is a tree including the analysis target event, and thus is not subject to the suspicious degree determination. The relationship tree t3 shown in FIG. 8C and t4 shown in FIG. 8D are the same as the relationship tree t1.

  As described above, from the suspicious degree calculation process, it can be known that the relationship tree t1 is the most suspicious series of communication (event).

  After the relationship tree suspiciousness degree calculation unit 114 performs the suspicious degree calculation process, the suspiciousness confirmation part 117 performs the suspiciousness confirmation process (SP305).

  FIG. 9 shows a processing procedure of the suspiciousness confirmation processing. The suspiciousness confirmation process confirms whether or not an alert is actually generated by performing a process with a high suspicious degree.

  In practice, the suspiciousness confirmation unit 117 determines whether there is unprocessed relationship tree information in which the investigation target event is not included in the node (SP901). When the suspiciousness confirmation unit 117 obtains a negative result in this determination, the suspiciousness confirmation process ends. Whether or not it is unprocessed is determined, for example, by providing a processing completion flag in the relationship tree information.

  In contrast, when the suspiciousness confirmation unit 117 obtains a positive result in the determination at step SP901, the suspiciousness confirmation unit 117 selects one of the unprocessed relationship tree information having a high suspicious degree ( SP902). At this time, if the relationship tree information having a high suspicious degree is preferentially selected, the time until an alert is actually generated can be shortened.

  When the suspiciousness confirmation unit 117 selects unprocessed relationship tree information with a high suspicious degree, the suspiciousness confirmation unit 117 acquires the root node (event serving as a base point) of the relationship tree information (SP903). . The suspiciousness confirmation unit 117 acquires a request header including an access destination URL that is an access destination of the event from the acquired root node.

  When acquiring the request header including the access destination URL that is the access destination of the event, the suspiciousness confirmation unit 117 uses the confirmation information acquisition unit 116 to make the request header the same as the log of the event to the access destination URL. (SP904), the suspiciousness confirmation unit 117 returns to step SP901.

  The suspiciousness confirmation unit 117 determines whether an alert is generated again by access using the same security mechanism as the log that generated the alert (SP905). If the suspiciousness confirmation unit 117 obtains a negative result in this determination, the suspiciousness confirmation unit 117 confirms that the structure of the relationship tree information between the log of the event and the actual operation and the number of response bytes are different. The suspiciousness degree of the relationship tree information is incremented by 1 (SP906), and the suspiciousness confirmation unit 117 returns to step SP901.

  On the other hand, if the suspiciousness confirmation unit 117 obtains a positive result in the determination at step SP905, the suspiciousness confirmation unit 117 associates the relationship tree information with the relationship tree information including the event that generated the alert (SP907). The sex confirmation unit 117 returns to step SP901. Thus, it is assumed that the relationship tree information, which is a group of events that cause the log that generated the alert, has been discovered.

  When the alert occurs, the relationship tree information, which is a group of events, is discovered and the causal relationship is discovered. Therefore, when the alert occurs, the suspiciousness confirmation unit 117 performs suspiciousness confirmation processing. May be terminated. It should be noted that without actually generating an alert, it is possible to just estimate that a high suspicious degree is the cause of the alert.

  When the suspiciousness confirmation processing by the suspiciousness confirmation unit 117 ends, the result output unit 118 outputs the result of the analysis processing (SP306).

  FIG. 10 shows an output result display output by the result output unit 118. The output result display includes a log number 1001 of the log of the event to be analyzed, a suspicious degree of each relation tree information, a relation tree list 1002 displaying an outline of the analysis result, and a suspicious degree calculation processing result to a suspiciousness confirmation process. The analysis result drawing area 1003 reflecting the confirmation result is included.

  The analysis result drawing area 1003 is a drawing area for the user to select from the relationship tree list 1002 and browse the details of the analysis result of the selected relationship information tree. In the present embodiment, by supplementing the missing causal relationship, two relationship trees t1 and t2 that are actually causal are connected and drawn. This makes it possible to know the progress of the analysis. By browsing this output, the user can easily know which other event caused an abnormal event such as an alert to be analyzed.

(2-3) Relationship tree storage processing The relationship tree information used in the suspiciousness calculation processing is appropriately stored in the relationship tree history information 121 before the suspiciousness calculation processing. You may implement at another timing as a batch process. In this case, the target event is not narrowed down.

  FIG. 11 shows the processing procedure of the relationship tree saving process. In the relationship tree saving process, the relationship tree information is stored in the relationship tree history information 121.

  In practice, the relationship tree construction unit 112 constructs a relationship tree between events (SP1101). After the relationship tree construction unit 112 constructs a relationship tree between events, the past history management unit 113 stores the relationship tree information in the relationship tree history information 121 (SP1102).

  The result of the relationship tree saving process is shown in FIG. FIG. 12 shows the relationship tree history tr1. Relationship tree information including log9 and log10 is displayed.

(3) Effect of this Embodiment As described above, in the log analysis system 1 of this embodiment, the suspicious degree is set based on the rule between the relation tree information for each grouped event that can be traced from the referrer. By making an estimate and generating an alert by actual operation, the missing causal relationship can be confirmed and compensated. As a result, the time required for analysis can be shortened.

  DESCRIPTION OF SYMBOLS 1 ... Log analysis system, 100 ... Log analysis apparatus, 111 ... Analysis request input part, 112 ... Relationship tree construction part, 113 ... Past history management part, 114 ... Relation tree suspicious degree calculation part, 115... Peripheral information acquisition unit 116... Confirmation information acquisition unit 117. Suspiciousness confirmation unit 118. Result output unit 121... Relation tree history information 122. ... History matching rule table, 141 ... Network, 200 ... Log information.

Claims (15)

A log analysis system for analyzing log information,
Based on log information including a plurality of events, determine whether there is a causal relationship between the occurrence of a plurality of events,
A relationship tree construction unit for constructing a graph structure by making each one event one node and adding an edge between the nodes corresponding to the event when the causal relationship exists; ,
For any specified event, determine whether the tree specified in the graph structure is the tree that generated the specified event,
The relationship for calculating the degree of probability based on the determination conditions related to the events constituting each tree and the determination conditions related to the structural features of the tree in determining whether the tree has caused the specified event Sex tree suspiciousness calculation section,
A log analysis system comprising: a result output unit that outputs the graph structure as a result, taking into account the degree of certainty and supplementing the causal relationship. The log analysis system according to claim 1, further comprising: a suspiciousness confirmation unit that supplements the causal relationship by actually confirming a suspicious operation. The log analysis system according to claim 1, further comprising: a peripheral information acquisition unit that narrows down the event to be analyzed under a predetermined condition. The result output from the result output unit is:
A relationship tree list displaying the degree of certainty of the graph structure and an overview of the analysis results;
The log analysis system according to claim 1, further comprising: an analysis result drawing area in which details of the graph structure selected from the relationship tree list are displayed. The event includes location information of an access destination and location information of a transition source,
The relationship tree suspiciousness degree calculation unit, when the location information of the access destination is changing in the middle of the graph structure, changes the degree of the probability of the graph structure to a direction to determine that it is suspicious. The log analysis system according to 1. The event includes location information of an access destination and location information of a transition source,
The relationship tree suspiciousness degree calculation unit changes the degree of the probability of the graph structure to a direction in which it is determined to be suspicious when two or more redirect transitions occur in the graph structure. Log analysis system described in. The event comprises agent information used for access,
The relationship tree suspiciousness degree calculation unit is the same agent information as the specified event, the same access destination as the specified event, and when there is no suspicious action in the graph structure, The log analysis system according to claim 1, wherein the degree of likelihood of the graph structure is changed to a direction in which it is determined that the graph structure is not suspicious. A log analysis method in a log analysis system for analyzing log information,
The log analysis system includes a relationship tree construction unit, a relationship tree suspicious degree calculation unit, and a result output unit,
A first step in which the relationship tree construction unit determines whether there is a causal relationship of occurrence of a plurality of events based on log information including a plurality of events;
The relationship tree construction unit makes each one event one node, and when the causal relationship exists, adds an edge between the nodes corresponding to the event, thereby creating a graph structure. A second step to build,
A third step in which the relationship tree suspiciousness degree calculating unit determines, for any specified event, whether the tree specified by the graph structure is a tree that has generated the specified event;
In determining whether the relationship tree suspiciousness degree calculation unit is a tree that has generated the specified event, a determination condition regarding the event constituting each tree, and a determination condition regarding a structural feature of the tree, A fourth step of calculating the degree of certainty based on;
A log analysis method comprising: a fifth step in which the result output unit outputs, as a result, the graph structure in which the causality is supplemented, taking into account the degree of certainty. The log analysis system has a suspiciousness confirmation unit,
The log analysis method according to claim 8, further comprising a sixth step in which the suspiciousness confirmation unit supplements the causal relationship by actually confirming a suspicious operation. The log analysis system has a peripheral information acquisition unit,
The log analysis method according to claim 8, further comprising: a sixth step of narrowing down the event to be analyzed by the peripheral information acquisition unit according to a predetermined condition. The result output by the result output unit has a relationship tree information list and an analysis result drawing area,
A sixth step in which the result output unit displays the degree of certainty of the graph structure and a summary of analysis results in a relationship tree list;
The log analysis method according to claim 8, wherein the result output unit includes a seventh step of displaying details of the graph structure selected from the relationship tree list in an analysis result drawing area. The event includes location information of an access destination and location information of a transition source,
The relationship tree suspiciousness degree calculation unit changes the degree of likelihood of the graph structure to a direction for determining that the suspicious degree is suspicious when the location information of the access destination changes in the middle of the graph structure. The log analysis method according to claim 8, further comprising a step. The event includes location information of an access destination and location information of a transition source,
The relationship tree suspiciousness degree calculation unit changes a degree of the probability of the graph structure to a direction to determine that the graph structure is suspicious when the redirect transition occurs twice or more in the graph structure. The log analysis method according to claim 8, further comprising a step. The event has agent information used for access,
The relationship tree suspiciousness degree calculation unit is the same agent information as the specified event, the same access destination as the specified event, and when there is no suspicious action in the graph structure, The log analysis method according to claim 8, further comprising a sixth step of changing the degree of likelihood of the graph structure in a direction in which it is determined that the graph structure is not suspicious. A log analyzer for analyzing log information,
Based on log information including a plurality of events, determine whether there is a causal relationship between the occurrence of a plurality of events,
A relationship tree construction unit for constructing a graph structure by making each one event one node and adding an edge between the nodes corresponding to the event when the causal relationship exists; ,
For any specified event, determine whether the tree specified in the graph structure is the tree that generated the specified event,
The relationship for calculating the degree of probability based on the determination conditions related to the events constituting each tree and the determination conditions related to the structural features of the tree in determining whether the tree has caused the specified event Sex tree suspiciousness calculation section,
A log analysis apparatus comprising: a result output unit that outputs the graph structure with the causality as a result, taking into account the degree of certainty.

Images