Method and apparatus for monitoring network
US-10397248-B2 · Aug 27, 2019 · US
US11895146B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11895146-B2 |
| Application number | US-201915734669-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 3, 2019 |
| Priority date | Jun 4, 2018 |
| Publication date | Feb 6, 2024 |
| Grant date | Feb 6, 2024 |
Official abstract text for this publication.
Provided is an infection-spreading attack detection system and method, as well as a program enabling an occurrence of an infection-spreading attack to be detected with high accuracy. A first feature amount is calculated based on traffic information on a packet transferred by a transfer device, and M partial address space(s) are identified to be a monitoring target based on the first feature amount. A second feature amount is calculated for each of the M partial address space(s) based on the traffic information related to the M partial address space(s). Abnormality detection determination is performed on each of the M partial address space(s) based on the second feature amount. Whether the infection-spreading attack has occurred is determined by evaluating M determination results.
Opening claim text (preview).
The invention claimed is:

1. An infection-spreading attack detection system for detecting an occurrence of an infection-spreading attack in a network including a transfer device that transfers a packet, the infection-spreading attack detection system comprising: a first feature amount derivation unit, including one or more hardware processors, configured to acquire first traffic information on the packet transferred by the transfer device, and to derive based on the first traffic information a first feature amount of traffic for each of a plurality of partial address spaces formed by subdividing an address space of the packet; a monitoring target determination unit, including one or more hardware processors, configured to determine based on the first feature amount derived by the first feature amount derivation unit M partial address space(s) to be a monitoring target out of the partial address spaces; a second feature amount derivation unit, including one or more hardware processors, configured to acquire second traffic information on the packet transferred by the transfer device having, as a destination or a source, an address within the M partial address space(s) determined by the monitoring target determination unit, and to derive based on the second traffic information a second feature amount of the traffic for each of the M partial address space(s); and a detection unit, including one or more hardware processors, configured to determine whether the second feature amount derived by the second feature amount derivation unit satisfies a predetermined detection condition for each of the M partial address space(s), and, by evaluating M determination results to determine whether an infection-spreading attack has occurred.

2. The infection-spreading attack detection system according to claim 1, wherein the detection unit is configured to determine that the infection-spreading attack has occurred in the partial address spaces satisfying the detection conditions when a number of the partial address spaces satisfying the detection condition is equal to or larger than a predetermined threshold N, where (N≤M).

3. The infection-spreading attack detection system according to claim 1, wherein the monitoring target determination unit is configured to determine based on the first feature amount predetermined M partial address space(s) having a relative small amount of traffic to be a monitoring target.

4. The infection-spreading attack detection system according to claim 1, wherein the monitoring target determination unit is configured to determine based on the first feature amount and a relative or absolute threshold M partial address space(s) to be a monitoring target.

5. The infection-spreading attack detection system according to claim 1, wherein the monitoring target determination unit is configured to set an access control list to the transfer device for acquiring the second traffic information by the transfer device.

6. The infection-spreading attack detection system according to claim 1, wherein the detection unit is configured to, when an infection-spreading attack is determined to have occurred, set the transfer device to transfer the packet having, as a destination or a source, an address within the M partial address space(s) to a predetermined security device.

7. An infection-spreading attack detection method of detecting an occurrence of an infection-spreading attack in a network including a transfer device that transfers a packet, the method comprising: acquiring, by a first feature amount derivation unit, first traffic information on the packet transferred by the transfer device, and deriving based on the first traffic information a first feature amount of traffic for each of a plurality of partial address spaces formed by subdividing an address space of the packet; determining, by a monitoring target determination unit, based on the first feature amount derived by the first feature amount derivation unit M partial address space(s) to be a monitoring target out of the plurality of partial address spaces; acquiring, by a second feature amount derivation unit, second traffic information on the packet transferred by the transfer device having as a destination or a source, an address within the M partial address space(s) determined by the monitoring target determination unit, and deriving based on the second traffic information a second feature amount of the traffic for each of the M partial address space(s); and determining, by a detection unit, whether the second feature amount derived by the second feature amount derivation unit satisfies a predetermined detection condition for each of the M partial address space(s), and, by evaluating M determination results, determining whether an infection-spreading attack has occurred.

8. The infection-spreading attack detection method according to claim 7, further comprising: determining, by the detection unit, that the infection-spreading attack has occurred in the partial address spaces satisfying the detection conditions when a number of the partial address spaces satisfying the detection condition is equal to or larger than a predetermined threshold N, where (N≤M).

9. The infection-spreading attack detection method according to claim 7, further comprising: determining, by the monitoring target determination unit, based on the first feature amount predetermined M partial address space(s) having a relative small amount of traffic to be a monitoring target.

10. The infection-spreading attack detection method according to claim 7, further comprising: determining, by the monitoring target determination unit, based on the first feature amount and a relative or absolute threshold M partial address space(s) to be a monitoring target.

11. The infection-spreading attack detection method according to claim 7, further comprising: setting, by the monitoring target determination unit, an access control list to the transfer device for acquiring the second traffic information by the transfer device.

12. The infection-spreading attack detection method according to claim 7, further comprising: setting, by the detection unit, when an infection-spreading attack is determined to have occurred, the transfer device to transfer the packet having, as a destination or a source, an address within the M partial address space(s) to a predetermined security device.

13. A non-transitory computer readable medium storing one or more instructions for detecting an occurrence of an infection-spreading attack in a network including a transfer device that transfers a packet, the one or more instructions causing a computer to execute: acquiring, by a first feature amount derivation unit, first traffic information on the packet transferred by the transfer device, and deriving based on the first traffic information a first feature amount of traffic for each of a plurality of partial address spaces formed by subdividing an address space of the packet; determining, by a monitoring target determination unit, based on the first feature amount derived by the first feature amount derivation unit M partial address space(s) to be a monitoring target out of the plurality of partial address spaces; acquiring, by a second feature amount derivation unit, second traffic information on the packet transferred by the transfer device having as a destination or a source, an address within the M partial address space(s) determined by the monitoring target determination unit, and deriving based on the second traffic information a second feature amount of the traffic for each of the M partial address space(s); and determining, by a detection unit, whether
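The abstract and claims 1 to 4 describe a two-stage pipeline: subdivide the monitored address space, rank the pieces by a first (baseline) traffic feature, keep the M quietest as sensors, compute a second feature on traffic to those M pieces, apply a per-piece detection condition, and declare an attack when at least N of the M conditions hold. The following is an added example written for this page, not code from the patent or its assignee. Everything concrete in it is an assumption: the 10.0.0.0/21 range and its /24 subdivision, packet volume as the first feature, distinct-destination fan-out and distinct-source count as the second feature, the thresholds, and the constructed flow records that stand in for what a transfer device would export.

```python
"""Two-stage infection-spreading attack detector in the shape of claims 1-4.

Added example, not the patent's code. The monitored range, the /24 subdivision,
the feature definitions, the thresholds and all traffic below are assumptions
chosen to show the mechanism; a real deployment would take flow records from
the transfer device in place of the constructed lists.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record as a transfer device might export it (constructed here)."""
    src: str
    dst: str
    dst_port: int
    packets: int


def partial_spaces(address_space: str, prefix_len: int):
    """Subdivide the monitored address space into equal partial address spaces."""
    return list(ipaddress.ip_network(address_space).subnets(new_prefix=prefix_len))


def space_of(addr: str, prefix_len: int):
    """The partial address space (block of size /prefix_len) containing addr."""
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def first_feature(flows, spaces):
    """First feature amount: destination-side packet volume per partial space.
    Spaces that see no traffic at all stay at 0, which is what makes them
    useful scan sensors (assumption: only the destination side is counted)."""
    prefix_len = spaces[0].prefixlen
    volume = {space: 0 for space in spaces}
    for f in flows:
        key = space_of(f.dst, prefix_len)
        if key in volume:
            volume[key] += f.packets
    return volume


def select_targets(volume, m, absolute_max=None):
    """Monitoring target determination: the M quietest partial spaces (claim 3),
    optionally restricted to those under an absolute volume threshold (claim 4).
    Ties are broken by network address so the choice is deterministic."""
    ranked = sorted(volume.items(), key=lambda kv: (kv[1], kv[0]))
    if absolute_max is not None:
        ranked = [kv for kv in ranked if kv[1] <= absolute_max]
    return [space for space, _ in ranked[:m]]


def second_feature(flows, targets):
    """Second feature amount per target: (distinct destination hosts touched,
    distinct sources touching them). A sweep shows many destinations, few sources."""
    prefix_len = targets[0].prefixlen
    dsts = {t: set() for t in targets}
    srcs = {t: set() for t in targets}
    for f in flows:
        key = space_of(f.dst, prefix_len)
        if key in dsts:
            dsts[key].add(f.dst)
            srcs[key].add(f.src)
    return {t: (len(dsts[t]), len(srcs[t])) for t in targets}


def detect(features, n, min_fanout=20, max_sources=3):
    """Per-space detection condition, then N-of-M evaluation (claims 1 and 2).
    Returns (attack_occurred, partial spaces satisfying the condition)."""
    flagged = [t for t, (fanout, sources) in features.items()
               if fanout >= min_fanout and sources <= max_sources]
    return len(flagged) >= n, flagged


def _sweep(src, space, hosts, port=445):
    """Constructed scan: one packet from src to each of the first `hosts` hosts."""
    return [Flow(src, str(space[i]), port, 1) for i in range(1, hosts + 1)]


SPACES = partial_spaces("10.0.0.0/21", 24)   # 8 partial spaces, 10.0.0.0/24 .. 10.0.7.0/24

# Constructed baseline window: three busy subnets, one light one, four silent ones.
BASELINE = (
    [Flow("192.0.2.10", f"10.0.1.{i}", 443, 50) for i in range(1, 21)]   # 1000 packets
    + [Flow("192.0.2.11", f"10.0.2.{i}", 80, 40) for i in range(1, 21)]  # 800 packets
    + [Flow("192.0.2.12", f"10.0.0.{i}", 22, 30) for i in range(1, 11)]  # 300 packets
    + [Flow("192.0.2.13", "10.0.3.7", 53, 50)]                          # 50 packets
)

# Constructed detection windows: an infected host 10.0.1.25 sweeping the silent
# subnets on 445, versus ordinary sparse management traffic.
ATTACK_WINDOW = (
    _sweep("10.0.1.25", SPACES[4], 60)
    + _sweep("10.0.1.25", SPACES[5], 45)
    + _sweep("10.0.1.25", SPACES[6], 30)
    + [Flow("192.0.2.13", "10.0.7.3", 53, 5)]
)
BENIGN_WINDOW = [Flow("192.0.2.20", f"10.0.{s}.1", 161, 2) for s in (4, 5, 6, 7)]


def run(window, m=4, n=2):
    """Full pipeline: pick M quiet spaces from the baseline, then judge `window`."""
    targets = select_targets(first_feature(BASELINE, SPACES), m)
    occurred, flagged = detect(second_feature(window, targets), n)
    return occurred, [str(t) for t in flagged]


if __name__ == "__main__":
    print("attack window:", run(ATTACK_WINDOW))   # (True, ['10.0.4.0/24', '10.0.5.0/24', '10.0.6.0/24'])
    print("benign window:", run(BENIGN_WINDOW))   # (False, [])
```

The N-of-M vote is what separates this from a single dark-subnet honeypot: one quiet subnet lighting up can be a misconfigured backup job, but several of them being swept by the same few sources in one window is hard to explain benignly. Claim 2 ties the verdict to the specific spaces that satisfied the condition, which is why `detect` returns them rather than only a boolean; those are the spaces whose traffic claim 6 would redirect to a security device.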
the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms · CPC title
Traffic logging, e.g. anomaly detection · CPC title
Vulnerability analysis · CPC title
Computer malware detection or handling, e.g. anti-virus arrangements · CPC title