US 11,943,243 B2
Anomaly detection method and anomaly detection device
Takamitsu Sasaki, Osaka (JP); Tomoyuki Haga, Nara (JP); Daiki Tanaka, Hiroshima (JP); Makoto Yamada, Kyoto (JP); Hisashi Kashima, Kyoto (JP); and Takeshi Kishikawa, Osaka (JP)
Assigned to PANASONIC INTELLECTUAL PROPERTY CORPORATION OF AMERICA, Torrance, CA (US)
Filed by Panasonic Intellectual Property Corporation of America, Torrance, CA (US)
Filed on May 17, 2021, as Appl. No. 17/322,371.
Application 17/322,371 is a continuation of application No. PCT/JP2020/012301, filed on Mar. 19, 2020.
Claims priority of application No. 2019-067627 (JP), filed on Mar. 29, 2019.
Prior Publication US 2021/0273966 A1, Sep. 2, 2021
Int. Cl. G06F 11/00 (2006.01); G06F 12/14 (2006.01); G06F 12/16 (2006.01); G08B 23/00 (2006.01); H04L 9/40 (2022.01); H04L 12/40 (2006.01)
CPC H04L 63/1425 (2013.01) [H04L 12/40 (2013.01); H04L 63/1466 (2013.01); H04L 2012/40215 (2013.01); H04L 2463/142 (2013.01)]
11 Claims
1. An anomaly detection method that, in a communication network system, determines whether each of frames, which are contained in observation data constituted by a collection of frames transmitted and received over the communication network system and observed in a predetermined period, is anomalous, and outputs an anomalous part of a payload in a frame determined to be anomalous, the anomaly detection method comprising:
obtaining a data distribution of a plurality of feature amounts pertaining to a part of the payload included in the frame, the part being at least one bit;
detecting whether or not the frame contained in the observation data is anomalous; and
outputting the anomalous part; and
determining an anomaly type,
wherein in the obtaining, the data distribution is obtained for a collection of frames that are transmitted and received over the communication network system, the collection being obtained at a different timing from a timing at which the observation data is obtained,
in the detecting, a difference between the data distribution obtained in the obtaining and a data distribution of a feature amount extracted from the frame contained in the observation data is calculated, and the frame is determined to be an anomalous frame when the frame has a feature amount for which the difference is at least a predetermined value,
in the outputting, when a frame determined to be an anomalous frame in the detecting is present, an anomaly contribution level is calculated for the plurality of feature amounts that have been extracted from the anomalous frame, and an anomalous payload part is output, the anomalous payload part being at least one part in the payload that corresponds to a feature amount for which the anomaly contribution level is at least a predetermined value, and
in the determining of the anomaly type, an anomalous payload part length is specified based on the anomalous payload part, and the anomaly type is determined according to the anomalous payload part length.
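
The steps recited in claim 1, sketched as an added example that is not code from the patent or its assignee. It assumes per-byte payload values as the feature amounts, a mean and standard deviation per byte as the data distribution, the standardized deviation as the difference, its square as the anomaly contribution level, and hypothetical type labels and thresholds; the claim fixes none of these choices.

```python
import statistics

# Constructed sample: 60 reference frames (8-byte payloads) observed earlier,
# i.e. at a different timing from the observation data being checked.
REFERENCE = [bytes([0x10 + i % 3, 0x20, i % 4, 0x00, 0x7F, 0x01, 0x00, 0x55])
             for i in range(60)]

def fit(frames, min_std=0.5):
    """Obtaining step: per-byte (mean, std) over the reference collection.
    The std is floored so constant bytes do not divide by zero (assumption)."""
    return [(statistics.fmean(col), max(statistics.pstdev(col), min_std))
            for col in zip(*frames)]

def classify(length):
    """Hypothetical mapping from anomalous payload part length to a type."""
    if length == 1:
        return "single-field"
    return "multi-field" if length <= 4 else "wide"

def analyze(frame, dist, detect_z=6.0, contrib_min=16.0):
    """Return (is_anomalous, anomalous byte offsets, anomaly type)."""
    if len(frame) != len(dist):
        raise ValueError("payload length differs from reference")
    # Detecting step: difference of each feature from the reference distribution.
    z = [abs(b - mean) / std for b, (mean, std) in zip(frame, dist)]
    if max(z) < detect_z:          # no feature reaches the detection threshold
        return False, [], None
    # Outputting step: contribution level per feature, thresholded.
    contrib = [v * v for v in z]
    part = [i for i, c in enumerate(contrib) if c >= contrib_min]
    # Determining step: the type follows from the length of the anomalous part.
    return True, part, classify(len(part))

DIST = fit(REFERENCE)

if __name__ == "__main__":
    # Constructed observation frames: normal, one byte altered, all bytes altered.
    for payload in (bytes([0x11, 0x20, 2, 0, 0x7F, 1, 0, 0x55]),
                    bytes([0x11, 0x20, 2, 0, 0xFF, 1, 0, 0x55]),
                    bytes([0xFF] * 8)):
        print(payload.hex(), analyze(payload, DIST))
```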