| CPC H04L 63/1441 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1425 (2013.01); H04L 63/1433 (2013.01)] | 15 Claims |

1. A suspicious communication detection apparatus comprising:
a memory storing:
a database in which information extracted from encrypted communications is managed separately as communications from an outside of an organization to an inside of the organization and as communications from the inside of the organization to the outside of the organization;
a machine learning model that receives features of an encrypted communication and that determines whether the encrypted communication is a suspicious communication; and
instructions; and
a processor configured to execute the instructions to:
refer to the database by using information about a received encrypted communication;
enter obtained features about the received encrypted communication to the machine learning model;
determine whether the received encrypted communication is a suspicious communication;
store the determination result for the suspiciousness in the database; and
perform, based on a determination result of an encrypted communication from the inside of the organization to the outside of the organization, a redetermination on a determination result of an encrypted communication from the outside of the organization to the inside of the organization, the determination result being stored in the database,
wherein the database includes an encrypted communication information management table that manages session information about encrypted communications, an encrypted communication feature management table that manages features generated from encrypted communications, and an encrypted communication flag management table that manages flags of encrypted communications determined as suspicious communications.
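Claim 1 reads as a pipeline: session rows kept separately by direction, a feature table, a classifier over those features, a flag table for sessions judged suspicious, and a second pass that revisits a stored inbound verdict once the outbound verdict for the same organization host is known. The Python sketch below is an added example, not code from the patent or its applicant; it runs that pipeline end to end over constructed TLS session metadata. Everything beyond the claim's structure is an assumption: the 10.0.0.0/8 inside range, the metadata features, the fixed-weight logistic scorer standing in for the trained model, and the redetermination rule (an earlier inbound session is re-flagged when a later suspicious outbound session joins the same internal host to the same external endpoint).

```python
"""Toy model of the claimed apparatus (added example; assumptions are marked)."""
import math
from dataclasses import dataclass

INTERNAL_PREFIX = "10."  # assumption: the organization's inside address range


@dataclass(frozen=True)
class Session:
    """One row of the encrypted communication information management table."""
    session_id: str
    start_ts: int
    src_ip: str
    dst_ip: str
    dst_port: int
    bytes_sent: int       # src -> dst; payload itself stays encrypted
    bytes_received: int   # dst -> src
    duration_s: float
    sni: str              # ClientHello server name, '' if absent
    tls_version: str


def direction(s: Session) -> str:
    """Inside -> outside is 'outbound'; outside -> inside is 'inbound'."""
    return "outbound" if s.src_ip.startswith(INTERNAL_PREFIX) else "inbound"


def extract_features(s: Session) -> dict:
    """Metadata-only features a TLS inspector can derive without decrypting."""
    total = s.bytes_sent + s.bytes_received
    return {
        "upload_ratio": s.bytes_sent / total if total else 0.0,
        "log_duration": math.log1p(s.duration_s),
        "no_sni": 1.0 if not s.sni else 0.0,
        "legacy_tls": 1.0 if s.tls_version in ("TLSv1", "TLSv1.1") else 0.0,
        "nonstandard_port": 1.0 if s.dst_port not in (443, 8443) else 0.0,
    }


# Assumption: stand-in for the trained model, logistic scorer with constructed weights.
WEIGHTS = {"upload_ratio": 2.5, "log_duration": 0.4, "no_sni": 1.8,
           "legacy_tls": 1.2, "nonstandard_port": 1.5}
BIAS, THRESHOLD = -3.5, 0.5


def score(features: dict) -> float:
    """Probability that the session is suspicious under the stand-in model."""
    z = BIAS + sum(WEIGHTS[k] * v for k, v in features.items())
    return 1.0 / (1.0 + math.exp(-z))


class Database:
    """The three tables named in the claim plus the stored determination results."""
    def __init__(self):
        self.info = {"inbound": {}, "outbound": {}}  # session info, split by direction
        self.features = {}                            # session_id -> feature dict
        self.flags = {}                               # session_id -> reason flagged
        self.verdicts = {}                            # session_id -> model score


class Detector:
    def __init__(self, db: Database):
        self.db = db

    def process(self, s: Session) -> bool:
        """Store, featurize, score and flag one session; redetermine after outbound verdicts."""
        d = direction(s)
        self.db.info[d][s.session_id] = s
        feats = extract_features(s)
        self.db.features[s.session_id] = feats
        p = score(feats)
        self.db.verdicts[s.session_id] = p
        suspicious = p >= THRESHOLD
        if suspicious:
            self.db.flags[s.session_id] = "model"
            if d == "outbound":
                self.redetermine(s)
        return suspicious

    def redetermine(self, out: Session) -> list:
        """Assumed rule: an earlier, individually benign inbound session from the same
        external endpoint to the same internal host is re-flagged once that host's
        outbound session to the endpoint is suspicious (inbound exploit, outbound callback)."""
        reflagged = []
        for sid, inb in self.db.info["inbound"].items():
            if (inb.src_ip == out.dst_ip and inb.dst_ip == out.src_ip
                    and inb.start_ts <= out.start_ts and sid not in self.db.flags):
                self.db.flags[sid] = f"redetermined:{out.session_id}"
                reflagged.append(sid)
        return reflagged


# Constructed sessions: inbound to an internal server, an unrelated inbound session,
# a benign outbound download, then a short upload-heavy outbound callback without SNI.
SESSIONS = [
    Session("s1", 100, "203.0.113.7", "10.0.0.5", 443, 4000, 60000, 30.0, "intranet.example", "TLSv1.2"),
    Session("s2", 110, "192.0.2.33", "10.0.0.5", 443, 2000, 30000, 5.0, "intranet.example", "TLSv1.3"),
    Session("s3", 150, "10.0.0.9", "198.51.100.20", 443, 1500, 250000, 12.0, "cdn.example.net", "TLSv1.3"),
    Session("s4", 200, "10.0.0.5", "203.0.113.7", 4443, 900, 100, 2.0, "", "TLSv1.2"),
]


def run_demo(sessions=SESSIONS) -> Database:
    """Feed sessions in time order and return the populated database."""
    db = Database()
    det = Detector(db)
    for s in sorted(sessions, key=lambda x: x.start_ts):
        det.process(s)
    return db


if __name__ == "__main__":
    db = run_demo()
    for sid in sorted(db.verdicts):
        print(sid, f"score={db.verdicts[sid]:.2f}", db.flags.get(sid, "-"))
```

Running it, s4 is flagged by the scorer alone, and s1, which scored low when seen in isolation, is re-flagged as `redetermined:s4` because it joins the same two endpoints; s2 and s3 stay unflagged. The claim fixes only the structure (direction-split session table, feature table, flag table, redetermination of stored inbound verdicts from outbound verdicts), so the scorer and the redetermination rule here are illustrative placeholders; a deployed model would be trained on the feature table, and a redetermination pass could lower an inbound verdict as well as raise it, which this sketch does not do.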