US 12,437,061 B2
Log generation apparatus, abnormality detection system, log generation method, and non-transitory computer readable medium
Daichi Hasumi, Tokyo (JP)
Assigned to NEC CORPORATION, Tokyo (JP)
Appl. No. 18/574,401
Filed by NEC Corporation, Tokyo (JP)
PCT Filed Jul. 2, 2021, PCT No. PCT/JP2021/025188
§ 371(c)(1), (2) Date Dec. 27, 2023,
PCT Pub. No. WO2023/276154, PCT Pub. Date Jan. 5, 2023.
Prior Publication US 2024/0338436 A1, Oct. 10, 2024
Int. Cl. G06F 21/00 (2013.01); G06F 21/55 (2013.01)
CPC G06F 21/552 (2013.01)
11 Claims
 
1. An abnormality detection system comprising:
a log generation apparatus; and
an abnormality detection apparatus configured to detect an abnormality by using a user operation log group,
wherein the log generation apparatus comprises:
at least one first memory storing first instructions; and
at least one first processor configured to execute the first instructions to:
collect input operation logs in which an operation event of an input device is recorded;
collect information logs in which a process event related to processing performed by an information apparatus connected to the input device is recorded, the information logs being different from the input operation logs;
generate, based on the information logs and the input operation logs, a user operation log including identification information of an application, the application being one which is inferred from the input operation logs and for which the processing is performed; and
generate, as a log group for detecting an abnormality, the user operation log group including the user operation logs arranged in an order according to times of occurrences of operation events or process events,
and wherein the abnormality detection apparatus comprises:
at least one second memory storing second instructions; and
at least one second processor configured to execute the second instructions to:
collect a plurality of user operation log groups;
extract, for each of the user operation log groups, a user operation log included in a window indicating a predetermined period from the user operation log group;
calculate similarity between the user operation log groups by using at least identification information of an application included in user operation logs constituting a respective user operation log group and a type of an input operation included in the user operation logs, including
calculating similarity between each pair of the user operation log groups based on window similarity between the user operation logs of the pair of the user operation log groups included in the window extracted for each of the user operation log groups; and
determine whether an abnormality is detected or not based on the similarity between the user operation log groups.
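
The pipeline recited in claim 1, sketched as an added Python example (not code from the patent or from NEC). Assumptions not stated in the claim: each input event is attributed to the application of the most recent process event, window similarity is Jaccard over (application, operation type) pairs, group similarity is the mean over aligned windows, and a group is abnormal when its mean similarity to the other groups falls below a threshold; all function names and sample logs are constructed.

```python
from bisect import bisect_right
from itertools import combinations

def build_group(input_logs, info_logs):
    """Merge [(t, op_type)] input logs with [(t, app_id)] information logs, ordered by time."""
    info = sorted(info_logs)
    times = [t for t, _ in info]
    group = []
    for t, op in sorted(input_logs):
        i = bisect_right(times, t) - 1           # latest process event at or before t
        app = info[i][1] if i >= 0 else "unknown"  # assumed inference rule
        group.append((t, app, op))
    return group

def window(group, start, length):
    """Set of (app, op_type) pairs for user operation logs in [start, start + length)."""
    return {(app, op) for t, app, op in group if start <= t < start + length}

def jaccard(a, b):
    # Two empty windows are treated as identical (both users idle).
    return 1.0 if not a and not b else len(a & b) / len(a | b)

def group_similarity(g1, g2, length, span):
    """Mean window similarity over aligned windows covering [0, span)."""
    starts = range(0, span, length)
    return sum(jaccard(window(g1, s, length), window(g2, s, length)) for s in starts) / len(starts)

def detect(groups, length, span, threshold):
    """Names of groups whose mean similarity to every other group is below threshold."""
    sims = {name: [] for name in groups}
    for a, b in combinations(groups, 2):
        s = group_similarity(groups[a], groups[b], length, span)
        sims[a].append(s)
        sims[b].append(s)
    return sorted(n for n, v in sims.items() if v and sum(v) / len(v) < threshold)

# Constructed sample logs; times are seconds from session start.
INFO = {
    "alice": [(0, "editor"), (60, "browser")],
    "bob": [(0, "editor"), (65, "browser")],
    "carol": [(0, "terminal"), (60, "filemanager")],
}
INPUT = {
    "alice": [(5, "key"), (30, "key"), (70, "click"), (90, "scroll")],
    "bob": [(8, "key"), (40, "key"), (75, "click"), (100, "scroll")],
    "carol": [(5, "key"), (20, "paste"), (70, "drag"), (95, "click")],
}
GROUPS = {user: build_group(INPUT[user], INFO[user]) for user in INFO}
```

With 60-second windows over a 120-second span and a threshold of 0.25, `detect(GROUPS, 60, 120, 0.25)` flags only the group whose application and operation mix differs from the other two.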