US 12,452,266 B2
Abnormal communication discrimination apparatus, abnormal communication discrimination method, and abnormal communication response system
Mayuko Tanaka, Tokyo (JP)
Assigned to HITACHI, LTD., Tokyo (JP)
Filed by Hitachi, Ltd., Tokyo (JP)
Filed on Nov. 29, 2023, as Appl. No. 18/523,207.
Claims priority of application No. 2022-205896 (JP), filed on Dec. 22, 2022.
Prior Publication US 2024/0214400 A1, Jun. 27, 2024
Int. Cl. H04L 9/40 (2022.01); H04L 41/22 (2022.01)
CPC H04L 63/1416 (2013.01) [H04L 41/22 (2013.01); H04L 63/1425 (2013.01)]
6 Claims
1. An abnormal communication discrimination apparatus that discriminates a cause of abnormal communication detected in a monitoring target system in which an apparatus operates,
the abnormal communication discrimination apparatus further comprising:
a storage section for retaining therein
an eventual feature table that retains therein records each of which stores, for each abnormal communication detection event, a discrimination event class indicative of whether abnormal communication is caused by a cyber-attack or by a failure of the apparatus of the monitoring target system, and
a statistical feature table that retains therein records each of which stores, for each condition in which a statistical amount of abnormal communication holds, a discrimination event class indicative of whether abnormal communication is caused by a cyber-attack or by a failure of the apparatus of the monitoring target system,
receiving abnormal communication detection information from an abnormal communication detection information transmission section in the monitoring target system,
an eventual evaluation section, calculating, on a basis of the received abnormal communication detection information, an eventual evaluation value from each number of records to which the abnormal communication detection events of the eventual feature table are applicable and in which a value of the discrimination event class indicates whether abnormal communication is caused by a cyber-attack or by a failure of the apparatus of the monitoring target system,
a statistical evaluation section, calculating a statistical amount of abnormal communication from the received abnormal communication detection information, and
on a basis of the calculated statistical amount of abnormal communication, a statistical evaluation value from each number of records each of which satisfies a condition that a statistical amount of abnormal communication of the statistical feature table holds, the each number indicating whether abnormal communication is caused by a cyber-attack or by a failure of the apparatus of the monitoring target system, and
an abnormal communication class discrimination section, calculating, on a basis of the eventual evaluation value and the statistical evaluation value, a discrimination result evaluation value indicative of whether abnormal communication is caused by a cyber-attack or by a failure of the apparatus of the monitoring target system, and performing, on a basis of the discrimination result evaluation value, discrimination of whether abnormal communication is caused by a cyber-attack or by a failure of the apparatus of the monitoring target system.
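
A sketch of the two-table evaluation flow recited in claim 1, added here as an illustration and not taken from the patent. The table contents, field names, chosen statistics, and the formula that turns per-class record counts into evaluation values are all assumptions.

```python
# Added illustration; table contents, field names, statistics and the scoring
# formula are assumptions, not taken from the patent.
ATTACK, FAILURE = "cyber-attack", "failure"

# Event feature table: one record per detection event (constructed).
EVENT_FEATURES = [
    {"event": "unregistered_source", "cls": ATTACK},
    {"event": "unexpected_port", "cls": ATTACK},
    {"event": "cycle_timeout", "cls": FAILURE},
]

# Statistical feature table: one record per condition on a statistic (constructed).
STAT_FEATURES = [
    {"cond": lambda s: s["distinct_dst"] >= 5, "cls": ATTACK},
    {"cond": lambda s: s["distinct_src"] == 1 and s["distinct_dst"] == 1, "cls": FAILURE},
    {"cond": lambda s: s["count"] >= 3 and s["distinct_events"] == 1, "cls": FAILURE},
]

def score(classes):
    """Map per-class record counts to a value in [-1, 1]; positive leans attack."""
    a, f = classes.count(ATTACK), classes.count(FAILURE)
    return 0.0 if a + f == 0 else (a - f) / (a + f)

def event_evaluation(detections):
    seen = {d["event"] for d in detections}
    return score([r["cls"] for r in EVENT_FEATURES if r["event"] in seen])

def statistics(detections):
    return {
        "count": len(detections),
        "distinct_src": len({d["src"] for d in detections}),
        "distinct_dst": len({d["dst"] for d in detections}),
        "distinct_events": len({d["event"] for d in detections}),
    }

def statistical_evaluation(detections):
    stats = statistics(detections)
    return score([r["cls"] for r in STAT_FEATURES if r["cond"](stats)])

def discriminate(detections):
    value = (event_evaluation(detections) + statistical_evaluation(detections)) / 2
    if value == 0:
        return value, "undetermined"
    return value, ATTACK if value > 0 else FAILURE

# Constructed detection information: one source reaching many hosts, and one flaky link.
SCAN = [{"event": "unexpected_port", "src": "10.0.0.9", "dst": f"10.0.1.{i}"} for i in range(6)]
FLAKY = [{"event": "cycle_timeout", "src": "10.0.1.2", "dst": "10.0.1.3"} for _ in range(4)]
```

In the `SCAN` sample the statistical table gives mixed evidence (one attack condition and one failure condition hold), so the event evaluation value decides the combined result.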