Abstract: A traffic sensor includes processing circuitry configured to calculate a degree of spread of a range of normal communication indicated by a normal communication model for each of the normal communication model for detecting abnormal communication of an Internet of Things (IoT) device learned for each of the IoT device to be monitored, classify a normal communication model in which the degree of spread is less than a predetermined value as a normal communication model of an IoT device of a first model, and classify a normal communication model in which the degree of spread is equal to or greater than the predetermined value as a normal communication model of an IoT device of a second model, detect abnormal communication in the IoT device by using the normal communication model of the IoT device of the first model, and extract a feature amount.

Abstract: An analysis server accumulates an alert of communication determined not to be normal communication on the basis of a model indicating a feature of normal communication in a storage unit. Then, the analysis server performs clustering of alerts obtained by excluding an alert having a different category variable from communication data used for learning of the model from the accumulated alerts by using a feature amount of communication included in the alert. Thereafter, the analysis server determines, for each cluster generated by clustering, whether or not the cluster includes the same type of alert. Then, the analysis server outputs a result of clustering and a determination result as to whether or not each cluster includes the same type of alert.

Abstract: A detecting device includes a memory, and processing circuitry coupled to the memory and configured to collect communication information from a communication device, have a model learn a characteristic of the communication information by the communication device using the communication information collected for each of the communication devices, and input communication information on a detection target to the model, detect whether the communication information on the detection target indicates abnormal communication on the basis of an output result from the model, and have the model relearn at the learning when the number of detected abnormalities about the communication information during a predetermined evaluation period exceeds a first threshold value.

Abstract: An analysis server acquires observation information including a transmission source IP address, a transmission source MAC address, a transmission destination IP address, and a transmission destination MAC address in communication from each of sensing devices. The analysis server estimates a topology of a network on the basis of the acquired observation information. On the basis of the estimated topology, an analysis server creates a monitoring list indicating communication that is a target for transmission of the observation information for each sensing device such that any one sensing device on a path of the communication transmits the observation information of the communication for each piece of communication in the network, and transmits the monitoring list to the sensing device. Thereafter, each sensing device transmits the observation information of the communication to the analysis server on the basis of the monitoring list.

Abstract: An analysis device includes processing circuitry configured to acquire, from each network traffic sensor that monitors communication of an Internet of Things (IoT) device, a normal communication model that is used for monitoring the communication and indicates a characteristic of normal communication of the IoT device, cluster a normal communication model group of a same feature among acquired normal communication model groups, calculate a majority cluster that is a cluster having a largest number of normal communication models by using a result of the clustering, and calculate an average model of the normal communication model group belonging to the majority cluster, and notify the network traffic sensor serving as an acquisition source of the normal communication model of attribution information indicating whether or not the normal communication model belongs to the majority cluster and the average model.

Abstract: A creation device includes processing circuitry configured to collect pieces of information about IoT (Internet of Things) apparatuses connected to IoT gateways, and white lists stored in the IoT gateways, the white lists specifying content of communication allowed for each of the IoT apparatuses, calculate a feature value showing communication features of IoT apparatuses for each of the IoT gateways, and degrees of similarity in the feature value among the IoT gateways, based on the collected pieces of information about the IoT apparatuses, and extract, if any of the calculated similarity degrees is equal to or above a predetermined threshold, pieces of white list information about IoT apparatuses to mutually complement white lists stored in IoT gateways, from pieces of white list information about IoT apparatuses included in the white lists.

Abstract: An identifying device (10) includes a preprocessing (11) that extracts a communication connection pattern including a set of a communication source identifier and a communication destination identifier from traffic data, a comparing unit (131) that adds an ID to a communication connection pattern group including a new communication connection pattern not included in a whitelist when the new communication connection pattern is present in the communication connection pattern group, a graph feature amount generating unit (14) that generates a graph feature amount of the communication connection pattern group to which the ID has been added and adds this ID to the graph feature amount, an abnormality determining unit (16) that determines whether the generated graph feature amount is normal using a model (161) having learned the graph feature amount, and an identifying unit (132) that retrieves a new communication.

Abstract: A collection unit (15a) collects information on IoT devices connected to IoT gateways and white lists of the IoT devices, retained by the IoT gateways. An extraction unit (15b) extracts white lists of IoT devices that satisfies a prescribed condition related to the number of the IoT devices of each model or the number of installed locations of the IoT devices of each model from the collected white lists of the IoT devices using the collected information on the IoT devices so as to create a tentative white list. A coupling unit (15c) couples the created tentative white list and the white lists retained by the respective IoT gateways together so as to create a white list applied to the respective IoT gateways.

Abstract: In a communication network system (1), each of a plurality of management devices (20) generates an individual whitelist, which is individually generated in each of a plurality of management devices (20), and is related to a communication destination of an IoT device (30A) connected to an own management device, and uploads a generated individual whitelist to a server device (10), the server device collects the plurality of individual whitelists uploaded from each of the plurality of management devices (20), generates an aggregated whitelist that is an aggregated result of the plurality of individual whitelists, and distributes the generated aggregated whitelist to each of the plurality of management devices (20), and each of the plurality of management devices (20) acquires the aggregated whitelist distributed from the server device (10), and updates the individual whitelist generated by an own management device based on the aggregated whitelist.

Abstract: Provided is an IoT GW (10), including a learning unit (131) configured to create, for each IoT device connected to the IoT GW (10), a normal communication model (122) that has learned a normal communication pattern of the IoT device; and a determination unit (132) configured to: determine, for learning by the learning unit (131), whether to interrupt, finish, continue, and resume learning based on a load of a learning environment; and control learning processing by the learning unit (131) based on a result of determination.

Abstract: A determination apparatus according to a first embodiment collects information regarding communication performed by an IoT device. The determination apparatus extracts patterns used for detecting unauthorized communication performed by the IoT device from information that has been collected. Also, the determination apparatus approximates a change in the cumulative value of the number of patterns to a function that expresses a predetermined curve, thereby calculating the degree of convergence of the change. Also, the determination apparatus determines whether or not the degree of convergence is no less than a predetermined value.

Abstract: A communication control apparatus includes a collection control unit, an analysis unit, and a coordination unit. The collection control unit collects communication performed with a device connected to a subordinate network, and controls communication performed by the device based on a first control condition; The analysis unit analyzes the communication collected by the collection control unit to extract device identification information indicating characteristics of the communication performed by the device. The analysis unit specifies a device name of the device and the first control condition corresponding to a normal communication range extracted from the device identification information, based on the device identification information.

Abstract: Provided is an IoT GW (10), including a learning unit (131) configured to create, for each IoT device connected to the IoT GW (10), a normal communication model (122) that has learned a normal communication pattern of the IoT device; and a determination unit (132) configured to: determine, for learning by the learning unit (131), whether to interrupt, finish, continue, and resume learning based on a load of a learning environment; and control learning processing by the learning unit (131) based on a result of determination.

Abstract: A communication terminal apparatus includes processing circuitry configured to collect communication of an application and control the communication of the application based on a first control condition, analyze the communication collected to determine whether the application is a communication control target, and generate the first control condition based on a normal communication range of the application that is the communication control target, and transmit at least a part of first shared information including identification information about the application and the first control condition to a second communication terminal apparatus that is different from the communication terminal apparatus.

Abstract: A creation device includes processing circuitry configured to collect pieces of information about IoT (Internet of Things) apparatuses connected to IoT gateways, and white lists stored in the IoT gateways, the white lists specifying content of communication allowed for each of the IoT apparatuses, calculate a feature value showing communication features of IoT apparatuses for each of the IoT gateways, and degrees of similarity in the feature value among the IoT gateways, based on the collected pieces of information about the IoT apparatuses, and extract, if any of the calculated similarity degrees is equal to or above a predetermined threshold, pieces of white list information about IoT apparatuses to mutually complement white lists stored in IoT gateways, from pieces of white list information about IoT apparatuses included in the white lists.

Abstract: A determination apparatus according to a first embodiment collects information regarding communication performed by an IoT device. The determination apparatus extracts patterns used for detecting unauthorized communication performed by the IoT device from information that has been collected. Also, the determination apparatus approximates a change in the cumulative value of the number of patterns to a function that expresses a predetermined curve, thereby calculating the degree of convergence of the change. Also, the determination apparatus determines whether or not the degree of convergence is no less than a predetermined value.

Abstract: An identifying device (10) includes a preprocessing (11) that extracts a communication connection pattern including a set of a communication source identifier and a communication destination identifier from traffic data, a comparing unit (131) that adds an ID to a communication connection pattern group including a new communication connection pattern not included in a whitelist when the new communication connection pattern is present in the communication connection pattern group, a graph feature amount generating unit (14) that generates a graph feature amount of the communication connection pattern group to which the ID has been added and adds this ID to the graph feature amount, an abnormality determining unit (16) that determines whether the generated graph feature amount is normal using a model (161) having learned the graph feature amount, and an identifying unit (132) that retrieves a new communication.

Abstract: A security measure invalidation prevention device includes an acquisition unit that acquires invalidated security point information about an invalidated security point among security points each having a measure function performing a security measure on a node connected to a network. The invalidated security point has a measure function to be invalidated. The device also includes a determination unit that determines whether a security event to be addressed with the measure function of the invalidated security point is present on the basis of the invalidated security point information acquired by the acquisition unit. The device further includes an extraction unit that extracts a security point to which the measure function of the invalidated security point can be shifted when the determination unit determines that the security event is present.

Abstract: A specifying device receives detection information from a security device that detects hacking into a network or an activity of a terminal related to infection, and specifies a state of the terminal from information of the terminal and content of activity of the terminal included in the detection information. The specifying device specifies, when specifying that the terminal is in the state of being infected with malware, a terminal that may be infected before performing the content of the activity of the terminal included in the detection information based on connection information stored in a configuration information storage device, and specifies a terminal located on a route, along which the infected terminal is likely to be used for hacking or for infection of the terminal in the future, as a candidate for an infected terminal likely to be infected.

Abstract: A communication control apparatus includes a collection control unit, an analysis unit, and a coordination unit. The collection control unit collects communication performed with a device connected to a subordinate network, and controls communication performed by the device based on a first control condition; The analysis unit analyzes the communication collected by the collection control unit to extract device identification information indicating characteristics of the communication performed by the device. The analysis unit specifies a device name of the device and the first control condition corresponding to a normal communication range extracted from the device identification information, based on the device identification information.