Log analyzing system and method
Abstract
Proposed are a log analyzing system and a log analyzing method capable of more effectively defending a control system from unauthorized access. The log analyzing system which analyzes a communication log of a control device comprises a network device which receives a communication packet corresponding to the communication log from a network, and a monitoring device which monitors communication to the network device, wherein the monitoring device obtains a difference between a communication pattern of the communication packet and a stable pattern, which is a pattern of a communication in a state of no unauthorized access, restores the communication packet based on the difference, and notifies the restored communication packet.
6 Claims
1. A log analyzing system which analyzes a log of communications of a control device, the log analyzing system comprising:
- a network device which receives a plurality of communication packets corresponding to the communications of the control device from a network; and
- a monitoring device which monitors the plurality of communication packets to the network device including reception times and reception sizes of the plurality of communication packets, wherein the monitoring device is programmed to:
  - create time series data indicating respective reception times and reception sizes of the plurality of communication packets,
  - frequency convert the time series data to generate information of respective frequencies and strength of the plurality of communication packets based on the respective reception times and reception sizes of the plurality of communication packets,
  - extract an abnormal pattern by determining a difference between the frequency-converted time series data and a predetermined stable pattern representing communication in a state of no unauthorized access, and
  - inverse frequency convert the extracted abnormal pattern to acquire one or more respective times and sizes of one or more abnormal communication packets among the plurality of communication packets, and
  - output the one or more abnormal communication packets including the respective times and sizes thereof.
6. A log analyzing method in a log analyzing system which analyzes a log of communications of a control device, wherein the log analyzing system includes:
- a network device which receives a plurality of communication packets corresponding to the communications of the control device from a network; and
- a monitoring device which monitors the plurality of communication to the network device,

the log analyzing method comprising:
- creating time series data indicating respective reception times and reception sizes of the plurality of communication packets,
- frequency converting the time series data to generate information of respective frequencies and strength of the plurality of communication packets based on the respective reception times and reception sizes of the plurality of communication packets,
- extracting an abnormal pattern by determining a difference between the frequency-converted time series data and a predetermined stable pattern representing communication in a state of no unauthorized access, and
- inverse frequency converting the extracted abnormal pattern to acquire one or more respective times and sizes of one or more abnormal communication packets among the plurality of communication packets, and
- outputting the one or more abnormal communication packets including the respective times and sizes thereof.
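The claimed steps can be sketched in code. This is an added example, not code from the patent. It assumes 1-second time slots, a stable pattern stored as per-frequency strength (magnitude), and a 500-byte threshold; all function names are hypothetical.

```python
import cmath
from collections import defaultdict

def dft(x, inverse=False):
    """Naive O(n^2) discrete Fourier transform; enough for a short window."""
    n, sign = len(x), (1 if inverse else -1)
    out = [sum(x[t] * cmath.exp(sign * 2j * cmath.pi * k * t / n) for t in range(n))
           for k in range(n)]
    return [v / n for v in out] if inverse else out

def to_series(packets, n_slots, slot=1.0):
    """Time series data: bytes received per slot, plus the packets in each slot."""
    series, by_slot = [0.0] * n_slots, defaultdict(list)
    for t, size in packets:
        i = int(t // slot)
        if 0 <= i < n_slots:
            series[i] += size
            by_slot[i].append((t, size))
    return series, by_slot

def stable_pattern(clean_packets, n_slots):
    """Strength per frequency of traffic captured with no unauthorized access."""
    series, _ = to_series(clean_packets, n_slots)
    return [abs(v) for v in dft(series)]

def abnormal_packets(packets, stable, threshold):
    """Return (time, size) of packets in slots the stable pattern cannot explain."""
    series, by_slot = to_series(packets, len(stable))
    spectrum = dft(series)
    # Difference in strength per frequency. The observed phase is kept
    # (assumption) so the inverse transform can place the residue in time;
    # a bin with zero observed strength contributes nothing.
    residue = [(abs(v) - s) * (v / abs(v)) if abs(v) > 0 else 0j
               for v, s in zip(spectrum, stable)]
    restored = dft(residue, inverse=True)
    flagged = [i for i, v in enumerate(restored) if v.real > threshold]
    return [p for i in flagged for p in by_slot[i]]

# Constructed sample: a 100-byte poll every 8 s. The observed window starts
# 3 s later in the polling cycle and carries one extra 1400-byte packet.
N = 64
CLEAN = [(float(t), 100) for t in range(0, N, 8)]
SHIFTED = [(t + 3.0, size) for t, size in CLEAN]
OBSERVED = sorted(SHIFTED + [(21.4, 1400)])
STABLE = stable_pattern(CLEAN, N)

if __name__ == "__main__":
    print(abnormal_packets(OBSERVED, STABLE, threshold=500))
```

Because the comparison is made on strength per frequency, the 3-second shift of the polling cycle does not raise an alert, whereas a slot-by-slot subtraction of the two time series would flag every shifted poll.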
Specification