The invention relates to an inference apparatus and an inference method for performing inference for deriving a hypothesis with respect to observed events, and further relates to a computer-readable recording medium having recorded thereon a program for realizing the apparatus and method.
In cyber security, when a certain event is observed in a system of an organization, it needs to be determined, for example, whether the observed event has been caused by a cyber-attack. Applying abduction is a promising way of making such a determination.
Abduction is inference for deriving a best hypothesis with respect to observed events using inference knowledge (plurality of rules) given by logical formulas and an event that has been observed (observed event). A case where abduction is applied to the above-described determination as to whether or not a cyber-attack has been executed on a system will be described as an example. Whether or not there was a cyber-attack is determined by deriving a hypothesis using rules prepared in advance for the system and the observed event.
Moreover, abduction includes weighted abduction, disclosed in Non-Patent Document 1, for specifying a best hypothesis from a plurality of hypothesis candidates. In weighted abduction, weights are assigned to rules, and costs are assigned to observed events. Next, hypothesis candidates are generated by performing a backward reasoning operation with respect to the weighted rules and the observed events with cost. Also, a cost is calculated for each hypothesis candidate by performing a unification operation, and a hypothesis is specified from the generated hypothesis candidates based on the calculated costs. Note that, for the hypothesis candidates, the smaller the cost, the better the hypothesis. The hypothesis candidate with the minimum cost is also referred to as a solution hypothesis.
Non-Patent Document 1: J. R. Hobbs, M. Stickel, P. Martin, and D. Edwards, “Interpretation as abduction”, Artificial Intelligence, Vol. 63, pp. 69-142, 1993.
However, abduction uses logical formulas, and therefore a numerical relationship cannot be handled. For example, it is desirable to reflect numerical relationships in abduction in cases such as the following: when a plurality of evidences (observed events) are obtained, the closer the times at which the evidences were obtained, the more related to each other the evidences should be regarded; and when evidences of the same type are obtained, the evidence that was observed earlier should be adopted. However, such a numerical relationship is difficult to represent by a logical formula.
An example object of the invention, as one aspect, is to provide an inference apparatus, an inference method and a computer-readable recording medium, with which a numerical relationship can be reflected on abduction.
In order to achieve the example object described above, an inference apparatus according to an example aspect includes:
Also, in order to achieve the example object described above, an inference method according to an example aspect includes:
Furthermore, in order to achieve the example object described above, a computer-readable recording medium according to an example aspect includes a program recorded on the computer-readable recording medium, the program including instructions that cause the computer to carry out:
As one aspect, it is possible to reflect numerical relationships on abduction.
First, an outline will be described for facilitating understanding of the example embodiments described below.
In the following example embodiments, cyber security is taken as an example, and the fact that a numerical relationship is difficult to be represented in weighted abduction will be described using
Note that, in the example embodiments, a description will be given taking cyber security as an example, but the technique described in the example embodiments can also be applied to fields other than cyber security.
First, using
The example in
In the example in
Next, in the example in
However, in the example in
When the solution 1 and the solution 2 are compared: in the solution 1, the terms of the observation literal A(T1) and the observation literal B(T1) are both T1, and the terms of the observation literal C(T2) and the observation literal B(T2) are both T2; in contrast, in the solution 2, the terms of the observation literal A(T1) and the observation literal B(T2) differ, and the terms of the observation literal C(T2) and the observation literal B(T1) also differ. In such a case, the combination in which the times at which the evidences were observed are close should be preferentially selected; that is, it is appropriate to regard the solution 1, in which the terms of the observation literals are the same, as best.
Therefore, a method is conceivable for regarding the solution 1 as best using a logical formula. For example, rules as shown in Formula 3 are prepared. In Formula 3, A(t1) and B(t2) are required as evidences of X(n), and furthermore the case where the values of the terms are the same (t1 = t2) and the case where the values of the terms are different (t1 != t2) are both considered.
Also, weights are adjusted such that the evaluation by an evaluation function is improved when the rule in the first line in Formula 3 is used relative to when the rule in the second line in Formula 3 is used.
However, if the number of literals in antecedents of rules is increased, the number of rules explosively increases. For example, as a result of merely increasing the number of literals (A(t1), B(t2), and C(t3)) of antecedents to three, the number of rules is increased as shown in Formula 4, if sameness and difference of terms (t1, t2, t3) are considered.
Therefore, when the number of rules is increased, the solution search space is expanded, and the inference calculation time increases. Also, when the number of rules is increased, the cost of maintaining the rules also increases.
Furthermore, as described above, when logical formulas are used, only whether or not the terms are the same can be handled, because logical formulas can only express true or false. Therefore, a continuous numerical value indicating the closeness in time cannot be handled. As a result, when a plurality of observation literals are unified, a combination of observation literals whose term values are close cannot be preferentially selected.
Next, the fact that attack means cannot be arranged in the order of first appearance using only weighted abduction will be described using
The example shown in
In the example in
Next, in the example in
However, the solution 3 and the solution 4 that achieve a minimum cost are generated. The reason why the solution 3 and the solution 4 are generated is because, in the example in
Moreover, this is because each of the evidences A, B, and C, which are observed events, can only be regarded as the same as one of the evidences A, B, and C derived from the attack means X, or as the same as one of the evidences A, B, and C derived from the attack means Y.
When the solution 3 and the solution 4 are compared: in the solution 3, the term of the observation literal A(T1) is T1 and the term of the observation literal C(T2) is T2; in contrast, in the solution 4, the term of the observation literal A(T3) is T3 and the term of the observation literal C(T2) is T2. In such a case, because the attack means X and Y are actually executed in the order X→Y→X, it is appropriate to regard the solution 3, in which the attack means X and Y are arranged in the order of first appearance X→Y, as best. Note that the solution 4 is not appropriate because in it the attack means X and Y are arranged in the order Y→X.
Therefore, a method is conceivable for regarding the solution 3 as best using a logical formula. For example, a case where a sequence (time) of executing attack means is included in the rule is considered.
However, if the number of literals in antecedents of rules is increased, the number of rules explosively increases. For example, as a result of merely increasing the number of literals (A(t1), B(t2), C(t2), and B(t3)) of antecedents to four, if the sequence (temporal sequence) of t1, t2, and t3 is considered, the number of rules increases.
Also, if the temporal sequence is increased, the number of rules further increases. Therefore, when the number of rules is increased, the solution search space is expanded, and the inference calculation time increases. Also, when the number of rules is increased, the cost for maintaining the rules also increases.
Furthermore, as described above, when logical formulas are used, only whether or not the terms are the same can be handled, because logical formulas can only express true or false. Therefore, the temporal sequence, which is a continuous numerical value, cannot be handled. As a result, when a plurality of observation literals are unified, the literals cannot be preferentially selected in the order of first appearance.
Through such a process, the inventor has found a problem that a numerical relationship cannot be reflected with only the weighted inference disclosed in Non-Patent Document 1 and the like. Also, the inventor has derived a means for solving the problem.
That is, the inventor has derived a means for, when a plurality of observation literals are unified, preferentially selecting a combination in which the values of the terms of observation literals are close, or a means for preferentially selecting a combination in which attack means are arranged in the order of first appearance. As a result, the numerical relationship can be reflected on abduction.
Hereinafter, the example embodiments will be described with reference to the drawings. Note that, in the drawings described below, the elements that have the same or corresponding functions are given the same reference numerals and description thereof may not be repeated.
The configuration of an inference apparatus according to the example embodiment will be described using
An inference apparatus 10 shown in
Among these units, the abduction unit 11 executes abduction by applying inference knowledge including a plurality of rules that are represented by logical formulas to an observation logical formula that represents an observed fact using a logical formula. The replacing unit 12 replaces one observation literal of a solution hypothesis generated by abduction with another observation literal having a predicate that is the same as the predicate of the one observation literal.
In the example embodiment, as a result of using the abduction unit 11 and the replacing unit 12, as described above, a numerical relationship can be reflected on the abduction.
The configuration of the inference apparatus 10 in the example embodiment will be more specifically described using
As shown in
The inference apparatus 10 includes the abduction unit 11, the replacing unit 12, a selecting unit 13, and an output information generating unit 14. The inference apparatus 10 is an information processing apparatus such as a server computer or a personal computer on which a programmable device such as a CPU (Central Processing Unit) or an FPGA (Field-Programmable Gate Array) or both of the programmable devices are mounted, for example. Note that the details of the inference apparatus 10 will be described later.
The storage apparatus 20 includes observation logical formulas 21 and inference knowledge 22. The storage apparatus 20 is a database or a storage, a server computer, or the like. The observation logical formulas 21 are obtained by representing observed facts by logical formulas (conjunctions of first-order predicate logic literals). The inference knowledge 22 includes a plurality of rules (logical formula set) represented by logical formulas.
The storage apparatus 20 is provided outside the inference apparatus 10 in the example in
The output apparatus 30 acquires later-described output information that is converted, by the output information generating unit 14, into a format that can be output, and outputs images, audio and the like generated based on this output information. The output apparatus 30 is an image display apparatus that uses liquid crystal, organic EL (ElectroLuminescence) or a CRT (Cathode Ray Tube). Furthermore, the image display apparatus may include an audio output apparatus such as a speaker, and the like. Note that the output apparatus 30 may also be a printing device such as a printer.
The inference apparatus will be described.
The abduction unit 11 executes weighted abduction by, specifically, applying inference knowledge stored in the storage apparatus 20 shown in
The replacing unit 12, specifically, replaces an observation literal that is unified with a hypothesis literal of a solution hypothesis generated by the weighted abduction with another observation literal having a predicate that is the same as the predicate of the observation literal. Note that, when the aforementioned replacement is performed, if the costs of observation literals having the same predicate are the same, the overall cost of the solution does not change.
Also, the replacing unit 12, if a hypothesis literal derived from an observation literal is unified, replaces the observation literal with another observation literal having a predicate that is the same as the predicate of the observation literal.
Moreover, if a term included in an observation literal to be replaced corresponds to a term that is in common between a plurality of literals of the rule, the replacing unit 12 replaces the observation literal with another observation literal including a term corresponding to the term in common.
Therefore, it is possible to replace the observation literal A(T1,X) corresponding to the hypothesis literal A(t1,x) with another observation literal having the same predicate, independently from observation literals B(T2,Y) and C(T3,Y,Z) that have different predicates.
For example, the observation literal A(T1,X) can be replaced with an observation literal A(T1,X1), A(T1,X2), A(T3,X3), or the like that has the same predicate.
The term y of a hypothesis literal B(t2,y) is also included in C(t3,y,z), as confirmed by referring to the rule in Formula 6, and therefore influences other observation literals. The term z of the hypothesis literal C(t3,y,z) is not included in the hypothesis literals A(t1,x) and B(t2,y), as confirmed by referring to the rule in Formula 6, and therefore does not influence other observation literals.
Therefore, when the observation literal B(T2,Y) and the observation literal C(T3,Y,Z) are replaced, these literals need to be replaced with other observation literals including a term corresponding to the term Y in common. That is, the observation literal B(T2,Y) and the observation literal C(T3,Y,Z) cannot be independently replaced, and a combination in which both of the literals can be replaced needs to be considered.
For example, the observation literal B(T2,Y) and the observation literal C(T3,Y,Z) can be replaced with combinations such as a combination of an observation literal B(T2,Y1) and an observation literal C(T3,Y1,Z1), which include the term Y1 in common, or a combination of the observation literal B(T2,Y1) and an observation literal C(T3,Y1,Z3), which also include the term Y1 in common. However, an observation literal C(T3,Y2,Z1) does not include the term Y1 in common, and therefore replacement is not possible with the combination of the observation literal B(T2,Y1) and the observation literal C(T3,Y2,Z1).
The selecting unit 13 evaluates each of the generated replacement combinations between observation literals using an evaluation function expressing a numerical relationship, and selects a combination for which the evaluation result matches a preset condition.
The output information generating unit 14 generates output information for causing the output apparatus 30 to output the result of abduction, the generated replacement combinations between observation literals, the evaluation function, an evaluation result for each combination, and the like, and outputs the output information to the output apparatus 30.
The replacing unit 12, first, extracts observation literals. In the example in
Next, the replacing unit 12 generates, with respect to the observation literals A(T1), B(T2), C(T3), B(T1), C(T2), and goal(N), combinations of observation literals that can be replaced with other observation literals having the same predicate, as shown in Formula 9.
Here, B(T2)→B(T1) represents that the left side of the arrow indicates an observation literal B(T2) in the solution shown in
Next, the selecting unit 13 obtains an evaluation result using an evaluation function for each of the generated combinations of the observation literals to be replaced. The selecting unit 13 selects a combination for which the evaluation result matches a condition.
Regarding the evaluation function, when a hypothesis in which closeness in time is achieved is to be obtained, for example, evaluation is performed using an evaluation function such as evaluation result R = (closeness in time between evidences A and B related to X) + (closeness in time between evidences B and C related to Y). In the example in
Next, the selecting unit 13 selects, from the evaluation results (evaluation values: R1 to R4), a combination corresponding to an evaluation result that matches a preset condition, for example, a combination corresponding to the smallest evaluation value R4.
According to Example 1, with respect to the evidences A and B related to the attack means X and the evidences C and B related to the attack means Y, a hypothesis in which closeness in time is achieved can be obtained.
The replacing unit 12, first, extracts observation literals. In the example in
Next, the replacing unit 12 generates combinations of observation literals to be replaced. In the example in
Here, A(T3)→A(T1) represents that the left side of the arrow indicates a solution observation literal A(T3) shown in
Next, the selecting unit 13 obtains an evaluation result using an evaluation function for each of the generated combinations of the observation literals to be replaced. The selecting unit 13 selects a combination for which the evaluation result matches a condition.
Regarding the evaluation function, when a hypothesis in which closeness in time is achieved is to be obtained, for example, evaluation is performed using an evaluation function such as evaluation result R = (time of X portion) + (time of Y portion). In the example in
Next, the selecting unit 13 selects, from the evaluation results (evaluation values: R1 to R4), a combination corresponding to an evaluation result that matches a preset condition, for example, the combination corresponding to the smallest evaluation value R2.
As described above, according to Example 2, a hypothesis in which the attack means X and Y are in the order of first appearance can be obtained.
Next, operations of the inference apparatus in the example embodiment will be described using
As shown in
Next, the replacing unit 12 extracts, in the result of weighted abduction, observation literals (step A2).
Next, the replacing unit 12 generates combinations of observation literals to be replaced (step A3). Note that, in step A3, the replacing unit 12 refers to the plurality of rules of the inference knowledge, and determines whether an extracted observation literal includes a term that is in common with another observation literal. Thereafter, if the term included in an observation literal to be replaced corresponds to a term in common between a plurality of literals of the rules, the replacing unit 12 replaces the observation literal to be replaced with another observation literal including a term corresponding to the term in common.
Next, the selecting unit 13 obtains an evaluation result for each combination using an evaluation function, and selects a combination for which the evaluation result matches a condition (step A4).
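The replacing step (A2 to A3) and the selecting step (A4) above, written out as an added Python example that is not the patent's own code. It assumes a rule antecedent in the shape of Formula 6 (A(t1,x), B(t2,y), C(t3,y,z), with y common to B and C), a constructed pool of observation literals, a constructed solution hypothesis standing in for the weighted abduction result of step A1, constructed numeric times for T1 to T3, and the closeness-in-time evaluation function R of Example 1.

```python
from itertools import product
from typing import Callable, Dict, List, NamedTuple, Optional


class Literal(NamedTuple):
    pred: str
    terms: tuple  # rule variables are lower-case (t1, y); observed constants upper-case (T1, Y1)


def is_var(term: str) -> bool:
    return term[0].islower()


# Assumed rule antecedent in the shape of Formula 6: A(t1,x), B(t2,y), C(t3,y,z).
# The variable y is common to B and C, so their replacements must agree on it.
HYP: Dict[str, Literal] = {
    "A": Literal("A", ("t1", "x")),
    "B": Literal("B", ("t2", "y")),
    "C": Literal("C", ("t3", "y", "z")),
}

# Constructed observation logical formula: the pool of observation literals.
OBS: List[Literal] = [
    Literal("A", ("T1", "X")), Literal("A", ("T3", "X2")),
    Literal("B", ("T3", "Y1")), Literal("B", ("T2", "Y1")), Literal("B", ("T1", "Y2")),
    Literal("C", ("T3", "Y1", "Z1")), Literal("C", ("T2", "Y2", "Z1")), Literal("C", ("T1", "Y1", "Z3")),
]

# Constructed solution hypothesis standing in for the weighted abduction result of
# step A1: the observation literal each hypothesis literal was unified with.
SOLUTION: Dict[str, Literal] = {
    "A": Literal("A", ("T1", "X")),
    "B": Literal("B", ("T3", "Y1")),
    "C": Literal("C", ("T3", "Y1", "Z1")),
}

# Constructed numeric values of the time constants; only the evaluation function uses them.
TIME = {"T1": 1.0, "T2": 2.0, "T3": 3.0}


def unify(hyp: Literal, obs: Literal) -> Optional[Dict[str, str]]:
    """Bind the variables of a hypothesis literal to the constants of an
    observation literal; None if predicate, arity or a repeated variable clash."""
    if hyp.pred != obs.pred or len(hyp.terms) != len(obs.terms):
        return None
    bound: Dict[str, str] = {}
    for h, o in zip(hyp.terms, obs.terms):
        if is_var(h):
            if bound.setdefault(h, o) != o:
                return None
        elif h != o:
            return None
    return bound


def consistent(hyp: Dict[str, Literal], choice: Dict[str, Literal]) -> bool:
    """A replacement is allowed only if every rule variable shared between
    literals (here y) is bound to a single constant across the whole choice."""
    shared: Dict[str, str] = {}
    for slot, obs in choice.items():
        bound = unify(hyp[slot], obs)
        if bound is None:
            return False
        for var, const in bound.items():
            if shared.setdefault(var, const) != const:
                return False
    return True


def replacement_combinations(hyp: Dict[str, Literal], pool: List[Literal]) -> List[Dict[str, Literal]]:
    """Step A3: assign to each hypothesis literal an observation literal with the
    same predicate, keeping only the assignments that respect the common terms."""
    slots = list(hyp)
    candidates = [[o for o in pool if o.pred == hyp[s].pred] for s in slots]
    combos = [dict(zip(slots, pick)) for pick in product(*candidates)]
    return [c for c in combos if consistent(hyp, c)]


def closeness_in_time(combo: Dict[str, Literal]) -> float:
    """Evaluation function R in the form of Example 1: |tA - tB| + |tB - tC|.
    The smaller R is, the closer in time the evidences are."""
    t_a, t_b, t_c = (TIME[combo[s].terms[0]] for s in ("A", "B", "C"))
    return abs(t_a - t_b) + abs(t_b - t_c)


def select_best(hyp: Dict[str, Literal], pool: List[Literal],
                evaluate: Callable[[Dict[str, Literal]], float]) -> Dict[str, Literal]:
    """Step A4: evaluate every combination and select the one with the smallest R."""
    return min(replacement_combinations(hyp, pool), key=evaluate)


if __name__ == "__main__":
    print("abduction solution: R =", closeness_in_time(SOLUTION))
    for combo in replacement_combinations(HYP, OBS):
        shown = ", ".join(f"{lit.pred}{lit.terms}" for lit in combo.values())
        print(f"{shown}: R = {closeness_in_time(combo)}")
    print("selected:", select_best(HYP, OBS, closeness_in_time))
```

Because every replacement keeps the predicate, the solution's abduction cost is unchanged whenever same-predicate observation literals carry equal cost, as the text notes, so only R decides; the combination B(T2,Y1) with C(T2,Y2,Z1) is rejected because y would have to bind to both Y1 and Y2.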
As described above, according to the example embodiment, a numerical relationship can be reflected on abduction, while retaining logical consistency, using a result obtained by the abduction.
Also, the number of rules is not increased, and the solution search space is not expanded, and therefore the inference calculation time can be suppressed compared with the case where the number of rules is increased. Also, in general, maintenance needs to be performed such that created rules are not in contradiction with each other, but since the number of rules is not increased, the rule maintenance cost can also be suppressed.
Also, the numerical relationship is evaluated after performing abduction, and therefore the evaluation function for the numerical relationship can be freely designed without receiving constraints of logical inference.
Also, a method is also conceivable in which, after obtaining a plurality of solution hypotheses that achieve a minimum cost by performing abduction, a desired solution hypothesis is selected considering a numerical relationship. However, depending on the method of abduction, there are cases where a plurality of times of abduction need to be performed in order to obtain a plurality of solution hypotheses. In contrast, according to the example embodiment, one solution hypothesis need only be obtained, and therefore abduction need only be performed once. Accordingly, a plurality of times of abduction need not be performed, and therefore processing time can be reduced.
The program according to an embodiment may be a program that causes a computer to execute steps A1 to A4 shown in
Also, the program according to the embodiment may be executed by a computer system constructed from a plurality of computers. In this case, for example, each computer may function as any of the abduction unit 11, the replacing unit 12, the selecting unit 13 and the output information generating unit 14.
Here, a computer that realizes an inference apparatus by executing the program according to an example embodiment will be described with reference to
As shown in
The CPU 111 loads the program (code) according to this example embodiment, which has been stored in the storage device 113, into the main memory 112 and performs various operations by executing the program in a predetermined order. The main memory 112 is typically a volatile storage device such as a DRAM (Dynamic Random Access Memory). Also, the program according to this example embodiment is provided stored in a computer-readable recording medium 120. Note that the program according to this example embodiment may also be distributed over the Internet, which is connected through the communications interface 117. Note that the recording medium 120 is a non-volatile recording medium.
Also, other than a hard disk drive, a semiconductor storage device such as a flash memory can be given as a specific example of the storage device 113. The input interface 114 mediates data transmission between the CPU 111 and an input device 118, which may be a keyboard or mouse. The display controller 115 is connected to a display device 119, and controls display on the display device 119.
The data reader/writer 116 mediates data transmission between the CPU 111 and the recording medium 120, and executes reading of a program from the recording medium 120 and writing of processing results in the computer 110 to the recording medium 120. The communications interface 117 mediates data transmission between the CPU 111 and other computers.
Also, general-purpose semiconductor storage devices such as CF (Compact Flash (registered trademark)) and SD (Secure Digital), a magnetic recording medium such as a Flexible Disk, or an optical recording medium such as a CD-ROM (Compact Disk Read-Only Memory) can be given as specific examples of the recording medium 120.
Also, instead of a computer in which a program is installed, the event analysis support apparatus 1 according to this example embodiment can also be realized by using hardware corresponding to each unit. Furthermore, a portion of the event analysis support apparatus 1 may be realized by a program, and the remaining portion realized by hardware.
Furthermore, the following supplementary notes are disclosed regarding the example embodiments described above. Some portion or all of the example embodiments described above can be realized according to (supplementary note 1) to (supplementary note 15) described below, but the below description does not limit the invention.
An inference apparatus comprising:
The inference apparatus according to Supplementary Note 1,
wherein the replacement unit replaces an observation literal unified with a hypothesis literal of the solution hypothesis with another observation literal including a predicate that is the same as the predicate of the observation literal.
The inference apparatus according to Supplementary Note 1,
wherein the replacement unit, if a hypothesis literal derived from an observation literal is unified, replaces the observation literal with another observation literal including a predicate that is the same as the predicate of the observation literal.
The inference apparatus according to any one of Supplementary Notes 1 to 3,
wherein the replacement unit, if a term included in the observation literal to be replaced corresponds to a term that is in common between a plurality of literals of the rules, replaces the observation literal with another observation literal including a term corresponding to the term that is in common.
The inference apparatus according to any one of Supplementary Notes 1 to 4, further comprising:
a selection unit that selects a combination that matches a preset condition using an evaluation function expressing a numerical relationship, for each generated replacement combination of the observation literals.
An inference method comprising:
The inference method according to Supplementary Note 6,
wherein, in the replacement step, an observation literal unified with a hypothesis literal of the solution hypothesis is replaced with another observation literal including a predicate that is the same as the predicate of the observation literal.
The inference method according to Supplementary Note 6,
wherein, in the replacement step, if a hypothesis literal derived from an observation literal is unified, the observation literal is replaced with another observation literal including a predicate that is the same as the predicate of the observation literal.
The inference method according to any one of Supplementary Notes 6 to 8,
wherein, in the replacement step, if a term included in the observation literal to be replaced corresponds to a term that is in common between a plurality of literals of the rules, the observation literal is replaced with another observation literal including a term corresponding to the term that is in common.
The inference method according to any one of Supplementary Notes 6 to 9, further comprising:
a selection step of selecting a combination that matches a preset condition using an evaluation function expressing a numerical relationship, for each generated replacement combination of the observation literals.
A computer-readable recording medium that includes a program including instructions recorded thereon, the instructions causing a computer to carry out:
The computer-readable recording medium according to Supplementary Note 11,
wherein, in the replacement step, an observation literal unified with a hypothesis literal of the solution hypothesis is replaced with another observation literal including a predicate that is the same as the predicate of the observation literal.
The computer-readable recording medium according to Supplementary Note 11,
wherein, in the replacement step, if a hypothesis literal derived from an observation literal is unified, the observation literal is replaced with another observation literal including a predicate that is the same as the predicate of the observation literal.
The computer-readable recording medium according to any one of Supplementary Notes 11 to 13,
wherein, in the replacement step, if a term included in the observation literal to be replaced corresponds to a term that is in common between a plurality of literals of the rules, the observation literal is replaced with another observation literal including a term corresponding to the term that is in common.
The computer-readable recording medium according to any one of Supplementary Notes 11 to 14, the program further including instructions that cause the computer to carry out
a selection step of selecting a combination that matches a preset condition using an evaluation function expressing a numerical relationship, for each generated replacement combination of the observation literals.
Although the invention of this application has been described with reference to exemplary embodiments, the invention of this application is not limited to the above exemplary embodiments. Within the scope of the invention of this application, various changes that can be understood by those skilled in the art can be made to the configuration and details of the invention of this application.
As described above, according to the invention, it is possible to reflect numerical relationships on abduction. The invention is useful in fields where abduction is necessary.
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/JP2020/023767 | 6/17/2020 | WO | |