JP2001308918A - Attack path tracing system and router - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an attack path tracing system that can efficiently trace an attacker onto a server. SOLUTION: In the attack path tracing system that traces a transmission path of attack data used to attack a server connected to a network via a router, an information providing server 500 is provided with a data mark attaching section 502 that attaches an identifier to data received from a data input section 501, a communication processing section 505 transmits the data with the identifier attached thereto to the network, the router 700 is provided with a mark detection section 703 that detects the identifier from passing data and with a detection result storage section 704 that stores a result of detection by the mark detection section 703, and a manager confirms data stored in the detection result storage section 704 to easily investigate the attack path.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

[0001] 1. Field of the Invention [0002] The present invention relates to a system for tracking an attack path of an attacker in a computer network.

[0002]

2. Description of the Related Art FIG. 16 shows a general configuration of a computer network system represented by the current Internet. The network system includes a plurality of distributed managed networks (hereinafter, sites) 101 (10).
1b, 101c) by a router 102. Each site 101, 101b, 101c
, A plurality of hosts 103 are connected. In particular, a host that provides a service on a network in response to a request from a remote user is referred to as a server 104.

[0003] FIG. 17 shows a WWW (WWW) among servers.
old Wide Web) server, FTP (Fil)
e Transfer Protocol) server, etc.
It shows a general configuration of a server (hereinafter, an information providing server) 200 that provides information to a user via a network. The information providing server 200 includes a data input unit 201, a data storage unit 202, and a data output unit 20.
3. It is composed of communication processing means 204 and network 205.

[0004] Next, the operation of the information providing server will be described. The information provider inputs information to be provided using a keyboard or other data input means 201. The input data is stored in the server by the data storage unit 202. The stored data is output to the data output means 2
The data is sent to the communication processing unit 204 through the communication unit 03, output from the communication processing unit 204 to the network 205, and provided to the user of the server.

FIG. 18 shows a general configuration of a conventional router device 300. The router device 300 includes a receiving unit 301, a routing control unit 302, and a transmitting unit 3.
03, a receiving network 304, and a transmitting network 305.

Next, the operation of the router will be described. The data sent to the router via the receiving network 304 is received by the receiving means 301. next,
Based on the destination address in the data, the routing control means 302 sends the data to the sending network 3
05 is determined, and data is transmitted through the transmission means 303 connected to the transmission side network 305.

[0007]

A conventional computer network system is configured as described above.
A person who attempts to attack the information providing server (hereinafter, an attacker) generally secures anonymity by using a plurality of hosts as a stepping stone, and then attacks the target server, as shown in FIG. A similar effect can be obtained by using not only a normal terminal but also a multi-stage proxy server as a stepping stone.

[0008] For this reason, even if an attack is detected on the information providing server, it can be known that the attack is only performed from the nearest steppingstone host. In order to specify it, the hosts 404 and 405, which were used as steps, had to be checked retrospectively. Therefore, there is a problem that since it is necessary to cooperate with all of the sites used as a springboard, tracking an attacker takes time and costs.

[0009] The present invention has been made to solve the above-mentioned problems, and a specific mark is added to data output from an information providing server, and the data is detected by a remote router, so that the data is detected. This is an attack path tracking system that can omit the work of identifying a springboard host included between a router and an information providing server, and can reduce the time and cost required for identifying an attacker.

[0010]

According to the present invention, there is provided an attack route tracing system for tracing a transmission route of attack data which attacks a server connected to a network via a router device, wherein the server comprises: A data input section for inputting data, a data mark adding section for adding an identifier to the input data, a data storage section for storing the input data, and reading and reading the data stored in the data storage section. A data output unit that outputs the data, and a communication processing unit that transmits the data output from the data output unit to a network, the router device detects the identifier from the passing data, a mark detection unit, A detection result storage unit for storing the detection result detected by the mark detection unit.

The data mark adding unit adds an identifier before storing the input data in the data storage unit.

[0012] The data mark adding section adds an identifier to an invalid area of the input data.

The data mark adding section converts the identifier into a comment format in the data format constituting the input data, and adds the converted identifier to the input data.

The data mark adding section adds an identifier to a predetermined position of the image data when the input data is image data.

The server further includes an intrusion detection unit for detecting that the attack data has entered the server, and a tracing instruction for tracing the intrusion source to the server when the intrusion detection unit detects the intrusion of the attack data. And a tracking command output unit that outputs the tracking command to the router device.

The router further inputs a tracking command output from the tracking command output unit, and outputs a mark detection start request for starting identifier detection to the mark detecting unit based on the input tracking command. Equipped with a detection control unit
The mark detection unit receives a mark detection start request from the detection control unit, and starts detecting an identifier in response to the input mark detection start request.

The detection control section outputs a mark detection stop request for stopping detection of an identifier to the mark detection section based on a predetermined condition, and the mark detection section issues a mark detection stop request from the detection control section. It is characterized in that detection of an identifier is stopped in response to an input and a mark detection stop request input.

The data mark adding unit adds an identifier before transmitting data by the communication processing unit.

The server further detects that the attack data has entered the server, and outputs a mark addition start request to start adding an identifier to the data mark adding unit when the intrusion of the attack data is detected. Equipped with a detector,
The data mark adding unit includes a mark addition control unit that receives a mark addition start request output from the intrusion detection unit, and controls to start adding an identifier based on the input mark addition start request. It is characterized by having.

The intrusion detection unit outputs a mark addition stop request for stopping addition of an identifier to the mark addition control unit based on a predetermined condition.
The apparatus is characterized in that a mark addition stop request from the intrusion detection unit is input, and based on the input mark addition stop request, the addition of the identifier is stopped.

The intrusion detection unit generates an identifier corresponding to the mark addition start request, and outputs the mark addition request and the generated identifier to the mark addition control unit. Inputting the identifier generated by the intrusion detection unit, and adding the input identifier to the data. The server further includes an identifier generated from the intrusion detection unit when the intrusion detection unit detects the intrusion of the attack data. And a tracking command output unit for outputting a tracking command for tracking an intrusion source to the server and an input identifier to the router device.The router device further includes a mark detection start request from the tracking command output unit. An identifier addition request is generated by inputting the identifier and the input identifier is detected based on the input mark detection start request. And an inspection control unit that outputs the child to the mark detection unit.The mark detection unit further receives the identifier addition request and the identifier output from the inspection control unit, and responds to the input identifier addition request. An identifier storage unit for storing the input identifier on the basis of the identifier, and a mark detection execution unit for detecting from the data passing the identifier stored in the identifier storage unit.

The intrusion detection unit is configured to, based on a predetermined condition, transmit a mark addition stop request for stopping addition of an identifier and an identifier corresponding to the mark addition stop request to the mark addition control unit and the tracking command output unit. The mark addition control unit inputs the mark addition stop request and the identifier, controls the addition of the input identifier based on the input mark stop request, and outputs the tracking command output. The unit receives a mark addition stop request and an identifier from the intrusion detection unit, generates a mark detection stop request to stop detection of the input identifier based on the input mark addition stop request, and generates the mark detection stop request. The inspection control unit outputs the mark detection stop request and the identifier to the router device, and inputs the mark detection stop request and the identifier from the tracking command output unit. Based on the detection stop request, an identifier deletion request for deleting the input identifier is output to the identifier storage unit, and the identifier storage unit inputs the identifier deletion request and the identifier from the inspection control unit and receives the input. The input identifier is deleted based on the identifier deletion request.

An attack route tracking system according to the present invention comprises:
In an attack path tracing system for tracing a transmission path of attack data that attacks a server connected to a network via a router device, the server includes a data input unit for inputting data, and a data storage for storing the input data. A data output unit that reads the data stored in the data storage unit and outputs the read data; a response mark addition unit that adds an identifier to the data output by the data output unit; and a response mark addition unit. A communication processing unit for inputting data and transmitting the input data to a network, wherein the router device is configured to detect the identifier from the passing data, and a detection result detected by the mark detection unit. And a detection result storage unit for storing

The response mark adding section is provided in the communication processing section.

[0025] A router device according to the present invention is a router device connected to a network to which data is transmitted, wherein the router device comprises: a mark detection unit for detecting an arbitrary identifier from the transmitted data; And a detection result storage unit for storing the detection result detected in (1).

[0026]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiment 1 In this embodiment, as an example of an attack path tracking system that tracks a transmission path of attack data that attacks a server connected to a network via a router device, an identifier (identification number) is assigned to transmitted data.
er)) will be described to track the attack route.

FIG. 1 is a diagram showing an information providing server (server) 500 in the configuration diagram showing an embodiment of the present invention.
This device includes a data input unit 501, a data mark adding unit 5
02, a data storage unit 503, a data output unit 504, a communication processing unit 505, and a network 506.

The data input section 501 inputs data. The data mark adding unit 502 adds an identifier to the input data. The data storage unit 503 stores the input data. The data output unit 504 reads the data stored in the data storage unit 503 and outputs the read data. The communication processing unit 505 includes the data output unit 5
04 is transmitted to the network.

In this embodiment and the following embodiments, an information providing server 50 for providing information is used as a server.
0 will be described as an example. However, it is not limited to the information providing server.

FIG. 2 is a diagram showing a data mark adding unit 502 in the configuration diagram showing one embodiment of the present invention. This means comprises a data type identifying unit 601, an executable file mark adding unit 602, and an HTML file. (Hyper Text M
(Archup Language) file mark adding section 603 and image file mark adding section 604.

The data type identification section 601 identifies the data type of the input file. In this embodiment, the case of an execution file, an HTML file, and an image file will be described, but the present invention is not limited to these. Executable file mark adding unit 602, HTML file mark adding unit 603, image file mark adding unit 60
No. 4 adds an identifier to each corresponding file.

In this specification, an identifier and an identification I
D means the same thing, all of which are identifiable marks in this attack path tracking system. In this embodiment, a case will be described in which the data mark adding unit 502 adds an identifier before storing the input data in the data storage unit 503.

FIG. 3 is a diagram showing a router device 700 in the configuration diagram showing one embodiment of the present invention. This device comprises a receiving network 701, a receiving unit 702, and a mark detecting unit 7.
03, detection result storage unit 704, routing control unit 70
5, a transmission unit 706, and a transmission-side network 707.

The mark detection unit 703 detects an identifier from the passing data. The mark detection unit 703 stores the detected identifier. The stored identifier is set in advance by the user. The detection result storage unit 704 stores the detection result detected by the mark detection unit 703.

FIG. 4 shows an embodiment of the present invention.
9 shows an example of a mark adding method by the file mark adding unit 602 for execution.

FIG. 5 shows an embodiment of the present invention.
9 illustrates an example of a mark adding method by the HTML file mark adding unit 603.

FIG. 6 shows an embodiment of the present invention.
9 illustrates an example of a mark adding method by the image file mark adding unit 604.

The operation of this embodiment will be described below with reference to the drawings. First, the operation of the information providing server will be described. The information provider inputs data using the data input unit 501. The input data is sent to the data mark adding unit 502, where the identification ID is included in the data.
(Identifiable mark) is embedded. The identification ID is
This is data for identifying that the data is output from the information providing server 500. The data in which the identification ID is embedded is stored by the data storage unit 503. Thereafter, the data is output to the network 506 via the data output unit 504 and the communication processing unit 505 as in the conventional case.

Next, the operation of the data mark adding unit 502 will be described. The data input to the data mark adding unit 502 is identified by the data type identifying unit 601, sent to the mark adding unit corresponding to the type, embedded with an identification ID corresponding to the data type, and output.

In this embodiment, the data mark adding unit 5
02, the execution file mark adding unit 602 and the H
Although the TML file mark adding unit 603 and the image file mark adding unit 604 are used, it is of course possible to prepare a mark adding unit for other data types.

Next, an executable file mark adding unit 602 is provided.
Will be described with reference to FIG. It is assumed that the executable file mark adding unit 602 in the present embodiment targets a file having the following format. In the execution file 801 shown in FIG. 4, when the start is address 0, character strings irrelevant to the execution are stored in addresses 4e to 73 in hexadecimal. In the present embodiment, the identification ID 802 is embedded in this area,
The attached execution file 803 is output.

It goes without saying that the file may have a format other than the above. It is sufficient that the executable file mark adding unit 602 knows in advance the format of the file.

Next, an HTML file mark adding unit 6
The operation 03 will be described with reference to FIG. HTML file mark adding unit 603 in the present embodiment
Receives the HTML file 901, inserts a tag ignored in HTML into the file, and embeds the identification ID 902 in the tag. In the present embodiment, comment tags are used as ignored tags. Finally, the HTML file 903 with the identification ID is output.

Next, an image file mark adding unit 604 is provided.
Will be described with reference to FIG. The image file mark addition unit 604 in the present embodiment is based on JPEG as the image format. JPEG
(Joint Photographic codin
g Experts Group), Applic
It is possible to embed arbitrary data in the data segment area without affecting the image.
1002 is embedded in the original image 1001, and an image file 1003 with identification ID is output.

Next, the operation of the router 700 will be described. As with the conventional router, data received from the receiving network 701 by the receiving unit 702 is input to the mark detecting unit 703 here. Mark detector 7
In step 03, a search is made as to whether or not there is a portion that matches the previously stored identification ID in the data stream expressed as an octet sequence.

If there is a match, the destination address of the data and the reception time are stored in the detection result storage unit 704 as the detection result. Then the data is
As before, the routing control unit 705 and the transmission unit 706
Is output to the transmission-side network 707 via

As described above, the detection result storage unit 704
The detection result including the transmission destination address and the reception time stored in is used by the administrator at a later date to confirm that it is not a false detection, which is useful for tracking. In addition, at the time of detection, an e-mail or other communication means may be used to notify the administrator of the detection from the router device.

As described above, by embedding data that can be distinguished from other data into the information sent to the attacker and detecting it by the router on the way, the stepping host between the information providing server and the router can be used. Has the effect that it is not necessary to go back the route.

The administrator can read the detection result stored in the detection result storage unit 704 and confirm that the detection result is not erroneous, and then use it for tracking the attack route.

Embodiment 2 7 and 8 show another embodiment of the present invention, in which a router can perform a mark detection process only when an information providing server detects an attack. It is. Thereby, there is an effect that the processing amount of the router in normal times can be reduced as compared with the first embodiment.

FIG. 7 is a diagram showing the information providing server 1100 according to the present embodiment.
1, data mark adding unit 1102, data storage unit 110
3, a data output unit 1104, a communication processing unit 1105, an intrusion detection unit 1106, a tracking command output unit 1107, and a network 1108.

The information providing server 1100 has the following components added to the information providing server 500 of FIG.
The intrusion detection unit 1106 detects that attack data has entered the information providing server 1100.

The tracking command output unit 1107 includes the intrusion detection unit 1
When the intrusion of the attack data is detected, the tracking instruction to trace the intrusion source to the information providing server 1100 is output to the router device. When the tracking command output unit 1107 stops detecting the attack data by the intrusion detection unit 1106,
Alternatively, based on a predetermined condition, a stop command indicating the tracking of the intrusion source to the server is output to the router device. A tracking command and a stop command output from the tracking command output unit 1107 may be indicated as control commands.

The other components are the same as those described in the first embodiment with reference to FIG.

FIG. 8 shows a router 1200 according to the present embodiment.
01, a reception unit 1202, a detection control unit 1203, a mark detection unit 1204, a detection result storage unit 1205, a routing control unit 1206, a transmission unit 1207, and a transmission side network 1208.

The router 1200 differs from the router 700 described in the first embodiment with reference to FIG. 3 in the following points. The detection control unit 1203 includes the tracking command output unit 1
The tracking command output from 107 is input, and a mark detection start request for starting detection of an identifier is output to the mark detecting unit based on the input tracking command. Further, the detection control unit 1203 outputs a mark detection stop request for stopping detection of the identifier to the mark detection unit 1204 based on a predetermined condition.

The mark detecting section 1204 has the following functions in addition to the functions described in the first embodiment. A mark detection start request is input from the detection control unit 1203, and detection of an identifier is started from passing data according to the input mark detection start request. Detection control unit 120
3, a mark detection stop request is input, and detection of the identifier is stopped by the input mark detection stop request. The other components are the same as those described with reference to FIG. 3 in the first embodiment.

Next, the operation will be described. First,
The operation of the information providing server 1100 will be described. The point that a mark is added to the input data and the data is output to the network in response to a request from the user is the same as the information providing server 500 of the first embodiment (1101 to 110).
5, 1108).

In addition, in this embodiment, the intrusion detecting section 11
06 constantly monitors the network 1108 and monitors for intrusion of attack data from attackers. When the intrusion detection unit 1106 detects the intrusion of the attack data, the tracking instruction output unit 1107 sends a control instruction indicating the start of mark detection to the router 1200.

When a certain period of time has elapsed or when the intrusion detection unit 1106 detects the end of the attack, a control command indicating stop of mark detection is sent from the tracking command output unit to the router 1200.

Next, the operation of the router 1200 will be described. In normal times, the mark detection unit 1204 of the router 1200 is in a state where the mark detection processing is not performed.
Therefore, in normal times, the router 1200 according to the present embodiment is used.
Is generally equivalent to the router device 300 in the conventional example.

Here, when the information providing server 1100 according to the present embodiment detects an attack and sends a control command indicating the start of mark detection to the router 1200, the command is discriminated from normal data by the receiving unit 1202. Then, it is sent to the detection control unit 1203.

Next, the detection control unit 1203 sends a mark detection start request to the mark detection unit 1204. The mark detection unit 1204 that has received the mark detection start request performs the processing according to the first embodiment.
The same processing as the mark detection unit 703 is performed.

Thereafter, when a control command indicating stop of mark detection is sent from the tracking command output unit 1107 of the information providing server 1100, the command is sent to the detection control unit 1203 via the receiving unit 1202. In response to this, the detection control unit 1203 sends a mark detection stop request to the mark detection unit 1204. Mark detection unit 1 receiving a mark detection stop request
204 stops the mark detection processing,
The whole is equivalent to the router device 300 in the conventional example.

In the present embodiment, the information providing server 110
Although the intrusion detection unit 1106 and the tracking command output unit 1107 are arranged in the network 0, they can be arranged as independent hosts on the network to centrally monitor a plurality of information providing servers in the site. It is.

Embodiment 3 FIG. 9 shows still another embodiment of the present invention. In the information providing server according to the first embodiment, a mark is added at the time of data transmission instead of adding a mark at the time of storing data. It was made.

Thus, WWW (World Wid)
e-Web) CGI (Common Gate)
It is possible to add a mark to dynamically generated data, such as a way interface). In addition, it is possible to embed dynamic data such as transmission time in addition to the identification ID, so that it is easy to identify later whether the data is transmitted by an attack.

FIG. 9 shows an information providing server 1300 according to the present embodiment. This information providing server 13
00 is a data input unit 1301, a data storage unit 130
2. Data output unit 1303, data mark adding unit 130
4, a communication processing unit 1305 and a network 1306. Each component is the same as that described in Embodiment 1 with reference to FIG.

The configuration of data mark adding section 1304 is the same as that of data mark adding section 502 described in Embodiment 1 with reference to FIG. The router device is the same as router device 700 described in Embodiment 1 with reference to FIG.

Next, the operation will be described. As in the conventional example, data input from the data input unit 1301 is stored in the data storage unit 1302. In response to a request from the user, the data extracted through the data output unit 1303 is added with a mark by the data mark adding unit 1304, and then output to the network 1306 through the communication processing unit 1305.

Embodiment 4 FIGS. 10 and 11 show still another embodiment of the present invention. By adding an intrusion detection unit to the information providing server 1300 in the third embodiment, a mark is added to transmission data in normal times. It is possible not to be.

As a result, since no mark is added to data transmitted in normal times, all data detected by the router device can be determined to be data transmitted when the information providing server is attacked. There is an effect that it is easier to specify an attack route.

FIG. 10 shows an information providing server 1400 according to the present embodiment. Information providing server 14
00 is a data input unit 1401, a data storage unit 140
2. Data output unit 1403, data mark adding unit 140
4, a communication processing unit 1405, an intrusion detection unit 1406, and a network 1407.

The information providing server 1400 has the following components added to the information providing server 500 of FIG.
The intrusion detection unit 1406 detects that attack data has entered the server, and outputs a mark addition start request to start adding an identifier to the data mark addition unit 1404 when the intrusion of attack data is detected. Also, the intrusion detection unit 14
06 outputs a mark addition stop request to stop adding an identifier to the mark addition control unit 1501 based on a predetermined condition. The other components are the same as those described in the first embodiment with reference to FIG.

FIG. 11 shows the data mark adding unit 1404 according to the present embodiment. The data mark adding unit 1404 has a configuration in which a mark addition control unit 1501 is added to the configuration (1502 to 1505) of the data mark adding unit 502 in the first embodiment.

A mark addition control section 1501 is added to the data mark addition section 1404. The mark addition control unit 1501 receives the mark addition start request output from the intrusion detection unit 1406, and controls to start adding an identifier based on the input mark addition start request. In addition, the mark addition control unit 1501
A mark addition stop request from 406 is input, and based on the input mark addition stop request, control is performed to stop adding an identifier. The components other than the above are the same as those in the first embodiment.
Is the same as that described with reference to FIG.

Next, the operation will be described. As in the third embodiment, data input through the data input unit 1401 is stored in the data storage unit 1402, and the data mark adding unit 1404 is output through the data output unit 1403.
After that, the data is output to the network 1407 via the communication processing unit 1405.

However, in the present embodiment, the third embodiment
Unlike in normal times, the data mark adding unit 1404
Since the mark addition control unit 1501 has set “mark addition stop state”, no mark is added to the output data. Therefore, the information providing server of the present embodiment behaves similarly to the information providing server 200 of the conventional example.

The intrusion detection unit 1406 operates the information providing server 14
Upon detecting an attack on 00, the intrusion detection unit 1406 sends a mark addition start request to the data mark addition unit 1404. The mark addition control unit 1501 that has received the mark addition start request changes the state of the data mark addition unit 1404 to the “mark addition state”, and thereafter, the data mark addition unit 1404 adds a mark to the output data. become.

After that, when the intrusion detection unit 1406 detects that the attack on the information providing server 1400 has ended, the intrusion detection unit 1406 sends a mark addition stop request to the data mark addition unit 1404. The mark addition control unit 1501 that has received the mark addition stop request changes the state of the data mark addition unit 1404 to the “mark addition stop state”.
Stops adding the mark.

Embodiment 5 12, 13, and 14
Shows another embodiment of the present invention.
In the present embodiment, a data mark is added by changing the identification ID every time an attack is detected. Therefore, even when a plurality of attacks are received, analyzing the detection result of the router device later has an effect that it is easy to determine which attack corresponds to the data that has passed through the router device.

FIG. 12 shows an information providing server 1600 according to the present embodiment. Information providing server 16
00 is a data input unit 1601, a data storage unit 160
2. Data output unit 1603, data mark adding unit 160
4, a communication processing unit 1605, an intrusion detection unit 1606, a tracking command output unit 1607, and a network 1608.

FIG. 13 shows a data mark adding unit 1604 according to the present embodiment. The data mark adding unit 1604 is different from the configuration (1701 to 1705) of the data mark adding unit 1404 in the fourth embodiment in that the identification I
The configuration is such that a D control unit (identifier control unit) 1706 is added.

The information providing server 1600 is similar to that of the fourth embodiment.
Information providing server 1400 described with reference to FIG.
The following points are different. The intrusion detection unit 1606 generates an identifier corresponding to the mark addition start request, and compares the mark addition request and the generated identifier with the mark addition control unit 1701.
And a tracking command output unit 1607. Further, the intrusion detection unit 1606 sends a mark addition stop request for stopping addition of an identifier and an identifier corresponding to the mark addition stop request to the mark addition control unit 1701 and the tracking command output unit 1607 based on a predetermined condition. Output.

The mark addition control section 1701 inputs the identifier generated from the intrusion detection section 1606 and adds the input identifier to the data. The mark addition control unit 17
Reference numeral 01 inputs a mark addition stop request and an identifier, and controls to stop adding the input identifier based on the input mark stop request.

The tracking command output unit 1607 is provided with the intrusion detection unit 1
When the intrusion of the attack data is detected by the 606, the identifier generated from the intrusion detection unit 1606 is input, and a tracking instruction for tracing the intrusion source to the server and the input identifier are output to the router device. Further, the tracking command output unit 1607 receives the mark addition stop request and the identifier from the intrusion detection unit 1606, and issues a mark detection stop request for stopping detection of the input identifier based on the input mark addition stop request. The generated mark detection stop request and the generated identifier are output to the router device.

The other components are the same as those described with reference to FIGS. 10 and 11 in the fifth embodiment.

FIG. 14 shows a router 1800 according to the present embodiment. The router device 1800
Receiving unit 1801, inspection control unit 1802, mark detection unit 1
803, an ID storage unit (identifier storage unit) 1804, a mark detection execution unit 1805, a detection result storage unit 1806, a routing control unit 1807, a transmission unit 1808, a reception network 1809, and a transmission network 1810.

The router 1800 differs from the router 700 described in the first embodiment with reference to FIG. 3 in the following points. The inspection control unit 1802 is configured to output the tracking command output unit 1
607, a mark detection start request and an identifier are input, an identifier addition request (identification ID addition) is generated based on the input mark detection start request, and the generated identifier addition request is generated. And the identifier are output to the mark detection unit 1803. In addition, the inspection control unit 18
In step 02, a mark detection stop request and an identifier are input from the tracking command output unit 1607, and an identifier deletion request (identification ID deletion) for deleting the input identifier is stored based on the input mark detection stop request. Output to the unit 1804.

The mark detection unit 1803 further performs the identification I
A D accumulation unit 1804 and a mark detection execution unit 1805 are provided. The identification ID storage unit 1804 receives the identifier addition request and the identifier output from the inspection control unit 1802, and stores the input identifier based on the input identifier addition request. Also, the identifier storage unit 1804 receives the identifier deletion request and the identifier from the inspection control unit 1802, and deletes the input identifier based on the input identifier deletion request.

The mark detection execution unit 1805 detects the identifier stored in the identifier storage unit 1804 from the data passing therethrough. The other components are the same as those described with reference to FIG. 3 in the first embodiment.

Next, the operation will be described. Information providing server 1
600 outputs data to the network without adding a mark in normal times, as in the fourth embodiment. Also, the router 1800 does not inspect the mark in normal times, as in the second embodiment. When the intrusion detection unit 1606 detects an attack on the information providing server 1600, a mark addition start request is sent to the data mark addition unit 1604, and an identification ID
Send.

In the data mark adding unit 1604, the mark adding control unit 1701 receiving the mark adding start request
However, as in the fourth embodiment, the internal state is set to a “mark added state”. On the other hand, the identification ID is the identification ID control unit 170
6, the identification ID control unit 1706 resets the identification ID used by each mark adding unit (1703 to 1705) when adding a mark.

After sending the mark addition start request and the identification ID to the data mark addition unit 1604, the intrusion detection unit 1606
The tracking command output unit 1607 is called using the newly determined identification ID as an input. As a result, the tracking command output unit sends the control command indicating the identification ID addition request to the router 1800.
Send to

Identification ID transmitted to router 1800
The control command representing the addition request is input to the inspection control unit 1802 via the receiving unit 1801 of the router 1800.
The inspection control unit sends an identification ID addition request to the identification ID storage unit 1804 in the mark detection unit 1803, and
Register D.

On the other hand, every time data is input, the mark detection execution unit 1805 in the mark detection unit
It is checked whether or not the ID stored in the D storage unit 1804 is included in the data. If no identification ID is included in the identification ID storage unit 1804, the mark detection execution unit does not perform the mark detection process.
The subsequent operation is the same as in the first embodiment.

Thereafter, when the intrusion detection unit 1606 detects that the attack on the information providing server 1600 has stopped, it sends a mark addition stop request to the data mark addition unit 1604 as in the fourth embodiment. At the same time, a control command indicating an ID deletion request is sent to the router device through the tracking command output unit 1607.

Identification ID transmitted to router 1800
A control command indicating a deletion request is input to the inspection control unit 1802 via the receiving unit 1801 of the router device 1800.
The inspection control unit sends an identification ID deletion request to the identification ID storage unit 1804 in the mark detection unit 1803, and
Delete D from registration. Thereby, the router device 180
A value of 0 means that the identification ID will not be detected thereafter.

Embodiment 6 FIG. FIG. 15 shows still another embodiment of the present invention, in which an identification ID is embedded in a response message transmitted to the other party during communication processing, instead of embedding the identification ID in data. (Response mark). As a result, when the attacker checks the communication message on the screen or the like, there is an effect that tracking can be performed even if the data is processed by the stepping host on the way. Further, there is an effect that tracking can be performed even in communication that does not involve data output, such as a TELNET session.

FIG. 15 shows an information providing server 1900 in the present embodiment. Information providing server 1
Reference numeral 900 denotes a data input unit 1901, a data storage unit 190
2, a data output unit 1903, a communication processing unit 1904, a response mark adding unit 1905, and a network 1906.

The information providing server 1100 is obtained by removing the mark data adding unit 502 from the information providing server 500 of FIG. 1 and adding the following components. The response mark adding unit 1905 adds an identifier to the data output by the data output unit 1903. In this embodiment, the response mark adding unit 1905 is provided in the communication processing unit 1904. The response mark adding unit 1905 adds an identifier to a part such as a response message other than the data input from the data input unit 1901. The other components are the same as those described in the first embodiment with reference to FIG.

The following description is based on the premise that the router is the same as that described in the first embodiment with reference to FIG.

Next, the operation will be described. Similarly to the conventional example, data input through the data input unit 1901 is stored in the data storage unit 1902, and the data output unit 1902 stores the data.
After passing through 903, the data is input to the communication processing unit 1904. The communication processing unit 1904 converts the input data into a message conforming to the communication protocol and outputs the message to the network 1906. At this time, an identification ID is incorporated into the message by the response mark adding unit 1905 so as not to violate the transmission data or communication protocol.

In the present embodiment, communication processing section 190
4 describes the operation of the response mark adding unit 1905 when processing the HTTP protocol. In this case, the response mark adding unit 1905 determines that Se in the HTTP response
By describing the identification ID in the t-Cookie header,
It can be used as a response mark.

In the present embodiment, communication processing section 190
4 describes the operation of the response mark adding unit 1905 when processing the TELNET protocol. in this case,
The response mark adding unit 1905 occasionally inserts an output into the original response message as if another user executed a message-all notification command such as “wall” on the information providing server.

Of course, the third embodiment is different from the third embodiment.
It is also possible to carry out the applications described in ５. Also,
In the above description, the response mark adding unit 1905 is the communication processing unit 1
Although the case in which the data mark 904 is provided in 904 has been described, the present invention is not limited to this, and a configuration in which the data mark adding unit 1304 in FIG. Further, the configuration shown in FIG. 15 may be further provided with a data mark adding unit.

The data mark adding unit and the response mark adding unit may coexist in one server. Therefore, the communication processing units of the first to fifth embodiments may be provided with a response mark adding unit.

[0108]

According to the attack route tracking system according to the present invention, it is not necessary to investigate the route of the stepping host arranged between the server and the router.

Further, according to the present invention, it is possible to cause a router to execute a detection process for detecting an identifier when attack data enters a server.

According to the present invention, dynamic data such as transmission time can be added to an identifier.

According to the present invention, the identifier is added only at the time of the attack, so that the efficiency of the attack route can be specified more efficiently.

According to the present invention, even when a plurality of attacks are received, it is possible to distinguish them by the identifier, so that the route can be tracked for each attack.

According to the present invention, the identifier can be added to the response message transmitted to the other party during the communication processing without adding the identifier to the data.

[Brief description of the drawings]

FIG. 1 is a block diagram showing an example of a configuration of an information providing server according to a first embodiment of the present invention.

FIG. 2 is a block diagram showing an example of a configuration of a data mark adding unit according to the first embodiment of the present invention.

FIG. 3 is a block diagram showing an example of the configuration of the router device according to the first embodiment of the present invention.

FIG. 4 is a diagram showing an example of adding a mark to an execution file.

FIG. 5 is a diagram showing an example of adding a mark to an HTML file.

FIG. 6 is a diagram showing an example of adding a mark to an image file.

FIG. 7 is a block diagram showing an example of a configuration of an information providing server according to the first embodiment of the present invention.

FIG. 8 is a block diagram showing an example of a configuration of an information providing server according to a second embodiment of the present invention.

FIG. 9 is a block diagram showing an example of a configuration of a router device according to a second embodiment of the present invention.

FIG. 10 is a block diagram showing an example of a configuration of an information providing server according to a third embodiment of the present invention.

FIG. 11 is a block diagram showing an example of a configuration of an information providing server according to a fourth embodiment of the present invention.

FIG. 12 is a block diagram showing an example of a configuration of an information providing server according to a fifth embodiment of the present invention.

FIG. 13 is a block diagram showing an example of a configuration of a data mark adding unit according to the fifth embodiment of the present invention.

FIG. 14 is a block diagram showing an example of a configuration of a router device according to a fifth embodiment of the present invention.

FIG. 15 is a block diagram showing an example of a configuration of an information providing server according to a sixth embodiment of the present invention.

FIG. 16 is a diagram showing an example of the configuration of a general network system.

FIG. 17 is a block diagram showing an example of the configuration of a conventional information providing server (server device).

FIG. 18 is a block diagram showing an example of a configuration of a conventional router device.

FIG. 19 is a diagram illustrating an example of an attack route of a server on a network.

[Explanation of symbols]

101, 101b, 101c sites, 102, 300
Router, 103 host, 104 server, 201
Data input means, 202 data storage means, 203 data output means, 204 communication processing means, 301 receiving means, 302 routing control means, 303 transmitting means, 304 receiving network, 305 transmitting network, 200, 500, 1100, 1300, 140
0,1600,1900 Information providing server, 501,1
101, 1301, 1401, 1601, 1901 Data input unit, 502, 1102, 1304, 1404
1604 Data mark addition unit, 503, 1103, 1
302, 1402, 1602, 1902 Data storage unit, 504, 1104, 1303, 1403, 160
3,1903 Data output unit, 505, 1105, 13
05, 1405, 1605, 1904 Communication processing unit, 2
05,506,1108,1306,1407,160
8, 1906 network, 601 data type identification unit, 602, 1503, 1703 paired execution file mark addition unit, 603, 1504 paired HTML file mark addition unit, 604, 1505, 1705 paired image file mark addition unit, 700, 1200, 1800 Router device, 701, 1201, 1809 receiving network, 702, 1202, 1801 receiving unit, 703
1204, 1803 mark detection unit, 704, 120
5,1806 Detection result storage unit, 705, 1206-1
807 routing controller, 706, 1207, 18
08 transmission unit, 707, 1208, 1810 transmission side network, 801 execution file, 802, 902,
1002 Identification ID (identifier), 803 Execution file with identification ID, 901 HTML file, 903 HTML file with identification ID, 1001 original image, 10
03 Image file with identification ID, 1106, 140
6,1606 Intrusion detection unit, 1107, 1607 Tracking command output unit, 1203 Detection control unit, 1501, 170
1 mark addition control section, 1502, 1702 file type identification section, 1704 paired compressed file mark addition section, 1706 identification ID control section (identifier control section), 18
02 inspection control unit, 1804 identification ID storage unit (identifier storage unit), 1805 mark detection execution unit, 1905 response mark addition unit.

Claims (16)

[Claims] 1. An attack route tracking system for tracking a transmission route of attack data that attacks a server connected to a network via a router device, the server comprising: a data input unit for inputting data; A data mark adding unit that adds an identifier to the data, a data storage unit that stores input data, a data output unit that reads data stored in the data storage unit, and outputs the read data, A communication processing unit that transmits the output data to a network, wherein the router device includes a mark detection unit that detects the identifier from passing data, and a detection result that stores a detection result detected by the mark detection unit. An attack route tracking system comprising a storage unit. 2. The attack route tracking system according to claim 1, wherein the data mark adding unit adds an identifier before storing the input data in the data storage unit. 3. The attack route tracking system according to claim 1, wherein said data mark adding unit adds an identifier to an invalid area of the input data. 4. The data mark adding section converts an identifier into a comment format in a data format constituting the input data, and adds the converted identifier to the input data. The attack route tracking system according to claim 1. 5. The attack route tracking system according to claim 1, wherein the data mark adding unit adds an identifier to a predetermined position of the image data when the input data is image data. 6. The server further comprising: an intrusion detection unit configured to detect that attack data has entered the server; and an intrusion detection unit configured to detect intrusion of the attack data by the intrusion detection unit.
2. The attack route tracking system according to claim 1, further comprising: a tracking command output unit that outputs a tracking command for tracking an intrusion source to the server to the router device. 7. The router device further inputs a tracking command output from the tracking command output unit,
A detection control unit that outputs a mark detection start request to start detection of an identifier to the mark detection unit based on the input tracking instruction, wherein the mark detection unit receives a mark detection start request from the detection control unit 7. The attack path tracking system according to claim 6, wherein the detection of the identifier is started in response to the input mark detection start request. 8. The detection control unit outputs a mark detection stop request to stop detection of an identifier to a mark detection unit based on a predetermined condition, and the mark detection unit stops the mark detection from the detection control unit. 7. The method according to claim 6, further comprising: inputting a request, and stopping the detection of the identifier according to the input mark detection stop request.
The attack path tracking system described. 9. The attack route tracking system according to claim 1, wherein the data mark adding unit adds an identifier before transmitting data by the communication processing unit. 10. The server further detects that intrusion of attack data into the server, and outputs a mark addition start request to start adding an identifier to the data mark addition unit when the intrusion of attack data is detected. The data mark adding unit receives a mark addition start request output from the intrusion detection unit, and controls to start adding an identifier based on the input mark addition start request. The attack route tracking system according to claim 1, further comprising a mark addition control unit that performs marking. 11. The intrusion detection unit outputs a mark addition stop request for stopping addition of an identifier to the mark addition control unit based on a predetermined condition. 11. The attack route tracking system according to claim 10, wherein a mark addition stop request is input, and based on the input mark addition stop request, the addition of the identifier is controlled to be stopped. 12. The intrusion detection unit generates an identifier corresponding to a mark addition start request, and outputs the mark addition request and the generated identifier to the mark addition control unit. The identifier generated by the intrusion detection unit is input, and the input identifier is added to the data. The server further includes, when the intrusion detection unit detects intrusion of attack data,
A tracking command for inputting the identifier generated from the intrusion detection unit and tracking a source of intrusion into the server; and a tracking instruction output unit for outputting the input identifier to the router device, the router device further comprising: A mark detection start request and an identifier are input from the command output unit, an identifier addition request is generated based on the input mark detection start request, and the generated identifier addition request and the identifier are generated. To the mark detection unit, the mark detection unit further inputs the identifier addition request and the identifier output from the inspection control unit, based on the input identifier addition request An identifier storage unit that stores the input identifier, and a mark detection execution unit that detects from data passing the identifier stored in the identifier storage unit. Attack path tracking system of claim 10, wherein the was e. 13. The mark intrusion detection unit outputs a mark addition stop request for stopping addition of an identifier and an identifier corresponding to the mark addition stop request, based on a predetermined condition, to the mark addition control unit and the tracking command output. The mark addition control unit inputs the mark addition stop request and the identifier, controls the stop of the addition of the input identifier based on the input mark stop request, and performs the tracking. The command output unit receives the mark addition stop request and the identifier from the intrusion detection unit, and generates a mark detection stop request for stopping detection of the input identifier based on the input mark addition stop request. Output the mark detection stop request and the identifier to the router device, the inspection control unit inputs the mark detection stop request and the identifier from the tracking command output unit, and the input Based on the mark detection stop request, an identifier deletion request for deleting the input identifier is output to the identifier storage unit, and the identifier storage unit inputs the identifier deletion request and the identifier from the inspection control unit and receives the input. 13. The attack route tracking system according to claim 12, wherein the input identifier is deleted based on the identifier deletion request. 14. An attack path tracing system for tracing a transmission path of attack data for attacking a server connected to a network via a router device, wherein the server comprises: a data input unit for inputting data; A data storage unit for storing data, a data output unit for reading data stored in the data storage unit, and outputting the read data, a response mark adding unit for adding an identifier to the data output by the data output unit, A communication processing unit for inputting data from the response mark adding unit and transmitting the input data to the network, wherein the router device includes: a mark detection unit that detects the identifier from passing data; An attack route tracking system, comprising: a detection result storage unit that stores a detected detection result. 15. The attack route tracking system according to claim 14, wherein said response mark adding unit is provided in a communication processing unit. 16. A router connected to a network to which data is transmitted, the router comprising: a mark detector for detecting an arbitrary identifier from transmitted data; and a detection result detected by the mark detector. And a detection result storage unit for storing a search result.