JP2003167786A - Network monitoring system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To quickly find out the alteration of a file, even if an external computer makes an unauthorized access to a WWW server in a company to alter the file, and automatically restore it to the state before alteration. <P>SOLUTION: The external computer 1 is freely accessible to the WWW server 3, but not accessible to a backup server 7. The backup server 7 stores the backup file of the WWW server 3. The file updating date and file capacity of the WWW server 3 are periodically compared with the state stored in a non-disclosure server 6 that is a database server. When the file of the WWW server 3 is changed by the external computer 1, the comparison result of the data is not matched, and the changed file of the WWW server 3 is substituted by the backup file stored in the backup server 7. Accordingly, the file of the WWW server 3 is automatically restored to the file before change. <P>COPYRIGHT: (C)2003,JPO

Description

Description: BACKGROUND OF THE INVENTION 1. Field of the Invention
Failure to install WWW (World Wide Web) server
Regarding the network monitoring system that monitors the correct operation,
To monitor the WWW server for external tampering
And automatic repairs to further maintain security functions
Related to network monitoring systems
You. [0002] Conventionally, a company network via the Internet has been used.
To block unauthorized access to the network,
At the entrance to the corporate network
(Fire Wall) ”is installed.
You. Such a firewall is
Access restrictions for packets from any external source
By blocking malicious packets
Work is protected from unauthorized access. But
Hackers, etc.
Because there are some unauthorized access that can be
Network monitoring system in the corporate network
Addressing these unauthorized access. [0003] Hereinafter, a conventional network monitoring system will be described.
Therefore, the method of detecting unauthorized access
A method of blocking access will be specifically described. FIG.
Legacy for monitoring unauthorized access on corporate networks
1 is a configuration diagram of a network monitoring system. That is,
This figure shows the WWW server in the corporate network.
A network for implementing general unauthorized access countermeasures
2 shows the concept of a work monitoring system. In the figure,
Business network is accessed from external computer 1
In-house LAN (Local Area Network) 9
WWW server 3 from unauthorized attack from Internet 10 side
DMZ which is an information management unit to protect which public server
(DeMilitarized Zone) 8.
The corporate network and Internet
Install firewall 2 at the point of contact with
From the external computer 1 including the
Access is restricted. [0004] Usually, the corporate network is a firewall.
In principle, external access is blocked by rule 2.
The first segment (that is, the in-house LAN 9)
-Both the network 10 and the first segment (in-house LAN 9)
From the second segment (ie, DMZ
8) and is managed separately. The former is in the same premises
Used as an in-house LAN 9 that composes a network
The latter is the WWW site where the homepage of the company is located.
Server 3 and FT where download files are located
P (File Transfer Protocol) server (not shown),
A mail server that accepts external mail (shown
As a separate segment for installing public servers such as
Used. The Internet 10 and the second segment
Between DMZ 8 and in-house LAN 9 as the first segment
Is provided with a firewall 2. And
Firewall 2 is home page for DMZ8
HTTP (Hyper Text Transfer Protocol) used for browsing
ol) Port and SMTP used for sending and receiving e-mail
(Simple Mail Transfer protocol)
Access only. In addition, firewall 2
Is an external computer, including hackers,
To prevent unauthorized access by blocking all access from Data 1
I am responding. In other words, the network provided in DMZ8
The monitoring device 4 checks packets flowing through the corporate network.
Inspection and if an invalid packet is detected,
Notification to the client 2 and reject the reception of the illegal packet.
You. [0006] Thus, the corporate network is a DMZ8.
And security management divided into two
Is that the WWW server 3 in the DMZ 8 is restricted
However, access from the external computer 1 is possible.
Therefore, evil such as hacks contained in the external computer 1
May be attacked by a third party
It is. For example, a hacker lurking in the external computer 1
WWW server 3 far exceeds server throughput
If a large number of HTTP connection request packets are sent,
Since the packet itself is a "legal" packet,
After passing through the wall 2, it reaches the WWW server 3 in the DMZ 8.
The WWW server 3 is overloaded as a result
And may go down. [0007] Therefore, the internal LAN 9 and the WWW server 3
If the DMZ8 to be installed is divided,
Network is hidden from the external computer 1
Even if attacked, only WWW server 3 will damage
Thus, damage to the in-house LAN 9 is prevented. Ma
Also, the WWW server 3 is connected to the private server 6 in the in-house LAN 9.
The original is placed, and the work of updating the information is basically in-house LAN
The 9 side responds and puts a copy of the original on the WWW server 3
In such a case, the WWW server 3 is broken by the attack.
Even if destroyed, it can be recovered quickly. [0008] By the way, a message from the external computer 1
To specify the application that passes the information to the WWW server 3
As a rule, "port number" for each function (application)
Is defined as a unique number called WW
When sending a request message to the application of the W server 3,
The port number is also sent together with the request content. And W
On the WW server 3 side, the port number in the received request message
And match the port number that matches the received port number.
Pass the request message to the application that has it. For example, Ho
HTTP (Hyper T
ext Transfer Protocol) port number is “80”
FTP used to download / upload files
Is determined to be "21". Accordingly
To access the WWW server 3 and browse the homepage
If the port number is “8” from the external computer 1
0 ”and a request message will be sent.
You. In this way, the message to the target application
Is being delivered. In this way, the firewall 2
For WWW server 3 in DMZ8,
Only allow access to the HTTP port used for browsing
Yes, all external access to company LAN 9 is blocked
And respond to unauthorized access from outside. Toes
And the corporate network is DMZ8 and in-house LAN9
The security management is divided into WWW
A public server such as the server 3 is used to open the homepage.
Access to the general public (external computer 1)
To be attacked by malicious third parties
This is because there is a fear. As described above, the WWW server 3 is connected to the external computer.
Elements that are vulnerable to being attacked by
Built-in, and against attacks from external computer 1
Is relatively vulnerable, so if there is unauthorized access
Needs a mechanism that can respond quickly. This is currently
Network monitoring device 4 to solve such problems
Install and send packets flowing through the network
(A credit unit). This network
The network monitoring device 4 flows on the DMZ 8 network.
Captures packets and pre-registers unauthorized access
Check for unauthorized access using methods such as pattern analysis
It is carried out. Then, the network monitoring device 4 is illegal.
If access is detected, an e-mail or a separate
By means of a monitor display (not shown) for monitoring
Reporting to the supervisor. Also, network
The monitoring device 4 sends an unauthorized packet to the firewall 2.
Control to block access from the packet sender address
In some cases. [0011] Unauthorized access is mainly based on server applications.
Software related to the security part of the application software
This is done by exploiting a bug (security hole). soft
100% removal of bugs in software
It is impossible for developers to understand
Security holes may exist.
It is conceivable that they attack with aiming at the part. As a practical matter, on the Internet 10
Automatically discovers security holes and exploits them
Software that deprives application software management rights of flooding
And these softwares are malicious for unauthorized access.
Have been used. Security hole search and server management
In order to obtain illegal rights, the target server computer must be
On the other hand, taking control of application software
Port numbers in request statements (commands) that allow
And send a message to all application software in the server.
Is often used. If an application with a security hole
Application software, if available.
Malware receives a hidden request message at the software port
There is a high possibility that
By starting the system, the WWW server 3 is connected to the external computer 1.
Will be deprived of administrative rights. However, originally, homepage
Other than the "80" port used to browse
Messages are frequently sent to ports.
For the most part, it is distinguished from normal browsing access.
Suspicious access detected by network monitoring device
Will be done. Therefore, if unauthorized access is detected,
If the session is blocked,
IP (Internet Protocol) address of unauthorized access source
Request for communication interruption from the server, monitoring console (not shown)
Notification of f. By such a method, DMZ8
Damage from attacks on WWW server 3 installed in Japan
It is aimed at prevention. [0014] However, the prior art
Various problems that cannot be dealt with by unauthorized access monitoring methods
is there. In other words, countermeasure information on security holes
Indicates that the server application user
Security measures are determined to prevent damage
First, from the application developer side,
It is announced to the general user of the computer 1. Therefore, general
Everyone (including hackers), including users, is secure
It is easy to obtain countermeasure information on Tihole.
Wear. However, in practice, all users (external computer
1) is the same as when security hole countermeasure information was released.
Later, security measures are not taken immediately.
No. As a result, hackers lurking in the external computer 1
Aiming for security holes that have been identified
Without being discovered by the network monitoring device 4,
It is also possible to strangely enter the WWW server 3 illegally
You. [0015] In addition, the password for the administrator in some way
Was stolen and used an authorized password to become an administrator
If spoofed, WWW server 3 and network supervisor
It is very difficult for both viewing devices 4 to detect unauthorized intrusion.
It becomes difficult. In some cases, external computers of general users
For the first time since Data 1 accessed to browse the homepage
Tampering may be found. In fact, companies and government offices W
In the WW server, cases of such unauthorized access are
Many have been reported. By such unauthorized access
The content that has been tampered with is the company's financial information, stock information, etc.
In some cases, large-scale damage may occur.
You. The present invention has been made in view of such circumstances.
And its purpose is to update files
The date and time, file capacity, etc. are stored in advance, and
If the file has been rewritten, the backup file
Even after replacement or tampering, it immediately returns to the state before tampering.
The old thing prevents damage from tampering.
To provide a network monitoring system that can
You. Means for Solving the Problems To solve the above problems,
For this purpose, the network monitoring system of the present invention
A predetermined network connected to an external computer via the network
Network (eg private network)
In network monitoring systems that monitor legitimate access
Network is connected to an external
WWW server open to computer and external computer
Data is private to the WWW server
Database server that stores the originals of the
Data is private and exists in the WWW server.
Files that are the same as the backup files
WWW
The server operates for a certain period after the data recording start procedure.
File monitor that periodically monitors its own file contents
Viewing means and file monitoring by this file monitoring means
When the file is updated, the date and time
File information including file capacity and database server
File comparison means for comparing with file information;
If the comparison results by the file comparison means do not match,
Changes using the files stored on the backup server
Falsification repair means to repair the contents of the file
It is characterized by having. That is, the network monitoring system of the present invention
According to the system, by any chance access from external computers
Therefore, even if the data of the WWW server is falsified,
File contents of WW server and database server (non-public
By comparing the file contents of the
If the file contents do not match, the WWW server
It can be determined that the access has been made correctly. This and
If you record the tampered area,
Server to the WWW server
By transferring the file to the
Files can be repaired automatically. by this,
To Server Administrator Using Password Obtained Incorrectly
Spoofing is quickly discovered and the data
Location can be quickly restored. The network monitoring system of the present invention
In addition to the above invention, the WWW server
When the contents of your file are changed,
A file containing the date and time of the file that was
File information storage means for storing file information;
Between the file contents and the database server file contents
If the comparison results match, the normal
And compare the contents of both files.
If the results do not match, record the changed file contents.
Change file recording means. Hereinafter, the present invention will be described with reference to the drawings.
The network monitoring system will be described in detail. Departure
Ming's network monitoring system is installed in the network.
The file contents of the WWW server and the private server
Compare file contents of a database server
The date and time of file update in the WWW server and the file
File capacity is monitored regularly. by this,
Unauthorized alteration of WWW server from external computer
Is constantly monitored. If tampering has taken place
The backup file on the WWW server.
Depending on the backup server
By replacing the file contents, the WWW server
Automatically restore file contents to the file contents before falsification
be able to. FIG. 1 shows unauthorized access of a corporate network.
Network monitoring system of the present invention for monitoring network
FIG. In other words, this diagram shows the corporate network
Monitors unauthorized access to WWW server 3 within
Network that realizes automatic restoration if it is accessed correctly
2 illustrates the concept of a network monitoring system. The present invention shown in FIG.
The configuration of the network monitoring system shown in FIG.
What is different from the system configuration of
Save backup data of WWW server 3
When the regular access is performed, the data is
Equipped with a backup server 7 for backing up data
And that the WWW server 3 has detected and
Application software for automatic repair of tampering
It is to be equipped with. In FIG. 1, the corporate network is a DM
The segment is divided into Z8 and in-house LAN9.
Then, the Internet 10 and the corporate network (DM
Firewall 2 at the contact point between Z8 and in-house LAN 9)
Is installed and access from external computer 1 is restricted.
Has been blocking unauthorized access to the corporate network
You. In DMZ8, there is a company homepage.
WWW server 3 that can be accessed from outside
Unauthorized access from computer 1 to corporate network
Network monitoring device 4 for monitoring
You. Further, a file of the WWW server 3 is connected to the in-house LAN 9.
Private server, a database server with the original
Server 6 and the WWW server 3 installed in the DMZ 8
File with the exact same content as the file
Store and back up data of WWW server 3 if necessary
Backup to prevent tampering with the WWW server 3.
And a backup server 7. The WWW server 3 has a WWW server.
3 In cooperation with its own application software,
WWW server for detecting and automatically repairing tampered parts
Application software of the third type has been introduced. did
Therefore, first, the application of such WWW server 3
The main functions of the application software will be described. In other words, this
Application software of the WWW server 3
Both have the following several functions. First, data recording on the WWW server 3 is started.
After the initial procedure, the WWW server 3
File monitoring function to monitor file contents regularly
Have. Second, when file monitoring is performed, W
The file in the WW server 3 and the private server 6 (that is,
Database server) and compare the files
File comparison function. Third, WWW server 3
When the file contents of the
Files such as date and time of file update and file capacity
Equipped with a "File Information Save Function" to save file information
ing. Fourth, file contents of the WWW server 3 and non-public
Open Server 6 (that is, database server) files
If the result of comparison with the content matches, give a constraint
Operation as usual, and file contents of both
If the result of the comparison does not match, exit from the WWW server 3.
Change file by the change operation performed by the operator before leaving
"Change file recording function" for recording No.
5, the file contents of the WWW server 3 and the private server 6
(That is, the ratio of the file contents of the database server)
If the comparison results do not match, the operator is the WWW server 3
Immediately after exiting, the files on the backup server 7
Use to repair the contents of files that have been modified (falsified)
It has a “falsification repair function”. FIG. 2 shows the network monitoring system shown in FIG.
FIG. 2 is a block diagram functionally illustrating a configuration diagram of a system. Toes
FIG. 2 shows application functions of the WWW server 3.
It is a block diagram constituted as a means. In FIG.
Network monitoring system is for homepage browsing
WWW server open to external computer 1
Access from computer 3 and external computer 1
Into the corporate network (DMZ8 and in-house LAN9)
Firewall 2 that blocks unauthorized access and external
Unauthorized access from computer 1 to corporate network
Network monitoring device 4 for monitoring and WWW server 3
A non-public database server that stores the original data
Open server 6 and the files existing in WWW server 3
Of which, at least to display a predetermined homepage
A backup that stores necessary files for falsification repair
Server 7. The WWW server 3 is a WWW server
3 for a certain period after the data recording start procedure
A file for periodically monitoring the file contents of the WW server 3
File monitoring means 11 and when file monitoring is performed, WW
The file in the W server 3 and the private server 6 (that is,
File to be compared with the file in the database server)
The file contents of the comparison means 12 and the WWW server 3 are changed
File that was eventually backed up
Save file information such as date and time and file size
The file information storage means 13 and the file of the WWW server 3
Content and private server 6 (that is, database server
B) If the comparison result with the file content of
Normal operation without giving
If the comparison result of the file contents of
Change operation performed by the operator before exiting from server 3
Change file recording means 14 for recording change files
And the file contents of the WWW server 3 and the private server 6
(That is, the ratio of the file contents of the database server)
If the comparison results do not match, the operator is the WWW server 3
Immediately after exiting, the files on the backup server 7
Use to repair the contents of files that have been modified (falsified)
Falsification (falsification) repairing means 15. Next, the present invention will be described with reference to a flowchart.
Network monitoring system detects file falsification
Explains the flow of operation when performing file and file automatic repair
I do. FIG. 3 shows a network monitoring system according to the present invention.
Operation when the system detects falsification of files and automatically repairs them.
It is a flowchart which shows a flow. This flowchart
In the case of, the specified change operation by the external computer is completed.
The entered file is legitimate
Show the flow of the operation of comparing and judging whether or not tampering is detected
I have. Hereinafter, the operation according to the flowchart shown in FIG.
Explain the work. In this application, always
File monitoring means 11 in the background with WWW server 3
I regularly monitor the files inside. At this time,
Each time an access is made by the computer 1,
First, file comparison processing by the file comparison means 12
Is performed. This means that files are monitored regularly.
First, by the file monitoring means 11, the WW
File information in the W server 3 is read periodically
(Step S1). Then, the file comparison means 12
The read WWW server 3 file and the private server
6 (database server)
Comparison with the file. At this time, the private server 6
(Database server) files and W
The object to be compared with the file of the WW server 3 is a file
Update date and time and file size (that is,
File information such as file size (step S
2). Thus, the file comparison means 12
Is the file of the WWW server 3 and the private server 6 (data
Database server) and perform comparison processing (step
Step S3), if the file information of both servers matches
If (YES in step S3), the process proceeds to step S1.
The file monitoring means 11 returns
Continue to monitor information regularly. Such regular monitoring
The processing is performed as needed at predetermined time intervals. In addition, an operation from the external computer 1
When the file contents of the WWW server 3 are changed
Indicates that the file information storage unit 13 stores the changed file
Save file information such as the date and time of
You. Therefore, the file contents of the WWW server 3 are changed.
When the file information is saved, the WWW server 3
File update date and file size stored in column 13
File information such as the private server 6 (database
Will not match the file information of the server). like this
The file contents of the WWW server 3 and the private server 6
(That is, the ratio of the file contents of the database server)
If the comparison results do not match (NO in step S3)
If the change file recording means 14 is the WWW server 3
Changes made by the operator before exiting.
The file is recorded (step S4). That is, when such a change operation is performed,
In this case, it is possible that an unauthorized access person has entered the WWW server 3.
It is expected that the property is extremely high. Therefore, tampering
The recovery means 15 sends the WWW to the backup server 7.
Request the original file corresponding to the modified file on server 3
(Step S5). And the backup server 7
Saves the file that is
Server 7 to the WWW server to replace the file
U. As a result, the file content of the WWW server 3 becomes
Restores the contents of the file before the change was made (step
Step S6). That is, the external computer 1
Access to WWW server 3 via network 10
In the case, the WWW server 3 determines whether or not the
Monitor file update date and file size regularly
You. On the other hand, the private server 6, which is a database server,
Since the original of the file of WWW server 3 is stored,
Date and time of file update and file capacity of WWW server 3
Is the file information of the original recorded on the private server 6.
It is compared with the news at any time. As a result, the WWW server 3
Judgment that file update date and file size have been changed
Unauthorized access from external computer 1
Is deemed to have been tampered with by the WWW server
3 to store backup data based on the request from
Backup server 7 is
And send the file for repair. This allows the server
While being able to detect impersonation to the administrator,
Falsified files can be automatically repaired. As described above, the network of the present invention is
Network monitoring system is a traditional network monitoring system
Add a backup server to the
Backup server stores the backup data of the WWW server.
I have. Therefore, if hackers or the like
If the WWW server data has been tampered with, the WWW server
Where the data was tampered with and stored on the backup server
Using the data, the data in the tampered area is automatically converted to the original data.
Can be repaired. Or, of the WWW server
If part of the data has been tampered with, the WWW server may have been tampered with
Stored on the backup server without recording the location
Rewrite all data of WWW server with data
It can be automatically repaired. That is, the network monitoring system of the present invention
According to the system, the file contents and database of the WWW server
The file contents of the server (private server)
If the files do not match, WWW
It is assumed that the server has been accessed illegally. And
Backup files that contain backup files
Normal file transfer from backup server to WWW server
To repair the file. At this time, unauthorized access
Process in the background without the
Automatically records the contents of all operations and changes.
Immediately after the legitimate access user exits the WWW server and before tampering
Can be automatically restored to the state. Therefore, the present invention
By applying a network monitoring system,
Damages to unauthorized access to servers in business
It can be kept to a minimum.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a configuration diagram of a network monitoring system of the present invention for monitoring unauthorized access of a corporate network. FIG. 2 is a functional block diagram of the configuration of the network monitoring system shown in FIG. 1; FIG. 3 is a flowchart showing a flow of an operation when the network monitoring system according to the present invention performs falsification detection and automatic restoration of data. FIG. 4 is a configuration diagram of a conventional network monitoring system for monitoring unauthorized access of a corporate network. [Description of Signs] 1 external computer, 2 firewall, 3W
WW server, 4 network monitoring device, 6 private server, 7 backup server, 8 DMZ (DeMilita
9 Internal LAN, 10 Internet, 11 File monitoring means, 12 File comparison means, 13 File information storage means, 14 Changed file recording means, 15 Falsification recovery means.

Claims (1)

Claims: 1. A network monitoring system for monitoring unauthorized access to a predetermined network connected to an external computer via the Internet, wherein the network is connected to the external computer via the Internet. A WWW server to be disclosed; and a WWW server that is not disclosed to the external computer,
A database server for storing an original file of a WW server;
A backup server that stores the same file as a file existing in the WWW server for backup, and the WWW server periodically monitors its own file content for a certain period after the data recording start procedure. A file monitoring unit that performs file monitoring by the file monitoring unit, and a file comparison unit that compares file information including an update date and time and a file capacity of its own file with file information of the database server; A network monitoring system comprising: a falsification repairing means for repairing the contents of the changed file by using the file stored in the backup server when the comparison result by the file comparing means does not match. .