JP2003204358A - Intrusion detector, intrusion detection method, and intrusion detection program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent an unexpected defeat through carelessness by executing analysis processing at high speed even if it does not perform packet analysis in parallel. <P>SOLUTION: An intrusion detector is provided with a traffic monitoring means (6) which observes the traffic of a network (2) where a packet (4) flows and outputs an observed traffic value, and a packet analysis means (7) which decides on which analysis item to perform unfair access analysis based on the observed traffic value outputted by the above traffic monitoring means (6), and performs unfair access analysis as to a packet that the above traffic monitoring means has observed. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a computer network system, and more particularly to an unauthorized access detection device, an unauthorized access detection method, and an unauthorized access detection program for ensuring security by detecting unauthorized access from the outside. is there.

[0002]

2. Description of the Related Art FIG. 10 shows, for example, Japanese Patent Laid-Open No. 2001-946.
The conventional unauthorized access detection device shown in No. 02 intends to divide the analysis process for each packet type. In FIG. 10, the packet acquisition units 1003a to 1003n acquire packets 1002a to 1002n transmitted via the network 1001, and the packet storage unit 1004 temporarily records all of them. Next, the packet storage unit 1004 analyzes each recorded packet by a predetermined algorithm, classifies the packet into a plurality of types, and sends the packets to the packet analysis units 1005a to 1005n corresponding to the types. The packet analysis units 1005a to 1005n are provided for each packet type (classification). Then, the classified packets are respectively analyzed by appropriate analysis units 1005a to 1005n.
When the packet is analyzed with respect to a predetermined analysis item and is determined to be an unauthorized packet, the characteristics thereof are recorded in the unauthorized access database 1006, and the determination result is notified.
7 to notify the system administrator 1008. By doing so, the analysis processing is parallelized and the load is distributed to perform the analysis processing at a high speed to prevent the packet acquisition unit from dropping packets.

[0003]

As described above, in the conventional unauthorized access detection device, a plurality of analysis units perform analysis processing according to the type of packet. Therefore, in order to speed up the processing and prevent packet drops in the conventional example, implementation on a multi-task OS is a prerequisite.
Further, it is necessary to provide the packet analysis units in parallel.

The present invention has been made in order to solve the above problems, and an object of the present invention is to perform analysis processing at high speed without preventing packet analysis in parallel and prevent dropped packets. .

[0005]

An intrusion detection device according to the present invention observes traffic of a network through which a packet flows, and a traffic monitoring means for outputting an observed traffic value and an unauthorized access analysis of whether the packet is an unauthorized access packet. Packet analysis means for performing a predetermined analysis item, determining which analysis item to perform the unauthorized access analysis based on the observed traffic value output by the traffic monitoring means, and the packet observed by the traffic monitoring means. And packet analysis means for performing unauthorized access analysis.

Further, the unauthorized intrusion detection device according to the present invention is
The packet analysis means has an analysis item list composed of a plurality of analysis items and an analysis flag corresponding to each analysis item, which is either set or unset, and the observation traffic output by the packet monitoring means. Depending on the magnitude relationship between the value and the observed traffic threshold which is a predetermined threshold, it is determined whether to analyze the unauthorized access analysis or to analyze the unauthorized access for all analysis items depending on the state of the analysis flag in the above analysis item list. It is something that is done.

An unauthorized intrusion detection device according to the present invention is
The packet analysis means is configured to perform the unauthorized access analysis only on the analysis item having the analysis flag set in the analysis item list when the observed traffic value is equal to or more than the observed traffic threshold value.

The unauthorized intrusion detection device according to the present invention is
The packet analysis means further includes a priority order storage means, and the packet analysis means includes an analysis item list including a plurality of analysis items each having one of a plurality of levels of priority order, and the observed traffic value is In the case where the priority is equal to or higher than the observation traffic threshold, the unauthorized access analysis is performed on the analysis item having the higher priority than the priority stored in the priority storage means.

An unauthorized intrusion detection device according to the present invention is
The packet analysis means has a plurality of observation traffic thresholds each having a different value, and has an analysis item list including a plurality of analysis items each of which is given one of a plurality of priority levels, According to the relationship between the observed traffic value and the plurality of observed traffic thresholds, which priority order analysis item is to be analyzed for unauthorized access is determined.

The unauthorized intrusion detection device according to the present invention is
The packet analysis means has an analysis item list including a plurality of analysis items, a category to which each analysis item belongs, and an analysis flag corresponding to each category and being in a state of either setting or non-setting. Depending on the magnitude relationship between the observed traffic value output by the monitoring means and the observed traffic threshold that is a predetermined threshold, determine the category of the analysis item to be analyzed for unauthorized access depending on the state of the analysis flag in the above analysis item list, or perform all analysis. It decides whether to analyze unauthorized access for an item.

The unauthorized intrusion detection device according to the present invention is
An analysis standby buffer is further provided, and the packet monitoring means outputs the traffic observed within a sampling period of a predetermined length as an observation traffic value at each end of the sampling period, and the analysis standby buffer is provided with the analysis standby buffer during the sampling period. The packet observed by the packet monitoring means is stored, and the stored packet is transmitted to the packet analysis means every time the sampling period ends.

Further, the unauthorized intrusion detection device according to the present invention is
Filtering information storage means and filtering means are further provided, and the filtering information storage means stores filtering information for determining whether or not to transmit a packet flowing through a network to the traffic monitoring means, and the filtering means, With reference to the filtering information storage means, it is determined whether or not to transmit to the traffic monitoring means depending on whether or not any of the filtering information is included in the header information part of the packet flowing through the network, The packet monitoring means observes traffic in which a packet is transmitted from the filtering means to the packet monitoring means and outputs an observed traffic value, and the packet analysis means uses the observed traffic value output by the traffic monitoring means. Based It determines whether to perform an unauthorized access analysis for any analysis item, in which to perform an unauthorized access analysis of packets which the traffic monitoring means has observed.

The unauthorized intrusion detection device according to the present invention is
The unauthorized access notification unit further includes an unauthorized access notification unit and a notification content storage unit. The unauthorized access notification unit issues an unauthorized access detection notification according to an instruction of the packet analysis unit when the unauthorized access packet is detected by the analysis unit. When the unauthorized access packet is transmitted to the outside, the notification content storage means stores the unauthorized content when the unauthorized access packet is detected by the packet analysis means, and when the unauthorized packet is detected by the packet analysis means, the unauthorized access packet is detected. If notification content verification is performed to verify whether the detected unauthorized content, which is the unauthorized content, is stored in the notification content storage means, and if the same unauthorized content as the detected unauthorized content is stored in the notification content storage means, The same fraudulent content as the detected fraudulent content is displayed above without instructing the fraudulent notification means to send the fraud detection notification. Not stored in the knowledge content storage means, in which the illegal contents said detectable and so issues an instruction for transmitting a fraud detection notifies the unauthorized access notification means stores in said illegal content storage means.

The unauthorized intrusion detection device according to the present invention is
The fraud content is the name of the analysis item in which fraud was detected.

The unauthorized intrusion detection device according to the present invention is
As a result of detecting the unauthorized access packet and verifying the notification record, the packet analysis means, if the unauthorized content of the unauthorized access packet is stored in the notification content storage means, sends the unauthorized access notification means to the unauthorized access detection means. It is configured such that the instruction to transmit is not issued and the unauthorized content of the unauthorized access packet is deleted from the notification content storage means.

An unauthorized intrusion detection device according to the present invention is
The packet analysis means is configured to delete the illegal content from the notification content storage means when a predetermined time has elapsed since the illegal content was stored in the notification content storage means.

The unauthorized intrusion detection device according to the present invention is
When the notification record verification is performed a predetermined number of times on the same fraud detection content, the packet analysis means deletes the fraud content same as the fraud detection content from the notification content storage means.

The unauthorized intrusion detection device according to the present invention is
The traffic monitoring means observes the number of packets per unit time flowing through the network as the traffic of the network, and outputs the observed number of packets per unit time as an observed traffic value, and the packet analysis means comprises the network analyzer. A predetermined value of the number of packets per unit time flowing through is used as the observation traffic threshold value.

The unauthorized intrusion detection device according to the present invention is
The traffic monitoring means observes a data amount per unit time flowing through the network as traffic of the network, outputs the observed data amount per unit time flowing through the network as an observed traffic value, and the packet analyzing means. In the above, the predetermined value of the data amount per unit time flowing through the network is used as the observation traffic threshold.

The unauthorized intrusion detection device according to the present invention is
The traffic monitoring means observes a time interval of packets flowing through the network as traffic of the network, outputs a time interval of packets flowing through the observed network as an observed traffic value, and the packet analysis means determines the network A predetermined value of the number of packets flowing per unit time is set as the above-mentioned observed traffic threshold, and the shorter the time interval of packets flowing through the network, the larger the traffic.

The unauthorized intrusion detection method according to the present invention is
A traffic monitoring step of observing the traffic of the network through which the packet flows and outputting the observed traffic value, and a packet analysis step of performing an unauthorized access analysis of whether the packet is an unauthorized access packet for a predetermined analysis item, wherein the traffic monitoring means comprises: A packet analysis step of determining which analysis item to perform the unauthorized access analysis based on the output observed traffic value and performing the unauthorized access analysis on the packet observed by the traffic monitoring means.

An intrusion detection program according to the present invention is an intrusion detection program for causing a computer to execute the following (a) traffic monitoring step and (b) packet analysis step. (A) a traffic monitoring step of observing the traffic of the network through which the packet flows and outputting the observed traffic value; (b) a packet analysis step of performing an unauthorized access analysis of whether the packet is an unauthorized access packet for a predetermined analysis item. A packet analysis step of determining which analysis item to perform the unauthorized access analysis based on the observed traffic value output by the traffic monitoring means, and performing the unauthorized access analysis on the packet observed by the traffic monitoring means.

[0023]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiment 1. Embodiment 1 will be described with reference to FIGS. 1 and 2. FIG. 1 is a block diagram of a system including an intrusion detection device according to this embodiment, and FIG. 2 is a diagram of an analysis item list according to this embodiment.

In FIG. 1, 1 is an intrusion detection device, 2 is a network to which this intrusion detection device is connected, 3 is a system administrator who manages the intrusion detection device 1, 4 is a packet flowing through the network, and 5 is the above. Communication means for transmitting and receiving packets 4 to and from the network 2, 6 for packet monitoring means for monitoring the amount of acquired packets, 7 for packet analyzing means for judging whether the received packets are illegal, and 8 for illegal Access notification means for notifying the system administrator 3 when there is such a packet, and 9 is an input means for the system administrator 3 to input various setting items and the like to the intrusion detection device 1, a keyboard, a monitor. Etc. The packet 4 is composed of a header information part and a data part as is well known, and a source address, a destination address, a protocol number, etc. are recorded in the header information part.

FIG. 2 is a diagram showing an analysis item list 11 held by the packet analysis means 7. As shown in FIG. 2, the analysis item list 11 has a table format including a plurality of analysis items 12 and an analysis flag 13 indicating 0 or 1 corresponding thereto. The system administrator 3 can input via the input means 9 which item is to be an analysis item and which analysis item has an analysis flag to be set (1). The states where the analysis flag is 0 or 1 are called non-setting and setting, respectively.

Each unit of the intrusion detection device 1 operates by a CPU (not shown) according to an intrusion detection program stored in a storage device (not shown). Further, the packet monitoring means 6 and the packet analysis means 7 are composed of dedicated hardware or programs stored in the storage device and a memory (not shown). Analysis item list 11
Are stored in the storage device.

Next, the operation will be described. First, the intrusion detection device 1 receives the packet 4 from the external network 2 through the communication means 5, and then the packet monitoring means 6 counts the number of packets received per unit time. Next, the packet analysis means 7 refers to the analysis item list 11 and analyzes whether or not the received packet 4 is illegal. This analysis is called unauthorized access analysis.

An example of the analysis method will be described. The analysis methods can be broadly classified into pattern matching and statistical methods. First, an example of pattern matching will be described. For example, if the analysis item indicates a buffer overflow attack on the mail server,
Analyze whether the packet has the following pattern. TCP header part Destination port number = 25 (indicating that it is SMTP) Judge whether the argument of smtp command below TCP data part is 128 bytes or more. "Helo""mailfrom:""rcptto:""vrfy""expn" Next, an example of the statistical method will be described. For example, if the analysis item indicates a SYN flood attack, it is analyzed whether or not there are a certain number (for example, 100) or more of the following packets within a certain period of time (for example, 10 seconds). Destination address of IP header part is common SYN flag of TCP header part is 1, SYN flag is 0 In the above two examples, analysis item 12 assumes an identifier for identifying an attack, and the identifier is It is assigned by the user for each attack, but it does not have to be an identifier. In the case of pattern matching, it may be information for pattern matching such as an analysis method (information indicating analysis by pattern matching), a port number, an address, and a character string. In the case of the statistical method, information for extracting the packet to be counted (information indicating that analysis is performed by the statistical method, and in the above example, the address, SYN and ACK flag states,
The monitoring time (fixed time) and the number of collections (fixed number) may be used.

At the time of this analysis, for example, assuming that the threshold value of the number of packets to be acquired is 100 per second, the packet analysis unit 7 receives the number of packets received from the packet monitoring unit 6 in the past 1 second (the number of packets acquired per unit time). ) Received,
When the number of packets acquired per unit time is less than 100, the packet analysis unit 7 analyzes all analysis items 12. Hereinafter, this is referred to as all-item analysis. On the other hand, when 100 or more packets have been received in the past 1 second, the packet analysis unit 7
Does not analyze all the analysis items 12 in the analysis item list 11, but analyzes only the items for which the analysis flag 13 is set (the items for which the analysis flag 13 indicates 1).
Hereinafter, this is referred to as selective analysis. As is clear from the above description, the packet monitoring unit 6 sends the packet 4 to the packet analysis unit 7 and the unit time packet acquisition number. The system administrator 3 can also input the packet acquisition number threshold value via the input means 9.

The packet monitoring means 6 is the traffic monitoring means in the present invention. The period during which the packet monitoring means 6 counts the number of packets is called a sampling period, and the length of the sampling period is called a sampling time. The unit time packet acquisition number is the observation traffic value in the present invention, and the packet acquisition number threshold value is the observation traffic threshold value in the present invention. Whether the analysis by the packet analysis means 7 is the all-item analysis or the selective analysis is called an analysis mode. The step of counting and outputting the packet acquisition number per unit time by the packet monitoring means 6 is the traffic monitoring step of the present invention, and the step of the unauthorized access analysis means performing the unauthorized access analysis in the analysis mode based on the packet acquisition number threshold is the packet of the present invention. This is an analysis step.

As described above, it is possible for the system administrator 3 to input via the input means 9 which item is to be an analysis item and which analysis item has an analysis flag to be set. Further, the system administrator 3 can also input the packet acquisition number threshold value via the input means 9.

If an unauthorized packet is detected as a result of the analysis by the packet analysis means 7, the unauthorized access notification means 8 notifies the system administrator 3 by e-mail or the like according to the instruction of the packet analysis means 7. This notification is called a “fraud detection notification”, and this unauthorized packet is called an unauthorized access packet. The fraud detection notification includes “fraud detection analysis item” indicating the analysis item in which the unauthorized access is detected.

As described above, when the load on the network increases (traffic increases) and the threshold value (packet acquisition number threshold value) specified in advance is exceeded, only the specified analysis item specified in advance is analyzed. As a result, the analysis time per packet can be shortened, dropped packets can be prevented, and some analysis can be performed on all packets. Then the analysis can be performed in real time. As a result, it is possible to solve the problem that the unauthorized access cannot be detected because the dropped packet includes the unauthorized packet.

In the above description, the sampling time is set to 1 second, and the unit time packet acquisition number (packet acquisition number / second) is calculated from the packet acquisition number during this period, but the sampling time is not limited to this, and the unit The number of time packets acquired = the number of packets acquired within the sampling time / the number of packets acquired per unit time may be calculated from the sampling time. For example, if the sampling time is shortened, the number of analysis items can be finely adjusted.

In the above description, the system administrator 3 inputs each setting item (analysis item, analysis flag, packet acquisition number threshold, etc.), but a fixed value may be set in advance. In this case, the system administrator 3 does not need to input the setting items, which simplifies the operation. Further, among the above setting items, those having a fixed value and those which can be set by the system administrator 3 may be mixed. The sampling time of the packet monitoring means 6 may also be input by the system administrator 3.

In the above description, the analysis items in the analysis item list 11 are analyzed with respect to the analysis items when the received amount of packets per unit time (the number of packet acquisitions per unit time) exceeds the threshold value (threshold number of packet acquisitions) specified in advance. Flag 13 to 0,
Although two states are set as 1 or not to be analyzed, the state is not limited to two states. In consideration of the execution environment, the degree of influence when attacked, the degree of importance, etc., as shown in FIG. 3, each analysis item is set with a multi-step priority order 14 such as 1, 2, 3, 4, and 5. If the unit time packet acquisition count exceeds the packet acquisition count threshold, for example, the priority is set to 3 or less (3, 2, 1), that is, only the analysis items with the priority higher than 3 are analyzed. Good. Alternatively, it may be set such that only the analysis items having the priority of 3 or more are analyzed. In this case, the system administrator 3 sets the priority of each analysis item through the input means 9. Further, the system administrator 3 also sets the number of (or higher) priority analysis items to be analyzed through the input means 9 and stores them in a priority storage means (not shown) in the packet analysis means 7. The packet analysis means 7 refers to it.

In the above description, each analysis item 12
Although the example in which the analysis flag 13 or the priority order 14 is set has been described, the analysis item 12 is classified into the category 15 such as the program analysis item, the protocol analysis item, and the impact analysis item as shown in FIG. You may classify and may set the analysis flag 13 for every category.
The category and analysis flag of each analysis item may be fixed in advance, or one or both of them may be input by the system administrator 3 from the input means 9.

In the above description, the number of packets received (threshold number of packets) is only one, but there may be a plurality of thresholds. For example, the packet acquisition number threshold (packet acquisition number / second) is set to X1, X2, X3, X4 (X1 <
X2 <X3 <X4) is set, and the priorities 1 to 5 in the analysis item list of FIG. 3 are associated with these, and if the unit time packet acquisition number is less than X1, priorities 1 to 5, that is, all analyzes Items are analyzed. If X1 or more and less than X2, analysis items of priority 1 to 4, analysis items of priority 1 to 3 if X2 or more and less than X3, priority 1 or 2 if X3 or more and less than X4. If the analysis items are X4 or higher and the analysis items have the priority 1, the analysis items can be set so that as many analysis items as possible can be analyzed according to the network load. The plurality of packet acquisition number thresholds may be set by the system administrator 3 from the input means 9 at the same time when the above-mentioned priorities are set, or may be fixed in advance.

Although the packet monitoring means 6 counts the packets in the above description, the communication means 5 counts the packets and the packet monitoring means 6 checks the number of received packets periodically (the time interval T is not limited). Then, the unit time packet acquisition number = the number of received packets / the time interval T may be converted into the unit time packet acquisition number and transmitted to the packet analysis means 7. In this case, the packet monitoring means 6
Resets the count each time the check is completed, regardless of the check result.

Further, regarding the threshold value, the number of packets is used in the above description, but the processed data size may be reflected in the threshold value. For example, the size of received packets may be counted instead of the number of received packets, and the total size of received data per unit time (for example, bits / second) may be set as the threshold value. Further, both the number of packets and the reception size may be thresholds. In that case, they may be combined such that both are satisfied or either one is satisfied.
Of course, a plurality of packet acquisition number thresholds X1, X2, X3, and X4 may be held for the number of packets and the data size, and a fine threshold value may be set by combining them.

Further, in the above description, the packet acquisition number threshold value is the number of received packets per unit time or the data size, but the threshold value for determining all-item analysis or selective analysis is determined by the time interval of each packet. You may.
For example, if the threshold is set to 1/100 seconds and the packet time interval exceeds this threshold (packet interval threshold) (when the time interval is long), all items are analyzed, and the packet time interval is less than or equal to the packet interval threshold (time interval is In the case of (short case), selective analysis may be used. For that purpose, the packet monitoring means 6 is provided with a packet interval measuring means (not shown) including a timer for measuring the time interval of each packet. By doing so, it is possible to switch the mode of the unauthorized access analysis every time one packet is received, and it is possible to prevent the packet from being dropped.

Embodiment 2. The second embodiment will be described with reference to FIG. In the first embodiment, since the packet counted by the packet monitoring unit 6 during a certain sampling period is transmitted to the packet analysis unit 7 as it is, the packet is determined by the unit time packet acquisition number of the previous sampling period. It is analyzed in the analysis mode. Therefore, if traffic increases and the number of packets acquired per unit time goes from below the packet acquisition threshold to above the packet acquisition threshold, packets above the packet acquisition threshold can be temporarily analyzed in the all-item analysis mode. Yes, packets may be dropped. In this embodiment, an example will be described in which a packet is temporarily stored in a buffer before being analyzed by the packet analysis means to prevent the packet from being dropped.

In FIG. 5, parts that are the same as or correspond to those in the first embodiment are assigned the same reference numerals and description thereof will be omitted. The operation of each unit is the same as that of the first embodiment except the following description. Reference numeral 21 in FIG. 5 is an analysis standby buffer composed of a memory for temporarily storing the packets counted by the packet monitoring means 6 before transmitting them to the packet analysis means 7. The analysis standby buffer 21 has a capacity capable of storing packets for 1 second (the sampling time of the packet monitoring means 6 in this embodiment) at the time of maximum traffic of the network 2.

The packet monitoring means 6 sequentially accumulates the packets 4 counted during the sampling period in the analysis waiting buffer 21 from the start of the sampling period. At the end of the sampling period, the packet analysis unit 7 receives the unit time packet acquisition number from the packet monitoring unit 6, and determines the analysis mode depending on whether the unit time packet acquisition number exceeds the packet acquisition number threshold value. At the same time, the packets are sequentially read from the analysis standby buffer 21 and analyzed. In FIG. 5, the arrow directly connected from the packet monitoring means 6 to the packet analysis means 7 is information on the number of packets acquired per unit time transmitted from the packet monitoring means 6, and the packet to be analyzed is the packet monitoring means 6 →
The data is sent in the order of the analysis waiting buffer 21 and the packet analysis means 7.

Also in this embodiment, the first embodiment
Similarly, the system administrator 3 can input via the input means 9 which items are to be set as analysis items and which analysis items are to be set as analysis flags. The system administrator 3 can also input the acquisition number threshold value via the input means 9. At the time of this input, each setting item (analysis item, analysis flag, packet acquisition number threshold) and the processing capacity of the packet analysis means 7 must satisfy the following conditions (1) and (2). (1) The packet analysis unit 7 has a processing speed sufficient to analyze all analysis items for all packets, if the number of packets per unit time is up to the packet acquisition threshold value (100 packets per second in the above example). (2) The packet analysis unit 7 analyzes the analysis flag 1 for all packets in the maximum traffic of the network 2.
The processing speed is sufficient to analyze all analysis items 12 for which 3 is set.

If the above conditions (1) and (2) are not satisfied, packets may be dropped. Therefore, when the system administrator 3 inputs each setting item, the packet analysis means 7 calculates whether or not the above conditions (1) and (2) are satisfied, and if either condition is not satisfied, the input means is used. A warning is issued to the system administrator 3 through 9. The system administrator 3 receiving this warning changes one of the setting items interactively until the warning disappears. The processing time required for each processing item may be used for the above calculation.

By using the analysis standby buffer 21 as described above, each packet counted by the packet monitoring means 6 for determining the analysis mode is analyzed in the analysis mode determined by counting the packet. Therefore, the packet analysis unit 7 can reliably deal with the fluctuation of the traffic, and the packet drop can be prevented. In addition, since each packet 4 is temporarily stored in the analysis waiting buffer 21, it is possible to leave a processing log.

In the above description, the analysis waiting buffer 2
1 has been described as having a capacity of 1 second when the network 2 has the maximum traffic, that is, a capacity of the sampling time, but by shortening the sampling time,
The capacity of the analysis standby buffer 2 can be reduced.
However, if the sampling time is shortened, the frequency of reviewing the analysis mode in the packet analysis means 7 (changing the analysis mode or confirming that it does not need to be changed) becomes high, so the capacity of the analysis standby buffer 21 and the sampling time are reduced. It is necessary to consider each other before making a decision. Further, although the buffer 21 is a memory in the above description, any other device such as a disk device may be used as long as it can store information.

Embodiment 3. Embodiment 3 FIG. 6 and FIG.
Will be explained. In the first and second embodiments, the dropout of the packet is prevented by narrowing down the analysis items, but here, an example of preventing the dropout of the packet by narrowing down the packet to be analyzed will be described.

In FIG. 6, parts that are the same as or correspond to those in the first embodiment are assigned the same reference numerals and description thereof will be omitted. The operation of each unit is the same as that of the first embodiment except the following description. Reference numeral 31 is a filtering means for performing a filtering operation on the packet acquired by the communication means 5, 32 is a filtering information storage means for storing the filtering information table 33 of FIG. 7 which is referred to when the filtering means 31 performs the filtering operation. is doing. As shown in FIG. 7, the filtering information table 33 includes a source address, a destination address, a protocol (AR) of each packet.
P / IP / ICMP / UDP / TCP other), source port number (udp.t
cp), the destination port number (udp.tcp), and the like are classified into filtering information categories 34, which are categories of the filtering information 35. The filtering information 35 is included in the header information part of the packet 4. This filtering information table 33 is for setting conditions for extracting packets that need to be analyzed for unauthorized access, and can be input by the system administrator 3 via the input means 9.

The filtering means 31 detects the source address, destination address, protocol, etc. of the packet 4 acquired by the communication means 5 and refers to the filtering information table 23 to check the packet 4 if it matches any of the filtering information 35. Send to means 6. The subsequent operation is similar to that of the first embodiment, and the analysis mode in the packet analysis means 7 is determined by the number of packets acquired per unit time, and the unauthorized access analysis is performed.

As described above, since the filtering means 31 is provided and the unauthorized access analysis is performed only on the packets matching the filtering information, it is possible to drop the packets which need the unauthorized access analysis even if the network traffic becomes higher. It can be prevented.

In the above description, the filtering means 3
1 has described the example in which the unauthorized access analysis is performed if it matches any of the filtering information 35. For example, a plurality of filtering information categories such as a source address and a destination address are designated, and the designated filtering information category is designated. Unauthorized access analysis may be performed on only packets that have matching filtering information for all. The filtering information category to specify is 1
You can choose one. The system administrator 3 can specify the filtering information category by using the input unit 9. As a result, even if the traffic of the network becomes higher, it is possible to prevent the packet for which the unauthorized access analysis is necessary from being dropped.

In the above description, the packet that matches the filtering information is used as the analysis target. Conversely, the packet that does not match the filtering information may be the analysis target, or the packets that do not match may be combined.

Embodiment 4. Embodiment 4 will be described with reference to FIGS. 8 and 9. FIG. 8 is a configuration diagram of a system including the intrusion detection device according to this embodiment. In the above-described first to third embodiments, an example has been described in which the analysis items or packets targeted for analysis are narrowed down by the load of the received packet to prevent the packet drop. However, for example, if this intrusion detection device 1 is equipped with a single CPU, even if the analysis items and packets are narrowed down, if a specific unauthorized access is repeatedly received, an action (mail / warning) Notification, communication by original protocol, recording in log file, etc.) becomes a load,
The original process (packet acquisition, analysis) cannot be performed, and packets may be dropped. In this embodiment, an example of preventing packet drop when a specific unauthorized access is received many times will be shown.

In FIG. 8, those parts which are the same as or correspond to those in FIG. 1 of the first embodiment are designated by the same reference numerals, and description thereof will be omitted.
The operation of each unit is the same as that of the first embodiment except the following description. In FIG. 8, reference numeral 41 denotes a notification content storage means including a memory for storing the content notified from the unauthorized access notification means 8 to the system administrator 3 as a result of the unauthorized access analysis of the packet analysis means 7. An unauthorized access record 42 as shown in 9 is stored. The unauthorized access record 42 stores the unauthorized access numbers 43, which are numbers assigned to the unauthorized access in the past, and the analysis items to which the unauthorized content 44 of each unauthorized access relates.

The operation will be described. When the packet analysis unit 7 determines that there is an unauthorized access, as in the first embodiment, the system administrator 3 receives the unauthorized access notification unit 8 from the unauthorized access notification unit 8.
To notify. The notification (fraud detection notification) includes a “fraud detection analysis item” indicating an analysis item in which an unauthorized access is detected. At this time, the notification content storage unit 41 stores the fraud detection analysis item. . At the time of this storage, the unauthorized access record 42 of FIG. 9 is added with the unauthorized access number of the maximum unauthorized access number + 1 so far, and the unauthorized access analysis items (for example, analysis items A, B, etc.) It is stored as 44.

After that, when the packet analysis means 7 determines again that there is an unauthorized access, the notification content storage means 41 is referred to, and the content of the unauthorized access (detected unauthorized content) is stored in the unauthorized access record 42. Verify whether or not it matches the incorrect content (for example, whether the analysis items match), and if there is a matching analysis item,
The unauthorized access notification means 8 is not instructed to notify the system administrator 3. At the same time, this unauthorized content and the unauthorized access number P corresponding thereto are deleted from the unauthorized access record 42, and the number of unauthorized access exceeding P is incremented by one. This is called unauthorized access record deletion. If there is no matching analysis item, the unauthorized access notification means 8 notifies the system administrator 3 of the detected unauthorized access, and the notification content storage means 41 newly stores the notification content. This is called unauthorized access record registration. Verification of the unauthorized access record 42 by the packet analysis means 7 referring to the notification content storage means 41 is called notification record verification.

As described above, when a specific unauthorized access is repeated, it is possible to omit the notification process to the system administrator of the unauthorized access for the next unauthorized access. The CPU processing can be reduced and the processing can be sent to the packet acquisition processing and the analysis processing.

In the above description, the unauthorized access record 4
2 shows an example in which a plurality of unauthorized accesses are recorded, but only one unauthorized access may be recorded. In this case, the unauthorized access number is not necessary and only the unauthorized contents may be stored.

Further, in the above example, the notification processing regarding the same unauthorized access can be omitted only once, but when the unauthorized access is newly recorded in the unauthorized access record 42, the time when the unauthorized access is performed on the unauthorized content 44. Is recorded, and the same unauthorized access is repeated within the fixed time T1 (elapsed time), the notification is made without notification.
You may make it notify only when it exceeds. Unauthorized access record deletion is performed for the unauthorized access that has passed the predetermined time T1 (predetermined time) since the first unauthorized access. The fixed time T1 is referred to as an unauthorized access notification stop time.

Alternatively, the number of times of unauthorized access may be used. For this purpose, when the same unauthorized access is repeated, the number of times of unauthorized access is recorded in the unauthorized content 44, and when the number of times is less than the fixed number Q, the notification may not be performed. If the number of times exceeds a certain number Q (predetermined number), the unauthorized access record is deleted.
This fixed number Q is called the unauthorized access notification stop count.

The unauthorized access notification suspension time T1 and the unauthorized access suspension notification count Q can be input from the input means 9 to the packet analysis means 7 by the system administrator 3.
In this way, by changing the timing and the number of times of notification according to the content of the notification, it becomes possible to finely execute or stop the notification processing.

The above-mentioned unauthorized access notification suspension time T1
The number of unauthorized access stop notifications Q is determined by the analysis item, and may not be constant for each analysis item.

In the above description, the unauthorized access record deletion is performed by the packet analysis means 7, but it may be performed by the notification content storage means 41. In this case, the unauthorized access notification stop time T1 and the unauthorized access stop notification count Q may be input from the input means 9 to the notification content storage means 41 by the system administrator 3.

Further, in order to more reliably prevent dropped packets, the unauthorized access notification means 8 and the notification content storage means 41 may be managed by different CPUs to distribute the processing.

[0067]

As described above, according to the present invention, which analysis item is to be subjected to the unauthorized access analysis is determined according to the network traffic, so that there is an effect that an unauthorized packet is not dropped.

Further, according to the present invention, since the analysis waiting buffer is provided, there is an effect that the packet analyzing means can surely deal with the fluctuation of the traffic.

Further, according to the present invention, since the packets are narrowed down by the filtering means, it is possible to prevent the missed packets.

Further, according to the present invention, it is possible to reduce the CPU processing even when a specific unauthorized access is repeated.

[Brief description of drawings]

FIG. 1 is a configuration diagram of a system including an intrusion detection device according to a first embodiment of the present invention.

FIG. 2 is a diagram of an analysis item list according to the first embodiment of the present invention.

FIG. 3 is a diagram of an analysis item list according to another embodiment of the first embodiment of the present invention.

FIG. 4 is a diagram of an analysis item list according to another embodiment of the first embodiment of the present invention.

FIG. 5 is a configuration diagram of a system including an intrusion detection device according to a second embodiment of the present invention.

FIG. 6 is a configuration diagram of a system including an intrusion detection device according to a third embodiment of the present invention.

FIG. 7 is a diagram of a filtering information table according to the third embodiment of the present invention.

FIG. 8 is a diagram of a filtering information table according to the fourth embodiment of the present invention.

FIG. 9 is a diagram of an unauthorized access record according to the fourth embodiment of the present invention.

FIG. 10 is a block diagram of a conventional intrusion detection system.

[Explanation of symbols]

1 intrusion detection device, 2 network, 3 system administrator, 4 packets, 5 communication means, 6 packet monitoring means, 7 packet analysis means, 8 unauthorized access notification means, 9 input, 4 packets, 11
Analysis item list, 12 analysis items, 13 analysis flags, 14 priority, 15 categories, 21
Analysis standby buffer, 31 filtering means, 3
2 filtering information storage means, 33 filtering information table, filtering information category,
35 Filtering Information, 41 Notification Content Storage Means, 42 Unauthorized Access Records, 43 Unauthorized Access Numbers, 44 Unauthorized Content 44, 1001 Network, 1002a-1002n Packets, 1003
a to 1003n packet acquisition unit, 1004 packet storage unit, 1005a to 1005n packet analysis unit, 1006 unauthorized access database, 100
7 Notification section, 1008 System administrator

Claims (18)

[Claims] 1. A traffic monitoring means for observing traffic of a network through which a packet flows and outputting an observed traffic value, and a packet analysis means for carrying out an unauthorized access analysis on whether a packet is an unauthorized access packet or not for a predetermined analysis item. A packet analysis means for deciding which analysis item to perform the unauthorized access analysis based on the observed traffic value output by the traffic monitoring means, and performing an unauthorized access analysis for the packet observed by the traffic monitoring means. An unauthorized intrusion detection device characterized by the above. 2. The packet analysis means includes an analysis item list including a plurality of analysis items and an analysis flag corresponding to each analysis item and being in a set or non-set state. Depending on the size relationship between the observed traffic value output by the and the observed traffic threshold that is a predetermined threshold, determine the analysis item to be analyzed for unauthorized access according to the state of the analysis flag in the above analysis item list, or unauthorized access for all analysis items The intrusion detection device according to claim 1, wherein it is determined whether to analyze. 3. The packet analysis means, when the observed traffic value is equal to or more than the observed traffic threshold value, performs the unauthorized access analysis only on the analysis item for which an analysis flag is set in the analysis item list. The unauthorized access detection device according to claim 2, 4. A priority order storage means is further provided, and the packet analysis means has an analysis item list including a plurality of analysis items each of which is given one of a plurality of priority levels, The unauthorized access analysis is performed on an analysis item having a higher priority than the priority stored in the priority storage means when the observed traffic value is equal to or higher than the observed traffic threshold. Intrusion detection device. 5. The packet analysis means has a plurality of observation traffic thresholds each having a different value, and an analysis item list including a plurality of analysis items to which any one of a plurality of levels of priority is assigned. The unauthorized intrusion detection device according to claim 1, further comprising: determining the priority analysis item to be analyzed for unauthorized access based on the relationship between the observed traffic value and the plurality of observed traffic thresholds. 6. The packet analysis means includes an analysis item list including a plurality of analysis items, a category to which each analysis item belongs, and an analysis flag corresponding to each category and set or not set. The category of the analysis item to be subjected to the unauthorized access analysis is determined by the state of the analysis flag in the analysis item list according to the magnitude relationship between the observation traffic value output by the packet monitoring means and the observation traffic threshold value which is a predetermined threshold value. The intrusion detection device according to claim 1, wherein it is determined whether or not to perform unauthorized access analysis for all analysis items. 7. An analysis standby buffer is further provided, and the packet monitoring means outputs the traffic observed within a sampling period of a predetermined length as an observed traffic value at each end of the sampling period, and the analysis standby buffer is The packet observed by the packet monitoring means is stored within a sampling period, and the stored packet is transmitted to the packet analyzing means at each end of the sampling period.
To the unauthorized intrusion detection device according to claim 6. 8. A filtering information storage means and a filtering means are further provided, wherein the filtering information storage means stores filtering information for determining whether to transmit a packet flowing through a network to the traffic monitoring means, Whether or not the filtering means refers to the filtering information storage means and transmits to the traffic monitoring means depending on whether or not any of the filtering information is included in the header information part of the packet flowing through the network. The packet monitoring means observes traffic in which packets are transmitted from the filtering means to the packet monitoring means and outputs an observed traffic value, and the packet analysis means outputs the traffic monitoring means. Observation tiger It determines whether to perform an unauthorized access analysis for any analysis item based on Ikku value, intrusion detection apparatus according to claim 1, characterized in that the illegal access analysis of packets which the traffic monitoring means has observed. 9. The unauthorized access detection device according to claim 1, further comprising an unauthorized access notification unit and a notification content storage unit, wherein the unauthorized access notification unit is the analysis unit. When an unauthorized access packet is detected by the means, a fraud detection notification is transmitted to the outside of the fraud detecting device according to an instruction of the packet analysis means, and the notification content storage means detects the unauthorized access packet by the packet analysis means. When the unauthorized access packet is detected, the packet analysis unit stores the unauthorized content at the time and verifies whether the detected unauthorized content, which is the unauthorized content of the unauthorized access packet, is stored in the notification content storage unit. If verification is performed and the same fraudulent content as the detected fraudulent content is stored in the notification content storage means, the fraudulent content If the same illegal content as the detected illegal content is not stored in the notification content storage means without giving an instruction to the informing means to transmit the injustice detection notification, the detected illegal content is stored in the injustice content storage means. An intrusion detection device characterized by issuing an instruction to the unauthorized access notification means to transmit an intrusion detection notification. 10. The intrusion detection device according to claim 9, wherein the injustice content is an analysis item name in which an injustice is detected. 11. The packet analysis means detects the unauthorized access packet and performs notification record verification, and as a result, when the unauthorized content of the unauthorized access packet is stored in the notification content storage means, the unauthorized access notification means. 10. The method according to claim 9 or 1, wherein the unauthorized content of the unauthorized access packet is deleted from the notification content storage means without issuing an instruction to send an unauthorized access notification to the unauthorized access packet.
The intrusion detection device described in 0. 12. The packet analyzing means deletes the illegal content from the notification content storing means when a predetermined time has elapsed after the illegal content is stored in the notification content storing means. The unauthorized access detection device according to any one of claims 9 to 11. 13. The packet analysis means deletes the same fraudulent content as the fraud detection content from the notification content storage means when the notification record verification is performed a predetermined number of times for the same fraud detection content. The unauthorized intrusion detection device according to any one of claims 9 to 11. 14. The traffic monitoring means observes the number of packets per unit time flowing through the network as traffic of the network, outputs the observed number of packets per unit time as an observed traffic value, and analyzes the packet. The intrusion detection device according to any one of claims 1 to 13, wherein the means sets a predetermined value of the number of packets per unit time flowing through the network as the observation traffic threshold value. 15. The traffic monitoring means observes a data amount per unit time flowing through the network as traffic of the network, and outputs the observed data amount per unit time flowing through the network as an observed traffic value. The intrusion detection device according to any one of claims 1 to 13, wherein the packet analysis unit sets a predetermined value of a data amount per unit time flowing through the network as the observation traffic threshold value. . 16. The traffic monitoring means observes a time interval of packets flowing through the network as traffic of the network, and outputs a time interval of packets observed through the network as an observed traffic value, and the packet analyzing means. The method is characterized in that a predetermined value of the number of packets flowing through the network per unit time is set as the observed traffic threshold value, and that the shorter the time interval of the packets flowing through the network is, the larger the traffic is. The unauthorized access detection device according to any one of 13 above. 17. A traffic monitoring step of observing traffic of a network through which a packet flows and outputting an observed traffic value, and a packet analysis step of performing an unauthorized access analysis on whether or not the packet is an unauthorized access packet for a predetermined analysis item, A packet analysis step of determining which analysis item to perform the unauthorized access analysis based on the observed traffic value output by the traffic monitoring means, and performing an unauthorized access analysis on the packet observed by the traffic monitoring means. An intrusion detection method characterized by. 18. An intrusion detection program for causing a computer to execute the following (a) traffic monitoring step and (b) packet analysis step. (A) a traffic monitoring step of observing the traffic of the network through which the packet flows and outputting the observed traffic value; (b) a packet analysis step of performing an unauthorized access analysis of whether the packet is an unauthorized access packet for a predetermined analysis item. A packet analysis step of determining which analysis item to perform the unauthorized access analysis based on the observed traffic value output by the traffic monitoring means, and performing the unauthorized access analysis on the packet observed by the traffic monitoring means.