JP2005085158A - Improper access detector, and abnormal data detecting method over computer network - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To protect a server by automatically analyzing an internal structure of packet data passing through a network on a real time basis, identifying a packet including abnormal data, and detecting an unknown attack, with respect to an unknown attack pattern of packet data which cannot be digitized easily. <P>SOLUTION: A directed graph structure creating/processing part 104 creates a directed graph structure, by using a character string of request data received from a character string breakdown processing part 103 as one unit, or it carries out an update processing with regard to a corresponding character string. An evaluation processing part 105 refers to the directed graph structure, in coordination with the directed graph structure creating/processing part 104, calculates the appearance frequency, in units of segmented data of request data received by a network interface 101 to carry out evaluation, and sends information (determination information of an abnormal value/normal value) of the evaluation to a transfer control part 106. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to an unauthorized access detection apparatus and an abnormal data detection method for protecting a Web server and the like from unknown attacks that cannot be prevented by a firewall in the Internet.

  In the Internet, there are a variety of attacks that cannot be prevented by firewalls, but among them, there are particularly many attacks aimed at security holes on the Web server, that is, software bugs and vulnerabilities. There is a problem that software such as CGI (Common Gateway Interface) on the Web server that interprets and executes only a specific character string in the HTTP request causes a buffer overflow or an unexpected operation. In order to respond to attacks targeting software vulnerabilities on web servers, many intrusion detection systems relay and analyze HTTP requests sent from clients to web servers at the application layer, and make known attacks in advance. Compared with the signature (attack pattern file) that stores the features, the session server relay is blocked when there is a match, thereby protecting the Web server.

  However, the above-described conventional technology has a problem that the Web server cannot be protected from an unknown attack that is not stored in the signature.

  On the other hand, for the purpose of detecting attacks that are not described in the signature, statistical information of normal packet data that is not attacks is collected, and based on this data, statistical analysis is performed on the packet data that passes through. There is a technique for distinguishing packets that are different from data. Detecting an abnormal packet by this method is called an anomalous cushion.

This anomaly detection is generally realized by analyzing the statistical distribution of data that can be simply quantified such as packet length and access frequency, and by applying various learning algorithms to this. Research to improve analysis accuracy is being conducted.
JP 2002-063084 A

  As described above, in the attack detection on the computer network, in order to protect the server from unknown attack patterns, collect statistical information of data that can be quantified such as the length of packet data and the access frequency. A technique for analyzing statistical distribution and finding abnormal packets has been developed.

  However, there are attack patterns that cannot be detected only with abnormal values of data that can be quantified simply, and more accurate unknown attack detection processing is required.

  In addition, statistical processing and learning processing increase the load of system resources and cause a problem in processing speed in actual operation. In addition, IDS (intrusion detection system) type attack detection has a problem of allowing a packet to pass through, and firewall type attack detection has a problem of reducing the network bandwidth.

  An object of the present invention is to provide an unauthorized access detection apparatus and an abnormal data detection method on a computer network that can efficiently detect an unknown attack pattern of packet data that cannot be easily quantified by anomaly detection.

  The present invention realizes a system that identifies a packet containing abnormal data and automatically protects a server from a network attack by automatically analyzing the internal structure of packet data passing through a network in real time. In general, packet data sent to a computer server is a request for requesting some service (HTTP request), and has a syntax structure defined by RFC (request for comments) or the like. However, there are cases where the extended syntax is specified for the convenience of applications running on the server, and there are specifications that cannot be parsed strictly. In addition, depending on the server, there are many requests in which only a specific character string at a specific location is recognized as a normal request.

  The present invention learns the syntax structure of a request and constructs an appropriate character string database through classification of character classes and extraction of the correlation of character string contexts.

  The statistical information has a property that the accuracy of statistical analysis improves as the number of populations subjected to statistical processing increases. However, as the population increases, the load of statistical analysis processing increases, making it difficult to analyze packets in real time.

  For this reason, the present invention is characterized in that the analysis level is changed in accordance with the amount of data scale handled locally, such as phase transition.

  According to the present invention, for an unknown attack pattern of packet data that cannot be easily quantified, the attack pattern can be efficiently detected by anomaly detection.

  An embodiment of the present invention will be described below with reference to the drawings.

  FIG. 1 shows the configuration of an unauthorized access detection apparatus according to an embodiment of the present invention that realizes an unknown attack defense system in a network system.

  The unauthorized access detection device 3 that implements the unknown attack defense system is interposed between the Web server 2 to be attacked and the network 1, and receives access data (request data) by packet transfer input via the network 1. By detecting an unknown attack pattern, the Web server 2 is protected from the unknown attack pattern. The client PC 4 accesses the Web server 2 via the network 1. The unauthorized access detection device 3 may be inserted between the Web server 2 and the network 1 by either an intercept type or a filter type, but here, a configuration as a filter type is shown as an example.

  The unauthorized access detection device 3 includes a network interface 101, a request data extraction unit 102, a character string decomposition processing unit 103, a directed graph structure generation / processing unit 104, an evaluation processing unit 105, a transfer control unit 106, a network interface 107, and an initialization processing unit 111. , A directed graph structure data storage unit 112, a separator definition information file 121, a tracing data storage unit 122, and the like.

  The network interface 101 receives packet data sent to the Web server 2 via the network 1 and passes the received packet data to the request data extraction unit 102.

  The request data extraction unit 102 extracts request data (HTTP request) from the packet received by the network interface 101, and delivers the extracted request data to the character string decomposition processing unit 103.

  The character string decomposition processing unit 103 classifies (cuts) the request data received from the request data extraction unit 102 with reference to the separator characters defined in the separator definition information file 121, and generates and processes the segmented character strings. Passed to the unit 104.

  The directed graph structure generation / processing unit 104 generates a tree-structured directed graph structure having nodes and directed edges by using the character string of the request data received from the character string decomposition processing unit 103 as a unit, and further applies. Update processing (path update processing) for the character string is executed (see FIGS. 2B and 3).

  The evaluation processing unit 105 is linked to the directed graph structure generation / processing unit 104, refers to the directed graph structure processed by the directed graph structure generation / processing unit 104, and is divided into data units of request data received by the network interface 101. The appearance control frequency is calculated and evaluated, and information on the evaluation (abnormal value / normal value determination information indicating whether the threshold value is regarded as a normal range or an abnormal range) is transferred to the transfer control unit 106.

  The transfer control unit 106 controls transmission / discard (or suspension) of request data received by the network interface 101 based on the evaluation information (abnormal value / normal value determination information) received from the evaluation processing unit 105. That is, if the evaluation information is an abnormal value, the corresponding request data is discarded without being passed to the network interface 107 (or retained in the storage means), and if the evaluation information is a normal value, the corresponding request data is transferred to the network interface. Pass to 107.

  The network interface 107 transfers the request data passed by the transfer control of the transfer control unit 106 to the Web server 2.

  The initialization processing unit 111 uses the tracing data held in the tracing data storage unit 122 to perform initialization (initialization processing) when processing the directed graph structure in the directed graph structure generation / processing unit 104, and to perform the directed graph structure. The function of setting the graph pointer that traces to the entry (root node) is realized.

  The directed graph structure data storage unit 112 holds data of a directed graph structure learned in advance, and realizes a function of presetting the directed graph structure generation / processing unit 104 in the initialization process.

  2 and 3 are for explaining the processing operations of the directed graph structure generation / processing unit 104 and the evaluation processing unit 105, respectively. FIG. 2A shows an example of request data (request line). FIG. 2B shows an example of a directed graph structure of a tree structure according to the request line of FIG. 2A, and FIG. 3 shows a processing procedure. In FIG. 3, the separator character included in the request data is also handled as one separated character string.

  Here, the operation in the unauthorized access detection apparatus of the present invention will be described with reference to the respective drawings.

  In the unauthorized access detection device 3, the network interface 101 receives packet data sent to the Web server 2 via the network 1, and passes the received packet data to the request data extraction unit 102. The request data extraction unit 102 extracts request data (HTTP request) from the packet received by the network interface 101, and delivers the extracted request data to the character string decomposition processing unit 103.

  The character string decomposition processing unit 103 classifies (cuts) the request data received from the request data extraction unit 102 with reference to the separator characters defined in the separator definition information file 121, and generates and processes the segmented character strings. Passed to the unit 104. At this time, examples of the separator character defined in the separator definition information file 121 include “” '｀ () {} [];, = |, and “? Space” shown in FIG. . Each time the character string decomposition processing unit 103 finds these separator characters defined in the separator definition information file 121, it decomposes (sorts) the request data. Then, the divided character strings are transferred to the directed graph structure generation / processing unit 104.

  The directed graph structure generation / processing unit 104 generates a directed tree structure of a tree structure using a pointer in response to a character string of request data received from the character string decomposition processing unit 103, or an update process for the corresponding character string ( Appearance frequency update processing) is executed (see FIGS. 2B and 3).

  At this time, in the initialization processing step, the directed graph structure generation / processing unit 104 sets the graph pointer to the root node as shown in FIG. 2B (step S11 in FIG. 3). This process is executed under the control of the initialization processing unit 111.

  When there is an input character string (s) to be processed for the request data (Yes in step S12 in FIG. 3), the directed graph structure generation / processing unit 104 generates a graph with respect to the input character string (s) using a graph pointer. Tracing (see FIG. 2B), it is searched whether or not a node having the same character string as the inputted character string (s) exists at the destination of the pointer that follows the graph (step S13 in FIG. 3).

  Here, when a node having the same character string as the input character string (s) exists at the destination of the pointer that follows the graph (Yes in step S13 in FIG. 3), the edge of the path leading to (passing through) the node is determined. The counter value (edge_count) is incremented (step S14 in FIG. 3). Thereafter, processing for calculating the appearance frequency (freq) of the character string and evaluation of the appearance frequency are executed by the evaluation processing unit 105 (step S15 in FIG. 3). The processing of the evaluation processing unit 105 will be described later.

  After the above processing, the directed graph structure generation / processing unit 104 subsequently moves to the destination node of the graph pointer (step S16 in FIG. 3), and increments the counter value (node_count) of the node pointed to by the graph pointer (step S17 in FIG. 3). ).

  In this way, the input character string (s) is traced by the graph pointer, and a node having the same character string as the input character string (s) exists at the destination of the pointer that follows the graph. The directed graph structure update process (steps S12 to S17) is repeatedly executed. In this process, the separator character is also handled as an input character string, and is subject to update processing.

  On the other hand, when the input character string (s) is traced by a graph pointer, and a node having the same character string as the input character string (s) does not exist at the destination of the pointer that follows the graph (see FIG. 3 Step S13 No), using the graph pointer, the node of the input character string (s) and the edge (edge) to the input character string (s) are created, and the counter value (edge_count) of the edge of the edge is set After setting the counter value (node_count) of the above node to “0” (step S18 in FIG. 3), the counter value (node_count) of the newly created node pointed to by the graph pointer is incremented (“1”). FIG. 3 step S17).

  As described above, the directed graph structure generation / processing unit 104 executes the directed graph structure generation processing or update processing (appearance frequency update processing) for all the character strings of the request data.

  By repetitively generating and updating the directed graph structure as described above, as a countermeasure when the directed graph structure becomes complex, use a suitable threshold to avoid grouping of the directed graph structure by grouping nodes. be able to. That is, when the number of directed edges that jump out from one node exceeds a certain threshold, the destination nodes are grouped according to the contents of all the destination nodes. Examples of grouping at this time include grouping for numerical values, grouping for identifiers, and grouping for symbol characters. For example, grouping is performed according to numerical groups or numerical value ranges. Alternatively, grouping is performed on character strings including alphabets, numbers, or specific symbols starting with alphabets.

  The evaluation processing unit 105 calculates the appearance frequency (freq) and evaluates the appearance frequency with reference to the directed graph structure created and managed by the directed graph structure generation / processing unit 104 (step S15 in FIG. 3).

  The basic processing here is to calculate the appearance frequency of the path that follows the directed graph structure, and the calculated result is abnormally small, has already been learned as an attack, or compared to the frequency of the nearby path An extremely small value is detected as abnormal data.

  In this process, an example of calculating the appearance frequency (freq) executed by the evaluation processing unit 105 and an example of evaluating the appearance frequency are described below.

  The appearance frequency (freq) is initially set to “0” in the initialization step, and every time the graph pointer is advanced, the calculation “freq + = (log (edge_count) −log (node_count))” is performed. Here, edge_count is the number of appearances of the moving directed edge, and node_cont is the number of appearances of the node pointed to by the pointer before the movement. The log calculation can be executed at high speed by a bit manipulation instruction or the like when a rough value is sufficient. As an example of the evaluation function at this time, for example, an expression of (freq <−10 || min (other_freq−freq)> 5 || edge−> marked_anomaly) is used. Here, other_freq is a freq in the case of moving from the node before moving the graph pointer to another directed edge, and edge-> marked_anomaly is a path to the directed edge as abnormal data by learning. It is a flag indicating that it is marked. Note that learning here is performed by, for example, inquiring an administrator.

  The evaluation processing unit 105 refers to the directed graph structure processed by the directed graph structure generation / processing unit 104 to calculate and evaluate the appearance frequency of the request data received by the network interface 101 in the divided data units, Information on the evaluation (abnormal value / normal value determination information indicating whether the threshold value is regarded as a normal range or an abnormal range) is sent to the transfer control unit 106.

  The transfer control unit 106 controls transmission / discard (or suspension) of request data received by the network interface 101 based on the evaluation information (abnormal value / normal value determination information) received from the evaluation processing unit 105. For example, if the evaluation information is an abnormal value, the corresponding request data is discarded without being passed to the network interface 107 (or retained in the storage means and presented to the administrator). Pass the request data to the network interface 107. Specifically, the packet received by the network interface 101 is buffered, and the buffered packet is discarded or transmitted to the network interface 107. The network interface 107 transfers the request data passed by the transfer control of the transfer control unit 106 to the Web server 2.

  As described above, according to the embodiment of the present invention, packet data that cannot be easily quantified by automatically analyzing the internal structure of packet data passing through the network in real time and identifying packets containing abnormal data. The unknown attack pattern can be detected and the server can be protected.

The block diagram which shows the structure of the unauthorized access detection apparatus which concerns on embodiment of this invention. The figure which shows an example of the request data for explaining operation | movement of the unauthorized access detection apparatus which concerns on embodiment of this invention, and an example of the directed group structure according to the data content. The flowchart which shows the process sequence of the unauthorized access detection apparatus which concerns on embodiment of this invention.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Network, 2 ... Web server, 3 ... Unauthorized access detection apparatus, 4 ... Client PC, 101 ... Network interface, 102 ... Request data extraction part, 103 ... Character string decomposition | disassembly processing part, 104 ... Directed graph structure production | generation / processing part, 105: Evaluation processing unit, 106: Transfer control unit, 107: Network interface, 111: Initialization processing unit, 112: Directed graph structure data storage unit, 121 ... Separator definition information file, 122 ... Tracing data storage unit.

Claims (4)

Processing means for inputting access data handled by the network, dividing the data by a predefined character set, and generating and managing a directed graph structure having nodes and directed edges of the divided character string;
An unauthorized access detection apparatus comprising: processing means for detecting an abnormality of the input access data from an appearance frequency of a path traced by the directed graph structure with reference to the directed graph structure.   The unauthorized access detection apparatus according to claim 1, further comprising processing means for grouping the nodes with respect to the directed graph structure.   When an abnormality is detected in the input access data, the administrator is notified of the abnormality, and in accordance with the notification from the administrator, an interface means with the administrator for marking the edge of the directed graph as abnormal The unauthorized access detection device according to claim 1, further comprising: Entering access data handled by the computer network;
Dividing the input access data by a predefined character set;
Generating a directed graph structure having nodes and directed edges for the divided character string;
Tracing the directed graph structure, and when there is a node having the same character string as the character string for the divided character string, updating and managing the number of times the node and the directed edge that have reached the destination are traced;
And a method of detecting an abnormality of the inputted access data from an appearance frequency of a path traced by the directed graph structure.

Images