JP2010146457A - Information processing system and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an information processing system and program for extracting detailed information about fraudulent practice executed with arbitrary timing. <P>SOLUTION: A log generation module 12 detects system call processing issued by a process operating on a computer to an operating system and generates a first log including file identification information for identifying a file to which file operation has been performed and process identification information for identifying a process to which file operation is performed. Also, the log generation module 12 generates a second log including process identification information for identifying a process to which the process operation has been performed and execution content information showing contents executed by the process. A log analysis module 15 extracts a log from the first log on the basis of the file identification information detected by an instruction detection system and extracts a log from the second log on the basis of the process identification information included in the extracted log. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an information processing system for processing log information generated on a computer. The present invention also relates to a program for causing a computer to function as the information processing system.

  Mechanisms that detect and prevent malware infections and attacks by fraud are widely used. Examples include a host-type intrusion detection system (for example, see Non-Patent Document 1) that detects falsification of a terminal system, and an unauthorized process detection system (for example, see Non-Patent Document 2) that detects an unauthorized process.

  The host-type intrusion detection system detects falsification of a system file by saving the normal state of files and directories of a monitored terminal and periodically checking consistency. The unauthorized process detection system focuses on the feature that a terminal infected with malware sends an unintended packet automatically or by external control regardless of the user's keyboard or mouse operation. The communication characteristics in the state are profiled, and the communication not corresponding to this is determined as abnormal, and an unauthorized process is detected.

It also hooks system call processing issued by the process on the terminal to the OS (operating system) for the purpose of analyzing attack methods and understanding the status of information leakage when fraud or information leakage occurs. There is a system for collecting and analyzing logs (see, for example, Non-Patent Document 3).
Hideaki Ihara, “Tripwire for Linux”, Ohm Corporation, 2001. Keisuke Takemori and Yu Miyake, “Virus infection detection focusing on packets sent from non-operational hosts”, Information Processing Research Reports CSEC36, 2007. "Information leakage countermeasure InfoTrace series │ Top", [online], Soliton Systems KK, 2008, [December 11, 2008 search], Internet <URL: http://www.soliton.co.jp/products/ pc_security / infotrace / index.html>

  According to the host-type intrusion detection system and the unauthorized process detection system, it is possible to detect file tampering and unauthorized processes running on the terminal as a result of the attack. It is not possible to obtain detailed information such as which process performed what process on which file. In addition, since audits by these systems are performed intermittently, it is impossible to detect an attack that completes generation and deletion of files and processes between audits.

  On the other hand, the log collection / analysis tool can obtain the information “when and which file is which process”, but cannot obtain the information “what operation has been performed”.

  The present invention has been made in view of the above-described problems, and an object thereof is to provide an information processing system and a program that can extract detailed information of an illegal act executed at an arbitrary timing.

  The present invention has been made to solve the above-described problems, and detects a system call issued by a process operating on a computer to an operating system and identifies a file on which a file operation has been performed. First log generation means for generating a first log including information and process identification information for identifying a process that has performed the file operation; and the process identification information for identifying a process in which a process operation has been performed; Second log generation means for generating a second log including execution content information indicating the contents executed by the process; storage means for storing the first log and the second log; and an intrusion detection system. The log is extracted from the first log stored by the storage unit based on the file identification information detected by, and is included in the extracted log Based on the serial process identification information, an information processing system, characterized in that said storage means is provided with an extraction means for extracting a log from the second log to be stored.

  Further, the present invention detects a system call process issued to an operating system by a process operating on a computer, and includes file identification information for identifying a file on which a file operation has been performed, and a process on which the file operation has been performed. First log generation means for generating a first log including process identification information to be identified, the process identification information for identifying a process in which a process operation has been performed, and execution content information indicating the content executed by the process Based on the process identification information detected by the unauthorized process detection system, second log generation means for generating a second log including the storage means for storing the first log and the second log, , Extracting a log from the second log stored in the storage unit, and based on the process identification information included in the extracted log Is an information processing system comprising the extraction means for extracting a log from said first log the storage means stores.

  The information processing apparatus according to the present invention displays the file identification information in a first area based on the log extracted by the extraction unit, and associates the process identification information with the file identification information in a second area. And display means for displaying the execution content information.

  In the information processing apparatus of the present invention, the first log and the second log further include time information, and the display unit further includes the file identification information and the process identification information based on the time information. The order of displaying the execution content information is controlled.

  Moreover, this invention is a program for functioning a computer as said information processing system.

  According to the present invention, at the timing when the system call process is detected, a first log including file identification information and process identification information and a second log including process identification information and execution content information are generated. Further, based on the file identification information detected by the intrusion detection system or the process identification information detected by the unauthorized process detection system, a log having common process identification information is extracted from the first log and the second log. By referring to this log, file identification information, process identification information, and execution content information can be acquired. As described above, it is possible to extract the detailed information of the fraudulent act executed at an arbitrary timing.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 shows the configuration of a log analysis system which is an embodiment of the information processing system of the present invention. This log analysis system easily extracts details of fraud by associating an operation that changes the state of a file with a process that executes the operation. To achieve this, hook system call processing to generate logs related to file operations (file creation / modification / deletion) and logs related to process operations (process creation / deletion). A system for integrated analysis is provided.

  A log generation module 12 is provided in the kernel portion of the OS 11 that operates on the terminal to be monitored. The log generation module 12 is a system call issued to the OS 11 when the processes 10a, 10b, and 10c as various application processes access the hardware 13 such as the storage device 13a, the input device 13b, and the output device 13c. Generate a log by hooking the process.

  Linux (registered trademark) is implemented with Linux (registered trademark) Security Module (LSM), which is a framework for extending security functions in the kernel. In LSM, when a file or process is operated, a monitoring point is provided to call a security verification mechanism defined by the user to verify authority and generate a log. The hook for system call processing of this log analysis system is implemented as a security verification mechanism at the monitoring point of LSM.

  The log generated by the log generation module 12 is stored and stored in the log storage unit 14. The log storage unit 14 may be a part of the storage device 13a included in the monitoring target terminal, or may be a part of a storage device included in a terminal different from the monitoring target. The log analysis module 15 analyzes the log stored in the log storage unit 14 and generates a fraud log 100 that is a log related to fraud. When the log analysis module 15 analyzes the log, information detected by the host-type intrusion detection system 16 or the unauthorized process detection system 17 is used.

  The display processing unit 18 performs information processing necessary for displaying the contents indicated by the fraud log 100, generates display data including image data, and outputs the display data to the display unit 19. The display unit 19 displays the contents indicated by the fraud log 100 based on the display data. As a result, information such as “when and what process performed what operation on which file” is visualized. The display unit 19 may be a part of the output device 13c, or may be a part of an output device included in a terminal different from the monitoring target.

  Next, details of the log generated by the log generation module 12 will be described. The LSM has monitoring points for about 160 processes such as file processing, program execution processing, and communication processing. In the present embodiment, the log generation module 12 generates a file system log using monitoring points related to file operations, and generates a process system log using monitoring points related to process operations.

  FIG. 2 shows a list of monitoring points that generate logs. Monitoring points such as “inode_create” that monitors file generation, “inode_delete” that monitors file deletion, and “file_permission” that monitors file reading and writing generate file logs. Further, “bprm_check_security”, which is a monitoring point for monitoring the execution of the program, generates a process log.

  3 and 4 show information included in the log. Information included in the log generated by the log generation module 12 is roughly classified into header information and monitoring point specific information. FIG. 3 shows the contents of the header information. The header information is information recorded in common for the file system log and the process system log. Specifically, the time 300 when the log was recorded, the name 302 of the monitoring point, the ID 304 (pid) of the process that performed the process, the user ID 306 (uid), the group ID 308 (gid), the ID 310 (parent) of the parent process, The parent process name 312 (parent cmd) and the command name 314 which is the name of the process that performed the processing are recorded.

  The monitoring point specific information is information recorded for each monitoring point according to the argument information passed to the hook process. FIG. 4 shows the contents of the monitoring point specific information. 4A, 4B, and 4C show the contents of the monitoring point specific information of the file system log, and FIG. 4D shows the contents of the monitoring point specific information of the process system log.

  FIG. 4A shows information recorded by “inode_create” that monitors file generation. Information 400 (inode_num) is a unique identifier assigned to the file. Information 402 (fowner) is a unique identifier indicating the owner of the file. Information 404 (fgrp) is a unique identifier indicating the group to which the file belongs. Information 406 (path) is the name of the file to be operated.

  FIG. 4B shows information recorded by “inode_delete” for monitoring file deletion. The monitoring point specific information shown in FIG. 4B includes the information 400, 402, 404 described above.

  FIG. 4C shows information recorded by “file_permission” for monitoring reading and writing of a file. The monitoring point specific information shown in FIG. 4C includes information 408 (mode) for identifying reading / writing on a file in addition to the information 400, 402, 404, 406 described above. The value of the information 408 is a value unique to the OS, but it is possible to grasp the operation content by reading this value.

  FIG. 4D shows information recorded by “bprm_check_security” for monitoring the execution of the program. Information 410 (e_uid) and information 412 (e_gid) are information recorded in order to detect fraudulent behavior by detecting the behavior of the program being executed with different privileges, namely setuid and setgid, respectively. Information 410 (e_uid) is an identifier indicating a user corresponding to a privilege when the program is executed as a privileged user different from the normally assigned authority. The information 412 (e_gid) is an identifier indicating a group corresponding to a privilege when the program is executed as a privileged group different from the normally assigned authority. Information 414 (filename) is a command name indicating the content executed by the process (execution content information).

  Next, a log analysis method by the log analysis module 15 will be described. First, a first analysis method for analyzing a log using information detected by the host-type intrusion detection system 16 will be described. FIG. 5 shows the first analysis method.

  In the first analysis method, the log analysis module 15 uses the falsification detection information 500 that is the name of a file that the host-type intrusion detection system 16 has detected falsification. The log analysis module 15 reads the file system log 520 from the log storage unit 14 and searches the file system log 520 using the alteration detection information 500 as the search key 510 of the file name (information 406 in FIG. 4). By this search, the log analysis module 15 extracts a log 530 whose file name matches the search key 510 from the file system log 520.

  Subsequently, the log analysis module 15 reads the process system log 550 from the log storage unit 14, and uses the process ID (ID 304 in FIG. 3) recorded in the log 530 extracted from the file system log 520 as the search key 540. The process system log 550 is searched. By this search, the log analysis module 15 extracts a log 560 whose process ID matches the search key 540 from the process system log 550. The logs 530 and 550 extracted as described above are stored and stored in the storage device 13a, the log storage unit 14, or a storage device different from these.

  By integrating the two logs extracted from the file system log and the process system log by the first analysis method and arranging them in time series, transition of the executed process regarding the alteration detected by the host-type intrusion detection system 16; It is possible to grasp the operation contents performed on the file of the terminal in association with each other. In particular, it is possible to obtain information such as “when, which file, which process, what operation, and in what procedure”.

  Next, a second analysis method for analyzing a log using information detected by the unauthorized process detection system 17 will be described. FIG. 6 shows a second analysis method.

  In the second analysis method, the log analysis module 15 uses the unauthorized process information 600 that is the name of the unauthorized process detected by the unauthorized process detection system 17. The log analysis module 15 reads the process system log 620 from the log storage unit 14 and searches the process system log 620 using the unauthorized process information 600 as the search key 610 for the process name (information 414 in FIG. 4). By this search, the log analysis module 15 extracts a log 630 whose process name matches the search key 610 from the process system log 620.

  Subsequently, the log analysis module 15 reads the file system log 650 from the log storage unit 14 and uses the process ID (ID 304 in FIG. 3) recorded in the log 630 extracted from the process system log 620 as the search key 640. The file system log 650 is searched. By this search, the log analysis module 15 extracts a log 660 whose process ID matches the search key 640 from the file system log 650. The logs 630 and 650 extracted as described above are stored and stored in the storage device 13a, the log storage unit 14, or a storage device different from these.

  By integrating the two logs extracted from the file system log and process system log by the second analysis method and arranging them in time series, the transition of the executed process regarding the behavior of the unauthorized process detected by the unauthorized process detection system 17 And the operation content performed on the file of the terminal can be associated with each other. In particular, it is possible to obtain information such as “when, which file, which process, what operation, and in what procedure”.

  Next, a method for visualizing the contents of two logs obtained by the above analysis method will be described. By this visualization, the security administrator can easily monitor and analyze the behavior of attacks on the terminal due to malware and fraudulent acts.

  FIG. 7 shows the contents displayed on the display unit 19. The contents of the log are displayed in two layers. The layers are divided into a file information display layer 700 and a process information display layer 710 associated with the type of log to be collected. The file information display layer 700 displays information on the file on which the file operation has been performed, and the process information display layer 710 displays information on the process on which the file operation has been performed. By dividing the file and process into different layers and expressing them, the relationship between the monitoring targets becomes clear.

  The file information display layer 700 includes a file information display layer 700a for displaying information on files (system files) in the system directory, and a file information display layer 700b for displaying information on files (normal files) in the user's home directory. Divided into In addition to this, it is also possible to improve visibility of access detection to important files by providing sections according to importance, such as areas described in the policy file of the host-type intrusion detection system 16 and other areas. It is.

  FIG. 7 shows that a process 720 having a process name “bash” and a process ID 401 and a process 721 having a process name “bash” and a process ID 808 performed file operations. In addition to these processes 720 and 721, the process information display layer 710 displays a process 722 that is the parent process of these processes 720 and 721, the process name is “init”, and the process ID is 1. .

  The file information display layer 700a displays a file 730 whose file name is “/ etc / passwd”, and the file information display layer 700b displays a file 731 whose file name is “home / foo / testfile.txt”. The The process 720 executes a command whose command name is “passwd.hoge” for the file 730. The process 721 executes a command with a command name “vi / home / foo / testfile.txt” on the file 731.

  A line is drawn between the process 720 and the file 730 so as to connect the two, and similarly, a line is drawn between the process 721 and the file 731 so as to connect both. These lines clarify the relationship between the process and the file that is the target of the file operation by that process.

  Information necessary for visualization shown in FIG. 7 is an operation start time, an operation end time, an operation source process name, an operation source process ID, a parent process name, a parent process ID, a command name, and an operated file name.

  The operation start time / operation end time is the start time / end time of the operation to be visualized. Actually, the contents of the log are displayed by animation. The operation start time / operation end time is used for controlling the display timing of the animation.

  The operation source process name is the name of the process that performed the file operation. In FIG. 7, “bash” is the operation source process name. The operation source process ID is an identifier of the process that performed the file operation. In FIG. 7, “401” and “808” are operation source process IDs.

  The parent process name is the name of the parent process of the operation source process. In FIG. 7, “init” is the parent process name. The parent process ID is an identifier of the parent process. In FIG. 7, “1” is the parent process ID.

  The command name is a name of a command executed by the operation source process on the operation target file. In FIG. 7, “passwd.hoge” and “vi / home / foo / testfile.txt” are command names. The operated file name is a name of a file to be operated. In FIG. 7, “/ etc / passwd” and “home / foo / testfile.txt” are operation file names.

  Next, a method for visualizing the above information by animation will be described. FIG. 8 shows the flow of processing for acquiring the above information from the log extracted by the analysis method described above. Hereinafter, the process of acquiring the above information will be described with reference to FIG.

  The display processing unit 18 refers to the process ID (pid) included in the file system log and the process system log header information (FIG. 3) extracted by the analysis method shown in FIG. 5 or FIG. Then, a log having a matching process ID is extracted (step S100). Here, it is assumed that a plurality of fraudulent acts are detected, and it is assumed that two kinds of logs are extracted for each of the fraudulent acts by the analysis method shown in FIG. 5 or FIG. Therefore, in step S100, two types of logs that are considered to be related to the same file operation are extracted based on the process ID.

  The process ID is information that is unique to each process that is currently operating at a point in time, but is not guaranteed to be information that is unique to each process at a different point in time. For this reason, even if the same process ID is recorded, the log extracted in step S100 may not be a log related to the same file operation. Therefore, in the subsequent processing, a log relating to the same file operation is specified, and various information is acquired from the log.

  The display processing unit 18 refers to the time included in the header information of the log extracted in step S100, and acquires “start time” and “end time” from the first and last recorded logs, respectively (step S101). Subsequently, the display processing unit 18 extracts a process-related log recorded by “bprm_check_security” that monitors execution of the program from the logs extracted in step S100 (step S102). The display processing unit 18 acquires the information recorded in the command (cmd) included in the log header information (FIG. 3) extracted in step S102 as the “operation source process name” (step S103), and the process ID (pid). ) Is acquired as the “operation source process ID” (step S104).

  Further, the display processing unit 18 acquires the information recorded in the parent process command (parent cmd) included in the log header information (FIG. 3) extracted in step S102 as the “parent process name” (step S105), The information recorded in the parent process ID (parent) is acquired as “parent process ID” (step S106). Subsequently, the display processing unit 18 acquires information recorded in the command name (filename) included in the monitoring point specific information (FIG. 4) extracted in step S102 as the “command name” (step S107).

  Finally, the display processing unit 18 refers to the information recorded in the command (cmd) included in the header information (FIG. 3) of the file system log among the logs extracted in step S100, and the “operation” acquired in step S103. Extract the log that contains the command that matches the "original process name". Since the file system log and the process system log are associated by the “command name”, various information can be obtained from the log related to the same file operation. The display processing unit 18 extracts the information recorded in the file name (path) included in the monitoring point specific information (FIG. 4) of the extracted log as an “operated file name” (step S108).

  Through the above processing, a log related to the same file operation can be extracted from the file system log and the process system log, and various information recorded in the log can be acquired. By performing the process shown in FIG. 8, for example, information related to the operation of the file 730 in FIG. 7 is acquired, and by performing the process shown in FIG. 8 again, for example, information related to the operation of the file 731 in FIG. Is done. The acquired information is associated with each other, and finally integrated in chronological order, resulting in the fraud log 100 shown in FIG.

  Next, a method for visualizing the contents of the log by animation will be described with reference to FIGS. 9 and 10. 9 and 10 show the contents displayed on the display unit 19. In the following description, the information shown in FIG. 7 is displayed as an example. The display processing unit 18 generates display data including image data for displaying the information acquired by the processing illustrated in FIG. 8 and outputs the display data to the display unit 19. The display unit 19 displays an image based on the display data. When the display processing unit 18 repeatedly updates the image data and outputs it to the display unit 19, the display unit 19 displays an animation in which the display content continuously changes.

  First, the display processing unit 18 generates display data for displaying an initial image. FIG. 9A shows an initial state. A file information display layer 700 and a process information display layer 710 are displayed. Regarding the file information display layer 700, the file information display layer 700a that displays system files and the file information display layer 700b that displays normal files are displayed in different colors.

  The display processing unit 18 refers to the information associated with the earliest “start time”, and displays the information of the file 731 and the information of the process 721 that performed the file operation, as shown in FIG. 9B. Display data to generate. Subsequently, the display processing unit 18 refers to the information associated with the second earliest “start time”, and as shown in FIG. 10A, the information of the file 730 and the process 720 that performed the file operation. The display data for additionally displaying the information of is generated. As for the file operation related to the file 731, the line indicating the file operation disappears after a lapse of a certain time as shown in FIG. By displaying such an animation, the security administrator can visually obtain information on “when, which file, which process, what operation, and what procedure was executed”. it can.

  As described above, according to the present embodiment, since the file system log and the process system log are generated at the timing when the system call process is detected, the information on the fraudulent act executed at an arbitrary timing is recorded in the log. Can do. Further, as shown in FIGS. 5 and 6, by extracting a log having a common process ID from the file system log and the process system log, information such as time, file name, process name, process execution contents, etc. Can be obtained. As described above, it is possible to extract detailed information on the fraudulent acts executed at an arbitrary timing.

  Further, when extracting the log, by using the name of the file detected by the host-type intrusion detection system 16 or the name of the unauthorized process detected by the unauthorized process detection system 17, information corresponding to the attack is obtained. It can be extracted efficiently.

  In addition, the relationship between the file and the process that performed the file operation on the file is visually clarified by associating and displaying the file and process information related to the file operation based on the extracted log. can do. Furthermore, by displaying the animation shown in FIGS. 9 and 10, the procedure of file operation can be clarified visually.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like without departing from the gist of the present invention. . For example, the above-described log generation method and analysis method can be used as a core technique for realizing applications such as malware detection on a terminal and fraud detection to a terminal via a network.

  Further, a program for realizing the operation and function of the information processing system (log analysis system) is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read and executed by the computer. May be.

  Here, the “computer” includes a homepage providing environment (or display environment) if the WWW system is used. The “computer-readable recording medium” refers to a storage device such as a portable medium such as a flexible disk, a magneto-optical disk, a ROM, and a CD-ROM, and a hard disk built in the computer. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program described above may be transmitted from a computer storing the program in a storage device or the like to another computer via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the above-described program may be for realizing a part of the above-described function. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer, what is called a difference file (difference program) may be sufficient.

It is a block diagram which shows the structure of the log analysis system by one Embodiment of this invention. It is a reference diagram showing a list of monitoring points in one embodiment of the present invention. It is a reference figure which shows the information contained in the log in one Embodiment of this invention. It is a reference figure which shows the information contained in the log in one Embodiment of this invention. FIG. 6 is a reference diagram illustrating a log analysis method according to an embodiment of the present invention. FIG. 6 is a reference diagram illustrating a log analysis method according to an embodiment of the present invention. It is a reference figure which shows the state which visualized the content of the log in one Embodiment of this invention. It is a flowchart which shows the flow of the process which acquires information required for visualization from the log in one Embodiment of this invention. It is a reference figure which shows the animation which displays the content of the log in one Embodiment of this invention. It is a reference figure which shows the animation which displays the content of the log in one Embodiment of this invention.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 11 ... OS, 12 ... Log generation module, 13 ... Hardware, 13a ... Storage device, 13b ... Input device, 13c ... Output device, 14 ... Log storage part, DESCRIPTION OF SYMBOLS 15 ... Log analysis module, 16 ... Intrusion detection system, 17 ... Unauthorized process detection system, 18 ... Display processing part, 19 ... Display part

Claims (5)

File identification information for identifying a file on which a file operation has been performed by detecting a system call process issued to an operating system by a process operating on a computer, and process identification information for identifying a process in which the file operation has been performed First log generation means for generating a first log including:
Second log generation means for generating a second log including the process identification information for identifying a process in which a process operation has been performed and execution content information indicating the content executed by the process;
Storage means for storing the first log and the second log;
Based on the file identification information detected by the intrusion detection system, a log is extracted from the first log stored by the storage unit, and the storage unit stores the log based on the process identification information included in the extracted log. Extracting means for extracting a log from the second log;
An information processing system comprising: File identification information for identifying a file on which a file operation has been performed by detecting a system call process issued to an operating system by a process operating on a computer, and process identification information for identifying a process in which the file operation has been performed First log generation means for generating a first log including:
Second log generation means for generating a second log including the process identification information for identifying a process in which a process operation has been performed and execution content information indicating the content executed by the process;
Storage means for storing the first log and the second log;
Based on the process identification information detected by the unauthorized process detection system, a log is extracted from the second log stored by the storage unit, and based on the process identification information included in the extracted log, the storage unit Extracting means for extracting a log from the first log to be stored;
An information processing system comprising:   Based on the log extracted by the extraction means, the file identification information is displayed in a first area, the process identification information is displayed in a second area in association with the file identification information, and the execution content information is displayed. The information processing system according to claim 1, further comprising display means for performing display. The first log and the second log further include time information,
The information processing system according to claim 3, wherein the display unit further controls an order of displaying the file identification information, the process identification information, and the execution content information based on the time information.   The program for functioning a computer as an information processing system in any one of Claims 1-4.

Images