JP2015222471A - Malicious communication pattern detecting device, malicious communication pattern detecting method, and malicious communication pattern detecting program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To detect when an attacker attempts to transmit a command to a malware even via a legitimate site, as highly malicious communication, and shorten analysis time required for the detection.SOLUTION: A malicious communication pattern detecting device extracts a communication pattern which indicates a transition state of a communication destination from respective communication logs of a malware-infected terminal and a monitoring target NW terminal. Then, the malicious communication pattern detecting device extracts a feature quantity of a malware communication pattern extracted from the communication log of the malware-infected terminal and a feature quantity of a monitoring target NW communication pattern extracted from the monitoring target NW communication log, and registers the feature quantities in a detection model. The malicious communication pattern detecting device applies the detection model to communication of the monitoring target NW that is a detection target, and calculates a degree of maliciousness of the communication based on an extent of similarity to the malware communication pattern and an extent of similarity to the monitoring target NW communication pattern.

Description

  The present invention relates to a malignant communication pattern detection apparatus, a malignant communication pattern detection method, and a malignant communication pattern detection program.

  In recent years, malicious programs (hereinafter referred to as “malware”) that cause threats such as information leaks and unauthorized access have become increasingly popular. Malware receives instructions from an attacker via a server or the like after infection and causes threats such as attacks and information leakage. At that time, it is confirmed that there is an attacker who sends a command to malware through a commonly used hosting service or social networking service (see Non-Patent Document 1).

  The increase in the number of discovered malware is also remarkable, and it has been reported that one new malware appears in a few seconds (see Non-Patent Document 2). For this reason, it is not possible to prevent threats caused by malware only by countermeasures at the endpoint such as anti-virus software. Therefore, a technique for reducing the threat of malware by analyzing communication data and identifying a terminal infected with malware has attracted attention (see Non-Patent Document 3).

  As a method for detecting terminals infected with malware, information on the communication destination that communicates when malware is executed is held as a blacklist, and it is infected with malware depending on whether or not communication is made to a communication destination that is listed on the blacklist. In general, a method of detecting a terminal that has been used is performed. There is also a technique for detecting a terminal infected with malware based on the state transition of communication data confirmed by malware analysis (see Patent Document 1).

Japanese Patent No. 5009244

Chasing CnC Servers-False positives, [online], [Search March 12, 2014], Internet <URL: http://www.fireeye.com/blog/technical/botnet-activities-research/2010/09/ chasing-cnc-servers-part-2.html> McAfee Threat Report: 1st quarter 2013, [online], [searched September 3, 2013], Internet <URL: http://www.mcafee.com/japan/media/mcafeeb2b/international/japan/pdf /threatreport/threatreport13q1.pdf> Sebastian Garcia et al., Survey on network-based botnet detection methods, Security and communication networks 2013, [online], [March 13, 2014 search], Internet <URL: http://onlinelibrary.wiley.com/doi/ 10.1002 / sec.800 / full>

  However, the above conventional technique has the following problems. In other words, communication destinations when the above-described malware is executed include communication destinations that are harmless and often accessed in general. For this reason, if all communication destinations obtained by analyzing malware are blacklisted, false detections frequently occur. Although it is conceivable to use a site that is commonly accessed as a whitelist and suppress blacklisting, in such a case, an attacker who sends instructions to the malware via a commonly accessed site Missed communication. Further, in the case of the method described in Patent Document 1 described above, a large amount of time is required for analysis because a huge amount of communication data itself is an analysis target.

  Therefore, the present invention solves the above-mentioned problem, and even when an attacker tries to send a command to malware via a site that is often accessed, this is detected as a highly malignant communication. And reducing the time required for analysis for detection.

  In order to solve the above-described problem, the present invention is based on communication logs of a terminal infected with malware and a terminal of a monitoring target network, and a first communication destination of the terminal among a series of communication destinations of the terminals. A communication pattern extraction unit that extracts a communication pattern indicating a pair with a second communication destination that is a subsequent communication destination, and a feature of a malware communication pattern that is a communication pattern extracted from a communication log of a terminal infected with the malware To acquire the feature amount of the monitoring target network communication pattern, which is a communication pattern extracted from the communication log of the terminal of the monitoring target network, and detect the malignant communication using the acquired feature amount of each communication pattern A feature amount extraction unit to be registered in the detection model, an input unit that receives an input of a communication log of communication to be detected, The feature amount of the malware communication pattern and the feature amount of the monitoring target network communication pattern for the detection target communication pattern that is a communication pattern extracted from the communication log of the communication to be known are acquired from the detection model, and A malignancy calculation unit that calculates a higher malignancy value of the detection target communication pattern as the feature amount of the acquired malware communication pattern is larger and the feature amount of the acquired monitored network communication pattern is smaller. It is characterized by.

  According to the present invention, even when an attacker tries to send a command to malware through a site that is generally accessed, this is detected as a highly malignant communication, and for detection The time required for the analysis can be reduced.

FIG. 1 is a diagram showing an outline of processing of the malignant communication pattern detection apparatus. FIG. 2 is a diagram illustrating the configuration of the malignant communication pattern detection apparatus. FIG. 3 is a diagram for explaining extraction of communication patterns. FIG. 4 is a diagram illustrating a configuration example of the detection model. FIG. 5 is a diagram for explaining extraction of malware repeating pattern feature amounts. FIG. 6 is a diagram for explaining a communication pair and a communication generation interval. FIG. 7 is a diagram illustrating a processing procedure of the communication pattern extraction unit. FIG. 8 is a diagram illustrating a processing procedure of the model data extraction unit. FIG. 9 is a diagram illustrating a processing procedure of the occurrence interval similarity calculation unit. FIG. 10 is a diagram illustrating a processing procedure of the malignancy degree calculation unit. FIG. 11 is a diagram illustrating a computer that executes a malicious communication pattern detection program.

(Overview)
Hereinafter, modes (embodiments) for carrying out the present invention will be described. The present invention is not limited to this embodiment. First, the outline | summary of the malignant communication pattern detection apparatus 10 of this embodiment is demonstrated using FIG.

  The malignant communication pattern detection apparatus 10 is an apparatus that outputs a communication malignancy of a terminal of a monitoring target network (NW) to be detected as a detection result. This malignancy is a value indicating a high possibility of communication from a terminal infected with malware. The grade of malignancy is calculated as follows.

  First, the malignant communication pattern detection apparatus 10 acquires a malware analysis log that is a communication log of a terminal infected with malware and a monitoring target NW log (a model monitoring target NW log) that is a communication log of a terminal of the monitoring target NW. To do. The communication log is, for example, a communication log obtained by a communication device of the monitoring target NW, and includes information such as a series of communication destinations from the communication source terminal and the time when communication with each communication destination occurs. The malignant communication pattern detection apparatus 10 generates a detection model with reference to the malware analysis log and the monitoring target NW log. This detection model is a model used for detection of a malignant communication pattern. A communication pattern feature amount (malware communication pattern feature amount) of malware communication (communication from a terminal infected with malware) and a communication pattern of the monitoring target NW Feature amount (monitoring target NW communication pattern feature amount) and information on the occurrence interval of each communication pattern (communication pattern occurrence interval information).

  Thereafter, the malignant communication pattern detection apparatus 10 calculates the malignancy of the communication pattern appearing in the detection target NW log (that is, the new monitoring target NW log) using the generated detection model. Specifically, the malignant communication pattern detection device 10 refers to the detection model, determines how much the communication pattern included in the monitoring target NW log to be detected is similar to the communication pattern of malware communication, and for the model. The degree of malignancy of the communication pattern is calculated by scoring how much the communication pattern of the communication indicated in the monitoring target NW log is similar. Then, the calculated malignancy is output as a detection result.

  Here, the malignant communication pattern detection apparatus 10 increases the malignancy as the communication pattern of the monitoring target NW log to be detected is similar to the communication pattern of the malware communication, and the communication shown in the model monitoring target NW log ( The malignancy is lowered as the communication pattern is similar to normal communication. Thereby, the malignant communication pattern detection apparatus 10 can detect a communication pattern similar to malware communication and not similar to normal communication as a communication pattern having a high malignancy.

  Further, when the malignant communication pattern detection device 10 analyzes how much the monitoring target NW log to be detected is similar to the communication (normal communication) indicated in the malware communication and the model monitoring target NW log, the communication pattern Is used. This communication pattern is for a series of communication destinations from the communication source terminal indicated in the communication log, to which communication destination the terminal has communicated to which communication destination, and to each communication destination. This is information indicating the communication time interval. This makes it possible to analyze how much the communication to be detected is similar to malware communication and normal communication in consideration of the transition of the communication destination and the time required for the transition to the communication destination. The calculation accuracy of can be improved. As a result, for example, even when an attacker is trying to send a command to malware via a site that is often accessed, this can be detected as highly malignant communication. Furthermore, since the malignant communication pattern detection apparatus 10 uses the communication log in the above analysis, the time required for the analysis can be reduced as compared with the communication data itself.

(Constitution)
Next, the malignant communication pattern detection apparatus 10 will be described. As shown in FIG. 2, the malignant communication pattern detection device 10 includes a detection model generation unit 11 and a detection unit 12.

  The detection model generation unit 11 generates a detection model using the malware analysis log and the monitoring target NW log.

  The malware analysis log is a communication log of a terminal infected with malware obtained by malware analysis, and is obtained, for example, by actually operating malware collected in a honeypot. In addition, each entry of the communication log included in the malware analysis log includes, for example, an analysis ID set for each malware analysis, a communication destination of the malware, a communication occurrence time, and the like. They are arranged in the order they were done. The malware analysis ID is composed of a character string based on a random number or time, such as a Linux (registered trademark) uuidgen command. This malware analysis log may include, in addition to the communication log, a registry access or file access log obtained by malware analysis.

  The monitoring target NW log is a communication log acquired when communication from the monitoring target NW to the outside is performed by a communication device such as a FireWall or WebProxy of the monitoring target NW, and the IP (Internet Protocol) of the communication source terminal. ) Address, communication destination, communication time, etc. are included and are arranged in the order of communication. This monitoring target NW log is accumulated in advance for a predetermined period. The malware analysis log and the monitoring target NW log are stored in a predetermined area of a storage unit (not shown) of the malignant communication pattern detection device 10.

  The communication destination in the malware analysis log and the monitoring target NW log is, for example, the IP address of the communication destination, the entire URL (Uniform Resource Locator), the URL excluding the query string, the FQDN (Fully Qualified Domain Name), the URL path portion, etc. It is.

  The detection model generation unit 11 includes a communication pattern extraction unit 111 and a model data extraction unit 112.

  The communication pattern extraction unit 111 extracts a communication pattern from the malware analysis log and the monitoring target NW log. The communication pattern extracted from the malware analysis log is called a malware communication pattern, and the communication pattern extracted from the monitoring target NW log is called a monitoring target NW communication pattern.

  For example, as shown in FIG. 3, the communication pattern extraction unit 111 generates a communication log indicating that the communication destinations from the communication source terminal are A, B, and C, and the communication destinations appear in the order of A → B → C. When acquired, a communication destination pair (communication pair of a trigger communication destination and a related communication destination) appearing within a predetermined time window (T) is extracted as a communication pattern for this communication log. The starting point of this time window is the time when communication from the communication source terminal to the trigger communication destination occurs. The trigger communication destination is the first communication destination (first communication destination) constituting the communication pair, and the related communication destination is a communication destination (second communication) excluding the trigger communication destination that appears in the time window. First). For example, the communication pattern extraction unit 111 shifts the time window (T) from the communication log shown in FIG. 3 and shifts the three communications A → B, A → C, and B → C included in the time window (T). A pair is extracted as a communication pattern. Although not shown here, the communication pattern extraction unit 111 also records information on the time interval of each communication pair (A → B, A → C, B → C) in the communication pattern. As a result of shifting the time window in the above processing, when only one communication destination is included in the time window, that is, when there is no related communication destination of the trigger communication destination, the related communication of the trigger communication destination It is assumed that a communication pattern with no destination is extracted. The value of the time window (T) can be appropriately set by the administrator of the malignant communication pattern detection apparatus 10 or the like.

  The communication pattern extraction unit 111 performs the above processing on both the malware analysis log and the monitoring target NW log.

  The model data extraction unit 112 acquires feature amounts of the malware communication pattern and the monitoring target NW communication pattern obtained by the communication pattern extraction unit 111, and registers the acquired feature amounts in the detection model as model data. The feature quantity of the malware communication pattern is called a malware communication pattern feature quantity, and the feature quantity of the monitoring target NW communication pattern is called a monitoring target NW communication pattern feature quantity.

In the detection model, malware communication pattern feature amounts, monitoring target NW communication pattern feature amounts, and communication pattern occurrence interval information are registered as model data. As illustrated in FIG. 4, the malware communication pattern feature amount includes, for example, a malware repeated pattern feature amount (M _freq ), and the monitoring target NW communication pattern feature amount includes an NW log frequent pattern feature amount (L _freq ), pattern Intra-relationship strength feature quantity (L _redir ). The communication pattern occurrence interval information includes malware communication pattern occurrence interval information and monitoring target NW communication pattern occurrence interval information. The malware communication pattern occurrence interval information is represented by, for example, the average value (μ _m ) and standard deviation (σ _m ) of the occurrence interval of malware communication, and the monitoring target NW communication pattern occurrence interval information is, for example, the communication of the monitoring target NW It is expressed by an average value (μ _l ) and a standard deviation (σ _l ) of the occurrence interval. The model data of this detection model is stored in a predetermined area of a storage unit (not shown) of the malignant communication pattern detection device 10.

  The detection unit 12 in FIG. 2 calculates the malignancy of the communication pattern of the communication log to be detected with reference to the detection model. The detection unit 12 includes a communication pattern extraction unit 121, an occurrence interval similarity calculation unit 122, and a malignancy degree calculation unit 123.

  The communication pattern extraction unit 121 extracts a communication pattern from a communication log to be detected. The communication log to be detected is input from an input unit (not shown) of the malignant communication pattern detection device 10. The communication pattern extraction method is the same as that of the communication pattern extraction unit 111 of the detection model generation unit 11, and thus the description thereof is omitted.

  The occurrence interval similarity calculation unit 122 refers to the communication pattern occurrence interval information of the detection model, and to what extent the communication pattern of the communication log to be detected is similar to the occurrence interval of the malware communication pattern. A value (occurrence interval similarity) indicating how similar to the occurrence interval of the NW communication pattern is calculated.

  The malignancy calculating unit 123 calculates the malignancy of the communication pattern of the communication log to be detected with reference to the detection model. Specifically, the detection unit 12 refers to the detection model, the size of the malware communication pattern feature amount of the communication pattern of the communication log to be detected (the communication log of the monitoring target NW log), and the monitoring target The size of the NW communication pattern feature amount is acquired. And the detection part 12 calculates the malignancy of the communication pattern of the communication log used as a detection target using each acquired feature-value and the occurrence interval similarity calculated by the occurrence interval similarity calculation part 122. FIG. Then, the malignancy calculator 123 outputs the calculated malignancy as a detection result.

  Details of the detection model generation unit 11 and the detection unit 12 will be described later using a flowchart.

(Processing procedure)
Hereinafter, the processing procedure of the malignant communication pattern detection apparatus 10 will be described.

(Communication pattern extraction unit of detection model generation unit)
First, the processing procedure of the communication pattern extraction unit 111 of the detection model generation unit 11 will be described with reference to FIG. The communication pattern extraction unit 111 performs the following processing on the malware analysis log and the monitoring target NW communication log.

  First, the communication pattern extraction unit 111 determines whether the processing target is a malware analysis log or a monitoring target NW log (S1). If the processing target is a malware analysis log (Yes in S1) The malware analysis ID is set as a transmission source identifier (identification information of the communication source terminal) (S4). On the other hand, when the processing target is a monitoring target NW communication log (No in S1 → Yes in S2), the communication pattern extraction unit 111 sets a transmission source IP address as a transmission source identifier (S3). If the processing target is neither the malware analysis log nor the monitoring target NW communication log (No in S2), the process ends.

  When there is a transmission source identifier that has not yet been extracted (No in S5), the communication pattern extraction unit 111 reads one of the transmission source identifiers from which this communication pattern has not been extracted. The identifier is set (S6), and the communication log of the sender identifier is read (S7). Then, when the communication pattern extraction unit 111 reads the communication log, the communication pattern extraction unit 111 sets an index indicating the start point of extracting the communication pattern in the first entry of the communication log (S8). On the other hand, the communication pattern extraction unit 111 ends the process if there is no transmission source identifier from which communication patterns are not extracted (No in S5).

  After S8, the communication pattern extraction unit 111 reads the communication destination and time listed in the entry for which the index is set, and sets the communication destination listed in the entry for which the index is set as the trigger communication destination. (S9). Next, the communication pattern extraction unit 111 reads the subsequent entries after the entry in which the index is set. Then, the communication pattern extraction unit 111 sets all communication destinations that appear within a predetermined time (for example, time window (T)) from the time when communication with the trigger communication destination occurs as a related communication destination. A communication pair of the destination and each related communication destination is set as a communication pattern (S10).

  At this time, the communication pattern extraction unit 111 acquires, for each communication pattern, an occurrence interval (time interval) between the trigger communication destination of the communication pattern and each related communication destination, and each communication pattern and the acquired trigger communication destination And the generation intervals between the related communication destinations are transferred to the model data extraction unit 112 (S11).

  For example, if communication with the communication destinations B and C appears within the time window (T) after communication with the communication destination A appears, the trigger communication destination becomes the communication destination A, and A → B and A → C. Two communication pairs are set as communication patterns, and the communication pairs of the two communication patterns and the generation intervals of the communication pairs are transferred to the model data extraction unit 112.

  After S11, if there is an entry for which no index is set in the communication log (S12: Yes), the communication pattern extraction unit 111 increments the index by 1 (S13) and returns to S9. On the other hand, if there is no entry for which no index is set in the communication log (No in S12), the process returns to S5.

  In this way, the communication pattern extraction unit 111 extracts a communication pattern from the malware analysis log and the monitoring target NW communication log.

  When the communication pattern extraction unit 111 reads the monitoring target NW log, first, the communication pattern of the malware communication log is acquired, and thereafter, the communication pattern extraction unit 111 includes communication pairs appearing in the communication pattern from the monitoring target NW log. A communication pattern may be extracted. Thus, by limiting the communication patterns extracted from the monitoring target NW log, it is possible to reduce the time required for the communication pattern extraction processing from the monitoring target NW log.

  Although not described, the communication pattern extraction unit 121 of the detection unit 12 also extracts a communication pattern in the same procedure for the monitoring target NW log to be detected. Then, the communication pattern extraction unit 121 transfers the extracted communication pattern to the occurrence interval similarity calculation unit 122 and the malignancy degree calculation unit 123.

(Model data extraction unit)
Next, the processing procedure of the model data extraction unit 112 of the detection model generation unit 11 will be described with reference to FIG. First, the model data extraction unit 112 extracts a malware communication pattern feature quantity from the malware communication pattern.

The model data extraction unit 112 reads the malware communication pattern extracted by the communication pattern extraction unit 111 (S21), and the communication pattern is included in the malware communication log within a predetermined time for each communication pattern included in the malware communication pattern. A result obtained by dividing the number of transmission source identifiers that have been confirmed to be present a predetermined number of times or more by the number of transmission source identifiers for which the communication pattern has been confirmed is acquired as a malware repetitive pattern feature (M _freq ) (S22).

For example, let us consider a case where the model data extraction unit 112 extracts a malware repetition pattern feature (M _freq ) from a communication log of malware communication illustrated in FIG. In FIG. 5, T1 is a time window for acquiring a communication pair, and T2 is a time window for counting the number of appearances of the communication pair. In this case, the model data extraction unit 112 determines that the communication pattern (for example, the communication pair A → B that appears within the time window (T1)) is within a predetermined time (for example, the time window (T2)) from the malware communication log. The number of source identifiers that have been confirmed to exist for a predetermined number of times (for example, three times) or more is acquired. Further, the model data extraction unit 112 acquires the number of transmission source identifiers for which the communication pattern (for example, a communication pair of A → B) is confirmed from the malware communication log. Then, the model data extraction unit 112 determines the number of transmission source identifiers that have been confirmed that the communication pattern (for example, the communication pair A → B) is present more than a predetermined number of times within a predetermined time in the malware communication log. Divide by the number of sender identifiers for which the communication pattern was confirmed. The model data extraction unit 112 acquires a result of executing such processing for each communication pair of the malware communication pattern as a malware repetitive pattern feature (M _freq ). Note that the value of the time window (T1, T2) and the value of the number of times the communication pattern exists (for example, 3 times) can be set as appropriate by the administrator of the malignant communication pattern detection apparatus 10 or the like.

The malware repetitive pattern feature (M _freq ) acquired in this way captures the operation of the malware repeatedly trying to communicate with the server for receiving instructions from the attacker, and this feature is large. Means that the communication pattern is characteristic of malware.

Returning to the description of FIG. After S22, the model data extraction unit 112 acquires the average value (μ _m ) and standard deviation (σ _m ) of the occurrence interval of the communication pattern for each communication pattern of the malware communication pattern as malware communication pattern occurrence interval information ( S23). Then, the model data extraction unit 112 registers the malware repetition pattern feature amount (M _freq ) acquired in S22 and the malware communication pattern occurrence interval information (μ _m , σ _m ) acquired in S23 in the detection model (S24). After S24, if there is no unprocessed malware communication pattern (No in S25), the process proceeds to S26, and if there is an unprocessed malware communication pattern (Yes in S25), the process returns to S22.

In S26, the model data extraction unit 112 reads the monitoring target NW communication pattern. Then, the model data extraction unit 112 divides the number of transmission source identifiers for which the communication pattern is confirmed for each communication pattern of the read monitoring target NW communication pattern by the number of transmission source identifiers included in the monitoring target NW log. The result is acquired as an NW log frequent pattern feature amount (L _freq ) (S27).

For example, the model data extraction unit 112 acquires the number of transmission source identifiers whose communication patterns (A → B) have been confirmed in the monitoring target NW communication pattern. Then, the model data extraction unit 112 divides the number of transmission source identifiers for which the communication pattern (A → B) is confirmed by the number of transmission source identifiers included in the monitoring target NW log. The model data extraction unit 112 acquires a result obtained by executing such processing for each communication pattern of the monitoring target NW communication pattern as an NW log frequent pattern feature (L _freq ).

The NW log frequent pattern feature quantity (L _freq ) acquired in this way is a quantification of the degree to which each communication pattern that appears in the monitoring target NW communication pattern generally occurs in the monitoring target NW. A large feature value means that the communication pattern is confirmed from many terminals in the monitoring target NW. For example, in the example described above, the fact that the NW log frequent pattern feature (L _freq ) relating to the communication pattern (A → B) is large is confirmed by the communication pattern (A → B) from many terminals of the monitoring target NW. Means that That is, assuming that there are few malware-infected terminals in the monitoring target NW, the large feature value means that there is a low possibility of occurrence when the communication pattern is infected with malware.

Returning to the description of FIG. For each communication pattern of the monitoring target NW communication pattern, the model data extraction unit 112 divides the number of confirmed communication patterns by the number of confirmed trigger communication destinations, and the intra-pattern relevance in the monitoring target NW log It is acquired as an intensity feature quantity (L _redir ) (S28).

For example, the model data extraction unit 112 acquires the number of confirmed communication patterns (A → B) in the monitoring target NW communication pattern. In addition, the model data extraction unit 112 acquires the number of trigger communication destinations (A) of the communication pattern (A → B) confirmed as the communication destination in the monitoring target NW communication pattern. Then, the model data extraction unit 112 divides the number of confirmed communication patterns by the number of confirmed trigger communication destinations. The model data extraction unit 112 acquires a result of executing such processing for each communication pattern of the monitoring target NW communication pattern as an intra-pattern relevance strength feature quantity (L _redir ). This feature amount represents the probability that communication with the related communication destination (for example, B) is confirmed when the trigger communication destination (for example, A) is confirmed. For example, the communication with A) is an index representing the probability of causing communication with the related communication destination (for example, B). In other words, the intra-pattern relevance strength feature quantity (L _redir ) is, for example, a communication destination that always occurs when going to a certain communication destination such as HTTP (HyperText Transfer Protocol) in the monitoring target NW or reading of an image. It is an index that quantifies the relationship.

  Assuming that there are few malware-infected terminals in the monitored NW, this large feature value is a communication pattern that is likely to occur in normal communication, and this communication pattern can occur when infected with malware. It means that the nature is low.

The model data extraction unit 112 calculates, for each communication pattern of the monitoring target NW communication pattern, an average value (μ _l ) and standard deviation (σ _l ) of the generation interval of the communication pattern, and generates the monitoring target NW communication pattern generation Obtained as interval information (S29). For example, for each communication pattern (for example, A → B, A → C, B → C), the model data extraction unit 112 calculates the average value (μ _l ) and standard deviation (μ _l ) of the occurrence intervals of the respective communication patterns. And is obtained as monitoring target NW communication pattern generation interval information.

The model data extraction unit 112 detects the acquired NW log frequent pattern feature quantity (L _freq ), intra-pattern relevance strength feature quantity (L _redir ), and monitoring target NW communication pattern generation interval information (μ _l , σ _l ). The model is registered (S30). The model data extraction unit 112 returns to S27 if there is an unprocessed monitoring target NW communication pattern (Yes in S31), and ends the process if there is no unprocessed communication pattern (No in S31). To do.

(Occurrence interval similarity calculation unit)
Next, the processing procedure of the occurrence interval similarity calculation unit 122 will be described with reference to FIG. The occurrence interval similarity calculation unit 122 reads the communication pattern (the communication pair and the generation interval of the communication pair) of the monitoring target NW log to be inspected as the detection target communication pattern from the communication pattern extraction unit 121 of the detection unit 12 ( S41). Further, the occurrence interval similarity calculation unit 122 determines, from the detection model, malware communication pattern occurrence interval information (μ _m , σ _m ) corresponding to the detection target communication pattern and monitoring target NW communication pattern occurrence interval information (μ _l , σ _l ) is read (S42).

Then, the occurrence interval similarity calculation unit 122 uses the read malware communication pattern occurrence interval information (μ _m , σ _m ) and the monitoring target NW communication pattern occurrence interval information (μ _l , σ _l ) to detect For the communication pattern, the similarity between the occurrence intervals of the malware communication pattern and the monitoring target NW communication pattern is calculated (S43).

Specifically, the occurrence interval similarity calculation unit 122 calculates the similarity of the malware communication pattern generation interval with respect to the detection target communication pattern using the malware communication pattern generation interval information (μ _m , σ _m ). In addition, the occurrence interval similarity calculation unit 122 calculates the similarity of the monitoring target NW communication pattern generation interval with respect to the detection target communication pattern using the monitoring target NW communication pattern generation interval information (μ _l , σ _l ). Here, each similarity is calculated by, for example, the following equation (1).

  Here, Sim (d) is the similarity when the occurrence interval of a certain communication pattern is d, σ is the standard deviation of the occurrence interval of each communication pattern, and μ is the average of the occurrence intervals of each communication pattern Value. However, the maximum value of Sim (d) is 1, and when it exceeds 1, Sim (d) = 1. When d−μ is 0, Sim (d) = 1.

  As described above, the occurrence interval similarity calculation unit 122 can calculate the communication pattern similarity in consideration of the occurrence interval of communication appearing in the communication pattern. For example, as illustrated in FIG. 6, when the communication pairs (A → B, A → C, B → C) appearing in the communication log are the same, but the communication generation intervals are different, the occurrence interval similarity calculation unit 122. In consideration of the communication occurrence interval, the similarity value between the two communication patterns is calculated to be low.

(Grade level calculator)
Next, the processing procedure of the malignancy calculation unit 123 will be described with reference to FIG. The malignancy calculation unit 123 reads the communication pattern of the monitoring target NW log to be inspected (communication pair and the generation interval of the communication pair) as a detection target communication pattern from the communication pattern extraction unit 121 (S51).

  Further, the malignancy calculation unit 123 generates the similarity of the generation intervals corresponding to the detection target communication patterns from the occurrence interval similarity calculation unit 122 (that is, the similarities of the malware communication pattern generation interval and the monitoring target NW communication pattern generation interval). Is acquired (S52).

Further, the malignancy calculation unit 123 calculates the malware repeated pattern feature (M _freq ), the NW log frequent pattern feature (L _freq ), and the intra-pattern relevance strength feature (L) corresponding to the communication pattern from the detection model. _redir ) is read (S53). Then, the malignancy calculator 123 calculates the malignancy of the detection target communication pattern based on the read feature quantities (S54). As for the malignancy, when the occurrence interval similarity of the malware communication pattern is large, the smaller the occurrence interval similarity of the monitoring target NW communication pattern is, the larger the value of the malware repeat pattern feature (M _freq ) is, The smaller the value of the quantity (L _freq ), and the smaller the value of the intra-pattern related strength feature quantity (L _redir ), the larger the value. The grade of malignancy is calculated by the following formula (2), for example.

In Equation (2), Score is the malignancy, Sim _m is the occurrence interval similarity to the malware communication pattern, Sim _l is the occurrence interval similarity to the monitored NW communication pattern, M _freq is the malware repetitive pattern feature, and L _freq is The NW log frequent pattern feature amount, L _redir indicates the intra-pattern related strength feature amount.

  That is, when calculating the malignancy of the detection target communication pattern, the malignancy calculation unit 123 calculates the malignancy higher as it resembles the malware communication pattern, and lowers the malignancy as resembling the monitoring target NW communication pattern. calculate.

  The malignancy calculating unit 123 may calculate the malignancy by weighting each feature amount. In addition, the communication pattern extraction unit 121 extracts a communication pattern using the URL, FQDN, path, and the like indicated in the communication log as a communication destination, and the malignancy calculation unit 123 uses the communication pattern such as URL, FQDN, path, etc. The degree may be calculated. The URL used here may be a URL without a query string.

  Then, after calculating the malignancy of each of the URL, FQDN, and path communication patterns, the malignancy calculation unit 123 outputs a value obtained by adding the calculated malignancy as the malignancy of the detection target communication pattern. Good. The grade of malignancy here is calculated by the following formula (3), for example.

The Score _{m in the} expression (3) is a malignancy of each of the communication patterns of URL, FQDN, and Path. Note that the malignancy calculation unit 123 may calculate the Score (malignancy) by weighting the Score _m when calculating the Score (malignancy) according to the equation (3). By doing in this way, the malignancy degree judged comprehensively about the communication pattern extracted from various viewpoints, such as URL, FQDN, Path (path), is computable.

(Other embodiments)
In the above-described embodiment, the malignant communication pattern detection apparatus 10 calculates the malignancy without using the malware communication pattern generation interval information (μ _m , σ _m ) and the monitoring target NW communication pattern generation interval information (μ _l , σ _l ). May be. That is, the detection unit 12 does not include the occurrence interval similarity calculation unit 122, and the malignancy calculation unit 123 includes the malware repetitive pattern feature amount (M _freq ) and the NW log frequent pattern feature amount (L _freq ) corresponding to the detection target communication pattern. ) And the intra-pattern relationship strength feature quantity (L _redir ) may be used to calculate the malignancy of the detection target communication pattern.

  Furthermore, although the detection model generation part 11 and the detection part 12 were demonstrated as what is equipped in the same apparatus, you may each implement | achieve by a separate apparatus.

(program)
It is also possible to create a program that describes the processing executed by the malignant communication pattern detection apparatus 10 according to the above embodiment in a language that can be executed by a computer. In this case, the same effect as the above-described embodiment can be obtained by the computer executing the program. Further, such a program may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read by the computer and executed to execute the same processing as in the above embodiment. An example of a computer that executes a malignant communication pattern detection program that realizes the same function as that of the malignant communication pattern detection apparatus 10 will be described below.

  FIG. 11 is a diagram illustrating a computer that executes a malicious communication pattern detection program. As shown in FIG. 11, the computer 1000 includes, for example, a memory 1010, a CPU (Central Processing Unit) 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network. Interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100, for example. For example, a mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050. For example, a display 1130 is connected to the video adapter 1060.

  Here, as shown in FIG. 11, the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. Each table described in the above embodiment is stored in the hard disk drive 1090 or the memory 1010, for example.

  Further, the malicious communication pattern detection program is stored in the hard disk drive 1090 as a program module in which a command executed by the computer 1000 is described, for example. Specifically, a program module describing each process executed by the malicious communication pattern detection apparatus 10 described in the above embodiment is stored in the hard disk drive 1090.

  Data used for information processing by the malignant communication pattern detection program is stored as program data, for example, in the hard disk drive 1090. Then, the CPU 1020 reads out the program module 1093 and the program data 1094 stored in the hard disk drive 1090 to the RAM 1012 as necessary, and executes the above-described procedures.

  The program module 1093 and the program data 1094 related to the malicious communication pattern detection program are not limited to being stored in the hard disk drive 1090. For example, the program module 1093 and the program data 1094 are stored in a removable storage medium and the CPU 1020 via the disk drive 1100 or the like. May be read. Alternatively, the program module 1093 and the program data 1094 related to the malicious communication pattern detection program are stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and the network interface 1070 is stored. It may be read by the CPU 1020 via

DESCRIPTION OF SYMBOLS 10 Malignant communication pattern detection apparatus 11 Detection model production | generation part 12 Detection part 111,121 Communication pattern extraction part 112 Model data extraction part 122 Occurrence interval similarity calculation part 123 Malignancy degree calculation part

Claims (9)

From the communication logs of the terminals infected with malware and the terminals of the monitored network, the first communication destination of the terminal and the second communication destination that is the subsequent communication destination among the series of communication destinations of the respective terminals. A communication pattern extraction unit that extracts a communication pattern indicating a pair with
A feature amount of a malware communication pattern which is a communication pattern extracted from a communication log of a terminal infected with the malware, and a feature amount of a monitored network communication pattern which is a communication pattern extracted from a communication log of a terminal of the monitored network A feature amount extraction unit that performs acquisition and registers the feature amount of each acquired communication pattern in a detection model for detecting malignant communication;
An input unit for receiving an input of a communication log of communication to be detected;
For the detection target communication pattern that is a communication pattern extracted from the communication log of the communication to be detected, the feature amount of the malware communication pattern and the feature amount of the monitoring target network communication pattern are acquired from the detection model, A malignancy calculating unit that calculates a higher malignancy value of the detection target communication pattern as the feature amount of the acquired malware communication pattern is larger and the feature amount of the acquired monitoring target network communication pattern is smaller; A malignant communication pattern detection apparatus comprising: The communication pattern further includes information regarding an occurrence interval of communication between the first communication destination and the second communication destination,
The feature amount extraction unit obtains a feature amount of a communication occurrence interval in the malware communication pattern as a feature amount of the malware communication pattern in the detection model, and as a feature amount of the monitored network communication pattern Furthermore, the feature quantity of the communication occurrence interval in the monitored network communication pattern is acquired,
The malignant communication pattern detection device further includes:
With reference to the feature quantity of the occurrence interval of each communication in the detection model, the similarity between the occurrence interval of communication of the detection target communication pattern and the occurrence interval of communication of the malware communication pattern, and the monitoring target network communication pattern An occurrence interval similarity calculation unit for calculating the similarity of communication occurrence intervals;
The malignancy calculation unit further increases the similarity of the calculated communication interval of the malware communication pattern, and the lower the similarity of the calculated communication interval of the monitored network communication pattern. The malignant communication pattern detection apparatus according to claim 1, wherein the malignancy degree value is calculated high.   In the communication log of the terminal infected with the malware, for each communication pattern included in the malware communication pattern, the feature amount extraction unit within a predetermined time as a feature amount of the malware communication pattern in the detection model The malignant communication pattern detection apparatus according to claim 1, wherein a malware repetitive pattern feature amount that is a value indicating a degree of repeated appearance is acquired.   The feature amount extraction unit, as a feature amount of the monitoring target network communication pattern in the detection model, for each communication pattern included in the monitoring target network communication pattern, in the communication log of the terminal of the monitoring target network, The malignant communication pattern detection device according to claim 1, wherein a network log frequent pattern feature amount that is a value indicating a degree of appearance is acquired.   The feature amount extraction unit includes, as a feature amount of the monitoring target network communication pattern in the detection model, for each communication pattern included in the monitoring target network communication pattern, in the communication log of the terminal of the monitoring target network, the communication pattern. After the communication to the first communication destination shown, the relevance strength feature amount in the pattern, which is a value indicating the rate of occurrence of communication to the second communication destination shown in the communication pattern, is acquired The malignant communication pattern detection apparatus according to any one of claims 1 to 4.   The said communication pattern extraction part extracts the communication pattern which appears in the said malware communication pattern acquired previously, when extracting the said monitoring object network communication pattern, The any one of Claims 1-5 characterized by the above-mentioned. The malignant communication pattern detection apparatus according to item 1.   The malignancy calculation unit includes a communication pattern in which a URL (Uniform Resource Locator) is extracted from the communication log as the communication destination, a communication pattern in which FQDN (Fully Qualified Domain Name) is extracted as the communication destination, and a URL path The malignancy is calculated for at least one of the communication patterns extracted as the communication destination, and a value obtained by integrating the malignancy of the calculated communication pattern is calculated. The malignant communication pattern detection device described in 1. From the communication logs of the terminals infected with malware and the terminals of the monitored network, the first communication destination of the terminal and the second communication destination that is the subsequent communication destination among the series of communication destinations of the respective terminals. Extracting a communication pattern indicating a pair with;
A feature amount of a malware communication pattern which is a communication pattern extracted from a communication log of a terminal infected with the malware, and a feature amount of a monitored network communication pattern which is a communication pattern extracted from a communication log of a terminal of the monitored network Performing acquisition, and registering the acquired feature amount of each communication pattern in a detection model for detecting malignant communication;
Receiving an input of a communication log of communication to be detected;
For the detection target communication pattern that is a communication pattern extracted from the communication log of the communication to be detected, the feature amount of the malware communication pattern and the feature amount of the monitoring target network communication pattern are acquired from the detection model, Calculating the malignancy value of the detection target communication pattern higher as the characteristic amount of the acquired malware communication pattern is larger and as the characteristic amount of the acquired monitored network communication pattern is smaller. A characteristic malignant communication pattern detection method. From the communication logs of the terminals infected with malware and the terminals of the monitored network, the first communication destination of the terminal and the second communication destination that is the subsequent communication destination among the series of communication destinations of the respective terminals. Extracting a communication pattern indicating a pair with;
A feature amount of a malware communication pattern which is a communication pattern extracted from a communication log of a terminal infected with the malware, and a feature amount of a monitored network communication pattern which is a communication pattern extracted from a communication log of a terminal of the monitored network Performing acquisition, and registering the acquired feature amount of each communication pattern in a detection model for detecting malignant communication;
Receiving an input of a communication log of communication to be detected;
For the detection target communication pattern that is a communication pattern extracted from the communication log of the communication to be detected, the feature amount of the malware communication pattern and the feature amount of the monitoring target network communication pattern are acquired from the detection model, Causing the computer to execute a step of calculating a higher malignancy value of the detection target communication pattern as the characteristic amount of the acquired malware communication pattern is larger and as the characteristic amount of the acquired monitored network communication pattern is smaller. A malignant communication pattern detection program characterized by the above.

Images