JP2019135680A - Information processing apparatus, information processing system, control method, and program - Google Patents

Abstract

To easily identify a malicious email.SOLUTION: A rule information acquisition unit 302 acquires determination rule information stored in a determination rule DB in a storage unit 300, and further acquires exclusion rule information stored in an exclusion rule DB in the storage unit 300. Thereafter, a mail acquisition unit 304 identifies, as a targeted attack mail, an e-mail transmitted from the same sender to a plurality of recipients, the e-mail satisfying the determination rule information and not satisfying the exclusion rule information.SELECTED DRAWING: Figure 4

Description

  The present invention relates to a method for specifying a targeted attack mail.

  With the development of network technology, a variety of information has been distributed, and there are very convenient tools for providing such information to many users.

  For example, it is possible to obtain a resource desired by the user by clicking a URL for specifying the location of a resource such as HTML or an image on the Internet.

  However, recently, by exploiting the convenience of such tools and illegally accessing resources, damages such as infection with viruses and the need for large payments have occurred.

  As an example of damage resulting from the abuse of such a tool, an email with a URL specifying the location of an unauthorized resource is sent to a corporate user unilaterally, the user opens the email, and the email is mistakenly sent. Damage has occurred, such as clicking on the URL.

  Therefore, as a method for solving such a problem, the characteristics of the received e-mail are stored, and the similarity between the characteristics of the newly received e-mail and the characteristics of the e-mail received in the past is lower than the reference value. In this case, a technique for specifying the target attack mail is disclosed (for example, see Patent Document 1).

JP 2013-236308 A

  In recent years, as a targeted attack mail, there is a so-called scattered attack mail in which the same or similar electronic mail is sent to an email address of many employees to an organization such as a company.

  However, in the technology described in Patent Document 1, the newly received e-mail is determined to determine the validity of the newly received e-mail by obtaining the similarity to the previously received e-mail. No description or suggestion has been made about the identification of all of the emails that have been spread within the organization, as in the case of a disseminated attack email.

  Therefore, when receiving a distributed attack email, the system administrator, etc. must identify the employee who received the distributed attack email, etc., and quickly grasp and deal with it. The technique described in Document 1 cannot solve such a problem.

  Therefore, an object of the present invention is to provide an information processing apparatus, an information processing system, a control method, and a program that can easily identify a malicious electronic mail.

The present invention for solving the above-described problem is an information processing apparatus that controls reception of an electronic mail, wherein a specifying means for specifying the same or similar electronic mail and an electronic mail specified by the specifying means are within a predetermined period. Determining means for determining whether or not to be received at a predetermined number or more different destinations, and executing means for executing an action related to the e-mail when it is determined that the information is received by the determining means. Features.
It is provided with.

  According to the present invention, there is an effect that a malicious electronic mail can be easily specified.

It is a block diagram which shows schematic structure of an information processing system. It is a block diagram which shows schematic structure of the hardware of an access relay apparatus, a mail relay apparatus, a mail server, an external server, and a client terminal. It is a block diagram which shows the function structure of a mail relay apparatus. It is a flowchart which shows the specific process of a target type | mold attack mail. It is a block diagram which shows the structure of each table.

DESCRIPTION OF EMBODIMENTS Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. FIG. 1 shows a schematic configuration diagram of an information processing system according to an embodiment of the present invention.

  As shown in FIG. 1, the information processing system 100 according to the present embodiment includes a configuration including an access relay device 102, a mail server 104, a mail relay device 106, client terminals 108 (provided with at least one), and a LAN 110. And connected to the external server 114 via the wide area network 112.

  The access relay device 102 is a device that functions as an information processing device, and relays between the client terminal 108 and the external server 114 that performs data communication via the wide area network 112.

  Further, the access relay apparatus 102 controls communication of the data according to a relay control rule for determining whether to relay or not relay data transmitted / received between the client terminal 108 and the external server 114. ing.

  The mail server 104 is an information processing apparatus used for sending and receiving e-mails, and has functions such as e-mail address management and storing e-mails sent to the e-mail addresses. Yes.

  The mail relay apparatus 106 performs a transmission control process for an electronic mail transmitted from the mail server 104 or the client terminal 108 by using the transmission control rule, and performs a reception control process for an electronic mail transmitted from the external server 114 as described later. This is done using a reception control rule.

  Further, the mail relay apparatus 106 accepts an input of a transmission control rule (reception control rule) used for an e-mail transmission control process (reception control process) or transmits in response to a request from a user who operates the client terminal 108. As a result of the control process (reception control process), an input (audit input) for transmission (reception) and transmission prohibition (reception prohibition) for an electronic mail whose transmission (reception) has been suspended is accepted.

  Further, the mail relay apparatus 106 identifies an unauthorized e-mail from e-mails already received in response to a request from a user who operates the client terminal 108, and gives a warning notification to an administrator or a recipient. .

  The client terminal 108 is a terminal device operated by a user who exchanges e-mails using a mail address managed by the mail server 104.

  The client terminal 108 is also a terminal device that provides various contents and the like provided from the external server 114 to the user.

  Further, the client terminal 108 can refer to and register the relay control rule, the transmission control rule, and the reception control rule stored in the access relay device 102 and the mail relay device 106 via the LAN 110.

  The external server 114 is a device that provides various contents to the user, and is installed by a service provider or an individual user, or installed as a mail server owned by an external user. To do.

  Next, FIG. 2 illustrates an example of a hardware configuration of an information processing apparatus applicable to the access relay apparatus 102, the mail server 104, the mail relay apparatus 106, and the client terminal 108.

  In FIG. 2, reference numeral 201 denotes a CPU that comprehensively controls each device and controller connected to the system bus 204. Further, the ROM 202 or the external memory 211 is necessary to realize a BIOS (Basic Input / Output System) or an operating system program (hereinafter referred to as an OS), which is a control program of the CPU 201, or a function executed by each server or each PC. Various programs to be described later are stored.

  A RAM 203 functions as a main memory, work area, and the like for the CPU 201. The CPU 201 implements various operations by loading a program or the like necessary for execution of processing from the ROM 202 or the external memory 211 into the RAM 203 and executing the loaded program.

  An input controller 205 controls input from a keyboard (KB) 209 or a pointing device such as a mouse (not shown). A video controller 206 controls display on a display device such as a CRT display (CRT) 210.

  In FIG. 2, although described as CRT 210, the display device is not limited to the CRT, but may be another display device such as a liquid crystal display. These are used by the administrator as needed.

  A memory controller 207 is connected via an adapter to a hard disk (HD), flexible disk (FD), or PCMCIA card slot for storing a boot program, various applications, font data, user files, editing files, various data, and the like. The access to the external memory 211 such as a compact flash (registered trademark) memory is controlled.

  A communication I / F controller 208 is connected to and communicates with an external device via a network (for example, the LAN 110 shown in FIG. 1), and executes communication control processing in the network. For example, communication using TCP / IP is possible.

  Note that the CPU 201 enables display on the CRT 210 by executing outline font rasterization processing on a display information area in the RAM 203, for example. In addition, the CPU 201 enables a user instruction with a mouse cursor (not shown) on the CRT 210.

  Various programs to be described later for realizing the present invention are recorded in the external memory 211 and executed by the CPU 201 by being loaded into the RAM 203 as necessary.

  Furthermore, definition files and various information tables used when executing the program are also stored in the external memory 211, and a detailed description thereof will be described later.

  Next, the functional configuration of the mail relay apparatus 106 will be described with reference to FIG. Details of each function will be described with reference to a flowchart and the like described later.

  The mail relay device 106 includes a storage unit 300, a rule information acquisition unit 302, a mail acquisition unit 304, and an operation unit 306.

  The storage unit 300 stores and manages rules for controlling the reception of e-mails, rules for specifying targeted attack e-mails, information on public addresses, information on received e-mails, and the like.

  The rule information acquisition unit 302 acquires information related to a rule for specifying a targeted attack mail stored and managed by the storage unit 300, and the mail acquisition unit 304 stores information related to an email stored and managed by the storage unit 300. get.

  The operation unit 306 executes an action defined for the rule corresponding to the specified e-mail specified as the target attack mail.

  Next, the target attack mail specifying process will be described with reference to the flowchart shown in FIG.

  In step S100, the rule information acquisition unit 302 acquires determination rule information used when determining whether or not the electronic mail is a target-type attack mail from the determination rule DB (see FIG. 5) in the storage unit 300.

  The top row of FIG. 5 shows the configuration of the determination rule DB. An ID for uniquely identifying a determination rule for determining whether an e-mail is a targeted attack mail is received within a predetermined time. In order to identify the e-mail, in order to identify the number of e-mails received within the predetermined time range and the predetermined time, the number of e-mails indicating the number of e-mails and the ID of the public address When it corresponds to the public address ID to be shown, the attack classification for identifying the feature of the targeted attack mail, and the determination rule, it includes an action indicating an operation for the electronic mail.

  FIG. 5 shows an example of a determination rule. For example, as in the uppermost record, the ID is 1, the time range is 10 minutes, the number of emails is 100, the public address ID is NULL (details will be described later), Assume that the attack classification is 2 or 3, and the action is automatically reflected in the filtering rule and stored in the determination rule DB.

  This determination rule is when 100 or more e-mails are received within 10 minutes, and these e-mails are given a forged URL as a feature of the targeted attack, or When an e-mail is attached with a file that is regarded as a double extension (details will be described later), the filtering condition is automatically set to filter incoming e-mail as an action related to the e-mail. Has been shown to do.

  As an example of filtering conditions, by setting the address of the sender of the email specified as the targeted attack email as a condition, if the sender sends an email after the setup, It is possible to take measures such as holding the mail uniquely or deleting it.

  The public address ID corresponds to the ID stored in the public address list DB shown on the left of the third row from the top in FIG.

  The public address list DB has a configuration including an ID for uniquely identifying a public address and a public address indicating the public address.

  This public address indicates, for example, an address that is disclosed to the public regarding inquiries to the company's public relations, personnel, etc., and customer service.

  Further, the attack category corresponds to the ID stored in the target type attack category DB shown in the third row from the top in FIG.

  The target-type attack classification DB stores information on the reason why it is determined to be the target-type attack mail according to the rule for determining whether the received e-mail is the target-type attack mail, and the reason The ID includes a configuration including an ID for uniquely identifying an attack content corresponding to the reason.

  With such a determination rule, it is possible to identify a particularly distributed attack email among the target-type attack emails.

  In addition, as shown in the second row from the top row, the time range is 3 minutes, the number of e-mails is 3, the public address ID is 3, the attack category is NULL, the action is notified to the administrator, the recipient is notified, the homepage It is assumed that the display is stored in the determination rule DB.

  This record is used when 3 or more e-mails are received within 3 minutes, and the e-mail address of the recipient includes a public address specified from the public address ID. The information indicating that the targeted attack mail has been transmitted is displayed on the homepage established by the company, which notifies the receiver and the receiver that the targeted attack mail has been transmitted.

  The public address itself is likely to be the target of targeted attack emails, and frequent exchanges between senders and receivers using public addresses are rare. It is possible to set a smaller value compared to the record from the upper stage.

  As for the public address ID, it is possible to store a plurality of IDs. For example, as a destination where the sender is unlikely to send an e-mail within a predetermined time, it relates to a product that is not highly related to each other. When an e-mail is transmitted to the window for contact with a job and a job seeker, the possibility of a targeted attack e-mail is high, and thus such e-mail can be specified.

  In this case, it is possible to set a plurality of values for the public address ID without setting the number of e-mails in the determination rule DB.

  Similarly, such a determination rule makes it possible to specify a particularly distributed attack mail among the target-type attack mail.

  In step S102, the rule information acquisition unit 302 proceeds to step S104 when it is determined that the determination rule information is acquired as a result of acquiring the determination rule information in step S100, and ends the process when it is not determined that acquisition is possible.

  In step S104, the rule information acquisition unit 302 considers the target attack email as an exception even if the email is specified as the target attack email by the determination rule from the exclusion rule DB (see FIG. 5) in the storage unit 300. Exclusion rule information for determining not to hesitate is acquired.

  The configuration from the top level to the second level in FIG. 5 shows the configuration of the exclusion rule DB. As an exception, the exclusion rule DB uniquely identifies an exclusion determination rule for determining that it is not regarded as a targeted attack mail. ID, a sender indicating the address of the e-mail sender, a receiver indicating the address of the e-mail receiver, and a subject of the e-mail.

  FIG. 5 shows an example of the exclusion determination rule. For example, as in the uppermost record, the sender's address is “news-week example. net, and the subject is “weakly magazine”, even if it is an e-mail specified as a target attack mail by the determination rule, it is not regarded as a target attack mail.

  Also, as in the second record from the top, the sender's address is news-daily example. net and the recipient's address is sales canon-its. co. jp, if the subject is a word including “day” at the beginning, even an e-mail specified as a target attack mail by the determination rule is not regarded as a target attack mail.

  These exclusion judgment rules send a large number of identical or similar e-mails from a specific safe sender such as an e-mail magazine or news within a predetermined time, so these e-mails are regarded as targeted attack e-mails. By not hesitating, it is possible to reduce the time and effort for specifying the targeted attack email.

  In step S106, the rule information acquisition unit 302 determines whether or not the exclusion determination rule information has been acquired in step S104. If it is not determined that the rule has been acquired, the process proceeds to step S108. Then, the process proceeds to step S110.

  In step S108, the mail acquisition unit 304 acquires information related to the email from the mail log DB (see FIG. 5) in the storage unit 300 based on the determination rule information acquired by the rule information acquisition unit 302 in step S100.

  The lowermost part of FIG. 5 shows the configuration of a mail log DB that stores information on already received e-mails. An ID for uniquely identifying an e-mail and a reception date and time indicating the time when the e-mail was received. , Comprising an attack category identifying the sender of the email, the recipient of the email, the subject of the email, and the characteristics of the targeted attack.

  Regarding the attack category, as described above, when receiving an e-mail, information on the reason for determining that it is a target attack mail according to a rule for determining whether it is a target attack mail is provided. I remember it.

  In this step, first, among the emails stored in the mail log DB, the sender's address is the same, the subject is the same or similar, the text is the same or similar, or all these conditions, or The e-mails satisfying any combination of conditions and further satisfying the condition that the recipient addresses are different or the recipient addresses may be the same are specified.

  Then, if the email is specified under such conditions and further satisfies the determination rule information, the information about the email is acquired as the targeted attack email.

  For example, if the uppermost record in FIG. 5 is applied as the determination rule information, 100 or more items are received in 10 minutes and the attack classification is 2 or 3, so the mail log DB is sent as shown in FIG. The attacker example. As the e-mails with different recipients, IDs 1 to 7... are specified, and the reception date and time of the specified e-mails has been received more than 100 times within 10 minutes, and the attack classification is 2 or 3 Get information about your email.

  On the other hand, when the record in the second row from the top in FIG. 5 is applied as the determination rule information, since three or more public address IDs are 3 within 3 minutes, the sender of the mail log DB can take the attacker example. . As the e-mails with different recipients, IDs 1 to 7... are specified, and the reception date and time of the specified e-mails are received within 3 minutes, and the sender is the support. canon-its. co. Get information about jp's email.

  In step S110, the mail acquisition unit 304 stores the mail log in the storage unit 300 based on the determination rule information acquired by the rule information acquisition unit 302 in step S100 and the exclusion determination rule information acquired by the rule information acquisition unit 302 in step S104. Information about electronic mail is acquired from the DB.

  In this step, first, an e-mail is specified from the mail log DB in the storage unit 300 based on the determination rule information. However, since the same process as in step S108 is performed, the description is omitted.

  Subsequently, for an email specified according to the determination rule information, an email satisfying the exclusion determination rule information is not regarded as a target attack email, and an email not satisfying the exclusion determination rule information is defined as a target attack email. Considering it, information about the electronic mail is acquired from the mail log DB.

  For example, when the uppermost record in FIG. 5 is applied as the exclusion determination rule information, the sender of the e-mail specified according to the determination rule information is “news-week example. net and the subject is “weakly magazine”, the e-mail is not regarded as a target-type attack e-mail, but the sender of the e-mail identified according to the determination rule information is “news-week example. If it is not a net or the subject is not a weekly magazine, the electronic mail is regarded as a targeted attack mail.

  On the other hand, when the second record from the top in FIG. 5 is applied as the exclusion determination rule information, the sender of the e-mail specified according to the determination rule information is news-daily example. net and the recipient's address is sales canon-its. co. jp, if the subject is a word including “day” at the beginning, the e-mail is not regarded as a target-type attack mail, but the sender of the e-mail specified according to the determination rule information is “news-daily example. net or the address of the recipient is sales canon-its. co. If it is not jp, or if the subject is not a word including “day” at the beginning, the electronic mail is regarded as a targeted attack mail.

  In step S112, the operation unit 306 executes an action in the determination rule satisfied by the e-mail with respect to the e-mail acquired from the mail log DB as the target attack mail by the mail acquisition unit 304 in step S108 or step S110.

  When performing this action, after extracting information specifying a resource such as a URL attached to an e-mail regarded as a targeted attack e-mail and transmitting it to the access relay apparatus 102, the access relay apparatus 102 By registering information identifying the resource in itself, it is possible to control the relay of the communication when the client terminal 108 accesses the resource of the external server 114.

  As described above, according to the present invention, it is possible to easily identify malicious electronic mail.

  It should be noted that the configuration and contents of the various data described above are not limited to this, and it goes without saying that the various data and configurations are configured according to the application and purpose.

  Although one embodiment has been described above, the present invention can take an embodiment as a method, a program, a recording medium, or the like.

  Further, the program in the present invention is a program that allows a computer to execute the processing method of the flowchart shown in FIG.

  As described above, a recording medium that records a program that implements the functions of the above-described embodiments is supplied to a system or apparatus, and a computer (or CPU or MPU) of the system or apparatus stores the program stored in the recording medium. It goes without saying that the object of the present invention can also be achieved by executing the reading.

  In this case, the program itself read from the recording medium realizes the novel function of the present invention, and the recording medium storing the program constitutes the present invention.

  As a recording medium for supplying the program, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, DVD-ROM, magnetic tape, nonvolatile memory card, ROM, EEPROM, silicon A disk, solid state drive, or the like can be used.

  Further, by executing the program read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (operating system) operating on the computer based on an instruction of the program is actually It goes without saying that a case where the function of the above-described embodiment is realized by performing part or all of the processing and the processing is included.

  Furthermore, after the program read from the recording medium is written to the memory provided in the function expansion board inserted into the computer or the function expansion unit connected to the computer, the function expansion board is based on the instructions of the program code. It goes without saying that the case where the CPU or the like provided in the function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

  Needless to say, the present invention can also be applied to a case where the object is achieved by supplying a program to a system or apparatus. In this case, by reading a recording medium storing a program for achieving the present invention into the system or apparatus, the system or apparatus can enjoy the effects of the present invention.

  Furthermore, by downloading and reading a program for achieving the present invention from a server, database, etc. on a network using a communication program, the system or apparatus can enjoy the effects of the present invention.

  In addition, all the structures which combined each embodiment mentioned above and its modification are also included in this invention.

100 Information Processing System 102 Access Relay Device 104 Mail Server 106 Mail Relay Device 108 Client Terminal 110 LAN
112 Wide area network 114 External server

Claims (13)

An information processing apparatus that controls reception of an email,
A specific means of identifying identical or similar emails;
Determining means for determining whether or not the e-mail specified by the specifying means is received at a predetermined number or more different destinations in a predetermined period;
If it is determined that the information is received by the determination means, an execution means for executing an action related to the e-mail;
An information processing apparatus comprising:   The information processing apparatus according to claim 1, wherein the determination unit determines whether or not the different destination includes a predetermined destination.   The information processing apparatus according to claim 1, wherein the determination unit determines whether or not the different destinations are received including a predetermined different destination.   The information processing apparatus according to claim 1, wherein the determination unit determines whether or not the different destination is received at a predetermined different destination.   3. The execution unit according to claim 2, wherein when the e-mail having the predetermined destination is included, the execution unit executes an action related to the e-mail even if the predetermined period or the predetermined period is not satisfied. 5. The information processing apparatus according to any one of items 4 to 4.   The information processing apparatus according to claim 1, wherein the execution unit executes an action for holding the electronic mail. Comprising an acquisition means for acquiring information identifying a resource attached to an e-mail;
The information processing apparatus according to claim 1, wherein the execution unit executes an action for controlling reception of an e-mail having information specifying the resource acquired by the acquisition unit. .   The said execution means registers the information which specifies the resource acquired by the said acquisition means to the relay control apparatus which relay-controls the access to the said resource using the information which specifies a resource, The said identification means is characterized by the above-mentioned. Information processing device. An information processing system in which a mail relay device that controls reception of an email and an access relay device that relays and controls access to resources are connected so as to be communicable,
The mail relay device
A specific means of identifying identical or similar emails;
Determining means for determining whether or not the e-mail specified by the specifying means is received at a predetermined number or more different destinations in a predetermined period;
If it is determined that the information is received by the determination means, an acquisition means for acquiring information identifying a resource attached to the email;
With
The access relay device
Storage means for storing information identifying the resource acquired by the acquisition means;
Control means for controlling access to the resource based on the information stored in the storage means;
An information processing system comprising: A method of controlling an information processing apparatus for controlling reception of an email,
The information processing apparatus includes:
A specific step of identifying identical or similar emails;
A determination step of determining whether or not the e-mail specified by the specifying step is received at a predetermined number or more different destinations in a predetermined period;
If it is determined to be received by the determination step, an execution step of executing an action related to the e-mail;
A method for controlling an information processing apparatus, characterized by: A program that can be read and executed by an information processing device that controls reception of an email,
The information processing apparatus;
A specific means of identifying identical or similar emails;
Determining means for determining whether or not the e-mail specified by the specifying means is received at a predetermined number or more different destinations in a predetermined period;
If it is determined that the information is received by the determination means, an execution means for executing an action related to the e-mail;
Program to make it function. A control method for an information processing system in which a mail relay device that controls reception of electronic mail and an access relay device that relays and controls access to resources are connected so as to be communicable,
The mail relay device
A specific step of identifying identical or similar emails;
A determination step of determining whether or not the e-mail specified by the specifying step is received at a predetermined number or more different destinations in a predetermined period;
If it is determined that the information is received by the determination step, an acquisition step of acquiring information for specifying the resource given to the e-mail;
Run
The access relay device
A storage step of storing information identifying the resource acquired by the acquisition step;
A control step of controlling access to the resource based on the information stored in the storage step;
The control method of the information processing system characterized by performing this. In an information processing system that is connected so that a mail relay device that controls the reception of electronic mail and an access relay device that relays and controls access to resources can communicate with each other,
The mail relay device is
A specific means of identifying identical or similar emails;
Determining means for determining whether or not the e-mail specified by the specifying means is received at a predetermined number or more different destinations in a predetermined period;
If it is determined that the information is received by the determination means, an acquisition means for acquiring information identifying a resource attached to the email;
To function,
The access relay device;
Storage means for storing information identifying the resource acquired by the acquisition means;
Control means for controlling access to resources based on information stored in the storage means;
Program to make it function.

Images