JP4914468B2 - Unauthorized information detection system and unauthorized attack source search system - Google Patents

Description

  The present invention relates to an unauthorized information detection system and an unauthorized attack source search system that determine whether information transmitted through an Internet line is appropriate information or unauthorized information such as (D) DoS.

In recent years, a denial-of-service attack that targets a certain company or organization and transmits a large amount of unauthorized communications (packets) has become a problem. Such (D) DoS attacks generally interfere with other necessary communications by sending a large number of connection requests exceeding the processing capacity of the server at once, or by filling up the communication line capacity with unnecessary communications. However, it may interfere with normal business operations, or increase the access time to the provider and the communication time to the telecommunications company for the charge-based user, and increase the payment fee. This is a so-called (D) DoS attack.

  The (D) DoS attack is an attack method that sends a very large number of packets exceeding the processing capability of the attack target device and network, and disables the target service.

  Therefore, the source address (source address) included in the header part of each packet is managed, and communication from the address that sent such a (D) DoS attack is never received, and communication to the source is made. There can be seen a service with a prevention function such as sending back a packet indicating termination.

  However, such a prevention service has a problem that when a (D) DoS attack is sent from a different source address, reception of the (D) DoS attack cannot be rejected.

  On the other hand, if a (D) DoS attack that has been rejected is sent back to the sender that sends such a (D) DoS attack, the capacity of the server and the network will be exceeded. Therefore, the actual situation is that the sender has countered the situation by randomly forging the Source address, changing the addresses of a large number of packets, and sending a (D) DoS attack to a specific destination address. is there.

  On the other hand, for example, in Patent Document 1, for an unspecified number of e-mails, an account-specific mail header / content rewriting in which the To address (destination address) included in the header portion of the e-mail data format is preset. According to the definition, the received e-mail is rewritten and then retransmitted (transferred) to the rewritten mail address to distribute the load on the specific mail server.

  Further, in Patent Document 2, it is determined whether or not a large amount of unknown information is included in the From address of the e-mails transmitted at the same time. If the From address includes a large amount of unknown information, A sent mail is replied to the From address of a large number of sent emails, and only the email that can be replied is received as a proper email.

JP 2003-318987 A JP 2003-234784 A

  By the way, since the source address can be easily forged and changed, it is very difficult to predict and deal with a large number of source addresses in advance.

  In addition, because it is difficult to distinguish (D) DoS attacks from normal communications at the individual packet level, detection using some threshold value is being considered.However, depending on the characteristics and usage of the target network, Because it changes greatly, high detection accuracy cannot be expected.

  In addition, since (D) DoS attack is difficult to distinguish from normal communication, there is a possibility that normal communication transmission and reception may be blocked by wrong judgment.

  In this way, in the conventional technology, the criteria for determining (D) DoS attacks are complicated, so it is necessary to receive small-scale (D) DoS attacks that are difficult to detect, or refuse to receive necessary communications. There was a problem such as.

  In order to solve the above problems, the present invention aims to provide a fraud attack detection and its tracking system capable of easily determining whether or not there is a fraud attack such as (D) DoS attack. To do.

The invention according to claim 1 monitors two or more fields {F1,..., Fn} (n: a natural number of 2 or more) from individual fields in the header of a packet transmitted through the Internet line. Set to the target, and composed of a combination of the values of the fields {F1,..., Fn} as the value of the field to be monitored, and the number of values of the field to be monitored reached a predetermined number within a certain time case a illegal information detection system that determines that performed illegal attacks, if you set the "source address" field Fx (1 ≦ x ≦ n) , the number of values of Fx 2 An unauthorized information detection system that detects an unauthorized attack by (D) Dos when the number of values of the monitored field reaches a predetermined number within a certain time as described above . Further, as the value of the field, for example, the following can be raised.
Version header length
ToS
Full length Identification flag Fragment offset
Time to Live
Protocol Header Checksum Source address Destination address Optional Port

The number of values in a certain field is, for example, a field value “source address”, a distinguishable source address: a1 (= Ichiro), a2 (= Jiro), a3 (= Saburo),... When there is an (= nero), the number of field values is n.

Further, as an arbitrary combination of two or more field values, for example, a field value is configured by a combination of “source address” and “destination address” as a field value.
First, as described above, it is assumed that there are a1 (= Ichiro), a2 (= Jiro), a3 (= Saburo),... Assuming that there are mk types of arrival addresses for ak (k = 1 to n), the number of field values constituted by a combination of a plurality of fields in this case is Σmk (k = 1 to n).

  In the invention according to claim 2, a fraud attack is performed when the number of hops based on the TTL value in the header of a packet transmitted through the Internet line is out of a predetermined value range. 5. The unauthorized information detection system according to claim 4, wherein the unauthorized information detection system is determined to be.

  If the source address in the header of the packet is not spoofed but is legitimate, the number of hops is almost a fixed value, so by setting a predetermined value range in advance, When the number of hops is out of the predetermined value range, it can be determined that an unauthorized attack is being performed.

  According to a third aspect of the present invention, there is provided a fraud attack source characterized in that the fraudulent information detection system according to any one of the first and second aspects is installed at a plurality of locations on the Internet to search for a fraud attack source. It is a search system.

  Install fraudulent information detection systems at multiple locations on the Internet to determine whether a fraud attack is taking place at each location. For example, when a fraud attack is detected at two observation points, it can be determined that the fraud attack has passed through a path connecting the two observation points, so it is determined whether a fraud attack is being performed at multiple observation points. Thus, it is possible to trace the route through which the unauthorized attack has passed and search for the sender of the unauthorized attack.

According to the fraudulent information detection system of the present invention, when a large number of packets are transmitted at the same time, when the number of certain field values in the header of the packet reaches a predetermined number within a certain time, the packets are transmitted substantially synchronously. When the number of source addresses reaches a predetermined number , it is troublesome to perform reception permission setting or reception rejection setting for a specific source address by determining the large number of packets as (D) DoS attack packets It is possible to recognize and track that a (D) DoS attack has been sent without setting.

It is a conceptual diagram of the (D) DoS attack detection and its tracking system of this invention. (A) is an explanatory diagram of a packet data format, (B) is a graph showing an example of the traffic volume in a time series, and (C) is a graph showing an example of the number of packet addresses in a time series. It is a conceptual diagram which shows a packet search. It is a conceptual diagram which shows the system of the internet.

As described above, the DoS attack is an attack method in which a very large number of packets exceeding the processing capability are sent to the attack target device, and the target service is disabled.
This DoS attack has the following characteristics.

For example, the source address, which is one of the values in the field in the header, blocks a DoS attack by filtering packets that are forged source addresses (for which a fake address is used). In general, the source address of the DoS attack is selected at random.

  DoS is detected by the following method because a very large number of packets are transmitted.

  The first method is a method of counting the number of attack packets or illegal packets. It is difficult to determine what kind of packet is invalid. This is because each packet used for the DoS attack is a normal packet.

  The second method is a method of counting all detected packets (including attack packets). Network traffic changes dynamically from moment to moment. Therefore, simply because the amount of network traffic has increased, it cannot be pointed out that the phenomenon is due to a DoS attack. If the traffic volume is already saturated, the traffic volume does not increase even if there is a DoS attack.

  On the other hand, in the method according to this embodiment, the DoS attack detection method is a method of counting the traffic source addresses. If the attacker chooses a source address randomly, the number of source addresses observed should also increase. In a certain time interval, a plurality of packets having such a source address are usually observed for one source address. However, during an attack, generally only one attack packet is observed for one (forged) source address. In this way, a DoS attack can be detected.

  It consists of source address, destination address and other information / data. Count packets at time intervals. For example, as shown in FIG. 3, a means for observing a packet is provided on a route between a network (Net 1) and an attack destination (Target), and the packet may be observed there. Examples of such means include devices such as a sniffer and a passive probe.

Devices such as sniffers and passive probes can observe all packets, and these devices can count the following values.
Total number of packets Number of packets with a specific source address Number of packets with a specific destination address Number of packets per source address Number of packets per destination address Number of packets of a specific type Can be collected at intervals.

  Next, the Dos attack tracking method will be described.

  As a DoS attack source tracking method, firstly, there is a method of checking a path of an illegal packet (packet tracking). However, it is necessary to know what kind of packet is invalid.

  Second, there is a method for checking a traffic pattern. However, this method is inaccurate.

  On the other hand, the embodiment of the present invention is a method for checking a change in the number of addresses observed on a route. The following pattern, which is assumed to be observed at all transit points, is observed.

Time (arbitrary unit) Number of packets Number of source addresses 1 1000 50
2 800 60
3 900 57
4 1200 64
5 50 30
6 1500 530
7 1800 550
8 1700 570
9 800 80
10 900 65
In the above, at times 6, 7, and 8, the number of source addresses increases with the number of packets. There, a DoS attack is made.

  On the other hand, as shown in FIG. 4, a sniffer Sn (n = 1, 2, 3,...) Is placed on each route of the Internet, and the DoS attack is made on which route by comparing the observation results there. You can know if you are. If the route is blocked, the DoS attack source can be traced, and the route may be blocked as necessary. Further, a predetermined packet from the route may be blocked.

In the present invention, the following values are exemplified as field values when an IPv4 protocol packet is taken as an example.

Version area

Header length area

ToS area

Full length area

Identification area

Flag area

Fragment offset area

Time to Live area

Protocol area

Header checksum area

Source address area

Destination address area

Options area

Port area

  In the present invention, the number of individual values in these fields may be detected. Further, the number of cases may be detected using any combination of two or more values of these individual fields as field values.

An example is shown below.
A category is a property that can classify packets defined by one or a plurality of header areas.
(Category example) For the convenience of all packets whose protocol area is TCP, a category called “Total category” is defined. All packets belong to this category.

  Conventional statistical analysis methods have been based on sample values such as the number of all observed packets and the number of observed packets for a certain category from the packets observed by a monitor or a survey device.

Etc…

Etc ...

このようにパケットの数の分布からカテゴリの数の分布を作成する方法のことをカテゴリ変換“C-Transform” と呼ぶ。 In the statistical analysis in category transformation (C-Transform), focus on the number of categories to which the detected packet belongs. In the above example, the number of categories for each protocol area is as follows.

The method of creating the distribution of the number of categories from the distribution of the number of packets in this way is called category conversion “C-Transform”.

  The maximum number of categories that a category created by the sum of several header areas can take depends on the combined width of the areas. For example, in the case of a category created with an area having a total width of 4 bits, the maximum number of categories is 16 (2 to the 4th power).

However, there are header areas that cannot have values other than predefined ones, such as the Version area and Protocol area in the IP header (ASSIGNED NUMBERS, RFC
790). Therefore, meaningful categories that can be created from such areas are limited.

  Also, categorical transformation (C-Transform) from areas that can take very large values, such as source and destination addresses with a width of 32 bits (4294967296), will provide particularly interesting statistics.

  In the present invention, when the number of categories of information on the Internet line reaches a predetermined value, the information is recognized as illegal information. It also improves the efficiency of detection and tracking by effectively using the number of hops.

(Detection method)
The number of categories, the number of packets, and the traffic are defined as follows. 1 ... i are values arranged in time series.
Number of categories: C1, .... Ci, ....
Number of packets: P1, .... Pi, ....
Traffic: O1, .... Oi, ....
At this time, detection is performed under the following conditions.

a>Ci> T

b. Ci / Ci + 1> T

c. Ci / {Pi | Oi}> T
Here, T is a threshold value. T is a fixed value or a value calculated from traffic data. For example, T = FX
Like movingAverageOfStatistic (in a, b, c above), it is obtained by multiplying the moving average of the above values a, b, c by some number F.
F is a fixed value or a value calculated from traffic data. For example, F = AX
It may be calculated using standard deviation as in standardDeviationOfStatistic.

A is a constant

  In the Internet, in order to prevent infinite circulation of information, when the number of HOP (hop) becomes 0 based on the value of the TTL (Time to Live) field of the header, the information is dropped from the Internet. ing. By the way, when a certain source information is indicated, it is not spoofed and the number of HOPs is almost determined when it is normal. Therefore, when the number of HOPs in the case of actually sent spoof information is different from the determined number of HOPs, the information can be determined as illegal information.

  Next, an embodiment of the (D) DoS attack detection and tracking system of the present invention will be described with reference to the drawings.

FIG. 1 is a diagram showing a (D) DoS attack detection and tracking system thereof according to the present invention. In FIG. 1, 1 is an Internet line, 2 is a computer body of a transmission source connected to the Internet line 1, 3 is a receiving computer connected to the Internet line 1, and 4 is between the Internet line 1 and the receiving computer 3. It is the communication monitoring apparatus connected to.

The communication monitoring device 4 is connected to a network. However, if the receiving computer 3 is a server or the like, the server may be used as the communication monitoring device 4.
In this case, reception means reception of communication for the port assigned by the server, and reception for determination is not included. When the receiving computer 3 is a provider-owned mail server, a mail receiving terminal (for example, a personal computer) is connected through another Internet line.

  Usually, as shown in FIG. 2 (A), a packet transmitted from the transmitting computer 2 has a source address 12 corresponding to a transmission source address in the header part 11 of the packet data format 10 of the packet constituting the communication. A Destination address 13 corresponding to a transmission destination address (reception side address) is included.

  The communication monitoring device 4 monitors the number of transmitted values or the number of packets and the number of cases of the source address 12.

  For example, when normal transmission / reception is assumed, the number of values transmitted from the transmission source computer 2 to the reception side computer 3 is one, for example, from another transmission side computer (not shown) at about the same time. Is transmitted to the receiving computer 3, the number of values and the source address 12 increase in a one-to-one proportion.

  Further, for example, a specific normal communication may accidentally become a large capacity. In this case, in the detection based on the conventional communication amount, it may be erroneously determined that it is illegal only with that amount as a problem.

  This problem is particularly prominent in servers that operate popular content where many communications gather, and it is very difficult to distinguish between normal communications and (D) DoS attacks.

  In such a case, the mail monitoring device 4 determines that a larger number of packets than the normal communication amount have been transmitted as indicated by the peak P1 in FIG.

  However, since the source address 12 of each packet is common or occupied by a specific group, the packet is officially received. In addition, when the number of categories is within a predetermined number (for example, less than 10), the reception may be permitted.

  On the other hand, in the case where a large number of packets are transmitted to the receiving computer 3 with the source address (Source address 12) disguised at random, although the packets are actually transmitted from one transmitting computer 2, communication is performed. In the monitoring device 4, as indicated by the peaks P2 and P3 in FIGS. 2B and 2C, the amount of communication (or the number of packets) becomes larger than that during normal communication transmission and reception, and at the same time, each of the packets. The source address 12 of the source also increases at substantially the same time.

  Therefore, when the traffic (or the number of packets) exceeds a predetermined number (for example, 100), the number of source addresses 12 is also a predetermined number (for example, 90) or a predetermined rate (for example, the number of packets) at substantially the same time. If it exceeds 90%), the reception is rejected.

  It should be noted that the setting of the predetermined number of communication cases (or the number of packets) transmitted within a certain time corresponding to simultaneous simultaneous transmission and the predetermined number of source addresses depends on the processing capacity of the server and the capacity of the network. Or according to the type of business of the owner of the receiving computer 3.

  For example, when the type of business of the owner of the receiving computer 3 is an Internet search service or ticket sales, it is assumed that many people are flooded with access to search requests, popular travel plans, and event contents. .

  Accordingly, in these industries, it can be assumed that there is a large amount of communication on a daily basis. Therefore, a predetermined value (number of cases) may be set in consideration of the average number of received cases.

  In addition, even if there is a flood of such access, it is assumed that a large amount of information will be sent at the exact same time (instantaneous) equivalent to a (D) DoS attack. Therefore, it is possible to cope with setting changes such as shortening the setting for a certain period of time.

  In addition, it is possible to search for illegal attack sources.

  Further, it is possible to determine the determined illegal attack destination even if the specific server is not in the vicinity and is an intermediate point of the network.

DESCRIPTION OF SYMBOLS 1 ... Internet line 2 ... Transmission side computer 3 ... Reception side computer 4 ... Communication monitoring apparatus (determination means)

Claims (3)

Two or more fields {F1,..., Fn} (n: a natural number of 2 or more) are set as monitoring targets from the individual fields in the header of the packet transmitted through the Internet line, and the monitoring target field Is configured by combining the values of the fields {F1,..., Fn}, and when the number of values of the monitored field reaches a predetermined number within a predetermined time, an illegal attack is performed. it determined that an illegal information detection system,
When the “source address” field is set to Fx (1 ≦ x ≦ n), when the number of Fx values is 2 or more and the number of values of the monitored field reaches a predetermined number within a certain time (D) An unauthorized information detection system characterized by detecting an unauthorized attack by Dos .   It is characterized in that it is determined that an unauthorized attack is being performed when the number of hops based on the TTL value in the header of a packet transmitted through the Internet line is out of a predetermined value range. The unauthorized information detection system according to claim 1.   A fraud attack source search system characterized in that the fraud information detection system according to claim 1 or 2 is installed at a plurality of locations on the Internet to search for a fraud attack transmission source.

Images