JP5952219B2 - File monitoring cycle control device, file monitoring cycle control system, file monitoring cycle control method, and file monitoring cycle control program - Google Patents

Description

  The present invention relates to a file monitoring cycle control device, a file monitoring cycle control system, a file monitoring cycle control method, and a file monitoring cycle control program.

  In recent years, with the spread of the Internet, cyber attacks on servers that manage personal information and distribute applications are increasing rapidly. Typical examples of cyber attacks include DDoS (Distributed Denial of Services) attacks using malware, which is an attack tool program used by attackers to gain unauthorized access to legitimate users' servers and terminals, spam transmission, and information theft. Can be mentioned. Many of these attacks are executed in such a manner that an existing personal computer or server is hijacked and used as a springboard to attack other personal computers or servers.

  Conventionally, in order to cope with these threats, a firewall function and a transfer data monitoring function are implemented in a packet transfer apparatus such as a router. By implementing such a function, a server monitoring function is built in the packet transfer apparatus and arranged in the front stage of the server. The packet transfer device is used to realize access control for controlling communication in accordance with the contents of transmitted / received data and the contents of the packet header.

  In the above access control technology, a security vendor that develops a server monitoring function analyzes known software vulnerabilities and malware. The security vendor then signs a pattern of a transmission message that an attacker may transmit to a server or the like for an attack. The security vendor then constructs a server monitoring function to filter outgoing messages that match the signature. As a result, the server or the like can be protected from unauthorized access by an attacker.

  In addition, it has been proposed to place a decoy server intentionally loaded with vulnerable software under the server monitoring function, and monitor access to the decoy server by the server monitoring function. Thus, the server monitoring function detects the behavior when the decoy server downloads a program such as malware used when an attacker gains unauthorized access to the application providing server, for example. Then, the server monitoring function specifies the request destination requested by the decoy server as a site for downloading malware. A list of sites and the like identified as sites for downloading malware by the server monitoring function is set as a black list. Then, a black list is input to a customer server or a firewall function or a security appliance arranged at the boundary between the customer server and the network. This can prevent the customer server from being infected with malware.

Satoshi Yagi, Naoto Tanimoto, Takeo Haruo, Mitsutoshi Ito, “Malware Download Site Lifetime Monitoring Method for Websites”, IEICE Technical Report, vol. 110, no. 78, IA2010-14, pp. 75-80, June 2010

  However, the period for malware download sites is limited. Further, since a general Web site is often abused as a site for downloading malware, an administrator of the Web site that has been abused may find and remove the malware. In addition, attackers can frequently change sites for downloading malware in order to avoid blacklist attack protection. As described above, when there is a site where the malware placement location is changed and the malware is no longer placed, it is necessary to remove the site from the blacklist from the viewpoint of providing other services.

  However, when an attacker actively changes the location of malware to another site, the defender cannot detect an attack using the malware until a new site for downloading malware is found. However, if the file is frequently reacquired to confirm whether it is malware or not, the defender cannot detect the attack itself, resulting in detection failure. On the other hand, if the defender does not frequently check whether malware continues to be deployed, it will not be possible to confirm the change of the malware placement location, and even sites that are no longer malware download sites will be blacklisted. It will be. As a result, the defender erroneously detects an access that is not an attack as an attack.

  An embodiment of the disclosure has been made in view of the above, and an object thereof is to reduce the probability that monitoring of an unauthorized file provider is detected by adjusting an unauthorized file monitoring period.

  In order to solve the above-described problems and achieve the object, the file monitoring cycle control device according to the disclosed embodiment extracts a unified resource position specifier that specifies an illegal file placement location, and designates the unified resource position Identified by a monitoring unit that monitors files placed in the child, a counting unit that detects transmissions to the server of instructions that include a predetermined uniform resource location specifier, and counts the number of transmissions, and a predetermined uniform resource location specifier And a setting unit that sets a monitoring cycle of the file to be transmitted according to the number of transmissions.

  In addition, the file monitoring cycle control system according to the disclosed embodiment extracts a unified resource location specifier that specifies an illegal file placement location, and monitors a file placed in the unified resource location designator. And a file monitoring cycle control device for controlling the monitoring cycle of the files arranged in the unified resource position specifier. The file monitoring cycle control device detects transmission to the server of an instruction including a unified resource location specifier, counts the number of transmissions, and the monitoring cycle of the file specified by the unified resource location designator And a setting unit configured to set according to the number of times. The monitoring device is characterized in that it acquires a file placed in the unified resource location specifier in accordance with the monitoring period set by the setting unit, and extracts the presence / absence and difference of the file.

  Further, the file monitoring cycle control method according to the disclosed embodiment extracts a unified resource location specifier that specifies an illegal file placement location, and monitors a file placed in the unified resource location designator; The file monitoring cycle control system includes a file monitoring cycle control device that controls a monitoring cycle of files arranged in the unified resource position specifier. The file monitoring cycle control device detects the transmission of the instruction including the unified resource location specifier to the server and counts the number of transmissions, and the file monitoring cycle control device is identified by the unified resource location designator. The monitoring process of the file to be set according to the number of transmissions, and the monitoring device acquires the file placed in the unified resource location specifier according to the monitoring period set in the setting process, And a detection step of detecting presence / absence and difference.

  Further, the file monitoring cycle control program according to the disclosed embodiment detects a transmission to the server of an instruction including a unified resource location specifier that specifies an illegal file placement location, and counts the number of transmissions; A setting step for setting the monitoring cycle of the file specified by the unified resource location specifier according to the number of transmissions, and a file arranged in the unified resource location specifier according to the monitoring cycle set in the setting step, And causing the computer to execute a detection step of detecting the presence / absence of the file and a difference.

  The disclosed file monitoring cycle control device, file monitoring cycle control system, file monitoring cycle control method, and file monitoring cycle control program adjust the monitoring cycle of an unauthorized file and the probability that monitoring is detected by an unauthorized file provider It has the effect of lowering.

FIG. 1 is a diagram illustrating an example of a configuration of a file monitoring cycle control system according to the first embodiment. FIG. 2 is a diagram illustrating an example of a configuration of a monitoring unit included in the file monitoring cycle control device according to the first embodiment. FIG. 3 is a diagram illustrating an example of a configuration of a cycle control unit included in the file monitoring cycle control device according to the first embodiment. FIG. 4 is a diagram illustrating an example of a structure of a monitoring target list included in the file monitoring cycle control device according to the first embodiment. FIG. 5 is a diagram illustrating an example of a structure of a monitoring cycle data table provided in the file monitoring cycle control apparatus according to the first embodiment. FIG. 6 is a diagram for explaining a monitoring cycle and a monitoring cycle calculation process in the first embodiment. FIG. 7 is a diagram for explaining an example of processing for registering a unified resource location specifier in the monitoring cycle data table by the monitoring cycle control processing in the first embodiment. FIG. 8 is a diagram for explaining an example of processing in which the number of accesses of the unified resource location specifier is registered by the monitoring cycle control processing in the first embodiment. FIG. 9 is a diagram for explaining an example of a process in which the monitoring cycle data table is updated by the monitoring cycle control process in the first embodiment. FIG. 10 is a diagram for describing an example of a process in which a monitoring period is notified by the monitoring period control process in the first embodiment. FIG. 11 is a flowchart illustrating an example of the flow of the monitoring cycle control process in the first embodiment. FIG. 12 is a diagram illustrating an example of a configuration of a network model in which the file monitoring cycle control system according to the embodiment operates. FIG. 13 is a diagram showing that the information processing by the file monitoring cycle control program, which is a program for executing a series of processes by the file monitoring cycle control system, is specifically realized using a computer.

  Hereinafter, embodiments of a file monitoring cycle control device, a file monitoring cycle control system, a file monitoring cycle control method, and a file monitoring cycle control program according to the present invention will be described in detail with reference to the drawings. In addition, this invention is not limited by this embodiment.

(First embodiment)
FIG. 1 is a diagram illustrating an example of a configuration of a file monitoring cycle control system according to the first embodiment. With reference to FIG. 1, an example of the configuration of the file monitoring cycle control system 1 according to the first embodiment will be described.

  In FIG. 1, a file monitoring cycle control device 10 is arranged on the boundary between two networks. Details of the file monitoring cycle control device 10 will be described later.

  The file monitoring cycle control device 10 is connected to the terminal devices 20A to 20C and the file servers 30A to 30C via the network 40.

  The terminal devices 20A to 20C are terminals used by attackers. The attacker transmits an illegal command to the attack target device via the terminal devices 20A to 20C. Further, the attacker places malware used for the attack on the arbitrary file server via the terminal devices 20A to 20C.

  The file servers 30A to 30C are servers that store malware or the like used by an attacker for an attack. The file servers 30A to 30C correspond to transfer protocols represented by the ftp protocol and http protocol, and host # 1 is assigned as the host name. In order for the terminal devices 20A to 20C, the server 50 (described later), and the decoy server 60 (described later) to access the file server 30A, as a uniform resource locator (URL), for example, http: // host # 1 / dB / dC / file-a shall be specified.

  The network 40 implements data communication from the terminal devices 20A to 20C and the file servers 30A to 30C. The type of the network 40 is not particularly limited. For example, the Internet 40, a local area network (LAN), a wide area network (WAN), or the like can be used as a medium for an unauthorized attack using the terminal devices 20A to 20C and the file servers 30A to 30C. If it is.

  The file monitoring cycle control device 10 is also connected to the server 50 and the decoy server 60 via the network 70.

  The server 50 has a function of providing a service to a user using an application. For example, the server 50 is a Web server and provides a user with a blog, a bulletin board, a social network service, and the like by a Web application.

  In the first embodiment, it is assumed that the server 50 is a device of an attacked person who receives an attack via the terminal devices 20A to 20C used by the attacker.

  When an attacker infects the server 50 with malware, the attacker first transmits a command for acquiring, for example, malware placed on the file server 30A from the terminal device 20A to the server 50, for example. When the software of the server 50 is vulnerable, the server 50 executes a command from an attacker to acquire and execute malware. As a result, the server 50 is infected with malware.

  The decoy server 60 is arranged to protect the server 50 from attacks. In the example of FIG. 1, the decoy server 60 may be a device called a honeypot. The decoy server 60 is equipped with vulnerable software, collects attacks, and downloads files from the file servers 30A to 30C and the like according to instructions described in the attacks. For example, the decoy server 60 downloads malware from the file server 30A. The decoy server 60 is intentionally loaded with vulnerable software, and the downloaded software is often malware.

  By placing the decoy server 60, a list of unified resource location specifiers (hereinafter also referred to as blacklists) of file servers used for distributing malware is generated, and the files placed on the file server, The command from the attacker when the file is acquired can be acquired.

  In the example of FIG. 1, for convenience of explanation, three terminal devices and file servers used by the attacker for the attack are shown, and one defensive decoy server is shown. However, in an actual network environment, the present invention is not limited to the illustrated example, and there are usually a plurality of attackers, attackees, file servers, and decoy servers. The file monitoring cycle control system 1 of the present embodiment is not limited to the example shown in FIG. 1, and can be applied to a network environment where a plurality of attackers, decoy servers, and the like exist.

[Example of Configuration of File Monitoring Periodic Control Device 10]
Further, an example of the configuration of the file monitoring cycle control device 10 will be described with reference to FIG. The file monitoring cycle control device 10 includes a control unit 100 and a storage unit 200. The control unit 100 controls processing and operation of each unit of the file monitoring cycle control device 10. The storage unit 200 stores information used for processing in the file monitoring cycle control device 10, information generated as a result of processing, and the like.

  The control unit 100 includes a transfer unit 110, a detection unit 120, a monitoring unit 130, and a cycle control unit 140.

  The transfer unit 110 realizes a data transfer function between the network 40 and the network 70.

  In the first embodiment, it is assumed that the file monitoring cycle control device 10 includes a transfer unit 110, and the transfer unit 110 realizes a data transfer function. However, the present invention is not limited to this, and the data transfer function may be realized by another device by separating the data transfer function from other functions of the file monitoring cycle control device 10.

  For example, a home gateway or the like arranged at the boundary between the home network and the Internet may be connected to the file monitoring cycle control device 10 so as to be communicable, and the data transfer function may be implemented in the home gateway. The data transfer function may be realized by a relay device called a gateway or a proxy arranged at the boundary between the hosting environment, the data center, and the corporate network and the Internet. In addition to functions such as a security appliance and a firewall, a data transfer function may be implemented in a switch, a router, and the like, and may be arranged so as to be communicable with the file monitoring cycle control device 10.

  The detection unit 120 is connected to the transfer unit 110 or the server 50. The detection unit 120 extracts a unified resource location specifier corresponding to the file servers 30 </ b> A to 30 </ b> C from the access received by the transfer unit 110 or the access received by the server 50. The detection unit 120 notifies the monitoring unit 130 of the extracted unified resource location specifier. In this way, the detection unit 120 realizes the file server detection function, detects the file servers 30A to 30C accessing the server 50, and identifies the files stored in the file servers 30A to 30C by the unified resource position specifier. To do.

  In the first embodiment, the file monitoring cycle control device 10 includes a detection unit 120, and the detection unit 120 implements a file server detection function. However, the present invention is not limited to this, and the file server detection function may be separated from other functions of the file monitoring cycle control device 10 and mounted on another device. Further, the transfer unit 110 and the detection unit 120 may be separated from the file monitoring cycle control device 10 and mounted as a module in another device. Further, the function of the detection unit 120 may be incorporated in the server 50. Moreover, you may comprise so that unified resource position designators, such as file server 30A-30C, may be extracted from the log of the server 50. FIG. In this case, the detection unit 120 may be provided in the server 50.

  The detection unit 120 lists the extracted unified resource location specifiers. The detection unit 120 further sends the generated list, the file acquired from the file server, the received command, that is, information that may be a command from the attacker, and the like to the monitoring unit 130.

  When the file server detection function is incorporated in another device or server 50, the monitoring unit 130 accesses the device or server 50 and acquires a list, a file, a command, and the like. Further, when the unified resource location specifier of the file server is directly extracted from the log of the server 50, the monitoring unit 130 and the server 50 may be connected and the unified resource location specifier may be extracted from the log of the server 50. The operator can also manually input information by extracting the unified resource location specifier from the log of the server 50. In this case, it is not necessary to provide another device or detection unit 120 for realizing the file server detection function, and it is not necessary to connect the file server detection function and the monitoring unit 130.

  The monitoring unit 130 is connected to the detection unit 120 and realizes a file monitoring function. An example of the structure of the monitoring unit 130 will be described with reference to FIG. FIG. 2 is a diagram illustrating an example of a configuration of the monitoring unit 130 included in the file monitoring cycle control apparatus 10 according to the first embodiment.

  The monitoring unit 130 includes a change detection unit 131, a list update unit 132, a cycle setting unit 133, and an analysis unit 134.

  The change detection unit 131 acquires from the detection unit 120 a list of unified resource location specifiers for files on the file servers 30A to 30C. Then, the change detection unit 131 tries to acquire the file of the unified resource location specifier registered in the list, and detects the presence / absence of the file and the change of the file. The change detection unit 131 performs file acquisition and detection for each monitoring period set by the period setting unit 133 described later.

  When the change detection unit 131 detects that a file has disappeared or a change in the file, the list update unit 132 excludes the unified resource location specifier corresponding to the file from the monitoring target. In addition, when the analysis unit 134 detects and notifies a new illegal file, the list update unit 132 registers the unified resource location specifier of the file as a monitoring target. Specifically, the list update unit 132 updates the monitoring target list 201 described later.

  The period setting unit 133 sets a period (hereinafter, also referred to as “monitoring period”) for acquiring a file of the unified resource position specifier for each unified resource position specifier registered in the monitoring target list 201. The period setting unit 133 registers the set monitoring period in the monitoring target list 201. The period setting unit 133 sets a monitoring period set as a default value in advance before the monitoring period is notified by the period control unit 140 described later. When the monitoring period is notified by the period control unit 140, the period setting unit 133 sets a monitoring period corresponding to the notification and registers it in the monitoring target list 201.

  The analysis unit 134 detects malware from the file acquired by the detection unit 120 and identifies a unified resource location specifier in which the malware is arranged. The analysis unit 134 determines whether the acquired file is malware using, for example, anti-virus software or a malware dynamic analysis function implemented in the file monitoring cycle control device 10. If it is determined as malware, the analysis unit 134 notifies the list update unit 132 and registers the unified resource location specifier corresponding to the file in the monitoring target list 201. In addition, when the change detection unit 131 detects a file change, the analysis unit 134 determines whether the changed file is malware.

  Next, the cycle control unit 140 will be described with reference to FIG. FIG. 3 is a diagram illustrating an example of a configuration of the cycle control unit 140 included in the file monitoring cycle control device 10 according to the first embodiment.

  The cycle control unit 140 includes a target acquisition unit 141, a counting unit 142, a cycle calculation unit 143, and a cycle setting unit 144.

  The target acquisition unit 141 collects the unified resource location specifier currently being monitored from the monitoring unit 130. In addition, the target acquisition unit 141 collects the monitoring cycle of each unified resource location specifier from the monitoring unit 130. For example, the target acquisition unit 141 may acquire a unified resource location specifier and a monitoring cycle from the monitoring target list 201 managed and updated by the monitoring unit 130. In addition, the target acquisition unit 141 notifies the counting unit 142 of the collected unified resource position specifier and the monitoring period. The target acquisition unit 141 may be configured to periodically collect the unified resource location specifier from the monitoring unit 130 or the monitoring target list 201. In addition, when the monitoring unit 130 registers or deletes the unified resource location specifier in the monitoring target list 201, the target acquisition unit 141 receives a notification from the monitoring unit 130 and changes to the monitoring target list 201 in response to the notification. You may comprise so that it may access.

  The counting unit 142 collects the number of accesses in which each unified resource location specifier is described from the detection unit 120 or the server 50. In addition, the counting unit 142 notifies the cycle calculation unit 143 of the collected information. The counting unit 142 may be configured to collect the number of accesses periodically. The counting unit 142 is configured to receive a notification from the detection unit 120 or the server 50 when the detection unit 120 or the server 50 detects an access in which the unified resource location specifier that is the monitoring target is described. Also good. Alternatively, the operator may acquire the access number from the detection unit 120 or the log of the server 50 and manually input the acquired access number to the counting unit 142. In this case, the counting unit 142 may not be configured to communicate with the detection unit 120 or the server 50. The collected number of accesses is registered in the monitoring cycle data table 202 (described later).

  The period calculation unit 143 receives the notification of the number of accesses from the counting unit 142, and calculates the monitoring period according to the notified number of accesses. Alternatively, the cycle calculation unit 143 may be configured to read the number of accesses from the monitoring cycle data table 202 and calculate the monitoring cycle. Alternatively, the cycle calculation unit 143 may be configured to receive a notification from the counting unit 142 when the number of accesses reaches a predetermined number. The cycle calculation unit 143 notifies the cycle setting unit 144 of the calculated monitoring cycle and the unified resource position specifier to which the monitoring cycle is applied. Details of the monitoring cycle calculation process will be described later. The period calculation unit 143 also receives notification from the target acquisition unit 141 of the unified resource location specifier that is newly monitored.

  The cycle setting unit 144 notifies the monitoring unit 130 of the monitoring cycle and the unified resource location specifier notified from the cycle calculation unit 143 and sets them in the monitoring target list 201 as a new monitoring cycle.

  As described above, the file monitoring cycle control apparatus 10 according to the first embodiment detects the number of accesses in which a predetermined unified resource location specifier is described among accesses to the server 50, and according to the number of accesses. , A period for monitoring a file arranged in the unified resource position specifier is set.

[Example of information stored in storage unit 200]
Next, information stored in the storage unit 200 will be described with reference to FIGS. 4 and 5. FIG. 4 is a diagram illustrating an example of the structure of the monitoring target list 201 provided in the file monitoring cycle control apparatus 10 according to the first embodiment. FIG. 5 is a diagram illustrating an example of the structure of the monitoring cycle data table 202 provided in the file monitoring cycle control apparatus 10 according to the first embodiment. The storage unit 200 stores a monitoring target list 201 and a monitoring cycle data table 202.

  As illustrated in FIG. 4, the monitoring target list 201 stores a unified resource location specifier that is currently monitored and a monitoring period of a file arranged in the unified resource location specifier. For example, in the example shown in FIG. 4, “1000” is set as the “monitoring period” corresponding to “http: // host # 1 / dA / dB / dC / file-a” stored as “monitoring target”. It is remembered. In addition, “500” is stored as the “monitoring cycle” corresponding to “http: // host # 5 / d-V / d-D / d-H / file-c” stored as “monitoring target”. Further, “1500” is stored as the “monitoring period” corresponding to “http: // host # 7 / d-N / d-O / d-R / file-q” stored as “monitoring target”.

  The monitoring target list 201 is updated by the list update unit 132 when the change detection unit 131 of the monitoring unit 130 detects a file change or the like. Among the unified resource location specifiers detected by the detection unit 120, the unified resource location designator determined by the analysis unit 134 not to be the malware placement location is not registered in the monitoring target list 201.

  The monitoring cycle registered in the monitoring target list 201 is set to a predetermined default value when the corresponding unified resource location specifier is registered for the first time. After the control by the cycle control unit 140 is started, the cycle setting unit 133 sets the monitoring cycle according to the monitoring cycle notified by the cycle control unit 140 (cycle setting unit 144).

  Next, as shown in FIG. 5, the monitoring cycle data table 202 is an access that is notified by the counting unit 142 in the current monitoring cycle and the previous monitoring cycle for each unified resource position specifier that is monitored by the monitoring unit 130. And the number of accesses detected during the current monitoring period. Furthermore, the monitoring cycle data table 202 includes an area for describing the next monitoring cycle and a timer for managing the elapsed time from the previous monitoring time of each unified resource position specifier.

  The timer may employ a revolver format or the like so that all entries are managed by one timer. In this case, a timer function may be provided in the cycle control unit 140, and a timer dedicated to the monitoring cycle data table 202 may not be provided.

  In the first embodiment, the number of accesses detected in the immediately preceding monitoring period is used when calculating the monitoring period. However, the present invention is not limited to this, and all past access histories or any part of the past access histories may be used. In this case, the monitoring cycle data table 202 is configured so that all past access histories (number of accesses) can be described. Further, the number of past accesses may be managed for each monitoring period and used as time-series data. In this case, the monitoring cycle data table 202 is configured so that past monitoring cycles and the number of accesses in the cycle can be described in association with each other.

[Monitoring period calculation process]
Next, the monitoring cycle and the monitoring cycle calculation process will be further described with reference to FIG. FIG. 6 is a diagram for explaining a monitoring cycle and a monitoring cycle calculation process in the first embodiment.

  As shown in FIG. 6, it is assumed that the monitoring period 301 and the monitoring period 302 have elapsed along the time axis up to the present, and the monitoring period 303 is currently in progress. At the time of calculating the current monitoring cycle, the monitoring cycle data table 202 describes the number of accesses 312 that is the number of accesses in the monitoring cycle 302 and the number of accesses 311 in the monitoring cycle 301 immediately before.

  When the number of accesses 312 in the monitoring period 302 is greater than the number of accesses 311 in the immediately preceding monitoring period 301, the period calculating unit 143 determines the difference between the monitoring periods 301 and 302 and the difference between the number of accesses 311 and 312. Based on the above, the monitoring cycle 303 is calculated. For example, when the number of accesses increases by a predetermined number or more, the monitoring cycle is lengthened by a predetermined length. When the calculation is completed, the cycle calculation unit 143 registers the calculated monitoring cycle in the monitoring cycle data table 202 as the next monitoring cycle.

  When the predetermined cycle ends and the monitoring cycle data table 202 is updated, the cycle calculation unit 143 deletes the number of accesses 311 in the monitoring cycle 301 and information on the monitoring cycle 301 from the monitoring cycle data table 202. Then, the cycle calculation unit 143 registers the monitoring cycle 302 and the number of accesses 312 in the monitoring cycle data table 202 as data of the immediately preceding monitoring cycle. Then, the period calculation unit 143 registers the newly calculated monitoring period 303 and the number of accesses 313 detected during the period in the monitoring period data table 202 as data of the current monitoring period.

  Here, the number of accesses in the immediately preceding cycle is used in calculating the monitoring cycle. However, the present invention is not limited to this, and as described above, when other access numbers such as the total number of accesses in the past are used, the calculation method is changed accordingly. Alternatively, a method may be employed in which a moving average of the number of accesses in time series is calculated and the monitoring cycle is increased or decreased according to the increase or decrease.

[Registration of unified resource location specifier in monitoring cycle data table 202]
Next, with reference to FIG. 7, a process when a unified resource location specifier is registered in the monitoring cycle data table 202 will be described. FIG. 7 is a diagram for explaining an example of processing for registering the unified resource location specifier in the monitoring cycle data table 202 by the monitoring cycle control processing in the first embodiment.

  In the example of FIG. 7, the target acquisition unit 141 of the cycle control unit 140 receives a notification of the unified resource location specifier to be monitored from the monitoring unit 130 ((1) in FIG. 7). The target acquisition unit 141 sends the notified information of the unified resource position specifier to the period calculation unit 143 ((2) in FIG. 7). The period calculation unit 143 registers the notified unified resource position specifier and the corresponding monitoring period in the monitoring period data table 202 ((3) in FIG. 7). When there is a unified resource location specifier that is newly monitored, the monitoring unit 130 may notify the target acquisition unit 141 sequentially, or may periodically notify new monitoring target information.

  The target acquisition unit 141 is configured not to receive a notification of the unified resource location specifier from the monitoring unit 130 but to receive a notification of the newly detected unified resource location specifier from the detection unit 120 or the server 50. May be. In this case, the unified resource location specifier corresponding to the malware may be detected by a functional unit other than the analysis unit 134 of the monitoring unit 130.

[Registering the number of accesses to the monitoring cycle data table 202]
Next, a process when the number of accesses is registered in the monitoring cycle data table 202 will be described with reference to FIG. FIG. 8 is a diagram for explaining an example of processing in which the number of accesses of the unified resource location specifier is registered by the monitoring cycle control processing in the first embodiment.

  When the counting unit 142 is notified of the number of accesses of the unified resource location specifier from the detection unit 120 or the server 50 ((1) in FIG. 8), the counting unit 142 indicates the number of accesses notified to the corresponding entry in the monitoring cycle data table 202. Addition ((2) in FIG. 8). That is, the counting unit 142 adds the notified access count to the access count registered as the access count of the current monitoring cycle corresponding to the unified resource location specifier in the monitoring cycle data table 202.

  Note that the detection unit 120 or the server 50 may notify the access every time the corresponding access is detected, or may notify a plurality of accesses detected after performing the access detection for a predetermined period.

  The calculation of the monitoring period is basically performed once every monitoring period. However, if the next monitoring cycle can be calculated when the number of accesses is newly added, the monitoring cycle is recalculated after receiving the notification, and the calculated cycle is set as the next monitoring cycle. May be. For example, a difference from the immediately preceding period may be calculated by newly adding the number of accesses, and the next monitoring cycle may be calculated at that point if the number of accesses has increased. Further, only when the calculated difference exceeds a predetermined value, the next monitoring cycle may be calculated at that time. Further, when the increase or decrease in the number of accesses exceeds a predetermined number, the next monitoring cycle may be calculated at that time. Note that when determining whether or not the difference in the number of accesses has increased, the number of accesses per unit time may be compared. For example, it may be determined whether the number of accesses per second is increasing.

[Update of monitoring cycle data table 202]
Next, processing when the monitoring cycle data table 202 is updated will be described with reference to FIG. FIG. 9 is a diagram for explaining an example of processing in which the monitoring cycle data table 202 is updated by the monitoring cycle control processing in the first embodiment.

  It is assumed that there is an entry for a uniform resource position specifier whose corresponding timer value is changed from 1 to 0 among the uniform resource position specifiers registered in the monitoring cycle data table 202 at a certain time. When the timer reaches 0, the cycle calculation unit 143 notifies the cycle setting unit 144 of the unified resource location specifier and the next monitoring cycle ((1) in FIG. 9). In addition, the cycle calculation unit 143 moves the cycle described in the next monitoring cycle entry to the current monitoring cycle entry in the monitoring cycle data table 202 and clears the number of accesses in the current monitoring cycle to 0. ((2) in FIG. 9). Then, the next monitoring cycle is newly described. At this time, the next monitoring cycle to be newly described is a next monitoring cycle calculated when it is assumed that the number of accesses in the current monitoring cycle is zero.

[Notification of next monitoring cycle]
Next, processing for notifying the monitoring unit 130 of the monitoring cycle will be described with reference to FIG. FIG. 10 is a diagram for describing an example of a process in which a monitoring period is notified by the monitoring period control process in the first embodiment.

  Notification of the monitoring cycle is executed by the cycle setting unit 144. Specifically, the cycle setting unit 144 notifies the monitoring unit 130 of the unified resource location specifier and the monitoring cycle applied to the unified resource location designator ((1) in FIG. 10). When the monitoring unit 130 receives the notification, the cycle setting unit 133 appropriately updates the monitoring cycle registered in the monitoring target list 201.

[Flow of monitoring cycle control processing]
Next, an example of the flow of the monitoring cycle control process realized by the cycle controller 140 will be described with reference to FIG. FIG. 11 is a flowchart illustrating an example of the flow of the monitoring cycle control process in the first embodiment.

  First, the target acquisition unit 141 acquires from the monitoring unit 130 a unified resource location specifier that is currently monitored and a monitoring cycle corresponding to the unified resource location designator (step S1101). Information acquired by the target acquisition unit 141 is registered in the monitoring cycle data table 202. Then, with the start of the monitoring cycle, counting by the timer is started in association with each unified resource position specifier (step S1102). The counting unit 142 collects the number of accesses in which each unified resource location specifier described in the detection unit 120 or the server 50 is described (step S1103). The collected number of accesses is registered in the monitoring cycle data table 202.

  When the difference between the number of accesses in the current monitoring period and the number of accesses in the immediately preceding monitoring period satisfies a predetermined condition, the period calculating unit 143 calculates the next monitoring period based on the number of accesses (step S1104). . The next monitoring cycle is registered in the monitoring cycle data table 202 (step S1105). When the next cycle starts, that is, when the timer reaches 0 (Yes at step S1106), the monitoring cycle data table is updated to notify the monitoring unit 130 of the cycle, and the process returns to step S1102 for the next monitoring. Start counting the period. If the next cycle has not started (No at Step S1106), the process returns to Step S1103 and the process is repeated.

  By repeating the processing of FIG. 11 for each unified resource location specifier registered in the monitoring cycle data table 202, a monitoring cycle corresponding to the number of accesses is set. In the first embodiment, when the number of accesses in which a predetermined uniform resource location specifier is described increases, the monitoring cycle is set longer. This is because, when the number of accesses is large, it is considered that attacks using the unified resource location specifier are being actively performed, and it is not necessary to monitor frequently. Also, when an attack is being actively carried out, it is performed with an emphasis on detection of the attack itself, not monitoring.

  However, in setting the monitoring cycle, different setting methods may be employed depending on the state change of the attacker and the type of attack. For example, when the number of accesses is increasing, the monitoring cycle may be set short in consideration of the possibility that the state of the monitoring target has changed. Further, when the number of accesses is decreasing, it may be determined that attacks are decreasing and the monitoring cycle may be set longer.

[Effect of the file monitoring cycle control system according to the first embodiment]
As described above, in the file monitoring cycle control system according to the first embodiment, the file monitoring cycle control device extracts a unified resource location specifier that specifies an illegal file placement location, and sets the unified resource location designator as the unified resource location designator. Identified by a monitoring unit that monitors files to be arranged, a counting unit that detects the transmission of a command including a predetermined uniform resource location specifier to the server and counts the number of transmissions, and a predetermined uniform resource location specifier A setting unit that sets a file monitoring cycle according to the number of transmissions. For this reason, it is possible to reduce the probability that monitoring by an unauthorized file provider is detected by adjusting the monitoring period of unauthorized files. In addition, the monitoring cycle can be controlled according to the behavior of the accessor.

(Second Embodiment)
Next, as a second embodiment, an example in which the monitoring period is adjusted based on the number of accesses to the decoy server 60 will be described. Since the configuration of the file monitoring cycle control system according to the second embodiment is the same as that of the file monitoring cycle control system according to the first embodiment, illustration is omitted and common components are denoted by common reference numerals.

  In the first embodiment, the monitoring cycle is set according to the number of accesses detected by the server 50 or the detection unit 120. In contrast, the file monitoring cycle control system according to the second embodiment sets the monitoring cycle according to the number of accesses received by the decoy server 60. Specifically, the monitoring cycle is set in accordance with the number of attacks received by the decoy server 60 per unit time and in which a predetermined unified resource location specifier is described.

  In the second embodiment, a monitoring device equipped with the functions of the transfer unit 110, the detection unit 120, and the monitoring unit 130 and a file monitoring cycle control device equipped with the function of the cycle control unit 140 may be provided separately.

  Note that the position where an attack in which a predetermined unified resource position specifier is described is detected is not limited to the position of the decoy server 60, and a detection unit may be provided at an arbitrary position on the network.

[Effects of Second Embodiment]
As described above, the file monitoring cycle control system according to the second embodiment further includes a decoy server that detects an illegal command to the server. Then, the counting unit counts the number of attacks per unit time in which the unified resource position specifier in which the file that the decoy server is instructed to acquire by an illegal instruction is described. The setting unit sets the monitoring cycle of the file instructed to acquire according to the number of attacks per unit time counted by the counting unit. Then, the monitoring device (corresponding to the transfer unit 110, the detection unit 120, and the monitoring unit 130) acquires a file arranged in the unified resource location specifier according to the monitoring period set by the setting unit, Extract the difference. For this reason, it is possible to reduce the probability that monitoring by an unauthorized file provider is detected by adjusting the monitoring period of unauthorized files.

  Further, since the cycle can be determined using the decoy server 60, the number of accesses from the file monitoring cycle control device 10 to the server 50 and the data transfer to the file monitoring cycle control device 10 can be reduced. Detailed attack detection becomes possible. In addition, it is possible to avoid a situation in which malware whose confirmation has been detected by the attacker is relocated to another site. As a result, it is possible to avoid a situation in which an attack using malware placed on a new site cannot be detected, and it is possible to suppress detection omissions in defense using a black list.

(Third embodiment)
Although the embodiments of the present invention have been described so far, the present invention may be implemented in other embodiments besides the above-described embodiments. Other embodiments will be described below.

[System configuration]
Of all the processes described in the present embodiment, all or part of the processes described as being automatically performed can be performed manually, or all of the processes described as being performed manually or A part can be automatically performed by a known method. For example, the extraction of the unified resource position specifier and the setting of the default value of the monitoring cycle may be performed manually by the operator. In addition, the processing procedures, control procedures, specific names, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

  The constituent elements of the file monitoring cycle control system and the file monitoring cycle control apparatus shown in the drawings are functionally conceptual and need not be physically configured as shown in the drawings. That is, the specific form of distribution / integration of each device is not limited to the one shown in the figure, and all or a part of the distribution / integration may be functionally or physically distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. For example, in the example illustrated in FIG. 1, the transfer unit 110, the detection unit 120, the monitoring unit 130, and the cycle control unit 140 are described as components of the control unit 100 of one device. However, the transfer unit 110, the detection unit 120, the monitoring unit 130, and the cycle control unit 140 may be implemented as independent devices. In that case, among the information stored in the storage unit 200, information used for processing in the transfer unit 110, the detection unit 120, the monitoring unit 130, and the cycle control unit 140 may be stored in different devices. .

  FIG. 12 is a diagram illustrating an example of a configuration of a network model in which the file monitoring cycle control system according to the embodiment operates. For example, as shown in FIG. 12, a plurality of networks on the boundary between the network 2 where the attacker's terminal 2 and the file server 3 used for the attack are arranged and the network Y where the attacked server 4 is arranged The function may be arranged as a separate device. In the example of FIG. 12, the file monitoring cycle control function 5, the file monitoring function 6, the file server detection function 7, and the data transfer function 8 are realized as separate devices. The file monitoring cycle control function 5, the file monitoring function 6, the file server detection function 7, and the data transfer function 8 in FIG. 12 correspond to the cycle control unit 140, the monitoring unit 130, the detection unit 120, and the transfer unit 110 in FIG. .

[program]
FIG. 13 is a diagram showing that the information processing by the file monitoring cycle control program, which is a program for executing a series of processes by the file monitoring cycle control system, is specifically realized using a computer. As illustrated in FIG. 13, the computer 1000 includes, for example, a memory 1010, a CPU (Central Processing Unit) 1020, a hard disk drive 1080, and a network interface 1070. Each part of the computer 1000 is connected by a bus 1100.

  The memory 1010 includes a ROM 1011 and a RAM 1012 as illustrated in FIG. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System).

  Here, as illustrated in FIG. 13, the hard disk drive 1080 stores, for example, an OS 1081, an application program 1082, a program module 1083, and program data 1084. That is, the file monitoring cycle control program according to the disclosed embodiment is stored in, for example, the hard disk drive 1080 as the program module 1083 in which a command to be executed by the computer 1000 is described. For example, the program module 1083 in which each procedure for executing the same information processing as each unit of the control unit 100 is described is stored in the hard disk drive 1080.

  Further, data used for information processing by the file monitoring cycle control program, such as data stored in the storage unit 200, is stored as, for example, the hard disk drive 1080 as the program data 1084. Then, the CPU 1020 reads the program module 1083 and program data 1084 stored in the hard disk drive 1080 to the RAM 1012 as necessary, and executes various procedures.

  The program module 1083 and the program data 1084 related to the file monitoring cycle control program are not limited to being stored in the hard disk drive 1080. For example, the program module 1083 and the program data 1084 may be stored in a removable storage medium. In this case, the CPU 1020 reads data via a removable storage medium such as a disk drive. Similarly, the program module 1083 and the program data 1084 related to the file monitoring cycle control program are stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). May be. In this case, the CPU 1020 reads various data by accessing another computer via the network interface 1070.

[Others]
Note that the file monitoring cycle control program described in this embodiment can be distributed via a network such as the Internet. The file monitoring cycle control program may be recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, or a DVD, and executed by being read from the recording medium by the computer. it can.

DESCRIPTION OF SYMBOLS 1 File monitoring period control system 10 File monitoring period control apparatus 20A-20C Terminal device 30A-30C File server 40, 70 Network 50 Server 60 Decoy server 100 Control part 110 Transfer part 120 Detection part 130 Monitoring part 131 Change detection part 132 List update Unit 133 cycle setting unit 134 analysis unit 140 cycle control unit 141 target acquisition unit 142 counting unit 143 cycle calculation unit 144 cycle setting unit 200 storage unit 201 monitoring target list (black list)
202 Monitoring cycle data table 1000 Computer 1010 Memory 1011 ROM
1012 RAM
1020 CPU
1070 Network interface 1080 Hard disk drive 1081 OS
1082 Application program 1083 Program module 1084 Program data 1100 Bus

Claims (8)

A monitoring unit that extracts a unified resource location specifier that identifies an illegal file placement location and monitors a file placed in the unified resource location designator;
A counter that detects transmission to the server of an instruction including a predetermined uniform resource location specifier and counts the number of transmissions;
A setting unit for setting a monitoring cycle of the file specified by the predetermined uniform resource position specifier according to the number of transmissions;
A file monitoring cycle control device comprising:   The file monitoring cycle control device according to claim 1, wherein the setting unit sets a longer monitoring cycle of the file in accordance with an increase in the number of transmissions. A monitoring device that extracts a unified resource location specifier that identifies the location of an illegal file and monitors a file placed in the unified resource location designator;
A file monitoring cycle control device for controlling a monitoring cycle of a file arranged in the uniform resource location specifier;
A file monitoring cycle control system comprising:
The file monitoring cycle control device includes:
A counter that detects transmission to the server of an instruction including the uniform resource locator and counts the number of transmissions;
A setting unit that sets a monitoring cycle of the file specified by the uniform resource location specifier in accordance with the number of transmissions;
With
The monitoring device
A file monitoring cycle control system that acquires a file arranged in the unified resource location specifier in accordance with a monitoring cycle set by the setting unit, and extracts the presence / absence and difference of the file.   The file monitoring cycle control system according to claim 3, wherein the setting unit sets a longer monitoring cycle of the file in accordance with an increase in the number of transmissions. A decoy server for detecting an illegal command to the server;
The counting unit counts the number of attacks per unit time in which a unified resource location specifier in which a file that the decoy server is instructed to acquire by the illegal instruction is described,
The setting unit sets a monitoring cycle of a file instructed to be acquired according to the number of attacks per unit time counted by the counting unit,
The said monitoring apparatus acquires the file arrange | positioned at the said uniform resource position designator according to the monitoring period which the said setting part set, and extracts the presence or absence of the said file, and a difference. File monitoring cycle control system. A monitoring device that extracts a unified resource location specifier that identifies the location of an illegal file and monitors a file placed in the unified resource location designator;
A file monitoring cycle control device for controlling a monitoring cycle of a file arranged in the uniform resource location specifier;
A file monitoring cycle control method executed by a file monitoring cycle control system comprising:
The file monitoring cycle control device detects a transmission of an instruction including the uniform resource location specifier to a server and counts the number of transmissions;
The file monitoring cycle control device is configured to set a monitoring cycle of a file specified by the unified resource location specifier according to the number of transmissions;
The monitoring device acquires a file arranged in the unified resource position specifier according to the monitoring period set in the setting step, and detects a presence and a difference of the file,
A file monitoring cycle control method comprising: A counting step for detecting transmission to the server of an instruction including a unified resource location specifier that identifies an illegal file placement location, and counting the number of transmissions;
A setting step of setting a monitoring cycle of the file specified by the uniform resource location specifier according to the number of transmissions;
A detection step of obtaining a file arranged in the unified resource location specifier according to the monitoring period set in the setting step, and detecting the presence and the difference of the file,
File monitoring cycle control program for causing a computer to execute.   A file monitoring cycle control program for causing a computer to function as the file monitoring cycle control device according to claim 1.

Images