JP6105792B1 - Information processing apparatus, information processing method, and program - Google Patents

Abstract

In analyzing a communication log, a target is narrowed down and an efficient analysis is performed. A communication analyzer includes a communication log acquisition unit for acquiring a communication log of communication detected within a target period on a network to be monitored, and a predetermined for detecting problematic communication. A list storage unit 25 that stores a plurality of classification lists for which the conditions are set, and extracts communication logs satisfying a predetermined condition set in the classification list from the acquired communication logs for each classification list, A classification list application unit 24 that outputs information indicating the correlation of the application results of the classification list. The classification list application unit 24 includes, as information indicating the correlation, one of the extraction results of each list included in the extraction result of any list specified based on the criteria set for detecting specific communication. Outputs information related to communication log information. [Selection] Figure 2

Description

  The present invention relates to an information processing apparatus, an information processing method, and a program.

  A large amount of data is communicated and processed in various information systems using an information communication network such as the Internet (hereinafter simply referred to as a network). On the other hand, problems such as unauthorized access to devices such as servers and various terminal devices operating on the network and unauthorized information leakage from the server may occur.

  As a technique for monitoring information communication on a network in order to suppress damage caused by unauthorized communication, for example, Patent Document 1 discloses a database storing a list of normal communication signatures, communication data, and communication. An extraction circuit that extracts data of a predetermined length as a comparison target data from a predetermined position of the acquired communication data so that a data signature is included, and masks data other than the communication data signature among the extracted comparison target data A mask circuit that performs a search, a search circuit that retrieves a signature of communication data included in the masked comparison target data from a database, and a warning when a communication data that does not match a signature of normal communication stored in the database is detected. A bot detection device including a processing execution circuit is disclosed.

JP 2009-164712 A

  In information processing that analyzes a large amount of communication logs and extracts processing with specific properties (for example, problematic communication), such as monitoring information communication on a network, communication that is usually acquired as an analysis target The amount of log data is enormous. On the other hand, there are only a few communication logs related to a process having a specific property to be extracted or a process that may be possible. Therefore, it is widely requested in various fields of information processing to appropriately narrow down the analysis target communication log and analyze it efficiently regardless of communication inspection.

  It is an object of the present invention to narrow down a target and perform an efficient analysis in analyzing a communication log.

For this purpose, the present invention provides an acquisition means for acquiring a communication log of communication detected within a target period on a network to be monitored, and a predetermined condition for detecting problematic communication. Storage means for storing a plurality of set lists, and log extraction means for extracting, for each list, communication logs satisfying the predetermined conditions set in the list among communication logs acquired by the acquisition means And output means for outputting information indicating the correlation of the extraction results extracted for each list by the log extracting means, the output means as information indicating the correlation, In the extraction result, information and relevance of one communication log included in the extraction result of any list specified based on the criteria set for detecting a specific communication To provide an information processing apparatus and outputs the information.
In addition, importance levels for detecting unauthorized communication are set in advance in each of the lists, and the output unit includes one of the lists included in the extraction result of any list specified based on the importance levels. It may output information having relevance to the information of the communication log.
Further, the information related to the information of the one communication log may be information indicating a communication log related to the information of the one communication log.
The information having the relevance to the information of the one communication log may be information indicating a communication log having the same communication destination as the communication destination of the one communication log.
The present invention also includes a step of obtaining a communication log of communication detected within a target period on a network to be monitored, and a plurality of predetermined conditions for detecting problematic communication. A step of acquiring a list, a step of extracting a communication log satisfying the predetermined condition set in the list among the acquired communication logs, and an extraction extracted for each list Outputting information indicating a correlation of results, and the outputting step is set to detect a specific communication in the extraction result of each list by the extracting step as the information indicating the correlation It outputs information related to the information of one communication log included in the extraction result of any list specified based on the criteria. Also an information processing method to provide.
Further, according to the present invention, a function for acquiring a communication log of communication detected within a target period on a monitoring target network and a predetermined condition for detecting problematic communication are set in the computer. A function of reading a plurality of lists from the storage unit, a function of extracting the communication logs satisfying the predetermined conditions set in the list among the acquired communication logs, and for each list The function of outputting the information indicating the correlation of the extracted results is realized, and the output function detects specific communication in the extraction result of each list by the extracting function as the information indicating the correlation. To output information related to the information of one communication log included in the extraction result of any list specified based on the criteria set to Programs that symptoms are also provided.

  According to the present invention, in analyzing a communication log, it is possible to narrow down a target and perform an efficient analysis.

It is a figure showing the example of whole composition of the computer system to which this embodiment is applied. It is the block diagram which showed the function structural example of the communication analyzer which concerns on this Embodiment. It is the figure which showed an example of the hardware constitutions of the computer suitable for applying a communication analyzer. It is the flowchart which showed an example of the procedure of the whole process for detecting unauthorized communication using a communication analyzer. (A), (b) is a figure which shows the example of an output of the result of having applied the classification list to the communication log made into analysis object. (A), (b) is a figure which shows the example of an output of the result of having applied the classification list to the communication log made into analysis object. It is a figure which shows the example of an output of the generation | occurrence | production situation in each classification | category list of the applicable communication log. It is the flowchart which showed an example of the procedure of the process which specifies an analysis process and unauthorized communication. It is the flowchart which showed an example of the procedure of the process which performs the deep investigation of unauthorized communication. It is a figure which shows an example of the communication log displayed in order to identify the generation | occurrence | production factor of unauthorized communication. (A), (b) is a figure for demonstrating an example of the output result which narrowed down the communication log based on the original unauthorized communication, and applied the classification list. It is a figure for demonstrating an example of the investigation procedure of another unauthorized communication. It is the flowchart which showed an example of the procedure of the process which investigates another unauthorized communication.

Embodiments of the present invention will be described below in detail with reference to the accompanying drawings.
<System configuration>
First, a computer system to which this embodiment is applied will be described. FIG. 1 is a diagram showing an example of the overall configuration of a computer system to which the present embodiment is applied. As shown in the figure, in this computer system, client terminals 10a, 10b, and 10c are connected to an in-house LAN (Local Area Network) 50. The communication analysis device 20 and the communication data storage device 30 are connected to both the in-house LAN 50 and the Internet 60. Further, the attacker server 40 is connected to the Internet 60.

  The client terminals 10a, 10b, and 10c are computers used by users, and are realized by, for example, personal computers, workstations, and other computer devices. In the present embodiment, it is assumed that the client terminals 10a, 10b, and 10c may be infected with malware. Here, malware is a general term for malicious software and malicious code created with the intention of performing illegal and harmful operations. For example, a bot that is one type of malware, after infecting a computer, connects to a control server called a C & C (command and control) server, waits for instructions from the attacker, and performs processing as directed on the infected computer. Execute.

  Although FIG. 1 shows the client terminals 10a, 10b, and 10c, they may be referred to as client terminals 10 when it is not necessary to distinguish them. Although only three client terminals 10 are shown in FIG. 1, the number of client terminals 10 is not limited to the three illustrated.

  The communication analyzer 20 monitors the network between the company LAN 50 and the Internet 60, processes (analyzes) a communication log (history) of communication detected on the monitored network, and outputs an analysis result. . The output analysis result is for detecting unauthorized communication such as unauthorized access from the outside and unauthorized information leakage from the inside. Further, the communication log to be analyzed is stored in the communication data storage device 30. The communication analysis device 20 performs communication from the communication data storage device 30 as an analysis target, for example, triggered by an operation of an analyst (analyst). Obtain logs and perform analysis.

  In this embodiment, the communication analysis device 20 acquires the communication log from the communication data storage device 30. For example, the communication analysis device 20 is inline on the communication line between the in-house LAN 50 and the Internet 60. The communication analysis device 20 may store the communication log. Further, the communication analysis device 20 may be provided in a communication device such as a gateway, or may be provided independently of the communication device. In the present embodiment, the communication analysis device 20 is used as an example of the information processing device.

  The communication data storage device 30 stores communication flowing on the network between the in-house LAN 50 and the Internet 60 as a communication log. The stored communication log is, for example, a log generated by a proxy server (not shown) installed so as to be accessed when the client terminal 10 accesses the Internet 60 via the in-house LAN 50. In addition, for example, a log generated by a security system such as IDS (Intrusion Detection System) or IPS (Intrusion Prevention System) connected to the in-house LAN 40 or a device equipped with software such as a firewall is also saved as a communication log. Is done.

  In addition to the communication log, the communication data storage device 30 also stores packet data that flows on the network between the in-house LAN 50 and the Internet 60. Here, the communication log records communication on the network, and the communication log includes, for example, information on the communication destination, information on the communication source, and information such as the date and time when the communication was performed. On the other hand, the packet data includes information that cannot be grasped from the communication log, such as the contents of actually exchanged files and image data.

  The attacker server 40 is a server to which the client terminal 10 infected with malware is a communication connection destination, and is operated by the attacker. For example, when the client terminal 10 is infected with a bot, the attacker server 40 corresponds to a connection control server to which the client terminal 10 is connected in order to wait for an instruction from the attacker. Further, although only one attacker server 40 is shown in FIG. 1, it is assumed that there may be two or more attacker servers 40.

  The in-house LAN 50 is a network in which computers and printers in a company are connected by a dedicated line, and data can be transmitted and received between them.

  The Internet 60 is a huge network that connects networks all over the world using TCP / IP (Transmission Control Protocol / Internet Protocol).

  In the present embodiment, when the client terminal 10 is infected with malware, the client terminal 10 performs processing by connecting to an unauthorized server such as the attacker server 40. Therefore, the communication analysis device 20 according to the present embodiment targets the network between the in-house LAN 50 and the Internet 60, analyzes the communication log of communication detected on the monitored network, and obtains the analysis result. Output. The communication detected on the network to be monitored by the analysis of the communication analyzer 20 is classified into troubled communication and troubleless communication. Here, problematic communications include those that are clearly illegal communications and those that may be unauthorized communications (communications that cannot be identified as problematic communications). The analyst can analyze the problematic communication based on the analysis result output from the communication analysis device 20 and determine whether the communication is unauthorized.

<Functional configuration of communication analyzer>
Next, the functional configuration of the communication analyzer 20 will be described. FIG. 2 is a block diagram illustrating a functional configuration example of the communication analysis device 20 according to the present embodiment.

  As illustrated, the communication analysis device 20 includes a display unit 21, a communication log acquisition unit 22, a communication log shaping unit 23, a classification list application unit 24, a list storage unit 25, a detailed information acquisition unit 26, And an unauthorized communication investigation unit 27.

  The display unit 21 displays various types of information such as analysis results obtained by the communication analyzer 20 on the screen. The display unit 21 receives an operation input from an analyst for the screen.

  The communication log acquisition unit 22 as an example of an acquisition unit targets a network between the in-house LAN 50 and the Internet 60 and acquires a communication log of communication detected on the network to be monitored from the communication data storage device 30. To do. Here, the communication log acquisition unit 22 acquires a communication log detected within the target period, for example, using a period specified by an analyst or a predetermined period as an acquisition target period.

  The communication log shaping unit 23 arranges the format of the communication log so that the analysis process can be executed on the communication log acquired by the communication log acquisition unit 22. In addition, the communication log shaping unit 23 excludes or deletes information unnecessary for analysis from information included in the communication log.

  The classification list application unit 24 as an example of the log extraction unit and the output unit applies the classification list to the communication log shaped by the communication log shaping unit 23. The classification list application unit 24 displays the application result of the classification list on the display unit 21 for each classification list. In addition, the classification list application unit 24 displays information indicating the correlation of application results for each classification list on the display unit 21. The displayed information is used by an analyst to identify unauthorized communication. The classification list is a list in which predetermined conditions (hereinafter referred to as classification conditions) for detecting problematic communication are set, and are created in advance by an analyst or the like. Details of the classification list will be described later. In the present embodiment, a classification list is used as an example of a list in which predetermined conditions are set.

  The list storage unit 25 as an example of a storage unit stores a plurality of classification lists.

The detailed information acquisition unit 26 as an example of an extracting unit acquires detailed information regarding a communication log with a possibility of unauthorized communication. Here, the detailed information acquisition unit 26 collects information on communication destinations in a communication log having a possibility of unauthorized communication, for example. Further, the detailed information acquisition unit 26 acquires packet data corresponding to a communication log with a possibility of unauthorized communication from the communication data storage device 30. The information on the communication destination and the information on the packet data are used by an analyst to identify unauthorized communication.
Further, when the analyst identifies unauthorized communication, the detailed information acquisition unit 26 collects information on the identified unauthorized communication and conducts a deep investigation of unauthorized communication. In the deep survey, information on the source of unauthorized communications, information about the occurrence period, and the cause of the occurrence are collected.

  The unauthorized communication investigation unit 27 investigates the presence or absence of another unauthorized communication based on the unauthorized communication specified by the analyst.

<Hardware configuration example of communication analyzer>
Next, the hardware configuration of the communication analyzer 20 according to the present embodiment will be described. FIG. 3 is a diagram illustrating an example of a hardware configuration of a computer suitable for applying the communication analysis device 20. As shown in the figure, the communication analysis device 20 includes a CPU (Central Processing Unit) 20a that is a calculation means and a memory 20c that is a main storage means. As external devices, a hard disk drive (HDD) 20g, a network interface 20f, a display mechanism 20d including a display device, an audio mechanism 20h, an input device 20i such as a keyboard and a mouse, and the like are provided.

  In the configuration example shown in FIG. 3, the memory 20c and the display mechanism 20d are connected to the CPU 20a via the system controller 20b. The network interface 20f, the magnetic disk device 20g, the audio mechanism 20h, and the input device 20i are connected to the system controller 20b via the I / O controller 20e. Each component is connected by various buses such as a system bus and an input / output bus.

  In FIG. 3, the magnetic disk device 20g stores an OS program and application programs. These programs are read into the memory 20c and executed by the CPU 20a, thereby realizing the functions of the functional units of the communication analyzer 20 according to the present embodiment.

  FIG. 3 merely exemplifies a hardware configuration of a computer suitable for application of the present embodiment. The present embodiment can be widely applied to information processing apparatuses capable of analyzing communication logs, and the present embodiment is not realized only with the illustrated configuration.

<Overall procedure for detecting unauthorized communications>
Next, an overall processing procedure for detecting unauthorized communication using the communication analyzer 20 will be described. FIG. 4 is a flowchart illustrating an example of a procedure of overall processing for detecting unauthorized communication using the communication analysis device 20.

  First, based on the input of the analyst, the communication analysis device 20 performs presetting for analyzing the communication log (step 1). Next, the communication analyzer 20 acquires a communication log to be analyzed from the communication data storage device 30 based on the presetting, and shapes the acquired communication log (step 2). Then, the communication analysis device 20 applies the classification list to the formatted communication log and executes analysis processing (step 3). By executing this analysis process, the analysis result is displayed.

  Thereafter, the analyst confirms the displayed analysis result and identifies unauthorized communication (step 4). Next, the communication analyzer 20 narrows down to the communication log identified as unauthorized communication in step 4 and performs a deep investigation (step 5). Here, detailed information related to unauthorized communication is collected, and the occurrence period and cause of the unauthorized communication are determined. Next, the communication analyzer 20 investigates the presence or absence of another unauthorized communication using the unauthorized communication identified in step 4 as a key (step 6). If another unauthorized communication is found here, the communication analyzer 20 performs a deep investigation on another unauthorized communication as in step 5. Then, this processing flow ends.

In this manner, the communication analysis device 20 executes the analysis process based on the communication log acquired from the communication data storage device 30 and displays the analysis result. Then, the analyst confirms the displayed analysis result and identifies unauthorized communication. In addition, the communication analyzer 20 performs a deep investigation of unauthorized communication specified by the analyst. Furthermore, the communication analyzer 20 investigates the presence or absence of another unauthorized communication using the unauthorized communication specified by the analyst as a key.
Below, each step shown in FIG. 4 will be described in more detail.

<Step 1: Pre-setting>
The presetting shown in step 1 of FIG. 4 will be described in detail. In this pre-setting, the type of communication log to be analyzed and the log format are specified by the input of the analyst, and the classification list used in the analysis process is specified.

Specifically, based on the input of the analyst, the communication analysis device 20 may select any type of communication log to be analyzed, such as a proxy log (proxy server communication log) or a firewall communication log. Specify whether to analyze the communication log. In addition, the communication analysis device 20 can specify, for example, a standard for describing the date and time (such as the Western calendar or the Japanese calendar), format specification, and IP address notation (notation system) as the log format of the communication log to be analyzed. Specify.
Furthermore, the types of communication logs that can be applied to the classification list used in the analysis processing are determined for each list. Therefore, when the analyst specifies according to the type of communication log to be analyzed, the communication analysis device 20 specifies a classification list to be used in the analysis process from among a plurality of classification lists.

  In addition to the presetting, for example, the communication analysis device 20 may specify, for example, a period to be analyzed, that is, a communication log from when the generated date and time is to be analyzed (hereinafter referred to as “analysis target”). The period set as an analysis target is referred to as a total analysis period), and the use / non-use of a white list described later is designated.

<Step 2: Formatting the communication log>
The shaping of the communication log shown in step 2 of FIG. 4 will be described in detail. In the communication log shaping process, first, the communication log acquisition unit 22 acquires, from the communication data storage device 30, the type of communication log designated by the presetting from among the communication logs generated within the entire analysis period. Then, the communication log shaping unit 23 performs shaping processing on the acquired communication log.

  In the shaping process, the format of the communication log is adjusted based on a rule specified by an analyst in advance or a predetermined rule. For example, the date and time of occurrence in the communication log, the source IP address, the destination IP address, etc. are arranged in a common format. In addition, for example, information that is not used for analysis processing is deleted from information included in the communication log that is not related to detection of unauthorized communication. Further, for example, for communication using TCP, which is a connection-type protocol, a process of combining a data request and a response in response to a single communication log is performed.

  Further, when the setting for using the white list is performed in advance in Step 1, the communication log shaping unit 23 applies the white list to the communication log. This white list is created in advance by an analyst or the like, and is a list in which communication without problems is registered. For example, information such as an external IP address and a host name (domain name) having no problem is registered in the white list. By applying the white list, a communication log having information matching the white list information is excluded from the analysis target. In other words, the white list is a list for leaving communication with no problem by excluding communication with no problem from the communication to be analyzed. That is, the white list can be regarded as a classification list in which a classification condition is set such that a communication log including the same information as the registered information is excluded and a problematic communication log is detected.

<Step 3: Analysis processing>
The analysis process shown in step 3 of FIG. 4 will be described in detail. In this analysis process, the classification list is applied to the communication log shaped in step 2, and information for detecting unauthorized communication is output. The classification list applied in the analysis process is specified by the presetting in step 1 among a plurality of classification lists created in advance. Here, as the classification list, for example, information related to problematic communication is registered, and a list (hereinafter referred to as a black list) in which a classification condition for extracting a communication log including the same information as the registered information is defined. Called). In addition, as the classification list, for example, a communication log including items (fields) designated as useful for the determination of unauthorized communication in consideration of the characteristics of communication that the analyst has identified as unauthorized communication so far There is also a list (hereinafter, referred to as a field extraction list) in which a classification condition for extracting “.

  The information related to problematic communication registered in the black list is, for example, information on spyware, which is software that collects information about users and transmits the information to the outside, information on adware, which is software for advertising purposes, and the like. For example, a list of information on public proxies is also used as a black list. The public proxy is a relay server (proxy server) that is open to the public and can be used freely by anyone. Further, as the black list, a list in which information on communication with a problem uniquely collected by an analyst, information on communication determined to have a problem in the analysis so far, and the like may be used.

  In the field extraction list, for example, a classification condition of “sort communication destination hosts in order of appearance count for communication logs using the POST method in HTTP (Hypertext Transfer Protocol) communication” is defined. In another field extraction list, for example, a classification condition of “sorting the communication source host and the communication destination host in the order of the number of appearances for a communication log using the GET method or the POST method in HTTP communication” is defined.

  In the classification list, the importance level for detecting unauthorized communication is set according to the contents of the classification list. The importance is set, for example, in three stages of “high”, “medium”, and “low”. In the case of a blacklist, for example, since the information of problematic communication that is independently collected by an analyst has high reliability that can be determined to be fraudulent, the blacklist is set to have a high importance level. In addition, for example, a classification list that may contain legitimate communications that are used for purposes other than attacks or a classification list that has a low impact, set the importance level to medium or low. Also good.

In the case of a field extraction list, for example, for a communication with a high possibility of unauthorized communication, the field extraction list that defines such a classification condition is set to “high” importance. On the other hand, for example, for a communication with a low possibility of unauthorized communication, the field extraction list that defines such a classification condition is set to “low” in importance.
Furthermore, the POST method and the GET method of HTTP communication are generally used as requests sent to a Web server, for example, but are often used as illegal processing when infected with malware. Based on this, the importance of the field extraction list is set.

  Then, the classification list application unit 24 applies the classification list to the formatted communication log and outputs the application result for each classification list. Here, in each classification list, a type of communication log to which the classification list can be applied, and a communication log field necessary for applying the classification list are set. Therefore, when applying the classification list, the classification list application unit 24 extracts a type of communication log to which the classification list can be applied from the communication log after shaping. Furthermore, the classification list application unit 24 collects information on the fields necessary for applying the classification list from each extracted communication log, determines whether the collected information matches the classification conditions, Output the application result.

  For example, when a black list is applied as a classification list, the classification list application unit 24 extracts a type of communication log to which the black list can be applied from the communication log after shaping. Further, the classification list application unit 24 collects information on fields necessary for applying the black list from each extracted communication log. Then, the classification list application unit 24 sequentially determines for each communication log whether or not the collected field information of each communication log matches the information of the black list. As a result, the classification list application unit 24 extracts a communication log including the same information as the information of the black list for each black list, and has a large number of appearances (the number of communication logs recorded in the analysis target period). Output in order from the top.

  Further, for example, when a field extraction list is applied as a classification list, the classification list application unit 24 first converts the communication log after shaping to HTTP, SSL, FTP (File Transfer Protocol), DNS (Domain Name System), or the like. Create a base file for each protocol used in communication. In this base file, fields that may be used for analysis are set for each protocol among the fields of the communication log. That is, the classification list application unit 24 classifies the formatted communication log by protocol, extracts fields that may be used for analysis from each communication log according to the protocol, and creates a base file for each protocol. .

  Further, the classification list application unit 24 further divides the base file as necessary to create an intermediate file. For example, in HTTP communication, a method such as a GET method or a POST method is used, but this method may be used as an element of a classification condition. Therefore, in order to perform analysis efficiently, an intermediate file is also created by further dividing the HTTP base file by method.

  Then, the classification list application unit 24 extracts a type of communication log to which the field extraction list can be applied from the formatted communication log (here, a base file or an intermediate file). Further, the classification list application unit 24 collects field information necessary for applying the field extraction list from each extracted communication log. Then, the classification list application unit 24 sequentially determines for each communication log whether the collected field information of each communication log matches the classification conditions of the field extraction list. As a result, the classification list application unit 24 extracts communication logs satisfying the classification condition for each field extraction list, and outputs the communication logs arranged in descending order from the top.

  FIGS. 5A and 5B are diagrams illustrating an output example of a result of applying a classification list to a communication log to be analyzed. Here, an output result obtained by applying a black list having a medium degree of importance is shown. In the example shown in FIG. 5A, “host name (communication destination host name)” is set as a field necessary for applying the blacklist. As a result, as shown in the figure, the “appearance count” and “host name” of the communication log are output in association with each other, and are displayed in order from the communication log with the highest appearance count.

  For example, number 1 indicates a communication log whose communication destination host name is “aaa.abcd0.jp”. Here, in the black list in the example shown in FIG. 5A, information indicating that the communication destination host name includes “abcd0.jp”, for example, is registered as information on the problematic communication. , The communication log of number 1 is extracted. The number of appearances of this communication log is “13482”, and 13482 corresponding communication logs exist in the communication log to be analyzed. Further, in the example shown in FIG. 5 (a), an underline is added to the matching location so that the analyst can easily recognize the location that matches the blacklist information ("abcd0.jp" in the communication log of number 1). Pulled and displayed. However, the display is not limited to the underlined display. For example, it may be displayed in a color different from the other part (for example, red when the other part is black), or the character may be enlarged and displayed. Also good.

  FIG. 5B also shows an output result of applying another black list having an importance level of “medium”. Here, as a field necessary for applying the black list, “URL (Uniform Resource) Locator) ”is set. As a result, as shown in the figure, “number of appearances” and “URL” of the communication log are output in association with each other, and are displayed in order from the communication log with the highest number of appearances. For example, number 1 indicates a communication log whose communication destination URL is “http://ccc.abcd1.net/00/11”. Here, in the black list in the example illustrated in FIG. 5B, information indicating that the communication destination URL includes “abcd1.net”, for example, is registered as information on the problematic communication. The communication log of number 1 is extracted. The number of appearances of this communication log is “2733”, and there are 2733 corresponding communication logs in the communication log to be analyzed.

  FIGS. 6A and 6B are also diagrams illustrating an output example of a result of applying the classification list to the communication log to be analyzed. FIG. 6A shows an output result of applying a field extraction list that defines a classification condition of “sort host names (host names of communication destinations in order of appearance number for communication logs using the GET method in HTTP communication)”. Indicates. As shown in the figure, the “appearance count” and “host name” of the communication log are output in association with each other, and are displayed in order from the communication log with the highest appearance count.

  For example, number 1 indicates a communication log whose host name is “aaa.office.sample1.com”. Although no method is displayed, the GET method is used. The number of appearances of this communication log is “2909737”, and there are 2909737 corresponding communication logs in the communication log to be analyzed.

  FIG. 6B shows an output to which a field extraction list that defines a classification condition of “sort communication source IP addresses and communication destination hosts in order of appearance count for communication logs using the GET method in HTTP communication” is applied. Results are shown. As shown in the figure, “number of appearances”, “source IP address”, “method”, and “destination host (host name)” of the communication log are output in association with each other. Displayed in order.

<Step 4: Identification of unauthorized communication>
The process for identifying unauthorized communication shown in step 4 of FIG. 4 will be described. In the process of identifying unauthorized communication, the analyst confirms the output content of step 3 and identifies the communication determined to be unauthorized. Here, in step 3, as described above, the analysis result of the classification list applied to the communication log to be analyzed is output. When the analyst selects the communication log indicated in the analysis result, the selected result is selected. With respect to the communication log, information indicating a correlation between application results of a plurality of different classification lists is output. In other words, for the communication log selected by the analyst, information indicating how a communication log having the same communication destination as that of the communication log is generated in each classification list is output. The analyst confirms the output contents and identifies the unauthorized communication.

  In addition, the detailed information acquisition unit 26 collects information on communication destinations in a communication log with a possibility of unauthorized communication in order for an analyst to identify unauthorized communication. Here, the display unit 21 is an input interface that accepts collection of communication destination information. When the analyst selects one of the communication logs displayed on the display unit 21, information on the communication destination in the selected communication log is collected. Specifically, when the analyst selects one of the communication logs, the detailed information acquisition unit 26, for example, actually connects to the communication destination in the communication log, and whether the communication is still possible or the communication destination Collect information such as whether the site still exists at the present time.

  Furthermore, the detailed information acquisition unit 26 acquires packet data corresponding to the communication log from the communication data storage device 30 as necessary. Again, the display unit 21 is an input interface that accepts acquisition of packet data corresponding to the communication log. Specifically, when the analyst selects to acquire packet data with a certain communication log, the detailed information acquisition unit 26 acquires packet data from the communication data storage device 30. As a result, the analyst can check the contents of the packet data and determine whether or not there is an illegal file or image included in the packet data.

  In this way, the analyst determines whether the communication to be analyzed is unauthorized communication based on the situation determined from the analysis results of the plurality of classification lists and the communication destination and packet data information in the communication log. Make a final decision on whether or not. Here, there are cases where it is not possible to determine at this time whether or not the communication is unauthorized, or that it is determined that communication is normal (non-illegal communication). For this reason, in the process of step 4, the communication to be analyzed is classified into one of three types: one determined as illegal communication, one that cannot be determined at present whether or not it is illegal communication, and one determined as normal communication.

And about what is judged to be unauthorized communication, the process of the following step 5 and step 6 is performed. In addition, when it is determined that the communication is unauthorized, the communication information may be added to the black list used in the analysis processing in Step 3.
In addition, those that cannot be determined at the present time as to whether or not they are unauthorized communications are subject to continuous monitoring and added to the follow-up observation list. Whether or not communication to the same communication destination as the communication log recorded in the follow-up observation list occurs when analysis is performed on communication logs of a period different from the entire analysis period this time, etc. Is confirmed. By continuously monitoring in this way, it is finally determined that the communication is illegal or normal.
Furthermore, for information that is determined to be normal communication, the communication information may be added to the white list used in the shaping in Step 2.

The process for identifying unauthorized communication in step 4 will be described with a specific example.
First, in the application result of the black list shown in FIG. 5A, the communication log of the host name “malware.abcd4.jp” is extracted as the communication log of the number 280. Further, in the application result of the black list shown in FIG. 5B, the communication log of URL “http://malware.abcd4.jp/” is extracted as the communication log of number 350. These indicate common communication destinations, both of which are the number of occurrences of 57 cases, and the presence is confirmed on the 280th line in FIG. 5A and on the 350th line in FIG. 5B. However, it cannot be said that the communication destination has such a large number of appearances as compared with other communication logs at the top. Further, since the importance level of these blacklists is “medium”, it is not determined as a communication log of unauthorized communication at the stage of extraction. Therefore, in the blacklist application results shown in FIGS. 5A and 5B, the analyst can still determine whether this communication destination (host name: malware.abcd4.jp) relates to unauthorized communication. Absent.

  On the other hand, communication logs corresponding to “malware.abcd4.jp” are also extracted from other classification lists. For example, in the field extraction list shown in FIG. 6A, the corresponding communication log is extracted at the number 1532. In the field extraction list shown in FIG. 6B, the corresponding communication log is extracted with the number 9866. Here, when the analyst selects the communication log of “malware.abcd4.jp” indicated as the application result of the black list, the classification list application unit 24 uses “ For the communication log corresponding to “malware.abcd4.jp”, the occurrence status in each classification list of the communication log having the same communication destination is output.

  FIG. 7 is a diagram illustrating an output example of the occurrence status in each classification list of the corresponding communication log. As shown in the figure, for the communication log corresponding to “malware.abcd4.jp”, six classification lists of numbers 1 to 6 corresponded. Here, the classification lists of numbers 1 and 2 are the black lists shown in FIGS. 5 (a) and 5 (b). The classification lists numbered 3 to 6 are field extraction lists, which correspond to the field extraction lists of four GET sequences. Here, “List 3” of number 3 and “List 4” of number 4 are the field extraction lists shown in FIGS. 6A and 6B, respectively. In addition, “List 5” of No. 5 is a field extraction in which a classification condition of “sorting communication source IP address, communication destination host, and URL in order of appearance number for communication logs using the GET method in HTTP communication” is defined. It is a list. Further, “list 6” of number 6 is a field extraction list in which a classification condition “sort URLs in order of appearance count for communication logs using the GET method in HTTP communication” is defined.

From this output result, for “malware.abcd4.jp”, for example, only HTTP GET communication is occurring, and since the source IP address is “172.29.36.209”, there is only one, so anyone can view it. It is determined that it is not a site. For example, since there is only one type of URL pattern, it is determined that the possibility of web browsing is low.
That is, only the blacklist analysis result shown in FIG. 5 may be a communication in which an individual is browsing the site, and it cannot be determined whether the communication is related to unauthorized communication. However, from the output result of other classification lists, it is determined that the possibility of communication for browsing the site by an individual is low and the possibility of unauthorized communication is high.

  Furthermore, considering the situation when the detailed information acquisition unit 26 actually accesses the URL “http://malware.abcd4.jp” of the communication destination, the analyst may finally determine the unauthorized communication. did it. In other words, it is determined that the client terminal 10 accessing “malware.abcd4.jp” has a high possibility of being infected with malware.

  In this way, the analyst can obtain information that cannot be determined from a certain classification list by checking the communication log extracted from a certain classification list together with the analysis results of other classification lists. . Further, the analyst considers information such as a communication destination as necessary, and finally determines whether or not the target communication is unauthorized communication.

  In the example shown in FIG. 7, information indicating the correlation between the application results of each classification list is output for the communication log shown as the application result of the black list. However, the analyst indicates the application result of the field extraction list. When the selected communication log is selected, information indicating the correlation of the application result of each classification list is output for the communication log. In addition, as the information indicating the correlation, the occurrence status in all applicable classification lists is shown, but only a part of the classification list, for example, the occurrence status in the black list (numbers 1 and 2 in the example of FIG. 7) It may be indicated or only the occurrence status in the field extraction list (numbers 3 to 6 in the example of FIG. 7) may be indicated.

  Furthermore, the classification list application unit 24 outputs information indicating the correlation of the classification list application results for the communication logs satisfying a certain condition among the communication logs extracted from the classification list regardless of the input of the analyst. It's also good. For example, the classification list application unit 24 can determine whether communication logs with the number of appearances equal to or less than a predetermined number of communication logs included in the application result of any classification list are related to unauthorized communication. As a result, the occurrence status in each classification list may be output. In addition, for example, the classification list application unit 24 applies a classification list having a certain importance or less (for example, a classification list having a medium or low importance in the case of a classification list having a medium or less importance). The occurrence status in each classification list may be output on the assumption that the communication log included in the result cannot be determined whether it is related to unauthorized communication.

  The analysis process in step 3 and the process for specifying unauthorized communication in step 4 will be described with reference to a flowchart. FIG. 8 is a flowchart illustrating an example of the procedure of the analysis process and the process of specifying unauthorized communication.

  First, when the communication log is shaped in step 2, the classification list application unit 24 acquires from the list storage unit 25 a classification list designated for use in the analysis process (step 101). Then, the classification list application unit 24 applies the classification list to the formatted communication log (step 102). Here, for each acquired classification list, the classification list application unit 24 extracts applicable types of communication logs from the formatted communication log, collects information on fields necessary for applying the classification list, and classifies the classification list. It is determined whether or not the classification condition is met. Then, the classification list application unit 24 outputs the analysis result for each classification list and displays it on the display unit 21.

  Next, for example, when the analyst confirms the analysis result based on the classification list and selects a communication log that cannot yet be determined whether it relates to unauthorized communication, the classification list application unit 24 selects each classification list of the selected communication log. Is displayed on the display unit 21 (step 103). Here, the classification list application unit 24 extracts a communication log having the same communication destination as the communication log selected by the analyst from the analysis result of the classification list, and generates the extracted communication log. The status is displayed on the display unit 21.

Further, when the analyst performs input for collecting communication destination information in the communication log or input for acquiring packet data, the detailed information acquisition unit 26 acquires information about the communication destination and stores the packet data in the communication data. Obtained from the device 30 (step 104). The acquired information is displayed on the display unit 21. Then, this processing flow ends.
Thus, based on the output contents by the classification list application unit 24 and the detailed information acquisition unit 26, the analyst makes a final determination as to whether or not the communication to be analyzed is unauthorized communication.

<Step 5: Deep investigation of unauthorized communications>
The illegal digging investigation shown in Step 5 of FIG. 4 will be described. In the deep investigation of unauthorized communication, detailed information is collected only on the communication log determined as unauthorized communication in step 4. If there are a plurality of items determined to be unauthorized communication in step 4, the process of step 5 is performed for each unauthorized communication.

First, the detailed information acquisition unit 26 extracts a communication log of the communication determined to be unauthorized communication in step 4 from the analysis target communication log. And the detailed information acquisition part 26 acquires the generation date of each extracted communication log, and specifies the generation | occurrence | production period of this unauthorized communication. The occurrence period is a period from the time when the first illegal communication occurs to the time when the last illegal communication occurs within the entire analysis period.
Further, the detailed information acquisition unit 26 specifies a communication source of unauthorized communication. Specifically, the detailed information acquisition unit 26 collects information on the IP address and host of the communication source, that is, information on the client terminal 10 that is the communication source, in the communication log of unauthorized communication. There may be one or more client terminals 10 as communication sources.

  Further, the detailed information acquisition unit 26 collects information for specifying the cause of the unauthorized communication. Here, it is considered that the unauthorized communication is caused by some kind of communication, for example, the client terminal 10 accesses an unauthorized Web page that downloads malware. That is, it is considered that some kind of communication that causes unauthorized communication is being performed immediately before the time when the unauthorized communication first occurred. Therefore, the detailed information acquisition unit 26 is detected within a predetermined time in the communication log of the communication performed from the client terminal 10 that is the communication source of the unauthorized communication, going back from the time when the unauthorized communication first occurred. Collect the communication log of the communication.

  The deep investigation of unauthorized communication in step 5 will be described with reference to a flowchart. FIG. 9 is a flowchart illustrating an example of a procedure for performing a deep investigation of unauthorized communication.

  First, in step 4, when an analyst performs input for designating a communication log of communication that is determined to be unauthorized communication, the detailed information acquisition unit 26 determines that communication that has been determined to be unauthorized communication from the analysis target communication log. The communication log is extracted (step 201). Then, the detailed information acquisition unit 26 acquires the occurrence date and time of the extracted communication log, and specifies the generation period of unauthorized communication (step 202). Next, the detailed information acquisition unit 26 collects information on the client terminal 10 that is the communication source of the unauthorized communication (step 203). Information about the generation period and the communication source client terminal 10 is displayed on the display unit 21.

  Further, the detailed information acquisition unit 26 is detected within a predetermined time immediately before the time when the illegal communication first occurred in the communication log of the communication performed from the client terminal 10 that is the communication source of the unauthorized communication. Collect communication logs (step 204). The collected communication log information is displayed on the display unit 21. Then, this processing flow ends.

  Next, processing for identifying the cause of unauthorized communication based on the communication log will be described with a specific example. FIG. 10 is a diagram illustrating an example of a communication log displayed to identify the cause of the unauthorized communication. Here, the communication log of the number 13 is an unauthorized communication to the host “mal.example.com”, and is a communication log when the first communication is performed with respect to the host “mal.example.com”. A communication log near the time when the communication log with the number 13 is detected is displayed. Actually, a communication log at a specific time before and after the time when the unauthorized communication first occurred is displayed. FIG. 10 shows a part of the communication log. In addition, in order to identify the cause of unauthorized communication, it is sufficient to have a communication log detected before the time when the unauthorized communication first occurred. Is grasped in more detail.

  In the example shown in FIG. 10, when the communication log generated before the communication log with the number 13 is confirmed, the communication to the host of the communication log with the number 6 has occurred only once. Here, when the communication analyzer 20 is actually connected to the URL “http://malware2.downloadsite.com/it/xxxxxxx.jpg” of the communication destination of the number 6, it is found that it is a malware download communication. . Further, for example, based on the result of the communication analyzer 20 actually connecting to the communication destinations of a plurality of communication logs such as Nos. 1 to 5 generated before the No. 6 communication log, the analyst The cause of the unauthorized communication and the impact damage are determined.

<Step 6: Investigation of another illegal communication>
Another illegal communication investigation shown in step 6 of FIG. 4 will be described. In another unauthorized communication investigation, the presence / absence of another unauthorized communication is investigated using the key determined as unauthorized communication in Step 4 (hereinafter referred to as the original unauthorized communication) as a key.

  As described above, the occurrence of unauthorized communication is considered to be some kind of communication that causes the unauthorized communication. However, when the client terminal 10 performs such communication, not only one unauthorized communication but also another unauthorized communication occurs. May occur. For example, when the client terminal 10 is guided to the attacker server 40 in order to access an unauthorized Web page, the client terminal 10 may be guided to another server of the attacker in addition to the attacker server 40. In this case, in addition to unauthorized communication accessing the attacker server 40, unauthorized communication accessing another server of the attacker also occurs. Therefore, the unauthorized communication investigation unit 27 investigates whether there is another unauthorized communication that has the same communication source as the original unauthorized communication and has an occurrence time close to that of the original unauthorized communication.

  Specifically, the unauthorized communication investigation unit 27 performs the analysis process of step 3 by narrowing down to communication logs in which the client terminal 10 that is the original communication source of the unauthorized communication is the communication source. In addition, another unauthorized communication has the same infection source as that of the original unauthorized communication. Therefore, the occurrence status such as occurrence frequency and occurrence timing is considered to be similar to the original unauthorized communication. For this reason, a period for specifying another unauthorized communication (hereinafter sometimes referred to as a specific period), that is, a period to be analyzed in the communication log is set based on the occurrence state of the original unauthorized communication. And the process of step 4 is performed with respect to the result of this analysis process, and another unauthorized communication is specified.

  In other words, the specific period is specified based on the generation period from the time when the original unauthorized communication occurred first to the time when it last occurred in the client terminal 10 that is the communication source of the original unauthorized communication. The specific period is set, for example, in units of one week, in units of days, or in units of days of the week, based on the original occurrence status of unauthorized communication. The specific period is set according to a predetermined rule by the unauthorized communication investigation unit 27 or is set by an analyst's input.

  Here, in the analysis process of step 3 performed to identify the original unauthorized communication, all communication logs in the entire analysis period are targeted. On the other hand, in the analysis process performed to identify another unauthorized communication, the client terminal 10 that is the original communication source of the unauthorized communication is narrowed down to the communication log that is the communication source, and the analysis target period (that is, the identification target) (Period) is also set according to the state of occurrence of the unauthorized communication. Therefore, the analysis result by the analysis process of step 6 is different from the analysis result by the analysis process of step 3 performed to identify the original unauthorized communication.

  For example, in the result of analysis processing performed to identify the original unauthorized communication, the communication log of another unauthorized communication is not displayed at the top of any black list and classification list, and the analyst cannot be found. is there. In such a case, by performing analysis processing with the communication log narrowed down, a communication log of another unauthorized communication may be displayed at the top of the black list or classification list. As a result, a communication log of another unauthorized communication that has not been noticed in the analysis process performed to identify the original unauthorized communication is noticed, and the possibility of being detected increases.

  A process for identifying another unauthorized communication will be described with a specific example. Here, in step 4, for example, it is assumed that the communication whose URL is “http://www.malsample1.net/abcdefg/post.php” is specified as the original unauthorized communication. With respect to this original unauthorized communication, the IP address of the communication source client terminal 10 was “192.168.100.100”. In addition, when the occurrence of the original unauthorized communication was confirmed, it occurred between 12:10 on January 10, 2015 and 19:30 on January 31, 2015.

  From these pieces of information, as another investigation of unauthorized communication, the unauthorized communication investigation unit 27 is a communication log in which the client terminal 10 of “192.168.100.100” is the communication source, and the occurrence period is January 10, 2015 12 From 10 minutes to January 31, 2015, extract communication logs at 19:30. Then, the classification list application unit 24 applies the classification list to the extracted communication log. In the analysis processing here, only a part of the classification list, for example, the field extraction list may be applied.

  FIGS. 11A and 11B are diagrams for explaining an example of an output result in which a classification list is applied by narrowing down a communication log based on the original unauthorized communication. Here, FIGS. 11A and 11B are both field extraction lists that define a classification condition of “sorting communication source IP addresses and URLs in order of appearance count for communication logs using the POST method in HTTP communication”. The output result of applying is shown, but the communication log to be applied is different. FIG. 11A is an output example targeting all communication logs in all analysis periods, and FIG. 11B is an output example targeting communication logs narrowed down based on the original unauthorized communication. .

  In the example shown in FIG. 11A, the communication logs of numbers 1 to 6 are displayed in the order of the most appearances, and these are communication logs of communication that is not illegal. On the other hand, in the example shown in FIG. 11B, numbers 1 to 5 are communication logs of communication that is not illegal, but the communication log of number 6 relates to unauthorized communication. That is, by narrowing down the communication log based on the original unauthorized communication, a communication log related to another unauthorized communication having the same infection source as that of the original unauthorized communication is displayed at the top. With respect to the communication log of number 6, the analyst determines whether or not the communication is unauthorized by confirming the application result of another classification list. Further, communication destination information is collected and packet data is acquired, and finally it is determined whether or not the communication is unauthorized.

  Here, the original unauthorized communication URL “http://www.malsample1.net/abcdefg/post.php” and another unauthorized communication URL “http://www.malexample2.net/abcdefg/post.php”. "/Abcdefg/post.php" below the host "www.malsample1.net", that is, a URI portion indicating a file path is common. The file path indicates the location of a resource (file) inside a communication destination such as a server. In HTTP communication, the file path represents a directory name and a file name in a public area of the server. Here, for example, an attacker may prepare a plurality of unauthorized sites using a similar mechanism. That is, for example, when a plurality of malwares are infected, a plurality of unauthorized communications with different URLs occur, but a plurality of unauthorized communications may occur with some URI parts in common such as a file path. In other words, as a tendency of creating malware, some URI parts may be common in a plurality of unauthorized communications generated by malware. Therefore, for the communication log of number 6, since the URI portion of the communication destination is the same as the URI portion of the original unauthorized communication destination, it may be determined that the possibility of unauthorized communication is high.

  Further, the unauthorized communication investigation unit 27 may investigate whether or not a communication log including the communication destination URL “/abcdefg/post.php” exists in addition to the communication log number 6. And, for example, `` http: //www.xxx.yyy.zzz/abcdefg/post.php '', `` http://www.xyz.xyz.co/abcdefg/post.php '', `` http: // aaa .bbb.ccc / abcdefg / post.php "," http: //eee.fff.ggg/abcdefg/post.php ", etc. If there is a communication log with the URL as the communication destination, there is a possibility of unauthorized communication You may judge.

  In addition, when an attacker creates malware, for example, the description of the file path is not completely the same as described above, but the URL may be configured by changing a part of the description of the file path. Therefore, when including the same URI portion of the URL that is the communication destination of the original unauthorized communication, the communication is not limited to determining that the possibility of unauthorized communication is high, but the original unauthorized communication and the URI portion. If they are similar, it may be determined that the possibility of unauthorized communication is high.

  Furthermore, the portion of interest in the original unauthorized communication is not limited to the URI portion indicating the file path that is a part of the URL. For example, the entire URL that is the communication destination of the original unauthorized communication, the host name, You may pay attention to header information, such as a simple substance and HTTP request method. For example, when focusing on the host name, it is determined that the possibility of unauthorized communication is high for a communication log including the same host name of the URL that is the communication destination of the original unauthorized communication.

  Thus, when paying attention to the information included in the communication log of the original unauthorized communication, the analyst considers the tendency that malware is created, and in the information included in the communication log, Focus on the part that follows the creation tendency of the malware whose characteristics are shown, in other words, information that may be determined according to the malware created by the attacker. And it is judged that possibility of unauthorized communication is high about the communication log containing the same information as the characteristic part (part along the creation tendency of malware) of the communication log of unauthorized communication.

  Further, the analyst may pay attention to the occurrence state of the original unauthorized communication. The occurrence status indicates a communication occurrence tendency such as a period, a time zone, and a communication interval at which communication occurs.

  For example, the above five communications ((1) “http://www.malexample2.net/abcdefg/post.php”) in which the URI part of the communication destination is the same as the URI part of the original illegal communication destination. , (2) `` http: //www.xxx.yyy.zzz/abcdefg/post.php '', (3) `` http://www.xyz.xyz.co/abcdefg/post.php '', (4) Check "http: //aaa.bbb.ccc/abcdefg/post.php", (5) "http: //eee.fff.ggg/abcdefg/post.php"), focusing on the point of interest Is done.

For example, the communication of (1) to (4) has some points of interest in the communication log compared to the original communication log of unauthorized communication, and the tendency for communication to occur is almost the same. It was. However, the communication of (5) was different from the communication of (1) to (4), although there was a part in which the point of interest was in common with the original communication log of unauthorized communication. In other words, the communication fact that the occurrence situation is different between the communication of (1) to (4) and the communication of (5) was found.
From the above, in all communications of (1) to (5), the point of interest and the state of occurrence of communication did not completely match, but the information along the malware creation tendency Since there are many points that match, and there are many suspicious parts of the information about the host that is the communication destination, in this case, it was determined that the communication was illegal. Moreover, in addition to the fact that there was unauthorized communication in addition to the original unauthorized communication, it is possible to grasp the entire unauthorized communication status, so that it was possible to grasp the entire status and confirm the influence within a specific period.

  FIG. 12 is a diagram for explaining an example of another unauthorized communication investigation procedure. In the example shown in FIG. 12, it is assumed that the unauthorized communication A is identified as the original unauthorized communication in Step 4 and the unauthorized communication B and the unauthorized communication C are identified as another unauthorized communication in Step 6. Further, it is assumed that the unauthorized communication A occurs from the client terminal 10a, the unauthorized communication B occurs from the client terminal 10a and the client terminal 10b, and the unauthorized communication C occurs from the client terminal 10b.

  First, when the unauthorized communication A is identified in step 4, the unauthorized communication investigation unit 27 sets the specified period 1 based on the occurrence state of the unauthorized communication A. Next, the unauthorized communication investigating unit 27 narrows down the communication logs detected in the specific period 1 to the communication logs in which the client terminal 10a that is the communication source of the unauthorized communication A is the communication source, and analyzes in step 3 Execute the process. Based on the analysis result, the analyst performs the process of step 4 to identify the unauthorized communication B as another unauthorized communication. Subsequently, the process of step 5 is performed for the unauthorized communication B, and the generation period, the generation factor, and the like are specified.

  The unauthorized communication B specified here has occurred in the specified period 1 with the client terminal 10a as the communication source, but the unauthorized communication B may have occurred with another client terminal 10 as the communication source. is there. Therefore, the communication analyzer 20 extracts the communication log of the unauthorized communication B from all the communication logs for all analysis periods. Thereby, in addition to the client terminal 10a, the client terminal 10b is specified as a communication source of the unauthorized communication B.

Next, the unauthorized communication investigation unit 27 investigates the presence or absence of another unauthorized communication based on the unauthorized communication B identified as another unauthorized communication.
Specifically, the unauthorized communication investigation unit 27 sets the specific period 2 based on the state of occurrence of unauthorized communication B with the client terminal 10a as the communication source. Then, the unauthorized communication investigation unit 27 narrows down the communication logs detected in the specific period 2 to the communication logs in which the client terminal 10a that is the communication source of the unauthorized communication B is the communication source, and performs the analysis process of step 3 Execute.
Similarly, the unauthorized communication investigation unit 27 sets the specific period 3 based on the state of occurrence of unauthorized communication B using the client terminal 10b as a communication source. Then, the unauthorized communication investigation unit 27 narrows down the communication logs detected in the specific period 3 to the communication log in which the client terminal 10b that is the communication source of the unauthorized communication B is the communication source, and performs the analysis process of step 3 Execute.

Based on these analysis results, the analyst performs the process of step 4. As a result, another unauthorized communication is not identified in the specific period 2, but in the specific period 3, the unauthorized communication C is newly specified as another unauthorized communication. Subsequently, the process of step 5 is performed on the unauthorized communication C, and the generation period, the generation factor, etc. are specified.
Further, the communication analysis device 20 may also investigate the presence or absence of another unauthorized communication by specifying a communication source and a specific period for this unauthorized communication C.

  In this way, the unauthorized communication investigation unit 27 investigates the presence or absence of another unauthorized communication using the original unauthorized communication identified in step 4 as a key. When another unauthorized communication is specified, the unauthorized communication investigation unit 27 may investigate the presence / absence of another unauthorized communication using the identified other unauthorized communication as a key. That is, the unauthorized communication investigation unit 27 may repeatedly execute a process of investigating the presence or absence of another unauthorized communication using another unauthorized communication as a key.

In the example shown in FIG. 11, the example in which the communication log is narrowed down and analyzed based on the original unauthorized communication has been described. However, the characteristics of the communication log for unauthorized communication ( That is, a communication log that includes the same information as that in the malware creation tendency) may be searched to investigate the presence or absence of another unauthorized communication. In this case, when the original unauthorized communication is identified in step 4, the unauthorized communication investigation unit 27 includes, for example, the URL of the communication destination in the communication logs of all the analysis periods, and the URL that is the communication destination of the original unauthorized communication. A communication log including the same URI part is extracted. Then, the unauthorized communication investigation unit 27 displays the information of the extracted communication log and displays it in the order of appearance frequency, displays the application result of the classification list, etc. Judgment is made.
This survey method takes more time than the method of narrowing down to a specific period and reducing the amount of communication logs required for analysis to make a quick decision. However, the results of this survey are omitted for all communication logs. This is useful when making decisions for the purpose of eliminating problems. In addition, if the period is not limited, the entire scope of the influence of unauthorized communication may be clarified.

  Another unauthorized communication investigation in step 6 will be described with reference to a flowchart. FIG. 13 is a flowchart illustrating an example of a procedure of processing for investigating another unauthorized communication.

  First, in step 5, after a deep investigation of unauthorized communication is performed, for example, when an analyst makes an input for investigating another unauthorized communication using the original unauthorized communication as a key, the unauthorized communication investigation unit 27 A specific period is set based on the state of occurrence of unauthorized communication (step 301). Here, the information on the occurrence period specified in step 202 of FIG. 9 is used for the original occurrence state of unauthorized communication. In addition, the unauthorized communication investigation unit 27 acquires information of the client terminal 10 that is the communication source of the original unauthorized communication (step 302). Here, the information collected in step 203 in FIG. 9 is used as the information of the original unauthorized communication client terminal 10.

  Next, the unauthorized communication investigation unit 27 extracts a communication log in which the client terminal 10 that is the communication source of the original unauthorized communication is the communication source from among the communication logs detected during the specific period (step 303). Then, the classification list application unit 24 applies the classification list to the extracted communication log (step 304). Here, for example, the same classification list used in the analysis processing for specifying the original unauthorized communication is applied. Then, the classification list application unit 24 outputs the analysis result for each classification list and displays it on the display unit 21.

  Next, the analyst performs the process of step 4 to identify another unauthorized communication. Then, when the analyst makes an input for designating a communication log of another unauthorized communication, the detailed information acquisition unit 26 executes the deep investigation in step 5 for another unauthorized communication (step 305). Then, this processing flow ends. Thereafter, the unauthorized communication investigation unit 27 starts the process of step 301 based on the information related to another unauthorized communication acquired in step 305 and investigates whether there is another unauthorized communication. Also good.

  In addition, when there are a plurality of client terminals 10 that are the communication sources of the original unauthorized communication, the processing in steps 301 to 305 is performed for each client terminal 10 that is the communication source.

  The program for realizing the embodiment of the present invention is a computer-readable recording medium such as a magnetic recording medium (magnetic tape, magnetic disk, etc.), an optical recording medium (optical disk, etc.), a magneto-optical recording medium, or a semiconductor memory. Can be provided in a state stored in the memory. It can also be provided using communication means such as the Internet.

  Moreover, although this invention was demonstrated using embodiment, the technical scope of this invention is not limited to the said embodiment. It will be apparent to those skilled in the art that various modifications and alternative embodiments can be made without departing from the spirit and scope of the invention.

10a, 10b, 10c ... Client terminal, 20 ... Communication analyzer, 21 ... Display unit, 22 ... Communication log acquisition unit, 23 ... Communication log shaping unit, 24 ... Classification list application unit, 25 ... List storage unit, 26 ... Details Information acquisition unit, 27 ... unauthorized communication investigation unit, 30 ... communication data storage device, 40 ... attacker server

Claims (5)

An acquisition means for acquiring a communication log of communication detected within a target period on the network to be monitored;
Storage means for storing a plurality of lists in which predetermined conditions for detecting problematic communication are set;
Among the communication logs acquired by the acquisition means, log extraction means for extracting, for each list, communication logs that satisfy the predetermined conditions set in the list;
Output means for outputting information indicating the correlation of the extraction results extracted for each list by the log extraction means;
Each of the lists is preset with a degree of importance for detecting a specific communication,
The output means includes, as information indicating the correlation, information of one communication log included in an extraction result of any list specified based on the importance in the extraction result of each list by the log extraction means; An information processing apparatus that outputs information having relevance. The information processing apparatus according to claim 1 , wherein the information related to the information of the one communication log is information indicating a communication log related to the information of the one communication log. The information processing apparatus according to claim 2 , wherein the information related to the information of the one communication log is information indicating a communication log having the same communication destination as the communication destination of the one communication log. . Obtaining a communication log of communication detected within a target period on the network to be monitored;
Obtaining a plurality of lists set with predetermined conditions for detecting problematic communications;
Extracting the communication log satisfying the predetermined condition set in the list among the acquired communication logs for each list;
Outputting information indicating a correlation of extraction results extracted for each list,
Each of the lists is preset with a degree of importance for detecting a specific communication,
In the outputting step, as information indicating the correlation, information of one communication log included in the extraction result of any list specified based on the importance in the extraction result of each list by the extracting step An information processing method characterized by outputting information having relevance to the information. On the computer,
A function to obtain communication logs of communications detected within the target period on the monitored network;
A function of reading a plurality of lists set with predetermined conditions for detecting problematic communication from the storage unit;
Among the acquired communication logs, a function of extracting a communication log that satisfies the predetermined condition set in the list for each list;
A function of outputting information indicating a correlation between extraction results extracted for each list, and
Each of the lists is preset with a degree of importance for detecting a specific communication,
The output function is information of one communication log included in the extraction result of any list specified based on the importance in the extraction result of each list by the extracting function as information indicating the correlation A program characterized by outputting information having relevance to.

Images