JP2004086880A - Warning system, wide range network protection system, illegal access track method, illegal access detection system, security management method and attack protection method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To strengthen and heighten level of coordination for monitoring illegal access, and to strengthen and heighten level of coordination for access control when detecting. <P>SOLUTION: This system is used for protecting a wide area network having a plurality of connection points to outside networks from illegal access. This system comprises a system for detecting illegal access at respective connection points and notifying warning information, a means for storing the notified warning information, a monitor for extracting access state of the network from communication contents at every connection point, and a means for storing the extracted access state. Additionally, it comprises a gate node provided to every connection point and executing access control, a system for analyzing and notifying invasion path of the detected illegal access on the basis of the stored access state and warning information, a means for generating an access control rule at the gate node on the basis of the analyzed invasion path and the warning information, and a means for distributing it to the gate node. <P>COPYRIGHT: (C)2004,JPO

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention relates to a security system, a wide area network protection system, an unauthorized access tracking method, an unauthorized access detection system, a security management method, and an attack protection method, and is particularly applicable to a security management system and method related to a wide area intranet. is there.
[0002]
For example, the present invention can be applied to security management for protecting a network from attacks such as cyber terrorism and unauthorized access aimed at functional failure or function stoppage in seven important infrastructure fields specified by the government.
[0003]
[Prior art]
In recent years, the openness of networks and the interconnection of networks have been advanced, and the degree of dependence on networks in social activities has increased, and threats such as unauthorized access to network systems and cyber terrorism aimed at so-called critical infrastructure have increased.
[0004]
However, in general, the operation method for security management of a network system or the like differs depending on each site on the network, and the method of responding to an incident in a network system such as a company scale formed by a wide area intranet. However, there are many cases in which the bases that should respond quickly and unifiedly to security cases are different. In other words, in the so-called security management method, at present, individual variations occur in the security management area for the entire network system. Note that the base refers to an access point opened to the user and an interconnection point with another IP network in the network system.
[0005]
Conventionally, as a security management technology for an access control system, for example, a method has been devised in which a firewall is arranged at each site, and a system administrator centrally manages the access control policy of the firewall distributed at each site from a remote location. Have been.
[0006]
However, this method is not necessarily linked to the observed attack, and is not sufficient as a unified security response.
[0007]
Also, a method has been devised in which an intrusion detection system (IDS: Intrusion Detection System) is distributed and arranged, and each IDS is centrally managed.
[0008]
This is also based on the premise that the detection function of the conventional IDS is independent for each base, and only monitors the warnings issued by the IDS in a unified manner. Some of the commercially available IDS products also implement a defense function such as blocking communication after detecting an attack, but this only works individually with the routers and firewalls at the base, and is based on the observed attacks. In conjunction with the access control function, no attempt has been made to defend the security management area of the entire network system based on a unified policy.
[0009]
Further, the sharing of protection policy information between different network systems is not performed as well.
[0010]
[Problems to be solved by the invention]
In recent years, the openness of networks and the widening of the area by interconnecting network systems, and further, the adoption of IT in Japan by the e-Japan strategy promoted by the government are being accelerated. This indicates that social activities are moving in a direction depending on the network system (network infrastructure). The fact that social activities themselves depend on the network infrastructure also means that, in the event that unauthorized access or the like is performed and security security is harmed, the extent of the damage spreads. It also means that threats from organized cyber terrorism and the like will increase.
[0011]
In particular, in a network system formed by a wide area intranet having a plurality of external connection points, protection measures by access control are all localized, and unified security management of the entire network infrastructure cannot be performed. It tends to fall, and the following problems occur.
[0012]
(1) Security management is not unified by each base.
[0013]
(2) It is difficult to execute a unified policy that assumes cyber attacks.
[0014]
(3) Protection policies are not shared between different network infrastructures.
[0015]
In a company-wide network system, one site within the wide area intranet does not detect any particular attack, so even if it looks safe, another site may have already been attacked or performed reconnaissance acts that can be regarded as a sign of it. If detected, there arises a problem of what kind of operation should be performed as the whole wide area intranet. In addition, there is a concern that a threat may emerge through a gap between a method of responding to a security incident and a method of managing a protection policy and exploiting the unification of security management.
[0016]
In a network system that forms a wide-area intranet where each site has an access point to an external network such as the Internet, security measures such as firewalls and IDSs are introduced at each site, and unauthorized access is monitored at each site. This may lead to securing a local security level at each site.
[0017]
However, since this is based on the detection of unauthorized intrusion by local observation, it is necessary to have a security case and a company-wide response system that may be a cyber terrorist attacking the entire wide area intranet with each base as an entrance They cannot overlook a wide range of incidents or even detect attacks. In this case, since unified access control linked to an attack observed at a certain base cannot be performed for the entire wide area intranet, it cannot be said to be an effective defense means as a security management method. If an external attack or a symptom of a server belonging to a certain base is detected, other servers that provide similar services may also be targets of the attack. It is difficult to secure the overall security level unless a uniform policy for the entire wide area intranet is applied so that no gap is created in the network system, such as restricting access to similar services belonging to the base.
[0018]
We also want to avoid shutting down the operation and services of the wide area intranet as much as possible. However, if there is a possibility that an attack that is assumed to be an extremely dangerous situation may be made, it is necessary to perform operations such as checking the security of the entire wide area intranet. It is also necessary to investigate and protect such incident information, which is constantly being announced by information providers such as CERT / CC and JPCERT / CC. It is more efficient to share protection policies for immediate action at each location than to create a protection policy for access control for protection by investigating each system administrator individually. . The same can be said between different wide area intranets.
[0019]
As described above, it is often thought that the introduction of a commercially available firewall or IDS is effective in the range of the conventional technology, but it is not enough by itself and involves the operation of security management controlled within the security management area. Safety can only be assured. Also, in a network system formed by a company-wide intranet, if each site has a connection point to an external network, not only security management at each site but also the entire network system as a security management area Unified security management is required. To do so, it is necessary to create a response system and a highly reliable coordination mechanism so as not to increase the operating costs of the network system.
[0020]
The present invention aims at providing a system and method capable of achieving enhanced and advanced cooperation in monitoring unauthorized access and enhanced and advanced cooperation in access control at the time of detection. It was done.
[0021]
Another object of the present invention is to provide a system and method for executing a unified protection policy regarding access control assuming a cyber terrorist attack, targeting security management of the entire network system.
[0022]
Another object of the present invention is to provide a system and method for sharing and cooperating with effective sharing of information effective for security management between different network systems.
[0023]
Still another object of the present invention is to provide an individual technology capable of realizing the above-described system and method.
[0024]
[Means for Solving the Problems]
A first aspect of the present invention is a wide area network protection system for protecting a wide area network having a plurality of connection points with an external network from unauthorized access, and (a) detecting unauthorized access at each of the connection points and generating alarm information. An unauthorized access detection system for notification, (b) alarm information storage means for storing the notified alarm information, and (c) extracting a communication activity as an access status of the wide area network from communication contents at each of the connection points. An activity monitor, (d) a communication activity storage means for storing the extracted communication activity, (e) a gate node provided at each of the connection points for executing access control, and (f) a gate node provided from the unauthorized access detection system. Based on the alarm information, the communication activity stored by the communication activity storage means is stored. An intrusion route analysis system that analyzes the detected intrusion route of unauthorized access based on the activity and the alarm information, and notifies the analysis result; and (g) the intrusion route analysis system based on the intrusion route analysis result and the alarm information. Protection policy generating means for generating an individual filtering policy as an access control rule; and (h) protection policy distributing means for distributing the individual filtering policy to the gate node. (I) At a plurality of connection points in the wide area network, Access control is performed.
[0025]
According to a second aspect of the present invention, there is provided a security system having one or more of the wide area network protection systems according to the first aspect of the invention as self-security domains, and a security center connected to each of the wide area network protection systems, B) The protection policy distributing means distributes an individual filtering policy also to the security center, and (b) the security center transmits (b-1) an individual filtering policy from the wide area network protection system in the self security domain. (B) general-purpose protection policy conversion means for converting the general-purpose filtering policy into a general-purpose filtering policy, and (b-2) general-purpose protection policy distribution means for distributing the general-purpose filtering policy to the wide area network protection system in the self-monitoring domain. Each of the wide area network protection systems receives the received generic file. The data ring policy has an individual protection policy conversion means for converting the individual filtering policy according to its own wide area network, which comprises carrying out the access control across between (d) a plurality of wide area networks.
[0026]
A third aspect of the present invention is a security system having a plurality of security centers that hierarchically manage one or a plurality of wide area networks having connection points with an external network, wherein each of the security centers is connected to another security center. And access control rules exchanging means for exchanging access control rules for avoiding unauthorized access, and sharing the access control rules.
[0027]
The unauthorized access tracking method according to the fourth aspect of the present invention is to transfer information of communication activity, which is an access status of a certain wide area network, between different wide area networks and / or across different security domains which are directed to a plurality of wide area networks. By notifying and tracking the communication activity, the network located farthest from the path viewed from the network on the victim side that has received the unauthorized access and its edge node are specified.
[0028]
According to a fifth aspect of the present invention, in the unauthorized access detection system provided at the connection point with the external network, the first intrusion detection device of the abnormality detection method and the second intrusion detection device of the unauthorized detection method are combined with each other. One intrusion detection device is connected in series so as to come to the external network side, and the first and second intrusion detection devices are operated in parallel.
[0029]
According to a sixth aspect of the present invention, in an unauthorized access detection system provided at a connection point with an external network, a first intrusion detection device of an anomaly detection method, a gate node for executing access control, and a second intrusion detection method are provided. Are connected in series in this order such that the first intrusion detection device comes to the external network side.
[0030]
A seventh aspect of the present invention is an unauthorized access detection system for detecting unauthorized access to a wide area network having an external network and a plurality of connection points, and (a) access source information and access of a plurality of connection points Based on the degree of relevance determined by the difference between the previous information and the chronological simultaneity, an information classification means for classifying a plurality of pieces of access information at each connection point, and (b) relevance of the classified access information, An unauthorized access determining means for determining that an unauthorized access has been made when a plurality of highly relevant accesses exist; and (c) combining an access to a plurality of connection points in a wide area network to establish an attack. It is characterized by detecting a wide-area attack.
[0031]
An eighth aspect of the present invention is a wide area network protection system for protecting a wide area network having a plurality of connection points with an external network from unauthorized access, wherein (a) detecting an unauthorized access at each of the connection points, An unauthorized access detection system for notifying alarm information including access destination information, access source information, and detection time concerning access; (b) alarm information storage means for storing the notified alarm information; (D) each time alarm information is notified from the unauthorized access detection system, compares the notified alarm information with the accumulated alarm information, and compares the notified alarm information with the accumulated alarm information. Alarm information classifying means for classifying alarm information based on the degree of relevance determined by the difference between the information and the information of the access destination and the synchronization of the detection time; (F) an unauthorized access determining means for estimating the relevance of a plurality of unauthorized accesses based on the classification result and determining that wide-area unauthorized access has been performed when there are a plurality of highly related accesses; Protection policy generating means for generating an individual filtering policy as an access control rule in the gate node based on the determination and the alarm information; and (g) protection policy distributing means for distributing the individual filtering policy to the gate node. And (h) combining an unauthorized access to a plurality of connection points in a wide area network to detect a wide area attack in which an attack is established, and performing access control at the connection points.
[0032]
A ninth aspect of the present invention is a wide area network protection system for protecting a wide area network having a plurality of connection points with an external network from unauthorized access, wherein (a) access to the wide area network is determined based on communication contents at each of the connection points. An activity monitor for extracting a communication activity that is a situation and includes information on an access destination, information on an access source and detection times thereof; (b) communication activity storage means for storing the extracted communication activity; (D) each time a communication activity is extracted from the activity monitor, a comparison is made between the extracted communication activity and the accumulated communication activity, and information on the access source is provided. And the degree of relevance determined by the difference in access destination information A communication activity classifying means for classifying communication activities based on the synchronization of known times; and (e) a plurality of communication activities having a high relevance by estimating the relevance of the plurality of communication activities based on the classification result. Unauthorized access determining means for determining that wide-area unauthorized access has been performed, and (f) a protection policy for generating an individual filtering policy as an access control rule in the gate node based on the determination and the communication activity. Generating means and (g) protection policy distributing means for distributing the generated individual filtering policy to the gate node, and (h) combining access to a plurality of connection points in the wide area network to form a wide area where an attack is established. To detect dynamic attacks and enforce access control at connection points And it features.
[0033]
According to a tenth aspect of the present invention, there is provided an unauthorized access tracking method for tracking a source of an unauthorized access to any site in a network, wherein (a) a communication activity which is an access status at each site is extracted; An activity map is generated by linking the communication activities extracted at the bases, (c) a communication activity corresponding to alarm information relating to unauthorized access is searched, and (d) a trajectory of the activity map relating to the searched communication activity. The intrusion route is detected based on
[0034]
An eleventh aspect of the present invention relates to a security management method based on access control of a wide area network, comprising: (a) alarm information from a certain base indicating that an unauthorized access has been detected, and communication activity indicating the access status of communication at each base. (B) generate an access control rule for eliminating access to each site in the wide area network, and (c) apply the access control rule to the gate of each site. Distribute to nodes.
[0035]
The twelfth aspect of the present invention is a security management method based on access control of a wide area network, wherein (a) protection processing for sending an access control rule for excluding access to each site in the wide area network; Tracking processing to track the route to which access was added, (c) alert processing to perform reverse scanning for network search toward the source of unauthorized access, and (d) attack toward the source of unauthorized access (E) transmitting and receiving necessary information in each of the above-described processes between bases in the wide area network, between the bases, and the wide area network.
[0036]
A thirteenth aspect of the present invention is an attack protection method for protecting against a distributed denial of service such as a DDoS attack. It exchanges information within its own security domain and also exchanges information among multiple security domains, and (b) tracks the source of distributed denial of service by coordinating the exchanged communication activities. The present invention is characterized in that a network located far from the network and an edge node in the network are specified to exclude access.
[0037]
BEST MODE FOR CARRYING OUT THE INVENTION
(A) Embodiment
Hereinafter, an embodiment of a security system and a wide area network protection system according to the present invention will be described in detail with reference to the drawings.
[0038]
(A-1) Outline description of the embodiment
(A-1-1) Configuration of system and security management area
FIG. 1 is a block diagram showing an overall configuration image of the cooperative security system of the embodiment. FIG. 1 also shows a mutual relationship between the cooperative security system and the wide area intranet protection system (wide area network protection system). I have.
[0039]
FIG. 2 is a block diagram showing an image of the internal configuration of each wide area intranet protection system in FIG.
[0040]
When a certain network system is formed by a wide area intranet and each site has a different access point, the security area is referred to as a “management domain” with respect to access control of the network system. Also, a management domain in a state where such a network system (wide area intranet) is interconnected by some external network (for example, the Internet) is referred to as a “security domain”.
[0041]
In other words, in the cooperative alerting system of this embodiment, in a model in which certain wide-area intranets are connected to each other by an open (security-uncontrolled) network such as the Internet, there is an alert in which the management domains are in a hierarchical relationship. Included in the domain.
[0042]
It should be noted that the intranet in the present invention does not cover only an intranet indicating a network in a company that cannot be accessed from outside, but covers all IP networks.
[0043]
An example of the security domain of the cooperative security system shown in FIG. 1 is that a central monitoring center 1A, 1B,..., 1C is provided in a wide area intranet A, B,. .., 2C corresponding to C are arranged in parallel, and the management domains 2A, 2B,.
[0044]
The management domains 2A, 2B,..., 2C of the wide area intranets A, B,..., C (corresponding to the respective elliptical areas in FIG. 1) are unified access by the corresponding central monitoring centers 1A, 1B,. The environment is such that security management for control can be executed.
[0045]
, 2C (in FIG. 1, located above each central monitoring center 1A, 1B,..., 1C), the cyber terrorism alert center 3 includes the management domains 2A, 2B, ... In order to perform security management relating to overall access control in 2C, a security domain is formed, and attack information and protection policies are exchanged with each central monitoring center 1A, 1B,. Do the sharing.
[0046]
Further, the cyber terrorism alert center 3 exchanges attack information and protection policies with the alert centers 3x on other similar alert domains, and shares information.
[0047]
In addition, the cyber terrorism alert center 3 is provided with an attack information and valid information from an information center (information providing organization; for example, JPCERT / CC in Japan, IPA security center (information processing promotion business association), etc.) 4 concerning unauthorized access and cyber terrorism cases. In addition to being able to receive information on safeguarding means, it is also possible to provide information to the information center 4.
[0048]
3 and 4 show the relationship between the management domain and the alert domain.
[0049]
FIG. 3 and FIG. 4 are diagrams illustrating a range (management domain) for executing unified policy management in each network system (wide area intranet) and a policy control between the wide area intranet to realize a cooperative security system. It shows the scope of coordination (warning domain) and the relationship of coordinating policy control among a plurality of vigilance domains, and complements FIG.
[0050]
FIG. 3 shows a hierarchical structure of a management domain and a security domain as a range of each security management area of the cooperative security system and the wide area intranet protection system.
[0051]
FIG. 4 shows a plurality of cooperative security systems in which security domains (each corresponding to a cyber terrorism security center) that bundle security management areas (management domains) between wide area intranet protection systems cooperate with each other. It shows the configuration.
[0052]
(A-1-2) Configuration of Wide Area Intranet Protection System
FIG. 2 is a block diagram showing an image of the internal configuration of each of the wide area intranet protection systems 5A to 5C in FIG. 1 taking the wide area intranet protection system 5A as an example.
[0053]
The network (wide area intranet) shown in FIG. 2 (corresponding to 2A in FIG. 1) has four bases (A1 / GN, A2 / GN, A3 / GN) having a plurality of access points connected to an external network such as the Internet. , A4 / GN), and shows a general wide-area intranet in which those sites are interconnected by an internal network. The access point at each base is connected to a public line due to geographical restrictions, for example, and provides business services provided by this network. In this case, the range of the management domain is the entire wide area intranet including the four bases shown in FIG.
[0054]
The central monitoring center 1A shown in FIG. 2 (and FIG. 1) performs overall security management of the wide area intranet. The central monitoring center 1A manages access control of each of the bases A1 / GN, A2 / GN, A3 / GN, and A4 / GN, and executes an activity monitor 10 disposed at each base to execute security management in the management domain. The security management information necessary for access control is exchanged between the unauthorized access detection system 11 and the gate node 12.
[0055]
The central monitoring center 1A includes at least a communication activity monitoring system 1A-1, an intrusion route analysis system 1A-2, a protection policy management system 1A-3, and a data storage system 1A-4.
[0056]
The communication activity monitoring system 1A-1 collects communication activities and the like notified from the activity monitors 10 arranged at the bases A1 / GN,..., A4 / GN ((1)), and attaches the communication activities to the communication activities. The stored information is stored in the data storage system 1A-4, and the status and attributes of the communication activity are monitored.
[0057]
Although details will be described later, in this specification, the state of access to the wide area intranet, which can be determined from the communication content, is called “communication activity”.
[0058]
The intrusion route analysis system 1A-2 receives a warning (3) from the unauthorized access detection system 11 located at each base A1 / GN,..., A4 / GN regarding the detection of the attack (2) and manages the protection policy. Based on the analysis instruction from the system 1A-3, the intrusion route is analyzed based on the information included in the alarm sent from the unauthorized access detection system 11 and the communication activity collected by the communication activity monitoring system 1A-1 ((4)). ) And notifies the protection result to the protection policy management system 1A-3.
[0059]
When receiving the alarm (3) from the unauthorized access detection system 11, the protection policy management system 1A-3 stores it in the data storage system 1A-4, and based on the information included in the alert, detects the detected unauthorized access. Is determined, and when it is determined that the risk level is high, the intrusion route analysis system 1A-2 is instructed to analyze the intrusion route. Then, based on the intrusion route analysis result (4) from the intrusion route analysis system 1A-2 and the information included in the alarm, the information is distributed to the gate nodes 12 located at the bases A1 / GN,..., A4 / GN. In this case, a filtering policy relating to access control is generated and distributed to each gate node 12 ((5)).
[0060]
The filtering policy is for instructing the gate node 12 to perform an access control for excluding a specific access, for example, by denying access (Refuse) or ignoring access (Drop).
[0061]
The data storage system 1A-4 is for storing various data.
[0062]
In this embodiment, an example is described in which the protection policy management system 1A-3 receives and accumulates alarms and instructs analysis, but the present invention is not limited to this. The system 1A-2 may receive and accumulate alarms and analyze the intrusion route.
[0063]
Each of the bases A1 / GN,..., A4 / GN in the wide area intranet has a connection point (access point) with one or a plurality of external networks. As described above, the activity monitor 10, the unauthorized access detection system 11, and the gate node 12 are arranged at each of the bases A1 / GN,..., A4 / GN.
[0064]
The unauthorized access detection system 11 performs intrusion detection at an access point. The activity monitor 10 monitors the state of access (communication activity) to the wide area intranet 1A from the communication contents. The gate node 12 is located at a boundary point between each base and the internal network, and is a relay device that can disconnect communication based on a filtering policy.
[0065]
FIG. 5 is a block diagram showing an example of a hardware configuration arranged at each base A1 / GN,..., A4 / GN.
[0066]
In FIG. 5, at each base An / GN (n is 1 to 4) in FIG. 2, an external network such as a public network or an Internet network and an internal network system are connected via a router 20, a gate node 12, and a firewall 22. Indicates that it is connected. The router 20 and the firewall 22 are similar to known ones.
[0067]
The gate node 12 is a relay device capable of disconnecting communication based on the protection policy as described above, and as shown in FIG. 22, a first transmitting / receiving unit 61 for transmitting / receiving a signal, a second transmitting / receiving unit 62, A storage unit 63 for storing signals is provided. The signals received by the first or second transmission / reception units 61 and 62 are determined, stored in the storage unit 63, and stored in the storage unit 63 based on the received filtering policy. And a control unit 64 for controlling disconnection of communication depending on whether or not to send the transmitted signal to the other transmitting / receiving unit.
[0068]
As shown in FIG. 5, each site is provided with an activity monitor 10, an abnormality detection (AD) unit 23, and a fraud detection (MD) unit 24.
[0069]
The activity monitor 10 is a line monitor that can extract information related to communication activity from packet information on a communication path. As shown in FIG. 23, the signal monitor 71 detects a signal on the communication path. It comprises a signal storage unit 72 for storing, and a control unit 73 for controlling the above configuration and transmitting communication activity to the central monitoring center 1A. When transmitting the communication activity, information for specifying the activity monitor serving as the transmission source or information for specifying the gate node at the base where the activity monitor is arranged may be attached.
[0070]
Here, the arrangement of the activity monitors 10 is not limited to this, and may be the arrangement of the activity monitors 10 ′ indicated by broken lines, or both. Further, the activity monitor may be arranged in the gate node 12.
[0071]
The AD device 23 detects, for example, unknown attacks and signs on a communication path between the router 20 and the gate node 12, and the MD device 24 includes, for example, a device between the gate node 12 and the firewall 22. A known attack is specified by using a communication path as a detection target.
[0072]
The unauthorized access detection system may be constituted by either the AD device 23 or the MD device 24, or may be constituted by both the AD device 23 and the MD device 24. And the gate node 12. The AD device 23 and the MD device 24 are similar to known devices.
[0073]
In addition, when an unauthorized access detection system detects an attack (illegal access), as an alert, the danger level of the attack (high, low, etc.), the name of the attack (name of the individually defined attack), the source and destination of the attack Information, attack protocol type, attack detection time, etc. are notified to the central monitoring center. It should be noted that information specifying the unauthorized access detection system as the transmission source or information specifying the gate node of the base where the unauthorized access detection system is located may be attached to the alarm.
[0074]
The gate node 12, the activity monitor 10, the AD device 23, the MD device 24, and the like are connected to the above-described central monitoring center 1A (for example, via a second router 25, a router 1A-5 (FIG. 2), and a dedicated line). 2) and can exchange information with the central monitoring center 1A.
[0075]
Various servers such as a Web server 26, a mail server 27, and a DNS (Domain Name System) server 28 are connected to the firewall 22.
[0076]
(A-1-3) Outline of operation of wide area intranet protection system
Next, an outline of the operation of the wide area intranet protection system will be described with reference to FIG. 1, FIG. 2, and FIG.
[0077]
Step S1: In the wide area intranet A having a plurality of access points, the activity monitors 10 arranged at each of the bases A1 / GN to A4 / GN constantly monitor the access status (communication activity), and each time the access status changes. The communication activity monitoring system 1A-1 of the central monitoring center 1A is notified of the changed communication activity.
[0078]
In the communication activity monitoring system 1A-1 in the central monitoring center 1A, the activity monitor 10 which is the notification source of the communication activity transmitted from the activity monitors 10 arranged in all the bases A1 / GN to A4 / GN is specified. The information is stored in the data storage system 1A-4 in association with the information to be performed (the information may be stored in association with the information specifying the gate node 12 of the base where the activity monitor 10 is arranged), and based on the stored communication activity. Then, the attributes of the communication activities passing through all the bases A1 / GN to A4 / GN in the management domain 2A (FIG. 1), and the occurrence and disappearance of the communication activities are monitored, and the access status of the entire wide area intranet A is grasped.
[0079]
Step S2-1: When the unauthorized access detection system 11 arranged at the access point of a certain base An / GN detects an unauthorized access such as an attack or information suspected of the attack, the unauthorized access detection system 11 outputs Information about the danger level (high, low, etc.) of the detected unauthorized access, information of the access source and access destination (source IP address, source port number, destination IP address, destination port number, etc.) Address, etc.), protocol type, detection time, etc. are notified to the protection policy management system 1A-3 in the central monitoring center 1A. Upon receiving the notification, the protection policy management system 1A-3 stores the received alarm in the data storage system 1A-4 in association with the information specifying the unauthorized access detection system 11 that has sent the notification (the unauthorized access detection system 11A). May be stored in association with the information specifying the gate node 12 of the base where the is located), and if the danger level is determined to be low based on the danger level, it is left as it is and the danger level is determined to be high In this case (for example, when the risk level of the attack included in the alarm indicates “high”), the instructing route analyzing system 1A-2 is instructed to analyze the intruding route.
[0080]
Step S2-2: In the intrusion route analysis system 1A-2 in the central monitoring center 1A instructed to analyze, the intrusion route analysis system 1A-2 refers to the data storage system 1A-4 and communicates with the communication activity of the entire wide area intranet A sent from the activity monitor 10. Based on the information on the alarm transmitted from the unauthorized access detection system 11, the intrusion route in the wide area intranet A through which the communication activity related to the detected unauthorized access has passed is analyzed.
[0081]
For example, the communication activity is compared with the information included in the alarm, and the communication activity having the same detection time or within a predetermined time, and the communication activity having the same attribute as the access source / access destination information and the protocol type is extracted. By specifying the gate node 12 through which the regarded communication activity has passed, it is possible to determine a passage route in the wide area intranet A, that is, an intrusion route. As the analysis result, information (address or the like) for specifying the specified gate node 12 is notified.
[0082]
This is because, in a very wide-area network such as the Internet, a certain server is hijacked by an attacker, and operations that falsify the IP address of the transmission source (address spoofing of a host that has been used as a springboard or IP spoofing) are performed. However, this means that it is possible to determine the route (intrusion route) through which the communication has actually passed by judging the attributes of the communication activity, which is effective as a so-called Internet source tracking and reverse detection technology. is there.
[0083]
Step S3: In the protection policy management system 1A-3 in the central monitoring center 1A, the analysis result of the intrusion route from the intrusion route analysis system 1A-2 is stored in the data storage system 1A-4, and the data storage system 1A-4. , Generating a filtering policy to be distributed to the gate nodes 12 located at the bases A1 / GN,..., A4 / GN based on the analysis result of the intrusion route and the information included in the alarm, Store it and distribute it to each gate node 12.
[0084]
At this time, as the filtering policy distributed to each gate node 12, a separate filtering policy may be generated for each of the gate node that has become the direct intrusion route and the gate node that has deviated from the intrusion route.
[0085]
For example, there is a filtering policy in which a gate node that has become a direct intrusion route is closed until security is confirmed, and a gate node that deviates from the direct intrusion route is denied access from the source of the attack. Is also good.
[0086]
Further, for example, in order to close the entire wide area intranet A from the external network, a filtering policy such as closing may be generated and distributed to all gate nodes.
[0087]
Furthermore, for example, if a filtering policy has been distributed to each gate node before, the filtering policy is managed so that the filtering policy can be optimized so that the cancellation of the running filtering policy and the inconsistency between the filtering policies can be eliminated, and the generation and management of the filtering policy can be performed. You may make it distribute.
[0088]
As described above, in the wide area intranet protection system 5A, the security management relating to the access control that has been individually performed in each of the bases A1 / GN,... "Monitoring of communication activity in a wide area intranet", "Analysis of intrusion routes", and "Access to each site based on the analysis results" for efficient security management of the entire network infrastructure that can not be done by local defense of Control related management "can be performed.
[0089]
(A-1-4) Information exchange between the central monitoring center and the cyber terrorism alert center
Next, information exchange between the central monitoring center 1A of the wide area intranet protection system and the cyber terrorism alert center 3 will be described with reference to FIGS.
[0090]
The cyber terrorism alert center 3 is used to store received information, exchange information with a DB server for storing information in advance and other components, generate / distribute / manage general-purpose protection policies, and analyze information. It consists of a management server for performing.
[0091]
As described above, each central monitoring center (for example, 1A) has information (communication activity) regarding the access status notified from each base (A1 / GN,..., A4 / GN) in the wide area intranet (A). In addition, alarms regarding detected unauthorized access, information regarding intrusion routes, and a filtering policy as a protection policy for them are managed.
[0092]
The cyber terrorism alert center 3 receives a notification of a filtering policy distributed by the central monitoring center based on an alarm regarding unauthorized access detected in the management domain of each central monitoring center under its jurisdiction. In the example of FIG. 1, the protection policies A and B notified from the central monitoring centers 1A and 1B to the cyber terrorism alert center 3 correspond to the protection policies A and B. The notification from the central monitoring center to the cyber terrorism alert center is notified when the central monitoring center distributes the filtering policy to the gate nodes.
[0093]
Upon receiving the notification from the central monitoring centers 1A and 1B, the cyber terrorism alert center 3 applies the notified filtering policies A and B to information that can be distributed to another management domain (the central monitoring center 1C in FIG. 1). To collect only the information including the type of detected attack and the source of the traceable attack, and distribute the filtering policy used by each of the central monitoring centers 1A and 1B. The address of the previous gate node is converted into the removed information, which is distributed as a general-purpose filtering policy to each of the central monitoring centers 1A, 1B, and 1C.
[0094]
As a result, in the wide area intranet C managed by the central monitoring center 1C, even if no actual harm is detected, the general filtering policy is eventually shared.
[0095]
(A-1-5) Handling of general-purpose protection policy in the management domain
Next, the handling of the general-purpose protection policy from the cyber terrorism alert center in the management domain will be described using a general-purpose filtering policy as an example with reference to FIGS.
[0096]
The general-purpose filtering policy distributed from the cyber terrorism security center 3 is converted into generalized information in the cyber terrorism security center 3 by removing the address information and the like of the distribution destination gate node. In the protection policy management system of 1C, upon receiving the general-purpose filtering policy, the address information on each of the wide area intranets A,..., C is added and converted into a filtering policy (individual filtering policy). 12 (FIG. 2).
[0097]
As described above, the general-purpose filtering policy is converted into an individual filtering policy that can be distributed to the gate node 12 in its own management domain in the protection policy management system of each central monitoring center 1A,. Be distributed.
[0098]
At this time, the protection policy management system of the central monitoring centers 1A,..., 1C manages the filtering policy so as to match and optimize the relationship with the previously distributed filtering policy. For example, if the filtering policy is the same as the already distributed filtering policy, the second distribution is omitted. Further, for example, when the access control range of the filtering policy distributed last time is wide and the access control range is likely to be narrowed by a newly generated individual filtering policy, the narrowing of the access control range is avoided.
[0099]
(A-1-6) Information exchange between cyber terrorism alert centers
Next, information exchange between the cyber terrorism alert center 3 and another cyber terrorism alert center 3x will be described using a filtering policy as an example with reference to FIG.
[0100]
As described above, when receiving the filtering policy (individual filtering policy) from within the self-monitoring domain, the cyber terrorism alert center 3 determines the validity based on whether or not the filtering policy has already been distributed. A general-purpose filtering policy is generated based on the filtering policy and distributed to the central monitoring centers 1A to 1C in the self-monitoring domain (the validity may be determined after the general-purpose filtering policy is generated).
[0101]
Further, the cyber terrorism security center 3 exchanges general protection policies accumulated in each other's security domains with another similar cyber terrorism security center (the other security center in FIG. 1) 3x, The validity is determined based on whether or not it has already been distributed, a general-purpose protection policy that is valid in the self-monitoring domain is extracted, and the policy is distributed to each central monitoring center under the control.
[0102]
Each central monitoring center (1A,..., 1C) adds individual information to the general-purpose protection policy distributed from the upper-level cyber terrorism alert center 3 (FIG. 1), and sets each gate node as a protection policy (individual protection policy). 12 (FIG. 2).
[0103]
(A-1-7) Information exchange between the information center and cyber terrorism alert center
Next, information exchange between an information center for providing information on a security case (so-called incident information) and a cyber terrorism alert center will be described with reference to FIG.
[0104]
Cyber terrorism alert center 3 is provided by an information center of another organization for providing information on security cases (for example, JPCERT / CC in Japan and IPA Security Center (Information Processing Promotion Association), and CERT / CC in the United States). Collect attack information on illegal access cases and cyber terrorism incidents as well as information on their protection as necessary. Then, a general-purpose protection policy is generated based on the policy, distributed to the central monitoring centers 1A to 1C in the self-monitoring domain, and the general-purpose protection policy is exchanged with another security center 3x. Alternatively, it instructs the central monitoring centers 1A to 1C in the self-monitoring domain to start detecting a wide-area attack based on the information.
[0105]
As a result, information is distributed to each security domain and the subordinate management domains, so that information necessary for defense related to access control can be effectively used.
[0106]
(A-2) Detailed description of main functions of the embodiment
FIG. 7 shows the main functions of the system of the embodiment in a centralized monitoring center and a cyber terrorism alert center.
[0107]
The main functions of the central monitoring center are:
(1) Collection and monitoring of communication activity status (communication activity) on the network
(2) Processing based on hybrid IDS monitoring that combines fraud detection and abnormality detection
(3) Attack and activity tracking on wide area intranet (intrusion route analysis)
4) Generation of protection policy (individual protection policy) for wide area intranet and distribution to gate nodes
(5) Convert general-purpose protection policies from the upper security center into protection policies (individual protection policies)
The central monitoring center has a function realizing unit for these functions.
[0108]
The key functions of the Cyber Terrorism Alert Center include:
(1) Collection and analysis of protection policies (individual protection policies) from the lower central monitoring center
(2) Generating and distributing general-purpose protection policies based on various analysis results
(3) Transfer of general-purpose protection policies between security centers and coordinated activity tracking
(4) Collecting and providing information on cyber terrorism from information centers, security centers, etc.
The cyber terrorism alert center has a unit that realizes these functions.
[0109]
(A-2-1) Main functions of the central monitoring center
Hereinafter, the main functions of the central monitoring center 1A will be described using the central monitoring center 1A shown in FIGS. 1 and 2 as an example.
[0110]
(1) Collection and monitoring of communication activity status (communication activity) on the network
The communication activity monitoring system 1A-1 of the central monitoring center 1A constantly monitors the access status (communication activity) of the communication provided from the activity monitor 10 and passing through each of the bases A1 / GN,..., A4 / GN. The analysis system 1 </ b> A- 2 can analyze the intrusion route based on the communication activity passing through the base in the wide area intranet A and the alarm of the unauthorized access detection system 11.
[0111]
(2) Processing based on hybrid IDS monitoring that combines fraud detection and abnormality detection
The unauthorized access detection system 11 can perform advanced unauthorized access detection by being configured as a hybrid IDS that combines unauthorized detection and abnormality detection, and is sent as a warning from the unauthorized access detection system 11 at the central monitoring center 1A. The intrusion route is analyzed based on the information. Furthermore, even if the unauthorized access detection system 11 cannot regard the attack as an attack or determines that the danger level is low, the central monitoring center 1A analyzes the information and distributes it. It also detects unauthorized access that can be regarded as an attack (wide-area attack detection), and generates and distributes a protection policy based on this.
[0112]
(3) Attack and activity tracking on wide area intranet (intrusion route analysis)
The intrusion route analysis system 1A-2 uses the communication activity collected by the communication activity monitoring system 1A-1 of the central monitoring center 1A and information sent as an alert from the unauthorized access detection system 11 to use the wide area intranet through which the attack has passed. Analyze the path in A. As a result, even if a host or the like in the wide area intranet A is used as a springboard and the address information of the source is spoofed, the source of the attack is analyzed (reverse detection) within the range of the network where communication activity can be observed. Is possible.
[0113]
4) Generation of protection policy (individual protection policy) for wide area intranet and distribution to gate nodes
The protection policy management system 1A-3 relies on the information sent as an alarm from the unauthorized access detection system 11 and the information sent as the analysis result of the intrusion route analysis system 1A-2 to determine each gate node on the wide area intranet A. Then, a protection policy (individual protection policy) including the address information of the T.12 is generated and distributed to each gate node 12 (at this time, also distributed to a higher-level cyber terrorism alert center).
[0114]
Further, the protection policy management system 1A-3 centrally manages the protection policies distributed to all gate nodes 12 on the wide area intranet A so that there is no conflict between the protection policies in the wide area intranet A.
[0115]
(5) Convert general-purpose protection policies from the upper security center into protection policies (individual protection policies)
It receives a general-purpose protection policy distributed from the cyber terrorism security center 3 in the security domain to which the wide area intranet A belongs, converts it into a protection policy (individual protection policy) that can be distributed to each gate node 12, and distributes the policy. In addition, it is applied to the management of the protection policy similar to the function (4).
[0116]
(A-2-2) Cyber terrorism alert center (cooperative alert system)
Hereinafter, the main functions of the cyber terrorism alert center will be described using the cyber terror alert center 3 shown in FIGS. 1 and 2 as an example.
[0117]
(1) Collection and analysis of protection policy (individual protection policy) from lower central monitoring center Distribution of protection policy (individual protection policy) from each central monitoring center 1A-1C in the security domain managed by cyber terrorism security center 3 Upon receipt, the information is accumulated in the own cyber terrorism alert center 3 and the accumulated protection policy is analyzed.
[0118]
(2) Generating and distributing general-purpose protection policies based on various analysis results
The protection policy (individual protection policy) distributed from each of the central monitoring centers 1A to 1C is analyzed, the validity is determined based on whether or not the centralized monitoring center has been distributed. In the case of 1A, if the information is valid in 1B, 1C), a general-purpose protection policy is generated by removing the address of the individual server targeted by the attack, the address information of the individual gate node, and the like. It is distributed to the monitoring centers (1B, 1C).
[0119]
(3) Transfer of general-purpose protection policies between security centers and coordinated activity tracking
It accumulates a general-purpose protection policy generated and distributed in the self-guard domain and a general-purpose protection policy generated and distributed based on information on cases collected from other information organizations, and a cyber terrorism security center 3x other than the self-guard domain. (When generating and distributing a general-purpose protection policy, it is also distributed to cyber terrorism alert centers 3x other than the self-warning domain).
[0120]
A new general-purpose protection policy may be received and accumulated from another cyber terrorism security center 3x, and may be exchanged with another cyber-terrorism security center (forwarding (transferring) of the general-purpose protection policy). ). The validity of a new general-purpose protection policy received from another cyber terrorism alert center 3x is determined based on whether or not it has been distributed. If it is valid for the self-warning domain, it is sent to each central monitoring center 1A-1C under its control. Distribute as a protection policy.
[0121]
Collaborative activity tracking distributes a protection policy received from one central monitoring center (eg, 1A) in the self-monitoring domain to a central monitoring center (eg, 1B, 1C) in another management domain, and distributes the distributed central monitoring center (eg, 1B, 1C). For example, 1B, 1C) searches for a communication activity having the same attribute in the self-managed domain based on the protection policy, and if the communication activity exists, notifies the cyber terrorism alert center 3 of the fact. Send to This makes it possible to trace the source of the communication activity having the attribute detected in one management domain across another management domain. Further, from the viewpoint of defense, it is more effective to apply a protection method such as closure on a network closer to the transmission source in terms of minimizing damage. In particular, in the case of a denial of service (DoS attack) or the like, if it is known that a transmission source passes through another management domain, it is more effective as a defense means to apply a closing procedure at a gate node closer to the transmission source.
[0122]
The above-mentioned tracking function will be described later in more detail with reference to FIG.
[0123]
(4) Collecting and providing information on cyber terrorism from information centers, security centers, etc.
It collects attack information and protection measures from other information organizations such as information centers and security centers that provide information on cyber terrorism cases and unauthorized access cases, and accumulates them as general-purpose protection policies.
[0124]
The stored general-purpose protection policy is converted into an expression format that allows other information organizations to use the information, and information is provided.
[0125]
(A-3) Description of Individual Technology in Embodiment
Among the individual technologies applied in the embodiment, the intrusion detection technology, the intrusion route analysis technology, the protection policy management technology, and the technology for sending and receiving cooperative policy information are supplementarily described below.
[0126]
(A-3-1) Attack detection method for efficient defense (intrusion detection technology)
(A-3-1-1) Attack classification to be detected
As attacks to be detected, (1) actions similar to network exploration such as port scanning, (2) unauthorized access actions (known attacks using protocol parameters or unknown attacks equivalent thereto), (3) DoS attacks and DDoS Attack, (4) Worm-type computer virus infection activities, etc.
[0127]
(A-3-1-2) Local attack detection
As a local attack detection method at each base, the first method or the second method described below is applied.
[0128]
In the first method, as shown in FIG. 9, a fraud detection device (MD) 24 and an abnormality detection device (AD) 23 can be used together at each site to perform highly sensitive attack detection, and a worm-type It is designed to enable detection of computer virus activity attacks.
[0129]
In FIG. 9, an anomaly detection device (AD) 23 detects a sign of an attack or an unknown attack at a network observation point by using a detection engine (detection rule, etc.) 23E, and detects fraud. The device (MD) 24 detects (identifies) a known attack with reference to a database 24D in which pattern information of the known attack is stored. Here, as the fraud detection device (MD) 24 and the abnormality detection device (AD) 23, existing devices can be applied. However, the information provided by the protection policy or the like is immediately reflected in the database 24D and the detection engine 23E, and the improper detection device (MD) 24 and the abnormality detection device (AD) 23 operate in parallel while being connected in series. Is different from the prior art.
[0130]
In the first method, the fraud detection device (MD) 24 and the abnormality detection device (AD) 23 are provided on the same side as the external network or the internal network with respect to a gate node (not shown).
[0131]
In the second method, at each site, as shown in FIG. 10, a fraud detection device (MD) 24, a gate node 12, and an abnormality detection device (AD) 23 are used together to realize more sensitive attack detection. It is what it was.
[0132]
In the second method, it is possible to control such that only traffic conforming to a filtering policy from a central monitoring center (not shown) flows into the internal network by a traffic filter function (communication disconnection function) of the gate node 12. In the first method, all traffic is observed at the network observation point, and there is a possibility that an attack that does not affect the internal network may be detected.
[0133]
By applying the second method, at the network observation point 1 on the external network side, all traffic is observed to observe a wide range of signs of an attack. At the network observation point 2 on the internal network side, attack noise is removed. It is also possible to observe only attacks related to the security policy of the internal network.
[0134]
As described above, by combining the gate nodes 12, anomaly detection (anomaly detection) is used for detecting a sign of an attack, the gate node 12 is used for narrowing an attack (removal of attack noise), and fraud detection (misuse detection) is used for an attack. Since a mechanism can be used to specify the security, it is possible to detect attacks for more efficient defense in security management.
[0135]
(A-3-1-3) Wide-area attack detection (distributed attack detection)
In one local monitoring by the unauthorized access detection system, even if the access is not regarded as an attack or the unauthorized access is determined to have a low risk level, the relevance is analyzed as a wide area distributed network as shown in FIG. By doing so, it can be detected as an unauthorized access with a high risk level. The wide-area attack detection in the wide-area intranet detects a wide-area attack based on communication activity or an alarm collected from each base by the central monitoring center.
[0136]
Detection of a wide-area attack is performed constantly, periodically, or as needed (when a wide-area attack is detected in another alert domain or an administrative domain, or when frequent unauthorized access is detected, and the like). Shall be.
[0137]
A wide-area attack related to access that is not regarded as an attack is detected by the communication activity monitoring system comparing the newly received communication activity with the accumulated communication activity, classifying the communication activity, and determining the degree of risk. The communication activities to be compared are premised on that the activity states of newly received and accumulated communication activities are performed for communication activities during connection-type connection establishment.
[0138]
More specifically, when the detection of a wide-area attack is started, the communication activity monitoring system refers to the data storage system storing the communication activity when a new communication activity [a] is notified from the activity monitor, The notified communication activity [an] and the activity endpoint and the protocol type of one or a plurality of communication activities [b] detected from the detection time of the communication activity [a] to a predetermined time [t] before are notified. Every time the communication is performed, the communication activity [bn] having the same protocol type is compared with that of the source IP address and the destination IP address by comparing the communication activity [bn] with that of [an]. Classify according to. Further, the communication activity [b] is classified together with information (such as an address) specifying the gate node located at the base to which the communication activity [b] has been notified.
[0139]
FIG. 11B shows the classification according to the match / mismatch between the source IP address and the destination IP address. The degree of relevance is A when the source and destination are the same, and the degree of relevance is when the source is the same and the destination is different. B, a case where the transmission source is different and the destination is the same, is defined as a degree of association C, and a case where the source and destination are different is defined as an association degree D, and the communication activity [bn] is classified together with information specifying the gate node.
[0140]
After the classification of the communication activity [bn] is completed, the communication activity [bn] from the same gate node is counted as one by using the information specifying the gate node for each degree of association, so that all the communication activities [bn] are counted. bn] and the number Y of the communication activities [bn] classified into the degrees of association A, B and C, and the ratio Z of the number Y to the number X is calculated. (The above process is repeated each time a new communication activity [a] is received.) Then, if the ratio Z is equal to or more than a predetermined ratio (for example, 50%), it is determined that the attack is a wide-area attack, and To the protection policy management system.
[0141]
Note that, in the above example, an example in which a new communication activity [a] notified from the activity monitor is compared with the communication activity [b] has been described. [C] (e.g., one determined to have a high risk) is used, and each time a new communication activity [a] is notified, the communication activity [c] is compared with the communication activity [b]. It does not matter.
[0142]
Wide-area attacks related to unauthorized access determined to have a low risk level are detected by the protection policy management system by comparing, classifying, and determining the level of alerts sent from the unauthorized access detection system.
[0143]
More specifically, the protection policy management system stores information on alarms received from the unauthorized access detection system in the data storage system. When detection of a wide-area attack is started, a new alarm [a] is notified. Each time, the stored alarm-related information is referred to, and the notified alarm [an] and one or more alarms [b] detected during a predetermined time [t] from the detection time of the alarm [a]. And compares the information of the access source and the access destination and the protocol type included in the above (the one to be compared with [an] is referred to as an alarm [bn]), and outputs the alarm [bn] having the same protocol type as the access source IP address. Classification is made according to the match / mismatch of the access destination IP address. Further, the alarm [b] is classified together with information (such as an address) specifying the gate node located at the base to which the alarm [b] has been notified.
[0144]
The classification of the alarm [bn] and the processing after the completion of the classification are performed in the same manner as described above, except that the communication activity of the detection regarding the access that is not regarded as an attack is replaced with the alarm, and the ratio Z is obtained. If it is (for example, 50%) or more, it is determined that the attack is a wide-area attack.
[0145]
In the processing after determining that the attack is a wide-area attack, the determination for an access that is not regarded as an attack is the same as the determination for an unauthorized access that is determined to have a low risk level. A filtering policy is generated based on the determined communication activity or alert, and is distributed to gate nodes classified into relevance levels A, B, and C. It should be noted that the filtering policy may be distributed including the gate nodes classified into the relevance D, or a common filtering policy may be generated / distributed even if different filtering policies are generated / distributed according to the relevance. It does not matter.
[0146]
(A-3-2) Tracking method using communication activity identification (tracking technique)
Next, a description will be given of a detail of the communication activity and a tracking method for identifying communication activity and attack detection related to the same attack and grasping a route through which the attack passes.
[0147]
In the prior art, only the existence of the communication connection or only the data transfer amount (traffic amount) is measured, and the measured data is accumulated, and the tracking investigation at the time of detecting an attack is performed manually.
[0148]
(A-3-2-1) Definition of access status (communication activity) model
In the embodiment, as shown in FIG. 12, the occurrence of communication activity means that a connection has been established at an observation point on the network, that some traffic has been observed from an inactive state, or that a packet has passed. Say that it was detected.
[0149]
Further, the disappearance of the communication activity means, as shown in FIG. 12, that a connection is cut off at a certain observation point on the network, or that traffic whose occurrence is observed is not observed for a certain period of time.
[0150]
After the occurrence of the communication activity, the communication state is managed by the communication activity at the node where the traffic is observed.
[0151]
This embodiment is intended for both connection-oriented (connection-oriented) and connectionless-type networks, and is also intended for communication modes in which connection-type and connectionless-type differ depending on the protocol layer. Management of communication activities by various definitions.
[0152]
(A-3-2-2) Definition of communication activity
The communication activity is information on the state of access to the wide area intranet, and is information including an activity end point, a protocol type, and a detection time (an activity type and an activity state may be added thereto). Here, the activity endpoint, the protocol type, the detection time, the activity type, and the activity state are collectively called an activity attribute.
[0153]
The information on the activity end point is information on the address of the end point of the generated communication, and uses a source IP address, a source port number, a destination IP address, a destination port number, and the like regarding the access source and the access destination.
[0154]
The protocol type is information on the type of communication protocol applied in the communication of the traffic, and uses, for example, an IANA number.
[0155]
The activity type is information on the type of connection between endpoints, such as connection type, connectionless reply type, connectionless one-way type (complete connectionless type), and the like. Considering the above, the above two types are handled as connectionless type.
[0156]
The activity state is information related to the state of the connection, and includes (i) a connection type (TCP) connection state (for example, establishment, establishment, disconnection, disconnection), and (ii) a connectionless reply state (for example, (Response state of response, no response state), (iii) connectionless type one-way communication state (for example, no response), and the like.
[0157]
The detection time is information on the time when the activity monitor detects the above information.
[0158]
In the above, an example has been described in which the information of the protocol layers 3 and 4 is used as the information of the activity attribute. However, information of another protocol layer or the like may be included in the information of the activity attribute. In other words, it may be any protocol layer information collected and managed by the central monitoring center.
[0159]
(A-3-2-3) Overlay analysis of communication activity
In response to the alarm from the unauthorized access detection system (11 in FIG. 2), the intrusion route analysis system (1A-2 in FIG. 2) matches the protocol type from the communication activity with the same detection time or within a predetermined time, In addition, extracting communication activity whose activity end point matches the information of the access source / access destination and specifying a gate node through which the communication activity has passed is called a communication activity overlay analysis.
[0160]
As shown in FIG. 13, the communication activity obtained by the activity monitor 10 arranged at each base is transmitted to the communication activity monitoring system (1A-1 in FIG. 2), and the data storage system 1A-4 in the central monitoring center. Then, the information is accumulated in association with the information (IP address or the like) identifying the activity monitor 10 that has become the transmission source (or accumulated in association with the information (IP address or the like) identifying the gate node). Then, based on the alarm from the unauthorized access detection system (11 in FIG. 2), the intrusion route analysis system (1A-2 in FIG. 2) superimposes and analyzes the communication activity to determine the communication activity related to the alarm. Identify the gate node that passed. The intrusion route analysis system refers to network map information (so-called network configuration map) relating to the arrangement of gate nodes in the monitoring target and their connections, which is stored in the data storage system in advance, and places the specified gate nodes on the network map information. Then, the path P is reflected, the path P is specified, and an activity map indicating an intrusion route on the network to be managed is created.
[0161]
When specifying the gate node located at the base from the information for specifying the activity monitor, it is necessary to store in advance the information for associating these with the data storage system.
[0162]
For example, as shown in FIG. 14, it is a trajectory on a map in which communication activities from the bases A1 / GN, A2 / GN, and A5 / GN are superimposed and analyzed, reflected on network map information, and connected. An activity map (FIG. 14) is created by overwriting the path P.
[0163]
The protocol for notifying the central monitoring center of the communication activity may be arbitrary, and a dedicated communication line may be applied. Further, if a packet adopting dynamic routing can be identified as the same communication activity by attribute definition, all of the plurality of paths may be written in the activity map.
[0164]
(A-3-2-4) Tracking of attack source
The intrusion route analysis system (1A-2 in FIG. 2) creates an activity map, and then, based on the arrangement of the gate nodes, from among the gate nodes that have passed the communication activity that has been regarded as unauthorized access, The located gate node (hereinafter, referred to as an edge node) is extracted (referred to as edge node determination) and reflected on the activity map.
[0165]
For example, in the example of the activity map of FIG. 14, the unauthorized access detection system (IDS) 11 located at the base A5 / GN detects the unauthorized access, and based on the alarm from the unauthorized access detection system 11, central monitoring (not shown) The intrusion route analysis system of the center creates an activity map, determines that the gate node located at the boundary with the external network at the base A1 / GN is the edge node EN, and reflects the edge node EN on the activity map.
[0166]
Note that the intrusion route analysis system notifies information (such as an IP address) for specifying the specified gate node and edge node as a result of analyzing the intrusion route.
[0167]
In addition, when a plurality of unauthorized access detection systems react to the same attack, a plurality of processes for analyzing the same edge node are generated. Only edge node determination processing based on the first alarm from the access detection system may be executed, and it may be prevented that edge node determination is performed in parallel.
[0168]
(A-3-3) Policy generation (protection policy management technology)
Next, a method of generating and managing a filtering policy and other protection policies to be distributed to gate nodes will be described.
[0169]
(A-3-3-1) Policy notation
As shown in FIG. 15, the notation method of the protection policy is as follows: policy ID, effective date and time, policy expiration date, policy type (policy type), policy endpoint, action type, policy application type, counter attack reference ID, policy authentication card, The extended information is a component of the information, and its contents may differ depending on the type of protection policy. The policy authentication card is added as an option and is not essential.
[0170]
Identification information (identification number) of the protection policy is inserted into the policy ID (No). The policy ID may be arbitrarily determined by the source of the protection policy or the like. However, it is preferable that the policy ID include information for distinguishing between a general-purpose protection policy and an individual protection policy.
[0171]
A time stamp at which the protection policy becomes effective is inserted in the policy effective date and time.
[0172]
In the policy expiration date, the protection policy is an indefinite protection policy whose expiration date is indefinite, or, if it is finite, its expiration date (time stamp) is inserted.
[0173]
In the policy type (policy type), information indicating whether the protection policy is a filtering (Filtering) policy, a tracking (Tracking) policy, a security (Scanning) policy, or an attack (Offensive) policy is inserted.
[0174]
The policy endpoint includes a source IP address (source IP address), which is information of an access source of communication activity, a destination IP address (destination IP address), which is information of an access destination, regarding an access to which a protection policy is applied. , The protocol type of the communication protocol is inserted.
[0175]
The action type defines the access control for the access that specifies the condition at the policy endpoint, and denies access (Refuse), ignores the access (Drop), allows access (Accept), disconnects the network (NetworkClose), and releases the previous protection policy. (PolicyOff), action type information such as change of detection notification condition (Configure Indication), etc. are inserted.
[0176]
In the policy application type, information that specifies the application destination of the protection policy (for example, to which gate node the filtering policy should be applied) is inserted. In this specification, for example, it is possible to specify all the gate nodes in the wide area intranet or the security domain.
[0177]
In the counter attack reference ID, a reference number of the counter attack specified by the information provider such as a CVE number or a CERT number is inserted.
[0178]
In order to prevent counterfeiting, an authentication certificate of the cyber terrorism alert center (see 3 in FIG. 1) or a central monitoring center (see 1A to 1C in FIG. 1) that issued the protection policy is inserted into the policy authentication card. .
[0179]
In the extension area, information specific to various protection policies is inserted as needed.
[0180]
Note that the coding system and encoding method for expressing the policy are not limited. Further, as elements of the protection policy, other elements such as the distribution destination of the protection policy (for example, a type of a gate node to which a filtering policy is to be given) are replaced with the elements shown in FIG. It may be provided in addition to the elements described above.
[0181]
(A-3-3-3) Protection policy type
The protection policy includes a filtering policy, a tracking policy, an alert policy, an attack policy, and the like.
[0182]
The filtering policy is an access control rule applied for the purpose of avoiding an attack.
[0183]
The tracing policy is a tracing rule for analyzing an intrusion route related to an unauthorized access in other management domains and tracing a route in which an attack is performed. The tracking rules use the communication activity collected at the edge nodes.
[0184]
The security policy is for monitoring with security, and is a rule for extracting an IP address of a security target (a server or the like) that can be an attack source in the future and an attack capability. The rule indicates a scanning pattern for the object to be watched. The security policy is generated in the cyber terrorism security center, and is used for generating a scanning packet from a scanning pattern, transmitting the packet to the security target, and monitoring the response.
[0185]
The attack policy is a counter attack (Counter Attack) rule (a short-time attack) when the attack source is known. In order to apply the attack policy, it is necessary to provide a server equipped with an attack function (such as an attack tool) according to the attack policy.
[0186]
The configuration of each of the above policies will be described in each policy configuration in (A-3-4-2).
[0187]
(A-3-3-4) Detection of inconsistency in protection policy
In this embodiment, there is no protection policy corresponding to the cancellation policy. Therefore, each gate node or the like observes the policy expiration date, and releases the protection policy when the policy expiration date elapses, for example.
[0188]
When the duplication of the same protection policy is detected, only one of the sites is valid. Non-identical, but narrower protection policies if, for example, only the policy expiration date is different, only the scope of the gate node applied is different, or if there is an information inclusion relationship between multiple protection policies May be prioritized. Conversely, a wide range of protection policies may be prioritized, and the protection policy to be prioritized may be changed depending on the policy type.
[0189]
If the protection policy contains no credentials or the credentials are invalid, the protection policy may be treated as invalid.Even if the credentials are absent or invalid, the protection policy should be treated as valid. May be.
[0190]
(A-3-4) Conversion of individual protection policy / general-purpose protection policy
Next, the conversion between the individual protection policy and the general protection policy executed by the central monitoring center will be described.
[0191]
(A-3-4-1) Individual protection policy and general-purpose protection policy
As shown in FIG. 15 described above, the information elements of the protection policy include a policy ID, an effective date and time, a policy expiration date, a policy type, a policy endpoint, an action type, a policy application type, a counter attack reference ID, a policy authentication card, and the like. is there.
[0192]
The individual protection policy includes all the protection policy information elements shown in FIG. 15 and is information to be distributed from each central monitoring center to the gate node to be managed. That is, the individual protection policy is protection policy information that also includes individual information (such as the originating / destination IP address) of the system.
[0193]
As shown in FIG. 16, the general-purpose protection policy is protection policy information that excludes (masks) the destination IP address (destination IP address), effective date and time, and policy application type of the policy endpoint from the information elements of the protection policy. .
[0194]
That is, in the conversion from the individual protection policy to the general-purpose protection policy, the mask element shown in FIG. 16 may be excluded, and this is performed in the cyber terrorism alert center.
[0195]
Conversely, the conversion from the general-purpose protection policy to the individual protection policy is performed at the central monitoring center (see 1B in FIG. 1) simply by adding the mask element. As the effective date and time, for example, the date and time converted into the individual protection policy by the central monitoring center may be inserted. In the policy application type, for example, the ID of the gate node to which the protection policy is to be distributed is inserted in the wide area intranet. For example, a default value predetermined for the wide area intranet is inserted into the destination IP address (destination IP address) of the policy endpoint.
[0196]
(A-3-4-2) Configuration of each protection policy
FIG. 17 is an explanatory diagram showing differences in policy elements (or individual protection policies and general-purpose protection policies) depending on the types of protection policies.
[0197]
The filtering policy is protection policy information for avoiding an attack. As shown in FIG. 17A, the policy ID, the effective date and time, the policy expiration date, the policy type, the policy endpoint, the action type, the policy application type, and the counter attack reference ID and policy authentication card (policy authentication card is optional). 17A, the effective date and time, the destination IP address of the policy endpoint, and the policy application type are masked (in the collaborative activity tracking, the issuance date and time, the policy endpoint The destination IP address is masked).
[0198]
The tracking policy is protection policy information for “searching for communication activity X within the search range”, and as shown in FIG. 17B, policy ID, effective date and time, policy expiration date, policy type, policy application type, It consists of a counter attack reference ID, a policy authentication card, and an extended area (the policy authentication card is optional). In response to the tracking policy, the cyber terrorism alert center or the central monitoring center responds to the request source with information on the gate node that has observed the communication activity within the management range. Therefore, the communication activity X collected in the edge node is provided in the extension area. The general-purpose tracking policy is as shown in FIG.
[0199]
An alert policy is a protection policy for alert conditions. For this reason, as shown in FIG. 17C, an IP address to be guarded is provided in the extension area to specify a guard condition. The general-purpose alert policy is as shown in FIG.
[0200]
The attack policy is a protection policy for “performing Y against X and attacking (counterattack)”. Therefore, as shown in FIG. 17D, attack conditions are provided in the extended area. The general-purpose attack policy is as shown in FIG.
[0201]
The configuration of the alert policy (general-purpose policy) for activity cooperative tracking, which is transferred to a different alert domain, may be as described above. It may be provided with an element or the like that incorporates information such as information.
[0202]
(A-3-5) Detailed description of cooperative activity tracking function
FIG. 8 shows an image of the cooperative activity tracking function in the cooperative alert system. In FIG. 8, the same or corresponding parts as those in FIG. 1 are denoted by the same or corresponding reference numerals.
[0203]
The management domains A and B belonging to the security domain managed by the cyber terrorism security center 3 (FIG. 1) (corresponding to the elliptical portions indicated by the wide area intranets A and B in FIG. 8) are respectively assigned to the central monitoring centers 1A and 1B. It shall be managed. In the management domains A and B, the five functions described above for the central monitoring centers 1A and 1B, (1) collection and monitoring of communication activity, (2) processing based on hybrid IDS monitoring, (3) intrusion route analysis, and (5) 4) Protection policy (individual protection policy) generation / distribution, and (5) Individual conversion of general-purpose protection policy shall operate.
[0204]
The cyber terrorism alert center 3 realizes the cooperative activity tracking function in the alert domain by the following three means (parts (1) to (3) in the cyber terror alert center 3 in FIG. 8).
[0205]
The management domain in the alerting domain cooperates and cooperates with each other to track communication activity, so that the management domain is called a cooperative activity tracking function.
[0206]
(1) Generating and distributing general-purpose tracking policies
The central monitoring center 1A belonging to the alert domain (FIG. 8) analyzes the intrusion route (3) based on the alarm about the unauthorized access detection (2) from the unauthorized access detection system, generates a filtering policy, and distributes it to the gate node. 4) At this time, the protection policy management system generates a tracking policy and distributes it to the cyber terrorism alert center 3 together with the intrusion route analysis result and the filtering policy.
[0207]
The tracking policy has the communication activity collected at the edge node in the management domain A related to the alarm, and the cyber terrorism alert center that receives the information accumulates information and generates a general-purpose tracking policy, and sends the information to the central monitoring center 1B. To distribute.
[0208]
▲ 2 ▼ Create activity map
The protection policy management system of the central monitoring center 1B that has received the general-purpose tracking policy instructs the intrusion route analysis system to analyze the intrusion route based on the general-purpose tracking policy. The intrusion route analysis system refers to the data storage system based on the activity end point, protocol type, and detection time of the communication activity specified by the general-purpose tracking policy, and attempts to extract the communication activity that matches these data. The same or within a predetermined time is extracted). Then, when the communication activity is extracted, the gate node at the base where the activity monitor collecting the extracted communication activity is located and the edge node are specified. When the protection policy management system receives notification of the presence or absence of the corresponding communication activity from the intrusion route analysis system and, if any, the analysis result (information for identifying the extracted gate node and edge node), the protection policy management system sends a response to the tracking policy. And notify the Cyber Terrorism Security Center.
[0209]
In the tracking policy response, when the communication activity indicated by the general tracking policy exists in the management domain B, it indicates that the attack detected in the management domain A has passed through the management domain B as a route, Indicates that the tracking was successful. If the communication activity does not exist in the management domain B, it means that it cannot be tracked because the communication activity does not pass through the management domain B as a route.
[0210]
In the cyber terrorism alert center 3, the intrusion route analysis result received from the central monitoring center 1A and the tracking policy response received from the central monitoring center 1B are stored in advance, and the arrangement of the gate nodes in the self-guard domain and their An activity map is created by reflecting it on the network map information related to the connection, and an edge node is extracted based on the activity map and reflected on the activity map.
[0211]
If the communication activity of the attack passes through the management domain B as an upstream route, it is possible to apply access control such as closing a passage point on the management domain B (a corresponding gate node in the management domain B). This is more effective in minimizing damage than applying access control in the management domain A. That is, when an attack is detected, a pass point that is further upstream of the attack (in FIG. 8, the management domain B Access control by the gate node indicated by B2 / GN above) is more effective in the sense of preventing spread to other management domains other than the management domain A.
[0212]
(3) Filtering policy generation and distribution
By creating an activity map, if the pass point (edge node) of the attack located at the most upstream position in the security domain can be determined in a management domain other than the management domain in which the attack was detected, the cyber terrorism security center 3 performs tracking. A general-purpose filtering policy for a successful management domain (in FIG. 8, management domain B) is generated and distributed.
[0213]
At the same time, the source of the tracking policy (central monitoring center A) is notified of the tracking result indicating whether or not the tracking was successful.
[0214]
In the generation / distribution of the general-purpose filtering policy, a general-purpose filtering policy is generated in which the address of an individual gate node (within the management domain A) is removed from the filtering policy (individual filtering policy) used in the management domain A. The central monitoring center 1B performs individual conversion such as adding address information of individual gate nodes on the management domain B, and distributes them to the gate nodes (B2 / GN in FIG. 8). The gate node B2 / GN applies access control indicated by the filtering policy (individual filtering policy), and performs a process such as closing.
[0215]
(A-3-6) DDoS Attack Defense by Cooperative Activity Tracking (Technology for Transferring Cooperative Policy Information for DDoS Attack)
Next, a method of defending a DDoS attack by cooperative activity tracking, in other words, a technique of transmitting and receiving cooperative policy information to a DDoS attack will be described.
[0216]
(A-3-6-1) Typical DDoS attack model
As shown in FIG. 18, an attack model such as Trino and TFN known as typical DDoS attack software has a hierarchical attack system including a client 50, a master 51, and a large number of daemons 52.
[0217]
(A-3-6-2) Analysis of edge node in security domain
As shown in FIG. 19, by exchanging communication activities among the management domains (central monitoring centers) A, B, and C, an edge node (intrusion point; Ingress Point) in the security domain is analyzed, and the edge node is analyzed. Distribute the filtering policy to. In the intrusion route analysis, a network located farthest from the damaged network (management domain) and its edge node are detected.
[0218]
In the example of FIG. 19, the central monitoring center 1A analyzes the edge node of the DDoS attack by exchanging communication activities among the management domains (central monitoring centers) A, B, and C, and sends a filtering policy to the cyber terrorism alert center 3. In this case, the cyber terrorism alert center 3 converts the information into a general-purpose filtering policy and gives it to each of the central monitoring centers 1B and 1C so that the edge node performs filtering.
[0219]
(A-3-6-3) Edge node tracking between security domains
As shown in FIG. 20, an edge node is tracked between security domains (security terrorism security centers) by exchanging communication activities between security domains, and a filtering policy is applied.
[0220]
In the example of FIG. 20, the communication domain between the security domains (cyber terrorism security centers) A and B is exchanged to detect an intrusion point of the DDoS attack in the management domain A in the security domain A, track the edge node, and trace the cyber node. The case where the terrorism alert center 3B causes the central monitoring center 1B under its control to execute the filtering policy on the edge node is shown.
[0221]
(A-3-7) Cooperative Policy Transfer Protocol (Cooperative Policy Information Transfer Technology)
Next, an outline of a cooperative policy transfer protocol in the embodiment, in other words, an outline of a cooperative policy information transfer technique will be described.
[0222]
(A-3-7-1) Basic sequence (Alert system)
FIG. 21 shows an example of a basic sequence related to transmission and reception of an alert (alarm) system.
[0223]
Between the central monitoring center 1 and the gate node 12 and between the cyber terrorism alert center 3 and the central monitoring center 1, a session is opened, authentication is performed, and a key (Key) for exchanging information is exchanged (T1, T2). .
[0224]
Thereafter, the unauthorized access detection system 11 at the base where the gate node 12 is located gives the central monitoring center 1 an alert message in accordance with the prescribed format (T3).
[0225]
The central monitoring center 1 which has received it effectively returns an acknowledgment (Ack) to the gate node 12 (T4), and gives an alert (alarm) message according to a prescribed format to the cyber terrorism alert center 3 (T5). ).
[0226]
The cyber terrorism alert center 3 that has received it effectively returns an acknowledgment (Ack) to the central monitoring center 1 (T6). Upon receiving the acknowledgment for the alert message, the central monitoring center 1 transmits an individual protection policy (Delivery Original Policy) for transmitting the delivery to the gate node 12 (T7), and waits for an acknowledgment (Ack) from the gate node 12 (A7). T8), the individual protection policy notifying the delivery is transmitted to the cyber terrorism alert center 3 (T9). The cyber terrorism alert center 3 returns an acknowledgment (Ack) to the central monitoring center 1 in response to the effective reception of the protection policy (T10).
[0227]
Thereafter, a process of disconnecting a session between the central monitoring center 1 and the gate node 12 and a session between the cyber terrorism alert center 3 and the central monitoring center 1 are executed (T11, T12).
[0228]
A session is established between the cyber terrorism alert center 3 and another cyber terrorism alert center 3x, authentication is performed, and a key (Key) for exchanging information is exchanged (T13). A general protection policy (Delivery General Policy) that conveys the delivery is transmitted to another cyber terrorism alert center 3x (T14), and the other cyber terrorism alert center 3x sends an acknowledgment (Ack) to the valid reception of the protection policy. Reply to cyber terrorism alert center 3 (T15).
[0229]
Thereafter, a session disconnection process between the cyber terrorism alert center 3 and another cyber terrorism alert center 3x is executed (T16).
[0230]
As described above, the protection policy information can be exchanged (transferred) between the cyber terrorism monitoring center 3 and the central monitoring center 1 or between the cyber terrorism monitoring center 3 and another cyber terrorism monitoring center 3x. It is natural that the process shown in FIG. 21 may be started by a gate node under the control of a central monitoring center under the control of another cyber terrorism alert center 3x.
[0231]
(A-3-7-2) Alert information item
Items of the alert information transmitted and received in the sequence described above with reference to FIG. 21 include (1) message-ID, (2) detection event (attack danger level, attack name, information on the access source and access destination of the attack). , Attack protocol type, etc.), (3) detection time, (4) detection history (number of detections, etc.), (5) identification information of the detection source gate node and unauthorized access detection system (IDS). .
[0232]
(A-3-7-3) Acknowledge (or Nack) information item
The information items of the acknowledgment (which may function as a knuckle) transmitted and received in the sequence described above with reference to FIG. 21 include: (1) message-ID targeted for acknowledgment; (2) center identification or gate node identification information. , {Circle around (3)} reason codes.
[0233]
(A-3-7-4) Query (Query; inquiry) related information items (service outside the security center)
Although not shown in FIG. 21, the cyber terrorism alert centers 3 and 3x can inquire (inquire) an external information center or the like (outside the alert center) for an attack or the like, and the external information center or the like alerts the cyber terrorism. An attack or the like can be inquired to the centers 3 and 3x.
[0234]
The sequence at this time is not shown, but when the cyber terrorism security center 3, 3x makes an inquiry to an external information center or the like, a session is established between the cyber terrorism security center 3, 3x and the external information center (authentication). , Including key exchange), transmission of query-related information for inquiries to external information centers and the like, replies to cyber terrorism alert centers 3, 3x, disconnection of sessions, and the like. When an external information center or the like makes an inquiry to the cyber terrorism security centers 3 and 3x, a session is established between the cyber terrorism security centers 3 and 3x and the external information center (including authentication and key exchange), and the cyber terrorism security center is set up. For example, transmission of query information for inquiry to the center 3, reply to an external information center or the like, disconnection of a session, and the like.
[0235]
Items of query information used in such a sequence include (1) message-ID, (2) query type (query type; search, location inquiry, etc.), (3) search result, location information (downloadable URL etc.).
[0236]
(A-4) Effects of the embodiment
According to the above embodiment, the following effects can be obtained.
[0237]
Security management for access control can be performed at each site in a single wide area intranet.
[0238]
It is possible to exchange incident information and a protection policy (policy relating to access control) between a plurality of wide area intranets having different management domains, and to perform security management regarding access control across the plurality of wide area intranets.
[0239]
In addition, security management relating to access control can be performed between a plurality of security domains. Here, in hierarchical security management, protection policy information can be shared.
[0240]
Further, security management for access control based on the latest incident information can be always performed between a plurality of wide area intranets in the same security domain.
[0241]
Furthermore, a general-purpose protection policy is generated by utilizing information from the information center, and exchanges are made between cyber terrorism alert centers, so that security management related to access control based on the latest incident information is always performed between different alert domains. Can be implemented.
[0242]
Also, when an attack observed in one wide area intranet protection system is passing through another wide area intranet protection system, for example, by adding communication activity to information exchanged between multiple central monitoring centers and cyber terrorism alert centers But you can trace the source of the attack.
[0243]
Similarly, by including communication activity in information exchanged between a plurality of cyber terrorism alert centers, it is possible to track the source of an attack that spans a plurality of different alert domains.
[0244]
By superimposing and analyzing the communication activity between the sites under the same central monitoring center, it is possible to track the source of an attack that spans a plurality of different sites.
[0245]
A local arrangement of an unauthorized intrusion detection device of the fraud detection method and an intrusion detection device of the anomaly detection method, or a serial arrangement of an unauthorized intrusion detection device of the fraud detection method, a gate node, and an intrusion detection device of the abnormality detection method, Advanced intrusion detection can be performed at a typical observation point.
[0246]
It is possible to detect not only a local attack but also an attack that is established by combining attacks on a plurality of access points using the entire wide area intranet.
[0247]
By generating the activity map, it is possible to track an unauthorized access using a so-called stepping-stone via a plurality of servers that have entered the network, and an unauthorized access using a false transmission address.
[0248]
Using the alert information and communication activity indicating that an unauthorized access attack has been detected, an access control rule that restricts connection to each site in the wide area intranet is automatically generated and sent to the gate node located at each site. Distribution can provide security management techniques for access control within a wide area intranet.
[0249]
Further, it is possible to provide a security management technique using a filtering policy, a tracking policy, a security policy, and an attack policy.
[0250]
By using a collaborative tracking technique, DDoS attacks can be more effectively defended.
[0251]
(B) Other embodiments
It should be noted that the type of the wide area network (such as the wide area intranet) which is a security management target according to the present invention is not limited. For example, the present invention can be applied to a system in which each management domain is an intranet for each prefecture and the security domain is all municipalities (nationwide).
[0252]
【The invention's effect】
As described above, according to the present invention, it is possible to achieve enhanced and advanced cooperation for monitoring unauthorized access and enhanced and advanced cooperation for access control at the time of detection. It is possible to provide a system and method for implementing a unified protection policy regarding access control assuming a cyber terrorist attack. Further, it is possible to provide a system that cooperates and shares information effective for security management between different network systems. Furthermore, it is possible to provide an individual technology capable of realizing the above-described system and method.
[Brief description of the drawings]
FIG. 1 is a block diagram illustrating an overall configuration image of a cooperative alerting system according to an embodiment.
FIG. 2 is a block diagram showing a configuration image of a wide area intranet protection system of the embodiment.
FIG. 3 is an explanatory diagram (1) of a relationship between a security domain and a management domain according to the embodiment;
FIG. 4 is an explanatory diagram (2) of a relationship between an alert domain and a management domain according to the embodiment;
FIG. 5 is a block diagram illustrating an example of a hardware configuration arranged at a base according to the embodiment.
FIG. 6 is an explanatory diagram of an operation outline of the wide area intranet protection system of the embodiment.
FIG. 7 is an explanatory diagram of functions of a central monitoring center and a cyber terrorism alert center according to the embodiment.
FIG. 8 is an explanatory diagram of a cooperative activity tracking function of the embodiment.
FIG. 9 is an explanatory diagram of a first local attack detection method according to the embodiment;
FIG. 10 is an explanatory diagram of a second local attack detection method according to the embodiment;
FIG. 11 is an explanatory diagram of a wide-area attack detection method according to the embodiment.
FIG. 12 is an explanatory diagram of a definition of a communication activity (activity) model according to the embodiment.
FIG. 13 is an explanatory diagram of an activity model according to the embodiment.
FIG. 14 is an explanatory diagram of an activity map according to the embodiment.
FIG. 15 is an explanatory diagram of a policy notation method (policy card) of the embodiment.
FIG. 16 is an explanatory diagram of a difference between individual / general-purpose protection policies of the embodiment.
FIG. 17 is an explanatory diagram of a data structure for each protection policy according to the embodiment.
FIG. 18 is an explanatory diagram of an attack model of a DDoS attack.
FIG. 19 is an explanatory diagram of a tracking method in a security domain at the time of a DDoS attack according to the embodiment.
FIG. 20 is an explanatory diagram of a tracking method between alert domains during a DDoS attack according to the embodiment.
FIG. 21 is a sequence diagram of a cooperative policy transfer protocol of the embodiment.
FIG. 22 is a block diagram illustrating an example of an internal configuration of a gate node according to the embodiment.
FIG. 23 is a block diagram illustrating an example of an internal configuration of an activity monitor according to the embodiment.
[Explanation of symbols]
1A to 1C: Central monitoring center of management domain,
1A-1: Communication activity monitoring system,
1A-2: Intrusion route analysis system,
1A-3: protection policy management system,
2A to 2C: management domain,
3, 3x ... Cyber terrorism alert center,
4 ... information center,
5A-5C: Wide area intranet protection system,
10 Activity monitor,
11 ... Unauthorized access detection system
12 gate node.

Claims (25)

A wide area network protection system for protecting a wide area network having a plurality of connection points with external networks from unauthorized access,
An unauthorized access detection system that detects unauthorized access at each of the above connection points and notifies alarm information;
Alarm information storage means for storing the notified alarm information,
An activity monitor for extracting communication activity that is an access status of the wide area network from communication content at each of the connection points;
Communication activity storage means for storing the extracted communication activity;
A gate node provided at each of the connection points to execute access control;
Based on the alarm information from the unauthorized access detection system, based on the communication activity and the alarm information stored in the communication activity storage means, analyze the intrusion route of the detected unauthorized access, and notify the analysis result of the intrusion route analysis. A protection policy generating means for generating an individual filtering policy as an access control rule in the gate node based on a system and an intrusion route analysis result and the alarm information;
Protection policy distribution means for distributing an individual filtering policy to the gate node,
A wide area network protection system, wherein access control is performed at a plurality of connection points in the wide area network. 2. The wide area network protection system according to claim 1, wherein the intrusion route analysis system is provided at a connection point where the communication activity having the same information as the information included in the alarm information is searched, and the searched communication activity is extracted. A wide area network protection system characterized by analyzing an intrusion route by specifying a specified gate node, and notifying information about the specified gate node as a result of the analysis. 3. The wide area network protection system according to claim 2, wherein the intrusion route analysis system is configured to detect the edge node based on the information on the specified gate node and the network map information on the arrangement of the gate nodes and their connection stored in advance. A wide area network protection system characterized by analyzing an intrusion route by specifying the information, and notifying information about the specified gate node and edge node as a result of the analysis. The wide area network protection system according to claim 1, 2 or 3,
The wide area network protection system according to claim 1, wherein said protection policy generation means generates an individual filtering policy having information designating communication to exclude access according to a gate node to be distributed. The wide area network protection system according to any one of claims 1 to 4,
The alarm information, at least regarding the detected unauthorized access, information of the access source, information of the access destination, the protocol type and the detection time, is configured,
The wide area network protection system according to claim 1, wherein the communication activity includes at least information of an access source, information of an access destination, a protocol type, and a detection time of these in communication contents. 6. The wide area network protection system according to claim 5, wherein the intrusion route analysis system includes the communication information having the same detection time as the detection time included in the alarm information or having a detection time within a predetermined time in the alarm information. A wide area network protection system characterized by searching for communication activity in which information of an access source, information of an access destination and a protocol type to be accessed match. The wide area network protection system according to claim 5 or 6,
The protection policy generation means generates, as the communication for eliminating the access, an individual filtering policy for specifying communication in which information of an access source, information of an access destination, and a protocol type included in the alarm information match. Wide area network protection system. The wide area network protection system according to any one of claims 1 to 7,
The unauthorized access detection system includes a first intrusion detection device using an abnormality detection method, the gate node, and a second intrusion detection device using an improper detection method. A wide area network protection system that is connected in series in this order. A security system comprising the wide area network protection system according to any one of claims 1 to 8 as one or more self-guard domains, and a security center connected to each of the wide area network protection systems,
The protection policy distribution means distributes an individual filtering policy to the alert center,
The above security center,
General-purpose protection policy conversion means for converting an individual filtering policy from the wide area network protection system in the self-guard domain into a general-purpose filtering policy,
General-purpose protection policy distribution means for distributing a general-purpose filtering policy to the wide area network protection system in the self-guard domain,
Each of the above wide area network protection systems
The individual protection policy conversion means for converting the received general-purpose filtering policy into an individual filtering policy relating to its own wide area network,
An alerting system for performing access control across a plurality of wide area networks. A security system comprising a plurality of security centers according to claim 9 and connecting the security centers with each other,
The above-mentioned general-purpose protection policy distribution means distributes a general-purpose filtering policy to other alert centers,
The security system according to claim 9, wherein access control is performed between a plurality of security domains. Each of the above security centers
External information capturing means for capturing incident information and / or a defense method from an information center that provides information;
A general-purpose protection policy generation unit that generates a general-purpose protection policy for an event that is or is likely to be affected over a wide area based on the captured information,
The security system according to claim 9, wherein access control based on incident information is performed between a plurality of wide area networks in the same security domain. Providing communication activity distribution means for adding communication activity to information distributed among the plurality of wide area network protection systems via the security center;
11. The security center according to claim 9, further comprising an unauthorized access source tracking means for tracking the source of unauthorized access over a plurality of wide area networks within the same security domain by superimposing communication activities. 12. The alert system according to any one of claims 11 to 11. Each of the above security centers,
Second communication activity distribution means for adding communication activity to information distributed between the opposing alert center,
11. The security system according to claim 10, further comprising a second unauthorized access source tracking unit that tracks the source of unauthorized access across a plurality of security domains by superimposing communication activities. The alert system according to claim 9,
The wide area network protection system
First notification means for notifying the security center of the analysis result of the intrusion route analysis system;
A tracking policy generating means for generating an individual tracking policy for instructing the security center to analyze an intrusion route in the security domain for the detected unauthorized access;
A second intrusion route analysis for analyzing an intrusion route of an unauthorized access detected by another wide area network protection system based on the received general purpose tracking policy and the stored communication activity based on the general purpose tracking policy from the security center. System and
A second notifying unit for notifying the security center of an analysis result of the second intrusion route analysis system;
The above security center
A general tracking policy conversion means for converting the received individual tracking policy into a general tracking policy,
A generic tracking policy distribution means for distributing the generic tracking policy to other wide area network protection systems;
A third intrusion route analysis system for analyzing an intrusion route of an unauthorized access in its own management domain based on analysis results received from the first notification unit and the second notification unit;
Second general-purpose protection policy generation means for generating a general-purpose filter rig policy based on the analysis result of the third intrusion route analysis system;
A second general-purpose protection policy distributing means for distributing the filtering policy to the wide area network protection system in the management domain. An alerting system having a plurality of alerting centers for hierarchically managing one or more wide area networks having connection points with external networks in a hierarchical manner,
Wherein each of the security centers has access control rule exchange means for exchanging access control rules for avoiding unauthorized access with another security center, and shares the access control rules. system. Information of communication activity, which is the access status of a certain wide area network, is notified between different wide area networks, and / or a plurality of wide area networks, and across different alert domains,
A method for tracing an unauthorized access, characterized by specifying the network located farthest on the route from the network of the victim who has received the unauthorized access, and its edge node by making the communication activity the tracking target. In the unauthorized access detection system provided at the connection point with the external network,
A first intrusion detection device of anomaly detection method and a second intrusion detection device of the fraud detection method are connected in series so that the first intrusion detection device comes to the external network side, An unauthorized access detection system, wherein the second intrusion detection device is operated in parallel. In the unauthorized access detection system provided at the connection point with the external network,
The first intrusion detection device of the anomaly detection method, the gate node that performs access control, and the second intrusion detection device of the fraud detection method are configured such that the first intrusion detection device comes to the external network side. An unauthorized access detection system characterized by being connected in series in this order. An unauthorized access detection system for detecting unauthorized access to an external network and a wide area network having a plurality of connection points,
Information classification means for classifying a plurality of pieces of access information at each connection point based on the degree of relevance determined by the difference between the information of the access source and the information of the access destination of the access to the plurality of connection points and the chronological similarity,
An unauthorized access determination unit that analogizes the relevance of the classified access information and determines that an unauthorized access has been made when a plurality of highly relevant accesses exist,
An unauthorized access detection system characterized by detecting a wide-area attack in which an attack is established by combining accesses to a plurality of connection points in a wide-area network. A wide area network protection system for protecting a wide area network having a plurality of connection points with external networks from unauthorized access,
An unauthorized access detection system that detects unauthorized access at each of the connection points and notifies alarm information including information of an access destination regarding the unauthorized access, information of an access source, and a detection time;
Alarm information storage means for storing the notified alarm information,
A gate node provided at each of the connection points to execute access control;
Each time alarm information is notified from the unauthorized access detection system, the notified alarm information is compared with the stored alarm information, and the relevance and detection time determined by the difference between the access source information and the access destination information are determined. Alarm information classifying means for classifying alarm information based on gender;
Based on the above classification result, by estimating the relevance of a plurality of unauthorized access, when there is a plurality of highly relevant access, unauthorized access determination means to determine that a wide area unauthorized access has been made,
Based on the determination and the alarm information, a protection policy generating unit that generates an individual filtering policy that is an access control rule in the gate node,
Protection policy distribution means for distributing an individual filtering policy to the gate node,
A wide area network protection system characterized by detecting a wide area attack in which an attack is established by combining unauthorized access to a plurality of connection points in a wide area network, and performing access control at the connection points. A wide area network protection system for protecting a wide area network having a plurality of connection points with external networks from unauthorized access,
An activity monitor for extracting the communication activity including the access status of the wide area network from the communication content at each of the connection points, the information of the access destination, the information of the access source, and the detection times thereof;
Communication activity storage means for storing the extracted communication activity;
A gate node provided at each of the connection points to execute access control;
Each time a communication activity is extracted from the activity monitor, the extracted communication activity is compared with the accumulated communication activity to determine the degree of relevance and the synchronization of the detection time determined by the difference between the information of the access source and the information of the access destination. Communication activity classifying means for classifying communication activity based on the communication activity;
Based on the above classification result, by estimating the relevance of a plurality of communication activities, when there is a plurality of highly relevant communication activities, unauthorized access determination means to determine that a wide area unauthorized access has been made,
Based on the determination and the communication activity, a protection policy generating unit that generates an individual filtering policy that is an access control rule in the gate node,
Protection policy distribution means for distributing the generated individual filtering policy to the gate node,
A wide area network protection system characterized by detecting a wide area attack in which an attack is established by combining accesses to a plurality of connection points in a wide area network, and performing access control at the connection points. An unauthorized access tracking method that tracks the source of unauthorized access to any location on the network,
Extract the communication activity that is the access status at each base,
Generate an activity map that connects communication activities extracted at multiple locations,
Search for communication activity corresponding to alarm information about unauthorized access,
An unauthorized access tracking method, wherein an intrusion route is detected based on a trajectory of the activity map relating to the searched communication activity. A security management method based on access control of a wide area network,
Based on the alarm information from a certain base indicating that unauthorized access has been detected and information on the communication activity that is the communication access status at each base, determine the base from which access is to be excluded,
Generate an access control rule that excludes access to each site in the wide area network,
A security management method comprising: distributing the access control rules to gate nodes at each site. A security management method based on access control of a wide area network,
A protection process for sending an access control rule that excludes access to each site in the wide area network;
A tracking process for tracking the route of the unauthorized access;
Vigilance processing to perform reverse scanning for the purpose of network search toward the source of unauthorized access;
Security management, including a counterattack process for sending attack information toward the source of unauthorized access, and exchanging necessary information for each of the above processes between bases in the wide area network, between the bases and the wide area network. Method. An attack protection method for protecting against a distributed denial of service such as a DDoS attack,
The communication activity, which is the communication access status at each base in the wide area network, is exchanged within the security domain to which the multiple wide area networks belong, and is also exchanged between the multiple security domains,
By coordinating exchanged communication activities, the source of distributed denial of service can be tracked,
An attack protection method characterized by identifying a network located farthest from a damaged network and an edge node in the network to eliminate access.

Images