JP2004336130A - Network state monitoring system and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a network state monitoring system with high reliability. <P>SOLUTION: The network state monitoring system collects alerts generated from a plurality of IDS 31, generates a model cross-referencing an alert output pattern to an action with respect to the output pattern, and provides the model to the fault detecting apparatus 35 of each local system 21. The fault detecting apparatus 35 checks history actually issued, compares the model with a combination between a newly generated alert and the past alert and detects a fault on the basis of the result of comparison. There are models that correlate the combination of output alerts with actions and correlates the issued orders of alerts with actions or the like. When the combination with the actual alert is coincident with any model, the action specified in the model is carried out, and when it is non-coincident, an alarm is issued. Further, a present alert issue state is estimated on the basis of the issue state of alerts in an ordinary state and when the estimation is greatly different, an alarm is issued. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention relates to network monitoring technology.
[0002]
[Prior art]
2. Description of the Related Art An IDS (Intrusion Detection System) that detects various attacks on a network and generates an alert has been developed and used (for example, Patent Document 1). The IDS generates an alert when any attack occurs on a device on the network.
[0003]
However, conventional IDSs are designed to be sensitive to attacks in order to keep the facts of the attack out of sight. Therefore, even in normal operation, a large amount of alerts are continuously output from the IDS. Therefore, in the field of security management, filtering is performed so that only alerts having a harmful effect are displayed on a monitoring device to notify a security manager. Filtered alerts have been discarded. It is thought that important information is asleep in the discarded alert, but its use has not been established.
[0004]
Further, in order to effectively utilize an alert issued from an IDS, a plurality of detection patterns corresponding to an intrusion pattern are prepared, and a fraud is detected by comparing the generated alert with the detection pattern. 1. The monitoring system disclosed in Patent Document 1 has a problem that an intrusion pattern that does not match a detection pattern prepared in advance cannot be detected.
[0005]
[Patent Document 1]
JP-A-2002-342276
[0006]
Conventionally, information output from a firewall device or each network device arranged on a network cannot be effectively used for managing a network state. Also, in the past, an overview of the entire information system was used to determine whether it was used properly, was used abnormally at some sites, or was used abnormally as a whole. , The method to grasp is not established.
[0007]
[Problems to be solved by the invention]
The present invention has been made in view of the above circumstances, and has as its object to provide a highly reliable network state monitoring system.
[0008]
[Means for Solving the Problems]
To achieve the above object, a network condition monitoring system according to a first aspect of the present invention comprises:
Intrusion detection means that is located on the network, detects attacks on the network, and generates an alert when an attack is detected;
Alert information collecting means for collecting information identifying an alert generated by the plurality of intrusion detecting means,
Model storage means for storing a model that associates an output pattern of an alert generated based on information about an alert collected by the alert information collection means with an action for the output pattern,
An alert history information acquisition unit for acquiring history information of an alert that has occurred,
The combination of alerts specified by the alert history information acquired by the alert history information acquisition unit is compared with the model stored in the model storage unit, and if any of the models matches, the registered action And if it does not match any of the models, an abnormality detection means for detecting an abnormality,
It is characterized by having.
[0009]
For example, the model storage unit stores the combination of the output type of alert and the action in association with each other, and the abnormality detection unit specifies the attacker and the type of alert when a new alert is generated. Then, from the alert history information stored in the alert history information acquiring means, the type of alert issued by the attacker in the past is obtained, and the combination of the type of alert issued by the attacker in the past and the current If the combination with the type of the alert matches any of the combinations of the types of the alerts stored in the model storage means, the registered action is executed. Notify an error.
[0010]
For example, the model storage unit stores the order of the type of the output alert and the action in association with each other, and the abnormality detection unit specifies the attacker and the type of the alert when a new alert occurs. Then, from the alert history information stored in the alert history information acquiring means, the order of the types of alerts issued by the attacker in the past is obtained, and the alert issued by the attacker in the past and the current alert are determined. If the order of the type matches any of the order of the types of alerts stored in the model storage means, the registered action is executed. Notice.
[0011]
For example, the model storage unit stores a model of a time transition of the output amount of the alert, and the abnormality detection unit stores the amount of the alert acquired by the alert history information acquiring unit and the time transition of the output amount of the alert. The model is compared, and an abnormality is notified based on the comparison result.
[0012]
Classification means for classifying (clustering) alert generators based on the type of alert that has occurred may be arranged. Further, a means for determining the type and amount of an alert that has occurred for each alert generator, and a classification means for classifying alert generators having the same tendency into the same category based on the type and amount of the determined alert are provided. It may be arranged.
[0013]
A communication amount measuring unit for measuring the communication amount is further arranged, the model storage unit stores a model of the time transition of the communication amount, and the abnormality detecting unit includes the communication amount measured by the communication amount measuring unit. A comparison may be made with the model of the time change of the communication traffic, and an abnormality may be notified based on the comparison result.
[0014]
An access amount measuring unit for measuring an access amount is further arranged, the model storage unit stores a model of a time transition of the access amount, and the abnormality detecting unit stores the access amount measured by the access amount measuring unit. A model may be compared with the time change model of the access amount, and an abnormality may be notified based on the comparison result.
[0015]
To achieve the above object, a network condition monitoring system according to a second aspect of the present invention comprises:
An alert information collection unit that collects information on an alert that has occurred from a plurality of intrusion detection units that generate an alert when a network attack is detected;
Model generation means for generating a model that associates an alert output pattern with an action for the output pattern based on the alert information collected by the alert information collection means,
Alert history generation means for generating history information of the generated alert based on the information of the alert collected by the alert information collection means,
It is characterized by having.
[0016]
For example, the alert information collecting means collects information on alerts generated by the intrusion detecting means arranged in a plurality of local systems, and the model generating means includes a plurality of local systems collected by the alert information collecting means. Based on the information on the alert that has occurred, means for generating a model that associates an output pattern of the alert with an action for the output pattern, means for generating history information of the alert that has occurred, and an abnormality detection device of each local system. Transmission means for providing the generated model and the history information.
[0017]
To achieve the above object, a network condition monitoring system according to a third aspect of the present invention comprises:
An alert receiving means for receiving an alert generated from an intrusion detecting means for detecting an attack on the network;
Model storage means for storing a model that associates the output pattern of the alert with an action for the output pattern,
Alert history storage means for storing history information of alerts generated by the intrusion detection means,
Alert information generated from the new alert received by the alert receiving means and the alert history stored in the alert history storage means is compared with a model stored in the model storage means, and any one of the models is compared. If it matches, the registered action is executed, and if it does not match any model, an abnormality detecting means for detecting an abnormality,
It is characterized by having.
[0018]
In order to achieve the above object, a computer program according to a fourth aspect of the present invention comprises:
Computer or group of computers,
An alert information collection unit that collects information on generated alerts from multiple intrusion detection units that generate alerts when network attacks are detected,
Model generation means for generating a model that associates an alert output pattern with an action for the output pattern based on the alert information collected by the alert information collection means,
Alert history generation means for generating history information of the generated alert based on the information of the alert collected by the alert information collection means,
It is characterized by functioning as
[0019]
To achieve the above object, a computer program according to a fifth aspect of the present invention comprises:
Model storage means for storing a model that associates an alert output pattern with an action for the output pattern,
Alert history storage means for storing history information of the alerts that have occurred,
Alert receiving means for receiving alerts from intrusion detection means for detecting attacks on the network,
Alert information generated from the new alert received by the alert receiving means and the alert history stored in the alert history storage means is compared with a model stored in the model storage means, and any one of the models is compared. If it does not match any of the models, execute the registered action.
Function as
[0020]
BEST MODE FOR CARRYING OUT THE INVENTION
Hereinafter, a network system including a network state monitoring system according to an embodiment of the present invention will be described.
[0021]
The network system 11 according to this embodiment is connected to a plurality of local systems 21 (21-1 to 21-n) via a WAN (wide area network) 25, as shown in FIG. Cyber attack response center 23 provided.
[0022]
Each local system 21 includes one or a plurality of intrusion detection systems (IDS; Intrusion Detection System) 31, a firewall 33, an abnormality detection device 35, a router 37, and one or a plurality of network devices 39.
[0023]
Each of the IDSs 31 abnormally generates an alert (alert information) indicating an attack source IP address, a port number, an attack target IP address, a port number, the content of the attack, and the like when a device in the local system 21 is attacked. Output to the detection device 35.
[0024]
The abnormality detection device 35 determines the presence or absence of an abnormality in the local system 21 based on the alert output from the IDS 31, and collects information on the generated alert to notify the cyber attack center 23. Further, it detects a system abnormality in the local system 21 and collects the information to notify the cyber attack center 23.
[0025]
As shown in FIG. 2, the abnormality detection device 35 includes a control unit 111, a storage unit 112, a communication unit 113, an input unit 114, and a display unit 115.
[0026]
The control unit 111 includes a processor and the like, and performs an abnormality detection operation described later according to an operation program stored in the storage unit 112.
The storage unit 112 stores 1) an alert output pattern model, 2) an alert output sequential pattern model, 3) attacker information 1 and 2, and 4) a time transition model together with an operation program of the control unit 111.
[0027]
Here, 1) the alert output pattern model is a model that associates a combination of alert types with an action corresponding to the combination, as shown in FIG. Defines that when an alert of the type corresponding to “conclusion” is generated, the corresponding “action” is executed when an alert of the type with the previous flag “1” is output. I do.
[0028]
Also, 2) the alert output sequential pattern model is a model that associates a combination of alert types with an action corresponding to the alert type in consideration of the output order, as shown in FIG. 3B. Define that the corresponding "action" is executed when an alert occurs in the registered order.
[0029]
3) The attacker information 1 is information indicating which type of alert has been generated for each attacker, as shown in FIG. As shown in FIG. 3D, the attacker information 2 is information indicating the order in which alerts are generated for each attacker.
[0030]
Further, 4) the time transition model is, as shown in FIGS. 4A to 4C, a model for estimating the total amount of alerts output from the IDS 31, a packet amount (traffic amount; communication amount) determined by the router 37 and the like. ), And a model for predicting the amount of access (total amount of access). For example, this model predicts the total amount of alerts, the amount of communication packets (traffic amount; communication amount), and the amount of access based on past results with one day, one week, one hour, etc. as one time slot. .
[0031]
The communication unit 113 performs communication via various devices in the local system 21 and the WAN 25 via a LAN (local area network). The input unit 114 inputs various information, commands, and the like. The display unit 115 displays various information.
[0032]
The firewall 33 shown in FIG. 1 protects the local system 21 from the outside by restricting various accesses passing therethrough according to conditions or replacing the contents. For example, by looking at the IP address of the external partner, control (packet filtering) of permitting or not permitting passage is performed. Also, control (application gateway) of permitting or not permitting passage is performed in accordance with the protocol (http, SMTP, ftp, telnet, etc.) to be accessed and the access direction (from the local system to the outside or vice versa). Http is a protocol for transmitting and receiving home pages. SMTP is a protocol for sending Internet mail. ftp is a protocol for file transfer. telnet is a protocol for logging in to a server and performing operations. Further, the firewall 33 acquires the history of the session such as telnet, ftp, etc., and provides the history information to the abnormality detection device 35.
[0033]
The router 37 enables communication between the local system 21 and the external WAN 25. The router 37 measures the communication amount (total packet amount; traffic amount) between the local system 21 and the outside, and provides it to the abnormality detection device 35.
[0034]
The network device 39 includes a client terminal, a server device, and the like, and accesses each other inside the local system 21 and communicates with the outside via the firewall 33 and the router 37. The status of access by the network device 39 and access to the network device is monitored by the IDS 31.
[0035]
On the other hand, the cyber attack response center 23 updates the model stored in the storage unit 112 of each abnormality detection device 35 of each local system 21 as appropriate and monitors the entire network. It includes a system (IDS) 31, an abnormality detection device 35, a firewall 33, a router 37, a monitoring device 41, an attacker management system 43, and a DB (database) server 45.
[0036]
The intrusion detection devices (IDS) 31 to the router 37 are substantially the same as those arranged in the local system 21.
The monitoring device 41 is a device that monitors the network condition of the entire system and each local system 21. For example, in a batch process, a data mining process using regression analysis or the like is performed to generate the various models described above. Then, the data is distributed to the abnormality detection device 35 of each local system 21 at midnight or the like.
The attacker management system 43 registers an attacker to be watched based on a clustering result of attackers (classification of attackers performing attacks having the same tendency) described later.
[0037]
The DB server 45 stores a history of alerts issued from the IDSs 31 of the local systems 21, a history of notification of abnormality detection output from the abnormality detection device 35 of the local systems 21, a log of firewalls 33 of the local systems 21. Information such as the output history of the access frequency and the total amount of communication packets output from the routers 37 of the local systems 21 is accumulated, and the history is acquired. The DB server 45 also accumulates information on system failures that have occurred in each local system 21.
[0038]
Next, a monitoring operation by the network state monitoring system having the above configuration will be described.
First, the abnormality detection operation by the abnormality detection device 35 in each local system 21 will be described with reference to the flowcharts of FIGS.
[0039]
First, upon detecting an attack on any device in the local system 21, the IDS 31 detects the time of occurrence, the attacker (IP address and port number), the attacked device (IP address and port number), and the content of the attack. , Etc., and issue an alert. This alert is transmitted to the control unit 111 via the communication unit 113 of the abnormality detection device 35.
[0040]
The control unit 111 starts the abnormality detection processing shown in the flowchart of FIG. 5 in response to the alert, and first specifies the content of the alert (attacker, attack target, type of alert) (step S11).
Next, the number of alerts in the current time slot is incremented by one (step S12).
Subsequently, abnormality detection is performed based on the alert output pattern (step S13).
Subsequently, abnormality detection is performed based on the sequential pattern of the alert output (step S14).
[0041]
Next, the abnormality detection processing based on the alert output pattern in step S13 will be described with reference to FIG.
First, the attacker information 1 stored in the storage unit 112 shown in FIG. 3C is searched using the attacker of the alert specified in step S11 as a key, and what kind of alert has been generated in the past by the attacker That is, the alert generation history is specified (step S21).
[0042]
Next, it is determined whether or not the combination of the specified past alert history and the current alert is registered in the alert output pattern model shown in FIG. 3A (step S22). That is, it is determined whether the current alert is “conclusion” and a combination of alerts based on the past alert occurrence history is registered in the alert output pattern model (step S22).
[0043]
If it is registered, the action (ignore or alarm generation) set in the model is executed (step S23).
On the other hand, if not registered, an alarm is generated (step S24).
[0044]
Next, it is determined whether or not the current alert is registered in the attacker information 1 (step S25), and if not, the alert is registered (step S26).
[0045]
The above operation will be described based on a specific example. For example, the attacker information 1 immediately before a certain alert is generated has the contents shown in FIG. 3C and the alert output pattern model has the contents shown in FIG. In this state, it is assumed that the alert C by the attacker β has occurred.
[0046]
The control unit 111 searches the attacker information 1 using the attacker β as a key, and obtains (1, 0, 0, 1...) For (Alerts A, B, C, D. S21). (Note that the flag “1” indicates that the alert has occurred in the past).
[0047]
Next, based on the determined past alert, it is determined whether or not the pattern resulting from the current alert matches any of the patterns registered in the alert output pattern model of FIG. Step S22). Then, it is determined that the pattern matches the pattern shown in the third row of FIG. Therefore, the action “alarm” set in the row is executed, and an alarm indicating an abnormality is issued in step S23.
[0048]
Subsequently, it is determined whether or not the current alert is registered in the attacker information 1 (step S25). In this example, since no flag is set in the combination of the attacker β and the alert C in FIG. 3C, a new flag is set and the attacker information 1 is set to (1, 0, 1, 1). ..) (step S26).
[0049]
Note that, if the pattern resulting from the current alert does not match any of the patterns registered in the alert output pattern model of FIG. 3A on the condition of the determined past alert (step S22; No) ), An alarm is issued in step S24.
[0050]
Next, the abnormality detection processing based on the sequential pattern of the alert output in step S14 will be described with reference to FIG.
First, the attacker information 2 shown in FIG. 3D is searched using the attacker of the alert identified in step S11 as a key, and the order in which the attacker has generated an alert in the past is identified ( Step S31).
[0051]
Next, the alert that has occurred this time is added to the end of the history (sequence) of the retrieved alert, and a new alert sequence is generated (step S32).
[0052]
Next, for the generated alert sequence, all possible sequential patterns of the alert are created (step S33). Assuming that a sequence of n alerts exists, first, two arbitrary alerts are extracted and these sequential patterns are created. Next, three sequential patterns are created by extracting three arbitrary patterns. . . . The same processing is repeated until n pieces are extracted and a sequential pattern is created.
[0053]
Next, it is determined whether or not each of the sequential patterns that can be taken by the alert generated in step S33 matches one of the sequential models shown in FIG. 3B (step S34).
If there is a match, the action (ignore or issue alarm) set in the model is executed (step S35). If a plurality of possible sequential patterns match the model, an action is executed for each of them.
[0054]
On the other hand, if there is no match, an alarm is generated (step S36). If there is more than one that does not match, an alarm is generated for each.
Next, the current alert is registered in the attacker information 2 (step S37).
[0055]
The above operation will be described in a specific example. For example, the attacker information 2 immediately before a certain alert is generated has the content as shown in FIG. 3D, and the alert output sequential pattern model has the content as shown in FIG. It is assumed that an alert C by the attacker β has occurred in this state.
[0056]
Then, the control unit 111 determines that the attacker is β and the alert is C (step S11), searches the attacker information 2 using the attacker β as a key (step S31), and The sequence of the attack (alert A, alert D in this example) is determined. Next, the current alert is added to the end of this alert sequence, and a sequence (alert A, alert D, alert C) is obtained (step S32).
[0057]
This alert sequence is developed into possible sequential patterns (step S33), and four sequential patterns shown in FIG. 8A are obtained.
Next, it is determined whether any of the patterns matches any of the sequential models (step S34). In this example, since the pattern on the fourth line (alert A, alert D, alert C) matches the pattern on the third line of the alert output sequential pattern model, the action “alarm” registered therein is executed ( Step S35). Subsequently, the current alert is added to the attacker information 2 and updated as shown in FIG. 8B (step S37).
[0058]
If one of the possible sequential patterns shown in FIG. 8A does not match any of the alert output sequential pattern models in FIG. 3B (step S34; No), the alarm is issued in step S36. Issued at
[0059]
This is the end of the description of the operation of the abnormality detection device 35 when an alert has occurred.
[0060]
On the other hand, the control unit 111 of the abnormality detection device 35 executes the process shown in FIG. 9 at a timing when a time slot preset based on the time transition model ends, in accordance with a timer interrupt or the like.
[0061]
First, it is determined which of the time slots on the time transition model the current time belongs to (step S41).
[0062]
Next, the number of alerts of the current time slot (counted in step S12) stored in the storage unit 112 is read (step S42), and the time transition alert model ( FIG. 4A is read (step S43), and it is determined whether or not the number of alerts is out of the prediction range (step S44). For example, if the actual number of alerts is in the range of 2/3 to 4/3 of the number of alerts predicted by the prediction model, it is determined that this is within the prediction range. It is determined that it is out of the prediction range. If the actual number of alerts deviates from the prediction range, an alarm is generated (step S45). On the other hand, if it is within the prediction range, for example, nothing is performed.
[0063]
Next, the history of the packet input / output amount (number) is obtained by inquiring of the router 37 (step S46), and the time transition prediction model of the packet input / output amount shown in FIG. ), It is determined whether or not the actual number of packets in the current time slot is out of the prediction range (step S48). For example, if the actual number of packets is in the range of 2/3 to 4/3 of the number of packets predicted by the prediction model, it is determined that this is within the prediction range. It is determined that it is out of the prediction range. If the actual number of packets deviates from the prediction range, an alarm is generated (step S49), and if it is within the prediction range, nothing is done.
[0064]
Next, an inquiry is made to the firewall 33 to obtain the actual access frequency (amount) such as telnet, ftp, etc. in the current time slot (step S50), and the access amount of the access amount shown in FIG. The prediction model is read (step S51), and it is determined whether or not the access frequency is out of the prediction range (step S52). For example, if the actual access frequency is in the range of 2/3 to 4/3 of the access frequency predicted by the prediction model, it is determined that this is within the prediction range. It is determined that it is out of the prediction range. If the actual access frequency deviates from the predicted range, an alarm is generated (step S53). On the other hand, if it is within the prediction range, nothing is done.
[0065]
This is the end of the current interrupt processing.
[0066]
Next, the operation of the cyber attack handling center 23 will be described.
As described above, the cyber attack handling center 23 has roughly two functions. The first is a process of appropriately updating the model stored in the storage unit 112 of each of the abnormality detection devices 35 described above, and the second is a process of monitoring the entire local system 21.
[0067]
First, a process of generating and distributing a model will be described with reference to FIG. The DB server 45 accesses the abnormality detection devices 35 of all the local systems 21 at midnight or the like, and obtains all log information (alert log, packet input / output amount, number of error packets, unpermitted traffic and permitted However, a log when there is a session such as telnet, login, ftp, information on the amount of incoming / outgoing packets, the number of error packets, etc.) and information on an abnormality that has occurred in the local system 21 are acquired (step S61).
[0068]
On the other hand, the monitoring device 41 associates a set of alerts with the result of the log collected and accumulated by the DB server 45 using a data mining technique (step S62). Here, the alert set includes, for example, both a combination of alert types (order does not matter) and an alert sequence (order matters).
[0069]
Next, the monitoring device 41 compares the result of the combination of alerts with an arbitrarily set criterion, and if the result is equal to or greater than the criterion (critical), sets “occurrence of alarm” as an action, and the result is less than the criterion. If (minor), "ignore" is set as the action (step S63). For example, if it is determined that a serious result higher than the standard occurs (probably high) after a certain combination of alerts is established, “alarm generation” is set as the action. Conversely, if it is determined that no abnormality occurs (probability is high) even if a certain combination of alerts is established, “ignore” is set as the action.
[0070]
Further, the monitoring device 41 sorts and organizes the history of the alerts by attacker, and updates the attacker information 1 and the attacker information 2 (step S64).
[0071]
Further, based on the collected alert history, the amount of communication packets, the amount of error packets, the amount of access, and the like, the monitoring device 41 causes each of the local systems 21 to generate an amount of an alert that will occur in a specified period in the future, The expected values of the amount and the access amount are obtained (step S65). When calculating the expected value, the month, the day, the day of the week, and the like are considered. This is due to the fact that attackers have a tendency to launch attacks continuously for a certain period of time, a tendency to launch attacks simultaneously by multiple attackers, and a tendency to launch attacks on specific days and times. It was done. In this way, a time transition model is generated. Such a prediction can be made by, for example, regression analysis in which month, day, day of the week, and the like are added to the explanatory variables.
[0072]
In this way, an alert output pattern model, an alert output sequential pattern model, and three time transition models are generated and distributed to each abnormality detection device 35 (step S66). Each abnormality detection device 35 receives these models and stores them in the storage unit 112.
[0073]
On the other hand, as shown in FIG. 11, the attacker management system 43 receives a log of alert information from the DB server 45 (step S71).
[0074]
Next, as shown in FIG. 11, the types of alerts and the manner in which the alert is generated for each attacker are summarized as shown in FIG. 12, and the manner in which the alert is generated is vectorized (step S72). That is, a vector having the number of occurrences of each type of alert as an element is generated. Vectorize how each attacker generates an alert. The generated vector is called a feature vector. For example, in the case of the attacker α in FIG. 12, a feature vector of (24, 20, 0, 0) is obtained. Next, the attacker is clustered using the feature vector (step S73). That is, the similarity of each feature vector is obtained (for example, an inner product between unit vectors of the feature vector is obtained, and a product having a small inner product can be determined to be similar), and an attacker who performs a similar attack based on a predetermined criterion. As one unit, and classify the attackers. Further, as illustrated in FIG. 13, the clustered attackers are visualized (step S74) and displayed on the display device in response to the request of the operator (step S75). By looking at the classification result, the security administrator can grasp the characteristics of the attacker, pick up the attacker who needs attention, and use it for future monitoring methods. By performing such processing, for example, it can be easily determined that the attackers α and γ in FIG. 12 are similar.
[0075]
In addition, a method of vectorizing a method of generating an alert is arbitrary. For example, each attacker can be represented by the number of alerts generated per unit time.
[0076]
The monitoring device 41 monitors the entire network, detects an alarm signal from each local system 21, and determines an abnormal state of each local system 21 and the entire network. In other words, an overview of the information system is used to determine whether it is being used properly, whether it is being used abnormally at some sites, or whether it is being used abnormally as a whole. I do. Then, if necessary, the threshold value of the abnormality detection of each local system 21 is corrected, and the security (network condition) of the entire system is adjusted.
[0077]
For example, when the monitoring device 41 is notified of an abnormal state from the abnormality detecting device 35 of a specific local system 21-k, the monitoring device 41 determines the network condition of the local system 21-k (how much the information system is in a safe state). Indicating that the signature of the IDS 31 of the local system 21-k (a pattern of the characteristic of the packet assumed to be an attack) is switched to a signature for a more dangerous state. In response to this instruction, the IDS 31 of the local system 21-k switches the signature.
[0078]
Further, the monitoring device 41 raises the network condition of the present information system, for example, when an abnormal state is notified from a specific number or more of the local systems 21, for example, two or more local systems 21. , An instruction to switch the signature of the IDS 31 of each local system 21 to a signature for a more dangerous state. In response to this instruction, the IDS 31 of each local system 21 switches signatures.
[0079]
As described above, the monitoring device 41 gives an overview of the entire information system, and determines whether the information system is used properly, is used abnormally at some sites, or is used abnormally as a whole. If it is used normally, maintain the status (or lower the network condition), and if some sites are abnormally used If necessary, raise the level of the network condition of the local site, and if it is being used abnormally as a whole, raise the network condition of the entire information system and improve the security of the information system as appropriate. Can be.
[0080]
As described above, according to the present embodiment, the log of the alert output of the IDS 31 is used to represent an alert output pattern model, an alert output sequential pattern model, an alert output amount transition model, and the like. Can detect an abnormality in how the alert of the IDS 31 is output, and can execute a corresponding action.
In addition, when an alert is generated, if an alert output log of the IDS 31 does not correspond to any of the alert output pattern model and the alert output sequential pattern model, the alert is notified of the abnormality, and the log is registered in the pattern model. Not detect abnormalities.
[0081]
In addition, the traffic (packet amount) of each local system 21 can be modeled to detect anomalies in traffic at each site.
Furthermore, using the accumulated log of the firewall 33, the state of the information system in a steady state (frequency of Telnet, ftp session, etc.) can be modeled to detect an abnormality in the frequency of the session.
[0082]
Furthermore, by monitoring the entire system with the monitoring device and determining the network condition of the entire system, it is possible to uniformly instruct actions such as a change in the signature of the IDS 31 and a change in the rule of the firewall 33.
Further, by classifying the attackers by the feature vector of the alert, it is easy to specify the attackers to be watched.
[0083]
The present invention is not limited to the above embodiment, and various modifications and applications are possible.
[0084]
In addition, by installing a program for executing the above-described operation on a computer or a group of computers from a medium (flexible disk, CD-ROM, or the like) storing the above-described mouse pointer utility program, the above-described program is installed. A computer or the like that executes the processing can be configured. In the case where the above-described functions are realized by the sharing of the OS or the joint use of the OS and the application, only the portion other than the OS may be stored in the medium.
[0085]
Note that it is also possible to modulate a carrier with a program signal and distribute it via communication.
[0086]
【The invention's effect】
As described above, according to the present invention, a highly reliable network state monitoring system can be provided.
[Brief description of the drawings]
FIG. 1 is a diagram illustrating a configuration example of a network including a monitoring system according to an embodiment of the present invention.
FIG. 2 is a diagram illustrating a configuration example of the abnormality detection device illustrated in FIG. 1;
FIG. 3 is a diagram illustrating an example of data stored in an abnormality monitoring device.
FIG. 4 is a diagram showing an example of data stored in the abnormality monitoring device.
FIG. 5 is a flowchart illustrating an operation of the abnormality detection device when an alert is generated from the IDS.
FIG. 6 is a flowchart for explaining an abnormality detection operation based on the alert output pattern model in the flowchart of FIG. 5;
FIG. 7 is a flowchart for explaining an abnormality detection operation based on a sequential pattern model of an alert output in the flowchart of FIG. 5;
8A is a diagram for explaining a process for obtaining a sequential pattern that can be taken by an alert executed in step S33 of FIG. 7, and FIG. 8B is a diagram showing an updated state of the attacker information 2; It is.
FIG. 9 is a flowchart illustrating an abnormality detection process based on a time transition model.
FIG. 10 is a diagram for explaining a model update process.
FIG. 11 is a diagram illustrating a process of clustering attackers.
FIG. 12 is a diagram illustrating a process of clustering attackers.
FIG. 13 is a diagram illustrating an example in which an attacker is clustered and visualized.
[Explanation of symbols]
21 Local system
23 Cyber Attack Response Center
33 Firewall
35 Anomaly detection device
37 router
41 Monitoring device
43 Attacker Management System
45 DB server

Claims (13)

Intrusion detection means that is located on the network, detects attacks on the network, and generates an alert when an attack is detected;
Alert information collecting means for collecting information identifying an alert generated by the plurality of intrusion detecting means,
Model storage means for storing a model that associates an output pattern of an alert generated based on information about an alert collected by the alert information collection means with an action for the output pattern,
An alert history information acquisition unit for acquiring history information of an alert that has occurred,
The combination of alerts specified by the alert history information acquired by the alert history information acquisition unit is compared with the model stored in the model storage unit, and if any of the models matches, the registered action And if it does not match any of the models, an abnormality detection means for detecting an abnormality,
A network condition monitoring system comprising: The model storage means stores the combination of the output alert type and the action in association with each other,
The abnormality detecting means, when a new alert is generated, identifies the attacker and the type of the alert, and from the alert history information stored in the alert history information acquiring means, causes the attacker to issue the alert in the past. The combination of the type of alert issued by the attacker in the past and the combination of the current alert type is determined as one of the combinations of the types of alerts stored in the model storage means. If they match, execute the registered action, and if they do not match, notify the abnormality,
The network status monitoring system according to claim 1, wherein: The model storage unit stores the order of the type of the output alert and the action in association with each other,
The abnormality detecting means, when a new alert is generated, identifies the attacker and the type of the alert, and from the alert history information stored in the alert history information acquiring means, causes the attacker to issue the alert in the past. The order of the types of the alerts obtained is obtained, and the order of the types of the alerts issued by the attacker in the past and the current alerts matches one of the orders of the types of the alerts stored in the model storage means. In that case, execute the registered action, and if none of them match, notify the abnormality,
The network status monitoring system according to claim 1 or 2, wherein: The model storage means stores a model of a time transition of the output amount of the alert,
The abnormality detection unit compares the amount of the alert acquired by the alert history information acquisition unit with a model of the time transition of the output amount of the alert, and notifies an abnormality based on the comparison result.
The network status monitoring system according to claim 1, 2 or 3, wherein: The network status monitoring system according to any one of claims 1 to 4, further comprising a classification unit configured to classify an alert generator based on a type of the generated alert. Means for determining the type and amount of alerts generated for each alert generator, and classification means for classifying, based on the determined type and amount of alerts, those who generate alerts of the same tendency into the same classification The network condition monitoring system according to any one of claims 1 to 4, further comprising: Further comprising a communication amount measuring means for measuring the communication amount,
The model storage means stores a model of the time transition of the traffic,
The abnormality detecting unit compares the traffic measured by the traffic measuring unit with a model of the time transition of the traffic, and notifies an abnormality based on the comparison result.
The network status monitoring system according to claim 1, wherein: Further comprising an access amount measuring means for measuring the access amount,
The model storage means stores a model of a time transition of the access amount,
The abnormality detection unit compares the access amount measured by the access amount measurement unit with a model of the time transition of the access amount, and notifies an abnormality based on the comparison result.
The network status monitoring system according to any one of claims 1 to 7, wherein: An alert information collection unit that collects information on an alert that has occurred from a plurality of intrusion detection units that generate an alert when a network attack is detected;
Model generation means for generating a model that associates an alert output pattern with an action for the output pattern based on the alert information collected by the alert information collection means,
Alert history generation means for generating history information of the generated alert based on the information of the alert collected by the alert information collection means,
A network condition monitoring system comprising: The alert information collecting means collects information on alerts generated by intrusion detection means arranged in a plurality of local systems,
The model generation unit generates a model that associates an alert output pattern with an action corresponding to the output pattern based on information on alerts generated in the plurality of local systems collected by the alert information collection unit. Means for generating history information of the generated alert, and transmission means for providing the generated model and history information to the abnormality detection device of each local system,
The network status monitoring system according to claim 9, wherein: An alert receiving means for receiving an alert generated from an intrusion detecting means for detecting an attack on the network;
Model storage means for storing a model that associates the output pattern of the alert with an action for the output pattern,
Alert history storage means for storing history information of alerts generated by the intrusion detection means,
Alert information generated from the new alert received by the alert receiving means and the alert history stored in the alert history storage means is compared with a model stored in the model storage means, and any one of the models is compared. If it matches, the registered action is executed, and if it does not match any model, an abnormality detecting means for detecting an abnormality,
A network condition monitoring system comprising: Computer or group of computers,
An alert information collection unit that collects information on generated alerts from multiple intrusion detection units that generate alerts when network attacks are detected,
Model generation means for generating a model that associates an alert output pattern with an action for the output pattern based on the alert information collected by the alert information collection means,
Alert history generation means for generating history information of the generated alert based on the information of the alert collected by the alert information collection means,
Computer program to function as. Computer or group of computers,
Model storage means for storing a model that associates an alert output pattern with an action for the output pattern,
Alert history storage means for storing history information of the alerts that have occurred,
Alert receiving means for receiving alerts from intrusion detection means for detecting attacks on the network,
Alert information generated from the new alert received by the alert receiving means and the alert history stored in the alert history storage means is compared with a model stored in the model storage means, and any one of the models is compared. If it does not match any of the models, execute the registered action.
Computer program to function as.

Images