JP2005333200A - Device and program for monitoring unauthorized communication - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an unauthorized communication monitoring device capable of early discovering an attack from a computer infected with a worm to the other computer, and an unauthorized communication monitoring program. <P>SOLUTION: A NIDS 8 allocates an unused IP address notified from a DHCP server 7 to interface hardware and starts the monitoring of a packet signal transmitted to the IP address. For example, when a host computer 2 infected with a worm transmits an ARP request signal designating the unused IP address, the NIDS 8 replies a unique MAC address to the host computer 2 if the corresponding IP address is allocated to the interface hardware. By this, the host computer 2 transmits an attack packet signal to the MAC address of the NIDS 8. Therefore, the NIDS 8 determines whether it is an unauthorized packet signal or not, and notifies a manager of the occurrence of security invasion if the acquired packet signal is the unauthorized signal. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to an unauthorized communication monitoring apparatus and an unauthorized communication monitoring program for monitoring unauthorized access from an arbitrary computer connected to a computer network to another computer.

  Conventionally, for example, a network intrusion detection system (NIDS), which is a network-based intrusion detection system, is often used to monitor a security breach that occurs via a computer network. The NIDS monitors the packet signal passing through the computer network, determines that a security breach has occurred when an illegal feature is found in the packet signal, and notifies the administrator, for example, of the occurrence of the security breach. In addition, when it is determined that a security breach has occurred, various measures are taken to minimize damage caused by unauthorized access.

  Specifically, for example, in the technique described in Patent Document 1, a 罠 terminal is installed in the internal network, and at the gateway, it is determined whether or not the received connection request packet is an access by a legitimate user, and the connection request packet Is not an access by a legitimate user, that is, when an unauthorized access from an external network is detected, the connection request packet (unauthorized access) is guided to a certain terminal instead of a normal host. Thereby, the trap terminal can identify the unauthorized access terminal by collecting information on the unauthorized access terminal.

  For example, in the technology described in Patent Document 2, a regular server and a virtual decoy server are operated on a network, and an unauthorized intrusion monitoring unit of the regular server monitors an input data packet to establish a communication session. It is determined whether or not the communication session is by an unauthorized intruder, and when the communication session is by an unauthorized intruder, that is, when unauthorized access to a legitimate server is detected, the communication session is taken over by the virtual decoy server. In this way, by using a virtual decoy server to behave as if unauthorized access has succeeded for an unauthorized intruder, unauthorized access to a legitimate server can be prevented.

  For example, in the technique described in Patent Document 3, a pseudo server is arranged on the network, and when the monitoring device monitors traffic on the network and detects illegal traffic, it arrives at the router later. Directs all illegal packets to be transferred to the pseudo server. In addition, the pseudo server returns data that does not have any problem even if it is acquired for unauthorized access. Thus, the session can be continued for a long time, and the source can be traced by following the path of the illegal packet during that time.

Further, for example, in the technology described in Patent Document 4, as an initial state of the switching hub, all input signals from the port connected to the client are set to be output only to the port connected to the DHCP server. In the DHCP server, if it is confirmed that the input signal from the port to which the client is connected is a signal from a MAC (Media Access Control) address permitted to connect, network information such as an IP (Internet Protocol) address Is given to the client and communication with other ports is permitted. On the other hand, if the input signal from the port to which the client is connected cannot be confirmed as a signal from the MAC address to which connection is permitted, A method of disabling communication with other ports without returning a response is disclosed. As a result, a client not authenticated by the DHCP server cannot access another port.
Japanese Patent Laid-Open No. 2002-199024 JP 2002-111727 A JP 2000-26183 A JP 2003-338826 A

  By the way, one of the things that should be detected by the conventional NIDS is a worm that is infected via a computer network. When a worm infects a certain host computer, in order to search for the next host computer to be infected, it sequentially generates attack target IP addresses according to a certain rule, and connects to the port used by the IP address worm for infection. By making a request, the host computer on which the port used for infection is open is examined (this action is called horizontal port scanning). When a host computer with an open port for infection is found, an attack for infection is performed on that port.

  However, in the conventional NIDS, such a horizontal port scan packet signal (connection request packet signal using a specific port for a large number of host computers) and an attack packet signal used for infection are connected to a port to which the NIDS is connected. If it does not flow, there is a problem that the worm cannot be detected.

  In other words, in the techniques disclosed in Patent Document 1 to Patent Document 3 described above, if an unauthorized access can be detected by a monitoring unit or a monitoring device that monitors unauthorized access, Although measures can be taken to identify the source of access and measures to prevent leakage of important information from legitimate servers, the above measures can be implemented if a worm attack cannot be detected. Therefore, there is a problem that worm infection cannot be stopped. Note that the technique disclosed in Patent Document 4 described above is intended to authenticate using a DHCP server, block unauthorized access, and acquire a legitimate signal. Although it is not trying to detect worms and can stop worm infections, the first infected worm may be left undetected.

  The reason why the worm attack cannot be detected by the prior art will be described in more detail below. Specifically, as shown in FIG. 7, when the worm-infected host computer 51 attacks the host computers 58, 59, 60, 61 of another external computer network B centered on the hub 62, for example, Since the packet signal for horizontal port scanning first reaches the router 57 connecting the local computer network A centering on the hub 55 to which the worm-infected host computer is connected and the external computer network B, the NIDS 56 is connected to the hub 55 and the router. If it is connected to the network 57, all connection request packet signals transmitted by the worm-infected host computer 51 can be captured in the NIDS 56, so that the worm can be detected.

  On the other hand, as shown in FIG. 8, when an attack is directed to the host computers 52, 53, and 54 of the local computer network A to which the worm-infected host computer 51 is connected, a shared hub is used as the connection hub 55. Then, the attack packet signal to the existing host computers 52, 53, 54 reaches the network interface of the NIDS 56, but when the switching hub is used as the connection hub 55, the attack packet signal is the NIDS 56 Since the network interface is not reached, there is a problem that the attack packet signal cannot be detected even though the attack by the worm-infected host computer 51 is occurring.

  In addition, since the worm-infected host computer 51 generates an IP address at random and performs an attack, it has the property of trying to send a packet signal addressed to a nonexistent host computer. In NIDS, connection requests addressed to a large number of IP addresses. It is possible to detect the presence of a worm based on whether or not an error has occurred. For this reason, it is desirable that a connection request packet signal addressed to an unused IP address can be captured by NIDS. However, even if a shared hub is used as a connection hub, when the worm-infected host computer 51 attacks the local computer network A, access to an unused IP address is performed by the first ARP (Address Since the MAC address of the host computer to be infected next corresponding to the IP address cannot be obtained at the stage of Resolution Protocol (address resolution by the address resolution protocol), an attack packet signal is sent from the worm-infected host computer 51. However, there is a problem that the information for determining the worm infectious action by the NIDS 56 is reduced, making it difficult to detect the worm.

  The present invention has been made in view of the above problems, and an unauthorized communication monitoring apparatus and an unauthorized communication monitoring program capable of early detection of an attack from a computer infected with a worm to another computer regardless of the form of the computer network. The purpose is to provide.

  In order to solve the above problems, an unauthorized communication monitoring apparatus according to the invention of claim 1 is an unauthorized communication monitoring apparatus that monitors unauthorized access from any computer connected to a computer network to another computer, Of the network layer addresses uniquely assigned to the computer for identifying the computer on the computer network, unused address management means for storing the unused network layer address, and an interface device for the computer network An unused address setting means for allocating an unused network layer address to the interface device, and a communication request signal transmitted by designating the network layer address from the arbitrary computer on the computer network The address comparison means for comparing the unused network layer address assigned to the interface device with the network layer address specified by the communication request signal, and as a result of the comparison by the address comparison means, When the network layer address specified by the communication request signal is included in the allocated unused network layer address, the interface device is connected to the arbitrary computer that has transmitted the communication request signal. A physical address notifying means for notifying a physical address for identifying the uniquely assigned hardware; and a communication signal transmitted by designating the physical address from the arbitrary computer; Unauthorized communication judgment that determines whether the signal is a communication signal Characterized by comprising a means.

  In the unauthorized communication monitoring apparatus having the above configuration, the unused address setting unit assigns an unused network layer address stored in the unused address management unit to the interface device with the computer network. When a communication request signal transmitted by designating a network layer address from an arbitrary computer is received, an unused network layer address assigned to the interface device is compared with the network layer address specified by the communication request signal. Compare with If the network layer address specified by the communication request signal is included in the unused network layer address assigned to the interface device as a result of the comparison by the address comparing means, the physical address notifying means A physical address for identifying hardware uniquely assigned to the interface device is notified to any computer that has transmitted the communication signal, and a communication signal transmitted by designating the physical address is transmitted from the arbitrary computer. If it is received, it is determined by the unauthorized communication determination means whether or not the communication signal is an appropriate communication signal. Thereby, it is possible to determine whether or not the communication signal for the unused network layer address is an appropriate communication signal by the unauthorized communication determination unit.

  The unauthorized communication monitoring apparatus according to a second aspect of the present invention is the unauthorized communication monitoring apparatus according to the first aspect, wherein the unused address management means assigns the network layer address to the computer connected to the computer network. From the above, an unassigned network layer address that is not scheduled within a predetermined time is acquired as an unused network layer address.

  In the unauthorized communication monitoring apparatus having the above-described configuration, the unused address management unit acquires a network layer address that is not scheduled to be assigned to a computer within a predetermined time from an external server as an unused network layer address. By properly monitoring the communication signal for the network layer address properly assigned to the computer and the communication signal to be monitored for the unused network layer address by monitoring the communication signal for the used network layer address. Can do.

  An unauthorized communication monitoring apparatus according to a third aspect of the present invention is the unauthorized communication monitoring apparatus according to the first aspect, wherein the unused address management means assigns the network layer address to the computer connected to the computer network. An allocation unit is provided, and a network layer address that is not scheduled to be allocated within a predetermined time by the address allocation unit is stored as an unused network layer address.

  In the unauthorized communication monitoring apparatus having the above configuration, the unused address management means stores the network layer address that is not scheduled to be assigned to the computer within a predetermined time by the address assigning means as an unused network layer address. By properly monitoring the communication signal for the network layer address properly assigned to the computer and the communication signal to be monitored for the unused network layer address by monitoring the communication signal for the used network layer address. Can do.

  An unauthorized communication monitoring apparatus according to a fourth aspect of the present invention is the illegal communication monitoring apparatus according to the third aspect, wherein the address assigning means can assign a predetermined number of the network layer addresses to the computer. The network address is managed as a layer address, and the excess exceeding the predetermined number is managed as the unassigned network layer address. When the number of assignable network layer addresses becomes insufficient, the assignable network layer address The network layer address that is not scheduled to be allocated is managed as the assignable network layer address after at least the predetermined time has elapsed since the number is insufficient.

  The unauthorized communication monitoring apparatus having the above configuration can assign a network layer address that was not scheduled to be assigned to the computer after at least a predetermined time has elapsed since the number of network layer addresses that can be assigned to the computer is insufficient. By using the network layer address, the communication signal for the network layer address properly assigned to the computer is prevented from being sent to the unauthorized communication monitoring device by the network layer address cache function in each device connected to the computer network. can do.

  The unauthorized communication monitoring device according to claim 5 is the unauthorized communication monitoring device according to claim 4, wherein the address assigning means returns the network layer address that has already been assigned to the computer. The returned network layer address is managed as the assignable network layer address after at least the predetermined time has elapsed since the return.

  When the network layer address that has already been assigned to the computer is returned, the unauthorized communication monitoring device having the above-described configuration can return the returned network layer address to another computer after at least a predetermined time has elapsed after the return. As a network layer address that can be assigned to the network, it is possible to prevent a communication failure caused by a network layer address cache function in each device connected to the computer network.

  An unauthorized communication monitoring program according to a sixth aspect of the invention is an unauthorized communication monitoring program for causing a computer as a monitoring device to execute processing for monitoring unauthorized access from any computer connected on a computer network to another computer. An unused address for assigning an unused network layer address to an interface device with the computer network among network layer addresses uniquely assigned to the computer for identifying the computer on the computer network A setting process and a communication request signal transmitted from the arbitrary computer on the computer network by designating the network layer address are received, and the unused network assigned to the interface device is received. Among the unused network layer addresses assigned to the interface device as a result of the address comparison process comparing the work layer address and the network layer address specified by the communication request signal, and the comparison by the address comparison process When the network layer address specified by the communication request signal is included, the hardware uniquely assigned to the interface device is identified for the arbitrary computer that has transmitted the communication request signal. Physical address notification processing for notifying a physical address, and unauthorized communication for receiving a communication signal transmitted from the arbitrary computer by specifying the physical address and determining whether the communication signal is an appropriate communication signal The determination processing is executed by a computer having a monitoring device. To.

According to the unauthorized communication monitoring apparatus according to claim 1 and the unauthorized communication monitoring program according to claim 6, whether or not the communication signal for the unused network layer address is an appropriate communication signal, an unused network All communication signals for the layer address can be determined by unauthorized communication determining means or unauthorized communication determining processing.
Therefore, because attacks from computers infected with worms include many attacks that specify unused network layer addresses, by detecting unauthorized access to unused network layer addresses, Regardless of the form of the computer network, it is possible to realize an unauthorized communication monitoring apparatus and an unauthorized communication monitoring program that can detect an attack from a computer infected with a worm to another computer at an early stage.

According to the unauthorized communication monitoring apparatus according to claim 2 and the unauthorized communication monitoring apparatus according to claim 3, a communication signal for a network layer address that is legitimately assigned to a computer and a monitoring target for an unused network layer address The communication signal can be accurately distinguished and monitored.
Therefore, it is possible to realize an unauthorized communication monitoring apparatus capable of accurately detecting unauthorized access to an unused network layer address. In particular, according to the unauthorized communication monitoring device according to claim 2, by acquiring information on an unused network layer address from an external server, it is specialized in determining a communication signal, and can efficiently and quickly become a worm. An effect is obtained that it is possible to realize an unauthorized communication monitoring device capable of detecting an attack from an infected computer to another computer.

According to the unauthorized communication monitoring apparatus of claim 4, a communication signal for a network layer address that is legitimately assigned to a computer is transmitted to the unauthorized communication monitoring apparatus by a network layer address cache function in each device connected to the computer network. It can be prevented from being transmitted.
Therefore, it is possible to accurately acquire only the communication signal to be monitored with respect to the unused network layer address that should be determined whether or not it is appropriate, and to prevent a decrease in the efficiency of the monitoring operation in the unauthorized communication monitoring device. It is possible to realize an unauthorized communication monitoring device that can determine a communication signal for an unused network layer address in a short time and detect an attack from another computer infected with a worm at an early stage. .

According to the unauthorized communication monitoring apparatus of the fifth aspect, it is possible to prevent a communication failure caused by a network layer address cache function in each device connected to the computer network.
Accordingly, it is possible to prevent an unauthorized communication monitoring apparatus capable of accurately detecting an attack from a computer infected with a worm to prevent the monitoring of a communication signal for an unused network layer address due to a communication failure. The effect of being able to be obtained.

  Embodiments of the present invention will be described below with reference to the drawings.

FIG. 1 is a block diagram showing a configuration of a local computer network 1 including an unauthorized communication monitoring apparatus according to an embodiment of the present invention.
In FIG. 1, a local computer network 1 including an unauthorized communication monitoring device of this embodiment includes a host computer 2, 3, 4, 5 constituting the local computer network 1, and a host computer 2, An IP (Internet Protocol) address is dynamically assigned to a hub 6 that collects signal lines from 3, 4, and 5 and a host computer that constitutes the local computer network 1, and is already assigned to a host computer in the local computer network 1. And a DHCP (Dynamic Host Configuration Protocol) server 7 that manages IP addresses that are in use and IP addresses that are not in use. The IP address is one of the network layer addresses for identifying the host computer on the computer network in the network layer protocol of the OSI reference model, and is used when the Internet protocol is used as the network layer protocol. .

  Further, the local computer network 1 monitors a packet signal passing through the local computer network 1 in the same manner as a normal NIDS (Network Intrusion Detection system), and when an illegal feature is found in the passing packet signal. Determines that a security breach has occurred, and further acquires all packet signals addressed to unused IP addresses that are not assigned to the host computers 2, 3, 4, and 5, and the acquired packet signal has illegal characteristics. If a security breach has occurred, it is determined that a security breach has occurred. If it is determined that a security breach has occurred, a NIDS 8 is provided to notify the administrator or the like of the occurrence of the security breach.

For simplification of explanation, the number of host computers constituting the local computer network 1 is four, but the host computers can be connected to the local computer network 1 by the number of available IP addresses.
Further, the form of the local computer network 1 is not limited to a computer network based on wired communication, but may include a computer network based on wireless communication.

Next, the operation of the local computer network 1 including the unauthorized communication monitoring device of this embodiment will be described.
First, an IP address management method by the DHCP server 7 will be described. In a normal DHCP server, an IP address range (assignable IP address) that can be assigned when there is an IP address assignment request from a client host such as the host computer 2, 3, 4, 5, etc., and already assigned IP addresses (assigned IP addresses) are managed. However, in addition to the normal DHCP server function, the DHCP server 7 further manages IP addresses that the DHCP server 7 has that cannot be assigned for a while as “IP addresses that are not scheduled to be assigned”, A function of introducing and managing a state of “scheduled IP address” as an intermediate state when changing “unassigned IP address” to “assignable IP address” is provided.

That is, in the DHCP server 7, the IP address has the following four states, and the DHCP server 7 manages the states.
(1) “Assigned IP address” = IP address already assigned to the host computer and used (in use) on the local computer network 1.
(2) “assignable IP address” = an IP address that has not yet been assigned to the host computer, but can be assigned immediately if there is an IP address assignment request from the host computer.
(3) “Assigned IP address” = an IP address that cannot be assigned to a host computer yet, but becomes an “assignable IP address” after a predetermined time has elapsed.
(4) “Unassigned IP address” = an IP address that is not scheduled to be assigned within a certain time (at least within the above-mentioned fixed time)
The “certain time” described in (3) of the IP address management state in the DHCP server 7 will be described in detail later.

  FIG. 2 shows the state transition of the IP address managed by the DHCP server 7. In FIG. 2, the state transition among “assigned IP address: IP1”, “assignable IP address: IP2”, “assigned scheduled IP address: IP3”, “unassigned IP address: IP4” is performed from the client host. When there is an IP address assignment request to the DHCP server 7, one of “assignable IP addresses: IP2” is selected and assigned to the requested client host. The assigned IP address is managed as “assigned IP address: IP1” in the DHCP server 7 together with information of the assigned client host (for example, a MAC address). The MAC (Media Access Control) address is a physical address for identifying the hardware uniquely assigned to the interface hardware (interface device) for computer network connection.

  On the other hand, when the client host returns the IP address, after the time (for example, about 30 minutes) for clearing the contents of the ARP (Address Resolution Protocol) cache of each device constituting the local computer network 1 has elapsed, “ “Assigned IP address: IP1” is changed to “assignable IP address: IP2”. The ARP cache is a table in which each device stores an IP address obtained by the latest ARP resolution and a corresponding MAC address. The “certain time” described in (3) of the IP address management state in the DHCP server 7 described above is a time longer than the time (for example, about 30 minutes) when the contents of the ARP cache of each device are cleared. To do.

  As described above, the “assigned IP address: IP1” is not immediately changed to the “assignable IP address: IP2”, but is changed to the “assignable IP address: IP2” after a predetermined time has elapsed. It is possible to clear the contents of the ARP cache of each device constituting the IP address, and assign the IP address to the client host while the correspondence between the previous IP address and the MAC address is stored in the ARP cache. It becomes possible to prevent communication failure due to.

  On the other hand, in the DHCP server 7, when the number of “assignable IP addresses: IP 2” increases due to an IP address being returned from the client host or the like, an extra “assignable IP address: IP 2” is assigned to the “scheduled assignment”. “None IP address: IP4”. In this case, the state of the IP address can be changed immediately.

  Specifically, there are various methods for classifying the “assignable IP address: IP2” and the “unassigned IP address: IP4”. As a simple method, the IP in the range assigned by the DHCP server 7 can be used. There is a method in which only a predetermined number of IP addresses are always set to “assignable IP address: IP2” from among addresses (hereinafter referred to as DHCP addresses). In this method, when there is an IP address assignment request from the client host, assignment is immediately made from “assignable IP address: IP2”, and the number of “assignable IP address: IP2” is a predetermined number. If it falls below, one of the “unassigned IP address: IP4” is changed to “assignable IP address: IP2” to make up for the shortage.

  However, when the number of “assignable IP addresses: IP2” is less than the predetermined number and it is desired to change “assignable IP address: IP4” to “assignable IP address: IP2”, “assignable IP address: IP2: Change "IP4" to "assigned IP address: IP3" once, wait for a time (for example, about 30 minutes) until the ARP cache is cleared, and then change to "assignable IP address: IP2" .

  As described above, the local computer network 1 is configured by setting the “assignable IP address: IP3” to the “assigned IP address: IP3” state for a certain period of time without changing the “assignable IP address: IP4” immediately to the “assignable IP address: IP2”. It is possible to clear the contents of the ARP cache of each device, and since the correspondence between the previous IP address and the MAC address is stored in the ARP cache, the packet signal for the IP address that is properly assigned to the client host Can be prevented from being transmitted to the NIDS 8 and treated as a monitoring target packet signal for an unused IP address.

Next, the initial setting process in the local computer network 1 including the unauthorized communication monitoring apparatus of this embodiment will be specifically described. FIG. 3 is a sequence diagram showing an initial setting processing operation in the local computer network 1 including the unauthorized communication monitoring apparatus of this embodiment.
In FIG. 3, first, the DHCP server 7 stores the DHCP address and the number of assignable IP addresses shown in Table 1 below inputted by the administrator of the local computer network 1 (step S1).

  Next, the DHCP server 7 divides the input DHCP address into a predetermined number of “assignable IP addresses” and other “unassigned IP addresses” as shown in Table 2 below (step S2). ).

Then, the DHCP server 7 notifies the NIDS 8 of a list of “IP addresses not scheduled to be allocated” (step S3).
On the other hand, the NIDS 8 assigns the “unassigned IP address” notified from the DHCP server 7 shown in Table 3 below to the interface hardware for connecting the computer network of the NIDS 8 (step S4), and sends it to an unused IP address ( Monitoring of the packet signal transmitted to the host computer that does not exist is started (step S5).

Next, the IP address assignment process to the client host in the local computer network 1 including the unauthorized communication monitoring apparatus of this embodiment will be specifically described. FIG. 4 is a sequence diagram showing the IP address assignment processing operation to the client host in the local computer network 1 including the unauthorized communication monitoring apparatus of this embodiment.
In FIG. 4, the DHCP server 7 receives an IP address assignment request from a client host such as the host computer 2, 3, 4, 5, etc. (step S 11), for example, from an assignable IP address (192.168.8.0. 10) is assigned (step S12).

  Then, as shown in Table 4 below, the DHCP server 7 changes (192.168.0.10) of the “assignable IP address” to “assigned IP address” (step S13), (192.168.0.20) in “None IP address” is changed to “Scheduled IP address” (step S14), and four states “IP address that can be assigned”, “IP address that is not scheduled to be assigned”, “ “Allocation scheduled IP address” and “allocated IP address” are managed.

On the other hand, the DHCP server 7 notifies the NIDS 8 of the information of the IP address (192.168.0.20) changed to “assigned scheduled IP address” (step S15).
Then, the NIDS 8 deletes the “assigned scheduled IP address” (192.168.0.20) notified from the DHCP server 7 from the interface hardware for connecting the computer network of the NIDS 8 as shown in Table 5 below. (Step S16), monitoring of the packet signal transmitted to the “assigned IP address” (192.168.0.20) is stopped (Step S17).

  As shown in Table 6 below, the DHCP server 7 changes the “assigned scheduled IP address” (192.168.0.20) to “assignable IP address” after a predetermined time (the effective period of the ARP cache) has elapsed. By changing (step S18), the number of “assignable IP addresses” is kept at ten.

Next, the IP address return processing from the client host in the local computer network 1 including the unauthorized communication monitoring apparatus of this embodiment will be specifically described. FIG. 5 is a sequence diagram showing the IP address return processing operation from the client host in the local computer network 1 including the unauthorized communication monitoring apparatus of this embodiment.
In FIG. 5, the DHCP server 7 returns, for example, an IP address (192.168.0.10) from the client host such as the host computer 2, 3, 4, 5 or the like (step S21). As shown in FIG. 6, after the predetermined time (the ARP cache validity period) has elapsed, the “assigned IP address” (192.168.0.10) is changed to the “assignable IP address” (step S22).

  Further, since the number of “assignable IP addresses” is 11, the DHCP server 7 assigns “assignable IP addresses” (192.168.0.20) to “assignment schedule” as shown in Table 8 below. "None IP address" (step S23).

  On the other hand, the DHCP server 7 notifies the NIDS 8 of the information of the IP address (192.168.0.20) changed to “IP address not to be allocated” (step S24). Then, as shown in Table 9 below, the NIDS 8 assigns the “unassigned IP address” (192.168.0.20) notified from the DHCP server 7 to the interface hardware for connecting the computer network of the NIDS 8 (Step S25), the monitoring of the packet signal transmitted to “IP address not scheduled to be allocated” (192.168.0.20) is resumed (Step S26).

Next, an illegal packet signal monitoring process in the local computer network 1 including the unauthorized communication monitoring apparatus of this embodiment will be described in detail. FIG. 6 is a sequence diagram showing an illegal packet signal monitoring processing operation in the local computer network 1 including the unauthorized communication monitoring apparatus of this embodiment.
In FIG. 6, for example, a host computer 2 infected with a worm sends an ARP request packet signal designating an unused IP address (192.168.0.20), for example, to a local computer network including host computers 3 to 5 and NIDS 8. 1 is broadcasted to the device connected to 1 (steps S31 and S32).

At this time, the NIDS 8 that has received the ARP request packet signal specifying the IP address (192.168.0.20) from the host computer 2 infected with the worm checks the IP address assigned to its interface hardware. (Step S33).
Then, as shown in Table 10 below, when the corresponding IP address is assigned to its own interface hardware, the NIDS 8 stores the MAC address (ab: 12: 34: 56: 78: 90 unique to the interface hardware). ARP reply packet signal set with () is returned to the requesting host computer 2 (step S34).

  At this time, the host computers 3 to 5 ignore the received ARP request packet signal (step S35) because they are not ARP requests for the IP addresses assigned to their own interface hardware.

On the other hand, the host computer 2 that has received the ARP reply packet signal from the NIDS 8 sets the MAC address of the NIDS 8 to the destination MAC address of the attack packet signal transmitted for the purpose of infection, and transmits the attack packet signal (step S36).
The NIDS 8 obtains an attack packet signal transmitted from the host computer 2 to the “unassigned IP address”, that is, to an unused IP address (addressed to a non-existing host computer), and is it an illegal packet signal? It is determined whether or not (step S37).
If it is determined that the acquired attack packet signal is an illegal packet signal, it is recognized as an attack from the host computer 2 infected with the worm, and an alarm for notifying the administrator of the occurrence of a security breach Is output (step S38).

  In the above-described embodiment, the unauthorized communication monitoring apparatus is configured by the NIDS 8 that monitors the illegal packet signal transmitted by the worm and the DHCP server 7 that manages the IP address on the computer network. Further, the unauthorized communication monitoring apparatus may be realized by a plurality of computers such as the DHCP server 7 and the NIDS 8, or may be realized by a single computer by combining all functions into one.

  In the above-described embodiment, the NIDS 8 is configured to acquire information on unused IP addresses from the DHCP server 7, but in a computer network that does not need to dynamically assign IP addresses to host computers, Since the function of the DHCP server 7 is no longer necessary, the NIDS 8 does not acquire information on unused IP addresses from the DHCP server 7 and stores it in the NIDS 8 in advance, thereby realizing an unauthorized communication monitoring device only by the NIDS 8 You may do it.

  In the above-described embodiment, both the normal NIDS function and the function of monitoring a packet signal addressed to an unused IP address not assigned to the host computer are assigned to the NIDS 8, but the NIDS 8 is assigned to the host computer. Only a function of monitoring a packet signal addressed to an unused IP address that is not assigned may be used, and a normal NIDS function may be executed by a dedicated intrusion detection system.

  In the above-described embodiment, the NIDS 8 process corresponding to the above-described steps S3, S15, and S24 corresponds to an unused address management unit. Further, the processes in steps S4, S16, and S25 described above correspond to unused address setting means. Further, the process in step S33 described above corresponding to the process in step S31 described above corresponds to the address comparison unit. Further, the processing in step S34 described above corresponds to physical address notification means. Further, the processing in steps S5, S17, and S26 described above, and the processing in step S37 that is executed in response to the processing in step S36 described above correspond to unauthorized communication determination means. In addition, the processing in steps S1 and S2 described above and the processing in steps S12, S13, S14, S18, S22, and S23 executed corresponding to the processing in steps S11 and S21 described above correspond to address assignment means. To do.

  Further, a program for realizing the functions of the above-described DHCP server 7 and NIDS 8 is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read into a computer system and executed to execute DHCP. You may make it implement | achieve the function of the server 7 and NIDS8. Here, the “computer system” includes an OS and hardware such as peripheral devices. The “computer system” includes a WWW system having a homepage providing environment (or display environment).

  The “computer-readable recording medium” refers to a portable medium such as a flexible disk, a magneto-optical disk, a ROM, and a CD-ROM, and a storage device such as a hard disk built in the computer system. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

  As described above, according to the unauthorized communication monitoring apparatus of the present embodiment, when the DHCP server 7 receives an IP address assignment request from a client host such as the host computer 2, 3, 4, 5, for example, “assignment” One IP address is assigned from “Possible IP address”. Further, the DHCP server 7 notifies the NIDS 8 that monitors a packet signal for an unused IP address of an “unassigned IP address” that is not scheduled within a predetermined time as an unused IP address. Then, the NIDS 8 assigns the “unassigned IP address” notified from the DHCP server 7 to the interface hardware for computer network connection of the NIDS 8 and sends it to an unused IP address (to a non-existing host computer). Start monitoring the packet signal.

  On the other hand, since the host computer 2 infected with the worm broadcasts an ARP request packet signal designating an unused IP address to devices connected to the local computer network 1 including the host computers 3 to 5 and the NIDS 8, Upon receiving the ARP request packet signal designating an unused IP address, the NIDS 8 checks the IP address assigned to its own interface hardware, and the corresponding IP address is assigned to its own interface hardware. Then, an ARP reply packet signal in which a MAC address unique to the interface hardware is set is returned to the requesting host computer 2.

  As a result, the host computer 2 that has received the ARP reply packet signal from the NIDS 8 sets and transmits the MAC address of the NIDS 8 in the attack packet signal to be transmitted for the purpose of infection, so that the NIDS 8 has an “unassigned IP address”, That is, an attack packet signal transmitted to an unused IP address (addressed to a nonexistent host computer) can be acquired, and it can be determined whether or not the packet is an illegal packet signal. If the acquired attack packet signal is an illegal packet signal, it is recognized as an attack from the host computer 2 infected with the worm, and an alarm for notifying the administrator of the occurrence of a security breach is output. Will be able to.

  Therefore, for example, an attack from a host computer 2 infected with a worm to another computer includes many attacks that specify an unused network layer address. Therefore, unauthorized access to an unused network layer address is detected. Thus, regardless of the form of the computer network, it is possible to detect an attack from a computer infected with the worm to another computer at an early stage.

  Further, the DHCP server 7 manages a predetermined number of DHCP addresses as “assignable IP addresses” that can be assigned to the client host, and manages an excessive number exceeding the predetermined number as “unassigned IP addresses”. When the number of “assignable IP addresses” is insufficient, “unassigned IP address” is set as “assigned scheduled IP address”, and after a certain period of time, “assigned scheduled IP address” is changed to “assignable IP address”. By using “address”, it is possible to prevent a communication signal for an IP address properly assigned to the client host from being transmitted to the NIDS 8 by the IP address cache function in each device connected to the local computer network 1. it can.

  Further, when an IP address that has already been assigned to the client host is returned, after a predetermined time has passed since the return, the returned IP address is set as an “assignable IP address”, thereby allowing the local computer network It is possible to prevent a communication failure that occurs due to the IP address cache function in each device connected to 1.

  Therefore, it is possible to accurately acquire only the communication signal to be monitored with respect to the unused IP address that should be determined whether or not it is appropriate, thereby preventing the efficiency of the monitoring operation from being lowered, and being accurately and in a short time. It is possible to determine the communication signal for the IP address and to detect an attack from a computer infected with the worm to another computer at an early stage. Furthermore, it is possible to prevent the monitoring of communication signals for unused IP addresses from being interrupted due to a communication failure, and to accurately detect an attack from a computer infected with a worm to another computer.

It is a block diagram which shows the structure of the local computer network 1 containing the unauthorized communication monitoring apparatus of one Example of this invention. It is a figure which shows the state transition of the IP address managed in the DHCP server 7 of the Example. It is a sequence diagram which shows the initial setting process operation in the local computer network 1 containing the unauthorized communication monitoring apparatus of the Example. It is a sequence diagram which shows the IP address allocation process operation | movement to the client host in the local computer network 1 containing the unauthorized communication monitoring apparatus of the Example. It is a sequence diagram which shows the IP address return process operation | movement from the client host in the local computer network 1 containing the unauthorized communication monitoring apparatus of the Example. It is a sequence diagram which shows the monitoring process operation | movement of the unauthorized packet signal in the local computer network 1 containing the unauthorized communication monitoring apparatus of the Example. It is a figure which shows the worm's infection act with respect to another network segment. It is a figure which shows the worm's infection act with respect to a local computer network.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Local computer network 2, 3, 4, 5 ... Host computer 6 ... Hub 7 ... DHCP server 8 ... NIDS

Claims (6)

An unauthorized communication monitoring device that monitors unauthorized access from another computer connected to a computer network to another computer,
Unused address management means for storing the unused network layer address among the network layer addresses uniquely assigned to the computer for identifying the computer on the computer network;
An interface device with the computer network;
An unused address setting means for assigning an unused network layer address to the interface device;
The communication request signal transmitted by designating the network layer address from the arbitrary computer on the computer network is received, and is designated by the unused network layer address assigned to the interface device and the communication request signal. Address comparison means for comparing the network layer address;
As a result of the comparison by the address comparison means, if the network layer address specified by the communication request signal is included in the unused network layer address assigned to the interface device, the communication request signal is transmitted. A physical address notifying unit for notifying the arbitrary computer of the physical address for identifying the hardware uniquely assigned to the interface device;
An unauthorized communication determination unit that receives a communication signal transmitted by designating the physical address from the arbitrary computer and determines whether the communication signal is an appropriate communication signal is provided. Unauthorized communication monitoring device. The unused address management means assigns an unused network layer address that is not scheduled to be allocated within a predetermined time from a server that allocates the network layer address to the computer connected to the computer network. The unauthorized communication monitoring apparatus according to claim 1, wherein The unused address management means includes address assignment means for assigning the network layer address to the computer connected to the computer network, and an unassigned network layer address that is not scheduled to be assigned within a predetermined time by the address assignment means. The unauthorized communication monitoring apparatus according to claim 1, wherein the unauthorized communication monitoring apparatus is stored as an unused network layer address. The address assigning means manages a predetermined number of the network layer addresses as assignable network layer addresses that can be assigned to the computer, and manages an excess exceeding the predetermined number as the unassigned network layer address. If the number of allocatable network layer addresses becomes insufficient, the network layer address without the allocation schedule can be allocated after at least the predetermined time has elapsed since the number of allocatable network layer addresses becomes insufficient. 4. The unauthorized communication monitoring apparatus according to claim 3, wherein the unauthorized communication monitoring apparatus is managed as a network layer address. In the case where the network layer address that has already been assigned to the computer is returned, the address assigning means assigns the returned network layer address to the assignable network after at least the predetermined time has elapsed since the return. 5. The unauthorized communication monitoring apparatus according to claim 4, wherein the unauthorized communication monitoring apparatus is managed as a layer address. An unauthorized communication monitoring program for causing a computer serving as a monitoring device to execute processing for monitoring unauthorized access from another computer connected to a computer network to another computer,
An unused address setting process for assigning an unused network layer address to an interface device with the computer network among network layer addresses uniquely assigned to the computer to identify the computer on the computer network;
The communication request signal transmitted by designating the network layer address from the arbitrary computer on the computer network is received, and is designated by the unused network layer address assigned to the interface device and the communication request signal. Address comparison processing for comparing the network layer address,
If the network layer address specified by the communication request signal is included in the unused network layer address assigned to the interface device as a result of the comparison by the address comparison process, the communication request signal is transmitted. A physical address notification process for notifying the arbitrary computer of the physical address for identifying hardware uniquely assigned to the interface device;
Receives a communication signal transmitted by designating the physical address from the arbitrary computer, and executes an unauthorized communication determination process for determining whether or not the communication signal is an appropriate communication signal to a computer having a monitoring device An unauthorized communication monitoring program characterized in that

Images