JP2006004343A - Intrusion detecting device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To set an optimum signature by previously and automatically investigating a constitution of an internal network. <P>SOLUTION: The intrusion detecting device detects an intrusion from an external network by connecting one or more terminals to an internal network. The intrusion detecting device comprises a signature means for storing signature information for predicting intrusion, an internal network constitution detecting means for detecting the constitution of the internal network, a signature optimizing means for appropriately setting the signature information to the internal network based on the signature information stored by the signature means and the constitution of the internal network detected by the internal network constitution detecting means, an intrusion detection engine means for detecting the intrusion from the external network based on the signature information to the internal network set by the signature optimizing means, and a handling processing means for performing handling processing based on the information detected by the intrusion detection engine means. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to an intrusion detection apparatus that detects an unauthorized intrusion using a signature for a packet flowing on a network.

  For example, Japanese Patent Application Laid-Open No. 2001-350678 is a conventional intrusion detection device for solving the problem that a necessary detection rule must be set in advance. Based on the above, it is disclosed that the IP address table 10 and the unauthorized intrusion determination rule table 15 are updated, and intrusion detection is executed according to these updated tables.

JP 2001-350678 A

  A conventional intrusion detection device sets a rule for investigating and detecting an application running on a packet destination server when a packet with an IP address not registered in the table flows. In the case of an inline type intrusion detection device, it takes time to investigate, and there has been a problem that it cannot be carried out because packet transfer becomes too slow.

  The present invention has been made to solve the above-described problems, and an object of the present invention is to automatically investigate the internal network configuration in advance and set an optimal signature.

  An intrusion detection apparatus according to the present invention is an intrusion detection apparatus that connects one or more terminals to an internal network and detects an intrusion from an external network, and stores signature information for which intrusion is predicted, Signature information for the internal network based on internal network configuration detection means for detecting the configuration of the internal network, signature information stored by the signature means, and configuration of the internal network detected by the internal network configuration detection means A signature optimizing unit that appropriately sets the intrusion detection engine unit that detects an intrusion from the external network based on signature information for the internal network set by the signature optimizing unit, and the intrusion detection engine unit Detected information In which and a coping process means for executing a dealing process based.

  As described above, according to the present invention, there is an effect that an optimum signature can be easily set.

Embodiment 1 FIG.
FIG. 1 is a system configuration diagram showing the configuration of the present invention. In FIG. 1, an intrusion detection device 1 and terminals 2 to 5 are connected by an internal network 6 within the user's jurisdiction, and the intrusion detection device 1 is also connected to an external network outside the user's jurisdiction where an attacker exists. Yes. The intrusion detection apparatus 1 also includes a filter unit 10 that performs filtering of received packets, a signature optimization unit 13 that optimizes a signature based on information of the internal network configuration detection unit 11 and the signature unit 12, and the signature optimization unit 13 An intrusion detection engine unit 14 that detects an intrusion based on information from the intrusion detection unit, and a countermeasure processing unit 15 that executes a countermeasure process based on information from the intrusion detection engine unit 14.
Here, it is assumed that the signature information of the signature unit 12 and the information of the handling processing corresponding to the signature of the handling processing unit 15 are registered in advance. The coping process here is, for example, sending a TCP reset to the attack source terminal or setting the source IP address in a filter to prevent next access. It is also assumed that the filtering information of the filter unit 10 is set in advance.

  In FIG. 1, a WWW server is operating at the terminal 2 having an IP address 10.10.0.1 subnet mask 255.255.255.0 (hereinafter referred to as 10.10.0.1/24). The MAIL server is operating at the terminal 3 with the IP address 10.10.0.2/24, the WWW server is operating at the terminal 4 with the IP address 10.10.1.1.24. No server is operating in the terminal 5 of 10.1.2 / 24.

Next, the operation will be described.
FIG. 2 is a processing flow at the time of initial setting of the intrusion detection apparatus 1. The operation at the time of initial setting will be described using the flow of FIG.
First, for example, 10.10.0.0/16 is set in advance as the internal network (step S11).

  Next, the internal network configuration detection unit 11 searches for all terminals in the internal network set in step S11 (step S12). For example, ping is performed for all terminals, and an IP address list as shown in FIG.

  Next, the internal network configuration detection unit 11 investigates whether or not the server application used in the signature unit 12 is operating for all the ports of the searched terminal (step S13). For example, for all the ports, whether the server application used in the signature unit 12 is operating is investigated by waiting for a response by simulating a client request, and the IP address, application, and port as shown in FIG. Create an application list that shows the relationship with the number. In the example of FIG. 4, the MAIL server and the WWW server are registered in advance in the signature unit 12. If conditions such as OS are described in the signature section 12, it is also investigated.

Next, the signature optimizing unit 13 creates a signature list indicating the relationship between the network address and the signature rule type as shown in FIG. 5 based on the information of the application list of FIG. 4 (step S14).
The signature list as shown in FIG. 5 is created, for example, periodically by the signature optimization unit 13 or based on an instruction from the user.

FIG. 6 is a process flow showing a process when a packet is transmitted to the intrusion detection apparatus 1. The operation when a packet is transmitted to the intrusion detection device 1 will be described using the flow of FIG.
First, the intrusion detection device 1 receives a packet from the external network 7 (step S21).

  The filter unit 10 checks whether or not the received packet matches a preset filtering condition (Yes in step S22), discards the received packet and ends the processing (step S23). .

  If the received packet does not match the filtering condition (No in step S22), the intrusion detection engine unit 14 performs signature analysis (step S24). The intrusion detection engine unit 14 checks whether or not the received packet matches the signature registered in the signature list of FIG.

  If the received packet does not match the signature registered in the signature list of FIG. 5 as a result of the signature analysis by the intrusion search engine unit 14, and no intrusion is detected (No in step S25), the received packet is relayed. To end the process (step S26).

  When the received packet matches the signature registered in the signature list of FIG. 5 and an intrusion is detected (Yes in step S25), the received packet is processed according to the countermeasure process registered in advance in the countermeasure processing unit 15 and terminated. (Step S27).

  For example, if the received packet is a WWW request to the terminal 3, since it corresponds to the top condition in the signature list of FIG. 5 from the IP address and port number, it is checked whether or not it matches the WWW server rule. If they do not match, it is checked whether they match with other signatures in the signature list of FIG. Since the third condition from the top in the signature list of FIG. 5 corresponds to all, it is checked whether or not it matches other rules. If none of the signature rules registered in the signature list of FIG. 5 matches, the received packet is relayed to the internal network 6. If the signature rule matches one of the signature rules registered in the signature list of FIG. 5, the received packet is processed according to the countermeasure processing registered in advance in the countermeasure processing unit 15.

As described above, since the configuration of the internal network can be examined in advance, an optimal signature can be easily set.
In addition, since it is possible to investigate the service in advance rather than accessing the destination device when receiving a packet, it can be applied to an inline intrusion detection system without requiring time for packet relay. It is.

  In addition, since the signature optimization unit 13 creates the signature list, unnecessary rules are omitted, and it is not necessary to search for extra rules when receiving a packet, so that the performance of the intrusion detection device can be improved.

  In addition, it is possible to prevent a security hole from occurring due to a user forgetting to set a rule.

  The IP address list, application list, and signature list in the first embodiment may be stored by the internal nutwork configuration detection unit 11 or may be stored by another configuration.

Embodiment 2. FIG.
In the first embodiment, the configuration of the internal network is investigated in advance and an appropriate signature is set. In the second embodiment, the performance is set to the user at the stage where the signature is set. Will be described.
FIG. 7 is a system configuration diagram showing the configuration in the second embodiment. Reference numeral 16 in FIG. 7 denotes a performance measurement unit that outputs the performance of the network configuration to the user based on the conditions input by the user and the rules set in the signature unit. Other components denoted by the same reference numerals as those in FIG. 1 are the same as those in the first embodiment.

Next, the operation will be described.
FIG. 8 is a processing flow at the time of initial setting according to the second embodiment. The operation at the time of initial setting will be described using the flow of FIG.

In FIG. 8, the operations in steps S11 to S14 are the same as those in the first embodiment, and a description thereof will be omitted.
As described in the first embodiment, the signature list indicating the relationship between the network address and the type of signature rule as shown in FIG. 5 is created by the operations in steps S11 to S14.

  Next, the performance measurement unit 16 sets a condition (required performance) for how much packets flow to the intrusion detection system 1 with respect to the network shown in the signature list of FIG. 5 (step S35). .

Then, the performance measurement unit 16 calculates the performance in the network configuration from the processing time of each rule in the signature list measured in advance and the condition set in step S35 (step S36). For example, in the example of FIG. 5, the processing time per received packet is calculated by summing the processing time of the WWW server rule, the MAIL server rule, and other rules by individually adding the ratio set in step S35. To the outside (user).
Since the operation when a packet is transmitted to the intrusion detection device 1 is the same as that of the first embodiment, description thereof is omitted.

  As described above, the configuration of the internal network can be investigated in advance, and by calculating the performance for the investigated network, it is possible to extract performance problems before actual operation.

Note that the condition (required performance) in step S35 only needs to be set by the performance measurement unit 16. The condition itself can be input by the user or stored in a table in advance, based on predetermined parameters. It may be changed.
Also, a table for storing the set conditions may be stored in the signature list of FIG. 5, or another table may be provided and stored.

Embodiment 3 FIG.
In the second embodiment, the performance for a set signature is output to the user. In the third embodiment, a case where a network configuration improvement plan is further output to the user will be described.
FIG. 9 is a system configuration diagram showing the configuration in the third embodiment. In FIG. 9, 17 is an internal network optimizing unit that calculates the configuration of the internal network so as to satisfy the conditions input by the user, and 8 is a terminal. Other components denoted by the same reference numerals as those in FIG. 7 are the same as those in the second embodiment.

Next, the operation will be described.
FIG. 10 is a processing flow at the time of initial setting according to the third embodiment. The operation at the time of initial setting will be described using the flow of FIG.

  In FIG. 10, as in the first embodiment, 10.10.0.0/16 is set in advance as the internal network (step S11), and the internal network configuration detection unit 11 sets the internal network set in step S11. 11 is created to create an IP address list as shown in FIG. 11 (step S12), and the internal network configuration detection unit 11 is used by the signature unit 12 for all ports of the searched terminals. 12 is created by creating an application list as shown in FIG. 12 (step S13), and the internal network configuration detecting unit 11 is based on the information in the application list shown in FIG. Such a signature list is created (step S14).

  Then, as in the second embodiment, conditions (required performance) for how much packets flow to the intrusion detection system 1 are set for the network shown in the signature list of FIG. S35), the performance measurement unit 16 calculates the performance in the network configuration from the processing time of each rule in the signature list measured in advance and the condition set in step S35 (step S36).

  The internal network optimization unit 17 compares the condition set in step S35 with the performance calculated in step S36. If the condition set in step S36 is satisfied (Yes in step S47), the internal network optimization unit 17 performs the processing as it is. Exit.

If the condition set in step S36 is not satisfied (No in step S47), the internal network optimization unit 17 calculates a network configuration that satisfies the condition set in step S36 (step S48). The internal network optimizing unit 17 performs a change so that the same application rules are put together so that the signature rules in FIG. 13 are not wasted as much as possible. In this case, one condition can be deleted by changing the IP addresses of the terminals 3 and 4 as shown in FIG. By outputting the network configuration calculated by the internal network optimization unit 17 to the user, for example, the user changes the network configuration, and after changing the network configuration, the flow in FIG.
Since the operation when a packet is transmitted to the intrusion detection device 1 is the same as that of the first embodiment, description thereof is omitted.

  As described above, the performance of the intrusion detection device can be improved by calculating the configuration of the internal network so as to satisfy the set required performance.

  In the third embodiment, the case where the internal network optimization unit 17 calculates the network configuration that satisfies the condition, outputs the changed network configuration to the user, and the user changes the network configuration has been described. If the network configuration calculated by the internal network optimization unit 17 can be changed, the present invention is not limited to this. The network configuration may be changed based on the calculation result of the network configuration by the internal network optimization unit 17 without using a user. The effect of can be obtained.

System configuration diagram showing the configuration of the present invention in Embodiment 1 Processing flow at the time of initial setting in the first embodiment IP address list in the first embodiment Application list in the first embodiment Signature list in the first embodiment Processing flow showing processing when a packet is transmitted to intrusion detection device 1 in the first exemplary embodiment System configuration diagram showing the configuration of the present invention in the second embodiment Processing flow at the time of initial setting in the second embodiment System configuration diagram showing the configuration of the present invention in the third embodiment Processing flow at the time of initial setting in the third embodiment IP address list in the third embodiment Application list in the third embodiment Signature list in the third embodiment Signature list after modification in the third embodiment

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Intrusion detection apparatus 2, 3, 4, 5, 8 Terminal 6 Internal network 7 External network 10 Filter part 11 Internal network structure detection part 12 Signature part 13 Signature optimization part 14 Intrusion detection engine part 15 Countermeasure processing part 16 Performance measurement part 17 Internal Network Optimization Department

Claims (3)

An intrusion detection device that connects one or more terminals to an internal network and detects an intrusion from an external network,
Signature means for storing signature information for which intrusion is expected;
Internal network configuration detecting means for detecting the configuration of the internal network;
Signature optimization means for appropriately setting signature information for the internal network based on the signature information stored by the signature means and the internal network configuration detected by the internal network configuration detection means;
Intrusion detection engine means for detecting an intrusion from the external network based on signature information for the internal network set by the signature optimization means;
An intrusion detection apparatus comprising: a countermeasure processing unit that executes a countermeasure process based on information detected by the intrusion detection engine unit.   Performance measurement means for setting the required performance of packet processing and calculating performance in the internal network configuration based on the set required performance and the signature information for the internal network set by the signature optimization means The intrusion detection apparatus according to claim 1, further comprising:   3. The internal network optimization means for comparing the required performance with the calculated performance in the internal network configuration and calculating an appropriate internal network configuration based on the comparison result. Intrusion detection device.

Images