JP2007011628A - Signature distribution device and signature distribution system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To solve the problem wherein existing signature-based unauthorized access and virus detection requires detection devices to have all necessary signatures and is difficult to implement on devices with fewer CPU and memory resources such as networked electric household appliances. <P>SOLUTION: A signature distribution device 4000 for distributing signatures against computer viruses or unauthorized access comprises a communication control part 4001 for establishing communication, and a distribution terminal decision part 4002 for deciding signature destinations according to a detection source address A001 included in a detection result message A000 indicating the detection of a computer virus or unauthorized access. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a signature distribution apparatus and a signature distribution system, and more particularly to a method for distributing a signature file used by an IDS or a virus scan program to devices connectable to a network.

  In recent years, the number of devices connected to a network has been dramatically increased against the background of the maintenance of ADSL networks and optical fiber networks and the enhancement of various network services.

  In particular, in addition to conventional workstations and personal computers, mobile terminals such as mobile phones, game consoles, and home appliances that have network functions are also connected to the network for data communication. It has become to.

  As the number of network devices increases, the number of network device vulnerabilities discovered is also increasing dramatically.

  In addition, devices that do not have a network security function are connected to the network, or the users of each device perform network device settings and operations without knowledge of network security. Network security issues are becoming more prominent.

  Examples of network security issues include computer viruses that infect and propagate devices that exploit network device vulnerabilities, device vulnerabilities and user setting errors, and take control of network devices. There is unauthorized access such as stealing or destroying the data recorded inside.

  Currently, such security problems are often detected and filtered by devices located in the middle of the network, such as routers, firewalls, and intrusion detection systems. These may be provided as a service by a service company such as a provider.

  Recently, however, the spread of P2P (Peer to Peer), the increase in encrypted communication, and the increase in communication between end devices using IPv6 (Internet Protocol version 6) are expected. It is necessary to detect and prevent unauthorized access.

  For end devices with abundant resources such as workstations and personal computers, measures may be taken on the end device side by a virus scan program.

  Japanese Laid-Open Patent Publication No. 2002-189634 (Patent Document 1) discloses a method of detecting computer viruses and unauthorized access that are currently commonly used.

This document has a table of signature data (called a word list in the document) that characterizes computer viruses and unauthorized access in advance. When the device receives data from the network, the received data is scanned for data that matches the signature data in the table. If there is a match with the signature data in the table, a security warning is generated, and if there is no match, it is determined that there is no problem.
JP 2002-189634 A

  When the method disclosed in Patent Document 1 described above is used, it is possible to detect the signature data registered in the table, but regarding computer viruses and unauthorized access other than those included in the table. Has the problem that it cannot generate security warnings. Therefore, in order to reduce this detection omission, it is necessary to register a large amount of signature data in the table.

  However, some end devices, including Internet home appliances, operate on a very small amount of memory or storage media, unlike workstations and personal computers, so it is difficult to have a large amount of signature data. There was a problem that leaks became very large.

  In addition, even if a large amount of storage can be allocated to the table for detection, it is necessary to scan all the signature data in the table to scan the received data and the signature data in the table. However, it requires a great deal of computing resources.

  Some of the end devices, including Internet home appliances, are often composed of computing devices with poor computing capabilities, and almost all computing resources will be devoted to this scanning. There was also the problem of even having a great influence.

  In order to solve these problems, there has been a problem that signature data possessed by the end device must always be minimized.

  In addition, the signature distribution method used by conventional virus scanners, etc. is configured to distribute all kinds of signatures from the server, and there are also signatures related to computer viruses that do not affect the infection depending on the type of end device. I remember it. For this reason, a signature that is not related to the end device itself is also held, and there is a problem that storage resources are consumed wastefully.

  The present invention has been made to solve the above-mentioned problems, and it is possible to minimize the distribution of signature data for detecting and removing computer viruses or detecting and preventing unauthorized access. An object is to provide a distribution device.

  In order to solve the above-described problem, a signature distribution apparatus according to claim 1 of the present invention provides a detection source address, which is an address of the information analysis apparatus, and the information analysis from an information analysis apparatus that detects a computer virus or unauthorized access. A signature distribution apparatus that receives a detection result including information on a computer virus or unauthorized access detected by the apparatus via a network, and distributes a signature for detecting / removing the computer virus or detecting / protecting unauthorized access via the network The communication control unit for communicating with the terminal on the network, and the detection result from the information analysis device that detects the computer virus or unauthorized access, based on the detection source address included in the detection result, The distribution destination of the signature A distribution terminal determining unit that determines a number or a plurality of end devices, wherein the communication control unit distributes the signature to the one or more end devices determined as a signature distribution destination by the distribution terminal determination unit. It is characterized by.

  This makes it possible to distribute signatures to end devices for which computer viruses or unauthorized access has been detected more than once. For this reason, signatures can be used to detect and remove computer viruses or to detect and prevent unauthorized access. Data distribution can be minimized, and as a result, the signature of the end device can be reduced, and the load on the original function of the end device can be reduced.

  A signature distribution apparatus according to claim 2 of the present invention is the signature distribution apparatus according to claim 1, further comprising a neighboring network information storage unit that stores information on a network adjacent to the network including the information analysis apparatus. The distribution terminal determination unit searches the neighboring network information storage unit for a network adjacent to the network including the information analysis apparatus that has detected the computer virus or unauthorized access, and includes one or more included in the searched neighboring network The end device is determined as a signature distribution destination.

  This makes it possible to efficiently detect and remove computer viruses or detect and prevent unauthorized access in end devices. That is, it is expected that the detected computer virus or unauthorized access remains in the end device close to the information analysis apparatus that has detected the computer virus or unauthorized access on the network. By distributing a signature to a group of end devices that are close to each other, it is possible to efficiently detect and remove a computer virus or detect and prevent unauthorized access by using the distributed signature.

  A signature distribution apparatus according to claim 3 of the present invention is the signature distribution apparatus according to claim 2, wherein the signature distribution apparatus according to the infectivity of the detected computer virus or the influence level of the detected unauthorized access. An influence range determination unit that determines a range on the network to be distributed is further provided, and the distribution terminal determination unit uses the end device in the network range determined by the influence range determination unit as a signature distribution destination. It is characterized by determining.

  As a result, the distribution range of the signature is determined in accordance with the degree of influence of the detected computer virus or unauthorized access. Therefore, the signature is distributed to end devices that are highly necessary, and the end devices are not required. Signature distribution can be avoided. As a result, the end device only has to store the signature only when the necessity is high, and thus the signature of the end device can be minimized.

  The signature distribution apparatus according to claim 4 of the present invention is the signature distribution apparatus according to claim 2, wherein the end device information storage unit stores device specific information indicating a specific device configuration of each end device on the network. And the detection result also includes information on an affected device of the end device indicating a device configuration affected by the detected computer virus infection or unauthorized access, and the distribution terminal determining unit includes the computer Of the end devices close to the information analysis device that has detected a virus or unauthorized access on the network, the end device having the device configuration indicated by the affected device information in the detection result is searched from the end device information storage unit, Determining the one or more searched end devices as distribution destinations of signatures; And features.

  As a result, the signature can be distributed only to an end device having a device configuration such as an OS or hardware that is easily affected by a detected computer virus or unauthorized access.

  A signature distribution apparatus according to claim 5 of the present invention is the signature distribution apparatus according to claim 1, further comprising a service registration terminal storage unit for recording device instruction information indicating an end device subscribed to a specific service. In addition, the distribution terminal determination unit determines one or more end devices to which a signature should be distributed from among the end devices indicated by the device designation information stored in the service registration terminal storage unit. And

  Thereby, a signature can be distributed only to an end device subscribed to a specific service.

  Further, a signature distribution apparatus according to claim 6 of the present invention further includes a device scanning unit that detects a service operating in an end device having a specified address in the signature distribution device according to claim 1, The detection result also includes impact service information indicating a service affected by the detected computer virus or unauthorized access, and the distribution terminal determination unit is performed by each end device detected by the device scan unit. Among the existing services, one or a plurality of end devices that perform a service that matches the service indicated by the affected service information in the detection result are determined as signature distribution destinations.

  As a result, the signature can be distributed only to an end device that provides a service that is susceptible to the effects of detected computer viruses or unauthorized access.

  The signature distribution apparatus according to claim 7 of the present invention is the signature distribution apparatus according to claim 4, wherein the end device information storage unit stores physical position information of the end device. An information storage unit, wherein the detection result includes physical location information of the information analysis device, and the distribution terminal determination unit includes a physical location of the information analysis device included in the detection result Based on the information, the end device physical position information storage unit is searched for one or a plurality of end devices that are physically close to the information analysis apparatus, and the searched one or more end devices are retrieved from the signature. The distribution destination is determined.

  Thus, the signature can be distributed to an end device that is physically close to one or more end devices determined as a signature distribution destination from the detection source address included in the detection result.

  The signature distribution apparatus according to claim 8 of the present invention is the signature distribution apparatus according to claim 1, wherein the detection result is received by a terminal infected with the computer virus or an attack of unauthorized access. Including the infection / intrusion terminal information for identifying the terminal that is present, and the distribution terminal determination unit is infected with a computer virus based on the infection / intrusion terminal information included in the detection result, Alternatively, one or a plurality of end devices subjected to an unauthorized access attack, and end devices in the vicinity thereof are identified and determined as signature distribution destinations.

  As a result, since the signature is distributed to the end device that has already been infected or illegally accessed by the computer virus and its neighboring end devices, it is possible to contain the computer virus and unauthorized access. In addition, since containment is performed between the infected end device and its neighboring end devices, it is not necessary to distribute signatures to other end devices, so end device resources can be used efficiently. .

  The signature distribution apparatus according to claim 9 of the present invention includes an end device resource information storage unit that stores resource information of the end device, and the distribution terminal determination unit is stored in the end device resource information storage unit. Of the one or more end devices determined as the distribution destination of the signature based on the resource information that is present, simple signatures are used for end devices with few resources, and details are given for end devices with sufficient resources. It is characterized by deciding to distribute a signature.

  This makes it possible to distribute signatures that place less burden on devices to end devices with fewer resources, so that end devices can detect, remove, or illegally access computer viruses without compromising the original functions of the end devices. Can be detected and prevented.

  In addition, the signature distribution apparatus according to claim 10 of the present invention transmits a packet for measuring the resource of the device to the end device at least once, and the status of the network to the end device is determined based on the response result and the response time. A device resource measuring unit that measures the resource of the included end device, and the distribution terminal determining unit is configured to determine the signature distribution destination as the distribution destination of the signature based on the measurement result by the device resource measuring unit. Of the end devices, it is determined to distribute a simple signature to an end device having few resources, and to distribute a detailed signature to an end device having sufficient resources.

  This enables distribution of signatures based on device resources without changing data on the signature distribution device side even if device upgrades or downgrades, device replacements, etc. occur on the end device side. Can do.

  The signature distribution apparatus according to claim 11 of the present invention is the signature distribution apparatus according to claim 2, further comprising an end device communication amount measurement unit that measures the frequency of communication and the amount of communication data of the end device, The distribution terminal determination unit is configured for an end device having a small communication amount among the one or more end devices determined as a distribution destination of the signature based on a result of measurement by the end device communication amount measurement unit. A simple signature is determined to be distributed to an end device with a large amount of communication.

  As a result, it is possible to distribute a detailed signature to an end device having a large amount of communication that is considered to have a high risk of computer viruses and unauthorized access by much data transmission / reception.

  The signature distribution apparatus according to claim 12 of the present invention is the signature distribution apparatus according to claim 1, wherein the distribution terminal determination unit determines a signature to be deleted from the distributed signatures, and determines the determination. Identifying one or more end devices having the signature, and the communication control unit transmits a message instructing deletion of the signature to the one or more end devices identified by the distribution terminal determining unit. It is characterized by.

  As a result, the signature of the end device can be minimized, and the resources of the end device can be used more efficiently.

  According to a thirteenth aspect of the present invention, there is provided a signature distribution system that detects a computer virus or unauthorized access, and transmits a detection result including information on a detected source address and detected computer virus or unauthorized access via a network. Apparatus, distribution signature storage unit for storing distribution signature for detecting / disinfecting computer virus or detecting / protecting unauthorized access, and detected computer included in detection result of information analysis apparatus Based on information related to viruses or unauthorized access, an information collection device that selects a distribution signature from the distribution signature storage unit, and a detection source address included in a detection result of the information analysis device, the information collection device Selected distribution system A signature distribution device that determines a transmission destination of a nature, and a plurality of ends that receive the distribution signature from the signature distribution device and detect and remove computer viruses and detect and prevent unauthorized access using the distribution signature The signature distribution apparatus receives the detection result from a communication control unit for communicating with a terminal on a network and the information analysis apparatus that detects the computer virus or unauthorized access, and is included in the detection result And a distribution terminal determining unit that determines one or a plurality of end devices that are signature distribution destinations based on the detected source address, and the communication control unit has determined the signature distribution destination by the distribution terminal determination unit The signature is distributed to the one or more end devices. To.

  This makes it possible to distribute signatures to end devices for which computer viruses or unauthorized access has been detected more than once. For this reason, signatures can be used to detect and remove computer viruses or to detect and prevent unauthorized access. Data distribution can be minimized, and as a result, the signature of the end device can be reduced, and the load on the original function of the end device can be reduced.

  According to the signature distribution system of the present invention, it is possible to reduce the signature data of the end device itself in order to detect, remove, and prevent computer viruses and unauthorized access, thereby reducing the load on the original function of the end device. Can do.

  In addition, since signature data for a computer virus or unauthorized access detected once or more by the information analysis device is distributed to the end device, there is no useless signature stored in the end device, and detection errors are reduced.

  In addition, because signatures are distributed taking into account factors such as the location where a computer virus or unauthorized access is detected, the type of computer virus or unauthorized access, and the environment of the end device, only the signatures required by each end device are distributed. It can be selectively held, and the influence on the resource of the end device can be minimized.

  In addition, by deleting signatures on end devices in consideration of the detection results of computer viruses and unauthorized access and time factors related to the detection, it is possible to delete signatures on end devices, making the environment of end devices safer. It can be done after reaching a state.

Hereinafter, embodiments of the present invention will be described with reference to the drawings. In addition, this invention is not limited by this embodiment.
(Embodiment 1)
The signature distribution system according to Embodiment 1 of the present invention will be described below.

FIG. 1 shows a basic configuration of a signature distribution system according to the first embodiment.
The signature distribution system according to the first embodiment includes an information analysis device 1000 that detects a computer virus or unauthorized access, an information collection device 2000 that selects a distribution signature based on the detection contents of the information analysis device 1000, a computer virus A distribution signature storage unit 3000 that stores a distribution signature for detecting / disinfecting or detecting / preventing unauthorized access, and a signature distribution device 4000 that determines a distribution destination of the distribution signature selected by the information collection device 2000. And an end device 5000 that detects and removes a computer virus or detects and prevents unauthorized access using a signature transmitted from the signature distribution device 4000.

Below, each component is demonstrated in detail.
First, the information analysis apparatus 1000 will be described with reference to FIG.

  The information analysis apparatus 1000 shown in FIG. 3 includes a communication control unit 1001 that performs communication with an external network, and an infection / attack detection signature storage that records data (detection signature) for detecting computer viruses and unauthorized access. An infection / attack determination unit 1002 that detects whether a computer virus or unauthorized access is included in the data received by the communication control unit using data stored in the signature storage unit for infection / attack detection And.

The operation of the information analysis apparatus 1000 having such a configuration will be described.
When the communication data is received by the communication control unit 1001, the received communication data is output to the infection / attack determination unit 1002.

  The infection / attack determination unit 1002 compares the received communication data with the data stored in the infection / attack detection signature storage unit 1003 to detect computer viruses and unauthorized access. As a result, when a computer virus or unauthorized access is detected in the infection / attack determination unit 1002, a detection result message A000 is transmitted from the communication control unit 1001 to the information collection device 2000.

  The detection result message A000 includes a detection source address A001 and detection information A002 as shown in FIG.

  The detection source address A001 includes the IP address and subnet mask information of the information analysis apparatus 1000 that has detected a computer virus or unauthorized access, and indicates the network address of the information analysis apparatus 1000.

  The detection information A002 is a code representing the type of computer virus or unauthorized access detected by the infection / attack determination unit 1002. The detection information A002 may include a plurality of codes indicating the type of computer virus or unauthorized access.

Next, the distribution signature storage unit 3000 will be described with reference to FIG.
The distribution signature storage unit 3000 is a database for storing signature data, and is a database having data records having the structure shown in FIG.

  The data record includes a signature ID field 3001 for storing a signature ID that can uniquely identify a signature, data or program code for detecting and removing a computer virus, or data for detecting and preventing unauthorized access, or It is composed of a set of records having a signature data field 3003 for storing a program code and a signature correspondence information field 3002 for storing information on a computer virus that can be detected and removed by signature data or information on unauthorized access that can be detected and prevented.

The operation of the distribution signature storage unit 3000 having such a data record will be described.
When a distribution signature search request is received from the information collection device 2000, a search in the database is performed in response to the search request. At this time, the signature correspondence information is the main key as the search key. As a result of the search, a matching record is returned to the information collecting apparatus 2000.

  Information related to a plurality of computer viruses and unauthorized access may be recorded in the signature correspondence information field 3002, and a plurality of signature data may be recorded in the signature data field 3003. Further, when a plurality of records are searched as a result of searching in the database of the distribution signature storage unit 3000, information on all records may be returned to the information collecting apparatus 2000.

Next, the information collection device 2000 will be described with reference to FIG.
An information collecting apparatus 2000 shown in FIG. 5 includes a communication control unit 2001 for performing communication, and a distribution signature determining unit 2002 that searches for data in the distribution signature storage unit 3000.

  The operation of the information collecting apparatus 2000 having such a configuration will be described with reference to FIG. FIG. 8 shows a specific example of the signature distribution system of the present invention.

  The communication control unit 2001 receives the detection result message A000 from the information analysis unit 1000 and outputs it to the distribution signature determination unit 2002.

  In the distribution signature judgment unit 2002, based on the detection information A002 of computer virus or unauthorized access included in the detection result message A000, for detection / disinfection of the corresponding computer virus, or for detection / protection of unauthorized access Signature data is retrieved from the distribution signature storage unit 3000. The signature distribution apparatus 4000 is notified of the retrieved signature data and the detection result message A000.

Next, the signature distribution apparatus 4000 will be described with reference to FIG.
The signature distribution apparatus 4000 shown in FIG. 6 includes a communication control unit 4001 for performing communication, and a distribution terminal determination unit 4002 that determines a distribution destination of distribution signature data received from the information collection apparatus 2000.

The operation of the signature distribution apparatus 4000 having such a configuration will be described.
The distribution terminal determination unit 4002 receives the detection result message A000 and the signature data from the information collection device 2000, and determines the distribution destination of the signature data based on the detection source address A001 included in the detection result message A000.

  The communication control unit 4001 transmits signature data to the end device 5000 determined as the distribution destination of the signature by the distribution terminal determination unit 4002.

  The detection result message A000 may be received directly from the information analysis apparatus 1000, not from the information collection apparatus 2000.

Next, the end device 5000 will be described with reference to FIG.
The end device 5000 shown in FIG. 7 includes a communication control unit 5001 for performing communication, a signature storage unit 5003 for storing signature data for detecting and removing computer viruses, or detecting and preventing unauthorized access, and signature storage. A signature control unit 5002 that controls data in the unit 5003, and a computer virus detection and removal that detects and removes a computer virus by using signature data for detecting and removing the computer virus stored in the signature storage unit 5003 Unit 5004, and an intrusion detection / protection unit 5005 that detects and prevents unauthorized access using signature data for detecting and preventing unauthorized access stored in the signature storage unit 5003.

An operation of the end device 5000 having such a configuration will be described.
The communication control unit 5001 receives signature data distributed from the signature distribution device 4000. The received signature data is stored in the signature storage unit 5003 under the control of the signature control unit 5002.

  The computer virus detection / removal unit 5004 detects and removes the computer virus in the end device 5000 using signature data for detecting and removing the computer virus stored in the signature storage unit 5003.

  The intrusion detection / protection unit 5005 detects and prevents unauthorized access in the end device 5000 using signature data for detecting and preventing unauthorized access stored in the signature storage unit 5003.

  Then, after removing the computer virus or preventing unauthorized access, the data in the signature storage unit 5003 that is determined to be unnecessary by the signature control unit 5002 is deleted.

  The computer virus detection / disinfection unit 5004 and the intrusion detection / protection unit 5005 may have only one of them.

  The deletion of data in the signature storage unit 5003 by the signature control unit 5002 may be triggered by a deletion message from an external device.

  Further, the deletion of data in the signature storage unit 5003 by the signature control unit 5002 may be deleted by FIFO (deletion method in the stored order).

  Further, the deletion of data in the signature storage unit 5003 by the signature control unit 5002 may be deleted by LRU (a method of deleting from the least used one).

  In addition, deletion of data in the signature storage unit 5003 by the signature control unit 5002 may be performed by a deletion method after a certain time has elapsed.

  Further, the deletion of data in the signature storage unit 5003 by the signature control unit 5002 may be triggered by the fact that the processing in the computer virus detection / removal unit 5004 has ended (the virus has been removed by the corresponding signature data). good.

  Further, the deletion of data in the signature storage unit 5003 by the signature control unit 5002 may be triggered by the end of the processing in the intrusion detection / protection unit 5005 (detection / protection of intrusion by corresponding signature data). good.

The overall flow of the signature distribution system according to the first embodiment will be described below.
The information analysis apparatus 1000 detects a computer virus or unauthorized access and transmits a detection result message A000 to the information collection apparatus 2000.

  Based on the detection result message A000 transmitted from the information analysis apparatus 1000, the information collection apparatus 2000 transmits the corresponding signature data retrieved from the distribution signature storage unit 3000 to the signature distribution apparatus 4000.

  Then, the signature distribution apparatus 4000 receives the signature data and the detection result message A000 transmitted from the information collection apparatus 2000, and from the detection source address A001 included in the detection result message A000, the end device 5000 that is the distribution destination of the signature data. To decide. At this time, the distribution terminal determination unit 4002 in the signature distribution device 4000 determines the signature distribution destination address by combining the IP address and subnet mask information included in the detection source address A001. For example, IP address = xxx. xxx. xxx. 100 and subnet mask = 255.255.255.0, the signature distribution destination address is xxx. xxx. xxx. 1-xxx. xxx. xxx. The range is 254. Xxx. xxx. xxx. 0 and xxx. xxx. xxx. Since 255 is a special address, it is not included in the distribution target.

  Upon receiving the signature data, the end device 5000 stores the received signature data in the signature storage unit 5003, and performs detection / disinfection of computer viruses and detection / protection of unauthorized access based on the stored signature data. When the signature data is no longer necessary, the received signature data is deleted from the signature storage unit 5003. Timing for deleting a signature includes a case where a certain time has elapsed since the signature was stored in the signature storage unit, and a case where a certain time has elapsed since the detection of a computer virus or unauthorized access due to the signature. As a result, the signature data 3003 possessed by the end device 5000 itself can be suppressed to a small amount, so that the load on the original function of the end device 5000 can be reduced. In addition, since signature data 3003 for a computer virus or unauthorized access detected once or more by the information analysis apparatus 1000 is distributed, there is no unnecessary signature stored in the end device 5000, and detection errors are reduced.

  Here, FIG. 8 shows an example of a network configuration. The signature distribution system in the network having such a configuration will be described below.

  The network shown in FIG. 8 includes a server 6000, routers 7000, 7100, 7200, 7300, and 7400, an information analysis apparatus 1000, and an end device 5000. The server 6000 includes the information collection device 2000, the distribution signature storage unit 3000, and the signature distribution device 4000 described above.

  In the network having such a configuration, for example, the information analysis apparatus 1000 connected to the router 7100 has one of the end devices 5000 connected to the router 7200 infected with a computer virus, or an unauthorized access attack. When it is detected that the server 6000 is received, the detection result is notified to the server 6000 via the router 7100 and the router 7000.

  The server 6000 distributes the signature to the end device 5000 in the network A to which the router 7100 belongs based on the notified detection result.

  In the signature distribution system according to the first embodiment, the information analysis apparatus 1000 that detects a computer virus or unauthorized access and notifies the detection result message A000 and the distribution signature storage unit 3000 based on the detection result message A000. Based on the information collection device 2000 that searches for the corresponding signature and the detection source address included in the detection result message A000, the distribution destination of the signature searched by the information collection device 2000 is determined. Since a signature distribution device 4000 that transmits signatures to a plurality of end devices is provided, signature data for a computer virus or unauthorized access detected once or more by the information analysis device is distributed to the end devices. For this reason, there is no signature stored in the end device, and detection omissions are reduced.

  Also, the end device 5000 detects and removes computer viruses based on the stored signatures and detects and prevents unauthorized access, and deletes the stored signatures when they are no longer needed. By suppressing the signature data held by the device to a small amount, it is possible to further reduce the load on the original function of the end device.

(Embodiment 2)
The signature distribution system according to the second embodiment of the present invention will be described below.
The signature distribution system according to the second embodiment includes a signature distribution apparatus 4100 shown in FIG. 9 instead of the signature distribution apparatus 4000 in the signature distribution system according to the first embodiment.

  The configuration of the signature distribution device 4100 is shown in FIG. In the figure, the same components as those in FIG. 6 are denoted by the same reference numerals.

  A signature distribution apparatus 4100 illustrated in FIG. 9 includes a communication control unit 4001, a distribution terminal determination unit 4101, and a neighborhood network information storage unit 4102.

  The distribution terminal determination unit 4101 receives the detection result message A000 and the signature data notified from the information collection device 2000, and determines the distribution destination of the signature data.

  The neighboring network information storage unit 4102 stores information on a network that is adjacent to the network including the information analysis apparatus 1000.

The operation of the signature distribution apparatus 4100 having such a configuration will be described.
The distribution terminal determination unit 4101 receives the detection result message A000 and signature data from the information collection device 2000. Then, based on the detection source address A001 included in the detection result message A000, an end device to which the signature data is distributed is determined. Further, a network near the network including the information analysis apparatus 1000 that has detected a computer virus or unauthorized access is searched from the nearby network information storage unit 4102, and one or more end devices included in the searched nearby network are signed. Determine as the data distribution destination. Signature data is transmitted via the communication control unit 4001 to the address of the end device 5000 determined here.

  Note that there may be a plurality of neighboring networks searched from the neighboring network information storage unit 4102. In this case, a plurality of networks included in a plurality of networks adjacent to the network including the information analysis apparatus 1000 that has detected a computer virus or unauthorized access. The signature data will be distributed to the end devices.

Here, the neighboring network information will be described with reference to FIG.
For example, the information analysis apparatus 1000 connected to the router 7200 detects that any of the end devices 5000 connected to the router 7200 is infected with a computer virus or under an unauthorized access attack. In such a case, the server 6000 is notified via the router 7100 and the router 7000.

  In the server 6000, based on the detection result notified from the information analysis apparatus 1000 connected to the router 7200, the server 6000 can reach not only the network B to which the router 7200 belongs but also the router 7200 that can be reached within one hop. The signature is also distributed to a network adjacent to the network B, for example, an end device 5000 included in the network C or the network D.

  As a result, computer viruses and unauthorized access are detected, and it is expected that the computer virus and unauthorized access will remain in the end device close to the information analysis apparatus 1000 on the network. , Can be effectively removed and defended.

  In such a signature distribution system of the second embodiment, when the signature distribution apparatus 4100 receives a detection result and a signature from the information collection apparatus 2000, a network adjacent to the detection source address A001 included in the detection result message A000 Since one or a plurality of end devices included in the searched neighboring network are determined as signature distribution destinations by searching from the network storage unit 4102, the information analysis apparatus that has detected a computer virus or unauthorized access is connected to the network. The signature can be distributed to end device groups close to. In addition, it is expected that the detected computer virus and unauthorized access remain in the end device group close to the information analysis apparatus 1000 that has detected the computer virus and unauthorized access on the network, but the distributed signature is used. Can be efficiently detected, disinfected and protected.

(Embodiment 3)
The signature distribution system according to the third embodiment of the present invention will be described below.
The signature distribution system according to the third embodiment is replaced with the distribution signature storage unit 3000 and the signature distribution apparatus 4000 in the signature distribution system according to the first embodiment, and the distribution signature storage unit 3100 and FIG. The signature distribution apparatus 4200 shown in FIG.

  The distribution signature storage unit 3100 is a database having data records having the structure shown in FIG. 10, and the data record includes a signature ID field 3001, a signature correspondence information field 3002, a signature data field 3003, and infectivity / impact information. It consists of a set of records having a field 3101. In the figure, the same components as those in FIG.

  The infectivity / impact level information field 3101 stores information related to the infectivity, the degree of influence of computer viruses, the degree of success of unauthorized access, and the degree of influence described in the signature correspondence information field 3002. For example, anti-virus software vendors that are expressed in several stages such as low, middle, high, etc. Computer virus risk, infectivity, damage, number of infection reports, security holes released by OS vendors, security vendors, and public organizations Risk level / damage etc.

  FIG. 11 shows the configuration of signature distribution apparatus 4200 according to the third embodiment. In the figure, the same components as those in FIG. 9 are denoted by the same reference numerals.

  A signature distribution apparatus 4200 shown in FIG. 11 includes a communication control unit 4001, a neighborhood network information storage unit 4102, a distribution terminal determination unit 4201, and an influence range determination unit 4202.

  The distribution terminal determination unit 4201 receives the detection result message A000, infectivity / impact level information, and signature data notified from the information collection device 2000, and determines a distribution destination of the signature data.

  The influence range determination unit 4202 determines a range where the signature should be distributed from the infectivity / influence degree information 3101.

Next, the operation will be described.
The distribution terminal determination unit 4201 receives the detection result message A000, infectivity / impact information, and signature data transmitted from the information collection device 2000. Then, the influence range determination unit 4202 determines the influence range of the infectivity of a computer virus or unauthorized access based on the received infectivity / impact level information. The end device determined by the influence range determination unit 4202 and within the range affected by the infectivity of the computer virus or the unauthorized access is determined as the end device to which the signature should be distributed in the network.

  Then, the communication control unit 4001 transmits a signature to the end device 5000 determined as a distribution destination by the distribution terminal determination unit 4201.

Here, the distribution range of the signature will be described with reference to FIG.
For example, consider a case where the information analysis apparatus 1000 connected to the router 7400 detects a computer virus or unauthorized access. When it is determined that the range of influence of the detected computer virus infectivity or unauthorized access is narrow, the signature is distributed to the end device 5000 connected to the router 7400. On the other hand, when it is determined that the infectivity of the detected computer virus or the influence of unauthorized access is wide, not only the end device 5000 connected to the router 7400 but also a network close to the network D to which the router 7400 belongs, for example, The signature is also distributed to the end device 5000 included in the network B to which the router 7200 belongs, which corresponds to the layer one above the network D. For example, when the infectivity of a computer virus detected on the network D is low, the signature is distributed only to the end device 5000 belonging to the network D. When the infectivity of the computer virus detected in the network D is medium, the signature is distributed not only to the end terminal 5000 belonging to the network D but also to the end device 5000 belonging to the network B to which the router 4700 belongs. Furthermore, when the infectivity of the computer virus detected in the network D is high, the signature is distributed to the end devices 5000 belonging to all the networks from the network A to the network D.

  In such a signature distribution system according to the third embodiment, since the distribution range of the signature is changed according to the infectivity and influence range of the computer virus or unauthorized access detected by the information analysis apparatus 1000, Signature data can be distributed to a wide range of end devices if the force is large, and to a narrow range of end devices if the influence is small. As a result, signatures are distributed to end devices that are highly needed in response to detected computer viruses or unauthorized access, and signatures are not distributed to end devices that are not necessary. Necessary signatures can be efficiently stored.

(Embodiment 4)
The signature distribution system according to the fourth embodiment of the present invention will be described below.
The signature distribution system according to the fourth embodiment is different from the signature distribution system 3000 and the signature distribution apparatus 4000 in the signature distribution system according to the first embodiment, in that the distribution signature storage unit 3200 shown in FIG. The signature distribution apparatus 4300 shown in FIG.

  The distribution signature storage unit 3200 is a database having a data record having the structure shown in FIG. 12. The data record includes a signature ID field 3001, a signature correspondence information field 3002, a signature data field 3003, and an affected device information field 3201. Consists of a set of records. In the figure, the same components as those in FIG.

  The affected device information field 3201 stores affected device information such as an OS, its version or architecture that is affected by a computer virus or unauthorized access described in the signature correspondence information.

  The configuration of the signature distribution apparatus 4300 is shown in FIG. In the figure, the same components as those in FIG. 9 are denoted by the same reference numerals.

  A signature distribution apparatus 4300 shown in FIG. 13 includes a communication control unit 4001, a neighboring network information storage unit 4102, a distribution terminal determination unit 4301, and an end device information storage unit 4310.

  The distribution terminal determination unit 4301 receives the detection result message A000, the affected device information, and the signature data notified from the information collection device 2000, and determines the distribution destination of the signature data.

  The end device information storage unit 4310 stores device-specific information such as the OS of the end device, its version, and architecture. The end device information stored in the end device information storage unit 4310 includes an end device ID 4311, OS information 4312, and architecture information 4313 that can uniquely identify the end device, as shown in FIG.

Next, the operation will be described.
The distribution terminal determination unit 4301 receives the detection result message A000, the affected device information, and the signature data from the information collection device 2000. Then, based on the detection source address A001 included in the received detection result message A000, an end device group close to the information analysis apparatus 1000 that has detected a computer virus or unauthorized access is identified on the network. Further, in the identified end device group, based on the device specific information recorded in the end device information storage unit 4310 and the affected device information, the end device affected by the computer virus or unauthorized access is searched, The searched end device is determined as a signature distribution destination.

  The communication control unit 4001 transmits a signature to the end device 5000 determined as a distribution destination by the distribution terminal determination unit 4201.

  In such a signature distribution system of the fourth embodiment, an OS affected by a computer virus or unauthorized access among one or a plurality of end devices close to the information analysis apparatus 1000 that has detected a computer virus or unauthorized access on the network. Since the end device 5000 having hardware and hardware is searched, and the signature is distributed only to the end device 5000 obtained as a result of the search, the end device has only the minimum necessary signature, and is infected. And intrusion can be prevented, and the resources of the end device can be used efficiently.

(Embodiment 5)
The signature distribution system according to the fifth embodiment of the present invention will be described below.
The signature distribution system of the fifth embodiment includes a signature distribution apparatus 4400 shown in FIG. 15 instead of the signature distribution apparatus 4000 in the signature distribution system of the first embodiment.

  The configuration of signature distribution apparatus 4400 is shown in FIG. In the figure, the same components as those in FIG. 9 are denoted by the same reference numerals.

  A signature distribution apparatus 4400 shown in FIG. 15 includes a communication control unit 4001, a distribution terminal determination unit 4401, and a service registration information storage unit 4410.

  The distribution terminal determination unit 4401 receives the detection result message A000 and signature data from the information collection device 2000, and determines the distribution destination of the signature data.

  The service registration terminal storage unit 4410 records information such as a network address of an end device subscribed to a specific service.

  15 shows the case where the service registration information storage unit 4410 is provided in the signature distribution apparatus 4400, it may be provided outside the signature distribution apparatus 4400.

Next, the operation will be described.
The distribution terminal determination unit 4401 receives the detection result message A000 and the signature data from the information collection device 2000. Based on the information stored in the service registration terminal storage unit 4410 based on the detection source address A001 included in the received detection result message A000, among the end devices subscribed to the specific service, One or a plurality of end devices having the same network address as the information analysis apparatus 1000 that has detected a computer virus or unauthorized access are determined, and the determined one or a plurality of end devices are determined as distribution destinations of signature data.

  The communication control unit 4001 transmits signature data to the end device determined as a distribution destination by the distribution terminal determination unit 4401.

  In such a signature distribution system according to the fifth embodiment, when the distribution terminal determination unit 4401 in the signature distribution apparatus 4400 determines the distribution destination of the signature, the signature distribution system from among the end devices subscribed to a specific service is selected. Since one or a plurality of end devices to be distributed are determined, a service is provided by an ISP or ASP, and a signature distribution service can be provided only to subscribers of the service.

(Embodiment 6)
The signature distribution system according to the sixth embodiment of the present invention will be described below.
The signature distribution system according to the sixth embodiment is different from the signature distribution system 3000 and the signature distribution apparatus 4000 in the signature distribution system according to the first embodiment, in that the distribution signature storage unit 3300 and the distribution signature storage unit 3300 illustrated in FIG. The signature distribution apparatus 4500 shown in FIG.

  The distribution signature storage unit 3300 is a database having a data record having the structure shown in FIG. 16, and the data record includes a signature ID field 3001, a signature correspondence information field 3002, a signature data field 3003, and an influence service information field 3301. Consists of a set of records. In the figure, the same components as those in FIG.

  The influence service information field 3301 stores the influence service information indicating the service affected by the computer virus or unauthorized access described in the signature correspondence information and its version.

  The configuration of the signature distribution device 4500 is shown in FIG. In the figure, the same constituent elements as those in FIG.

  A signature distribution apparatus 4500 shown in FIG. 17 includes a communication control unit 4001, a distribution terminal determination unit 4501, and a device scanning unit 4502.

  The distribution terminal determination unit 4501 receives the detection result message A000, the affected service information, and the signature data notified from the information collection device 2000, and determines the distribution destination of the signature data.

  The device scanning unit 4502 detects a service performed by the end device such as a port scan for the end device having the address determined by the distribution terminal determining unit 4501.

Next, the operation will be described.
The distribution terminal determination unit 4501 receives the detection result message A000, the affected service information, and the signature data from the information collection device 2000, and specifies the distribution destination of the signature data based on the detection source address included in the detection result message A000. To do.

  The device scanning unit 4502 detects a service provided by each of the end devices specified by the distribution terminal determination unit 4501, and selects one or a plurality of end devices performing a service that matches the service indicated by the affected service information. Search for.

  The communication control unit 4001 distributes the signature to one or a plurality of end devices searched by the device scanning unit 4502.

  In such a signature distribution system of the sixth embodiment, the service performed by each of the one or more end devices 5000 determined as the distribution destination of the signature by the distribution terminal determination unit 4501 is retrieved and received from the information collection device 200. The signature is distributed only to one or more end devices that provide services that match the services indicated by the affected service information. The signature data is distributed only to the end device that is receiving the service. As a result, the end device has only the necessary signature more efficiently.

(Embodiment 7)
The signature distribution system according to the seventh embodiment of the present invention will be described below.
The signature distribution system according to the seventh embodiment includes a signature distribution apparatus 4600 shown in FIG. 18 instead of the signature distribution apparatus 4000 in the signature distribution system according to the first embodiment.

  The configuration of the signature distribution device 4600 is shown in FIG. In the figure, the same components as those in FIG. 9 are denoted by the same reference numerals.

  A signature distribution apparatus 4600 shown in FIG. 18 includes a communication control unit 4001, a neighboring network information storage unit 4102, a distribution terminal determination unit 4601, and an end device physical location information storage unit 4610.

  The distribution terminal determination unit 4601 receives the detection result message A100 and signature data from the information collection device 2000, and determines a distribution destination of the signature data.

  The end device physical position information storage unit 4610 stores information indicating the physical position of the end device.

  FIG. 19 shows a detection result message A100 notified from the information analysis apparatus 1000 to the information collection apparatus 2000. This detection result message A100 includes a detection source address A001, detection information A002, and detection source physical coordinates A101.

  FIG. 20 shows end device information stored in the end device physical position information storage unit 4610. This end device information includes an end device ID 4311, OS information 4312, architecture information 4313, and physical location information 4611.

  The physical position information 4611 represents physical position information of the end device. For example, it is the latitude / longitude information obtained from the address of the place where the end device is installed or GPS. Note that the end device ID 4311, the OS information 4312, and the architecture information 4313 are the same as those in the end device information shown in FIG.

Next, the operation will be described.
The distribution terminal determination unit 4601 receives the detection result message A100 and signature data from the information collection device 2000. Then, based on the detection source physical coordinates A101 included in the received detection result message A100, one or more physically close to the information analysis apparatus 1000 that detected the computer virus or unauthorized access from the end device physical position information storage unit 4610. End devices are searched, and the searched end device or devices are determined as signature distribution destinations.

  The communication control unit 4001 transmits signature data to the end device determined as a distribution destination by the distribution terminal determination unit 4601.

  For example, when a personal computer is infected with a computer virus, a signature is distributed to a mobile phone registered at the same address as the personal computer. In this way, when data is exchanged between a personal computer and a mobile phone using a memory card, it is possible to prevent a computer virus from being transmitted from the personal computer to the mobile phone via the memory card. it can.

  In such a signature distribution system according to the seventh embodiment, the physical position information of the information analysis device 1000 is added to the detection result transmitted from the information analysis device 1000 to the information collection device 2000, and the signature is distributed. Since the signature is distributed to one or more end devices that are physically close to the detection source address when determining the destination, it spreads in the vicinity of the information analysis apparatus 1000 that detected a computer virus or unauthorized access. An end device that is physically close to the information analysis apparatus 1000 has a signature for a computer virus or unauthorized access, and the end that is distant on the network but physically close to the information analysis apparatus that detected the computer virus or unauthorized access The device is a floppy disk or memory. Over de, it can be prevented from being computer virus infection or illegal access via physical media such as CD-R.

(Embodiment 8)
The signature distribution system according to the eighth embodiment of the present invention will be described below.
The signature distribution system according to the eighth embodiment includes an information analysis apparatus 1100 shown in FIG. 22 instead of the information analysis apparatus 1000 in the signature distribution system according to the first embodiment.

  The configuration of the information analysis apparatus 1100 is shown in FIG. In the figure, the same components as those in FIG.

  The information analysis apparatus 1100 shown in FIG. 22 includes a communication control unit 1001, an infection / attack determination unit 1002, an infection / attack detection signature storage unit 1003, and an infection / attack terminal identification unit 1101.

  The infection / attack terminal identification unit 1101 is one or more end devices that are infected with a computer virus or under an unauthorized access attack when the infection / attack determination unit 1002 detects a computer virus or unauthorized access. , And its neighboring end devices.

  The detection result message notified from the information analysis apparatus 1100 to the information collection apparatus 2000 has a configuration as shown in FIG. In the figure, the same components as those in FIG.

  The detection result message A200 shown in FIG. 21 includes a detection source address A001, detection information A002, and infection / intrusion terminal information A201. The infection / terminal information A201 indicates information related to the terminal identified by the infection / attack terminal identifying unit 1101.

Next, the operation will be described.
The infection / attack terminal identification unit 1101 identifies a terminal infected with the computer virus or a terminal subjected to an unauthorized access attack in conjunction with detection of a computer virus or unauthorized access by the infection / attack determination unit 1002. Then, a detection result message A200 including the specified terminal information A201 including infection / intrusion terminal information A201 and information A001 and A002 regarding the detection result of a computer virus or unauthorized access is transmitted to the information collection device 2000.

  The information collection device 2000 searches the distribution signature storage unit 3000 for signatures for countermeasures against intrusion such as virus removal, rootkit deletion, and terminal function lock based on the detection information A002 included in the detection result message A200. Then, the retrieved signature is transmitted to the signature distribution device 4000 together with the detection source address A001 and the infected / intrusion terminal information A201.

  The signature distribution device 4000 identifies the infected / intrusion terminal and its neighboring end devices based on the detection address received from the information collection device 2000, and distributes the signature received from the information collection device 2000 to the identified end devices. To do.

  In the signature distribution system according to the eighth embodiment, the signature is distributed to one or a plurality of end devices that have already been infected or infiltrated and neighboring end devices. Containment (prevention of infection and spread).

  Further, by performing containment between the infected end device and its neighboring terminals, it is not necessary to distribute signatures to other end devices, and the resources of the end device can be used efficiently.

(Embodiment 9)
The signature distribution system according to the ninth embodiment of the present invention will be described below.
The signature distribution system according to the ninth embodiment replaces the distribution signature storage unit 3000 and the signature distribution apparatus 4000 in the signature distribution system according to the first embodiment described above, and distributes the signature storage unit 3400 and the distribution signature storage unit 3400 shown in FIG. The signature distribution apparatus 4700 shown in FIG.

  The distribution signature storage unit 3400 is a database having a data record having the structure shown in FIG. 23. The data record includes a signature ID 3001, a signature correspondence information 3002, an affected device information field 3201, a simple signature information field 3401, and a detailed signature. It consists of a set of records having an information field 3402. In the figure, the same components as those in FIG.

  The simple signature information field 3401 stores simple signature data that does not consume memory resources or CPU resources, such as detecting only a corresponding computer virus or unauthorized access.

  The detailed signature information field 3402 stores detailed signature data that consumes memory resources and CPU resources but performs higher-level processing such as removal and defense against the corresponding computer virus or unauthorized access.

  The configuration of the signature distribution device 4700 is shown in FIG. In the figure, the same components as those in FIG. 9 are denoted by the same reference numerals.

  A signature distribution apparatus 4700 shown in FIG. 24 includes a communication control unit 4001, a neighboring network information storage unit 4102, a distribution terminal determination unit 4701, and an end device resource information storage unit 4710.

  The distribution terminal determination unit 4701 receives the detection result message A000, the affected device information, and the signature data notified from the information collection device 2000, and determines the distribution destination of the signature data.

  The end device resource information storage unit 4710 stores resource information such as the memory mounted on the end device and the processing capability of the CPU. The end device information stored in the end device resource information storage unit 4710 includes an end device ID 4311, OS information 4312, architecture information 4313, and device resource information 4711 that can uniquely identify the end device, as shown in FIG. It is a waste.

  The device resource information 4711 is information indicating resources such as the installed memory of the end device and the processing capability of the CPU. For example, information such as the CPU MIPS value, the operation clock frequency, the capacity of the mounted memory, and the cache capacity is stored. Note that the end device ID 4311, the OS information 4312, and the architecture information 4313 are the same as those in FIG.

Next, the operation will be described.
The distribution terminal determination unit 4701 receives the detection result message A000, the affected device information, the simple signature data, and the detailed signature data from the information collection device 2000. Then, based on the detection source address A001 included in the received detection result message A000, an end device group close to the information analysis apparatus 1000 that has detected a computer virus or unauthorized access is identified on the network. Furthermore, the distribution destination of the simple signature data or the detailed signature data is determined based on the resource information stored in the end device resource information storage unit 4710 in the specified end device group. It is determined that simple signature data is distributed to an end device with few resources, and detailed signature data is distributed to an end device with sufficient resources. For example, when the usable memory capacity is as small as 1 megabyte or less, or when the processing capacity of the CPU is poor, simple signature data is transmitted to the end device, and the usable memory is several hundred megabytes or more. Detailed signature data is transmitted to an end device having sufficient processing capacity.

  Based on the determination by the distribution terminal determination unit 4701, the communication control unit 4001 transmits simple signature data or detailed signature data to the end device that is the distribution destination.

  In such a signature distribution system according to the ninth embodiment, the distribution terminal determination unit 4701 distributes the data stored in the simple signature data field to the end device with few resources based on the resource information of the end device 5000. However, since it is decided to distribute the data stored in the detailed signature data field to end devices with sufficient resources, it is possible to detect and remove computer viruses on the end devices without impairing the original functions of the end devices. , Can detect and prevent unauthorized access.

(Embodiment 10)
The signature distribution system according to the tenth embodiment of the present invention will be described below.
The signature distribution system according to the tenth embodiment includes a signature distribution apparatus 4800 shown in FIG. 26 in place of the signature distribution apparatus 4700 in the signature distribution system according to the ninth embodiment.

The configuration of signature distribution apparatus 4800 is shown in FIG.
A signature distribution apparatus 4800 shown in FIG. 26 includes a communication control unit 4001, a distribution terminal determination unit 4801, and a device resource measurement unit 4802.

The distribution terminal determination unit 4801 receives the detection result message A000 and signature data from the information collection device 2000, and determines a distribution destination of the signature data.
The device resource measurement unit 4802 measures the resource of the end device.

Next, the operation will be described.
The distribution terminal determination unit 4801 receives the detection result message A000 and the signature data from the information collection device 2000. Then, the distribution destination of the signature data is determined based on the detection source address A001 included in the received detection result message A000.

  The device resource measurement unit 4802 transmits a packet for measuring the resource of the end device to the end device determined as a distribution destination by the distribution terminal determination unit 4801 at least once, and the response result and response time to the end device Measure end-device resources, including network conditions.

  As a result of the resource measurement by the device resource measurement unit 4802, the communication control unit 4001 transmits simple signature data to an end device with few resources and detailed signature data to an end device with sufficient resources. For example, as a result of resource measurement, when the usable memory capacity is as low as 1 megabyte or less, or when a certain process takes several times longer than the standard, simple signature data is sent to the end device and used Detailed signature data is transmitted to an end device that has a possible memory of several hundred megabytes or more and requires a time less than a fraction of the standard time for a certain process.

  In such a signature distribution system according to the tenth embodiment, the resource is measured by the device resource measuring unit 4802 for the end device determined as the distribution destination, and as a result, the simple signature is applied to the end device having few resources. Distributes data and distributes detailed signature data to end devices with sufficient resources, so even if device updates or downgrades, device replacement, etc. occur on the end device side, signature distribution Signature distribution based on device resources can be performed without changing data on the device side.

(Embodiment 11)
The signature distribution system according to the eleventh embodiment of the present invention will be described below.
The signature distribution system according to the eleventh embodiment includes a signature distribution apparatus 4900 shown in FIG. 27 instead of the signature distribution apparatus 4700 in the signature distribution system according to the ninth embodiment.

The configuration of the signature distribution apparatus 4900 is shown in FIG.
A signature distribution apparatus 4900 shown in FIG. 27 includes a communication control unit 4001, a distribution terminal determination unit 4901, and a device communication amount measurement unit 4902.

The distribution terminal determination unit 4901 receives the detection result message A000 and the signature data from the information collection device 2000, and determines a distribution destination of the signature data.
The device communication amount measurement unit 4902 measures the communication amount of the end device.

Next, the operation will be described.
The distribution terminal determination unit 4901 receives the detection result message A000 and the signature data from the information collection device 2000. Then, based on the detection source address A001 included in the received detection result message A000, the distribution destination of the signature data is determined.

  The device communication amount measurement unit 4902 measures the communication amount of the end device for the end device determined as the distribution destination by the distribution terminal determination unit 4901.

  The communication control unit 4001 transmits simple signature data to an end device with a small amount of communication and detailed signature data to an end device with a large amount of communication as a result of measuring the amount of communication by the device communication amount measurement unit 4902. To do. For example, an end device that only communicates several times a day, transmits simple signature data to an end device whose communication data size is about several tens of kilobytes, and performs communication several times an hour Alternatively, detailed signature data is transmitted to an end device that communicates or maintains very large data in one communication.

  In such a signature distribution system according to the eleventh embodiment, the communication amount measurement unit 4902 measures the communication amount for the end device determined as the distribution destination, and as a result, for the end device having a large communication amount. Detailed signature data is distributed to end devices with low traffic, so simple signature data is distributed, so there is a large amount of traffic that seems to have a high risk of computer viruses and unauthorized access. Signatures can be distributed to devices that can be used to disinfect and defend against computer viruses or unauthorized access.

(Embodiment 12)
The signature distribution system according to the eleventh embodiment of the present invention will be described below.
The signature distribution system according to the eleventh embodiment includes an information analysis apparatus 1200 shown in FIG. 28 in place of the information analysis apparatus 1000 in the signature distribution system according to the first embodiment.

The configuration of the information analysis apparatus 1200 is shown in FIG.
28 includes a communication control unit 1001, an infection / attack determination unit 1002, an infection / attack detection signature storage unit 1003, and a signature deletion determination unit 1201.

  The signature deletion determination unit 1201 determines whether it is necessary to use a signature for a computer virus or unauthorized access. The communication control unit 1001, infection / attack determination unit 1002, and infection / attack detection signature storage unit 1003 are the same as those shown in FIG.

Next, the operation will be described.
In the information analysis apparatus 1200, the signature deletion determination unit 1201 determines whether or not it is necessary to use a previously distributed signature. Then, as a result of the determination, an erasure message for erasing a signature that is determined to be unnecessary because it is no longer detected by the infection / attack determination unit 1002 is transmitted to the information collection device 2000 via the communication control unit 1001.

  When the information collection device 2000 receives the erasure message, it transmits it to the signature distribution device 4000.

  The signature distribution device 4000 identifies the end device 5000 that stores the signature to be deleted included in the deletion message, and transmits the deletion message.

  When the end device 5000 receives the delete message, the end device 5000 deletes the signature included in the received delete message from the signature storage unit 5003.

  In such a signature distribution system according to the twelfth embodiment, since the signature determined to be unnecessary by the signature deletion determination unit 1201 of the information analysis device 1200 is deleted from the signature storage unit 5003 of the end device 5000, the end device 5000 The signatures possessed by can be minimized and resources of the end equipment can be used more efficiently.

(Embodiment 13)
The signature distribution system according to the thirteenth embodiment of the present invention will be described below.
The signature distribution system according to the thirteenth embodiment includes an information analysis apparatus 1300 shown in FIG. 29 instead of the information analysis apparatus 1000 in the signature distribution system according to the first embodiment.

  The configuration of the information analysis apparatus 1300 is shown in FIG. In the figure, the same components as those in FIG.

  An information analysis apparatus 1300 shown in FIG. 29 includes a communication control unit 1001, an infection / attack determination unit 1002, an infection / attack detection signature storage unit 1003, a signature deletion determination unit 1301, and a continuation detection determination unit 1302. .

  The signature deletion determination unit 1301 determines whether it is necessary to use a signature for a computer virus or unauthorized access.

  The continuous detection determination unit 1302 determines whether the infection / attack determination unit 1002 continuously detects a computer virus or unauthorized access.

Next, the operation will be described.
In the information analysis apparatus 1300, the continuation detection determination unit 1302 determines whether a computer virus and unauthorized access previously detected by the infection / attack determination unit 1002 are continuously detected. As a result of the determination, when it is determined that the detection is not continuously performed, the signature deletion determination unit 1301 collects information about deletion of the corresponding computer virus or a signature related to unauthorized access via the communication control unit 1001. To device 2000.

  When the information collection device 2000 receives the erasure message, it transmits it to the signature distribution device 4000.

  The signature distribution device 4000 identifies the end device 5000 that stores the signature to be deleted, which is included in the deletion message, and transmits the deletion message.

  When the end device 5000 receives the delete message, the end device 5000 deletes the signature included in the received delete message from the signature storage unit 5003.

  In such a signature distribution system according to the thirteenth embodiment, since a computer virus or unauthorized access is not continuously detected and unnecessary signatures are deleted, the end device is in a safer state and the end device is more secure. The signature can be deleted from the device. In addition, the signature of the end device 5000 can be minimized, and resources of the end device can be used more efficiently.

(Embodiment 14)
The signature distribution system according to the fourteenth embodiment of the present invention will be described below.
The signature distribution system according to the fourteenth embodiment includes an information analysis apparatus 1400 shown in FIG. 30 instead of the information analysis apparatus 1000 in the signature distribution system according to the first embodiment.

  The configuration of the information analysis apparatus 1400 is shown in FIG. In the figure, the same components as those in FIG. 29 are denoted by the same reference numerals.

  30 includes a communication control unit 1001, an infection / attack determination unit 1002, an infection / attack detection signature storage unit 1003, a continuation detection determination unit 1302, a signature deletion determination unit 1401, and an deletion determination timer 1402. It is provided.

  The signature deletion determination unit 1401 determines whether it is necessary to use a signature for a computer virus or unauthorized access.

  The erasure determination timer 1402 measures the elapsed time after the infection / attack determination unit 1002 detects a computer virus or unauthorized access. A fixed reference time that is compared with the measurement time of the timer is set for the erasure determination timer 1402.

Next, the operation will be described.
In the information analysis apparatus 1400, when the infection / attack determination unit 1002 detects a computer virus and unauthorized access, the elapsed time since the detection is detected by the deletion determination timer 1402. Further, the continuation detection determination unit 1302 determines whether the infection / attack determination unit 1002 continuously detects computers and unauthorized access.

  Then, the signature deletion determination unit 1401 determines that the computer virus or the unauthorized virus measured by the deletion determination timer 1402 is in a state where the continuous detection determination unit 1302 determines that a computer virus or unauthorized access is not continuously detected. When the elapsed time after detecting unauthorized access is equal to or longer than the reference time set for the timer, a communication control unit sends an erasure message to the effect that the computer virus or signature related to unauthorized access is deleted. The information is transmitted to the information collection device 2000 via 1001.

  When the information collection device 2000 receives the erasure message, it transmits it to the signature distribution device 4000.

  The signature distribution device 4000 identifies the end device 5000 that stores the signature to be deleted, which is included in the deletion message, and transmits the deletion message.

  When the end device 5000 receives the delete message, the end device 5000 deletes the signature included in the received delete message from the signature storage unit 5003.

  In such a signature distribution system according to the fourteenth embodiment, even for a computer virus having a latent period or a time-onset computer virus, the signature is deleted after a time interval that is safe from detection. The signature can be deleted from the end device while the end device is safer.

(Embodiment 15)
The signature distribution system according to the fifteenth embodiment of the present invention will be described below.
The signature distribution system of the fifteenth embodiment includes an information analysis apparatus 1500 shown in FIG. 31 instead of the information analysis apparatus 1000 in the signature distribution system of the ninth embodiment.

  The configuration of the information analysis device 1500 is shown in FIG. In the figure, the same components as those in FIG. 30 are denoted by the same reference numerals.

  31 includes a communication control unit 1001, an infection / attack determination unit 1002, an infection / attack detection signature storage unit 1003, a continuation detection determination unit 1302, an erasure determination timer 1402, a signature erasure determination unit 1501, and A warning determination timer 1502 is provided.

  The signature deletion determination unit 1501 determines that it is not necessary to use a signature for a computer virus or unauthorized access.

  The warning determination timer 1502 measures an elapsed time after the infection / attack determination unit 1002 detects a computer virus or unauthorized access. Note that a fixed reference time to be compared with the measurement time of the timer is set for the warning determination timer 1502, and the reference time for the timer 1502 is set for the erasure determination timer 1402. The time is shorter than the reference time.

Next, the operation will be described.
In the system of this embodiment, when the information analysis device 1500 detects a computer virus and unauthorized access by the infection / attack determination unit 1002, the information distribution device 4000 notifies the information collection device 2000 of a detection result message, and the signature distribution device 4000 is the end device 5000. Distribute detailed signature data for.

  In the information analysis apparatus 1500, the continuation detection determination unit 1302 determines whether the infection / attack determination unit 1002 continuously detects computers and unauthorized access. Further, the elapsed time since the detection is measured by the erasure determination timer 1402 and the warning determination timer 1502. The signature deletion determination unit 1501 has detected the computer virus or the unauthorized access measured by the warning determination timer 1502 in a state where the continuous detection determination unit 1302 determines that the detection is not continuously detected. When the elapsed time is equal to or longer than the reference time set for the timer, it is determined that the detailed signature data is no longer necessary, and a warning message to the effect that the simple signature data is to be replaced is notified to the information collecting apparatus 2000.

  When the information collection device 2000 receives the warning message, the information collection device 2000 retrieves the corresponding simple signature data from the distribution signature storage unit 3000 and transmits it to the signature distribution device 4000.

  The signature distribution device 4000 determines a distribution destination of the simple signature data received from the information collection device 2000 based on the warning message, and distributes the simple signature data to the determined end device 5000.

  When the end device 5000 receives the simple signature data, the end device 5000 deletes the detailed signature data currently stored and then stores the simple signature data.

  Further, in the information analysis apparatus 1500, the signature deletion determination unit 1501 determines that the computer virus or the measurement is performed by the deletion determination timer 1402 while the continuous detection determination unit 1302 determines that the detection is not continuously detected. When the elapsed time after detecting unauthorized access is equal to or longer than the reference time set for the timer, a communication control unit sends an erasure message to the effect that the computer virus or signature related to unauthorized access is deleted. The information is transmitted to the information collection device 2000 via 1001.

  When the information collection device 2000 receives the erasure message, it transmits it to the signature distribution device 4000.

  The signature distribution device 4000 identifies the end device 5000 that stores the signature to be deleted, which is included in the deletion message, and transmits the deletion message.

  When the end device 5000 receives the delete message, the end device 5000 deletes the signature included in the received delete message from the signature storage unit 5003.

  In such a signature distribution system according to the fifteenth embodiment, the end equipment with a high risk is detected with a simple signature, and the end equipment with a high risk is detected with a detailed signature as before. Since defense is performed, resources can be used more efficiently and end devices can be used safely.

  In the first to fifteenth embodiments, the end device side determines whether the signature of the end device is unnecessary, and erases the signature that is determined to be unnecessary. The signature distribution device 4000 determines a signature to be deleted among the distributed signatures, identifies one or a plurality of end devices having the determined signature, and transmits a message instructing the deletion of the signature Thus, the end device may delete the signature.

  The signature distribution system according to the present invention can distribute virus scanners to network devices and distribute signatures to intrusion detection systems as efficient signature distribution. It is useful for protecting against unauthorized access.

  It is also useful as a method for selecting a signature possessed by a network device and a method for minimizing the resource consumption of the device.

It is a basic block diagram of the signature distribution system of Embodiment 1 of this invention. In the signature distribution system of Embodiment 1 of this invention, the detection result message output from an information analysis device is shown. It is a figure which shows the structure of the information analysis apparatus in the signature distribution system of Embodiment 1 of this invention. It is a figure which shows the database which comprises the signature storage part for distribution in the signature distribution system of Embodiment 1 of this invention. It is a figure which shows the structure of the information collection device in the signature distribution system of Embodiment 1 of this invention. It is a figure which shows the structure of the signature distribution apparatus in the signature distribution system of Embodiment 1 of this invention. It is a figure which shows the structure of the end apparatus in the signature distribution system of Embodiment 1 of this invention. It is a figure which shows the specific example of the signature distribution system of Embodiment 1 of this invention. It is a figure which shows the structure of the signature distribution apparatus in the signature distribution system of Embodiment 2 of this invention. It is a figure which shows the database which comprises the signature storage part for distribution in the signature distribution system of Embodiment 3 of this invention. It is a figure which shows the structure of the signature distribution apparatus in the signature distribution system of Embodiment 3 of this invention. It is a figure which shows the database which comprises the signature storage part for distribution in the signature distribution system of Embodiment 4 of this invention. It is a figure which shows the structure of the signature distribution apparatus in the signature distribution system of Embodiment 4 of this invention. It is a figure which shows the end apparatus information memorize | stored in the end apparatus information storage part which comprises the signature distribution apparatus of Embodiment 4 of this invention. It is a figure which shows the structure of the signature distribution apparatus in the signature distribution system of Embodiment 5 of this invention. It is a figure which shows the database which comprises the signature storage part for distribution in the signature distribution system of Embodiment 6 of this invention. It is a figure which shows the structure of the signature distribution apparatus in the signature distribution system of Embodiment 6 of this invention. It is a figure which shows the structure of the signature distribution apparatus in the signature distribution system of Embodiment 7 of this invention. In the signature distribution system of Embodiment 7 of this invention, it is a figure which shows the detection result message output from an information analysis device. It is a figure which shows the end apparatus information memorize | stored in the end apparatus physical location information storage part which comprises the signature distribution apparatus of Embodiment 7 of this invention. In the signature distribution system of Embodiment 8 of this invention, it is a figure which shows the detection result message output from an information analysis device. It is a figure which shows the structure of the information analysis apparatus in the signature distribution system of Embodiment 8 of this invention. It is a figure which shows the database which comprises the signature storage part for distribution in the signature distribution system of Embodiment 9 of this invention. It is a figure which shows the structure of the signature distribution apparatus in the signature distribution system of Embodiment 9 of this invention. It is a figure which shows the end apparatus information memorize | stored in the end apparatus resource information storage part which comprises the signature distribution apparatus of Embodiment 9 of this invention. It is a figure which shows the structure of the signature distribution apparatus in the signature distribution system of Embodiment 10 of this invention. It is a figure which shows the structure of the signature distribution apparatus in the signature distribution system of Embodiment 11 of this invention. It is a figure which shows the structure of the information analysis apparatus in the signature distribution system of Embodiment 12 of this invention. It is a figure which shows the structure of the information analysis apparatus in the signature distribution system of Embodiment 13 of this invention. It is a figure which shows the structure of the information analysis apparatus in the signature distribution system of Embodiment 14 of this invention. It is a figure which shows the structure of the information analysis apparatus in the signature distribution system of Embodiment 15 of this invention.

Explanation of symbols

1000 Information Analysis Device 1001 Communication Control Unit 1002 Infection / Attack Determination Unit 1003 Infection / Attack Detection Signature Storage Unit 1100 Information Analysis Device 1101 for Distributing Taking Account of Infected Devices 1101 Infection / Attack Terminal Identification Unit 1200 Signature Information analysis apparatus 1201 for deleting signatures Signature deletion determination unit 1300 Information analysis apparatus for deleting signatures based on continuous detection results 1301 Signature deletion determination unit 1302 for deleting signatures based on continuous detection results 1400 Continuous detection determination unit 1400 Information analysis device for deleting signature by timer 1401 Signature deletion determination unit for deleting signature by timer 1402 Delete determination timer 1500 Information for deleting signature by stepwise timer Signature removal determining unit 1502 alert determination timer 2000 information collecting apparatus 2001 signature storage unit 3001 signature ID for the communication control unit 2002 distribution signature judging unit 3000 distribution for the deletion of the signature by the analysis unit 1501 stepwise timer
3002 Signature Corresponding Information 3003 Signature Data 3100 Distribution Signature Storage Unit for Distribution Considering the Influence of Detection Results 3101 Infectivity / Influence Level Information 3200 Distribution Signature Storage for Distributing Considering the Influence Device of Detection Results Unit 3201 Affected device information 3300 Distribution signature storage unit 3301 for distribution taking into consideration the operation service in the device 3301 Affected service information 3400 Distribution signature storage unit 3401 for distribution taking into account device resources Signature data 3402 Detailed signature data 4000 Signature distribution device 4001 Communication control unit 4002 Distribution terminal determination unit 4100 Signature distribution device 4101 for distribution to the vicinity of the detection source 4101 Distribution terminal determination unit 41 for distribution to the vicinity of the detection source 2 Neighboring network information storage unit 4200 Signature distribution device for performing distribution in consideration of the influence of the detection result 4201 Distribution terminal determining unit for performing distribution in consideration of the influence of the detection result 4202 Influence range determination unit 4300 Influence device of the detection result Distributing apparatus for performing distribution in consideration of the distribution 4301 Distribution terminal determining unit for performing distribution in consideration of the influence device of the detection result 4310 End device information storage unit 4311 End device ID
4312 OS information 4313 Architecture information 4400 Signature distribution device for distribution in consideration of registration service 4401 Distribution terminal determination unit for distribution in consideration of registration service 4410 Service registration terminal storage unit 4500 Operation on device Signature distribution device for distribution considering service 4501 Distribution terminal determination unit for distribution considering operation service in device 4502 Device scan unit 4600 Distribution taking physical position into consideration Signature distribution device 4601 Distribution terminal determination unit 4610 for distribution taking physical position into consideration 4610 End device information storage unit 4611 for performing distribution taking physical position into consideration 4611 Physical position information 4700 Considering device resources Signature distribution for distribution Device 4701 Distributing terminal determination unit for performing distribution in consideration of device resources 4710 End device information storage unit for performing distribution in consideration of device resources 4711 Device resource information 4800 Distributing in consideration of device resources Signature distribution device 2
4801 Distribution terminal determination unit 2 for performing distribution in consideration of device resources
4802 Device resource measurement unit 5000 End device 5001 Communication control unit 5002 Signature control unit 5003 Signature storage unit 5004 Computer virus detection / disinfection unit 5005 Intrusion detection / protection unit A000 Detection result message A001 Detection source address A002 Detection information A100 Considering physical location Detection result message for performing distribution A101 Detection source physical coordinates A200 Detection result message for performing distribution taking into account an infected device A201 Infected / intrusion terminal information

Claims (13)

A detection result including a detection source address that is an address of the information analysis device and information relating to the computer virus or unauthorized access detected by the information analysis device is received from the information analysis device that detects a computer virus or unauthorized access via the network. A signature distribution device that distributes a signature for detecting and removing the computer virus or detecting and preventing unauthorized access via a network,
A communication control unit for communicating with a terminal on the network;
A distribution terminal determination unit that receives a detection result from the information analysis apparatus that has detected the computer virus or unauthorized access, and determines one or more end devices to which a signature is distributed based on a detection source address included in the detection result And comprising
The communication control unit distributes a signature to the one or more end devices determined by the distribution terminal determination unit as a signature distribution destination;
The signature distribution apparatus characterized by the above-mentioned. The signature distribution apparatus according to claim 1,
A neighbor network information storage unit for storing information of a network adjacent to the network including the information analysis device;
The distribution terminal determining unit searches a network adjacent to the network including the information analysis device that has detected the computer virus or unauthorized access from the neighboring network information storage unit, and includes one or a plurality of networks included in the searched neighboring network Determine the end device as the signature distribution destination.
The signature distribution apparatus characterized by the above-mentioned. The signature distribution device according to claim 2,
According to the infectivity of the detected computer virus or the degree of influence of the detected unauthorized access, further comprising an influence range determination unit that determines a range on the network to which the signature is to be distributed,
The distribution terminal determination unit determines the end device within the network range determined by the influence range determination unit as a signature distribution destination;
The signature distribution apparatus characterized by the above-mentioned. The signature distribution device according to claim 2,
An end device information storage unit that stores device-specific information indicating a unique device configuration of each end device on the network;
The detection result also includes affected device information of the end device indicating a device configuration affected by the detected computer virus infection or unauthorized access,
The distribution terminal determination unit selects an end device having a device configuration indicated by the affected device information in the detection result among the end devices close to the information analysis apparatus that has detected the computer virus or unauthorized access on the network. Searching from the end device information storage unit, and determining the searched end device or devices as signature distribution destinations.
The signature distribution apparatus characterized by the above-mentioned. The signature distribution apparatus according to claim 1,
A service registration terminal storage unit for recording device instruction information indicating an end device subscribed to a specific service;
The distribution terminal determination unit determines one or more end devices to which a signature should be distributed from among the end devices indicated by the device designation information stored in the service registration terminal storage unit.
The signature distribution apparatus characterized by the above-mentioned. The signature distribution apparatus according to claim 1,
A device scanning unit that detects a service operating on an end device having a specified address is further provided.
The detection result also includes impact service information indicating a service affected by the detected computer virus or unauthorized access,
The distribution terminal determination unit includes one or a plurality of end users performing a service that matches the service indicated by the affected service information in the detection result among the services performed by each end device detected by the device scan unit. Determine the device as the signature distribution destination,
The signature distribution apparatus characterized by the above-mentioned. The signature distribution device according to claim 4, wherein
The end device information storage unit includes an end device physical position information storage unit that stores physical position information of the end device,
The detection result also includes physical position information of the information analysis device,
The distribution terminal determination unit determines one or more end devices that are physically close to the information analysis device based on the physical position information of the information analysis device included in the detection result, as the end device. Search from the physical location information storage unit, and determine the searched end device or devices as a signature distribution destination.
The signature distribution apparatus characterized by the above-mentioned. The signature distribution apparatus according to claim 1,
The detection result includes infection / intrusion terminal information for identifying a terminal infected with the computer virus or a terminal subjected to the unauthorized access attack,
The distribution terminal determination unit, based on the infection / intrusion terminal information included in the detection result, has one or more end devices infected with a computer virus or under an unauthorized access attack, and the vicinity thereof Identify the end device of and determine where to distribute the signature.
The signature distribution apparatus characterized by the above-mentioned. The signature distribution device according to claim 2,
An end device resource information storage unit for storing resource information of the end device;
The distribution terminal determination unit, for the end device with less resources among the one or more end devices determined as the distribution destination of the signature based on the resource information stored in the end device resource information storage unit Decide to distribute simple signatures to end devices that have sufficient resources,
The signature distribution apparatus characterized by the above-mentioned. The signature distribution device according to claim 2,
A device resource measuring unit that transmits a packet for measuring the resource of the device to the end device at least once, and measures a resource of the end device including a network state up to the end device based on a response result and a response time; Prepared,
The distribution terminal determination unit, based on the measurement result by the device resource measurement unit, provides a simple signature for an end device with few resources among the one or more end devices determined as the distribution destination of the signature. Decide to distribute detailed signatures to end devices with sufficient resources,
The signature distribution apparatus characterized by the above-mentioned. The signature distribution device according to claim 2,
An end device communication amount measuring unit for measuring the communication frequency and communication data amount of the end device;
The distribution terminal determination unit is configured for an end device having a small communication amount among the one or more end devices determined as a distribution destination of the signature based on a result of measurement by the end device communication amount measurement unit. Decide to distribute simple signatures and detailed signatures to end devices with heavy traffic.
The signature distribution apparatus characterized by the above-mentioned. The signature distribution apparatus according to claim 1,
The distribution terminal determination unit determines a signature to be deleted from among the distributed signatures, identifies one or more end devices having the determined signature,
The communication control unit transmits a message instructing deletion of the signature to one or more end devices specified by the distribution terminal determination unit;
The signature distribution apparatus characterized by the above-mentioned. An information analysis device that detects a computer virus or unauthorized access, and transmits a detection result including information on a detected source address and detected computer virus or unauthorized access via a network;
A distribution signature storage unit for storing a distribution signature for detecting and removing a computer virus, or detecting and preventing unauthorized access;
An information collection device for selecting a distribution signature from the distribution signature storage unit based on information on the detected computer virus or unauthorized access included in the detection result of the information analysis device;
A signature distribution device that determines a transmission destination of a distribution signature selected by the information collection device based on a detection source address included in a detection result of the information analysis device;
A plurality of end devices that receive the distribution signature from the signature distribution device, detect and remove computer viruses, and detect and prevent unauthorized access using the distribution signature;
The signature distribution device includes:
A communication control unit for communicating with a terminal on the network;
Distribution terminal determination that receives the detection result from the information analysis device that has detected the computer virus or unauthorized access, and determines one or more end devices that are the distribution destination of the signature based on the detection source address included in the detection result With
The communication control unit distributes a signature to the one or more end devices determined by the distribution terminal determination unit as a signature distribution destination;
Signature distribution system characterized by that.

Images