JP2007226368A - Electronic mail traffic observation device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To specify a device relating to the transmission of virus or junk mail for which the improvement of security countermeasures is required. <P>SOLUTION: This electronic mail traffic observation device is configured to decide whether or not a transmission origin IP address extracted by a traffic trace program to decide traffic for transferring unauthorized electronic mail, and to specify a transmission origin, a virus trace program to decide electronic mail to which virus is attached, and to specify the transmission origin and a junk mail trace program to decide electronic mail pertinent to junk mail, and to specify the transmission origin is concerned in the transmission of unauthorized electronic mail to multi-points, concerned in the continuous transmission of unauthorized electronic mail, or concerned in the transmission of unauthorized electronic mail by a plurality of methods, and to, when it is decided that the transmission origin ID address is concerned in the transmission of the unauthorized electronic mail in any of those above mentioned three steps, transmit the transmitting situation of unauthorized electronic mail to an organization for managing the transmission origin IP address. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a technology for specifying a device related to transmission of a virus or spam using electronic mail in a system including an electronic computer connected to a network.

  In recent years, in corporate information systems, measures against the spread of viruses and spam using electronic mail have become an important issue.

  Conventionally, as a method for preventing the spread of viruses using e-mail, anti-virus software is used to detect and remove computer viruses and repair from infection. In addition, as a method of preventing junk e-mails, junk e-mail is detected and discarded by using junk e-mail countermeasure software that determines the subject of e-mails and the presence / absence of specific character strings in the text. ing.

  For example, Patent Document 1 discloses a technique related to virus detection.

Japanese Patent Laid-Open No. 06-337781

  As information systems using Internet technology are used as infrastructure for corporate activities, not only the detection and removal and disposal of viruses and junk e-mails on the e-mail recipient side, but also virus and junk e-mail transmission devices and relay devices It is necessary to take countermeasures against the spread by identifying and improving the security measures of the devices involved in the transmission of spam viruses, which are viruses and spam.

  However, when taking measures against the spread of viruses and junk e-mails using the above-mentioned conventional technology, the corresponding computer virus and junk e-mail tools are applied to the e-mail receiving side, and only detection, removal and disposal are performed. As a result, there is a problem that the security measures of the devices involved in the transmission of viruses and junk mail have not been improved, and the transmission of viruses and junk mail itself cannot be suppressed.

  The present invention provides a technique for identifying a device involved in the transmission of a virus or spam that requires improvement of security measures in order to solve the above-described problems.

In order to solve the above-described problems, the present invention is achieved by using the following means as a traffic observation method related to electronic mail in a network system composed of one or more devices using an electronic computer.
(1) Identification of illegal email source by traffic analysis If the destination port number of the packet that constitutes traffic is other than port number 25 used for email transfer, SMTP (Simple Mail Transfer Protocol) command is included in the traffic Is determined to determine whether or not the e-mail is the forwarded traffic. If the SMTP command is mixed in the data part of the packet, it is determined that this traffic is not a normal email forwarding operation, that is, an illegal email forwarding traffic, and the packet header By identifying the sender IP address from the URL, the unauthorized email sender is identified.
(2) Identification of the sender of the email with the virus attached A computer virus countermeasure tool is applied to the received email to determine whether the email is contaminated with a virus. When a virus is mixed in the e-mail, the e-mail source attached with the virus is specified by extracting the source IP address that has transmitted the packet to the system from the packet header.
(3) Identification of the sender of the e-mail that is determined to be junk e-mail A junk e-mail countermeasure tool is applied to the received e-mail to determine whether the e-mail falls under junk e-mail. When it is determined that the e-mail corresponds to the junk mail, the e-mail source determined to be the junk mail is specified by extracting the source IP address that has transmitted the packet to the system from the packet header.
(4) Notification of illegal e-mail transmission status to the source organization Monitors the transmission of illegal e-mail such as viruses and spam from the source IP address extracted in the above three steps. Next, when observing illegal e-mail transmissions at multiple points, when observing continuous illegal e-mail transmissions at any of the three steps, or from among the three steps, a plurality of senders When an unauthorized e-mail transmission is observed by a specific method, the organization managing the sender IP address is notified of the status of the unauthorized e-mail transmission.

  Specifically, an e-mail traffic observation device according to the present invention is a system comprising an electronic computer connected to a network, and means for identifying an unauthorized e-mail source by traffic analysis and an e-mail source attached with a virus. And means for specifying an e-mail sender determined to be junk mail.

  Further, a means for determining traffic according to the protocol using whether or not the command is used only in the corresponding protocol, a means for calculating the result as the degree of protocol-likeness, and a means for displaying the degree of protocol-likeness And is provided.

  Further, a means for determining whether or not the sender is involved in sending illegal emails to multiple points, a means for judging whether or not the sender is involved in sending illegal emails continuously, And means for determining whether or not it is involved in the transmission of unauthorized e-mails by a plurality of methods.

  Means for displaying the total number of packets observed for each destination port number, the total number of observed emails for each virus name, and the total number of spam messages observed for each domain name as observation results involving a specific source Is provided.

  In addition, when the means for determining whether or not it is involved in the sending of an unauthorized e-mail is determined to be involved in the sending situation of an unauthorized e-mail, the e-mail is sent to the organization that manages the sender. A means for notifying the transmission status of the telephone is provided.

  The means for displaying the observation results is the same as the means for displaying the observation results at multiple points in a list for each observation method, and the means for displaying a list of the sources of illegal emails that have been observed. Provided means to change the display method when the original appears in the observation results of multiple points, and means to change the display method when the same source appears in the observation results of multiple observation methods It is characterized by.

  By these means, identify the devices involved in sending illegal e-mails such as viruses and junk mails in the target network system, and notify the organization that manages the devices to make recommendations for improving the security measures of the devices can do.

  That is, according to the present invention, it is possible to identify a device that is involved in the transmission of viruses and spam mails, and when the identified sender observes the transmission of unauthorized emails at multiple points, When observing the sending of e-mails or observing the sending of illegal e-mails using multiple methods, it is possible to notify the organization that manages the source IP address of the sending status of illegal e-mails. Become.

  According to the present invention, it is possible to identify a device involved in the transmission of a virus or a junk mail.

  In addition, it is possible to notify the transmission status of unauthorized e-mails.

  Embodiments of the present invention will be described below with reference to the drawings.

  FIG. 3 is a schematic diagram of an e-mail traffic observation network system to which the present invention is applied. An electronic mail traffic observation device 301 and electronic computers such as server devices (302a, 302b) and client devices (302c, 302d, 302e) are connected via a network (303a, 303b). The traffic observation device 301b has a configuration in which a server device (302b) mechanism is incorporated in the device. In this embodiment, the configuration is such that the email traffic monitoring device 1 (301a) collects the observation results of the other email traffic monitoring device 2 (301b).

  FIG. 1 is a schematic configuration diagram of an email traffic observation apparatus 301. The email traffic observation device 301 includes a CPU 101, a memory 102, an external storage device 103 such as a hard disk device, a communication device 104 connected to a network, an input device 105 such as a keyboard and a mouse, a display device 106 such as a display, and an FD. It can be constructed on an electronic computer provided with an access reader 107 for data in a portable storage medium and an interface 108 for managing data transmission / reception between the above-described components. The external storage device 103 includes a configuration information management program 132 for constructing the electronic mail traffic observation device 301 on an electronic computer, a traffic trace program 133 operating on the device, a virus trace program 134, a junk mail trace program 135, etc. Is stored. The CPU 101 executes the configuration information management program 132 loaded on the memory, thereby performing process control of the entire electronic mail traffic observation apparatus. The packet monitoring unit 112 detects the arrival of the received packet, and the communication control program 131 transfers the received packet to the next relay destination via the input control unit 111. The input control unit 111 controls the input device 105 and the display device 106 to receive an instruction from the administrator of the electronic mail traffic observation device and display the output. The configuration information management program 132 detects illegal e-mails such as viruses and junk mails in conjunction with these packet monitoring unit 112, input control unit 111, traffic trace program 133, virus trace program 134, and junk mail trace program 135. And the source IP address is specified. In addition, the observation status notification program 136 observes the transmission of unauthorized emails at multiple points, observes the transmission of unauthorized emails continuously, or sends unauthorized emails using multiple sender identification methods. When observing, the organization that manages the source IP address is notified of the status of unauthorized e-mail transmission.

  FIG. 2 is a schematic configuration diagram of an electronic computer 302 that uses a network system such as a client device or a server device. Here, components having the same functions as those of the electronic mail traffic observation apparatus 301 shown in FIG. The external storage device 103 of the client / server device 302 stores an application program 137, a communication control program 131, and a configuration information management program 132 that run on the device. The CPU 101 executes the configuration information management program 132 loaded on the memory to control the process of the entire client / server apparatus, and executes the application program 137 under the process control, so that the server apparatus (302) Provide individual services that you have.

  FIG. 4 shows an example of a database that determines whether or not the e-mail is transferred traffic. This database is stored as a part of the traffic trace program 133 of the e-mail traffic observation device (301). Column 401 is a list of commands used in the SMTP protocol, and column 402 is "SMTP specific" indicating that the command is a command used only in the SMTP protocol, or a command used in other protocols. "Not SMPT specific" indicating that

  The operation of the traffic trace program 133 of the electronic mail traffic observation apparatus (301) having the above-described configuration will be described with reference to FIGS. 5 to 6 and FIGS.

  FIG. 13 is a flowchart for determining the likelihood of the SMTP protocol of the data stored in the packet data portion in the traffic trace program 133 on the e-mail traffic observation device (301). In step S1301, the data portion stored in the data portion of the packet received by the packet monitoring unit 112 is extracted. In step S1302, it is determined whether or not a command described as “SMTP-specific” in column 402 is stored in the extracted data part among the SMTP commands described in column 401. If the data portion includes a command described as “SMTP-specific” in column 402, it is determined that the received packet is a packet that is transferring an e-mail, and the packet is involved in SMTP protocol communication. “High” is set as the degree of likelihood of the SMTP protocol indicating the scale of whether or not (S1304). In step S1303, it is determined whether or not a command described as “not unique to SMTP” in column 402 is stored in the extracted data portion among the SMTP commands described in column 401. If the data portion includes a command described as “not SMTP-specific” in column 402, it is determined that the received packet is a packet that is assumed to be an e-mail transfer, and the SMTP protocol “Medium” is set as the likelihood (S1305). When the SMTP command described in the column 401 is not included in the data part, it does not correspond to any of steps S1302 and S1303, and “low” is set as the degree of SMTP protocol likelihood (S1306).

  FIG. 12 is a flow diagram for determining the traffic from the traffic trace program 133 on the electronic mail traffic observation apparatus (301) and determining the traffic for transferring the illegal electronic mail, and identifying the source. When the packet monitoring unit 112 detects the arrival of the received packet, it delivers the packet to the traffic trace program 133, extracts the destination and source IP address from the packet header (S1201), and extracts the destination and source port number (S1202). . In step S1203, it is determined whether the destination port number extracted in S1202 is other than port number 25 used for e-mail transfer. If the destination port number is 25, it is determined that the e-mail transfer is regular, and as a regular e-mail transfer process, the frequency calculation of the number of packets is added in the traffic trace information aggregation process (S1206). On the other hand, if the destination port number is other than 25, it is determined that the traffic is not a normal email forwarding operation, that is, an unauthorized email forwarding traffic (S1203) and stored in the packet data portion. The degree of the likelihood of the SMTP protocol of the received data is determined (S1204). In step S1204, according to the flow shown in FIG. 13, the degree of SMTP protocol likelihood is set, which indicates a measure of whether or not the received packet is a packet involved in SMTP protocol communication. Step S1205 is a procedure for specifying the IP address of a device that is sending an unauthorized e-mail, and the source IP address in the packet header extracted in S1201 is the transmission of the device that is sending an unauthorized e-mail. After setting as the source IP address, after adding the frequency calculation for each source IP address and destination port number in the traffic trace information aggregation process (S1206) as an unauthorized email transfer process, in this embodiment, The count result is transferred to the email traffic observation apparatus 1 (301a).

  FIG. 5 is a screen display example of the traffic trace information focusing on the specific IP address output by the traffic trace information aggregation process (S1206) of the traffic trace program 133 of the email traffic observation apparatus 1 (301a). The IP address (71) is one of the source IP addresses extracted in step S1201 of the traffic trace program 133, and the graphs and tables displayed here are the results of the aggregation processing related to the IP address. The display area (502) is an area for outputting the aggregation processing result related to the IP address observed in each of the email traffic observation devices 1 and 2 (301). The graph (503) represents the transition of the observed number of packets every day, and is displayed taking into account the three levels of the SMTP protocol-likeness determined in step S1204. The table (504) displays the total number of observed packets for each destination port number extracted in step S1202 for the graph display period.

  FIG. 6 is a screen display example of traffic trace information for multiple points output by the traffic trace information aggregation process (S1206) of the email traffic observation apparatus 1 (301a). The display area (601) is an area for outputting the total processing results for all data observed in the respective email traffic observation devices 1 and 2 (301). The graph (602) represents the transition of the observed number of packets per day, and is displayed taking into account three levels of the SMTP protocol-likeness determined in step S1204. The table shows the number of packets (604) for each source IP address (603) observed in each of the email traffic observation devices 1 and 2 (301). The notification (605) is a button for instructing an organization that manages the transmission source IP address to notify the transmission status of an unauthorized electronic mail. A thick frame (606) indicates that the selected IP address was also observed on other email traffic monitoring devices, and only when a pointer such as a cursor was placed on the IP address. The thickness of the border of the corresponding cell has been changed. Further, when the IP address is selected with the cursor, the traffic trace information focusing on the specific IP address shown in FIG. 5 is displayed.

  7 to 8 and FIG. 14, the operation of the virus trace program 134 of the electronic mail traffic observation apparatus (301) configured as described above will be described.

  FIG. 14 is a flowchart for determining a sender by determining an email attached with a virus in the virus trace program 134 on the email traffic monitoring device (301). When the packet monitoring unit 112 detects the arrival of the received packet, the packet is delivered to the virus trace program 134, and the source IP address is extracted from the packet header (S1401). In step S1402, after extracting the data part stored in the data part of the packet, a computer virus countermeasure tool is applied to determine whether or not the received packet contains a virus. If there is no virus contamination, it is determined that it is a regular email transfer, and a frequency count of the number of packets is added in the virus trace information tabulation process (S1406) as a regular email transfer process. On the other hand, if it is determined that there is a virus contamination, it is determined that a virus is attached to the email associated with the received packet, and the virus name specified by the computer virus tool is extracted (S1404). Step S1405 is a procedure for identifying the IP address of the device that is sending the virus-attached e-mail, and sending the e-mail with the sender IP address in the packet header extracted in S1401 After setting as the sender IP address of the device, add the frequency calculation for each sender IP address and each virus name in the virus trace information aggregation process (S1406) as an unauthorized email transfer process, and then implement this In the example, the count result is transferred to the electronic mail traffic observation apparatus 1 (301a).

  FIG. 7 is a screen display example of virus trace information focusing on the specific IP address output by the virus trace information aggregation process (S1406) of the virus trace program 134 of the email traffic monitoring device 1 (301a). The IP address (701) is one of the source IP addresses extracted in step S1401 of the virus trace program 134, and the graphs and tables displayed here are the results of the tabulation processing related to the IP address. The display area (702) is an area for outputting an aggregation processing result related to the IP address observed in each of the email traffic observation devices 1 and 2 (301). A graph (703) displays the transition of the number of emails attached with the virus observed every day. The table (704) displays the total number of observed emails for each virus name extracted in step S1404 for the graph display period.

  FIG. 8 is a screen display example of virus trace information for multiple points output by the virus trace information aggregation process (S1406) of the email traffic monitoring device 1 (301a). The display area (801) is an area for outputting a totaling processing result for all data observed in each of the email traffic observation devices 1 and 2 (301). A graph (802) displays the transition of the number of e-mails attached with viruses observed every day. The table shows the number of e-mails (804) attached with viruses for each source IP address (803) observed in each of the e-mail traffic observation devices 1 and 2 (301). The notification (805) is a button for instructing an organization that manages the transmission source IP address to notify the transmission status of an unauthorized electronic mail. A thick frame (806) indicates that the selected IP address was also observed on other email traffic monitoring devices, and only when a pointer such as a cursor was placed on the IP address. The thickness of the border of the corresponding cell has been changed. Further, when the IP address is selected with the cursor, virus trace information focusing on the specific IP address shown in FIG. 7 is displayed.

  The operation of the junk mail trace program 135 of the electronic mail traffic observation device (301) having the above-described configuration will be described with reference to FIGS.

  FIG. 15 is a flowchart for determining an e-mail corresponding to the junk mail and identifying a sender in the junk mail trace program 135 on the e-mail traffic observation device (301). When the packet monitoring unit 112 detects the arrival of the received packet, the packet is delivered to the junk mail trace program 135, and the source IP address is extracted from the packet header (S1501). In step S1502, the data part stored in the data part of the packet is extracted, and then a junk mail countermeasure tool is applied to determine whether the e-mail sent in the received packet corresponds to the junk mail. To do. If it is not a junk mail, it is determined that the e-mail is a regular e-mail transfer, and a frequency calculation of the number of packets is added in a junk mail trace information aggregation process (S1506) as a normal e-mail transfer process. On the other hand, if it is determined that it corresponds to the spam mail, the domain name is extracted from the mail address of the spam mail (S1504). Step S1505 is a procedure for identifying the IP address of the device that is sending spam, and the source IP address of the packet header extracted in S1501 is the source IP of the device that is sending illegal email After setting as an address, after adding the frequency calculation for each source IP address and each domain name in the spam mail trace information aggregation process (S1506) as an unauthorized e-mail transfer process, The count result is transferred to the email traffic observation apparatus 1 (301a).

  FIG. 9 is a screen display example of junk mail trace information focusing on the specific IP address output by the junk mail trace information aggregation process (S1506) of the junk mail trace program 135 of the e-mail traffic monitoring device 1 (301a). The IP address (901) is one of the source IP addresses extracted in step S1501 of the junk mail trace program 135, and the graphs and tables displayed here are the results of the aggregation processing related to the IP address. The display area (902) is an area for outputting the aggregation processing result related to the IP address observed in each of the email traffic observation devices 1 and 2 (301). The graph (903) displays the transition of the number of spam messages observed every day. The table (904) displays the total number of spams observed for each domain name extracted in step S1504 for the graph display period.

  FIG. 10 is a screen display example of junk mail trace information for multiple points output by the junk mail trace information aggregation process (S1506) of the e-mail traffic observation device 1 (301a). The display area (1001) is an area for outputting the total processing results for all data observed in the respective email traffic observation devices 1 and 2 (301). The graph (1002) displays the transition of the number of spam messages observed every day. The table shows the number of spam mails (1004) for each source IP address (1003) observed in each of the email traffic observation devices 1 and 2 (301). The notification (1005) is a button for instructing an organization that manages the transmission source IP address to notify an unauthorized e-mail transmission status. A thick frame (1006) indicates that the selected IP address was also observed on other email traffic monitoring devices, and only when a pointer such as a cursor is placed on the IP address. The thickness of the border of the corresponding cell has been changed. Furthermore, when the IP address is selected with the cursor, the junk mail trace information focusing on the specific IP address shown in FIG. 9 is displayed.

  FIG. 11 and FIG. 16 describe a notification procedure by pressing a button (605, 805, 1005) for instructing an organization that manages a transmission source IP address to notify an unauthorized email transmission status.

  FIG. 11 shows information that is transmitted when the observation status notification program 136 on the email traffic observation device 1 (301a) notifies the organization that manages the source IP address of the transmission status of an unauthorized email. The IP address (1101) is the source IP address selected by the buttons (605, 805, 1005) for instructing the transmission status notification. The row direction is the type of information to be sent, and the column direction is for each email traffic observation device (1105). Traffic trace information (1102), virus trace information (1103), and spam mail trace information (1104) The type of information is notified. In this embodiment, the total number of packets observed for each destination port number as traffic trace information (504), the total number of emails observed for each virus name as virus trace information (704), and the spam name for each domain name as spam trace information Notify the total number of spam messages observed (904).

  FIG. 16 is a flowchart for notifying the organization that manages the sender IP address of the sending status of an unauthorized email in the monitoring status notification program 136 on the email traffic monitoring device 1 (301a). In step S1601, the observation status notification program 136 executed by pressing the button (605, 805, 1005) for instructing the transmission status notification of an illegal email is the traffic trace information and virus trace collected since the previous execution. Source IP address is extracted from information and spam mail trace information. Next, in step S1602, it is determined whether or not the extracted source IP address is involved in sending an unauthorized e-mail to multiple points. In step S1603, it is determined whether or not it is involved in continuous unauthorized e-mail transmission. In step S1604, it is determined whether or not it is involved in the transmission of unauthorized e-mail by a plurality of methods. If it is determined in any of the above three steps that it is involved in sending an unauthorized email, in step S1605, the organization managing the sender IP address is sent as an unauthorized email sending status as shown in FIG. The observation information presented in is sent.

According to the present embodiment, there are the following effects.
(1) Equipped with three methods for identifying the source of unauthorized emails by traffic analysis, the identification of email sources with viruses attached, and the identification of email sources identified as spam Therefore, it can be observed from a more bird's-eye view across multiple sites.
(2) The data stored in the packet data part is determined by the SMTP protocol determiner, and the result is output as the degree of SMTP protocol uniqueness. Therefore, it is possible to determine the SMTP protocol regardless of the port number.

Email traffic monitoring device Client / server device Schematic diagram of a system to which an e-mail traffic observation device is applied in the embodiment A database that determines whether email is traffic being forwarded Displaying traffic trace information focusing on a specific IP address Displaying traffic trace information for multiple locations Display of virus trace information focusing on specific IP address Display of virus trace information for multiple sites Display of spam mail trace information focusing on specific IP address Display of spam mail trace information for multiple points Database storing service transfer type service selection status Traffic trace program operation flow Flow for determining the level of SMTP protocol Virus trace program operation flow Operation flow of junk mail trace program Operation flow of observation status notification program

Explanation of symbols

S1601: Step of extracting the source IP address from the aggregated information
S1602: Step for judging illegal e-mail transmission to multiple points
S1603: Steps for determining continuous unauthorized email transmission
S1604: Step of judging unauthorized e-mail transmission by multiple methods
S1605: Step of notifying an illegal e-mail transmission status to the organization of the source IP address

Claims (6)

In a system consisting of computers connected to a network, means for identifying an unauthorized e-mail source by traffic analysis, means for identifying an e-mail source attached with a virus, and e-mail transmission determined to be spam An e-mail traffic observation device characterized by comprising means for identifying the origin. 2. The system according to claim 1, wherein means for determining traffic according to the protocol using whether or not the command is used only in the protocol, means for calculating the result as a degree of the protocol, and the protocol likeness An e-mail traffic observation device, characterized in that it is provided with means for displaying as a degree of. In the system according to claim 1, means for determining whether or not the sender is involved in sending illegal emails to multiple points, and whether or not the sender is involved in sending illegal emails continuously And a means for determining whether or not it is involved in sending out illegal emails by a plurality of methods. 2. The system according to claim 1, wherein the observed results involving a specific source include the total number of packets observed for each destination port number, the total number of emails observed for each virus name, and the observed spam mail for each domain name. An e-mail traffic observation device characterized in that means for displaying the total number is provided. In the method of determining whether or not involved in sending an unauthorized email according to claim 3,
An apparatus for observing an email traffic characterized by providing means for notifying an organization managing a sender of an outgoing status of an unauthorized email when it is determined that the organization is involved in an outgoing status of an unauthorized email. In the method of displaying the observation results according to claim 4, means for displaying a list of observation results at multiple points for each observation method, means for displaying a list of sources of illegal emails observed, Means to change the display method when the same source appears in multi-point observation results, and means to change the display method when the same source appears in observation results of multiple observation methods An e-mail traffic observation device provided.

Images