JP2007323428A - Bot detection apparatus, bot detection method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a communication system surely detecting computers having a high possibility of bot infection. <P>SOLUTION: The communication system 10 stores communication data inputted from an external network 12 to an internal network 12 in the same period and transmitted from the same transmitting source to a plurality of computers 15 as temporary command communication information and determines the computers 15 having transmitted the communication data from the inner network 14 to the external network 2 in the same period as computers having a high possibility of bot infection. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a technique for detecting a computer in which an illegal program is embedded.

  Japanese Patent Application Laid-Open No. 2004-151867 holds all currently known computer virus data patterns, and when communication data is received, the received communication data is once taken into a buffer, and the acquired communication data is held in the computer A technique for preventing a computer virus from entering a computer by comparing with a virus data pattern is disclosed. With this technique, when a new computer virus appears, it is possible to prevent the invasion of a new computer virus by obtaining a corresponding new data pattern.

  Further, in Patent Document 2, an IDS (intrusion detection device) is installed in a network to be monitored, and a plurality of unauthorized intrusion patterns (methods) are registered in advance in the IDS, and communication data flowing through the network is recorded. There is disclosed a technique for monitoring and intercepting communication from an unauthorized intruder or notifying an administrator of a warning when it matches a registered unauthorized intrusion pattern.

  Viruses, worms, and the like are known as programs that perform unauthorized processing on computers. In recent years, new malicious programs called bots have appeared. The bot has a feature of having a concealment function and a self-updating function, and a feature that the scale of infection is small, there are many variants, and it is remotely operated by a malicious commander. Computers infected with bots can be used as a web server for publishing spam mail transmission and relay, DoS (Denial of Services) and DDoS (Distributed Denial of Service) attacks, or phishing sites, depending on the computer operated by the commander. It is a big social problem because it is used for fraudulent acts.

JP-A-6-337781 JP 2002-342276 A

  In order to detect a bot, it is necessary to create a data pattern corresponding to a large number of variants that occur daily. Bot specimens are often required to create data patterns, but bots characterized by a small scale of infection provide few specimens and provide data patterns for detecting many variants. There is a problem that it is not. As a result, the creation of the data pattern goes after the occurrence of the bot, and when the data pattern is created, the bot may have updated itself to a new bot, and the data pattern cannot be detected. . As described above, there are cases where a computer infected with a bot cannot be found with the same countermeasures as those of conventional viruses and worms.

  The present invention has been made in view of the above circumstances, and an object of the present invention is to reliably detect a computer having a high possibility of being infected with a bot.

  In order to solve the above problem, the present invention provides communication data that has flowed from an external network to an internal network at the same time, and communication data transmitted from the same transmission source to a plurality of computers as temporary command communication information. Among the computers that are the destinations of the stored temporary command communication information, the computer that sent the communication data from the internal network to the external network at the same time is determined as the computer that is likely to be infected with the bot To do.

  For example, the first aspect of the present invention is a bot detection device provided between an external network and an internal network, and acquires inward data that is communication data flowing from the external network into the internal network. The inward data acquisition means for outputting the acquired inward data together with the inward data acquisition date and time that is information indicating the date and time when the inward data is acquired, and the inward direction transmitted from the same transmission source within a predetermined time difference Inward communication information storage means for grouping data and storing inward destination addresses, which are destination IP addresses included in the inward data, in association with a group ID for identifying the group, from the internal network to the external network Obtain outgoing data that is outflow communication data, and use the obtained outgoing data as the outgoing data. The inward communication information when the outward data acquisition means outputs the outgoing data together with the outward data acquisition date that is information indicating the acquired date, and when the outward data and the outward data acquisition date are output from the outward data acquisition means. Referring to the storage means, when the source IP address included in the outward data is stored as the inward destination address in the inward communication information storage means, the inward stored together with the inward destination address Response time calculation means for calculating a response time that is the difference between the data acquisition date and the outward data acquisition date, the calculated response time, the inward destination address, and information indicating the destination of the outward data Including outgoing destination information and the group ID stored in the inward communication information storage means in association with the inward destination address. With reference to the response time storage means to store and the response time storage means, the inbound destination address in which the group ID and the outward destination information are the same and the difference in response time is within a predetermined value is extracted and extracted There is provided a bot detection device comprising: bot information output means for outputting an inward destination address as an IP address of a bot-infected computer which is a computer having a high possibility of being infected with a bot.

  According to a second aspect of the present invention, there is provided a bot detection method in a bot detection device provided between an external network and an internal network, wherein the bot detection device transmits communication data flowing from the external network into the internal network. And an inward data acquisition step of outputting the acquired inward data together with an inward data acquisition date and time, which is information indicating the date and time when the inward data is acquired, from the same source. Are grouped and the inbound destination address, which is the destination IP address included in the inbound data, is associated with the group ID for identifying the group in the inbound communication information storage means. Inbound communication information storage step to store and communication data that flows from the internal network to the external network And the outward data acquisition step for outputting the acquired outward data together with the outward data acquisition date and time, which is information indicating the date and time when the outward data was acquired, and the outward data acquisition step. When the outgoing data and the outgoing data acquisition date and time are output, the inbound communication information storage means is referred to, and the source IP address included in the outward data is stored in the inward communication information storage means. A response time calculating step for calculating a response time that is a difference between the inward data acquisition date and time stored together with the inward destination address and the outward data acquisition date and time, and the calculated response The time, the inbound destination address, the outbound destination information including information indicating the destination of the outbound data, and the inbound destination address. A response time storage step of storing in the response time storage means in association with the group ID stored in the inward communication information storage means in association with the response time storage means, and referring to the response time storage means. An inward destination address having the same direction destination information and a response time difference within a predetermined value is extracted, and the extracted inbound destination address is used as an IP address of a computer that is likely to be infected with the bot. There is provided a bot detection method characterized by executing an output bot information output step.

  According to a third aspect of the present invention, there is provided a program for controlling a bot detection device provided between an external network and an internal network, the communication data flowing from the external network to the internal network. Inward data acquisition means for acquiring the inward data, and outputting the acquired inward data together with the inward data acquisition date and time, which is information indicating the date and time when the inward data is acquired, from the same source Inward communication information storage means for grouping inward data transmitted within a time difference and storing an inbound destination address that is a destination IP address included in the inward data in association with a group ID for identifying the group Obtained and acquired outward data, which is communication data that flows from the internal network to the external network The outward data and the outward data acquisition date are output from the outward and inward data acquisition means for outputting the orientation data together with the outward data acquisition date and time that is information indicating the date and time when the outward data is acquired. If the source IP address included in the outward data is stored as the inward destination address in the inward communication information storage means with reference to the inward communication information storage means, Response time calculation means for calculating a response time that is a difference between the inward data acquisition date and time stored together with the address and the outward data acquisition date and time, and the calculated response time as the inward destination address and the outward direction Outbound destination information including information indicating the destination of the data and the inbound communication information storage means in association with the inbound destination address Referring to the response time storage means for storing the information in association with the group ID and the response time storage means, the group ID and the outward destination information are the same, and the inbound destination is within a predetermined value in the response time difference. A program is provided that functions as a bot information output unit that extracts an address and outputs the extracted inward destination address as an IP address of a bot-infected computer that is likely to be infected with a bot To do.

  According to the present invention, it is possible to reliably detect a computer that is likely to be infected with a bot.

  Embodiments of the present invention will be described below.

  FIG. 1 is a system configuration diagram illustrating the configuration of a communication system 10 according to an embodiment of the present invention. The communication system 10 includes a bot detection device 20 provided between an external network 12 such as the Internet and an internal network 14 such as an in-house LAN (Local Area Network). A plurality of computers 15 are connected to the internal network 14, and each computer 15 transmits / receives communication data to / from other communication devices connected to the external network 12 via the internal network 14 and the bot detection device 20. .

  The command computer 11 infects the computer 15 with the bot by sending communication data including a program for embedding the bot to the computer 15 via the external network 12. In addition, the command computer 11 illegally controls an IRC (Internet Relay Chat) server 13 and the like via the external network 12 to infect the bot with communication data including a command for starting an unauthorized process. Send to. The command computer 11 may be tailored as a command server that sends commands to a computer infected with a bot by illegally controlling a Web server other than the IRC server 13.

  The computer 15 infected with the bot waits for an instruction from the instruction computer 11 by accessing a predetermined IRC server 13 according to the program of the bot. Then, the computer 15 infected with the bot in response to a command from the command computer 11 infects the other computer 15 with the bot, performs a DoS attack on a specific Web server, or spams an unspecified e-mail address. Perform illegal acts such as sending emails.

  The bot detection device 20 monitors communication data between the external network 12 and the internal network 14, so that the command communication flowing from the external network 12 to the internal network 14 and the internal network 14 responds to the command communication. From the relationship with the response communication that flows out to the external network 12, the computer 15 that is likely to be infected with the bot is detected, and the detection result is output.

  FIG. 2 is a block diagram illustrating a detailed functional configuration of the bot detection device 20. The bot detection device 20 includes an inward data acquisition unit 21, a communication information registration unit 22, a communication information storage unit 23, an outward data acquisition unit 24, a response time calculation unit 25, a response time storage unit 26, and a bot information output unit 27. Is provided.

  The inward data acquisition unit 21 is information indicating the inward data that is communication data flowing from the external network 12 to the internal network 14, and the acquired inward data is information indicating the date and time when the inward data is acquired. It outputs to the communication information registration part 22 with direction data acquisition date.

  For example, as illustrated in FIG. 3, the communication information storage unit 23 includes, for each inward transmission source information 231 including ID 230 that is an identifier for grouping inward communication and information indicating the transmission source of the inward data. One or more inbound destination addresses 233 that are destination IP addresses included in the inward data and the inward data acquisition date and time 232 are stored.

  In the present embodiment, the inbound transmission source information includes an inward transmission source address that is a transmission source IP address included in the inward data, an inward transmission source port number that is a transmission source port number included in the inward data, And inward data information that is information related to the payload included in the inward data. Inward data information is data of a predetermined amount (for example, 5 bytes) from the beginning of the payload included in the inward data.

  When the communication information registration unit 22 acquires the inward data and the inward data acquisition date / time from the inward data acquisition unit 21, the communication information registration unit 22 refers to the communication information storage unit 23, and the time difference from the data acquisition date / time is a predetermined value ( In this example, it is determined whether or not the inward data acquisition date / time within 5 seconds) is stored in the communication information storage unit 23.

  When an inward data acquisition date and time within which the time difference from the data acquisition date and time acquired from the inward data acquisition unit 21 is within a predetermined value is stored in the communication information storage unit 23, the communication information registration unit 22 Whether the inward transmission source information stored in the communication information storage unit 23 in association with the acquisition date / time matches the inward transmission source information included in the inward data acquired from the inward data acquisition unit 21 Determine.

  When the inward transmission source information stored in the communication information storage unit 23 matches the inward transmission source information included in the inward data acquired from the inward data acquisition unit 21, the communication information registration unit 22 The inward data acquisition date and time received together with the inward data in association with the inward transmission source information included in the inward data acquired from the orientation data acquisition unit 21 and the ID corresponding to the inward transmission source information An inward destination address included in the orientation data is additionally registered in the communication information storage unit 23.

  On the other hand, when the inward data acquisition date and time within a predetermined value is not stored in the communication information storage unit 23 or stored in the communication information storage unit 23, the time difference from the data acquisition date and time acquired from the inward data acquisition unit 21 is within a predetermined value. If the inward transmission source information that is set does not match the inward transmission source information included in the inward data acquired from the inward data acquisition unit 21, the communication information registration unit 22 acquires from the inward data acquisition unit 21. The inward data acquisition date and time and the inward destination address included in the inward data are associated with the inward source information included in the inward data acquired from the inward data acquisition unit 21 and the newly assigned ID. New registration is performed in the information storage unit 23.

  In this way, the communication information registration unit 22 sets the inward data acquisition date and time and the inward destination address of the inward data having the same inward source information flowing from the external network 12 to the internal network 14 at the same time. Group by ID. Thereby, the communication information registration unit 22 can collect information on inward data transmitted from the same transmission source to the computer 15 in the internal network 14 at the same time. In the information collected in this way, there is a high possibility that the command information transmitted from the IRC server 13 to the computer 15 infected with the bot is included. In the following, based on the information stored in the communication information storage unit 23, processing for detecting a computer 15 that is more likely to be infected with a bot is performed.

  In the present embodiment, a predetermined amount (for example, 5 bytes) of data from the beginning of the payload included in the inward data is described as an example of the inward data information. This is because the first bytes of the payload often store data determined for each application such as version information, and the fact that a predetermined amount of data matches from the beginning of the payload is homogeneous communication data. This is because the possibility is high.

  As another example, inward data information is obtained by performing predetermined operations on a part of inward data payload data, all inward data payload data, and inward data payload data. It may be a characteristic value (for example, a hash value) or a value indicating the data amount of the payload of inward data.

  In the present embodiment, the inward source information includes an inward source address, an inward source port number, and inward data information. As another example, the inward source information The inward data information may not be included. Thereby, even if it is a case where it is camouflaged that it is different communication data by changing a part of payload, communication information registration part 22 flows inward from external network 12 to internal network 14 at the same time. Inward data having the same transmission source address and inward transmission source port number can be grouped as communication data transmitted from the same transmission source.

  The outward data acquisition unit 24 acquires outward data that is communication data that flows out from the internal network 14 to the external network 12, and the acquired outward data is information indicating the date and time when the outward data is acquired. It outputs to response time calculation part 25 with direction data acquisition date and time.

  When the response time calculation unit 25 acquires the outward data and the outward data acquisition date and time from the outward data acquisition unit 24, the response time calculation unit 25 refers to the communication information storage unit 23 and transmits the transmission source IP included in the acquired outward data. It is determined whether the address is stored in the communication information storage unit 23 as an inward destination address.

  When the transmission source IP address included in the acquired outward data is stored as the inward destination address in the communication information storage unit 23, the response time calculation unit 25 stores the communication information in association with the inward destination address. A response time that is a difference between the inward data acquisition date and time stored in the unit 23 and the outward data acquisition date and time is calculated.

  Then, the response time calculating unit 25 associates the calculated response time with the inbound destination address, the outbound destination information including information indicating the destination of the outbound data, and the inbound communication in association with the inbound destination address. The ID stored in the information storage unit 23 and the outward data acquisition date and time are stored in the response time storage unit 26.

  The response time storage unit 26 includes a plurality of records 265 as illustrated in FIG. 4, for example. Each record 265 stores a field 260 for storing an ID, a field 261 for storing an inbound destination address, a field 262 for storing outbound destination information, a field 263 for storing a response time, and an outbound data acquisition date and time. Field 264 is included. In the response time storage unit 26, the records are stored in order from the oldest data acquisition date and time.

  In this embodiment, the outward destination information includes an outward destination address that is a destination IP address included in the outward data, an outward destination port number that is a destination port number included in the outward data, and the outward data. Outbound data information that is information related to the payload included in is included. The outward data information is a predetermined amount (for example, 5 bytes) of data from the beginning of the payload included in the outward data.

  The bot information output unit 27 refers to the response time storage unit 26 and is stored in a record in which the ID and the outward destination information are the same and the difference in response time is within a predetermined value (for example, within 5 seconds). The inward destination address is extracted, and the extracted inbound destination address is output to the administrator of the internal network 14 as the IP address of the bot-infected computer that is a computer 15 that is likely to be infected with the bot.

  The bot information output unit 27 outputs the IP address of the bot-infected computer to the outside by, for example, displaying on a display device, printing on paper or the like via a printing device, or storing in an external recording device such as a hard disk. May be.

  As described above, the bot detection device 20 changes the computer 15 that transmits the outward data to the same destination among the computers 15 that have received the inward data from the same transmission source at the same time. Is determined. Thereby, the bot detection apparatus 20 can specify the computer 15 that exhibits a behavior specific to the bot-infected computer, such as performing a DoS attack against a specific server after receiving the command.

  In the present embodiment, a predetermined amount (for example, 5 bytes) of data from the beginning of the payload included in the outward data has been described as an example of outward data information, but the present invention is not limited to this. The outward data information is, for example, a characteristic value obtained by performing a predetermined operation on partial data of the outward data payload, all data of the outward data payload, and all data of the outward data payload ( For example, it may be a hash value) or a value indicating the data amount of the payload of outward data.

  In this embodiment, the outward destination information includes an outward destination address, an outward destination port number, and outward data information. As another example, the outward destination information includes outward data. Information may not be included. This makes it possible to output bot information even if it is disguised as different communication data by changing part of the payload, or even a password brute force attack that attempts to input a password multiple times against a specific server. The unit 27 can determine the outward data in which the outward destination address and the outward destination port number match as the outward data transmitted from the bot-infected computer to the same destination.

  In the present embodiment, the bot information output unit 27 determines the inbound destination address having the same ID and outward destination information and the difference in response time within a predetermined value as the IP address of the bot-infected computer. However, as another example, the bot information output unit 27 may determine, as the IP address of the bot-infected computer, an inward destination address having the same ID and a difference in response time within a predetermined value. Thereby, even when a plurality of bot-infected computers transmit spam mails via different mail servers, the bot information output unit 27 can detect the IP address of the bot-infected computer.

  FIG. 5 is a hardware configuration diagram illustrating a hardware configuration of the information processing device 30 that realizes the function of the bot detection device 20. The information processing apparatus 30 includes a central processing unit (CPU) 31, a random access memory (RAM) 32, a read only memory (ROM) 33, a hard disk drive (HDD) 34, a communication interface 35, an input / output interface 36, and a media interface 37. Is provided.

  The CPU 31 operates based on programs stored in the ROM 33 and the HDD 34 and controls each unit. The ROM 33 stores a boot program executed by the CPU 31 when the information processing apparatus 30 is started up, a program depending on the hardware of the information processing apparatus 30, and the like.

  The HDD 34 stores programs executed by the CPU 31, data used by the CPU 31, and the like. The communication interface 35 receives data from other devices via the external network 12 or the internal network 14 and sends the data to the CPU 31, and transmits data generated by the CPU 31 to other devices via these networks.

  The CPU 31 controls an input / output device such as a keyboard, a mouse, and an LCD (Liquid Crystal Display) via the input / output interface 36. The CPU 31 acquires data from a keyboard, a mouse, or the like via the input / output interface 36. Further, the CPU 31 outputs the generated data to the LCD or the like via the input / output interface 36.

  The media interface 37 reads a program or data stored in the recording medium 38 and provides it to the RAM 32. A program provided to the CPU 31 via the RAM 32 is stored in the recording medium 38. The program is read from the recording medium 38, installed in the information processing apparatus 30 via the RAM 32, and executed by the CPU 31.

  The HDD 34 stores data in the communication information storage unit 23 and the response time storage unit 26. A program installed and executed in the information processing apparatus 30 includes the information processing apparatus 30, the inward data acquisition unit 21, the communication information registration unit 22, the outward data acquisition unit 24, the response time calculation unit 25, and the bot information output. It functions as the unit 27.

  The recording medium 38 is, for example, an optical recording medium such as DVD or PD, a magneto-optical recording medium such as MO, a tape medium, a magnetic recording medium, or a semiconductor memory. The information processing apparatus 30 reads these programs from the recording medium 38 and executes them, but as another example, these programs may be acquired from other apparatuses via a communication medium. The communication medium refers to the external network 12 or the internal network 14 or a digital signal or carrier wave that propagates through them.

  FIG. 6 is a flowchart illustrating inward data registration processing by the bot detection device 20. For example, at a predetermined timing such as when the power is turned on, the bot detection device 20 starts the inward data registration process shown in this flowchart.

  First, the inward data acquisition unit 21 determines whether or not inward data has been received (S100). When the inward data has not been received (S100: No), the inward data acquisition unit 21 repeats step 100 until the inward data is received. When the inward data is received (S100: Yes), the inward data acquisition unit 21 outputs the inward data acquisition date and time together with the received inward data to the communication information registration unit 22 (S101).

  Next, the communication information registration unit 22 refers to the communication information storage unit 23 based on the inward data acquisition date / time received from the inward data acquisition unit 21, and the time difference from the inward data acquisition date / time is a predetermined value (for example, It is determined whether or not there is a data acquisition date and time within 5 seconds (S102). When a data acquisition date / time within which the time difference from the inward data acquisition date / time acquired from the inward data acquisition unit 21 is within a predetermined value exists in the communication information storage unit 23 (S102: Yes), the communication information registration unit 22 The inward transmission source information stored in the communication information storage unit 23 in association with the inward data acquisition date and time matches the inward transmission source information included in the inward data acquired from the inward data acquisition unit 21. It is determined whether or not (S103).

  When the inward transmission source information stored in the communication information storage unit 23 matches the inward transmission source information included in the inward data acquired from the inward data acquisition unit 21 (S103: Yes), communication information registration The unit 22 associates the inward transmission source information included in the inward data acquired from the inward data acquisition unit 21 and the ID corresponding to the inward transmission source information with the inward data received together with the inward data. The acquisition date and time and the inward destination address included in the inward data are additionally registered in the communication information storage unit 23 (S104), and the inward data acquisition unit 21 executes the process shown in step 100 again.

  On the other hand, when there is no data acquisition date / time within the communication information storage unit 23 whose time difference from the inward data acquisition date / time acquired from the inward data acquisition unit 21 is within a predetermined value (S102: No), or the communication information storage unit When the inward transmission source information stored in 23 does not match the inward transmission source information included in the inward data acquired from the inward data acquisition unit 21 (S103: No), the communication information registration unit 22 The inward data acquisition date and time acquired from the inward data acquisition unit 21 and the inward destination address included in the inward data are updated with the inward transmission source information included in the inward data acquired from the inward data acquisition unit 21 and newly Newly registering in the communication information storage unit 23 in association with the assigned ID (S107), the inward data acquisition unit 21 performs the process shown in step 100 again. To.

  FIG. 7 is a flowchart illustrating response time calculation processing by the bot detection device 20. For example, at a predetermined timing such as when the power is turned on, the bot detection device 20 starts the response time calculation process shown in this flowchart.

  First, the outward data acquisition unit 24 determines whether or not outward data has been received (S200). When the outward data is not received (S200: No), the outward data acquisition unit 24 repeats Step 200 until the outward data is received. When the outward data is received (S200: Yes), the outward data acquisition unit 24 outputs the outward data acquisition date and time to the response time calculation unit 25 together with the received outward data (S201).

  Next, the response time calculation unit 25 refers to the communication information storage unit 23, and the transmission source IP address included in the outward data acquired from the outward data acquisition unit 24 is stored in the communication information storage unit 23. It is determined whether it is stored as (S202). When the transmission source IP address included in the outward data acquired from the outward data acquisition unit 24 is not stored as the inward destination address in the communication information storage unit 23 (S202: No), the outward data acquisition unit 24 The process shown in step 200 is executed again.

  When the transmission source IP address included in the outward data acquired from the outward data acquisition unit 24 is stored as the inward destination address in the communication information storage unit 23 (S202: Yes), the response time calculation unit 25 A response time that is a difference between the inward data acquisition date and time stored in the communication information storage unit 23 in association with the inward destination address and the outward data acquisition date and time is calculated (S203).

  Then, the response time calculating unit 25 associates the calculated response time with the inbound destination address, the outbound destination information including information indicating the destination of the outbound data, and the inbound communication in association with the inbound destination address. The ID stored in the information storage unit 23 and the outward data acquisition date and time are stored in the response time storage unit 26 (S204), and the outward data acquisition unit 24 executes the process shown in step 200 again.

  FIG. 8 is a flowchart illustrating bot determination processing by the bot detection device 20. The bot detection device every predetermined time (1 hour) or at a predetermined timing such as when the amount of data in the response time storage unit 26 exceeds a predetermined value (80% of the storage capacity of the response time storage unit 26). 20 starts the bot determination process shown in this flowchart.

  First, the bot information output unit 27 refers to the outward data acquisition date and time of each record stored in the response time storage unit 26, and among the records read from the previous response time storage unit 26, the latest record Records within a predetermined time (for example, 5 seconds) are identified (S300). Then, the bot information output unit 27 reads a predetermined number of records from the oldest record among the identified records from the response time storage unit 26 (S301).

  In this way, by reading the record back by a predetermined time, the bot information output unit 27 can reliably detect the record whose response time is within the predetermined time. If there is no record within a predetermined time (for example, 5 seconds) from the latest record, the bot information output unit 27 reads a predetermined number of records from the latest record among the previously read records in step 301.

  Next, the bot information output unit 27 selects one unselected record from the read records (S302), and the difference from the response time included in the selected record is within a predetermined value (for example, 5 seconds). It is determined whether or not there is a record having the response time in the response time storage unit 26 (S303). If there is no record in the response time storage unit 26 that has a response time within a predetermined value that is different from the response time included in the selected record (S303: No), the bot information output unit 27 performs processing shown in step 307. Execute.

  If there is a record in the response time storage unit 26 that has a response time that is within a predetermined value from the response time included in the selected record (S303: Yes), the bot information output unit 27 extracts the corresponding record. Then, it is determined whether or not the extracted record has the same ID and outward destination information as the record selected in step 302 (S305). If the extracted record does not have the same ID and outward destination information as the record selected in step 302 (S305: No), the bot information output unit 27 executes the process shown in step 307.

  If the extracted record has the same ID and outward destination information as the record selected in step 302 (S305: Yes), the bot information output unit 27 uses the inward destination address included in the corresponding record as the bot-infected computer. (S306), it is determined whether or not there is an unselected record among the records read in step 301 (S307).

  If there is an unselected record among the records read in step 301 (S307: Yes), the bot information output unit 27 executes the process shown in step 302 again. If there is no unselected record (S307: No), the bot detection device 20 ends the bot determination process shown in this flowchart.

  As is clear from the above description, according to the communication system 10 of this embodiment, it is possible to reliably detect a computer that is highly likely to be infected with a bot.

  The present invention is not limited to the above-described embodiments, and various modifications are possible within the scope of the gist.

  FIG. 9 is a system configuration diagram illustrating another form of the communication system 10. Except for the points described below, in FIG. 9, the components denoted by the same reference numerals as those in FIG. 1 have the same or similar functions as those in FIG.

  The plurality of data collection devices 50 are provided for each internal network 14 and monitor communication data between the corresponding internal network 14 and the external network 12. The bot determination device 40 identifies the IP address of the bot-infected computer based on information received from each data collection device 50 via the external network 12.

  FIG. 10 is a block diagram illustrating a detailed functional configuration of the data collection device 50. The data collection device 50 includes an inward data acquisition unit 51 and an outward data acquisition unit 52.

  The inward data acquisition unit 51 acquires inward data flowing from the external network 12 to the internal network 14, and the acquired inward data is sent to the external network 12 together with the inward data acquisition date and time corresponding to the inward data. To the bot determination device 40.

  The outward data acquisition unit 52 acquires outward data that flows out from the internal network 14 to the external network 12, and sends the acquired outward data to the external network 12 together with the outward data acquisition date and time corresponding to the outward data. To the bot determination device 40.

  FIG. 11 is a block diagram illustrating a detailed functional configuration of the bot determination device 40. The bot determination device 40 includes a communication information registration unit 22, a communication information storage unit 23, a response time calculation unit 25, a response time storage unit 26, and a bot information output unit 27. Except for the points described below, in FIG. 11, the components denoted by the same reference numerals as those in FIG. 2 have the same or similar functions as those in FIG.

  The communication information registration unit 22 receives inward data and inward data acquisition date and time from each data collection device 50 via the external network 12. Then, as described with reference to FIG. 2, the communication information registration unit 22 performs processing for registering the received inward data and the inward data acquisition date and time in the communication information storage unit 23.

  The response time calculation unit 25 receives outward data and outward data acquisition date and time from each data collection device 50 via the external network 12. Then, as described in FIG. 2, the response time calculation unit 25 performs a response time calculation process using the received outward data and the outward data acquisition date and time.

  In this embodiment, since the IP address of the bot-infected computer is detected based on the information acquired from the plurality of data collection devices 50, only one bot-infected computer exists in each internal network 14. However, when there are a plurality of bot-infected computers in the entire communication system 10, the bot determination device 40 can detect the IP address of the bot-infected computer.

  In the above-described embodiment, the bot information output unit 27 outputs the IP address of the bot-infected computer. As another example, the bot information output unit 27 stores the IP address together with the IP address in the response time storage unit 26. The communication information storage unit 23 is referred to based on the received ID, and the inward transmission source address included in the inward transmission source information associated with the ID and stored in the communication information storage unit 23 is designated as a command. The IP address of the IRC server 13 controlled by the computer 11 or the command computer 11 may be further output.

  In this case, the bot detection device 20 instructs the firewall provided between the external network 12 and the internal network 14 to specify the IP address of the command computer 11 or the IRC server 13 controlled by the command computer 11. You may make it further provide the inward rule change function which changes the communication control rule of the said firewall so that the inward data used as a transmission source may be blocked. Thereby, the bot detection device 20 can block the command communication transmitted from the command computer to the bot-infected computer, and can render the bot-infected computer harmless.

  In addition, the bot detection device 20 instructs the firewall provided between the external network 12 and the internal network 14 to block the outward data transmitted from the bot-infected computer to the external network 12. An outward rule changing function for changing the communication control rule may be further provided. Thereby, the bot detection device 20 can block the outward data transmitted from the bot-infected computer in accordance with an instruction from the command computer, and can render the bot-infected computer harmless.

  As another example, when the IP address of the bot-infected computer is output from the bot information output unit 27, the bot detection device 20 indicates that the computer corresponding to the IP address is infected with the bot. You may make it further provide the warning function which notifies a warning message. A computer in the internal network can display a warning message transmitted from the bot detection device 20 on the screen by always starting a messenger service, which is a standard function of Windows (registered trademark), for example. This allows users of bot-infected computers to know that the computer they are using is infected with the bot, and to prevent unauthorized access due to the bot by disconnecting the communication cable, or It is possible to take measures such as removing the bot by formatting the hard disk and reinstalling the OS and application software.

  In the above-described embodiment, the configuration in which the bot detection device 20 is provided between the external network 12 and the internal network 14 has been described as an example, but the present invention is not limited thereto. As another form, the bot detection device 20 may be connected only to the internal network and may detect a computer 15 that is likely to be infected with the bot by monitoring communication data flowing in the internal network. Good. This avoids risks such as a decrease in communication speed due to the processing performance of the bot detection device 20 becoming a bottleneck, and interruption of communication between the external network 12 and the internal network 14 due to a failure of the bot detection device 20. Can do.

1 is a system configuration diagram illustrating a configuration of a communication system 10 according to an embodiment of the present invention. 2 is a block diagram illustrating a detailed functional configuration of a bot detection device 20. FIG. 4 is an explanatory diagram illustrating a data structure stored in a communication information storage unit 23. FIG. It is explanatory drawing which illustrates the data structure stored in the response time storage part. 2 is a hardware configuration diagram illustrating a hardware configuration of an information processing device 30 that realizes the function of the bot detection device 20. FIG. 5 is a flowchart illustrating inward data registration processing by the bot detection device 20. 4 is a flowchart illustrating a response time calculation process by the bot detection device 20. 4 is a flowchart illustrating a bot determination process performed by the bot detection device 20. 2 is a system configuration diagram illustrating another form of the communication system 10. FIG. 3 is a block diagram illustrating a detailed functional configuration of a data collection device 50. FIG. 3 is a block diagram illustrating a detailed functional configuration of a bot determination device 40. FIG.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Communication system, 11 ... Command computer, 12 ... External network, 13 ... IRC server, 14 ... Internal network, 15 ... Computer, 20 ... Bot detection apparatus, 21 ... Inward data acquisition unit, 22 ... Communication information registration unit, 23 ... Communication information storage unit, 230 ... ID, 231 ... Inward transmission source information, 232 ... Inward data Acquisition date and time, 233 ... Inward destination address, 24 ... Outward data acquisition unit, 25 ... Response time calculation unit, 26 ... Response time storage unit, 27 ... Bot information output unit, 30 ... Information processing device 31 ... CPU, 32 ... RAM, 33 ... ROM, 34 ... HDD, 35 ... Communication interface, 36 ... Input / output interface, 37 ... Medi Interface, 38 ... recording medium, 40 ... bot determining device 50 ... data collection device, 51 ... inward data acquisition unit, 52 ... outward data acquisition unit

Claims (11)

A bot detection device provided between an external network and an internal network,
The inward data that is communication data flowing into the internal network from the external network is acquired, and the acquired inward data is output together with the inward data acquisition date and time that is information indicating the date and time when the inward data is acquired. Orientation data acquisition means;
Inbound data transmitted from the same source within a predetermined time difference is grouped, and the inbound destination address that is the destination IP address included in the inbound data is stored in association with the group ID for identifying the group. Inward communication information storage means,
External data that is communication data flowing out from the internal network to the external network is acquired, and the acquired external data is output together with the external data acquisition date and time that is information indicating the date and time when the external data is acquired Inward data acquisition means;
When the outward data and the outward data acquisition date and time are output from the outward data acquisition means, the source IP address included in the outward data is referred to by referring to the inward communication information storage means Response time that is the difference between the inward data acquisition date and time stored together with the inward destination address and the outward data acquisition date and time when stored as an inward destination address in the inward communication information storage means A response time calculating means for calculating
The calculated response time is stored in the inbound communication information storage unit in association with the inbound destination address, the outbound destination information including information indicating the destination of the outbound data, and the inbound destination address. Response time storage means for storing in association with the group ID being performed;
With reference to the response time storage means, the inbound destination address having the same group ID and the outward destination information and having a response time difference within a predetermined value is extracted, and the extracted inbound destination address is A bot detection device comprising: bot information output means for outputting as an IP address of a bot-infected computer, which is a computer likely to be infected with a bot. The bot detection device according to claim 1,
The inward communication information storage means includes
In addition to the inward destination address, inward source information including information indicating the source of inward data including the inward destination address is further stored in association with the group ID,
The bot detection device
When the inward data and the inward data acquisition date and time are output from the inward data acquisition means, refer to the inward communication information storage means,
The inward transmission information of the inward data exists in the inward communication information storage means, and the inward communication information is stored in association with the inward data acquisition date and time and the inward transmission source information. When the difference between the inward data acquisition date and time stored in the means is within a predetermined value, the inward destination address and the inward data acquisition date and time included in the inward data are set to the inward data of the inward data. In association with the transmission source information and the group ID corresponding to the inward transmission source information, additionally register in the inward communication information storage means,
When the inward transmission information of the inward data does not exist in the inward communication information storage means, or the inward communication information associated with the inward data acquisition date and time and the inward transmission source information In any case where the difference with any of the inward data acquisition date and time stored in the storage means is not within a predetermined value, the inward destination address and the inward data acquisition date and time included in the inward data, The bot detection further comprising inward communication information registration means for newly registering in the inward communication information storage means in association with the inward transmission source information of the inward data and the newly assigned group ID apparatus. The bot detection device according to claim 2,
The inward source information is
A bot detection device comprising a source IP address and a source port number of the inward data. The bot detection device according to claim 2,
The inward source information is
A bot detection device comprising: a source IP address of the inward data, a source port number, and a part or feature value of the payload of the inward data. The bot detection device according to claim 3 or 4,
The bot information output means includes
The transmission source IP address included in the inbound transmission source information stored in the inbound communication information storage unit in association with the group ID stored in the response time storage unit together with the IP address, A bot detection device further outputting the IP address of a command computer for controlling the bot-infected computer. The bot detection device according to claim 5,
When the IP address of the command computer is output from the bot information output means, instructing a firewall provided between the external network and the internal network to send inward data with the IP address as a transmission source The bot detection device further comprising inward rule changing means for changing the communication control rule of the firewall so as to block the firewall. The bot detection device according to any one of claims 1 to 6,
The outward destination information is
A bot detection device comprising a destination IP address, a destination port number of the outward data, and a part or feature value of the outward data payload. The bot detection device according to any one of claims 1 to 7,
When the IP address of the bot-infected computer is output from the bot information output means, it further comprises warning means for notifying a warning message indicating that the bot is infected to the computer corresponding to the IP address. A featured bot detection device. The bot detection device according to any one of claims 1 to 8,
When the IP address of the bot-infected computer is output from the bot information output means, it instructs a firewall provided between the external network and the internal network, and uses the IP address as a transmission source. The bot detection device further comprising outward rule changing means for changing the communication control rule of the firewall so as to block data. A bot detection method in a bot detection device provided between an external network and an internal network,
The bot detection device includes:
The inward data that is communication data flowing into the internal network from the external network is acquired, and the acquired inward data is output together with the inward data acquisition date and time that is information indicating the date and time when the inward data is acquired. An orientation data acquisition step;
Inward data transmitted from the same source within a predetermined time difference is grouped, and the inbound destination address that is the destination IP address included in the inward data is associated with the group ID that identifies the group. An inward communication information storage step of storing one or more in the direction communication information storage means;
External data that is communication data flowing out from the internal network to the external network is acquired, and the acquired external data is output together with the external data acquisition date and time that is information indicating the date and time when the external data is acquired An inward data acquisition step;
When the outward data and the outward data acquisition date / time are output in the outward data acquisition step, a source IP address included in the outward data is referred to by referring to the inward communication information storage unit. When stored as an inward destination address in the direction communication information storage means, a response time that is a difference between the inward data acquisition date and time stored together with the inward destination address and the outward data acquisition date and time A response time calculating step to calculate;
The calculated response time is stored in the inbound communication information storage unit in association with the inbound destination address, outbound destination information including information indicating the destination of the outbound data, and the inbound destination address. A response time storage step of storing in the response time storage means in association with the group ID being
With reference to the response time storage means, the inbound destination address having the same group ID and the outward destination information and having a response time difference within a predetermined value is extracted, and the extracted inbound destination address is And a bot information output step of outputting as an IP address of a computer having a high possibility of being infected with the bot. A program for controlling a bot detection device provided between an external network and an internal network,
The bot detection device;
The inward data that is communication data flowing into the internal network from the external network is acquired, and the acquired inward data is output together with the inward data acquisition date and time that is information indicating the date and time when the inward data is acquired. Orientation data acquisition means,
Inbound data transmitted from the same source within a predetermined time difference is grouped, and the inbound destination address that is the destination IP address included in the inbound data is stored in association with the group ID for identifying the group. Inward communication information storage means,
External data that is communication data flowing out from the internal network to the external network is acquired, and the acquired external data is output together with the external data acquisition date and time that is information indicating the date and time when the external data is acquired Inward data acquisition means,
When the outward data and the outward data acquisition date and time are output from the outward data acquisition means, the source IP address included in the outward data is referred to by referring to the inward communication information storage means Response time that is the difference between the inward data acquisition date and time stored together with the inward destination address and the outward data acquisition date and time when stored as an inward destination address in the inward communication information storage means Response time calculating means for calculating
The calculated response time is stored in the inbound communication information storage unit in association with the inbound destination address, the outbound destination information including information indicating the destination of the outbound data, and the inbound destination address. A response time storage unit that stores the group ID in association with the group ID, and the response time storage unit, the group ID and the outward destination information are the same, and the difference between the response times is a predetermined value Inward destination address is extracted, and the extracted inward destination address is made to function as a bot information output means for outputting the IP address of a bot-infected computer that is a computer likely to be infected with a bot. Program.

Images