JP2008060954A - Communication control method and communication control processor - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To effectively block an attack by a BOT based on characteristics of the BOT. <P>SOLUTION: This communication control method includes a step of analyzing communication log data stored in a log storage part, performing communication according to a prescribed protocol to an optional stage to specify an address of a communication partner who performs operations for explicitly or implicitly canceling communication processes at the back of the optional stage and a step of registering the specified address of the communication partner in a block object list which is a list of communication partners to whom the communication is blocked. There are BOTS for performing various operations, however, since usually there is scarcely the case, for example, of forcibly stopping procedures at the optional stage or left until the BOT is in time-out, it is determined to be infected with the BOT. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a technique for blocking communication by a bot (BOT) which is a program that waits for a command from the outside and performs malicious operations according to the command.

Conventionally, many techniques exist for measures against spam mail and spam mail. For example, Japanese Patent Application Laid-Open No. 2004-199505, Japanese Patent Application Laid-Open No. 2004-173315, and Japanese Patent Application Laid-Open No. 2002-64531 disclose a technique for dealing with an email attack on the server side. This is a technology that prevents a mail that has been sent out from being delivered to a destination user.
Japanese Patent Laid-Open No. 2004-199505 JP 2004-173315 A JP 2002-64531 A

  For example, a BOT that has been instructed by a malicious person starts an attack on, for example, a mail server, but as the infection to the BOT spreads, the mail server becomes a heavy load to deal with the BOT and normal mail delivery is delayed. Problems occur. However, in many cases, BOT does not perform an attack that can be clearly understood as an attack, and it has not been able to cope with it conventionally. In addition, infection with BOT has many variants and is deformed or concealed by itself, so it is difficult to remove it with a personal computer (PC).

  Accordingly, an object of the present invention is to provide a technique for effectively dealing with BOT.

  Another object of the present invention is to provide a technique for effectively blocking attacks by the BOT based on the characteristics of the BOT.

  The communication control method according to the present invention analyzes the communication log data stored in the log storage unit, performs communication according to a predetermined protocol up to an arbitrary stage, and explicitly specifies a communication procedure after the arbitrary stage or A step of specifying an address of a communication partner that is performing an operation of implicitly discarding, and a step of registering the address of the specified communication partner in a blocking target list that is a list of communication partners to block communication Including.

  Some BOTs perform various actions. For example, if you forcibly stop a procedure at any stage or leave it until a timeout occurs, there is almost no normal case. It is determined that you are doing.

  In addition, the determination step for determining whether the ratio or number of addresses registered in the block target list within a preset address range is equal to or greater than a preset threshold value, and the determination result of the determination step is positive. In some cases, the method may further include a step of registering the address range or an unregistered address in the address range in the block target list.

  For example, if a PC infected with BOT connects to the Internet or disconnects from the Internet instead of being always connected, the IP address is assigned each time, so it is effective to specify only one IP address. May be thin. By performing the processing as described above, it becomes possible to cope with such a case.

  Further, it is determined whether the address range or the ratio or number of addresses registered in the block target list within a second address range wider than the preset address range is equal to or greater than a preset second threshold. A second determination step; and a step of registering the second address range or an unregistered address in the second address range in the block target list if the determination result of the second determination step is affirmative It may be included.

  Even if the infection spreads further, the load described above is not increased due to unauthorized communication by performing the processing as described above.

  The registration date and time or the expiration date may be registered together with the address or address range in the blocking target list. In that case, scan the block target list, identify the address or address range to be excluded from the block target list based on the registration date or expiration date and the current date and time, and specify the specified address or address range from the block target list. A step of exclusion may be further included. This is to cope with the case where the BOT is removed. Note that the valid period in the block target list may be variable depending on the address.

  In addition, the threshold value described above may be set for each address or address range specified based on a region. This is because BOT infection is known to have regional characteristics.

  The method according to the present invention may be implemented by a combination of computer hardware and a program. This program may be a storage medium such as a flexible disk, a CD-ROM, a magneto-optical disk, a semiconductor memory, a hard disk, or the like. Stored in the device. Moreover, it may be distributed as a digital signal via a network or the like. The intermediate processing result is temporarily stored in a storage device such as a main memory.

  According to the present invention, it is possible to effectively cope with BOT.

  Further, according to another aspect of the present invention, an attack by BOT can be effectively blocked based on the characteristics of BOT.

  FIG. 1 shows a system outline diagram according to an embodiment of the present invention. Connected to the network 1 such as the Internet are a PC infected with the BOT 31, a PC not infected with the BOT 31, the mail server 7, and the communication control processing device 5 that performs the main processing in this embodiment. Has been.

  The communication control processing device 5 includes a block list generation unit 51 including a BOT attack detection unit 511 that detects an attack from the BOT 31, a block list update unit 52, and a block list correction unit 53. Further, the communication control processing device 5 manages a blocking list storage unit 54 that stores a blocking list.

  The mail server 7 manages a log storage unit 71 that stores a log of the operation and a blocking list storage unit 73. The mail server 7 stores a log of communication with, for example, a PC connected to the network 1 in the log storage unit 71. In addition, it is confirmed whether the IP address of the connection requesting PC is registered in the block list in the block list storage unit 73. If registered, the connection is rejected. The block list storage unit 73 stores the latest block list stored in the block list storage unit 54 of the communication control processing device 5.

  The mail server 7 is connected to the network 1 via a communication device 9 such as a router, and the function of the communication control processing device 5 may be included in the communication device 9 or the mail server 7. In addition, the log storage unit 71 may be included in the communication device 9. Further, it may be included in other log accumulation servers in the same network. Note that the communication device 9 may have the block list storage unit 73 to determine whether to block or pass communication.

  Next, processing contents of the communication control processing device 5 will be described with reference to FIGS. First, the cut-off list generation unit 51 accepts input of setting of a network division rate, a contamination rate as a threshold value, and a network integration rate from a user, and stores them in a storage device such as a main memory (FIG. 2: step S1).

  The network division ratio is a ratio for dividing one network. For example, in the case of 1/4, for 202.248.20.0/24, from 202.248.20.0 to 63, from 202.248.2.64 to 127, from 202.248.20.128 191 and 202.248.20.192 to 255.

  The contamination rate is a threshold value for determining whether to block the entire corresponding address range. For example, as shown in FIG. 3, the contamination rate is registered for each address range. For example, in response to the reality that there are many attacks by the BOT 31 from a predetermined area, a lower contamination rate is set for the range of IP addresses assigned to the predetermined area, and IP assigned to other areas is set. A high contamination rate may be set for the address range. In some cases, one or three or more contamination rates are set instead of two. Also, the address range may be set based on factors other than the region.

  Furthermore, the network integration rate is a threshold value with respect to the ratio of the address range registered in the blocking list for determining whether or not to register one entire network in the blocking list. For example, when 1/2 is set for 202.248.20.0/24 and two address ranges are registered, the entire 202.248.20.0/24 is registered in the blocking list.

  Next, the blocking list generation unit 51 acquires, for example, data in the log storage unit 71 of the mail server 7 and extracts an unprocessed log and a log related to the unprocessed log (for example, a log having the same IP address) ( Step S3).

  Then, the BOT attack detection unit 511 of the block list generation unit 51 determines whether the attack is due to the BOT 31 (step S5). Normally, when the communication log is analyzed, it can be seen that the PC not infected with the BOT 31 and the mail server 7 communicate with each other according to the communication procedure shown in FIG. However, the following description is merely an example. That is, (1) The PC side performs SMTP (Simple Mail Transfer Protocol) connection to the mail server 7. (2) Then, the mail server 7 returns 220 <mail server name> ESMTP. (3) Next, the PC side transmits HELO <source host name> to the mail server 7. (4) In response, the mail server 7 returns 250 <source host name>. (5) The PC side transmits MAIL FROM: <source mail address> to the mail server 7. (6) On the other hand, the mail server 7 has 250 <source mail address>. . . Reply Sender ok. (7) Further, the PC side transmits RCPT TO: <destination mail address> to the mail server 7. (8) On the other hand, the mail server 7 receives 250 <destination mail address>. . . Reply “Recipient ok”. (9) Then, the PC side transmits DATA to the mail server 7. (10) In response, the mail server 7 returns 354 Enter mail, end with “.” On a line by itself. (11) Then, the PC side sends From: <source header address>, To: <destination header address>, Subject: <title>, (blank line), (mail body), and “.” To the mail server 7. Send to. (12) In response to this, the mail server 7 returns 250 Ok. (13) Thereafter, the PC side transmits a QUIT. (14) In response to this, the mail server 7 returns 221 Bye. The mail is transmitted in such a procedure.

  On the other hand, in the case of an attack by the BOT 31, it is assumed that normal communication is assumed and communication is performed according to the communication procedure as usual until an arbitrary stage, and the communication procedure at a stage after the arbitrary stage is explicitly or implicitly performed. Abandon. That is, the QUIT is suddenly transmitted on the PC side or left unattended to cause a timeout. Furthermore, the session itself may be disconnected on the PC side without prior notice.

  Specifically, a phenomenon as shown in FIG. 5 is extracted from the log. However, the following explanation is only an example. (1) The PC side performs SMTP (Simple Mail Transfer Protocol) connection to the mail server 7. (2) Then, the mail server 7 returns 220 <mail server name> ESMTP. (3) Next, the PC side transmits HELO <source host name> to the mail server 7. (4) In response, the mail server 7 returns 250 <source host name>. (5) The PC side transmits MAIL FROM: <source mail address> to the mail server 7. (6) On the other hand, the mail server 7 has 250 <source mail address>. . . Reply Sender ok. (7) Further, the PC side transmits RCPT TO: <destination mail address> to the mail server 7. (8) On the other hand, the mail server 7 receives 250 <destination mail address>. . . Reply “Recipient ok”. The process up to this point is the same as the normal case described above. However, after this, the BOT 31 does not issue the next command at all while holding the session, and the BOT 31 that is the connection source issues a QUIT and disconnects over time. In this case, a session that is long enough not to time out on the mail server 7 side is held, the resources of the mail server 7 are consumed, and the processing is explicitly terminated without meaning.

  Further, the phenomenon as shown in FIG. 6 is also extracted from the log. However, the following explanation is only an example. (1) The PC side performs SMTP (Simple Mail Transfer Protocol) connection to the mail server 7. (2) Then, the mail server 7 returns 220 <mail server name> ESMTP. (3) Next, the PC side transmits HELO <source host name> to the mail server 7. (4) In response, the mail server 7 returns 250 <source host name>. The process up to this point is the same as the normal case described above. However, after this, since the BOT 31 holds the session and does not issue the next command at all, the mail server 7 disconnects the session after a time-out time on the mail server 7 side.

  In this way, since the communication procedure after that is abandoned at an arbitrary stage, the phenomenon that the resources of the mail server 7 are consumed unnecessarily is specified. If such a phenomenon can be extracted from the log, the connection source IP address and the current time are registered in the block list of the block list storage unit 54 (step S7). Then, the process proceeds to step S9.

  The blocking list is data as shown in FIG. 7, for example. That is, the start address, end address, and registration time are registered. However, in step S7, as shown in the first record to the fourth record, the start address and the registration time are registered, and the end address is not registered.

  On the other hand, when the BOT attack detection unit 511 cannot identify the BOT attack from the unprocessed log and the related log, the process proceeds to step S9.

  That is, the blocking list generation unit 51 determines, for example, whether there is no unprocessed log and the process should be terminated (step S9), and if not, the process returns to step S3. If the process is completed, the process is terminated.

  In this way, since the IP address that is the source of the BOT attack is registered in the blocking list, the communication device 9 such as the router or the mail server 7 can block the connection according to the blocking list. . That is, it is possible to suppress the consumption of useless resources.

  Next, the block list update process by the block list update unit 52 will be described with reference to FIG. First, the blocking list update unit 52 specifies an address range to be processed (step S11). Each address range specified by the network division ratio set in step S1 and already registered in the blocking list (including the address range included in the network if the entire network is registered) The unprocessed address range other than is the processing target.

  Then, the blocking list in the blocking list storage unit 54 is scanned, the IP addresses included in the specified address range are counted, and IP addresses exceeding the contamination rate set in step S1 are registered in the blocking list. It is judged (step S13). For example, if the network division ratio is 1/4 in the example described above, 64 IP addresses are included in one address range. If the contamination rate is ½, when 33 or more IP addresses are registered in the blocking list, the determination in step S13 proceeds to the Yes route. As shown in FIG. 3, the contamination rate may vary depending on the address range, and therefore, the determination is made based on the corresponding contamination rate.

  When it is determined that an IP address exceeding the contamination rate is registered in the blocking list in the specified address range, the address range to be processed and the current time are registered in the blocking list (step S15). In the example of FIG. 7, for example, in the first record to the fourth record, etc., if the IP address is registered so as to exceed the contamination rate in the address range from 202.248.20.0 to 202.248.20.63. As in the eleventh record, a start address 202.248.20.0, an end address 202.248.20.63, and a registration time 200607728170000 are registered. In the specified address range, if an IP address exceeding the contamination rate is not registered in the blocking list, the process proceeds to step S25.

  Further, the IP address included in the address range to be processed and registered in the block list is deleted from the block list (step S17). In the example of FIG. 7, the first to fourth records and the like are deleted.

  Next, the blocking list is scanned, the address range record included in the network to which the address range to be processed belongs is specified, and the registered address range is equal to or higher than the preset network integration rate. It is judged (step S19). For example, when the network integration rate is ½ and data such as the sixth and seventh records in FIG. 7 is registered, the network integration rate is equal to or higher than that of 202.248.21.0/24. Address range is registered.

  If the address range included in the network to which the processing target address range belongs is equal to or higher than the network integration rate in the blocking list, the entire network and the current time are added to the blocking list (step S21). For example, corresponding to data such as the sixth and seventh records in FIG. 7, the entire network of 202.248.21.0/24 (from 202.248.21.0 to 202.248) as in the thirteenth record. 21.255) and current time 20060728143559 are registered. On the other hand, when the address range included in the network to which the processing target address range belongs is less than the network integration rate in the blocking list, the process proceeds to step S25.

  Then, the record of the address range included in the network added in step S21 is deleted from the blocking list (step S23). In the seventh example, the sixth and seventh records are deleted.

  Thereafter, the process returns to step S11 and repeats the process until a process end event occurs such as an instruction to end the process (step S25).

  By performing the processing as described above, it becomes possible to cope with the case where the number of PCs infected with the BOT 31 increases or the address of the PC infected with the BOT 31 fluctuates.

  However, with only the processing of FIG. 8, once registered in the blocking list, the connection to the mail server 7 is always blocked, and communication cannot be performed even if the BOT 31 can be removed. Therefore, a blocking list correction process as shown in FIG. 9 is performed.

  First, the cutoff list correction unit 53 receives an expiration date setting from the user and stores it in a storage device such as a main memory (step S31). A plurality of types of expiration dates may be set. That is, a relatively short expiration date is set for the individual IP address registered in the blocking list for the first time, and the individual IP address registered in the blocking list more than once (for example, the individual IP address related to the record deleted in step S37) A relatively long expiration date may be set for (stored separately in the list).

  Then, one registration record is read from the block list in the block list storage unit 54 (step S33). Then, it is determined from the registration time, current time, and expiration date data of the registration record whether the registration record has passed its expiration date (step S35). If it is determined that the expiration date has passed, the registration record acquired in step S33 is deleted from the blocking list (step S37). On the other hand, if it is within the expiration date, the process proceeds to step S39.

  The process returns to step S33 and repeats the process until an event for ending the process occurs (step S39).

  By performing such processing, when the BOT 31 is removed, the connection to the mail server 7 can be resumed.

  The block list generation process, the block list update process, and the block list correction process are executed asynchronously.

  Although the embodiment of the present invention has been described above, the present invention is not limited to this. For example, the registration time registered in the blocking list shown in FIG. 7 may register the expiration date itself. Further, although an example in which the start address and the end address are clearly shown is shown, the address may be registered by other expression methods. Further, the blocking list update process may not be performed. Furthermore, although the example which interrupts | blocks the connection to the mail server 7 is shown, this Embodiment is applicable also to another computer.

  There are other types of attacks on the BOT 31. If possible, the log data stored in the log storage unit 71 is analyzed, and a predetermined number according to the SMTP is set while keeping an interval of a predetermined time shorter than the timeout time. You may make it identify the address of the communication partner who is performing the operation | movement which advances the above communication procedure, and you may make it register in a block | list.

  The pollution rate and network integration rate may be numbers instead of rates.

  The PC, the mail server 7, and the communication control processing device 5 are computer devices as shown in FIG. 10, and include a memory 2501 (storage device), a CPU 2503 (processing device), a hard disk drive (HDD) 2505, and a display device 2509. A display control unit 2507 connected to the computer, a drive device 2513 for a removable disk 2511, an input device 2515, and a communication control unit 2517 for connecting to a network are connected by a bus 2519. An operating system (OS: Operating System) and an application program for performing processing in the present embodiment are stored in the HDD 2505, and are read from the HDD 2505 to the memory 2501 when executed by the CPU 2503. If necessary, the CPU 2503 controls the display control unit 2507, the communication control unit 2517, and the drive device 2513 to perform necessary operations. Further, data in the middle of processing is stored in the memory 2501 and stored in the HDD 2505 if necessary. In the embodiment of the present invention, an application program for performing the processing described above is stored in the removable disk 2511 and distributed, and is installed in the HDD 2505 from the drive device 2513. In some cases, the HDD 2505 may be installed via a network such as the Internet and the communication control unit 2517. Such a computer apparatus realizes various functions as described above by organically cooperating hardware such as the CPU 2503 and the memory 2501 described above, the OS, and necessary application programs.

  The communication device 9 such as a router also does not have the HDD 2505 and the drive device 2513, but additionally has a network connection function, a routing function, and the like necessary for the communication device 9.

It is a figure for demonstrating the system outline | summary which concerns on embodiment of this invention. It is a figure which shows the processing flow of an interruption | blocking list production | generation process. It is a figure which shows an example of a contamination rate table. It is a figure which shows the procedure of normal SMTP processing. It is a figure which shows the example of the procedure of the SMTP process at the time of a BOT attack. It is a figure which shows the other example of the procedure of the SMTP process at the time of a BOT attack. It is a figure which shows an example of the interruption | blocking list | wrist. It is a figure which shows the processing flow of an interruption | blocking list update process. It is a figure which shows the processing flow of an interruption | blocking list correction process. It is a functional block diagram of a computer.

Explanation of symbols

1 Network 31 BOT
DESCRIPTION OF SYMBOLS 5 Communication control processing apparatus 7 Mail server 9 Communication apparatus 51 Blocking list production | generation part 52 Blocking list update part 53 Blocking list correction part 54 Blocking list storage part 511 BOT attack detection part 71 Log storage part 73 Blocking list storage part

Claims (7)

An operation of analyzing the communication log data stored in the log storage unit, performing communication according to a predetermined protocol up to an arbitrary stage, and explicitly or implicitly discarding a communication procedure after the arbitrary stage Identifying the address of the communication partner you are going to,
Registering the address of the identified communication partner in a blocking target list that is a list of communication partners to block communication;
A communication control method for causing a computer to execute the method. A determination step of determining whether a ratio or number of addresses registered in the block target list within a preset address range is equal to or greater than a preset threshold;
If the determination result of the determination step is affirmative, registering the address range or an unregistered address in the address range in the blocking target list;
The communication control method according to claim 1, further comprising: It is determined whether the address range or the ratio or number of addresses registered in the block target list within a second address range wider than the preset address range is equal to or greater than a preset second threshold. A second determination step;
If the determination result of the second determination step is affirmative, registering the second address range or an unregistered address in the second address range in the blocking target list;
The communication control method according to claim 2, further comprising: In the block target list, a registration date or expiration date is registered together with the address or the address range,
Scan the block target list, identify an address or address range to be excluded from the block target list based on the registration date or the expiration date and the current date and time, and specify the address or address specified from the block target list The communication control method according to claim 1, further comprising a step of excluding the range. The communication control method according to claim 2, wherein the threshold is set for each address or address range specified based on a region.   A program for causing a computer to execute the communication control method according to any one of claims 1 to 5. An operation of analyzing the communication log data stored in the log storage unit, performing communication according to a predetermined protocol up to an arbitrary stage, and explicitly or implicitly discarding a communication procedure after the arbitrary stage A means of identifying the address of the communication partner being performed;
Means for registering the address of the specified communication partner in a blocking target list which is a list of communication partners to block communication;
A communication control processing device.

Images