JP2009044216A - Method and system for constraining spread of information flowed out to network - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a method and a system for constraining further spread of information flowed out to a network without increasing the network load. <P>SOLUTION: The method comprises a step in which a monitoring system searches a computer exhibiting a file on a P2P network upon receiving a request for constraining spread of information flowed out to the network and acquiring IP address information which is used by the computer thus searched for network connection, and a step for making connection to a computer of the IP address information thus acquired and judging whether that computer is a specific computer exhibiting a file of key information identical to the information flowed out to the network or not, and if it is the specific computer, switching the IP address information of the specific computer to a period shorter than the dynamic switching period of the IP address information of other computer which is not exhibiting a file of key information identical to the information flowed out to the network. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  In the present invention, when personal information recorded in a computer infected with a virus that exploits P2P (Peer to Peer) or internal company information leaks to the network, the leaked information is further transmitted on the P2P network. The present invention relates to a method and system for suppressing diffusion.

“Winny” is known as a typical software using P2P (Peer to Peer).
Viruses that exploit "Winny" have spread since around 2004, and when victims are infected with viruses, such as by executing infected files, personal information and corporate internal materials will leak onto the P2P network.
An outline of the operation at the time of virus infection will be described with reference to the conceptual diagram of FIG.
(1) When a file infected with a virus is executed on the computer of an infected person, the computer is infected with the virus. The virus then collects document files, mailboxes, screenshots, etc. (depending on the virus variant) on the infected computer and creates a compressed file.
(2) Thereafter, the created file is stored in a public folder (varies depending on virus variants).
(3) The “Winny” setting file is edited (created if the file does not exist), and the above-mentioned folder for publication is registered. The files in the registered folder are published in accordance with Winny's specification “publish files in the folder defined in the setting file to the Winny network”.
Other “Winny” users can obtain a desired file in a public folder by sending a transfer request.

The concept of “Winny” file sharing will be described with reference to FIG.
(1) “Winny” converts a file stored in the upload folder into a cache and stores it in the cache folder.
(2) Create information called “key” that summarizes information about cache files.
(3) “Key information” is transferred to other nodes (computers using Winny), and each node performs this process, thereby spreading “key information”.
(4) When another node searches for a file, this “key information” is referred to. When the file being found is found, the IP address information of the file owning node included in the “key information” (5) After the file is transferred, the transfer destination node publishes the downloaded file as a cache (a cache file may be created in addition to the download cache).
As a result, even if the publisher of the original file deletes the file, as long as the cache file remains on the Winny network (or republishes the file downloaded by a third party), the file can be obtained from the Winny network. It becomes a state.

As described above, when a file is obtained using Winny, it is necessary to connect to a file owner computer based on “key information”.
“Key information” flows in an encrypted state on the Winny network, but the procedure for decrypting the contents of the encrypted communication is known, “It is not possible to investigate who owns the file” The original problem is solved.
As described above, when a user computer using P2P software such as “Winny” is infected with a virus that exploits the function of P2P software, personal information collected by the virus leaks to the network, and over time Spread to multiple computers.
For this reason, even if the virus is removed from the user computer from which the information is leaked, it is only possible to prevent new spread from the user computer, and information that has already spread to other computers cannot be deleted. Therefore, even after the virus is removed, the information spread from other computers.
Also, even if the owner of the other computer asks for cooperation and successfully deletes the spread file, unless all owners respond, the files that were not deleted will be propagated again, which makes no sense. .
For this reason, recovery of leaked information is virtually impossible except in special cases such as early detection and handling.

On the other hand, the following Non-Patent Document 1 discloses a technique for preventing diffusion of leaked information.
The technology disclosed in Non-Patent Document 1 prepares a dummy file, creates “false key information” in which the location of the dummy file is recorded with the same unique number (hash value) as the leaked information, It is a mechanism to send a large amount of it on the network, give "fake key information" to the user who wants to obtain the leaked file, download a dummy file, and try to suppress the spread of genuine leaked information is there.

http://www.asahi.com/komimi/TKY200706140166.html

  However, according to the technique disclosed in Non-Patent Document 1 described above, as long as the leaked information exists on the network, the “fake key information” must continue to flow, which increases the network load. is there.

  An object of the present invention is to provide a network outflow information diffusion suppression method and system capable of suppressing further diffusion of outflowed information without increasing the network load.

In order to achieve the above object, the network outflow information diffusion suppression method according to the present invention is the monitoring system that receives the network outflow information diffusion suppression request,
Searching for a computer publishing a file on the P2P network, obtaining the IP address information used by the searched computer for network connection, connecting to the computer having the obtained IP address information, It is determined whether it is a specific computer that discloses the same key information file as the network outflow information. If it is a specific computer, the IP address information of the specific computer is the same as the network outflow information. The key information file is switched to a cycle shorter than the dynamic switching cycle of the IP address information of another computer that does not disclose the key information file.

  In addition, the network outflow information diffusion suppression system according to the present invention searches for a computer publishing a file on the P2P network after receiving a network outflow information diffusion suppression request, and the searched computer is connected to the network. A first computer that obtains the IP address information being used, and a specific computer that is connected to the computer of the obtained IP address information and that the computer discloses the same key information file as the network outflow information If it is a specific computer, the IP address information of the specific computer is the dynamic information of the IP address information of other computers that do not disclose the same key information file as the network outflow information. Second means for switching to a cycle shorter than the switching cycle is provided. And wherein the door.

According to the present invention, since the IP address information of a specific computer that discloses leaked information is switched to a cycle shorter than the dynamic switching cycle of the IP address information of other computers that do not disclose leaked information, Fewer opportunities to connect to other computers.
As a result, the leaked information will not be erased, but even if a download request is made to a specific computer holding the leaked information, the probability of connection failure increases, and a situation where the leaked information is difficult to spread is created. Things will be possible. If the diffusion speed falls, it becomes easy to narrow down the P2P software users who own the file, and a secondary action of individually requesting a response from the leaked individual / organization becomes possible.
In addition, since the IP address is frequently switched for a user who publishes a file, the communication efficiency decreases when using the P2P software. However, if the corresponding file is not held, these effects are lost. Therefore, it is also possible to expect the effect of promoting the voluntary deletion of leaked information to solve the problem.

DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, embodiments for carrying out the present invention will be described in detail with reference to the drawings.
FIG. 1 is a system configuration diagram showing an embodiment of the present invention.
In FIG. 1, reference numeral 101 denotes an applicant who has made a request for suppression of outflow information. The definition of the applicant 101 is “a user whose information in a computer used due to virus infection has leaked” or “an organization to which the user belongs”.
When the applicant 101 notices the leakage of information due to information written on the bulletin board on the Internet or the fact that he / she has been infected with a computer virus himself, the applicant 101 considers the importance of the information and Judge whether to request application.
If it is determined that the application is requested, the applicant 101 collects information necessary for searching for the relevant information on the P2P network (such as file name, hash information, and collection of the sample of the leaked file if possible). Create a prescribed document.
Here, the file sample is an outflow file collected from a computer infected with a virus.
In order to prevent false applications aimed at disrupting system operation, the application will be in a form that allows the identity of the applicant to be confirmed.

In FIG. 1, a monitoring system that suppresses further spreading of outflow information includes an application receiving device 102, a monitoring device 103, a distributing device 104, and a monitoring agent 105 of a telecommunications carrier (provider).
The application receiving apparatus 102 is an apparatus that receives information collected for searching outflow information from the applicant 101.
The monitoring device 103 is a device that collects IP address information and the like of P2P software users existing on the network and transmits the collected result to the monitoring agent 105 through the Internet 106.
The distribution device 104 is a device that distributes the key information of the outflow information file applied by the applicant 101 to the monitoring agent 105 through the Internet 106.
The monitoring agent 105 connects to each of the P2P soft user computers received from the monitoring device 103, and searches whether the same key information file as the key information received from the distribution device 104, that is, whether outflow information is held and disclosed. In the case of a P2P software user's computer holding outflow information, it is a device that shortens the dynamic switching period so that its IP address information changes frequently.

FIG. 2 is a detailed configuration diagram of the application receiving apparatus 102, and FIG. 3 is a flowchart showing an application receiving procedure.
The applicant 101 creates a predetermined request form and submits it to the application window 201 (steps 301 and 302). A request form from the applicant 101 is received at the application window 201. When accepting the application, the operator of the application window confirms whether the person or organization related to the information that the applicant 101 has leaked. This is to prevent interference such as application of a large amount of false information by a third party.
If it is confirmed that there is no problem in the application contents, the submitted information is registered in the application DB 203 from the registration terminal 202 (steps 303 and 304). If the required information is not available, return the request form to the applicant.

For example, information as illustrated in FIG. 4A is registered in the application DB 203.
The registered contents can be searched and displayed by the search terminal 204. The registered contents are valid for system operation such as “the correspondence between the submitted hash information and the corresponding file is correct” by the reviewing organization 205, such as “the corresponding file contains personal information”. The reason is examined (step 305).
If there is no problem as a result of the examination, it is registered in the file information DB 207 using the registration terminal 206 (step 306). Information as shown in FIG. 4B is registered in the file information DB 207. However, if there is a problem, a document of reasons for refusal is created (step 307) and returned to the applicant (step 308).

FIG. 5 is a detailed configuration diagram of the monitoring apparatus 103, which includes a P2P compatible program 501 and a node DB 502. FIG. 6 is a flowchart showing processing of the monitoring apparatus 103.
The connection unit 5011 of the P2P compatible program 501 performs communication based on the “Winny” specification and connects to the user computer 503 of other P2P software on the Internet.
The user computer 503 of the P2P software distributes information of other P2P nodes owned by the own node (information of the P2P user computer (IP address, port number, etc.)) to the connection unit 5011 of the P2P compatible program 501 of the connection source. .
Here, in the present embodiment, since the number of node information collections is emphasized, key information relating to files flowing on the P2P network is not collected at this stage, and the node information is disconnected from the connection destination node as soon as the node information is obtained. The node information thus transferred is transferred to the registration unit 5012.

Further, the node information obtained at the same time is used to connect to another node, and the process of obtaining the node information is repeated.
That is, the information in the node information DB 502 is read (step 601), and if the P2P node information is registered, the computer is connected to another P2P user computer indicated by the P2P node information (step 603). The node information of other P2P users is received (step 604), registered in the node information DB 502 (step 605), and unless the timeout time set by the timer that defines the search time has been reached (step 606), this time The node information of the received node information is connected to another computer, and the node information of the P2P user held by the computer is obtained and registered in the node information DB 502. If the timeout time set by the timer that defines the search time has been reached, the process returns to step 601 and the same processing is repeated.
As a result, the node information of the user computer of the P2P software is searched until the timeout time of the timer is reached and registered in the node information DB 502.
A user computer of P2P software registered in the node information DB 502 is a candidate for holding outflow information.

FIG. 4C shows an example of registration information in the node information DB 502.
The registration information in the node information DB 502 includes a registration ID, an IP address, a port number, and a detection date.
If the IP address acquired from the user computer of P2P software is included in the non-monitoring IP address range set by each telecommunications carrier described later, registration is not performed.

FIG. 7 is a detailed configuration diagram of the distribution apparatus 104.
The distribution device 104 includes a file information distribution unit 1041, a monitoring agent information management unit 1042, and a node information distribution unit 1043.
As shown in the flowchart of FIG. 8, the file information distribution unit 1041 monitors the file information DB 207 registered in the application receiving apparatus 102, reads the hash information of the file when adding information (steps 801 and 802), and stores the file list. It is updated (step 803) and distributed to the monitoring agent 105 of each telecommunications carrier (step 804). Then, after waiting for a certain time, the process returns to step 801 and the same operation is repeated.
That is, when hash information of new outflow information is registered, a process of immediately delivering to the monitoring agent 105 is performed.
The monitoring agent information management unit 1042 receives “IP address range allocated by each telecommunications carrier” from each monitoring agent 105 and reflects it in the IP address table 1044.
That is, as shown in the flowchart of FIG. 9, when information on the IP address range allocated by each telecommunications carrier is received from each monitoring agent 105 (steps 901 to 904),
The IP address range information is reflected in the IP address table 1044.

As shown in the flowchart of FIG. 10, when receiving a request from the monitoring agent 105, the node information distribution unit 1043 searches the IP address table 1044 for an IP address range corresponding to the monitoring agent 105 (step 1001 to 1004), the node information DB 502 created by the monitoring apparatus 103 is searched for new information (step 1005), and a list of the searched node information is distributed to the monitoring agent 105 (step 1006, 1007).
That is, new node information to be monitored is distributed by the monitoring agent 105 of each telecommunications carrier.

FIG. 11 is a detailed configuration diagram of the monitoring agent 105. A monitoring agent 105 is installed for each telecommunications carrier participating in this system.
The monitoring agent 105 includes an allocated IP management unit 1101, a file search unit 1102, a P2P compatible program 1103, and an assigned IP management unit 1104.
As shown in the flowchart of FIG. 12, the allocated IP management unit 1101 checks the IP address allocated from the NIC (Network Information Management Center) 1105 or the like (Step 1201), and when the address range is changed (Step 1202). ), And sends the changed IP address range to the monitoring agent information management unit 1042 of the distribution apparatus 104.
The P2P compatible program 1103 periodically transmits a request to the distribution apparatus 104 and receives node information of the user computer 1106 of P2P software under its own organization management. Then, using the IP address and port number included in the received node information, the user actually connects to the user's computer, and obtains information on the file (file name / hash information, etc.) owned. The obtained file information is transferred to the file search unit 1102.

As shown in the flowchart of FIG. 13A, the file search unit 1102 receives a list of hash information of the outflow information file to be monitored from the distribution apparatus 104 (step 1301). Specifically, as shown in the flowchart of FIG. 13B, the file information distribution unit 1041 of the distribution apparatus 104 is inquired (step 1305), and it is determined whether there is additional information of the outflow information file to be monitored. Is reflected in the hash list (step 1307), and after waiting for a certain time, the inquiry of the outflow information file to be monitored is made again (step 1308).
Then, the file information held by the user computer of each P2P software is acquired from the P2P compatible program 1103 (step 1302).
Specifically, as shown in FIG. 13C, after obtaining a node information list of the P2P software user computer from the node information distribution unit 1043 of the distribution apparatus 104 (step 1310), the node information is read (step 1311). It is determined whether or not an unexamined node remains to determine whether or not the outflow information file is held (step 1312). If there is an unexamined node, a connection is made to the unexamined node (step 1313) Is obtained (step 1314), and is compared with the hash list received from the file information distribution unit 1041 (step 1315), and a file having the same key information as the key information existing in the hash list is obtained. If the file is held, the assigned IP management unit is designated as the “file holder subject to diffusion suppression”. Transfers the corresponding user information (quarantine list) to 104 (step 1316,1317).

As shown in the flowchart of FIG. 14, the assigned IP management unit 1104 reads the quarantine list (step 1401), cancels the IP address assigned to the computer of the “file holder subject to diffusion suppression”, Reassignment is performed to the set IP address range dedicated to isolation (steps 1402 and 1403).
In this IP address range, the time for assigning the IP address to the P2P user holding the outflow information file is shortened by the setting of DHCP (Dynamic Host Configuration Protocol). That is, the switching cycle of dynamically switching IP addresses is shortened.

Thereby, the IP address of the user computer of the P2P software holding the outflow information file is frequently switched. As a result, it is disclosed that the corresponding node holds the outflow information file on the P2P network, and even if another node tries to download the outflow information file based on the information, the IP address information does not match, or Since the IP address changes during the download and is disconnected, the download of the outflow information file becomes difficult. As a result, the spread of the outflow information file is suppressed.
In addition, at the timing of reassigning the IP address, the P2P compatible program 1103 checks again whether it owns the outflow information file to be monitored. When the outflow information file no longer exists, it is released from the IP address range for isolation, and the conventional IP address assignment is performed. Therefore, since the P2P software user can use the file as long as it does not have a problematic file, it can be expected to voluntarily delete the problematic file when a problem occurs.

In the above embodiment, the monitoring device 103 searches for node information of the user computer of P2P software. However, the monitoring agent 105 may search the node information.
Further, although the monitoring agent searches whether or not the outflow information file is held, it may be searched by the monitoring device. In short, it can be configured such that the functions are appropriately distributed and processed among the devices constituting the monitoring system.

It is a system configuration figure showing an embodiment of a diffusion control system of network outflow information concerning the present invention. It is a detailed block diagram of the application apparatus in FIG. It is a flowchart of the application process of the application apparatus in FIG. It is a figure which shows the example of the information registered into application DB, file information DB, and node information DB. It is a detailed block diagram of the monitoring apparatus in FIG. It is a flowchart which shows the process of the monitoring apparatus in FIG. It is a detailed block diagram of the distribution apparatus shown in FIG. It is a flowchart which shows the process of the file information delivery part of a distribution apparatus. It is a flowchart which shows the process of the monitoring agent information management part of a distribution apparatus. It is a flowchart which shows the process of the node information delivery part of a distribution apparatus. It is a detailed block diagram of a monitoring agent. It is a flowchart which shows the process of the allocation IP management part of a monitoring agent. It is a flowchart which shows the process of the file search part of a monitoring agent. It is a flowchart which shows the process of the allocated IP management part of a monitoring agent. It is explanatory drawing which shows the operation | movement outline | summary at the time of the infection of the computer virus which abused Winny. It is explanatory drawing which shows the operation | movement outline | summary of Winny file transfer.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 101 ... Applicant, 102 ... Application apparatus, 103 ... Monitoring apparatus, 104 ... Distributing apparatus, 105 ... Monitoring agent, 207 ... File information DB, 501 ... P2P compatible program, 502 ... Node information DB, 1041 ... File information distribution part, 1042 ... Monitoring agent information management unit, 1043 ... Node information distribution unit, 1101 ... Allocation IP management unit, 1102 ... File search unit, 1104 ... Allocation IP management unit.

Claims (2)

A monitoring system that has received a request to suppress the spread of network outflow information
Searching for a computer publishing a file on the P2P network, obtaining the IP address information used by the searched computer for network connection, connecting to the computer having the obtained IP address information, It is determined whether it is a specific computer that discloses the same key information file as the network outflow information. If it is a specific computer, the IP address information of the specific computer is the same as the network outflow information. A method for suppressing the spread of network outflow information, comprising the step of switching to a period shorter than the dynamic switching period of the IP address information of other computers that do not disclose the key information file.   A first means for searching for a computer publishing a file on the P2P network after receiving a network outflow information diffusion suppression request, and obtaining IP address information used by the searched computer for network connection; , Connect to the computer with the obtained IP address information, determine whether the computer is a specific computer that has released the same key information file as the network outflow information, and if it is a specific computer, Second means for switching the IP address information of the specific computer to a cycle shorter than the dynamic switching cycle of the IP address information of another computer that does not disclose the same key information file as the network outflow information; Network outflow information diffusion suppression system characterized by

Images