JP2010092174A - Method, device and program for detecting fraudulence, and information processing system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To monitor up to the inside of a system in detail. <P>SOLUTION: A information processor includes a rule DB for storing behavior information for specifying a behavior showing illegal attack or intrusion. Then, the information processor collects various pieces of information generated by each module inside a process executed by a computer system showing the device, and monitors a behavior showing any illegal attack or intrusion on the basis of the collected various pieces of information. Meanwhile, when the collected various pieces of information are matched with behavior information stored in the rule DB, the information processor detects that any illegal attack or intrusion has occurred. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a fraud detection method, a fraud detection device, a fraud detection program, and an information processing system for detecting an unauthorized attack or intrusion on a computer system.

  Conventionally, malicious programs (malware such as viruses and worms) that invade by attacking security holes such as computer system vulnerabilities have become socially important problems regardless of individuals or companies.

  This unauthorized program takes control of the computer, destroys data stored in the computer, transmits unauthorized data to the outside, and performs a new attack action against a third party using the intruded computer. For example, a plurality of modules are operating in a process executed by a computer system, and when a vulnerability exists in this module, an attack and intrusion targeting the corresponding module are performed.

  For such malicious programs, there is HIDS (Host Based Intrusion Detection System) as a method to detect attacks and intrusions by monitoring the internal behavior of the system, and various detection methods based on behavior monitoring in process units are proposed. Has been. Another method has been proposed to detect access control by monitoring unauthorized file I / O events and process creation events, but it detects attacks and intrusions that do not involve file I / O and process creation events. Can not.

  Recently, detection methods using statistical information such as system calls in the system, the number of API (Application Programming Interface) reads, and function call sequences have been proposed (see Non-Patent Documents 1 and 2). Specifically, as shown in FIG. 10, one process executes a plurality of APIs, and each API executes a plurality of System Calls. In this case, in Non-Patent Documents 1 and 2, as shown in FIG. 11, an API monitor is executed between the process and the API, and a system call monitor is executed between the API and the system call (System Call). These monitors detect attacks and intrusions.

  In addition, as a technique for detecting attacks and intrusions specialized for Web browsers that have become widely used due to the widespread use of the Internet, a signature base such as snort distributed under the GPL (GNU Public License) is also available. There has been proposed a technology that realizes detection by the browser level and protects the browser from contents including an attack code (see Non-Patent Document 3).

“Intrusion detection using sequences of system calls”, Journal of Computer Security 1998, [online], [searched September 22, 2008], Internet <http://www.cs.unm.edu/~steveah/jcs- accepted.pdf> “Native API Based Windows (registered trademark) Anomaly Intrusion Detection Method Using SVM”, IEEE International Conference on Sensor Networks, Ubiquitous, and Trustworthy Computing 2006, [online], [searched September 22, 2008], Internet <http: //ieeexplore.ieee.org/iel5/10902/34301/01636219.pdf?tp=&isnumber=&arnumber=1636219> “Firekeeper”, [online], [searched September 22, 2008], Internet <http://firekeeper.mozdev.org>

  However, the above-described conventional technique has a problem that it is impossible to monitor in detail the inside of the system. Specifically, in Non-Patent Documents 1 and 2, since the behavior of APIs and system call calls for each process executed in the system is monitored, the behavior of the internal state of processes such as local function calls and local variables is monitored. Can not be monitored.

  In other words, in behavior monitoring such as API and system call invocation implemented in Non-Patent Documents 1 and 2, abnormalities (injustices) are detected by mixing API and system call invocations from multiple modules within the same process. Accuracy is reduced. Similarly, in Non-Patent Document 3, since the behavior of each Web browser is monitored, the behavior of various script execution environments inside the Web browser cannot be monitored.

  Accordingly, the present invention has been made to solve the above-described problems of the prior art, and a fraud detection method, a fraud detection device, a fraud detection program, and an information processing that enable detailed monitoring of the inside of the system. The purpose is to provide a system.

  In order to solve the above-described problems and achieve the object, the present invention is a fraud detection method for detecting an unauthorized attack or intrusion on a computer system, and for each module in a process executed in the computer system, An information collecting step for collecting various information generated by the module, and a monitoring step for monitoring, for each module, behavior indicating an unauthorized attack or intrusion based on the various information collected by the information collecting step. It is characterized by including.

  According to the present invention, it is possible to monitor the inside of the system in detail. Furthermore, it is possible to quickly and accurately detect unauthorized programs that execute unauthorized attacks and intrusions.

  Exemplary embodiments of a fraud detection method, a fraud detection device, a fraud detection program, and an information processing system according to the present invention will be described below in detail with reference to the accompanying drawings. In the following, the outline of the information processing apparatus (information processing system) according to the present embodiment, the configuration of the information processing apparatus, and the flow of processing will be described in order, and finally various modifications to the present embodiment will be described.

[Outline of information processing equipment]
First, the outline of the information processing apparatus (information processing system) will be described with reference to FIG. FIG. 1 is a diagram for explaining an overview of the information processing apparatus according to the first embodiment. Note that the information processing apparatus shown here is an apparatus that executes the “fraud detection method” described in the claims disclosed by the present application.

  The information processing apparatus disclosed in the present application is a computer system that executes arithmetic processing according to a program. For example, a server apparatus that provides services to users such as a Web server, a content server, and a DNS server is used personally. Devices such as personal computer systems, network devices such as routers and L3 switches.

  As a result of the widespread use of the Internet, the information processing apparatus described above has greatly increased the chances of exchanging information with known third party apparatuses, and as a result, has increased the chance of exchanging information with malicious third parties. An information processing apparatus in which an unauthorized program is executed by such a malicious third party not only executes unauthorized processing, but also a LAN to which the apparatus is connected (for example, an in-house LAN or a home Various problems occur, such as other illegal devices (such as LAN) and new fraudulent acts using the device as a springboard. Such a problem is not only a personal problem, but has led to a large social problem (crime), which is a very large problem. For this reason, companies that have information processing devices such as various servers are eagerly desired to quickly and accurately detect unauthorized programs that execute unauthorized attacks and intrusions.

  An illegal attack means that a computer system is caused to perform an unintended operation different from the process that it originally intends to execute, and an intrusion means an unintended operation by an attack. To take control of part or all of the system.

  Therefore, as described above, the information processing apparatus according to the first embodiment is an apparatus that executes arithmetic processing according to a program, and can monitor in detail up to the inside of the system. It is possible to detect a malicious program to be executed quickly and accurately.

  Specifically, as illustrated in FIG. 1, the information processing apparatus according to the first embodiment inserts a monitor (for example, a monitoring program) for each module in a process executed by the computer system. The information processing apparatus collects various types of information generated by the module using this monitor, and monitors the behavior indicating an unauthorized attack or intrusion for each module. Furthermore, the information processing apparatus according to the first embodiment detects the occurrence of an unauthorized attack or intrusion based on various information collected by the monitor.

  By doing in this way, the information processing apparatus according to the first embodiment has detailed information regarding the inside of the system that “module A of process A calls system call 1 and module B calls system call 2 and system call 3”. Information can be acquired. Therefore, the information processing apparatus according to the first embodiment enables detailed monitoring up to the inside of the system by collecting various kinds of information generated by the modules for each module inside the process executed in the computer system. Furthermore, it is possible to quickly and accurately detect a malicious program that executes an unauthorized attack or intrusion.

[Configuration of information processing device]
Next, the configuration of the information processing apparatus shown in FIG. 1 will be described with reference to FIG. FIG. 2 is a block diagram illustrating the configuration of the information processing apparatus according to the first embodiment. As shown in FIG. 2, the information processing apparatus 1 includes a control program such as an OS (Operating System), a program that defines various processing procedures, and an internal memory for storing necessary data, and is executed. A plurality of processes (process 10, process 20...), A storage unit 30, and a detection unit 33 are included. Since the basic configuration of the process 10 and the process 20 is the same, only the process 10 will be described here.

  The process 10 includes a plurality of modules (module A11a, module B11b,...) And a monitor (monitor 15a, monitor 15b,...) For each module, and is executed by the information processing apparatus 1. It is. The illustrated modules and monitors are merely examples, and are not limited to the illustrated numbers, and the numbers are different for each process.

  The module A 11a and the module B 11b are program parts loaded into the space of the process 10 at the time of program execution. For example, DLL (Dynamic Link Library) corresponds to this. Further, the module A 11a and the module B 11b call and execute an API according to an instruction from the process 10, and the API calls and executes a system call.

  The monitor 15a is a program for monitoring the behavior embedded (inserted) in the module, and has a monitoring unit 16 and a control unit 17 inside as shown in FIG. Since the monitor 15b has the same configuration as the monitor 15a, detailed description is omitted here. FIG. 3 is a diagram illustrating the internal configuration of the monitor.

  The monitoring unit 16 collects various types of information generated by the module for each module in the process executed by the computer system, and based on the collected information, displays a behavior indicating an unauthorized attack or intrusion for each module. Monitor. Specifically, the monitoring unit 16 collects API calls and system call calls of the process 10 as information generated by the module A11a of the process 10 executed by the information processing apparatus 1, and stores them in the accumulation DB 31 described later. . And the monitoring part 16 monitors the event which generate | occur | produces when module A11a operate | moves based on the information accumulate | stored in accumulation | storage DB31, and the state change of CPU or memory.

  As information generated by the module A11a of the process 10 executed in the information processing apparatus 1, for example, the monitoring unit 16 obtains the module type, the type of the called function, the argument value, the read source address, the time stamp, and the like. The acquired information and the process and module that output the information are associated with each other and stored in the accumulation DB 31.

  When the detection unit 33, which will be described later, detects that an unauthorized attack or intrusion has occurred, the control unit 17 specifies control content corresponding to behavior information that matches the detected unauthorized attack or intrusion from the rule DB 32. Then, the specified control content is executed. Specifically, when the control content specified from the rule DB 32 is “blocking control”, the control unit 17 stops the operation of the module or process in which the injustice is detected by the detection unit 33.

  In addition, when the control content specified from the rule DB 32 is “log output”, the control unit 17 outputs logs of modules and functions executed in a predetermined area (for example, / temp or temporary area). To do. Further, when the control content specified from the rule DB 32 is “notify administrator (XXX@AAA.com)”, the control unit 17 activates the mailer and sends the mail address (XXX@AAA.com) to To notify that a module or process has been compromised or intruded. Here, as information to be notified to the administrator, a module or a process in which fraud is detected by the detection unit 33 is notified.

  Returning to FIG. 2, the storage unit 30 stores address information and routing information for network communication, data and programs necessary for various processes, and includes an accumulation DB 31 and a rule DB 32.

  The accumulation DB 31 stores information collected for each module by the monitoring units of the monitor 15a and the monitor 15b. Specifically, as shown in FIG. 4, the storage DB 31 collects the contents collected in association with “process” and “module” indicating the collection source (source) of the information collected by each monitoring unit. “Information” indicating “” is stored. For example, the storage DB 31 stores “process 10, module A, called function name (function A)” or “process 20, module B, called function name (function Z) and arguments as“ process, module, information ”. (ZZ) "and the like are stored.

  FIG. 4 is a diagram illustrating an example of information stored in the accumulation DB. In FIG. 4, information collected in one table is managed by storing it in association with “process” or “module”, but a different table is provided for each process or module. You may make it do.

  The rule DB 32 stores behavior information for specifying behavior indicating an illegal attack or intrusion and control contents executed when an illegal attack or intrusion occurs. In other words, the rule DB 32 stores information that predefines APIs and system call types that should not be called in a normal state. Specifically, as shown in FIG. 5, the rule DB 32 associates “process” and “module” with “behavior information” for specifying behavior indicating an unauthorized attack or intrusion, an unauthorized attack or intrusion. The “control content” to be executed when this occurs is stored.

  For example, the rule DB 32 includes “process 10, module A, called function name (function B), cutoff control” and “process 20, module X, called function” as “process, module, behavior information, control content”. “Name (function Z) and argument (ZZ), log output”, “process 10, module B, function B followed by function ZZ, shutdown control / log output”, and the like are stored.

  In addition to information such as whether a specific function has been called or whether a function argument is correct, the rule DB 32 calls a function call such as “function B is called after function A”. A sequence (call sequence) can also be stored. The rule DB 32 can also store threshold values such as character string information, a cumulative value of the character string and the character string length as behavior information, and by doing so, a function of a script execution environment that dynamically secures the character string By monitoring this, unauthorized processing can be detected.

  Further, the rule DB 32 can store, for example, “notify the administrator (XXX@AAA.com)” as the control content, and in this case, the control unit 17 can store the mailer. To notify the email address (XXX@AAA.com) that an unauthorized attack or intrusion has occurred in the module or process. The rule DB 32 can also store a plurality of control contents (for example, shut-off control and log output) in association with one behavior information.

  FIG. 5 is a diagram illustrating an example of information stored in the rule DB. In FIG. 5, information collected in one table is managed. However, a different table may be provided and stored for each process or each module.

  When the various information collected by the monitoring unit 16 matches the behavior information stored in the rule DB 32 that stores the behavior information that identifies the behavior indicating an unauthorized attack or intrusion, Detect that an intrusion has occurred. Specifically, the detection unit 33 refers to each record stored in the accumulation DB 31 and each record in the rule DB 32, and when the information stored in the accumulation DB 31 is also stored in the rule DB 32, Detects attacks and intrusions.

  Referring to FIGS. 4 and 5, “process 10, module A, called function name (function A)” stored in the accumulation DB 31 in FIG. 4 is not stored in the rule DB 32 in FIG. Therefore, the detection unit 33 recognizes that this information is in a normal state. Further, “process 20, module B, called function name (function Z) and argument (ZZ)” stored in the accumulation DB 31 of FIG. 4 has the same contents (the third line of FIG. 5) as the rule DB 32 of FIG. ) Is stored, the detection unit 33 detects that an unauthorized attack or intrusion has occurred.

  The detection unit 33 that has detected that an unauthorized attack or intrusion has occurred outputs the detected unauthorized content “process 20, module B, called function name (function Z) and argument (ZZ)” to the control unit 17. . Receiving this, the control unit 17 specifies the control content (in the above example, “notify the administrator (XXX@AAA.com)”) based on the received information, and executes the specified control content.

[Processing by information processing device]
Next, processing by the information processing apparatus will be described with reference to FIG. FIG. 6 is a flowchart illustrating the flow of processing in the information processing apparatus according to the first embodiment.

  As illustrated in FIG. 6, the information processing apparatus 1 executes various modules in the process (Yes in step S101), acquires various types of information for each module and stores them in the storage DB 31 using a monitor incorporated in the executed module. Accumulated and stored (step S102).

  Subsequently, the information processing apparatus 1 compares the information accumulated in the accumulation DB 31 in step S102 with the behavior information stored in the rule DB 32 (step S103), and determines whether or not the information matches the behavior information (step S103). S104).

  If the stored information matches the behavior information (Yes at Step S104), the information processing apparatus 1 specifies control information corresponding to the behavior information from the rule DB 32 (Step S105), and executes the specified control information. (Step S106).

  On the other hand, when the accumulated information does not match the behavior information (No at Step S104), the information processing apparatus 1 ends the process. Note that the processes in steps S101 to S106 described above are repeatedly executed until the activated module is completed. In addition, the repetition timing can be arbitrarily set such as a predetermined cycle (for example, every 5 minutes) or every time new information is collected and accumulated.

[Effects of Example 1]
As described above, according to the first embodiment, various types of information generated by the module are collected for each module in the process executed by the computer system, and an illegal attack or intrusion is performed based on the collected information. Can be monitored for each module. As a result, it is possible to monitor in detail the inside of the system.

  Further, according to the first embodiment, when the collected various information matches the behavior information stored in the rule DB 32 that stores the behavior information specifying the behavior indicating the illegal attack or intrusion, It can be detected that an intrusion has occurred. As a result, unauthorized attacks and intrusions can be detected quickly and accurately.

  Further, according to the first embodiment, when it is detected that an unauthorized attack or intrusion has occurred, the control content corresponding to the behavior information matching the detected unauthorized attack or intrusion is specified from the rule DB 32, The specified control content can be executed. As a result, an appropriate response can be performed quickly, and secondary damage due to unauthorized processing can be prevented.

  By the way, the information processing apparatus disclosed in the present embodiment can exert the same effect on attacks and intrusions targeting the Web browser. Therefore, in the second embodiment, a case will be described in which the information processing apparatus 1 is used to detect an attack and intrusion targeting a Web browser.

[Outline of Information Processing Apparatus (Example 2)]
Attacks and intrusions targeting Web browsers are performed in combination with techniques that exploit the Web browser script execution environment. On the other hand, although the Web browser itself has a setting that restricts part or all of the script execution environment, it is a factor that significantly reduces the convenience of Web browsing.

  In response to such attacks targeting Web browsers, the information processing device disclosed in the present application monitors the behavior of script execution environments such as java (registered trademark) scripts and VBScripts inside Web browsers. Detect intrusions. That is, the information processing apparatus according to the second embodiment monitors an API, a system call, or a local function call from the script execution environment in order to monitor the behavior of the script execution environment and extract behavior information. Note that “monitoring a local function call” indicates that when an EIP (instruction pointer) points to the start address of a specific function, it is determined that the function has been called.

  By doing so, the information processing apparatus according to the second embodiment, for example, is not a “heap layout operation” that exploits a script execution environment in combination with an attack that exploits some vulnerability or an attack that exploits a vulnerability. It is possible to detect attacks and intrusions targeting Web browsers such as “script malware (java (registered trademark) script Malware)” that perform malicious operations based on the specifications of the above.

  The script execution environment is a module that processes the script language. For example, “jscript.dll (java (registered trademark) script)” or “vbscript.dll (module that processes VBscript)” To do. In addition, as described above, the “heap layout operation” is an exploitation of the script execution environment in combination with an attack that exploits some vulnerability. For example, there is a technique called “HeapSpray”. Specifically, these methods operate the memory playout from the script execution environment in advance, and after exploiting the vulnerability, move the EIP (instruction pointer) to the location on the memory where the operation was performed and execute any instruction It is used to make it. Since this improves the stability of the attack, it is frequently executed in such a combination.

  In addition, as described above, “script malware” is not an attack that exploits vulnerability, but performs malicious operations based on the specification of the script language. For example, “script (registered trademark) script” Port scan "exists. This "java (registered trademark) script port scan" executes a port scan when java (registered trademark) script is executed, and the java (registered trademark) script read from the Internet side is ported to the network on the intranet side. Perform a scan. By this attack, the survival status of the host (various servers) on the intranet side can be grasped outside.

  The information processing apparatus according to the second embodiment can detect attacks and intrusions targeting the Web browser such as the above-mentioned “heap layout operation” and “script malware”.

[Configuration of information processing device]
Next, the configuration of the information processing apparatus according to the second embodiment will be described with reference to FIG. FIG. 7 is a block diagram illustrating the configuration of the information processing apparatus according to the second embodiment. As shown in FIG. 7, the information processing apparatus 1 includes a control program such as an OS (Operating System), a program that defines various processing procedures, and an internal memory for storing necessary data, and is executed. A plurality of Web browsers (Web browser 50, Web browser 60...), A storage unit 70, and a detection unit 73 are included. Since the web browser 50 and the web browser 60 have the same basic configuration, only the web browser 50 will be described here.

  The web browser 50 includes a plurality of scripts (script A51a, script B51b...) And a monitor (monitor 55a, monitor 55b...) For each script. The illustrated scripts and monitors are examples, and are not limited to the illustrated numbers, and the numbers are different for each script.

  The script A 51a and the script B 51b are script environments executed by the Web browser 50. For example, jscript.dll and vbscript.dll correspond to this. The monitor 55a is a program for monitoring the behavior embedded (inserted) in the module, and has a monitoring unit 56 and a control unit 57 in the same manner as in the first embodiment. Since the monitor 55b has the same configuration as the monitor 55a, detailed description is omitted here.

  The monitoring unit 56 collects various types of information generated by the script for each script inside the Web browser executed by the computer system, and based on the collected information, displays behaviors indicating unauthorized attacks and intrusions for each script. To monitor. Specifically, the monitoring unit 56 includes, as information generated by the script A 51a of the Web browser 50 executed in the information processing apparatus 1, “page frame URL, called function name, argument information, time stamp” and the like. Collected and stored in an accumulation DB 31 to be described later. And the monitoring part 56 monitors the event which generate | occur | produces when script A51a operate | moves based on the information accumulate | stored in accumulation | storage DB71.

  This obtains information for each page frame, obtains a call sequence of the called function by sorting the called function and its argument value, and sorting by time stamp (sorting information stored in the accumulation DB 71). Is possible. In addition, for example, when it is necessary to detect the attack by comparing the accumulated string of characters reserved and the threshold, such as "HeapSpray", the threshold will be used when web browsing is always continued. Therefore, it is possible to detect an illegal page (URL) that performs an attack or intrusion by detecting an attack or intrusion for each page.

  Similarly to the first embodiment, when the detection unit 73 described later detects that an unauthorized attack or intrusion has occurred, the control unit 57 performs control corresponding to behavior information that matches the detected unauthorized attack or intrusion. The content is specified from the rule DB 72, and the specified control content is executed. Specifically, when the control content specified from the rule DB 72 is “blocking control”, the control unit 57 stops the operation of the module or the process in which the detection unit 73 detects the injustice.

  Similar to the first embodiment, the storage unit 70 stores address information and routing information for performing network communication, data and programs necessary for various processes, and includes an accumulation DB 71 and a rule DB 72.

  The accumulation DB 71 stores information collected for each script by each monitoring unit of the monitor 55a and the monitor 55b. Specifically, as shown in FIG. 8, the accumulation DB 71 is collected in association with “Web browser” and “script” indicating the collection source (source) of information collected by each monitoring unit. Stores “information” indicating the contents. For example, the storage DB 71 stores “Web browser 50, script X, called function name (function X)” or “Web browser 60, script X, called function name (function Y) as“ Web browser, script, information ”. ) And argument (ZZ) "and the like are stored.

  FIG. 8 is a diagram illustrating an example of information stored in the accumulation DB. As in the first embodiment, in FIG. 8, information collected in one table is managed by storing it in association with “Web browser” or “script”. Different tables may be provided and stored.

  Similar to the first embodiment, the rule DB 72 stores behavior information for specifying behavior indicating an illegal attack or intrusion and control contents executed when an illegal attack or intrusion occurs. Specifically, as shown in FIG. 9, the rule DB 72 associates “Web browser” and “script” with “behavior information” for identifying behaviors indicating unauthorized attacks and intrusions, Stores the “control contents” to be executed when an intrusion occurs.

  For example, the rule DB 72 includes “Web browser 50, script X, −, blocking control” or “Web browser 60, script X, called function name (function Z)” as “Web browser, script, behavior information, control content”. , None ", etc. FIG. 9 is a diagram illustrating an example of information stored in the rule DB. Further, as in the first embodiment, information collected in one table is managed in FIG. 9, but a different table may be provided and stored for each process or each module.

  Here, the behavior information being “-” indicates that the process is not executed when it is normal. For example, in the “Web browser 50, script X, −, blocking control” described above, “Web browser 50 "does not execute" script X ". That is, when “Web browser 50” executes “script X”, it is not necessary to acquire detailed information, which indicates an illegal process.

  Note that the rule DB 72 is also similar to the rule DB 32 of the first embodiment, in addition to information such as whether a specific function has been called or whether a function argument is incorrect, a function call sequence (call sequence), a character string It is also possible to store threshold values such as information, a character string, and a cumulative value of the character string length. In addition to the information described above, the rule DB 32 stores, for example, “notify the administrator (XXX@AAA.com)” or a combination of a plurality of pieces of control information in the same manner as the rule DB 32 of the first embodiment. You can also keep it.

  When the various information collected by the monitoring unit 56 matches the behavior information stored in the rule DB 72 that stores behavior information specifying behavior indicating an illegal attack or intrusion, the detection unit 73 Detect that an intrusion has occurred. Specifically, the detection unit 73 refers to each record stored in the accumulation DB 71 and each record in the rule DB 72, and when the information stored in the accumulation DB 71 is also stored in the rule DB 72, Detects attacks and intrusions.

  Referring to FIGS. 8 and 9, “Web browser 50, script X, called function name (function X)” stored in the storage DB 71 in FIG. 8 is stored in the rule DB 72 in FIG. 50, script X,-, blocking control "is stored, the detection unit 73 detects that an unauthorized attack or intrusion has occurred. As described above, since it is impossible for the “Web browser 50” to execute the “script X” during normal operation, a monitor cannot be incorporated into the “script X”. For such a case, not only the script in the Web browser but also the monitor is incorporated in association with the Web browser. By doing so, it is possible to detect that an unauthorized attack or intrusion has occurred even when a script that is not executed is executed.

  Further, the detection unit 73 has the same contents as the “Web browser 60, script X, called function name (function Y) and argument (ZZ)” stored in the accumulation DB 71 in FIG. 8 in the rule DB 72 in FIG. Since it is not stored, the detection unit 33 determines that this information is normal processing.

[Effects of Example 2]
As described above, according to the second embodiment, the detailed behavior of the system can be grasped, and accurate abnormality detection can be performed. It can also prevent attacks using a script execution environment in a web browser and infection with malware. In addition, by focusing on the script execution environment used for attacks and intrusions to the Web browser in this way, noise caused by the operation of other modules inside the Web browser (for example, the HTML processing engine) is reduced Information on the target location can be extracted and detected, and attack and intrusion blocking can be dynamically controlled (for example, forced termination of the process).

  In the case of the conventional method, the above-mentioned “it is possible to extract and detect the information of the target portion with less noise” was confused with APIs and system call calls from a plurality of modules in the process. In such an information processing apparatus, such a confusion does not occur. Therefore, as described above, “information can be extracted and detected in a target portion with“ low noise ””. For example, conventionally, an abnormal behavior performed by a specific module and a normal operation of another module cannot be distinguished from each other, and are viewed as a process behavior collectively. In this application, since the behavior can be monitored for each module, there is no confusion with the operation of other normal modules.

  Further, as described above, attacks using the script execution environment include “attack against vulnerability (for example, heap layout operation)” and “script malware”. In the “attack against vulnerability”, the web browser reads the content in which the attack code that exploits the vulnerability of the web browser is embedded, and the script execution environment executes it to allow the attack and allow intrusion. Web browser vulnerabilities here include not only Web browser vulnerabilities but also BHO (Browser Helper Object) vulnerabilities such as plug-ins. When attacking against vulnerabilities, a method is also used in which the attack is executed stably by manipulating the memory layout using the script execution environment.

  Techniques that increase the success rate of attacks against vulnerabilities to web browsers (for example, “HeapSpray” and “Heap Feng Shui”) by illegally manipulating the memory layout using the script execution environment By embedding a character string containing an illegal instruction code in the heap area, the malicious instruction code embedded earlier is executed after taking control by exploiting the vulnerability of the Web browser.

  By monitoring a function of the script execution environment that dynamically secures a character string against such an unusual behavior used for such an attack, an illegal process can be detected. For example, in “HeapSpray”, when securing a character string, a large number of strings with the same contents are secured, so the string information given as an argument of the function that secures the string is acquired and secured. Is detected based on whether the accumulated value of the similarity or the character string length exceeds the threshold (for example, when the threshold is exceeded, an abnormality is detected).

  In addition, the above-mentioned “reserve character string” means, specifically, when securing a character string of length N, an area that can store a character string of length N in the memory is secured. Is a character string. For example, when a character string object “str” is substituted for “Array () array” of “java (registered trademark) script”, the API “HeapAlloc ( ) "Is called to reserve an area on the memory.

  In addition, “script malware” does not attack web browser vulnerabilities, but operates by script detection and acts as an attack. Such attacks cannot be prevented by controlling file input / output and process generation because they operate in memory without creating files or creating processes. On the other hand, with regard to packet transmission instructions issued by the script execution environment, It is possible to determine whether or not the communication destination is given as an argument of a function that performs this.

  For example, in a method called “java (registered trademark) script Portscan”, a web browser can port an intranet by reading an invalid “java (registered trademark) script” set in an external web server. I will scan. At this time, if the communication destination of the packet transmission command issued from “java (registered trademark) script” is an intranet address, or if a packet is transmitted to a plurality of intranet addresses, It is possible to detect attacks and intrusions on web browsers as likely.

  Although the embodiments of the present invention have been described so far, the present invention may be implemented in various different forms other than the embodiments described above. Therefore, as shown below, (1) monitor configuration, (2) third-party device, (3) application example, (4) system configuration, etc., (5) different embodiments will be described by dividing them into programs. .

(1) Monitor Configuration For example, the configuration of the monitor illustrated in the first or second embodiment is not limited to this, and for example, only the monitoring unit can be configured inside the monitor. In addition, the monitor itself can be configured outside the process (in the information processing apparatus).

(2) Third Party Device The fraud detection device disclosed in the present application is not necessarily incorporated in the information processing device, and may be a separate body from the information processing device (arithmetic processing device).

(3) Application Examples The fraud detection device disclosed in the present application can be used as a honeypot that can determine whether a web page is dangerous by detecting an attack on a web browser, as specifically described in a specific example. .

(4) System Configuration, etc. Also, all or some of the processes described as being automatically performed among the processes described in the present embodiment can be performed manually. In addition, the processing procedures, control procedures, specific names, and information including various data and parameters (for example, FIG. 4, FIG. 5, FIG. 8, FIG. 9, etc.) shown in the above-mentioned documents and drawings are specially noted. It can be changed arbitrarily unless you want to.

  Each component of each illustrated device is functionally conceptual and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. It can be configured by integrating (for example, integrating a monitoring unit and a control unit). Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

(5) Program The fraud detection method described in the present embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program can be distributed via a network such as the Internet. The program can also be executed by being recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, and a DVD and being read from the recording medium by the computer.

  As described above, the fraud detection method, the fraud detection device, the fraud detection program, and the information processing system according to the present invention are useful for detecting unauthorized attacks and intrusions on a computer system, and particularly the details of the inside of the system. Suitable for monitoring.

1 is a diagram for explaining an overview of an information processing apparatus according to a first embodiment; 1 is a block diagram illustrating a configuration of an information processing apparatus according to a first embodiment. It is the figure which illustrated the internal structure of the monitor. It is a figure which shows the example of the information memorize | stored in accumulation | storage DB. It is a figure which shows the example of the information memorize | stored in rule DB. 3 is a flowchart illustrating a flow of processing in the information processing apparatus according to the first embodiment. FIG. 10 is a block diagram illustrating a configuration of an information processing apparatus according to a second embodiment. It is a figure which shows the example of the information memorize | stored in accumulation | storage DB. It is a figure which shows the example of the information memorize | stored in rule DB. It is a figure for demonstrating a prior art. It is a figure for demonstrating a prior art.

Explanation of symbols

1 Information processing device 10 Process 11a Module A
11b Module B
15a, 55a Monitor 15b, 55b Monitor 16, 56 Monitoring unit 17, 57 Control unit 20 Process 30, 70 Storage unit 31, 71 Storage DB
32, 72 Rule DB
33, 73 Detector 50, 60 Web browser 51a Script A
51b Script B

Claims (10)

A fraud detection method for detecting unauthorized attacks and intrusions on computer systems,
An information collecting step for collecting various information generated by the module for each module in the process executed in the computer system;
Based on various information collected by the information collecting step, a monitoring step for monitoring the behavior indicating the unauthorized attack or intrusion for each module;
A fraud detection method characterized by including   When the various information collected by the information collecting step matches the behavior information stored in the behavior information storage unit that stores the behavior information specifying the behavior indicating the unauthorized attack or intrusion, the unauthorized attack or The fraud detection method according to claim 1, further comprising a detection step of detecting that an intrusion has occurred. The behavior information storage unit further stores control contents executed in association with the behavior information when the unauthorized attack or intrusion occurs,
When the detection process detects that an unauthorized attack or intrusion has occurred, the control information corresponding to the behavior information that matches the detected unauthorized attack or intrusion is identified from the behavior information storage unit and identified. The fraud detection method according to claim 2, further comprising a control execution step of executing control contents.   The fraud detection method according to claim 3, wherein a monitor that executes the information collection step, the monitoring step, and the control execution step is inserted into the process for each module. A fraud detection device that detects unauthorized attacks and intrusions on a computer system,
Information collecting means for collecting various information generated by the module for each module in the process executed in the computer system;
Based on various information collected by the information collecting means, monitoring means for monitoring the behavior indicating the unauthorized attack or intrusion for each module;
A fraud detection device characterized by comprising: Behavior information storage means for storing behavior information for identifying behavior indicating the unauthorized attack or intrusion;
And a detecting means for detecting that the unauthorized attack or intrusion has occurred when various information collected by the information collecting means matches the behavior information stored in the behavior information storage section. The fraud detection apparatus according to claim 5, wherein A fraud detection program that executes on a computer to detect unauthorized attacks and intrusions on a computer system,
An information collection procedure for collecting various information generated by the module for each module in the process executed in the computer system;
Based on various information collected by the information collection procedure, a monitoring procedure for monitoring the behavior indicating the unauthorized attack or intrusion for each module;
A fraud detection program characterized by causing a computer to execute.   When the various information collected by the information collecting step matches the behavior information stored in the behavior information storage unit that stores the behavior information specifying the behavior indicating the unauthorized attack or intrusion, the unauthorized attack or The fraud detection program according to claim 7, further comprising a detection step of detecting that an intrusion has occurred. An information processing system that detects unauthorized attacks and intrusions on computer systems,
Information collecting means for collecting various information generated by the module for each module in the process executed in the computer system;
Based on various information collected by the information collecting means, monitoring means for monitoring the behavior indicating the unauthorized attack or intrusion for each module;
An information processing system comprising: Behavior information storage means for storing behavior information for identifying behavior indicating the unauthorized attack or intrusion;
And a detecting means for detecting that the unauthorized attack or intrusion has occurred when various information collected by the information collecting means matches the behavior information stored in the behavior information storage section. The information processing system according to claim 9.

Images