JP2010186427A - Information processing apparatus and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an information processing apparatus capable of suppressing communications with others than a communication device having performed remote access, and a program. <P>SOLUTION: Control contents applied for communications with an external communication device are recorded in a communication control table. A system call management part 100 obtains an IP address of a communication device having performed remote access and delivers the IP address to a file writing management part 121 when detecting a system call issuing a kernel of OS as the process regarding the remote access accesses a file. The file writing management part 121 records the control contents indicating suppression of communications with others than the communication device having the IP address to a communication control table. A communication control part 150 controls communications with the external communication device based on the control contents of the communication control table. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to an information processing apparatus that performs processing related to remote access. The present invention also relates to a program for causing a computer to function as the information processing apparatus.

  In order to monitor the behavior of a remote intruder who enters a network device such as a server by remote access, a honeypot (see, for example, Non-Patent Document 1) that is intentionally set to easily enter is drawing attention. Many remote intruders access files in honeypots in order to steal information from honeypots or use malicious code as a springboard. One of the requirements for this honeypot is to prevent the invaded honeypot itself from sending out attack packets (outbound packets) to the outside.

Yusuke Tahara, “Network Crisis Management Using Honeypots” [online], January 19, 2002, [Search January 30, 2009], Internet <URL: http://www.atmarkit.co. jp / fsecurity / special / 13honey / honey01.html>

  As a typical technique for suppressing the transmission of attack packets to the outside, there is a technique for discarding packets by using a firewall. However, with this method, it is necessary to set a rule in the firewall to reject outgoing packets to the remote intruder, and the remote intruder was swallowed in the honeypot to send the packet to the remote intruder. You cannot monitor the behavior when. Therefore, a mechanism is desired that allows communication with a remote intruder while suppressing communication with outside the remote intruder.

  The present invention has been made in view of the above-described problems, and an object thereof is to provide an information processing apparatus and a program capable of suppressing communication with a communication apparatus other than a remote access apparatus.

  The present invention has been made in order to solve the above-described problem, and includes a storage unit that stores control contents applied to communication performed with an external communication device, and a process related to remote access when an OS accesses a file. When a system call issued to the kernel is detected, a system call management unit that obtains an IP address of the communication apparatus that has performed the remote access from the process and passes it to the processing unit, and an IP passed from the system call management unit Communication for controlling communication performed with an external communication device in accordance with the control content stored in the storage means and the control content stored in the storage means for indicating control content indicating suppression of communication with a communication device other than the communication device having an address And an information processing apparatus including a control unit.

  In the information processing apparatus of the present invention, the processing unit counts the number of packets transmitted to the communication device having the IP address passed from the system call management unit, and the number of the packets is equal to or greater than a predetermined value. In this case, a control content indicating that communication with a device other than the communication device having the IP address is suppressed is stored in the storage unit.

  In the information processing apparatus of the present invention, the processing unit counts the number of packets using a specific port among packets transmitted to the communication device having the IP address passed from the system call management unit. It is characterized by that.

  In the information processing apparatus of the present invention, when the communication device having the IP address passed from the system call management unit terminates remote access, the processing unit rejects the remote access from the communication device. The control content to be shown is stored in the storage means.

  The present invention is also a program for causing a computer to function as the information processing apparatus.

  According to the present invention, when a system call issued to the OS kernel when a process related to remote access accesses a file is detected, communication with a communication device other than the remote access device is suppressed. Since communication is controlled according to the control content, communication with a communication device other than the remote access device can be suppressed.

It is a block diagram which shows the structure of the information processing apparatus by the 1st Embodiment of this invention. FIG. 6 is a reference diagram illustrating a process when writing to a file in the information processing apparatus according to the first embodiment of the present invention. It is a flowchart which shows the procedure of the process which the information processing apparatus by the 1st Embodiment of this invention performs. It is a reference figure which shows the content of the communication control table in the 1st Embodiment of this invention. It is a reference figure which shows the content of the communication control table in the 1st Embodiment of this invention. It is a block diagram which shows the structure of the information processing apparatus by the 2nd Embodiment of this invention. It is a flowchart which shows the procedure of the process which the information processing apparatus by the 2nd Embodiment of this invention performs. It is a flowchart which shows the procedure of the process which the information processing apparatus by the 2nd Embodiment of this invention performs. It is a flowchart which shows the procedure of the process which the information processing apparatus by the 2nd Embodiment of this invention performs.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

(First embodiment)
First, a first embodiment of the present invention will be described. FIG. 1 shows the configuration of the information processing apparatus according to the present embodiment. The kernel 10 forms the basis of an operating system (OS) that operates on the information processing apparatus, and includes a system call management unit 100, a management table 110, a processing unit 120, a file writing unit 130, a communication unit 140, and a communication control unit. 150.

  The kernel 10 having these configurations is started when the CPU reads an OS program into a memory (RAM) and executes it, and includes a CPU and memory resources. That is, the kernel 10 shown in FIG. 1 includes a CPU resource that executes a process for realizing a function as a kernel, and an area allocated to a memory for executing the process.

  The system call management unit 100 manages system calls issued when processes generated on the information processing apparatus make various requests to the kernel 10. The management table 110 is generally a table called sys_call_table [], and records information indicating a processing program (kernel function) to be called when a request is received from a process by a system call.

  The processing unit 120 includes a file write management unit 121. The file write management unit 121 has a function of a hook_write () function that is a kernel function defined in the present embodiment, and performs a process to be described later when the process requests the kernel 10 to write a file. Execute. The file writing unit 130 is a kernel function generally called a sys_write () function, and writes to a file.

  The communication unit 140 is a kernel function generally called a sys_socketcall () function, and performs communication with an external communication device when the process requests the kernel 10 from the outside. The communication control unit 150 controls communication performed by the communication unit 140.

  The storage device 20 is an HDD (hard disk drive), a flash memory, or the like, and stores various files.

  Next, the operation of the information processing apparatus according to the present embodiment will be described. FIG. 2 shows a state of processing when a communication device (remote intruder) such as a PC logs in to the information processing device remotely using a program such as SSH (Secure SHell) and writes the file. . The remote login process 30, which is a process generated on the information processing apparatus by remote login, issues a file write request to the kernel 10 in order to write to the file. When the system call management unit 100 of the kernel 10 receives a write request to a file, the system call management unit 100 refers to the management table 110 and transfers the processing to the processing program indicated by the management table 110.

  In the management table 110, for each request, information indicating a processing program corresponding to the request is recorded. In the conventional operation, since the file writing unit 130 responds to a write request to a file, the process is transferred to the file writing unit 130. However, in the present embodiment, the management table 110 is rewritten in advance, and the file write management unit 121 corresponds to a write request to a file. For this reason, when the kernel 10 receives a write request to a file, the process is transferred to the file write management unit 121.

  The file write management unit 121 executes the process defined in the present embodiment, and then passes the process to the file write unit 130. The file writing unit 130 executes writing on the file, and then returns the processing result to the file writing management unit 121. The file write management unit 121 returns the processing result to the remote login process 30.

  FIG. 3 shows a detailed procedure of processing executed by the file writing management unit 121 from when the processing is transferred from the system call management unit 100 to when the processing is transferred to the file writing unit 130. When the remote login process 30 issues a system call indicating a file write request to the kernel 10, the system call management unit 100 that has detected the system call refers to the management table 110, and sends a file write management unit 121. Deliver the processing. As a result, the processing shifts to the file write management unit 121 (step S100).

  The file write management unit 121 requests the system call management unit 100 to acquire a file name. The system call management unit 100 acquires a file name from the remote login process 30 and passes it to the file write management unit 121 (step S105). The file writing management unit 121 determines whether or not the file name matches the file name (access log name) of the access log stored in the storage device 20 (step S110).

  At the time of login, a write request for the access log is made. If the acquired file name matches the access log name, the file write management unit 121 requests the system call management unit 100 to acquire the file name, process ID, and IP address of the remote intruder. The system call management unit 100 acquires the file name, process ID, and IP address from the remote login process 30 and passes them to the file write management unit 121 (step S115). The file write management unit 121 reads the communication control table from the storage device 20, edits the communication control table based on the IP address acquired from the system call management unit 100, and stores the edited communication control table in the storage device 20 ( Step S120). The contents of the communication control table and the editing method thereof will be described later.

  Subsequently, the file write management unit 121 passes the acquired file name, process ID, and IP address to the file write unit 130 and passes the process to the file write unit 130. Thereby, the process shifts to the file writing unit 130 (step S125). The file writing unit 130 records the file name, process ID, and IP address in association with the access log stored in the storage device 20.

  On the other hand, when the file name acquired in step S105 does not match the access log name, the file writing management unit 121 passes the file name acquired from the system call management unit 100 to the file writing unit 130 and processes it to the file writing unit 130. Hand over. Thereby, the process shifts to the file writing unit 130 (step S125). The file writing unit 130 writes to a file having the acquired file name among the files stored in the storage device 20.

  The communication control table is a table in which control contents applied to communication performed with an external communication device are recorded, and is generally called iptable. FIG. 4 shows an example of the contents of the communication control table before the file write management unit 121 edits in step S120 of FIG. As shown in FIG. 4, in the communication control table, the source IP that is the source IP address of the packet, the destination IP that is the destination IP address of the packet, the service name, and the processing content are associated with each other. . “Honeypot IP” in the figure indicates the IP address of the information processing apparatus, and “ANY” indicates that it is arbitrary.

  When a process issues a system call indicating a communication request with an external communication device to the kernel 10, the system call management unit 100 that detects the system call refers to the management table 110 and performs processing on the communication unit 140. Deliver. At this time, the system call management unit 100 acquires the IP address of the communication partner from the process, and passes the IP address to the communication unit 140. The communication unit 140 starts communication with a communication device having the IP address.

  Further, the communication control unit 150 reads the communication control table from the storage device 20, and controls the communication unit 140 so as to permit / reject packet transmission / reception according to the contents of the communication control table. Although the packet transmitted to and received from all communication devices is basically discarded by the setting 420, the settings 400 and 410 are applied with priority over the setting 420. Therefore, as indicated by the setting 410, any external communication device can transmit a packet (Inbound packet) to the information processing device of the present embodiment and perform remote access.

  FIG. 5 shows an example of the contents of the communication control table after the file write management unit 121 has edited in step S120 of FIG. The file write management unit 121 updates the source IP in the setting 410 of FIG. 4 with the IP address of the remote intruder acquired from the system call management unit 100 to obtain the setting 500. As a result, only a remote intruder can remotely access the information processing apparatus of this embodiment. In addition, the file writing management unit 121 adds a setting 510. Thus, only transmission of packets (outbound packets) to remote intruders is permitted, and packets to other communication devices are discarded, so that attack packets are not transmitted to other communication devices.

  It is necessary to prevent a remote intruder from performing a destructive attack when a malicious user finds out that the information processing apparatus of this embodiment is a honeypot. Therefore, in the present embodiment and the second embodiment described later, the following may be performed.

  When a remote intruder logs out to terminate remote access, that information is recorded in the access log. Therefore, according to the procedure similar to the procedure shown in FIG. 3, the file writing management unit 121 sets the processing content of the setting 500 in FIG. 5 to “reject” when detecting the logout of the remote intruder. As a result, after the remote intruder terminates the remote access, the same remote intruder cannot remotely access the information processing apparatus of the present embodiment again.

Alternatively, by rewriting the communication control table while the remote intruder is logged in, only the currently logged-in communication session is allowed, but a setting for rejecting the establishment of all other communication sessions may be performed. As a result, after the remote intruder terminates the remote access, the same remote intruder cannot remotely access the information processing apparatus of the present embodiment again. To make this setting, a setting corresponding to the following command may be made.
# iptables -A INPUT -m state --state ESTABLISHED, RELATED -j ACCEPT
# iptables -A INPUT -j REJECT

  As described above, according to the present embodiment, the system call management unit 100 detects a system call issued to the kernel 10 when a process related to remote access accesses the access log during login, and the file write management unit 121. Edits the communication control table so as to include control contents indicating that communication with devices other than the remote access device is suppressed. As a result, it is possible to perform control in real time to suppress communication with a communication device other than the remote access device. Further, by preventing remote access again after logout by the same remote intruder, it is possible to prevent the spread of an attack using the information processing apparatus of the present embodiment as a stepping stone.

(Second Embodiment)
Next, a second embodiment of the present invention will be described. As shown in the first embodiment, it is possible to completely prevent the leakage of attack packets by rewriting the communication control table immediately after the remote intruder logs in. However, a malicious user may be suspicious if transmission of a packet from a device that has successfully intruded to another communication device is not permitted to some extent. Therefore, in the present embodiment, control is performed to allow a certain amount of packet transmission to another communication apparatus immediately after the remote intruder logs in.

  FIG. 6 shows the configuration of the information processing apparatus according to the present embodiment. The difference from the first embodiment is that a communication management unit 122 is added to the processing unit 120. The communication management unit 122 has a function of a hook_socketcall () function that is a kernel function defined in the present embodiment, and executes processing described later when communication with the outside is requested from the process to the kernel 10. To do.

  FIG. 7 shows a detailed procedure of processing executed by the file writing management unit 121 from when the processing is transferred from the system call management unit 100 to when the processing is transferred to the file writing unit 130. Compared with the procedure shown in FIG. 3, step S120 for editing the communication control table is deleted. Others are similar to the procedure shown in FIG.

  When a process issues a system call indicating a communication request with an external communication device to the kernel 10, the system call management unit 100 that detects the system call refers to the management table 110. In this embodiment, the management table 110 is rewritten in advance, and the communication management unit 122 corresponds to a communication request with an external communication device. For this reason, when the kernel 10 receives a communication request with an external communication device, the processing is transferred to the communication management unit 122.

  The system call management unit 100 acquires the IP address of the communication partner from the process, and passes the IP address to the communication management unit 122. The communication management unit 122 passes the IP address to the communication unit 140 to start communication with the communication device having the IP address, and executes the processing shown in FIG.

  First, the communication management unit 122 reads the access log from the storage device 20, and determines whether or not the IP address acquired from the system call management unit 100 matches the IP address recorded in the access log (step). S200). If the IP address acquired from the system call management unit 100 does not match any IP address recorded in the access log, communication with another person who is not a remote intruder to be monitored in this embodiment is performed. The process shown in FIG.

  On the other hand, when the IP address acquired from the system call management unit 100 matches one of the IP addresses recorded in the access log, communication with the remote intruder is performed. Therefore, the communication management unit 122 counts packets (Outbound packets) transmitted to the remote intruder (step S205). Subsequently, the communication management unit 122 determines whether or not the count number is equal to or greater than a predetermined threshold (step S210). If the count number is less than the predetermined threshold, the process returns to step S205, and packet counting is continued.

  On the other hand, when the count number is equal to or greater than the predetermined threshold, the communication management unit 122 edits the communication control table based on the IP address acquired from the system call management unit 100 and stores the edited communication control table in the storage device 20. (Step S215). The editing contents of the communication control table are the same as the editing contents described with reference to FIGS. As a result, transmission of packets to other communication devices including the remote intruder is permitted until the number of packets exceeds a predetermined value. After the number of packets exceeds the predetermined value, communication other than the remote intruder Transmission of the packet to the device is rejected.

  The communication management unit 122 may perform the process shown in FIG. 9 instead of the process shown in FIG. The procedure shown in FIG. 9 will be described below. Compared with the procedure shown in FIG. 8, steps S220 and S225 are added in the procedure shown in FIG.

  In step S200, when the IP address acquired from the system call management unit 100 matches one of the IP addresses recorded in the access log, the communication management unit 122 determines the destination from the packet transmitted to another communication device. Port (Destination Port) is acquired (step S220). Subsequently, the communication management unit 122 determines whether or not the acquired destination port is a preset dangerous port (step S225). The dangerous ports are, for example, Port 25 used for sending spam mail, Ports 135 to 139 used by viruses, and Ports 1433 to 1434 used by worms targeting SQL servers.

  If the destination port is not a dangerous port, the process returns to step S220. On the other hand, if the destination port is a dangerous port, the process proceeds to step S205. The subsequent procedure is the same as the procedure shown in FIG. Therefore, according to the procedure shown in FIG. 9, transmission of packets to other communication devices including remote intruders is permitted until the number of packets using dangerous ports exceeds a predetermined value. After the number of packets using the Port exceeds a predetermined value, transmission of packets to communication devices other than the remote intruder is rejected.

  As described above, according to the present embodiment, the communication management unit 122 performs control to allow transmission of packets to other communication devices to some extent immediately after a remote intruder logs in. As a result, it is possible to make it difficult for a malicious user to notice that the information processing apparatus of the present embodiment is a honeypot.

  By applying the information processing apparatus according to the first and second embodiments described above to the honeypot, it is possible to monitor the behavior of the remote intruder. In addition, the information processing apparatus according to the present embodiment can be applied to a system having a purpose of permitting access only to a specific remote user.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like without departing from the gist of the present invention. . For example, a program for realizing the operations and functions of the information processing apparatus may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read by the computer and executed.

  Here, the “computer” includes a homepage providing environment (or display environment) if the WWW system is used. The “computer-readable recording medium” refers to a storage device such as a portable medium such as a flexible disk, a magneto-optical disk, a ROM, and a CD-ROM, and a hard disk built in the computer. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program described above may be transmitted from a computer storing the program in a storage device or the like to another computer via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the above-described program may be for realizing a part of the above-described function. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer, what is called a difference file (difference program) may be sufficient.

  DESCRIPTION OF SYMBOLS 10 ... Kernel, 20 ... Storage device (storage means), 100 ... System call management unit (system call management unit), 110 ... Management table, 120 ... Processing unit (processing unit), 121: File writing management unit, 122: Communication management unit, 130: File writing unit, 140: Communication unit, 150: Communication control unit

Claims (5)

Storage means for storing control contents applied to communication performed with an external communication device;
When a system call issued to the OS kernel when a process related to remote access accesses a file is detected, the system call obtains the IP address of the communication device that performed the remote access from the process and passes it to the processing means Management means;
The processing means for storing in the storage means a control content indicating that communication with a device other than the communication device having the IP address passed from the system call management means is suppressed;
Communication control means for controlling communication performed with an external communication device according to the control content stored in the storage means;
An information processing apparatus comprising:   The processing means counts the number of packets transmitted to the communication device having the IP address passed from the system call management means, and has the IP address when the number of the packets exceeds a predetermined value. The information processing apparatus according to claim 1, wherein control content indicating that communication with a device other than the communication device is suppressed is stored in the storage unit.   3. The processing unit according to claim 2, wherein the processing unit counts the number of packets using a specific port among packets transmitted to the communication device having the IP address passed from the system call management unit. Information processing device.   The processing means stores, in the storage means, control contents indicating that when a communication device having an IP address passed from the system call management means terminates remote access, the remote access from the communication device is rejected. The information processing apparatus according to claim 1, wherein the information processing apparatus is an information processing apparatus.   The program for functioning a computer as an information processing apparatus in any one of Claims 1-4.

Images