JP2011101172A - Worm infection source specification system, specification method and specification program, agent, and manager computer - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a worm infection source specifications system, and so on, capable of specifying a worm specification source and the route thereof, by reducing the throughput of each computer. <P>SOLUTION: An agent computer 21, or the like, includes a packet-inspecting means 251 for inspecting a communication packet and recording the communication packet as a communication log temporary table; a signature management table 261 for storing a condition for detecting communication by a worm and a signature ID corresponding to the condition; communication log aggregating means 202 and 203 for aggregating communications having the same transmission source, destination network and signature ID from contents of the communication log temporary table for generating a communication log transmission table; and a communication log transmitting means 254 for transmitting the communication log transmission table. A manager computer 20 includes a communication log storing means 201 for storing the content received from the agent computer as a communication log management table, and a worm infection source specifying means 202 for specifying a worm infection terminal from data recorded in the communication log management table. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to specifying a worm infection source and its route on a computer network, and more particularly to reducing the load on a computer device and network related to the process of specifying the infection source and route.

  Computer networks have become an important infrastructure for society and corporations, and at the same time, damage caused by malicious programs that spread infection through the networks, that is, computer viruses in a broad sense, has become serious. In this specification, among computer viruses in a broad sense, a program file that does not require a host file and that can be executed independently by itself is called a worm.

  This worm performs illegal actions such as DoS attack (Denial of Service attack), spam mail transmission, leakage of confidential data, etc. As a result, for example, it is excessive for a specific web server or e-mail server. Damage such as a network failure caused by a load has actually occurred. This may cause business problems for businesses or loss of social credibility. If a computer device infected with a worm (hereinafter referred to as the source of infection) is connected to the corporate network, the computer device is quickly It is necessary to identify and take appropriate measures.

  However, worms have emerged with subspecies and new species one after another, and the techniques to spread the infection have become more sophisticated year by year, so worm countermeasures have to be “wet pretend”. Security and convenience are in a trade-off relationship, and worms can even be infected by flaws in the security policy that has been set. For this reason, it is extremely difficult to completely prevent infection by worms.

  Use IPS (Intrusion Prevention System) for worms that cannot be detected by existing anti-virus technologies or worms that are infected with defective security settings, such as firewalls and terminals connected to the network. It is common practice to collect communication logs in a server computer, perform correlation analysis, etc., detect abnormal communication, and specify the infection route and source.

  In relation to this, there are the following technical documents. Patent Document 1 describes an infection prevention system in which information of each terminal is collected by an IP node scope, and the monitor system detects a worm from the collected information. Patent Document 2 describes a worm determination device that detects a worm by detecting communication corresponding to a predetermined detection condition from communication log data. Patent Document 3 describes a worm propagation monitoring system that captures and records illegal communication packets and identifies their propagation paths.

JP 2007-109247 A Japanese Patent No. 4051020 Japanese Patent No. 4235907

  However, the amount of communication logs stored in each device connected to the network is enormous. In order to detect a communication satisfying a specific condition and detect a worm infection from this, a huge load is imposed on the computer apparatus in charge of this process.

  In addition, transferring this enormous log between devices via the network also imposes a load on the entire network. If there is a worm-infected device on the network, even if that device communicates an abnormal number of times or capacity, it compresses the bandwidth of the network and imposes an excessive load on other devices. It is not realistic to transfer a huge log.

  None of the above-mentioned patent documents 1 to 3 describe the reduction of the amount of data transferred and the amount of processing in each computer, so these techniques cannot solve the above problems. .

  An object of the present invention is to provide a worm infection source identification system that can reduce the amount of data transferred on a network and the processing amount of each computer related to detection processing to identify the worm infection source and its route, To provide a specific method and a specific program, an agent, and a manager computer.

  In order to achieve the above object, a worm infection source identification system according to the present invention is a worm infection source identification system that detects that a worm-infected terminal, which is a computer device infected with a worm, is connected to a computer network, An agent computer that collects information about the worm-infected terminal and a manager computer that receives the information collected by the agent computer and identifies the worm-infected terminal, and the agent computer inspects communication packets on the computer network and inspects them. Packet inspection means for recording the result as a communication log temporary table, a signature management table preliminarily storing a condition for detecting communication by a worm and a signature ID corresponding thereto, and the source of the contents of the communication log temporary table To A communication log aggregating unit that aggregates communications having the same network and signature ID to create a communication log transmission table; and a communication log transmission unit that transmits the communication log transmission table to a manager computer. .

  In order to achieve the above object, an agent computer according to the present invention is an agent computer that collects information about a worm-infected terminal, which is a computer device infected with a worm, and transmits the information to a manager computer. Packet inspection means for inspecting and recording the inspection result as a communication log temporary table, a signature management table preliminarily storing conditions for detecting communication by a worm and a signature ID corresponding thereto, and contents of the communication log temporary table Communication log aggregating means for aggregating communications having the same source, destination network, and signature ID from the above to create a communication log transmission table; and a communication log transmission means for transmitting the communication log transmission table to the manager computer; Have The features.

  To achieve the above object, a manager computer according to the present invention is a manager computer that detects that a worm-infected terminal, which is a computer device infected with a worm, is connected to a computer network, and is connected to the same computer network. Communication log storage means for storing information about the worm-infected terminal received from the agent computer as a communication log management table, and infection indicating the worm infection route by identifying the worm-infected terminal from the data recorded in the communication log management table And a worm infection source identifying means for creating a route list.

  In order to achieve the above object, a worm infection source identification method according to the present invention includes a manager computer that detects that a worm-infected terminal, which is a computer device infected with a worm, is connected to a computer network, and information about the worm-infected terminal. A worm infection source identification system comprising an agent computer that collects and transmits the information to a manager computer, wherein the agent computer stores in advance a condition for detecting communication by the worm and a corresponding signature ID in a signature management table, The agent computer inspects the communication packet on the computer network, the agent computer compares the communication packet with the signature management table to identify the signature ID, and the agent computer The inspection result is recorded as a communication log temporary table, and the agent computer creates a communication log transmission table by aggregating communications with the same source, destination network, and signature ID from the contents of the communication log temporary table. Then, the agent computer transmits the communication log transmission table to the manager computer, the manager computer stores the contents of the communication log transmission table received from the agent computer as a communication log management table, and the manager computer manages the communication log. A worm-infected terminal is identified from the data recorded in the table, and an infection route list indicating the infection route of the worm is created.

  In order to achieve the above object, a worm infection source identification program according to the present invention includes a manager computer that detects that a worm-infected terminal, which is a computer device infected with a worm, is connected to a computer network, and information on the worm-infected terminal. In the worm infection source identification system comprising an agent computer that collects and transmits the information to the manager computer, the agent computer stores a condition for detecting communication by the worm and a corresponding signature ID in the signature management table in advance. A procedure for inspecting a communication packet on the network, a procedure for checking a communication packet against a signature management table to identify a signature ID, a procedure for recording a communication packet inspection result as a communication log temporary table, and a communication A procedure for creating a communication log transmission table by aggregating communications with the same source, destination network and signature ID from the contents of the temporary table, and a procedure for transmitting the communication log transmission table to the manager computer. It is made to perform.

  In order to achieve the above object, another worm infection source identification program according to the present invention includes a manager computer that detects that a worm-infected terminal that is a computer device infected with a worm is connected to a computer network, and a worm-infected terminal. A worm infection source identifying system comprising an agent computer that collects information about and sends it to a manager computer, the manager computer storing information on the worm-infected terminal received from the agent computer as a communication log management table; A procedure for identifying a worm-infected terminal from data recorded in the communication log management table and creating an infection route list indicating the infection route of the worm is executed.

  As described above, the present invention is configured such that the agent computer aggregates the communication logs and transmits the collected logs to the manager computer, and the manager computer identifies the worm-infected terminal from there, so that both the agent computer and the manager computer have a processing amount. To reduce the amount of data transferred. This makes it possible to identify the source of worm infection and its route by reducing the amount of data transferred over the network and the processing amount of each computer involved in detection processing. Source identification systems, identification methods and programs, agents and manager computers can be provided.

It is explanatory drawing which shows the structure of the computer network which concerns on the 1st Embodiment of this invention. It is explanatory drawing which shows the structure as hardware of each computer apparatus shown in FIG. It is explanatory drawing which shows the structure as software of the manager program shown in FIG. It is explanatory drawing which shows the structure as software of the agent program shown in FIG. FIG. 5 is an explanatory diagram showing a data configuration of a signature management table shown in FIG. 4. FIG. 5 is an explanatory diagram illustrating a data configuration of an exception information management table illustrated in FIG. 4. FIG. 5 is an explanatory diagram showing a data configuration of a network management table shown in FIG. 4. FIG. 5 is an explanatory diagram illustrating a data configuration of a communication log temporary table illustrated in FIG. 4. FIG. 5 is an explanatory diagram illustrating a data configuration of a communication log aggregation table and a communication log transmission table illustrated in FIG. 4. It is explanatory drawing which shows the data structure of the agent computer information table shown in FIG. It is explanatory drawing which shows the data structure of the communication log management table shown in FIG. 5 is a flowchart showing an operation in which the packet inspection unit shown in FIG. 4 inspects a received packet and stores a communication log in a communication log temporary table. FIG. 5 is a flowchart illustrating an operation in which the communication log primary aggregation unit illustrated in FIG. 4 periodically refers to the communication log temporary table and aggregates the communication logs into the communication log aggregation table. Operation in which the communication log secondary aggregation means shown in FIG. 4 periodically refers to the communication log aggregation table and aggregates the communication log in the communication log transmission table, and the communication log transmission means transmits the communication log transmission table to the manager computer. It is a flowchart which shows. FIG. 5 is an explanatory diagram illustrating a data configuration of a communication log transmission table illustrated in FIG. 4. FIG. 4 is a flowchart showing an operation in which the communication log storage means shown in FIG. 3 receives the contents of a communication log transmission table sent from an agent computer and stores it in the communication log management table. This is an example in which information necessary for specifying the worm infection source and infection route is extracted from the communication log management table shown in FIG. It is a flowchart which shows the operation | movement which the NW arrival list | wrist produces | generates from the extracted communication log management table by the worm infection source identification means 202 shown in FIG. It is explanatory drawing which shows the NW arrival list | wrist produced with respect to each (1-5) of communication log ID of the extracted communication log management table shown in FIG. It is a flowchart which shows the operation | movement in which the worm infection source identification means shown in FIG. 3 creates an infection route list from the NW arrival list. It is explanatory drawing which shows the infection route list created by the process shown in FIG. 20 with respect to the NW arrival list. It is a flowchart which shows the operation | movement which the infection route map creation means 203 shown in FIG. 3 produces an infection route list from an infection route list, and outputs the infection source and infection route of a worm to an infection route map. It is explanatory drawing which shows the infection route figure created from the infection route list shown in FIG. 21 by the process shown in FIG. It is explanatory drawing which shows the structure of the computer network which concerns on the 2nd Embodiment of this invention. It is explanatory drawing which shows the structure as software of each agent computer shown in FIG. FIG. 25 is an explanatory diagram showing a data configuration of a network management table shown in FIG. 24.

(First embodiment)
Hereinafter, the structure of the 1st Embodiment of this invention is demonstrated based on attached FIGS. 1-4.
First, the basic content of the present embodiment will be described, and then more specific content will be described.
The worm infection source identification system according to the present embodiment is a worm infection source identification system that detects that a worm-infected terminal, which is a computer device infected with a worm, is connected to the computer network 1. This system includes agent computers 21, 22, and 23 that collect information about a worm-infected terminal, and a manager computer 20 that receives information collected by the agent computer and identifies a worm-infected terminal. The agent computers 21, 22, 23 inspect the communication packet on the computer network and record the inspection result as the communication log temporary table 264, the condition for detecting the communication by the worm, and the signature corresponding thereto. Communication log aggregating means 202 that creates a communication log transmission table 266 by aggregating communications having the same source ID, destination network, and signature ID from the contents of the signature management table 261 storing the ID and the communication log temporary table. To 203, and a communication log transmission means 254 for transmitting the communication log transmission table to the manager computer.

  Here, the communication log aggregating means of the agent computer counts the communication with the same source, destination network and signature ID from the contents of the communication log temporary table, counts the number of destination IPs, The communication log primary aggregation unit (communication log primary aggregation means 252) to be created and the communication having the same source, destination network, and signature ID are aggregated from the contents of the communication log aggregation table to determine the number of destination IPs. And a communication log secondary aggregating unit (communication log secondary aggregating means 253) that adds up and creates a communication log transmission table. In addition, the communication log primary aggregation unit has a function of deleting, from the communication log temporary table, data that has passed a timeout time stored in advance in the signature management table.

  Further, the agent computer has an exception information management table 262 that stores communication contents that are not targeted for detection of the worm-infected terminal, and the packet inspection unit 251 stores the communication packet inspection result in the exception information management table. The communication with the stored contents is excluded and recorded in the communication log temporary table.

  One manager computer 20 stores the communication log storage means 201 that stores the contents of the communication log transmission table received from the agent computer as the communication log management table 212, and identifies the worm-infected terminal from the data recorded in the communication log management table. And a worm infection source identifying means 202 for creating an infection route list 218 indicating the infection route of the worm.

  The worm infection source identifying unit 202 of the manager computer identifies a worm-infected terminal from at least one of the number of user IDs and the number of destination IPs of communication packets recorded in the communication log management table 212. The manager computer has an infection route diagram creation means 203 that creates and outputs an infection route diagram 219 that illustrates the date and route when the worm spreads in the computer network from the infection route list 218.

With the above configuration, this worm infection source identification system can reduce the processing amount of each computer and identify the worm infection source and its infection route.
Hereinafter, this will be described in more detail.

  FIG. 1 is an explanatory diagram showing a configuration of a computer network 1 according to the first embodiment of the present invention. In the computer network 1, a plurality of LANs (Local Area Networks) configured by connecting computer devices to each other according to a communication standard such as Ethernet (registered trademark) are further mutually connected by a router that is a network device that relays data. Connected to and configured.

  The computer network 1 can be divided into three LANs: a first segment 11, a second segment 12, and a third segment 13, and the first router 41 transfers data between the first segment 11 and the second segment 12. Relay. The second router 42 relays data between the second segment 12 and the third segment 13.

  The third segment 13 includes a manager computer 20 that is a computer device that manages the operation of worm infection detection in the entire computer network 1 and an agent that is a computer device that performs the operation of worm infection detection based on control from the manager computer 20. A computer 23 is connected.

  Connected to the second segment 12 is an agent computer 22 which is a computer device that performs an operation of detecting a worm infection based on control from the manager computer 20. Connected to the first segment 11 are an agent computer 21 that is a computer device that performs an operation of detecting a worm infection based on control from the manager computer 20 and a worm-infected terminal 30 that is a computer device infected with the worm. . In addition to the manager computer 20, agent computer, and worm infected terminal 30, clients 31, 32,... That are a plurality of computer devices are connected to each segment.

  Here, the IP address range allocated to the first segment 11 is “192.168.3.0/24”. Similarly, the IP address range allocated to the second segment 12 is “192.168.4.0/24”, and the IP address range allocated to the third segment 13 is “192.168.5.0/24”. is there. An IP address is assigned to each computer belonging to each segment from these ranges.

  Among them, the IP address of the worm-infected terminal 30 is “192.168.3.1”, the IP address of the agent computer 21 is “192.168.3.254”, and the IP address of the agent computer 22 is “192.168.”. .4.254 ”, the IP address of the agent computer 23 is“ 192.168.5.5.254 ”, and the IP address of the manager computer 20 is“ 192.168.5.1 ”. Each of the clients 31, 32,... Is assigned an IP address that does not correspond to the manager computer 20, agent computers 21, 22, 23, and worm-infected terminal 30 in the above address range.

  In this embodiment, one agent computer is arranged in each segment delimited by the router. One manager computer is arranged for the entire computer network 1. In addition, it is desirable to perform communication between the manager computer and the agent computer by encryption, but since this encryption method itself is not within the scope of the present invention, a known encryption method can be applied.

  However, actual operation is not always the same as this example. The agent computer may be installed on any device as long as it can monitor communication of the corresponding network and can communicate with the manager computer. One computer device can be an agent computer corresponding to a plurality of manager computers.

  FIG. 2 is an explanatory diagram showing the hardware configuration of the manager computer 20 and the agent computers 21 to 23 shown in FIG. Each of the manager computer 20 and the agent computers 21 to 23 is a processor 101 that is a computing device that executes a computer program, storage means 102 that stores programs and data, and data that is connected to the computer network 1 to other computer devices. A communication unit 103 that performs communication and an output unit 104 (such as a display or a printer) that outputs a result to a user are provided. Since the agent computers 21 to 23 all have the same configuration, only the detailed configuration of the agent computer 21 is illustrated. In the present embodiment, the output means 104 of the agent computers 21 to 23 is not used, so this is not shown.

  The processor 101 executes each program described later. Various data used in the operation is stored in the storage unit 102. Hereinafter, a program executed on the manager computer 20 is referred to as a manager program 200. A program executed by each of the agent computers 21, 22, and 23 is referred to as an agent program 250.

  FIG. 3 is an explanatory diagram showing the software configuration of the manager program 200 shown in FIG. The manager program 200 periodically acquires data from agent computers registered in the agent computer information table 211 on the storage means 102 and stores the data in the communication log management table 212 on the storage means 102; The worm infection source identifying means for periodically referring to the communication log management table 212 on the storage means 102 to identify the infection source and infection route of the worm and storing these identification results in the infection route list 218 on the storage means 102 202, and an infection route diagram creation unit 203 that creates an infection route diagram 219 from the generated information and outputs the infection route diagram 219 to the output unit 104.

  The storage unit 102 also stores an initial setting file 271 that stores initial setting parameters of the manager program 200. The initial setting parameters here are a worm detection condition and a worm detection interval.

  The worm detection condition is a numerical value for each of the number of user IDs and the number of destination IPs, which is a condition for determining whether or not to identify a worm infection source. For each of the number of user IDs and the number of destination IPs in the communication log management table 212, a threshold value for determining whether or not to specify a worm infection source is set here. Initial values are set such that the number of user IDs> 1 and the number of destination IPs> 1. A plurality of conditions can be specified, and a period to be inspected can be specified for each condition. The worm detection interval is an interval at which the worm infection source identification unit 202 checks the communication log management table 212 and performs a worm infection source identification process.

  FIG. 4 is an explanatory diagram showing the software configuration of the agent program 250 shown in FIG. The agent program 250 includes a packet inspection unit 251 that inspects communication packets received by the communication unit 103 from other devices, a communication log primary aggregation unit 252 and a communication log secondary aggregation unit 253 that aggregate inspection results of the communication packets. And communication log transmission means 254 for transmitting the aggregated communication log to the manager program 200.

  The packet inspection unit 251 inspects the communication packet with reference to the signature management table 261 and the exception information management table 262 on the storage unit 102, and stores the inspection result in the communication log temporary table 264 on the storage unit 102. The communication log primary aggregation unit 252 periodically checks the communication log temporary table 264 on the storage unit 102 while referring to the signature management table 261 and the network management table 263 on the storage unit 102, and the signature management is included therein. Those exceeding the threshold set in the table 261 are recorded in the communication log aggregation table 265 on the storage means 102.

  The communication log primary aggregation unit 252 further deletes those recorded in the communication log aggregation table 265 on the storage unit 102 and exceeding the timeout value set in the signature management table 261 on the storage unit 102. Then, the communication log secondary aggregation unit 253 creates a communication log transmission table 266 that further aggregates the communication log aggregation table 265 on the storage unit 102. The communication log transmission unit 254 transmits the communication log transmission table 266 to the manager program 200.

  The storage unit 102 also stores an initial setting file 271 that stores initial setting parameters of the agent program 250. The initial setting parameters here are a communication log temporary table check interval and a communication log aggregation table check interval.

  The communication log primary aggregation unit 252 periodically checks the communication log temporary table 264 based on the value of the communication log temporary table check interval, and deletes the entry based on the threshold value and the check timeout column of the signature management table 261. Alternatively, the data is aggregated in the communication log aggregation table 265. By deleting the referred entries from the communication log temporary table 264 after aggregation, resource consumption of the agent computer is reduced.

  The communication log secondary aggregation means 253 periodically checks the communication log aggregation table 265 based on the value of the communication log aggregation table check interval, further aggregates the entries in the communication log aggregation table 265, and transmits the communication log. A table 266 is assumed.

  FIG. 5 is an explanatory diagram showing the data structure of the signature management table 261 shown in FIG. The agent program 250 has the authority to change the recorded data in the signature management table 261 as necessary. The signature management table 261 can be referred to and changed from the manager program 200 by instructing each agent computer.

  The signature management table 261 records the following contents. The signature ID 261a is an ID for uniquely identifying the type of worm or the type of attack by the worm (this is called a signature). The packet inspection unit 251 compares the received packet with the received packet in order from the smallest signature ID 261a for each protocol described later.

  The identification name 261b is an identification name of each signature. This can be named arbitrarily. The protocol 261c is the name of a protocol to be inspected, for example, TCP (Transmission Control Protocol), UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol), or the like.

  The rule 261d indicates a communication content rule to be inspected. For example, in the case of “destination port = 80”, communication with respect to this port is an inspection target. In addition, it is also possible to detect e-mail transmission by setting the protocol 261c as “TCP”, the rule 261d as “destination port = 25”, and “RCPT TO:% UNIQ_ID%”. % UNIQ_ID% is user-specific identification information that is included in the received packet and specified at the time of e-mail transmission. This is a user ID (264c) included in a communication log temporary table 264 described later. If the protocol 261c is “ICMP” and the rule 261d is “type = 8”, an echo request (ping command) can be detected.

  The threshold value 261e is a numerical value serving as a reference for determining whether or not the worm is an unauthorized attack. When the communication log primary aggregation means 252 updates the communication log temporary table 264 described later, the communication log primary table 264 compares the number of attacks in the corresponding row of the communication log temporary table 264 with the threshold 261e, and the number of attacks performed within a unit time is the threshold. It is confirmed whether or not it exceeds 261e, and if it exceeds, the data of the corresponding row is collected in the communication log aggregation table 265. Details of this operation will be described later.

  The inspection timeout number of seconds 261f is a set value of the number of seconds until the communication registered in the communication log temporary table 264 is deleted therefrom. When the communication log primary aggregation means 252 updates the communication log temporary table 264, it compares the data registration time of the corresponding row of the communication log temporary table 264 with the inspection timeout number of seconds 261f, and after the data is registered. If the elapsed time exceeds the inspection timeout number of seconds 261f, the corresponding line is deleted from the communication log temporary table 264.

  It is desirable to register the following entry at the end of the signature management table 261 so that the packet inspection unit 251 can capture the packet without missing it. The identifier 261b is “other $ {uniq_num}”, the protocol 261c is “TCP”, the rule 261d is “destination port = $ {dst_port}”, the threshold 261e is “1”, and the inspection timeout number of seconds 261f is “1”. . uniq_num is a variable representing a unique number, and dst_port is a variable representing a destination port number. It is desirable to set the same rule when the protocol 261c is UDP or ICMP.

  In order to deal with unknown worms, all of the communications assumed as worm operations may be registered in advance in the signature management table 261, or communications in which the packet inspection means 251 is not registered in the signature management table 261. It is also possible to add a new entry by dynamically assigning an ID and an identification name at the timing at which is detected.

  FIG. 6 is an explanatory diagram showing the data structure of the exception information management table 262 shown in FIG. The agent program 250 has the authority to change the recorded data of the exception information management table 262 as necessary. The exception information management table 262 records the following contents. The ID 262a is an ID for uniquely identifying registered exception information. The transmission source address 262b, the destination address 262c, and the protocol 262d are the transmission source address, the destination address, and the protocol, respectively, of the communication to be treated as an exception. The rule 262e indicates attributes other than those described above for communication targeted for exception handling.

  In the exception information management table 262, communication that is clearly unrelated to the worm, such as communication that occurs when printing using a network printer, is registered. The packet inspection unit 251 compares the captured communication with the entry in the exception information management table 262 before comparing the captured communication with the entry in the signature management table 261, and this communication corresponds to the entry in the exception information management table 262. If you want to, stop the inspection of the communication captured here. This saves machine resources.

  FIG. 7 is an explanatory diagram showing a data configuration of the network management table 263 shown in FIG. The agent program 250 has the authority to change the recording data of the network management table 263 as necessary. The manager program 200 can also refer to the network management table 263 by instructing each agent computer.

  The network management table 263 records the following contents. The network ID 263a is an ID for uniquely specifying a registered network address. The network address 263b represents a range of IP addresses belonging to each network ID 263a.

  The first segment 11 has a network ID 263a = “1” and a network address 263b = “192.168.3.0/24”. Similarly, the second segment 12 has a network ID 263a = “2” and a network address 263b = “192.168.4.0/24”, and the third segment 13 has a network ID 263a = “3” and a network address 263b = “ 192.168.5.0/24 ".

  FIG. 8 is an explanatory diagram showing the data structure of the communication log temporary table 264 shown in FIG. The agent program 250 has the authority to change the recorded data in the communication log temporary table 264 as necessary. The communication log temporary table 264 records the following contents. The transmission source IP 264a and the destination IP 264b indicate the IP addresses of the transmission source and the destination, respectively, of the communication captured by the packet inspection unit 251.

  The user ID 264c indicates the character string when the communication captured by the packet inspection unit 251 includes a character string indicating the user. If there is no character string indicating the user, it becomes empty data (null). The signature ID 264d indicates the signature ID 261a of the signature management table 261 corresponding to the captured communication.

  The registration time 264e indicates the time when the data corresponding to this row is first registered in the communication log temporary table 264. The number of attacks 264f indicates the number of times communication with the same transmission source IP 264a, destination IP 264b, user ID 264c, and signature ID 264d has been performed since the data was first registered in the communication log temporary table 264.

  FIG. 9 is an explanatory diagram showing the data structure of the communication log aggregation table 265 and the communication log transmission table 266 shown in FIG. The agent program 250 has the authority to change the recorded data in the communication log aggregation table 265 and the communication log transmission table 266 as necessary.

  The communication log aggregation table 265 records the following contents. The transmission source IP 265 a is a transmission source IP address of communication captured by the packet inspection unit 251. The destination NW 265b is an ID that can uniquely identify the destination network address of the communication captured by the packet inspection unit 251. In this case, the communication log primary aggregation unit 252 refers to the network management table 263 and registers the value of the corresponding network ID 263a. In this specification, “network” may be abbreviated as “NW”.

  The destination IP number 265c indicates the total number of destination IP addresses included in the communication captured by the packet inspection unit 251. When the communication log primary aggregation means 252 aggregates communication logs from the communication log temporary table 264 or the communication log aggregation table 265, the number of unique destination IP addresses of the communication log is totalized and registered.

  The user ID number 265d indicates the number of unique character strings indicating users included in the communication captured by the packet inspection unit 251. When the communication log primary aggregation means 252 aggregates communication logs from the communication log temporary table 264 or the communication log aggregation table 265, the number of communication log user IDs is totalized and registered.

  The signature ID 265e is a signature ID of the signature management table 261 corresponding to the communication captured by the packet inspection unit 251. The detection time 265f is the time when the communication indicated by the signature ID 265e is started. The registration time 265g is the time when the communication log primary aggregation unit 252 aggregates the entries in the communication log temporary table 264 or the communication log aggregation table 265 and registers the corresponding data.

  The number of attacks 265h indicates the number of times communication with the same source IP 265a, destination NW 265b, and signature ID 265e has been performed from the start of communication corresponding to the signature ID 265e to the time of registration time 265g.

  Since the communication log transmission table 266 also has the same data structure as the communication log aggregation table 265, these are the transmission source IP 266a, destination NW 266b, destination IP number 266c, user ID number 266d, signature ID 266e, detection time 266f, The registration time is 266 g and the number of attacks is 266 h. A specific example of data in the communication log transmission table 266 will be described later.

  FIG. 10 is an explanatory diagram showing the data structure of the agent computer information table 211 shown in FIG. The manager program 200 has the authority to change the recorded data in the agent computer information table 211 as necessary. The manager program 200 receives a communication log only from the agent computer registered in the agent computer information table 212.

  The agent computer information table 211 records the following contents. The agent computer ID 211a is an ID for uniquely identifying a registered agent computer. The agent computer IP211b is an IP address of the agent computer.

  The administrator mail address 211c is the mail address of the administrator of the agent computer. The monitoring target NW 211d is an ID that can uniquely identify the monitoring target network. The communication log storage unit 201 registers the value of the corresponding network ID 263a by referring to the network management table 263.

  FIG. 11 is an explanatory diagram showing the data structure of the communication log management table 212 shown in FIG. The manager program 200 has the authority to change the recorded data in the communication log management table 212 as necessary. The communication log storage unit 201 adds the IP address of the agent computer from which data is acquired to the communication log acquired from the agent computer, and records it as the communication log management table 212.

  The communication log management table 212 records the following contents. The agent computer IP 212a is the IP address of the agent computer that transmitted the corresponding data, and is added by the communication log storage unit 201 as described above. Other than this, since it has data having the same contents as the communication log aggregation table 265 shown in FIG. 9, these are the transmission source IP 212b, the destination NW 212c, the destination IP number 212d, the user ID number 212e, the signature ID 212f, and the detection time 212g, respectively. The registration time is 212h and the number of attacks is 212i. The contents that these data mean are also the same as the data of the same name in the communication log aggregation table 265.

  The infection route list 218 shown in FIG. 3 stores a record of communication by the worm identified by the worm infection source identification unit 202, and this data configuration will be described later.

  Hereinafter, in the description of this embodiment, the worm infection source refers to the worm-infected terminal 30 that causes the worm infection to spread in the computer network 1. Further, the worm infection route means a route indicating between which terminals or networks between which the communication presumed to have occurred is performed.

(Communication log storage and aggregation)
FIG. 12 is a flowchart showing an operation in which the packet inspection unit 251 shown in FIG. 4 inspects the received packet and stores the communication log in the communication log temporary table 264. The packet inspection unit 251 performs the operation shown in FIG. 12 for each received packet.

  The packet inspection means 251 that has received the communication (step S301) first determines whether or not the received packet originates from the own network (source) (step S302). If the source is not the local network, the process ends here. If the source is the local network, the process proceeds to step S303 and the process is continued. Since the operation of inspecting the received packet is performed only when the transmission source is the local network, the machine resource of the agent computer can be saved.

  When the transmission source is the local network, the packet inspection unit 251 compares the received packet with the exception information management table 262 and confirms whether an entry corresponding to the content of the received packet is registered as exception information (step). S303). If registered as exception information, the process ends here.

  If it is not registered as exception information, the packet inspection unit 251 further compares the received packet with the signature information table 261 to check whether there is an entry corresponding to the content of the received packet (step S304). If there is no corresponding entry, the process ends here.

  If there is a corresponding entry, the packet inspection unit 251 confirms the rule 261d of the signature management table 261, and a rule including the user ID (for example, rule 261d with signature ID 261a = “4” in the example shown in FIG. 12). It is checked whether or not “UNIQ_ID” indicating a unique user ID is defined (step S305). If defined, a user ID is acquired according to the rule (step S306), and the process proceeds to step S307. If not defined, the process proceeds to step S307 as it is.

  Subsequently, the packet inspection unit 251 searches the communication log temporary table 264 using the source IP address and destination IP address of the received packet, the user ID acquired in step S306, and the signature ID acquired in step S304 as keys, and the same contents. It is checked whether an entry already exists (step S307).

  If there is no entry having the same content, the packet inspection unit 251 creates a new entry in the communication log temporary table 264 with the source IP address 264a, destination IP address 264b, user ID 264c, and signature ID 264d (step S308). At this time, the initial values of the registration time 264e and the number of attacks 264f are set to zero. When the creation of a new entry is completed, the process proceeds to step S309. If there is an entry having the same content, the process proceeds to step S309.

  Subsequently, the packet inspection means 251 increments the attack number 264f of the corresponding entry by 1 (step S309), and the received packet inspection process is completed. When a new entry is created in step S308, the number of attacks 264f = “0” of the new entry is set to “1”. FIG. 8 shows an example of the communication log temporary table 264 after this packet inspection process is executed.

  FIG. 13 is a flowchart showing an operation in which the communication log primary aggregation unit 252 shown in FIG. 4 aggregates communication logs in the communication log aggregation table 265 by periodically referring to the communication log temporary table 264. The communication log primary aggregation unit 252 confirms the communication log temporary table 264 in order from the top, and performs communication log aggregation processing shown in step S402 and subsequent steps only on unreferenced entries (step S401).

  First, the communication log primary aggregation means 252 is the same network as the entry being referred to in the temporary communication log table 264, the source IP address 264a, the user ID 264c, and the signature ID 264d, and the destination IP address 264b is the same network (network). An entry is extracted (determined with reference to the management table 263) (step S402), and the communication log primary aggregation unit 252 confirms this in order from the top, and performs communication log aggregation processing shown in step S404 and subsequent steps (step S403). ).

  The communication log primary aggregation means 252 searches the signature management table 261 using the signature ID 264d (261a) of the entry being referenced as the key for the attack number 264f of the entry being referenced, and compares it with the extracted threshold value 261e. (Step S404). If the number of attacks 264f ≧ threshold 261e, the process proceeds to step S405. If the number of attacks 264f <threshold 261e, the process proceeds to step S409.

  The communication log primary aggregation means 252 searches the communication log aggregation table 265 using the network address to which the source IP address 264a, signature ID 264d and destination IP address 264b of the entry being referred to belong as a key, and whether there is an entry with the same contents. It is confirmed whether or not (step S405). If there is no entry with the same content, the process proceeds to step S406. If an entry with the same content exists, the process proceeds to step S407.

  If no entry with the same content exists in step S405, a new entry with the corresponding content is created on the communication log aggregation table 265 (step S406). At that time, the source IP 265a records the source IP 264a of the entry being referred to in the communication log temporary table 264. The destination NW 265b records the network address to which the destination IP 264b of the entry being referred to in the communication log temporary table 264 belongs.

  The destination IP number 265c records the number (the initial value is 1) obtained by counting the unique destination IP 264b. The number of user IDs 265d records the number of unique user IDs 264c (the initial value is 1 when the user ID is acquired, and 0 when the user ID is not acquired). The signature ID 265e, the detection time 265f, and the attack number 265h record the signature ID 264d, the registration time 264e, and the attack number 264f of the entry being referred to in the communication log temporary table 264, respectively. The registration time 265g is the current time when this processing is performed.

  If there is an entry having the same content in step S405, the communication log primary aggregation means 252 has the destination IP number 265c, user ID number 265d, detection time 265f, registration time 265g, attack number of the entry on the communication log aggregation table 265. Each 265h is updated (step S407). The specific contents of these data updates will be described in detail from the next line.

  When the destination IP 264b being referred to in the communication log temporary table 264 is not counted, the destination IP number 265c in the corresponding row of the communication log aggregation table 265 is incremented by one. Similarly, when the user ID 264c being referred to is not counted, the user ID number 265d in the corresponding row of the communication log aggregation table 265 is incremented by one. At this time, the destination IP address and user ID of the communication log being referred to may be appropriately cached in a memory or the like so that the same destination IP 264b and user ID 264c are not counted twice.

  The detection time 265f of the corresponding line in the communication log aggregation table 265 is compared with the registration time 264e being referenced in the communication log temporary table 264, and the older time is set as the detection time 265f. In addition, the registration time 265g of the corresponding line is the current time at the time when this process is performed. Then, the attack number 264f of the communication log being referred to is added to the attack number 265h of the corresponding line. The above is the details of the processing in step S407. After step S406 or step S407 ends, the process proceeds to step S408.

  On the other hand, if the attack number 264f <threshold value 261e in step S404, the communication log primary aggregation unit 252 determines the elapsed time from the registration time 264e of the entry being referred to the present time and the signature ID 264d (261a) of the entry being referenced. The value of the inspection timeout seconds 261f of the rows extracted by searching the signature management table 261 using the key is compared, and it is determined whether or not the elapsed time ≧ the inspection timeout seconds 261f is satisfied (step S408). If elapsed time ≧ inspection timeout number of seconds 261f, it means that time-out has occurred, and the process proceeds to step S409. If elapsed time <inspection timeout number of seconds 261f, the process proceeds to step S410.

  If timed out in step S408, or if an entry in the communication log aggregation table 265 is added or updated, the corresponding entry in the communication log temporary table 264 being referred to is deleted (step S409).

  In the example shown in FIG. 9, the communication log aggregation table 265 aggregated through this process from the communication log temporary table 264 shown in FIG. For example, the first six entries in FIG. 8 are aggregated into the first entry in FIG. That is, the six communications with different destination IP addresses 264b are judged to be communications (attack) with the same contents originating from the same source IP address 264a, and the destination IP number 265c = “6”. Attacks of the same content are grouped into one entry.

  The communication log usually has an enormous amount of data, and machine resources are wasted just by detecting an attack by a worm by referring to the communication log. In the present embodiment, the communication log is aggregated from the communication log temporary table 264 to the communication log aggregation table 265 by the processing described above, and the referred communication log is deleted from the communication log temporary table 264. Thus, the consumption of machine resources of the agent computer can be suppressed.

  14, the communication log secondary aggregation means 253 shown in FIG. 4 periodically refers to the communication log aggregation table 265 and aggregates the communication logs in the communication log transmission table 266, and the communication log transmission means 254 is used for communication log transmission. 7 is a flowchart showing an operation for transmitting a table 266 to the manager computer 20. The communication log secondary aggregation unit 253 confirms the communication log aggregation table 265 in order from the top, and performs communication log aggregation processing after step S502 only on unreferenced communication logs (step S501).

  The communication log secondary aggregation unit 253 extracts a communication log in which the entry being referred to in the communication log aggregation table 265 is the same as the source IP address 265a, the destination NW 265b, and the signature ID 265e (step S502), and the communication log secondary aggregation is performed. The means 253 confirms this in order from the top, and performs communication log aggregation processing shown after step S504 (step S503).

  The communication log secondary aggregation means 253 searches the communication log transmission table 265 using the source IP address 265a, destination NW 265b, and signature ID 265e of the entry being referred to in the communication log aggregation table 265 as keys, and there is an entry having the same content. It is confirmed whether or not to perform (step S504). If there is no entry having the same content, the process proceeds to step S505, and if it exists, the process proceeds to step S506.

  If there is no entry having the same content in step S504, the communication log secondary aggregation means 253 creates a new entry in the communication log transmission table 266 (step S505). At this time, the source IP address 266a, destination NW 266b, destination IP number 266c, user ID number 266d, signature ID 266e, detection time 266f, attack number 266h are the source IP address 265a of the entry being referred to in the communication log aggregation table 265. The destination NW 265b, the destination IP number 265c, the user ID number 265d, the signature ID 265e, the detection time 265f, and the attack number 265h are recorded as they are. The registration time 266g is the current time when this processing is performed.

  If there is an entry having the same content in step S504, the communication log secondary aggregation means 253 determines the number of destination IPs 266c, the number of user IDs 266d, the detection time 266f, the registration time 266g, and the number of attacks in the corresponding row of the communication log transmission table 266. Each of 266h is updated (step S506). The specific contents of these data updates will be described in detail from the next line.

  The destination IP number 265c and the user ID number 265d of the entry being referred to in the communication log aggregation table 265 are added to the destination IP number 266c and the user ID number 266d, respectively. The detection time 266f is compared with the detection time 265f of the entry being referred to in the communication log aggregation table 265, and the older time is set as the detection time 266f. The registration time 266g is the current time when this process is performed. Then, the attack number 265h of the entry being referred to in the communication log aggregation table 265 is added to the attack number 266h.

  After the processing in step S505 or S506 is completed, the communication log secondary aggregation unit 253 deletes the corresponding entry in the communication log aggregation table 265 being referred to (step S507). After the above processing is repeated for all the rows of all the communication log aggregation tables 265, the communication log transmission means 254 transmits the communication log transmission table 266 for which aggregation has been completed to the manager computer 20 for further transmission. Is deleted (step S508), and the processing is completed.

  FIG. 15 is an explanatory diagram showing the data structure of the communication log transmission table 266 shown in FIG. In the example shown in FIG. 15, a communication log transmission table 266 aggregated through this process from the communication log aggregation table 265 shown in FIG.

  As described above, the communication log transmission table 266 stores the same data items as the communication log aggregation table 265. For example, the plurality of signature ID 265e = “1” entries in FIG. In the table 266, one line is collected. That is, a plurality of attacks with different detection times 265f are determined to be attacks of the same content issued from the same transmission source IP address 265a, and are combined into one data.

  As described above, in this embodiment, the data necessary for specifying the worm infection source is divided into three tables (communication log temporary table 264, communication log aggregation table 265, communication log transmission table) on the agent computer 21, 22, 23 side. 266), the storage period is set and managed for each table, managed through two steps, and sent to the manager computer 20.

  Thus, in this embodiment, waste of resources (computer resources) of the agent computer and the manager computer can be suppressed, and processing related to the identification of the worm infection source can be performed efficiently on both sides.

(Reception of communication log and identification of worm infection source)
FIG. 16 shows an operation in which the communication log storage unit 201 shown in FIG. 3 receives the contents of the communication log transmission table 266 sent from the agent computers 21, 22, and 23 and stores it in the communication log management table 212. It is a flowchart which shows. The communication log storage unit 201 that has received communication from each agent computer (step S601) adds the IP address of the agent computer that sent the content to the head of the received content as the agent computer IP 212a, and the communication log management table 212. (Step S602).

  In the example shown in FIG. 11, the communication log management table 212 aggregated on the manager computer 20 side by the processing of FIG. 16 from the communication log transmission table 266 shown in FIG. As described above, the communication log management table 212 is the same except that the IP address of the agent computer that sent the contents of the communication log transmission table 266 is prefixed as the agent computer IP 212a. And the same data item as the communication log aggregation table 265).

  FIG. 17 is an example in which information necessary for specifying the worm infection source and infection route is extracted from the communication log management table 212 shown in FIG. 11 (hereinafter, this is referred to as an extracted communication log management table 220). As the worm detection condition, a condition of signature ID 212f = 4 and (user ID number 212d ≧ 100 or destination IP number 212c ≧ 10) is set in advance. If the signature management table 261 is searched using the signature ID 212f (261a) = 4 as a key, “destination port number is TCP / 25” is set as the rule 261d. The worm infection source identifying unit 202 extracts the extracted communication log management table 220 from the communication log management table 212 according to this condition.

  Worms can be broadly divided into those that use software vulnerabilities to spread and others that spread via email and shared folders. The former worm performs specific communication with a large number of destinations in a short period of time. The latter worm attempts to access a specific destination using multiple IDs.

  Therefore, in the present embodiment, as described with reference to FIGS. 11 and 17, the worm detection condition “signature ID 212f = 4 and (user ID number 212d ≧ 100 or destination IP number 212c ≧ 10)” is set. is doing. The former worm has a destination IP number 212c condition, and the latter worm has a user ID number 212d condition.

  Each data item of the extracted communication log management table 220 and the contents indicated by each data item are the same as those in FIG. 11, and only the unique communication log ID 220a is inserted at the head. Source IP 220c, destination NW 220d, destination IP number 220e, user ID number 220f, signature ID 220g, start time (detection time) 220h, end time (registration time) 220i, and attack number 220j. In the example shown in FIG. 17, symbols are used for the start time 220h and the end time 220i, which are in a relationship of S1 <S2 <S3 <S4 <S5 and E1 <E2 <E3 <E4 <E5, respectively. And

  The worm infection source identification means 202 includes an NW arrival list 213 to 217 for storing addresses of networks suspected of being infected with worms and times at which packets have arrived from terminals suspected of being infected with the worm, and worm infection routes. And an infection route list 218 for storing.

  As will be described later, the NW arrival lists 213 to 217 include a destination NW 213a indicating a network address serving as a communication (attack) destination, and communication (attack) from a terminal suspected of being infected with the worm at the network address. The arrival time 213b indicating the time is a list registered as a pair.

  FIG. 18 is a flowchart showing an operation in which the worm infection source identifying unit 202 shown in FIG. 3 creates the NW arrival lists 213 to 217 from the extracted communication log management table 220. The worm infection source identification unit 202 confirms the extracted communication log management table 220 in order from the top, and performs the processing shown in FIG. 18 for each content to create the NW arrival lists 213 to 217.

  The worm infection source identifying unit 202 first searches the NW arrival list 213 using the network address described in the destination NW 220d of the extracted communication log management table 220 as a key, and checks whether the same network address is already registered. (Step S701). If the same network address is registered, the process proceeds to step S702, and if not, the process proceeds to step S703.

  If the same network address is not stored in the NW arrival list 213 in step S701, the worm infection source identifying unit 202 reaches the destination NW 220d and the start time 220h corresponding to the destination NW 220d in the extracted communication log management table 220. As the time 213b, the destination NW 220d (213a) and the arrival time 213b are paired and stored in the NW arrival list 213 (step S702), and the process ends.

  If the same network address is stored in the NW arrival list 213 in step S701, the worm infection source identifying unit 202 determines the arrival time 213b corresponding to the destination NW 213a (220d) on the NW arrival list 213, and the extracted communication log. The start time 220h on the management table 220 is compared (step S703). If arrival time 213b ≧ start time 220h, the worm infection source identifying unit 202 registers the arrival time 213b as the value of the start time 220h (step S704), and ends the corresponding communication log confirmation processing.

  FIG. 19 is an explanatory diagram showing NW arrival lists 213 to 217 created for each of the communication log IDs 220a (1 to 5) in the extracted communication log management table 220 shown in FIG. The NW arrival list 213 extracted from the communication log ID = 1 indicates the destination NW 213a and the arrival time 213b at which the worm arrived there. The other NW arrival lists 214 to 217 respectively extracted from the communication log ID = 2 to 5 also show similar data.

  FIG. 20 is a flowchart showing an operation in which the worm infection source identification unit 202 shown in FIG. 3 creates the infection route list 218 from the NW arrival lists 213 to 217. FIG. 21 is an explanatory diagram showing the infection route list 218 created by the processing shown in FIG. 20 for the NW arrival lists 213 to 217.

  The infection route list 218 includes a communication log ID 218a corresponding to the communication log ID 220a of the extracted communication log management table 220, a transmission source IP 218b, a destination NW 218c, a signature ID 218d, a start time 218e, an end time 218f, and the number of attacks 218g. Each data such as the infection source flag 218h is stored. The contents of these data are the same as the data of the same name in the extracted communication log management table 220 shown in FIG. The infection source flag 218h has a value of 1 when the device corresponding to the transmission source IP 218b is considered to be the infection source of the worm, and has a value of 0 otherwise.

  First, the worm infection source identifying unit 202 adds a new entry to the infection route list 218 (step S801). Communication log ID 218a, transmission source IP 218b, destination NW 218c, signature ID 218d, start time 218e, end time 218f, number of attacks 218g are communication log ID 220a, transmission source IP 220c, destination NW 220d, signature ID 220g of extracted communication log management table 220, respectively. Data of start time 220h, end time 220i, and number of attacks 220j is stored. The initial value of the infection source flag 218h is null.

  Next, the worm infection source identifying unit 202 searches the NW arrival lists 213 to 260 using the transmission source IP 218b as a key, and checks whether there is an entry for the same network (step S802). If there is an entry for the same network, the process proceeds to step S803, and if not, the process proceeds to step S804.

  If there is no entry for the same network in the NW arrival lists 213 to 260 in step S802, the infection source flag 218h = 1 of the corresponding entry in the infection route list 218 is set (step S803), and the process is terminated.

  If there is an entry for the same network in step S802, the arrival time 213b of the corresponding entry in the NW arrival list 213 to 260 is compared with the start time 220h of the corresponding entry in the infection route list 218 (step S804). If arrival time 213b ≦ start time 220h, the process proceeds to step S803 described above. If arrival time 213b> start time 220h, the infection source flag 218h = 0 of the corresponding entry in the infection route list 218 is set (step S805), and the process is terminated.

(Creation of infection route map)
FIG. 22 is a flowchart showing an operation in which the infection route diagram creation unit 203 shown in FIG. 3 outputs the infection source and the infection route of the worm from the infection route list 218 to the infection route diagram 219. The infection route diagram creation means 203 confirms the contents of the infection route list 218 in order from the top, and outputs the infection source and the infection route infection route diagram 219 for each entry.

  Infection route diagram 219 takes the communication log ID 220a of the infection route list 218 on the vertical axis, the start time 218e or the end time 218f on the horizontal axis, and the start time and end time are indicated by ○ (open circles) and ◎ (two FIG. The infection route diagram creation unit 203 outputs ◯ and ◎ for each communication log ID 220a in the infection route list 218 (step S901).

  The infection route diagram creation means 203 indicates that the infected terminal is ○, and a packet that is intended to spread infection flows from the infected terminal, and ◎ is output as a network that is suspected of worm infection. Connect with arrows (step S902). Further, the value of the source IP 218b is output on the circle, and the value of the destination NW 218c is output on the circle (steps S903 to 904).

  Next, the infection route diagram creation unit 203 checks whether or not the infection source flag 218h is 1 (step S905). If it is 0, the process proceeds to step S906, and if it is 1, the process proceeds to step S907. If the infection source flag 218h = 0 in step S905, the infection route list 218 is searched using the transmission source IP 218b as a key to check whether there is another entry with the infection source flag 218h = 1 (step S906). . If it exists, the process proceeds to step S907, and if not, the process proceeds to step S908.

  If the infection source flag 218h = 1 of the corresponding entry, or the infection source flag 218h = 0 of the corresponding entry but an entry with the infection source flag 218h = 1 exists in the same transmission source IP 218b, this transmission source IP 218b is the infection source. Therefore, the already outputted o is overwritten with ● (black circle) (step S907). ● can be treated as a mark indicating the source of infection.

  If there is no entry with the infection source flag 218h = 1, the destination NW 218c of the infection route list 218 is searched using the transmission source IP 218b output in step S903 as a key, and an entry storing the network to which the infected terminal belongs is stored in the destination NW 218c. It is confirmed whether or not it exists (step S908). If it does not exist, the process ends there.

  In step S908, if there is an entry of the destination NW 218c corresponding to the transmission source IP 218b output in step S903, it is confirmed whether or not there is an entry with the infection source flag 218h = 1 (step S909). If it does not exist, the process ends there.

  If there is an entry with the infection source flag 218h = 1 in step S909, the communication is considered to be an attack by a worm. In order to output route information indicating which terminal and network this communication has been performed on, the 矢 印 of each entry extracted in step S909 and the ◯ output in step S901 are indicated by thin arrows pointing to the ◯ side. Conclusion (step S910), the process is terminated.

  FIG. 23 is an explanatory diagram showing an infection route diagram 219 created from the infection route list 218 shown in FIG. 21 by the processing shown in FIG. As described above, ○ (open circle) indicates an infected terminal, ◎ (double circle) indicates a suspected network, and ● (black circle) indicates an infection source. The thick arrow drawn in step S902 indicates the direction of the packet sent from the infected terminal for the purpose of spreading the infection, and the thin arrow drawn in step S910 may be used for the purpose of spreading the infection of the worm. Indicates the route.

  In the infection route diagram 219 shown in FIG. 23, the terminal having the IP address “192.168.3.1” (the worm-infected terminal 30) is connected to the network having the IP address “192.168.3.0/24” (the first one). A worm infection was detected on the agent computer side before time T3 when the infection may have spread to one segment 11). Therefore, in the first segment 11, it can be determined that the worm-infected terminal 30 is the worm infection source.

  Similarly, each client of the IP addresses “192.168.4.1” and “192.168.4.2” belonging to the second segment 12 has an IP address “192.168.4.0/24”. The worm infection has been detected on the agent computer side before time T4 when the infection may have spread to the network (second segment 12). Therefore, in the second segment 12, it can be determined that these terminals are worm infection sources.

  A packet sent from a client having an IP address “192.168.4.2” infected with a worm is considered to be a purpose of spreading infection, and the network having the IP address “192.168.4.0/24” (No. 2 segment 12) arrives at time T4. Further, after that, a packet transmitted from a client having an IP address “192.168.4.5” infected with a worm is considered to have an object of spreading infection, and an IP address “192.168.4.0/24” is transmitted. (Second segment 12) and “192.168.5.0/24” (third segment 13).

  As a result, the worm infection of the client with the IP address “192.168.4.5” belonging to the second segment 12 was caused to the client with the IP address “192.168.4.2” corresponding to the same segment. It can also be assumed that the possibility is high.

(Overall operation of the first embodiment)
Next, the overall operation of the above embodiment will be described. The worm infection source identifying method according to the present embodiment includes a manager computer 20 that is a computer device that is connected to a computer network and detects that a worm-infected terminal that is a computer device infected with the worm is connected to the computer network; This is a method for specifying the infection source of a worm in a computer network including agent computers 21, 22, and 23 that collect information related to an infected terminal and send it to a manager computer. First, the agent computer stores in advance a condition for detecting communication by the worm and a signature ID corresponding to the condition in the signature management table 255, inspects the communication packet on the computer network (step S301 in FIG. 12), and signs the communication packet as a signature. The signature ID is identified by collating with the management table (FIG. 12, steps S307 to 308), and the inspection result of the communication packet is recorded as a communication log temporary table (FIG. 12, step S309). The communication log transmission tables are created by aggregating communications having the same source, destination network, and signature ID from the contents of FIG. 13 (steps S404 to S408 in FIG. 13 and steps S504 to S507 in FIG. 14), and communication. Log sending table And transmits to the manager computer (14 step S508). In response to this, the manager computer stores the contents of the communication log transmission table received from the agent computer as a communication log management table (FIG. 16, steps S601 to 602), and the worm infection is determined from the data recorded in the communication log management table. The terminal is identified and an infection route list is created (FIG. 20, steps S801-805).

Here, each of the above-described operation steps is programmed to be executable by a computer, and these are executed by the manager computer 20 and the agent computers 21, 22, and 23 which are computers that directly execute the respective steps. Also good.
With this configuration and operation, the present embodiment has the following effects.

  The first effect of the present embodiment is that the worm infection source and the infection route can be identified without requiring many machine resources after the worm infection. The reason is that a huge amount of data in the communication log is aggregated in two stages, and the unnecessary data is deleted, so that the agent computer and the manager computer detect communication satisfying a specific condition from the huge log. This is because resource consumption for the processing to be performed is suppressed. Furthermore, this is because the role of the agent computer and the manager computer is shared to suppress consumption of machine resources per unit.

  The second effect of the present embodiment is to solve the problem of network bandwidth compression that occurs during log collection. The reason is that as described above, the communication log data is aggregated and then transmitted from the agent computer to the manager computer.

  The third effect of the present embodiment is that the worm infection source and the infection route can be identified without requiring special skills, as compared with the case where a huge log of each network device is confirmed one by one. The reason is that the communication log management table 212 is provided with data items such as the number of user IDs 212d and the number of destination IPs 212c to maintain the communication characteristics of the worm that spreads infection via the network and detect the worm there. This is because of

(Second Embodiment)
In the second embodiment of the present invention, in addition to the configuration of the first embodiment described above, a management dedicated network connecting the manager computer and the agent computer is provided separately from the normal network. As a result, even if the network bandwidth is squeezed due to worm infection, communication between the agent computer and the manager computer will not be difficult, so the operation according to the present invention can be executed more reliably to detect the worm. can do. Hereinafter, this will be described in more detail.

  FIG. 24 is an explanatory diagram showing a configuration of a computer network 1001 according to the second embodiment of the present invention. The computer network 1001 is composed of the same computer as the computer network 1 according to the first embodiment described above. An agent computer belonging to the first segment 11 is referred to as an agent computer 1021, an agent computer belonging to the second segment 12 is referred to as an agent computer 1022, and an agent computer belonging to the third segment 11 is referred to as an agent computer 1023.

  Each agent computer 1021, 1022, 1023 and manager computer computer 20 are connected to a management dedicated network 1002 indicated by a broken line, which is separate from a normal network. In the management dedicated network 1002, routers 1041 and 1042 for relaying data are also provided separately from the normal network.

  FIG. 25 is an explanatory diagram showing the software configuration of each of the agent computers 121, 122, 123 shown in FIG. Each agent computer 121, 122, 123 is the same as the first embodiment shown in FIG. 2 except that the communication means 103 is connected to both the normal network and the management dedicated network 1002 as hardware. Have the same configuration. The configuration as software is the same as that in the first embodiment except that the network management table 263 stored in the storage unit 102 is changed to the network management table 1263. Elements in the configuration that are the same as in the first embodiment are referred to by the same name and reference number.

  FIG. 26 is an explanatory diagram showing the data structure of the network management table 1263 shown in FIG. The agent program 250 has the authority to change the recorded data in the network management table 1263 as necessary. The manager program 200 can also refer to the network management table 1263 by instructing each agent computer.

  The network management table 1263 records the following contents. The network ID 1263a is an ID for uniquely specifying a registered network address. The network address 1263b represents an address range of each segment in a normal network, and the management address 1263c represents an IP address in the management dedicated network 1002 of the agent computer belonging to this segment.

  For example, the first segment 11 has an IP address “192.168.3.0/24” in a normal network, but the IP address of the management dedicated network 1002 of the agent computer 121 belonging to the first segment 11 is “10.5.1. .1 ". As described above, the network management table 1263 stores the IP address of each segment in the normal network as the network address 1263b and the IP address in the management dedicated network 1002 of the agent computer belonging to this segment as the management address 1263c. Is associated with. Further, the management address 1263c of the manager computer 20 is also stored as the network ID 1263a = “M”.

  Except for this point, the computer network 1001 has the same functions as the computer network 1 according to the first embodiment described above, and performs the same operation. However, the communication between the agent computer and the manager computer can be performed using the management-dedicated network 1002 that is free from the risk of worm intrusion. As a result, even when the worm performs an operation of compressing the network bandwidth, such as a DoS attack, the communication between the agent computer and the manager computer is not difficult, and the operation according to the present invention is ensured. The effect as described above can be surely obtained.

  The present invention has been described with reference to the specific embodiments shown in the drawings. However, the present invention is not limited to the embodiments shown in the drawings, and any known hitherto provided that the effects of the present invention are achieved. Even if it is a structure, it is employable.

  The present invention can be used to improve the security of a computer network.

DESCRIPTION OF SYMBOLS 1,1001 Computer network 11 1st segment 12 2nd segment 13 3rd segment 20 Each computer apparatus 21 Processor 22 Storage means 23 Communication means 24 Output means 21, 22, 23, 121, 122, 123 Agent computer 30 Worm infection terminal 41 42, 1041, 1042 Router 20 Manager computer 31 Client 200 Agent program 201 Packet inspection unit 202 Communication log primary aggregation unit 203 Communication log secondary aggregation unit 204 Communication log transmission unit 211, 271 Initial setting file 211 Agent computer information table 212 Communication log management table 213, 214, 217 NW arrival list 218 Infection route list 219 Infection route diagram 220 Extracted communication Management table 250 manager program 251 communication log storage means 252 worm infection source identification means 253 infection route diagram creation means 261 signature management table 262 exception information management table 263, 1263 network management table 264 communication log temporary table 265 communication log aggregation table 266 communication Log transmission table 1002 Management-dedicated network

Claims (13)

A worm infection source identification system for detecting that a worm-infected terminal, which is a computer device infected with a worm, is connected to a computer network,
An agent computer that collects information about the worm-infected terminal; and a manager computer that receives the information collected by the agent computer and identifies the worm-infected terminal;
The agent computer inspects a communication packet on the computer network and records the inspection result as a communication log temporary table, a condition for detecting communication by the worm, and a signature ID corresponding thereto are stored in advance. A communication log aggregating unit for aggregating communication having the same source ID, destination network and signature ID from the contents of the communication log temporary table, and creating a communication log transmission table; A worm infection source identifying system, comprising: communication log transmission means for transmitting the communication log transmission table to the manager computer. The communication log aggregation means of the agent computer includes:
A communication log primary aggregating unit that aggregates communications having the same source ID, destination network, and signature ID from the contents of the communication log temporary table, counts the number of destination IPs, and creates a communication log aggregation table; ,
A communication log secondary that aggregates communications having the same source ID, destination network, and signature ID from the contents of the communication log aggregation table and totals the number of destination IPs to create the communication log transmission table The worm infection source identification system according to claim 1, further comprising an aggregation unit.   3. The communication log primary aggregation unit of the agent computer has a function of deleting, from the communication log temporary table, data that has passed a timeout time stored in advance in the signature management table. The worm infection source identification system described in 1. The agent computer has an exception information management table storing communication contents not targeted for detection of the worm-infected terminal;
The packet inspection unit excludes communication having contents stored in the exception information management table from the inspection result of the communication packet and records the communication packet in the communication log temporary table. The worm infection source identification system described in 1.   The manager computer stores the contents of the communication log transmission table received from the agent computer as a communication log management table, and identifies the worm-infected terminal from the data recorded in the communication log management table The worm infection source identification system according to claim 1, further comprising a worm infection source identification means for outputting an infection route list.   The worm infection source identifying means of the manager computer includes the number of user IDs indicating the number of user IDs indicating specific users and the number of destination IP addresses included in the communication packet recorded in the communication log management table. The worm infection source identification system according to claim 5, wherein the worm-infected terminal is identified from at least one of a certain number of destination IPs.   The manager computer has an infection route diagram creation means for creating and outputting an infection route diagram illustrating the date and route when the worm spreads infection in the computer network from the infection route list, The worm infection source identification system according to claim 5.   8. The system according to claim 1, wherein the manager computer and the agent computer are connected by a management network different from the computer network. 9. Worm infection source identification system. An agent computer that collects information about a worm-infected terminal that is a computer device infected with a worm and sends it to a manager computer,
Packet inspection means for inspecting communication packets on the computer network and recording the inspection results as a communication log temporary table;
A signature management table preliminarily storing a condition for detecting communication by the worm and a signature ID corresponding to the condition;
A communication log aggregating means for aggregating communications having the same source ID, destination network and signature ID from the contents of the communication log temporary table to create a communication log transmission table;
An agent computer comprising: communication log transmission means for transmitting the communication log transmission table to the manager computer. A manager computer for detecting that a worm-infected terminal, which is a computer device infected with a worm, is connected to a computer network;
A communication log storage means for storing information about the worm-infected terminal received from an agent computer connected to the same computer network as a communication log management table;
A manager computer, comprising: a worm infection source identifying unit that identifies the worm-infected terminal from data recorded in the communication log management table and creates an infection route list indicating an infection route of the worm. Worm infection comprising: a manager computer that detects that a worm-infected terminal that is a computer device infected with a worm is connected to a computer network; and an agent computer that collects information about the worm-infected terminal and transmits the information to the manager computer. In the source identification system,
The agent computer stores a condition for detecting communication by the worm and a signature ID corresponding to the condition in advance in a signature management table,
The agent computer inspects a communication packet on the computer network;
The agent computer compares the communication packet with the signature management table to identify the signature ID;
The agent computer records the inspection result of the communication packet as a communication log temporary table,
The agent computer creates a communication log transmission table by aggregating communications having the same source ID, destination network and signature ID from the contents of the communication log temporary table,
The agent computer transmits the communication log transmission table to the manager computer;
The manager computer stores the contents of the communication log transmission table received from the agent computer as a communication log management table,
The worm infection source identification method, wherein the manager computer creates an infection route list indicating the infection route of the worm by identifying the worm-infected terminal from data recorded in the communication log management table. Worm infection comprising: a manager computer that detects that a worm-infected terminal that is a computer device infected with a worm is connected to a computer network; and an agent computer that collects information about the worm-infected terminal and transmits the information to the manager computer. In the source identification system, the agent computer that pre-stores the condition for detecting communication by the worm and the corresponding signature ID in the signature management table,
Inspecting communication packets on the computer network;
Checking the communication packet against the signature management table to identify the signature ID;
A procedure for recording the inspection result of the communication packet as a communication log temporary table;
A procedure for creating a communication log transmission table by aggregating communication having the same source ID, destination network and signature ID from the contents of the communication log temporary table;
A worm infection source identification program for executing the procedure for transmitting the communication log transmission table to the manager computer. Worm infection comprising: a manager computer that detects that a worm-infected terminal that is a computer device infected with a worm is connected to a computer network; and an agent computer that collects information about the worm-infected terminal and transmits the information to the manager computer. In the source identification system, the manager computer
A procedure for storing information about the worm-infected terminal received from the agent computer as a communication log management table;
A program for identifying a worm infection source, comprising: a step of identifying the worm-infected terminal from data recorded in the communication log management table and creating an infection route list indicating an infection route of the worm.

Images