JP2011258018A - Security server system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a security server system improved in processing capacity.SOLUTION: The security server system comprises: a first server system which provides contents in response to a request transmitted via a network; a second server system which is more resistant against an attack via the network than the first server system and provides contents in response to the request transmitted via the network; a reception unit which receives contents provided via the network; a determination table which includes vulnerability information indicating content details that could receive an impact of the attack via the network; a determination unit which determines presence or absence of vulnerability against the attack via the network for the contents received in the reception unit based on the vulnerability information; and a file control unit which stores contents received in the reception unit as provision candidates in the first server system or the second server system according to a determination result of the determination unit.

Description

  The present invention relates to a security server system that protects a server that provides a service on a network from attacks.

  Various attacks via the Internet have occurred against servers that provide services on the Internet. For example, as a result of an attack in which an attacker gains access to the server using a method different from the original to steal information on the server or a legitimate user has been tricked by the attacker, There is known an attack that guides a server having vulnerability through a prepared server.

  Examples of attacks with application vulnerabilities include cross-site scripting against WEB servers, cross-site request forgery, and SQL injection against WEB servers and SQL servers. SQL injection is intended to illegally operate a database system by intentionally using a security flaw in an application and executing an SQL statement that is not assumed by the application. If this attack is successful, the attacker will be able to fraud, falsify, and delete data.

  As a technique for preventing an attack via a network, a method for determining whether an access is illegal or harmful and preventing execution of a harmful operation request has been proposed (Patent Document 1). In order to protect against DoS / DDoS attacks on applications, it has been proposed to detect attacks based on information such as traffic volume, and to control and filter the rate of attack traffic (Patent Document 2).

  Furthermore, a security server system (application security system) is also known that protects server applications from attacks via the network by passing all access from the network via a defense device. As a precaution, it is generally performed that vulnerability detection of an application caused by a source code or the like is performed in advance to find a vulnerability, and a vulnerable element of the application is manually removed.

  In the conventional system in which all accesses are routed through the protection device, the processing capacity of the protection device may be exceeded as the traffic increases. In particular, when multiple servers are protected at once, all access passes through the defense device regardless of whether the server itself is vulnerable or the service provided by the server is vulnerable. As the number of accesses increases, the processing capability of the defense device tends to be exceeded.

  On the other hand, when the vulnerability discovered by the vulnerability diagnosis is manually repaired, it takes a lot of time and effort to repair the source code of the application. In particular, remediation of vulnerabilities requires personnel with knowledge and experience related to secure programming, which increases the burden on the server operator.

Special table 2004-533676 gazette JP 2006-60599 A

  As described above, the conventional security server system has a problem that the processing capacity is easily exceeded due to an increase in access to the server. In addition, there is a limit to repairing the vulnerability manually.

  The present invention has been made to solve such a problem, and an object thereof is to provide a security server system with improved processing capability.

  In order to solve the above-mentioned problem, a security server system according to an embodiment of the present invention includes a first server system that provides content in response to a request sent via a network, and a network that is more than a first server system. The second server system that is strong against attacks via the network and that provides content in response to requests sent via the network, the accepting unit that accepts content provided via the network, and the impact of attacks via the network A determination table including vulnerability information indicating content details that can be received, a determination unit that determines whether there is a vulnerability to an attack via a network, based on the vulnerability information, and a determination result of the determination unit In response, the content received by the reception unit is designated as the provision candidate. Is characterized by comprising between the server system or the file control unit to be stored in either the second server system, the.

  According to the present invention, a security server system with improved processing capability can be provided.

It is a block diagram which shows the structure of the security server system which concerns on 1st Embodiment. It is a block diagram which shows the structure of the security server system which concerns on 1st Embodiment in detail. It is a conceptual diagram which shows the function structure of the defense part (reverse proxy) which concerns on 1st Embodiment. It is a conceptual diagram which shows the function structure of a general router. It is a flowchart which shows operation | movement of the security server system which concerns on 1st Embodiment. It is a block diagram which shows the structure of the security server system which concerns on 2nd Embodiment. It is a block diagram which shows the structure of the security server system which concerns on 2nd Embodiment in detail. It is a flowchart which shows operation | movement of the security server system which concerns on 2nd Embodiment. It is a block diagram which shows the structure of the security server system which concerns on 3rd Embodiment. It is a block diagram which shows the structure of the security server system which concerns on 4th Embodiment.

(First embodiment)
Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. The security server system according to the embodiment has a function of protecting a server connected to a network such as the Internet from attacks via the network. More specifically, each server includes a server directly connected to an external network and a server connected to the external network through a defense means, and provides contents to be provided depending on whether there is a vulnerability to an attack from the outside. It is possible to upload by sorting to.

  As shown in FIG. 1, the security server system 1 according to the first embodiment includes a first server 10 and a second server 20. A first storage unit 12 and a second storage unit 22 are connected to the first server 10 and the second server 20, respectively. The first server 10 is directly connected to the network 40, and the second server 20 is connected to the network 40 via the defense unit 24. Furthermore, the security server system 1 according to this embodiment includes a file reception unit 30, a vulnerability determination unit 32, and a determination table 34.

  The first server 10 provides content including electronic file groups via a network, such as a Web server. The first storage unit 12 is, for example, a hard disk drive, and stores content provided by the first server 10. That is, the first server 10 and the first storage unit 12 function as a server system in cooperation. The second server 20 and the second storage unit 22 correspond to the first server 10 and the first storage unit 12, respectively, and have a common function. That is, the security server system of this embodiment has two or more server systems having a common function. The first server 10 and the second server 20 can be realized by a server application that operates on a network OS such as UNIX (registered trademark).

  The defense unit 24 has a function of inspecting all accesses from the network 40 to the second server 20 and protecting the second server 20 from unauthorized access and attacks against vulnerabilities such as servers. The defense unit 24 once interprets the received traffic from the physical layer to the application layer, extracts the data, and checks whether the extracted data may attack the second server 20 or the like. If there is no possibility of attack as a result of the check, the defense unit 24 converts the data again from the application layer to the physical layer and sends it to the second server 20. If there is a possibility of attack, the defense unit 24 makes the data harmless or discards it. By doing so, the second server 20 is protected.

  That is, this system includes the first server 10 directly connected to the network 40 and the second server 20 that includes the defense unit 24 between the network 40 and prioritizes safety over an increase in processing load due to traffic. Have.

The file reception unit 30 receives content provided by the first server 10 or the second server 20 to the clients 42 a and 42 b via the network 40. Here, the content provided by the first server 10 or the second server 20 is configured by an electronic file such as a text file or an image file. Therefore, the file accepting unit 30 is configured by, for example, a directory (or a directory configured on a hard disk drive). Folder).
In the following description, it is assumed that the content is composed of a “page” having no vulnerability and a “program” that may include the vulnerability. The content may be composed only of pages, and in this case, the content is not vulnerable. On the other hand, when the content is composed of “page” and “program”, whether or not the content has vulnerability depends on whether or not the “program” includes vulnerability.

  The vulnerability determination unit 32 has a function of analyzing the content (electronic file group) stored in the file reception unit 30 and determining whether or not there is vulnerability to an attack via the network. In addition, the vulnerability determination unit 32 also has a function of moving the electronic file stored in the file reception unit 30 to the first storage unit 12 or the second storage unit 22 according to the determination result. The vulnerability determination unit 32 is realized by, for example, a computer program developed on a memory and an arithmetic device such as a CPU.

  The determination table 34 records vulnerability information used by the vulnerability determination unit 32 for analysis and determination. That is, the vulnerability determination unit 32 determines the presence or absence of vulnerability of the electronic file based on the vulnerability information recorded in the determination table 34. The determination table 34 is realized by a directory (or folder) configured on the hard disk drive, a memory, or the like.

(Specific configuration of the first embodiment)
Next, the configuration of the security server system according to the first embodiment will be described in more detail with reference to FIG. As shown in FIG. 2, the first server 10 includes a WEB server 102, a CGI unit 104, and a database server (DB server) 106. Similarly, the second server 20 includes a WEB server 202, a CGI unit 204, and a DB server 206. The defense unit 24 includes a firewall 242 and a reverse proxy 244. The vulnerability determination unit 32 includes a text extraction unit 301, a determination unit 302, a link matching unit 303, and a file storage unit 304.

  The WEB server 102 and the WEB server 202 are functional elements that provide content composed of HTML (HyperText Markup Language), image data, and the like to the clients 42a and 42b using HTTP (HyperText Transfer Protocol). The CGI unit 104 and the CGI unit 204 are functional elements that execute a program in cooperation with the WEB server 102 and the WEB server 202, respectively, and provide the execution results to the clients 42a and 42b. The DB server 106 and the DB server 206 use the data (database) 125 and 225 stored in the first storage unit 12 and the second storage unit 22, respectively, to provide the searched and sorted data to the clients 42a and 42b. Is a functional element.

  The firewall 242 is a functional element that prevents unauthorized access from the network 40. The reverse proxy 244 is a functional element that once analyzes received traffic from the physical layer to the application layer to extract data, and analyzes whether or not the extracted data has aggressiveness. The reverse proxy 244 performs a detoxification process or a disposal process when the analyzed result data is harmful and harmful, and if it is also harmless, converts the retrieved data from the application layer to the physical layer again. And output.

The text extraction unit 301 is a functional element that searches and extracts a predetermined character string or the like from the electronic file received by the file reception unit 30. The determination unit 302 determines the vulnerability of the received electronic file based on the search result by the text extraction unit 301, and classifies the vulnerable data and the non-vulnerable data. The link matching unit 303 is a functional element that updates a link indicating a jump to other data included in the data with vulnerability among the data classified by the determination unit 302. The file storage unit 304 stores the electronic file in either the first storage unit 12 connected to the first server 10 or the second storage unit 22 connected to the second server 20 based on the classification result by the determination unit 302. It is a functional element that controls storage.
Examples of vulnerability determination methods include, for example, analyzing source code, processing a character string input to a program by a plurality of procedures in the program, and finally outputting the program There is a method of tracing the processing flow and determining whether or not the processing includes a process of sanitizing a dangerous character or character string often used for an attack and removing it from the input. In addition, “<” and “>” used in HTML are detected in addition to “'” and “%” used in SQL to prevent attacks such as SQL injection, and the contents of data are not changed according to certain rules. If the escape process to be converted is not implemented in the determination target program, it can be determined that there is a vulnerability. For example, “&” is “& amp”, “<” is “& lt”, “>” is “& gt”, “'” is “&# 039”, “” is “&”. What is converted to “& quot”.

(Operations of the first server / second server and attacks from outside)
Here, basic operations of the first server 10 and the second server 20 will be described. In the following description, content A consisting only of page a without vulnerability, content B consisting of page b without vulnerability, program b1 without vulnerability, and program b2 with vulnerability, and page without vulnerability It is assumed that content C consisting of c and a vulnerable program c is provided on the network.

  First, an example of a WEB () service will be described as an example of an application that provides a service via a network.

  As shown in FIGS. 1 and 2, the WEB server 102 in the first server 10 provides services to clients 42 a and 42 b connected to the network 40 via the network 40. The first storage unit 12 connected to the WEB server 102 holds a page a121 and the like as pages to be provided to the client 42a and the like. Further, the WEB server 102 runs the program b1 stored in the first storage unit 12 in cooperation with the CGI unit 104. Here, the electronic files such as the page a121 and the programs b1 and 122b may be configured as an electronic file group including a plurality of electronic files instead of a single electronic file.

  When the client 42a specifies the URL of the page that the client 42a wants to browse and makes a browsing request to the first server 10, the WEB server 102 indicates that the URL included in the browsing request is a page directly under the WEB server 102. The page is provided to the client 42a. On the other hand, if the page indicated by the URL is not directly under the WEB server 102 but is accessible only via the CGI unit 104, for example, the program b1 122b, the WEB server 102 stores the program b1 122b. The page file created by execution by the CGI unit 104 is provided to the client 42a.

  The programs b1 and 122b are program source codes that can be executed in the language constituting the CGI unit 104. Therefore, by using the CGI unit 104, it is possible to provide not only a fixed page such as the page a121 but also a page dynamically generated in response to a request from the client 42a. That is, by using the function of the CGI unit 104, various application programs can be created. Similarly, the client 42a can access the DB server 106 via the CGI unit 104 and a program.

  In general, when an information resource such as the database 106 is accessed via the network 40, user authentication is performed to prevent an unintended user from accessing the information resource. However, if the program or the like includes a vulnerable command or the like, the authentication may be broken from the outside via the network 40 and the data may be accessed.

Next, an example of the SQL injection attack will be described. Consider issuing the following SQL to the DB server 106 via the WEB server 102. For example, if your program contains the following text:
SELECT * FROM users WHERE name = 'input value';
The application developer expects that a user name such as “suzuki” created by the client 42a is input as the “input value”. However, malicious attackers, for example,
'OR' t '=' t
Is given as a parameter input value. Then the above text
SELECT * FROM users WHERE name = '' OR 't' = 't';
Will be expanded. Since the condition is always true for “t” = “t”, all records are selected in this SQL statement regardless of the value of the “name” column. The record selected at this time includes all data registered by the client 42a with the user name “suzuki”.

  In this way, in the case of an application that displays or downloads the database extraction result on the screen for confirmation, all data may be stolen. The developer of the application program expects to input data such as a user name in the “input value”, but a malicious attacker may use a character string “that forms part of the SQL command as a whole in the“ input value ”. Enter 'OR' t '=' t 'and as a result, select all records.

  For this reason, it is indispensable to check input values in application programming using CGI. For example, when the user name is expected to be entered, only characters that can be entered as the user name are allowed, and special characters such as “%”, “<”, and “>” that are not used as the user name are not allowed. Like that. It is also effective to sanitize and remove dangerous characters or character strings that are often used for attacks from the input.

  To prevent SQL injection attacks, there is an escape process that detects “<” and “>” used in HTML in addition to “'” and “%” used in SQL and converts them so that the data contents are not changed. Done. For example, “<” and “>” are converted into “&lt;” and “&gt;”.

  Searching for potential vulnerabilities that can be included in a program manually is not a good idea, especially in large programs, because of the possibility of overlooking costs and vulnerabilities. Therefore, a vulnerability diagnosis tool is used instead of human labor to diagnose a vulnerability included in an application program. The program is completed by repeating the process of manually correcting the vulnerable part discovered by the vulnerability diagnostic tool until no vulnerability is discovered by the vulnerability diagnostic tool.

  However, on a page where the service has already been started, it is difficult to stop the service and introduce a correction program. In addition, in a large-scale program, it takes a long time to modify, and in the meantime, contents having vulnerability are exposed on the network. Therefore, in this embodiment, the defense unit 24 is introduced so that vulnerable content can be safely provided.

(Function of the defense unit 24)
An example of an attack against the server and the function of the defense unit 24 will be described in detail. The defense unit 24 prevents an attack from the outside with a content vulnerability. That is, the defense unit 24 checks whether or not a dangerous parameter is included in the parameter sent from the client 42a so that the vulnerability of the CGI program (program c or the like) is not exposed on the network. This check is performed at the application layer. As a result of the inspection, when a character string that may attack the vulnerability is found, the defense unit 24 rewrites the character string so as to be harmless and transfers the character string to a subsequent server or stops the transfer itself.

  Here, the “application layer” and “physical layer” are hierarchical structures based on a network structure design policy (OSI) established by the International Organization for Standardization (ISO) to realize data communication between different models. It means each function divided into. In other words, in OSI, the communication functions are arranged in order from the lower layer to the physical layer (L1), data link layer (L2), network layer (L3), transport layer (L4), session layer (L5), presentation layer (L6), application. It is divided into seven layers of layers (L7). In the Internet, the Ethernet (registered trademark) is often used for the second lower data link layer, and the Internet protocol (IP) is often used for the third network layer.

  FIG. 3A shows an example of the functional configuration of the reverse proxy 244 that forms the core of the defense unit 24. As shown in FIG. 3A, the reverse proxy 244 in the defense unit 24 includes a first conversion unit 244a, an attack determination unit 244b, and a second conversion unit 244c.

  The first conversion unit 244a interprets the packet received at the physical layer (L1) up to the application layer (L7) and converts it to the original data. The attack determination unit 244b extracts the input value of the parameter from the data sent from the client, determines whether or not there is a possibility of attacking the vulnerability to the character string, and rewrites or discards the character string to make it harmless To do. The second determination unit 244c converts the data (original data or detoxified data) output from the attack determination unit 244b again from the application layer (L7) to the physical layer (L1), and outputs a packet. Since the reverse proxy 244 having such a configuration extracts the original data from the transmitted packet and determines the presence or absence of aggression, it can effectively prevent an attack from the outside.

  On the other hand, the defense unit 24 including the reverse proxy 244 illustrated in FIG. 3A easily interprets all the packets up to the application layer, and thus easily becomes a traffic bottleneck. Even when compared with the router 245 having the L2 switch in the data link layer and the L3 switch in the network layer as shown in FIG. 3B, it is clear that the analysis process and the conversion process take time.

  Therefore, in the security server system according to the embodiment, the processing capability is improved by narrowing down the traffic to be processed by the defense unit 24 to only access to content having vulnerability.

(Operation of vulnerability judgment unit)
Next, the operation of the security server system of this embodiment will be described with reference to FIGS.

  In the security server system according to this embodiment, the user stores the electronic file group of the contents A to C to be provided to the clients 42a and 42b through the network 40 in the file accepting unit 30 (step S51; hereinafter referred to as “S51”). So called). Specifically, the user saves a desired electronic file group in a predetermined folder on the hard disk.

  When the file reception unit 30 receives the electronic file, the text extraction unit 301 reads vulnerability information from the determination table 34 (S52). Vulnerability information includes, for example, a vulnerability command 341 in which a vulnerability is pointed out, a dangerous address 342 such as a URL of a site with aggressiveness, and the like, and is stored in the determination table 34 in advance.

  When the vulnerability information is read out, the text extraction unit 301 uses the vulnerability information to search the electronic file received by the file reception unit 30 for data that partially or completely matches the vulnerability command 341 and the dangerous address 342. Text extraction processing to be extracted is executed (S53). The extraction process result is sent to the determination unit 302.

  The determination unit 302 determines the vulnerability of the electronic file received by the file reception unit 30 based on the extraction processing result by the text extraction unit 301 (S54). Judgment criteria can be variously defined according to the size of the site and the type of content. For example, the determination unit 302 may determine that there is a vulnerability when at least one vulnerable command 341 or dangerous address 342 is included in the electronic file received by the file receiving unit 30, or it may be included above a certain standard. If it is, it may be determined that there is a vulnerability. Since “vulnerability” here means vulnerability to an attack from the outside, the determination unit 302 may determine that there is no vulnerability in an HTML file or pure image data including only text information. .

  As a result of the determination, if there is no vulnerability at all (No in S55), for example, if the electronic file to be determined is content A consisting only of a safe HTML file, the file receiving unit 30 receives the file storage unit 304. All electronic files are stored (moved or copied) in the first storage unit 12. That is, for the safe content, priority is given to the access speed or the like, and the first server 10 not provided with the defense unit 24 is provided. FIG. 2 shows a state in which the page a • 121 of the content A determined as having no vulnerability by the determination unit 302 is stored in the first storage unit 12 from the file reception unit 30.

  If a vulnerability is found as a result of the determination (Yes in S55), the text extraction unit 301 classifies the data for which the determination unit 302 has found the vulnerability and the data that has not been found. That is, the text extraction unit 301 classifies the electronic file received by the file reception unit 30 into a program in which a vulnerability is found and a program in which no vulnerability is found. At this time, when the vulnerability is found in all the electronic files received by the file receiving unit 30 (Yes in S57), the file storage unit 304 stores all the files in the second storage unit 22 (S58). That is, content that is vulnerable to all the programs that are configured is given priority to safety, and all accesses to the programs are provided by the second server 20 via the defense unit 24. In FIG. 2, the program c 123 b is stored in the second storage unit 22 from the file reception unit 30 among the contents C in which the determination unit 302 determines that there is vulnerability and the text extraction unit 301 has found vulnerability in all data. The state of being done is shown. Note that the page c • 123a of the content C is stored in the first storage unit 12 because it does not have vulnerability.

  When the electronic file received by the file accepting unit 30 is composed of data for which vulnerability is found and data for which vulnerability has not been found (No in S57), the link matching unit 303 identifies data for which the vulnerability has been found and discovery The association with the data that has not been updated is updated (S59). Then, the file storage unit 304 stores data in which the vulnerability is found in the second storage unit 22 and stores data that has not been found in the first storage unit 12 (S60). The update of the association by the link matching unit 303 eliminates the broken link that occurs when the electronic file received by the file receiving unit 30 is distributed and stored in the first storage unit 12 and the second storage unit 22. That is, the link that moves from the data for which no vulnerability is found to the data for which the vulnerability is found is changed to the address (URL) of the second server 20. Similarly, the link that moves from the data in which the vulnerability is found to the data in which the vulnerability is not found is changed to the address of the first server 10. As a result, it is possible to prevent inconveniences such as broken links due to one content being divided and stored and provided. In FIG. 2, the pages b and 122a having no vulnerability and the programs b1 and 122b in which no vulnerability is found are classified as the programs b2 and 122c in which the vulnerability is found, and the first storage unit 12 and the second storage are stored. The state stored in each part 22 is shown.

  By repeating steps 51 to 60 in FIG. 4, the content provided to the clients 42a and 42b is distributed to the first storage unit 12 and the second storage unit 22 based on the presence or absence of vulnerability to external attacks. Stored separately and provided separately by the first server 10 and the second server 20.

  For example, if the client 42 a refers to the page a 121 using the browser application, the reference request is sent to the WEB server 102, and the WEB server 102 reads the page a 121 from the first storage unit 12 and transmits the page a 121 via the network 40. Send to 40a. On the other hand, when the client 42a refers to the page c • 123a that executes the vulnerable program c • 123b, or refers to the page b that partially executes the vulnerable program b2 • 122c, the reference request is And sent to the firewall 242 via the network 40, and then reaches the WEB server 202 via the reverse proxy 242. At this time, even if the reference request from the client 42a has aggression, it is made harmless or discarded by the reverse proxy 242, so that the vulnerability of the WEB server 202 or the CGI unit 204 is not attacked.

  The WEB server 202 sends page data obtained by executing the program b2 or the program c read by the CGI unit 204 from the second storage unit 22 to the client 42a via the network 40.

  According to the security server system of this embodiment, the access to the application including the vulnerability is connected to the second server via the defense means, and the majority access without the vulnerability does not pass through the protection means. Since it is directly connected to the first server, the traffic load of the defense means can be reduced.

  In the example illustrated in FIG. 4, the text extraction unit 301 classifies the electronic file received by the file reception unit 30 into a file (program) in which a vulnerability is found and a file (program) in which the vulnerability is not found, The file storage unit 304 stores the divided files in the first storage unit 12 and the second storage unit 22, respectively, but is not limited thereto. That is, the file storage unit 304 may store all files (pages and programs) in the second storage unit 22 when a vulnerability is found in some of the files (programs) constituting the content. In this case, even if there is an extraction omission or division omission by the text extraction unit, a vulnerable file (program) can be reliably provided from the second server 20. In addition, since the files are stored in the first storage unit 12 or the second storage unit 22 in a lump without dividing the files, the storage from the file reception to the first or second server can be processed at high speed.

(Second Embodiment)
Next, a second embodiment of the present invention will be described in detail with reference to the drawings. The security server system according to this embodiment is obtained by changing a part of the configuration of the security server system according to the first embodiment shown in FIGS. 1 and 2. Therefore, in the following description, elements that are the same as those in the first embodiment are denoted by the same reference numerals, and redundant description is omitted.

  As shown in FIG. 5, the security server system 2 according to the second embodiment includes a first server 10 and a second server 20. A first storage unit 12 and a second storage unit 22 are connected to the first server 10 and the second server 20, respectively. The first server 10 is connected to the network 40 via the communication path selection unit 126, and the second server 20 is connected to the network 40 via the defense unit 24 and the communication path selection unit 126. Furthermore, the security server system 2 according to this embodiment includes a file reception unit 30, a vulnerability determination unit 132, and a determination table 34. That is, the security server system 2 according to the second embodiment has a configuration in which the communication path selection unit 126 is added to the security server system 1 according to the first embodiment.

  The communication path selection unit 126 is a functional element that distributes an access request sent from the network 40 to either the first server 10 or the second server 20. The communication path selection unit 126 can be realized by a router which is a kind of network device, for example. Alternatively, the function of the communication path selection unit 126 can be realized by using a DNS (Domain Name System) provided on the network 40.

(Specific Configuration of Second Embodiment)
Next, the configuration of the security server system according to the second embodiment will be described in more detail with reference to FIG. As illustrated in FIG. 6, the vulnerability determination unit 132 includes a text extraction unit 301, a determination unit 302, an address processing unit 403, and a file storage unit 304. The vulnerability determination unit 132 of the second embodiment is different from the vulnerability determination unit 32 of the first embodiment in that an address processing unit 403 is provided.

  The text extraction unit 301 is a functional element that searches and extracts a predetermined character string or the like from the received electronic file. The determination unit 302 determines the vulnerability of the received electronic file based on the search result by the text extraction unit 301, and classifies the vulnerable data and the non-vulnerable data. The address processing unit 403 instructs the communication path selection unit 126 to distribute the access from the network 40 to the first server 10 or the second server 20 based on the classification result using the determination table 34 by the determination unit 302. It is. The file storage unit 304 stores the electronic file in either the first storage unit 12 connected to the first server 10 or the second storage unit 22 connected to the second server 20 based on the classification result by the determination unit 302. A functional element to be stored.

(Operation of Second Embodiment)
The operation of the security server system of this embodiment will be described with reference to FIGS. In the following description, content A consisting only of page a without vulnerability, content B consisting of page b without vulnerability, program b1 without vulnerability, and program b2 with vulnerability, and page without vulnerability It is assumed that content C consisting of c and a vulnerable program c is provided on the network.

  In the security server system according to this embodiment, the service provider of the server stores the electronic file of the content to be provided to the clients 42a and 42b in the file receiving unit 30 (step S51, hereinafter "S51"). ). Specifically, the user stores a desired electronic file in a predetermined folder on the hard disk. Hereinafter, the operation is the same as that of the first embodiment until the determination of the vulnerability of the electronic file received by the file reception unit 30 by the determination unit 302 (S52 to S54 in FIG. 7).

  As a result of the determination, if there is no vulnerability at all (No in S55), for example, if the electronic file to be determined is content A consisting only of a safe HTML file, the file receiving unit 30 receives the file storage unit 304. All the electronic files stored in the first storage unit 12 are stored. That is, the safe content is provided by the first server 10 that does not have the defense unit 24, giving priority to the access speed and the like. FIG. 6 illustrates a state in which the page a • 121 of the content A determined as having no vulnerability by the determination unit 302 is stored in the first storage unit 12 from the file reception unit 30.

  If a vulnerability is found as a result of the determination (Yes in S55), the file storage unit 304 stores all the electronic files in the second storage unit 22 (S157). In other words, content that has a vulnerability in a program to be configured is provided by the second server 20 via the defense unit 24, giving priority to safety and the like, and all accesses to the program. FIG. 6 shows a state in which the program c · 123b of the content C determined to be vulnerable by the determination unit 302 is stored in the second storage unit 22 from the file reception unit 30.

  When the file storage unit 304 stores the electronic file, the address processing unit 403 stores the contents stored in the first storage unit 12 and the second storage unit 22 respectively, and the first server 10 and the second server that provide the content. Address information that associates each of the 20 addresses (addresses for the clients 42a and 42b providing the content to access via the network 40) is generated and sent to the communication path selection unit 126 (S158). Based on the address information sent from the address processing unit 403, the communication path selection unit 126 selects the contents stored in the first storage unit 12 and the second storage unit 22 and the first server 10 and the second server 20 respectively. The address shown is associated and stored in its own memory area.

  By repeating step 51 to step 158 in FIG. 6, the content provided to the clients 42a and 42b is distributed to the first storage unit 12 and the second storage unit 22 based on the presence or absence of external vulnerabilities. The stored contents are associated with the addresses of the first server 10 and the second server 20, respectively.

  For example, if the client 42 a refers to the page a 121 using the browser application, the reference request is sent to the communication path selection unit 126 via the network 40. The communication path selection unit 126 selects an address for providing the page a • 121 from the addresses stored in the memory area, and sends the reference request to the WEB server 102. The WEB server 102 reads the page a · 121 from the first storage unit 12 and sends it to the client 42 a via the network 40.

  When the client 42a refers to the page c • 123a that executes the vulnerable program c • 123b, the reference request is sent to the communication path selection unit 126 via the network 40. The communication path selection unit 126 selects an address that provides the execution result of the program c · 123b from the addresses stored in the memory area, and sends the reference request to the firewall 242. The reference request sent to the firewall 242 then reaches the WEB server 202 via the reverse proxy 242. At this time, even if the reference request from the client 42a has aggression, the vulnerability of the WEB server 202 or the CGI unit 204 is not attacked because it is rendered harmless or discarded by the reverse proxy 242.

  The WEB server 202 sends the page data obtained by executing the program c read from the second storage unit 22 by the CGI unit 204 to the client 42 a via the network 40.

  In this example, the communication path selection unit 126 has been described as functioning as a router. However, the present invention is not limited to this. When the function of the communication path selection unit 126 is realized by DNS, when the DNS receives a query from the client 42a, the IP address indicating the page corresponding to the URL included in the query is selected from the IP addresses stored in the memory area, The address may be returned to the client 42a, and the client 42a may issue a reference request again using the returned address. In this case, the DNS does not need to be directly connected to the first server 10 or the defense unit 24 like the communication path selection unit 126 of this embodiment, and the first server 10 and the defense unit 24 are not connected to the first implementation. As shown in the form, it can be directly connected to the network 40.

  According to the security server system of this embodiment, access to the application including the vulnerability is connected to the second server via the defense means, and the majority of accesses not including the vulnerability are directly performed without going through the protection means. Since it is connected to the first server, the traffic load of the defense means can be reduced. Further, according to the security server system of this embodiment, since the communication path selection unit is provided, it is possible to reliably specify the reference destination according to the presence or absence of content vulnerability.

  In the second embodiment, the determination is not made when there is a vulnerability in only a part of the files constituting the content (content B consisting of page b and programs b1 and b2), but this is not limitative. Not. As in the first embodiment, a link matching unit may be provided so that only vulnerable files are classified and stored in the second storage unit.

(Other operation example 1 of communication path selection unit)
When creating the electronic file group constituting the content, the address (URL) of the server that provides the content is, for example, “www1.sample.jp”, “www2.sample.co.jp”, “www3.sample.co. Prepare multiple items in advance like “jp”. When the determination unit 302 finds a vulnerability in the program B2 of the content B and the program c of the content C, the file storage unit 304 stores all files of the content B or the content C in the second storage unit 22. In addition, the address processing unit 403 registers the “www1.sample.jp” as the IP address of the second server 20 in the communication path selection unit 126 as the DNS.

  Similarly, when the determination unit 302 finds no vulnerability in the page A of the content A or the program b1 of the content B, the file storage unit 304 stores all files related to the program b2 in the content A or the content B. 1 is stored in the storage unit 12. In addition, the address processing unit 403 registers the “www1.sample.jp” as the IP address of the first server 10 in the communication path selection unit 126 as the DNS.

  That is, since the clients 42a and 42b can automatically access either the first server 10 or the second server 20 by the DNS function on the Internet, the clients 42a and 42b are included in the pages and programs that make up the content. Only the content including the vulnerable content can be provided from the second server 20 without rewriting the jump destination URL. This also leads to reducing the load on the defense unit 24.

(Other operation example 2 of communication path selection unit)
The first server 10 and the second server 20 are constructed by a single server using a virtual domain (virtual domain). In this case, since the URLs of the first server 10 and the second server 20 can be changed internally, when the communication path selection unit 126 is constructed by a router, the first server 10 and the second server 20 are determined according to the presence or absence of vulnerability. Access can be assigned to either of these. Similar to the first operation example, it is possible to provide only the content including the vulnerable content from the second server 20 without rewriting the jump destination URL included in the page or the program forming the content. This also leads to reducing the load on the defense unit 24.

(Third embodiment)
Next, a security server system according to the third embodiment will be described in detail with reference to FIG. As shown in FIG. 8, the security server system according to this embodiment further includes a third server 426 and a vulnerability scanning unit 428 in addition to the security server system according to the first embodiment shown in FIG. . Therefore, common elements are denoted by the same reference numerals, and redundant description is omitted.

  The third server 426 is a server having a function common to the first server 10 and the second server 20 and reproduces the operations of the first server 10 and the second server 20 in a pseudo manner. The third server 426 operates to provide the vulnerability scanning unit 428 with the content received by the file receiving unit 30 in response to the pseudo reference request given from the determination unit 302.

  The vulnerability scanning unit 428 is connected to the third server 426, issues a pseudo reference request to the third server 426 on behalf of the client, and the file reception unit 30 provided by the third server 426 in response to the reference request It is a functional element that scans received content packets. The scan control unit 428 issues an aggressive reference request to the third server 426 based on the attack information indicating the attack mode via the network stored in the determination table 434 in advance. Further, the scan control unit 428 should scan the packet of the content provided by the third server 426 (content received by the file reception unit 30) based on the attack information stored in the determination table 434, and protect the packet. It is a functional element that determines whether data is included (whether the security of the server has been compromised as a result of the attack).

  The vulnerability scanning unit 428 can be realized by a tool such as Nikto, Paros, and skipfish, for example. The vulnerability scanning unit 428 actually issues an attack packet by various assumed attack methods stored in advance in the determination table 434 to the third server 426, and scans the packet provided according to the attack packet. . The vulnerability scanning unit 428 determines whether or not the third server 426 can be captured based on the scan result. That is, when an attack is possible, the content received by the file reception unit 30 is vulnerable to an attack from the outside.

  As an attack packet, for example, a packet including a character string “'OR' t '=' t” as described above with respect to a WEB server connected to a DB server as an SQL server can be considered. The vulnerability scanning unit 428 checks whether or not unintended user information is leaked in the scan result, and if it is leaked, determines that there is a vulnerability and notifies the determination unit 302 of it. In this case, the presence or absence of information leakage is determined by determining whether or not the characters included in the backup log used to restore the database of the DB server used for vulnerability diagnosis are leaked in the scan result. Can do. When a new attack method is discovered, it is possible to update the attack method to the latest by newly storing it in the determination table 434 as attack information.

  The operation of the security server system of the embodiment shown in FIG. 8 is the same as that of the first embodiment shown in FIG. That is, vulnerability scanning by the third server 426 and the vulnerability scanning unit 428 is executed as the determination processing in step 54 shown in FIG.

  According to the security server system of this embodiment, in addition to the determination unit 302, the vulnerability scanning unit 428 that actually issues an attack packet to the server and determines whether there is leaked data in the provided packet is provided. Therefore, it is possible to accurately determine whether the electronic file received by the file receiving unit 30 is vulnerable.

  In the example shown in FIG. 8, the third server is provided separately from the first server and the second server, but the present invention is not limited to this. For example, the first server 10 may be disconnected from the network 40 and the first server 10 may be substituted for the function of the third server 426.

(Fourth embodiment)
Next, a security server system according to the fourth embodiment will be described in detail with reference to FIG. As shown in FIG. 9, the security server system according to this embodiment further includes a third server 426 and a vulnerability scanning unit 428 in addition to the security server system according to the second embodiment shown in FIG. . That is, the third server and vulnerability scanning unit in the third embodiment are applied to the second embodiment, and the operations of the third server and vulnerability scanning unit are the same as those in the third embodiment.

  Similarly to the third embodiment, the security server system of this embodiment also includes a vulnerability scanning unit 428 that issues an attack packet to the server and determines whether there is leaked data in the provided packet. Therefore, it is possible to accurately determine whether or not the electronic file received by the file receiving unit 30 is vulnerable.

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. In addition, various inventions can be formed by appropriately combining a plurality of components disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined.

  DESCRIPTION OF SYMBOLS 1 ... Security server system, 10 ... 1st server, 12 ... 1st memory | storage part, 20 ... 2nd server, 22 ... 2nd memory | storage part, 24 ... Defense part, 30 ... File reception part, 32 ... Vulnerability determination part, 34 ... Determination table, 40 ... Network, 42a, 42b ... Client.

Claims (5)

A first server system that provides content in response to a request sent over a network;
A second server system that is stronger against attacks via the network than the first server system and that provides content in response to a request sent via the network;
A reception unit for receiving content provided via the network;
A determination table including vulnerability information indicating content details that may be affected by an attack via the network;
Based on the vulnerability information, a determination unit that determines whether or not there is vulnerability to an attack via the network for the content received by the reception unit;
A file control unit that stores the content received by the reception unit as a provision candidate according to the determination result of the determination unit in either the first server system or the second server system;
A security server system comprising:   The file control unit stores data having the vulnerability in the content received by the reception unit in the second server system, and stores data having no vulnerability in the first server system. The security server system according to claim 1, wherein:   3. The matching unit according to claim 2, further comprising a matching unit configured to match a link between data stored in the first server system and data stored in the second server system by the file control unit. Security server system.   Connected between the network and the first server system and the second server system, and based on a determination result of the determination unit, a request sent via the network is transmitted to the first server system or the second server system. The security server system according to claim 2, further comprising a communication path control unit that distributes to any of the two server systems. The determination table includes attack information related to an attack via the network,
A pseudo-attack generating unit that pseudo-generates an attack via the network based on the attack information;
A third server system that provides the content received by the receiving unit in response to the pseudo-generated attack;
A vulnerability scanning unit that scans whether the content provided by the third server system is normal, and determines that the content has the vulnerability when the content is not normal;
The security server system according to any one of claims 1 to 4, further comprising:

Images