JP2012150658A - Information processing device, system, communication monitoring method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To effectively detect a program (code) which may cause a computer to perform an unauthorized operation.SOLUTION: An information processing device comprises: a request detection part 32 detecting a request for acquiring data outputted from a client terminal, from network traffic; a file extraction part 33 acquiring the data file acquired corresponding to the request from the network traffic; and a file inspection part 34 inspecting whether or not a program code for acquiring a second data file is included in the acquired first data file, and inspecting the second data file acquired based on the program code if the program code for acquiring the second data file is included in the first data file.

Description

  The present invention relates to an information processing apparatus, system, communication monitoring method, and program for monitoring network communication and detecting a file.

  Malware such as a computer virus invades and operates on a computer system, and causes various damages to the invaded computer system itself and other systems connected to the system. As measures to prevent the occurrence of damage caused by malware, malware that attempts to invade the computer system is detected to prevent intrusion, or malware that has already entered the computer system is detected and removed.

  Detection of malware entering through the network is performed, for example, on a communication log file of a computer system. In some cases, the data file is obtained by intercepting or relaying network communication. In this case, since it is difficult to detect malware in the state of packets during network communication, the malware is detected after the communication contents are received and the data file is restored by a server / computer for malware detection. Processing is performed.

  As a technique for detecting malware, list matching is generally performed using a list (black list) in which information on known malware is collected (see, for example, Patent Document 1). However, in recent years, the number of types of malware has become enormous, and when malware is detected only by list matching using a black list, the load on detection processing is increasing.

  Also, with the widespread use of computer networks, the amount of communication traffic is enormous. Therefore, if malware is detected by list matching for all network communications, a great load is applied to the detection process.

  In recent years, malware has become more sophisticated and sophisticated, and it has become difficult to prevent invasion of computers. For example, there is a case in which the malware is proactively acquired (downloaded) from the computer instead of sending the malware to the computer from the outside to be invaded. This includes a case in which a user such as a computer guides the user to operate the computer or the like to acquire (download) malware by a device provided on a web page or the like.

  In some cases, malware is described as a script or the like in a document file such as a PDF (Portable Document Format) file. In such a case, in order to detect the malware, it is necessary to analyze a document file in which the malware is described, and the load required for the processing further increases.

JP 2009-181233 A

  As described above, it has conventionally been difficult to completely prevent malware from entering a computer system. The process of detecting malware that has invaded or is about to invade a computer system by list matching has a heavy load in recent years when the number of types of malware has become enormous, and a more efficient detection method is required. In addition, with the widespread use of computer networks today, it is difficult to detect malware by list matching for all network communications.

  An object of the present invention is to efficiently detect a program (code) that may cause a computer to perform an illegal operation.

  In order to achieve the above object, the present invention is realized as the following information processing apparatus. The apparatus includes a file acquisition unit that acquires a data file, and a first that checks whether the acquired first data file includes a program code for acquiring another second data file. File inspection means, and second file inspection means for inspecting a second data file acquired based on the program code when the first data file includes a program code.

More preferably, the file acquisition means detects the request for acquiring data from the network traffic, and acquires the first data file by extracting the data file acquired in response to the request from the network traffic. To do.
In addition, when a program code for acquiring the second data file from the first data file is detected by the first file checking means, the second data acquired based on the first data file and the program code Source information acquisition means for acquiring information about the source of the data file is further provided.

More specifically, the second file inspection means inspects whether or not a program code for performing a predetermined specific operation is included in the second data file.
Further, the second file inspection means has predetermined meta information of the second data file including at least one of the creation date and time information, copyright information, version information, and file name of the second data file. Check whether the conditions are met.

According to another aspect of the present invention for achieving the above object, meta information acquisition means for acquiring meta information from a data file and at least information on the creation date and time of the data file among the acquired meta information are predetermined. When the above condition is satisfied, an extraction unit that extracts the data file as an inspection target and a processing unit that performs a predetermined process on the data file extracted by the extraction unit are provided.
More preferably, the extracting unit further processes the data file as a processing target when at least one of the meta information and the copyright information, version information, and file name of the data file satisfies a predetermined condition. Extract.

  Still another embodiment of the present invention for achieving the above object is configured as a system including a client terminal connected to a network and a communication monitoring device for monitoring network communication by the client terminal. The communication monitoring device detects a request for acquiring data output from the client terminal from network traffic, and acquires a data file acquired in response to the request from the network traffic. First file checking means for checking whether or not the first data file includes a program code for acquiring another second data file, and the first data file includes the second data file. And a second file inspection means for inspecting a second data file acquired based on the program code when the program code for acquiring is included.

  Still another aspect of the present invention that achieves the above object is grasped as a network communication monitoring method. In this communication monitoring method, a computer connected to a network detects a request for acquiring data from network traffic, and extracts a data file acquired in response to the request from network traffic. Obtaining the data file, inspecting whether or not the obtained first data file includes a program code for obtaining another second data file, and the first data file If the program code for acquiring the second data file is included, the step of inspecting the second data file acquired based on the program code is included.

  Furthermore, the present invention is also realized as a program that controls a computer to realize each function of the information processing apparatus described above, or a program that causes a computer to execute processing corresponding to each step in the communication monitoring method. This program can be provided by being stored and distributed in a magnetic disk, an optical disk, a semiconductor memory, or other recording media, or distributed via a network.

  According to the present invention, it is possible to efficiently detect a program (code) that may cause a computer to perform an illegal operation.

It is a figure showing the example of whole composition of the computer system to which this embodiment is applied. It is a figure which shows the function structural example of the communication analyzer by this embodiment. It is a flowchart which shows the procedure of the process of the communication analyzer of this embodiment. It is a figure which shows the example of the PCAP file acquired by the communication acquisition part. It is a figure which shows the example of the analysis result of the code contained in the download file extracted by the file extraction part of this embodiment. It is a figure which shows the example of the analysis result of the executable file in this embodiment. It is a figure which shows the example of the meta information of an executable file. It is a figure which shows the other example of the meta information of an executable file. It is a figure which shows the further another example of the meta information of an execution file. It is a figure which shows an example of the hardware constitutions of a computer suitable for implement | achieving the communication analyzer of this embodiment.

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
<System configuration example>
First, a computer system to which this embodiment is applied will be described.
FIG. 1 is a diagram showing an example of the overall configuration of such a computer system.
As shown in the figure, this computer system is configured by connecting a client terminal 10, a proxy server 20, and a communication analysis device 30 to a LAN (Local Area Network) 100. Each device on the LAN 100 is connected to the Internet 200 via a firewall provided by the proxy server 20 or the like. In the configuration shown in the figure, communication from the device on the LAN 100 to the external network is always performed via the proxy server 20 and the communication analysis device 30.

  The client terminal 10 is a computer used by a user. For example, it is realized by a personal computer, a workstation, or other computer devices. The client terminal 10 may be invaded by malware such as a computer virus. Although four client terminals 10 are illustrated in FIG. 1, the number of client terminals 10 connected to the LAN 100 is not limited to the four illustrated.

  The proxy server 20 is a server computer that relays communication between the client terminal 10 on the LAN 100 and a server (not shown) on the Internet 200. That is, the client terminal 10 always accesses the Internet 200 via the proxy server 20. The proxy server 20 has a general function of an existing proxy server in addition to a firewall function.

  The communication analysis device 30 acquires (captures) and analyzes network traffic between the LAN 100 and the Internet 200. Then, the communication analysis device 30 identifies a communication performed to acquire (download) some data file, analyzes the acquired (downloaded) data file, and performs an illegal operation. Check for the presence of a code (hereinafter, illegal code). Then, the communication analysis device 30 collates the address information (for example, URL (Uniform Resource Locator)) of the data file from which the illegal code is detected with a black list. It will be described later.

  The LAN 100 is a network in which terminal devices such as a client terminal 10 and a network printer (not shown) are connected through various lines so that data can be transmitted and received between them. The Internet 200 is a huge network that connects networks all over the world using TCP / IP.

<Functional configuration of communication analyzer>
FIG. 2 is a diagram illustrating a functional configuration example of the communication analysis apparatus 30 according to the present embodiment.
The communication analysis device 30 illustrated in FIG. 2 includes a communication acquisition unit 31, a request detection unit 32, a file extraction unit 33, a file inspection unit 34, a transmission source information acquisition unit 35, and an unauthorized access determination unit 36. .

  The communication acquisition unit 31 acquires network traffic related to communication between a device (such as the client terminal 10) in the LAN 100 and the outside of the LAN 100 (Internet 200). Specifically, for example, a data stream on the network is captured, and a PCAP (Packet CAPture) file is acquired. A PCAP file is a file obtained by capturing packets flowing on the network. Communication to be acquired includes both communication from a device in the LAN 100 to the outside of the LAN 100 and communication from the outside of the LAN 100 to a device in the LAN 100.

  The request detection unit 32 detects a request for acquiring (downloading) data from the PCAP file acquired by the communication acquisition unit 31. A request (command) for acquiring data is specified according to a protocol used for network communication. For example, in the case of HTTP generally used in the Internet 200, data is acquired by a GET request. Therefore, the request detection unit 32 detects this GET request from the PCAP file. Note that the request detected by the request detection unit 32 need not be limited to a request output from a specific device on the network. However, since the purpose is to protect the devices in the LAN 100 from attacks, the request output from the devices in the LAN 100 such as the client terminal 10 to an external (Internet 200) device may be detected.

  The file extraction unit 33 extracts a data file (downloaded file) acquired (downloaded) from the data stream captured by the communication acquisition unit 31 based on the request detected by the request detection unit 32. The type of download file to be extracted is not particularly limited, but a data file in which an illegal code may be described as a script or the like may be selectively extracted. Examples of such data files include PDF files, document files of various office suites (such as Microsoft Office (registered trademark) of US Microsoft Corporation), and image files. When the request detection unit 32 detects a request output from a device in the LAN 100 to an external device, a data file acquired by the device in the LAN 100 that has output the request is extracted.

  The file inspection unit 34 analyzes the download file extracted by the file extraction unit 33 and checks whether the file includes a code for acquiring some other data file. If such a code is included, it is checked whether or not the data file acquired by the code is an illegal file (hereinafter referred to as an illegal file). That is, the file inspection unit 34 is an inspection unit for the primary download file extracted by the file extraction unit 33, and an inspection of the data file that is secondarily acquired by the code included in the primary download file. It is also a means. Further, the file inspection unit 34 acquires information on the transmission source of the data file acquired secondarily from the analysis result of the primary download file. That is, the file inspection unit 34 is also a means for acquiring the transmission source information of the data file acquired secondarily.

  In the present embodiment, a file including the above-described malicious code (a program code that may perform an illegal operation) and a file that may not be properly created are determined to be illegal files. However, files that should be determined as illegal files are not limited to these files. What kind of file is determined as an illegal file may be appropriately set according to the specifications of the system to which the present embodiment is applied, the purpose of use, and the like. Specific contents of the file inspection and illegal code detection processing by the file inspection unit 34 will be described later.

  The transmission source information acquisition unit 35 acquires address information (URL or the like) of the transmission source of the file that is determined to be an illegal file by the file inspection unit 34. The address information of the transmission source is obtained from the network traffic information (PCAP file or the like) acquired by the communication acquisition unit 31. In addition, the transmission source information acquisition unit 35 includes an illegal code included in an unauthorized file, and the unauthorized code is a code for acquiring (downloading) another file from a server on the network. If the source address information (such as URL) can be acquired from the network traffic information, the source information may be acquired instead of the file inspection unit 34. That is, the transmission source information acquisition unit 35 is a transmission source information acquisition unit related to the primary download file extracted by the file extraction unit 33 and is acquired secondarily by the code included in the primary download file. It is also means for acquiring transmission source information of the data file to be processed.

  The unauthorized access determination unit 36 collates the address information of the transmission source of the unauthorized file obtained by the transmission source information acquisition unit 35 with the black list. When the file inspection unit 34 detects an unauthorized code included in the unauthorized file, the unauthorized access determination unit 36 checks the detected unauthorized code against a blacklist. Further, when the unauthorized code is a code for acquiring another file from a server on the network, the unauthorized access determining unit 36 obtains the file that the unauthorized code obtained by the transmission source information acquiring unit 35 intends to acquire. The address information of the sender is checked against the black list. Then, the unauthorized access determination unit 36 determines whether unauthorized access to the client terminal 10 on the LAN 100 has been performed based on these comparison results. As the black list used for detecting unauthorized access, an existing list may be used, or a list that is uniquely created according to the specifications or purpose of use of the system to which this embodiment is applied. May be.

<Processing by communication analyzer>
Next, processing by the communication analysis device 30 configured as described above will be described with a specific example.
FIG. 3 is a flowchart illustrating a processing procedure of the communication analysis device 30 according to the present embodiment.

  The communication analysis device 30 constantly monitors communication between a device (such as the client terminal 10) in the LAN 100 and the Internet 200. Then, the communication acquisition unit 31 acquires network traffic (step 301). Here, it is assumed that a PCAP file is acquired. Next, the request detection unit 32 detects a file including a request for acquiring data from the PCAP file (step 302). Here, it is assumed that a PCAP file including a GET request is detected. Next, the file extraction unit 33 extracts a file downloaded by the GET request in the communication (PCAP file) including the GET request (step 303).

FIG. 4 is a diagram illustrating an example of the PCAP file acquired by the communication acquisition unit 31.
In FIG. 4, the range divided by the broken line corresponds to individual communication. Therefore, in the example shown in FIG. 4, a GET request is detected in each of the first communication, the third communication, and the fourth communication (see arrow A in the figure). In addition, it can be seen that the third communication includes a PDF file as a download file acquired by the GET request (see arrow B in the figure). Accordingly, the file extraction unit 33 extracts a PDF file from the third communication.

  When the download file is extracted, the file inspection unit 34 next checks whether or not the extracted download file corresponds to an illegal file (steps 304 and 305). If it is determined that the download file is an unauthorized file, the transmission source information acquisition unit 35 acquires address information of the transmission source of the download file determined to be an unauthorized file (steps 306 and 307). At this time, if the illegal file contains an illegal code and the illegal code is a code for acquiring another file from a server on the network, the address information of the sender of the other file is also acquired. . The address information of the transmission source of the other file can be obtained by the file inspection unit 34 analyzing the contents of the illegal file (for example, the contents of shellcode). Further, when the address information of the transmission source of the other file can be acquired from the network traffic information, it can be acquired by the transmission source information acquisition unit 35.

  Next, the unauthorized access determination unit 36 determines the presence or absence of unauthorized access based on the source address information obtained in step 307 and the unauthorized code obtained in step 305 (step 308). The determination result is sent to the proxy server 20 or the client terminal 10 of the LAN 100, for example. In these devices, countermeasures against unauthorized access are taken.

<Detection of illegal files by the file inspection unit>
Next, a method for detecting an illegal file by the file inspection unit 34 will be described.
FIG. 5 is a diagram illustrating an example of the analysis result of the code included in the download file extracted by the file extraction unit 33.
FIG. 5 shows an example of the analysis result of the PDF file extracted as the download file. An illegal code can be detected using an existing detection method such as keyword matching. Here, what kind of detection method is used is selected according to the type of malicious code to be detected. If the file to be analyzed is encoded, a decoding process corresponding to the encoding method is performed. In the example shown in FIG. 5, for example, “malicious: collectEmailInfo CVE-2007-5659 detected” on the second line and “malicious: shellcode of length 440/221” on the fourth line are codes that acquire (download) some file. There is a possibility that it is detected as a malicious code.

  Further, when any file is acquired by the code described in the PDF file shown in FIG. 5, the file inspection unit 34 further identifies the acquired file by disassembling and analyzing the code. In addition, the transmission source of the file is specified. In the example shown in FIG. 5, for example, “file: shellcode_c30129f1846219245d1a207739844807db2e1b7b: 440 bytes” on the eighth line is analyzed.

  When the file secondarily acquired by the code as shown in FIG. 5 (shellcode etc. on the 8th line) is an execution file (file with extension “.exe”, etc.), the file checking unit 34 Further, it is determined whether or not the execution file is an illegal file. A method for determining whether or not the file is an illegal file may be set as appropriate according to the specifications of the system to which the present embodiment is applied, the purpose of use, and the like. As a preferred example, in the present embodiment, when there is a possibility that an illegal operation is performed by the code included in the execution file, and when there is a possibility that the execution file is not properly created, the execution is performed. The file is determined to be an illegal file. However, the conditions for determining an illegal file are not limited to these, and even if these conditions are satisfied, it is not always necessary to determine that the file is an illegal file.

FIG. 6 is a diagram illustrating an example of the analysis result of the executable file.
First, a description will be given of a determination method for determining whether an execution file is an illegal file based on the presence or absence of a code that may perform an illegal operation. Here, it is not necessary to strictly determine whether or not an illegal operation is performed when a certain code is executed. If a code that performs a highly probable operation that is performed when an illegal process is executed is described in the execution file, the file inspection unit 34 detects this as a code that may perform an illegal operation. The code that performs the operation may be set as appropriate according to the specifications of the system to which this embodiment is applied, the purpose of use, and the like. As a preferred example, in the example shown in FIG. 6, for example, “[+] Found an Interesting call to: LoadLibraryA” on the fourth line (operation to load some library), “[+] Found an Interesting call to” on the fifth line. : "GetProcAddress" (operation to check some address) can be detected as a code that may perform an illegal operation.

  Note that here, as an illegal operation, an operation related to a call within the system (Found an Interesting call to) has been described. In addition to this, it is also possible to detect a code that may perform an illegal operation on a code related to behavior on the network.

  Next, a method for determining an executable file that may not be created properly will be described. When the acquired executable file is analyzed, the meta information of this file is obtained together with the analysis result of the contents of the file as shown in FIG. Based on this meta information, the file checking unit 34 determines whether or not there is a possibility that the executable file has not been properly created. Here, it is not necessary to strictly determine whether the file has been created normally. If there is a possibility that the file is not properly created, this file is determined to be an invalid file. The criterion for determining whether or not there is a possibility of being created properly may be set as appropriate according to the specifications of the system to which the present embodiment is applied, the purpose of use, and the like. As a preferred example, in the present embodiment, an example in which information on the date and time when an execution file is created, copyright information of the execution file, version information, a file name, and the like will be described.

FIG. 7 is a diagram illustrating an example of meta information of an execution file.
Here, it is determined whether or not the file is an illegal file based on the date and time information when the executable file is created, the copyright information and version information of the executable file as meta information. In the example shown in FIG. 7, the date and time information when the execution file is created is described in the header (FIG. 7 (a): FILE_HEADER) (see the fourth line, TimeDateStamp). Also, copyright information and version information are described in version information (FIG. 7B: Version Information) (see 10th to 12th lines, LegalCopyright, InternalName, and FileVersion).

  As a specific determination method, for example, when the date and time when the execution file was created is a date and time that is not possible if it is a normal file, it may be determined that the execution file is an illegal file. Possible date / time includes a date / time that does not exist, a future date / time, a past date / time when a program used in the file and an operating system on which the program operates do not exist. Further, when copyright information (LegalCopyright) and version information (FileVersion) are not described, it is considered that the execution file is determined to be an illegal file. In addition, the copyright information and version information may be checked against a white list (a list of copyright holders who have no problems or a version that actually exists), and if that is not the case, the executable file may be determined to be an illegal file. It is done.

  Furthermore, a determination can be made based on the file name in addition to the copyright and version information. The file name is described in version information (FIG. 7 (b): Version Information) (see the 17th line, OriginalFilename). When making a determination based on the file name, for example, as in the case of using the copyright and version information described above, it is possible to make a determination based on the presence or absence of a file name, or to collate with a white list.

  As described above, the file inspection unit 34 functions as a meta information acquisition unit that acquires meta information from the execution file acquired secondarily as a processing target. In addition, when the acquired meta information satisfies the conditions defined as described above, the file inspection unit 34 acquires the execution file from the transmission source information acquisition unit 35 and the unauthorized access determination. It functions as an extracting means for extracting as a target of the collation processing by the unit 36.

  Further, not only the determination criteria as described above are used alone, but also a composite file may be used to determine whether the file is an illegal file. By using them in combination, it is possible to determine a file having a higher probability that is not a legitimately created file as an illegal file. Further, even when it is difficult to determine whether or not a file is a malicious file using only a single determination criterion, it may be determined that the file is an illegal file by applying a plurality of determination criteria.

FIG. 8 is a diagram illustrating another example of meta information of an execution file.
The meta information shown in FIG. 8 is the date and time information (FIG. 8A: the fourth line of FILE_HEADER, TimeDateStamp) when the executable file is created, 0x39769585 [Thu Jul 20 06:00:37 2000 UTC]. Also, there is no description of copyright information and version information (FIG. 8B: Version Information). Here, it is assumed that the date and time information shown in FIG. 8A is a date and time that cannot be created as the date and time of creation of the execution file. In this case, the creation date of the executable file satisfies the determination condition as an illegal file, and the validity of the executable file based on the copyright information and the version information cannot be confirmed. Therefore, the executable file having the meta information shown in FIG. 8 is determined as an illegal file.

FIG. 9 is a diagram illustrating still another example of the meta information of the executable file.
The meta information shown in FIG. 9 is the date and time information (FIG. 9A: FILE_HEADER, 4th line, TimeDateStamp) when the executable file is created, 0x48D131F8 [Wed Sep 17 16:36:08 2008 UTC]. Also, there is no description of copyright information and version information (FIG. 9B: Version Information). Here, it is assumed that the date and time information shown in FIG. 9A is a date and time that is possible as the execution date and time of the execution file. In this case, the creation date and time of the executable file does not satisfy the determination condition as an illegal file, and the validity of the executable file cannot be confirmed based on the copyright information and the version information. For this reason, it is impossible to determine whether or not the file is an illegal file only with these pieces of meta information.

  In such a case, confirmation that the executable file is a legitimately created executable file cannot be obtained, so the file checking unit 34 may determine that the executable file is an illegal file. Further, a determination result based on the presence or absence of a code that may perform an illegal operation may be added to make a composite determination.

  As described above, according to the present embodiment, it is first determined whether or not there is a possibility of performing an illegal operation on a determination target file. When it is determined that there is a possibility that the file to be determined performs an illegal operation, the list matching using the black list is performed on the file to determine whether there is an unauthorized access. Therefore, since the files for executing the list matching can be narrowed down in advance, the load in the list matching process can be reduced. This is particularly effective when detecting unauthorized access regarding a download file in network communication as in the present embodiment.

  In this embodiment, whether or not there is a possibility of performing an illegal operation is determined in advance based on static information such as the type of code and meta information included in the file, and the file is actually processed. Never run into. Therefore, actual damage due to unauthorized operation does not occur.

  Furthermore, in the present embodiment, when the code included in the determination target file is a code for acquiring another file, this code is analyzed and the second file acquired secondarily is analyzed. However, it is possible to determine whether or not there is a possibility of performing an illegal operation.

<Example of hardware configuration>
Finally, a hardware configuration of a computer suitable for realizing the communication analysis device 30 of the present embodiment will be described.
FIG. 10 is a diagram illustrating an example of the hardware configuration of such a computer.
The computer shown in FIG. 10 includes a CPU (Central Processing Unit) 300a that is a calculation means and a memory 300c that is a main storage means. As external devices, a hard disk drive (HDD) 300g, a network interface 300f, a display mechanism 300d, an audio mechanism 300h, an input device 300i such as a keyboard and a mouse, and the like are provided.

  In the configuration example shown in FIG. 10, the memory 300c and the display mechanism 300d are connected to the CPU 300a via the system controller 300b. The network interface 300f, the magnetic disk device 300g, the audio mechanism 300h, and the input device 300i are connected to the system controller 300b via the I / O controller 300e. Each component is connected by various buses such as a system bus and an input / output bus.

  FIG. 10 merely exemplifies a hardware configuration of a computer suitable for applying the present embodiment. The present embodiment can be widely applied to an information processing system that analyzes a data file obtained from network traffic or the like, and the present embodiment is not realized only in the configuration shown in the figure.

  In FIG. 10, the magnetic disk device 300g stores an OS and application software programs. These programs are read into the memory 300c and executed by the CPU 300a, whereby the communication acquisition unit 31, the request detection unit 32, the file extraction unit 33, the file inspection unit 34, and the transmission source information acquisition unit illustrated in FIG. 35. Various functions including the unauthorized access determination unit 36 are realized.

  In this embodiment, when an illegal file is detected, information and code of the transmission source of the primary download file extracted by the file extraction unit 33 and the data file (illegal file) acquired secondarily. Based on the contents of, it was determined whether there was unauthorized access. On the other hand, the communication analysis device 30 may be configured to obtain information on the transmission source of these data files and determine unauthorized access by means such as list matching on another server. Alternatively, the communication analysis device 30 may be configured to perform list matching processing on the information of the transmission source of the data file, send the matching result to another server, and determine whether or not there is unauthorized access in the server. .

DESCRIPTION OF SYMBOLS 10 ... Client terminal, 20 ... Proxy server, 30 ... Communication analysis apparatus, 31 ... Communication acquisition part, 32 ... Request detection part, 33 ... File extraction part, 34 ... File inspection part, 35 ... Source information acquisition part, 100 ... LAN (Local Area Network), 200 ... Internet

Claims (10)

A file acquisition means for acquiring a data file;
First file checking means for checking whether the acquired first data file includes a program code for acquiring another second data file;
Second file inspection means for inspecting the second data file acquired based on the program code when the program code is included in the first data file;
An information processing apparatus comprising: The file acquisition means detects a request for acquiring data from network traffic, and acquires the first data file by extracting a data file acquired in response to the request from the network traffic. It is characterized by
The information processing apparatus according to claim 1. When the program code is detected from the first data file by the first file checking means, the transmission source of the second data file acquired based on the first data file and the program code It further comprises transmission source information acquisition means for acquiring information,
The information processing apparatus according to claim 1 or 2. The second file inspection means inspects whether or not a program code for performing a predetermined specific operation is included in the second data file.
The information processing apparatus according to any one of claims 1 to 3. The second file inspection means preliminarily determines meta information of the second data file including at least one of creation date and time information, copyright information, version information, and file name of the second data file. Check whether the specified conditions are met,
The information processing apparatus according to claim 1. Meta information acquisition means for acquiring meta information of the data file from the data file;
Extraction means for extracting the data file as an inspection target when at least the information on the creation date of the data file satisfies a predetermined condition among the acquired meta information,
Processing means for performing predetermined processing on the data file extracted by the extraction means;
An information processing apparatus comprising: The extraction means further extracts the data file as a processing target when a predetermined condition is satisfied with respect to at least one of copyright information, version information, and a file name of the data file among the meta information. To
The information processing apparatus according to claim 6. A client terminal connected to the network;
A communication monitoring device for monitoring network communication by the client terminal,
The communication monitoring device includes:
A file acquisition means for detecting a request for acquiring data output from the client terminal from network traffic, and acquiring a data file acquired in response to the request from the network traffic;
First file checking means for checking whether the acquired first data file includes a program code for acquiring another second data file;
Second file inspection means for inspecting the second data file acquired based on the program code when the program code is included in the first data file;
A system comprising: A network communication monitoring method,
A computer connected to the network detects a request to obtain data from network traffic, and obtains the first data file by extracting the data file obtained in response to the request from the network traffic. And steps to
Inspecting whether the computer includes a program code for acquiring another second data file in the acquired first data file; and
The computer inspecting the second data file acquired based on the program code when the program code is included in the first data file;
Including a communication monitoring method. In a program for controlling a computer connected to a network,
A file acquisition means for detecting a request for acquiring data from network traffic and acquiring a first data file by extracting a data file acquired in response to the request from the network traffic;
First file checking means for checking whether the acquired first data file includes a program code for acquiring another second data file;
As the second file inspection means for inspecting the second data file acquired based on the program code when the program code is included in the first data file,
A program for causing the computer to function.

Images