JP2015082191A - Information processing device and information processing method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technique enabling detection of an illegal program without depending on a definition file which has been conventionally used.SOLUTION: An information processing device includes: first monitoring means that monitors an operation of a process that is executed in the information processing device; and second monitoring means that monitors an instruction from a user to the information processing device. If the first monitoring means detects that a predetermined operation is executed by the process during a period in which the second monitoring means does not detect the instruction, control is performed to the information processing device.

Description

  The present invention relates to security technology against malicious programs such as viruses.

  Conventionally, malicious programs (malware such as viruses and worms) that intrude by attacking security holes such as computer system vulnerabilities have become a socially important problem regardless of individuals or companies.

  This unauthorized program takes control of the computer, destroys data stored in the computer, transmits unauthorized data to the outside, and performs a new attacking action against a third party using the intruded computer. For example, a plurality of modules are operating in a process executed by a computer system, and when a vulnerability exists in this module, an attack and intrusion targeting the corresponding module are performed. For such malicious programs, detection methods based on definition files are still mainstream.

JP 2009-157524 A

  However, the above-described prior art (Patent Document 1) has a problem that only known malicious programs can be detected, and unknown malicious programs such as zero-day attacks cannot be detected. Furthermore, more than tens of thousands of new types of such malicious programs appear per day, and the detection method based on definition files is no longer broken.

  The present invention has been made in view of such problems, and provides a technique that enables detection of a malicious program without depending on a definition file that has been used conventionally.

  According to one aspect of the present invention, a first monitoring unit for monitoring an operation of a process executed in the information processing apparatus, a second monitoring unit for monitoring an instruction from the user to the information processing apparatus, The first monitoring unit detects that a prescribed operation is being executed by the process during a period in which the second monitoring unit does not detect the instruction. In this case, the information processing apparatus includes a control unit that controls the information processing apparatus.

  According to the configuration of the present invention, a malicious program can be detected without depending on a definition file that has been used conventionally.

The figure which shows a process, a process monitor, a system monitor, and a related peripheral unit. The figure which shows the structural example of a system monitor. The figure which shows the structural example of a process monitor. The figure which shows the structural example of a list. The figure which shows the structural example of a network system. The figure which illustrated cooperation with an information processor and gateway equipment. The flowchart of the process which information processing apparatus performs. The flowchart explaining operation | movement of an information processing system. The block diagram which shows the hardware structural example of information processing apparatus.

  Preferred embodiments of the present invention will be described below with reference to the accompanying drawings. The embodiment described below shows an example when the present invention is specifically implemented, and is one of the specific examples of the configurations described in the claims.

[First Embodiment]
As a result of the widespread use of the Internet, opportunities for exchanging information with unknown third-party devices have greatly increased, and as a result, opportunities for exchanging information with malicious third-party devices have also increased. An information processing apparatus in which an unauthorized program is executed by such a malicious third-party apparatus is not only performed by the information processing apparatus. That is, various other devices such as another device connected to a LAN (for example, an in-house LAN or a home LAN) to which the information processing device is connected, and a new illegal act using the information processing device as a stepping stone are executed. Problems occur. Such a problem is not only a personal problem, but has led to a large social problem (crime), which is a very large problem. For this reason, companies that have information processing devices such as various servers are eagerly desired to quickly and accurately detect unauthorized programs that execute unauthorized attacks and intrusions.

  Note that “illegal attack” indicates that the computer system is to perform an unintended operation different from the process that the computer system originally intends to execute. The term “intrusion” means that a part or all of the system is taken away by causing an unintended operation by an attack.

  The information processing apparatus according to the present embodiment is a computer system that executes arithmetic processing according to a program. For example, a server device that provides services to users such as a Web server, a content server, and a DNS server, personal computer systems used personally, and network devices such as routers and L3 switches. The information processing apparatus according to the present embodiment enables detailed monitoring up to the inside of the system, and further enables to quickly and accurately detect unauthorized programs that execute unauthorized attacks and intrusions.

  First, a hardware configuration example of the information processing apparatus according to the present embodiment will be described with reference to the block diagram of FIG. Note that the hardware configuration of the information processing apparatus applicable to the present embodiment is not limited to the configuration illustrated in FIG. 9, and may be a configuration capable of executing each process described below as performed by the information processing apparatus. Any configuration may be adopted.

  The CPU 91 executes various processes using computer programs and data stored in the ROM 92 and the RAM 93, thereby controlling the operation of the entire apparatus and executing processes described later as performed by the apparatus. . The CPU 91 also has a timer function for timing.

  The ROM 92 stores setting data and a boot program for the apparatus.

  The RAM 93 has an area for temporarily storing computer programs and data loaded from an HDD (Hard Disk Drive) 94 and an area for temporarily storing data received from the outside via the interface 97. The RAM 93 also has a work area used when the CPU 91 executes various processes. That is, the RAM 93 can provide various areas as appropriate.

  The HDD 94 stores an OS (Operating System) and computer programs and data for causing the CPU 91 to execute processes described later as those performed by the apparatus. This computer program includes a process monitor (first monitoring means) and a system monitor (second monitoring means) described later. Further, this data includes list data to be described later. Computer programs and data stored in the HDD 94 are appropriately loaded into the RAM 93 under the control of the CPU 91 and are processed by the CPU 91.

  The input device 95 is an operation input interface such as a keyboard and a mouse, and various instructions can be input to the CPU 91 by a user of the device.

  The display device 96 is configured by a CRT, a liquid crystal screen, or the like, and can display a processing result by the CPU 91 with an image, text, or the like.

  The interface 97 includes an interface for connecting the apparatus to a network such as a LAN or the Internet, an interface for connecting an external memory such as a USB memory to the apparatus, and the like.

  Each of the above parts is connected to the bus 98.

  Next, a process managed in the HDD 94, a process monitor, a system monitor, and peripheral units related to them will be described with reference to FIG.

  The OS 110 manages various processes, and a process monitor that monitors the operation of the process is set for each process. More specifically, the process monitor is injected (code injection) into the process. Then, the process monitor monitors the operation of the process, and detects whether there is an operation such as activation of another process, file access by the process, network access by the process, API 114 call by the process, or the like.

  In FIG. 1, as an example, the OS 110 manages process A and process B, process A is set for process A, and process monitor B is set for process B.

  The process monitor is actually set for each module in the process, and its operation is monitored for each module. However, in order to simplify the explanation, the process monitor is set for the process. It will be described as a thing.

  The OS 110 also manages the system monitor 111. The system monitor 111 monitors the behavior of the apparatus regardless of the process. For example, an instruction input event to the apparatus, a window message, and a print output via the interface 97 (communication I / F 113 in FIG. 1) generated when the user operates the input apparatus 95 (input device 112 in FIG. 1). Monitor output events.

  As described above, by injecting the system monitor and the process monitor, detailed information regarding the operation of the system can be obtained from the input event by the user. Therefore, by collecting various types of information generated in the computer system, it is possible to monitor in detail even the inside of the system, and furthermore, it is possible to quickly and accurately detect unauthorized programs that execute unauthorized attacks and intrusions. . The process monitor may be anything that can monitor processes such as API hooks and filter drivers.

  Next, the process monitor will be described. Since the process monitor has a common configuration for all processes, the process monitor for process A will be described below as an example.

  As illustrated in FIG. 3, the process monitor A includes a control unit 301 and a monitoring unit 302. The control unit 301 is for performing operation control of the process A according to the monitoring result by the monitoring unit 302. The monitoring unit 302 monitors the operation of the process A and detects whether or not there is an operation such as activation of another process, file access by the process A, network access by the process A, and API 114 calling by the process A. More specifically, the monitoring unit 302 collects information such as API calls and system call calls by the process A as information generated by the process A. More specifically, as the information generated by the process A, the monitoring unit 302 of the process monitor acquires, for example, the module type, the type of the called function, the argument value, the read source address, the time stamp, and the like. The monitoring unit 302 detects from the collected information whether or not there is a behavior indicating an unauthorized attack or intrusion, that is, whether there is an operation such as file access, network access, or activation of another process.

  The system monitor includes a monitoring unit 201 as illustrated in FIG. The monitoring unit 201 collects information related to the operation of the apparatus regardless of the process. And the monitoring part 201 detects the event regarding operation | movement of this apparatus based on this collected information. For example, an instruction input event to this apparatus that occurs when the user operates the input device 95 (input device 112 in FIG. 1), a window message, print output via the interface 97 (communication I / F 113 in FIG. 1), etc. Detect whether there was an output event.

  During a period when the monitoring unit 201 does not detect an instruction input event corresponding to a user operation on the input device 95, the monitoring unit 302 of the process monitor A performs operations such as file access, network access, and activation of other processes. Suppose that it is detected. At this time, the control unit 301 of the process monitor A regards the process A as an illegal program and forcibly stops the operation of the process A. Note that the control unit 301 of the process monitor A sends an e-mail stating that the process A has been detected as an unauthorized program to a specified transmission destination (for example, a system administrator) instead of or in addition to this forced stop. You may make it transmit. Further, the SNMP manager may be notified by an SNMP trap.

  In addition, when a malicious program is detected, it is necessary to immediately disconnect the information processing apparatus from the network to prevent the damage from spreading. Therefore, when the control unit 301 forcibly stops the operation of the malicious program, the control unit 301 stops all the interfaces included in the information processing apparatus in order to prevent the damage caused by the malicious program. That is, the network connection is automatically disconnected, all data input from the external storage device such as a USB device is stopped, and process execution is also prohibited to prevent further unauthorized program execution. As described above, various processes are conceivable to be executed when a malicious program is detected.

  Note that there is also a process that is clearly illegitimate in the information processing apparatus, and this non-illegal process may perform operations such as file access and network access during a period in which user operations cannot be detected. is there. In such a case, this non-invalid process is detected as an illegal program by the system monitor and the process monitor.

  Therefore, in order to deal with such a problem, information (for example, process name) for specifying a process that is not unauthorized (non-illegal process) is registered in a list (white list) in advance. A configuration example of this list is shown in FIG. In FIG. 4, the process names of processes that are known not to be illegal are registered in the list.

  For example, it is assumed that the monitoring unit 302 of the process monitor A detects operations such as file access, network access, and activation of other processes during a period in which the monitoring unit 201 does not detect the instruction input event. At this time, the control unit 301 of the process monitor A refers to the above list before considering the process A as a malicious program. Then, the control unit 301 of the process monitor A determines whether or not the information of the process A is registered in the above list, and if it is registered, determines that the process A is not a malicious program. On the other hand, if it is not registered, it is determined that the process A is a malicious program. Note that various methods of using the above list are conceivable, and the list is not limited to a specific method of use. For example, the process name of the process registered in the list can be excluded in advance from the process monitoring target monitored by the process monitor monitoring unit 302. By doing so, it is possible to prevent a process that is clearly not illegal from being erroneously detected as an illegal program. In step S701, processes registered in the list of FIG. 4 among the processes can be excluded from the monitoring targets in advance.

  Next, processing performed by the information processing apparatus will be described with reference to FIG. 7 showing a flowchart of the processing. In the following description, the system monitor monitoring unit 201, the process monitor control unit 301, and the process monitor monitoring unit 302 will be described as the main processing units, but actually, the CPU 91 executes these functional units. Corresponding processing is executed.

  In step S701, the process monitor monitoring unit 302 for each process managed by the OS 110 starts monitoring the operation of the process.

  In step S <b> 702, the monitoring unit 201 of the system monitor has received an instruction input event to the apparatus generated by the user operating the input apparatus 95, or an output event such as a window message or print output via the interface 97. Judge whether or not. As a result of this determination, if it is determined that there is not, the process proceeds to step S703, and if it is determined that it is, the process according to the flowchart of FIG. 7 is terminated.

  In step S703, the process monitor monitoring unit 302 for each process determines whether the process is trying to access the network from the information generated by the process. As a result of this determination, if one or more processes are trying to access the network, the process proceeds to step S706. If there is no process attempting to access the network, the process proceeds to step S704.

  In step S704, the monitoring unit 302 of the process monitor for each process determines whether the process is trying to access a file from the information generated by the process. If it is determined that one or more processes are trying to access the file, the process proceeds to step S706. If there is no process attempting to access the file, the process proceeds to step S705.

  In step S705, the process monitor monitoring unit 302 for each process determines whether or not the process is to be restarted from information generated by the process. As a result of this determination, when one or more processes are trying to restart a predetermined number of times within a predetermined period (for example, when restarting twice or more from 17:00 to 9:00 on the next day), the process proceeds to step S706. Proceed to On the other hand, when there is no process to be restarted, the process according to the flowchart of FIG. The order in which steps S703, S704, and S705 are executed is arbitrary, and may be executed in any order.

  In step S <b> 706, the process monitor control unit 301 for a process (hereinafter referred to as a target process) trying to access the network, access a file, or restart is referred to the above list. Then, the process monitor control unit 301 for the target process determines whether information on the target process is registered in the list. As a result of this determination, if registered, it is determined that the target process is not a malicious program, and the processing according to the flowchart of FIG. 7 is terminated. On the other hand, if it is not registered, the target process is determined to be an unauthorized program, and the process proceeds to step S707.

  In step S707, the control unit 301 of the process monitor for the target process is set in advance to stop the target process or remove the virus, or whether the user instructs using the input device 95. Determine whether. As a result of this determination, if the target process has been set in advance to remove the virus or the user has instructed using the input device 95, the process proceeds to step S708. On the other hand, if such an instruction or setting has not been made, the process according to the flowchart of FIG. 7 ends.

  In step S708, the process monitor control unit 301 for the target process stops the target process. As described above, in this step, instead of or in addition to this, an e-mail stating that the target process has been detected as a malicious program may be transmitted to a prescribed destination. Further, as described above, in this step, all the interfaces included in the information processing apparatus may be stopped.

  Further, as described above, it is also possible to perform processing for previously removing processes registered in the list from monitoring targets. In that case, in step S701, the processes registered in the list are excluded from the monitoring targets in advance, and the processes to be monitored (processes not registered in the list) are monitored. In this case, in step S706, when it is detected that the prescribed operation is being executed by the process to be monitored, it is determined that this process is a malicious program without referring to the above list.

  As described above, according to the present embodiment, since the malicious program is detected by the information processing operation and the process behavior by the user, the malicious program can be detected without depending on the definition file.

  In addition, by registering a process that is clearly not a malicious program in the white list, the probability of erroneous detection as a malicious program can be reduced, and a malicious program can be detected more accurately.

  In addition, when a malicious program is detected, various interfaces provided in the information processing device are automatically blocked, so that damage caused by a malicious program including undetected malicious programs can be minimized. .

[Second Embodiment]
In the present embodiment, the system monitor has a control unit in addition to the monitoring unit 201, and the control unit forcibly changes the network connection destination when an unauthorized program is detected. In this embodiment, when a malicious program is detected, the control unit of the system monitor switches the network connection destination to the quarantine network.

  The quarantine network is a network used for a mechanism for connecting a device to be connected to a network such as a LAN to a network isolated from the network and confirming the safety of the device. If safety cannot be confirmed, it is possible to connect to the network after applying a patch or the latest virus definition file. With such a mechanism, only devices regarded as safe can be connected to the network, and the network can be kept secure. In addition, isolation methods for the quarantine network include a DHCP authentication method, an authentication VLAN method, a personal firewall method, an authentication gateway method, and the like.

  A configuration example of a network system in which a plurality of information processing apparatuses described in the first embodiment are connected will be described with reference to FIG. In FIG. 5, all of the information processing apparatuses 501 to 503 are the information processing apparatuses described in the first embodiment. Each of the information processing apparatuses 501 to 503 is connected to a switch 504 connected to the network 505. A quarantine network 507 is connected to the network 505. The quarantine network 507 includes an isolation unit 508, an inspection unit 509, and a treatment unit 510.

  The control unit of the system monitor in the information processing apparatuses 501 to 503 changes the network connection destination to the quarantine network 507 when an unauthorized program is detected. The CPU 91 connects the apparatus to the quarantine network 507 in cooperation with the switch 504 and the isolation unit 508.

  The inspection unit 509 receives information related to security, such as a correction program and version applied to the OS 110 and various software in the information processing apparatus connected to the quarantine network 507, definition file information of virus software, and the like. Collect from. Then, the inspection unit 509 determines whether the information processing apparatus is safe from the collected information. If the information processing apparatus determines that the information processing apparatus is safe, the inspection unit 509 permits the information processing apparatus to connect to another device on the network 505. To do. On the other hand, if the examination unit 509 determines that it is not safe, it notifies the treatment unit 510 to that effect. Such a determination as to whether or not it is safe may be performed by a general virus check, and is not limited to a specific method. For example, it is checked whether the latest correction program is applied to the OS 110, software, or the like, the latest malicious program definition file is applied, and the like.

  The treatment unit 510 performs actions necessary for keeping the information processing apparatus safe, such as the OS 110 in the information processing apparatus connected to the quarantine network 507, the latest software update program, and virus software definition files. This is performed on the information processing apparatus. When the inspection unit 509 determines that the information processing apparatus is safe as a result of applying these, the inspection unit 509 permits the information processing apparatus to connect to another device on the network 505.

  When the CPU 91 of the information processing apparatus receives connection permission from the quarantine network 507 to another device on the network 505, the CPU 91 controls the switch 504 so that the other device on the network 505 can be accessed.

  As described above, according to the present embodiment, when a malicious program is detected, it is automatically isolated to the quarantine network, and the latest correction program and virus definition file are applied by inspection and treatment to restore to a safe state. it can. Many of the attacks on known vulnerabilities to the OS 110 and software can be prevented if the latest correction program is applied, so that the effect is high.

[Third Embodiment]
The information processing apparatus described in the first embodiment or the second embodiment can construct a more secure environment in cooperation with devices on the network. For example, it is possible to block communication between a malicious program and a C & C server (command & control server) or communication by a malicious program impersonating a bot by linking with a firewall as a gateway device.

  There are many companies that have to continue to use an OS that is no longer supported. In this case, of course, since the OS correction program is not provided, the correction program cannot be applied. If the patch cannot be applied, the system will be operated with security vulnerabilities. Also, if you are operating a mission critical system, etc., if you apply a modification program to the OS, there is a risk that the mission critical system may not operate due to a problem with the modification program. Often not applicable. In such a case, the information processing apparatus is susceptible to attacks on vulnerabilities by malicious programs, and must continue to operate the system while holding risks.

  When a modification program is not applied to the OS or software in the information processing apparatus, if the information processing apparatus is attacked against a vulnerability such as a buffer overflow, the program is executed illegally and the information processing apparatus A malicious program is installed.

  When a malicious program is detected by an information processing device on the network, it is suspected that the malicious program is infected by another information processing device having the same vulnerability as the information processing device due to the characteristics of the malicious program There is. This malicious program may communicate with a C & C server (command and control server) on the Internet or may become a bot and perform a DoS (Denial of Services) attack on a server on the Internet. Or there is a risk of leaking data stored in the information processing apparatus as spyware to the Internet.

  FIG. 6 is a diagram illustrating cooperation between the information processing apparatus and the gateway device. In order to prevent the critical situation as described above to a minimum, when the information processing apparatus detects an unauthorized program, it issues a communication cutoff command to the gateway device via the router. When the gateway device receives this command, it automatically cuts off communication with the Internet. The gateway device may be a device that operates in a DMZ (demilitarized zone) and directly communicates with the Internet, or a router in a LAN.

  As described above, according to the present embodiment, even if the latest correction program cannot be applied unavoidably, the information processing apparatus cooperates with the gateway device to block communication, thereby minimizing the damage caused by the unauthorized program. Can be suppressed.

[Fourth Embodiment]
By using the first to third embodiments, an information processing system that performs the following operations can be constructed. The operation of such an information processing system will be described using the flowchart of FIG. This information processing system has a configuration in which a quarantine network 507 is connected to the Internet in the configuration of FIG.

  In step S801, the processes in steps S701 to S706 described above are performed, and a malicious program is detected.

  In step S802, as described in the first to third embodiments, a process is stopped, communication with the Internet is interrupted, data communication with an external device is interrupted, and the like.

  In step S803, the monitoring unit 201 of the system monitor notifies the gateway device of a network cutoff command. In step S804, the monitoring unit 201 of the system monitor notifies all information processing apparatuses connected to a management server (not shown) that manages a plurality of information processing apparatuses to execute a virus scan command.

  In step S805, the information processing apparatus is connected to the quarantine network 507. In step S806, the quarantine network 507 applies the latest patch to the information processing apparatus or executes virus scanning.

  Thus, when a malicious program is detected in a certain information processing apparatus, there is a suspicion that the malicious program is infected in another information processing apparatus managed by the management server. According to this embodiment, it is possible to restore an information processing apparatus other than the information processing apparatus in which the malicious program is detected to a safe state while minimizing the damage of the malicious program.

Claims (12)

Information processing apparatus comprising: first monitoring means for monitoring operation of a process executed in the information processing apparatus; and second monitoring means for monitoring an instruction from the user to the information processing apparatus Because
When the first monitoring unit detects that a prescribed operation is being executed by the process during a period in which the second monitoring unit has not detected the instruction, the information processing apparatus An information processing apparatus comprising control means for performing control. The control means includes
The information processing apparatus according to claim 1, wherein a process that is not registered in the list in which the non-illegal process is registered is stopped.   If the first monitoring means detects that the specified operation is being executed by the process during the period, the control means sends an e-mail stating that the process has been detected as a malicious program The information processing apparatus according to claim 1, wherein:   The control means stops all the interfaces in the information processing apparatus when the first monitoring means detects that a prescribed operation is being executed by the process during the period. The information processing apparatus according to claim 1.   The control means restores the safety of the information processing apparatus when the first monitoring means detects that a prescribed operation is being executed by the process during the period The information processing apparatus according to claim 1, wherein the information processing apparatus is connected to a network.   When the first monitoring unit detects that a predetermined operation is being executed by the process during the period, the control unit sets a gateway device that connects the information processing apparatus and the network. The information processing apparatus according to claim 1, wherein the information processing apparatus instructs the connection to the network to be cut off.   The information processing apparatus according to claim 1, wherein the first monitoring unit is a process monitor, and the second monitoring unit is a system monitor.   The information processing apparatus according to any one of claims 1 to 7, wherein the prescribed operation includes file access, network access, and reactivation more than a predetermined number of times.   2. The information according to claim 1, wherein the first monitoring unit refers to a list in which processes excluded from monitoring targets are registered, and monitors operations of processes not registered in the list. Processing equipment.   The control means controls the information processing apparatus when the first monitoring means detects that a prescribed operation is being executed by a process to be monitored. 9. The information processing apparatus according to 9. Information processing apparatus comprising: first monitoring means for monitoring operation of a process executed in the information processing apparatus; and second monitoring means for monitoring an instruction from the user to the information processing apparatus Is an information processing method performed by
When the first monitoring unit detects that the control unit of the information processing apparatus is executing a specified operation by the process during a period in which the second monitoring unit does not detect the instruction The information processing method characterized by performing control with respect to this information processing apparatus.   The computer program for functioning a computer as a control means of the information processing apparatus according to any one of claims 1 to 10.

Images