JP2016071707A - Infection check device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a device that immediately detects infection by malware, and can deal with the infection.SOLUTION: Each of terminal devices T1, T2...Tn used by users, who are an employee, is connected to an infection check device 20 via a network. Operation status acquisition means 4 is configured to acquire an operation status of each of the terminal devices T1, T2...Tn, and infection determination means 6 is configured to compare an operation status 12 of the terminal device Tc (not shown) to be used by the user of a monitor object with an operation status 14 of the terminal device Tf (not shown) to be used by the user of a comparison object on the basis of an operation status recorded in a recording unit 10. As a result of the comparison, when the operation status of the terminal device Tc of the user of the monitor object is unique in contrast to the operation status of the terminal device Tf of the user of the comparison object, it is determined that the terminal device Tc of the user of the monitor object is infected.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an apparatus that detects that a malware has been infected.

  In computer systems, measures have been taken to prevent damage from virus and other malware infections. For example, what is called virus check software is widely used. In this method, when a file is downloaded to the terminal device, it is checked whether or not the file contains malware by referring to a previously prepared dictionary of malware information (see Patent Document 1, etc.). .

  In addition, a virtual environment called Sandbox is constructed, and files received from outside are operated in Sandbox. In the sandbox area, other programs and data cannot be manipulated, so if malware enters, it will not be damaged.

JP2010-146566A

  However, the conventional virus check software has a problem that it can be checked only by malware whose presence has been known in advance. For this reason, although the malware information is regularly updated, there is a problem that it cannot keep up with new malware that appears one after another.

  In addition, Sandbox can handle new malware, but the operation of the software stored in the Sandbox is limited, which is inconvenient.

  An object of the present invention is to solve the above-described problems, and to provide an apparatus capable of quickly detecting and responding to malware infection.

  Listed below are some independent features of the invention.

(1) (2) The infection confirmation apparatus according to the present invention compares the operation status acquisition means for acquiring the operation status of each user's terminal device, the operation status of the monitored user, and the operation status of the user to be compared. And an infection determination means for determining that there is a possibility of infection when the operation status of the monitoring target user is peculiar to the operation status of the comparison target user.

  Therefore, it is possible to confirm the possibility of infection with malware that is not yet known.

(3) In the infection confirmation apparatus according to the present invention, the infection determination means has at least one of the operating program, the communication destination of the program, and the file accessed by the program, the operation status of the monitoring target user and the comparison target user. It is characterized by comparing operating conditions.

  Therefore, the possibility of infection can be determined more accurately.

(4) The infection confirmation apparatus according to the present invention is characterized in that the infection determination means sets a user selected based on at least one of the following criteria as a monitoring target user. (i) a user whose number of folders accessed within a predetermined period exceeds a predetermined number, (ii) a user whose communication volume outside the organization within a predetermined period exceeds a predetermined amount, and (iii) installed in a terminal device Users who have more than a certain number of software, (iv) users whose personal information disclosure level on the web exceeds a predetermined level, (v) users whose job title level in the organization exceeds a predetermined level .

  Therefore, it is possible to appropriately select the monitoring target user.

(5) The infection confirmation apparatus according to the present invention is characterized in that the infection determination means changes a threshold value for determining that the operation status of the monitored user is unique based on at least one of the following criteria: It is said. (i) Number of folders accessed within a specified period, (ii) Amount of communication outside the organization within a specified period, (iii) Number of software installed on terminal devices, (iv) Personal information on the web (V) the level of position within the organization.

  Therefore, it is possible to change the judgment of whether or not it is peculiar according to the degree of risk of the monitoring target user.

(6) (7) In the infection confirmation device according to the present invention, when the infection determination means determines that the terminal device of the monitoring target user is infected, it sends a warning to the terminal device of the administrator user, or Infection countermeasure means for stopping the communication function of the infected terminal device is further provided.

  Therefore, damage due to infection can be prevented quickly.

  In the embodiment, “usage status acquisition unit” corresponds to step S6.

  In the embodiment, “infection determination means” corresponds to step S9.

  In the embodiment, “infection handling means” corresponds to step S10.

  The “program” is a concept that includes not only a program that can be directly executed by the CPU, but also a source format program, a compressed program, an encrypted program, and the like.

It is a functional block diagram of the infection confirmation apparatus 20 by one Embodiment of this invention. This is a hardware configuration of the infection confirmation apparatus 20. 5 is a flowchart of an infection confirmation program 46. 5 is a flowchart of an infection confirmation program 46. It is an example of a log. It is an example of a log.

1. Overall Configuration FIG. 1 shows a functional block diagram of an infection confirmation apparatus 20 according to an embodiment of the present invention. Here, the case where the infection confirmation apparatus 20 is installed as a server apparatus in a company or the like will be described as an example.

  Each terminal device T1, T2,... Tn used by a user who is an employee is connected to the infection confirmation device 20 via a network. The operation status acquisition means 4 acquires the operation status of each terminal device T1, T2,... Tn. For example, it can be realized by obtaining operation log data from each terminal device T1, T2,... Tn. The operation status acquisition means 4 records the acquired operation status of each terminal device T1, T2,... Tn in the recording unit 10.

  Based on the operation status recorded in the recording unit 10, the infection determination means 6 determines the operation status 12 of the terminal device Tc (not shown) used by the monitoring target user and the terminal device Tf used by the comparison target user. The operation status 14 (not shown) is compared. It is preferable to use a plurality of terminal devices Tf to be compared.

  As a result of the comparison, if the operation status of the terminal device Tc of the monitoring target user is unique as compared to the operation status of the terminal device Tf of the comparison target user, it is determined that the terminal device Tc of the monitoring target user is infected. To do.

  When it is determined that the infection determination unit 6 is infected, the infection handling unit 8 invalidates the communication processing of the terminal device Tc to be monitored.

As described above, it is possible to prevent damage caused by malware infection by invalidating the communication processing of the terminal device that has performed an abnormal operation.

2. Hardware Configuration FIG. 2 shows a hardware configuration of the infection confirmation apparatus 20. A memory 32, a display 34, a hard disk 36, a communication circuit 38, a keyboard / mouse 40, and a DVD-ROM drive 42 are connected to the CPU 30. The communication circuit 38 is for connecting to an in-house network or the Internet.

In the hard disk 36, an operating system 44 and an infection confirmation program 46 are recorded. The infection confirmation program 46 performs its function in cooperation with the operating system 44. These programs are those recorded on the DVD-ROM 52 and installed via the DVD-ROM drive 42. It may be downloaded via the Internet.

3. Infection Confirmation Process FIG. 3 shows a process for determining a monitoring target user and a comparison target user in the flowchart of the infection confirmation program 46.

  The CPU 30 of the infection confirmation device 20 (hereinafter may be abbreviated as the infection confirmation device 20) accesses an in-house server device (not shown) in which the employee DB is recorded, and acquires employee information (step S1). ). In this embodiment, the position of each employee is acquired.

  Next, the infection confirmation apparatus 20 accesses a site relating to the employee and obtains public information in order to check how much the employee has disclosed his / her information on the Internet (step S2). For example, public information is collected from a homepage, an SNS page, etc. that the employee has disclosed.

  Subsequently, the infection confirmation apparatus 20 calculates how much each employee is likely to be subjected to a malware attack (that is, the degree of risk) based on the employee information and public information (step S3).

  In this embodiment, if each employee is an important position, it is determined that the degree of risk is high. This is because the higher the position, the more likely it is to be subject to malware attacks because it is assumed that important information is handled.

  Moreover, if important information is included in the public information of each employee on the Internet, it is determined that the degree of risk is high. In this embodiment, if the company is disclosed or the address is disclosed, it is determined that the risk is high. This is because when such information is available on the Internet, it is easy to perform a malware attack.

  Specifically, for example, the risk D (%) is calculated by the following equation.

D = CN + AD + TI
Here, CN is the degree of risk related to the disclosure of the company name, and is 33.3% when the company name is disclosed and 0% when the company name is not disclosed. AD is the degree of risk related to address disclosure, and is 33.3% when the address is disclosed and 0% when the address is not disclosed. TI is the degree of risk related to the position. For example, the president is 33%, the department manager is 20%, and the section manager is 10%.

  Next, the infection confirmation apparatus 20 extracts employees whose risk level D exceeds a predetermined threshold and sets them as monitoring target users (step S4). For example, an employee whose degree of risk exceeds 70% is set as a monitoring target user.

  Subsequently, a comparison target user is determined for each monitoring target user (step S5). Here, it is preferable that the number of comparison target users is plural. The comparison target user is preferably selected from employees with low risk (for example, employees with a risk of 30% or less). In addition, the higher the risk level of the monitoring target user, the comparison target user is selected from employees with a low risk level.

  Note that the comparison target users are increased as the risk level of the monitoring target user is higher, and the number of comparison target users is decreased as the risk level of the monitoring target user is lower. This is because, as will be described later, as the number of comparison target users increases, a slight abnormal situation of the monitoring target user is more easily detected.

  In this embodiment, based on the past access log of each employee, an employee whose access file or usage program (exe file) is similar to the monitoring target user is set as a comparison target user.

  The monitoring target user and the comparison target user determined as described above are recorded in the hard disk 36.

  FIG. 4 shows an infection confirmation processing flowchart. First, the infection confirmation apparatus 20 acquires a log of the monitoring target user (step S6). Here, the log of the monitoring target user refers to a log of the terminal device Tc registered as acquired and used by the monitoring target user. The same applies to the log of the comparison target user.

  In this embodiment, it is acquired once per hour. That is, the process of FIG. 4 is performed every hour. Therefore, the latest one hour log is acquired. In this embodiment, a log acquisition / recording program is installed in advance in each employee's terminal device T, and the log recorded in the terminal device T is acquired from the infection confirmation device 20. . Alternatively, the log may be periodically transmitted from the terminal device T to the infection confirmation device 20.

  Subsequently, a log of the terminal device Tf of the comparison target user for the monitoring target user is acquired (step S7).

  The infection confirmation apparatus 20 refers to the log of the monitoring target user and confirms whether the exe file (execution file) being used and the IP address of the data transmission destination are not registered as known malware. (Step S8). Such malware information is periodically recorded and updated in advance in the infection confirmation apparatus 20 as a definition file.

  For example, as shown in FIG. 5, taskxxx.exe appears in the log of the monitoring target user as indicated by reference numeral 62. If this is known malware, it can be determined that the user is infected. Further, as indicated by reference numeral 60, if the communication destination 152.28.253.10 is a known malware communication destination, it can be determined that it is infected.

  If it is determined that there is an infection, the infection confirmation apparatus 20 transmits a warning that the monitoring target terminal Tc is infected to the administrator's terminal device (step S10).

  Next, the infection confirmation apparatus 20 compares the log of the monitoring target user with the log of the comparison target user to determine whether the use exe, the destination IP, and the access file have specificity (step S9). .

  For example, it is assumed that the log of the monitoring target user and the log of the comparison target user are as shown in FIG. As is clear from this figure, Internet Free.exe used by the monitoring target user accesses a folder c: // kenkyu as indicated by reference numeral 64. On the other hand, Internet Free.exe accesses a folder c: // soumu as indicated by reference numerals 66, 68, and 70 in the log of the comparison target user. Since there is clearly specificity, it is determined that there is a possibility that the terminal device Tc of the monitoring target user is infected with malware. If it is determined that there is specificity, a warning is transmitted to the administrator terminal device (step S10).

  The specificity is determined as follows, for example. This is extracted from the monitored user's log and the comparison target user's log that shows the same usage exe. The appearance frequency of the combination of the use exe and the file of the comparison target user is calculated for each combination. In the case of FIG. 6, there are three combinations of Internet Free.exe and c: // soumu.

  If at least one of the combination of the use exe and the file of the monitoring target user appears in the log of the comparison target user, it is determined that there is no specificity. If the same combination does not exist, the occupancy ratio of the most frequently used exe and file combination in the comparison target user log is calculated. For example, if the A.exe and F files are 10 times, the A.exe and C files are 3 times, and the A.exe and B files are 1 time, the occupation ratio is 10/14. As described above, if the same combination of usage exe and file of the monitoring target user is not found in the log of the comparison target user, there is specificity if this occupancy exceeds a predetermined ratio (for example, 50%) Judge. Note that the predetermined ratio may be 50% or less. Further, if there is no combination of the use exe and the file of the monitoring target user in the comparison target user log, it may be immediately determined that there is specificity.

  In the above description, the combination of the use exe and the file has been described. However, the infection confirmation apparatus 20 similarly examines the use exe and the transmission destination IP and the transmission destination IP and the file to determine whether or not there is specificity.

As described above, by finding the difference from the log of the comparison target user, it is possible to confirm the presence or absence of malware infection for the monitoring target user.

4). Other
(1) In the above embodiment, in order to select a user to be monitored, public information on the title and the Internet is used. However, instead of or in addition to this, the amount of communication to outside the company (the higher the risk, the higher the risk), the number of installed software (the higher the risk, the higher the risk), and the number of accesses to important folders (the higher the risk, the higher the risk) May be used as a criterion.

  Further, it may be determined that an employee who accesses a folder with a small number of accesses has a higher risk. For example, this risk level can be calculated as the total number of employees / the number of employees accessing the folder.

(2) In the above embodiment, when it is determined that there is specificity, a warning is transmitted to the administrator's terminal device. However, it may be controlled from the infection confirmation device 20 side to prohibit communication with the outside of the terminal device Tc of the monitoring target user.

(3) In the above embodiment, the comparison target user is fixed. However, the comparison target user may be dynamically changed according to the situation at that time.

(4) In the above embodiment, the infection confirmation process of FIG. 4 is performed once an hour. However, this may be performed at longer intervals or shorter intervals.

  For example, the infection confirmation process of FIG. 4 may be performed at 1 second intervals (that is, substantially in real time). In this case, a comparison with the operation status of the comparison target user at the time of performing the infection confirmation process is performed. In this case, since the terminal device of the user to be compared may not be activated for one second to be compared, it is preferable to determine an appropriate comparison target user each time.

(5) In the above embodiment, the specificity is determined for all combinations of the used exe, the destination IP, and the access file, and if any one is unique, it is determined that there is a possibility of infection. However, the specificity may be determined based on only a specific combination. Moreover, you may make it judge based on three combinations. Furthermore, the use exe, the destination IP, and the access file may be independently compared to determine the specificity.

(6) In the above embodiment, the criterion for whether or not there is specificity is fixed regardless of the monitoring target user. However, the threshold value indicating whether or not there is specificity may be changed according to the risk level of the monitoring target user. For example, (i) the number of folders accessed within a predetermined period, (ii) the amount of communication outside the organization within a predetermined period, (iii) the number of software installed in the terminal device, (iv) The threshold value may be changed according to the disclosure level of personal information, (v) the position level within the organization, and the like.

(7) In the above-described embodiment, the infection confirmation device 20 as a server determines a monitoring target user and a comparison target user, and performs a comparison of logs of each user, judgment of specificity, and warning.

  However, the terminal device of each user may perform the above processing. For example, it is determined whether the terminal device itself of each user connected in the communication network is to be monitored or compared. When it is determined that the target is a comparison target, the possibility of malware infection of the terminal device to be monitored may be determined by monitoring and comparing the logs of the terminal device to be monitored.

Claims (7)

Operation status acquisition means for acquiring the operation status of the terminal device of each user;
If the operation status of the monitoring target user is compared with the operation status of the comparison target user, and the operation status of the monitoring target user is unique to the operation status of the comparison target user, there is a possibility of infection. Infection determination means to determine,
Infection confirmation device. An infection confirmation program for realizing an infection confirmation apparatus by a computer,
Operation status acquisition means for acquiring the operation status of the terminal device of each user;
If the operation status of the monitoring target user is compared with the operation status of the comparison target user, and the operation status of the monitoring target user is unique to the operation status of the comparison target user, there is a possibility of infection. An infection confirmation program for functioning as an infection determination means. In the apparatus of claim 1 or the program of claim 2,
The infection determination unit compares the operation status of the monitoring target user with the operation status of the comparison target user for at least one of the operated program, the communication destination of the program, and the file accessed by the program. Or program. In the apparatus or program in any one of Claims 1-3,
The infection determination means sets a user selected based on at least one of the following criteria as a monitoring target user.
(1) Users whose number of folders accessed within the specified period exceeds the specified number
(2) Users whose communication volume outside the organization within the specified period exceeds the specified amount
(3) Users whose software installed on the terminal device exceeds the specified number
(4) Users whose personal information disclosure level on the web exceeds the specified level
(5) Users whose job title level in the organization exceeds a predetermined level. In the apparatus or program in any one of Claims 1-4,
The infection determination unit changes a threshold value for determining that the operation status of the monitoring target user is unique based on at least one of the following criteria.
(1) Number of folders accessed within a specified period
(2) Traffic volume outside the organization within a specified period
(3) Number of software installed in the terminal device
(4) Disclosure level of personal information on the web
(5) Job level within the organization. In the apparatus in any one of Claim 1, 3-5,
When the infection determining means determines that the terminal device of the monitoring target user is infected, an infection countermeasure that transmits a warning to the terminal device of the administrator user or stops the communication function of the infected terminal device An apparatus further comprising means. In the program according to any one of claims 2 to 5, when the infection determination unit determines that the terminal device of the monitoring target user is infected, a warning is transmitted to the terminal device of the administrator user. Alternatively, a program that functions as an infection countermeasure unit that stops the communication function of the infected terminal device.

Images