JP2016143320A - Log monitoring method, log monitor, log monitoring system, and log monitoring program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To detect a suspicious monitoring object at an early stage.SOLUTION: When a monitoring object collates log data among plural identical logs, the log monitoring method causes a computer to execute the steps of: acquiring a combination of log data to be determined as abnormal from the combinations of conditions indicated by the log data as abnormal pattern 11a from a storage 11; determining whether the combination of log data matches with the abnormality pattern 11a with respect to plural logs on each of the plural monitoring objects; and when the combination of log data matches, causing the storage 11 to store a piece of monitoring information 11b including at least a part of the log data for each.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a log monitoring method, a log monitoring device, a log monitoring system, and a log monitoring program.

  Research is being conducted on techniques for analyzing logs output from various devices such as network devices (hereinafter referred to as NW devices) and file servers and detecting attacks and unauthorized access to the system to prevent failures and information leakage.

  For example, a system that detects unauthorized access by analyzing a plurality of communication logs has been proposed. This system sets boot force attack, port scan, and the like as patterns to be monitored, and analyzes connection IP (Internet Protocol) and connection time. In addition, a log management method has been proposed in which date and time information is managed for each log, logs are rearranged based on the date and time, the logs are integrated, and the integrated log is displayed.

  When fraud is detected from the analysis result of the log output by each device to be monitored, for example, each device or the security system transmits an email notifying the administrator of the fraud. There is also a system for notifying an administrator of fraud by using Patlite (registered trademark) or buzzer instead of email. The administrator analyzes the notified fraud contents and identifies the cause of the fraud.

JP 2002-318734 A JP 2008-210308 A

  In many cases, there are an enormous amount of logs that are referenced to identify the cause, so it takes a long time to perform the specific work, and whether the cause is identified depends on the skill level of the administrator. In addition, since the administrator starts to identify the cause when any device detects fraud, the system is in danger until each device detects fraud. In other words, the cause identifying operation is started after a log (hereinafter referred to as an abnormal log) that the device determines to be illegal is detected.

  If the cause is delayed, damage will become serious. If a situation suspected of fraud can be detected at an early stage, such serious damage can be avoided. However, it is practically difficult for an administrator to find a suspected fraud situation from a log that occupies most of the enormous log output by the device and from which the device judges that there is no fraud (hereinafter, normal log). It is also a problem how to find a situation where fraud is suspected from the normal log that each device has determined to be fraudulent.

  An object of the present invention is to provide a log monitoring method, a log monitoring device, a log monitoring system, and a log monitoring program capable of early detection of a monitoring target suspected of fraud.

  In one aspect, when the computer collates the log contents of the logs from a plurality of logs with the same monitoring target from the storage unit, the log contents determined to be abnormal from the combination of the situations indicated by the log contents Is obtained as an abnormal pattern, and it is determined whether the combination of log contents matches the abnormal pattern for a plurality of logs related to a plurality of monitoring targets, and if they match, monitoring including at least a part of the log contents A log monitoring method for storing information in a storage unit for each monitoring target is provided.

  As one aspect, early detection of a monitoring target suspected of fraud becomes possible.

It is the figure which showed an example of the log monitoring system which concerns on 1st Embodiment. It is the figure which showed an example of the system which concerns on 2nd Embodiment. It is the figure which showed an example of the hardware which can implement | achieve the function of the monitoring apparatus which concerns on 2nd Embodiment. It is the block diagram which showed an example of the function of the monitoring apparatus which concerns on 2nd Embodiment. It is the 1st figure showing an example of the log registered into the log database concerning a 2nd embodiment. It is the 2nd figure showing an example of the log registered into the log database concerning a 2nd embodiment. It is the 3rd figure showing an example of the log registered into the log database concerning a 2nd embodiment. It is the 4th figure showing an example of the log registered into the log database concerning a 2nd embodiment. It is the 5th figure showing an example of the log registered into the log database concerning a 2nd embodiment. It is the 6th figure showing an example of the log registered into the log database concerning a 2nd embodiment. It is the figure which showed an example of the common key database which concerns on 2nd Embodiment. It is the figure which showed an example of the event database which concerns on 2nd Embodiment. It is the figure which showed an example of the behavior database which concerns on 2nd Embodiment. It is the figure which showed an example of the monitoring object database which concerns on 2nd Embodiment. It is the figure which showed an example of the threshold value database which concerns on 2nd Embodiment. It is the flowchart which showed the flow of the process which the monitoring apparatus which concerns on 2nd Embodiment performs. It is the flowchart which showed the flow of the construction process of the common key database which concerns on 2nd Embodiment. It is the flowchart which showed the flow of the construction process of the monitoring object database which concerns on 2nd Embodiment.

  Embodiments of the present invention will be described below with reference to the accompanying drawings. In addition, about the element which has the substantially same function in this specification and drawing, duplication description may be abbreviate | omitted by attaching | subjecting the same code | symbol.

<1. First Embodiment>
The first embodiment will be described with reference to FIG. FIG. 1 is a diagram illustrating an example of a log monitoring system according to the first embodiment. A log monitoring system 5 illustrated in FIG. 1 is an example of a log monitoring system according to the first embodiment.

As illustrated in FIG. 1, the log monitoring system 5 includes devices 21, 22, and 23 that output logs, and a log monitoring device 10 that acquires logs from the devices 21, 22, and 23.
Note that the number of devices included in the log monitoring system 5 is arbitrary. The devices 21, 22, and 23 are connected to the log monitoring device 10 via a network. The network may be wired or wireless. For example, the network is a local area network (LAN) or a wide area network (WAN). Some or all of the devices 21, 22, and 23 may be directly connected to the log monitoring apparatus 10 using a cable or the like.

(About equipment 21, 22, 23)
The devices 21, 22, and 23 are, for example, terminal devices, server devices, or NW devices.
The terminal device is a computer used by a user such as a personal computer, a thin client terminal, a mobile phone, a smartphone, or a tablet terminal. The terminal device outputs, for example, logs such as user login status, application program execution status, CPU load status, and network connection status.

  The server device is a computer such as an attendance management server, a login management server, a VPN (Virtual Private Network) server, a file server, a backbone system, a forensic server, an SNMP (Simple Network Management Protocol) server, an authentication server, a firewall, or a proxy server. . The NW device is, for example, a device such as a router, a switch, a load balancer, or a radio base station.

  The attendance management server outputs, for example, logs such as attendance status (attendance / not attendance), attendance time, and attendance time. The login management server outputs, for example, logs such as the user login time, logoff time, and login status (logged in / not logged in). The VPN server outputs, for example, logs such as VPN connection start time, disconnection time, and connection status (connected / not connected). For example, the file server outputs a log such as the access start time of the file and the file name of the access destination.

  The backbone system outputs, for example, logs such as usage status (in use / unused), use start time, user name in use, and IP address of the terminal device used at the time of use. The forensic server outputs, for example, logs of data transfer contents (file names and the like), transfer source and transfer destination IP addresses, transfer date and time, and the like.

  For example, the SNMP server outputs a log such as a traffic amount for each transmission destination. The authentication server outputs, for example, logs such as authentication status (authenticated / unauthenticated) and authentication date / time. For example, the firewall and the proxy server output logs such as the IP address of the transmission source and the transmission destination, the transmission date and time, and the like.

  The types of the devices 21, 22, and 23 are not limited to the above example. The types of logs output by the devices 21, 22, and 23 are not limited to the above example. For example, gateway log, filtering log, Syslog, DHCP (Dynamic Host Configuration Protocol) / DNS (Domain Name System) log, mail log, IDS (Intrusion Detection System) / IPS (Intrusion Prevention System) log, entrance / exit log, Air conditioning / lighting logs (on / off), temperature / humidity logs, and the like can also be used.

  Here, for convenience of explanation, the description will be made assuming that the device 21 is an attendance management server, the device 22 is a login management server, and the device 23 is a VPN server. In this case, the device 21 outputs a log (log # 1) as shown in FIG. The device 22 outputs a log (log # 2) as shown in FIG. The device 23 outputs a log (log # 3) as shown in FIG. Of course, the application range of the technology according to the first embodiment is not limited to this.

(About log monitoring device 10)
The log monitoring device 10 includes a storage unit 11 and a control unit 12.
The storage unit 11 is a volatile storage device such as a RAM (Random Access Memory) or a non-volatile storage device such as an HDD (Hard Disk Drive) or a flash memory. The control unit 12 is a processor such as a CPU (Central Processing Unit) or a DSP (Digital Signal Processor). However, the control unit 12 may be an electronic circuit such as an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA). For example, the control unit 12 executes a program stored in the storage unit 11 or another memory.

  The storage unit 11 sets, as an abnormal pattern 11a, a combination of log contents that is determined to be abnormal from a combination of situations indicated by the log contents when the log contents of the logs are collated between a plurality of logs having the same monitoring target. Remember. The log contents are log contents specified from information included in the logs output from the devices 21, 22, and 23.

  Referring to log # 1 illustrated in FIG. 1, the attendance status of employee A is “not attended” and the attendance status of employee B is “attendance”. Referring to log # 2, the login status of employees A and B is “login”. Referring to log # 3, the connection status of employees A and B by VPN connection is “not connected”.

  That is, referring to the log # 1, the situation where the employee A is not attending can be understood from the log content combining the information “A” indicating the employee name and the information “not attending” indicating the attendance status. Similarly, it can be seen from the log contents of log # 2 that employees A and B are logging in. Further, it can be seen from the log content of log # 3 that the employees A and B are not making a VPN connection.

  When paying attention to the employee A (monitoring target), the employee A is logged in to an in-house system managed by the login management server even though he / she is not at work. When logging in to an in-house system from outside the company, a VPN connection is used from the viewpoint of security, but employee A does not have a VPN connection. Then, there is a suspicion that somebody has illegally accessed the in-house system using the login ID of employee A or the like. On the other hand, when attention is paid to employee B as a monitoring target, a situation in which unauthorized access or the like is suspected does not occur.

  Logs # 1, # 2, and # 3 relating to employee A are output by the devices 21, 22, and 23 as normal logs. However, as described above, the employee A is clearly in an abnormal state. Such an abnormality is not easily detected even if only the logs output from the devices 21, 22, and 23 are analyzed. If an experienced administrator analyzes over a long period of time, it may be possible to detect anomalies. However, if it takes a long time to discover anomalies, there is a high risk of damage spreading.

  Therefore, the log monitoring apparatus 10 stores in the storage unit 11 a combination of log contents that can logically lead to the possibility of abnormality when a plurality of log contents are collated, and this abnormality pattern 11a is abnormal. Used to detect In the example of FIG. 1, when a combination of logs (abnormal pattern 11a) in which the attendance status is “not attended”, the login status is “login”, and the VPN connection status is “not connected” is determined to be abnormal. Is done.

  The determination process is executed by the control unit 12. The control unit 12 acquires a plurality of logs related to a plurality of monitoring targets from the devices 21, 22, and 23. For example, the control unit 12 acquires logs # 1, # 2, and # 3 related to the employee name “A” (log contents are logs of attendance status, login status, connection status). Similarly, the control unit 12 acquires a log related to the employee name “B”.

  Then, the control unit 12 determines whether the combination of log contents matches the abnormal pattern 11a for the acquired log, and if they match, the monitoring information 11b including at least a part of the log contents is monitored for each monitoring target. The data is stored in the storage unit 11.

  In the example of FIG. 1, since the log of the employee name “A” matches the abnormal pattern 11a, the control unit 12 stores the monitoring information 11b related to the employee name “A” in the storage unit 11. For example, the control unit 12 causes the storage unit 11 to store (1) only the employee name or (2) a set of employee name, attendance status, login status, and connection status as the monitoring information 11b. In the case of (1), the administrator can specify the monitoring target (employee) suspected of being abnormal from the monitoring information 11b in the storage unit 11. In the case of (2), the administrator can specify the reason for determining that there is a suspicion of abnormality along with the monitoring target.

  As described above, by applying the technology according to the first embodiment, it is possible to easily find an abnormality that is difficult to detect even if a log output from one device is analyzed. As a result, it is possible to respond more quickly to less sophisticated attacks such as spoofing, targeted attacks, and unauthorized access. Further, the dependence on the skill of the manager is reduced, and a high abnormality detection level can be stably maintained.

  In the above example, the employee name is used as a key to monitor individuals, but the key information is set to the login ID, MAC (Media Access Control) address, IP address, etc. of the computer used by the employee. May be. It is also possible to monitor a computer, not a person, using a MAC address or the like as a key. In addition, if information related to a log is included, for example, a department, a company, a group on a network, and the like can be monitored. Such a modification also belongs to the technical scope of the first embodiment.

The first embodiment has been described above.
<2. Second Embodiment>
Next, a second embodiment will be described.

[2-1. system]
A system according to the second embodiment will be described with reference to FIG. FIG. 2 is a diagram illustrating an example of a system according to the second embodiment.

As shown in FIG. 2, the system according to the second embodiment includes a monitoring device 100 and a monitored device group 200.
The monitoring device 100 analyzes a log output by each device included in the monitored device group 200, and identifies an object suspected of fraud such as spoofing, targeted attack, or unauthorized access. For example, the monitoring device 100 identifies a user or a computer that is suspected of unauthorized access from a combination of logs (normal logs) that the monitored device group 200 determines to be normal.

  The monitored device group 200 includes, for example, a terminal device used by a user such as a personal computer, a thin client terminal, a mobile phone, a smartphone, or a tablet terminal. The terminal device outputs, for example, logs such as user login status, application program execution status, CPU load status, and network connection status.

  The monitored device group 200 includes server devices such as an attendance management server, a login management server, a VPN server, a file server, a backbone system, a forensic server, an SNMP server, an authentication server, a firewall, and a proxy server.

  The attendance management server outputs, for example, logs such as attendance status (attendance / not attendance), attendance time, and attendance time. The login management server outputs, for example, logs such as the user login time, logoff time, and login status (logged in / not logged in). The VPN server outputs, for example, logs such as VPN connection start time, disconnection time, and connection status (connected / not connected). For example, the file server outputs a log such as the access start time of the file and the file name of the access destination.

  The backbone system outputs, for example, logs such as usage status (in use / unused), use start time, user name in use, and IP address of the terminal device used at the time of use. The forensic server outputs, for example, logs of data transfer contents (file names and the like), transfer source and transfer destination IP addresses, transfer date and time, and the like.

  For example, the SNMP server outputs a log such as a traffic amount for each transmission destination. The authentication server outputs, for example, logs such as authentication status (authenticated / unauthenticated) and authentication date / time. For example, the firewall and the proxy server output logs such as the IP address of the transmission source and the transmission destination, the transmission date and time, and the like.

  The monitored device group 200 includes NW devices such as routers, switches, load balancers, and radio base stations. Furthermore, the monitored device group 200 may include an entrance / exit management device, a power supply management device, an air conditioning management device, a lighting management device, a temperature / humidity management device, and the like. Logs that can be output from the monitored device group 200 include, for example, gateway log, filtering log, Syslog, DHCP / DNS log, mail log, IDS / IPS log, entrance / exit log, power supply / air conditioning / lighting log (on / off) ) And temperature / humidity logs.

The system according to the second embodiment has been described above. In the following, for the sake of explanation, the description will be made on the assumption of the system illustrated in FIG.
[2-2. hardware]
With reference to FIG. 3, hardware capable of realizing the function of the monitoring apparatus 100 will be described. FIG. 3 is a diagram illustrating an example of hardware capable of realizing the function of the monitoring apparatus according to the second embodiment.

  The functions of the monitoring apparatus 100 can be realized using, for example, hardware resources of the information processing apparatus illustrated in FIG. That is, the functions of the monitoring apparatus 100 are realized by controlling the hardware shown in FIG. 3 using a computer program.

  As shown in FIG. 3, this hardware mainly includes a CPU 902, a ROM (Read Only Memory) 904, a RAM 906, a host bus 908, and a bridge 910. Further, this hardware includes an external bus 912, an interface 914, an input unit 916, an output unit 918, a storage unit 920, a drive 922, a connection port 924, and a communication unit 926.

  The CPU 902 functions as, for example, an arithmetic processing unit or a control unit, and controls the overall operation of each component or a part thereof based on various programs recorded in the ROM 904, the RAM 906, the storage unit 920, or the removable recording medium 928. . The ROM 904 is an example of a storage device that stores a program read by the CPU 902, data used for calculation, and the like. The RAM 906 temporarily or permanently stores, for example, a program read by the CPU 902 and various parameters that change when the program is executed.

  These elements are connected to each other via, for example, a host bus 908 capable of high-speed data transmission. On the other hand, the host bus 908 is connected to an external bus 912 having a relatively low data transmission speed via a bridge 910, for example. As the input unit 916, for example, a mouse, a keyboard, a touch panel, a touch pad, a button, a switch, a lever, or the like is used. Furthermore, as the input unit 916, a remote controller capable of transmitting a control signal using infrared rays or other radio waves may be used.

  As the output unit 918, for example, a display device such as a CRT (Cathode Ray Tube), an LCD (Liquid Crystal Display), a PDP (Plasma Display Panel), or an ELD (Electro-Luminescence Display) is used. As the output unit 918, an audio output device such as a speaker or headphones, or a printer may be used. In other words, the output unit 918 is a device that can output information visually or audibly.

  The storage unit 920 is a device for storing various data. As the storage unit 920, for example, a magnetic storage device such as an HDD is used. Further, as the storage unit 920, a semiconductor storage device such as an SSD (Solid State Drive) or a RAM disk, an optical storage device, a magneto-optical storage device, or the like may be used.

  The drive 922 is a device that reads information recorded on a removable recording medium 928 that is a removable recording medium or writes information on the removable recording medium 928. As the removable recording medium 928, for example, a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory is used.

  The connection port 924 is a port for connecting an external connection device 930 such as a USB (Universal Serial Bus) port, an IEEE 1394 port, a SCSI (Small Computer System Interface), an RS-232C port, or an optical audio terminal. For example, a printer or the like is used as the external connection device 930.

  The communication unit 926 is a communication device for connecting to the network 932. Examples of the communication unit 926 include a wired or wireless LAN communication circuit, a WUSB (Wireless USB) communication circuit, an optical communication circuit or router, an ADSL (Asymmetric Digital Subscriber Line) communication circuit or router, A communication circuit for a cellular phone network is used. A network 932 connected to the communication unit 926 is a wired or wireless network, and includes, for example, the Internet, a LAN, a broadcast network, a satellite communication line, and the like.

  The hardware capable of realizing the function of the monitoring apparatus 100 has been described above. The functions of the monitored device group 200 can also be realized by using a part or all of the hardware illustrated in FIG. For example, the monitored device group 200 includes a CPU 902, a RAM 906, a communication unit 926, and the like. Therefore, detailed description of the hardware of the monitored device group 200 is omitted.

[2-3. Monitoring device functions]
The function of the monitoring device 100 will be described with reference to FIG. FIG. 4 is a block diagram illustrating an example of functions of the monitoring apparatus according to the second embodiment.

As illustrated in FIG. 4, the monitoring apparatus 100 includes a storage unit 101, a log collection unit 102, a key generation unit 103, a candidate detection unit 104, and a fraud determination unit 105.
Note that the function of the storage unit 101 can be realized by using the above-described RAM 906, the storage unit 920, or the like. The function of the log collection unit 102 can be realized by using the above-described CPU 902, connection port 924, communication unit 926, and the like. The functions of the key generation unit 103, candidate detection unit 104, and fraud determination unit 105 can be realized using the above-described CPU 902 and the like.

(Storage unit 101)
The storage unit 101 includes a log database 101a, a common key database 101b, an event database 101c, a behavior database 101d, a monitoring target database 101e, and a threshold database 101f.

(Log database 101a)
First, the log database 101a will be described. The log database 101a is a database in which logs collected from the monitored device group 200 are registered. Examples of logs registered in the log database 101a are shown in FIGS. In FIGS. 5 to 10, for convenience of explanation, logs are described as combination examples # 1 to # 6. However, logs are not associated with each combination in the log database 101a. Also good.

  FIG. 5 is a first diagram illustrating an example of a log registered in the log database according to the second embodiment. FIG. 6 is a second diagram illustrating an example of a log registered in the log database according to the second embodiment. FIG. 7 is a third diagram illustrating an example of a log registered in the log database according to the second embodiment.

  FIG. 8 is a fourth diagram illustrating an example of a log registered in the log database according to the second embodiment. FIG. 9 is a fifth diagram illustrating an example of a log registered in the log database according to the second embodiment. FIG. 10 is a sixth diagram illustrating an example of a log registered in the log database according to the second embodiment.

  The example of FIG. 5 (combination example # 1) shows logs related to attendance management, login management, and VPN connection. The log (log # 1) relating to attendance management is a log recording the attendance status for each employee name. The log relating to login management (log # 2) is a log recording the login status for each employee name. The log relating to the VPN connection (log # 3) is a log in which the connection status of the VPN connection is recorded for each employee name. Log # 1 is collected from the attendance management server. Log # 2 is collected from the login management server. Log # 3 is collected from the VPN server.

  The example of FIG. 6 (combination example # 2) shows a log related to the file server, login management, and access time. The log related to the file server (log # 1) is a log in which the access time is recorded for each file name. The log relating to login management (log # 2) is a log recording the login status for each employee name. The log relating to the access time (log # 3) is a log in which the access time to the file server is recorded for each employee name. Log # 1 is collected from the file server. Log # 2 is collected from the login management server. Log # 3 is collected from the terminal device or file server.

  The example of FIG. 7 (combination example # 3) shows logs related to the use of the backbone system and the firewall. The log (log # 1) related to the use of the backbone system is a log in which the start time of use of the backbone system, the user name of the user, and the IP address of the terminal device used by the user when using the backbone system are recorded. The log relating to the firewall (log # 2) is a log that records the transmission source IP address, transmission destination IP address, and passage time of data that has passed through the firewall. Log # 1 is collected from the core system. Log # 2 is collected from the firewall.

  The example of FIG. 8 (combination example # 4) shows logs related to proxy, firewall, and forensic. The proxy log (log # 1) is a log that records the transmission source IP address, transmission destination IP address, and transmission date and time of the data transferred by the proxy server. The log related to the firewall (log # 2) is a log in which the transmission source IP address, transmission destination IP address, and passage time of data passing through the firewall are recorded.

  The log related to forensic (log # 3) is the content of the process that the forensic server determines to be suspected of unauthorized access, the destination IP address of the data accompanying the process, the source IP address, and the process executed This is a log that records the date and time. Although FIG. 8C is an example of a log related to network forensics, a log related to computer forensics may be registered in the log database 101a. Log # 1 is collected from the proxy server. Log # 2 is collected from the firewall. Log # 3 is collected from the forensic server.

  The example in FIG. 9 (combination example # 5) shows logs related to traffic, firewalls, and file servers. The log relating to traffic (log # 1) is a log in which the traffic amount for each transmission destination IP address in the NW device monitored by the SNMP server is recorded.

  The log relating to the firewall (log # 2) is a log that records the transmission source IP address, transmission destination IP address, and passage time of data that has passed through the firewall. The log relating to the file server (log # 3) is a log in which the access time is recorded for each file name. Log # 1 is collected from the SNMP server. Log # 2 is collected from the firewall. Log # 3 is collected from the file server.

  The example of FIG. 10 (combination example # 6) shows a log relating to attendance and leaving and authentication. The log (log # 1) relating to attendance and departure is a log in which the attendance status for each employee name is recorded for each date. The log relating to authentication (log # 2) is a log in which the authentication status for each employee name is recorded for each date. Log # 1 is collected from the attendance management server and the entry / exit management device. Log # 2 is collected from the authentication server or terminal device.

(Common key database 101b)
Next, the common key database 101b will be described. In the common key database 101b, key information (hereinafter referred to as a common key) used for cross-searching log information (hereinafter referred to as log information) regarding a monitoring target from a plurality of logs registered in the log database 101a is registered. Is done. An example of the common key database 101b is shown in FIG. FIG. 11 is a diagram showing an example of a common key database according to the second embodiment.

  The common key database 101b illustrated in FIG. 11 associates IP addresses, employee names, user names, host names, MAC addresses, and the like. In many cases, the information included in the log varies depending on the device or application program that outputs the log. On the other hand, in order to identify a certain employee, in addition to the employee name, a plurality of information such as a user name and an employee number can be used. Similarly, in order to specify a certain terminal device, a plurality of information such as a host name and a MAC address can be used in addition to the IP address.

  Therefore, the common key database 101b associates a plurality of pieces of information (common keys) that can be used for specifying monitoring targets such as employees and terminal devices for each monitoring target. For example, if the IP address is included in the log, the employee name can be specified by referring to the common key database 101b even if the employee name is not included in the log. In other words, by using the common key database 101b, it is possible to associate a plurality of logs with the monitoring target as a key, and it is possible to search a plurality of logs registered in the log database 101a across the common key using the common key. become.

(Event database 101c)
Next, the event database 101c will be described. The event database 101c is a database for registering a log and a combination of log information used for specifying an abnormal behavior suspected of impersonation or unauthorized access. FIG. 12 shows an example of the event database 101c. FIG. 12 is a diagram showing an example of an event database according to the second embodiment.

  The example of the event database 101c illustrated in FIG. 12 corresponds to the combination examples # 1 to # 6 illustrated in FIGS. Here, the abnormal behavior (hereinafter referred to as an event) corresponding to each of the combination examples # 1 to # 6 will be described with reference to FIGS. Hereinafter, an employee having an employee name X (X = A, B,...) Is referred to as an employee X.

(Behavior ID = 001: Combination example # 1)
First, an event corresponding to a record whose behavior ID is 001 in the event database 101c illustrated in FIG. 12 will be described with reference to FIG.

  In the record whose behavior ID is 001, three items (hereinafter referred to as event items) of “Attendance management”, “Login management”, and “VPN connection” are registered in the event column, and “Not attended” is recorded under each of the three items. , “Login” and “Not connected” information (log information) is registered. In other words, this record has log information related to “time attendance” as “not attended”, log information related to “login management” as “login”, and log information related to “VPN connection” as “not connected”. Indicates that the event is suspected.

  Here, referring to log # 1 (log relating to “time management”) in FIG. 5 (combination example # 1), the attendance status of employee A is “not attended” and the attendance status of employee B is “attendance”. is there. Referring to log # 2 (log related to “login management”), the login status of employees A and B is “login”. Referring to log # 3 (log relating to “VPN connection”), the connection status of employees A and B by VPN connection is “not connected”.

  From the log of the combination example # 1, it can be seen that the employee A is logged in to the in-house terminal device managed by the login management server even though he / she is not at work. When logging in to an in-house system from outside the company, a VPN connection is used from the viewpoint of security, but employee A does not have a VPN connection. Then, there is a suspicion that someone has illegally accessed (spoofed) the in-house system using the login ID of employee A or the like. That is, a situation corresponding to the record having the behavior ID 001 (a situation in which an event is suspected) has occurred.

  On the other hand, since the situation corresponding to the record whose behavior ID is 001 does not occur for employee B, it can be seen that employee B is not in a situation that is suspected of causing an event. Thus, by investigating for each monitoring target (employee in this example) whether a situation that matches the record of the event database 101c occurs, it is possible to identify a monitoring target that is suspected of causing an event. The same applies to records with behavior IDs other than 001 as follows.

(Case where behavior ID = 002: Combination example # 2)
Referring to log # 1 (log related to “file server”) in FIG. 6 (combination example # 2), the file (File01.zip, File02.zip) on the file server was accessed many times on Saturday (Sat). I understand that. Referring to log # 2 (log related to “login management”), it can be seen that employee A is logged in to an in-house terminal device managed by the login management server.

  Referring to log # 3 (log related to “access time”) together with log # 1, it can be seen that access to the file server is by employee A. When logs # 1 to # 3 are combined, it can be seen that a user frequently logs in to the terminal device on Saturday, which is a holiday, and frequently accesses the file on the file server, and the terminal device has been hijacked by someone. That is, a situation corresponding to the record with the behavior ID 002 has occurred, and there is a suspicion that an event has occurred in the terminal device of employee A.

(Case where behavior ID = 003: Combination example # 3)
Referring to log # 1 in FIG. 7 (combination example # 3) (log related to “use of backbone system”), User A is using the backbone system, and the IP address is A.A. A. A. It can be seen that the terminal device A is used. Referring to log # 2 (log regarding “firewall”), the IP address is A.A. A. A. It can be seen that the terminal device A transmits data to a plurality of destinations through the firewall without going through the proxy.

  There is a possibility of information leakage from the above situation. That is, a situation corresponding to a record with a behavior ID of 003 has occurred, and User A and IP address are A.D. A. A. There is a suspicion that an event has occurred in the terminal device A.

(Case where behavior ID = 004: Combination example # 4)
Referring to log # 1 (log related to “Proxy”) in FIG. A. A. A source and IP address are D.D. D. D. It can be seen that the frequency of communication with the transmission destination of D is low. A similar trend can be seen from log # 2 (log concerning “firewall”). Referring to log # 3 (log related to “forensic”), the IP address is A.A. A. A. A source and IP address are D.D. D. D. It can be seen that all communication with the transmission destination of D is data transfer.

  From the above situation, it is inferred that data is being transferred between a non-business-use partner and an in-house terminal device, and there is a possibility of information leakage to the outside using takeover of the terminal device . That is, a situation corresponding to a record with a behavior ID of 004 has occurred, and the IP address is A.E. A. A. There is a suspicion that an event has occurred in the terminal device A.

(Case where behavior ID = 005: Combination example # 5)
Referring to log # 1 (log relating to “traffic”) in FIG. D. D. It can be seen that the traffic volume for the destination of D is large. Referring to log # 2 (log related to “firewall”) and log # 3 (log related to “file server”), it can be seen that a file in the file server is transferred to a specific destination. Since a certain amount of data is transferred to a specific destination, there is a possibility of information leakage. That is, a situation corresponding to the record having the behavior ID 005 has occurred, and the IP address is A.E. A. A. There is a suspicion that an event has occurred in the terminal device of A.

(Case where behavior ID = 006: Combination example # 6)
Referring to log # 1 (log related to “attendance / leaving”) in FIG. 10 (combination example # 6), it can be seen that employee B has not attended on April 1. Referring to log # 2 (log related to “authentication”), it can be seen that on April 1, employee B succeeded in authentication of the authentication server. From these situations, employee B is suspected of being impersonated. That is, a situation corresponding to the record with the behavior ID 005 has occurred, and there is a suspicion that an event occurs for employee B.

(About the error log)
As described above, by checking the conditions described in the record registered in the event database 101c and the log information registered in the log database 101a, even if each log is a normal log, the occurrence of an event is suspected. A certain monitoring target can be specified. In the following description, a condition that can identify a monitoring target that is suspected of generating an event from a combination of normal logs may be referred to as “normal system”. On the other hand, a condition that can identify a monitoring target that is suspected of causing an event from the abnormality log may be referred to as “abnormal system”.

As abnormal system conditions, as shown in FIG. 12, there are an authentication error, an account error, a filtering error, a device usage restriction violation, an unauthorized software installation, and the like.
An authentication error may occur in, for example, AD (Active Directory), RADIUS (Remote Authentication Dial In User Service), Proxy, or the like. An account error can occur in e-mail or application software, for example. A filtering error can occur, for example, in a firewall. The device usage restriction violation occurs, for example, when a USB memory or the like that is prohibited in-house to prevent information leakage or the like is connected to the terminal device. Unauthorized software installation occurs when software is installed on a terminal device without permission.

  Logs are also output and registered in the log database 101a when abnormal system conditions are met. When a log including log information satisfying the abnormal system condition registered in the event database 101c is detected, the monitoring target related to the detected log is specified as a suspicious event occurrence. Note that there may be a case where a plurality of normal system conditions are satisfied, or a case where both normal system conditions and abnormal system conditions are satisfied.

(Behavior database 101d)
Next, the behavior database 101d will be described. The behavior database 101d is a database in which log information that matches the conditions registered in the event database 101c is registered. An example of the behavior database 101d is shown in FIG. FIG. 13 is a diagram showing an example of a behavior database according to the second embodiment.

  When the logs of FIGS. 5 to 10 are obtained, the log information related to the employee A is specified as a suspicious event occurrence for the pattern with the behavior ID 001. In this case, as shown in FIG. 13, log information (employee name “A” or the like) related to the employee A is registered in the record whose behavior ID is 001. When the monitoring target is an employee, at least log information (for example, an employee name, a user name, an IP address, etc.) that can specify the employee is registered in the behavior database 101d.

  In the example of FIG. 13, the employee name, the attendance status, the login status, and the connection status of the VPN connection are registered in the record whose behavior ID is 001. The employee to be monitored can be identified by the employee name alone, but the attendance status, login status, and VPN connection status are registered together to facilitate the task of identifying the cause of the event occurrence. Similarly, the record whose behavior ID is 002 includes the access time, file name, and login status in addition to the employee name.

  In the behavior database 101d, not only log information that satisfies a normal condition but also log information that satisfies an abnormal condition is registered. In the example of FIG. 13, the employee name and the device used are registered in the record with the behavior ID E004. For example, when the use of the USB memory is prohibited, when the employee C connects the USB memory to the terminal device, an abnormality log is output from the terminal device and registered in the behavior database 101d.

  As shown in FIG. 13, each record of the behavior database 101d includes log information related to a monitoring target (employee in this example). Therefore, by using a common key registered in the common key database 101b, a specific key is registered. You can search log information related to monitoring targets. In the example of FIG. 13, the behavior database 101d is described as if it is one database, but a separate database may be provided for each behavior ID.

(Monitored database 101e)
Next, the monitoring target database 101e will be described. The monitoring target database 101e searches the log information registered in the behavior database 101d using each common key, and when the search result satisfies a preset condition, the common key that satisfies the condition is registered. It is a database. An example of the monitoring target database 101e is shown in FIG. FIG. 14 is a diagram illustrating an example of a monitoring target database according to the second embodiment.

  The condition for registering the common key in the monitoring target database 101e is, for example, when the number of records extracted from the behavior database 101d by the search is larger than a preset threshold value. For example, when the behavior database 101d illustrated in FIG. 13 is searched using the common key related to the employee A, records with behavior IDs 001, 002, 003, 004, and 005 are extracted. If the threshold is set to 3, the common key for employee A is registered in the monitoring target database 101e.

(Threshold database 101f)
Next, the threshold database 101f will be described. The threshold database 101f is a database in which thresholds used for determination of common keys registered in the monitoring target database 101e are registered. An example of the threshold database 101f is shown in FIG. FIG. 15 is a diagram illustrating an example of a threshold database according to the second embodiment.

  The example of FIG. 15 shows an example of registration when threshold values are set by distinguishing between normal systems, abnormal systems, and totals. The normal threshold value Th1 is a threshold value for evaluating the number of records related to the normal system condition among the records extracted from the behavior database 101d using the common key. The abnormal system threshold value Th2 is a threshold value for evaluating the number of records relating to the abnormal system condition among the records extracted from the behavior database 101d using the common key.

  The total threshold Th3 is a threshold for evaluating the number of records related to normal or abnormal conditions (that is, the number of all extracted records) among the records extracted from the behavior database 101d using the common key. It is. In this way, by distinguishing between the normal system and the abnormal system, it is possible to evaluate the abnormality considering the ease of satisfying the condition (frequency and possibility of satisfying the condition). In addition, by providing the threshold value Th3 for the total, it is possible to adjust the severity of the determination as to whether or not to finally register in the monitoring target database 101e.

  In the example of FIG. 15, the normal system and the abnormal system are distinguished from each other. However, the conditions for each behavior ID may be distinguished, and a threshold value may be set for each behavior ID and registered in the threshold value database 101f. For example, the event occurrence frequency for each behavior ID may be estimated by simulation or experiment, and a threshold value corresponding to the occurrence frequency ratio may be set for each behavior ID. However, Th3 ≧ Th1 + Th2.

(Log collection unit 102, key generation unit 103)
Refer to FIG. 4 again. The log collection unit 102 acquires a log from the monitored device group 200 and registers it in the log database 101a (see FIGS. 5 to 10). The key generation unit 103 extracts log information common to a plurality of logs registered in the log database 101a for the monitoring target, and registers the extracted log information as a common key in the common key database 101b (see FIG. 11). . The common key database 101b may be stored in the storage unit 101 in advance. In this case, the key generation unit 103 can be omitted.

(Candidate detection unit 104, fraud determination unit 105)
The candidate detection unit 104 refers to the log database 101a and detects log information satisfying the conditions registered in the event database 101c (see FIG. 12) for each behavior ID. Then, the candidate detection unit 104 registers the detected log information in the behavior database 101d (see FIG. 13).

  The fraud determination unit 105 searches for a record in the behavior database 101d using each common key registered in the common key database 101b, and counts the number of detected records. Then, the fraud determination unit 105 registers, in the monitoring target database 101e (see FIG. 14), a common key whose counted number is larger than the threshold registered in the threshold database 101f (see FIG. 15). When the common key is registered in the monitoring target database 101e, the fraud determination unit 105 transmits, for example, an email notifying the administrator of the fraud or notifies the administrator of the fraud using a notification device such as a patrol or buzzer.

The function of the monitoring device 100 has been described above.
[2-4. Processing flow]
The flow of processing executed by the monitoring apparatus 100 will be described with reference to FIG. FIG. 16 is a flowchart showing a flow of processing executed by the monitoring apparatus according to the second embodiment.

  (S101) The log collection unit 102 acquires a log from the monitored device group 200. In addition, the log collection unit 102 detects a difference between the time of the monitored device group 200 and the time of the monitoring device 100 and corrects the time of the acquired log. For example, the log collection unit 102 corrects the time of the log so that the time of the monitoring device 100 becomes a reference based on the detected time difference. Then, the log collection unit 102 registers the time-corrected log in the log database 101a (see FIGS. 5 to 10).

  (S102) The key generation unit 103 analyzes a correlation between log information of logs registered in the log database 101a, and specifies log information that can be used as a common key for specifying a monitoring target. Then, the key generation unit 103 constructs the common key database 101b by registering the identified log information as a common key in the common key database 101b (see FIG. 11).

(S103) The candidate detection unit 104 selects one behavior ID registered in the event database 101c (see FIG. 12).
(S104) The candidate detection unit 104 extracts a set of log information satisfying a condition corresponding to the selected behavior ID from the log database 101a. For example, the candidate detection unit 104 sets the log information regarding the employee A of the logs # 1 to # 3 illustrated in FIG. 5 as a set of log information satisfying the condition that the behavior ID is 001 in the event database 101c illustrated in FIG. Employee name “A”, attendance status “not attended”, login status “login”, VPN connection status “not connected”) are extracted.

  (S105) The candidate detection unit 104 registers a set of log information including the common key (see FIG. 11) in the behavior database 101d (see FIG. 13) in association with the log information extracted in S104. For example, when the behavior ID is 001, the candidate detection unit 104 recognizes the employee name “A” as log information serving as a common key, and a set of log information including the employee name “A” (in this example, the attendance status “ "Not attended", login status "login", connection status of VPN connection "not connected") is registered in the behavior database 101d.

  (S106) The candidate detection unit 104 determines whether or not all behavior IDs registered in the behavior database 101d have been selected. If there is an unselected behavior ID, the process proceeds to S103. On the other hand, when all the behavior IDs have been selected, the process proceeds to S107.

  (S107) The fraud determination unit 105 searches for a record in the behavior database 101d using the common key, and identifies the common key related to the monitoring target based on the search result. At this time, the fraud determination unit 105 counts the number of detected records for each used common key, and records more than the threshold registered in the threshold database 101f (see FIG. 15). The common key that increases the number of IDs) is specified. Then, the fraud determination unit 105 registers the identified common key in the monitoring target database 101e (see FIG. 14), and constructs the monitoring target database 101e.

When the process of S107 is completed, the series of processes shown in FIG.
(Common key DB construction process)
Here, the flow of the construction process (S102) of the common key database 101b will be further described with reference to FIG. FIG. 17 is a flowchart showing the flow of the construction process of the common key database according to the second embodiment.

(S131) The key generation unit 103 selects one behavior ID registered in the event database 101c (see FIG. 12).
(S132) The key generation unit 103 refers to the log database 101a (see FIG. 5 to FIG. 10), identifies the type of log information that includes the same information redundantly in a plurality of logs, and stores the identified log information Set type to search key. For example, the logs # 1 to # 3 shown in FIG. 5 include information of employee names “A” and “B” redundantly. In this case, the key generation unit 103 sets an employee name that is a type of overlapping information as a search key.

  (S133) The key generation unit 103 determines whether or not all the behavior IDs included in the event database 101c have been selected. If there is an unselected behavior ID, the process proceeds to S131. On the other hand, when all the behavior IDs have been selected, the process proceeds to S134.

  (S134) The key generation unit 103 specifies a corresponding search key based on a search key representing a preset monitoring target (for example, an employee or a terminal device), and sets the specified search key as a common key. . When the employee is to be monitored, the key generation unit 103 specifies, for example, the IP address (search key) corresponding to the user name (search key) of the core system corresponding to the employee from the log # 1 in FIG. Set the IP address as a common key. Note that the type of the common key to be set depends on the content of the log output by the monitored device group 200 and the setting of the monitoring target.

  (S135) The key generation unit 103 associates the common key set in S134 and registers it in the common key database 101b (see FIG. 11). For example, the key generation unit 103 registers an IP address, employee name, user name, host name, MAC address, and the like as a common key. Then, the key generation unit 103 extracts log information corresponding to each common key from the log database 101a, and registers the set of extracted log information in the common key database 101b, thereby constructing the common key database 101b.

When the process of S135 is completed, the series of processes shown in FIG.
(Monitoring DB construction process)
Here, the flow of the monitoring target database 101e construction process (S107) will be further described with reference to FIG. FIG. 18 is a flowchart showing the flow of the monitoring target database construction process according to the second embodiment.

(S151) The fraud determination unit 105 selects one common key record (a set of common keys related to the monitoring target) registered in the common key database 101b (see FIG. 11).
(S152) The fraud determination unit 105 refers to the behavior database 101d (see FIG. 13), and identifies a record in the behavior database 101d including the common key of the record selected in S151 in units of behavior IDs. Then, the fraud determination unit 105 counts the number of identified records. At this time, the fraud determination unit 105 counts the number of records relating to normal conditions (hereinafter, normal record number N1) and the number of records relating to abnormal conditions (hereinafter, abnormal record number N2).

  For example, when a common key set for employee A is selected, five records with behavior IDs of 001, 002, 003, 004, and 005 are specified in the behavior database 101d shown in FIG. In this example, for the employee A, since no record that satisfies the abnormal condition is detected, the normal record number N1 is 5 and the abnormal record number N2 is 0. The total record number N3, which is the sum of the normal record number N1 and the abnormal record number N2, is 5.

  (S153) The fraud determination unit 105 compares the threshold Th1 related to the normal system registered in the threshold database 101f (see FIG. 15) with the number N1 of normal system records. Then, the fraud determination unit 105 determines whether or not the normal record number N1 is equal to or greater than the threshold value Th1. If the normal record number N1 is greater than or equal to the threshold value Th1, the process proceeds to S154. On the other hand, if the number of normal records N1 is less than the threshold Th1, the process proceeds to S157.

  (S154) The fraud determination unit 105 compares the threshold Th2 related to the abnormal system registered in the threshold database 101f with the number N2 of abnormal system records. Then, the fraud determination unit 105 determines whether or not the abnormal record number N2 is equal to or greater than the threshold Th2. If the abnormal record number N2 is greater than or equal to the threshold Th2, the process proceeds to S155. On the other hand, if the abnormal record number N2 is less than the threshold value Th2, the process proceeds to S157.

  (S155) The fraud determination unit 105 compares the threshold Th3 for both the normal system and the abnormal system (total) registered in the threshold database 101f with the total number of records N3. Then, the fraud determination unit 105 determines whether or not the total number of records N3 is equal to or greater than a threshold Th3. If the total record number N3 is greater than or equal to the threshold Th3, the process proceeds to S156. On the other hand, if the total record number N3 is less than the threshold Th3, the process proceeds to S157.

(S156) The fraud determination unit 105 registers the common key selected in S151 in the monitoring target database 101e.
(S157) The fraud determination unit 105 determines whether or not all the common key records registered in the common key database 101b have been selected. If there is an unselected record, the process proceeds to S151. On the other hand, when all the common key records have been selected, the series of processing shown in FIG. 18 ends.

The flow of processing executed by the monitoring apparatus 100 has been described above.
As described above, a situation in which abnormal behavior is suspected from a combination of logs is retained as a pattern, and a monitoring target is identified from a log that matches the pattern, so that the monitored device group 200 determines that it is normal. Targets suspected of fraud can be detected. Further, by specifying the final monitoring target based on the search result obtained by searching the behavior database 101d using the common key, it is possible to more appropriately narrow down targets that are highly suspected of fraud. For this reason, it is possible to reduce the risk of the fraud cause identifying work for a fraudulent target, and the work burden can be reduced.

  The second embodiment has been described above.

DESCRIPTION OF SYMBOLS 5 Log monitoring system 10 Log monitoring apparatus 11 Memory | storage part 11a Abnormal pattern 11b Monitoring information 12 Control part 21, 22, 23 Equipment

Claims (7)

Computer
When a log content of the log is collated between a plurality of logs having the same monitoring target, a combination of the log content that is determined to be abnormal is acquired from the storage unit as an abnormal pattern. ,
It is determined whether a combination of log contents and the abnormal pattern match for a plurality of logs related to a plurality of monitoring targets, and if they match, monitoring information including at least a part of the log contents is Log monitoring method to be stored in the storage unit. The storage unit stores a plurality of the abnormal patterns with different combinations of the log contents,
The computer
It is determined whether a combination of log contents matches each of the plurality of abnormal patterns for a plurality of logs related to the monitoring target, and the monitoring information is stored for each abnormal pattern according to a determination result for each abnormal pattern To remember
The log monitoring method according to claim 1, wherein presence / absence of abnormality is determined for each monitoring target based on the number of the monitoring information. The computer
Of the plurality of logs related to the monitoring target, the number of abnormal logs determined to be abnormal from the log contents of one log is counted, and the abnormality is detected for the monitoring target based on the number of the abnormal logs and the number of the monitoring information The log monitoring method according to claim 2, wherein the presence or absence of the log is determined. The computer
Obtaining a first threshold value and a second threshold value different from the first threshold value from the storage unit;
The log monitoring method according to claim 3, wherein when the number of the monitoring information is larger than the first threshold and the number of the abnormal logs is larger than the second threshold, it is determined that there is an abnormality. A storage unit that stores, as an abnormal pattern, a combination of log contents that is determined to be abnormal from a combination of situations indicated by the log contents when the log contents of the logs are collated between a plurality of logs that are the same as a monitoring target;
It is determined whether a combination of log contents and the abnormal pattern match for a plurality of logs related to a plurality of monitoring targets, and if they match, monitoring information including at least a part of the log contents is A log monitoring device comprising: a control unit that stores the data in a storage unit. A log monitoring system including a plurality of devices that output logs, and a log monitoring device that acquires the logs from the plurality of devices,
The log monitoring device
A storage unit that stores, as an abnormal pattern, a combination of log contents that is determined to be abnormal from a combination of situations indicated by the log contents when the log contents of the logs are collated between a plurality of logs that are the same as a monitoring target;
A plurality of logs related to each of a plurality of monitoring targets are acquired from the plurality of devices, a determination is made as to whether a combination of log contents matches the abnormal pattern for the plurality of logs, and if there is a match, at least the log contents A log monitoring system comprising: a control unit that stores monitoring information including a part in the storage unit for each monitoring target. On the computer,
When a log content of the log is collated between a plurality of logs having the same monitoring target, a combination of the log content that is determined to be abnormal is acquired from the storage unit as an abnormal pattern. ,
It is determined whether a combination of log contents and the abnormal pattern match for a plurality of logs related to a plurality of monitoring targets, and if they match, monitoring information including at least a part of the log contents is A log monitoring program that executes processing to be stored in the storage unit.

Images