JP2016148939A - Detection system, detection method, detection program, accumulation apparatus, and accumulation method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To effectively detect an attack of unauthorized communication, while reducing processing load.SOLUTION: A detection system 100 includes: a repeater 120 which repeats communication with a server to be monitored; a detection apparatus 130; and a control apparatus 110. The control apparatus 110 transmits an instruction to the detection apparatus 130 to mirror the communication repeated by the repeater 120 when a fault is detected in information on a communication resource of the server. The detection apparatus 130 detects unauthorized communication from communication mirrored in response to the instruction transmitted by the control apparatus 110. The control apparatus 110 transmits an instruction to shut off the specified unauthorized communication, to the repeater 120, on the basis of a result detected by the detection apparatus 130.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a detection system, a detection method, a detection program, a storage device, and a storage method.

  A slow DoS (Slow Denial of Service) attack is known as a kind of attack that causes a failure in communication of a target server or the like in communication via the Internet. The SlowDoS attack is a session in which a server can be established by exchanging packets of a small size in order to avoid timeout due to no communication in a session established between a client and a server, and by continuing the session for a long period of time. An attack technique that fills up. Note that a session is a unit of connection of a TCP connection established when a server and a client exchange packets using TCP (Transmission Control Protocol). The unit from the start to the end of this connection is defined as one session. This means communication corresponding to one series of communication.

  A DoS attack that generates a large amount of traffic (communication packets) and fills up the network bandwidth can detect the attack by monitoring the traffic flow, but a SlowDoS attack can be monitored by paying attention to the traffic volume. It cannot be detected. Therefore, as a technique for detecting a Slow DoS attack, a technique has been proposed in which the number of sessions that can be simultaneously established from the same IP address on the web server side is limited, and the attack is stopped by forcibly timeout (session disconnection) after a predetermined time ( For example, Non-Patent Document 1).

Park, Iwai, Tanaka, Kurokawa, “Analysis of Slow Read DoS Attacks and Countermeasures”, Computer Security Symposium 2014, 22-24, October 2014

  However, with the above-described conventional technology, it is difficult to effectively detect an attack caused by unauthorized communication while suppressing the processing load. For example, in the above-described conventional technology, it has been shown that when an attack is simultaneously received from a large number of IP addresses, an effect as a countermeasure cannot be obtained. Or, even if a large number of sessions are established from the same IP address, not all of these sessions are caused by attacks, so if you simply filter communications from this IP address, normal sessions will also be disconnected. Can end up. Thus, limiting communication from a specific IP address by an attack technique may not be an effective measure. In this case, it is desirable to detect the SlowDoS attack after monitoring the session established between the server and the client as well as the information regarding the IP address indicating the packet transmission source and observing the characteristics of the content of the session. .

  By the way, in order to detect an unauthorized session, a large amount of communication traffic (traffic) exchanged between a single server (for example, a web server) and an unspecified number of clients, hereinafter simply referred to as “traffic”. ) To the detection device, it is required to constantly monitor the session. In such a method, the detection load is large and the detection process may not catch up. For this reason, there is a demand for a method for efficiently monitoring traffic and suppressing the processing load to detect an unauthorized session.

  The present invention has been made in view of the above, and has a detection system, a detection method, a detection program, a storage device, and a storage method capable of effectively detecting an attack caused by unauthorized communication while suppressing a processing load. The purpose is to provide.

  In order to solve the above-described problems and achieve the object, the present invention provides a detection system including a relay device that relays communication with a server that is a monitoring target, a detection device, and a control device. When an apparatus detects an abnormality in information related to communication resources of the server, the apparatus transmits an instruction to cause the detection apparatus to mirror communication relayed by the relay apparatus, and the detection apparatus is transmitted by the control apparatus An unauthorized communication is detected from communications mirrored according to the instruction, and the control device transmits an instruction to block the identified unauthorized communication to the relay device based on a result of detection processing by the detection device. It is characterized by.

  According to an example of the embodiment disclosed in the present application, it is possible to effectively detect an attack caused by unauthorized communication while suppressing the processing load.

FIG. 1 is a diagram (1) illustrating an example of detection processing by the detection system according to the first embodiment. FIG. 2 is a diagram (2) illustrating an example of detection processing by the detection system according to the first embodiment. FIG. 3 is a diagram (3) illustrating an example of the detection process performed by the detection system according to the first embodiment. FIG. 4 is a flowchart illustrating a processing procedure performed by the detection system according to the first embodiment. FIG. 5 is a diagram for explaining an example of detection processing by the detection system according to the second embodiment. FIG. 6 is a diagram illustrating an example of the configuration of the storage device according to the second embodiment. FIG. 7 is a diagram illustrating an example of a communication data storage unit according to the second embodiment. FIG. 8 is a diagram illustrating an example of the extraction session accumulation unit according to the second embodiment. FIG. 9 is a flowchart illustrating a processing procedure performed by the detection system according to the second embodiment. FIG. 10 is a diagram illustrating a computer that executes a detection program.

  Hereinafter, embodiments of a detection system, a detection method, a detection program, a storage device, and a storage method according to the present application will be described in detail with reference to the drawings. In addition, the detection system, the detection method, the detection program, the storage device, and the storage method according to the present application are not limited by this embodiment.

[First Embodiment]
Below, the structure and process of the detection system which concern on 1st Embodiment are demonstrated, and the effect by 1st Embodiment is demonstrated finally.

[Example of detection processing according to the first embodiment]
First, an example of detection processing by the detection system 100 according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram (1) illustrating an example of detection processing by the detection system 100 according to the first embodiment. As illustrated in FIG. 1, the detection system 100 includes a control device 110, a relay device 120, and a detection device 130.

The detection system 100 is connected via the Internet to a web server 30 that is a target of an attack by unauthorized communication and a client that communicates with the web server 30. For the client, a terminal 10 that attempts normal communication with the web server 30 (in this case, communication that is not illegal communication that has aggressiveness), and an attack generation terminal 20 that attempts unauthorized communication with the web server 30. _{1 to} 20 ₃ are included. As shown in FIG. 1, the detection system 100 includes a relay network (communication carrier network or ISP (Internet Service) on the communication path between the terminal 10 or the attack generation terminals 20 _{1 to} 20 ₃ and the web server 30. 1, the detection system 100 is connected to the terminal 10 and the attack generation terminals 20 _{1 to} 20 ₃ via border routers, and the web is not shown in FIG. The server 30 is connected via an accommodation router.

In the following description, communication between the terminal 10 and the attack generation terminals 20 _{1 to} 20 ₃ and the web server 30 is illustrated as traffic Tn (n is an arbitrary number). For example, as shown in FIG. 1, communication between the terminal 10 and the web server 30 is indicated by traffic T1. The communication between the attacker generation terminal 20 ₁ and the web server 30 is indicated by traffic T2. The communication between the attacker generation terminal 20 ₂ and the web server 30 is indicated by traffic T3. The communication between the attacker generation terminal 20 ₃ and the web server 30 is indicated by traffic T4. Further, the number of terminals 10 and attack generation terminals 20 _{1 to} 20 ₃ connected to the detection system 100 is not limited to the illustrated number, and a larger number may be connected. Moreover, when it is not necessary to distinguish the attack generation terminals 20 _{1 to} 20 ₃ , they are described as attack generation terminals 20.

  Here, each apparatus which comprises the detection system 100 is demonstrated. The control device 110 according to the detection system 100 is an information processing device that controls processing of the relay device 120 and the detection device 130. Specifically, the control device 110 receives information about the traffic volume between the terminal 10 or the attack generation terminal 20 and the web server 30 from the relay device 120. In addition, the control device 110 receives information regarding the number of sessions established by the web server 30 from the web server 30 or via an external device that monitors communication resources of the web server 30. And the control apparatus 110 performs abnormality detection regarding the resources (communication resources and server resources) of the web server 30 based on the received information. Then, when detecting an abnormality, the control device 110 transmits an instruction to the relay device 120 and / or the detection device 130 in order to execute a predetermined process described later.

  The relay device 120 according to the detection system 100 is an information processing device (or network device) that relays communication with the web server 30 including communication from the terminal 10 and the attack generation terminal 20. The relay device 120 performs mirroring on the traffic based on an instruction transmitted from the control device 110 that has detected an abnormality in the communication status of the web server 30, and sends the traffic to the detection device 130. Here, mirroring refers to copying the target traffic and transmitting it to different locations in real time. For example, by mirroring the traffic relayed by the relay device 120 to the detection device 130, the detection device 130 can execute processing such as analysis on the communication data included in the traffic. In addition, when an unauthorized session is identified by the detection process, the relay device 120 performs a filtering process on the session so as to block the identified unauthorized session.

  The detection device 130 according to the detection system 100 is an information processing device that detects an unauthorized session. Specifically, the detection device 130 detects an unauthorized session by analyzing communication data included in traffic transmitted from the relay device 120 by mirroring based on a predetermined detection rule. Then, the detection device 130 transmits information specifying the detected unauthorized session to the control device 110. As will be described in detail later, the detection apparatus 130 specifies at least information on a source IP address, a source port number, a destination IP address, a destination port number, and the like as information in the TCP / IP protocol stack. Then, the detection system 100 detects an unauthorized session by analyzing the details of the header information of the transport layer using a known technique in the unauthorized session detection process.

Below, an example of the detection process which the detection system 100 performs is demonstrated in detail using FIG. 1 thru | or FIG. As illustrated in FIG. 1, the detection system 100 relays traffic T1 to T4 transmitted from the terminal 10 and the attack generation terminals 20 _{1 to} 20 ₃ to the web server 30. At this time, the relay apparatus 120 monitors the traffic to the web server 30 (step S11). Then, the relay device 120 notifies the control device 110 of information related to the traffic (Step S12).

  In addition, the control device 110 receives a notification of the number of sessions established from the web server 30 (step S13). The control device 110 periodically or sequentially acquires information related to the communication amount transmitted from the relay device 120 and the number of sessions notified from the web server 30. The control device 110 determines that a group of packets having the same combination of five tuples of a transmission source IP address, a transmission source port number, a destination IP address, a destination port number, and a protocol number is the same session. As described above, in the normal time of the detection system 100, the control device 110 acquires information on the traffic and the number of sessions, and determines whether or not to move to the “monitoring mode” described below based on the acquired information. The state which is doing.

  The control device 110 detects an abnormality in traffic based on the acquired information (step S14). Here, the control device 110 detects that an abnormality has occurred in the resources of the web server 30 to be monitored when the acquired information satisfies a predetermined condition. Specifically, the control device 110 is notified from the web server 30 even though the communication amount notified from the relay device 120 is smaller than a predetermined value or the increase in the normal communication amount is smaller than the predetermined value. When the number of established sessions exceeds the predetermined threshold, it is determined that an abnormality has occurred in the resources of the web server 30. In other words, the fact that the number of sessions established by the web server 30 is larger than normal even though the relay device 120 observes the normal traffic, causes an increase in the traffic. This is because it is assumed that there is a high possibility that the web server 30 is receiving an attack due to unauthorized communication that increases the number of sessions. Alternatively, the control device 110 may simply determine that an abnormality has occurred in the resources of the web server 30 when the number of established sessions notified from the web server 30 is greater than a predetermined threshold. Alternatively, the control device 110 may determine that an abnormality has occurred when the ratio of the number of sessions established with respect to the maximum number of sessions that can be simultaneously established by the web server 30 exceeds a predetermined threshold.

  When detecting an abnormality, the control device 110 instructs the relay device 120 to perform traffic mirroring (step S15). The relay device 120 mirrors traffic on the detection device 130 in accordance with the instruction (step S16). That is, the detection device 130 receives the traffic flowing between the web server 30 via the relay device 120 by mirroring, thereby acquiring the same communication data as the communication data included in the monitored traffic. Attempts to detect unauthorized sessions from communication data. In this way, the state in which the relay apparatus 120 starts traffic mirroring with respect to the detection apparatus 130 is referred to as a “monitoring mode” in the detection system 100.

  Next, of the detection processing performed by the detection system 100 according to the first embodiment, processing continued from FIG. 1 will be described with reference to FIG. FIG. 2 is a diagram (2) illustrating an example of the detection process performed by the detection system 100 according to the first embodiment.

  When the detection device 130 detects an unauthorized session in the monitoring mode state, the detection device 130 notifies the control device 110 of the result of detecting the unauthorized session (step S21). When receiving the notification, the control device 110 transmits an instruction to the relay device 120 to filter the transmission source IP address of the client corresponding to the identified session (step S22). And the relay apparatus 120 performs a filter according to an instruction | indication (step S23). When the filter is executed, the relay apparatus 120 can disconnect the identified session and can prevent subsequent attempts to establish an unauthorized session from the same IP address. In this way, a state where the filtering is performed on the unauthorized session in which the relay device 120 is detected is referred to as a “defense mode” in the detection system 100.

  Note that, as described above, the detection device 130 can use various known logics regarding detection of an unauthorized session related to traffic. As an example, the detection apparatus 130 acquires the IP header information and TCP header information of each packet from the traffic flowing between the client and the server, and analyzes the behavior in the TCP layer for each session. Then, the detection device 130 detects a session that behaves differently from the normal user session based on a predetermined detection rule set, and estimates the detected session as an unauthorized session.

When the control device 110 receives a notification from the detection device 130 that an unauthorized session has been detected, the control device 110 specifies information for identifying the unauthorized session (for example, a source IP address, a source port number, and a destination IP address). , Destination port number, etc.). Then, based on the received information, the control device 110 sends a filter instruction to the relay device 120 for the source IP address of the client corresponding to the identified unauthorized session among the sessions related to the web server 30 to be monitored. Send. In addition, the control device 110 corresponds to a session established with the client (here, the attack generation terminals 20 _{1 to} 20 ₃ ) corresponding to an unauthorized session or an IP address to be filtered with respect to the web server 30. A connection reset command (TCP reset signal) that is a control signal for releasing all sessions to be transmitted is transmitted to the client and / or the web server 30 (step S24). As a result, the session between the web server 30 and the attack generation terminals 20 _{1 to} 20 ₃ is released, and the process regarding the session remaining in the client and / or the web server 30 ends. That is, as shown in FIG. 2, the traffic T2-4 between the web server 30 and the attack generation terminals 20 _{1 to} 20 ₃ is interrupted. In this way, the detection system 100 can recover resources related to the session of the web server 30 by releasing the established invalid session.

  Next, of the detection processing performed by the detection system 100 according to the first embodiment, processing continued from FIG. 2 will be described with reference to FIG. FIG. 3 is a diagram (3) illustrating an example of the detection process performed by the detection system 100 according to the first embodiment.

  As shown in FIG. 3, the relay device 120 notifies the control device 110 of the communication status regarding the traffic to be relayed (step S30). Further, the detection device 130 notifies the control device 110 of the detection status regarding the traffic being mirrored (step S31). Then, the control device 110 determines whether or not the current traffic state is in a predetermined state based on the information notified from both devices. For example, the control device 110 acquires from the relay device 120 information indicating that the communication from the IP address that is subject to filtering for a predetermined time is equal to or less than a predetermined amount. Specifically, the control device 110 is in a state in which the communication from one IP address or from the previous IP address that is the target of filtering is equal to or less than a predetermined amount (including the case of 0). Is acquired from the relay device 120 to the effect that has been continued for a predetermined time. In addition, the control device 110 acquires information indicating that an unauthorized session has not been detected for traffic that is being mirrored by the detection device 130 for a predetermined time (it may not receive a detection notification of an unauthorized session for a predetermined time). . And the control apparatus 110 determines that the attack by unauthorized communication stopped based on each acquired information. Then, the control device 110 transmits an instruction to cancel the traffic mirroring to the relay device 120 (step S32). The relay device 120 that has received the instruction cancels the mirroring to the detection device 130 (step S33).

  Further, after a predetermined time, the control device 110 transmits an instruction to cancel the filter that has been instructed to the relay device 120 (step S34). In response to the instruction, the relay apparatus 120 cancels the filter that has been executed. Then, the detection system 100 returns to a normal state in which the control device 110 sequentially acquires information on the traffic and the number of sessions, and continues to observe traffic on the web server 30.

  Note that, in steps S30 to S32 described above, the control device 110 receives a predetermined notification from the relay device 120 and the detection device 130, and issues an instruction to cancel mirroring or filtering based on information included in the notification. explained. Here, the control device 110 may adopt any one of the information transmitted from the relay device 120 and the detection device 130 as a determination element, and may also indicate any instruction to transmit from the control device 110 to the relay device 120. Only one of them may be used. That is, the control device 110 does not detect unauthorized communication by the detection device 130 and / or communicates from a transmission source (for example, determined by an IP address) corresponding to the communication filtered by the relay device 120. May be transmitted to relay device 120 when mirroring is canceled and / or when the filter is canceled when a state where is less than or equal to a predetermined amount continues for a predetermined time. Specifically, when the detection device 130 does not detect unauthorized communication, the control device 110 instructs to cancel the mirroring, release the filter, or release the mirroring and the filter. be able to. Also, the control device 110 cancels the mirroring, cancels the filter, or cancels the filter when the state where the communication from the transmission source corresponding to the communication being filtered is a predetermined amount or less continues for a predetermined time, or Either mirroring or disabling the filter can be instructed. In addition, the control device 110 performs mirroring when the detection device 130 does not detect unauthorized communication and the state where the communication from the transmission source corresponding to the filtered communication is less than or equal to a predetermined amount continues for a predetermined time. Can be instructed to cancel the filter, cancel the filter, or cancel the mirroring and the filter. In this way, the control device 110 can flexibly change the mirroring and filter settings to an appropriate state in accordance with the communication monitoring status or the trend of the monitoring target.

  As described above, the detection system 100 according to the first embodiment includes the relay device 120 that relays communication with the web server 30 to be monitored, the detection device 130, and the control device 110. When detecting an abnormality in the information related to the resources of the web server 30, the control device 110 transmits an instruction to cause the detection device 130 to mirror the communication relayed by the relay device 120. The detection device 130 detects unauthorized communication from the communication mirrored from the relay device 120 according to the instruction transmitted by the control device 110. Then, the control device 130 transmits an instruction to block the specified unauthorized communication to the relay device 120 based on the result of the detection process by the detection device 130.

  That is, the detection system 100 according to the first embodiment periodically determines the communication amount of the web server 30 and information on the resources (for example, the number of sessions) of the web server 30 without performing precise detection related to constant communication. Whether or not to perform precise detection for communication is dynamically determined by acquiring automatically or sequentially. This can be said to be a processing technique useful for a SlowDoS attack, which is an example of an attack technique based on unauthorized communication. For example, SlowDoS attacks are not likely to occur frequently, and thus there is a feature that the necessity for constant monitoring is low. Also, compared to intrusion attacks such as SQL injection and malware intrusion that exploits server vulnerabilities, SlowDoS attacks consume the resources of the network or server under attack, but as long as the resources are not exhausted. The service can be continued. Specifically, the server can establish a new session as long as the maximum number of sessions is not filled, so it will continue to provide its services even if a certain number of unauthorized sessions are established. be able to.

  In view of the characteristics of such attacks, the detection system 100 extracts the communication to be mirrored by monitoring the relationship between the traffic and the number of sessions as described above, and detects an unauthorized session from the extracted communication. To detect. That is, the detection system 100 reduces the load related to the detection process by extracting the dynamically detected communication instead of always monitoring all the communication in accordance with the attack method by the unauthorized communication. Thereby, the detection system 100 can effectively detect an attack caused by unauthorized communication while suppressing the processing load related to detection.

[Processing procedure]
Next, the procedure of the detection process by the detection system 100 described above will be described in detail with reference to FIG. FIG. 4 is a flowchart illustrating a processing procedure performed by the detection system 100 according to the first embodiment.

  As illustrated in FIG. 4, the control device 110 monitors communication related to the web server 30 to be monitored, such as the traffic and the number of sessions (step S <b> 101). And the control apparatus 110 determines whether the abnormality of the session was detected in the web server 30 currently monitored (step S102). The control device 110 continues monitoring if no session abnormality is detected (step S102; No).

  On the other hand, when an abnormality of the session is detected (step S102; Yes), the control device 110 transmits an instruction to start traffic mirroring to the relay device 120. Then, the relay device 120 starts traffic mirroring toward the detection device 130 (step S103).

  Then, regarding the traffic that has been mirrored, the detection device 130 determines whether or not an unauthorized session has been detected (step S104). When an unauthorized session is not detected (step S104; No), the detection process is continued, and it is determined whether a predetermined time has elapsed (step S105). While the predetermined time has not elapsed (step S105; No), the detection device 130 continues the detection process. When the predetermined time has elapsed (step S105; Yes), the detection device 130 transmits to the control device 110 that an unauthorized session is not detected. And the control apparatus 110 cancels | releases mirroring by transmitting the instruction | indication of mirroring cancellation | release to the relay apparatus 120 (step S106). Then, the detection system 100 returns to the step of monitoring communication (S101).

  On the other hand, when detecting an unauthorized session in step S104 (step S104; Yes), the detection device 130 transmits information for identifying the unauthorized session. Then, according to the instruction of the control device 110 that has received such information, the relay device 120 starts filtering the transmission source IP address corresponding to the unauthorized session (step S107).

  Subsequently, the detection device 130 determines whether or not an unauthorized session is not detected for a predetermined time (step S108). While the unauthorized session is detected (step S108; No), the detection device 130 continues the detection. On the other hand, if the unauthorized session is not detected for a predetermined time (step S108; Yes), the detection device 130 transmits such information to the control device 110. Then, the control device 110 transmits a mirroring cancellation instruction to the relay device 120. Thereby, the relay apparatus 120 cancels | releases mirroring (step S109).

  Even after the mirroring is released, the relay device 120 continues relaying communication from the terminal 10 and the attack generation terminal 20, and determines whether or not the session attempt has stopped for a predetermined time (step S110). If the predetermined time has not elapsed (step S110; No), the relay device 120 continues to observe the session trial.

  On the other hand, when the predetermined time has elapsed (step S110; Yes), the relay apparatus 120 transmits information indicating that the filter-set communication is not observed to the control apparatus 110 in the relayed traffic. And according to the instruction | indication from the control apparatus 110, the relay apparatus 120 cancels | releases a filter (step S111). The detection system 100 repeatedly executes the above processing (step S101).

  Note that, as described above, the control device 110 may issue an instruction to cancel the mirroring based on only the notification from the detection device 130 that the unauthorized session is not detected for a predetermined time, or the session trial is predetermined. Along with the notification from the relay apparatus 120 that the time has stopped, an instruction to cancel the mirroring and the filter may be given. In addition, the control device 110 not only cancels the mirroring when no unauthorized communication is detected for a predetermined time, but may also be a mirroring cancellation target when the number of detected unauthorized communications for a predetermined time is equal to or less than a predetermined value. . That is, the processing procedure of steps S108 to S111 in FIG. 4 can be flexibly changed by the control device 110 according to the determination element related to the mirroring and filter release instructions.

[Effect of the first embodiment]

  As described above, the detection system 100 according to the first embodiment reduces the load related to the detection process by extracting the dynamically detected communication instead of always monitoring all the communication. Thereby, the detection system 100 can effectively detect an attack caused by unauthorized communication while suppressing the processing load related to detection.

[Second Embodiment]
Below, the structure and process of the detection system which concern on 2nd Embodiment are demonstrated, and the effect by 2nd Embodiment is demonstrated finally.

[Example of Detection Processing According to Second Embodiment]
First, an example of detection processing by the detection system 100 according to the second embodiment will be described with reference to FIG. FIG. 5 is a diagram illustrating an example of detection processing by the detection system 100 according to the second embodiment. As illustrated in FIG. 5, the detection system 100 includes a storage device 140 in addition to the control device 110, the relay device 120, and the detection device 130. In the following description, description of the contents described in the first embodiment is omitted. In FIG. 5, communication between the client and the web server 30 is shown as traffic T11, but illustration of the client that performs such communication is omitted.

  In 1st Embodiment, the detection system 100 showed the example which detects abnormality of communication and detects an unauthorized session. That is, the detection process executed by the detection system 100 according to the first embodiment is to detect an illicit session that can be observed after the detection process by the detection device 130 is started. Depending on the detection rule to be used, for example, when a detection rule that needs to be monitored from communication at the start of a session is applied, it may be difficult to detect an already established session.

  Therefore, the detection system 100 according to the second embodiment accumulates information related to communication between the web server 30 and the client before shifting to the monitoring mode. Specifically, the storage device 140 included in the detection system 100 according to the second embodiment mirrors the traffic between the web server 30 and the client relayed by the relay device 120, so that the data related to the traffic (that is, The communication data regarding the web server 30 is continuously accumulated. At this time, when the amount of stored data approaches the upper limit, the storage device 140 discards the communication data in the oldest storage time, secures a free space, and stores newly input communication data. . Alternatively, the old information determined to be discarded may be overwritten with newly input information. Then, the storage device 140 has detected / abnormally detected an abnormality in the traffic volume or the number of sessions of the web server 30, or has started / started mirroring according to the instruction transmitted by the relay device 120 by the control device 110. (In other words, the control device 110 has transmitted / transmitted a mirroring instruction to the relay device 120), or the control device 110 has notified the predetermined number of unauthorized sessions due to the detection of an unauthorized session by the detection device 130. The received data is received as an opportunity to receive the instruction from the control device 110 and flow the accumulated data into the detection device 130. As a result, the detection device 130 can detect an unauthorized session retroactively by the amount of accumulated data with respect to the session before the start of traffic mirroring.

  Hereinafter, an example of the detection process executed by the detection system 100 according to the second embodiment will be described in detail with reference to FIG. As illustrated in FIG. 5, the relay device 120 according to the detection system 100 relays traffic T <b> 11 transmitted from the client to the web server 30. At this time, the storage device 140 performs a storage process for storing communication data related to the traffic T11 in a predetermined storage unit (step S41).

  Here, the control apparatus 110 shall detect abnormality in communication regarding the web server 30 (step S42). Then, similarly to the first embodiment, the control device 110 transmits a traffic T11 mirroring instruction to the relay device 120 (step S43). And the control apparatus 110 transmits the instruction | indication to perform the pouring process of the accumulate | stored data with respect to the storage apparatus 140 by having triggered the mirroring instruction | indication (step S44). In addition, as described above, the control device 110 not only transmits (or transmits) the mirroring instruction, but also detects, for example, an abnormality in the communication amount of the web server 30 and the number of sessions. Alternatively, an instruction may be transmitted to perform the pouring process when the control device 110 receives a notification regarding a predetermined number of unauthorized sessions due to the detection of an unauthorized session by the detection device 130. This is because it is assumed that there is a high possibility that there is an unauthorized session among the sessions already established at the time mirroring was started because an abnormality in communication was detected or an invalid session was detected. This is because that.

  Then, as in the first embodiment, the relay device 120 mirrors traffic to the detection device 130 (step S45). At this time, the storage device 140 flows data that has been accumulated to flow into the detection device 130 and is useful for detection processing into the detection device 130 (step S46). Then, the detection device 130 detects an unauthorized session including not only communication directly mirrored from the relay device 120 but also communication sent from the storage device 140. Then, the detection device 130 notifies the detection result to the control device 110 (step S47).

  As described above, the detection system 100 according to the second embodiment may be communication data (traffic, for example, a mirrored packet itself, which is information related to communication relayed by the relay device 120, or may be included in the detection device 130. (It may be communication data that is extracted and shaped information necessary for determination based on the applied detection rule) and discards the accumulated communication data in a specified order before reaching the upper limit of the capacity that can be stored A storage device 140 is further provided. The storage device 140 transmits communication data stored before the timing at which the detection device 130 starts mirroring in accordance with the instruction transmitted by the control device 110 among the stored communication data to the detection device 130. The detection device 130 detects unauthorized communication from the communication mirrored according to the instruction transmitted from the control device 110 and the communication data transmitted from the storage device 140.

  In other words, in addition to the first embodiment, the detection system 100 according to the second embodiment includes a buffer mechanism related to communication that performs detection, and an unauthorized session is also performed regarding communication accumulated in the buffer. Can be processed. In other words, the detection system 100 according to the second embodiment can detect an unauthorized session as far back as the accumulated traffic even for a session already established at the time of shifting to the monitoring mode. As described above, the detection system 100 according to the second embodiment can increase the number of sessions that are targets of detection processing as compared to the first embodiment, and therefore, more unauthorized sessions can be performed. It can be expected to detect. Further, in the detection system 100 according to the second embodiment, when the logic for detecting fraud based on the behavior from the start of the session is used for the detection process, the second The detection system 100 according to the embodiment can improve the accuracy of detecting a more unauthorized session.

[Configuration of Storage Device 140]
Hereinafter, each processing unit constituting the storage device 140 according to the second embodiment described above will be described in detail with reference to FIGS. 6 to 8. First, the configuration of the storage device 140 according to the second embodiment will be described with reference to FIG. FIG. 6 is a diagram illustrating an example of the configuration of the storage device 140 according to the second embodiment. As illustrated in FIG. 6, the storage device 140 includes an IF unit 141, a storage unit 142, and a control unit 145.

  The IF unit 141 is a NIC (Network Interface Card), for example, and transmits / receives various data to / from an external device. For example, the IF unit 141 transmits and receives information related to communication with the control device 110, the relay device 120, or the detection device 130.

  The storage unit 142 is realized by, for example, a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory, or a storage device such as a hard disk or an optical disk. As illustrated in FIG. 6, the storage unit 142 includes a communication data storage unit 143 and an extraction session storage unit 144.

(About the communication data storage unit 143)
The communication data storage unit 143 sequentially acquires and stores communication data (packets, a part of the packets, etc.) included in the traffic via the relay device 120. FIG. 7 shows an example of the communication data storage unit 143 according to the second embodiment. As illustrated in FIG. 7, the communication data storage unit 143 includes “communication data number”, “source IP address”, “source port number”, “destination IP address”, “destination port number”, and “protocol number”. And “packet size”.

  The “communication data number” indicates a number for identifying communication data related to traffic between the client and the web server 30. Here, the communication data number is an example in which numbers are assigned in the order in which data is stored in the storage device 140.

  The “source IP address” indicates an IP address that identifies a source that is transmitting communication data. Here, the source IP address is information that identifies the client or the web server 30. The “transmission source port number” indicates a port number used for data transmission of the transmission source.

  The “destination IP address” indicates an IP address that identifies a destination that is a transmission destination of communication data. The “destination port number” indicates a port number used by the destination side that is the transmission destination of the communication data. “Protocol number” indicates a number for identifying a protocol used for communication. “Packet size” indicates the amount of packet communication related to data communication.

  That is, in FIG. 7, the communication data having the communication data number “001” has the transmission source IP address “AAA”, the transmission source port number “11111”, and the destination IP address “SSS”. In this example, the destination port number is “80”, the protocol number is “6”, and the packet size is “100”.

  Although illustration in FIG. 7 is omitted, when a detection rule focusing on TCP is applied to the detection device 130, each data accumulated in the communication data accumulation unit 143 includes the accumulated time and , A TCP flag, a sequence number, a window size, a header size in communication, a payload, and the like may be included.

(About the extraction session storage unit 144)
The extracted session storage unit 144 stores the data stored in the communication data storage unit 143 for each session extracted by the session extraction unit 146. Here, FIG. 8 illustrates an example of the extraction session storage unit 144 according to the second embodiment. As illustrated in FIG. 8, the extracted session storage unit 144 includes “session identifier”, “number”, “source IP address”, “source port number”, “destination IP address”, “destination port number”, “ It has items such as “protocol number”, “time”, and “packet size”. Note that description of the items described in FIG. 7 is omitted.

  “Session identifier” indicates identification information given to identify a session when communication data is extracted for each session. The “number” indicates the order assigned to the data included in the same session in the order of the time when the data is accumulated.

  “Time” indicates a time when data is accumulated. The extracted session storage unit 144 stores communication data in session units, and sets an upper limit for storage for each session unit. In the example illustrated in FIG. 8, data to which the same session identifier is assigned as one session is data accumulated for one minute from the time of the data of the number “1” (for example, detection For example, a rule can be determined by communication data exchanged for a predetermined time, one minute from the start of a session). For example, when the predetermined communication data is accumulated at “December 11, 2014, 10:00:00”, the communication data accumulated by “December 11, 2014, 10:01:00” And the same session identifier is provided with respect to the communication data contained in the same session.

  That is, in FIG. 8, the data is identified by the session identifier “001”, and the communication data has the number “1” in the session identifier “001” and the source IP address “AAA”. The source port number is “11111”, the destination IP address is “SSS”, the destination port number is “80”, the protocol number is “6”, and the time is “December 11, 2014 10 In this example, the time is “00:00” and the packet size is “1000”.

  Although illustration in FIG. 8 is omitted, when a detection rule focusing on TCP is applied to the detection apparatus 130, each data stored in the extraction session storage unit 144 includes a TCP flag or a sequence. Information regarding a number, a window size, a header size in communication, a payload, and the like may be included.

(About the control unit 145)
The control unit 145 is realized by an integrated circuit such as an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA). The control unit 145 is realized, for example, by executing a program stored in a storage device (not shown) using a RAM as a work area by a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or the like. Further, as illustrated in FIG. 6, the control unit 145 includes a session extraction unit 146 and a session management unit 147, and executes a process of storing data. Hereinafter, each processing unit will be described.

(About the session extraction unit 146)
The session extraction unit 146 extracts data used for the unauthorized session detection process performed by the detection device 130 from the communication data stored in the communication data storage unit 143. Then, the session extraction unit 146 accumulates the extracted data in the extraction session accumulation unit 144 for each session.

  In addition, the session extraction unit 146 preferentially discards communication data that is assumed not to be used for the detection processing by the detection device 130, and communication data that is assumed to be used for the detection processing by the detection device 130. You may make it accumulate | store preferentially. For example, the session extraction unit 146 preferentially selects communication data corresponding to a predetermined condition when extracting communication data used for detecting an unauthorized session from communication data stored in the communication data storage unit 143. It is good also as extracting and accumulating. In this case, the session extraction unit 146 can discard the communication data that does not satisfy the predetermined condition because it does not need to be accumulated. Thereby, the session extraction unit 146 can suppress an increase in the amount of data stored in the extraction session storage unit 144.

  Specifically, the session extraction unit 146 can use time information stored in communication data as a predetermined condition. In other words, the session extraction unit 146 is a packet within a predetermined time (for example, several minutes) from the start of the session or within a predetermined time (for example, several minutes) from any starting point in the predetermined session in a predetermined session. The packet is extracted and stored in the extraction session storage unit 144.

  In addition, the session extraction unit 146 may extract communication data to be accumulated on the basis of the number of packets that is a communication amount as a predetermined condition. That is, the session extraction unit 146 extracts a predetermined amount of packets from the start of the session or a predetermined amount of packets from an arbitrary starting point in the predetermined session, and stores them in the extraction session storage unit 144.

  In addition, when the data of the payload portion of the communication data is unnecessary as the communication data used for the determination process of the unauthorized session of the detection device 130, the session extraction unit 146 sets the payload portion of the communication data to 0 bytes or a small size. May be stored in the extraction session storage unit 144.

(About session management unit 147)
The session management unit 147 manages input / output of data stored in the communication data storage unit 143 and the extracted session storage unit 144. Specifically, the session management unit 147 executes a process of sending (transmitting) communication data corresponding to the instruction to the detection device 130 when receiving an instruction to send data from the control device 110. In addition, the session management unit 147 monitors the usage status of the communication data storage unit 143 and the extraction session storage unit 144, and sets a predetermined threshold value for the amount of data stored in the communication data storage unit 143 and the extraction session storage unit 144. By setting it, unnecessary communication data is discarded before reaching the upper limit of the capacity that can be stored. For example, the session management unit 147 preferentially discards communication data that is assumed not to be used for the detection process by the detection device 130, and communication data that is assumed to be used for the detection process by the detection device 130. Manage to preferentially accumulate.

  When the communication data is flowed into the detection device 130, the session management unit 147 flows in communication data related to a session identified as useful for detecting an unauthorized session. For example, the session management unit 147 receives an instruction regarding the flow of communication data from the control device 110, and flows the communication data specified by the received instruction. That is, the control device 110 instructs the relay device 120 on the mirroring target, and when communication data related to the target is stored in the storage device 140, the control device 110 flows the communication data from the storage device 140 into the detection device 130. Instruct. Specifically, the session management unit 147 follows the information included in the instruction from the control device 110, and the IP address included in the communication data in the extraction session storage unit 144 and the communication data mirrored in the detection device 130. Identify the session to be flowed from such information.

  Then, the session management unit 147 flows the communication data in the extracted session storage unit 144 collected for each session identifier into the detection device 130. As described above, when the storage device 140 stores communication data in the packet capture format, the session management unit 147 transmits the communication data to the detection device 130 in the packet format. Note that the communication data is not the packet format, but is extracted only from the features required for unauthorized detection, and stored as communication data in a format that cannot be transmitted to the outside as a packet (for example, data that can be transmitted only in the file format). In such a case, the session management unit 147 converts the communication data into a transmittable format and transmits it to the detection device 130. In this case, it is assumed that the detection device 130 has a configuration capable of performing an unauthorized session detection process based on the information received from the storage device 140. For example, the detection apparatus 130 has a configuration capable of reading communication data in a file format indicating the characteristics of communication data as well as the packet format.

  In addition, the session management unit 147 limits the communication rate so that fraud detection processing can be continued by storing traffic in the communication data storage unit 143 without buffering traffic from the relay device 120 or by buffering traffic. The communication data may be poured into the detection device 130.

  In addition, the session management unit 147 sequentially discards the communication data flowed into the detection apparatus 130 from the storage unit 142. This is because the session management unit 147 monitors communication data that has been extended before the detection system 100 enters the monitoring mode (that is, detects fraud related to an already established session). This is because there is no request to continue storing communication data corresponding to a session poured into the detection apparatus 130 or communication data corresponding to a session that has already ended. For this reason, the session management unit 147 manages the accumulated communication data so that information corresponding to these sessions is preferentially discarded from the communication data accumulation unit 143 and the extraction session accumulation unit 144. For example, the control device 110 periodically collects information related to the session established by the web server 30, and the session ends when the information indicating that the corresponding session has not been collected. It is instructed to discard the information regarding the session considered to have been terminated.

  For example, when the protocol is TCP, the session management unit 147 confirms a packet that includes an RST (reset) flag from at least one direction in transmission and reception, and also includes a FIN (end) flag from both directions. Assuming that the session ends, information corresponding to the session corresponding to the packet is discarded. In addition, the session management unit 147 measures pps (packet per second) or bps (bit per second) for each session in the data stored in the extracted session storage unit 144, and a session that is not smaller than a predetermined value is SlowDoS. It may be determined that the attack does not apply and discarded.

  The session management unit 147 may not store such information when a session corresponding to the filtered IP address is acquired by the filter set by the relay device 120. In addition, when session information corresponding to the filtered IP address is accumulated by the filter set by the relay device 120, the session management unit 147 performs priority based on an instruction from the control device 110, for example. May be discarded. When the filter set by the relay device 120 is canceled, the session management unit 147 stores the session information corresponding to the IP address again.

  As described above, the storage device 140 has been described, but the storage device 140 may function by being incorporated in the detection device 130 as each processing unit constituting the detection device 130.

[Processing procedure]
Next, the procedure of detection processing by the detection system 100 according to the second embodiment will be described in detail with reference to FIG. FIG. 9 is a flowchart illustrating a processing procedure performed by the detection system 100 according to the second embodiment.

  As shown in FIG. 9, the storage device 140 stores communication data between the client relayed by the relay device 120 and the web server 30 (step S201). Then, the storage device 140 extracts the stored data for each session (step S202).

  And the control apparatus 110 determines whether the abnormality regarding a session was detected in the monitored communication (step S203). When the control device 110 has not detected an abnormality related to the session (step S203; No), the storage device 140, for example, out of the stored communication data according to conditions such as a predetermined time after storage of communication data, Communication data that is assumed not to be used in the detection process is discarded (step S204).

  On the other hand, when an abnormality related to the session is detected (step S203; Yes), the control device 110 transmits an instruction to start mirroring of communication data to the relay device 120. And the relay apparatus 120 starts mirroring to the detection apparatus 130 (step S205).

  Then, when the relay device 120 starts mirroring, based on an instruction from the control device 110, the storage device 140 starts processing to flow the stored data corresponding to the session that is the target of mirroring into the detection device 130. (Step S206).

  As a result, the detection device 130 can also detect the communication data stored in the storage device 140, so that it is possible to detect an unauthorized session retroactive to the mirroring start time. . Note that the processing after step S206 is the same as the processing after step S104 in FIG. The communication data discarding process described in step S204 is not necessarily performed at the above timing, and the storage device 140 may sequentially discard communication data based on the upper limit value of the storage amount.

[Effect of the second embodiment]
As described above, the detection system 100 according to the second embodiment includes the storage device 140 that stores communication data, thereby performing processing for detecting an unauthorized session using the communication data stored in advance. Can do. As a result, the detection system 100 according to the second embodiment can increase the number of sessions that are subject to detection processing as compared to the first embodiment, and thus detect more unauthorized sessions. Can do.

  In addition, the storage device 140 according to the second embodiment preferentially discards communication data that is assumed not to be used for the detection processing by the detection device 130 and is used for the detection processing by the detection device 130. Communication data that is assumed to be stored preferentially.

  As described above, the detection system 100 according to the second embodiment determines the upper limit of the capacity that can be accumulated by determining communication data that is preferentially accumulated from a large amount of communication data that is generated in communication with the web server 30. Thus, communication data useful for detection processing can be appropriately stored. Thereby, the detection system 100 according to the second embodiment can reduce the load on the detection process. The upper limit of the capacity that can be stored may be, for example, the most recent predetermined time, the capacity of a predetermined data size, a predetermined number of packets, and the like.

  In addition, the storage device 140 according to the second embodiment stores communication data in units of sessions and sets an upper limit of storage for each unit of sessions. The upper limit of the capacity that can be stored may be, for example, for each session, a predetermined time, a capacity of a predetermined data size, a predetermined number of packets, or the like from the start of the session or the latest. If it exceeds the upper limit, it is discarded in session units. For example, the session start time may be discarded in session units from the old session.

  As described above, according to the detection system 100 according to the second embodiment, communication data is managed in units of sessions, which is communication established between the web server 30 and the client, and therefore communication useful for detection processing and the like. Data can be transmitted and stored appropriately.

  In addition, the storage device 140 according to the second embodiment includes a storage unit 142 that stores communication data that is information related to communication with the web server 30 that is a monitoring target, and communication data stored by the storage unit 142. Detection that is an apparatus that detects unauthorized communication by analyzing communication triggered by an abnormality detected in communication between the session extraction unit 146 that extracts communication data in session units and communication with the web server 30 The apparatus includes a transmission unit (here, session management unit 147) that transmits the communication data extracted by the session extraction unit 146.

  As described above, the storage device 140 according to the second embodiment operates as a buffer mechanism that stores communication in advance before the detection process is executed in a system that detects an unauthorized session. As a result, the storage device 140 according to the second embodiment can provide communication data retroactive to the point in time when an abnormality is detected in the communication to be monitored. Can be widened.

[Third Embodiment]
In the above-described embodiment, the detection system 100 sets a filter when it is determined to be an unauthorized session, and shows an example in which the protection mode is canceled after communication from the transmission source IP address to which the filter is set stops. Specifically, the detection system 100 has shown an example in which communication from the transmission source IP address to which the filter is set stops and the set filter is released after a predetermined time has elapsed.

  However, depending on the processing method described above, there is a risk that countermeasures will be insufficient with respect to attacks that occur intermittently. That is, even after the filter is released after a predetermined time has elapsed, communication from the source IP address corresponding to the unauthorized session is monitored to determine whether or not an attack has occurred intermittently. It is desirable to do. Therefore, the detection system 100 monitors the communication after the cancellation of the filter by the process described below.

  First, the control device 110 according to the detection system 100 receives a notification from the relay device 120 about a filter set for a predetermined IP address after a predetermined time after communication from the IP address stops. Thus, the relay apparatus 120 is instructed to cancel the filter. Alternatively, the control device 110 may instruct that the filter is released after a predetermined time elapses by setting a timer when setting the filter.

  Then, after canceling the filter, the control device 110 causes the relay device 120 to monitor the traffic of the same IP address whose instruction is set as a filter. Specifically, the control device 110 instructs the relay device 120 to mirror the traffic with the same IP address to the detection device 130 when releasing the filter set for the IP address. Alternatively, the control device 110 may instruct the mirroring to be activated when the filter is set, triggered by the cancellation of the filter.

  Then, when an unauthorized connection (in other words, an unauthorized session) having the IP address as a transmission source is detected by the mirroring, the control device 110 again sets a filter for the IP address. That is, the control device 110 transmits an instruction for setting a filter to the relay device 120 when receiving a notification of detecting an unauthorized session from the detection device 130.

  At this time, the control device 110 may set a predetermined time that is the same as or longer than the time when the filter is initially set as the predetermined time during which the filter setting is valid. For example, when the predetermined time during which the first filter is valid is “3 minutes”, the control device 110 sets the predetermined time for the second filter to “6 minutes”. Furthermore, when setting the third filter, the control device 110 sets the predetermined time to “9 minutes”.

[Effect of the third embodiment]
In this way, the detection system 100 according to the third embodiment can improve the countermeasure effect against intermittent communication that occurs intermittently by setting the filter repeatedly by extending the predetermined time.

(About filter cancellation processing)
In addition, as described above, the point that it is desirable for the detection system 100 to release the filter after unauthorized communication is no longer observed will be described below.

  Attacks caused by unauthorized communications (for example, SlowDoS attacks) may be attacked by an attacker using his / her own client. By remotely operating a large number of clients equipped with bots, the target system can be controlled. In some cases, an attempt is made to establish an unauthorized session from a plurality of different IP addresses. At this time, communication from a client whose bot has been removed by security measures or the like is normal communication.

  On the other hand, communication via proxy, NAT (Network Address Translation), CGN (Career Grade NAT), etc. is regarded as communication from one shared IP address, even from multiple clients. It is.

  In other words, if filtering is performed based on the detected source IP address of the unauthorized session, only the communication from the attacker may not be filtered. Therefore, it is desirable that the detection system 100 does not permanently filter the source IP address corresponding to the detected unauthorized session, but cancels the filter when the attack stops.

  At this time, the detection system 100 desirably releases the filter after confirming that the attack has completely stopped, but such a determination may be difficult. Therefore, the processing performed in the above third embodiment or the case where communication for trying to establish a considerable number of sessions with the web server 30 is not observed, or the number of sessions that the web server 30 can establish The detection system 100 may cancel the filter when a predetermined number of margins are secured. In the former, the relay device 120 notifies the control device 110 of the observation result, and in the latter, the web server 30 notifies the control device 110 so that the control device 110 instructs the relay device 120 to cancel the filter.

[Fourth Embodiment]
In the embodiment described above, the detection system 100 may have caused unauthorized communication when the number of established sessions exceeds a predetermined threshold with respect to the web server 30 to be monitored. An example is shown in which it is determined that the mode is shifted to the monitoring mode. Here, the detection system 100 determines that there is a possibility of unauthorized communication even when the number of established sessions exceeds a predetermined threshold value, and shifts to the monitoring mode. Also good.

  For example, the detection system 100 may shift to the monitoring mode by paying attention to the increase rate of the number of established sessions. In this case, the control device 110 is periodically notified of information related to the established session from the web server 30 or an external device that monitors the resources of the web server 30. Then, the control device 110 calculates an increase rate per unit time of the number of established sessions, and compares the calculated value with a preset threshold value. Then, the control device 110 determines whether or not the calculated value exceeds a preset threshold value. If exceeded, the control device 110 transmits an instruction to execute the mirroring to the relay device 120 and shifts to the monitoring mode.

  The detection system 100 may shift to the monitoring mode based on the number of sessions established for a predetermined time or more, or the rate of increase in the number of sessions, among the number of established sessions. In other words, the control device 110 receives a notification of information on the duration of each session using a transmission source IP address and a transmission source port number as a set from the web server 30 or an external device that monitors the resources of the web server 30. For example, by periodically receiving notification of information for each session established in the web server 30, the control device 110 may calculate the duration based on the time when the notification is first received for each session. Good. Then, the control device 110 shifts to the monitoring mode when the established number or the increase rate exceeds a preset threshold for a session whose notified duration exceeds a predetermined time.

[Effect of the fourth embodiment]
As described above, the detection system 100 according to the fourth embodiment monitors not only the number of sessions but also factors such as the rate of increase and the duration of session establishment as the determination targets for the web server 30. . For this reason, the detection system 100 according to the fourth embodiment can detect an unauthorized session flexibly in response to various attack methods from an attacker.

[Other Examples]
The detection system 100 according to each embodiment described above may be implemented in various different forms other than the above embodiment. Therefore, in the following, another embodiment of the detection system 100 will be described.

  The detection system 100 described above may be installed other than a communication carrier network or ISP network. For example, the detection system 100 may be installed on the data center side in order to protect a cloud service built on the data center.

  In the above description, the filter unit set in the relay device 120 is the source IP address of the client. However, a pair of the source IP address and source port number corresponding to the unauthorized session, or a destination IP address and destination A combination of port numbers may be used. Further, the detection system 100 may be set in units of IP addresses as a filter for a session determined to be illegal, or may be set in units of pairs of IP addresses and port numbers. In addition, the detection system 100 may set in advance the IP addresses to be filtered so as to filter the top N addresses (N is a natural number) in order from the IP addresses with the largest number of established illegal sessions. Alternatively, it may be set in advance so as to filter for IP addresses in which the ratio of the number of established illegal sessions to the number of established sessions with respect to the IP address is a predetermined value or more. The number is acquired by receiving a notification from the web server 30. In this case, the control device 110 transmits an instruction to filter the corresponding IP address to the relay device 120 according to the setting. In addition, when the detection system 100 calculates a degree (score) indicating the likelihood of being fraudulent for each fraudulent session detected by the detection device 130, a session having such a score equal to or greater than a predetermined threshold is selected. It may be regarded as an unauthorized session.

  Further, the storage device 140 related to the detection system 100 may be communication data related to all traffic relayed by the relay device 120 as communication data to be stored, or may be the target system (here, the web server 30). It may be accumulated only for traffic used for attacks that exhaust resources. Specifically, when the storage device 140 is limited to sessions that can be established by the web server 30, the destination port number in TCP communication is “80” or “8080” indicating HTTP (Hypertext Transfer Protocol), HTTPS (Hypertext) You may make it accumulate | store for the communication (or its response) which is "443" which shows Transfer Protocol Secure. Further, since connectionless communication data such as UDP (User Datagram Protocol) or IP does not need to be stored, it may be excluded from storage or discarded preferentially.

  Further, when the target system is one or more specific web servers, the storage device 140 may store the communication (or the response) including the IP addresses indicating the web servers as targets. In this case, the storage device 140 may manage the communication data storage unit 143 and the extraction session storage unit 144 for each web server or for each IP address corresponding to the web server. The relay device 120 may mirror only the traffic corresponding to the IP address of the web server of one or more target systems to the detection device 130 and / or the storage device 140. In this case, the control device 110 performs traffic to be mirrored. Is explicitly indicated. In addition, when a countermeasure against the SlowDoS attack is provided as a service, only the traffic related to the web server that uses this service may be targeted for mirroring.

  Further, the storage device 140 may be configured such that communication data related to traffic relayed to the relay device 120 is directly extracted by the session extraction unit 146 and stored in the extraction session storage unit 144. In this case, the storage device 140 may not include the communication data storage unit 143.

  Moreover, each apparatus which comprises the detection system 100 which concerns on each embodiment mentioned above may be implemented by the quantity different from the quantity shown by the said embodiment. For example, in the above-described embodiment, an example in which one relay device 120 performs mirroring for detection processing or pouring for storage processing to both the detection device 130 and the storage device 140 has been described. However, the detection system 100 may include two or more relay devices 120, and the processing may be performed in a shared manner so that each relay device 120 performs each process on the detection device 130 and the storage device 140.

  Further, for communication within the detection system 100, the instruction from the control device 110 to the relay device 120 may be based on the OpenFlow specification. In this case, the control device 110 includes an OpenFlow controller, and the relay device 120 includes an OpenFlow compatible switch. Alternatively, the detection system 100 may notify the operator of a notification received by the control device 110 and cause the control device 110 to operate based on the content of the instruction input by the operator.

  In the above embodiment, the detection system 100 has been described by taking the SlowDoS attack as an attack to be monitored and the web server 30 as an example of a target system that is the target of the attack. Applicable to all other unauthorized communications targeted.

(Configuration etc.)
Note that each component of each illustrated apparatus is functionally conceptual and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured. Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

  In addition, among the processes described in the present embodiment, all or part of the processes described as being automatically performed can be manually performed, or the processes described as being manually performed can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

(program)
In addition, it is possible to create a program in which processing executed by the detection system 100 according to the above embodiment is described in a language that can be executed by a computer. In this case, the same effect as the above-described embodiment can be obtained by the computer executing the program. Further, such a program may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read by the computer and executed to execute the same processing as in the above embodiment. Hereinafter, an example of a computer that executes a detection program that realizes the same function as the detection system 100 will be described.

  FIG. 10 is a diagram illustrating a computer that executes a detection program. As shown in FIG. 10, a computer 1000 includes, for example, a memory 1010, a CPU (Central Processing Unit) 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, a network Interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1041. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1041. For example, a mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050. For example, a display 1130 is connected to the video adapter 1060.

  Here, as shown in FIG. 10, the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. Each piece of information described in the above embodiment is stored in, for example, the hard disk drive 1090 or the memory 1010.

  Further, the detection program is stored in the hard disk drive 1090 as a program module in which a command executed by the computer 1000 is described, for example. Specifically, a program module describing each process executed by each device included in the detection system 100 described in the above embodiment is stored in the hard disk drive 1090.

  Data used for information processing by the detection program is stored as program data in, for example, the hard disk drive 1090. Then, the CPU 1020 reads out the program module 1093 and the program data 1094 stored in the hard disk drive 1090 to the RAM 1012 as necessary, and executes the above-described procedures.

  The program module 1093 and the program data 1094 related to the detection program are not limited to being stored in the hard disk drive 1090. For example, the program module 1093 and the program data 1094 are stored in a removable storage medium and read by the CPU 1020 via the disk drive 1041 or the like. May be. Alternatively, the program module 1093 and the program data 1094 related to the detection program are stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and are transmitted via the network interface 1070. It may be read by the CPU 1020.

10 terminal 20 attack generation terminal 30 web server 100 detection system 110 control device 120 relay device 130 detection device 140 storage device 141 IF unit 142 storage unit 143 communication data storage unit 144 extraction session storage unit 145 control unit 146 session extraction unit 147 session management Part

Claims (8)

A detection system comprising a relay device that relays communication with a server to be monitored, a detection device, and a control device,
The controller is
When an abnormality is detected in the information related to the communication resources of the server, an instruction to mirror the communication relayed by the relay device to the detection device is transmitted.
The detection device includes:
Detecting unauthorized communications from among the communications mirrored according to the instructions transmitted by the control device;
The controller is
Based on the result of the detection process by the detection device, an instruction to block the specified unauthorized communication is transmitted to the relay device.
A detection system characterized by that. A storage device that accumulates communication data that is information related to communication relayed by the relay device and that discards the communication data stored in a predetermined order before reaching the upper limit of the storable capacity,
The storage device
Among the accumulated communication data, the detection device transmits communication data accumulated before the timing at which mirroring is started according to the instruction transmitted by the control device to the detection device,
The detection device includes:
Detecting unauthorized communication from communication mirrored according to the instruction transmitted by the control device and communication data transmitted from the storage device;
The detection system according to claim 1. The storage device
Preferentially discarding communication data that is assumed not to be used for detection processing by the detection device, and preferentially storing communication data assumed to be used for detection processing by the detection device;
The detection system according to claim 2. The controller is
When the detection device does not detect unauthorized communication and / or when a state where communication from a transmission source corresponding to communication blocked by the relay device is not more than a predetermined amount continues for a predetermined time, Transmitting an instruction to cancel mirroring and / or an instruction to cancel blocking to the relay device;
The detection system according to any one of claims 1 to 3. An accumulator that accumulates communication data that is information related to communication with the monitoring target server;
An extraction unit that extracts the communication data in a series of communication units from the communication data accumulated by the accumulation unit;
A transmission unit that transmits the communication data extracted by the extraction unit to a detection device that is a device that detects unauthorized communication by analyzing the communication when an abnormality is detected in communication with the server. ,
A storage device comprising: A detection method in which a detection system detects unauthorized communication,
A relay step for relaying communication with the monitored server;
A monitoring step of mirroring the communication relayed by the relay step when an abnormality is detected in the information related to the communication resource of the server;
A detection step of detecting unauthorized communication out of the communication mirrored by the monitoring step;
An instruction step for instructing to block the specified unauthorized communication based on the detection result of the detection step;
The detection method characterized by including. A storage method in which a storage device stores information related to communication,
An accumulation step for accumulating communication data that is information relating to communication with a server to be monitored;
An extraction step for extracting the communication data in a series of communication units from the communication data accumulated by the accumulation step;
A transmission step of transmitting the communication data extracted by the extraction step to a detection device that is a device that detects unauthorized communication by analyzing communication triggered by an abnormality detected in communication with the server; ,
A storage method characterized by comprising   The detection program for functioning a computer as a control apparatus which concerns on the detection system as described in any one of Claims 1-4.

Images