JP2016157311A - Network monitoring apparatus, network monitoring method, and network monitoring program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a network monitoring apparatus configured to detect spread of malware, a method, and a program.SOLUTION: A network device 10 extracts a shared connection request from data transmitted over a network, and a response to the shared connection request, calculates a use feature that identifies a state of use of a file server which is to receive the shared connection request, on the basis of the extracted shared connection request and the response, and detects an illegal access to the file server, in accordance with comparison between the calculated use feature and a reference use feature which is identified in advance by a purpose of use of the file server.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a network monitoring device, a network monitoring method, and a network monitoring program.

  Conventionally, it is known that malware that has entered an organization spreads within the organization by exploiting a file sharing protocol. As an attempt to detect the spread of malware, a method of monitoring an authentication log at the time of file sharing, a method of monitoring a host operation log, a method using anti-virus software, and the like are used.

  For example, in the method of monitoring the authentication log, it is monitored whether the authentication log when the user terminal logs in to the file server is an authentication request from a normal account. In the method of monitoring the operation log of the host, the log of the file server is monitored to monitor whether the file operation is performed by a normal account. In the method using anti-virus software, malware is detected using a signature.

JP 2006-333433 A Special table 2013-518342 gazette Special table 2013-533554 gazette

  However, the above technique cannot detect the spread of malware that has stolen legitimate accounts or unknown malware.

  For example, when a legitimate user terminal is infected with malware after authentication to the file server is permitted using the file sharing protocol, access to the file server is executed with a legitimate account. For this reason, it is impossible to determine whether the log is a normal user log or a malware log from the authentication log or operation log. In addition, since the signature corresponds to known malware, antivirus software cannot detect unknown malware.

  An object of one aspect is to provide a network monitoring apparatus, a network monitoring method, and a network monitoring program that can detect the spread of malware.

  In the first plan, the network monitoring apparatus includes an extraction unit that extracts a shared connection request and a response to the shared connection request from data transmitted through the network. The network monitoring device includes a calculation unit that calculates a usage characteristic that identifies a situation in which a file server that is a request destination of the shared connection request is used based on the shared connection request and the response extracted by the extraction unit. Have. The network monitoring device includes a detection unit that detects unauthorized access to the file server in accordance with a comparison between the usage characteristic calculated by the calculation unit and a reference usage characteristic specified in advance by the use of the file server. .

  According to one embodiment, the spread of malware can be detected.

FIG. 1 is a diagram illustrating an example of the overall configuration of a system according to the first embodiment. FIG. 2 is a functional block diagram of the functional configuration of the network device according to the first embodiment. FIG. 3 is a diagram illustrating an example of the reference usage characteristics stored in the usage reference DB. FIG. 4 is a diagram illustrating an example of actually measured values stored in the usage characteristic DB. FIG. 5 is a diagram illustrating an example of reference user characteristics stored in the user reference DB. FIG. 6 is a diagram illustrating an example of actual measurement values stored in the user characteristic DB. FIG. 7 is a flowchart showing the overall processing flow. FIG. 8 is a flowchart showing the flow of processing for calculating the reference usage characteristics of the file server. FIG. 9 is a flowchart showing a flow of processing for calculating the reference user characteristic of the file server. FIG. 10 is a flowchart showing the flow of unauthorized access detection processing. FIG. 11 is a diagram illustrating determination of usage characteristics of a file server. FIG. 12 is a diagram illustrating determination of user characteristics. FIG. 13 is a diagram illustrating a hardware configuration example.

  Hereinafter, embodiments of a network monitoring device, a network monitoring method, and a network monitoring program disclosed in the present application will be described in detail with reference to the drawings. Note that the present invention is not limited to the embodiments.

[overall structure]
FIG. 1 is a diagram illustrating an example of the overall configuration of a system according to the first embodiment. As shown in FIG. 1, this system includes a plurality of user terminals 1, a network device 10, and a file server 50. In addition, although the case where the number of the file server 50 is one is illustrated as an example, it is not limited to this, You may have a plurality of file servers 50.

  The user terminal 1 is a terminal device that accesses the file server 50 via the network device 10 using the SMB protocol, which is an example of a shared connection method, and is an example of a personal computer, a server, a smartphone, or the like. For example, the user terminal 1 executes a login process on the file server 50, and after the login is permitted, the user terminal 1 accesses the file server 50 using the SMB protocol.

  The file server 50 is a shared file server provided for each use such as business, and is shared by the user terminals 1 using the SMB protocol. The file server 50 executes a login process for the accessing user terminal 1 and permits an operation from the user terminal 1 permitted to log in.

  In the file server 50 and the shared folder in the file server 50, a share name to which an access right is set is set. The user terminal 1 transmits an SMB shared connection request (hereinafter, sometimes referred to as a shared connection request) by specifying a shared name. Then, the file server 50 permits the SMB sharing connection request when the request is from the user terminal permitted to log in and is the request from the user terminal 1 having the access right to the existing share name.

  The network device 10 is a network device that relays communication between the user terminal 1 and the file server 50, and is an example of a router or a switch. The network device 10 extracts an SMB shared connection request and a response to the SMB shared connection request from data transmitted through the network. Then, based on the extracted SMB shared connection request and response, the network device 10 calculates a usage characteristic that identifies a situation in which the file server 50 that is the request destination of the SMB shared connection request is used. Thereafter, the network device 10 detects unauthorized access to the file server 50 according to a comparison between the calculated usage characteristic and a reference usage characteristic specified in advance by the use of the file server 50.

  That is, the network device 10 calculates the usage characteristics of the file server 50 in advance, and compares the usage characteristics with the measured values measured from the shared connection to the file server 50 (hereinafter sometimes referred to as “TreeConnect”). Detect unauthorized access that is different from. As a result, the network device 10 can detect the spread of malware.

[Functional configuration of network device]
Next, the functional configuration of each device shown in FIG. 1 will be described. Since the file server 50 has the same functional configuration as a general file server, and the user terminal 1 has the same function as a general personal computer or the like, a detailed description thereof will be omitted. Here, the functional configuration of the network device 10 will be described.

  FIG. 2 is a functional block diagram of the functional configuration of the network device according to the first embodiment. As illustrated in FIG. 2, the network device 10 includes a communication unit 11, a storage unit 12, and a control unit 15. Note that the functional units illustrated here are examples, and may have other functions such as a display unit that displays information on a display or the like.

  The communication unit 11 is a processing unit that controls communication with the user terminal 1 and the file server 50, and is an example of a network interface, for example. For example, the communication unit 11 transmits various requests received from the user terminal 1 to the file server 50, and transmits a response received from the file server 50 to the user terminal 1.

  The storage unit 12 is a storage device that stores programs executed by the control unit 15 and data, and is an example of a memory or a hard disk. The storage unit 12 stores a usage standard DB 12a, a usage characteristic DB 12b, a user standard DB 12c, and a user characteristic DB 12d.

  The usage standard DB 12a is a database that stores standard usage characteristics specified in advance according to the use of the file server 50. The use of the file server 50 is determined for each server, and different features are seen in how it is used. This is called the standard usage characteristic of the file server.

  FIG. 3 is a diagram illustrating an example of the reference usage characteristics stored in the usage reference DB. As shown in FIG. 3, the usage standard DB 12a includes “server name, number of connected users (person / day), client IP address, shared name, number of connections (times / day), shared name that does not exist as standard usage characteristics. The number of connection requests (number of times / day), the number of connection requests to the shared name without access right (times / day), and the shortest connection time are stored in association with each other.

  The “server name” stored here is information for uniquely identifying the file server 50, and is, for example, an IP (Internet Protocol) address or a host name. The “number of connected users (person / day)” is the number of users per day that are shared and connected to the file server 50 specified by the server name, and information for uniquely identifying the file server + one connection by account name With a person. The “client IP address” is the IP address of the user terminal 1 connected to the file server 50 specified by the server name.

  The “share name” is a share name with which the file server 50 has received a connection request from a user. “Number of times of connection (times / day)” is the number of times that the file server 50 is stated in one day when the file server 50 is shared by users. “Number of connection requests to non-existing share name (times / day)” is the number of times a connection request accepted by the file server 50 for a non-existing share name per day. The “number of requests for connection to a shared name without access right (times / day)” is the number of times that the file server 50 accepts a connection request to a shared name without access right for one day. The “shortest connection time” is the shortest connection time among the user connection times, and is measured by associating a connection request with a disconnection request.

  The first line in FIG. 3 shows the reference usage characteristics for the file server 50 whose server name is “serverA”. This standard usage characteristic is that there are 18 users per day, 54 connections per day, 2 requests for connection to a non-existing share name, and 1 day for a share name without access rights. 3 connection requests and the shortest connection time is 3 minutes 15 seconds. In addition, the IP address of the user terminal that is shared and connected to “server A” is “192.168.1.11, 192.168.1.12, 192.168.1.13, 192.168.1.14, 192.168.1.15, 192.168.1.16”. In addition, the shared name of the shared connection is “doc, lib, tmp”.

  The reference usage characteristics stored here can be set in advance by an administrator or the like according to the use of the file server 50. For example, a file server that stores business data has more daily access than a file server that stores personnel data, and security is strictly set for a file server that stores personnel data. The reference usage characteristics stored here can also be created from the past access history to the file server 50 or the like.

  The usage characteristics DB 12b is a database that stores usage characteristics calculated from SMB sharing connection requests and responses actually executed for the file server 50. That is, the usage characteristic DB 12b stores actual measurement values obtained by measuring actual shared connections. FIG. 4 is a diagram illustrating an example of actually measured values stored in the usage characteristic DB. As shown in FIG. 4, the usage characteristic DB 12 b has “server name, number of connected users (person / day), client IP address, shared name, number of times of connection (times / day), not present as measured values (usage characteristics). The number of connection requests to the shared name (times / day), the number of connection requests to the shared name without access right (times / day), and the shortest connection time are stored in association with each other. Since each item is the same as that in FIG. 3, detailed description thereof is omitted.

  The first line in FIG. 4 shows actual measurement values for the file server 50 whose server name is “serverA”. The actual measurement values are as follows: 31 people connected per day, 87 connections per day, 23 connection requests per day to non-existing share names, and 1 day per share name without access rights The connection request is 19 times and the shortest connection time is 1 second. In addition, the IP address of the user terminal that is shared and connected to “server A” is “192.168.1.11, 192.168.1.12, 192.168.1.13, 192.168.1.14, 192.168.1.15, 192.168.1.16”. In addition, the shared name of the shared connection is “doc, lib, Tmp, c $, d $, E $”.

  In addition, although the actual measurement value of 1 day was demonstrated here as an example, it is not limited to this. For example, actual measurement values measured every predetermined time such as one hour can be accumulated, and measurement time, information to be stored, and the like can be arbitrarily changed.

  The user reference DB 12c is a database that stores user characteristics that specify a situation in which the user uses the file server 50. There are different features in the usage of the file server 50 for each user who uses the file server 50. This is called the standard user characteristic of the file server user.

  FIG. 5 is a diagram illustrating an example of reference user characteristics stored in the user reference DB. As shown in FIG. 5, the user reference DB 12c includes “user name, client IP address, connection server name, number of connections (times / day), number of connection requests to a non-existing shared name ( Times / day), the number of requests for connection to a shared name without access right (times / day), and the shortest connection time ”are stored in association with each other.

  The “user name” stored here is a user name that is shared and connected to the file server 50, such as a login ID. The “client IP address” is an IP address used for communication by the user terminals of the users connected in common. The “connection server name” is the name of the file server 50 to which the user has shared connection. “Number of connected users (times / day)” is the number of times the user has connected to each file server in one day.

  “Number of connection requests to non-existing shared name (times / day)” is the number of connection requests sent by the user to non-existing shared name per day, and is stored for each file server that is shared and connected. . The nonexistent share name means that the share server has not been set by the administrator of the file server 50. “Number of connection requests to a shared name without access right (times / day)” is the number of connection requests sent by a user to a shared name without access right per day, and for each file server connected in a shared manner Is remembered. The “shortest connection time” is the shortest connection time, and is stored for each file server connected in a shared manner.

  The first line in FIG. 5 is a reference user characteristic for user A. This reference user characteristic indicates that the IP address is “192.168.1.11” and the connection is made to “server A”, “server B”, and “server C”. For “server A”, user A connects twice a day, sends a connection request once per day to a non-existing share name, and there is no connection request for a share name without access rights. The shortest connection time is 3 minutes 15 seconds. For "server B", user A connects once a day, indicates that there is no connection request for a shared name that does not exist or a shared name that does not have access rights, and the shortest connection time is 1 minute 28 seconds. . For "serverC", user A connects four times a day, indicates that there is no connection request for a shared name that does not exist or has no access right, and the shortest connection time is 5 minutes 41 seconds. .

  Further, the user criterion DB 12c stores information regarding the file server 50. Specifically, as illustrated in FIG. 5, the user reference DB 12c stores “server name, shared name, connection timing” in association with each other. The “server name” is the name of the file server 50, the “share name” is the name of a folder or the like shared in the file server 50, and the “connection timing” is the connection timing to the share name.

  In the example of FIG. 5, “doc”, “lib”, and “tmp” are set as share names for the file server “serverA”. Then, the connection timing to the share names “doc” and “lib” is an automatic connection when the OS (Operating System) is started, and the connection timing to the share name “tmp” is a connection at any time. That is, when the file server “serverA” starts up, the user terminal 1 permitted to log in automatically connects to the shared names “doc” and “lib”, and connects to the shared name “tmp” at an arbitrary timing. Indicates to do.

  The user characteristics DB 12d is a database that stores user characteristics calculated from SMB shared connection requests and responses that are actually executed by users who are connected to the file server 50 in a shared manner. That is, the user characteristic DB 12d stores actual measurement values obtained by measuring actual shared connections. FIG. 6 is a diagram illustrating an example of actual measurement values stored in the user characteristic DB. As shown in FIG. 6, the user characteristic DB 12d includes “user name, client IP address, connection server name, connection frequency (times / day), connection request to non-existing shared name” as an actual measurement value (use characteristic). Number (times / day), number of requests for connection to shared name without access right (times / day), shortest connection time, connection timing ”are stored in association with each other. Since each item is the same as that in FIG. 4, detailed description is omitted.

  The first line in FIG. 6 is a reference user characteristic for user A. This reference user characteristic indicates that a shared connection is made using IP addresses “192.168.2.24, 192.168.3.86, 192.168.3.154”. Further, it indicates that connection is made to each of the file servers “serverA”, “serverB”, “serverC”, “serverD”, “serverE”, and “serverF”.

  For “server A”, user A connects 20 times a day, sends a connection request 10 times a day to a non-existing shared name, and issues a connection request for a shared name without access rights for 1 day. Is transmitted 5 times, and the shortest connection time is 3 seconds. Both indicate that the message is transmitted while the OS of “server A” is stopped. For “server B”, user A connects 10 times a day, sends a connection request 5 times a day to a shared name that does not exist, and issues a connection request for a shared name that does not have access rights for 1 day. Is transmitted 10 times, and the shortest connection time is 5 seconds. Both indicate that the message is transmitted while the OS of “serverB” is stopped. Since the same applies to server C and later, detailed description thereof is omitted.

  In addition, although the actual measurement value of 1 day was demonstrated here as an example, it is not limited to this. For example, actual measurement values measured every predetermined time such as one hour can be accumulated, and measurement time, information to be stored, and the like can be arbitrarily changed.

  The control unit 15 is a processing unit that controls the entire network device 10 and is, for example, a processor. The control unit 15 includes a capture unit 16, an extraction unit 17, a file processing unit 18, a user processing unit 19, and a warning unit 20. Note that the capture unit 16, the extraction unit 17, the file processing unit 18, the user processing unit 19, and the warning unit 20 are examples of an electronic circuit included in the processor and an example of a process executed by the processor.

  The capture unit 16 is a processing unit that captures data flowing through the network. Specifically, data transmitted and received between the user terminal 1 and the file server 50 is captured and stored in the storage unit 12 or the like.

  The extraction unit 17 is a processing unit that extracts an SMB packet from the data captured by the capture unit 16, extracts an SMB shared connection request and a response, and outputs the request to the file processing unit 18 and the user processing unit 19.

  Specifically, the extraction unit 17 refers to a command in the SMB header in the SMB packet, detects a shared connection request and response, which is an SMB authorization process, and sends the request and response to an IP address and a port number. Associate with session ID. Then, when the shared connection is successful, the extraction unit 17 holds the time.

  Similarly, the extraction unit 17 detects a request and a response of a server connection (SessionSetup) that is an authentication process of SMB, and associates the request and the response with an IP address and a port number. Holds the user ID. Further, the extraction unit 17 detects a disconnection (Logoff) request and response to the server, associates the request and the response with an IP address and a port number, and holds the IP address and port number held when the authentication is successful when the disconnection is successful. , Release account name or user ID.

  The file processing unit 18 includes a file server usage characteristic calculation unit 18a and a characteristic comparison unit 18b, and is a processing unit that detects unauthorized access from file usage characteristics.

  The file server usage characteristic calculation unit 18a is a processing unit that calculates a usage characteristic that identifies a situation in which the file server that is the request destination of the SMB shared connection request is used based on the SMB shared connection request and the response. Specifically, the file server usage characteristic calculation unit 18a analyzes the Tree Connect that is a shared connection request and its response, calculates the usage characteristic of the file server 50 shown in FIG. 4, and stores it in the usage characteristic DB 12b. .

  In order to calculate the usage characteristics for each file server 50, the file server 50 is uniquely managed. Therefore, the destination of the shared connection request, in other words, the IP address of the response transmission source, the MAC (Media Access Control) address, or the host name reversely looked up from the IP address is used. In addition, the file server usage characteristic calculation unit 18a calculates the following information for each file server 50 in units of one day. Note that, here, the explanation will be given by taking the unit of one day as an example. However, the present invention is not limited to this. For example, the calculation can be performed every hour, and the information of one day can be divided and managed in one hour. it can.

(Number of connected users)
For example, the file server usage characteristic calculation unit 18 a determines that there is one connection person by the connection source IP address + account name, and counts the number of connection persons for each file server 50. At this time, the file server usage characteristic calculation unit 18a confirms the account information being connected at the timing of the shared connection request, and if the account has not issued a connection request so far, Count up the number of connected users.

(Client IP address)
For example, the file server usage characteristic calculation unit 18a extracts, for each file server 50, the transmission source IP address that transmitted the shared connection request.

(Share name)
For example, when the file server usage characteristic calculation unit 18a acquires and holds the share name information included in the share connection request for each file server 50, and the share name has not been issued so far. The number of shared names is recorded as an actual measurement value.

(Number of connections)
For example, the file server usage characteristic calculation unit 18a counts the number of successful connections among the shared connection (TreeConnect) requests transmitted from all users of the file server 50 by the number of statements. Whether or not the shared connection is successful can be confirmed by analyzing the response of the TreeConnect.

(Number of connection requests to non-existing share name)
For example, the file server usage characteristic calculation unit 18a counts the number of requests transmitted to a shared name that does not exist among the shared connection requests transmitted from all users of the file server 50. Whether or not the request is for a shared name that does not exist can be confirmed by analyzing the response of the shared connection and checking whether or not a message such as an error has been returned.

(Number of connection requests to share names without access rights)
For example, the file server usage characteristic calculation unit 18a counts the number of requests transmitted to a shared name without access right among the shared connection requests transmitted from all users of the file server 50. Whether the request is for a shared name without access right can be confirmed by analyzing the response of the shared connection and checking whether a message such as an error has been returned.

(Shortest connection time)
For example, when the file disconnection (TreeDisconnect) succeeds for each file server 50, the file server usage characteristic calculation unit 18a measures the time from the time when the shared connection is successful until the connection is disconnected as the connection time.

  In this way, the file server usage characteristic calculation unit 18a calculates the above items at intervals such as a daily unit or an hour unit, specifies an actual measurement value of the usage characteristic, and stores it in the usage characteristic DB 12b.

  Returning to FIG. 2, the characteristic comparison unit 18 b determines whether the file server 50 receives the file server 50 according to the comparison between the usage characteristic calculated by the file server usage characteristic calculation unit 18 a and the reference usage characteristic specified in advance by the use of the file server 50. It is a processing unit that detects unauthorized access. Specifically, the characteristic comparison unit 18b compares the actual measurement value with the reference value for each file server 50, and detects that unauthorized access by malware has occurred when an actual measurement value different from the reference value is measured. To do.

  For example, Server A shown in FIGS. 3 and 4 will be described as an example. The characteristic comparison unit 18b has 31 measured values for the number of connected users and 18 reference values, and the measured value is different from the reference value or the measured value is a threshold value (for example, 5 people) from the reference value. ) Because of the above, the unauthorized access to the file server 50 is detected.

  The characteristic comparison unit 18b detects unauthorized access to the file server 50 because “c $, d $, E $” is not included in the reference value among the measured values of the shared name. Further, the characteristic comparison unit 18b has a measured value of the number of connections of 87 people and a reference value of 54 people, because the measured value is different from the reference value, or the measured value is a threshold value (for example, 5 Unauthorized access to the file server 50 is detected because there are more people.

  In addition, the characteristic comparison unit 18b determines that the actual measurement value of the number of connection requests to the non-existing shared name is 23 people and the reference value is 2 people, and the actual measurement value is different from the reference value. Unauthorized access to the file server 50 is detected because it is greater than the value by a threshold (for example, five people) or more.

  Similarly, the characteristic comparison unit 18b determines that the actual measurement value of the number of connection requests to the shared name without access right is 19 people and the reference value is 3, and the actual measurement value is different from the reference value. Is detected as an unauthorized access to the file server 50 because it is greater than the reference value by a threshold value (for example, five people) or more. Further, the characteristic comparison unit 18b determines that the measured value of the shortest connection time is 1 second and the reference value is 3 minutes and 15 seconds, and the measured value is different from the reference value, or the measured value is a threshold value that is lower than the reference value. Unauthorized access to the file server 50 is detected because it is shorter (for example, 1 minute) or more.

  In addition to the comparison between the actual measurement value and the reference value, the characteristic comparison unit 18b can also detect unauthorized access to the file server 50 from the rate of increase of the actual measurement value every predetermined time. For example, the characteristic comparison unit 18b detects unauthorized access to the file server 50 when the increase rate of the number of connected users counted for example every hour exceeds 10%.

  In addition, the characteristic comparison unit 18b, for example, has an increase rate exceeding 10% or more such as the number of connections counted every hour, the number of connection requests to a non-existing shared name, the number of connection requests to a shared name without access right, etc. In the case, unauthorized access to the file server 50 is detected.

  The characteristic comparison unit 18b can arbitrarily change the setting of which item is used for detecting unauthorized access. For example, the characteristic comparison unit 18b can detect unauthorized access to the file server 50 when one item satisfies the condition, and can also perform unauthorized access to the file server 50 when three or more items satisfy the condition. Can also be detected.

  The user processing unit 19 includes a user characteristic calculation unit 19a and a user characteristic comparison unit 19b, and is a processing unit that detects unauthorized access from the user characteristics of the file.

  The user characteristic calculation unit 19a determines, for a user who uses the file server 50, a situation in which the user uses the file server 50 based on an SMB sharing connection request requested by the user and a response acquired by the user. It is a processing unit that calculates user characteristics to be identified. Specifically, the user characteristic calculation unit 19a analyzes the Tree Connect that is a shared connection request and its response, calculates the usage characteristic of the file server 50 shown in FIG. 6, and stores it in the user characteristic DB 12d. .

  In order to calculate the usage characteristics for each user of the file server 50, the users are uniquely managed. For this purpose, the IP address, MAC address, and account name of the request transmission source are used. The user characteristic calculation unit 19a calculates the following information on a daily basis for each user. Note that, here, the explanation will be given by taking the unit of one day as an example. However, the present invention is not limited to this. For example, the calculation can be performed every hour, and the information of one day can be divided and managed in one hour. it can.

(Client IP address)
For example, if the shared connection request transmitted by the user is a user who has not issued a connection request so far, the user characteristic calculation unit 19a extracts the IP address or the host name reversely looked up from the IP address. And hold.

(Connection server name)
For example, the user characteristic calculation unit 19a confirms the account information being connected that is held at the timing of the shared connection request. When the user has not issued a connection request so far, the user characteristic calculation unit 19a holds the IP address of the server for each user.

(Number of connections)
For example, the user characteristic calculation unit 19a counts the number of successful connections among the shared connection requests transmitted by the user by the number of statements. Note that whether or not the SMB shared connection is successful can be confirmed by analyzing the response of TreeConnect.

(Number of connection requests to non-existing share name)
For example, the user characteristic calculation unit 19a counts the number of requests transmitted to a shared name that does not exist among the shared connection requests transmitted from the user. Whether or not the request is for a shared name that does not exist can be confirmed by analyzing the response of the SMB shared connection. Further, the nonexistent share name means a share name that is not set by the administrator of the file server 50.

(Number of connection requests to share names without access rights)
For example, the user characteristic calculation unit 19a counts the number of requests transmitted to a shared name without access right among the shared connection requests transmitted from the user. Whether or not the request is for a shared name without access right can be confirmed by analyzing the response of the SMB shared connection.

(Shortest connection time)
For example, when the sharing disconnection is successful for each user and for each file server, the user characteristic calculation unit 19a holds the time from the time when the shared connection is successful until the connection is disconnected as the connection time.

(Connection timing)
For example, the user characteristic calculation unit 19a extracts whether the SMB shared connection request is due to automatic connection at the time of OS startup or other manual connection. For example, the user characteristic calculation unit 19a is configured to display a time when an IP is assigned by DHCP (Dynamic Host Configuration Protocol), a broadcast time of a NetBIOS (Network Basic Input Output System) name, or WINS (Windows (registered trademark) Internet Name Service). Judgment is made based on the registration time. In this way, the user characteristic calculation unit 19a calculates the above items at intervals such as a day unit or an hour unit, specifies the actual measurement value of the user characteristic, and stores it in the user characteristic DB 12d.

  Returning to FIG. 2, the user characteristic comparison unit 19 b responds to the comparison between the user characteristic calculated by the user characteristic calculation unit 19 a and the reference user who uses the file server 50 of the user specified in advance. The processing unit detects a user who has illegally accessed the file server 50. Specifically, the user characteristic comparison unit 19b compares an actual measurement value with a reference value for each user, and detects an unauthorized access due to malware when an actual measurement value different from the reference value is measured. To do.

  For example, a description will be given by taking user A shown in FIGS. 5 and 6 as an example. The user characteristic comparison unit 19b has an IP address actually used which is “192.168.2.24, 192.168.3.86, 192.168.3.154”, which is different from the reference value “192.168.1.11”. It detects that it did.

  In addition to the reference values “ServerA, ServerB, ServerC”, the user characteristic comparison unit 19b detects that unauthorized access by malware has occurred because the server is actually connected to “ServerD, ServerE, ServerF”.

  In addition, the user characteristic comparison unit 19b detects that the number of connections to the reference values “ServerA, ServerB, and ServerC” is “20, 10, 9”. Then, the user characteristic comparison unit 19b may illegally apply to the file server 50 because the actual measurement value is different from the reference value or because the actual measurement value is greater than the reference value by a threshold (for example, five people) or more. Detect access.

  In addition, the user characteristic comparison unit 19b detects that the number of connection requests to a shared name that does not exist in the reference values “ServerA, ServerB, ServerC” is “10, 5, 8”. Then, the user characteristic comparison unit 19b may illegally apply to the file server 50 because the actual measurement value is different from the reference value or because the actual measurement value is greater than the reference value by a threshold (for example, five people) or more. Detect access.

  In addition, the user characteristic comparison unit 19b detects that the number of connection requests to the shared name having no access right in the reference values “ServerA, ServerB, ServerC” is “5, 10, 4”. Then, the user characteristic comparison unit 19b may illegally apply to the file server 50 because the actual measurement value is different from the reference value or because the actual measurement value is greater than the reference value by a threshold (for example, three people) or more. Detect access.

  Further, the user characteristic comparison unit 19b detects the measured value of the shortest connection time for the reference values “ServerA, ServerB, ServerC” as “3 seconds, 5 seconds, 41 seconds”. Then, the user characteristic comparison unit 19b may illegally apply to the file server 50 because the actual measurement value is different from the reference value or because the actual measurement value is shorter than the reference value by a threshold (for example, 1 minute) or more. Detect access.

  In addition, the user characteristic comparison unit 19b detects the measured value of the connection timing to the reference values “Server A, Server B, Server C” as “OS stopped, OS stopped, OS started”. Then, the user characteristic comparison unit 19b detects unauthorized access to the file server 50 because the measured value for “ServerA” is different from the reference value.

  In addition to the comparison between the actual measurement value and the reference value, the user characteristic comparison unit 19b can also detect unauthorized access to the file server 50 from the rate of increase of the actual measurement value per predetermined time. For example, the user characteristic comparison unit 19b can also detect unauthorized access to the file server 50 when the rate of increase in the number of users connected to the connection server destination counted every hour exceeds 10%. .

  Similarly, in the user characteristic comparison unit 19b, for example, the increase rate of the number of connection requests to the non-existing shared name or the number of connection requests to the non-access right shared name, which is counted every hour, exceeds 10% or more. If this happens, an unauthorized access to the file server 50 is detected.

  Note that the user characteristic comparison unit 19b can arbitrarily change the setting of which item is used for detecting unauthorized access. For example, the user characteristic comparison unit 19b can detect an unauthorized access to the file server 50 when one item satisfies the condition, and the user characteristic comparison unit 19b can access the file server 50 when three or more items satisfy the condition. Unauthorized access can also be detected.

  The warning unit 20 is a processing unit that outputs a message indicating that unauthorized access has occurred on an administrator terminal, a display, or the like, a message for prompting danger avoidance, or the like when unauthorized access is detected.

[Process flow]
Next, processing executed by the network device 10 will be described. Here, the overall processing flow, file reference usage characteristic calculation processing, file reference user characteristic calculation processing, and detection processing will be described.

(Overall processing)
FIG. 7 is a flowchart showing the overall processing flow. As shown in FIG. 7, the capture unit 16 captures network data (S101), and the extraction unit 17 extracts an SMB packet (S102).

  Subsequently, when the file server usage characteristic calculation unit 18a of the file processing unit 18 determines that it is the characteristic calculation period (S103: Yes), it calculates the reference usage characteristic of the file server 50 (S104). After that, the characteristic comparison unit 18b compares the calculated reference usage characteristic with actual data (S105).

  Similarly, when it is determined that it is the characteristic calculation period (S103: Yes), the user characteristic calculation unit 19a of the user processing unit 19 calculates the reference user characteristic of the user who uses the file server 50 (S106). ). Thereafter, the user characteristic comparison unit 19b compares the calculated reference user characteristic with actual data (S107).

  When it is not the characteristic calculation period (S103: No), S105 and S107 are executed without executing S104 and S106.

  Subsequently, when an abnormality is detected by the comparison of S105 or S107 (S108: Yes), the warning unit 20 records the abnormality and notifies a warning such as a monitoring system or an administrator terminal (S109). Thereafter, when an end instruction or the like is received (S110: Yes), the control unit 15 ends the process, and when an end instruction or the like is not received (S110: No), S101 and subsequent steps are repeated.

  On the other hand, when no abnormality is detected by the comparison of S105 or S107 (S108: No), the file server usage characteristic calculation unit 18a and the user characteristic calculation unit 19a determine whether it is a characteristic calculation period (S111). ).

  If the file server usage characteristic calculation unit 18a determines that it is the characteristic calculation period (S111: Yes), it calculates the standard usage characteristic of the file server 50 and records it in the usage standard DB 12a (S112). Further, the user characteristic calculation unit 19a calculates the reference user characteristic of the user who uses the file server 50 and records it in the user reference DB 12c (S113). Thereafter, S110 is executed. Even when it is not the characteristic calculation period (S111: No), S110 is executed.

(Calculation process of standard usage characteristics of files)
FIG. 8 is a flowchart showing the flow of processing for calculating the reference usage characteristics of the file server. As shown in FIG. 8, the file server usage characteristic calculation unit 18a acquires an IP address and a MAC address as a packet transmission source from the data extracted by the extraction unit 17, and specifies the file server 50 (S201).

  Subsequently, when the data extracted by the extraction unit 17 is an authentication request (S202: Yes), the file server usage characteristic calculation unit 18a acquires an IP address, a MAC address, and an account name as connection source information, and uses the usage criteria. Store in the DB 12a (S203). If the data extracted by the extraction unit 17 is not an authentication request (S202: No), the file server usage characteristic calculation unit 18a executes S204 without executing S203.

  Then, when the data extracted by the extraction unit 17 is a shared connection request (S204: Yes), the file server usage characteristic calculation unit 18a acquires the shared name and the number of shared connection requests as shared connection information, and uses the usage criterion DB 12a. (S205). Further, the file server usage characteristic calculation unit 18a holds the shared connection request time in the storage unit 12 or the like (S206). When the data extracted by the extraction unit 17 is not a shared connection request (S204: No), the file server usage characteristic calculation unit 18a executes S207 without executing S205 and S206.

  Furthermore, when the data extracted by the extraction unit 17 is a shared connection response (S207: Yes), the file server usage characteristic calculation unit 18a executes S208. That is, the file server usage characteristic calculation unit 18a acquires the number of connection requests to a non-existing share name and the number of connection requests to a share name without access right as sharability information, and stores them in the usage standard DB 12a (S208). ). If the data extracted by the extraction unit 17 is not a shared connection response (S207: No), the file server usage characteristic calculation unit 18a executes S209 without executing S208.

  In addition, when the data extracted by the extraction unit 17 is shared disconnection (S209: Yes), the file server usage characteristic calculation unit 18a calculates the time from the shared connection request time acquired in S206 to the disconnection (S210). .

  Subsequently, when the calculated time until disconnection is the shortest connection time so far (S211: Yes), the file server usage characteristic calculation unit 18a stores the time calculated in S210 in the usage criterion DB 12a as the shortest disconnection time. (S212). In addition, the file server utilization characteristic calculation part 18a will complete | finish a process as it is, when the time until the calculated cutting | disconnection is not the shortest connection time until now (S211: No). Also, the file server usage characteristic calculation unit 18a ends the process when the data extracted by the extraction unit 17 is not shared disconnection (S209: No).

  In addition, although the calculation example of the reference usage characteristic has been described here, the same flow can be processed when the actual value of the usage characteristic is calculated.

(File standard user characteristics calculation process)
FIG. 9 is a flowchart showing a flow of processing for calculating a reference user characteristic of a file. As shown in FIG. 9, when the data extracted by the extraction unit 17 is an authentication request (S301: Yes), the user characteristic calculation unit 19a uses an IP address, a MAC address, and a host name as connection source information as a packet transmission source. The user name is acquired and stored in the user reference DB 12c (S302). If the data extracted by the extraction unit 17 is not an authentication request (S301: No), the user characteristic calculation unit 19a executes S303 without executing S302.

  Then, when the data extracted by the extraction unit 17 is a shared connection request (S303: Yes), the user characteristic calculation unit 19a executes S304. That is, the user characteristic calculation unit 19a acquires a server name, an IP address, a MAC address, a shared name, and the number of shared connection requests as shared connection information for each connection source + user name, and stores them in the user reference DB 12c. To do.

  The user characteristic calculation unit 19a holds the shared connection request time in the storage unit 12 or the like (S305), and holds the shared connection timing in the storage unit 12 or the like (S306). If the data extracted by the extraction unit 17 is not a shared connection response (S303: No), the user characteristic calculation unit 19a executes S307 without executing S304 to S306.

  Furthermore, when the data extracted by the extraction unit 17 is a shared connection response (S307: Yes), the user characteristic calculation unit 19a executes S308. That is, the user characteristic calculation unit 19a acquires the number of connection requests to a non-existing share name and the number of connection requests to a share name without access right as sharability information, and stores them in the user reference DB 12c. If the data extracted by the extraction unit 17 is not a shared connection response (S307: No), the user characteristic calculation unit 19a executes S309 without executing S308.

  In addition, when the data extracted by the extraction unit 17 is shared disconnection (S309: Yes), the user characteristic calculation unit 19a calculates the time from the shared connection request time acquired in S305 to the disconnection (S310).

  Subsequently, when the calculated time until disconnection is the shortest connection time so far (S311: Yes), the user characteristic calculation unit 19a stores the time calculated in S310 as the shortest disconnection time in the user reference DB 12c. (S312). In addition, the user characteristic calculation part 19a will complete | finish a process as it is, when the time until the calculated cutting | disconnection is not the shortest connection time until now (S311: No). Moreover, the user characteristic calculation part 19a complete | finishes a process, when the data which the extraction part 17 extracted is not shared cutting | disconnection (S309: No).

  In addition, although the calculation example of the reference | standard user characteristic was demonstrated here, when calculating the actual value of a user characteristic, it can process by the same flow.

(Unauthorized access detection processing)
FIG. 10 is a flowchart showing the flow of unauthorized access detection processing. Here, the characteristic comparison unit 18b and the user characteristic comparison unit 19b are collectively referred to as a comparison unit.

  As shown in FIG. 10, the comparison unit selects one comparison item (S401). For example, the comparison unit selects one of the items shown in FIG. 3 and FIG. Then, the comparison unit sets the abnormality flag to OFF as initialization (S402). Thereafter, the comparison unit determines a comparison value generation method suitable for the selected comparison item (S403). The method for generating the comparison value can be specified for each comparison item by the administrator or the like.

  Then, when the comparison value generation method is the cumulative number, the comparison unit calculates the cumulative number in designated time units (S404). For example, the comparison unit calculates the number of connected users for each file server 50, or calculates the number of connected users to a shared name that does not exist. In addition, the comparison unit calculates the number of connection requests and the number of connection requests to the shared name without access right for each user on an hourly basis.

  Further, when the comparison value generation method is the accumulation list, the comparison unit calculates the accumulation list in units of designated time (S405). For example, the comparison unit creates a list of IP addresses of connected clients for each file server 50 in units of one hour. The comparison unit also creates a list of used IP addresses and a list of connected server names for each user on an hourly basis.

  Further, when the comparison value generation method is an increase rate, the comparison unit calculates the increase rate in units of designated time (S406). For example, the comparison unit calculates an increase rate of the number of connected users in one hour for each file server 50 or an increase rate of the number of connections in one hour for each user.

  Further, when the comparison value generation method is the minimum value, the comparison unit calculates the minimum value in a specified time unit (S407). For example, the comparison unit calculates the shortest connection time or the like for each file server 50 or user.

  Thereafter, the comparison unit determines a comparison method based on the comparison item (S408), and detects unauthorized access based on the determined comparison method (S409 to S412).

  Specifically, when the increase rate is greater than the threshold (S409: Yes), the comparison unit turns on the abnormality flag (S412). When the calculated minimum value is smaller than the recorded minimum value (S410: Yes), the comparison unit sets the abnormality flag to On (S412). If the created cumulative list is different from the recorded cumulative list (S411: Yes), the comparison unit sets the abnormality flag to On (S412). Thereafter, when there are other comparison items (S413: Yes), the comparison unit repeats S401 and the subsequent steps, and when there are no other comparison items (S413: No), the processing ends.

  Further, when the increase rate is equal to or less than the threshold (S409: No), when the calculated minimum value is equal to or less than the recorded minimum value (S410: No), when the created cumulative list is the same as the recorded cumulative list ( (S411: No), the comparison unit executes S413 without executing S412.

[Description of file characteristics judgment]
FIG. 11 is a diagram illustrating determination of usage characteristics of a file server. The example shown in FIG. 11 shows an example in which three users, Mr. A, Mr. B and Mr. C infected with malware, access the file server 50.

  As shown in FIG. 11, since any user executes the authentication process with a valid account, authentication to the file server 50 is permitted. In general detection software and the like, malware detection is executed by this authentication process, and therefore it is impossible to detect that Mr. B is infected with malware.

  However, the network device 10 according to the first embodiment can detect access by malware from each access to which a shared connection is authorized after authentication is permitted. Specifically, if it is a legitimate user, the network device 10 determines that the shared connection and disconnection are not repeated in a short time and the connection time is not short. Further, since the network device 10 knows whether there is a share name or access right that exists if it is a legitimate user, the network device 10 determines that it does not repeat the connection request to the share name that does not exist or has no access right more than necessary. To do.

  Since the network device 10 detects the shared connection corresponding to these points from the execution state of the shared connection, it is possible to detect unauthorized access at the time of the shared connection that was not a detection target in the past. In addition, the network device 10 can find a dangerous server targeted by an attacker.

[Description of file characteristics judgment]
FIG. 12 is a diagram illustrating determination of user characteristics. The example shown in FIG. 12 shows an example in which Mr. A infected with malware accesses the file server 51 and the file server 52.

  As shown in FIG. 12, the user terminal 1 used by Mr. A who is infected with malware executes authentication processing with a valid account, so that authentication to the file server 51 and the file server 52 is permitted. In general detection software and the like, malware detection is executed by this authentication process, and therefore it is impossible to detect that Mr. A is infected with malware.

  However, the network device 10 according to the first embodiment can detect access by malware from each access to which a shared connection is authorized after authentication is permitted. Specifically, if it is a legitimate user, the network device 10 determines that the shared connection and disconnection are not repeated in a short time and the connection time is not short. Further, since the network device 10 knows whether there is a share name or access right that exists if it is a legitimate user, the network device 10 determines that it does not repeat the connection request to the share name that does not exist or has no access right more than necessary. To do. Further, the network device 10 determines that the IP address used by the user is roughly determined, and it is rare that the IP address is different every time. Furthermore, the network device 10 determines that the number of accesses to the shared name or the like that has not been used by the user A is small.

  Since the network device 10 detects the shared connection corresponding to these points from the execution state of the shared connection, it is possible to identify the user terminal that executes the shared connection, which was not a detection target in the past. In addition, the network device 10 can detect an activity in which the malware spreads the malware via the file server using a valid account that is valid for the malware. Further, the network device 10 can detect malware diffusion in real time and can also detect the diffusion of unknown malware. Furthermore, since the network device 10 can detect an attack or the like by malware without using special software or the like, it is also possible to reduce the cost for detecting the malware.

  Although the embodiments of the present invention have been described so far, the present invention may be implemented in various different forms other than the embodiments described above.

[Determination process]
In the above embodiment, an example has been described in which both the usage characteristics of a file and the characteristics of a user are determined. However, the present invention is not limited to this. For example, the network device 10 can determine only one of them, and can arbitrarily combine the determination items. For example, the network device 10 can use any one item of usage characteristics and any two items of user characteristics as determination items.

[Judgment method]
In the above embodiment, an example has been described in which the network device 10 detects unauthorized access using a comparison between a reference and an actual measurement value, an increase rate of the actual measurement value, a minimum value, and the like, but is not limited thereto. . For example, the network device 10 can use another index such as a maximum value. Specifically, the network device 10 measures the number of connected users every hour and extracts the maximum value of the measured values. The network device 10 can also detect unauthorized access when the maximum value exceeds the threshold.

[system]
Further, each configuration of the illustrated apparatus does not necessarily need to be physically configured as illustrated. That is, it can be configured to be distributed or integrated in arbitrary units. Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

  In addition, among the processes described in this embodiment, all or part of the processes described as being performed automatically can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

[hardware]
FIG. 13 is a diagram illustrating a hardware configuration example. As shown in FIG. 13, the network device 10 includes an HDD (Hard Disk Drive) 10a, a communication interface 10b, a memory 10c, and a CPU (Central Processing Unit) 10d. Each unit shown in FIG. 13 is connected to each other by a bus or the like. Note that the hardware shown here is an example, and other hardware such as a graphic interface and a mouse may be included.

  The HDD 10a stores a program and DB for operating the functions shown in FIG. The communication interface 10b is an interface that controls communication with other devices, and is, for example, a network interface card.

  The CPU 10d operates a process for executing each function described with reference to FIG. 2 and the like by reading from the HDD 10a and the like a program that executes the same processing as the processing units illustrated in FIG.

  That is, this process executes the same function as each processing unit included in the network device 10. Specifically, the CPU 10d reads a program having functions similar to those of the capture unit 16, the extraction unit 17, the file processing unit 18, the user processing unit 19, and the warning unit 20 from the HDD 10a and the like. Then, the CPU 10d executes a process for executing processing similar to that performed by the capture unit 16, the extraction unit 17, the file processing unit 18, the user processing unit 19, and the warning unit 20.

  As described above, the network device 10 operates as an information processing apparatus that executes the network monitoring method by reading and executing the program. The program is recorded on a computer-readable recording medium such as a hard disk, a flexible disk, a CD-ROM (Compact Disk-Read Only Memory), an MO (Magneto Optical) disk, a DVD (Digital Versatile Disk), etc. And can be executed by being read from the recording medium by a computer. Note that the program referred to in the other embodiments is not limited to being executed by the network device 10. For example, the present invention can be similarly applied to a case where another computer or server executes the program or a case where these programs cooperate to execute the program.

10 Network equipment 11 Communication unit 12 Storage unit 12a Usage standard DB
12b Usage characteristic DB
12c user standard DB
12d User characteristics DB
DESCRIPTION OF SYMBOLS 15 Control part 16 Capture part 17 Extraction part 18 File processing part 18a File server utilization characteristic calculation part 18b Characteristic comparison part 19 User processing part 19a User characteristic calculation part 19b User characteristic comparison part 20 Warning part

Claims (8)

An extraction unit that extracts a shared connection request and a response to the shared connection request from data transmitted over the network;
Based on the shared connection request and the response extracted by the extraction unit, a calculation unit that calculates a usage characteristic that identifies a situation in which a file server that is a request destination of the shared connection request is used;
A detection unit that detects unauthorized access to the file server according to a comparison between the usage characteristic calculated by the calculation unit and a reference usage characteristic specified in advance by a use of the file server. Network monitoring device. The calculation unit includes the number of connected users connected to the file server, the share name that the file server has accepted the share connection request, the number of times the file server is connected to be shared, and the share name that the file server has The number of shared connection requests sent to a share name that is not shared, the number of shared connection requests received from a user to whom the file server does not have access rights, and the shortest connection time among the connections to which the file server is shared Extract at least one of
The network monitoring apparatus according to claim 1, wherein the detection unit detects unauthorized access to the file server when the information calculated by the calculation unit is different from the reference usage characteristic. The calculation unit includes a rate of increase of the number of connected users connected to the file server every predetermined time, a rate of increase of the number of times that the file server is shared and connected per predetermined time, and a shared name of the file server At least a rate of increase of the number of shared connection requests transmitted to a shared name per predetermined time, and a rate of increase of the number of shared connection requests received from a user without access right by the file server per predetermined time Calculate one,
The network monitoring apparatus according to claim 1, wherein the detection unit detects unauthorized access to the file server when the increase rate calculated by the calculation unit exceeds a threshold value. The calculation unit, for a user who uses the file server, based on the shared connection request requested by the user and the response acquired by the user, the situation where the user has used the file server User characteristics that identify
The detection unit is configured to send the file server to the file server according to a comparison between the user characteristic calculated by the calculation unit and a reference user characteristic that is a method of using the file server of the user specified in advance. The network monitoring apparatus according to claim 1, wherein unauthorized access is detected. The calculation unit includes the address information used by the user, the number of times the user has connected to the file server, the share name from which the user has sent a connection request, and the share name to which the user does not exist. At least one of the number of shared connection requests, the number of shared connection requests transmitted to the file server to which the user has no access right, and the shortest connection time among the connections that the user has connected to the file server Extract
The network monitoring apparatus according to claim 4, wherein the detection unit detects unauthorized access to the file server when the information calculated by the calculation unit is different from the reference user characteristic. The calculation unit is configured to increase the number of connection times that the user has connected to the file server for each predetermined time, increase rate for the predetermined number of times of the shared connection request transmitted to the share name that the user does not exist, Calculating at least one of the rate of increase of the number of shared connection requests transmitted to the file server to which the user has no access right per predetermined time;
The network monitoring apparatus according to claim 4, wherein the detection unit detects unauthorized access to the file server when the increase rate calculated by the calculation unit exceeds a threshold value. A computer extracts a shared connection request and a response to the shared connection request from data transmitted over the network;
Based on the extracted shared connection request and the response, calculate a usage characteristic that identifies a situation in which a file server that is a request destination of the shared connection request is used,
A network monitoring method, comprising: a process of detecting unauthorized access to the file server in accordance with a comparison between the calculated usage characteristic and a reference usage characteristic specified in advance according to a use of the file server. Extracting a shared connection request and a response to the shared connection request from data transmitted over the network to the computer,
Based on the extracted shared connection request and the response, calculate a usage characteristic that identifies a situation in which a file server that is a request destination of the shared connection request is used,
A network monitoring program for executing a process of detecting unauthorized access to the file server in accordance with a comparison between the calculated usage characteristic and a reference usage characteristic specified in advance by the use of the file server.

Images