JP2017005422A - Detection system, detection method and detection program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a detection system, method, and program capable of suppressing the deterioration in accuracy of attack detection with reduced cost.SOLUTION: A detection system comprises a relay unit, a selection unit, an extraction unit, and a detection unit. The relay unit relays data. The selection unit selects a predetermined connection from among connections through which data relayed by the relay unit passes. The extraction unit extracts data corresponding to the predetermined connection selected by the selection unit from among data relayed by the relay unit. The detection unit analyzes the data extracted by the extraction unit to detect a connection performing illegal communication.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a detection system, a detection method, and a detection program.

  A denial-of-service attack is known that makes it impossible to provide a service by temporarily increasing the amount of traffic to a network device such as a server. For example, DoS attack (Denial-of-Service Attack), DDoS attack (Distributed Denial-of-Service Attack), Slow DoS attack (Slow Denial-of-Service Attack), and the like.

  The Slow DoS attack is a session established between a client and a server. In order to avoid timeout due to no communication, a small-sized packet is exchanged, and the server can be established by continuing the session for a long time. An attack technique that fills up a session. Note that a session is a unit of connection of a TCP connection established when a server and a client exchange packets using TCP (Transmission Control Protocol). The unit from the start to the end of this connection is defined as one session. This means communication corresponding to one series of communication.

Kumar Sourav, Debi Prasad Mishra, “DDos Detection and Defense: Client Termination Approach”, CUBE’12 Proceedings of the CUBE International Information Technology Conference, pp. 749-752, ACM, 2012 P. Phaal, S. Panchen, and N. McKee, “InMon Corporation ’s sFlow: A Method for Monitoring Traffic in Switched and Routed Networks” (RFC 3176), IETF, 2001

  Conventionally, in order to detect an attack on the network as described above, a packet flowing on the network is mirrored and monitored, and an illegal packet is detected.

  However, when all packets on the network are monitored by mirroring, the load is large if executed by a single monitoring device. On the other hand, it is expensive to provide a monitoring device for each website to be monitored. Therefore, it is conceivable to extract only a part of the packet flowing on the network, mirror it, and monitor it. However, in this case, when attack communication is configured by a plurality of packets, only some of the packets may be extracted and monitored. Then, the packet to be monitored includes only a part of the attack information, and the accuracy of attack detection is reduced. Also, techniques using statistical information and the like have been proposed, but there are attacks that cannot be detected depending on statistical information.

  An embodiment of the disclosure has been made in view of the above, and includes a detection system, a detection method, and a detection program capable of suppressing a decrease in accuracy of attack detection while suppressing cost required for attack detection on a network. It aims to be realized.

  The disclosed detection system, detection method, and detection program select a predetermined connection from connections through which data to be relayed passes, and extract and extract data corresponding to the selected predetermined connection from data to be relayed It is characterized by detecting the connection that performs unauthorized communication by analyzing the data.

  The disclosed detection system, detection method, and detection program have the effect of realizing a detection system, a detection method, and a detection program that can suppress a decrease in the accuracy of attack detection while suppressing the cost required for attack detection on the network. Play.

FIG. 1 is a diagram illustrating an example of a configuration of a detection system according to the first embodiment. FIG. 2 is a diagram illustrating an example of a configuration of connection information stored in the relay device according to the first embodiment. FIG. 3 is a diagram illustrating an example of the configuration of the monitoring target connection information stored in the relay device according to the first embodiment. FIG. 4 is a diagram illustrating an example of a configuration of website information stored in the relay device according to the first embodiment. FIG. 5 is a diagram illustrating an example of the configuration of the upper limit value information stored in the relay device according to the first embodiment. FIG. 6 is a flowchart illustrating an example of a processing flow of the detection method according to the first embodiment. FIG. 7 is a flowchart illustrating an example of a monitoring target connection selection process in the detection method according to the first embodiment. FIG. 8 is a diagram illustrating an example of a configuration of a detection system according to Modification 1 of the first embodiment. FIG. 9 is a diagram illustrating an example of a configuration of a detection system according to the second embodiment. FIG. 10 is a flowchart illustrating an example of the flow of the reallocation process for updating the analysis connection frame in the detection method according to the second embodiment. FIG. 11 is a diagram illustrating an example of a configuration of monitoring importance information stored in an analysis device included in the detection system according to the second embodiment. FIG. 12 is a diagram illustrating an example of the configuration of the upper limit information stored in the relay device included in the detection system according to the second embodiment. FIG. 13 is a diagram illustrating an example of a configuration of a detection system according to the third embodiment. FIG. 14 is a flowchart illustrating an example of a flow of monitoring importance calculation processing according to the third embodiment. FIG. 15 is a diagram illustrating an example of a configuration of monitoring importance information stored in an analysis device included in the detection system according to the third embodiment. FIG. 16 is a diagram for explaining a case where connections to be monitored are biased in the detection methods according to the first to third embodiments. FIG. 17 is a diagram for explaining that the bias of connections to be monitored is suppressed in the fourth embodiment. FIG. 18 is a diagram illustrating an example of a configuration of a detection system according to the fourth embodiment. FIG. 19 is a diagram illustrating an example of a configuration of probability information stored in the detection system according to the fourth embodiment. FIG. 20 is a diagram for explaining a modification of the configuration of the detection system according to the first to fourth embodiments. FIG. 21 is a diagram illustrating that the information processing by the detection program according to the disclosed technique is specifically realized using a computer.

(First embodiment)
The detection system, the detection method, and the detection program according to the first embodiment extract and monitor data flowing on the network in connection units. Here, “connection” refers to a communication path established between predetermined devices. The communication path is, for example, a logical communication path. For example, “connection” refers to a logical communication path established between a plurality of devices specified by a predetermined IP address and port number. For example, “connection” refers to a TCP connection.

  The detection system according to the first embodiment selects some of the TCP connections established on the network, for example. Then, the detection system extracts and monitors a packet corresponding to the selected connection. The packet corresponding to the selected connection is, for example, a packet that is transmitted / received using the selected connection among the established TCP connections. For example, a TCP packet including a predetermined destination IP address, destination port number, source IP address, and source port number in the header. For example, similarly, it is a UDP (User Datagram Protocol) packet including a predetermined destination IP address, a source IP address, a destination port number, and a source port number.

[Example of configuration of detection system 1]
FIG. 1 is a diagram illustrating an example of a configuration of a detection system 1 according to the first embodiment. An example of the configuration of the detection system 1 will be described with reference to FIG.

  The detection system 1 includes a relay device 10 and an analysis device 20. The relay device 10 receives and relays a packet flowing on the network. The relay device 10 is connected to hosts (web servers, etc.) 30A to 30D via a network. The relay device 10 is also connected to the analysis device 20 via a network. The relay device 10 relays the received packet to the destination hosts 30A to 30D. Further, when the relay apparatus 10 receives a packet corresponding to a predetermined connection, the relay apparatus 10 mirrors the packet on the analysis apparatus 20. Although FIG. 1 shows four hosts 30A to 30D, the number of hosts that the relay device serves as a packet relay destination is not limited to this.

[Example of Configuration of Relay Device 10]
The relay device 10 includes a storage unit 110, a relay unit 120, a selection unit 130, an extraction unit 140, and an update unit 150.

  The storage unit 110 is, for example, a semiconductor memory element or a storage device. For example, a VRAM (Video Random Access Memory), a RAM (Random Access Memory), a ROM (Read Only Memory), a flash memory, or the like can be used as the semiconductor memory element. As the storage device, a storage device such as a hard disk or an optical disk can be used. Details of the information stored in the storage unit 110 will be described later.

  The relay unit 120 is a communication unit that transmits and receives packets and relays them. When receiving the packet, the relay unit 120 relays the received packet to a destination specified by the header of the packet. The relay unit 120 passes the received packet to the selection unit 130, the extraction unit 140, and the update unit 150.

  The selection unit 130 extracts connection information from the received packet. If the connection information is not stored in the storage unit 110, the selection unit 130 stores the information in the storage unit 110. Further, the selection unit 130 refers to the information stored in the storage unit 110 and determines whether or not to select the extracted connection as a monitoring target connection. The monitoring target connection refers to a connection to be monitored, that is, analyzed by the analysis device 20 in order to detect data used for an attack or the like. When the selection unit 130 determines to select the extracted connection as the monitoring target connection, the selection unit 130 stores information on the connection in the storage unit 110 as monitoring target connection information. Details of the selection process of the monitoring target connection by the selection unit 130 will be described later.

  The extraction unit 140 extracts connection information from the received packet, and determines whether the connection information is stored in the storage unit 110 as monitoring target connection information. When the extraction unit 140 determines that the connection information is stored as the monitoring target connection information, the extraction unit 140 mirrors the packet to the analysis device 20.

  The update unit 150 updates the monitoring target connection information stored in the storage unit 110. For example, when the update unit 150 detects that the established connection has ended, the update unit 150 deletes the information on the connection from the monitoring target connection information stored in the storage unit 110.

  For example, when receiving an FIN packet indicating the end of a TCP connection or an RST packet indicating an interruption or rejection of a TCP connection, the updating unit 150 extracts connection information included in the packet. Then, the update unit 150 deletes the connection information from the monitoring target connection information stored in the storage unit 110.

  When the update unit 150 has not received a packet including connection information stored as monitoring target connection information for a predetermined period (timeout), the monitoring target connection information stored in the storage unit 110 is information about the connection. Delete from.

  In addition, what is necessary is just to comprise the process in the relay part 120, the selection part 130, the extraction part 140, and the update part 150 as what a control part, such as CPU (Central Processing Unit), controls and performs collectively. Further, the processing of each unit can be appropriately integrated and distributed.

[Example of information stored in storage unit 110]
Next, information stored in the storage unit 110 of the relay device 10 will be described. The storage unit 110 includes a connection storage unit 111, a monitoring target connection storage unit 112, a website storage unit 113, and an upper limit value storage unit 114.

  The connection storage unit 111 stores information on a connection established via the relay device 10. In the first embodiment, the connection storage unit 111 stores all information on connections established via the relay device 10.

  Information stored in the connection storage unit 111 is extracted by the selection unit 130. The selection unit 130 extracts connection information included in the received packet. If the connection information is not already stored in the connection storage unit 111, the selection unit 130 stores the connection information in the connection storage unit 111.

  FIG. 2 is a diagram illustrating an example of a configuration of connection information stored in the relay device 10 according to the first embodiment. As shown in FIG. 2, the connection information stored in the connection storage unit 111 includes “connection ID”, “destination IP address”, “destination port number”, “source IP address”, and “source port number”. . The “connection ID” is an identifier for uniquely identifying each connection. The “destination IP address” is an IP address indicating the destination of the packet received by the relay device 10. The “destination port number” is a port number for specifying the destination of the packet received by the relay device 10. The “source IP address” is an IP address indicating the source of the packet received by the relay device 10. The “transmission source port number” is a port number for specifying the transmission source of the packet received by the relay device 10. For example, the selection unit 130 extracts information stored in the connection storage unit 111 based on information stored in the header portion of the packet.

  In FIG. 2, for example, in association with the connection ID “C001”, “destination IP address, 192.168.0.1”, “destination port number, 80”, “source IP address, 221.34.76.54”, “source port number” , 13556 ”is stored. Note that packets belonging to the same connection include upstream packets and downstream packets transmitted and received between the same client and the web server. That is, packets whose destination IP address and source IP address and destination port and source port are reversed belong to the same connection. In the above example, “destination IP address, 192.168.0.1”, “destination port number, 80”, “source IP address, 221.34.76.54”, “source port number, 13556” packets and “destination IP address” , 221.34.76.54 ”,“ destination port number, 13556 ”,“ source IP address, 192.168.0.1 ”, and“ source port number, 80 ”packets are treated as belonging to the same connection.

  The monitoring target connection storage unit 112 stores information on connections to be monitored by the relay device 10. Information stored in the monitoring target connection storage unit 112 is selected by the selection unit 130. The selection unit 130 selects a predetermined connection among the connections stored in the connection storage unit 111 as a monitoring target, and stores the selected connection in the monitoring target connection storage unit 112.

  FIG. 3 is a diagram illustrating an example of the configuration of the monitoring target connection information stored in the relay device 10 according to the first embodiment. The configuration of the monitoring target connection information is the same as the configuration of the connection information shown in FIG. However, the monitoring target connection information further includes a “website ID”. “Website ID” is information for uniquely identifying a destination or transmission source website. In the example of FIG. 3, information of three connections whose “connection ID” is “C010”, “C014”, and “C026” is stored in association with the website specified by “website ID, W001”. ing. The destination IP address “192.158.9.3” and the destination port number “80” of the connection with the connection ID “C010” are the same as the destination IP address and the destination port number of the connection with the connection ID “C014”, respectively. That is, the destination of the packet transmitted via the connection “C010” is the same as the transmission source of the packet transmitted via the connection “C014”. The selection unit 130 refers to the website information stored in the website storage unit 113 described later, and identifies the destination of the packet and the website of the transmission source. Then, a packet having the same website as the destination or transmission source is stored in association with the website. In the example of FIG. 3, the website ID of the website specified by the IP address “192.158.9.3” and the port number “80” is “W001” (see FIG. 4). As described above, the monitoring target connection storage unit 112 stores a connection for each website that is a destination or a transmission source of each connection.

  The website storage unit 113 stores information on a website that is a transmission source or a destination of data that passes through the relay device 10. FIG. 4 is a diagram illustrating an example of a configuration of website information stored in the relay device 10 according to the first embodiment. As shown in FIG. 4, the website storage unit 113 stores “website ID” and “IP address” in association with each other. “Website ID” is an identifier for uniquely identifying a website, and is the same as that shown in FIG. “IP address” is information indicating the IP address of the website for uniquely identifying the website. The “IP address” is, for example, the same as the “destination IP address” and “source IP address” shown in FIGS. In the example of FIG. 4, for example, “IP address, 192.158.9.3” is stored in association with “Website ID, W001”. In the example of FIG. 4, the website is specified by the IP address. However, the present invention is not limited to this, and the website may be specified by a combination of the IP address and the port number.

  The upper limit storage unit 114 stores an upper limit value of connections to be monitored in the relay device 10. Here, the upper limit value is the upper limit number of connections that are simultaneously analyzed by the analysis apparatus 20 in the detection system 1. Since the amount of information that can be analyzed simultaneously by the analysis device 20 is limited, the upper limit value is calculated in advance based on the processing capability of the analysis device 20 and the like. The selection unit 130 selects a monitoring target connection within a predetermined upper limit range.

  In the detection system 1 according to the first embodiment, the selection unit 130 assigns the number of monitoring target connections that can be selected within the range of the upper limit value to each website. For example, assume that the predetermined upper limit is 1000 and the number of websites to be monitored is 100. In this case, for example, if the monitoring target connections are equally allocated to the respective websites, ten connections among the connections having the respective websites as destinations or transmission sources can be set as the monitoring target connections. In the first embodiment, the upper limit value of monitoring target connections that can be analyzed simultaneously as the entire detection system 1 is set as described above, and the number of connections that can be set as monitoring targets corresponding to each website is set. . Hereinafter, the upper limit number of monitored connections allocated to each website is referred to as an analysis connection frame. In the first embodiment, it is assumed that the analysis connection frame is equally allocated to each website. However, the analysis connection frame allocation method is not limited to this.

  The upper limit storage unit 114 stores the analysis connection frame calculated in this way. FIG. 5 is a diagram illustrating an example of the configuration of the upper limit information stored in the relay device 10 according to the first embodiment. As shown in FIG. 5, the upper limit storage unit 114 stores “website ID” and “analysis connection frame” in association with each other. “Website ID” is an identifier for uniquely identifying a website, and “Analysis connection frame” indicates the upper limit number of monitoring target connections allocated in association with each website. In the example of FIG. 5, “analysis connection frame 10” is stored in association with the website of “website ID, W001”. This means that up to 10 connections whose destination or transmission source is the website identified by the website ID “W001” can be monitored.

[Example of Configuration of Analysis Device 20]
Next, referring to FIG. 1 again, an example of the configuration of the analysis apparatus 20 will be described. The analysis device 20 analyzes the packet mirrored by the relay device 10 and detects an illegal packet or connection. The analysis device 20 also notifies the relay device 10 about the detected illegal packet or connection.

  As illustrated in FIG. 1, the analysis device 20 includes a storage unit 210 and a detection unit 220.

  The storage unit 210 is a semiconductor memory element or a storage device, for example, like the storage unit 110. For example, the storage unit 210 temporarily stores the monitoring target packet transmitted from the relay device 10 and stores information on the detected illegal packet or connection. The storage unit 210 includes an unauthorized connection storage unit 211. The unauthorized connection storage unit 211 stores information related to unauthorized communication detected by the analysis device 20.

  The detection unit 220 analyzes the packet mirrored from the relay device 10 and detects unauthorized communication. For example, the detection unit 220 detects a connection in which the communication interval from the client to the website matches a predetermined pattern, and stores it in the unauthorized connection storage unit 211 as an unauthorized connection. In addition, the detection unit 220 notifies the relay apparatus 10 of the detected illegal packet or connection information.

[An example of processing flow of the detection method according to the first embodiment]
FIG. 6 is a flowchart illustrating an example of a processing flow of the detection method according to the first embodiment. As shown in FIG. 6, when the process starts, first, the relay unit 120 of the relay device 10 receives a packet (step S201). The relay unit 120 transmits the received packet to the destination of the packet and passes it to the selection unit 130. The selection unit 130 extracts connection information included in the packet (step S202). The selection unit 130 refers to the information stored in the storage unit 110 and determines whether to select the extracted information as the monitoring target connection information (step S203). When it is determined that the connection information is selected as the monitoring target connection information (Yes in step S203), the selection unit 130 stores the connection information in the monitoring target connection storage unit 112 (step S204). On the other hand, when determining that the connection information is not selected as the monitoring target connection information (No at Step S203), the selection unit 130 returns to Step S201. Next, the extraction unit 140 extracts connection information from the received packet, compares it with information stored in the monitored connection storage unit 112, extracts a packet including the stored connection information, and sends it to the analysis device 20. Mirroring is performed (step S205). The analysis device 20 analyzes the mirrored packet and detects unauthorized communication (step S206). When the analysis device 20 detects unauthorized communication, the analysis device 20 stores information on packets or connections constituting the communication in the unauthorized connection storage unit 211 and notifies the relay device 10 of the information. This completes the detection process according to the first embodiment.

[Selection of connection to be monitored: Processing of the selection unit when receiving a packet]
Next, monitoring target connection selection processing by the selection unit 130 of the relay apparatus 10 will be further described. FIG. 7 is a flowchart illustrating an example of a monitoring target connection selection process according to the first embodiment. Note that the selection processing shown in FIG. 7 generally corresponds to the processing from step S201 to step S204 in FIG.

  As illustrated in FIG. 7, the selection unit 130 receives the packet received by the relay unit 120 (step S701). Then, the selection unit 130 extracts connection information included in the received packet (step S702). The selection unit 130 refers to the connection storage unit 111 and determines whether or not the extracted connection information is stored (step S703). If it is determined that the information is not stored in the connection storage unit 111 (No at Step S703), the selection unit 130 stores the information in the connection storage unit 111 (Step S704), and proceeds to Step S705. On the other hand, when it determines with having memorize | stored in the connection memory | storage part 111 (step S703, affirmation), the selection part 130 progresses to step S705 as it is.

  Then, the selection unit 130 refers to the website storage unit 113 and identifies a website corresponding to the destination or source IP address of the connection extracted from the received packet (step S705). Then, the selection unit 130 refers to the connection information stored in the monitored connection storage unit 112 in association with the identified website, and determines whether or not the connection information of the received packet has been stored (step). S706). When it determines with having memorize | stored (step S706, affirmation), the selection part 130 complete | finishes a selection process. On the other hand, when it determines with having not memorize | stored (step S706, negative), the selection part 130 reads the analysis connection frame corresponding to the identified website with reference to the upper limit value memory | storage part 114 (step S707). Next, the selection unit 130 determines whether or not the number of monitoring target connections stored in association with the identified website is smaller than the read analysis connection frame (step S708). When the number is smaller than the analysis connection frame (Yes in step S708), the selection unit 130 stores the connection information of the received packet in the monitoring target connection storage unit 112 as the monitoring target connection (step S709), and ends the selection process. On the other hand, when it is more than the analysis connection frame (No at Step S708), the selection unit 130 ends the selection process. This completes the monitoring target connection selection process.

[Update timing of connection information stored in storage unit 110]
In the above description, every time a new packet is received, the selection unit 130 checks the connection information stored in the connection storage unit 111 and additionally stores connection information that is not stored. In addition, the selection unit 130 collates with the monitoring target connection information stored in the monitoring target connection storage unit 112 every time a new packet is received. However, the update timing of the information stored in the storage unit 110 is not limited to the above.

  For example, the selection unit 130 may update the stored information only when a newly received packet is a packet constituting a three-way handshake process for establishing a TCP connection. For example, the selection unit 130 may store information on the connection in the connection storage unit 111 at a timing when a packet that is a response message to the connection establishment request is received from among the packets constituting the three-way handshake. In addition, the selection unit 130 may store information on the connection in the connection storage unit 111 at the timing of receiving a packet that is a message indicating connection establishment among the packets configuring the three-way handshake. For example, the information may be updated at the reception timing of the SYN packet.

  Note that in the case of UDP instead of TCP, there is no packet indicating the start of a connection. Therefore, each time a packet is received, the connection information included in the packet may be compared with the information stored in the storage unit 110.

  In addition, when the update unit 150 deletes the monitoring target connection, the selection unit 130 is notified, and the selection unit 130 monitors connections that are stored in the connection storage unit 111 but are not selected as monitoring target connections. It may be added to the connection.

  In addition, the selection unit 130 determines whether or not there is an empty analysis connection frame every predetermined period even if no packet is received. If there is an empty space, the selection unit 130 supplements the monitored connection with the connection stored in the connection storage unit 111. It may be.

  Note that the update timing of the information stored in the monitoring target connection storage unit 112 may not be synchronized with the update timing of the upper limit value storage unit 114. For example, when the number of connections per website stored in the monitoring target connection storage unit 112 is greater than the upper limit number, the selection unit 130 does not add any more connections to be monitored. And it waits until the number of monitoring object connections becomes below an upper limit number by the process of the update part 150. FIG. When the number of connections per website stored in the monitoring target connection storage unit 112 is smaller than the new upper limit number, the selection unit 130 sets the monitoring target connections within the upper limit number at a predetermined update timing. Add it.

  Also, the number of monitoring target connections (analysis connection frame) assigned to each website need not necessarily be assigned equally. For example, an analysis connection frame may be arbitrarily assigned, such as taking a large number of analysis connection frames, for websites in which fraud has been detected in the past or websites for which security measures are not sufficient.

  Further, the upper limit value and the analysis connection frame of the monitoring target connection as the entire detection system 1 may be manually set and input by a user or the like, or the processing capability of the analysis device 20 and the network on which the relay device 10 is arranged. The initial setting may be automatically performed based on the amount of communication.

[Effect of the first embodiment]
The detection system according to the first embodiment includes a relay unit that relays data, a selection unit that selects a predetermined connection among connections through which data relayed by the relay unit passes, and data that is relayed by the relay unit And an extraction unit that extracts data corresponding to the predetermined connection selected by the selection unit, and a detection unit that analyzes the data extracted by the extraction unit and detects a connection that performs unauthorized communication.

  As described above, the detection system according to the first embodiment selects and monitors a packet corresponding to a predetermined connection among packets flowing on the network. For this reason, compared with the case where all the packets which flow on the network are monitored, the load required for monitoring the packets can be reduced. Further, according to the detection system according to the first embodiment, when a connection for attack communication is selected as a monitoring target connection, an attack is performed with the same accuracy as when all packets on the network are monitored. Can be detected. Moreover, attack detection can be realized with a high probability for a technique of executing an attack using a large number of connections, such as a slow DoS attack.

  In addition, the detection system according to the first embodiment further includes a storage unit that stores the predetermined connection selected by the selection unit, and the selection unit points to a predetermined website among the connections stored in the storage unit. A predetermined connection is selected so that the total number of connections to be equal to or less than the first predetermined number. That is, in the detection system according to the first embodiment, the selection unit selects the monitoring target connection corresponding to each website within the range of the analysis connection frame. For this reason, it is possible to detect an attack with high probability when a Slow DoS attack occurs on a monitored website while suppressing the processing load on the analysis apparatus.

  The detection system according to the first embodiment further includes an update unit that updates the connection stored in the storage unit, and the update unit is configured when the connection stored in the storage unit ends or when the relay unit is When data corresponding to the connection is not relayed for a predetermined period, the connection is deleted from the storage unit. For this reason, it is possible to quickly remove a connection that is no longer necessary for monitoring or a connection that is less necessary for monitoring from the monitoring target, efficiently select the monitoring target, and detect an attack.

  The detection system, the detection method, and the detection program according to the first embodiment are particularly effective for detecting an attack that generates a large amount of unauthorized connections, such as a slow DoS attack. In the case of a slow DoS attack, the attacker establishes a large number of unauthorized connections to a specific website and maintains the connections for a long time. This exhausts the simultaneous connection of the website. In such a case, it is possible that most of the connections to which the website is connected become unauthorized sessions by an attacker. In the detection system according to the first embodiment, an analysis connection frame is provided for each website, and a certain number of connections are mirrored. For this reason, if a large number of unauthorized connections have occurred for one website, there is a high possibility that any unauthorized connection will be monitored. In addition, for the connection to be monitored, all corresponding packets are to be analyzed. For this reason, an attack can be detected with high probability.

  In the first embodiment, since all packets corresponding to a predetermined connection are analyzed by mirroring, it is possible to detect the attack pattern when there is an attack pattern peculiar to the predetermined connection. .

(Variation 1 of the first embodiment-Analysis connection frame setting in real time)
In the above description, the upper limit value of the monitoring target connection, that is, the analysis connection frame is set in advance. However, the present invention is not limited to this. For example, the upper limit value of the monitoring target connection may be changed in real time.

  FIG. 8 is a diagram illustrating an example of the configuration of the detection system 1a according to the first modification of the first embodiment. As illustrated in FIG. 8, the relay device 10 a included in the detection system 1 a according to Modification 1 further includes a calculation unit 160. The analysis device 20a included in the detection system 1a according to the first modification further includes a usage rate information collection notification unit 230. Note that the configuration and function of the detection system 1a according to Modification 1 are the same as those of the detection system 1 of the first embodiment unless otherwise specified.

  In the detection system 1a of the first modification, the usage rate information collection notification unit 230 periodically collects information indicating the usage rate of the calculation resource of the analysis device 20a. Then, the usage rate information collection notification unit 230 notifies the calculation unit 160 of the relay device 10a of the collected information. The calculation unit 160 calculates the upper limit number of connections that can be set as the monitoring target connection based on the notified usage rate information and the number of connections stored as the monitoring target connection at that time.

ただし、式（１）中、Ｕは監視対象コネクションの上限値、ｐは計算資源の使用率、ｃはその時点で記憶されている監視対象コネクションの数を示す。 For example, the calculation unit 160 calculates the upper limit number based on the following formula (1).

In Equation (1), U is the upper limit value of the monitoring target connection, p is the usage rate of the computational resource, and c is the number of monitoring target connections stored at that time.

  The calculation unit 160 calculates an analysis connection frame to be allocated to each website based on the upper limit information calculated as described above. Then, the calculation unit 160 updates the numerical value of the analysis connection frame stored in the upper limit value storage unit 114a.

  Note that the calculation unit 160 can use, for example, a CPU usage rate, a memory usage rate, or a combination of both as the calculation resource usage rate.

  As described above, by dynamically setting the analysis connection frame according to the usage status of the resources of the analysis device, it is possible to efficiently detect the attack by effectively using the resources of the analysis device.

(Second Embodiment)
In the first embodiment, a packet corresponding to a specific connection among packets flowing on the network is set as a monitoring target. In the second embodiment, in addition to this, when an unauthorized communication is detected, monitoring of a website corresponding to the unauthorized communication is strengthened. That is, in the detection system according to the second embodiment, the monitoring importance level corresponding to the detection status of unauthorized communication is set for each website to be monitored. Then, the upper limit number of connections to be monitored with the website as the destination or transmission source is changed in accordance with the change in the monitoring importance. That is, the sampling rate of the packet to be monitored is changed according to detection of unauthorized communication. Therefore, it is possible to dynamically adjust the monitoring state of communication (packet, connection) that is highly likely to cause an unauthorized attack.

[Example of Configuration of Detection System 1A According to Second Embodiment]
FIG. 9 is a diagram illustrating an example of a configuration of a detection system 1A according to the second embodiment. As shown in FIG. 9, the configuration of the detection system 1A according to the second embodiment is substantially the same as the configuration of the detection system 1 according to the first embodiment shown in FIG. However, the detection system 1A according to the second embodiment differs from the detection system 1 according to the first embodiment in that it includes a monitoring importance calculation unit 240A and a monitoring importance storage unit 212A. Hereinafter, description of functions and configurations similar to those of the first embodiment will be omitted.

  The relay device 10A included in the detection system 1A according to the second embodiment includes a storage unit 110A, a relay unit 120A, a selection unit 130A, an extraction unit 140A, and an update unit 150A. The storage unit 110A includes a connection storage unit 111A, a monitoring target connection storage unit 112A, a website storage unit 113A, and an upper limit storage unit 114A. The configurations and functions of these units are the same as those of the similar units according to the first embodiment. However, in the relay device 10A, the processing in the updating unit 150A and the configuration of the information stored in the upper limit storage unit 114A are stored in the processing in the updating unit 150 and the upper limit storage unit 114 according to the first embodiment. Different from the information structure.

  The analysis device 20A included in the detection system 1A according to the second embodiment includes a storage unit 210A, a detection unit 220A, and a monitoring importance calculation unit 240A. The storage unit 210A includes an unauthorized connection storage unit 211A and a monitoring importance storage unit 212A. The analysis device 20A according to the second embodiment is different from the analysis device 20 according to the first embodiment in that a monitoring importance calculation unit 240A and a monitoring importance storage unit 212A are provided.

  The relay device 10A monitors a predetermined connection among connections established on the network. For the connection to be monitored, an upper limit value is determined for each website, and the relay device 10A selects the monitoring target within the range of the upper limit value. Then, the relay device 10A receives the packet flowing on the network, extracts the packet corresponding to the connection to be monitored, and mirrors it to the analysis device 20A. The analysis device 20A analyzes the mirrored packet and detects unauthorized communication that constitutes an attack on the website. These points are the same as in the first embodiment. When the analysis device 20A detects unauthorized communication, the analysis device 20A increases the monitoring importance of the website that is the target of the unauthorized communication. For example, when an attack on a website is detected from the received packet, the analysis apparatus 20A increases the monitoring importance stored in association with the website. The monitoring importance level is stored in the monitoring importance level storage unit 212A in association with the website. When the analysis importance level is updated, the analysis apparatus 20A notifies the relay apparatus 10A. The relay device 10A updates the analysis connection frame stored in the upper limit storage unit 114A according to the notified monitoring importance. Then, the selection unit 130A selects a monitoring target connection based on the updated analysis connection frame.

  FIG. 11 is a diagram illustrating an example of a configuration of monitoring importance information stored in the analysis device 20A included in the detection system 1A according to the second embodiment. As shown in FIG. 11, in the monitoring importance level information stored in the monitoring importance level storage unit 212A, “website ID” and “monitoring importance level” are associated with each other. The “website ID” is the same as the “website ID” included in the website information shown in FIG. The “monitoring importance” is a value indicating the importance of communication monitoring for each website. That is, the value indicates the magnitude of the possibility of an attack on the website. For example, if the possibility of an attack on the website is high, the monitoring importance level is set high. If the possibility of an attack on the website is low, the monitoring importance level is set low. In the example of FIG. 11, for example, “monitoring importance 10” is stored in association with “website ID, W001”.

  For example, when communication monitoring by the detection system 1A is started, a monitoring importance level of “5” is given by default to each website whose communication is detected on the network. Then, after the start of the communication monitoring, the monitoring importance calculation unit 240A increases the monitoring importance of the website where the unauthorized communication is detected by “5” for each detection. In addition, after the start of communication monitoring, the monitoring importance level calculation unit 240A decreases the monitoring importance level of a website for which unauthorized communication has not been detected over a predetermined period by “1” every elapse of the predetermined period. As described above, the monitoring importance calculation unit 240A varies the monitoring importance according to the possibility of fraud being detected on each website.

  FIG. 12 is a diagram illustrating an example of the configuration of the upper limit value information stored in the relay device 10A included in the detection system 1A according to the second embodiment. The upper limit information according to the second embodiment illustrated in FIG. 12 is different from the upper limit information according to the first embodiment illustrated in FIG. 5 in that “monitoring importance” is included. As shown in FIG. 12, the upper limit information according to the second embodiment includes “monitoring importance” and “analysis connection frame” in association with “website ID”. “Website ID” and “Analysis connection frame” are the same as those shown in FIGS.

[Example of Flow of Reassignment Processing in Second Embodiment]
FIG. 10 is a flowchart illustrating an example of the flow of the reallocation process for updating the analysis connection frame in the detection method according to the second embodiment. The reallocation process shown in FIG. 10 is executed in parallel with the process shown in FIG. 6, for example. In the second embodiment, the processing in the relay unit 120A, the selection unit 130A, and the extraction unit 140A is the same as that of the relay unit 120, the selection unit 130, and the extraction unit 140 in the first embodiment. The processing of the detection unit 220A is the same as that of the detection unit 220.

  In the upper limit storage unit 114A according to the second embodiment, for example, “monitoring importance 5” is assigned in association with all websites at the start of communication monitoring. In this case, since the monitoring importance of all websites is the same, the analysis connection frame is allocated equally to all websites. For example, if the number of websites is 10 and the upper limit value of connections to be monitored is 100, the analysis connection frame of each website is set to 10.

  It is assumed that communication monitoring is continuously executed and the detection unit 220A of the analysis device 20A detects unauthorized communication. For example, it is assumed that the detection unit 220A detects a packet belonging to unauthorized communication in the connection with the connection ID “C010” destined for the website with the website ID “W001”. Then, the detection unit 220A stores the detected unauthorized connection information in the unauthorized connection storage unit 211A. The monitoring importance calculation unit 240A checks whether or not unauthorized communication has been detected with reference to the unauthorized connection storage unit 211A for each predetermined period. If unauthorized communication is detected, the monitoring importance degree stored in the monitoring importance degree storage unit 212A is increased according to the number of times of detection. For example, the monitoring importance is increased by 5 if the number of detections is 1 and 10 if the number of detections is 2. Moreover, the monitoring importance calculation unit 240A decreases the monitoring importance by 1 if no unauthorized communication is detected.

  The updated monitoring importance level is notified to the relay device 10A. The relay device 10A updates the “monitoring importance” stored in the upper limit storage unit 114A to the notified value. Then, the “analysis connection frame” stored in the upper limit storage unit 114A is updated to a value corresponding to the updated monitoring importance value.

  Referring to FIG. 10, first, monitoring importance level calculation section 240A determines whether a predetermined time has elapsed since the last reallocation process or whether a predetermined time has elapsed since the start of communication monitoring (step S901). If it is determined that the predetermined time has not elapsed (No at Step S901), the monitoring importance calculation unit 240A returns to Step S901 and repeats the determination. On the other hand, if it is determined that the predetermined time has elapsed (Yes in step S901), the monitoring importance calculation unit 240A determines whether or not unauthorized communication is detected within the predetermined time (step S902). If it is determined that unauthorized communication has been detected (Yes in step S902), the monitoring importance calculation unit 240A increases the monitoring importance stored in the monitoring importance storage unit 212A according to the number of detected unauthorized communications. (Step S903). On the other hand, if it is determined that no unauthorized communication is detected (No at step S902), the monitoring importance calculation unit 240A updates the monitoring importance stored in the monitoring importance storage unit 212A by a predetermined number. (Step S904).

  Then, the monitoring importance calculation unit 240A notifies the relay monitoring device 10A of the updated monitoring importance (step S905). In relay apparatus 10A, update unit 150A receives the notification of the updated monitoring importance, and updates the monitoring importance stored in upper limit storage unit 114A. Furthermore, the updating unit 150A calculates and stores an analysis connection frame corresponding to the updated monitoring importance level in association with the website ID (step S906). Thus, the process for updating the analysis connection frame is completed.

  Note that in the second embodiment, a website that has been subjected to an unauthorized attack is identified by analyzing the mirrored packet. However, the present invention is not limited to this, and for example, it may be configured to acquire information on a website under an unauthorized attack from an external security system and increase the monitoring importance score of the website. . Further, the value of the score to be increased may be changed according to the system that detects the unauthorized attack. For example, the system increases the score by 1 for a website subjected to an unauthorized attack notified from the system A, and increases the score by 5 for a website received an unauthorized attack notified from the system B. You may adjust according to reliability.

[Effects of Second Embodiment]
As described above, the detection system according to the second embodiment includes a calculation unit that calculates the monitoring importance of each website, which changes according to the number of times of unauthorized communication detection with each website as a destination or a transmission source. In addition, the storage unit further stores the monitoring importance level of the website and the number of connections that can be stored in the storage unit in association with each website, and the selection unit is configured according to the monitoring importance level. A predetermined connection is selected so as to be less than or equal to the first predetermined number that varies. For this reason, the detection system according to the second embodiment can adjust the number of monitoring target connections assigned to each website according to the number of times of unauthorized communication detection. For this reason, monitoring can be strengthened by increasing the number of connections to be monitored of websites that have many unauthorized communications and high monitoring needs. For websites where no unauthorized communication occurs, the number of monitoring target connections can be reduced to reduce the load on the detection system.

  As described above, in the detection system 1A according to the second embodiment, the same effect as that obtained by increasing the sampling rate of packets transmitted / received by a website in which unauthorized communication has occurred can be obtained. Further, it is possible to increase the number of connections to be monitored for websites where unauthorized communication occurs while suppressing the load on the analysis device 20A related to communication monitoring. For this reason, in the detection system 1A according to the second embodiment, when one website is under attack from a plurality of IP addresses, it is possible to efficiently detect a plurality of attack source IP addresses. .

(Third embodiment)
In the second embodiment, the monitoring importance is set in association with the website, and the monitoring importance is changed according to the presence or absence of unauthorized communication. Then, by changing the analysis connection frame according to the monitoring importance, the monitoring is strengthened according to the presence or absence of unauthorized communication on the network. In the third embodiment, the monitoring importance is set in association with the connection, instead of setting the monitoring importance in association with the website. In the third embodiment, connections that are less necessary to be monitored are deleted from the monitoring target connections based on the monitoring importance.

[Example of Configuration of Detection System 1B according to Third Embodiment]
FIG. 13 is a diagram illustrating an example of a configuration of a detection system 1B according to the third embodiment. The configuration of the detection system 1B shown in FIG. 13 is the same as the configuration of the detection system 1A according to the second embodiment shown in FIG. However, in the third embodiment, the processing in the monitoring importance calculation unit 240B and the configuration of information stored in the monitoring importance storage unit 212B are the same as the processing in the monitoring importance calculation unit 240A of the second embodiment. The configuration of information stored in the monitoring importance storage unit 212A is different. Hereinafter, descriptions of functions and configurations similar to those of the first and second embodiments are omitted.

  The relay device 10B included in the detection system 1B according to the third embodiment includes a storage unit 110B, a relay unit 120B, a selection unit 130B, an extraction unit 140B, and an update unit 150B. The storage unit 110B includes a connection storage unit 111B, a monitoring target connection storage unit 112B, a website storage unit 113B, and an upper limit value storage unit 114B. The configurations and functions of these parts are the same as those of the similar parts according to the second embodiment.

  The analysis device 20B included in the detection system 1B according to the third embodiment includes a storage unit 210B, a detection unit 220B, and a monitoring importance calculation unit 240B. The storage unit 210B includes an unauthorized connection storage unit 211B and a monitoring importance storage unit 212B.

[Information stored in the detection system 1B according to the third embodiment]
FIG. 15 is a diagram illustrating an example of a configuration of monitoring importance information stored in the analysis device 20B included in the detection system 1B according to the third embodiment. The information shown in FIG. 15 is stored in the monitoring importance storage unit 212B. The monitoring importance level information includes “score” and “monitoring importance level” in association with “connection ID”. The “connection ID” is the same as the “connection ID” shown in FIG. 2, for example. The “score” is an evaluation value for evaluating the number of detections of a communication pattern suspected of unauthorized communication detected corresponding to each connection. “Monitoring importance” is a value indicating the importance of monitoring communication in each connection. That is, the “monitoring importance” is a value that evaluates the possibility of unauthorized communication occurring in the connection. The monitoring importance in the third embodiment is calculated by a method different from the monitoring importance in the second embodiment.

  The monitoring importance calculation unit 240B according to the third embodiment scores each connection according to the number of detected communication patterns suspected of unauthorized communication detected by the detection unit 220B. Then, the monitoring importance calculation unit 240B calculates the monitoring importance according to the score of each connection. The score and the monitoring importance calculated by the monitoring importance calculation unit 240B are stored in the monitoring importance storage unit 212B. The monitoring importance calculation unit 240B notifies the relay device 10B of connections whose score exceeds the first threshold value as unauthorized connections. Further, the monitoring importance calculation unit 240B calculates the monitoring importance according to the score. Then, when the calculated monitoring importance level is below the second threshold, the monitoring importance level calculation unit 240B notifies the relay apparatus 10B of the connection of the monitoring importance level. The relay device 10B deletes the notified connection from the monitoring target connection.

[Monitoring importance calculation processing in the third embodiment]
FIG. 14 is a flowchart illustrating an example of a flow of monitoring importance calculation processing according to the third embodiment. The monitoring importance calculation unit 240B determines whether or not a predetermined time has elapsed since the start of communication monitoring or from the previous monitoring importance calculation processing (step S1301). When it is determined that the predetermined time has not elapsed (No at Step S1301), the monitoring importance degree calculation unit 240B repeats Step S1301. When it is determined that the predetermined time has elapsed (Yes at Step S1301), the monitoring importance calculation unit 240B determines whether or not unauthorized communication is detected within a predetermined time for each monitoring target connection (Step S1302). . If it is determined that unauthorized communication has been detected (Yes at step S1302), the monitoring importance calculation unit 240B sets the score stored in association with the connection ID of the connection to the number of times unauthorized communication has been detected. The number is increased accordingly (step S1303). For example, the monitoring importance calculation unit 240B increases the score by 2 × 1 = 2 if unauthorized communication has occurred twice. On the other hand, if it is determined that no unauthorized communication has been detected (No at step S1302), the monitoring importance calculation unit 240B decreases the score stored in association with the connection ID of the corresponding connection by a predetermined value. (Step S1304). For example, the monitoring importance calculation unit 240B decreases the score by one.

  Then, the monitoring importance calculation unit 240B determines whether or not the score after being updated by decreasing or increasing is larger than a predetermined threshold (Th1) (step S1305). When it is determined that the score is equal to or less than the predetermined threshold (Th1) (No at Step S1305), the monitoring importance calculation unit 240B calculates the monitoring importance based on the score (Step S1306). The monitoring importance is, for example, a value (s / t) obtained by dividing the score s at that time by the elapsed time t (seconds) from the communication monitoring start time.

  Here, the value obtained by dividing the score by the elapsed time t from the start of communication start is that the monitoring importance of the website does not change with the passage of time, but the importance of the connection decreases with the passage of time. Because there is. This is because a connection whose score has increased in a short time is more likely to be an unauthorized connection than a connection whose score has increased over a long period of time. If it is assumed that the importance level of the connection does not decrease much over time, the score s may be used as the monitoring importance level without removing the score s with the elapsed time.

  In addition, when the value divided by t is set as the monitoring importance, the above-described processing for reducing the score may not be performed. Further, if the process of decreasing the score is performed at regular time intervals, the monitoring importance does not have to be a value divided by t.

  The monitoring importance calculation unit 240B stores the calculated monitoring importance in the monitoring importance storage unit 212B. Then, the monitoring importance calculation unit 240B determines whether or not the calculated monitoring importance is smaller than a predetermined threshold (Th2) (step S1307). When the monitoring importance calculation unit 240B determines that the monitoring importance is equal to or greater than the predetermined threshold (Th2) (No in step S1307), the process returns to step S1301. On the other hand, when it is determined that the monitoring importance level is smaller than the predetermined threshold (Th2) (Yes in step S1307), the monitoring importance level calculation unit 240B notifies the relay apparatus 10B accordingly (step S1308). The update unit 150B of the relay device 10B that has received the notification deletes the connection corresponding to the notified monitoring importance from the monitoring target connection stored in the monitoring target connection storage unit 112B (step S1309).

  Returning to step S1305, when the monitoring importance calculation unit 240B determines that the score is greater than the predetermined threshold (Th1) (Yes in step S1305), the connection associated with the score is detected as an unauthorized connection ( Step S1310). Then, the monitoring importance calculation unit 240B notifies the relay device 10B of the detected unauthorized connection (step S1311). In the relay device 10B, the relay unit 120B that has received the notification blocks communication via the notified unauthorized connection (step S1312). As a result, the monitoring importance degree calculation process ends.

  In the example of FIG. 14, when the monitoring importance level falls below a predetermined threshold, the connection is immediately deleted from the monitoring target connection. However, the present invention is not limited to this. Information on the connection is temporarily stored, and when the number of selected connections to be monitored reaches the analysis connection frame, a connection whose monitoring importance is below a predetermined threshold is selected. You may comprise so that it may delete.

  Also, the timing at which the analysis device 20B notifies the monitoring device 10B of the monitoring importance is not particularly limited. For example, the analysis device 20B may notify the relay device 10B every predetermined period regardless of whether or not the monitoring importance level is updated. Moreover, you may make it notify to the relay apparatus 10B from the analysis apparatus 20B whenever there exists a fluctuation | variation in a score.

  In the example of FIG. 14, the analysis device 20B executes the calculation process every predetermined time. However, the present invention is not limited to this, and the score and the monitoring importance level are calculated each time an unauthorized communication is detected. It may be.

[Effect of the third embodiment]
As described above, the detection system according to the third embodiment further includes a calculation unit that calculates the monitoring importance of each connection, which changes according to the number of detections of the communication pattern in which unauthorized communication corresponding to each connection is suspected. The storage unit further stores the monitoring importance level of the connection in association with each connection, and the update unit deletes the connection whose monitoring importance level is below a predetermined threshold from the storage unit. For this reason, a connection in which unauthorized communication is not detected over a predetermined period can be deleted from the monitoring target connection and another connection can be set as a monitoring target, thereby realizing efficient communication monitoring.

(Fourth embodiment)
In the first to third embodiments, the method for selecting the monitoring target connection is not particularly limited, and the monitoring target connection can be added within the range of the analysis connection frame. That is, in the first to third embodiments, every time a detection system detects a new connection, if there is a margin in the analysis connection frame, the detection system adds it to the monitoring target connection. However, for example, when the detected connections are set as monitoring targets in the order in which they are detected, there may be a case where an attack cannot be detected efficiently.

  FIG. 16 is a diagram for explaining a case where connections to be monitored are biased in the detection methods according to the first to third embodiments. In FIG. 16, it is assumed that 1000 connections of connections C1 to C1000 are detected in order in the relay device in correspondence with a predetermined website. In this case, it is assumed that the analysis connection frame set corresponding to the website is “5”. Then, the relay device sets the connections C1, C2, C3, C4, and C5 as monitoring target connections in the detected order. In this case, it is assumed that an attack has occurred in the connections C111 to C200. Since the connections C111 to C200 are not monitored, the detection system cannot detect an attack.

  On the other hand, it is conceivable to select the monitoring target connection so that the monitoring target connection is not biased to a part of connections that are sequentially detected. For example, when the relay apparatus detects a new connection, the probability that the connection is to be monitored can be set in advance. For example, when the relay device detects a new connection, if there is an empty analysis connection frame, the connection is set as a monitoring target connection with a probability of 20%. In this way, the connection to be monitored is not partially biased, and an illegal connection can be detected efficiently.

  FIG. 17 is a diagram for explaining that the bias of connections to be monitored is suppressed in the fourth embodiment. In the example of FIG. 17, the connection that is the connection to be monitored is indicated by a double frame. That is, in the example of FIG. 17, the monitoring target connections are connections C56, C180, C360, C780, and C950. Thus, by selecting the monitoring target connection without any bias, the detection rate of unauthorized connections can be increased. For example, it is assumed that an attack has occurred in the connections C111 to C200. Even in this case, since at least the connection C180 is a monitoring target connection, unauthorized communication can be detected. Then, if the configuration as in the second embodiment in which an analysis connection frame of a website corresponding to unauthorized communication is detected when an unauthorized activity is detected, C180 in C111 to C200 is detected according to the detected unauthorized communication. Other connections can also be monitored.

  FIG. 18 is a diagram illustrating an example of a configuration of a detection system 1C according to the fourth embodiment. A detection system 1 </ b> C according to the fourth embodiment has substantially the same configuration as the detection system 1 according to the first embodiment. However, the detection system 1C does not include a connection storage unit and an upper limit storage unit. Instead, the detection system 1C is different from the detection system 1 according to the first embodiment in that it includes a probability storage unit 114C.

  A detection system 1C according to the fourth embodiment includes a relay device 10C and an analysis device 20C. The relay device 10C includes a storage unit 110C, a relay unit 120C, a selection unit 130C, an extraction unit 140C, and an update unit 150C. The storage unit 110C includes a monitoring target connection storage unit 112C, a website storage unit 113C, and a probability storage unit 114C. The analysis device 20C includes a storage unit 210C and a detection unit 220C, and the storage unit 210C includes an unauthorized connection storage unit 211C. The processes of the relay unit 120C, the extraction unit 140C, and the update unit 150C are the same as those of the relay unit 120, the extraction unit 140, and the update unit 150 according to the first embodiment. The processing of each part of the analysis device 20C is the same as that of the analysis device 20 according to the first embodiment.

  In the detection system 1C according to the fourth embodiment, the selection unit 130C extracts connection information when receiving a newly received packet from the relay unit 120C. Then, when the connection information is not stored in the monitoring target connection storage unit 112C, the selection unit 130C selects the connection information with the probability stored in the probability storage unit 114C.

  FIG. 19 is a diagram illustrating an example of a configuration of probability information stored in the detection system 1C according to the fourth embodiment. As illustrated in FIG. 19, the probability storage unit 114 </ b> C stores “selection probability” in association with “website ID”. The “selection probability” is a probability of newly selecting a connection whose destination or source is the corresponding website as a monitoring target connection. The selection unit 130C selects a connection to be monitored based on the probability stored in the probability storage unit 114C.

  In such a configuration, it is possible to execute a process for determining whether or not to select a connection to be monitored simultaneously with reception of a packet including new connection information, and information on connections other than the connection to be monitored need not be stored. For this reason, there is no need to provide a connection storage unit. If the selection probability is uniformly set for all websites, the probability storage unit 114C may not be provided.

  The selection probability may not be fixed, and may be set dynamically according to the load of the detection system 1C. For example, when the monitoring importance is set for each website as in the second embodiment, the selection probability may be set for each website corresponding to the monitoring importance.

  Note that the timing for selecting the monitoring target connection may be the time when the three-way handshake is completed or the time when a SYN packet is received, as in the first embodiment. Further, the fourth embodiment may be combined with the first to third embodiments, and the monitoring target connection may be selected using the selection probability, and may be selected within the analysis connection frame.

[Effect of the fourth embodiment]
In the detection system according to the fourth embodiment, the selection unit selects a predetermined connection with a predetermined probability from connections through which data relayed by the relay unit passes. For this reason, the detected connections can be selected without bias, and the detection rate of unauthorized connections can be improved.

  Further, when the detection system is configured as in the fourth embodiment, each time a new connection is detected from the received packet, it may be selected as a monitoring target connection with a predetermined probability. For this reason, it is not necessary to accumulate information about each connection. Therefore, it is not necessary to provide a connection storage unit. For this reason, the usage-amount of a memory | storage part can be reduced.

(Modification)
In the first to fourth embodiments, the detection system includes the relay device and the analysis device, and the analysis device analyzes the packet mirrored by the relay device. However, the division of functions between the relay device and the analysis device and packet processing are not limited to this, and may be arbitrarily changed. FIG. 20 is a diagram for explaining a modification of the configuration of the detection system according to the first to fourth embodiments.

  As shown in (1) of FIG. 20, the relay device and the analysis device can be provided separately. Of the packets passing through the relay device, the packet corresponding to the monitored connection, that is, only the packets belonging to some connections are mirrored by the relay device to the analysis device, and the remaining packets are directly relayed. Can be relayed to the original destination. A packet that is not subject to mirroring is directly relayed to the original destination by the relay device. In this case, it becomes like the first to third embodiments described above.

  Next, as shown in (2) of FIG. 20, the relay apparatus may be configured to forward the packet instead of mirroring the packet corresponding to the monitoring target connection to the analysis apparatus. Then, the packet may be transmitted to the original destination after extracting the information of the packet to be analyzed on the analysis device side.

  Further, as shown in (3) of FIG. 20, the relay device and the analysis device may be configured as an integrated device. And you may comprise so that the packet corresponding to a monitoring object connection may be extracted and analyzed within an apparatus.

  In the above embodiment, the relay apparatus includes a selection unit that selects a connection to be monitored, a storage unit that stores the connection, and the like. The present invention is not limited to this, and a network controller that collectively controls a plurality of relay devices may be provided to perform processing such as selection of a monitoring target connection.

(program)
FIG. 21 is a diagram illustrating that information processing by the detection program according to the disclosed technique is specifically realized using a computer. As illustrated in FIG. 21, the computer 1000 includes, for example, a memory 1010, a CPU (Central Processing Unit) 1020, a hard disk drive 1080, and a network interface 1070. Each part of the computer 1000 is connected by a bus 1100.

  The memory 1010 includes a ROM 1011 and a RAM 1012 as illustrated in FIG. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System).

  Here, as illustrated in FIG. 21, the hard disk drive 1080 stores, for example, an OS 1081, an application program 1082, a program module 1083, and program data 1084. That is, the detection program according to the disclosed embodiment is stored in, for example, the hard disk drive 1080 as the program module 1083 in which an instruction to be executed by the computer is described.

  Data used for information processing by the detection program is stored as program data 1084 in, for example, the hard disk drive 1080. Then, the CPU 1020 reads the program module 1083 and program data 1084 stored in the hard disk drive 1080 to the RAM 1012 as necessary, and executes various procedures.

  The program module 1083 and the program data 1084 related to the detection program are not limited to being stored in the hard disk drive 1080. For example, the program module 1083 and the program data 1084 may be stored in a removable storage medium. In this case, the CPU 1020 reads data via a removable storage medium such as a disk drive. Similarly, the program module 1083 and the program data 1084 related to the detection program may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). . In this case, the CPU 1020 reads various data by accessing another computer via the network interface 1070.

(Other)
The detection program described in this embodiment can be distributed via a network such as the Internet. The detection program can also be executed by being recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, and a DVD, and being read from the recording medium by the computer.

  Of the processes described in this embodiment, all or part of the processes described as being performed automatically can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

  The above embodiments and modifications thereof are included in the invention disclosed in the claims and equivalents thereof as well as included in the technology disclosed in the present application.

1, 1A, 1B, 1C detection system 10, 10A, 10B, 10C relay device 110, 110A, 110B, 110C storage unit 111, 111A, 111B connection storage unit 112, 112A, 112B, 112C monitoring target connection storage unit 113, 113A , 113B, 113C Website storage unit 114, 114a, 114A, 114B Upper limit storage unit 114C Probability storage unit 120 Relay unit 130 Selection unit 140 Extraction unit 150 Update unit 20, 20A, 20B, 20C Analysis device 210 Storage unit 220 Detection unit 230 Usage rate information collection / notification unit 240A, 240B Monitoring importance calculation unit 30A-30D Host

Claims (8)

A relay unit that relays data;
Among the connections through which the data relayed by the relay unit passes, a selection unit that selects a predetermined connection;
An extraction unit that extracts data corresponding to a predetermined connection selected by the selection unit from among data relayed by the relay unit;
A detection unit for analyzing the data extracted by the extraction unit and detecting a connection for performing unauthorized communication;
A detection system comprising: A storage unit for storing the predetermined connection selected by the selection unit;
The selection unit selects the predetermined connection among the connections stored in the storage unit such that a total number of connections having a predetermined website as one end point is equal to or less than a first predetermined number. The detection system according to claim 1.   The update unit further updates the connection stored in the storage unit, and the update unit stores data corresponding to the connection when the connection stored in the storage unit ends or when the relay unit stores data corresponding to the connection. The detection system according to claim 2, wherein the connection is deleted from the storage unit when relaying is not performed for a period.   The detection system according to claim 1, wherein the selection unit selects a predetermined connection with a predetermined probability from connections through which data relayed by the relay unit passes. A calculation unit that calculates the monitoring importance of each website, which changes according to the number of times of unauthorized communication detected with each website as a destination or transmission source;
The storage unit further stores the monitoring importance of the website and the number of connections that can be stored in the storage unit in association with each website,
5. The detection according to claim 2, wherein the selection unit selects the predetermined connection to be equal to or less than the first predetermined number that varies according to the monitoring importance. system. It further includes a calculation unit that calculates the monitoring importance of each connection, which changes according to the number of detected communication patterns suspected of unauthorized communication corresponding to each connection,
The storage unit further stores the monitoring importance of the connection in association with each connection,
5. The detection system according to claim 3, wherein the update unit deletes, from the storage unit, a connection having the monitoring importance level lower than a predetermined threshold value. A relay process for relaying data;
A selection step of selecting a predetermined connection among connections through which data to be relayed in the relay step passes;
Of the data relayed in the relay step, an extraction step of extracting data corresponding to the predetermined connection selected in the selection step;
A detection step of analyzing the data extracted in the extraction step and detecting a connection for performing unauthorized communication;
The detection method characterized by including. A relay procedure to relay data;
A selection procedure for selecting a predetermined connection among connections through which data to be relayed in the relay procedure passes;
An extraction procedure for extracting data corresponding to a predetermined connection selected in the selection procedure, among data relayed in the relay procedure;
A detection procedure for analyzing the data extracted in the extraction procedure and detecting a connection for performing unauthorized communication;
A detection program for causing a computer to execute.

Images