JP2017156837A - Management program, management method, and management device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To efficiently identify an infection source electronic mail.SOLUTION: A management program causes a computer to perform processes of: associating, for each piece of attachment file information to identify file data attached to a message, the attachment file information with identification information to identify the message and storing them in a storage unit; and deleting, from the storage unit, the attachment file information identified by using safety information stored in the storage unit in response to receiving the safety information indicating the attached file data has no risk from any of transmission destinations of the message.SELECTED DRAWING: Figure 9

Description

  The present invention relates to a management program, a management method, and a management apparatus.

  In recent years, there are many types of malware carrying, and the mechanism has been skillfully changed. Various malware that has entered by e-mail (sometimes simply referred to as “mail”) and the like poses a threat to corporate systems. In addition to detecting the malware itself, it is important to identify the path that the malware entered.

  If the attachment file is infected with malware by using a technology that associates and manages the email body, email header information, etc., with the attached file, the email information such as the email body It may be possible to investigate the route of infection. Also, a technique for detecting an infection of an attached file in advance in a mail server is known.

JP 2005-166039 A International Publication No. 2005/36409 Pamphlet Special table 2014-513834 gazette Special table 2001-500205 gazette

  Malware detection using an attached file of an e-mail can also be performed by a mail server using the above-described technique. However, if the delivery of e-mail is delayed due to the detection of malware, the business or the like will be hindered.

  In particular, in the case of malware that operates at a specific date and time (so-called zero-day attack), it is not practically practical to stop email distribution until a specific date and time. In the first place, there are cases where the specific date and time cannot be known.

  In recent years, the number of electronic mails delivered has been increasing and the number is enormous. On the other hand, the number of e-mails infected with malware causing tremendous damage is only a small number compared to the total number of e-mails to be distributed.

  Therefore, in one aspect, the present invention aims to efficiently identify the original email.

  According to one aspect, for each attached file information for specifying file data attached to a message, the computer stores the specific information for specifying the message in the storage unit in association with each other, and any one of the transmission destinations of the message The attached file information specified by the safety information stored in the storage unit is deleted from the storage unit in response to receiving safety information indicating that there is no danger with respect to the attached file data from A management program for executing the processing is provided.

  In addition, as a means for solving the above problems, a management method and an information processing apparatus can be used.

  It is possible to efficiently identify the original email.

It is a figure for demonstrating the example which identifies the infection source file by the existing method. It is a figure which shows the system block diagram in a present Example. It is a figure which shows the hardware constitutions of a matching management server. It is a flowchart figure for demonstrating an attachment file information storage process (step A of FIG. 2). It is a flowchart figure for demonstrating an attached file extraction monitoring process (step B of FIG. 2). It is a flowchart for demonstrating an infection source mail specific process (step C of FIG. 2). It is a flowchart figure for demonstrating an unnecessary information deletion process (step D of FIG. 2). It is a flowchart for demonstrating infection source mail countermeasure processing (step E of FIG. 2). It is a figure which shows the function structural example of the system in a present Example. It is a figure which shows the example of a data structure of matching information storage DB. It is a figure which shows the data structural example of agent DB. It is a figure which shows the data structural example of malware information. It is a figure which shows the data structural example of mail information storage DB. FIG. 5 is a flowchart for explaining in detail the attached file information storage process (step A) of FIG. 4. FIG. 6 is a flowchart for explaining in detail the attached file retrieval monitoring process (step B) of FIG. 5. FIG. 7 is a flowchart for explaining the infection source mail identification process (step C) in FIG. 6 in detail. FIG. 8 is a flowchart for explaining the unnecessary information deletion process (step D) of FIG. 7 in detail. FIG. 9 is a flowchart for explaining the infection source mail handling process (step E) in FIG. 8 in detail.

Hereinafter, embodiments of the present invention will be described with reference to the drawings. First, existing methods (I), (II), and (III) for identifying an infection source file by malware will be described.
(I) A mail server executes each attached file of an electronic mail in a virtual environment, and as a result, when the presence of malware is not confirmed, the electronic mail is distributed.
(II) In the user terminal, when malware is detected by an endpoint type sensor that detects malware according to storage and execution of a file, quarantine such as quarantine and deletion is executed.
(III) By using a tracking system for files, processes, etc., the source program name and file name are tracked from the detected malware file name to identify the infection source file.

  FIG. 1 is a diagram for explaining an example of specifying an infection source file by an existing method. In FIG. 1, the mail server 300 stores a plurality of electronic mails 3 and the electronic mails 3 are downloaded to the user terminal 500 in response to a download request from the user terminal 500. At this time, the infection source mail 9a infected with the malware 93w may be downloaded.

  The mail server 300 executes the attached file of each e-mail 3 in the virtual environment using the method (I) described above, and confirms the presence of malware. However, in the case of zero-day attack malware, the mail server 300 cannot immediately detect the malware. Moreover, if the existence of zero-day attack malware is assumed, the e-mail 3 cannot be delivered indefinitely.

  Therefore, in operation, when no malware is detected in the verification performed by the mail server 300 in response to reception of the email 3, the email 3 is in a distributable state. Therefore, there is a possibility that the distributable electronic mail 3 includes the infection source mail 9a. The case where the user terminal 500 accesses the mail server 300 and downloads the infection source mail 9a from the electronic mail 3 that can be distributed will be described.

  In the user terminal 500, the user uses the mail software 510 to connect to the mail server 300 and download the infection source mail 9 a as the safe e-mail 3 from the distributable e-mail 3.

  An infection source file 91e, which is an attached file of the downloaded infection source mail 9a, is executed by the user. The infection source file 91e may be a file executed by a corresponding application such as document data, spreadsheet data, presentation data, an image file, or the program execution file itself.

  The infection source file 91e is executed for the first time by the user's operation of the user terminal 500. When the infection source file 91e is executed, another file 92e is further generated, and the file 92e is executed. Then, the file 92e further generates and executes another file (malware 93w).

  In the user terminal 500, the malware 53w is detected by the malware detection unit 513 using an endpoint sensor or the like, and quarantine such as isolation or deletion of the malware 53w is executed. Thereafter, the process name and file of the malware 39w are notified to the administrator. The malware detection unit 513 notifies the generation path tracking unit 515 of the process name, file, and the like of the malware 39w.

  In response to the malware detection notification from the malware detection unit 513, the generation path tracking unit 515 tracks the generation source of the malware 53w detected by the malware detection unit 513. That is, the program file 92e that generated the malware 53w is specified, and the infection source file 91e that generated the program file 92e is specified. The generation path tracking unit 515 further determines that the infection source file 91e has been downloaded by the mail software 510.

  Since the file that generated the infection source file 91e does not exist, the infection source file 91e is identified as the source. In addition, the malware detection unit 513 identifies until the mail software 510 has taken out the malware.

  However, even if the generation path tracking unit 515 can trace the generation source of the malware 53w, it cannot identify the infection source mail 9a from which the infection source file 91e is extracted from the plurality of electronic mails 3. Therefore, it is impossible to know the cause of the infection source file 91e existing in the user terminal 500. Specifically, it is impossible to determine which e-mail 3 is taken out from.

  In the above, the generation path tracking unit 515 may be a part of the function of the malware detection unit 513.

  The malware 93w has been described in the example in which the user terminal 500 is affected by the user terminal 500 from the infection source mail 9a received from the mail server 300. However, from the user terminal 500 of another user via the external storage medium. The malware 93w may be activated by acquiring the received infection source file 91e. In that case, it becomes more difficult to specify the infection source mail 9a that has become the infection source.

  In order to identify the infection source mail 9a as the infection source, it is conceivable to manage the message ID in association with the content of the infection source file 91e. In the case of determination by file name, it becomes difficult to specify if the user changes the file name and retrieves it, or if the file name has no features such as "setup.exe".

  In this embodiment, the message ID can be specified by recording the file name of the email 3 downloaded to the user terminal 500 and the file information of the attached file. By using the message ID, it is possible to deal with the infection source mail 9a held in the mail server 300.

  However, the number of infection source emails 9a is very small compared to the number of emails 3 that can be safely received. Accumulating and storing message IDs for all emails 3 is not preferable from the viewpoint of hardware resources.

  Therefore, in the present embodiment, when a security threat (simply referred to as “threat”) is not detected for the accumulated message ID, information associated with the corresponding email 3 and message ID is deleted. By doing so, the amount of information held and managed to identify the infection source mail 9a is greatly reduced. In the present embodiment, when a result of not detecting a threat is obtained, it is determined to be “safe”.

  FIG. 2 is a diagram showing a system configuration diagram in this embodiment. 2 includes an FW (Fire Wall) 3, an SMTP (Simple Mail Transfer Protocol) server 100, a mail server 300, an association management server 400, a user terminal 500, a threat report management server 600, and the like. Have

  The FW (Fire Wall) 3 is a device that protects a network related to mail distribution from attacks from the Internet 2. The SMTP server 100 is a server that transmits the e-mail 3. The mail server 300 is a server that stores electronic mail 3 to be transmitted and received.

  The association management server 400 is a server that manages by associating the attached file information of the email 3 received by the mail server 300 with the message ID. Upon receipt of the detection notification of the marvel of malware, the infection source mail 9a attached with the infection source file 91e is identified based on the identified malware infection source file 91e, and the infection stored in the mail server 300 is detected. Requests deletion of the source mail 9a.

  The user terminal 500 is a personal computer (PC) such as a stand-alone type, a notebook, or a tablet, and is a terminal used by the user to receive at least the e-mail 3.

  The threat report management server 600 receives a notification that the malware detection unit 513 of the user terminal 500 has detected a threat, and notifies the association management server 400 of the notification. The association management server 400 stores malware information.

  In this embodiment, the threat detection notification is also notified to the mail server 300, and the mail server 300 deletes the infection source mail 9a in which the threat is detected from the electronic mail 3 held. By deleting the infection source mail 9a, it is possible to prevent the infection source mail 9a from spreading due to transfer or the like.

  Further, in this embodiment, the information related to the message ID without threat is deleted by notifying the association management server 400 of the information obtained from the detection result without threat by the malware detection unit 513. Therefore, the amount of information for identifying the infection source mail 9a to which the infection source file 91e is attached by the association management server 400 can be reduced.

  The association management server 400 responsible for information management for specifying the infection source mail 9a to which the infection source file 91e is attached has a hardware configuration as shown in FIG.

  FIG. 3 is a diagram illustrating a hardware configuration of the association management server. In FIG. 3, the association management server 400 is an information processing device controlled by a computer, and includes a CPU (Central Processing Unit) 11, a main storage device 12, an auxiliary storage device 13, an input device 14, and a display. The device 15 has a communication I / F (interface) 17 and a drive device 18, and is connected to the bus B.

  The CPU 11 corresponds to a processor that controls the association management server 400 in accordance with a program stored in the main storage device 12. The main storage device 12 uses a RAM (Random Access Memory), a ROM (Read Only Memory) or the like, and is obtained by a program executed by the CPU 11, data necessary for processing by the CPU 11, and processing by the CPU 11. Store or temporarily store the data.

  The auxiliary storage device 13 uses an HDD (Hard Disk Drive) or the like, and stores data such as programs for executing various processes. A part of the program stored in the auxiliary storage device 13 is loaded into the main storage device 12 and executed by the CPU 11, whereby various processes are realized. The storage unit 130 corresponds to the main storage device 12 and the auxiliary storage device 13.

The input device 14 includes a mouse, a keyboard, and the like, and is used by an administrator to input various information necessary for processing by the association management server 400. The display device 15 displays various information required under the control of the CPU 11. The input device 14 and the display device 15 may be a user interface such as an integrated touch panel. The communication I / F 17 performs communication through a wired or wireless network. Communication by the communication I / F 17 is not limited to wireless or wired.
A program for realizing the processing performed by the association management server 400 is provided to the association management server 400 by the storage medium 19 such as a CD-ROM (Compact Disc Read-Only Memory).

  The drive device 18 performs an interface between the storage medium 19 (for example, a CD-ROM) set in the drive device 18 and the association management server 400.

  In addition, the storage medium 19 stores a program that realizes various processes according to the present embodiment described later, and the program stored in the storage medium 19 is stored in the association management server 400 via the drive device 18. Installed. The installed program can be executed by the association management server 400.

  The storage medium 19 for storing the program is not limited to a CD-ROM, but one or more non-transitory tangible media having a structure that can be read by a computer. If it is. As a computer-readable storage medium, in addition to a CD-ROM, a portable recording medium such as a DVD disk or a USB memory, or a semiconductor memory such as a flash memory may be used.

  Since the SMTP server 100, the mail server 300, the user terminal 500, the threat report management server 600, and the like are computers having the same hardware configuration, description thereof is omitted.

The main processes in the system 1000 of FIG. 2 are as follows.
-Attached file information storage processing (step A)
-Attachment file retrieval monitoring process (step B)
-Infection source mail identification processing (Step C)
-Unnecessary information deletion processing (Step D)
-Infection source mail handling process (Step E)
Each of these processes will be described with reference to a flowchart.

  FIG. 4 is a flowchart for explaining the attached file information storing process (step A in FIG. 2). The attached file information storage process (step A) operates as a computer resident program provided between the SMTP server 100 and the mail server 300 and is executed every time the electronic mail 3 is relayed. Alternatively, it may be incorporated as part of the processing on the receiving side of the mail server 300.

  As shown in FIG. 4, when the relayed electronic mail 3 is received from the SMTP server 100 in the attached file information storage process (step A) (step S11), the attached file is taken out from the received electronic mail 3 (step S12), and attached. After the file information is transmitted to and stored in the association management server 400 (step S13), the e-mail 3 is relayed to the mail server 300 (step S14). The attached file information storage process (step A) ends every time the electronic mail 3 is received.

  In the attached file information storing process (step A), the attached file information is associated with the message ID that identifies the e-mail 3 and accumulated and managed in the association information accumulation DB 460 (FIG. 10) of the association management server 400. The The attached file information is a content obtained by compressing the attached file.

  FIG. 5 is a flowchart for explaining the attached file retrieval monitoring process (step B in FIG. 2). The attached file retrieval monitoring process (step B) is a process that operates as a resident program of the user terminal 500 and monitors file generation by the mail software 510.

  In FIG. 5, the user terminal 500 monitors the generation of a file by extracting the attached file from the electronic mail 3 by the mail software 510 (step S21).

  In the user terminal 500, the file generated by the mail software 510 is read (step S22), and file information indicating the contents of the read file is stored in the storage unit in the user terminal 500 (step S23). The file information is a content obtained by compressing the attached file, and is held in the user terminal 500 together with the downloaded date and time, the storage destination, and the like.

  After the file information is stored, the process returns to the file generation monitoring (step S24), and the same process is repeated for the next generated file.

  FIG. 6 is a flowchart for explaining the infection source mail identification process (step C in FIG. 2). The infection source mail identification process (step C) is a process performed in the user terminal 500 and the association management server 400.

  In FIG. 6, the malware detection unit 513 detects malware 93w to acquire malware information (step S31). In response to the detection of the malware 93w, the generation path tracking unit 515 tracks the source of the file of the malware 93w based on the malware information, and specifies the infection source file 91e (step S32).

  The file information of the infection source file 91e (sometimes referred to as “infection source file information”) is acquired (step S33), and the infection source file information is notified to the association management server 400.

  The association management server 400 matches the notified infection source file information with the file information of the attached file of the e-mail 3 held in its own device (sometimes referred to as “attached file information”) to The original electronic mail 3 is specified (step S34).

  FIG. 7 is a flowchart for explaining the unnecessary information deletion processing (step D in FIG. 2). The unnecessary information deletion process (step D) is performed as a regular background process such as once a day, and the file information determined to have no threat stored in the association management server 400 is deleted. In FIG. 7, the user terminal 500 starts to operate at regular intervals (step S41). The generation path tracking unit 515 tracks the file generated by the mail software 510 (step S42).

  The generated file and the derived file obtained by tracking are matched with the detection result by the malware detection unit 513 (step S43), and if there is no threat in the generated file and the derived file, the correspondence management server 400 is notified. , “No threat” is notified (step S44). Attached file information is notified.

  The association management server notifies the recipient of the email of the attached file that matches the generated file that there is no danger, and deletes the attached file information from the database (step S45). Then, the unnecessary information deletion process ends.

  FIG. 8 is a flowchart for explaining the infection source mail handling process (step E in FIG. 2). The infection source mail handling process (step E) is executed by the association management server 400 every time the infection source mail 9a is specified.

  In FIG. 8, the association management server 400 acquires the message ID of the infection source mail 9a (step S51). Multiple message IDs may be acquired. The association management server 400 acquires information about the e-mail 3 attached with a file that matches the content obtained from the message ID from the mail server 300 (step S52).

  The e-mail 3 attached with a file that matches the content obtained from the message ID is called “target e-mail”, and the information of the e-mail 3 is called “mail information”.

  The association management server 400 requests the mail server 300 to delete the target electronic mail based on the acquired mail information, and alerts the recipient of the target electronic mail (step S54). The receiver may be notified of the alert content by e-mail.

  The association management server 400 determines whether or not all target emails have been processed (step S54). If there is an unprocessed target mail (NO in step S54), the association management server 400 returns to step S52 and repeats the same processing as described above. On the other hand, when there is an unprocessed target mail (YES in step S54), the association management server 400 ends the infection source mail handling process.

  Next, a functional configuration example in the system 1000 will be described. FIG. 9 is a diagram illustrating an example of a functional configuration of the system according to the present embodiment.

  In the description of FIG. 9, the term “electronic mail 3” may be used as a generic term including the infection source mail 9a. In the system 1000 shown in FIG. 9, in the present embodiment, an attached file management unit 330 is provided in the middle path between the SMTP server 100 and the mail server 300.

  The processing in the attached file management unit 330 is realized by a plug-in program, and includes an attached file information acquisition unit 350. The attached file information acquisition unit 350 acquires information (attached file information) of the attached file 2 f attached to the e-mail 3. The attached file management unit 330 transmits the association information 7a including the attachment file information acquired by the attachment file information acquisition unit 350 and the message ID for specifying the e-mail 3 to the association management server 400 for holding.

  The attached file information is, for example, a value obtained by summarizing the contents of the attached file 2f using a hash function. The message ID is, for example, a value given by the mail server used by the sender and is information indicating a part of the sender's mail address.

  The user terminal 500 includes mail software 510, a malware detection unit 513, a generation path tracking unit 515, and an agent 530. The user terminal 500 also has an agent DB 540 in the storage unit.

  The mail software 510 is software that provides various functions including transmission / reception of the electronic mail 3.

  The malware detection unit 513 detects a threat from an operation (behavior) performed by the user on the user terminal 500. When the mail software 510 takes out the attached file 2f from the e-mail 3 and executes it by the user's operation, the malware detection unit 513 monitors the operation of the file generated according to the execution. When the malware 93w is generated, the malware detection unit 513 detects the generation of the malware 93w.

  The detection results are accumulated in the result log 514. As an example of the malware detection unit 513, software called an endpoint type sensor is used. Threat information (malware information) 9m detected by the malware detection unit 513 is collected in the threat report management server 600. Information such as a file name or full path name, a detection result, and the like is accumulated in the result log 514 every time a program file is generated.

  The generation path tracking unit 515 is executed by a function call from the agent 530, refers to the agent DB, tracks the path until the malware 93w is generated, and specifies the infection source file 91e.

  The agent 530 refers to the result log 514 of the malware detection unit 513 and deletes information related to the file indicating “no threat”. The agent 530 further includes an extraction monitoring unit 532 and a file information acquisition unit 534.

  The take-out monitoring unit 532 detects a file written by the mail software 510. The file information acquisition unit 534 creates file information based on the contents of the file detected by the extraction monitoring unit 532, and stores the file name, the created file information, and the like in the agent DB 540.

  The agent DB 540 is a database that stores and manages information related to files written from the mail software 510, and stores at least the file name, file information, and the like of each written file.

  The association management server 400 accumulates and stores the association information 7a obtained from the email 3 received from the attached file management unit 330 of the mail server 300, and accumulates it according to the information received from the user terminal 500. The infection source mail 9a is specified from the association information 7a or the accumulated association information 7a is deleted.

  The association management server 400 includes an association information receiving unit 410, an association information deleting unit 430, a message ID specifying unit 450, and an infection source file specifying unit 470. The association management server 400 stores the association information accumulation DB 460, the malware information DB 490, and the like in the storage unit 130.

  When the association information receiving unit 410 receives the association information 7 a from the attached file management unit 330, the association information receiving unit 410 adds and stores a record in the association information accumulation DB 460.

  When the association information deleting unit 430 receives the safe file information 8a from the user terminal 500, the association information deleting unit 430 deletes the record storing the attached file information that matches the safe file information 8a from the association information accumulation DB 460.

  When receiving the infection source file information 8b from the user terminal 500, the message ID identification unit 450 identifies the message ID from the record storing the attached file information that matches the infection source file information 8b, and uses the identified message ID. The infection source mail 9a held by the mail server 300 is deleted.

  When receiving the malware information 9m from the threat report management server 600, the infection source file specifying unit 470 adds a record to the malware information DB 490 and stores it, and notifies the user terminal 500 of the received malware information 9m. The message ID specifying unit 450 is notified of the infection source file information 8b regarding the specified infection source file 91e.

The overall operation in the functional configuration described above will be described with reference to FIG.
-Reception of electronic mail <1> The SMTP server 100 receives a plurality of electronic mails 3 including the infection source mail 9a.

  <2> The SMTP server 100 relays the email 3 to the mail server 300.

  <3> The attached file management unit 330 takes out the attached file 2f from the e-mail 3 through the route between the SMTP server 100 and the mail server 300, and the attached file information acquisition unit 350 performs file information (attached file information) of the attached file 2f. To get.

  <4> The attached file management unit 330 transmits the association information 7a indicating the attachment file information and the message ID to the association management server 400.

  <5> In the association management server 400, the association information receiving unit 410 adds a record to the association information storage unit 460 and stores the received association information 7a.

  <6> The user terminal 500 receives the email 3 by the mail software 510. The mail software 510 downloads the attached file 2f by the user's operation to extract the attached file 2f or the attached file execution operation.

  <7> The agent 530 monitors the extraction operation of the attached file 2f by the user using the extraction monitoring unit 532, and stores at least the file name and file information of the extracted attachment file 2f in the agent DB 540. The file name and file information are acquired by the file information acquisition unit 534.

  The file information of the first file taken out from the e-mail 3 matches the attachment file information acquired by the attachment file information acquisition unit 350 of the attachment file management unit 330.

  <8> The user executes the attached file 2f.

<9> The malware detection unit 513 monitors the operation of the program related to the executed attached file 2f.
When there is no threat <10> The executed program ends without any problem, and the malware detection unit 513 determines that “no threat”.

  <11> The agent 530 refers to the result log 514 of the malware detection unit 513 and determines that the result of “no threat” is a “safe” file.

  <12> The agent 530 uses the generation path tracking unit 515 to identify the generation source file of the attached file 2f that the malware detection unit 513 determines is “no threat”.

  <13> The agent 530 determines that “no threat”, and stores the information of the generation file of the attached file 2f in the agent DB 540 together with the detection result indicating “safe”.

  <14> The agent 530 transmits the file information determined to be “safe” to the association management server 400 as safe file information 8a at a timing such as once a day, and records the transmitted safe file information 8a. Are deleted from the agent DB 540.

<15> The association management server 400 deletes the attached file information record that matches the secure file information 8a received from the user terminal 500 from the association information accumulation DB 460.
When there is a threat <21> The malware detection unit 513 monitors the operation of the executed program and detects the malware 93w.

  <22> The malware detection unit 513 notifies the threat report management server 600 of malware information (malware information 9m).

  <23> The threat report management server 600 transmits the malware information 9m to the association management server 400.

  <24> The association management server 400 stores the malware information 9m received by adding a record to the malware information DB 490.

  <25> The association management server 400 transmits the malware information 9m received from the malware detection unit 513 to the agent 530 of the user terminal 500, and requests the identification of the infection source file 91e.

  <26> The agent 530 extracts the malware file name from the malware information 9m, and specifies the infection source file 91e using the generation path tracking unit 51.

  <27> The agent 530 acquires the file information of the infection source file 91e from the agent DB 540, and transmits it to the association management server 400 as the infection source file information 8b.

  <28> In the association management server 400, the message ID specifying unit 450 searches the association information storage DB 460 for attached file information that matches the infection source file information 8b, and acquires one or more message IDs from the matched records. To do.

  <29> The message ID specifying unit 450 transmits the acquired message ID to the mail server 300 to request the deletion of the e-mail 3 that is a candidate for the infection source including the infection source mail 9a, and the suspicious electronic Notify the user who downloaded Mail 3 to alert (delete downloaded file, etc.).

  <30> When there are a plurality of message IDs in the attached file information retrieved from the association information storage DB 460, a deletion request and alerting are performed for the emails 3 of all message IDs. In addition to the infection source mail 9a, when an attached file 2f having the same content is attached to another mail with a different file name, a plurality of message IDs may exist. In such a case, by performing deletion request and alerting, it is possible to cope in advance with respect to the suspicious email 3 before the infected attachment 2f is executed.

  Next, various DB and information data configuration examples will be described. FIG. 10 is a diagram illustrating a data configuration example of the association information accumulation DB. In FIG. 10, the association information accumulation DB 460 is a database that accumulates attached file information and stores and manages message IDs in association with each attached file information. Items such as attached file information and a plurality of message IDs are stored in the database. Have.

  In the attached file information item, the attached file information included in the association information 7a is stored. In the item of message ID, the message ID included in the association information 7a is stored. The message ID indicates a part or all of the sender's e-mail address. At least “user name @ domain name” is stored as the message ID.

  When the association information receiving unit 410 receives the association information 7a from the attached file management unit 330, the association information receiving unit 410 searches the association information accumulation DB 460 with the attached file information included in the association information 7a, and associates the matching record with the association record. If the message ID indicated by the information 7a does not exist, the message ID is added.

  If there is no matching record, the association information receiving unit 410 adds a record and stores the attached file information and the message ID of the received association information 7a.

  In the data configuration example of FIG. 10, one message ID “avc @ dimain24” is associated with the attached file information “Fsad #% 321”. Also, one message ID “arw @ dimain24” is associated with the attached file information “eGr6wea% t5 # $”. Further, two message IDs “arw @ dimain24” and “arw @ dimain25” are associated with the attached file information “Fasdr4 $ Y3”. The same applies to other records.

  When the file information of the attachment file 2f of the infection source of the malware 93w is the attachment file information “eGr6wea% t5 # $”, the association management server 400 stores the infection source file information 8b indicating “eGr6wea% t5 # $”. Receive.

  The message ID specifying unit 450 acquires the message ID “arw @ dimain24” from the record of the attached file information “eGr6wea% t5 # $” that matches the received infection source file information 8b. By transmitting the acquired message ID “arw @ dimain24” to the mail server 300, the infection source mail 9a is specified, and the mail server 300 is requested to delete it.

  In addition, the message ID specifying unit 450 notifies the recipient of the specified infection source mail 9a of an alert message by e-mail or the like.

  FIG. 11 is a diagram illustrating a data configuration example of the agent DB. In FIG. 11, an agent DB 540 is a database that stores information related to files generated in time series, and includes items such as generation date and time, file name, file information, and detection result.

  The creation date / time indicates the date / time when the file was created. The generation date and time is not essential and can be omitted. The file name indicates information including at least the generated file name. A full path name may be used as long as it is a directory including a file name indicating a storage location, a URL (Uniform Resource Locator), or the like. The file information is a value obtained by summarizing the file contents generated by the file information acquisition unit 534 using a hash function.

  The detection result indicates the risk determined for the first attached file 2f extracted from the mail software 510 based on the file tracking result based on the result log 514 obtained by the malware detection unit 513.

  As the detection result, one of “unconfirmed”, “danger”, “safety”, and the like is indicated. “Unconfirmed” indicates a state immediately after generation of a file or the like, and it is not possible to determine whether it is “dangerous” or “safe”. “Danger” indicates that the file is infected with malware 93w. “Safe” indicates that the file does not detect a threat.

  “Danger” is set for the first attached file 2f from the mail software 510 that is the generation source of the malware 93w even if the first attached file 2f is “safe”. If the first attached file 2f is determined to be “safe”, and then all of the derived files are “safe”, “safe” is set for the first attached file 2f. .

  In the agent DB 540, the file that has been confirmed to be “safe” is notified of the file name and file information as safe file information 8a to the association management server 400, whereby the correspondence held by the association management server 400 is stored. The amount of information in the attached information storage DB 460 can be reduced.

  In the data configuration example of FIG. 11, in the first record, if the file name “C: \ Programfiles \ Programdata \ temp \ abc.exe” is referred to for the file generated on the generation date “2015/06/01 13:51” The generated file is “abc.exe”, which is stored in the directory “C: \ Programfiles \ Programdata \ temp”. The detection result is “unconfirmed”.

  In the second record, when the file name “D: \ work \ xyz.exe” is referred to for the file generated on the generation date “2015/06/01 13:55”, the generated file “xyz.exe” is generated. “exe”, which is stored in the directory “d”. The detection result is “dangerous”.

  In the third record, when the file name “e: \ app \ qwert.exe” is referred to for the file generated on the generation date “2015/06/01 13:59”, the generated file “qwert.exe” is generated. exe ", which is stored in the directory" e: \ app ". The detection result is “dangerous”. The same applies to other records.

  FIG. 11 also shows the association between the above-described association information accumulation DB 460 and malware information 9m described later. The agent DB 540 and the association information accumulation DB 460 are associated by attached file information, and the agent DB 540 and the malware information 9m are associated by a full path name.

  FIG. 12 is a diagram illustrating a data configuration example of malware information. In FIG. 12, the malware information 9m indicates information on the malware 93w detected by the malware detection unit 513, and includes items such as occurrence date / time, name, file name, risk level, and full path name.

  The occurrence date and time indicates the date and time when the malware 93w occurred. The name indicates the name of the malware 93w. The file name indicates the generated file name. The degree of danger indicates the level of threat given by the malware 93w. “High” indicates that the threat level is high, “medium” indicates that the threat level is medium, and “low” indicates that the threat level is low. The infection source file information is information indicating the full path name with which the malware 93w is confirmed.

  In the data configuration example of FIG. 12, the malware 93w with the name “Aboor” is detected on the occurrence date “XX: XX”, the file name of the detected malware 93w is “xyz.exe”, and the location (ie, The storage location is “D: \ work \ abc2.exe” indicated by the full path name.

  FIG. 13 is a diagram illustrating a data configuration example of the mail information storage DB. In FIG. 13, the mail information storage DB 6 is a database for managing information such as titles in order to improve visibility to the user when calling attention to the user. , Recipient, title, etc.

  The mail information storage DB 6 is not an indispensable database, but by providing the mail information storage DB 6, it is possible to acquire the recipient information without accessing the mail server 300, the delivery log, etc., and promptly call attention. it can.

  The mail server 300, the delivery log, and the like may hold the log of the distributed electronic mail 3, but may be deleted due to a storage period or the like and the recipient information may not be obtained. It is a recommended database in order to sufficiently cope with zero-day attacks.

  The message ID is a message ID managed by the association information accumulation DB 460 and indicates a part or all of the sender's e-mail address. The reception date and time is the date and time when the electronic mail 3 specified by the message ID is received.

  The sender indicates the email address of the sender of the email 3. The recipient indicates the email address of the recipient of the email 3. The title indicates the title set in the e-mail 3.

  In the data configuration example of FIG. 13, the e-mail 3 with the message ID “ark @ dimain24” is received at “2015/06/01 13:51”, and the e-mail address of the sender is “abc@abc.com”. The recipient's e-mail address is “zyx@xyz.jp”, and the title is “Thank you yesterday”. The same applies to other electronic mails 3.

  Each step A, B, C, D, and E of FIG. 2 will be described in detail based on the functional configuration example shown in FIG.

  FIG. 14 is a flowchart for explaining the attached file information storage process (step A) in FIG. 4 in detail. In FIG. 14, the SMTP server 100 starts sending the e-mail 3 (step S111).

  The attached file management unit 330 starts reception processing for the email 3 sent from the SMTP server 100 (step S311), and temporarily stores the received email 3 (step S312).

  The attached file management unit 330 analyzes the e-mail 3 that has been primarily saved, extracts the attached file 2f, and primarily saves it (step S313). The attached file management unit 330 confirms the encoding method from the body header, decodes the confirmed method, and extracts the attached file 2f.

  The attached file management unit 330 creates file information (attached file information) of the extracted attached file 2f (step S314), and sends the association information 7a including at least the attached file information and the message ID to the association management server 400. Is transmitted (step S315). The association information 7a may further include information such as the reception date and time of the email 3, the sender's email address, the recipient's email address, and the title. In this case, the association management server 400 can include a mail information storage DB 6 as shown in FIG.

  Then, the attached file management unit 330 relays the primarily stored e-mail to the mail server 300 (step S316), and ends the process for each received e-mail 3. When the next e-mail 3 is received, the same processing as described above is repeated from step S311.

  On the other hand, when the association management server 400 receives the association information 7a from the attached file management unit 330, the association management server 400 stores it in the association information accumulation DB 460 (step S411).

  FIG. 15 is a flowchart for explaining in detail the attached file retrieval monitoring process (step B) of FIG. In FIG. 15, in the user terminal 500, when the mail software 510 writes out the attached file 2f (step S521), the agent 530 monitors the file system by the take-out monitoring unit 532, and the attached file 2f written out by the mail software 510. Is read (step S521).

  When the attached file 2f is read, the agent 530 creates attached file information that summarizes the attached file 2f by the file information acquisition unit 534, and stores it in the agent DB 540 (step S523). Then, the attached file retrieval monitoring process ends.

  FIG. 16 is a flowchart for explaining the infection source mail identification process (step C) in FIG. 6 in detail. The infection source mail identification process is started by detecting the malware 93w in the user terminal 500.

  16, when the malware detection unit 513 detects the malware 93w in the user terminal 500 (step S531), the malware information 9m is transmitted to the association management server 400 via the threat report management server 600 (step S532). .

  In the association management server 400, the infection source file specifying unit 470 stores the received malware information 9m in the malware information DB 490 (step S431). Then, the infection source file identification unit 470 requests the identification of the infection source file 91e of the malware 93w by transmitting the malware information 9m to the agent 530 of the user terminal 500 (step S432).

  In the user terminal 500, when the malware information 9m is received, the agent 530 notifies the generation path tracking unit 515 of the received malware information 9m, and the generation path tracking unit 515 identifies the infection source file 91e (step S533). . By specifying the infection source file 91e, the full path name of the infection source file 91e is acquired.

  The agent 530 searches the agent DB 540 using the acquired full path name, acquires the attachment file information stored in the record with the matching full path name, and transmits it to the association management server 400 as the infection source file information 8b. (Step S534).

  In the association management server 400, the message ID specifying unit 450 searches the association information storage DB 460 using the received infection source file information 8b, and specifies the message ID (step S433).

  In the association information storage DB 460, one or more message IDs are specified from the attached file information record that matches the received infection source file information 8b. The identified one or more message IDs are stored in the storage unit 130 and used in an infection source mail process (step E) described later.

  FIG. 17 is a flowchart for explaining the unnecessary information deleting process (step D) in FIG. 7 in detail. The unnecessary information deletion process is performed by the user terminal 500 and the association management server 400, and the user terminal 500 periodically specifies the safe file information 8a and holds the association information held in the association management server 400. 7a reduces the amount of information.

  17, the user terminal 500 acquires one file name from the agent DB 540 (step S541), matches the result log 514 by the malware detection unit 513, and determines the detection status (step S542). The determination results of “not detected yet”, “with detected threat”, and “without detected threat” are obtained.

  If it is determined that the detection status is “not detected yet” or “there is a detected threat”, the agent 530 proceeds to step S546.

  When it is determined that the detection status is “no detected threat”, the agent 530 uses the generation path tracking unit 515 to determine whether there is a threat in the derived and generated file (step S543). One of “all threats absent”, “some threats present”, and “partially not detected” is indicated as a determination result.

  If it is determined that “partially threated” or “partially not detected”, the agent 530 proceeds to step S546. On the other hand, when determining that “all threats are absent”, the agent 530 determines that the file having the file name acquired in step S541 is a safe file, acquires the attached file information from the agent DB 540, and then acquires the safe file. The deletion is requested by transmitting the information 8a to the association management server 400 (step S534).

  When the association management server 400 receives the secure file information 8a, the association information deletion unit 430 deletes the record of the attached file information that matches the safe file information 8a from the association information storage DB 460 (step S441). .

  When the mail information storage DB 6 is provided, the message ID can be acquired from the attached file information record that matches the safe file information 8a, and the recipient can be specified from the mail information storage DB 6. If the mail information storage DB 6 is not provided, the message ID may be transmitted to the mail server 300 to acquire the recipient's mail address.

  Therefore, the association information deletion unit 430 may notify the receiver that the attachment is safe (has no danger). Then, after notifying the recipient, the record of the attached file information that matches the safe file information 8a is deleted.

  In the data configuration example of FIG. 10, the record of the attached file information “eGr6wea% t5 # $” is deleted by this process.

  Thereafter, the agent 530 deletes the record of attached file information from the agent DB 540 (step S545).

  When the process for the file name acquired in step S541 ends, the agent DB 540 determines whether there is a next file name (step S546). If the next file name exists (YES in step S546), the agent 530 returns to step S541 and repeats the same processing as described above. On the other hand, if the next file name does not exist (NO in step S546), the unnecessary information deletion process ends.

  FIG. 18 is a flowchart for explaining the infection source mail handling process (step E) in FIG. 8 in detail. The infection source mail handling process is performed by the association management server 400 and the mail server 300, and deletes the infection source mail 9a and alerts the recipient of the infection source mail 9a.

  18, in the association management server 400, the message ID specifying unit 450 acquires one from one or more message IDs stored in the storage unit 130 (step S451). The one or more message IDs stored in the storage unit 130 are message IDs identified based on the infection source file information 8b identified in the infection source mail identification process (FIG. 16).

  The message ID specifying unit 450 acquires information such as the recipient of the infection source mail 9a using the message ID (step S452). Information such as the recipient of the infection source mail 9a may be acquired by inquiring of the mail server with the message ID. If the association management server 400 includes the mail information storage DB 6 (FIG. 13), the mail Information such as the recipient may be acquired by searching the information storage DB 6 using the message ID.

  The message ID specifying unit 450 transmits the message ID acquired in step S451 to the mail server 300, and requests deletion of the infection source mail 9a (step S453).

  When the mail server 300 receives the message ID from the association management server 400, the infection source mail 9 a held in the storage area in the mail server 300 is identified and deleted based on the message ID, and the association management server 400 is notified of the completion of deletion (step S351).

  When the association management server 400 receives the notification of the completion of the deletion of the infection source mail 9a, the message ID specifying unit 450 sends a warning and an email deletion result notification to the recipient of the infection source mail 9a. The electronic mail is requested to be sent (step S454). At least the email address of the recipient of the infection source mail 9a is transmitted to the mail server 300. Along with the e-mail address of the recipient, the contents of the alert and e-mail deletion result notification may be transmitted to the mail server 300.

  When the mail server 300 receives a request specifying at least the recipient's email address from the association management server 400, the email server 300 sends an email to the recipient of the infection source mail 9a and completes the association management server 400. The result is notified (step S352).

  When the association management server 400 receives the completion result from the mail server 300, it determines whether or not the processing has been completed for all message IDs (step S455). If there is an unprocessed message ID (YES in step S455), the message ID specifying unit 450 returns to step S451 and repeats the same processing described above.

  If there are two or more message IDs, it means that the infection source file 91e is attached to a plurality of electronic mails 3. Therefore, the e-mail 3 including the same attached file (in this case, the infection source e-mail 9) is deleted.

  On the other hand, when the process is completed for all message IDs (NO in step S455), the infection source mail handling process is terminated.

  As described above, in the present embodiment, the association management server 400 that manages the attachment file information (attachment file information) of the electronic mail 3 and the message ID that identifies the electronic mail 3 is associated with the user terminal. By adopting a mechanism capable of receiving safe file information 8a from 500, the amount of association information 7a accumulated to identify infection source mail 9a can be reduced.

  The results calculated by the inventors for reducing the amount of information are shown below. First, the amount of information when the message ID of the e-mail 3 having an attached file and the attached file information are stored will be considered.

  Although the maximum length of the character string used for the message ID is not defined by the standard or the like, generally, a length of about 64 bytes to 256 bytes is used. The attached file information is information obtained by summarizing the contents of a file with a hash function or the like and converted into a character string, and is a character string of several tens of bytes.

The inventors calculated the amount of information to be stored when the environment was assumed as follows.
・ Email distribution volume: 200,000 mails per day (in a company with 2000 employees, 100 mails per person)
・ Attached file content rate: 50%
-Number of attached files: average 2 per email-Message ID length: average 128 bytes-File information length: average 80 bytes

Also,
-Total message ID string: 200,000 x 50% x 128 bytes
= 12800000 bytes = about 12MB
・ Total amount of file information: 200,000 copies x 50% x 2 pieces x 80 bytes
= 16000000 bytes = about 16MB
・ Total per day: about 28MB
-Total for 5 years of operation: 28MB x 1825 days
= 51100MB = about 50GB
It became.

In other words, when malware is detected in the user terminal 500 in the state of operation for 5 years, a message ID is searched from about 50 GB and 182.5 million records, which takes a lot of time and CPU cost. Will consume.
・ Assuming a large-scale user exceeding 10,000, it is considered that the amount of information becomes unrealistic and operation becomes difficult.

  However, in the present embodiment, the association management server 400 receives the secure file information 8a determined by the agent of the user terminal 500 using the result log 514 of the malware detection unit 513, thereby storing the association information. An increase in the amount of information stored in the DB 460 can be reduced.

Next, the defense by reinfection in a present Example is demonstrated. In recent years, targeted attacks by e-mail have become more sophisticated, and endpoint sensors have been used to immediately detect malware 93w. In the present embodiment, the malware detection unit 513 of the user terminal 500 corresponds to an endpoint type sensor. A targeted attack is one of cyber attacks aimed at users of a specific company or organization.
The endpoint type sensor can specify the file name of the malware 93w that behaves abnormally on the user terminal 500, but cannot specify the infection source mail 9a. Therefore, it is regarded as a problem that the infection source mail 9a continues to remain in the mail server 300 and becomes a perpetrator due to re-infection or transfer to the outside of the company, leading to a decrease in the trust of the company.

  In the present embodiment, the infection source mail 9a is specified, and the deletion of the infection source mail 9a specified in the mail server 300 and the deletion of the downloaded infection source file 91e can be requested to the user.

  Furthermore, it has the effect of preventing reinfection. If the infection source mail 9a remains in the mail server 300, there is a possibility of re-infection when the user operates the infection source mail 9a again. Further, there is a possibility that the infection spreads by an operation such as forwarding the infection source mail 9a to another user by the user.

  Even in the case of re-infection, the endpoint sensor can detect and report a threat at each user terminal 500. For this reason, it is considered unnecessary to deal with reinfection. However, in the case of a behavioral sensor, detection is performed after the program operates, so that a threat is detected when the computer system is destroyed or modified. For this reason, unlike the conventional signature type detection, if the reinfection occurs, the damage proceeds again. Even in a situation where the malware 93w can be detected by the endpoint sensor, it is important to immediately delete the infection source mail 9a by the mail server 300.

  In this embodiment, since it is possible to request the mail server 300 to delete the infection source mail 9a, the threat against reinfection can be minimized.

  The present invention is not limited to the specifically disclosed embodiments, and can be principally modified and changed without departing from the scope of the claims.

The following additional notes are further disclosed with respect to the embodiment including the above examples.
(Appendix 1)
On the computer,
For each attached file information that specifies file data attached to the message, the specific information that specifies the message is associated and stored in the storage unit,
The attachment specified by the safety information stored in the storage unit in response to receiving safety information indicating that there is no danger with respect to the attached file data from any one of the transmission destinations of the message A management program for executing processing for deleting file information from the storage unit.
(Appendix 2)
In the computer,
Based on the specific information associated with the attached file information specified by the infection information stored in the storage unit in response to receiving the infection information indicating that the file data is infected. The management program according to appendix 1, wherein a message is specified, and a device that holds the message and a transmission destination of the message are requested to execute processing for requesting deletion of the message.
(Appendix 3)
In the computer,
In response to receiving the danger information for notifying the dangerous file data, the process of requesting the notification source to specify the attached file information of the dangerous file data indicated by the danger information is executed.
The management program according to appendix 2, wherein the infection information specifying the attached file information specified in response to the request is received.
(Appendix 4)
In the computer,
Based on the specific information associated with the attached file information specified by the safety information stored in the storage unit in response to receiving the safety information that the file data is not dangerous. Processing for identifying the message, requesting the message destination to delete the message, and deleting the attached file information specified by the safety information stored in the storage unit from the storage unit The management program according to appendix 3, characterized in that:
(Appendix 5)
In the computer,
At least, the processing for storing the specific information for specifying the message and the transmission destination information of the message in association with each other is executed,
The management program according to appendix 2 or 3, wherein the information of the transmission destination associated with the specific information associated with the attached file information identified by the infection information is acquired.
(Appendix 6)
Computer
For each attached file information that specifies file data attached to the message, the specific information that specifies the message is associated and stored in the storage unit,
The attachment specified by the safety information stored in the storage unit in response to receiving safety information indicating that there is no danger with respect to the attached file data from any one of the transmission destinations of the message A management method for performing processing for deleting file information from the storage unit.
(Appendix 7)
For each attached file information that identifies file data attached to a message, an association unit that associates specific information that identifies the message and stores the associated information in a storage unit;
The attachment specified by the safety information stored in the storage unit in response to receiving safety information indicating that there is no danger with respect to the attached file data from any one of the transmission destinations of the message An information processing apparatus comprising: a deletion unit that deletes file information from the storage unit.

2f Attached file 3 E-mail 7a Correspondence information 8a Safe file information 8b Infection source file information 9a Infection source mail 9m Malware information 91e Infection source file 100 SMTP server 300 Mail server 330 Attached file management unit 350 Attached file information acquisition unit 400 Management server 410 association information receiving unit 430 association information deleting unit 450 message ID identifying unit 460 association information accumulating unit 470 infection source file identifying unit 490 malware information DB
500 User terminal 510 Mail software 513 Malware detection unit, 515 Generation path tracking unit 514 Result log 530 Agent 532 Retrieval monitoring unit, 534 File information acquisition unit 540 Agent DB
1000 systems

Claims (6)

On the computer,
For each attached file information that specifies file data attached to the message, the specific information that specifies the message is associated and stored in the storage unit,
The attachment specified by the safety information stored in the storage unit in response to receiving safety information indicating that there is no danger with respect to the attached file data from any one of the transmission destinations of the message A management program for executing processing for deleting file information from the storage unit. In the computer,
Based on the specific information associated with the attached file information specified by the infection information stored in the storage unit in response to receiving the infection information indicating that the file data is infected. The management program according to claim 1, wherein a message is specified, and processing for requesting deletion of the message is executed to an apparatus that holds the message and a transmission destination of the message. In the computer,
In response to receiving the danger information for notifying the dangerous file data, the process of requesting the notification source to specify the attached file information of the dangerous file data indicated by the danger information is executed.
The management program according to claim 2, wherein the infection information specifying the attached file information specified in response to the request is received. In the computer,
Based on the specific information associated with the attached file information specified by the safety information stored in the storage unit in response to receiving the safety information that the file data is not dangerous. Processing for identifying the message, requesting the message destination to delete the message, and deleting the attached file information specified by the safety information stored in the storage unit from the storage unit The management program according to any one of claims 1 to 3, wherein the management program is executed. Computer
For each attached file information that specifies file data attached to the message, the specific information that specifies the message is associated and stored in the storage unit,
The attachment specified by the safety information stored in the storage unit in response to receiving safety information indicating that there is no danger with respect to the attached file data from any one of the transmission destinations of the message A management method for performing processing for deleting file information from the storage unit. For each attached file information that identifies file data attached to a message, an association unit that associates specific information that identifies the message and stores the associated information in a storage unit;
The attachment specified by the safety information stored in the storage unit in response to receiving safety information indicating that there is no danger with respect to the attached file data from any one of the transmission destinations of the message An information processing apparatus comprising: a deletion unit that deletes file information from the storage unit.

Images