JP2017182520A - Control device, control method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a control device, a control method, and a program that can optimize a list used for filtering electronic mail and websites in a countermeasure against cyber attacks.SOLUTION: A control device includes: a collection unit for collecting communication history information from a plurality of terminals; a storage unit for storing a first list registering particular communication definition information indicating a particular communication object; and a creation unit for creating a first list for one terminal and registering one or more pieces of particular communication definition information on the basis of particular communication definition information according with communication history information on the one terminal and particular communication definition information according with communication history information on another terminal.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a control device, a control method, and a program.

  There are a black list method and a white list method for filtering e-mails and websites against cyber attacks. In the blacklist method, a blacklist of a person who sent a large amount of spam mail or a harmful website is created, and a communication carrier blocks communication with the listed person or site. In the white list method, a list of persons and sites whose safety has been confirmed is created, and a communication carrier blocks communication with those other than those listed and sites. Various proposals for filtering by the blacklist method and the whitelist method have been made.

  Patent Document 1 discloses an access control apparatus that collects a communication log of a management target network and creates a new black list based on public black list information and the collected communication log. In the access control device of Patent Document 1, a black list with high access frequency is narrowed down according to the state of the communication log.

JP 2014-93027 A

  However, since the access control device of Patent Document 1 creates a black list based on the communication log of the management target network, attacks that the management target network has not received in the past are not registered in the black list. For this reason, the access control device disclosed in Patent Document 1 has a problem in that it cannot respond to attacks that have not been received in the past using a blacklist.

  Further, when the technique disclosed in Patent Document 1 is applied to the creation of a white list, objects that have not been accessed in the past are not registered in the white list. Therefore, there is a problem that it is impossible to access a target that has not been accessed in the past using the white list.

  The objective of this invention is providing the control apparatus, control method, and program which solve the above-mentioned subject.

  The control device of the present invention includes a collection unit that collects communication history information from a plurality of terminals, a storage unit that stores a first list in which specific communication definition information indicating a specific communication target is registered, For one terminal in which one or more specific communication definition information is registered based on specific communication definition information that matches the communication history information of the terminal and specific communication definition information that matches the communication history information of another terminal A creation unit for creating a first list.

  The control method of the present invention includes a collection step of collecting communication history information from a plurality of terminals, a storage step of storing a first list in which specific communication definition information indicating a specific communication target is registered, For one terminal in which one or more specific communication definition information is registered based on specific communication definition information that matches the communication history information of the terminal and specific communication definition information that matches the communication history information of another terminal Creating a first list.

  The program according to the present invention includes a collection process for collecting communication history information from a plurality of terminals in a computer, a storage process for storing a first list in which specific communication definition information indicating a specific communication target is registered, One terminal in which one or more specific communication definition information is registered based on specific communication definition information that matches the communication history information of one terminal and specific communication definition information that matches the communication history information of another terminal And a creation process for creating a first list.

  According to the present invention, it is possible to optimize a list used for filtering e-mails and websites in countermeasures against cyber attacks.

It is a figure which shows the structure of the control apparatus 100 concerning 1st Embodiment. 2 is a diagram illustrating a hardware configuration of a control device 100. FIG. It is a figure explaining operation | movement of the control apparatus. It is a figure which shows the whole structure of the system 2000 containing the access control apparatus 21 concerning 2nd Embodiment. It is a figure which shows an example of the information stored in the log information database. It is a figure which shows an example of the information stored in the unauthorized communication information database. It is a figure which shows an example of a weighting parameter corresponding table. It is a figure which shows an example of the management object terminal information at the time of registering the group to which each terminal belongs. 4 is a flowchart illustrating an operation of the access control device 21. 4 is a flowchart illustrating an operation of the access control device 21. 4 is a flowchart illustrating an operation of the access control device 21. 4 is a flowchart illustrating an operation of the access control device 21. It is a figure which shows an example of the log information obtained when the process of step S11 thru | or 13 is performed. It is a figure which shows an example of the unauthorized communication log after associating a score in step S33. It is a figure which shows the result of having calculated own weight and other weight. It is a figure which shows an example of the table which shows weight information. It is a figure which shows an example of the information stored in the black list database 23 when the process of step S37 is performed. It is the figure which put together the reference | standard used when correcting a weighting parameter.

[First Embodiment]
[Processing configuration]
FIG. 1 is a diagram illustrating a configuration of a control device 100 according to the first embodiment. The control device 100 includes a collection unit 101, a storage unit 102, and a creation unit 103.

  The collection unit 101 collects communication history information from a plurality of terminals. The terminal is a terminal having a firewall function. The firewall function is a function that is installed at the boundary between a certain computer or network and those external networks, relays and monitors internal and external communications, and protects the inside from external attacks. For example, the terminal is installed at the boundary between an intranet as an internal network and the Internet as an external network. The internal network may be different or the same for each connected terminal.

  The storage unit 102 stores a list (first list) in which specific communication definition information indicating a specific communication target is registered. The list is, for example, a black list. The specific communication definition information that defines communication from a specific source is information that defines communication from an unauthorized source, for example, and accesses the Internet Protocol (IP) address of a dangerous user (computer virus distribution source). This includes at least one of a Uniform Resource Locator (URL) of a Web site that is not preferable and information on an unauthorized communication pattern. An illegal communication pattern includes, for example, an F5 attack that sends a large number of page transmission requests by repeatedly executing the “reread” function of a Web browser many times and stops it with an excessive load. In the case of the F5 attack, a communication pattern (F5 attack) including the IP address of the attack source as header information is registered in the list. In addition to registering one communication behavior as an unauthorized communication pattern, a plurality of communication behaviors may be registered together as one communication pattern.

  The creation unit 103 registers one or more pieces of specific communication definition information based on specific communication definition information that matches communication history information of one terminal and specific communication definition information that matches communication history information of another terminal. Create a list for a single terminal. A terminal set based on the list created by the creation unit 103 can block (block) communication defined by the specific communication definition information registered in the list.

[Hardware configuration]
FIG. 2 is a diagram illustrating a hardware configuration of the control device 100. The control device 100 includes a processor 100a, a memory 100b, a storage 100c, an input / output interface (input / output I / F) 100d, and a communication interface (communication I / F) 100e. The processor 100a, the memory 100b, the storage 100c, the input / output interface 100d, and the communication interface 100e are connected by a data transmission path 100f for transmitting / receiving data to / from each other.

  The processor 100a is an arithmetic processing device such as a Central Processing Unit or a Graphics Processing Unit. The processor 100a implements the functions of each processing unit (collection unit 101, storage unit 102, creation unit 103) by executing each program stored in the storage 100c described later. Here, when executing each program, the processor 100a may execute these programs after reading them onto a memory 100b described later, or may execute them without reading them onto the memory 100b.

  The memory 100b is a memory such as a random access memory (RAM) or a read only memory (ROM).

  The storage 100c is a storage device such as a hard disk drive, a solid state drive, or a memory card. The storage 100c may be a memory such as a RAM or a ROM. The storage 100c stores programs that realize the functions of the respective processing units (collecting unit 101, storage unit 102, creation unit 103).

  The communication interface 100e transmits / receives data to / from an external device or an external network. The communication interface 100e communicates with an external device or an external network via, for example, a wired network or a wireless network. The hardware configuration of the control device 100 is not limited to the configuration shown in FIG.

[Operation]
The operation of the control device 100 will be described with reference to FIG. Communication history information is collected from a plurality of terminals (step S1). A list in which specific communication definition information indicating a specific communication target is registered is stored (step S2). One terminal in which one or more specific communication definition information is registered based on specific communication definition information that matches the communication history information of one terminal and specific communication definition information that matches the communication history information of another terminal A list is created (step S3).

[Function and effect]
According to the control apparatus 100 according to the first embodiment, the creation unit 103 includes specific communication definition information that matches communication history information of one terminal, specific communication definition information that matches communication history information of another terminal, and , A list for one terminal in which one or more specific communication definition information is registered is created. This makes it possible to optimize the list used for filtering e-mails and websites in countermeasures against cyber attacks.

  Note that the terminals can be grouped, and the other terminals described above can be terminals belonging to the same group as the one terminal. The group to which the terminal belongs is a group of industries in which the terminal is used, such as educational institutions, medical institutions, and financial institutions. In addition, the group to which the terminal belongs may be a country in which the terminal is used or an operating system (OS) group installed in the terminal. It is considered that other terminals belonging to the same group as the group to which the terminal T subjected to a certain attack is likely to receive the same attack as the attack received by the terminal T. Therefore, a more effective list can be created by using the communication history information of other terminals belonging to the same group as the one terminal.

  The configuration of the control device 100 according to the first embodiment may be configured in the terminal. That is, a list and communication history information of other terminals may be collected at one terminal, and a list may be created for one terminal.

[Second Embodiment]
[Processing configuration]
FIG. 4 is a block diagram showing an overall configuration of a system 2000 including the access control apparatus 21 according to the second embodiment. The system 2000 includes terminals 1 to 3 and an access control device 21.

  Terminals 1 to 3 are terminals that perform access control by a blacklist method. Terminals 1 to 3 are terminals managed by the access control device 21 and are hereinafter also referred to as managed terminals. Each of the terminals 1 to 3 includes log transmission units 4 to 6 and black list reception units 7 to 9. Terminals 1 to 3 are terminals that belong to the same group 20 but exist in different places. For example, in this embodiment, the group 20 is a group consisting of terminals installed in financial institutions. The terminal managed by the access control device 21 may include a terminal belonging to a group different from the group 20. The terminals 1 to 3 are, for example, hardware equipped with a firewall function.

  Each of the log transmission units 4 to 6 periodically transmits a communication log (communication history information) of the terminal itself to a log collection unit 10 (described later) of the access control device 21. The transmission cycle is arbitrary.

  The black list reception units 7 to 9 receive the black list distributed from the list distribution unit 19 (described later) of the access control device 21 and update the black lists of the terminals 1 to 3.

  Next, the access control device 21 will be described. The access control device 21 corresponds to the control device 100 in the first embodiment. The access control device 21 includes a log collection unit 10, a log analysis unit 11, a database control unit 12, a log information database 13, a black list acquisition unit 15, an unauthorized communication information database 16, a list creation unit 17, a weighting unit 18, and a list distribution unit. 19, a parameter control unit 22, a black list database 23, and a weighting database 24.

  The log collection unit 10 corresponds to the collection unit 101 in the first embodiment. The log collection unit 10 receives the communication logs transmitted from the log transmission units 4 to 6 of the terminals 1 to 3 and outputs the collected communication logs to the log analysis unit 11.

  The log analysis unit 11 analyzes the communication log received from the log collection unit 10. The log analysis unit 11 uses the communication log, the information that associates the terminal name of the terminal from which the communication log is obtained, and the communication observation time as log information, and the log information is stored in the log information database 13 via the database control unit 12. To store.

  The database control unit 12 controls the generation, reference, update, and deletion of information with respect to the log information database 13, the unauthorized communication information database 16, the blacklist database 23, and the weighting database 24.

  The log information database 13 is a database that stores information on the terminals 1 to 3 (management target terminal information) and log information.

  Referring to FIG. 5, log information and management target terminal information are stored in the log information database 13. The log information is information in which the communication log, the terminal name of the terminal from which the communication log is obtained, and the communication observation time are associated with each other. The communication log includes the IP address of the computer that established or attempted to establish communication with the terminal. Moreover, the management target terminal information is, for example, a terminal name, a business type, a region, and an OS. The information stored as the management target terminal information and the log information is not limited to these. As the business type, region, and OS stored as an example of the management target terminal information, group names and group identifiers when the terminals are grouped by business type, region, or OS are stored in the log information database 13.

  The black list acquisition unit 15 acquires the public black list 14 (second list) from the Internet. The public blacklist 14 includes unauthorized communication definition information and its score. The unauthorized communication definition information corresponds to the specific communication definition information in the first embodiment. The score is a value set in advance in the public blacklist, and represents the risk level of each unauthorized communication information definition information. The unauthorized communication information definition information has a higher degree of risk as the score is higher or higher. The blacklist acquisition unit 15 extracts the unauthorized communication information in which the unauthorized communication definition information and the score are associated with each other from the acquired public blacklist 14 and stores it in the unauthorized communication information database 16 through the database control unit 12. To do. Note that the black list acquisition unit 15 may acquire the black list that the vendor independently holds in addition to acquiring the public black list 14.

  Referring to FIG. 6, the unauthorized communication information database 16 stores unauthorized communication information in which the unauthorized communication definition information included in the public blacklist acquired by the blacklist acquisition unit 15 is associated with its score. The unauthorized communication information database 16 holds not only the latest unauthorized communication information but also past unauthorized communication information. The unauthorized communication information is used when the parameter control unit 22 (described later) creates a weighting parameter correspondence table. FIG. 7 is an example of a weighting parameter correspondence table. The weighting parameter correspondence table is created for each terminal and used for weighting by the weighting unit 18. Referring to FIG. 7, (a) is a weighting parameter correspondence table for own weight, and (b) is a weighting parameter correspondence table for other weights. The unauthorized communication information database 16 may store the black list acquired by the black list acquisition unit 15 as it is instead of storing the unauthorized communication information extracted from the black list acquired by the black list acquisition unit 15.

The list creation unit 17 corresponds to the creation unit 103 in the first embodiment. The list creation unit 17 creates a black list for each terminal (hereinafter also referred to as a black list for each terminal). The terminal-specific black list corresponds to the first list in the first embodiment. More specifically, the list creation unit 17 performs the following processes 1 to 6.
1. One or more unauthorized communication information extracted from the unauthorized communication information database 16 is received via the database control unit 12.
2. One or more pieces of log information matching the unauthorized communication definition information of the unauthorized communication information are extracted from the log information database 13 via the database control unit 12. The extraction is performed for one terminal and one or more other terminals belonging to the same group as the one terminal. For example, when there is a large amount of communication from a specific IP address to a terminal at a certain time, there is a possibility of an F5 attack. In this case, an unauthorized communication pattern can be extracted from the log information in addition to the transmission source IP address. Hereinafter, the extracted log information is also referred to as an unauthorized communication log.
3. The unauthorized communication log is associated with the score of each unauthorized communication definition information included in the unauthorized communication information, and is output to the weighting unit 18 (described later).
4). Based on the weight information received from the weighting unit 18, a black list is created for each terminal. In the case of creating a black list, a black list is created by extracting and registering a predetermined number of illegal communication definition information having a large value for each of “score × own weight” and “score × other weight”. As an example, priority is given to “score × own weight”, and two pieces of unauthorized communication definition information with a large value of “score × self weight” and one piece of unauthorized communication definition information with a large value of “score × other weight” are extracted. . If the unauthorized communication definition information having a large value of “score × self-weight” and the unauthorized communication definition information having a large value of “score × other weight” are the same, for example, a value different from “score × self-weight” The unauthorized communication definition information having a large value is extracted from the unauthorized communication definition information having “score × other weight”. Further, for example, in the case of extracting two unauthorized communication definition information having a large value of “score × self weight” and one unauthorized communication definition information having a large value of “score × other weight”, If the unauthorized communication definition information with a large value of “A” is D, and the unauthorized communication definition information with a large “score × other weight” value is D, only A and D may be extracted.
5. The created black list is output to the list distribution unit 19.
6). The created black list is stored in the black list database 23 via the database control unit 12.

The weighting unit 18 performs weighting based on the unauthorized communication log received from the list creation unit 17 and outputs the weighted unauthorized communication log to the list creation unit 17. The weighting unit 18 uses two kinds of weights, that is, its own weight and other weights when weighting. The own weight is a weight derived based on log information of one terminal (hereinafter referred to as the own terminal). The other weight is a weight derived based on log information of other terminals (hereinafter referred to as other terminals) belonging to the same group as the own terminal. As an example, in the system configuration of FIG. 3, when weighting is performed to create the black list of the terminal 1, the self-weight is derived based on the log information of the terminal 1, and the log information of the terminal 2 and the terminal 3 is The other weight is derived from the basis. The method of deriving each weight is shown below.
Own weight = N x T
Other weight = N × M × T
The variables N, T and M are as follows. The variables N, T, and M are derived based on the weighting parameter correspondence table.
N: A parameter related to the number of observed communications indicated by the unauthorized communication definition information in the terminal. In the calculation of own weight, the number of observations of communication indicated by the unauthorized communication definition information in the own terminal is used, and in the calculation of other weight, the total number of observations of communication indicated by the unauthorized communication definition information in other terminals is used. .
T: A parameter related to the communication observation time indicated by the unauthorized communication definition information. In the calculation of the own weight, the communication observation time indicated by the unauthorized communication definition information at the own terminal is used, and in the calculation of the other weight, the observation time of the communication indicated by the unauthorized communication definition information at the other terminal is used. When communication indicated by the same unauthorized communication definition information is observed at a plurality of other terminals, the one with the observation time close to the current time is used for the calculation.
M: A parameter relating to the number of terminals in which communication indicated by the unauthorized communication definition information has been observed. As the number of terminals in which communication indicated by the unauthorized communication definition information is observed, the number of other terminals in which communication indicated by the unauthorized communication definition information is observed is used.

  Here, for example, if the observed time of communication indicated by the unauthorized communication definition information is far from the current time (old), the value of T becomes small, and the values of the own weight and the other weight become small. Further, in the case of communication that has not been observed by other terminals, the value of M becomes smaller and the value of other weights becomes smaller. In these cases, even the unauthorized communication definition information related to the communication observed at the terminal itself is not necessarily registered in the terminal-specific black list that is newly created by the list creation unit 17.

  The list distribution unit 19 distributes the terminal-specific black list received from the list creation unit 17 to the corresponding terminal.

  The parameter control unit 22 reads the unauthorized communication information in the unauthorized communication information database 16, the log information in the log information database 13, and the black list in the black list database 23 via the database control unit 12, and a weighting parameter correspondence table (FIG. 8). Create

  The black list database 23 is a database that stores a terminal-specific black list distributed to each terminal. The terminal-specific black list distributed to each terminal is used when the parameter control unit 22 creates a weighting parameter correspondence table.

  The weighting database 24 is a database that stores a weighting parameter correspondence table for each terminal.

[Operation]
9 to 12 are flowcharts showing the operation of the access control apparatus 21, and show independent operations. FIG. 9 shows a flow of processing performed when communication logs are received from the log transmission units 4 to 6. 10 to 12 show the flow of processing performed periodically. As processing to be performed in advance when performing the processing of FIGS. 9 to 12, terminals are divided into groups in various ranges such as industry, region, and OS, and the group to which each terminal belongs is registered in the log information database 13. FIG. 7 is a diagram showing management target terminal information (FIG. 5) when a group to which each terminal belongs is registered.

  First, each process in FIG. 9 will be described. The log collection unit 10 receives communication logs periodically transmitted from the log transmission units 4 to 6 of the terminals 1 to 3 (step S11). The log analysis unit 11 analyzes the communication log received in step S11 and creates log information (step S12). The log analysis unit 11 stores the log information created in step S12 in the log information database 13 via the database control unit 12 (step S13).

  FIG. 13 is a diagram illustrating an example of log information (FIG. 5) obtained when the processes in steps S11 to S13 are performed.

  Next, each process in FIG. 9 will be described. The blacklist acquisition unit 15 acquires the blacklist 14 that is publicly available on the Internet or that is independently held by the vendor (step S21). The black list acquisition unit 15 stores the black list acquired in step S21 in the unauthorized communication information database 16 via the database control unit 12 (step S22). The table stored in the unauthorized communication information database 16 when the processes of steps S21 and S22 are performed is the above-described FIG.

  Next, each process in FIG. 11 will be described. The list creation unit 17 reads the unauthorized communication information stored in the unauthorized communication information database 16 via the database control unit 12 (step S31). The list creation unit 17 extracts log information (unauthorized communication log) that matches the unauthorized communication definition information included in the unauthorized communication information read in step S31 from the log information database 13 via the database control unit 12 ( Step S32). Here, the log information observed in a predetermined period in the past is targeted.

  The list creation unit 17 associates the unauthorized communication log extracted in step S32 with the score of each unauthorized communication definition information included in the unauthorized communication information, and assigns the unauthorized communication log associated with the score to the weighting unit 18. (Step S33).

  FIG. 14 is a diagram illustrating an example of an unauthorized communication log in which a score is associated in step S33. The weighting unit 18 reads the weighting parameter correspondence table stored in the weighting database 24 via the database control unit 12 (step S34). The weighting unit 18 weights the unauthorized communication information based on the unauthorized communication log and the weighting parameter correspondence table (step S35). In weighting, two kinds of weights are used: the own weight and the other weight.

  FIG. 15 is a diagram illustrating a result of calculating the own weight and the other weight for the terminal 1, for example. For example, for the communication (communication A) indicated by the unauthorized communication definition information A, N based on the number of observations of the communication A at the terminal 1 and T based on the observation time of the communication A at the terminal 1 are used for calculating the own weight. Use. In calculating other weights, N based on the number of observations of communication A at terminals 2 and 3 belonging to the same group as terminal 1, T based on the observation time of communication A at terminals 2 and 3 and communication A are observed. M based on the number of other terminals in the same group is used. The calculation method is an example. The weighting unit 18 creates a table (hereinafter referred to as weight information) as shown in FIG. 16 based on the own weight, other weight, and the score of the unauthorized communication definition information (FIG. 6). In FIG. 16, “score × self weight” is a value obtained by multiplying the score of FIG. 6 by the self weight calculated in FIG. 15. “Score × other weight” is a value obtained by multiplying the score of FIG. 6 by the other weight calculated in FIG.

  The process of step S35 is performed for each terminal, and the weight information for each terminal is output to the list creation unit 17.

  The list creation unit 17 creates a terminal-specific black list based on the weight information received from the weighting unit 18 (step S36). The list creation unit 17 extracts a predetermined number of unauthorized communication definition information having a large value for each of “score × own weight” and “score × other weight”, and registers the extracted unauthorized communication definition information to create a black list. create. The list creation unit 17 outputs the created terminal-specific black list to the list distribution unit 19. The list creation unit 17 stores the black list and black list creation time for each terminal in the black list database 23 in the format shown in FIG. 17 via the data control unit 12 (step S37). FIG. 17 is a diagram illustrating information stored in the blacklist database 23 when the process of step S37 is performed. Referring to FIG. 17, (a) is a list for terminals with terminal name XXX, (b) is a list for terminals with terminal name YYY, and (c) is a list for terminals with terminal name ZZZ. The list distribution unit 19 distributes the terminal-specific black list received from the list creation unit 17 to the black list reception units 7 to 9 of the terminals 1 to 3 (step S38).

  Next, each process in FIG. 12 will be described. The parameter control unit 22 reads from the black list database 23 the latest terminal-specific black list and its creation time among the terminal-specific black lists distributed in the past at each terminal via the database control unit 12 (step S41). . The parameter control unit 22 reads the weighting parameter correspondence table of each terminal from the weighting database 24 via the database control unit 12 (step S42). The parameter control unit 22 reads, via the database control unit 12, the unauthorized communication information used when creating the terminal-specific blacklist and the unauthorized communication information for a predetermined period after the terminal-specific blacklist is distributed from the unauthorized communication information database 16. Here, the unauthorized communication information used at the time of creating the blacklist for each terminal and the unauthorized communication information for a predetermined period after the blacklist distribution for each terminal are collectively referred to as unauthorized communication information before and after the blacklist distribution. Then, the parameter control unit 22 transmits, from the log information database 13 via the database control unit 12, the log information used when the black list for each terminal is created and the log information for a predetermined period after the black list for each terminal is distributed. Log information (unauthorized communication log) that matches the unauthorized communication definition information included in the unauthorized communication information before and after list distribution is extracted and read (step S43). The parameter control unit 22 associates the score of each unauthorized communication definition information included in the unauthorized communication information with the unauthorized communication log read in Step S43 (Step S44).

  The processes in steps S45 to S52 described below are performed for each terminal, and the process proceeds to step S53 as soon as the process in the process target terminal is completed.

The parameter control unit 22 compares the latest terminal-specific black list read in step S41 with the unauthorized communication log read in step S43, and checks the number of matching unauthorized communication definition information (step S45). The parameter control unit 22 corrects the weighting parameter correspondence table by paying attention to the unauthorized communication definition information that is not registered in the black list read in step S41 but is found in the unauthorized communication log after distribution (step). S46). FIG. 18 is a table summarizing the criteria used when correcting the weighting parameters. The viewpoint of correcting the weighting parameters is shown below.
1. Since the unauthorized communication definition information having a larger number of observations has a higher degree of risk, the value of the variable N is increased as the unauthorized communication definition information having a larger number of observations in the past predetermined period.
2. Since an unauthorized user who has recently attacked has a high possibility of performing the same attack again, the value of the variable T is increased as the observation time is closer to the present time.
3. Since an attack being performed on many terminals is highly likely to be a trendy attack with a high degree of risk, the value of the variable M is increased as the number of observation terminals increases.

  The correction of the weighting parameter will be described using a specific example. It is assumed that the unauthorized communication log X of the terminal itself after distribution of a certain blacklist is not included in the distributed blacklist. In this case, according to FIG. 18, when the communication indicated by the unauthorized communication log X has been observed after the blacklist distribution and has been observed for the past three days from the present, in the weighting parameter correspondence table read in step S42, The value of the variable T corresponding to the observation time of the unauthorized communication definition information that matches the unauthorized communication log X is corrected (changed) to 5.

  The parameter control unit 22 weights the unauthorized communication definition information based on the modified weighting parameter and the unauthorized communication log after distribution, and creates a new terminal-specific black list in the same procedure as in step S36 of FIG. (Step S47). The parameter control unit 22 compares the created terminal-specific black list with the unauthorized communication log after distribution read in step S43, and checks the number of matching unauthorized communication definition information (step S48). If the number of matches in step S48 is larger than the number of matches in step S45, the process proceeds to step S53, and if it is smaller, the process proceeds to S50 (step S49).

  If the processes in steps S46 to S49 have been performed a predetermined number of times, the process proceeds to step S52, and if not, the process proceeds to step S51 (step S50).

  In step S51, the increment number is changed using the weighting pattern correspondence table in step S45. And it progresses to the process of step S46 again.

  In step S52, the weighting parameter correspondence table is returned to the state of step S45.

  The parameter control unit 22 stores the weighting parameter correspondence table in the weighting database 24 via the database control unit 12.

[effect]
If a blacklist is created based only on the communication log of its own terminal, it is not possible to respond to unknown attacks. The access control apparatus 21 according to the present embodiment uses terminal grouping and learning of a weighting method. Thereby, when creating a black list for setting one terminal, it is possible to consider an attack on another terminal belonging to the same group as the one terminal. That is, a black list that can prevent an unknown attack on each terminal can be created and distributed to each terminal.

  In the present embodiment, the aspect in which the access control apparatus 21 creates the black list of each terminal from the public black list has been described. Instead of this mode, one terminal may acquire a black list of another terminal and create a black list of the own terminal from the black list of the other terminal.

[Third Embodiment]
In the third embodiment, the configuration and operation when creating a blacklist have been described. In the present embodiment, the configuration and operation when creating a white list will be described. The description of the same configuration as in the first and second embodiments is omitted.

  The control device of the present embodiment includes a white list acquisition unit 15 ′ instead of the black list acquisition unit 15 in the second embodiment. The white list acquisition unit 15 ′ acquires a white list held by the plurality of terminals 1 to 3.

  The weighting unit 18 ′ weights the white list acquired by the white list acquisition unit 15 ′ and outputs it to the list creation unit 17. The weighting unit 18 'uses two kinds of weights, that is, its own weight and other weights when weighting. The self weight and the other weight are as described in the second embodiment.

[effect]
In the present embodiment, grouping of terminals and learning of a weighting method are used. This makes it possible to create an objective white list for a white list that tends to be arbitrary. In addition, for example, with respect to an application whose access is permitted in another terminal belonging to the same group as the one terminal, there is a high probability that the access is permitted also in the one terminal. In this case, by creating a white list held by one terminal with reference to log information of other terminals in the same group, a fluid and convenient white list can be created.

  In addition, it can also be set as the aspect which combined 2nd Embodiment and 3rd Embodiment.

  As mentioned above, although embodiment of this invention was described, this invention is not limited to the said embodiment, It cannot be overemphasized that another modification and an application example are included unless it deviates from the meaning of this invention.

1, 2, 3 terminals (managed terminals)
4, 5, 6 Log transmission unit 7, 8, 9 Black list reception unit 10 Log collection unit 11 Log analysis unit 12 Database control unit 13 Log information database 14 Public black list 15 Black list acquisition unit 16 Unauthorized communication information database 17 List creation Unit 18 weighting unit 19 list distribution unit 20 group 21 access control device 22 parameter control unit 23 black list database 24 weighting database 100 control device 100a processor 100b memory 100c storage 100d input / output interface 100e communication interface 101 collection unit 102 storage unit 103 creation unit 2000 system

Claims (10)

A collection unit for collecting communication history information from a plurality of terminals;
A storage unit for storing a first list in which specific communication definition information indicating a specific communication target is registered;
The one or more specific communication definition information is registered based on the specific communication definition information that matches the communication history information of the one terminal and the specific communication definition information that matches the communication history information of the other terminal. And a creation unit that creates the first list for the terminal. An acquisition unit for acquiring a second list in which the specific communication definition information is registered;
The creation unit, from the second list acquired by the acquisition unit, specific communication definition information that matches the communication history information of the one terminal and specific communication definition information that matches the communication history information of the other terminal The control device according to claim 1, wherein the first list is generated by extracting the information.   The control device according to claim 1, wherein the other terminal belongs to the same group as the one terminal.   The creation unit includes the specific communication definition information having a large number of matches with the communication history information among the specific communication definition information that matches the communication history information, and the communication history information that matches the specific communication definition information. The specific communication definition information having a large number of the terminals from which the specific communication definition information obtained within a predetermined period in the past from the creation time of the second list or the communication history information matching the specific communication definition information is obtained. The control device according to claim 2, wherein the control device extracts the information preferentially. A weighting unit for setting a weight on the specific communication definition information that matches the communication history information;
The weighting unit is a self-weight derived based on communication history information of the one terminal, and another weight derived based on the communication history information of the other terminal belonging to the same group as the one terminal. Set
The control device according to claim 2, wherein the creation unit creates the first list based on the specific communication definition information that satisfies a predetermined condition as a result of the weighting. A collection step of collecting communication history information from a plurality of terminals;
A storing step of storing a first list in which specific communication definition information indicating a specific communication target is registered;
The one or more specific communication definition information is registered based on the specific communication definition information that matches the communication history information of the one terminal and the specific communication definition information that matches the communication history information of the other terminal. Creating a first list for a terminal of the terminal. A first acquisition step of acquiring a second list in which the specific communication definition information is registered;
In the creating step, the specific communication definition information matching the communication history information of the one terminal and the communication history information of the other terminal are matched from the second list acquired in the first acquiring step. The control method according to claim 6, wherein specific communication definition information is extracted to create the first list.   The control method according to claim 6 or 7, wherein the other terminal belongs to the same group as the one terminal. On the computer,
A collection process for collecting communication history information from multiple terminals;
A storage process for storing a first list in which specific communication definition information indicating a specific communication target is registered;
The one or more specific communication definition information is registered based on the specific communication definition information that matches the communication history information of the one terminal and the specific communication definition information that matches the communication history information of the other terminal. And a creation process for creating the first list for the terminal. A first acquisition process for acquiring a second list in which the specific communication definition information is registered;
In the creation unit process, from the second list acquired in the first acquisition process, the specific communication definition information matching the communication history information of the one terminal and the communication history information of the other terminal are matched. The program according to claim 9, wherein the first list is created by extracting specific communication definition information to be created.

Images