JP2018174471A - Communication control unit, communication control system, communication control method and communication control program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To make a security product inspect a sample in a state where communication of the security product is blocked, but communication of the sample (malware) is canalized.SOLUTION: A security product 42 installed in a first terminal 4 determines whether a sample is detected by executing communication to an IP address recorded in an address list, by means of the first terminal 4 in which the security product is installed, a second terminal 6 in which the security product is not installed, connection setting means (firewall 10) for setting to pass communication from the second terminal 6 entirely, IP address recording means (firewall 10) for generating an address list by recording the destination IP address of an IP packet issued from the terminal when the second terminal 6 executes an execution file of inspection object, i.e., specimen, communication interruption means (firewall 10) for interrupting the IP packet of the destination IP address not recorded in the address list, out of the IP packets where the first terminal 4 is the transmission source, and the first terminal 4.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a communication control device, a communication control system, a communication control method, and a communication control program.

    Malware is an abbreviation for malicious software that performs undesirable operations for computer users, and there are various types such as viruses, spyware, worms, and ransomware. In addition, there are two types of malware: “known malware” and “unknown malware” that cannot be detected by signature pattern matching because security countermeasure products detect by pattern matching by signature.

  For the detection of malware in security products, pattern matching based on signatures is performed. When evaluating the security level when using a security product, it is also important to evaluate how much malware is known to the product (that is, whether it can be detected by the signature). In today's generation, it is very important to evaluate the detection rate when the product inspects unknown malware that does not match the signature.

  When evaluating security products, you want to test the sample by blocking communications performed by the security product for reasons such as evaluating the detection rate when testing a sample that does not match the signature (malware). There is. On the other hand, there is a case where communication itself from a terminal in which a security product is installed is desired to be performed so that the security product can observe the original behavior of the specimen.

  Conventionally, in Windows OS, whether or not external communication is possible can be set for each execution file. Therefore, there is a method for realizing the above problem by blocking external communication of an execution file of a security product using this function. is there. However, security products may consist of a number of executable files. In such a case, it may not be easy to register the executable file without omission. Moreover, there is a possibility that communication control of the Windows firewall is invalidated by execution of the specimen (malware).

  Non-Patent Document 1 discloses an example in which communication of each process operating on a virtual machine is controlled from a hypervisor operating the virtual machine. In this example, since communication is controlled from the hypervisor, there is no possibility that communication control is invalidated by executing the sample. On the other hand, the sample is executed on the virtual machine. In addition, some malware in recent years do not perform malicious operations on virtual machines, and thus are not suitable for evaluation of security products using actual specimens.

Takeshi Azumi et al., “Fine-grained packet filtering with virtual machine monitor”, IPSJ Research Report, System Software and Operating System (OS) 2010.12, pp1-7

  SUMMARY OF THE INVENTION In view of the above circumstances, the present invention provides a communication control device, a communication control system, and a communication control capable of inspecting a security product in a state where communication performed by a sample (malware) is blocked while communication performed by the security product is blocked It is an object to provide a method and a communication control program.

  A first aspect for achieving the above object is a communication control apparatus having a function of blocking communication packets arranged in a network and passing through the network, wherein the first IP address and the second IP address are input. IP address recording means for recording a destination IP address of the communication packet and adding it to an address list when receiving a communication packet having the second IP address as a transmission source, and the first IP address And a communication blocking means for blocking when receiving a communication packet whose destination is an IP address not included in the address list.

  A 2nd aspect is a communication control system comprised by a communication control apparatus and a DNS server.

  A third aspect is a communication control method in a communication control apparatus having a function of blocking a communication packet that is arranged in a network and that passes through the network, wherein a first IP address and a second IP address are given as inputs, When a communication packet having the second IP address as a transmission source is received, the destination IP address of the communication packet is recorded and added to the address list, and the first IP address is used as the transmission source, and the address list The communication control method is characterized in that when a communication packet destined for an IP address not included in is received, the packet is blocked.

  A fourth aspect is a communication control method in a communication control system comprising a communication control device arranged in a network and having a function of blocking communication packets passing through itself and a DNS server, wherein the communication control device 1 IP address and 2nd IP address are given as inputs, and when a communication packet with the second IP address as the source is received, the destination IP address of the communication packet is recorded and added to the address list Then, when a communication packet having the first IP address as a transmission source and destined for an IP address not included in the address list is blocked, the DNS server transmits the second IP address. When the original DNS query packet is received, the domain subject to name resolution in the query is recorded in the domain list. When receiving a DNS query packet that requests the name resolution of the domain described in the domain list with the first IP address as the transmission source, the IP address obtained by performing the name resolution of the domain is A request packet specifying that it is added to an address list is transmitted to the communication control device, and the communication control device adds an IP address to the address list when there is the request packet. Is a communication control method.

  A 5th aspect is a communication control program for comprising a communication control apparatus with a computer.

  While the communication performed by the security product is cut off, the communication performed by the sample (malware) can be communicated with the security product so that the sample can be tested.

It is a block diagram which shows the structure of 1st Embodiment to which the communication control apparatus which concerns on this invention was applied. It is a flowchart which shows operation | movement of 1st Embodiment to which the communication control apparatus which concerns on this invention was applied. It is a block diagram which shows the structure of 2nd Embodiment to which the communication control apparatus which concerns on this invention was applied. It is a flowchart which shows operation | movement of 2nd Embodiment to which the communication control apparatus which concerns on this invention was applied.

<First Embodiment>
The communication control apparatus 2A according to the first embodiment to which the communication control apparatus according to the present invention is applied includes a first terminal 4, a second terminal 6, the Internet 8, and a firewall 10.

  The first terminal 4 is a terminal connected to the firewall 10 and installed with a security product 42 to be evaluated.

  The second terminal 6 is a terminal that is connected to the firewall 10 and has no security product installed.

  The firewall 10 includes an access control unit 12 and a destination IP address list 14.

  The access control unit 12 records the destination IP address of the IP packet issued from the second terminal 6 and generates the address list by connecting setting means for setting all communication from the second terminal 6 to pass. Address recording means and communication blocking means for blocking IP packets of destination IP addresses not recorded in the address list among IP packets originating from the first terminal 4 are included.

  The destination IP address list 14 is created by the access control unit 12 and records destination IP addresses included in a communication packet transmitted from the second terminal 6, and is also referred to as an “IP white list”.

  Next, the operation of the first embodiment will be described with reference to the flowchart of FIG.

  First, the specimen is executed for a certain time (such as 10 minutes) on the second terminal 6 on which no security product is installed. In this process, a communication packet may be transmitted from the second terminal 6 to the Internet depending on the execution of the sample. In this case, the communication packet is observed by the firewall 10 (SB2). The firewall 10 records the destination IP address included in the communication packet having the source IP address of the second terminal 6 among the observed communication packets, and creates the IP address list 14 (SF2). This is a process of adding the destination IP address list of the received packet to the IP white list.

  The access control unit 12 of the firewall 10 is set with a function of “blocking a packet whose destination IP address is not included in the IP white list 14 among packets whose source is the IP address of the first terminal 4”. . Therefore, only the communication packet having the destination IP address included in the IP white list 14 is transmitted on the Internet 8 as the communication packet transmitted from the first terminal 6 (SF4).

  After executing the sample on the second terminal 6 for a certain period of time (such as 10 minutes) in the above process, the sample is executed on the first terminal 4 to check whether the security product 42 detects the sample as malware. (SA4, SA6, SA8). During this time, a communication packet may be transmitted from the first terminal 4 to the Internet from the process executing the sample. The destination IP address of this communication packet is included in the IP whitelist 14 by the above processing. Therefore, it can be expected that the communication performed by the sample is not hindered by the access control unit 12. On the other hand, since the second terminal 6 does not install the security product 42 in the above process, it can be expected that the destination IP address of the communication performed by the security product 42 is not included in the white list 14. Therefore, communication performed by the process executing the security product to the outside, for example, communication for updating the signature by exchanging with the server operated by the organization that developed the security product is blocked by the access control unit 12. I can expect that.

  Thus, according to the first embodiment, only communication packets destined for the same destination IP address as the communication packets transmitted from the second terminal 6 in which the security product 42 is not installed pass through the access control unit 12. Therefore, the communication performed by the security product 42 is blocked, while the communication performed by the sample (malware) is allowed to communicate with the security product 42.

Second Embodiment
In the first embodiment, the communication performed by the sample on the first terminal 4 is realized by creating the IP white list 14 composed of IP addresses. However, in the configuration of the first embodiment, communication performed by the specimen may be interrupted for the following reason.

  That is, the communication destination performed by the sample may be described as an FQDN (Fully Qualified Domain Name, hereinafter referred to as “host name”) instead of being described as an IP address in the program code of the sample.

  When a sample communicates with a communication destination described as a host name, first, a DNS request is transmitted to the DNS server 16 to acquire an IP address corresponding to the host name, and communication is performed to the IP address.

  Further, when the host name and the IP address correspond one-to-one, the object can be achieved by the method of the first embodiment. However, there may be a case where there are a plurality of IP addresses corresponding to the host name, and the IP address corresponding to the host name may change with time.

  Therefore, when the sample is executed on the second terminal 6 and when the sample is executed on the first terminal 4, different IP addresses may be obtained for name resolution of the same host name. In this case, the communication of the sample executed by the first terminal 4 is interrupted.

  In order to solve the above problems, the second embodiment adopts the following configuration.

  As shown in FIG. 3, the communication control device 2 </ b> B of the second embodiment includes a DNS server 16 in addition to the first terminal 4, the second terminal 6, the Internet 8, and the firewall 10.

  The DNS server 16 has a function of converting a domain name into an IP address. In the second embodiment, when a DNS query packet is transmitted from the second terminal 6, it has a function of creating a list of all domains for which there has been a name resolution request in the transmitted DNS query packet.

  FIG. 4 is a flowchart illustrating a processing procedure according to the second embodiment.

  In FIG. 4, steps denoted by the same step numbers as in FIG. 2 mean the same processes as those in the first embodiment.

  First, the specimen is executed for a certain time (such as 10 minutes) on the second terminal 6 on which no security product is installed. In this process, a communication packet may be transmitted from the second terminal 6 to the Internet depending on the execution of the sample. In this case, the communication packet is observed by the firewall 10 (SB2). The firewall 10 records the destination IP address included in the communication packet having the source IP address of the second terminal 6 among the observed communication packets, and creates the IP address list 14 (SF2). This is a process of adding the destination IP address list of the received packet to the IP white list.

  As described above, when a DNS query packet is transmitted from the second terminal 6 while the specimen is being executed on the second terminal 6 for a certain time (such as 10 minutes) (SB8), the DNS server 16 transmits the DNS query packet. A list of all domains for which a name resolution request has been made in the DNS query packet is created (added) (SD2). Hereinafter, the created domain list 162 is also referred to as a DNS white list.

  The access control unit 12 of the firewall 10 is set with a function of “blocking a packet whose destination IP address is not included in the IP white list 14 among packets whose source is the IP address of the first terminal 4”. .

  Here, in the second embodiment, when the DNS query packet (SA10) transmitted from the first terminal 4 includes the name resolution target domain in the DNS whitelist (SD4YES), the DNS server 16 A DNS response addressed to one terminal 4 is temporarily suspended, a request packet specifying that an IP address corresponding to the domain is added to the IP whitelist is sent (SD6), and then a DNS response addressed to the first terminal 4 is transmitted. (SD8). Further, when a request packet is transmitted (SD6) from the DNS server 16, the firewall 10 adds the IP address included in the request packet to the IP white list 14 (SF8).

  Therefore, the communication packet transmitted from the first terminal 6 requests the name resolution of the host name corresponding to the IP address X before that even if the destination IP address X is not initially listed in the IP whitelist. The DNS query packet to be transmitted is transmitted from the first terminal 6 to the DNS server 16, and the IP address X is received from the DNS server 16 as a response, and the host name is included in the DNS white list 162. In this case, since the IP address X is described in the IP white list before the communication packet reaches the access control unit 12, it can pass through the access control unit 12.

  Then, after elapse of a predetermined period of the processing, the sample is executed on the first terminal 4 for a predetermined time (SA4, SA6), and it is confirmed whether the security product 42 detects the sample (SA8).

  As described above, according to the second embodiment, when the specimen to be examined stores the communication destination of communication performed by itself as a host name, and the IP address obtained by name resolution for the host name can be different. However, the communication performed for the host name described in the DNS white list created when the second terminal 6 executes the sample may dynamically expand the IP white list and pass through the access control unit 12. Therefore, the communication performed by the security product 42 is blocked, while the communication performed by the sample (malware) is allowed to communicate with the security product 42.

  In addition, the said embodiment is shown as an example and of course does not intend limiting the range of invention.

  2A, 2B ... communication control device, 4 ... first terminal, 6 ... second terminal, 8 ... internet, 10 ... firewall, 12 ... access control unit, 14 ... destination IP address list (IP white list), 16 ... DNS server 42 ... Security product 162 ... Domain list (DNS white list).

When evaluating security products, you want to test the samples by blocking communications performed by security products for the purpose of evaluating the detection rate when testing samples that do not match the signature (malware). There is. On the other hand, there is a case where communication itself from a terminal in which the security product is installed is desired to be performed so that the security product can observe the original behavior of the specimen.

Claims (6)

A communication control device having a function of blocking communication packets arranged in a network and passing through the network,
When a first IP address and a second IP address are given as inputs and a communication packet having the second IP address as a transmission source is received, the destination IP address of the communication packet is recorded and recorded in the address list. IP address recording means to be added;
Communication blocking means for blocking when receiving a communication packet having the first IP address as a transmission source and an IP address not included in the address list as a destination;
A communication control apparatus comprising: Domain recording means for recording a domain that is a name resolution target in the DNS query packet when receiving a DNS query packet having the second IP address as a transmission source in a domain list;
When a DNS query packet that requests the name resolution of the domain described in the domain list is received from the first IP address, the IP address obtained by performing the name resolution of the domain is the address A request transmission means for transmitting a request packet specifying that it is added to the list to the communication control device;
Assuming the presence of a DNS server with
The IP address recording means
When there is a request packet from the DNS server, an IP address described in the request packet is added to the address list.
The communication control apparatus according to claim 1.   A communication control system comprising the communication control device according to claim 2 and a DNS server. A communication control method in a communication control device having a function of blocking communication packets arranged in a network and passing through the network,
When a first IP address and a second IP address are given as inputs and a communication packet having the second IP address as a transmission source is received, the destination IP address of the communication packet is recorded and recorded in the address list. Add
Blocking when receiving a communication packet having the first IP address as a source and having an IP address not included in the address list as a destination;
A communication control method characterized by the above. A communication control method in a communication control system comprising a communication control device arranged in a network and having a function of blocking communication packets passing through the network and a DNS server,
The communication control device includes:
When a first IP address and a second IP address are given as inputs and a communication packet having the second IP address as a transmission source is received, the destination IP address of the communication packet is recorded and recorded in the address list. Add
When receiving a communication packet having the first IP address as a source and an IP address not included in the address list as a destination,
The DNS server
When a DNS query packet having the second IP address as a transmission source is received, a domain that is a name resolution target in the DNS query packet is recorded in a domain list;
When a DNS query packet that requests the name resolution of the domain described in the domain list is received from the first IP address, the IP address obtained by performing the name resolution of the domain is the address A request packet specifying that it is added to the list is sent to the communication control device
The communication control device, when there is the request packet, adds the IP address of the request packet to the address list,
A communication control method characterized by the above.   A communication control program for configuring the communication control device according to claim 1 with a computer.

Images