JP2019037001A - Network information output system and network information output method - Google Patents

Abstract

To identify a range influenced by malware in an SDN environment.SOLUTION: A malware influence range identification system includes in an SDN environment: a recording unit for chronologically recording in a database network configuration information representing a network configuration; intrusion time identification unit for identifying an intrusion time concerning a terminal intruded by a malware; a network configuration identification unit for acquiring network configuration information that is associated with a date and time identified on the basis of identified intruding time in the database; and a display unit for displaying acquired network configuration information.SELECTED DRAWING: Figure 9

Description

  The present invention relates to a technique for identifying the influence range of malware.

  In recent years, SDN (Software-Defined Networking), which is a network architecture that realizes network control by a program, is becoming popular and practical. One of the protocols for realizing this SDN is OpenFlow. In OpenFlow, an OpenFlow switch is centrally controlled by an OpenFlow controller (see, for example, Patent Documents 1 and 2). SDN can be quickly and flexibly executed for network path control and configuration change, and is being introduced to companies including data centers.

International Publication No. 2012/115058 International Publication No. 2012/086816

  By the way, targeted attack malware that has been reported in recent years communicates after intruding inside an organization, and develops attacks such as malware diffusion and confidential information theft. In order to cope with such an attack as an organization, it is necessary to be able to detect and block the attack and to track the attack information. For this reason, the security officer needs to collect logs from terminals and servers in the network and specify a range that may have been attacked by malware. However, in the above-described SDN environment, the network state frequently changes, so that there is a problem that it is difficult to grasp network configuration information at a specific point in the past such as an attack occurrence point.

  The present invention has been made in view of such circumstances, and an object thereof is to specify the range of influence of malware in an SDN environment.

  In order to solve the above problems, the present invention provides network configuration information indicating a network configuration, terminal information indicating any one of a plurality of terminals included in the network, and the terminal information. A recording unit that records network configuration information including terminal connection state information in association with virtual network information indicating a virtual network to which a terminal belongs to in a database in time series, and the intrusion of the first terminal invaded by malware An intrusion time specifying unit for specifying a time point; a network configuration specifying unit for acquiring network configuration information associated with the date and time specified based on the specified intrusion time point in the database; and the acquired network configuration An output unit for outputting information and a feeling of acquiring first terminal information indicating the first terminal A terminal identification unit, a virtual network identification unit that acquires first virtual network information associated with the acquired first terminal information and the database, and a correspondence between the acquired first virtual network information and the database An infection suspected terminal identifying unit that acquires second terminal information indicating a second terminal different from the first terminal, and the output unit further outputs the acquired second terminal information A network information output system is provided.

  In a preferred aspect, the network includes a plurality of relay devices that relay communication packets between the plurality of terminals based on routing control information, and the network configuration information includes logical links between the plurality of relay devices. The network configuration specifying unit is associated with the latest date and time when the logical link information is recorded in the database, the date and time before the specified intrusion time. The logical link information may be acquired, and the output unit may output the acquired logical link information.

  In a further preferred aspect, the network configuration specifying unit corresponds to a plurality of dates and times after the most recent date and time when the logical link information is recorded in the database, which is a date and time before the specified intrusion time. A plurality of attached logical link information may be acquired.

  In a further preferred aspect, the network configuration information includes terminal information indicating any one of the plurality of terminals, virtual network information indicating a virtual network to which the terminal indicated by the terminal information belongs, and the virtual network Terminal connection state information that associates connection state information for specifying the connection period of the terminal with respect to the infection, and the infected suspected terminal identification unit associates the acquired first virtual network information with the database. Second terminal information indicating a second terminal that is connected to the first virtual network indicated by the first virtual network information and overlaps with the first terminal may be acquired.

  In a further preferred aspect, the virtual network specifying unit further acquires second virtual network information that is associated with the acquired first terminal information and in the database and is different from the first virtual network information, The infection suspected terminal specifying unit further acquires third terminal information indicating a third terminal different from the first and second terminals, which is associated with the acquired second virtual network information in the database, The output unit may further output the acquired third terminal information.

  In a further preferred aspect, the virtual network specifying unit further acquires third virtual network information that is associated with the acquired second terminal information in the database and is different from the first and second virtual network information. The infected suspected terminal identifying unit is a fourth terminal indicating a fourth terminal different from the first, second and third terminals, which is associated with the acquired third virtual network information in the database. The information may be further acquired, and the output unit may further output the acquired fourth terminal information.

  In a further preferred aspect, the output unit may display a diagram showing a topology of the network represented by the acquired network configuration information.

  In a further preferred aspect, the network configuration information further includes physical link information indicating a physical link between the plurality of relay devices, and the output unit has the physical link information represented by the physical link information on the physical link. You may display the figure which shows the topology of the said network which displays the logical link represented by the acquired logical link information in piles.

  According to the present invention, it is possible to specify the range of influence of malware in the SDN environment.

It is a figure which shows the structure of the malware influence range specific system. It is a figure which shows the outline | summary of the malware influence range identification method. 1 is a diagram illustrating an example of a configuration of a communication network 1. FIG. It is a figure which shows the various tables which comprise DB2. It is a figure which shows an example of the physical link information table. It is a figure which shows an example of the logical link information table. It is a figure which shows an example of the terminal connection state table. It is a figure which shows an example of the snap information table. It is a figure which shows an example of a function structure of the malware influence range specific system. It is a figure explaining an example of the method of detecting the physical topology of the communication network. It is a figure explaining an example of the logical link information recorded on the logical link information table. It is a figure explaining the other example of the logical link information recorded on the logical link information table. It is a figure explaining an example of the procedure at the time of recording connection state information at the time of login. It is a flowchart which shows a malware influence range specific process. It is a flowchart which shows a malware influence range specific process. It is a figure explaining the example of application of the malware influence range specific process. It is a figure explaining the example of application of the malware influence range specific process. It is a figure explaining the example of application of the malware influence range specific process. It is a figure explaining the example of application of the malware influence range specific process. It is a flowchart which shows a malware influence range visualization process. It is a figure explaining an example of the calculation method of the score P. FIG. It is a figure which shows an example of a display screen. It is a figure explaining an example in case a some logic topology diagram is synthesize | combined.

1. Embodiment 1-1. Configuration of Malware Influence Range Identification System 100 FIG. 1 is a diagram showing a configuration of a malware influence range identification system 100 according to an embodiment of the present invention. As shown in the figure, the malware influence range specifying system 100 includes a communication network 1, a database (hereinafter referred to as “DB”) 2, an OpenFlow controller (hereinafter referred to as “OFC”) 3, and detection. A device 4 and a network visualization device (hereinafter referred to as “NW visualization device”) 5 are configured.

The communication network 1 is a network that conforms to the OpenFlow specification, and includes a plurality of OpenFlow switches (hereinafter referred to as “OFS”) 6 and a plurality of terminals 7. The DB 2 stores network configuration information of the communication network 1. The OFC 3 is connected to the communication network 1 and changes the configuration of the communication network 1 by updating the path control information of the OFS 6. The OFC 3 is connected to the DB 2 and records the network configuration information of the communication network 1 in the DB 2 in time series. The detection device 4 is connected to the communication network 1 and periodically analyzes logs collected on the communication network 1 to detect intrusion of malware. In addition, the detection device 4 is operated by the user U and issues an alert to the user U when it detects the intrusion of malware. Here, the user U is, for example, a security officer or a network administrator of the communication network 1. The NW visualization device 5 is connected to the DB 2, acquires network configuration information stored in the DB 2, and displays the information on the screen. The NW visualization device 5 is operated by the user U.
The connection method between the elements may be wired or wireless.

1-2. Overview of Malware Impact Range Identification Method FIG. 2 is a diagram showing an overview of a malware impact range identification method according to the present embodiment. This system mainly consists of four elements: log analysis, information acquisition, storage, and visualization. In this method, the detection device 4 periodically analyzes the logs collected on the communication network 1 and, when detecting the intrusion of malware, shows the terminal information indicating the terminal invaded by the malware and the time of the intrusion. Output time information. The OFC 3 periodically acquires network configuration information of the communication network 1 and records it in the DB 2 in association with the time information. Specifically, physical link information and logical link information are periodically acquired, and terminal connection state information is acquired at the time of login or logout, and is recorded in the DB 2 in association with time information. When the NW visualization device 5 acquires the terminal information and time information output from the detection device 4 through the operation of the user U, the NW visualization device 5 acquires network configuration information from the DB 2 up to the detection time point including the intrusion time point. Is displayed on the screen.
The above is the outline of the malware influence range specifying method according to the present embodiment. Below, each element which comprises the malware influence range specific system 100 is explained in full detail.

1-3. Configuration of Communication Network 1 FIG. 3 is a diagram illustrating an example of the configuration of the communication network 1. As shown in the figure, the communication network 1 includes six OFS 6A to 6F (hereinafter collectively referred to as “OFS6” unless otherwise required) and four terminals 7A to 7D (hereinafter, particularly When there is no need to distinguish between them, they are collectively referred to as “terminal 7”. The OFS 6A is connected to the terminals 7A and 7B and the OFS 6B via a physical link. The OFSs 6B to 6E are connected to each other via physical links. The OFS 6F is connected to the OFS 6D and the terminals 7C and 7D via physical links. Here, the physical link refers to a physical connection via a communication cable, for example. Each OFS 6 includes a plurality of ports (connection ports) to which communication cables are connected, and is connected to other devices via any of the ports. OFS 6A and 6F are edge switches, and OFS 6B to 6E are core switches.

  The OFS 6 is a transmission device (or relay device, transfer device) compliant with the OpenFlow specification, and is a transmission device that performs packet transmission processing performed by hardware. Here, OpenFlow is a technology that enables centralized management of network devices constituting a communication network by a single control device to perform complex transfer control and flexibly change the network configuration. OpenFlow is one of the protocols that realizes SDN. Here, SDN is a technology that makes it possible to centrally control communication devices that make up a computer network with a single software, and to change the structure, configuration, settings, etc. of the network flexibly and dynamically. It is a generic name or a network constructed by such technology.

  The OFS 6 relays communication packets between a plurality of terminals 7 based on route control information (or relay control information, transfer control information). Specifically, the communication packet transfer control is performed with reference to the stored flow table. Here, the flow table is a table that stores path information calculated by the OFC 3, and is a table that is referred to when the OFS 6 processes packet transfer. This flow table includes one or more flow entries, and each flow entry includes a data transfer condition (Match) and an operation instruction (Instructions) when the condition is met. The condition part includes, for example, a packet source such as a source or destination IP (Internet Protocol) address, a source or destination MAC (Media Access Control) address, a VLAN (Virtual Local Area Network) ID, and an input port number. Header information is specified. Alternatively, an arbitrary bit value set in one or more header fields (including a Type of Service field and a Class of Service field) and a plurality of different bits are designated. On the other hand, for example, data transfer (Output command), data discard (Drop command), and data header information rewrite (Set-Field command) are specified in the operation instruction portion. When receiving the packet, the OFS 6 checks whether a condition that matches the header information of the packet exists in the flow table, and if it exists, executes the process according to the operation instruction corresponding to the condition. In addition, a priority (Priority), a counter (Counters), a valid period (Timeouts), and a cookie (Cookie) may be specified in the flow entry.

  The OFS 6 communicates with the OFC 3 according to the OpenFlow protocol via an OpenFlow channel (secure channel) (not shown). When receiving a flow entry modification message (Flow Modify message) from the OFC 3, the OFS 6 performs processing such as addition, update, and deletion of a flow entry in accordance with the message. Further, when receiving a packet, the OFS 6 transmits a PacketIn message to the OFC 3 when a condition that matches the header information of the packet does not exist in the flow table. This PacketIn message is a message transmitted to inquire the OFC 3 about the packet processing method when there is no flow entry that matches the received packet. When a flow entry change message is sent from the OFC 3 as a response to this message, the OFS 6 performs a flow entry addition process according to the message.

  Next, the terminal 7 is a computer device that communicates with each other via the OFS 6. The terminal 7 includes, for example, an arithmetic device such as a CPU (Central Processing Unit), a storage device such as an HDD (Hard Disk Drive), an input device such as a keyboard and a mouse, a display device such as a liquid crystal display, a network card, etc. The communication interface is provided.

1-4. Configuration of DB2 FIG. 4 is a diagram illustrating various tables that configure DB2. The DB 2 includes a physical link information table 21, a logical link information table 22, a terminal connection state table 23, and a snap information table 24, as shown in FIG. The physical link information table 21 is used to draw a topology diagram of the physical network in the malware influence range visualization process described later. Other tables are used to draw a topology diagram of the virtual network in the same processing.

  FIG. 5 is a diagram illustrating an example of the physical link information table 21. The physical link information table 21 is a table that stores physical link information indicating physical links between OFSs 6 constituting the communication network 1. As shown in the figure, each record constituting the physical link information table 21 includes a DPID (src_DPID) of the transmission source OFS6, a transmission port number (src_PortNo) of the transmission source OFS6, and a DPID (dst_DPID) of the destination OFS6. The destination OFS 6 includes a receiving port number (dst_PortNo) and a snap ID (SnapID) field. Here, DPID (Datapath ID) is identification information for uniquely identifying the OFS 6. The snap ID will be described later.

  FIG. 6 is a diagram illustrating an example of the logical link information table 22. The logical link information table 22 is a table that stores logical link information indicating logical links between OFSs 6 constituting the communication network 1 in association with snap IDs. As shown in the figure, each record constituting the logical link information table 22 includes a DPID (src_DPID) of the transmission source OFS 6, a transmission port number (src_PortNo) of the transmission source OFS 6, a network ID, a user ID, It consists of each field of terminal flag and snap ID. Here, the network ID is identification information for uniquely identifying the network in the present embodiment. As the network ID, a VLAN-ID in the data transfer condition (Match) is used unless otherwise specified. Note that the network ID is limited to 4094, which is the upper limit of the number of VLAN-IDs. Therefore, if a larger number of networks is required, another data transfer condition part is used in combination. The user ID is identification information for uniquely identifying the terminal 7. The terminal flag is a flag (boolean type variable) indicating whether the OFS 6 is directly connected to the terminal 7 or not. It is “true” when directly connected, and “false” when not directly connected. The snap ID will be described later.

  FIG. 7 is a diagram illustrating an example of the terminal connection state table 23. The terminal connection status table 23 is a table that stores connection status information indicating the connection status of each terminal 7 constituting the communication network 1 in association with a time stamp. As shown in the figure, each record constituting the terminal connection status table 23 includes a user ID, a login authenticated account name, a connection status (loginStatus), a transmission source IP address, and a transmission source MAC address. , And network ID and snap ID fields. Here, the connection state is a boolean variable indicating whether or not the terminal 7 is connected. For example, the connection state is “true” when connected, and “false” when disconnected. Become. This connection state is referred to in order to specify the connection period during which the terminal 7 is connected to the network.

  FIG. 8 is a diagram illustrating an example of the snap information table 24. The snap information table 24 is a table that stores a snap ID and a time stamp in association with each other. As shown in the figure, each record constituting the snap information table 24 is composed of fields of a snap ID, a time stamp, and a logical link acquisition identifier. Here, the snap ID is identification information for uniquely identifying each time stamp. The time stamp is a character string indicating the date and time (specifically, date (yyyy / mm / dd) and time (hh: mm: ss)) when the network configuration information is recorded in the DB 2 by the OFC 3. The logical link acquisition identifier is an identifier for identifying a snap ID indicating the date and time when the logical link information was recorded.

1-5. Configuration of OFC 3 OFC 3 is a control device that complies with the OpenFlow specification, and is a control device that collectively manages the behavior of a plurality of OFSs 6. The OFC 3 performs route calculation for data transfer in the communication network 1 and controls each OFS 6 so that data transfer is performed along the calculated route.

  FIG. 9 is a diagram illustrating an example of a functional configuration of the malware influence range specifying system 100. The OFC 3 includes the functions of a network control unit 31 and a recording unit 32 as shown in FIG. The recording unit 32 includes a physical link recording unit 321, a logical link recording unit 322, a terminal connection state recording unit 323, and a snap information recording unit 324. Each of these functions is realized, for example, by executing a program by an arithmetic device such as a CPU.

  The network control unit 31 calculates the route of the communication network 1 and updates the route control information stored in each OFS 6 to change the configuration of the communication network 1. Specifically, the logical link of the communication network 1 is changed by transmitting a flow entry change message to each OFS 6 and updating the flow entry stored in the OFS 6. The flow entries recorded in each OFS 6 are centrally managed in a flow management table (not shown). When the flow entry is updated in each OFS 6, the information in the flow management table is updated accordingly.

  The physical link recording unit 321 records physical link information of the entire communication network 1 in the physical link information table 21. In other words, information indicating the physical topology of the communication network 1 is recorded in the physical link information table 21. In the present embodiment, the recording is performed periodically. However, the recording may be performed in response to detection of a physical topology change. Alternatively, it may be sequentially executed with the route calculation of the communication network 1 and the login or logout of the terminal 7 as a trigger.

  FIG. 10 is a diagram for explaining an example of a method for detecting the physical topology of the communication network 1. In the example shown in the figure, LLDP (Link Layer Discovery Protocol) is used. In this example, it is assumed that the physical link connected to the port 11 of the OFS 6A is examined.

First, the OFC 3 creates an LLDP packet in which the DPID of the OFS 6A and the port number “11” are embedded (step Sa1). Next, the OFC 3 transmits the above LLDP packet to the OFS 6A as a PacketOut message including an operation instruction “output from the port 11” (step Sa2). The OFS 6A that has received the LLDP packet outputs the LLDP packet from the port 11 in accordance with the operation instruction (step Sa3). When the OFS 6B connected to the port 11 receives the LLDP packet output from the OFS 6A, the OFS 6B checks the processing method of the packet with reference to its own flow table. At this time, however, since the flow entry matching the packet is not set in the OFS 6B, the OFS 6B outputs the received LLDP packet to the OFC 3 as a PacketIn message (step Sa4). The OFC 3 that has received the LLDP packet detects the presence of a physical link between the OFS 6A and the OFS 6B by analyzing the packet (step Sa5). If no OFS 6 continuously sends LLDP packets n times, the OFC 3 determines that the physical link connected to the port 11 of the OFS 6A is disconnected.
The OFC 3 grasps the physical topology of the communication network 1 by repeatedly performing the procedure described above for the connected OFS 6. As described above, the transmission of the LLDP packet triggers a change in the physical link.

  Next, the logical link recording unit 322 records the logical link information of the entire communication network 1 in the logical link information table 22 in association with the snap ID. In other words, information indicating the logical topology of the communication network 1 is recorded in the logical link information table 22 in association with the snap ID. The logical link recording unit 322 reads the logical link information from the flow management table described above and writes it in the logical link information table 22. Here, the snap ID is generated as identification information for identifying a time stamp indicating the time of the recording. In the present embodiment, the recording of information in the logical link information table 22 is performed periodically, but may be performed in response to a change in logical topology.

  FIG. 11 is a diagram illustrating an example of logical link information recorded in the logical link information table 22. FIG. 11A is a diagram illustrating an example of a data configuration of logical link information (in other words, a flow entry), and FIG. 11B is a diagram illustrating an example of a logical topology represented by the logical link information. is there. The example illustrated in FIG. 11 illustrates an example of a logical link that is set when communication is performed from the terminal 7A to the terminal 7C in the communication network 1.

  FIG. 12 is a diagram for explaining another example of the logical link information recorded in the logical link information table 22. FIG. 12A is a diagram illustrating another example of the data configuration of the logical link information (in other words, the flow entry), and FIG. 12B is another example of the logical topology represented by the logical link information. FIG. The example illustrated in FIG. 12 illustrates an example of a logical link that is set when communication is performed from the terminal 7B to the terminal 7D in the communication network 1.

  Next, the terminal connection state recording unit 323 records connection state information indicating the connection state of each terminal 7 constituting the communication network 1 in the terminal connection state table 23 in association with a time stamp. The recording is executed when the terminal 7 logs in and when logging out.

  FIG. 13 is a diagram illustrating an example of a procedure for recording connection state information at the time of login. According to the procedure shown in the figure, when the OFS 6A receives a packet that does not match its own flow table from the terminal 7A (step Sb1), it transmits the received packet to the OFC 3 using the PacketIn message (step Sb2). The OFC 3 that has received the packet identifies the source IP address and the source MAC address with reference to the header information of the packet. Further, the OFC 3 specifies the user ID and the account name based on the specified address information. Further, the OFC 3 specifies the variable “true” as the connection state and specifies the network ID assigned to the path for transferring the received packet. Then, the information specified above (that is, the connection state information) is recorded in the terminal connection state table 23 in association with the time stamp indicating the recording time (step Sb3).

  On the other hand, when logging out, specifically, when the OFC 3 receives a packet requesting logout transmitted from the terminal 7 via the OFS 6, or when the OFC 3 that the terminal 7 has logged out due to a session timeout is determined. is there. In these cases, the OFC 3 records the connection state information specifying the variable “false” as the connection state in the terminal connection state table 23 in association with the time stamp indicating the recording time.

  Note that the method of determining login and logout is not limited to the above example. For example, login and logout may be determined by an external authentication server (for example, an LDAP (Lightweight Directory Access Protocol) server or active directory) and the OFC 3 in cooperation. Alternatively, the external servlet function and the OFC 3 may make a determination in cooperation.

  Next, the snap information recording unit 324 records the snap ID and the time stamp in the snap information table 24 in association with each other. Here, the time stamp associated with the snap ID is the time when the logical link information is recorded in the logical link information table 22 by the logical link recording unit 322 or the terminal connection state table by the terminal connection state recording unit 323. 23 is a time stamp indicating the point in time when the connection status information is recorded for 23. Network configuration information (physical link information, logical link information, or connection status information) associated with a snap ID is called a snapshot.

1-6. Configuration of Detection Device 4 The detection device 4 is, for example, a computer device equipped with SIEM (Security Information and Event Management). The detection device 4 collects log information and event data in real time from servers, network devices, security devices, and the like existing on the communication network 1 and detects the intrusion of malware by performing a correlation analysis. When a malware intrusion is detected, the time of the malware intrusion is specified, time information indicating the time of the intrusion, and identification information (specifically, an IP address and a MAC address) of the terminal 7 invaded by the malware. ) To the user U.

  Here, examples of the security device include a firewall, IDS (Intrusion Detection System), IPS (Intrusion Prevention System), SPF (Sender Policy Framework), spam filter, Web filtering is included. SPF (Sender Policy Framework) and spam filter detect email-type malware, and web filtering detects web-type malware. IDS and IPS detect malware for all communications. In the present embodiment, malware is harmful software.

  The detection device 4 may be a sandbox type firewall. Specifically, it may be a firewall that executes a file passing through itself in a virtual space (sandbox) on the cloud, detects malware by monitoring its operation, and updates the signature as needed.

1-7. Configuration of NW Visualization Device 5 As shown in FIG. 9, the NW visualization device 5 includes an intrusion time specifying unit 51, an infected terminal specifying unit 52, a snap ID acquiring unit 53, an infected terminal ID acquiring unit 54, a virtual Network identification unit (hereinafter referred to as “virtual NW identification unit”) 55, infection suspected terminal identification unit 56, physical link identification unit 57, logical link identification unit 58, score calculation unit 59, and topology diagram creation unit 60 and the function of the display unit 61. Each of these functions is realized, for example, by executing a program by an arithmetic device such as a CPU.

  The intrusion time specifying unit 51 acquires time information indicating the intrusion time T for the first terminal 7 invaded by malware. The time information indicating the entry time T is input to the NW visualization device 5 by the user U, for example. The intrusion time T is represented by, for example, a combination of date (yyyy / mm / dd) and time (hh: mm: ss).

  The infected terminal specifying unit 52 acquires terminal information indicating the first terminal 7 invaded by malware. This terminal information is identification information for identifying the first terminal 7, and is specifically an IP address or a MAC address. This terminal information is input to the NW visualization device 5 by the user U, for example.

  The snap ID acquisition unit 53 acquires a snap ID corresponding to the intrusion time T specified by the intrusion time specifying unit 51. Specifically, the snap ID associated with the time stamp specified based on the intrusion time T indicated by the time information acquired by the intrusion time specifying unit 51 is acquired from the snap information table 24. Specifically, the snap ID acquired here is a snap ID associated with a time stamp that is past the intrusion time T, and the latest snap ID whose logical link acquisition identifier is “1”. It is.

  The infected terminal ID acquisition unit 54 acquires the user ID of the first terminal 7 specified by the infected terminal specifying unit 52. Specifically, the user ID associated with the terminal information acquired by the infected terminal specifying unit 52 is acquired from the terminal connection state table 23.

  The virtual NW specifying unit 55 specifies the first virtual network (or logical network) to which the first terminal 7 specified by the infected terminal specifying unit 52 belongs. Specifically, the terminal information acquired by the infected terminal identification unit 52 and the first virtual network information associated with the user ID acquired by the infected terminal ID acquisition unit 54 are acquired from the terminal connection state table 23. . Here, the virtual network information is, for example, a network ID or a network segment ID.

  The infection suspected terminal specifying unit 56 specifies the second terminal 7 that may have been infected secondarily through the first virtual network specified by the virtual NW specifying unit 55. Specifically, the second terminal different from the first terminal 7 indicated in the terminal information acquired by the infected terminal specifying unit 52, which is associated with the first virtual network information acquired by the virtual NW specifying unit 55 The terminal information indicating 7 is acquired from the terminal connection state table 23. The terminal information acquired here is, for example, identification information such as a user ID.

  When the suspected infection identifying unit 56 identifies the second terminal 7, the login period for the first virtual network identified by the virtual NW identifying unit 55 overlaps with the first terminal 7 identified by the infected terminal identifying unit 52. The second terminal 7 to be identified is specified. Specifically, the second terminal 7 in which the period in which the first virtual network indicated by the first virtual network information acquired by the virtual NW specifying unit 55 is in the connected state overlaps with the first terminal 7 is specified. .

  In addition, when the suspected infection terminal specifying unit 56 specifies the second terminal 7, the second terminal 7 whose at least part of the overlapping login period is after the intrusion time T is specified. In other words, the second terminal 7 in which at least a part of the overlapping period of the connection state with respect to the first virtual network is after the intrusion time T is specified.

  In addition to specifying the second terminal 7, the infection suspected terminal specifying unit 56 specifies the second virtual network when the virtual NW specifying unit 55 specifies the second virtual network to which the first terminal 7 belongs. The third terminal 7 that may possibly be secondary infected via the network is specified. Specifically, when the second virtual network information associated with the terminal information of the first terminal 7 is acquired from the terminal connection state table 23 by the virtual NW specifying unit 55, the second virtual network information is associated with the second virtual network information. Terminal information indicating a third terminal 7 different from the first and second terminals 7 is obtained from the terminal connection state table 23.

  In addition, after identifying the second terminal 7, the infection suspected terminal identifying unit 56 identifies the third virtual network to which the second terminal 7 belongs by the virtual NW identifying unit 55, via the third virtual network. Thus, the fourth terminal 7 that may possibly be secondaryly infected is identified. Specifically, when the third virtual network information associated with the terminal information indicating the second terminal 7 is acquired from the terminal connection state table 23 by the virtual NW specifying unit 55, the third virtual network information is associated with the third virtual network information. Terminal information indicating the fourth terminal 7 different from the first to third terminals 7 is acquired from the terminal connection state table 23.

  The physical link specifying unit 57 acquires the physical link information of the communication network 1 from the physical link information table 21. Specifically, physical link information associated with a snap ID after the snap ID acquired by the snap ID acquisition unit 53 is acquired.

  The logical link specifying unit 58 acquires the logical link information of the communication network 1 from the logical link information table 22. Specifically, logical link information associated with a snap ID after the snap ID acquired by the snap ID acquisition unit 53 is acquired.

  The score calculation unit 59 calculates a score P indicating the probability of malware infection for each terminal 7 specified by the infection suspected terminal specifying unit 56.

  The topology diagram creating unit 60 draws a diagram showing the topology of the communication network 1. Here, the topology is a physical and / or logical connection form of the communication network 1. Specifically, the topology diagram creating unit 60 refers to the physical link information acquired by the physical link specifying unit 57, shows the OFS 6 as a node, and draws a physical topology diagram with the physical link between the OFS 6 as an edge. . Further, the topology diagram creating unit 60 refers to the logical link information acquired by the logical link specifying unit 58 and draws a logical topology diagram in which the OFS 6 is indicated by a node and the logical link between the OFSs 6 is an edge. At this time, the topology diagram creation unit 60 draws a logical topology diagram over the physical topology diagram. Further, the topology diagram creating unit 60 draws each terminal 7 identified by the infection suspected terminal identifying unit 56 as a node in the logical topology diagram. In addition, the display mode of the node indicating each terminal 7 drawn at this time is determined according to the score P calculated by the score calculation unit 59.

  The display unit 61 displays the topology diagram created by the topology diagram creation unit 60 on a display device such as a liquid crystal display. The display unit 61 is an example of an output unit that outputs data indicating the topology diagram created by the topology diagram creation unit 60.

1-8. Operation of Malware Influence Range Identification System 100 The operation of the malware influence range identification system 100 will be described. Specifically, a process for identifying the affected area of the malware when detecting the intrusion of the malware and a process for visualizing the identified affected area of the malware will be described.

1-8-1. Malware Influence Range Identification Processing FIGS. 14 and 15 are flowcharts showing malware influence range identification processing. In this process, for example, when the user U who has received an alert of malware detection from the detection device 4 has received the malware intrusion into the NW visualization device 5, the identification information of the terminal 7 and the time information indicating the intrusion time T It is executed by inputting.

  In step Sc1 of this process, the infected terminal identification unit 52 of the NW visualization device 5 uses terminal information (specifically, “infected terminal 7” in the description of this process) that has been invaded by malware. IP address and MAC address), and the intrusion time specifying unit 51 acquires time information indicating the intrusion time T.

  Next, the snap ID acquisition unit 53 is a snap ID associated with a time stamp in the past from the intrusion time T, and the latest snap ID whose logical link acquisition identifier is “1” is stored in the snap information table. 24 (step Sc2). Here, the snap ID whose logical link acquisition identifier is “1” is acquired because the snap ID corresponding to the point in time when the logical link information is recorded among the snap IDs recorded in the snap information table 24. It is for acquiring. For example, when the intrusion time T is “2015/03/01 12:30:00”, the snap ID acquisition unit 53 acquires the snap ID “1” in the snap information table 24 shown in FIG. To do.

  Next, the infected terminal ID acquisition unit 54 acquires the user ID of the infected terminal 7 from the terminal connection state table 23 (step Sc3). For example, when the IP address of the infected terminal 7 is “ip2” and the MAC address is “mac2”, the infected terminal ID acquisition unit 54 determines the user ID in the terminal connection state table 23 shown in FIG. “2” is acquired. Then, the infected terminal ID acquisition unit 54 records the acquired user ID as, for example, a RAM (Random Access Memory) as a processing target of the subsequent loop L1.

  Next, the processing of loop L1 is executed. In this loop L1, for each user ID recorded in the RAM, it is secondary through the terminal 7 identified by the user ID (hereinafter referred to as “infection source terminal 7” in the description of this process). Information on other terminals 7 that may have been infected (hereinafter referred to as “infection suspected terminal 7” in the description of this process) is acquired.

  First, the virtual NW specifying unit 55 specifies the network to which the infection source terminal 7 belongs (step Sc4). Specifically, the network ID associated with the processing target user ID of the loop L1 is acquired from the terminal connection state table 23. For example, when the user ID to be processed in the loop L1 is “2”, the virtual NW specifying unit 55 sets the network IDs “vlan2” and “vlan8” in the terminal connection state table 23 illustrated in FIG. get.

  Next, the process of loop L2 is executed. In this loop L2, information on the suspected infection terminal 7 is acquired for each network ID specified in step Sc4. In other words, information on the suspected infection terminal 7 is acquired with each network to which the infection source terminal 7 belongs as an infection route.

  First, the infection suspected terminal identification unit 56 identifies a period during which the infection source terminal 7 has logged in to the network serving as an infection route (ie, a login period) (step Sc5). Specifically, referring to the terminal connection state table 23, the period during which the terminal 7 identified by the user ID subject to processing in the loop L1 is logged into the network identified by the processing subject network ID in the loop L2 is referred to. Identify. For example, if the network ID of the processing target of the loop L2 is “vlan2” and the user ID of the processing target of the loop L1 is “2”, the infection suspected terminal identifying unit 56 is connected to the terminal shown in FIG. In the state table 23, snap IDs “3” to “8” are acquired as login periods.

  Next, the infected suspected terminal identifying unit 56 identifies a terminal that belongs to the infection route network and is a candidate for the suspected infected terminal 7 (hereinafter, referred to as “infected suspected candidate terminal 7” in the description of this process). (Step Sc6). Specifically, the user ID associated with the network ID to be processed in the loop L2 is acquired from the terminal connection state table 23. For example, when the network ID that is the processing target of the loop L2 is “vlan2”, the infection suspected terminal specifying unit 56 acquires the user ID “4” in the terminal connection state table 23 illustrated in FIG.

  Next, the process of loop L3 is executed. In this loop L3, it is determined whether or not the information should be acquired as the suspected infection terminal 7 for each user ID acquired in step Sc6. In other words, it is determined whether each of the suspected infection candidate terminals 7 is the suspected infection terminal 7 or not.

  First, the infection suspected terminal identifying unit 56 identifies a period during which the suspected infection candidate terminal 7 has logged in to the network of the infection route (that is, a login period) (step Sc7). Specifically, the period during which the terminal 7 identified by the processing target user ID of the loop L3 is logged in to the network identified by the processing target network ID of the loop L2 is specified. For example, if the user ID that is the processing target of the loop L3 is “4” and the network ID that is the processing target of the loop L2 is “vlan2”, the infected suspected terminal identifying unit 56 is connected to the terminal shown in FIG. In the state table 23, snap IDs “5” to “11” are acquired as login periods.

  Next, the infection suspected terminal specifying unit 56 determines whether or not the login period of the infection source terminal 7 and the login period of the infection suspected candidate terminal 7 overlap (step Sc8). Specifically, it is determined whether or not the login period specified in step Sc5 and the login period specified in step Sc7 overlap. For example, when snap IDs “3” to “8” are acquired as login periods in step Sc5 and snap IDs “5” to “11” are acquired as login periods in step Sc7, snap ID “5” is acquired. Since both are duplicated in “8”, the infected suspected terminal identifying unit 56 determines that the login periods are duplicated. If the result of this determination is affirmative (step Sc8; YES), the infection suspected terminal specifying unit 56 executes step Sc9.

  In step Sc9, the suspected infection terminal specifying unit 56 determines that at least part of the login period overlapping between the infection source terminal 7 and the suspected infection candidate terminal 7 is a period during which the infection source terminal 7 may have been infected. It is determined whether or not it is after the start of (step Sc9). Specifically, it is determined whether or not at least a part of the overlapping login periods in step Sc8 is after the beginning of the overlapping login period recorded in the RAM in association with the processing target user ID of the loop L1. To do. However, in this step, if the user ID to be processed in the loop L1 is the user ID of the infected terminal 7, whether or not at least part of the overlapping login period in step Sc8 is after the intrusion time T or not. to decide. For example, the infection suspected terminal identifying unit 56 identifies the snap IDs “5” to “8” as the overlapping login periods in step Sc8, and the snap ID identified in step Sc2 is “2”. Since IDs “5” to “8” are identifiers indicating times after the snap ID “2”, it is determined that the overlapping login period is after the intrusion time T.

  If the result of this determination is affirmative (step Sc9; YES), the infected suspected terminal identifying unit 56 determines that the suspected infected terminal 7 is the suspected infected terminal 7, and the infected suspected candidate terminal 7 Information is acquired (step Sc10). Specifically, the account name, IP address, and MAC address associated with the user ID specified in step Sc6 are acquired from the terminal connection state table 23.

  Further, the infection suspected terminal specifying unit 56 records the user ID of the infection suspected candidate terminal 7 (that is, the user ID specified in step Sc6) in the RAM as a processing target of the loop L1 (step Sc11). At this time, the suspected infection terminal specifying unit 56 adds the user ID of the infection source terminal 7 (that is, the user ID that is the processing target of the loop L1) to the head of the user ID of the suspected infection candidate terminal 7. Record in RAM. For example, if the user ID identified in step Sc6 is “4” and the user ID that is the processing target of the loop L1 is “2”, the infection suspected terminal identification unit 56 determines “2-4”. Is recorded in the RAM. This is to specify the user ID of the ancestor node to be excluded in the process of step Sc6 described later.

  Further, the infected suspected terminal specifying unit 56 records the overlapping login period specified in step Sc9 in association with the user ID of the suspected infected terminal 7 (ie, the user ID specified in step Sc6), for example, in the RAM. (Step Sc12). At this time, the suspected infection terminal specifying unit 56 adds the user ID of the infection source terminal 7 (that is, the user ID that is the processing target of the loop L1) to the head of the user ID of the suspected infection candidate terminal 7. To record in RAM.

  After execution of step Sc12, or when the determination result of step Sc8 or Sc9 is negative (step Sc8 or Sc9; NO), if there is a user ID to be processed in loop L3, Loop L3 is executed for the user ID. If such a user ID does not exist and if there is a network ID to be processed in loop L2, loop L2 is executed for the network ID. If such a network ID does not exist and there is a user ID to be processed in the loop L1, the loop L1 is executed for the user ID. If there is no such user ID, this process ends.

  Here, it is assumed that there is no processing target for the loop L3 and the loop L2, and the user ID “2-4” exists as the processing target for the loop L1. In this case, the process returns to step Sc4, and the virtual NW specifying unit 55 specifies the network to which the infection source terminal 7 identified by the user ID “2-4” belongs. Specifically, the network ID associated with the user ID “2-4” is acquired from the terminal connection state table 23. At this time, if the user ID is a numerical sequence such as “2-4”, the virtual NW specifying unit 55 is associated with the user ID at the end of the numerical sequence (here, “4”). Get an ID. In this step, the virtual NW specifying unit 55 acquires the network IDs “vlan2” and “vlan10” in the terminal connection state table 23 shown in FIG.

  Next, the process of loop L2 is executed. In this loop L2, information on the suspected infection terminal 7 is acquired for the network IDs “vlan2” and “vlan10” specified in step Sc4. In other words, information on the suspected infection terminal 7 is acquired with each network to which the infection source terminal 7 belongs as an infection route.

  First, assuming that the network ID “vlan2” is the processing target of the loop L2, the infection suspected terminal identifying unit 56 is a period during which the infection source terminal 7 has logged in to the network of the infection route identified by the network ID “vlan2”. (That is, the login period) is specified (step Sc5). Specifically, a period during which the terminal 7 identified by the user ID “2-4” is logged in to the network identified by the network ID “vlan2” is specified with reference to the terminal connection state table 23. At this time, if the user ID is a numerical sequence such as “2-4”, the infected suspected terminal identifying unit 56 identifies the terminal 7 identified by the user ID at the end of the numerical sequence (here, “4”). Specify how long the user has been logged in. In this step, the infection suspected terminal identifying unit 56 acquires snap IDs “5” to “11” as login periods in the terminal connection state table 23 shown in FIG.

  Next, the infected suspected terminal specifying unit 56 specifies the suspected infected terminal 7 belonging to the infection route network (step Sc6). Specifically, the user ID associated with the network ID “vlan2” is acquired from the terminal connection state table 23. In this step, the infection suspected terminal specifying unit 56 acquires the user ID “2” in the terminal connection state table 23 shown in FIG. However, in this step, the suspected infection terminal specifying unit 56 excludes the user ID corresponding to the ancestor node of the user ID to be processed. Here, the ancestor node is a direct terminal 7 that has mediated the infection in the process until the infection source terminal 7 itself is infected. Since the acquired user ID “2” corresponds to the ancestor node of the user ID “2-4”, it is excluded.

  Next, the process of loop L3 is executed. However, since there is no user ID to be processed in this loop, the processing in this loop ends. Then, the process returns to step Sc5, and the process of loop L2 is started for the network ID “vlan10”.

  When the network ID “vlan10” is the processing target of the loop L2, the suspected infection terminal identifying unit 56 is a period during which the infection source terminal 7 has logged in to the network of the infection route identified by the network ID “vlan10” (that is, login) (Period) is specified (step Sc5). Specifically, the period in which the terminal 7 identified by the user ID “2-4” is logged in to the network identified by the network ID “vlan10” is specified with reference to the terminal connection state table 23. In this step, the infected suspected terminal specifying unit 56 acquires snap IDs “17” to “25” as the login period in the terminal connection state table 23 shown in FIG.

  Next, the infected suspected terminal specifying unit 56 specifies the suspected infected terminal 7 belonging to the infection route network (step Sc6). Specifically, the user ID associated with the network ID “vlan10” is acquired from the terminal connection state table 23. In this step, the suspected infection terminal specifying unit 56 acquires the user ID “16” in the terminal connection state table 23 shown in FIG. The user ID “16” is not excluded because it does not correspond to the ancestor node of the user ID “4”.

  Next, the process of loop L3 is executed. In this loop L3, it is determined whether the infection suspected candidate terminal 7 identified by the user ID “16” is the infection suspected terminal 7 or not.

  First, the infection suspected terminal identifying unit 56 identifies a period during which the suspected infection candidate terminal 7 has logged in to the network of the infection route (that is, a login period) (step Sc7). Specifically, the period during which the terminal 7 identified by the user ID “16” has logged into the network identified by the network ID “vlan10” is specified. In this step, the infected suspected terminal specifying unit 56 acquires snap IDs “18” to “24” as the login period in the terminal connection state table 23 shown in FIG.

  Next, the infection suspected terminal specifying unit 56 determines whether or not the login period of the infection source terminal 7 and the login period of the infection suspected candidate terminal 7 overlap (step Sc8). Specifically, it is determined whether or not the login period specified in step Sc5 and the login period specified in step Sc7 overlap. In this determination, the suspected infection terminal specifying unit 56 determines that the login period overlaps because the snap ID specified in step Sc5 and the snap ID specified in step Sc7 overlap between snap IDs “18” to “24”. Judgment is made (step Sc8; YES).

  If the result of this determination is affirmative, then the infected suspected terminal identifying unit 56 next determines that the infected source terminal 7 has the infection period when the overlapping login period between the infected source terminal 7 and the suspected infected terminal 7 exists. It is determined whether or not it is after the beginning of a period that may have been received (step Sc9). Specifically, it is determined whether or not the overlapping login period in step Sc8 is after the start of the overlapping login period recorded in the RAM in association with the user ID “2-4”. In this determination, the suspected infection terminal specifying unit 56 has the duplicate login periods in step Sc8 as the snap IDs “18” to “24”, and is recorded in the RAM in association with the user ID “2-4”. Since the start of the login period is the snap ID “5” and the snap IDs “18” to “24” are identifiers indicating the time after the snap ID “5”, a positive determination is made (step Sc9; YES).

  If the result of this determination is affirmative, the infected suspected terminal identifying unit 56 determines that the suspected infected terminal 7 is the suspected infected terminal 7, and acquires information on the suspected infected terminal 7 (step Sc10). . Specifically, the account name, IP address, and MAC address associated with the user ID “16” are acquired from the terminal connection state table 23.

  Further, the infection suspected terminal specifying unit 56 records the user ID of the suspected infection candidate terminal 7 (that is, the user ID “16”) in the RAM as a processing target of the loop L1 (step Sc11). At this time, the suspected infection terminal specifying unit 56 adds the user ID of the infection source terminal 7 (ie, the user ID “2-4”) to the head of the user ID of the suspected infection candidate terminal 7 and records it in the RAM. . In this step, the infection suspected terminal identifying unit 56 records the user ID “2-4-16” in the RAM.

  Further, the infected suspected terminal specifying unit 56 records the overlapping login period specified in step Sc9 in the RAM in association with the user ID of the suspected candidate terminal terminal 7 (ie, user ID “2-4-16”). (Step Sc12).

After execution of step Sc12, there is no processing target for loop L3 and loop L2, so loop L1 is executed. In this loop L1, the user ID recorded in the RAM including the user ID “2-4-16” is the processing target.
The above is the description of the malware influence range specifying process.

  Next, application examples of the above-described malware influence range specifying process will be described with reference to FIGS.

  First, FIG. 16 is a diagram illustrating a state after steps Sc1 to Sc5 in the malware influence range specifying process are executed. Specifically, as a result of executing Steps Sc1 to Sc5, the user ID of the infected terminal 7 is specified, the network ID of the network to which the infected terminal 7 belongs is specified, and the login period of the infected terminal 7 is specified. It is a figure which shows the state made. FIG. 16A is a tree diagram showing the influence range of malware specified in this state, and FIG. 16B is a diagram of the terminal connection state table 23A to which the malware influence range specifying process is applied in this application example. It is a figure which shows an example.

  More specifically, the tree diagram shown in FIG. 16A is a diagram showing the history of the estimated spread of malware infection. In the figure, the terminal 7 is represented as a node, and the relationship between the infection source terminal 7 and the infected terminal 7 is represented by a link. The lower the tree, the greater the order of infection. The description relating to this tree diagram is valid also in the tree diagrams of FIGS. In the state shown in FIG. 16A, only the user A is specified as the primary infection source.

  A terminal connection state table 23A shown in FIG. 16B is a simplified table of the terminal connection state table 23 shown in FIG. In the terminal connection state table 23A, only the user ID, the network ID, and the snap ID among the data recorded in the terminal connection state table 23 are recorded. Each row of the terminal connection state table 23A corresponds to a user ID, each column corresponds to a snap ID, and a network ID is stored at a position where the row and the column intersect. For example, this table indicates that the terminal 7 of the user “A” belongs to the network identified by the network ID “VID1” in the period indicated by the snap IDs “1” to “10”.

  In the description of this application example, malware intrusion occurs at the time indicated by the snap ID “1” in the terminal connection state table 23A, and the malware influence range specifying process is executed at the time indicated by the snap ID “10”. Assuming that Further, it is assumed that the terminal 7 identified by any user ID is in the login state at any time point indicated by any snap ID in the terminal connection state table 23A. The above description of the terminal connection state table 23A is valid also in the terminal connection state table 23A of FIGS.

  Next, FIG. 17 shows a state after the loop L1 in the malware influence range specifying process is executed for the user “A”. As shown in FIG. 17B, among the users other than the user “A”, the user “B” has the network ID “VID1” as the user “D” during the period indicated by the snap IDs “1” to “5”. A ”(see Step Sc6 in FIG. 14). Further, the user “B” does not correspond to an ancestor node for the user “A” (see step Sc6 in FIG. 14). Further, during the same period, both the users “A” and “B” are in the login state (see step Sc8 in FIG. 15). Further, the period of synchronization is after the malware intrusion time T indicated by the snap ID “1” (see step Sc9 in FIG. 15) (the intrusion time T is also represented as the start time of the investigation period in FIG. 17B). Has been). Therefore, the user ID “B” is specified as the secondary infection source as shown in FIG. In the state shown in FIG. 17, as with user “B”, users “E” and “F” are also identified as secondary infection sources.

  FIG. 18 shows a state after the loop L1 in the malware influence range specifying process is executed for the user “B” (the user “B” having the user “A” as a parent node). As shown in FIG. 18B, among the users other than the users “A” and “B”, the user “C” has the network ID “VID2” in the period indicated by the snap IDs “6” to “10”. "Is common to the user" B "(see step Sc6 in FIG. 14). Further, the user “C” does not correspond to an ancestor node for the user “B” (see step Sc6 in FIG. 14). In addition, during the same period, the users “B” and “C” are both logged in (see step Sc8 in FIG. 15). Also, during the same period, it is after the beginning of the period in which the user “B” may have been infected (see step Sc9 in FIG. 15) (the beginning is the start point of the investigation period in FIG. 18B). Represented.) Therefore, the user ID “C” is specified as a tertiary infection source, as shown in FIG. In the state shown in FIG. 18, as with the user “C”, the users “E” and “F” are identified as the tertiary infection sources.

  FIG. 19 is a tree diagram showing the malware influence range specified when all the user IDs to be processed in the loop L1 are processed as a result of repeating the loop L1 in the malware influence range specifying process. In the tree diagram shown in the figure, up to the sixth infection source is specified.

1-8-2. Malware Influence Range Visualization Processing FIG. 20 is a flowchart showing malware influence range visualization processing. This process is automatically executed after the above-described malware influence range specifying process, for example. Alternatively, it is executed in response to a predetermined instruction from the user U after execution of the malware influence range specifying process.

  In step Sd1 of this process, the physical link specifying unit 57 of the NW visualization device 5 obtains the physical link information associated with the snap ID acquired in step Sc2 of the malware influence range specifying process from the physical link information table 21. get. At this time, if there is another snap ID indicating a date after the date indicated by the snap ID in the physical link information table 21, the physical link information associated with the snap ID is also acquired. Then, the acquired physical link information is output to the topology diagram creation unit 60.

  Next, the logical link specifying unit 58 acquires the logical link information associated with the snap ID acquired in step Sc2 of the malware influence range specifying process from the logical link information table 22 (step Sd2). At this time, if another snap ID indicating the date after the date indicated by the snap ID exists in the logical link information table 22, the logical link information associated with the snap ID is also acquired. For example, when the snap ID “1” is acquired in step Sc2 of the above-described malware influence range specifying process, the logical link specifying unit 58 uses the snap ID “1” in the logical link information table 22 shown in FIG. All the logical link information associated with any one of “7” to “7” is acquired. Then, the logical link specifying unit 58 outputs the acquired logical link information to the topology diagram creating unit 60.

Next, the score calculation unit 59 calculates a score P indicating the probability of malware infection for each terminal 7 specified as the infection suspected terminal 7 as a result of the above-described malware influence range specifying process (step Sd3). This score P is calculated by, for example, calculating for each terminal 7 a score Q when the M-order infected terminal 7 is used as an infection source and summing the scores Q calculated for each order of infection. The The score Q is represented by the following formula, for example.
Q = (X · a) (Y · b) c ^M
In this equation, “X”, “Y”, and “M” indicate time, the number of terminals, and the order of infection, respectively. According to this equation, the score Q is obtained when it is in a state where it can communicate with the M-order infected terminal 7 for X hours and appears Y times as the M + 1-order infected terminal 7. “A”, “b”, and “c” are coefficients of time, number of terminals, and degree, respectively.

  FIG. 21 is a diagram illustrating an example of a method for calculating the score P. The example shown in the figure shows a case where the score P is calculated for each terminal 7 constituting the tree shown in FIG. FIG. 21A shows a table showing the number of appearances for each degree of infection for each terminal 7, and FIG. 21B shows the accumulated login period overlapping with the M-order infected terminal 7 for each terminal 7. FIG. 21 (c) is determined from the score Q for each terminal 7 when the M-order infected terminal 7 is used as the infection source, the score P that is the total value of the scores Q, and the score P. A table showing the corresponding priority. In the example shown in FIG. 21, the score Q is calculated with the coefficients “a”, “b”, and “c” being “0.7”, “0.7”, and “0.5”, respectively. .

An example of calculating the score Q will be specifically described. According to FIG. 21B, for example, the terminal 7 of the user “B” can communicate with the “M = 1” next-infected terminal 7 for “X = 5” time. Further, according to FIG. 21A, the terminal 7 of the user “B” appears “Y = 1” times as the “M + 1 = 2” next-infected terminal 7. From the above, the score Q _B1 when the terminal 7 of the user “B” uses the “M = 1” next-infected terminal 7 as an infection source is expressed by the following equation.
Q _B1 = (5 · 0.7) (1 · 0.7) 0.5 ¹ = 1.225

  The score calculation unit 59 outputs the score P calculated for each terminal 7 in this step to the topology diagram creation unit 60.

  Next, the topology diagram creating unit 60 refers to the physical link information acquired by the physical link specifying unit 57 in step Sd1, shows the OFS 6 as a rectangular node, and uses the physical link between the OFS 6 as an edge. Is drawn (step Sd4). At this time, the topology diagram creation unit 60 draws the diagram with a thin line or light color so that the physical topology diagram is not conspicuous.

  Next, the topology diagram creating unit 60 refers to the logical link information acquired by the logical link specifying unit 58 in step Sd2, indicates the OFS 6 as a rectangular node, and uses the logical link between the OFSs 6 as an edge. Is drawn (step Sd5). At this time, the topology diagram creation unit 60 draws the logical topology diagram so as to overlap the physical topology diagram. Further, the topology diagram creation unit 60 draws the logical topology diagram with a thick line or a dark color so that the logical topology diagram is more conspicuous than the physical topology diagram.

  Next, the topology diagram creation unit 60 further draws each terminal 7 identified as the infection suspected terminal 7 as a circular node in the logical topology diagram drawn in step Sd5 as a result of the malware influence range specifying process. The logical link between each terminal 7 and OFS 6 is further drawn as an edge (step Sd6). At this time, the topology diagram creating unit 60 identifies the OFS 6 connected to each terminal 7 by the logical link with reference to the logical link information acquired by the logical link identifying unit 58 in step Sd2. Further, the topology diagram creation unit 60 draws nodes and edges with bold lines or dark colors so as to stand out from the physical topology diagram. At this time, the topology diagram creation unit 60 determines the display mode (specifically, color, shape, and size) of the node indicating each terminal 7 based on the score P calculated by the score calculation unit 59 in step Sd3. To do. The topology diagram creation unit 60 outputs image data indicating the topology diagram (a set of physical topology diagram and logical topology diagram) completed in this step to the display unit 61.

  Next, the display unit 61 displays a screen including the topology diagram completed by the topology diagram creation unit 60 in step Sd6 (step Sd7).

  FIG. 22 is a diagram illustrating an example of a screen displayed by the display unit 61. The screen shown in the figure is a display area A1 where a topology diagram is displayed, check boxes CB1 and CB2 for selecting a topology diagram to be displayed from a physical topology diagram and a logical topology diagram, and a display target. Input fields F1 and F2 for designating the start and end of the period in which the logical topology was formed, and a display for displaying the user name, IP address, MAC address, and network ID of the terminal 7 of the primary infection source, respectively The area A2 to A5 and an input field F3 for designating the order of infection of the suspected infection terminal 7 to be displayed.

  In the topology diagram displayed in the display area A1, the black circle node indicates the primary infected terminal 7, and the shaded node indicates the infection suspected terminal 7. In this topology diagram, the correspondence priority value may be displayed in association with the node indicating each terminal 7. If the check boxes CB1 and CB2 are used, only the physical topology diagram can be displayed, or only the logical topology diagram can be displayed. The input fields F1, F2, and F3 will be described in detail later.

  When the logical topology diagram displayed in the display area A1 is drawn with reference to logical link information at a plurality of points in time (in other words, multiple sets of logical link information associated with different snap IDs). , A logical topology diagram at each time point is synthesized to generate one logical topology diagram.

FIG. 23 is a diagram for explaining an example in which a plurality of logical topology diagrams are combined. In the example shown in the figure, the logical topology diagrams drawn based on the logical link information corresponding to the snap IDs “X”, “Y”, and “Z” are merged to generate one logical topology diagram. Yes.
This completes the description of the malware influence range visualization process.

  According to the malware influence range specifying system 100 according to the present embodiment described above, since the network configuration information is stored in time series at a predetermined timing, the influence of malware infection also in the SDN environment where the network state frequently changes. A range can be specified. In addition, by presenting the range of influence of malware infection, log acquisition for forensics can be simplified. In addition, it is possible to visually grasp the security risk in the network, and to evaluate the validity of the affected area of malware infection.

2. Modifications The above embodiment may be modified as shown below. Further, the following modifications may be combined with each other.

2-1. Modification 1
When the order of infection N is entered in the input field F3 of the screen shown in FIG. 22, the suspected infection terminal 7 until the N-th infection is identified by the above-described malware influence range identifying process, and the identified suspected infection A node indicating the terminal 7 and a logical network to which these terminals 7 belong are displayed. For example, when the infection order “1” is designated by the user U, the screen displayed in step Sd7 includes a node indicating the primary infected terminal 7 and a logical network to which the terminal 7 belongs. Is displayed.

2-2. Modification 2
When the start and end of the display period are input to the input fields F1 and F2 of the screen shown in FIG. 22 described above, the above-described malware influence range visualization process is re-executed. At this time, the snap ID acquisition unit 53 of the NW visualization device 5 replaces the intrusion time T with a snap ID that is associated with a time stamp that is earlier than the input start time, and has a logical link acquisition identifier. The latest snap ID “1” is acquired from the snap information table 24. In step Sd1, the physical link specifying unit 57 acquires the physical link information associated with the snap ID acquired by the snap ID acquiring unit 53 from the physical link information table 21. At this time, if there is another snap ID indicating the date before and after the end date that is input, the physical link specifying unit 57 associates with the snap ID. Obtained physical link information is also acquired. Next, the logical link specifying unit 58 acquires the logical link information associated with the snap ID acquired by the snap ID acquisition unit 53 from the logical link information table 22 in step Sd2. At this time, if there is another snap ID indicating the date before and after the input end date and time after the date and time indicated by the snap ID in the logical link information table 22, the logical link specifying unit 58 The logical link information associated with the snap ID is also acquired. Further, the topology diagram creating unit 60, in step Sd6, among the terminals 7 identified as infected suspected terminals 7 as a result of the malware influence range identifying process, the terminal that was in the login state between the input start period and the end period Only 7 is drawn in the logical topology diagram. As a result, the user U can specify the influence range of the malware for a specific period from the intrusion time T to the present time (for example, a period from the intrusion time T to the detection time).

2-3. Modification 3
In the display area A2 to A4 of the screen shown in FIG. 22 described above, the information of the terminal 7 of the primary infection source is displayed in the above embodiment, but these areas indicate the terminal 7 to be searched. It may be used as an input field for specifying. For example, the display unit 61 of the NW visualization device 5 may display only the node indicating the terminal 7 specified by the input field among the identified infection suspected terminals 7 as a result of the malware influence range specifying process. Good. Alternatively, the node may be highlighted.

2-4. Modification 4
In the above embodiment, the processing result of the malware influence range specifying process is illustrated, but it may be output as character information without being illustrated. Specifically, the display unit 61 of the NW visualization device 5 acquires the result of the malware influence range identification process, information such as the user ID of the identified infection suspected terminal 7 and the result of step Sd2 of the malware influence range visualization process. The logical link information thus made may be displayed as character information. At this time, of the logical link information, only the network ID or only information other than the network ID may be displayed. Alternatively, the acquired physical link information may be displayed as character information as a result of step Sd1 of the malware influence range visualization process.

2-5. Modification 5
The communication network 1 and OFC 3 according to the above embodiment are compliant with the OpenFlow specification, but may be compliant with other protocols as long as they realize SDN.

2-6. Modification 6
The NW visualization device 5 according to the above embodiment includes the display unit 61 and can display the topology diagram created by the topology diagram creation unit 60. However, the display unit 61 is not necessarily provided. For example, the NW visualization device 5 may include an output unit that outputs data indicating the topology diagram created by the topology diagram creation unit 60 and may output the data to a computer device that the user U has.

  Further, in the above embodiment, information related to malware infection detected by the detection device 4 (specifically, the IP address and MAC address of the infected terminal 7 and information indicating the intrusion time T) is displayed by the user U on the NW visualization device. However, the information may be transmitted directly from the detection device 4 to the NW visualization device 5.

  In the above-described embodiment, the OFC 3 records various types of information on the DB 2. However, information on the DB 2 may be recorded by another device different from the OFC 3.

2-7. Modification 7
In the above embodiment, the program executed in the OFC 3 or the NW visualization device 5 may be provided via a computer-readable recording medium. Here, the recording medium is, for example, a magnetic recording medium such as a magnetic tape or a magnetic disk, an optical recording medium such as an optical disk, a magneto-optical recording medium, or a semiconductor memory. In addition, this program may be provided via a network such as the Internet.

DESCRIPTION OF SYMBOLS 1 ... Communication network, 2 ... DB, 3 ... OFC, 4 ... Detection apparatus, 5 ... NW visualization apparatus, 6 ... OFS, 7 ... Terminal, 21 ... Physical link information table, 22 ... Logical link information table, 23 ... Terminal connection Status table 24 ... Snap information table 31 ... Network control unit 32 ... Recording unit 51 ... Intrusion point specifying unit 52 ... Infected terminal specifying unit 53 ... Snap ID acquiring unit 54 ... Infected terminal ID acquiring unit 55 ... Virtual NW identification unit, 56 ... Suspicious infection terminal identification unit, 57 ... Physical link identification unit, 58 ... Logical link identification unit, 59 ... Score calculation unit, 60 ... Topology diagram creation unit, 61 ... Display unit, 100 ... Malware influence Range identification system, 321 ... physical link recording unit, 322 ... logical link recording unit, 323 ... terminal connection status recording unit, 324 ... snap information recording unit

Claims (8)

Network configuration information indicating a network configuration, which is terminal information indicating any one of a plurality of terminals included in the network, and virtual network information indicating a virtual network to which the terminal indicated by the terminal information belongs A recording unit that records network configuration information including terminal connection state information in association with each other in a database in time series,
An intrusion time identifying unit that identifies the intrusion time for the first terminal invaded by malware;
A network configuration specifying unit for acquiring network configuration information associated with the date and time specified on the basis of the specified intrusion time point in the database;
An output unit for outputting the acquired network configuration information;
An infected terminal identifying unit for obtaining first terminal information indicating the first terminal;
A virtual network specifying unit that acquires first virtual network information associated with the acquired first terminal information and the database;
An infection suspected terminal identifying unit that obtains second terminal information indicating a second terminal different from the first terminal, which is associated with the obtained first virtual network information in the database,
The output unit further outputs the acquired second terminal information. A network information output system, wherein: The network includes a plurality of relay devices that relay communication packets based on routing control information between the plurality of terminals.
The network configuration information includes logical link information indicating a logical link between the plurality of relay devices,
The network configuration specifying unit obtains the logical link information associated with the latest date and time when the logical link information is recorded in the database, the date and time before the specified intrusion time. ,
The network information output system according to claim 1, wherein the output unit outputs the acquired logical link information.   The network configuration specifying unit is a date and time before the specified intrusion time, and a plurality of dates and times that are associated with a plurality of dates and times after the most recent date and time when logical link information is recorded in the database. The network information output system according to claim 2, wherein the logical link information is acquired. The network configuration information includes terminal information indicating one of the plurality of terminals, virtual network information indicating a virtual network to which the terminal indicated by the terminal information belongs, and connection of the terminal to the virtual network Including terminal connection state information in association with connection state information for specifying a period,
The infection suspected terminal specifying unit is a second terminal associated with the acquired first virtual network information in the database, and a connection period for the first virtual network indicated by the first virtual network information is The network information output system according to any one of claims 1 to 3, wherein second terminal information indicating a second terminal overlapping with the first terminal is acquired. The virtual network specifying unit further acquires second virtual network information that is associated with the acquired first terminal information in the database and is different from the first virtual network information,
The infected suspected terminal specifying unit further acquires third terminal information indicating a third terminal different from the first and second terminals, which is associated with the acquired second virtual network information in the database. ,
4. The network information output system according to claim 1, wherein the output unit further outputs the acquired third terminal information. 5. The virtual network specifying unit further acquires third virtual network information different from the first and second virtual network information, which is associated with the acquired second terminal information in the database,
The infection suspected terminal identifying unit is configured to obtain fourth terminal information indicating a fourth terminal different from the first, second, and third terminals, which is associated with the acquired third virtual network information in the database. Get more and
The network information output system according to any one of claims 1 to 5, wherein the output unit further outputs the acquired fourth terminal information.   The network information output system according to claim 1, wherein the output unit displays a diagram showing a topology of the network represented by the acquired network configuration information. The network configuration information further includes physical link information indicating a physical link between the plurality of relay devices,
The output unit displays a diagram showing the topology of the network, in which the logical link represented by the acquired logical link information is displayed on the physical link represented by the physical link information. The network information output system according to claim 2, wherein:

Images