JP2019121017A - Information processing apparatus, vulnerability detection method and program - Google Patents

Abstract

To provide an information processing apparatus capable of detecting a constant degree of vulnerability possessed by equipment and reducing the cost to maintain the security of a network while relieving the burden on the equipment.SOLUTION: An information processing apparatus comprises a packet monitor 110 including storage means 116 for storing a vulnerability pattern describing a feature of a prescribed unit of communication data having vulnerability. The packet monitor 110 also includes acquisition means that acquires a prescribed unit of communication data from a network 102, evaluation means that compares a content of the acquired prescribed unit of communication data with a stored vulnerability pattern and evaluates the vulnerability of the communication data, and recording means that records information of at least an origin on the basis of the evaluation result of vulnerability.SELECTED DRAWING: Figure 3

Description

  The present disclosure relates to an information processing device, a vulnerability detection method, and a program for realizing the information processing device.

  2. Description of the Related Art Conventionally, techniques for scanning network devices to detect vulnerabilities are known. Further, Japanese Patent No. 4995170 (Patent Document 1) collects various information generated by the module for each module in a process executed by a computer system, and based on the collected various information, it is illegal. An information processing apparatus is disclosed that monitors behavior indicating an attack or intrusion for each module. This information processing apparatus has a rule DB that stores behavior information that specifies behavior indicating an unauthorized attack or intrusion, and various information collected is illegal if it matches the behavior information stored in the rule DB. Detect that a dangerous attack or intrusion has occurred.

  However, in the prior art, active processing such as scanning has to be performed on the device, which is not sufficient. In the related art of Patent Document 1, it is necessary to insert a monitoring program for collecting various information such as API calls and system calls generated for each module in the information processing apparatus to be monitored.

  The present disclosure has been made in view of the above points, and while reducing the load on the target device, it is possible to detect a certain vulnerability of the device and reduce the cost of maintaining the security of the network. An object of the present invention is to provide an information processing apparatus that can.

  According to the present disclosure, in order to solve the above problems, an information processing apparatus connected to a network, having the following features is provided. The information processing apparatus comprises: storage means for storing a vulnerability pattern describing characteristics of communication data of a predetermined unit having vulnerability; acquisition means for acquiring communication data of a predetermined unit from the network; and communication for the acquired predetermined unit It includes an evaluation unit that compares the content of data with the stored vulnerability pattern and evaluates the vulnerability of communication data, and a recording unit that records at least source information based on the evaluation result of the vulnerability. .

  According to the above configuration, while reducing the load on the target device, it is possible to detect a certain vulnerability of the device and to reduce the cost of maintaining the security of the network.

The figure which shows the network environment where the packet monitoring apparatus by this embodiment is installed. FIG. 2 is a hardware configuration diagram of a computer used as a packet monitoring device according to the present embodiment. FIG. 2 is a functional block diagram for performing vulnerability detection based on packet monitoring in the packet monitoring device according to the present embodiment. The figure explaining the flow for establishing a session in SSL (Secure Socket Layer) / TLS (Transport Layer Security) handshake protocol. The figure which shows the data structure of the vulnerability pattern database referred in the packet monitoring apparatus in this embodiment. The figure which shows the data structure of the vulnerability log recorded in the packet monitoring apparatus in this embodiment. The flowchart which shows the vulnerability detection process based on packet monitoring which the packet monitoring apparatus in this embodiment performs. FIG. 6 is a diagram for explaining a log browsing function provided by the packet monitoring device in the present embodiment. FIG. 6 is a diagram for explaining a log mail reporting function provided by the packet monitoring device in the present embodiment. 5 is a flowchart showing log mail report processing executed by the packet monitoring device in the present embodiment. FIG. 14 is a functional block diagram for performing packet filtering by vulnerability detection based on packet monitoring in a network device according to another embodiment. 5 is a flowchart illustrating processing executed by the network device in the present embodiment to record a forbidden address and a port by vulnerability detection. FIG. 6 is a diagram for explaining a prohibited address and a port management function provided by the network device in the embodiment.

  Hereinafter, although it demonstrates with this embodiment, embodiment is not limited to embodiment mentioned later.

  The information processing apparatus and the vulnerability detection method according to the present embodiment acquire communication data of a predetermined unit from a network, and the content of the acquired communication data of the predetermined unit and a vulnerability pattern that describes vulnerability stored in advance It has a configuration to check the vulnerability and to evaluate the vulnerability.

  Hereinafter, the packet monitoring device having the vulnerability detection function based on the packet monitoring according to the present embodiment will be described in detail with reference to FIGS.

  Hereinafter, a network environment in which a packet monitoring apparatus is installed, which is provided with a vulnerability detection function based on packet monitoring according to the present embodiment, will be described first with reference to FIG.

  FIG. 1 shows a network environment in which a packet monitoring apparatus according to the present embodiment is installed. In the network environment 100 shown in FIG. 1, a plurality of devices such as a multifunction machine 150, a network projector 152, an interactive whiteboard 154, a server computer 156 and a tablet computer 158 are arranged. The devices 150 to 158 mutually communicate with each other by packet communication based on Transmission Control Protocol (TCP) / Internet Protocol (IP) protocol via the network 102. The network 102 may include, but is not limited to, a wired or wireless local area network of standards such as 1000Base-TX Ethernet (registered trademark) and IEEE 802.11. Note that FIG. 1 illustrates that the tablet computer 158 is connected to the network 102 by wireless communication via the access point 104.

  In the present embodiment, a packet monitoring device 110 is further installed in the network environment 100. The packet monitoring device 110 is connected to the network 102, intercepts various packets flowing through the network 102, and tries to detect security vulnerability based on the content of the intercepted packet. The above-described devices such as the MFP 150, the network projector 152, the interactive whiteboard 154, the server computer 156, and the tablet computer 158 are sources (sources) of packets to be monitored by the packet monitoring apparatus 110 in this embodiment. Or it can be a destination. These devices 150 to 158 may be connected to the Internet via a router on the network 102 or the like. Packets between these devices 150 to 158 and the Internet can also be targets of monitoring in this embodiment. The packet monitoring device 110 constitutes an information processing device in the present embodiment.

  Subsequently, the hardware configuration of the packet monitoring device 110 provided with the vulnerability detection function based on the packet monitoring according to the present embodiment will be described with reference to FIG. FIG. 2 shows a hardware configuration of a computer that can be used as the packet monitoring device 110 according to the present embodiment. The computer 10 can be typically configured as a computer device such as a personal computer or a server computer.

  The computer 10 illustrated in FIG. 2 includes a single-core or multi-core central processing unit (CPU) 12, a random access memory (RAM) 14, a read only memory (ROM) 16, a hard disk drive (HDD) 18, and a drive. A device 24 and a network interface 26 are configured. The computer 10 can also include an input device 20 and a display device 22 as needed.

  The CPU 12 performs overall control such as processing inside the computer 10. The RAM 14 provides a work area of the CPU 12. The ROM 16 stores control programs such as BIOS (Basic Input / Output System). The HDD 18 stores an OS (Operating System) for controlling the computer 10, a program for realizing a functional unit to be described later, various system information, and various setting information. The recording medium 30 is detachably inserted into the drive device 24, and the drive device 24 reads and writes the inserted recording medium 30.

  The input device 20 is an input device such as a mouse, a keyboard, or a touch screen panel. The display device 22 is a display device such as a liquid crystal display device or an organic EL (Electroluminescence) display. The input device 20 and the display device 22 can provide a user interface for receiving input of various instructions from the operator. The network interface 26 is an interface device such as a network interface card (NIC) for connecting the computer 10 to the network 102.

  The computer 10 according to the present embodiment reads a program from the ROM 16 or the HDD 18 and expands the program in a work space provided by the RAM 14 to realize the functions and processes of each unit as the packet monitoring device 110 under the control of the CPU 12. .

  Although the packet monitoring device 110 is described as being implemented as a computer device in the above description, the implementation form of the packet monitoring device 110 is not limited to this. The packet monitoring apparatus 110 may be implemented as an image processing apparatus such as a multifunction peripheral having a packet monitoring function, a printer facsimile, a scanner, etc., or may be implemented as a network apparatus such as a hub, a switch, or a router having a packet monitoring function. Good. In these cases, the packet monitoring device 110 can be equipped with appropriate hardware depending on the application of the device.

  Hereinafter, the function of detecting vulnerability based on packet monitoring in the packet monitoring device 110 according to the present embodiment will be described in more detail with reference to FIG. FIG. 3 shows functional blocks provided for performing vulnerability detection based on packet monitoring in the packet monitoring device 110 according to the present embodiment.

  As shown in FIG. 3, the packet monitoring device 110 includes a packet acquisition unit 112, a vulnerability analysis unit 114, a vulnerability pattern database 116, a vulnerability log storage unit 118, and an output unit 120.

  The packet acquisition unit 112 is configured to acquire communication data of a predetermined unit from the network 102. Here, communication data of a predetermined unit means a data unit called a frame, a packet, etc. in various layers of the network, and is a unit according to a protocol. For example, a MAC (Media Access Control) frame, an IP (Internet Protocol) packet, a TCP (Transmission Control Protocol) segment, an SSL packet, and the like are acquired. The upper layer unit data may be composed of data of one or more lower layer units. For example, an SSL packet is composed of one or more TCP segments. Hereinafter, these predetermined units of data are collectively referred to simply as "packet". Packet acquisition can be performed using a technique called packet capture or a network analyzer. The packet acquisition unit 112 constitutes an acquisition unit in the present embodiment.

  Typically, the network interface 26 such as the NIC of the packet monitoring apparatus 110 operates in the promiscuous mode, and can be configured to take in and process packets other than the packet addressed to itself. Also, the packet monitoring device 110 is connected to the network 102 via, for example, a repeater hub, a mirror port-equipped LAN switch or a network tap that copies packets transmitted and received by one or more specific ports to a specified port. It is configured to be able to intercept packets flowing through the network 102. Alternatively, when the packet monitoring device 110 is implemented as a network device such as a hub or switch, in addition to the processing as a hub or switch, all packets received by the device itself are captured and analyzed. It can be configured.

  The vulnerability analysis unit 114 collates the content of the acquired packet with the stored vulnerability pattern, evaluates the vulnerability of the packet, and based on the evaluation result of the vulnerability, the vulnerability including the information of the source. Are configured to record the sex log. The vulnerability analysis unit 114 constitutes an evaluation unit and a recording unit in the present embodiment.

  The vulnerability pattern database 116 is configured to store one or more vulnerability patterns that each describe the characteristics of the vulnerable packet. The vulnerability pattern will be described later. The vulnerability pattern database 116 constitutes a storage unit in the present embodiment.

  The vulnerability log storage unit 118 is configured to receive, from the vulnerability analysis unit 114, the vulnerability log including information on the source and store the received vulnerability log. In the present embodiment, the source information is recorded as a log together with the information of the vulnerability content. The source information recorded may include one or both of a source address and a source port number. Although the content of the vulnerability is not particularly limited, it may include the detection time and the name of the vulnerability, and may further include transmission destination information (such as transmission destination address and transmission destination port number). It is also good.

  The output unit 120 is configured to output the recorded source information. In a preferred embodiment, the output unit 120 can provide the contents of a plurality of recorded logs in response to an external request.

  As a form of output, when the packet monitoring device 110 includes the display device 22, display is performed in response to an external request such as an operation for browsing a log browsing screen on the display device 22 by the operator of the packet monitoring device 110. There is a mode in which the log viewing screen is displayed on the device 22.

  Further, as an output form, in response to an external request from a remote terminal connected via the network 102, screen data describing a log browsing screen may be transmitted to the remote terminal. In a particular embodiment, the output unit 120 provides a web user interface, the external request is issued from the remote terminal as, for example, an HTTP message requesting acquisition of the log viewing screen, and the screen data is, for example, remote as an HTTP response. It is answered by the terminal.

  Furthermore, as a form of output, when the packet monitoring device 110 has a mail transmission function, the contents of a plurality of logs recorded from the previous time point to the current time point are mailed to a predetermined destination at a predefined timing. It can also be an aspect of sending.

  The output unit 120 constitutes an output unit in the present embodiment. The form of the output will be described in more detail later.

  Hereinafter, a method of detecting a vulnerability based on packet monitoring according to the present embodiment will be described with reference to FIGS. 4 to 6 by taking an SSL (Secure Sockets Layer) / TLS (Transport Layer Security) packet as an example.

  FIG. 4 shows a flow for establishing a session in the SSL / TLS handshake protocol. In addition to the flow of the handshake protocol, FIG. 4 also shows the contents of the ClientHello message 200 as an example of a packet exchanged between the client and the server by the handshake protocol.

  As shown in FIG. 4, in the SSL / TLS handshake, various messages such as ClientHello, ServerCertificate, ServerKeyExchange, CertificateRequest, ServerHello, ClientCertificate, ClientKeyExchange, CertificateVerify, ChangeCipherSpec, Finished, etc. are exchanged between the client and the server. Through exchange of these messages, a session is established.

  The ClientHello message 200 illustrated in FIG. 4 may include a client version 200a, a random number 200b unique to the client, a session ID 200c in the case of session resumption, a cipher suite list 200d, a compression method list 200e, and the like. In the example shown in FIG. 4, a plurality of cipher suites are listed in the cipher suite list 200d. Similarly, the ServerHello message may include the protocol version, a random number unique to the server, the session ID, the cipher suite to use, the compression method to use, etc. The details of other messages will not be further discussed here.

  FIG. 5 shows the data structure of the vulnerability pattern database 210 which is referred to by the vulnerability analysis unit 114 in the packet monitoring apparatus 110 in the present embodiment. In the ClientHello message 200 shown in FIG. 4, there is a possibility that suites having security vulnerabilities are listed in the cipher suite list 200 d. Further, in the ClientHello message 200 and the ServerHello message shown in FIG. 4, there is a possibility that a version having security vulnerability is used. FIG. 5 illustrates a vulnerability pattern that may be included in such a message that describes the characteristics of the vulnerability.

  The vulnerability pattern database 210 shown in FIG. 5 illustratively includes a plurality of vulnerability patterns that describe the characteristics of vulnerabilities related to packets related to SSL / TLS. As the data structure of the vulnerability pattern database 210, an ID field 210a holding an identifier for identifying a vulnerability pattern, a vulnerability name field 210b holding a name of vulnerability, and designation of the type of packet to be judged are held. The packet type field 210c includes a focused part field 210d for holding designation of the focused part in the type-designated packet, and a pattern expression field 210e representing a character string matching a pattern for the focused part. For example, a regular expression or the like can be used as the pattern expression held in the pattern expression field 210 e.

  In addition, the vulnerability can be known from information such as the released vulnerability countermeasure database, and regarding some of the vulnerabilities, the vulnerability pattern for determining the vulnerability from the packet in the format as shown in FIG. It can be prepared. For example, if there is a cipher suite including "RC4" in the handshake packet, it may be vulnerable.

  FIG. 6 shows the data structure of the vulnerability log 220 recorded in the vulnerability log storage unit 118 in the packet monitoring device 110 in the present embodiment. As shown in FIG. 6, the vulnerability log 220 includes a detection time field 220a holding the time at which the vulnerability was detected, a vulnerability name field 220b holding the name of the detected vulnerability, and source information A source IP address field 220c holding an IP address, which is one of the above, and a source port number field 220d holding a port number which is also one of the source information. As shown in FIG. 6, each time a packet is evaluated as having a vulnerability, a vulnerability log including information on the source and information on the content of the vulnerability is recorded in the vulnerability log storage unit 118.

  The flow of the vulnerability detection process for detecting the vulnerability of communication data will be described below based on packet monitoring in the present embodiment with reference to FIG. FIG. 7 is a flowchart showing vulnerability detection processing based on packet monitoring performed by the packet monitoring device in the present embodiment. The process shown in FIG. 7 is executed by a processor such as the CPU 12 shown in FIG.

  The process shown in FIG. 7 may be started from step S100, for example, for each packet. In step S101, the processor acquires a packet via the network 102. In step S102, the processor causes the control to branch depending on whether the acquired packet is a packet related to an SSL (TLS) connection.

  If it is determined in step S102 that the packet is not a packet related to an SSL (TLS) connection (NO), the processor causes the process to branch to step S109 and ends the processing for the packet. In this case, it is determined that the packet is not vulnerable. In the embodiment to be described, for convenience of explanation, in the case of a packet related to an SSL (TLS) connection, the evaluation of vulnerability is further advanced, and the other packets are unquestioned. However, even if it is possible to detect vulnerabilities from the content of the packet, even if it is other than packets related to SSL (TLS) connection, prepare an appropriate vulnerability pattern and perform further vulnerability assessment on the packet. It goes without saying that it may be configured.

  On the other hand, if it is determined in step S102 that the packet relates to an SSL (TLS) connection (YES), the processor branches the process to step S103. In step S103, the processor reads one or more vulnerability patterns that respectively describe the characteristics of the vulnerable packet, and advances the process to step S104. In step S103, typically, one or more vulnerability patterns are read from the HDD 18 or the like onto a work space such as the RAM 14. If the read vulnerability pattern is maintained on the work space and there is no need to read it later, step S103 may be omitted.

  In the loop of steps S104 to S108, each vulnerability pattern is collated with the content of the acquired packet.

  In steps S105 and S106, the processor collates the content of the acquired packet with the read vulnerability pattern, and evaluates the vulnerability of the packet.

  More specifically, in step S105, the processor determines whether or not the type of the packet matches the type designated by the vulnerability pattern currently targeted. If it is determined in step S105 that the types do not match (NO), the processor proceeds the process directly to step S108 and proceeds to the process of the next vulnerability pattern as necessary. On the other hand, if it is determined in step S105 that the types match (YES), the processor proceeds with the process to step S106.

  In step S106, the processor further determines whether the focused part of the packet matches the pattern expression designated by the vulnerability pattern currently targeted. If it is determined in step S106 that the pattern expression is not matched (NO), the processor proceeds directly to step S108, and performs processing of the next vulnerability pattern as necessary. On the other hand, if it is determined in step S106 that the pattern expression is matched (YES), the processor proceeds with the process to step S107.

  In step S102, if it is determined that the packet relates to an SSL connection, and if it is determined in step S105 that the types match, and if it is determined in step S106 that the packet matches the pattern expression, the packet is currently a target for processing It is an evaluation result that it has the vulnerability corresponding to the sex pattern. Based on the evaluation result, in step S107, the processor records a vulnerability log record including the detection time, vulnerability ID, source IP address, source port number in the vulnerability log storage unit 118, and step S108. Proceed with the processing of the next vulnerability pattern as necessary.

  If the packet matches one vulnerability pattern, or if the packet does not match any vulnerability pattern, the loop from step S104 to step S108 is exited, and the process proceeds to step S109. It is advanced. In step S109, the processor ends the processing for the packet.

  Note that the loop from step S104 to step S108 may be exited at the stage where one vulnerability pattern is matched. Alternatively, it may be configured to leave the loop of the loop after checking all the vulnerability patterns. In that case, records of a plurality of matching vulnerability logs can also be recorded in step S107. If none of the vulnerability patterns are matched, it means that the packet has been evaluated as not vulnerable. If at least one vulnerability pattern is matched, it means that the packet has been evaluated as a detected vulnerability.

  By the process shown in FIG. 7, after the record of the vulnerability log is recorded, it is possible to appropriately output the content of the vulnerability log including the information of the recorded source in response to the external request or the internal event as appropriate. It will be.

  FIGS. 8 and 9 are diagrams for explaining the log providing function provided by the packet monitoring device 110 in the present embodiment.

  FIG. 8 is a diagram for explaining the log browsing function provided by the packet monitoring device 110 in the present embodiment. Here, the log browsing function refers to a function of displaying a log browsing screen on a predetermined display device in response to an instruction from the operator.

  FIG. 8A shows an internal database query 230 used for log browsing as an example. FIG. 8B shows a log browsing screen 240 provided by the log browsing function as an example. When the vulnerability log is recorded as a relational database, the log within a predetermined period can be acquired by querying the database with an SQL query as shown in FIG. 8A. Then, based on the acquired inquiry result, a log browsing screen 240 for displaying a list of logs as shown in FIG. 8B is displayed.

  The log browsing screen 240 shown in FIG. 8B includes a period display 242 indicating a period of the log to be displayed, and a log list 244. The log list 244 displays a detection time column 244a that displays the time at which the vulnerability was detected, and a vulnerability name that displays the name of the detected vulnerability, corresponding to the contents of the vulnerability log illustrated in FIG. It includes a column 244b, a source IP address column 244c for displaying an IP address which is one of source information, and a source port number column 244d which similarly holds a port number which is one of source information. Configured As shown in FIG. 8B, on the log browsing screen 240, one or more logs each including information of the content of the vulnerability in addition to the information of the transmission source are displayed.

  The log browsing screen 240 shown in FIG. 8 can be displayed on the display device 22 provided in the packet monitoring device 110 in response to an operation on the input device 20 provided in the packet monitoring device 110 by the operator. Alternatively, it is displayed on the display device of the remote terminal in response to a request (in response to an operation of the operator on the remote terminal) from the remote terminal remotely connected to the packet monitoring device 110 via the network 102. can do.

  FIG. 9 is a diagram for explaining the log mail reporting function provided by the packet monitoring device 110 in the present embodiment. Here, the log mail report function reports the detected vulnerability log to a predetermined destination similarly set in advance, in response to arrival of a timing set in advance by the administrator or the like. A function that sends emails.

  FIG. 9A shows the data structure of the internal notification condition 250 used in the log mail report function. FIG. 9B shows an internal database query 260 used in the log mail report function as an example. FIG. 9C shows a log report mail sent to a predetermined destination by the log mail report function as an example.

  In the log mail report, it is assumed that a destination mail address and a notification schedule as shown in FIG. 9A are previously defined by the administrator in advance. The notification condition 250 shown in FIG. 9A includes a destination e-mail address field 250a holding a destination for notifying a report e-mail, a notification schedule field 250b holding information defining the timing of notification of the report e-mail, and the previous notification. And a previously notified date and time field 250c that holds the time. When the timing defined in the notification schedule field 250b comes, the mail notification process is called. In the e-mail notification process, when the vulnerability log is recorded as a relational database, a log from the previous e-mail notification to the current notification time is acquired by SQL query as shown in FIG. 9B. Ru. Then, a log report mail 270 including a log list as shown in FIG. 9C is sent via the mail server to the destination mail address indicated by the destination mail address field 250 a.

  The log report mail 270 shown in FIG. 9C includes a destination 272 specified in the destination mail address field 250a, a subject 274, a period display 276 indicating a log period, and a log list 278. The contents of the log list 278 are the same as those shown in FIG.

  The flow of processing for outputting the recorded source information will be described below with reference to FIG. 10 as an example of the log mail report processing. FIG. 10 is a flowchart showing a log mail report process performed by the packet monitoring device 110 in the present embodiment. The process shown in FIG. 10 is executed by a processor such as the CPU 12 shown in FIG.

  The process shown in FIG. 10 is started from step S200, for example, periodically or irregularly. In the loop from step S201 to step S208, the processing shown in step S202 to step S206 is performed for each destination registered in advance. In step S202, the processor determines whether or not the timing defined in the notification schedule field 250b described in the record of the currently targeted addressee has arrived. If it is determined in step S202 that the timing has not arrived (NO), the process proceeds to step S208, and as necessary, the process proceeds to the next destination process.

  On the other hand, if it is determined in step S202 that the timing has arrived (YES), the process proceeds to step S203. In step S203, the processor reads the previous notification time of the record of the currently processed destination from the previous notification date field 250c. In step S204, the processor acquires, for example, the current time held by the system as the current notification time. In step S205, the processor queries the database for a query based on the acquired previous notification time and the current notification time, and acquires a query result. In step S206, the processor creates a log report email based on the inquiry result, and transmits the created log report email via the email server by the network interface 26. In step S207, the processor updates the previous notification date and time field 250c with the current notification time as the previous notification time to be used next, advances the process to step S208, and advances to the process of the next destination as necessary. .

  When the process is completed for all the destinations, the loop of step S201 to step S208 is exited, and the process proceeds to step S209. In step S209, the processor ends the present process. After that, the processing shown in FIG. 10 is repeatedly executed at appropriate intervals.

  According to the embodiment described above, the presence or absence of a vulnerability can be evaluated from the content of a packet, such as using a specific protocol, for a specific type of vulnerability, and the vulnerability can be detected. It is possible to keep the network secure at low cost for vulnerabilities that can be judged formally from the contents of packets. Since the packet monitoring device 110 only acquires packets from the network 102, it does not impose an extra load on the device to be monitored. In addition, it is possible to save time and the like for performing a vulnerability test on a device.

  In the embodiment described above, when detecting a packet having vulnerability, the packet monitoring device 110 records it as a vulnerability log. However, other ways of dealing with vulnerability detection are also conceivable. In another embodiment, more aggressive processing may be performed when a vulnerable packet is detected. Hereinafter, a network device having a packet filtering function based on the above-described vulnerability detection according to another embodiment will be described with reference to FIGS. 11 to 13.

  FIG. 11 illustrates functional blocks for performing packet filtering by vulnerability detection based on packet monitoring in the network device 310 according to another embodiment. The network environment in which the network device 310 is installed can be the same as that described with reference to FIG. 1, and the hardware configuration also has an appropriate configuration depending on the purpose and application of the network device 310. It should be adopted. As shown in FIG. 10, the network device 310 includes, as its functional blocks, a packet acquisition unit 312, a vulnerability analysis unit 314, a vulnerability pattern database 316, a prohibited address / port list storage unit 318, an output unit 320 and a packet filter unit. 330 is comprised.

  The packet acquisition unit 312 is configured to acquire a packet from the network 102. The packet acquisition unit 312 constitutes an acquisition unit in the present embodiment. In the embodiment to be described, the network device 310 is configured as a hub, a switch, or the like, and is configured to capture and analyze all packets transmitted and received at its own port. The packet acquisition unit 312 has the same function as the packet acquisition unit 112 of the embodiment described with reference to FIG.

  The vulnerability analysis unit 314 collates the content of the acquired packet with the stored vulnerability pattern, and based on the evaluation result of the vulnerability, the source information of the packet having vulnerability is prohibited address / port list The storage unit 318 is configured to record. The vulnerability analysis unit 314 constitutes an evaluation unit and a recording unit in the present embodiment. The vulnerability analysis unit 314 has the same function as the vulnerability analysis unit 114 of the embodiment described with reference to FIG. 3 except that the information on the transmission source is recorded in the prohibited address / port list storage unit 318.

  The vulnerability pattern database 316 is configured to store one or more vulnerability patterns. The vulnerability pattern database 316 constitutes a storage unit in the present embodiment. The vulnerability pattern database 316 is similar to the vulnerability pattern database 116 of the embodiment described with reference to FIG.

  The prohibited address / port list storage unit 318 is configured to receive the information on the source from the vulnerability analysis unit 314 and store the received information on the source. In the present embodiment, the source information is recorded as address information for prohibiting communication. The source information recorded may include one or both of a source address and a source port number.

  The output unit 320 is configured to output the source information recorded in the prohibited address / port list of the prohibited address / port list storage unit 318. In a preferred embodiment, the output unit 320 can editably provide the contents of the record including address information for prohibiting the recorded communication in response to the external request. As the form of output, in response to an external request such as a command or an HTTP message from a remote terminal connected via the network 102, the screen data for displaying the list list or the list list in an editable manner is transmitted to the remote terminal. It is also possible to use As another form of output, when the network device 310 includes the display 22, the list of the list is displayed on the display 22 in response to an external request such as an operation for displaying the list on the display 22. There is also a mode to display. The output unit 320 constitutes an output unit in the present embodiment.

  The packet filter unit 330 receives packets flowing through the network and performs filtering with reference to the prohibited address / port list of the prohibited address / port list storage unit 318. More specifically, the packet filter unit 330 is configured to discard the packet when the address information for prohibiting communication is included as a source or a destination. The packet filter unit 330 passes the packet if the packet does not include address information for prohibiting communication. For example, packets received at one port can be configured to be output from the other port. The packet filter unit 330 constitutes discarding means in the present embodiment.

  The flow of processing for recording a prohibited address / port by vulnerability detection in another embodiment will be described below with reference to FIG. FIG. 12 is a flowchart showing a process of recording a prohibited address / port by vulnerability detection, which is executed by the network device 310 in another embodiment. The processing shown in FIG. 12 is executed by a processor such as a CPU.

  The process shown in FIG. 12 is started, for example, from step S300 for each packet. In step S301, the processor obtains a packet via the network 102. In step S302, the processor causes the control to branch depending on whether the acquired packet is a packet related to an SSL (TLS) connection.

  If it is determined in step S302 that the packet is not a packet related to an SSL (TLS) connection (NO), the processor causes the process to branch to step S309 and ends the processing for the packet. On the other hand, if it is determined in step S302 that the packet relates to an SSL (TLS) connection (YES), the processor branches the process to step S303. In step S303, the processor reads out one or more vulnerability patterns, each of which describes characteristics of the vulnerable packet, as necessary.

  In the loop of steps S304 to S308, each vulnerability pattern is compared with the contents of the acquired packet. In step S305, the processor determines whether the type of the packet matches the type specified in the vulnerability pattern currently targeted. If it is determined in step S305 that the types do not match (NO), the processor proceeds directly to step S308 and proceeds to processing of the next vulnerability pattern as necessary. On the other hand, if it is determined in step S305 that the types match (YES), the processor proceeds with the process to step S306.

  In step S306, the processor further determines whether the focused portion of the packet matches the pattern expression designated by the vulnerability pattern currently targeted. If it is determined in step S306 that the pattern expression is not matched (NO), the processor proceeds directly to step S308 and proceeds to processing the next vulnerability pattern as necessary. On the other hand, if it is determined in step S306 that the pattern expression is matched (YES), the processor proceeds with the process to step S307.

  In step S307, the processor records the sender IP address and the sender port number in the prohibited address / port list storage unit 318, advances the process to step S308, and advances to the process of the next vulnerability pattern as necessary.

  If the packet matches one vulnerability pattern, or if the packet does not match any vulnerability pattern, the loop from step S304 to step S308 is exited, and the process proceeds to step S109. It is advanced. In this case, in step S309, the processor ends the processing for the packet.

  After the source IP address and port number are recorded in the list by the process shown in FIG. 12, if the IP address and port number of the source or destination of the received packet match the prohibited one, the packet Will be destroyed.

  Here, it has been described that the information of the source of the packet is recorded in the prohibition list by the discovery of one vulnerability. However, in another embodiment, the number of times of finding the vulnerability is counted, and it is configured to be recorded on the prohibition list when the vulnerability is found at a predetermined number or more or a predetermined frequency or more based on the evaluation result over multiple times. You can also In this case, a counter is prepared separately for each pair of source IP address and source port number, and the counter value is incremented in step S307, and the source IP address and the source IP address are determined when the counter value is greater than or equal to the threshold. The source port number may be recorded in the prohibited address / port list storage unit 318.

  FIG. 13 is a diagram for explaining the prohibited address / port management function provided by the network device in the present embodiment. FIG. 13A shows the data structure of the prohibition list 400 recorded in the prohibition address / port list storage unit 318 in the network device 310 in the present embodiment. As shown in FIG. 13A, the prohibition list 400 includes a source IP address field 400a holding an IP address which is one of source information, and a port number which is also one of source information. And a source port number field 400b to be held. As shown in FIG. 13A, when the packet is evaluated as having vulnerability, information on the source is recorded in the prohibited address / port list storage unit 318.

  FIG. 13B shows, as an example, a prohibition list management screen 410 provided by the prohibition list management function. A prohibition list management screen 410 shown in FIG. 13B includes a record list 412 of the prohibited address information. The prohibited address information record list 412 includes a source IP address field 412a for displaying an IP address, which is one of the source information, corresponding to the contents of the vulnerability log shown in FIG. A transmission source port number field 412b holding a port number which is one of transmission source information, an edit button 412c, and a delete button 412d are included.

  When the edit button 412 c is pressed, the contents of the corresponding source IP address field 412 a and source port number field 412 b can be edited. When the delete button 412 d is pressed, the corresponding record is deleted. The prohibition list management screen 410 shown in FIG. 13B may be displayed on the display device of the remote terminal in response to a request from the remote terminal remotely connected to the network device 310 via the network 102. Good. Alternatively, it may be displayed on the display device 22 provided in the network device 310 in response to an operation on the input device 20 by the operator of the network device 310.

  According to another embodiment, for a particular type of vulnerability, the content of the packet is formally evaluated for the presence or absence of a vulnerability, such as using a particular protocol, and the source of the vulnerability is associated with the source Packets can be filtered. It is possible to maintain the security of the network at low cost for the vulnerability that can be judged formally from the contents of the packet. The network device 310 only acquires packets from the network 102, and therefore does not impose an extra load on the monitored device.

  As described above, according to the embodiments described above, it is possible to detect a certain vulnerability of the device while reducing the load on the target device, and reduce the cost of maintaining the security of the network. A possible information processing apparatus, a vulnerability detection method, and a program for realizing the information processing apparatus can be provided. The information processing apparatus may be a computer apparatus having a packet monitoring function, a multifunction machine having a packet monitoring function, an image processing apparatus such as a printer, a facsimile, or a scanner, or a network apparatus such as a hub, a switch, or a router having a packet monitoring function. Can be configured as

  The above function unit can be realized by a computer executable program written in a legacy programming language such as assembler, C, C ++, C #, Java (registered trademark) or an object oriented programming language, etc., ROM, EEPROM, EPROM , Flash memory, flexible disk, CD-ROM, CD-RW, DVD-ROM, DVD-RAM, DVD-RW, Blu-ray disc, SD card, MO etc. It can be distributed.

  Although the embodiments of the present invention have been described above, the embodiments of the present invention are not limited to the above-described embodiments, and other embodiments, additions, modifications, deletions, etc. can be conceived by those skilled in the art. The invention can be modified within the scope of the invention, and any modifications are possible within the scope of the present invention as long as the functions and effects of the present invention are exhibited.

100: Network environment 102: Network 104: Access point 110: Packet monitoring device 112: 312 Packet acquisition unit 114: 314 Vulnerability analysis unit 116: 316 Vulnerability pattern database 118: Vulnerability Log storage unit, 120, 320 ... output unit, 150-158 ... equipment, 200 ... Client Hello message, 210 ... vulnerability pattern database, 220 ... vulnerability log, 230 ... database query, 240 ... log browsing screen, 242, 276 ... Period display, 244, 278 ... Log list, 250 ... Notification condition, 270 ... Log report mail, 310 ... Network device, 318 ... Prohibited address / port list storage unit, 330 ... Packet filter unit, 400 ... Prohibited list, 410 ... Prohibited list management screen 412 ... prohibited address record list

Patent No. 4995170 gazette

Claims (9)

An information processing apparatus connected to a network,
Storage means for storing a vulnerability pattern that describes characteristics of predetermined units of communication data having vulnerability;
Acquisition means for acquiring predetermined units of communication data from the network;
An evaluation unit that compares the content of the acquired communication data of a predetermined unit with the stored vulnerability pattern and evaluates the communication data for vulnerability;
An information processing apparatus, comprising: recording means for recording at least information of a transmission source based on the evaluation result of the vulnerability. The source information is recorded as address information for prohibiting communication,
The information processing apparatus further includes:
The information processing apparatus according to claim 1, further comprising: a discarding unit that discards communication data including address information for prohibiting communication that flows through the network. The source information is recorded as a log together with information on the content of the vulnerability, and the information processing apparatus
The information processing apparatus according to claim 1, further comprising: output means for providing contents of a plurality of recorded logs in response to an external request. The source information is recorded as a log together with information on the content of the vulnerability, and the information processing apparatus
The information processing apparatus according to claim 1, further comprising: an output unit that sends the contents of the plurality of logs recorded from the previous time to the current time at a predetermined timing by e-mail to a predetermined destination.   Communication data of a predetermined unit is a packet flowing through the network, and the vulnerability pattern describes characteristics of a vulnerability related to a packet related to Secure Sockets Layer (SSL) / Transport Layer Security (TLS). The information processing apparatus according to any one of claims 1 to 4.   The information processing apparatus according to claim 5, wherein the vulnerability pattern includes designation of a type of a packet to be determined, designation of a focused portion in the packet, and pattern expression for the focused portion.   The information processing apparatus according to any one of claims 1 to 6, wherein the source information includes one or both of a source address and a source port number. A vulnerability detection method for detecting a vulnerability of communication data, comprising:
Reading out a vulnerability pattern that describes characteristics of predetermined units of communication data having vulnerability;
The computer acquiring communication data of a predetermined unit via a network;
The computer collating the content of the acquired communication data of the predetermined unit with the read vulnerability pattern, and evaluating the vulnerability of the communication data;
And D. a computer recording at least information on a source based on the evaluation result of the vulnerability. A program for realizing an information processing apparatus connected to a network, the program comprising:
Storage means for storing a vulnerability pattern which describes characteristics of predetermined units of communication data having vulnerability;
Acquisition means for acquiring communication data of a predetermined unit from the network;
Based on the evaluation means for comparing the content of communication data of a predetermined unit acquired with the stored vulnerability pattern and evaluating the vulnerability of the communication data, and based on the evaluation result of the vulnerability, at least the information of the source Recording means for recording
Program to function as.