JP2022049717A - Communication device - Google Patents

Abstract

To detect cyber attacks in real time.SOLUTION: A communication device determines whether a server device is a malignant host when a terminal connected to a network accesses the server device. The terminal transmits a name resolution request including an absolute domain name of the server device to a DNS server, and starts communication with the server device based on a name resolution result transmitted from the DNS server. The communication device includes a determination unit that determines whether the server device is a malignant host, determines whether the server device is a malignant host based on the absolute domain name included in the name resolution request when the name resolution request transmitted to the DNS server is received, transmits the name resolution request to the DNS server regardless of whether a determination result of whether the server device is a malignant host is derived, and determines whether the server device is a malignant host based on the determination result when the name resolution result is received from the DNS server.SELECTED DRAWING: Figure 4

Description

The present invention relates to a technique for detecting unauthorized communication in a network.

In recent years, cyber attacks targeting individuals and organizations have been carried out against network services, causing enormous damage. Various attack detection methods have been proposed to protect communication devices such as Web servers connected to the network from these attacks, but attackers frequently change or refine the attack methods. It was difficult to detect. The conventional attack detection method detects a method that has been attacked in the past, and it is difficult to detect an attack by a new method.

Therefore, a technique for identifying a host (malignant host) attacking by detecting an IP address group of a terminal performing abnormal communication from a large-scale traffic data has been proposed (see, for example, Patent Document 1). ).

Japanese Unexamined Patent Publication No. 2018-148270

However, although it is necessary to detect cyber attacks as soon as possible, it takes a lot of processing time to analyze large-scale traffic data. In particular, in order to detect an unknown attack, it has been difficult to detect an attack in real time by machine learning on the packet to be communicated.

The present invention has been made in view of the above circumstances, and an object of the present invention is to provide a technique for detecting a cyber attack in real time.

According to a typical embodiment of the present invention, when accessing a server device from a terminal connected to a network, the server device is a communication device for determining whether or not the server device is a malicious host, and the terminal is a communication device. A name resolution request including the absolute domain name of the server device is sent to a DSN server that identifies an IP address corresponding to the absolute domain name, and the DSN server corresponds to the absolute domain name included in the name resolution request. The IP address is specified, the name resolution result including the specified IP address is transmitted to the terminal, and the terminal starts communication with the server device based on the name resolution result transmitted from the DNS server. However, the communication device includes a data receiving unit that receives data transmitted from the terminal regardless of the destination of the data, a determination unit that determines whether the server device is a malicious host, and the above. The determination unit includes a data transmission unit that transmits the data received by the data reception unit to the transmission destination of the data, and when the data reception unit receives a name resolution request to be transmitted to the DNS server, the determination unit Based on the absolute domain name included in the name resolution request, the server device determines whether or not the server device is a malicious host, and the data transmission unit determines whether or not the server device is a malicious host. When the name resolution request is transmitted to the DNS server regardless of whether or not is derived, and the data receiving unit receives the name resolution result from the DSN server, the determination unit determines the name resolution result. It is characterized in that it is determined whether or not the server device is a malicious host based on the determination result of the name resolution request corresponding to.

According to a typical embodiment of the present invention, it is possible to detect a cyber attack in real time without making the user feel a decrease in communication speed.

It is a figure explaining the outline of the communication system including the packet classification apparatus (communication apparatus) which detects the access to a malignant host of the embodiment of this invention in real time. It is a figure which shows an example of the network configuration of the Embodiment of this invention. It is a figure which shows an example of the hardware configuration and software configuration of the packet classification apparatus of the embodiment of this invention. It is a figure which shows an example of the structure for forwarding a packet by the packet classification apparatus of this embodiment. It is a figure which shows the processing time of each process until a terminal starts communication with a Web server in this embodiment. It is a figure explaining the timing which detects the malignant host in embodiment of this invention. It is a figure explaining the structure for detecting a malicious host at the timing T1 that a terminal sends a name resolution request to a DNS server in embodiment of this invention. It is a figure explaining the structure for detecting a malicious host at the timing T2 when a terminal receives a name resolution result from a DNS server in embodiment of this invention. It is a figure explaining the structure for detecting a malicious host at the timing T3 when a terminal accesses the connection destination Web server in the Embodiment of this invention.

When accessing a server device connected to another network (for example, a WEB server) from a terminal connected to the network, first, the IP address of the connection destination is specified from the DNS server by the server name (absolute domain name) of the connection destination. (Name resolution). In the present embodiment, it is determined whether or not the server device to be connected is a malicious host (computer that performs a cyber attack) while performing name resolution. If it is determined that the server device to be connected is not a malicious host (benign host), communication is continued as it is, and if it is determined to be a malicious host, communication is cut off. Since the time for name resolution is the time required for normal communication, it is unlikely that the user will experience a delay even if processing for detecting a malicious host is performed during this time. Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings.

FIG. 1 is a diagram illustrating an outline of a communication system including a packet classification device (communication device) that detects access to a malicious host according to the embodiment of the present invention in real time. Although the present embodiment targets communication by TCP / IP, the present invention can also be applied to communication by other protocols. Further, in the present embodiment, it is assumed that the user operates the terminal and accesses a server device (for example, a Web server) connected to an external network.

When a user operates a terminal to access a Web server connected to an external network, first the IP address of the Web server to be connected is queried to the DSN server to identify it, and then based on the specified IP address. And start communication with the Web server. At this time, the time for the user to wait from the operation of the terminal to the reference to the specified site is the time required for name resolution, the communication time with the Web server, and the time for processing the data received from the Web server on the terminal. Become. Therefore, it is necessary to prevent access to the malicious host by determining whether the connection destination Web server is a malicious host before the name resolution is completed and the communication with the connection destination Web server is started. Can be done.

Subsequently, an example of a network configuration to which the method for detecting a malicious host in the embodiment of the present invention is applied will be described. FIG. 2 is a diagram showing an example of a network configuration according to an embodiment of the present invention. In the present embodiment, communication is performed between the Web server 11 connected to the external network (first network) 10 and the terminal 21 connected to the internal network (second network) 20.

A communication device (router 40) for interconnecting each network is arranged between the external network 10 and the internal network 20. Further, a packet classification device (communication device) 100 for determining whether or not the Web server 11 to be connected to the terminal 21 is a malicious host is arranged between the router 40 and the internal network 20. The packet classification device 100 may be installed inside the internal network 20. In the present embodiment, when the terminal 21 is connected to a computer such as a Web server 11 connected to the external network 10, the terminal 21 is connected to the DNS cache server (DNS server) 30 via the packet classification device 100, and the communication destination computer is connected. Identify the IP address of. If the DNS cache server 30 cannot specify the server name (absolute domain name) of the connection destination, it recursively queries a plurality of authoritative DNS servers 60 via the network to resolve the absolute domain name. Hereinafter, the DNS cache server 30 and the authoritative DNS server 60 are combined to form a DNS server.

When the packet classification device 100 determines that the connection destination (Web server 11) of the terminal 21 is a malicious host (classified as a malicious host), the packet classification device 100 cuts off communication with the Web server 11 connected to the external network 10. At this time, the classification result (alarm) is notified to the management computer (not shown) for managing network devices such as the router 40 and the packet classification device 100, and a warning message is displayed to notify the administrator. You may do it. Further, the packet classification device 100 may instruct the router 40 to block the communication with the malicious host without blocking the communication.

Further, in the present embodiment, it is not necessary to selectively determine whether or not the host is a malignant host. For example, if the judgment value of a malignant host is 100, the judgment value of a benign host is 0, and the possibility of being a malignant host is judged by a judgment value of 0 to 100, if the judgment value is equal to or higher than a predetermined threshold value. Communication may be cut off, and if the determination value is within a predetermined range, a warning message may be displayed and the user may decide whether or not to connect. In this case, it is preferable to record a log of the determination result of the malicious host in the packet classification device 100 so that it can be determined whether or not the host is actually a malicious host. Alternatively, the management computer may be notified so that the management computer records the log. Further, the packet classification device 100 may record a communication log and notify the management computer only when there is a possibility of a malicious host.

The packet classification device 100 is always arranged at a place where a packet passes when accessing an external network in order to block the connection of a malicious host. Further, the packet classification device 100 arranged in the network may be single or may be plural. When a plurality of packets are arranged, in order to prevent an increase in traffic, it is preferable to arrange the packets so as to avoid passing through the plurality of packet classification devices 100.

Subsequently, the hardware and software configurations of the packet classification device 100 will be described. FIG. 3 is a diagram showing an example of a hardware configuration and a software configuration of the packet classification device 100 according to the embodiment of the present invention. The packet classification device 100 includes a communication interface (IF) 101, a processor (CPU) 110, a memory 120, and a storage device 160, and each configuration is connected by a bus.

The communication interface (IF) 101 receives the packet transferred from the terminal 21, the DNS cache server 30, and the like, and receives the command input from the management computer. The processor (CPU) 110 provides various functions by executing various programs stored in the memory 120, and for example, a function of determining whether or not the connection destination (Web server 11) of the terminal 21 is a malicious host. I will provide a. The memory 120 stores various programs executed by the processor 110, and temporarily stores data necessary for executing the programs. The storage device 160 has information on a packet received via the communication interface (IF) 101 (for example, the absolute domain name of the connection destination (Web server 11) included in the name resolution request, and the connection destination (Web) included in the name resolution result. The IP address of the server 11), etc.) is accumulated, and the processing result by the program (determination result of whether or not the connection destination of the terminal 21 is a malicious host, etc.) is stored.

Next, the configurations of the memory 120 and the storage device 160 will be described. The memory 120 stores a communication control unit 121 that controls communication of packets and a detection unit (determination unit) 130 that determines whether or not the computer communicating with the terminal 21 is a malicious host. In the present embodiment, any method may be used to determine (classify) a malicious host, but the malicious host is learned by accumulating information such as the absolute domain name and IP address of the server device to which the packet is sent. A method of determining whether or not it is is adopted. Further, the memory 120 stores a learning unit 140 that collects and generates learning data in order to improve the accuracy of detecting a malicious host. The detection unit 130 and the learning unit 140 are composed of a program and data for executing the program. The storage device 160 provides a packet data storage unit 161 and a learning data storage unit 162. Hereinafter, each configuration will be described.

The detection unit 130 determines whether or not the connection destination of the terminal 21 is a malicious host. The detection unit 130 includes an analysis unit 131, a feature extraction unit 132, and a classification unit 133. The analysis unit 131 temporarily stores the packet acquired from the communication IF 101, analyzes the information acquired from the received packet, and stores the analysis result in the packet data storage unit 161 as needed.

The feature extraction unit 132 extracts feature information from the analysis result by the analysis unit 131. The analysis result by the analysis unit 131 may be directly acquired from the analysis unit 131, or the analysis result stored in the packet data storage unit 161 may be acquired.

The classification unit 133 inputs the feature information extracted by the feature extraction unit 132 into the neural network, and based on the training data stored in the training data storage unit 162, the connection destination of the terminal 21 (packet transmission destination, Web server 11). ) Is determined (classified) whether it is a benign host or a malignant host.

In order to improve the classification (judgment) accuracy by the classification unit 133, the learning unit 140 adjusts the parameters for improving the accuracy of the judgment by the neural network based on the collected learning data, and stores the learning result in the learning data. It is reflected in the part 162. The learning data collection unit 141 collects learning data from the packet data storage unit 161 and the learning data storage unit 162. The neural network learning unit 142 learns the neural network based on the learning data collected by the learning data collection unit 141. At this time, the learning data before the learning result is reflected is acquired from the learning data storage unit 162, and after the learning is performed, the learning data reflecting the learning result is stored in the learning data storage unit 162. The training data are parameters and data necessary for classifying the connection destination of the terminal 21 into a benign host or a malignant host by the neural network.

The learning of the neural network may be executed based on the execution instruction from the management computer, or may be executed periodically. Further, it may be executed when unlearned data is accumulated in the packet data storage unit 161 in a predetermined amount or more.

The classification unit 133 classifies (determines) the connection destination of the terminal 21 into a benign host or a malignant host by a neural network. In this embodiment, a machine learning library such as TensorFlow or LIBSVM is used as an algorithm for classifying the connection destination of the terminal 21.

Subsequently, a procedure for transferring the received packet by the packet classification device 100 to the external network will be described. FIG. 4 is a diagram showing an example of a configuration for the packet classification device 100 of the present embodiment to transfer a packet. The packet classification device 100 of the present embodiment uses Intel® Data Plane Development Kit (DPDK) technology in order to speed up network processing. DPDK provides a dedicated function that bypasses the kernel function for a specific application. A solution other than DPDK may be applied as long as it has the same function.

The packet received by the communication IF 101 is temporarily stored in the reception buffer RX (data receiving unit) 102 provided by the DPDK, and is delivered to the detection unit 130. The reception buffer RX (data receiving unit) 102 has a queue structure, and sends out packets to the detection unit 130 in the order in which they are received. After that, the destination (connection destination of the terminal 21; Web server 11) of the packet received by the analysis unit 131, the feature extraction unit 132, and the classification unit 133 is classified (determined) into a benign host or a malignant host.

Further, the packet is stored in the transmission buffer TX (data transmission unit) 103 and transmitted to the external network 10 via the communication IF 101. At this time, if the destination of the packet is a malicious host, the packet may be discarded without being stored in the transmission buffer TX103. With this configuration, it is possible to use general network devices other than the packet classification device 100, such as a function of discarding packets specified on the router side, and the introduction cost can be reduced. On the other hand, the router that forwards the packet to the external network 10 may be notified that the destination is a malicious host, and the router may discard the packet.

Subsequently, an application example of the real-time detection system to which the present invention is applied will be specifically described. As described above, the method for detecting a malicious host in the present embodiment adopts an existing technique, specifically, a machine learning library such as TensorFlow or LIBSVM is used. The accuracy of detecting malicious hosts by these methods has been improved due to technological advances and the accumulation of learning data. On the other hand, it is difficult to detect a malicious host in real time because it takes time to extract and analyze the feature amount based on the information extracted from the received packet. The purpose of this embodiment is to achieve both a practical packet transfer speed and high attack detection accuracy.

On the other hand, it is not easy to maintain a practical packet transfer speed while improving the detection accuracy of malicious hosts by increasing the speed of algorithms and improving hardware performance. As described above, since the existing technique is used for the detection accuracy of the malicious host, the present invention aims to maintain the packet transfer speed. Here, the result of measuring the processing time of each executed process for starting the communication from the terminal 21 to the connection destination server device (Web server 11) is shown.

FIG. 5 is a diagram showing the processing time of each process until the terminal 21 starts communication with the Web server 11 in the present embodiment. The graph is a box plot, the vertical axis is the logarithmic axis for the processing time (μsec), and the horizontal axis is the process. FIG. 5 shows the processing time of each step for each algorithm when LIBSVM is applied to the classification unit 133 (left) and when TensorFlow is applied (right). Each step consists of reception (RX), analysis (parse), feature extraction (Extractor Processing), classification (Classifier parts), and total (Total).

As shown in FIG. 5, the classification (broken line) requires a lot of processing time as compared with other steps. In addition, although the difference in processing time for each algorithm is small in processes other than classification, it is possible to process faster by applying TensorFlow than in LIBSVM in the classification process. The total processing time for one packet is 0.4231 μs (2.118 Gbps) when no malicious host is detected, 557.8 μs (1.264 Mbps) when LIBSVM is applied, and when TensorFlow is applied. Is 72.492 μs (9.60 Mbps). The algorithm for classification may be selected according to the required processing speed and detection accuracy.

As described above, since the process of detecting a malicious host becomes a bottleneck at the time of packet transfer, it is necessary to increase the speed by about 100 to 1000 times in order to realize a practical packet transfer speed. Therefore, in the present invention, paying attention to the communication procedure, the connection destination server device is a malicious host or a benign host while the terminal 21 is performing name resolution of the server device connected to the external network with which the terminal 21 communicates. Judge (classify) whether or not there is. The feature of the present invention is that the detection of a malicious host is started based on the information (absolute domain name, etc.) included in the name resolution request of the connection destination server device (Web server 11) transmitted from the terminal 21, and the DNS server starts the detection. By completing the detection of the malicious host before the IP address of the connection destination server device is specified, the terminal 21 is prevented from actually connecting to the malicious host.

FIG. 6 is a diagram illustrating a timing for detecting a malignant host in the embodiment of the present invention. The packet classification device 100 has (1) timing T1 when the terminal 21 transmits a name resolution request to the DNS cache server 30, (2) timing T2 when the DNS cache server 30 transmits the result of name resolution to the terminal 21, (3). At the timing T3 when the terminal 21 starts communication with the Web server 11, it is determined whether or not the Web server 11 is a malicious host. By determining whether or not the connection destination (Web server 11) is a malicious host at timings T1, T2, and T3, communication can be blocked before connecting to the malicious host (before receiving a cyber attack). Hereinafter, a configuration for detecting a malicious host at each timing will be described.

FIG. 7 is a diagram illustrating a configuration for detecting a malicious host at the timing T1 when the terminal 21 transmits a name resolution request to the DNS cache server 30 in the embodiment of the present invention. At the timing T1, the terminal 21 transmits a name resolution request (DNS query) for specifying the IP address of the connection destination (Web server 11) to the DNS cache server 30. The packet classification device 100 receives the name resolution request transmitted from the terminal 21, and determines whether or not the connection destination (Web server 11) is a malicious host based on the information included in the name resolution request.

When the packet classification device 100 receives the name resolution request from the terminal 21, the packet classification device 100 stores the packet corresponding to the name resolution request in the reception buffer RX 102 via the communication IF 101. The analysis unit 131 refers to the content of the received name resolution request and extracts the absolute domain name (FQDN). Furthermore, the domain whitelist in which the absolute domain name of the benign host is recorded is referred to, and it is determined whether or not the extracted absolute domain name is included in the domain whitelist. When the extracted absolute domain name is included in the domain whitelist (“legitimate”), since the connection destination is a benign host, the packet corresponding to the name resolution request is stored in the transmission buffer TX103. The packet stored in the transmission buffer TX103 is transmitted to the DNS cache server 30 by the communication control unit 121.

When the extracted absolute domain name is not included in the domain whitelist (“not matched”), the analysis unit 131 refers to the domain blacklist in which the absolute domain name of the malicious host is recorded and extracts it. Determine if the absolute domain name is on the domain blacklist. If the extracted absolute domain name is included in the domain blacklist (“malicious”), the packet to be sent is discarded because the connection destination is a malicious host. At this time, a message indicating that the terminal cannot be connected to the terminal 21 may be responded to the terminal 21.

In addition, when the extracted absolute domain name is not included in the domain blacklist (“not matched”), it is not possible to identify whether the connection destination is a malicious host or a benign host, so the feature extraction unit 132 uses the feature extraction unit 132. Feature information is extracted from the information included in the name resolution request, and the connection destination is classified into a malignant host or a benign host by the classification unit 133. Further, since processing time is required to classify a malicious host or a benign host, a packet corresponding to the name resolution request is stored in the transmission buffer TX103 in order to prevent a delay in access to the connection destination. As a result, the name resolution request is sent to the DNS cache server 30, and the connection destinations can be classified in parallel while the DNS cache server 30 is performing name resolution. When the classification result is derived, the classification unit 133 reflects it in the domain whitelist (“legitimate”) if the classification result is a benign host, and reflects it in the domain blacklist if it is a malignant host (“malicious”). ).

As described above, when the name resolution request is transmitted from the terminal 21 to the DNS cache server 30, whether the packet classification device 100 connects to the benign host based on the information such as the absolute domain name included in the name resolution request. Determine if it is a malicious host. If the absolute domain name is not included in the domain blacklist or domain whitelist and it is not possible to identify whether it is a benign host or a malicious host, the detection unit 130 is based on the characteristic information and learning data of the connection destination. Classify (determine) whether the connection destination is a malicious host or a benign host. At this time, a name resolution request is sent to the DNS cache server 30, the connection destinations are classified while the DNS cache server 30 is performing name resolution, and the classification result is reflected in the domain blacklist or domain whitelist. In this way, communication delay can be minimized by classifying the absolute domain name of the connection destination while the DNS cache server 30 is performing name resolution.

When the DNS cache server 30 receives the name resolution request transmitted from the terminal 21, it identifies the IP address of the connection destination and transmits the name resolution result including the specified IP address to the terminal 21. When the packet classification device 100 receives the name resolution result from the DNS cache server 30 (timing T2), the packet classification device 100 again determines whether or not the connection destination is a malicious host. Hereinafter, the processing at the timing T2 will be described.

FIG. 8 is a diagram illustrating a configuration for detecting a malicious host at the timing T2 when the terminal 21 receives the name resolution result from the DNS cache server 30 in the embodiment of the present invention. When the packet classification device 100 receives the name resolution result from the DNS cache server 30, the packet classification device 100 stores the packet corresponding to the name resolution result in the reception buffer RX102 via the communication IF 101.

The analysis unit 131 determines again whether or not the connection destination is a malicious host based on the domain blacklist and the domain whitelist that reflect the result of classifying the absolute domain name when the name resolution request is received (timing T1). do. Further explaining, first, it is determined whether or not the absolute domain name of the connection destination is included in the domain whitelist. At this time, if the absolute domain name of the connection destination is included in the domain whitelist (“legitimate”), since the connection destination is a benign host, the packet corresponding to the name resolution result is stored in the transmission buffer TX103. .. The packet stored in the transmission buffer TX103 is transmitted to the terminal 21 by the communication control unit 121.

When the absolute domain name is not included in the domain whitelist (“not matched”), the analysis unit 131 determines whether or not the absolute domain name is included in the domain blacklist. If the absolute domain name is included in the domain blacklist (“malicious”), the connection destination is a malicious host, so the packet corresponding to the name resolution result is discarded. Furthermore, if the name resolution result includes the IP address of the connection destination domain (“domain ext”), the IP address of the malicious host is added (updated) to the recorded IP blacklist.

On the other hand, when the absolute domain name is not included in the domain blacklist (“not matched”), the processor 110 stores the packet corresponding to the name resolution result in the transmission buffer TX103, and the communication control unit 121 stores the packet at the terminal 21. Send to.

As described above, when the name resolution result is transmitted from the DNS cache server 30 to the terminal 21, the domain blacklist and the domain blacklist in which the classification result of the connection destination domain is reflected while the DNS cache server 30 is executing the name resolution Based on the domain white list, it is determined (classified) again whether it is a benign host or a malicious host. Since it is determined whether or not the connection is possible in parallel with the name resolution of the connection destination domain, the user can operate the terminal 21 without being aware of the time required for determining the malicious host. If the classification of the connection destination is not completed when the name resolution result is responded, the detection accuracy may be prioritized and the wait until the classification is completed, or the malicious host may be prioritized to suppress the delay in communication time. The determination of may be omitted.

When the terminal 21 receives the name resolution result from the DNS cache server 30, the terminal 21 accesses the connection destination Web server 11 based on the connection destination IP address included in the name resolution result. When the packet classification device 100 receives the access request to the Web server 11 (timing T3), the packet classification device 100 determines whether or not the computer corresponding to the IP address of the connection destination is a malicious host. Hereinafter, the processing at the timing T3 will be described.

FIG. 9 is a diagram illustrating a configuration for detecting a malicious host at the timing T3 when the terminal 21 accesses the connection destination Web server 11 in the embodiment of the present invention. When the packet classification device 100 receives an access request (connection request) from the terminal 21 to the connection destination Web server 11, the packet classification device 100 stores the packet corresponding to the access request in the reception buffer RX102 via the communication IF 101.

The analysis unit 131 extracts the IP address of the connection destination (Web server 11) included in the access request, and determines whether or not it is included in the IP blacklist. If the extracted IP address is included in the IP blacklist (“domain ext”), the packet to be transmitted (access request) is discarded because the connection destination is a malicious host. On the other hand, when the extracted IP address is not included in the IP blacklist (“not matched”), the packet corresponding to the access request to the connection destination is stored in the transmission buffer TX103, and the connection is made by the communication control unit 121. It is transmitted to the destination (Web server 11).

As described above, according to the embodiment of the present invention, when the terminal 21 starts communication with the Web server 11, whether or not the connection destination Web server 11 is a malicious host while executing name resolution is determined. Since it is possible to make a determination, it is possible to detect a cyber attack in real time without making the user feel a decrease in communication speed.

Although the embodiments of the present invention have been described above, the above embodiments are only a part of the application examples of the present invention, and the technical scope of the present invention is limited to the specific configuration of the above embodiments. do not have.

10 External network (1st network)
11 Web server (server device)
20 Internal network (second network)
21 Terminal 30 DNS cache server (DNS server)
40 Router 60 Authoritative DNS Server 100 Packet classifier (communication device)
101 Communication interface (IF)
102 Receive buffer RX (data receiver)
103 Transmission buffer TX (data transmission unit)
110 processor (CPU)
120 Memory 121 Communication control unit 130 Detection unit (judgment unit)
131 Analysis unit 132 Feature extraction unit 133 Classification unit 140 Learning unit 141 Learning data collection unit 142 Neural net learning unit 160 Storage device 161 Packet data storage unit 162 Learning data storage unit

Claims (7)

A communication device that determines whether or not the server device is a malicious host when accessing the server device from a terminal connected to the network.
The terminal sends a name resolution request including the absolute domain name of the server device to the DSN server that identifies the IP address corresponding to the absolute domain name.
The DNS server identifies an IP address corresponding to an absolute domain name included in the name resolution request, and sends a name resolution result including the specified IP address to the terminal.
The terminal starts communication with the server device based on the name resolution result transmitted from the DNS server.
The communication device is
A data receiving unit that receives data transmitted from the terminal regardless of the destination of the data, and
A determination unit for determining whether or not the server device is a malicious host,
A data transmission unit that transmits the data received by the data reception unit to the destination of the data, and a data transmission unit.
Equipped with
When the data receiving unit receives the name resolution request to be transmitted to the DNS server, the determination unit determines whether or not the server device is a malicious host based on the absolute domain name included in the name resolution request. Judging whether
The data transmission unit transmits the name resolution request to the DNS server regardless of whether or not the determination result of whether or not the server device is a malicious host is derived.
When the data receiving unit receives the name resolution result from the DNS server, the determination unit determines that the server device is a malicious host based on the determination result of the name resolution request corresponding to the name resolution result. A communication device characterized by determining whether or not it is. In the communication device according to claim 1,
If the determination result by the name resolution request is not derived at the timing when the data receiving unit receives the name resolution result from the DNS server, the name resolution result is transmitted to the terminal.
When the data receiving unit receives an access request to the server device from the terminal, the determination unit determines whether or not the server device is a malicious host based on the determination result of the name resolution request. A communication device characterized by In the communication device according to claim 1 or 2.
A communication control unit that controls communication between the terminal and the server device is further provided.
The communication control unit is a communication device, characterized in that, when it is determined that the server device is a malicious host, the communication between the terminal and the server device is cut off. The communication device according to any one of claims 1 to 3.
A learning unit that generates learning data based on the determination result by the determination unit and stores the learning data is further provided.
The determination unit is a communication device, characterized in that it determines whether or not the server device is a malignant host based on the accumulated learning data. In the communication device according to claim 4,
The determination unit
It has a domain whitelist that stores the absolute domain names of server devices that are not malicious hosts.
The determination result based on the learning data is reflected in the domain whitelist, and
A communication device for determining that the server device is not a malicious host based on the domain whitelist. In the communication device according to claim 4 or 5.
The determination unit
It has a domain blacklist that stores the absolute domain name of the server device that is the malicious host.
The determination result based on the learning data is reflected in the domain blacklist, and
A communication device for determining that the server device is a malicious host based on the domain blacklist. In the communication device according to claim 6,
The determination unit
It has an IP blacklist that stores the IP address of the server device that is the malicious host.
The determination result based on the domain blacklist is reflected in the IP blacklist, and
A communication device for determining that the server device is a malicious host based on the IP blacklist.

Images