JP4130445B2 - Abnormal data detection apparatus, abnormal data detection program, and abnormal data detection method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an abnormal data detection device, an abnormal data detection program and an abnormal data detection method for determining whether access data is normal even when statistical information for the access data is not available. <P>SOLUTION: This abnormal data detection device is provided with: a data analysis means for calculating feature quantity for each CGI variation name of access data; a statistical information storage means for accumulating and storing statistical information including the mean value of the feature quantity and standard deviation for each CGI name; a statistical processing execution means for updating the statistical information stored in the storage means; an access determining means for determining whether or not the CGI names are stored in the storage means; a statistical abnormality determining means for determining whether the access data is normal in comparison between the feature quantity and the statistical information; and a directory name determining means for determining whether the access data is normal in comparison between the directory names at which CGIs are positioned depending on the input CGI names, and the directory names included in the CGI names stored in the storage means. <P>COPYRIGHT: (C)2007,JPO&amp;INPIT

Description

  The present invention relates to an abnormal data detection device, an abnormal data detection program, and an abnormal data detection method.

  As a method for detecting abnormal data in a communication network such as the Internet, a method in which a packet received from a predetermined IP address and port number via a firewall or the like is generally not passed. However, there are a variety of attacks that cannot be prevented by this firewall. Among them, there are many attacks aimed at security holes on web servers, that is, bugs and vulnerabilities in software such as operating systems and browsers. For example, if a specific character string is included in an HTTP request, the HTTP request is decrypted and executed, so that software such as CGI (Common Gateway Interface) running on the web server may cause a buffer overflow, etc. Cause unexpected behavior. In order to respond to such attacks targeting web server vulnerabilities, HTTP requests sent from the client to the web server are relayed and analyzed at the application layer, and the known attack characteristics are stored in advance. There is a method of defending a web server by blocking session relay when it matches with a pattern file (for example, Patent Document 1).

Since this method alone cannot protect the web server from unknown attacks that are not stored in the attack pattern file, a technology that detects abnormal data by statistical judgment has been developed to compensate for this. (For example, Non-Patent Document 1). According to this, for access data sent to devices connected to the Internet, such as web servers, the range of values and character types included in the access data are analyzed, the average value and variance are obtained, and statistically abnormal. Calculate the threshold value. Further, based on the threshold, it is determined whether or not the access data is statistically normal or abnormal, thereby detecting whether or not the access data is related to the abnormal data. This technique is expected to be able to detect unknown abnormality data that cannot be detected only from a known abnormality pattern or a normal pattern given in advance.
JP 2002-063084 A ISSN 0919-6072 Information Processing Society of Japan Research Report 2003, No. 74 July 17-18, 2003 Issued by Information Processing Society of Japan p. 91-96 "Unknown attack defense system based on HTTP request analysis" Toru Konno, Masamichi Sasaoka

  However, in the above-described technique, the value range, character type, and the like are determined based on a threshold value calculated for a CGI variable that has been accessed at the time of statistical processing, and are not stored, that is, appear for the first time. CGI variables cannot be statistically determined. Unless such an access is properly determined, the detection rate and the false detection rate regarding unknown unauthorized access cannot be improved.

  Therefore, an object of the present invention is to provide an abnormal data detection device, an abnormal data detection program, and an abnormal data detection method capable of determining whether or not normal access data is obtained even for access data for which statistical information cannot be used in advance. Is to provide.

  In order to solve the above-described problem, according to the abnormal data detection apparatus according to the feature of the present invention, when access data including a CGI name and a CGI variable name is input, the parameter value included in the input access data is Based on the data analysis means for calculating the feature quantity indicating the feature of the abnormal data for each CGI variable name, and the statistical information including the average value and the standard deviation of the feature quantity calculated by the data analysis means in the input access data Statistical information storage means for accumulating and storing for each included CGI name, statistical processing execution means for generating statistical information including an average value and standard deviation of feature values, and updating the statistical information stored in the statistical information storage means An access determination means for determining whether or not the CGI name included in the access data input with reference to the statistical information storage means is stored in the statistical information storage means; When it is determined that the CGI name is stored in the statistical information storage unit by the test determination unit, the feature amount calculated by the data analysis unit is compared with the statistical information stored in the statistical information storage unit, Statistical abnormality determination means for determining whether or not the input access data is normal, and when the access determination means determines that the CGI name is not stored in the statistical information storage means, from the input CGI name The directory name where the CGI is located is extracted, and this directory name is compared with the directory name included in the CGI name stored in the statistical information storage means to determine whether the input access data is normal or not. It has a directory name judging means.

  According to the present invention having the above-described configuration, it is possible to determine whether or not access data for which statistical information is not available is normal access data.

  According to the present invention, there is provided an abnormal data detection device, an abnormal data detection program, and an abnormal data detection method capable of determining whether or not normal access data is available even for access data for which statistical information cannot be used in advance. can do.

  Embodiments of the present invention will be described below with reference to the drawings.

<First Embodiment>
With reference to FIG. 1, an abnormal data detection apparatus according to a first embodiment of the present invention will be described. The abnormal data detection apparatus according to the first embodiment of the present invention detects unknown abnormal data with respect to access data input via a connected network.

  As shown in FIG. 1, the abnormal data detection apparatus 1 includes a data analysis unit 11, an access determination unit 12, a statistical abnormality determination unit 13, a directory name determination unit 14, a statistical processing execution unit 15, and a statistical information table 16. ing.

  Specifically, the abnormal data detection apparatus 1 includes a second network segment 3 output from a client computer connected to the first network segment 2 (not shown) input from the first network segment 2 such as the Internet or an intranet. When the access data for a server (Web server) (not shown) connected to is normal access data, the input access data is passed through the second network segment 3.

  On the other hand, when the access data input from the first network segment 2 is abnormal access data, the abnormal data detection device 1 discards the access data without passing it through the second network segment 3 or sets the access data as access data. Additional information indicating that there is a possibility of abnormal access data is attached and passed to the second network segment 3.

  Here, the access data is information based on a communication protocol such as an HTTP request or an SMTP request. The abnormal data detection apparatus 1 is realized, for example, by installing a software program such as an abnormal data detection program in a general computer and executing the software program in the central processing control apparatus.

  As shown in FIG. 2, the abnormal data detection apparatus 1 according to the first embodiment of the present invention includes a central processing control device 101, a ROM (Read Only Memory) 102, a RAM (Random Access Memory) 103, and an input / output interface. 109 are connected via the bus 110. An input device 104, a display device 105, a communication control device 106, a storage device 107, and a removable disk 108 are connected to the input / output interface 109.

  The central processing control device 101 reads out and executes a boot program for starting up the abnormal data detection device 1 from the ROM 102 based on an input signal from the input device 104, and further reads out an operating system stored in the storage device 107. Further, the central processing control device 101 controls various devices based on input signals from the input device 104, the communication control device 106, etc., reads out programs and data stored in the RAM 103, the storage device 107, etc., and loads them into the RAM 103. In addition, the processing device implements a series of processes to be described later, such as data calculation or processing, based on a program command read from the RAM 103.

  The input device 104 includes input devices such as a keyboard and a mouse through which an operator inputs various operations. The input device 104 generates an input signal based on the operation of the operator, and inputs via the input / output interface 109 and the bus 111. It is transmitted to the central processing control apparatus 101. The display device 105 is a CRT (Cathode Ray Tube) display, a liquid crystal display, or the like. The display device 105 receives an output signal to be displayed on the display device 105 from the central processing control device 101 via the bus 110 and the input / output interface 109. It is a device that displays the processing result of the control device 101 and the like. The communication control device 106 is a device such as a LAN card or a modem, and is a device that connects the abnormal data detection device to a communication network such as 1 Internet or LAN. Data transmitted / received to / from the communication network via the communication control device 106 is transmitted / received to / from the central processing control device 101 via the input / output interface 109 and the bus 110 as an input signal or an output signal.

  The storage device 107 is a magnetic disk device, and stores programs and data executed by the central processing control device 101. The removable disk 108 is an optical disk or a flexible disk, and signals read / written by the disk drive are transmitted / received to / from the central processing control apparatus 101 via the input / output interface 109 and the bus 110.

  The storage device 107 of the abnormal data detection apparatus 1 according to the first embodiment of the present invention stores an abnormal data detection program and a statistical information table 16. In addition, the abnormal data detection program is read and executed by the central processing control device 101 of the abnormal data detection apparatus 1 so that the data analysis unit 11, the access determination unit 12, the statistical abnormality determination unit 13, the directory name determination unit 14, and the A statistical processing execution unit 15 is mounted on the abnormal data detection apparatus 1.

  When the access data is input from the connected first network segment 2, the data analysis unit 11 is a feature amount indicating the characteristic of abnormal data for each CGI variable based on the parameter value included in the input access data. Is calculated. Further, the data analysis unit 11 outputs the calculated feature amount to the access determination unit 12 together with the access data.

  FIG. 3 is an example of access data input to the abnormal data detection apparatus 1 from the first network segment. For example, the data analysis unit 11 analyzes the access data of the HTTP request as shown in FIG. 3 and calculates the feature value of the parameter value. When the access data shown in FIG. 3 is input and analyzed, the data analysis unit 11 cuts out the numerical value “123” as the parameter value 1 of the variable “P” that is the CGI variable name 1. Further, “user” that is an ASCII character is extracted as the parameter value 2 of the variable “Q” that is the CGI variable name 2, and “456” that is a numerical value is extracted as the parameter value 3 of the variable “R” that is the CGI variable name 3. When the value of each CGI variable name is cut out, the data analysis unit 11 calculates a feature amount based on the cut out value. The feature amount will be described later with reference to FIGS.

  The access determination unit 12 reads the statistical information table 16 and determines whether or not the CGI name included in the input access data exists in the statistical information table 16.

  Further, as a result of referring to the statistical information table 16 by the access determination unit 12, when it is determined that the corresponding CGI name exists in the statistical information table 16, the access determination unit 12 displays the access data and the feature amount as a statistical abnormality determination unit. 13 is output. On the other hand, as a result of referring to the statistical information table 16 by the access determination unit 12, when it is determined that the corresponding CGI name does not exist in the statistical information table 16, the access determination unit 12 sends the access data to the directory name determination unit 14. Output.

  When the statistical abnormality determination unit 13 receives the access data and the feature amount from the access determination unit 12, the statistical abnormality determination unit 13 compares the input feature amount with the statistical information stored in the statistical information table 16. It is determined whether or not it is normal. Further, the statistical abnormality determination unit 13 transmits the access data to the second network segment 3 based on the determination result. Further, the statistical abnormality determination unit 13 outputs the feature amount to the statistical processing execution unit 15 based on the determination result.

  Specifically, it is determined whether or not the access data is normal by using a statistically calculated threshold that can be regarded as statistically abnormal based on the feature amount of the access data. For example, when the feature amount obtained for the parameter value is within the range of f (x) in Expression 1, it is determined that the parameter value is normal, and when it is out of the range, the parameter value is determined to be abnormal.

μ _mn −A _mn × σ _mn ≦ f (x) _mn ≦ μ _mn + A _mn × σ _mn (Equation 1)
The average value μ and the standard deviation σ in Equation 1 are determined as shown in FIG. 4 by taking the statistics of the feature amount of the access data. In the abnormal data detection apparatus 1 according to the first embodiment of the present invention, the threshold coefficient A is determined according to each parameter value for “numerical value”, “metacharacter”, and “binary code”. Value. Specifically, a value of about 2 to 11 is practically preferable, but is not limited to this, and the best value is set.

  When it is determined that all parameter values included in the access data are normal, the statistical abnormality determination unit 13 determines that the access data is normal access data. If the parameter value determined to be abnormal is included, the access data is determined to be abnormal access data.

  When the access data is input from the access determination unit 12, the directory name determination unit 14 extracts the directory name and the real CGI name from the CGI name of the input access data, and the access data input based on the extracted real CGI name It is determined whether or not is normal. Further, the directory name determination unit 14 transmits access data to the second network segment 3 based on the determination result. Further, the directory name determination unit 14 may accumulate and store the CGI name included in the access data in the statistical information table 16.

  The actual CGI name here is a character string indicating a normal file name so that the CGI is implemented as a file, and the rightmost directory delimiter (generally “/”, “ Characters on the right side of characters such as “\” and “¥”. That is, the rightmost directory delimiter is the last delimiter in the CGI name, and the character string on the right side of the rightmost delimiter is the character string on the rear side of the rightmost delimiter. is there.

  The directory name here is a character string indicating a directory name indicating a location where a CGI file is stored, and is a character string on the left side of the rightmost directory delimiter in the CGI name. That is, the character string before the last directory delimiter is the directory name.

  Specifically, referring to the statistical information table 16, if the same directory name exists, the directory name determination unit 14 determines that the input access data is normal. This eliminates false detection on the basis that another CGI exists in the same directory even if the CGI cannot be stored in advance due to restrictions on the learning period.

  On the other hand, referring to the statistical information table 16, if the same directory name does not exist, it is determined that the input access data is abnormal. This is because there is a tendency that a directory that is actually legitimate access includes a plurality of legitimate CGIs, and that a directory name used for attack access is significantly different from a legitimate one. Is used.

  FIG. 5 is a diagram illustrating an example of extracting a directory name and a real CGI name from access data. When the access data shown in FIG. 5 is input, the directory name determination unit 14 extracts “cgi-bin / users / bob”, which is a character string on the right side of the rightmost directory delimiter, from the CGI name as a directory name. In addition, “search.cgi”, which is a character string on the left side of the rightmost directory delimiter, is extracted as an actual CGI name.

  For the directory name thus obtained, the directory name determination unit 14 refers to each CGI name stored in the statistical information table 16 and searches whether the same directory name exists.

  If the CGI name including the directory name determined to be normal is stored in the statistical information table 16, then access data including the same CGI name is further input and accumulated and stored in the statistical information table 16. After the data of the number of times of access is obtained, when the access data including the CGI name is input, it becomes possible to make a statistical abnormality determination.

  The statistical information table 16 stores statistical information including an average value of feature values, a standard deviation, and the number of accesses. For example, as shown in FIG. 6, statistical information is stored for each combination of CGI name and CGI variable name. In the example shown in FIG. 6A, the statistical information table 16 describes pointer variables corresponding to statistical information for combinations of CGI names and CGI variable names.

  For example, a pointer variable stored as statistical information 2b associated with CGI name b and CGI variable name 2 is associated with statistical information 2b shown in FIG. The statistical information 2b shown in FIG. 6B stores “average value” and “standard deviation” obtained based on the feature amount for “numerical value”, “metacharacter”, and “binary code”. Yes. Further, the statistical information 2b stores “access count” for the combination of the CGI name and the CGI variable name.

  The statistical processing execution unit 15 generates statistical information including an average value, a standard deviation, and the number of accesses for the access data determined to be normal as the access data among the feature amounts calculated by the data analysis unit 11. Then, the generated statistical information is stored in the statistical information table 16.

  In the calculation of the feature amount, the feature amount obtained from the value (parameter) of the CGI variable name included in the packet data input as access data to the Web server is handled as the feature amount for the CGI variable name.

  For example, when the first to fourth packet data shown in FIG. 7 are input as the access data, the feature quantities obtained for the “numerical value”, “metacharacter”, and “binary code” of the CGI variables are shown in FIG. It is expressed as numerical data as shown. The “metacharacter” is a character having a special meaning in a communication protocol such as HTTP.

  FIG. 7A shows the first packet data, and the value of “Q” in the CGI variable name 2 is the numerical value “12345”. FIG. 7B shows second packet data, and the value of “Q” in CGI variable name 2 is the ASCII character “abcde”. Further, FIG. 7C shows the third packet data, and the value of “Q” in the CGI variable name 2 is the metacharacter “” ′; ”. FIG. 7D shows the fourth packet data, and the “Q” value of the CGI variable name 2 is the binary code “ΔΔΔΔ”. Note that this “Δ” virtually illustrates the binary code. Here, “cgi-bin / users / bob / search.cgi” is “CGI name b”.

  Thus, for the value of “Q” that is CGI variable name 2 included in the first to fourth packet data, the total number of “numerical value”, “metacharacter”, and “binary code” in the parameter value is used as a feature amount. deal with.

  FIG. 8 is an example of feature data generated using the access data shown in FIG. 7 as an example. The number including “numerical value” in the parameter value of “Q” of the first packet data is “5”, and “metacharacter” and “binary code” are not included. Therefore, the feature amounts of the first packet data are “5, 0, 0”, respectively. Since the parameter value of “Q” of the second packet data does not include any of “numerical value”, “metacharacter”, and “binary code”, the feature amount of the second packet data is “ 0, 0, 0 ". Similarly, since the third packet data includes three “metacharacters”, the feature amount is “0, 3, 0”, and the fourth packet data includes four “binary codes”. The feature amount is “0, 0, 4”.

  The statistical information 2b shown in FIG. 6B is generated based on the feature quantity shown in FIG. 8, and is calculated by the statistical processing execution unit 15. For example, the “average value” of “numerical values” is obtained by dividing “5”, which is the sum of the “numerical value” feature amounts of the first to fourth packet data, by the access count “4”. Also, the “average value” for “metacharacter” and “binary code” is also obtained by dividing the total of the feature quantities of “metacharacter” and “binary code” of the first to fourth packet data by the number of accesses “4”. Seeking. The “standard deviation” is obtained by using the feature values and average values of the first to fourth packet data.

(Abnormal data detection processing)
Next, the abnormal data detection process in the abnormal data detection apparatus 1 according to the first embodiment of the present invention will be described with reference to the flowchart shown in FIG.

  When access data is input to the data analysis unit 11 of the abnormal data detection device 1 via the first network segment 2 connected to the abnormal data detection device 1 (YES in S001), the data analysis unit 11 The feature amount is calculated by analyzing the data, and is output together with the input access data (S002).

  The access data is HTTP request access data as shown in FIG. The feature amount is calculated by obtaining the number of each character type of “numerical value”, “metacharacter”, and “binary code” of the data as shown in FIG.

  When the access data and the feature amount are input, the access determination unit 12 determines whether or not the CGI name of the input access data exists in the statistical information table 16 (S003).

  If the CGI name of the access data exists in the statistical information table in the determination in step S003 (YES in S003), the access determination unit 12 performs normal / abnormal determination processing for the CGI variable included in the input access data. The access data and the feature amount are output to the statistical abnormality determination unit 13 (S004). Specifically, the normal / abnormal determination process determines that the value for the CGI variable is normal when the feature amount calculated in step S002 is within a specified range. If the feature amount is outside the specified range, the value for the CGI variable is determined to be abnormal.

  When the statistical abnormality determination unit 13 inputs the access data and the feature amount from the access determination unit, the statistical abnormality determination unit 13 determines whether or not the parameter values of all the CGI variables included in the access data are normal. For example, in the case of the access data shown in FIG. 3, it is determined whether or not all the parameter values of the CGI name variables 1 to 3 are “normal” (S005).

  If all the CGI variables included in the access data are “normal” (YES in S005), the statistical abnormality determination unit 13 determines that the access data is “normal” (S006). On the other hand, when the access data includes at least one CGI variable determined to be “abnormal” (NO in S005), the statistical abnormality determination unit 13 determines that the access data is “abnormal” (S007).

  If it is determined in step S007 that the input access data is “normal”, the statistical abnormality determination unit 13 outputs the calculated feature value to the statistical processing execution unit 15 (S008).

  The statistical processing execution unit 15 recalculates the statistical information from the obtained feature amount, and updates and stores the statistical information table 16 for the calculated statistical information (S009).

  Thereafter, the statistical abnormality determination unit 13 sends the access data to the second network segment 3 based on the determination result (S010).

  If it is determined in step S003 that the CGI name of the access data does not exist in the statistical information table 16 (NO in S003), the access determination unit 12 outputs the calculated feature amount and access data to the directory name determination unit 14 Then, the directory name determination unit 14 executes a directory name determination process (S011). The directory name determination process in step S011 will be described in detail later.

(Directory name judgment processing)
Next, the directory name determination process in step S011 will be described using the flowchart shown in FIG.

  The directory name determination unit 14 extracts a directory name from the access data (S201). The directory name is extracted by using the rightmost directory delimiter as described above with reference to FIG. Subsequently, the directory name determination unit 14 determines whether or not a CGI name having the same directory name as the directory name exists in the statistical information table 16 (S202).

  When it is determined in step S202 that the directory name exists in the statistical information table 16 (YES in S202), the directory name determination unit 14 determines that the input access data is “normal” (S203). ), The statistical information table 16 is updated and stored in the CGI name of the access data (S204).

  On the other hand, when it is determined in step S202 that the directory name does not exist in the statistical information table 16 (NO in S202), the directory name determination unit 14 determines that the input access data is “abnormal” (S205). ).

  Thereafter, the directory name determination unit 14 sends the access data input from the first network segment 2 to the second network segment 3 based on the determination result (S206). Specifically, as described above, when the access data is normal access data, the input access data is passed through the second network segment 3. On the other hand, if the access data is abnormal access data, the access data is discarded without passing through the second network segment 3, or additional information is attached to the access data that may be abnormal access data. To the second network segment 3.

  As described above, according to the first embodiment of the present invention, false detection in which normal access is erroneously determined as an attack is reduced. In addition, even if statistical determination cannot be made, even if the CGI name is not stored in advance, the detection rate of unknown attacks should be maintained based on whether another CGI name exists in the same directory. I can do it.

<Second Embodiment>
With reference to FIG. 11, an abnormal data detection apparatus 1a according to a second embodiment of the present invention will be described.

  The abnormal data detection device 1a according to the second embodiment of the present invention has an access number reference means 141 in the directory name determination unit 14a, as compared with the abnormal data detection device 1 according to the first embodiment. It is different in point. Since other configurations are the same as those of the abnormal data detection apparatus 1 according to the first embodiment described above, the description thereof is omitted.

  The access number reference unit 141 refers to the statistical information table 16 to determine whether the access data is normal or abnormal, and refers to the access count of the retrieved CGI name when searching for a CGI name having the same directory name. .

  When the referred access number is a predetermined access number or more, the directory name determination unit 14a determines that the input access data is “normal”, and when the access number is not the predetermined access number or more, It is determined that the input access data is “abnormal”. Further, the directory name determination unit 14 b sends the access data to the second network segment 3 based on the determination result.

  Here, in order to hold the number of accesses for each CGI name, the statistical information table 16a of the abnormal data detection apparatus 1a according to the second embodiment of the present invention stores the number of accesses as shown in FIG. ing.

  In the statistical information table 16a in FIG. 12A, the number of accesses is stored for each CGI name. This number of accesses is calculated as the sum of the number of accesses of each CGI variable in the CGI name (that is, the number of accesses in FIG. 12B).

  With reference to FIG. 13, the directory name extraction processing in the directory name determination unit 14a for the access data input to the abnormal data detection apparatus 1a will be described. FIG. 13A is an example of access data input to the abnormal data detection apparatus 1a, and FIG. 13B is an example of access data that has been determined to be normal in the past.

  Processing of the directory name determination unit 14a in the abnormal data detection apparatus 1a according to the second embodiment of the present invention will be described using the flowchart shown in FIG. Since other processes in the abnormal data detection apparatus 1a are the same as the processes of the abnormal data detection apparatus 1 described above, the description thereof is omitted.

  The directory name determination unit 14a extracts a directory name from the access data (S301). Thereafter, the directory name determination unit 14a searches for all CGI names stored in the statistical information table 16a for CGI names including the same directory name as the extracted directory name (S302, S303).

  When the CGI name is retrieved from the statistical information table 16a (NO in S303), the access count reference means 141 refers to the access count of the target CGI name from the statistical information table 16a, and the access count is greater than the predetermined number. It is determined whether or not (S304).

  As a result of the determination in step S304, if the number is greater than or equal to the predetermined number (YES in S304), the directory name determination unit 14a determines that the input access data is “normal” (S305), and the CGI name of the access data is statistical information. It is added and stored in the table 16a (S306).

  Here, as an example, a specific description will be given with reference to FIGS. It is assumed that the CGI name d shown in FIG. 13B is included and stored in the statistical information table 16a, and the access count is “2500”.

  For example, when the directory name determination unit 14a inputs the access data shown in FIG. 13A, “/ cgi-bin / users / bob” is extracted from the access data as the directory name. Further, it is assumed that the CGI name d is retrieved from the statistical information table 16a as a CGI name including the same directory name “/ cgi-bin / users / bob”. Here, when “200” is determined as the predetermined number, the number of accesses of the CGI name d is “2500”, and therefore the directory name determination unit 14a determines that the input access data is “normal”.

  On the other hand, if the result of determination in step S304 is not greater than or equal to the predetermined number (NO in S304), the process returns to step S302, and the directory name determination unit 14a searches the statistical information table 16a for other CGI names including the same directory name. (S304). If it is determined in step S302 that the CGI name including the directory name included in the access data does not exist in the statistical information table 16a (YES in S303), the directory name determination unit 14a determines that the input access data is “abnormal”. (S307).

  Thereafter, the directory name determination unit 14a transmits the access data received from the first network segment 2 to the second network segment based on the determination result (S308).

  As described above, in the abnormal data detection apparatus 1a according to the second exemplary embodiment of the present invention, the directory name determination unit 14a includes the access number reference unit 141, so that other CGI names including the same directory name can be obtained. Eliminate those with less than a certain number of accesses. As a result, it is possible to eliminate erroneous detection based only on CGI with higher legitimacy.

<Third Embodiment>
With reference to FIG. 15, an abnormal data detection apparatus 1b according to a third embodiment of the present invention will be described.

  The abnormal data detection apparatus 1b according to the third embodiment of the present invention has a forward match determination unit 142 in the directory name determination unit 14b, as compared with the abnormal data detection apparatus 1 according to the first embodiment. Is different. Since other configurations are the same as those of the abnormal data detection apparatus 1 according to the first embodiment described above, the description thereof is omitted.

  The forward match determination unit 142 sets a section for each character string for the directory name included in the CGI name stored in the statistical information table 16, and determines whether or not the forward match with the directory name included in the input access data. judge. Specifically, it is determined whether or not the CGI name having the same directory name as the character string obtained by sequentially removing the CGI name included in the access data from the rightmost character string section exists in the statistical information table 16.

  When the forward match determination unit 142 determines that there is a forward match, the directory name determination unit 14b determines that the input access data is “normal” for the access data, and when it is determined that the forward match does not match, it is “abnormal”. judge. Further, the directory name determination unit 14 sends access data to the second network segment 3.

  With reference to FIG. 16, a description will be given of the forward match determination process in the forward match determination unit 142 for the access data input to the abnormal data detection device 1b. The result of the forward matching determination process is used in the directory name determination process in the directory name determination unit 14b. Here, a directory name is forward-matched with another directory name means that there is a section that matches at least one or more character strings continuously as viewed from the leftmost of the directory name with respect to the section delimited by the directory delimiter character. That means.

  Specifically, in the abnormal data detection device 1b according to the third exemplary embodiment of the present invention, how much the directory name of the target CGI name is extracted from the access data at the level of the number of sections that coincide with each other. Define from the viewpoint of whether the directory name is included, the left direction from the base point is a positive level (the original directory name is deep), and the right direction from the base point is a negative level (the original directory name is shallow) .

  FIG. 16A is an example of access data for determining whether or not the input is normal. FIGS. 16B to 16E show the CGI names stored in the statistical information table 16b. It is an example of the access data received in the past contained.

  From the input access data shown in FIG. 16A, first, the rightmost directory delimiter in the CGI name is extracted, the right is extracted as “directory name”, and the left is extracted as “real CGI name”. ". Further, the rightmost directory name delimiter is used as a base point for forward matching, the left side is set as a positive level, and the right side is set as a negative level.

  In the CGI name shown in FIG. 16B, the directory name “/ cgi-bin / users” is ahead of “/ cgi-bin / users / bob” in the directory name included in the access data to be determined. Match. Here, among the directory names included in the input access data, since only one section differs from the positive level, the level is defined as +1.

  In the CGI name shown in FIG. 16C, the directory name “/ cgi-bin” matches the directory name included in the access data to be determined. Here, among the directory names included in the input access data, since only two sections differ from the positive level, the level is defined as +2.

  The CGI name shown in FIG. 16D does not include any directory name that matches the directory name included in the access data to be determined, the directory name does not match forward, and the level Is also not defined. In addition, although the example in which the real CGI name coincides is shown, the real CGI name is not related to the forward coincidence.

  In the CGI name shown in FIG. 16D, “/ local” is reversed in addition to the directory name “/ cgi-bin / users / bob” with respect to the directory name included in the access data to be determined. It is included and further matches the negative level forward. In the example shown in FIG. 16D, the level is defined to be -1.

  The forward coincidence determining unit 142 determines forward coincidence in this way, and using this forward coincidence, when the level of forward coincidence is a predetermined value or more, it determines that the input access data is normal. . For example, it is preferable to determine that the front matching level is +1 or more as normal.

  This is because when considering an actual Web server, the directory structure is often deeper in order from the existing state in time series, and the CGI name of certain access data is higher than the existing CGI name. Matching forward at (positive level) is because the CGI name can be deeply drilled down in the existing directory structure, and can therefore be a valid directory name. is there.

  In the example illustrated in FIG. 16, when the forward match determination unit 142 determines whether the access data is normal or not, the statistical information is determined based on the fact that the forward match level is equal to or higher than +1. In the table, when there is a CGI name that matches the level +1 or higher as shown in FIG. 16B or 16C, the access data is determined to be normal, while in the statistical information table, FIG. Or, when there is no CGI name as shown in FIG. 16C and there is only a CGI name that does not match forward as shown in FIG. 16D or FIG. The access data is determined to be abnormal.

  As described above, in the abnormal data detection device 1b according to the third embodiment, by detecting a forward match, it is possible to reduce false detection even when a directory name that completely matches is not stored. There is an effect that can be.

  As described above, the embodiments of the present invention have been described. However, it should not be understood that the descriptions and drawings constituting a part of this disclosure limit the present invention. From this disclosure, various alternative embodiments, examples, and operational techniques will be apparent to those skilled in the art.

  It goes without saying that the present invention includes various embodiments not described herein. Therefore, the technical scope of the present invention is defined only by the matters described in the above description and the invention specific matters according to the obvious claims.

It is a block diagram of the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention. It is a hardware block diagram of the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention. It is a figure explaining the access data input into the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention. It is an example of the feature-value used for abnormality determination with the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention. It is a figure explaining the method to extract a directory name and a real CGI name from a CGI name in the directory name determination part of the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention. It is an example of the statistical information table memorize | stored with the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention. It is a figure explaining the access data input into the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention. It is an example of the feature-value data calculated | required with the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention. It is a flowchart explaining the process of the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention.

It is a flowchart explaining the directory name determination process in the directory name determination part of the abnormal data detection apparatus which concerns on the 1st Embodiment of this invention. It is a block diagram of the abnormal data detection apparatus which concerns on the 2nd Embodiment of this invention. It is an example of the statistical information table memorize | stored with the abnormal data detection apparatus which concerns on the 2nd Embodiment of this invention. It is a figure explaining an example of the access data input into the abnormal data detection apparatus which concerns on the 2nd Embodiment of this invention. It is a flowchart explaining the directory name determination process in the directory name determination part of the abnormal data detection apparatus which concerns on the 2nd Embodiment of this invention. It is a block diagram of the abnormal data detection apparatus which concerns on the 3rd Embodiment of this invention. It is a figure explaining an example of the access data input into the abnormal data detection apparatus which concerns on the 3rd Embodiment of this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1, 1a, 1b ... Abnormal data detection apparatus 2 ... 1st network segment 3 ... 2nd network segment 11 ... Data analysis part 12 ... Access determination part 13 ... Statistical abnormality determination part 14 ... Directory name determination part 14a ... Access Number reference means 14a ... directory name determination unit 14b ... directory name determination unit 15 ... statistical processing execution unit 16, 16a ... statistical information table 101 ... central processing control device 102 ... ROM
103 ... RAM
DESCRIPTION OF SYMBOLS 104 ... Input device 105 ... Display apparatus 106 ... Communication control device 107 ... Memory | storage device 108 ... Removable disk 109 ... Input-output interface 110 ... Bus 141 ... Access number reference means 141 ... Directory name determination means 142 ... Forward matching determination means

Claims (15)

When access data including a CGI name and a CGI variable name is input, data analysis that calculates a feature amount indicating the characteristic of abnormal data for each CGI variable name based on a parameter value included in the input access data Means,
Statistical information storage means for accumulating and storing statistical information including average values and standard deviations of feature amounts calculated by the data analysis means for each CGI name included in the input access data;
Statistical processing execution means for generating statistical information including an average value and standard deviation of the feature amount, and updating the statistical information stored in the statistical information storage means,
Access determination means for determining whether or not a CGI name included in the inputted access data with reference to the statistical information storage means is stored in the statistical information storage means;
When the access determination means determines that the CGI name is stored in the statistical information storage means, the feature amount calculated by the data analysis means and the statistical information stored in the statistical information storage means In comparison, statistical abnormality determination means for determining whether or not the input access data is normal,
When the access determination means determines that the CGI name is not stored in the statistical information storage means, the directory name where the CGI is located is extracted from the input CGI name, and the directory name and the statistical information storage are extracted. The directory name included in another CGI name stored in the means is compared to determine whether or not the input access data is normal, and the number of times the access data including the CGI name is input is determined. A directory name determination unit that counts and adds the CGI name and statistical information to the statistical information storage unit when the number of times of input of the access data including the CGI name reaches a predetermined number ;
An abnormal data detection device comprising: When access data including a CGI name and a CGI variable name is input, data analysis that calculates a feature amount indicating the characteristic of abnormal data for each CGI variable name based on a parameter value included in the input access data Means,
Statistical information storage means for accumulating and storing statistical information including average values, standard deviations, and access counts of feature amounts calculated by the data analysis means for each CGI name;
Statistical processing execution means for generating statistical information including an average value, standard deviation, and number of accesses of the feature quantity, and updating statistical information stored in the statistical information storage means,
Access determination means for determining whether or not a CGI name included in the inputted access data with reference to the statistical information storage means is stored in the statistical information storage means;
When the access determination means determines that the CGI name is stored in the statistical information storage means, the feature amount calculated by the data analysis means and the statistical information stored in the statistical information storage means In comparison, statistical abnormality determination means for determining whether or not the input access data is normal,
When the access determination means determines that the CGI name is not stored in the statistical information storage means, the directory name where the CGI is located is extracted from the input CGI name, and the same directory name as this directory name Is stored in the statistical information storage means , and the number of accesses associated with another CGI name including the same directory name is equal to or greater than a predetermined number, the input access data is When it is determined that the access data including the CGI name is input, the access data including the CGI name is counted. Directory name determination means to be added to the storage means ;
An abnormal data detection device comprising: When access data including a CGI name and a CGI variable name is input, data analysis that calculates a feature amount indicating the characteristic of abnormal data for each CGI variable name based on a parameter value included in the input access data Means,
Statistical information storage means for accumulating and storing statistical information including average values and standard deviations of feature amounts calculated by the data analysis means for each CGI name included in the input access data;
Statistical processing execution means for generating statistical information including an average value and a standard deviation of the feature amount, and updating statistical information stored in the statistical information storage means,
Access determination means for determining whether or not a CGI name included in the input access data is present in the statistical information storage means with reference to the statistical information storage means;
If the CGI name the access determination means is determined to be stored in the statistical information storage means, compares the statistical information stored in the statistical information storage means, wherein the amount calculated by the data analysis means And a statistical abnormality determination means for determining whether or not the input access data is normal,
If the CGI name the access determination means is determined not to be stored in the statistical information storage unit, extracts the directory name CGI is located from said input CGI name, said this extracted directory name When comparing with a directory name included in another CGI name stored in the statistical information storage means to make a forward match, it is determined whether or not the input access data is normal, and the CGI name is A directory name determination unit that counts the number of times of access data including, and adds the CGI name and statistical information to the statistical information storage unit when the number of times of input of access data including the CGI name reaches a predetermined number ;
An abnormal data detection device comprising:   4. The abnormal data detection apparatus according to claim 1, wherein the directory name determination unit extracts the left of the CGI name from the rightmost directory delimiter as a directory name. 5.   The directory name determination means extracts the left of the rightmost directory separator from the CGI name as a directory name, and the extracted directory name and the directory name included in the CGI name stored in the statistical information storage means If the directory names are not the same, a section is set for each character string for the directory name, and the CGI name having the same directory name as the character string obtained by sequentially removing the extracted directory name from the rightmost character string section is included in the statistical information. The abnormal data detection device according to claim 3, wherein when there exists, it is determined that the front matches. When access data including a CGI name and a CGI variable name is input, data analysis that calculates a feature amount indicating the characteristic of abnormal data for each CGI variable name based on a parameter value included in the input access data Steps,
Statistical information including the average value and standard deviation of the feature amount is generated, and the statistical information including the average value and standard deviation of the feature amount calculated in the data analysis step is generated for each CGI name included in the input access data. A statistical processing execution step to be updated and stored in the statistical information storage means;
An access determination step of determining whether or not a CGI name included in the input access data is stored with reference to the statistical information storage means;
When it is determined in the access determination step that the CGI name is stored in the statistical information storage unit, the feature amount calculated in the data analysis step and the statistical information stored in the statistical information storage unit are In comparison, a statistical abnormality determination step of determining whether or not the input access data is normal;
If it is determined in the access determination step that the CGI name is not stored in the statistical information storage means, a directory name where the CGI is located is extracted from the input CGI name, and the directory name and the statistical information storage are extracted. The directory name included in another CGI name stored in the means is compared to determine whether or not the input access data is normal, and the number of times the access data including the CGI name is input is determined. A directory name determining step of counting and adding the CGI name and statistical information to the statistical information storage means when the number of times of input of access data including the CGI name reaches a predetermined number ;
An abnormal data detection program for causing a computer to execute. When access data including a CGI name and a CGI variable name is input, data analysis that calculates a feature amount indicating the characteristic of abnormal data for each CGI variable name based on a parameter value included in the input access data Steps,
Statistical information including the average value, standard deviation, and access count of the feature amount is generated, and statistical information including the average value, standard deviation, and access count of the feature amount calculated by the data analysis unit is statistical information for each CGI name. A statistical processing execution step to be updated and stored in the storage means;
An access determination step of determining whether or not a CGI name included in the input access data is stored with reference to the statistical information storage means;
When it is determined in the access determination step that the CGI name is stored in the statistical information storage unit, the feature amount calculated in the data analysis step and the statistical information stored in the statistical information storage unit are In comparison, a statistical abnormality determination step of determining whether or not the input access data is normal;
If it is determined in the access determination step that the CGI name is not stored in the statistical information storage means, the directory name where the CGI is located is extracted from the input CGI name, and the directory name identical to this directory name Is stored in the statistical information storage means , and the number of accesses associated with another CGI name including the same directory name is equal to or greater than a predetermined number, the input access data is When it is determined that the access data including the CGI name is input, the access data including the CGI name is counted. and directory name judgment step to be added to the storage means,
An abnormal data detection program for causing a computer to execute. When access data including a CGI name and a CGI variable name is input, data analysis that calculates a feature amount indicating the characteristic of abnormal data for each CGI variable name based on a parameter value included in the input access data Steps,
Statistical information including the average value and standard deviation of the feature value is generated, and the CGI name included in the input access data includes the statistical value including the average value and standard deviation of the feature value calculated in the data analysis step. A statistical processing execution step for updating and storing in the statistical information storage means each time;
An access determination step of determining whether or not a CGI name included in the input access data exists with reference to the statistical information storage unit;
When it is determined in the access determination step that the CGI name is stored in the statistical information storage unit, the feature amount calculated in the data analysis step is compared with the statistical information stored in the statistical information storage unit A statistical abnormality determination step for determining whether or not the input access data is normal;
If the CGI name the access determining step is determined not to be stored in the statistical information storage unit, extracts the directory name CGI is located from said input CGI name, said this extracted directory name When comparing with a directory name included in another CGI name stored in the statistical information storage means to make a forward match, it is determined whether or not the input access data is normal, and the CGI name is counting the number of inputs of the access data including, when the input number of accesses data including the CGI name is a predetermined number of times, and the directory name judgment step of adding the CGI names and statistics on the statistical information storage means,
An abnormal data detection program for causing a computer to execute.   The abnormal data detection program according to any one of claims 6 to 8, wherein the directory name determination step extracts the left of the CGI name from the rightmost directory delimiter as a directory name.   The directory name determining step extracts the left of the rightmost directory delimiter from the CGI name as a directory name, and the extracted directory name and the directory name included in the CGI name stored in the statistical information storage means Are not identical, a section is set for each character string for the directory name, and the CGI name having the same directory name as the character string obtained by sequentially removing the rightmost character string section from the extracted directory name is included in the statistical information. The abnormal data detection program according to claim 8, wherein when there exists, it is determined that the front matches. When access data including a CGI name and a CGI variable name is input, data analysis that calculates a feature amount indicating the characteristic of abnormal data for each CGI variable name based on a parameter value included in the input access data Steps,
Statistical information including the average value and standard deviation of the feature amount is generated, and the statistical information including the average value and standard deviation of the feature amount calculated in the data analysis step is generated for each CGI name included in the input access data. A statistical processing execution step to be updated and stored in the statistical information storage means;
An access determination step of determining whether or not a CGI name included in the input access data is stored with reference to the statistical information storage means;
When it is determined in the access determination step that the CGI name is stored in the statistical information storage unit, the feature amount calculated in the data analysis step and the statistical information stored in the statistical information storage unit are In comparison, a statistical abnormality determination step of determining whether or not the input access data is normal;
When it is determined in the access determination step that the CGI name is not stored in the statistical information storage means, a directory name where the CGI is located is extracted from the input CGI name, and the directory name and the statistical information storage are extracted. The directory name included in another CGI name stored in the means is compared to determine whether or not the input access data is normal, and the number of times the access data including the CGI name is input is determined. A directory name determining step of counting and adding the CGI name and statistical information to the statistical information storage means when the number of times of input of access data including the CGI name reaches a predetermined number ;
A method for detecting abnormal data, comprising: When access data including a CGI name and a CGI variable name is input, data analysis that calculates a feature amount indicating the characteristic of abnormal data for each CGI variable name based on a parameter value included in the input access data Steps,
Statistical information including the average value, standard deviation, and access count of the feature amount is generated, and statistical information including the average value, standard deviation, and access count of the feature amount calculated by the data analysis unit is statistical information for each CGI name. A statistical processing execution step for updating the statistical information stored in the storage means;
An access determination step of determining whether or not a CGI name included in the input access data is stored in the statistical information storage unit with reference to the statistical information storage unit;
Wherein when said at access decision step CGI name is determined to be stored in the statistical information storage means, and a statistical information stored in the statistical information storage unit and the data analysis feature amount calculated in the step In comparison, a statistical abnormality determination step of determining whether or not the input access data is normal;
Wherein when said at access decision step CGI name is determined not to be stored in the statistical information storage unit, it extracts the directory name CGI is positioned from CGI name that is the input, the same directory name and the directory name Is stored in the statistical information storage means , and the number of accesses associated with another CGI name including the same directory name is equal to or greater than a predetermined number, the input access data is When it is determined that the access data including the CGI name is input, the access data including the CGI name is counted. and directory name judgment step to be added to the storage means,
A method for detecting abnormal data, comprising: When access data including a CGI name and a CGI variable name is input, data analysis that calculates a feature amount indicating the characteristic of abnormal data for each CGI variable name based on a parameter value included in the input access data Steps,
Statistical information including the average value and standard deviation of the feature value is generated, and the CGI name included in the input access data includes the statistical value including the average value and standard deviation of the feature value calculated in the data analysis step. A statistical processing execution step for updating and storing in the statistical information storage means each time;
An access determination step of determining whether or not a CGI name included in the input access data exists with reference to the statistical information storage unit;
When it is determined in the access determination step that the CGI name is stored in the statistical information storage unit, the feature amount calculated in the data analysis step is compared with the statistical information stored in the statistical information storage unit. A statistical abnormality determination step for determining whether or not the input access data is normal;
If it is determined in the access determination step that the CGI name is not stored in the statistical information storage means, the directory name where the CGI is located is extracted from the input CGI name, and the extracted directory name and the statistics When comparing with a directory name included in another CGI name stored in the information storage means to make a forward match, it is determined whether or not the input access data is normal and includes the CGI name A directory name determination step of counting the number of times of access data input and adding the CGI name and statistical information to the statistical information storage means when the number of times of input of access data including the CGI name reaches a predetermined number ;
A method for detecting abnormal data, comprising:   The abnormal data detection method according to claim 11, wherein in the directory name determination step, the left of the rightmost directory delimiter is extracted as a directory name from the CGI name.   The directory name determining step extracts the left of the rightmost directory delimiter from the CGI name as a directory name, and the extracted directory name and the directory name included in the CGI name stored in the statistical information storage means Are not identical, a section is set for each character string for the directory name, and the CGI name having the same directory name as the character string obtained by sequentially removing the rightmost character string section from the extracted directory name is included in the statistical information. The abnormal data detection method according to claim 13, wherein when there exists, it is determined that there is a forward match.

Images