JP4303741B2 - Communication interruption device, communication interruption program, and communication interruption method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To easily and efficiently judge whether or not communication is caused by a worm independently of whether the communication is applied to a server apparatus or a client apparatus. <P>SOLUTION: A communication information acquisition section 240a acquires information associated with a communication amount of communication packets and a communication address of the communication packets on the basis of setting information related to acquisition of information stored in setting data 230a, and a worm judgement section 240b judges whether or not the communication results from the worm on the basis of the information acquired by the communication information acquisition section 240a and information associated with criteria stored in the setting data 230a for specifying whether or not the communication results from the worm. <P>COPYRIGHT: (C)2007,JPO&amp;INPIT

Description

  The present invention relates to a communication cut-off device, a communication cut-off program, and a communication cut-off method for monitoring communication between a predetermined network segment and the outside of the predetermined network segment and blocking communication performed by a worm. The present invention relates to a communication cut-off device, a communication cut-off program, and a communication cut-off method that can effectively suppress the proliferation of worms.

  The present invention also provides a worm determination program for monitoring communication related to a predetermined network segment connected to a network and determining whether the communication is communication performed by a worm, or a computer-readable computer storing the worm determination program In particular, a worm determination program and a worm that can easily and efficiently determine whether communication is performed by a worm regardless of whether it is a server device or a client device. The present invention relates to a computer-readable storage medium storing a determination program, a worm determination method, and a worm determination device.

  In recent years, computers have been infected one after another while repeating self-replication, and the damage caused by computer viruses called worms that adversely affect computers has been increasing. In the old days, worms were not so infectious because they were infected to computers via flexible disks (FD) and CD-ROMs. Recently, the worm's infectivity has accelerated as the Internet has spread. The problem is how to protect against worms.

  For this reason, Patent Document 1 introduces whether or not a test target for testing whether or not a worm is included is introduced into a virtually constructed computer environment, and whether or not the test target changes a predetermined file in the virtual computer environment. A worm inspection method for determining whether or not a worm is detected by monitoring the above is disclosed.

  Also, in Non-Patent Document 1, the behavior of a server device that always occurs when attacked by a worm (data I / O, system call, etc.) is defined as a monitoring rule in advance, and whether or not a worm is included. A Web server defense system that detects an attack by a worm by introducing an inspection target to inspect an access inspection server device and monitoring its operation is disclosed.

JP 2002-342106 A NEC Corporation, “Press Release”, [online], April 11, 2003, [October 28, 2003 search], Internet <URL: http: // www. nec. co. jp / press / ja / 0304/1101. html>

  However, in the prior art disclosed in Patent Document 1, it is necessary to introduce an inspection target into a virtual computer environment that has been constructed in advance every time communication is performed, and to inspect the presence or absence of infection in the virtual computer environment. Therefore, it is not efficient to detect worms for all communications, and even if only dangerous communications that contain worms are tested, it is possible to establish criteria for judging the risk. There was a problem that it was difficult.

  Further, in the prior art of Non-Patent Document 2, the behavior of the server device that always occurs when attacked by a worm is defined as a monitoring rule. However, the client is used for many purposes and exhibits various behaviors. There has been a problem that it is difficult to define a monitoring rule for a device that distinguishes between behavior due to a worm attack and behavior due to normal use.

  The present invention has been made to solve the above-described problems of the prior art, and easily and efficiently determines whether communication is performed by a worm regardless of whether it is a server device or a client device. It is an object to provide a worm determination program, a computer-readable storage medium storing the worm determination program, a worm determination method, and a worm determination device.

  Another object of the present invention is to provide a communication interruption device, a communication interruption program, and a communication interruption method that can effectively suppress the proliferation of worms.

  In order to solve the above-described problems and achieve the object, the present invention monitors communication performed between a predetermined network segment and the outside of the predetermined network segment and blocks communication performed by the worm. Included in the shut-off device, the worm determination means for determining whether or not the communication is a communication made by a worm, and the communication when the worm determination means determines that the communication is a communication made by a worm An infected computer IP address extracting unit that acquires a communication packet of a specific type from the communication packet to be extracted, and extracts a transmission source IP address of the acquired communication packet as an infected computer IP address, and is extracted by the infected computer IP address extracting unit. By accessing the infected computer identified by the IP address A communication interrupting means for interrupting the communication that is, characterized by comprising a.

  Further, the present invention is characterized in that the communication blocking means blocks communication performed by the worm by stopping a process started by the worm on the infected computer.

  Further, the present invention is characterized in that the communication blocking means blocks communication performed by a worm by enabling a firewall function of the infected computer.

  The present invention also relates to a communication blocking program for monitoring communication between a predetermined network segment and the outside of the predetermined network segment, and blocking communication performed by the worm. A worm determination procedure for determining whether or not the communication has been made, and obtaining a communication packet of a specific type from a communication packet included in the communication when the worm determination procedure determines that the communication is communication performed by the worm Then, an infected computer IP address extraction procedure for extracting the transmission source IP address of the acquired communication packet as an infected computer IP address, and an access to the infected computer identified by the IP address extracted in the infected computer IP address extraction procedure Communication blocking to block communication made by the worm Characterized in that to execute the order, to the computer.

  The present invention also relates to a communication blocking method for monitoring communication performed between a predetermined network segment and the outside of the predetermined network segment and blocking communication performed by the worm, wherein the communication is performed by the worm. A worm determination step for determining whether or not the communication is made, and obtaining a communication packet of a specific type from a communication packet included in the communication when the worm determination step determines that the communication is made by the worm Then, an infected computer IP address extracting step of extracting the acquired source IP address of the communication packet as an infected computer IP address, and an access to the infected computer specified by the IP address extracted in the infected computer IP address extracting step And a communication blocking process for blocking communication performed by the worm Characterized in that it contains.

  Further, the present invention is a worm determination program for monitoring communication related to a predetermined network segment connected to a network and determining whether the communication is communication performed by a worm, and includes setting information related to information acquisition Communication information acquisition procedure for acquiring information relating to the communication amount of the communication packet and the communication address of the communication packet based on the communication information, information acquired by the communication information acquisition procedure and whether the communication is a communication made by a worm A worm determination procedure for determining whether or not the communication is a communication performed by a worm based on information relating to a predetermined determination criterion is executed by a computer.

  In addition, the present invention further includes a setting information change procedure for changing setting information related to acquisition of the information when the communication is determined to be communication performed by a worm by the worm determination procedure, and the communication information acquisition procedure Is characterized in that the information related to the communication amount of the communication packet and the information related to the communication address of the communication packet is acquired based on the setting information related to the acquisition of the information changed by the information acquisition setting change procedure.

  The present invention further includes a determination criterion information change procedure for changing information related to the determination criterion when the communication is determined to be communication performed by a worm according to the worm determination procedure, and the worm determination procedure includes: It is characterized in that it is determined whether or not the communication is made by a worm based on the information acquired by the communication information acquisition procedure and the information on the determination criterion changed by the determination criterion information change procedure.

  According to the present invention, in the worm determination procedure, the amount of communication packets transmitted from the predetermined network segment to be monitored to monitor communication to the outside of the predetermined network segment increases, and the communication packet When the number of destination addresses increases, it is determined that communication from the computer in the predetermined network segment is communication performed by a worm.

  In the present invention, the worm determination procedure may have previously determined that the communication from the computer in the predetermined network segment that is a monitoring target for monitoring communication is communication performed by the worm, and the predetermined network segment From the predetermined network segment acquired by the communication information acquisition means when determining that the destination address of the communication packet transmitted to the outside of the predetermined network segment is communication performed by a worm. When the number of destination addresses of communication packets transmitted outside a predetermined network segment is increased, it is determined that the communication from the computer in the predetermined network segment is a communication made by a worm that has infected multiple computers. It is characterized by.

  Further, according to the present invention, the worm determination procedure increases a packet amount of a response communication packet for a communication packet transmitted from outside the predetermined network segment with respect to the predetermined network segment to be monitored. When the number of transmission source addresses of the communication packet increases, it is determined that communication from a computer outside the predetermined network segment is communication performed by a worm.

  Further, the present invention is characterized in that, when the worm determination procedure determines that the communication is a communication made by a worm, information relating to a computer or communication status that has performed the communication is further output.

  Further, the present invention is characterized in that, when the worm determination procedure determines that the communication is communication performed by a worm, a pre-registered characteristic related to communication performed by the worm and a characteristic related to communication determined to be performed by the worm The type of the worm is estimated by comparing.

  In addition, the present invention includes a communication blocking procedure for blocking communication performed by the worm when the communication is determined to be performed by the worm according to the worm determination procedure.

  Further, the present invention is characterized in that the communication blocking procedure blocks communication performed by the worm by stopping a process started by the worm.

  Further, the present invention is characterized in that the communication blocking procedure blocks communication performed by a worm by enabling a firewall function of a computer determined to have the worm.

  The present invention is also a computer-readable recording medium that records a worm determination program that monitors communication related to a predetermined network segment connected to a network and determines whether the communication is performed by a worm. Communication information acquisition procedure for acquiring information related to the communication amount of the communication packet and the communication address of the communication packet based on the setting information related to acquisition of information, and the information acquired by the communication information acquisition procedure and the communication Recording a worm determination program for causing a computer to execute a worm determination procedure for determining whether or not the communication is a communication performed by a worm based on information relating to a determination standard that defines whether or not the communication is performed by a worm It is characterized by.

  The present invention is also a worm determination method for monitoring communication related to a predetermined network segment connected to a network and determining whether the communication is communication performed by a worm, wherein the setting information related to information acquisition Communication information acquisition step of acquiring information related to the communication amount of the communication packet and the communication address of the communication packet based on the information, whether the information acquired by the communication information acquisition step and the communication is communication made by a worm And a worm determination step of determining whether or not the communication is a communication made by a worm based on information relating to a predetermined determination criterion.

  The present invention is also a worm determination device that monitors communication related to a predetermined network segment connected to a network and determines whether the communication is communication performed by a worm, and includes setting information related to information acquisition Communication information acquisition means for acquiring information related to the communication amount of the communication packet and the communication address of the communication packet based on the information, whether the information acquired by the communication information acquisition means and the communication is a communication made by a worm Worm determination means for determining whether or not the communication is a communication made by a worm based on information relating to a predetermined determination criterion.

  According to the present invention, it is determined whether or not the communication is performed by a worm, and when it is determined that the communication is performed by a worm, a communication packet of a specific type is selected from the communication packets included in the communication. Because the transmission source IP address of the acquired communication packet is extracted as an infected computer IP address, the infected computer specified by the extracted IP address is accessed and communication performed by the worm is blocked. The effect that the proliferation of a worm can be effectively suppressed is achieved.

  Further, according to the present invention, since the communication performed by the worm is blocked by stopping the process started by the worm on the infected computer, the propagation of the worm is stopped by stopping the processing itself performed by the worm. The effect that it can suppress effectively is produced.

  Further, according to the present invention, since the communication performed by the worm is blocked by enabling the firewall function of the infected computer, the computer infected by the worm is blocked by the computer infected by the worm. The effect that the proliferation of a worm can be effectively suppressed is achieved.

  Further, according to the present invention, information related to the communication amount of the communication packet and the communication address of the communication packet is acquired based on the setting information related to the acquisition of the information, and whether the acquired information and communication are communication made by the worm Whether or not the communication is made by the worm is determined based on the information related to the determination criteria for specifying whether the communication is made by the worm regardless of the server device or the client device. There exists an effect that it can determine easily and efficiently.

  Further, according to the present invention, when it is determined that the communication is performed by the worm, the setting information related to the information acquisition is changed, and the communication packet communication is performed based on the setting information related to the acquisition of the changed information. Since it is decided to acquire information related to the amount and communication address of the communication packet, the behavior of the worm can be further detailed by changing the setting information related to the acquisition of information when it is determined that the communication is made by the worm. There is an effect that can be monitored.

  Further, according to the present invention, when it is determined that the communication is performed by a worm, the information related to the determination criterion is changed, and the communication is performed based on the acquired information and the information related to the changed determination criterion. Since it was decided whether or not the communication was made by the worm, if the communication is judged to be made by the worm, the information related to the judgment criteria is changed, so that the communication is made more strictly by the worm. There is an effect that it can be determined whether or not.

  Further, according to the present invention, the amount of communication packets transmitted from a predetermined network segment to be monitored to the outside of the predetermined network segment increases, and the number of destination addresses of the communication packets increases. In such a case, it is determined that the communication from the computer in the predetermined network segment is a communication made by the worm. Therefore, when the communication by the worm is performed from the computer in the predetermined network segment, it is easy to do so. In addition, there is an effect that the determination can be made efficiently and efficiently.

  In addition, according to the present invention, it is previously determined that communication from a computer in a predetermined network segment to be monitored is communication performed by a worm, and the predetermined network segment is determined from the predetermined network segment. The destination address of the communication packet transmitted outside the predetermined network segment from the predetermined network segment acquired when it is determined that the destination address of the communication packet transmitted to the outside is the communication made by the worm If the number exceeds the number, it is determined that the communication from the computer in the predetermined network segment is a communication made by a worm infected with a plurality of computers. From the computer If it is, an effect that it can be determined easily and efficiently.

  Further, according to the present invention, the packet amount of a response communication packet for a communication packet transmitted from outside the predetermined network segment is increased for a predetermined network segment to be monitored, and the communication packet When the number of source addresses increases, it is determined that the communication from the computer outside the predetermined network segment is a communication performed by the worm. Therefore, the communication by the worm is performed from a computer outside the predetermined network segment. In this case, it is possible to determine it easily and efficiently.

  Further, according to the present invention, when it is determined that the communication is performed by the worm, information related to the computer or the communication status that has performed communication is further output. Therefore, based on the information related to the output computer. In this way, it is possible to identify a computer that may be infected with the worm.

  Further, according to the present invention, when it is determined that the communication is performed by the worm, the characteristics registered in advance related to the communication performed by the worm are compared with the characteristics related to the communication determined to be performed by the worm. Since the type of worm is estimated, there is an effect that it is possible to appropriately cope with the attack of the worm based on the information on the estimated type of worm.

  In addition, according to the present invention, when communication is determined to be communication performed by a worm, the communication performed by the worm is blocked, so that the effect of effectively suppressing the proliferation of the worm can be achieved. Play.

  In addition, according to the present invention, since the communication performed by the worm is cut off by stopping the process started by the worm, the process itself performed by the worm is stopped to effectively propagate the worm. There exists an effect that it can control.

  In addition, according to the present invention, the communication performed by the worm is blocked by enabling the firewall function of the computer that is determined that the worm exists, so that the communication performed by the worm is infected with the worm. By causing the computer to shut off, it is possible to effectively suppress the proliferation of the worm.

  Referring to the accompanying drawings, a communication blocking device, a communication blocking program, a communication blocking method, a worm determination program, a computer-readable storage medium storing a worm determination program, a worm determination method, and a worm determination device according to the present invention will be described below. A preferred embodiment will be described in detail.

  First, the concept of the network segment according to the present embodiment will be described. FIG. 16 is a conceptual diagram illustrating the concept of the network segment according to the present embodiment. As shown in FIG. 16, the network segment in the present embodiment has a structure composed of a plurality of hierarchies.

  For example, the smallest network segment 16a includes only one computer in which a worm determination program is installed. In this case, the computer monitors communication related to the network segment 16a and performs worm determination processing. The network segment 16b having a slightly larger scale is a segment configured in units of intranets of departments. A worm determination device 17a is connected to the network segment 16b, and the worm determination device 17a is connected to the work segment 16b. The communication is monitored and worm determination processing is performed.

  The network segment 16c having a larger scale is a segment configured in units of corporate intranets. A worm determination device 17b is connected to the network segment 16c, and the worm determination device 17b communicates with the work segment 16c. Is monitored and worm determination processing is performed. The larger network segment 16d is a segment configured in ISP (Internet Service Provider) units, and a worm determination device 17c is connected to the network segment 16d, and the worm determination device 17c is connected to the work segment. The communication related to 16d is monitored and worm determination processing is performed.

  As described above, there are various network segment sizes and forms, and the worm determination system according to the present invention can be applied to the network segments of various sizes and forms.

  Next, the concept of the worm determination system according to the present embodiment will be described. FIG. 1 is a conceptual diagram illustrating the concept of the worm determination system according to the present embodiment. As shown in FIG. 1, this worm determination system has a configuration in which network segments 10a to 10d including at least one server device or client device are connected to a network 11 via worm determination devices 20a to 20d. ing. Here, the network 11 indicates the Internet, an intranet, an ISP network, or the like.

  The worm determination devices 20a to 20d include communication packets transmitted from the other network segments 10a to 10d to the network segments 10a to 10d, and communication packets transmitted from the network segments 10a to 10d to the other network segments 10a to 10d. And processing for determining whether or not the communication by the communication packet is communication performed by the worm.

  Specifically, the number of communication packets per unit time, information on the source IP address and destination IP address of each communication packet, etc. are acquired, and the network segments 10a to 10d to be monitored are based on the acquired information. It is determined whether or not there is a worm attack from the network segment 10 and whether or not a worm attack is made on the computers in the other network segments 10 a to 10 d from the network segments 10 a to 10 d.

  Here, the number of packets per unit time of communication packets generated when a worm is infected and the change in the information of the source IP address and destination IP address of each communication packet depend on the type of computer such as a server device or a client device. In this worm determination system, it is possible to easily and efficiently detect a worm regardless of whether it is a server device or a client device.

  Rather than registering the characteristics of the worm in advance and detecting communication by the worm with reference to the characteristics, the number of communication packets per unit time, the source IP address and the destination IP address of each communication packet Therefore, it is possible to appropriately deal with an unknown worm.

  Next, the functional configuration of the worm determination devices 20a to 20d according to the present embodiment will be described. FIG. 2 is a functional block diagram illustrating a functional configuration of the worm determination devices 20a to 20d according to the present embodiment. Since each of the worm determination devices 20a to 20d has the same function, the functional configuration of the worm determination device 20a will be described here.

  As shown in FIG. 2, the worm determination device 20a is connected to the network 12 excluding the network segment A10a and the network segment A10a via the LAN 21 and the network 21. Here, the LAN 21 is a network such as an intranet.

  The worm determination device 20a is a device according to the present invention. The worm determination device 20a acquires information related to the communication amount of communication packets and the communication address of communication packets based on setting information related to acquisition of information. This is a determination device that determines whether or not the communication is a communication made by a worm based on information relating to a determination criterion that defines whether or not the communication is performed by the worm.

  The worm determination device 20a includes an interface unit 200, an input unit 210, a display unit 220, a storage unit 230, and a control unit 240. The interface unit 200 is a network interface that relays transmission / reception of communication data between the network segment A 10 a and the network 12 excluding the network segment A via the LAN 21 and the network 21.

  The input unit 210 is an input device such as a keyboard or a mouse, and the display unit 220 is a display device such as a display. The storage unit 230 is a storage device such as a hard disk device, and the storage unit 230 stores setting data 230a, communication log data 230b, and worm data 230c.

  The setting data 230a includes setting information related to the acquisition of information related to the communication amount of communication packets and the communication address of communication packets, information related to determination criteria for specifying whether the monitored communication is communication performed by a worm, and the like. This is data that stores various setting information.

  FIG. 3 is a diagram illustrating an example of the setting data 230a illustrated in FIG. The setting data 230a includes setting items, initial settings, and settings after a SYN packet abnormality is detected. The setting item is each item set in the setting data 230a, the initial setting is setting information referred to during normal monitoring, and the setting after the SYN packet abnormality is detected is an abnormality detected in the SYN packet being monitored. In this case, the setting information is referred to instead of the initial setting. As described later, this SYN packet abnormality means that the number of SYN packets measured within a unit time is equal to or greater than a predetermined threshold and the number of destination IP addresses is equal to or greater than a predetermined threshold.

  Specifically, the setting items include a SYN packet measurement unit time, a SYN ACK packet measurement unit time, a UDP packet measurement unit time, an ICMP (request) packet measurement unit time, and an ICMP (reply) packet measurement. Unit time, destination IP address measurement unit time, source IP address measurement unit time, destination port number reference, SYN packet count threshold, SYN ACK packet count threshold, UDP packet threshold, ICMP (request) packet The threshold value, the ICMP (reply) packet threshold value, the destination IP address number threshold value, the source IP address number threshold value, the monitoring location, the network direction to be monitored, and the time from blocking and detection to blocking are registered.

  The measurement unit time of the SYN packet, the measurement unit time of the SYN ACK packet, the measurement unit time of the UDP packet, the measurement unit time of the ICMP (request) packet, and the measurement unit time of the ICMP (reply) packet are respectively TCP (Transmission Control Protocol). ) Send a base packet SYN packet, a SYN ACK packet sent as a response when the computer receives the SYN packet, a UDP (User Datagram Protocol) based packet, and an operation confirmation message of the other computer ICMP (Internet Control Message Protocol) (request) packet, its ICPM (requests) ) Is a unit for measuring the number of ICMP (reply) packet sent in reply packet time. For example, this unit time of 1 sec means that the number of transmissions or receptions of the packet per second is measured every second.

  The measurement unit time of the destination IP address and the measurement unit time of the source IP address are unit times for measuring the destination IP address and the source IP address of each packet. For example, this unit time of 1 sec means that the destination IP address and the source IP address of the packet for 1 second are measured every second. The reference of the destination port number is an item for setting whether or not to refer to the destination port number of each packet in real time, and is set to either “ON” or “OFF”.

  The threshold of the number of SYN packets, the threshold of the number of SYN ACK packets, the threshold of the UDP packet, the threshold of the ICMP (request) packet, and the threshold of the ICMP (reply) packet determine whether or not communication performed by the worm is performed. Threshold information on the number of packets used at the time. The threshold value for the number of destination IP addresses and the threshold value for the number of transmission source IP addresses are threshold information on the number of destination IP addresses and the number of transmission source IP addresses used when determining whether or not communication performed by the worm is performed. is there. Here, the number of destination IP addresses or the number of transmission source IP addresses is the number of different destination IP addresses or transmission source IP addresses measured within the measurement unit time of the destination IP address or the measurement unit time of the transmission source IP address.

  The monitoring location is an item for setting a network driver for monitoring a packet. For example, the monitoring location is set as a network driver “Eth0” or the like. The network direction to be monitored is an item for setting the direction of packet communication to be monitored. For example, when monitoring only packets transmitted outside from the network segment A10a to which the worm determination device 20a is connected, “Outgoing” is set, and the network 12 excluding the network segment A from the network segment A10a When monitoring a transmitted packet, it is set to “incoming”, and when both packets are monitored, it is set to “both”.

  Blocking is an item for setting whether or not to block communication when packet communication is determined to be communication performed by a worm, and is set to either “ON” or “OFF”. The time from detection to blocking is an item for setting a waiting time until the packet communication is blocked when the packet communication performed by the worm is detected. For example, “5 sec” is set.

  Returning to the description of FIG. 2, the communication log data 230b is data storing communication records of packet communication. Specifically, information on the number of communication packets and the number of IP addresses acquired based on the setting data 230a shown in FIG. 3, information on determination results for determining whether communication is performed by a worm, and the like are stored. ing.

  FIG. 4 is a diagram illustrating an example of the communication log data 230b illustrated in FIG. As shown in FIG. 4, this communication log data 230b has items of measurement time, number of packets, and number of IP addresses. The measurement time is the time when measurement is performed, and the number of packets is the number of packets measured at each measurement time. This number of packets further includes items of the number of SYN packets, the number of SYN ACK packets, the number of UDP packets, the number of ICMP (request) packets, and the number of ICMP (reply) packets, and the number of packets measured for each type of packet. Is memorized.

  The number of IP addresses is the number of IP addresses measured at each measurement time. The number of IP addresses further includes items of the number of destination IP addresses and the number of source IP addresses, and information on the number of destination IP addresses and the number of source IP addresses of communication packets at each measurement time is stored.

  3 is “ON” in the setting data 230a shown in FIG. 3, the most frequent destination port number acquired by the communication information acquisition unit 240a in the communication log data 230b. Is stored for each measurement time (not shown in FIG. 4). Further, in the communication log data 230b, when it is determined that the communication by the worm has been performed, the determination result is stored together with information on the worm having similar communication method, communication speed, communication characteristics, and the like. (Not shown in FIG. 4).

  Returning to the description of FIG. 2, the worm data 230 c is data in which characteristics of communication performed by the worm are stored. Specifically, the worm data 230c stores information on the scan speed at which a worm found in the past scans another computer within a unit time and characteristic information of the worm such as a destination port number to attack.

  The control unit 240 is a control unit that controls the worm determination device 20a as a whole. The control unit 240 includes a communication information acquisition unit 240a, a worm determination unit 240b, a setting data change unit 240c, and a communication blocking unit 240d.

  The communication information acquisition unit 240a is an acquisition unit that acquires information related to the communication amount of the communication packet and the communication address of the communication packet based on the setting data 230a stored in the storage unit 230. Specifically, the communication information acquisition unit 240a measures the number of communication packets, acquires information on the destination IP address and the source IP address from the header of the communication packet, and determines the number of destination IP addresses and the source IP. Processing such as measuring the number of addresses or acquiring information on the most frequent destination port number from information such as the destination port number of the communication packet and storing it in the communication log data 230b is performed.

  Based on the information acquired by the communication information acquisition unit 240a and the setting data 230a stored in the storage unit 230, the worm determination unit 240b determines whether the packet communication to be monitored is communication performed by the worm. It is the determination part to do. Next, the contents of this determination process will be specifically described.

  FIG. 5 is a diagram illustrating an example of a worm determination process for each type of packet performed by the worm determination unit 240b illustrated in FIG. In FIG. 5, the contents of the determination process performed by the worm determination unit 240b are divided into three cases. Case 1 is a case where a situation is observed in which the number of SYN packets is increased and the number of destination IP addresses is increased while monitoring outgoing communication.

  Since this situation means that many SYN packets are transmitted to various computers outside the network segment A10a, the worm determination unit 240b has the TCP-based worm infected with the computers in the network segment A10a. It is determined that a random scan is being performed on a computer outside the network segment A10a. In this case, the worm determination unit 240b further measures the destination port number and detects which service is targeted from the most frequent destination port number. For example, if the measured most frequent destination port number is 80, it can be determined that the worm is aimed at the Web service.

  Case 2 is a case where a situation is observed in which the number of UDP packets increases and the number of destination IP addresses increases while monitoring outgoing communication. Since this situation means that many UDP packets are transmitted to various computers outside the network segment A10a, the worm determination unit 240b has the UDP-based worm infected with the computers in the network segment A10a. It is determined that a random scan is being performed on a computer outside the network segment A10a. In this case, the worm determination unit 240b further measures the destination port number and detects which service is targeted from the most frequent destination port number. For example, if the measured most frequent destination port number is 53, it can be determined that the worm is aimed at the DNS service.

  Case 3 is a case where a situation is observed in which the number of ICMP (request) packets is increased and the number of destination IP addresses is increased while monitoring Outgoing communication. This situation means that many ICMP (request) packets are transmitted to various computers outside the network segment A 10a. In this case, the worm determination unit 240b temporarily holds the determination of whether or not the transmission of the packet is due to the worm. The ICMP (request) packet is a packet for transmitting an operation confirmation message of the partner computer. If only the number of ICMP (request) packets and the number of destination IP addresses are increased, a random scan is performed by the worm. It is because it is unknown whether it is.

  In this case, the worm determination unit 240b determines whether the worm is a TCP-based worm or a UDP-based worm by monitoring the SYN packet or UDP packet transmitted thereafter and determining the situation as in case 1 or 2. Further, the destination port number is measured, and processing for detecting which service is targeted from the most frequent destination port number is performed. Here, three cases of cases 1 to 3 have been described. However, by adding various situations, it is possible to determine in detail whether or not the communication is performed by a worm for each packet type.

  FIG. 6 is a diagram illustrating an example of processing for determining the presence / absence of a worm scan from outside the network segment performed by the worm determination unit 240b illustrated in FIG. Here, a case where an abnormality is detected in the SYN ACK packet is shown. As illustrated in FIG. 6, the worm determination unit 240b refers to the communication log data 230b and checks whether the number of packets and the number of IP addresses of each packet are equal to or greater than a threshold stored in the setting data 230a. For example, when the threshold value for the number of SYN ACK packets is “10” and the threshold value for the number of transmission source IP addresses is “10”, the worm determination unit 240 b measures the measurement time “10:00:35 to 10:00:36”. ", The number of SYN ACK packets" 30 "is greater than or equal to the threshold value" 10 "and the number of source IP addresses" 36 "is greater than or equal to the threshold value" 10 ", so an abnormality in the SYN ACK packet is detected.

  In addition, the worm determination unit 240b performs processing for detecting which service is the worm from information on the most frequent destination port number of the SYN ACK packet acquired by the communication information acquisition unit 240a. The communication log data 230b in FIG. 6 shows information on the acquired most frequent destination port number “80”. Percentage information (“90%” and “92%”) shown in the most frequent destination port number column monitors the “number of SYN ACK packets” and “number of source IP addresses” within the measurement time. Of all the packets, the ratio of the packets with the most frequent destination port number “80” is shown.

  Thereafter, the worm determination unit 240b determines whether or not there is a worm scan based on the above information, and performs a process of outputting the worm determination result 60. Specifically, the worm determination unit 240b transmits more SYN ACK packets than the threshold from the network segment A10a as a response when receiving the SYN packet, and the number of source IP addresses of the SYN ACK packet exceeds the threshold. Because there are many, it is determined that the computer in the network 12 excluding the network segment A has been randomly scanned by the worm to the computer in the network segment A 10a, and the worm determination result 60 is output.

  The worm determination result 60 includes information on a scan method, a scan source IP address, a most frequent destination port number, and a warning message. The scan method indicates the type of packet used when the worm performs a random scan, and the scan source IP address is the IP address of the computer that is transmitting the packet used for the random scan. The information on the scan source IP address can be acquired from the header of the packet. The most frequent destination port number is the most frequent destination port number included in the communication log data 230b, and the warning message is a message notifying the user of the determination result and calling attention. In the example of FIG. 6, since a random scan from a computer on the network 12 excluding the network segment A is detected, the user is notified that a worm targeting the vulnerability of the Web service may enter from the outside.

  FIG. 7 is a diagram illustrating an example of processing for determining the presence / absence of a worm infection performed by the worm determination unit 240b illustrated in FIG. Here, a case where an abnormality is detected in the SYN packet is shown. As illustrated in FIG. 7, the worm determination unit 240b refers to the communication log data 230b and checks whether the number of packets and the number of IP addresses of each packet are equal to or greater than a threshold stored in the setting data 230a. For example, when the threshold for the number of SYN packets is “10” and the threshold for the number of destination IP addresses is “10”, the worm determination unit 240b has a measurement time of “10:00:37 to 10:00:38”. Since the number of SYN packets “22” is equal to or greater than the threshold “10” and the number of destination IP addresses “28” is equal to or greater than the threshold “10”, an abnormality of the SYN packet is detected.

  In addition, the worm determination unit 240b performs processing for detecting which service is targeted for the worm from information on the most frequent destination port number of the SYN packet acquired by the communication information acquisition unit 240a. The communication log data 230b in FIG. 7 includes information on the acquired most frequent destination port number “80” and the ratio of packets having the most frequent destination port number “80” out of all the monitored packets. Information (“94%” and “89%”) is shown for each measurement item of the number of SYN packets and the number of destination IP addresses.

  Thereafter, the worm determination unit 240b determines whether or not there is a worm infection based on the above information, and performs a process of outputting the worm determination result 70. Specifically, the worm determination unit 240b transmits the SYN packet from the network segment A10a to the network segment because the SYN packet is transmitted from the network segment A10a more than the threshold and the number of destination IP addresses of the SYN packet is larger than the threshold. It is determined that a random scan by the worm is performed on the computers in the network 12 except A, and the worm determination result 70 is output.

  The worm determination result 70 includes information on a scanning method, a scanning speed, the number of infected computers, an infected computer name, an infected computer IP address, a most frequent destination port number, and a warning message. The scan method indicates the type of packet used when the worm performs a random scan, and the scan speed is information on the speed at which the scan was performed per second. The number of infected computers is the number of computers that may be infected with the worm, and the infected computer name is the name of a computer that may be infected with the worm. The infected computer IP address is an IP address of a computer that may have been infected with the worm.

  The information on the scan speed can be calculated from information on the number of computers (destination IP addresses) to which SYN packets are transmitted per unit time. Further, the infected computer IP address can be obtained from the header of the SYN packet, and the information on the number of infected computers can be obtained from the number of infected computer IP addresses. The infected computer name can be acquired by preparing a database (not shown in FIG. 2) that stores the IP address and the computer name in association with each other. The most frequent destination port number is the most frequent destination port number included in the communication log data 230b, and the warning message is a message notifying the user of the determination result and calling attention.

  In the example of FIG. 7, since the worm determination unit 240b detects a random scan from within the network segment A10a and the most frequent destination port number is “80”, the Web server in the network segment A10a may have been infected. Notify the user that there is Further, the worm determination unit 240b refers to the characteristics of the worm stored in the worm data 230c of the storage unit 230, and as a result, the information on the worm determined to be similar or the information on the network subjected to the random scan. Etc. to the user.

  FIG. 8 is a diagram illustrating an example of processing for determining the presence / absence of a worm infection due to an attack from outside the network segment A10a performed by the worm determination unit 240b illustrated in FIG. Here, a case where an abnormality is detected in the SYN packet after an abnormality is detected in the SYN ACK packet is shown. As illustrated in FIG. 8, the worm determination unit 240b refers to the communication log data 230b and checks whether the number of packets and the number of IP addresses of each packet are equal to or greater than a threshold stored in the setting data 230a.

  For example, when the threshold value for the number of SYN ACK packets is “10” and the threshold value for the number of transmission source IP addresses is “10”, the worm determination unit 240 b measures the measurement time “10:00:35 to 10:00:36”. ", The number of SYN ACK packets" 30 "is greater than or equal to the threshold value" 10 "and the number of source IP addresses" 36 "is greater than or equal to the threshold value" 10 ", so an abnormality in the SYN ACK packet is detected. Further, when the threshold value of the number of SYN packets is “10” and the threshold value of the number of destination IP addresses is “10”, the worm determination unit 240b takes the measurement time “10:00:37 to 10:00:38”. Since the number of SYN packets “22” is equal to or greater than the threshold “10” and the number of destination IP addresses “28” is equal to or greater than the threshold “10”, an abnormality of the SYN packet is detected.

  Further, the worm determination unit 240b performs processing to detect which service is targeted from the SYN ACK packet acquired by the communication information acquisition unit 240a and information on the most frequent destination port number of the SYN packet. The communication log data 230b of FIG. 8 includes information on the acquired most frequent destination port number “80” and the ratio of packets with the most frequent destination port number “80” among all the monitored packets. Information (“87%”, “87%”, “89%”, and “86%”) for each measurement item of the number of SYN packets, the number of SYN ACK packets, the number of destination IP addresses, and the number of source IP addresses Is shown in

  Thereafter, the worm determination unit 240b determines whether or not there is a worm infection based on the above information and performs a process of outputting the worm determination result 80. Specifically, the worm determination unit 240b excludes the network segment A because the SYN ACK packet is transmitted more than the threshold value from within the network segment A 10a and the number of source IP addresses of the SYN ACK packet is greater than the threshold value. It is determined that a random scan by a worm has been performed from a computer in the network 12 to a computer in the network segment A 10a.

  Further, since the worm determination unit 240b transmits more SYN packets than the threshold value from within the network segment A10a, and the number of destination IP addresses of the SYN packet is greater than the threshold value, the computer in the network segment A10a performs the random scan. It is determined that the computer in the network 12 excluding the network segment A from the computer infected with the worm has been randomly scanned, and the worm determination result 80 is output.

  The worm determination result 80 includes information on the scan method, the most frequent destination port number, and a warning message. The scan method indicates the type of packet used when the worm performs a random scan, and the most frequent destination port number is the most frequent destination port number included in the communication log data 230b. The warning message is a message for notifying the user of the determination result and calling attention, and notifies the user that the Web server in the network segment A10a may be infected by an external worm attack.

  FIG. 9 is a diagram illustrating an example of a process for determining the presence or absence of worm infection in a plurality of computers performed by the worm determination unit illustrated in FIG. 2. Here, after an abnormality is detected in the SYN packet, if an abnormality is detected again in the SYN packet, the number of destination IP addresses when an abnormality is detected in the SYN packet again is detected in the previous SYN packet. The situation shows an increase compared to the number of destination IP addresses at that time.

  As illustrated in FIG. 9, the worm determination unit 240b refers to the communication log data 230b and checks whether the number of packets and the number of IP addresses of each packet are equal to or greater than a threshold stored in the setting data 230a. For example, when the threshold value of the SYN packet number is “10” and the threshold value of the transmission source IP address is “10”, the worm determination unit 240b at the measurement time “10:00:37 to 10:00:38” Since the number of SYN packets “22” is equal to or greater than the threshold “10” and the number of destination IP addresses “28” is equal to or greater than the threshold “10”, an abnormality of the SYN packet is detected. Further, the worm determination unit 240b determines that the number of SYN packets “49” is greater than or equal to the threshold “10” and the number of destination IP addresses “60” is the threshold at the measurement time “10:00:39 to 10:00:40”. Since it is “10” or more, the abnormality of the SYN packet is detected again.

  Further, the worm determination unit 240b performs processing for detecting which service is targeted for the worm from the information of the most frequent destination port number of the SYN packet acquired by the communication information acquisition unit 240a. The communication log data 230b of FIG. 9 includes information on the acquired most frequent destination port number “80” and the ratio of packets with the most frequent destination port number “80” among all the monitored packets. Information (“92%” and “95%”) is shown for each measurement item of the number of SYN packets and the number of destination IP addresses.

  Thereafter, the worm determination unit 240b determines whether or not there is a worm infection based on the above information, and performs a process of outputting the worm determination result 90. Specifically, the worm determination unit 240b transmits the SYN packet more than the threshold value from the network segment A10a and the number of destination IP addresses of the SYN packet is greater than the threshold value, so that the computer in the network segment A10a It is determined that the computer on the network 12 excluding the network segment A from the computer infected with the worm has been randomly scanned.

  Also, the worm determination unit 240b has the most frequent destination port number “80”, and the destination IP address when an abnormality is detected in the current SYN packet is the destination when the abnormality was detected in the previous SYN packet. Since the number of IP addresses has increased by a factor of two or more, it is determined that a plurality of Web servers in the network segment A 10a are infected with the worm, and the worm determination result 90 is output. Here, it is determined that a plurality of Web servers have been infected when the number of destination IP addresses has increased by a factor of two or more, but this multiple can be arbitrarily set.

  The worm determination result 90 includes information on a scan method, a scan speed, the number of infected computers, an infected computer name, an infected computer IP address, a most frequent destination port number, and a warning message. The scan method indicates the type of packet used when the worm performs a random scan, and the scan speed is information on the speed at which the scan was performed per second. The number of infected computers is the number of computers infected with the worm, and the infected computer name is the name of a computer that may be infected with the worm. The infected computer IP address is an IP address of a computer that may have been infected with the worm. In the example of FIG. 9, information on infected computer names and infected computer IP addresses of two Web servers that may have been infected with the worm is shown.

  The most frequent destination port number is the most frequent destination port number included in the communication log data 230b, and the warning message is a message notifying the user of the determination result and calling attention. In the example of FIG. 9, the worm determination result 90 notifies the user as a warning message that a plurality of Web servers in the network segment A 10a may be infected with the worm.

  Returning to the description of FIG. 2, the setting data changing unit 240c is configured to input a new data input by the user when there is a change in the setting data 230a referred to by the communication information acquiring unit 240a, the worm determining unit 240b, or the communication blocking unit 240c. Is a change unit that changes the setting data 230a by adding new setting items, updating setting items, or deleting setting items that have already been set. In addition, when an abnormality is detected in the monitored SYN packet, the setting data changing unit 240c performs processing to change the setting of the setting data 230a from the initial setting to the setting after the SYN packet abnormality is detected.

  The communication blocking unit 240d is a blocking unit that blocks packet communication performed by the worm when the worm determination unit 240b determines that the packet communication is packet communication performed by the worm. This blocking process is performed when the setting item “blocking” is “ON” in the setting data 230a of FIG. Further, the communication blocking unit 240d refers to the setting item “time from detection to blocking” of the setting data 230a in FIG. 3 and waits for the set time, and then starts the blocking process.

  Specifically, the communication blocking unit 240d blocks packet communication by the worm in three ways. FIG. 10 is a diagram illustrating an example of a blocking process for blocking communication performed by the worm performed by the communication blocking unit 240d illustrated in FIG. As shown in FIG. 10, in the method 1, the communication blocking unit 240d blocks specific outgoing communication (random scan) from all computers in the network segment A10a including the computer determined to be infected with the worm. Is the method. In this method 1, outgoing communication is blocked with reference to information on whether the protocol of the communication packet transmitted by the worm is TCP-based or UDP-based, information on the most frequent destination port number of the communication packet, and the like. At that time, the communication blocking unit 240d does not block communication packets other than the communication packet specified from the information, and suppresses communication failure to a minimum.

  Method 2 is a method in which the communication blocking unit 240d blocks a specific outgoing communication (random scan) from a computer determined to be infected with a worm in the network segment A10a. In this method 2, information on whether the protocol of the communication packet transmitted by the worm is TCP-based or UDP-based, the source IP address that identifies the computer determined to be infected with the worm, the most frequent destination port number of the communication packet The outgoing communication is blocked by referring to the information of the above. At that time, the communication blocking unit 240d does not block communication packets other than the communication packet specified from the information, and suppresses communication failure to a minimum.

  FIG. 11 is an explanatory diagram illustrating a blocking process in which the worm determination device 20a blocks communication performed by the worm. FIG. 11 shows a case where the Outgoing communication is blocked by the method 1 or 2. As shown in FIG. 11, the communication blocking unit 240d blocks the outgoing communication performed by the worm from the network segment A10a to be monitored by the worm determination device 20a, and is transmitted to the network 21 excluding the network segment A by the worm. Prevent communication packets from reaching. For communication packets other than communication packets transmitted by the worm, the communication blocking unit 240d passes the worm determination device 20a to avoid communication failure.

  Returning to the description of FIG. 10, after the blocking process according to the method 1 or the method 2, the method 3 is a method in which the communication blocking unit 240d remotely stops the random scan of the computer determined to be infected with the worm. . Specifically, the communication blocking unit 240d accesses a computer determined to be infected with the worm, stops a process performing random scanning, or a personal firewall of the computer determined to be infected with the worm. The function is set to active, and the random scan performed by the own device is blocked by the own device. In this method 3, information on whether the protocol of the communication packet transmitted by the worm is TCP-based or UDP-based, the source IP address for identifying the computer determined to be infected with the worm, the most frequent destination port number of the communication packet The random scan is blocked by remote control with reference to the information. At that time, the communication blocking unit 240d operates so that the computer determined to be infected with the worm does not block communication packets other than the communication packet specified from the above information, and minimizes communication failure. .

  FIG. 12 is an explanatory diagram for explaining a blocking process for blocking the communication performed by the worm to the infected computer itself. FIG. 12 shows a case where random scan is blocked by Method 3. As shown in FIG. 12, the communication blocking unit 240d blocks the random scan from the network segment A10a to be monitored by the computer itself determined to be infected with the worm, and causes the network 21 excluding the network segment A to Prevent communication packets sent by the worm from reaching. For communication packets other than communication packets transmitted by the worm, the communication blocking unit 240d operates the computer so that the computer determined to be infected with the worm does not block to avoid a communication failure. Here, the blocking process by the method 3 is performed after the blocking process by the method 1 or 2, but the blocking process by the method 3 may be performed alone.

  Here, “communication information acquisition means” and “communication information acquisition procedure” / “communication information acquisition step” in the claims or the appendix described later are the communication information acquisition unit 240a and the communication information acquisition unit 240a shown in FIG. "Worm determination means" and "Worm determination procedure" / "Worm determination process" correspond to the procedure / process performed by the worm determination unit 240b and the worm determination unit 240b. "Procedure" corresponds to the procedure performed by the setting data changing unit 240c, and "Communication blocking means" and "Communication blocking procedure" / "Communication blocking process" are the procedures / processes performed by the communication blocking unit 240d and the communication blocking unit 240d. Correspond.

  In addition, “setting information related to information acquisition” in the claims or the appendix described later includes “measurement unit time of SYN packet”, “measurement unit time of SYN ACK packet”, and “UDP packet “Measurement unit time”, “Measurement unit time of ICMP (request) packet”, “Measurement unit time of ICMP (reply) packet”, “Measurement unit time of destination IP address”, “Measurement unit time of source IP address”, Corresponding to the information of each setting item of “reference to destination port number”, “monitoring location”, and “direction of network to be monitored”, “determination criteria for specifying whether communication is made by a worm” is “ “Threshold of SYN packet count”, “Threshold of SYN ACK packet count”, “Threshold of UDP packet”, “Threshold of ICMP (request) packet” ”,“ ICMP (reply) packet threshold ”,“ destination IP address number threshold ”, and“ source IP address number threshold ”.

  In addition, “information about the computer” in the claims or the appendix to be described later is “scanning IP address”, “number of infected” in the worm determination result 60, 70, or 90 shown in FIG. Corresponding to “infected computer name”, “infected computer IP address”, etc., and “information relating to communication status” is “scanning method” in the worm determination results 60, 70, 80 or 90 shown in FIGS. , “Most frequent destination port number”, warning message, “scan speed”, etc., “Log” corresponds to the communication log data 230b shown in FIG.

  Next, a hardware configuration of the worm determination device 20a according to the present embodiment will be described. FIG. 13 is a block diagram illustrating a hardware configuration of the worm determination device 20a according to the present embodiment. As shown in FIG. 13, the worm determination device 20 a has a configuration in which a keyboard 130, a display 131, a CPU 132, a RAM 133, an HDD 134, a ROM 136, and a network I / F 137 are connected via a bus 138.

  The network I / F 137 performs communication processing via the LAN 21 or the network 11 between the network segment A10a or the network 12 excluding the network segment A and the worm determination device 20a.

  A hard disk (HD) 135, which is a storage medium that the HDD 134 stores and reads, stores a worm determination program 135a that is realized by executing the worm determination method shown in the present embodiment with a computer. Then, the program is analyzed by the CPU 132 and the worm determination process is executed.

  This worm determination process corresponds to the functions of the communication information acquisition unit 240a, worm determination unit 240b, setting data change unit 240c, and communication blocking unit 240d in the control unit 240 shown in FIG. Setting data 240a, communication log data 240b, and worm data 240c are also stored in the HD 135, read into the RAM 133, and referred to by the CPU 132.

  The worm determination program 135a can be distributed via a network such as the Internet. The worm determination program 135a can also be executed by being recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, and a DVD, and being read from the recording medium by the computer. .

  Next, a processing procedure of worm determination processing according to the present embodiment will be described. FIG. 14 is a flowchart illustrating the procedure of the worm determination process according to the present embodiment. As shown in FIG. 14, first, the setting data changing unit 240c of the worm determination device 20a receives the setting input by the user when the setting data 230a is changed (step S1401).

  Subsequently, the communication information acquisition unit 240a monitors network communication between the computer in the network segment A10a and the computer in the network 12 excluding the network segment A (step S1402), and the measurement unit set in the setting data 230a It is checked whether the measurement time for measuring the packet has come based on the time (step S1403).

  If the measurement time for measuring the packet is not yet reached (step S1403, No), the process proceeds to step S1402 and the subsequent processing is continued. When the measurement time for measuring the packet comes (step S1403, Yes), the communication information acquisition unit 240a acquires the packet information and stores the acquired information in the communication log data 230b (step S1404).

  Thereafter, the worm determination unit 240b performs a process of determining whether or not packet communication has been performed by the worm based on the information acquired by the communication information acquisition unit 240a and stored in the communication log data 230b (step S1). S1405). This situation determination processing will be described in detail later with reference to FIGS. 15-1 and 15-2.

  If the worm determination unit 240b determines that the packet communication to be monitored is not due to a worm (No in step S1406), the process proceeds to step S1402 and the subsequent processing is continued. If it is determined that the packet communication is due to a worm (step S1406, Yes), the worm determination unit 240b obtains and outputs information on the worm having a similar worm scanning method, scanning speed, and scanning characteristics, and the like. The process to perform is performed (step S1407).

  Thereafter, the communication blocking unit 240d performs a process of blocking packet communication determined to be performed by the worm by the method described with reference to FIGS. 10 to 12 (step S1408), and ends the worm determination process.

  Next, the procedure of the situation determination process shown in FIG. 14 will be described. FIGS. 15A and 15B are flowcharts (1) and (2) illustrating the procedure of the situation determination process illustrated in FIG. As illustrated in FIG. 15A, first, the worm determination unit 240b transmits the transmission of the SYN ACK packet acquired by the communication information acquisition unit 240a to be larger than the threshold of the number of SYN ACK packets set in the setting data 230a. It is checked whether or not the number of source IP addresses is larger than the threshold value of the number of source IP addresses set in the setting data 230a (step S1501).

  When the number of SYN ACK packets is larger than the threshold value for the number of SYN ACK packets and the number of transmission source IP addresses is larger than the threshold value for the number of transmission source IP addresses, the worm determination unit 240b (Yes in step S1501). Then, it is determined that there is a worm scan from outside the network segment A10a (step S1502), and the determination result is stored in the communication log data 230b (step S1511) as shown in FIG. finish.

  In step S1501, if either the condition that the number of SYN ACK packets is larger than the threshold value for the number of SYN ACK packets or the condition that the number of source IP addresses is larger than the threshold value for the number of source IP addresses is not satisfied (No in step S1501), the worm determination unit 240b determines that the number of SYN packets acquired by the communication information acquisition unit 240a is larger than the threshold value of the number of SYN packets set in the setting data 230a, and the number of destination IP addresses is the setting data. It is checked whether it is larger than the threshold value of the number of destination IP addresses set in 230a (step S1503).

  If either the condition that the number of SYN packets is larger than the threshold value for the number of SYN packets or the condition that the number of destination IP addresses is larger than the threshold value for the number of destination IP addresses is not satisfied (No in step S1503). Then, it is determined that there is no worm scan from outside the network segment A10a (step S1504), and as shown in FIG. 15-2, the determination result is stored in the communication log data 230b (step S1511). finish.

  When the number of SYN packets is larger than the threshold value for the number of SYN packets and the number of destination IP addresses is larger than the threshold value for the number of destination IP addresses (step S1503, Yes), the worm determination unit 240b detects from outside the network segment A10a. It is checked whether or not it is determined that there is a worm scan in the past predetermined time (step S1505). The past predetermined time is, for example, between 5 minutes ago and the present time.

  If it is determined that there is a worm scan from outside the network segment A10a within the past predetermined time (step S1505, Yes), the worm determination unit 240b, as shown in FIG. It is determined that the internal computer is infected with the worm by packet communication from outside the network segment A10a (step S1506).

  If it is not determined that there is a worm scan from outside the network segment A10a within the past predetermined time (step S1505, No), the worm determination unit 240b, as shown in FIG. It is determined that the computer in A10a is infected with the worm for a reason other than packet communication from outside the network segment A10a (step S1507). Here, the cause other than the packet communication from outside the network segment A10a is a case where a computer in the network segment A10a is infected with a worm from a storage medium such as a flexible disk (FD) or a CD-ROM.

  After the determination process in step S1506 or step S1507, the worm determination unit 240b determines that the number of destination IP addresses detected this time is equal to or more than twice the maximum number of destination IP addresses detected in the past predetermined time. Whether or not (step S1508). If the number of destination IP addresses detected this time is equal to or more than twice the maximum number of destination IP addresses detected in the past predetermined time (step S1508, Yes), the number in the network segment A10a It is determined that a plurality of computers are infected with the worm (step S1509), and the setting data changing unit 240c sets the setting of the setting data 230a referred to by the communication information acquiring unit 240a, the worm determining unit 240b, or the communication blocking unit 240d as an initial value. Processing to change from setting to setting after detecting SYN packet abnormality is performed (step S1510).

  In step S1508, if the number of destination IP addresses detected this time is not equal to or more than twice the maximum number of destination IP addresses detected in the past predetermined time (step S1510), the process proceeds to step S1510. The setting data changing unit 240c performs processing for changing the setting of the setting data 230a from the initial setting to the setting after the SYN packet abnormality is detected. Thereafter, the worm determination unit 240b stores the determination result in the communication log data 230b, and ends this situation determination process.

  As described above, in the present embodiment, the communication information acquisition unit 240a obtains information related to the communication amount of the communication packet and the communication address of the communication packet based on the setting information related to the acquisition of the information stored in the setting data 230a. The worm determination unit 240b acquires the information acquired by the communication information acquisition unit 240a and the information related to the determination criterion stored in the setting data 230a that defines whether the communication is communication performed by the worm. Since it is determined whether or not the communication is performed by a worm, it can be easily and efficiently determined whether or not the communication is performed by a worm regardless of whether the communication is performed by a server device or a client device.

  In this embodiment, when it is determined that the communication is performed by the worm, the setting data changing unit 240c changes the setting information related to the acquisition of information stored in the setting data 230a, and the communication information acquiring unit 240a is to acquire the information related to the communication amount of the communication packet and the communication address of the communication packet on the basis of the setting information related to the acquisition of the changed information, so that it is determined that the communication is communication performed by the worm By changing the setting information related to the acquisition of information, the behavior of the worm can be monitored in more detail.

  Further, in the present embodiment, the setting data changing unit 240c adds information to be newly set to setting information related to acquisition of information stored in the setting data 230a, or is already set to setting information related to acquisition of information. Therefore, it is possible to appropriately monitor the behavior of the worm by appropriately updating the setting information related to the information acquisition.

  In this embodiment, when it is determined that the communication is performed by a worm, the setting data changing unit 240c changes the information related to the determination criterion stored in the setting data 230a, and the communication information acquiring unit 240a Since it was decided whether or not the communication was made by a worm based on the acquired information and the information related to the changed judgment criteria, if the communication was judged to be made by a worm, By changing such information, it is possible to determine whether or not the communication is made by a worm more strictly.

  In the present embodiment, the setting data changing unit 240c adds information to be newly set to the information related to the determination criterion stored in the setting data 230a, or the information already set in the information related to the determination criterion. Since the deletion is performed, it is possible to appropriately determine whether or not the communication is made by the worm by appropriately updating the information related to the determination criterion.

  In this embodiment, the worm determination unit 240b increases the packet amount of communication packets transmitted from the network segment A10a to be monitored to monitor communication to the network 12 excluding the network segment A, and the communication packet When the number of destination addresses increases, it is determined that the communication from the computer in the network segment A10a is a communication made by the worm. Therefore, when the communication by the worm is made from the computer in the network segment A10a, It can be easily and efficiently determined.

  Further, in this embodiment, the worm determination unit 240b has previously determined that the communication from the computer in the network segment A10a to be monitored is a communication performed by the worm, and from the network segment A10a to the network segment. The network segment A10a is excluded from the network segment A10a acquired by the communication information acquisition unit 240a when it is determined that the destination address number of the communication packet transmitted to the network 12 excluding A10a is communication performed by the worm. When the number of destination addresses of communication packets transmitted to the network 12 is increased, it is determined that the communication from the computer in the network segment A 10a is a communication made by a worm infected with a plurality of computers. Since the Rukoto can communication by the worm when made from a plurality of computers in a given network segment A 10a, to determine it easily and efficiently.

  In this embodiment, the worm determination unit 240b increases the packet amount of response communication packets to the communication packets transmitted from the network 12 excluding the network segment A with respect to the network segment A10a to be monitored. When the number of source addresses of communication packets increases, it is determined that the communication from the computer outside the network segment A 10a is a communication performed by the worm, so that the communication by the worm is a predetermined network segment A 10a. If made from an external computer, it can be easily and efficiently determined.

  Further, in this embodiment, when the worm determination unit 240b determines that the communication is communication performed by the worm, the information related to the computer that performed communication is further output. Can identify computers that may be infected by a worm.

  Further, in this embodiment, when the worm determination unit 240b determines that the communication is communication performed by the worm, the information related to the communication status of the communication is further output, so the information related to the output communication status You can know the activity status of the worm based on.

  In this embodiment, since the worm determination unit 240b stores the result of determining whether or not the communication is made by the worm as the communication log data 230b, the state of the communication made by the past worm is displayed. You can check at any time.

  In the present embodiment, when the worm determination unit 240b determines that the communication is communication performed by the worm, the communication stored in the worm data 230c related to the communication performed by the worm is determined to be performed by the worm. Since the type of worm is estimated by comparing with such a feature, it is possible to appropriately cope with the attack of the worm based on the information on the estimated type of worm.

  In the present embodiment, the communication blocking unit 240d blocks the communication performed by the worm when the communication is determined to be performed by the worm, so that the propagation of the worm is effectively suppressed. Can do.

  Further, in this embodiment, the communication blocking unit 240d blocks the communication performed by the worm by stopping the process started by the worm. Therefore, by stopping the processing itself performed by the worm, Proliferation can be effectively suppressed.

  Further, in this embodiment, the communication blocking unit 240d blocks communication by enabling the firewall function of the computer that is determined that the worm is present because communication performed by the worm is performed. By blocking communication with a computer infected with the worm, the propagation of the worm can be effectively suppressed.

  Although the embodiments of the present invention have been described so far, the present invention can be implemented in various different embodiments within the scope of the technical idea described in the claims other than the above-described embodiments. It may be done.

  For example, in this embodiment, the worm determination device 20a is connected to the network segment A10a via the LAN 21 here, but the present invention is not limited to this, and the worm determination device 20a is connected to the network segment A10a. It may be directly connected to the computer. Further, when the network segment A10a includes only one computer, a worm determination program may be introduced into the computer, and the computer may monitor communication related to the network segment A10a and perform worm determination processing.

  In addition, although mainly described as a type of communication packet to be monitored for monitoring a SYN packet and a SYN ACK packet, the present invention is not limited to this, and is based on a UDP packet, an ICMP packet, or another protocol. The present invention can be similarly applied to packets.

  Further, in this embodiment, based on the determination method as shown in FIGS. 5 to 9, it is determined whether or not the communication is performed by a worm, but the present invention is not limited to this. Instead, various other determination methods using information relating to the communication amount of the communication packet and the communication address of the communication packet may be applied.

  In addition, among the processes described in this embodiment, all or part of the processes described as being performed automatically can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedure, control procedure, specific name, and information including various data and parameters shown in the above-described document and drawings can be arbitrarily changed unless otherwise specified.

  Each component of each illustrated device is functionally conceptual and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of the worm determination devices 20a to 20d is not limited to that shown in the figure, and all or a part thereof can be functionally or physically processed in an arbitrary unit according to various loads or usage conditions. Can be distributed and integrated. Further, all or some of the processing functions performed by the worm determination devices 20a to 20d are realized by the CPU and a program that is analyzed and executed by the CPU, or are realized as hardware by wired logic. Can be done.

(Appendix 1) A worm determination program for monitoring communication related to a predetermined network segment connected to a network and determining whether the communication is communication performed by a worm,
A communication information acquisition procedure for acquiring information related to a communication amount of a communication packet and a communication address of the communication packet based on setting information related to acquisition of information;
Worm determination procedure for determining whether the communication is a communication made by a worm based on the information acquired by the communication information acquisition procedure and information relating to a determination criterion for specifying whether the communication is a communication made by a worm When,
A worm determination program for causing a computer to execute.

(Additional remark 2) When it is determined by the worm determination procedure that the communication is performed by a worm, the communication information acquisition procedure further includes a setting information change procedure for changing setting information related to the acquisition of the information. The worm determination according to appendix 1, wherein information relating to a communication amount of a communication packet and a communication address of the communication packet is acquired based on setting information related to acquisition of information changed by the information acquisition setting change procedure program.

(Supplementary note 3) When the communication is determined to be communication made by a worm according to the worm determination procedure, the information processing method further includes a determination criterion information change procedure for changing information related to the determination criterion, and the worm determination procedure includes the communication Supplementary note 1 or 2, wherein whether or not the communication is a communication made by a worm is determined based on information acquired by the information acquisition procedure and information on the determination criterion changed by the determination criterion information change procedure The worm determination program described in 1.

(Supplementary Note 4) The worm determination procedure includes a step of increasing a packet amount of communication packets transmitted from the predetermined network segment to be monitored to monitor communication to the outside of the predetermined network segment, and a destination of the communication packet The worm determination program according to appendix 1, 2 or 3, wherein when the number of addresses increases, it is determined that communication from a computer in the predetermined network segment is communication made by a worm.

(Supplementary Note 5) The worm determination procedure determines that communication from a computer in the predetermined network segment that is a monitoring target for monitoring communication is communication performed by a worm before, and from the predetermined network segment When the number of destination addresses of a communication packet transmitted outside a predetermined network segment is determined that the communication is communication performed by a worm, the predetermined address from the predetermined network segment acquired by the communication information acquisition unit is determined. When the number of destination addresses of communication packets transmitted outside the network segment is increased, it is determined that communication from a computer in the predetermined network segment is communication made by a worm infected with a plurality of computers. The worm determination program described in Appendix 4 Grams.

(Additional remark 6) The said worm determination procedure increases the packet amount of the response communication packet with respect to the communication packet transmitted from the outside of the predetermined network segment with respect to the predetermined network segment to be monitored. Any one of appendices 1 to 5, wherein when the number of transmission source addresses of the communication packet increases, it is determined that communication from a computer outside the predetermined network segment is communication performed by a worm. Worm determination program described in 1.

(Appendix 7) When the worm determination procedure determines that the communication is performed by a worm, the computer further performs communication or information related to the communication status is output. The worm determination program according to any one of the above.

(Supplementary Note 8) When the worm determination procedure determines that the communication is a communication made by a worm, the pre-registered feature related to the communication made by the worm is compared with the feature related to the communication determined to be made by the worm. The worm determination program according to any one of appendices 1 to 7, wherein the worm type is estimated by doing so.

(Supplementary note 9) Any one of Supplementary notes 1 to 8, further comprising a communication blocking procedure for blocking communication performed by the worm when the communication is determined to be performed by the worm according to the worm determination procedure. The worm determination program according to any one of the above.

(Additional remark 10) The said communication interruption | blocking procedure interrupts | blocks the communication made by a worm by stopping the process started by the worm, The worm determination program of Additional remark 9 characterized by the above-mentioned.

(Appendix 11) The worm according to appendix 9, wherein the communication blocking procedure blocks communication performed by the worm by enabling a firewall function of a computer that is determined to have the worm. Judgment program.

(Supplementary note 12) A computer-readable recording medium recording a worm determination program for monitoring communication related to a predetermined network segment connected to a network and determining whether the communication is communication performed by a worm,
A communication information acquisition procedure for acquiring information related to a communication amount of a communication packet and a communication address of the communication packet based on setting information related to acquisition of information;
Worm determination procedure for determining whether the communication is a communication made by a worm based on the information acquired by the communication information acquisition procedure and information relating to a determination criterion for specifying whether the communication is a communication made by a worm When,
A computer-readable recording medium on which a worm determination program for causing a computer to execute is recorded.

(Supplementary note 13) A worm determination method for monitoring communication related to a predetermined network segment connected to a network and determining whether the communication is communication performed by a worm,
A communication information acquisition step of acquiring information related to a communication amount of a communication packet and a communication address of the communication packet based on setting information related to acquisition of information;
Worm determination step for determining whether or not the communication is a communication made by a worm based on the information acquired by the communication information acquisition step and information relating to a determination criterion for specifying whether or not the communication is a communication made by a worm When,
A method for determining a worm characterized by including:

(Supplementary note 14) A worm determination device that monitors communication related to a predetermined network segment connected to a network and determines whether the communication is communication made by a worm,
Communication information acquisition means for acquiring information relating to the communication amount of the communication packet and the communication address of the communication packet based on the setting information relating to the acquisition of information;
Worm determination means for determining whether or not the communication is made by a worm based on the information acquired by the communication information acquisition means and information on a criterion for specifying whether or not the communication is made by a worm When,
A worm determination device comprising:

  As described above, the communication cutoff device, the communication cutoff program, and the communication cutoff method according to the present invention are useful for a worm determination system that effectively suppresses the proliferation of worms.

  As described above, the worm determination program, the computer-readable storage medium storing the worm determination program, the worm determination method, and the worm determination device according to the present invention communicated by the worm regardless of whether it is a server device or a client device. This is useful for a worm determination system that needs to easily and efficiently determine whether or not it is a thing.

It is a conceptual diagram explaining the concept of the worm determination system which concerns on a present Example. It is a functional block diagram explaining the functional structure of the worm determination apparatus which concerns on a present Example. It is a figure which shows an example of the setting data shown in FIG. It is a figure which shows an example of the communication log data shown in FIG. It is a figure which shows the example of the worm determination process for every kind of packet which the worm determination part shown in FIG. 2 performs. It is a figure which shows an example of the process which determines the presence or absence of the worm scan from the network segment A which the worm determination part shown in FIG. 2 performs. It is a figure which shows an example of the process which determines the presence or absence of the worm infection which the worm determination part shown in FIG. 2 performs. It is a figure which shows an example of the process which determines the presence or absence of the worm infection by the attack from the network segment A which the worm determination part shown in FIG. 2 performs. It is a figure which shows an example of the process which determines the presence or absence of the worm infection of the several computer which the worm determination part shown in FIG. 2 performs. It is a figure which shows the example of the interruption | blocking process which interrupts | blocks the communication made by the worm which the communication interruption | blocking part shown in FIG. 2 performs. It is explanatory drawing explaining the interruption | blocking process which a worm determination apparatus interrupts | blocks the communication made by the worm. It is explanatory drawing explaining the interruption | blocking process which makes the infected computer itself cut off the communication made by the worm. It is a block diagram explaining the hardware constitutions of the worm determination apparatus which concerns on a present Example. It is a flowchart which shows the process sequence of the worm determination process which concerns on a present Example. It is a flowchart (1) which shows the process sequence of the situation determination process shown in FIG. It is a flowchart (2) which shows the process sequence of the situation determination process shown in FIG. It is a conceptual diagram explaining the concept of a network segment.

Explanation of symbols

10a to 10d, 16a to 16d Network segment 11 Network 130 Keyboard 131 Display 132 CPU
133 RAM
134 HDD
135 HD
135a Worm determination program 136 ROM
137 Network I / F
138 Bus 17a to 17c, 20a to 20d Worm determination device 200 Interface unit 21 LAN
210 Input unit 220 Display unit 230 Storage unit 230a Setting data 230b Communication log data 230c Worm data 240 Control unit 240a Communication information acquisition unit 240b Worm determination unit 240c Setting data change unit 240d Communication blocking unit 60, 70, 80, 90 Worm determination result

Claims (6)

A communication blocking device that monitors communication performed between a predetermined network segment and the outside of the predetermined network segment and blocks communication performed by the worm,
Worm determination means for determining whether the communication is made by a worm;
When it is determined by the worm determination means that the communication is a communication made by a worm, a specific type of communication packet is acquired from a communication packet included in the communication, and a transmission source IP address of the acquired communication packet is set. An infected computer IP address extracting means for extracting as an infected computer IP address;
Blocking communication that blocks communication performed by the worm by accessing the infected computer specified by the IP address extracted by the infected computer IP address extracting means and stopping the process started by the worm on the infected computer Means,
A communication cut-off device comprising: A communication blocking device that monitors communication performed between a predetermined network segment and the outside of the predetermined network segment and blocks communication performed by the worm,
Worm determination means for determining whether the communication is made by a worm;
When it is determined by the worm determination means that the communication is a communication made by a worm, a specific type of communication packet is acquired from a communication packet included in the communication, and a transmission source IP address of the acquired communication packet is set. An infected computer IP address extracting means for extracting as an infected computer IP address;
Communication blocking means for blocking communication performed by the worm by accessing the infected computer specified by the IP address extracted by the infected computer IP address extracting means and enabling the firewall function of the infected computer;
A communication cut-off device comprising: A communication blocking program that monitors communication performed between a predetermined network segment and outside the predetermined network segment, and blocks communication performed by the worm,
A worm determination procedure for determining whether the communication is performed by a worm;
When it is determined by the worm determination procedure that the communication is communication performed by the worm, a specific type of communication packet is acquired from the communication packet included in the communication, and the source IP address of the acquired communication packet is set An infected computer IP address extraction procedure for extracting as an infected computer IP address;
Blocking communication that blocks communication performed by the worm by accessing the infected computer specified by the IP address extracted in the infected computer IP address extraction procedure and stopping the process started by the worm on the infected computer Procedure and
A communication blocking program for causing a computer to execute . A communication blocking program that monitors communication performed between a predetermined network segment and outside the predetermined network segment, and blocks communication performed by the worm,
A worm determination procedure for determining whether the communication is performed by a worm;
When it is determined by the worm determination procedure that the communication is communication performed by the worm, a specific type of communication packet is acquired from the communication packet included in the communication, and the source IP address of the acquired communication packet is set An infected computer IP address extraction procedure for extracting as an infected computer IP address;
A communication blocking procedure for blocking communication performed by the worm by accessing the infected computer identified by the IP address extracted in the infected computer IP address extraction procedure and enabling the firewall function of the infected computer ;
A communication blocking program for causing a computer to execute. A communication blocking method for monitoring communication between a predetermined network segment and outside the predetermined network segment and blocking communication performed by the worm,
A worm determination step of determining whether the communication is a communication made by a worm;
When it is determined in the worm determination step that the communication is a communication made by a worm, a specific type of communication packet is acquired from the communication packet included in the communication, and a source IP address of the acquired communication packet is set. An infected computer IP address extracting step of extracting as an infected computer IP address;
Communication blocking for blocking communication performed by the worm by accessing the infected computer specified by the IP address extracted in the infected computer IP address extraction step and stopping the process started by the worm on the infected computer Process,
A communication blocking method comprising: A communication blocking method for monitoring communication between a predetermined network segment and outside the predetermined network segment and blocking communication performed by the worm,
A worm determination step of determining whether the communication is a communication made by a worm;
When it is determined in the worm determination step that the communication is a communication made by a worm, a specific type of communication packet is acquired from the communication packet included in the communication, and a source IP address of the acquired communication packet is set. An infected computer IP address extracting step of extracting as an infected computer IP address;
A communication blocking step of blocking communication performed by the worm by accessing the infected computer specified by the IP address extracted in the infected computer IP address extracting step and enabling a firewall function of the infected computer;
A communication blocking method comprising:

Images