JP4729944B2 - Information monitoring system - Google Patents

Description

  The present invention relates to an information monitoring system for monitoring a security state in a network such as the Internet or a local area network (LAN), for example, transmission of an illegal program such as a virus or a worm.

  In recent years, network failures have rapidly increased due to the fact that terminals connected to the network are infected with malicious programs such as viruses and worms, or unauthorized access by terminals that are not allowed to participate in the network. ing. Accordingly, various information monitoring systems have been proposed for monitoring information transmitted through a transmission path to prevent unauthorized programs such as viruses from entering the network or accessing unauthorized terminals (for example, , See Patent Document 1).

In the conventional system described in Patent Document 1, the terminal state monitoring unit provided in each terminal acquires the monitoring policy stored in the storage unit of the management server (management device), and based on this monitoring policy Monitor terminal status. When the status of the terminal used by the user violates the monitoring policy, the terminal notifies the management server of the violation information, and the management server cannot use the communication function for the terminal based on the notified violation information. Send a command to do.
JP 2004-355450 A

  By the way, in the conventional system, it is necessary to change the terminal state monitoring means (actually a program) in order to add a monitoring function for the terminal, and it is not easy for the user himself to perform.

  The present invention has been made in view of the above circumstances, and an object thereof is to provide an information monitoring system capable of easily adding or changing a monitoring function in a monitoring device.

In order to achieve the above object, the first aspect of the present invention provides a plurality of terminals that exchange information with each other via a transmission path and one or more that are provided on a transmission path that connects the terminals to control the flow of information. Control devices, multiple monitoring devices that monitor unauthorized programs such as viruses and worms transmitted through the transmission line, unauthorized unauthorized access, and monitoring policies set for each monitoring device. A management device that causes the control device to perform a measure corresponding to the monitoring result of the monitoring device, and a memory device that stores a program for realizing at least one type of monitoring function of the plurality of types of monitoring functions by the monitoring device. Each monitoring device is configured such that one or a plurality of memory devices are detachably connected, and reading means for reading the program from the connected memory devices, and reading by the reading means Monitoring function executing means for stopping the monitoring function to stop the execution of the program when the connection state of the memory device and the reading means is released with realizing the monitoring function running program, the monitoring function executing unit A notification unit that notifies the management device of the type of the monitoring function that has started execution via the transmission line , the management device storing the monitoring policy, and the type of monitoring function that is notified of the start from the monitoring device And a monitoring policy creating means for creating a monitoring policy including the above and storing it in the storage means .

According to a second aspect of the present invention, in the first aspect of the invention, each of the monitoring devices includes the notification unit that notifies the management device of the type of the monitoring function that has been stopped by the monitoring function execution unit via a transmission line. The apparatus includes a monitoring policy update unit that creates a monitoring policy that does not include the type of monitoring function notified of the stop from the monitoring apparatus and updates the monitoring policy stored in the storage unit.

According to a third aspect of the present invention, in the first aspect of the invention, each monitoring device includes the notification unit that notifies the management device of the type of the monitoring function whose execution is stopped by the monitoring function execution unit. The apparatus includes a monitoring policy update unit that deletes the monitoring function of the type notified of the stop from the monitoring apparatus and updates the monitoring policy.

The invention according to claim 4 is the invention according to claim 2 or 3 , wherein the notification means includes an identification code individually assigned to each monitoring device, a monitoring function number assigned to each type of monitoring function, and a monitoring function. The execution state is notified.

According to a fifth aspect of the present invention, in the fourth aspect of the invention, the monitoring policy creating means and the monitoring policy updating means retrieve the monitoring policy of the monitoring device stored in the storage means based on the identification code notified from the notification means. The monitoring policy is created or updated based on the monitoring function number and the execution state of the monitoring function.

  According to the present invention, if the memory device is connected to the connection means of the monitoring device, the monitoring function is realized by the program stored in the memory device being read and executed by the monitoring device. The monitoring function can be easily added or changed.

  Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings.

  In the present embodiment, the technical idea of the present invention is applied to a star LAN compliant with, for example, 100BASE-TX (IEEE802.3u) standard. As shown in FIG. 1, a plurality of terminals (clients) X1, X2 and X3 and a plurality of control devices (switching hubs) SW1, SW2 and SW3 which are provided on the transmission path connecting the terminals X1, X2 and X3 and control the flow of information are transmitted via the transmission path. A plurality of monitoring devices S1, S2, and S3 that monitor unauthorized programs such as viruses and worms, unauthorized access that is not permitted to exchange information, and monitoring policies set for each of the monitoring devices S1, S2, and S3 Based on the management device M that causes the control devices SW1, SW2, and SW3 to perform the treatment corresponding to the monitoring results of the monitoring devices S1, S2, and S3, and the terminal X via the transmission line , X2 and X3, a server Y for providing various services (information), and a program (hereinafter referred to as “function module”) for realizing at least one type of monitoring function among a plurality of types of monitoring functions by a monitoring device. .) Is stored in memory devices Ai, Bi, Ci (i = 1, 2, 3). However, since the terminal Xj (j = 1, 2, 3) and the server Y have a conventionally well-known configuration in which client software and server software (OS and application software) are mounted on a general-purpose computer, details will be described. The illustration and explanation are omitted.

  The monitoring devices Sk (k = 1, 2, 3) all have a common hardware configuration, and as shown in FIG. 2A, the CPU 1, the memory 2, the LAN controller 3, the LAN connector 4, and the USB host. A controller 5 and a USB connector 6 are provided. The LAN connector 4 has two RJ-45 modular connectors, and a terminal Xj and a control device SWn (n = 1, 2, 3) are connected to these two modular connectors via a LAN cable (not shown). The The LAN controller 3 is connected to a LAN cable via the LAN connector 4 and controls communication between the CPU 1 and devices on the LAN (terminal Xj, management device M, and server Y). However, since such a LAN controller 3 is well known in the art, illustration and description of a detailed configuration are omitted.

  In addition, a rewritable nonvolatile memory (EEPROM or the like) included in the memory 2 includes a driver for controlling the LAN controller 3 and the USB host controller 5 by the CPU 1, TCP (Transmissinon Control Protocol), and IP (Internet Protocol). , UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol), SNMP (Simple Network Manegement Protocol) and other protocol stacks in TCP / IP communication are stored, and the above-mentioned programs are stored in the memory 2 under the control of the OS. It is loaded into the included main memory and executed.

  The USB host controller 5 is an interface on the computer side corresponding to USB (Universal Serial Bus) which is a data transmission path standard connecting a computer and peripheral devices, and is inserted into and removed from a plurality of USB connectors 6 (only one is shown). Data transmission to and from peripheral devices is controlled via a USB cable or the like that can be freely connected. However, since such a USB host controller 5 is conventionally well-known, detailed illustration and description thereof will be omitted.

  On the other hand, the memory devices Ai, Bi, and Ci all have a common hardware configuration, and are a so-called USB formed by housing a USB connector 7, a USB target controller 8, and a flash memory 9 in a housing (not shown). This is a storage medium called a memory, and a detailed configuration is well known in the art, and a detailed description thereof will be omitted. Here, the flash memory 9 of the memory device Ai, Bi, Ci stores functional modules for realizing different types of monitoring functions for each code (A, B, C). The flash memory 9 of the device Ai stores a function module (hereinafter referred to as “virus detection module”) that detects an illegal program such as a virus or worm, and the flash memory 9 of the memory device Bi stores the packet transmission source. A functional module for detecting unauthorized access based on the address (hereinafter referred to as “illegal access detection module”) is stored, and an attack such as DoS (Denial of Services) is performed on the flash memory 9 of the memory device Ci. A function module (hereinafter referred to as a “reverse detection module”) for detecting (reverse detecting) a terminal that is being stored is stored. The virus detection module detects viruses and worms by pattern matching the data (packets and frames) exchanged in protocol communications such as TCP, UDP, and IP with the virus and worm data given in advance. The detection module corresponds to a so-called firewall, and a transmission source address, a transmission destination address, or a port permitted in protocol communication such as TCP, UDP, or IP is determined in advance, and other unauthorized addresses or ports are accessed. The reverse detection module holds the IP address of the passing data, detects based on the held IP address and notifies the management apparatus M whether or not the specified data has passed. is there. Note that the monitoring function provided by the memory device is not limited to the above three types, and a memory device that provides another monitoring function such as an unauthorized terminal detection function may be separately prepared. Here, the unauthorized terminal detection function is a function of detecting an unauthorized terminal that is not permitted to participate in the network by pattern matching the MAC address of the data transmission source with an unauthorized pattern given in advance.

  Thus, when the USB connector 7 of the memory device Ai, Bi, Ci is inserted and connected to the USB connector 6 of the monitoring device Sk (k = 1, 2, 3), the USB host controller 5 of the monitoring device Sk is Upon detecting this, the USB target controller 8 is requested to load a functional module, and in response to the request, the USB target controller 8 stores the functional module (virus detection module or unauthorized access detection module or The reverse detection module) is read out and transferred to the USB host controller 5. The USB host controller 5 delivers the transferred functional module to the CPU 1, and the CPU 1 loads the delivered functional module into the main memory of the memory 2 and executes the functional module under the control of the OS. On the other hand, when the USB connector 7 of the memory device Ai, Bi, Ci is pulled out from the USB connector 6 of the monitoring device Sk and the connection is released, the USB host controller 5 detects this and notifies the CPU 1 of the release of the connection. . When the CPU 1 is notified of the connection release, the CPU 1 stops executing the function module loaded from the memory devices Ai, Bi, and Ci, and unloads the function module from the main memory of the memory 2. That is, in each monitoring device Sk, the USB connector 6, the USB host controller 5 and the CPU 1 realize reading means, and the CPU 1 and the memory 2 realize monitoring function execution means, and the memory devices Ai, Bi, Ci By simply inserting and connecting the USB connector 7 to the USB connector 6, the function module is automatically loaded and executed to realize a desired monitoring function, so that the monitoring function can be easily added or changed. Hereinafter, to simplify the description, the USB connector 7 of the memory devices Ai, Bi, and Ci is connected to the USB connector 6 of the monitoring device Sk by “plug-in”, and conversely, the USB connector 7 is connected from the USB connector 6. Pulling out and releasing the connection state is expressed as “plug-out”, and the CPU 1 of the monitoring device Sk loads the function module from the memory devices Ai, Bi, and Ci and executes it. Stopping execution and unloading is expressed as “reset”.

  As shown in FIG. 2B, the management apparatus M includes a CPU 11, a memory 12, a LAN controller 13, a LAN connector 14, a hard disk 15, a monitor 16 such as a liquid crystal display or a CRT display, and an input device 17 such as a keyboard and a mouse. I have. Similar to the monitoring device Sk, the LAN connector 14 has two RJ-45 modular connectors, and the control device SW2 and the server Y are connected to these two modular connectors via a LAN cable (not shown). In addition, a rewritable nonvolatile memory (EEPROM or the like) included in the memory 12 includes a driver for the CPU 11 to control the LAN controller 13 and a protocol in TCP / IP communication such as TCP, IP, UDP, ICMP, and SNMP. A stack is stored, and the program and the like are loaded into a main memory included in the memory 12 and executed under the control of the OS.

  Further, the non-volatile memory stores a monitoring policy created for each monitoring device Sk in a table format. FIG. 3A shows an example of a monitoring policy data table (hereinafter referred to as a “monitoring policy table”), which includes a unique ID for identifying the monitoring device Sk, the type of the monitoring function, and the monitoring function. Each item includes a flag indicating an execution state and a rule applied to the monitoring control. In the illustrated example, the codes S1, S2, and S3 are entered in the ID column, but the IP address assigned to the monitoring device Sk is actually registered. The numbers entered in the type column correspond to 0 for virus detection, 1 for unauthorized access detection, 2 for reverse detection, and if the flag is 1, that type of monitoring function is set. If it is 0, it has been reset. Further, FIGS. 3B and 3C show two kinds of rules applied to the monitoring control, and “AND” or “OR” corresponding to the ID of the monitoring device Sk or the type of the monitoring function. Apply conditions (rules). For example, as shown in FIG. 3B, the “AND” rule is applied to the monitoring device S1 whose ID is S1, so that the monitoring control is performed only when all the monitoring functions are set. Since the “OR” rule is applied to the monitoring device S2 with ID S2, monitoring control is performed if at least one of the monitoring functions is set. Alternatively, as shown in FIG. 3C, since the type is 0, that is, the “AND” rule is applied for virus detection, virus detection is supported only when it is set in all the monitoring devices Sk. Since the monitoring control is performed and the rule of “OR” is applied for the type 1, that is, the unauthorized access detection, the monitoring control corresponding to the unauthorized access detection is set if at least one of the monitoring devices Sk is set. Since the rule of “NOP” is applied to the type 2, that is, the reverse detection, the monitoring control is not performed.

Here, the monitoring control performed by the management apparatus M will be briefly described. The control device SWn to be monitored and controlled is a general-purpose switching hub having an SNMP agent function (this type of switching hub is particularly called an “intelligent hub”), and has a management information base (MIB) owned by itself. The information (message) acquired from (1) is transmitted to the SNMP manager of the management apparatus M via the transmission path by the SNMP agent. On the other hand, in the management device M, the SNMP manager collects messages from the SNMP agents of the respective control devices SWn and manages them centrally, and the ports designated by the port numbers as shown in FIG. 4 for the SNMP agents of the control devices SWn. link state up or down to set request command: to send an SNMP message containing a (PDU P rotocol D ata U nits ). The control device SWn composed of a switching hub has a plurality of ports to which transmission paths (LAN cables) are connected, and analyzes the data (packets and frames) sent from the terminal Xj etc. to detect the destination. The data is sent only to the port to which the transmission path to the destination terminal Xj is connected. However, when the set request is received by the SNMP message, the link state of the port designated by the port number is controlled. is there. However, since SNMP is well known in the art, a detailed description of procedures for sending and receiving SNMP messages is omitted.

  For example, if the unauthorized access detection module set in the monitoring device S1 detects that the terminal X1 is performing unauthorized access, the SNMP agent of the monitoring device S1 includes an SNMP including a trap command to notify the detection of unauthorized access. The message is transmitted to the SNMP agent of the management apparatus M. The SNMP manager of the management device M that has received this SNMP message identifies the control device SW1 that is monitored by the monitoring device S1 based on the ID (IP address) of the monitoring device S1 that is the transmission source, and Then, a set request command for linking down the port to which the terminal X1 performing unauthorized access is linked down is transmitted as an SNMP message. When the SNMP agent of the control device SW1 that has received this SNMP message links down the port having the designated port number, unauthorized access to the terminal X1 can be prevented.

  Next, automatic creation or automatic change of a monitoring policy accompanying addition or deletion of a functional module will be described in detail.

  First, the operation of the monitoring device Sk will be described with reference to the flowchart of FIG. When any memory device Ai, Bi, Ci is plugged into the monitoring device Sk (step 1), the CPU 1 of the monitoring device Sk loads the functional module from the memory device Ai, Bi, Ci (step 2), and loads The monitoring function corresponding to the function module thus executed is executed (step 3). Further, the CPU 1 of the monitoring device Sk transmits the log output using the syslog function when the functional module is loaded to the management device M via the transmission path (step 4). When the memory device Ai, Bi, Ci is plugged out from the monitoring device Sk (step 5), the execution of the function module loaded from the memory device Ai, Bi, Ci is stopped and the memory module Ai, Bi, Ci is stopped from the main memory. The function module is unloaded (step 6). Also at this time, the CPU 1 of the monitoring device Sk transmits the log output using the syslog function when the function module is unloaded to the management device M via the transmission path (step 4). That is, in this embodiment, the notification means is realized by the LAN connector 4, the LAN controller 5, and the CPU 1. Here, the syslog function, the log message transmission protocol of the syslog, etc. are standardized by RFC3164, and the log message including the ID of each monitoring device Sk, the type of the function module, and the load / unload processing contents is managed by the management device. M is notified.

  On the other hand, the management device M that has received the notification by the log message from any of the monitoring devices Sk creates or changes the monitoring policy according to the notification content as shown in the flowchart of FIG. That is, when the management device M receives a log message notification from any of the monitoring devices Sk (step 1), the management device M searches the monitoring policy table for an ID included in the log message (step 2), and there is a matching ID. If not, a new monitoring policy corresponding to the ID is created (step 3). If there is a matching ID, the type of function module included in the log message is searched in the monitoring policy table (step 4). If there is no matching ID, it means that a new monitoring function has been added. The function module type is added to the monitoring policy (step 5). If there is a matching type, the flag for the function module of that type is searched (step 6). If the flag status (1 or 0) does not match the load or unload processing contents, the existing monitoring function If the execution state has been changed, the execution state of the monitoring function included in the existing monitoring policy is changed (step 7). On the contrary, if the flag state matches the load or unload processing content There is no need to change the monitoring policy. Then, in the management device M, monitoring control is performed on the control device SWn based on the newly created or changed monitoring policy (step 8). That is, in this embodiment, the CPU 11 implements a monitoring policy creation unit. For reference, the syslog log message format is shown in FIG.

  Here, when the monitoring function in the monitoring device Sk is added or changed, the monitoring policy in the management device M also needs to be changed, but the addition or change of the monitoring function is not known to the system administrator, or the system management If the person forgets to change the monitoring policy, the monitoring function of the management apparatus M includes an unnecessary monitoring function, which increases the burden on the management apparatus M. Therefore, the action corresponding to the monitoring result is delayed. There is a risk that. However, according to the present embodiment, by connecting the memory devices Ai, Bi, and Ci to the USB connector 6 of the monitoring device Sk, the functional modules stored in the memory devices Ai, Bi, and Ci are read into the monitoring device Sk and When the monitoring function is implemented, the type of the realized monitoring function is notified to the management apparatus M, and the monitoring policy including the monitoring function is created or changed. Even if the monitoring policy in the management apparatus M is not artificially changed, the monitoring function that is originally unnecessary is not included in the monitoring policy, and as a result, the burden on the management apparatus M due to an inappropriate monitoring policy is prevented. Treatment (monitoring control) corresponding to the monitoring result can be performed quickly.

  In the present embodiment, the setting or resetting of the monitoring function in the monitoring device Sk is managed by the flag item provided in the monitoring policy table, but the monitoring function is registered in the monitoring policy table only at the time of setting and the monitoring function at the time of resetting Is deleted from the monitoring policy table, memory consumption by the monitoring policy table can be suppressed. In this case, if a protocol that polls all the monitoring devices Sk for which the monitoring policy is set from the management device M is used instead of SNMP, the reset monitoring function is deleted from the monitoring policy table to be polled. Therefore, the burden on the management apparatus M is reduced, and a measure corresponding to the monitoring result (monitoring control) can be quickly performed.

  By the way, the monitoring control performed by the management device M is performed by the individual monitoring devices Sk, and the management device M only performs management such as creation and change of a monitoring policy, or a switching hub having a monitoring function is controlled by the control device. The monitoring function may be realized in the control device SWn by using it for SWn. In that case, the created or changed monitoring policy is notified from the management device M to the corresponding monitoring device Sk or the control device SWn, and the monitoring device Sk or the control device SWn performs monitoring control based on the received monitoring policy. That's fine. Note that the monitoring function realized by the monitoring device Sk is not limited to the virus detection, unauthorized access detection, and reverse detection exemplified, but may be other types such as traffic abnormality detection. Further, although the USB memory is exemplified as the memory devices Ai, Bi, and Ci, a storage medium (for example, a memory card) that has a capacity capable of storing the functional module and can be detachably connected to the monitoring device Sk. I just need it. Furthermore, in order to notify the set or reset of the monitoring function in the monitoring device Sk, it is also possible to use SNMP trap commands, TCP / IP multicast or broadcast, etc. in addition to syslog.

It is a system configuration figure showing an embodiment of the present invention. (A) is a block diagram showing an outline of the hardware configuration of the monitoring device and the memory device in the above, and (b) is a block diagram showing an outline of the hardware configuration of the management device in the above. (A)-(c) is explanatory drawing of the monitoring policy table and 2 types of rules which the management apparatus in the same as the above has memorized. It is the format of the SNMP message in the same as above. It is a flowchart for demonstrating operation | movement of the monitoring apparatus same as the above. It is a flowchart for demonstrating operation | movement of the management apparatus same as the above. This is the syslog message format described above.

Explanation of symbols

X1, X2, X3 terminal Y server S1, S2, S3 monitoring device Ai, Bi, Ci memory device SW1, SW2, SW3 control device M management device

Claims (5)

A plurality of terminals that exchange information with each other via a transmission path; one or more control devices that are provided on a transmission path that connects the terminals and controls the flow of information; a virus that is transmitted via the transmission path; The control device performs actions corresponding to the monitoring results of the monitoring devices based on a plurality of monitoring devices that monitor illegal programs such as worms, unauthorized unauthorized access, etc., and the monitoring policy set for each monitoring device And a memory device storing a program for realizing at least one type of monitoring function of the plurality of types of monitoring functions by the monitoring device. Each monitoring device includes one or more memory devices. A reading unit that is detachably connected and reads the program from the connected memory device, and the monitoring function is realized by executing the program read by the reading unit Monitoring function executing means for stopping the monitoring function to stop the execution of the program when the monitor connection states of the memory device and the reading means is released, it transmits the type of the start running monitoring function executing unit monitoring function A notification means for notifying the management apparatus via a path, the management apparatus storing a monitoring policy, and a storage means for creating a monitoring policy including a monitoring function of a type notified of the start from the monitoring apparatus An information monitoring system comprising: a monitoring policy creating means for storing the information. Each monitoring device is provided with the notification means notifies the management apparatus via the transmission path the type of stop execution at the monitoring function execution unit monitoring function, the management unit of the type stop is notified from the monitoring device The information monitoring system according to claim 1, further comprising a monitoring policy update unit that creates a monitoring policy that does not include a monitoring function and updates the monitoring policy stored in the storage unit. Each monitoring device includes the notification unit that notifies the management device of the type of the monitoring function stopped by the monitoring function execution unit via the transmission line, and the management device monitors the type of monitoring notified from the monitoring device. information monitoring system according to claim 1, characterized in that a monitoring policy update means for updating the monitoring policy by deleting the function. Notification means, the identification code attached individually to each monitoring device, the monitoring function number assigned to each type of monitoring, claim and notifies the execution state of the monitoring function 2 or 3. The information monitoring system according to 3 . The monitoring policy creation means and the monitoring policy update means search the monitoring policy of the monitoring device stored in the storage means based on the identification code notified from the notification means, and based on the monitoring function number and the execution state of the monitoring function 5. The information monitoring system according to claim 4, wherein the monitoring policy is created or updated .

Images