JP5102659B2 - Malignant website determining device, malignant website determining system, method and program thereof - Google Patents

Description

  The present invention relates to an application technology of information security technology. More specifically, the present invention relates to a malicious Web site determination device, a malicious Web site determination system, and a method thereof for safely accessing a Web site from a user terminal through an operation system and an application. And the program.

  When accessing a Web site from a user's PC, a request is transmitted from the PC to the target URL, and various files are downloaded as responses. Some of these downloaded files sometimes contain computer viruses, bots, and other malicious programs that can infiltrate the PC, causing various security problems such as information leakage and abnormal PC operation. cause. As techniques for avoiding such problems, the following are mainly used.

(1) Virus detection technology As a typical example, there is a technology for making a characteristic file in a malicious program code such as a computer virus into a pattern file and collating it with the contents of the downloaded file (Non-Patent Documents). 1). This technique has an advantage that the probability of a false alarm is low because an actual file exchanged on the network is analyzed and collated with a pattern file.

(2) IDS / IPS Technology IDS (Unauthorized Intrusion Detection System) is a system that checks for unauthorized intrusion or attack by monitoring communication packets flowing through a network (see Non-Patent Document 2). The IDS method includes a signature matching method that detects attacks and intrusions by checking against data representing the characteristics of an attack pattern, and an anomaly that detects abnormal values in protocol data and determines that the attack is an anomaly. There is a method. An IPS (Unauthorized Intrusion Prevention System) is a system in which a function that automatically blocks communication that seems to be an attack is added in addition to the IDS detection function. These technologies have the advantage that they can prevent illegal intrusions that could not be blocked by the firewall by tracking and monitoring the packets.

(3) Reputation DB technology Malignant websites that lead to phishing and virus infection are made into a database based on predetermined evaluation criteria such as operational stability and reliability, commonality of senders, etc., and the database is inquired before access This is a technique for preventing access to a malicious website (see Non-Patent Document 1). Since this technology does not depend on pattern files, it has the advantage of preventing chained intrusion of malicious programs with many variants, and is a complex technology that complements virus detection technology and IDS / IPS technology. Often used.
Nobuaki Hirahara, “Threats, everything starts with Web access. 5th. Pattern matching is not enough, we will strengthen our defense together.” [Online], October 19, 2007, Nikkei BP Co., Ltd. [2008 February 26, 2009], Internet <URL: http://itpro.nikkeibp.co.jp/article/COLUMN/20071005/283934/?ST=web_threat> Toshihiro Yokomori, "I'm going to know?" Reconfirming "common sense of security" 4th Common sense of IDS / IPS against unauthorized intrusion ", [online], December 10, 2004, IT Media Corporation, [Heisei Search on February 26, 20], Internet <URL: http://www.itmedia.co.jp/enterprise/articles/0412/10/news068.html> Tetsuhiro Yamaguchi, "Learning Virtualization Technology", [online], January 26, 2007, Nikkei Business Publications, Inc. [searched December 27, 2007], Internet <URL: http: //itpro.nikkeibp .co.jp / article / lecture / 20061228/258010 />

  In the virus detection technology and IDS / IPS technology shown in Background Art, pattern files and signatures are created based on known viruses and attack patterns, and they are used to protect them. It is difficult to defend against seeds and new attack patterns. Further, since a malignant Web site generally has a fast generation / annihilation cycle, it is difficult to maintain a reputation database with a high freshness.

  An object of the present invention is to realize a malignant website determination apparatus and method that detect and prevent new attacks that cannot be detected and prevented by the prior art and prevent a user from browsing the malignant website.

  The malignant website determination apparatus of the present invention includes an input unit that takes input information for accessing an arbitrary website into the apparatus, a virtual environment in the apparatus, and an operation system that is activated under the virtual environment. A proxy access execution unit that performs proxy access to the Web site under the subordinate and detects a change in a predetermined parameter of the operation system before and after the proxy access, and determines whether the Web site is benign or malignant based on the parameter change A determination unit.

  According to the apparatus / method for determining a malicious website according to the present invention, it becomes possible to detect / protect against a new attack that cannot be detected / prevented by the prior art, thereby preventing the user from browsing the malicious website. As a result, the website can be safely browsed without encountering damage such as virus infection, bot infection, one-click fraud, and phishing.

[First Embodiment]
FIG. 1 is a block diagram of the malicious website judging device 10 of the first embodiment, and FIG. 2 is a processing flow thereof. The malicious website determination device 10 includes an input unit 11, a proxy access execution unit 12, a determination database 13, a determination unit 14, and a permission unit 15.

  The input unit 11 operates from the URL information of the Web site 300 to be accessed and the type information of the operation system (hereinafter referred to as OS) of the user PC 100, which is output from the user PC 100 which is a user terminal, and operates on the OS. The type information of the application for exchanging information with the site 300 is taken into the apparatus (S1). Here, the OS type is, for example, Windows (registered trademark) 2000, Windows XP, etc. The application type is not only a browser such as InternetExplore or Firefox, but also a website such as Windows Media Player, Acrobat Reader, Word / Excel, etc. Applications that can exchange information are also included.

  The proxy access execution unit 12 performs proxy access before the user PC 100 accesses the Web site 300, and generates and outputs a change content list when the OS parameter is changed (S2). The proxy access execution unit 12 is a virtual environment built in the apparatus using a known virtualization technology (for example, see Non-Patent Document 3), and in this virtual environment, a virtual OS equal to the OS type of the user PC 100 And an application equal to the application type (may be activated in advance), and proxy access is performed to the target URL by the application. The virtual OS is set such that only access to the Internet 200 using the HTTP and HTTPS protocols is permitted, and access to the outside of the virtual OS (for example, a host OS or another virtual OS) is not possible. In addition, the proxy access execution unit 12 has a change detection function that detects the change contents of each parameter (file, registry, process, memory, etc.) in the virtual OS by proxy access, and generates and outputs a change contents list. It is assumed that the change detection function is implemented as driver software, for example, so that changes in the virtual OS can be caught in real time. An example of creating a change content list is shown in FIG. This creation example shows the change contents when a cookie is set when an URL is accessed and the install.exe process is started. When each parameter in the virtual OS is changed, as soon as the change content list is generated, each parameter of the virtual OS is set to an initial state using the snapshot function of the virtualization technology in preparation for the next Web access. Bring it back. By performing proxy access in the environment as described above, it is possible to accurately grasp the behavior of the OS when the user PC 100 accesses the Web site 300, and to prevent infection outside the virtual OS even if virus infection occurs during proxy access. It can be avoided.

  The determination database 13 stores a white list. The white list is a change in each parameter that can occur when connected to a website, and the change in benignity that occurs when browsing a normal website that is not a virus infection or when starting an application, etc. The list is associated with the type. An example of creating a white list is shown in FIG. The white list needs to be created in advance, but the contents of the white list depend on the configuration of the OS and browser application, and even if new viruses or new attack patterns appear, they do not depend on them. Basically, there is no need to change unless there is a major change.

  The determination unit 14 collates the change content list generated by the proxy access execution unit 12 with the white list stored in the determination database 13 and when all the change content on the change content list is in the white list. Is determined to be benign, otherwise it is determined to be malignant and the determination result is output (S3). For example, if the change content list and the white list are those shown in FIGS. 3 and 4, respectively, the cookie setting is in the white list but the install.exe is not generated, so it is determined as malignant.

  The permission unit 15 permits the user PC 100 to access the Web site 300 when the determination result by the determination unit 14 is benign, and warns the user PC 100 of warning information (warning screen) when the determination result is malignant. Etc.) (S4).

  When a virus intrudes or starts an attack by accessing a Web site, an abnormal change is almost always added to any parameter in the OS, regardless of whether the virus or the attack method is new or old. Therefore, the present invention pays attention to it, a list of parameter change contents (change contents list) generated as a result of proxy access to the Web site, and changes in benign parameter contents that occur during normal Web site browsing or application startup, etc. A list (white list) is collated, and only access to a Web site determined to be benign is permitted. By judging whether or not permission is granted in this way, it is possible to immediately detect and defend against a virus that has just appeared, a new attack pattern, etc., without going back to the preparation of pattern files and signatures as in the past. It becomes possible.

[Second Embodiment]
FIG. 5 is a block diagram of the malicious website judging device 20 of the second embodiment, and FIG. 6 is a processing flow thereof. The malicious website determination device 20 includes an input unit 11, a proxy access execution unit 12, a determination database 23, a determination unit 24, and a permission unit 25. Since the input unit 11 and the proxy access execution unit 12 are the same as those in the first embodiment, the same reference numerals are given and description thereof is omitted. Also in the following embodiments, when the components and functions are common in this way, the same reference numerals are given, and the description is basically omitted.

  In addition to the white list used in the first embodiment, the determination database 23 also stores a black list. The blacklist is a list in which malignant changes that are suspected of being infected with a virus are associated with application types and parameter types. Further, each change content of the black list is assigned a malignancy score indicating the degree of malignancy (for example, a higher value as the malignancy degree is higher). An example of blacklist creation is shown in FIG. Note that the white list and black list in the determination database 23 are configured separately as shown in FIG. 4 and FIG. 7, and a source list as shown in FIG. A white list (FIG. 8B) and a black list (FIG. 8C) may be configured in a relational form.

  First, the determination unit 24 collates the change content list generated by the proxy access execution unit 12 with the white list stored in the determination database 23, and there is a change content on the change content list that is not in the white list. If there is, a predetermined basic malignancy score (for example, 10) is assigned to the change content list at that time. Next, the remaining changes on the change list that were not in the white list are checked against the black list, and if there is a match, the malignancy score (or the sum of the malignant scores if multiple changes match) ) Is added to the basic malignancy score to obtain an overall malignancy score. If the total malignancy score is larger than a predetermined threshold (for example, 0), it is determined as malignant, and the determination result including the total malignancy score is output. If the total malignancy score is less than the threshold (for example, the total malignancy score is 0) In the case of (3), it is determined to be benign and the determination result is output (S5). For example, when the change content list, the white list, and the black list are those shown in FIGS. 3, 4, and 7, respectively, the change content list and the white list are first collated, and the cookie settings are in the white list. Since there is no install.exe generation, a basic malignancy score (for example, 10) is assigned to the change content list. Subsequently, if install.exe generation that was not in the white list is collated with the black list, it corresponds to * .exe file generation, so that malignant score 80 is added to the basic malignant score, and the total malignant score is 90. If the predetermined threshold is 0, it is determined to be malignant because it is larger than that, and a determination result of malignancy / score 90 is output.

  The permission unit 25 permits the user PC 100 to access the Web site 300 when the determination result by the determination unit 24 is benign, and responds to the user PC 100 according to the total malignancy score when it is malignant. The warning information (warning screen etc.) is notified (S6).

  Thus, by making a determination using not only the white list but also the black list, it is possible to provide warning information according to the degree of malignancy to the user PC when the Web site is determined to be malignant. Become.

[Third Embodiment]
FIG. 9 is a block diagram of the malicious Web site determination device 30 of the third embodiment, and FIG. 10 is a processing flow thereof. The malicious website determination device 30 includes an input unit 11, a malicious website database 31, a database confirmation unit 32, a proxy access execution unit 12, a determination database 13 (or 23), a determination unit 34, and a permission unit 15 (or 25). Prepare. The input unit 11, the proxy access execution unit 12, the determination database 13 (or 23), and the permission unit 15 (or 25) are the same as those in the first (or second) embodiment.

  The malicious website database 31 stores URLs of known malicious websites. This database is more effective when constructed based on the reputation DB technology described in the background art (3).

  Prior to the proxy access execution by the proxy access execution unit 12, the database confirmation unit 32 inquires whether the URL of the website 300 captured by the input unit 11 exists in the malicious website database 31. Notifies the determination unit 34 to that effect and does not perform proxy access. If it does not exist, proxy access is performed as in the first (or second) embodiment (S7).

  The determination unit 34 performs the same processing as that of the determination unit 14 (or 24) of the first (or second) embodiment when proxy access is performed, and if it is determined as malignant (the total malignancy score is predetermined). If the value is greater than the value of (), the URL of the website is added to the malicious website database 31. Further, when proxy access is not performed, that is, when there is a notification from the database confirmation unit 32 that the URL of the website 300 exists in the malicious website database 31, it is determined to be malignant, and the determination result is (determination In the case of the unit 24, a predetermined overall malignant score (including, for example, 10) is output (S8).

  Thus, by providing the malignant website database 31 and inquiring prior to the execution of proxy access, proxy access can be omitted in the case of a previously known malignant website, thereby speeding up the determination. Can do.

[Fourth Embodiment]
FIG. 11 is a block diagram of the malicious Web site determination device 40 of the fourth embodiment. The malicious website determination device 40 has a configuration in which a database maintenance management unit 41 is added to the malicious website determination device 30 of the third embodiment.

  If the malicious website database 31 is left without being maintained, the database capacity may become insufficient, and the search speed may decrease due to an increase in capacity. On the other hand, since the malicious website generally has a short life cycle, the database can be effectively used by sequentially deleting the URLs of the extinct website.

  Therefore, in this embodiment, a database maintenance / management unit 41 is provided in addition to the configuration of the third embodiment, and this database maintenance / management unit 41 periodically accesses the URL stored in the malignant website database 31 to benign / malignant. A determination is made, and URLs that have become benign are sequentially deleted from the malignant website database 31. Since the proxy access / determination function of the database maintenance management unit 41 is the same as the functions of the proxy access execution unit and the determination unit in each of the above embodiments, the same configuration is implemented in the database maintenance management unit 41. This can be realized.

  Thus, by providing the database maintenance management unit 41, it is possible to effectively use the storage area of the malignant website database 31, and to prevent a decrease in search speed.

[Fifth Embodiment]
FIG. 12 is a block diagram of a malicious website determination system 50 according to the fifth embodiment. The malicious website determination system 50 includes a main body device 60 and an external device 70. The main device 60 has a configuration in which the malicious website database 31 and the database maintenance / management unit 41 of the malicious website determination device 40 of the fourth embodiment are replaced with a malicious website cache 61 and a cache maintenance / management unit 62, respectively. The external device 70 includes a malicious website external database 71 and an external database maintenance / management unit 72.

  In the configuration of the fourth embodiment, two virtual environments are constructed in the apparatus so that both the proxy access execution unit 12 and the database maintenance management unit 41 can perform proxy access (or a configuration that can substantially realize it). And there was a need. In contrast, in the fifth embodiment, the proxy access execution unit and the database maintenance management unit can be separated into different devices.

  In the present embodiment, the malignant website external database 71 and the external database maintenance / management unit 72 of the external device 70 are the same as the malignant website database 31 and the database maintenance / management unit 41 of the malignant website determination device 40 of the fourth embodiment. Realize a direct database maintenance function. That is, the malicious website external database 71 stores URLs of previously known malicious websites, and the database maintenance manager 72 periodically accesses the URLs stored in the malicious website database 71 to benign / The malignancy is determined and the benign URL is deleted from the malignant website database 71. On the other hand, the cache maintenance management unit 62 of the main body device 60 periodically accesses the malicious website external database 71 of the external device 70, sucks up the URL information of the latest malicious website from the malicious website external database 71, and executes the malicious website. Supply to the site cache 61. Thus, by periodically mirroring the URL information of the malicious website external database 71 and the URL information of the malicious website cache 61, the URL information of the malicious website cache 61 is indirectly maintained and managed. Even if the proxy access execution unit and the database maintenance management unit are separated into different devices, substantially the same functions as in the fourth embodiment can be realized. In FIG. 12, the main device 60 and the external device 70 are connected via the Internet 200, but any connecting means may be used as long as information can be transmitted and received between them.

<Modification>
By applying the configuration of the fifth embodiment, it is possible to configure a malignant website determination system 80 in which a user PC has a main body function as shown in FIG. That is, the user PC 101 incorporating the main body device 60 of the fifth embodiment is configured as a main body device, and this is used in combination with the external device 70.

  As described above, by making the proxy access execution unit and the database maintenance management unit separable to different devices, it is possible to flexibly configure the malignant website determination system.

  The malignant website determination apparatus / system and method according to the present invention are not limited to the above-described embodiments, and can be appropriately changed without departing from the present invention. In addition, the processes described above are not only executed in time series according to the order of description, but may be executed in parallel or individually as required by the processing capability of the apparatus that executes the processes.

  When the processing functions of the malicious website determination device / system and method are realized by a computer, the processing contents of the functions that the malicious website determination device / system and method should have are described by a program. Then, by executing this program on a computer, the processing functions in the above-described malicious Web site determination apparatus / system and method are realized on the computer. A part of the processing content may be realized by hardware.

  The program describing the processing contents can be recorded on a computer-readable recording medium. As the computer-readable recording medium, for example, any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, and a semiconductor memory may be used.

  The present invention is particularly useful when an Internet connection provider wants to provide a user with a more secure service.

The figure which shows the structural example of the malignant Web site determination apparatus 10 of 1st Embodiment. The figure which shows the example of a processing flow of the malignant Web site determination apparatus 10 of 1st Embodiment. The figure which shows the example of creation of a change content list. The figure which shows the example of creation of a white list. The figure which shows the structural example of the malignant Web site determination apparatus 20 of 2nd Embodiment. The figure which shows the example of a processing flow of the malignant Web site determination apparatus 20 of 2nd Embodiment. The figure which shows the creation example of a black list. The figure which shows the image which comprises a white list and a black list from a source list. The figure which shows the structural example of the malignant Web site determination apparatus 30 of 3rd Embodiment. The figure which shows the example of a processing flow of the malignant Web site determination apparatus 30 of 3rd Embodiment. The figure which shows the structural example of the malignant Web site determination apparatus 40 of 4th Embodiment. The figure which shows the structural example of the malignant Web site determination system 50 of 5th Embodiment. The figure which shows the structural example of the malignant Web site determination system 80 which is a modification of 5th Embodiment.

Explanation of symbols

10, 20, 30, 40 Malicious Web site determination device 11 Input unit 12 Proxy access execution unit 13, 23 Judgment database 14, 24, 34 Judgment unit 15, 25 Authorization unit 31 Malicious Web site database 32 Database confirmation unit 41 Database maintenance management Units 50 and 80 Malicious Website Determination System 60 Main Unit 61 Malicious Website Cache 62 Cache Maintenance Management Unit 70 External Device 71 Malicious Website External Database 72 External Database Maintenance Management Units 100 and 110 User PC
200 Internet 300 Website

Claims (10)

An input unit that captures input information for accessing an arbitrary website into the device;
Realizing a virtual environment with a means for acquiring a snapshot of the virtual operating system in the device, and proxy access to the Web site under the virtual environment in the activated the virtual operating system, proxy access before and after the A proxy access execution unit that detects changes in predetermined parameters of the virtual operation system;
Malignant Web site determination unit and a determination unit for determining malignant of the Web site based on the changes of the parameters. An input unit that captures input information for accessing an arbitrary website into the device;
A virtual environment having means for acquiring a snapshot of the virtual operation system in the apparatus is realized, the proxy operation is accessed to the Web site under the virtual operation system started in the virtual environment, and before and after the proxy access. A proxy access execution unit that detects changes in predetermined parameters of the virtual operation system;
A malicious website database storing URLs of malicious websites;
And a database check unit URL, which is included in the input information captured by the above entry force unit that Cais irradiation whether or not present in the malignant Web site database,
The database query in the confirmation unit results, URL contained in the input information is the Web site and determined that malignant if present in the malignant Web site database, if there is not the proxy access execution unit A malignant website judging device comprising: a judging unit for judging malignancy of the website based on the change contents of the predetermined parameter detected by the computer.   The malignant website judging device according to claim 2,
  A malignant website judging device, wherein the judging unit adds the URL of the website to the malignant website database when it is judged as malignant based on the change contents of the parameters. In the malignant website judging device according to claim 2 or 3 ,
Periodically accesses each URL stored on SL malicious Web site database makes a determination of malignant-benign, the determination result database maintenance unit the URL became benign to delete et al or the malicious Web site database A malignant website judging device comprising: The malignant website determination device according to claim 1 ,
Comprising a decision database which changes the good properties the listed whitelist is stored,
The input information is a URL, an operation system type, and an application type.
The proxy access execution unit activates a virtual operation system equal to the operation system type and an application equal to the application type in the virtual environment, and performs proxy access to the URL included in the input information to detect the detection Output a change list that lists the changes to the parameter
The determination unit collates the change content list with the white list, and determines that all changes on the change content list are in the white list, and determines that it is malignant otherwise. And a malignant Web site determination apparatus characterized by outputting a determination result. The malignant website judging device according to claim 5 ,
Permission unit above Symbol When the result is determined to be benign to allow access to the Web site from the input source of the input information, in the case of malignant notifying the warning information to the input source without allowing access A malignant website judging device comprising: The malignant website determination device according to claim 6 ,
The determination database further stores a blacklist in which malignant changes are listed with a malignant score,
The determination unit further collates the change content list with the black list, and if there is a matching malignant change content, sums the malignant score, and outputs a determination result including the total malignant score,
The said permission part notifies the said warning information according to the malignancy score when the said determination result is malignant, The malignant Web site determination apparatus characterized by the above-mentioned . The malignant website judging device according to any one of claims 1 , 5, 6 and 7 , a malignant website cache storing a URL of a malignant website, and the input prior to the processing in the proxy access execution unit and a database check unit URL, which is included in the input information to query whether or not present in the malignant Web site cache, if you exist, which notifies the above-size constant part taken in parts, malignant Web periodically accesses the site external database, a main unit and a cache maintenance unit of the malignant Web site cache mirroring and the malignant Web site external database,
The malignant website external database storing the URL of the malignant website and the URLs stored in the malignant website external database are periodically accessed to determine malignant / benign, and the determination result is benign. an external device and an external database maintenance unit to become the URL to delete et al or the malicious Web site external database,
A malignant website determination system comprising: An input unit provided in the apparatus, an input step of capturing input information for access to any Web site into the device,
Proxy access execution unit constructed as a virtual environment comprising means for acquiring a snapshot of the virtual operating system in the device, the proxy accesses the Web site under the virtual environment in the activated the virtual operating system Proxy access execution step for detecting changes in predetermined parameters of the virtual operation system before and after proxy access;
The determination unit provided in the apparatus, malignant Web site determination method for organic and determining steps malignant of the Web site based on the changes of the parameters. Program for causing a computer to function as an apparatus or system as claimed in any one of claims 1 to 8.

Images