JP5476578B2 - Network monitoring system and method - Google Patents

Description

  The present invention relates to a network monitoring system and a processing method thereof, and more particularly to a system and method for detecting an illegal signal by monitoring a dark net that is reachable and unused on a network.

  As communication networks such as the Internet become an important foundation of society, virus infection on networks and attacks on specific host computers have become serious problems. Therefore, various methods for monitoring a network have been proposed.

  One of them is a method of monitoring a dark net. A dark net refers to an IP address space that is reachable and unused on the Internet, and is described in Non-Patent Documents 1-3. Although it is unlikely that a packet is transmitted to an unused IP address in the range of normal Internet use, a substantial number of packets have actually arrived at the dark net. Many of these packets are due to illegal activities on the Internet, such as scans and exploit codes sent by remote infectious malware, and backscatter that is a response to a SYN flood attack that spoofed the source IP address. .

  Therefore, by observing packets that arrive at the darknet, it becomes possible to grasp the trend of illegal activities occurring on the Internet. The biggest advantage of darknet observation is that it is not necessary to distinguish between right and wrong traffic, and all packets can be regarded as illegal.

  The incident analysis center nicter (Network ncident analysis Center for Tactical Emergency Response), where the applicant is conducting research and development, installs sensors in multiple dark nets (over 100,000 addresses in total) scattered throughout Japan. Are making observations. (See Non-Patent Documents 4-6)

The following two issues have emerged through regular observation of such dark nets.
First, the direct connection to real network protection is useful for grasping the trend of illegal activities on the Internet, but it is not directly connected to the protection of the real network of the organization where servers and hosts exist.
Next, the accuracy of wide-area sensor darknet observation improves as the number of addresses to be observed increases (see Non-Patent Document 2). Therefore, wide-area sensor deployment is important, but darknet information is also security information. Yes, it cannot be disclosed to other organizations. It is also expensive to install a sensor on the dark net.

Here is an overview of the major network observation projects that have been conducted in the past.
First, Network Telescope (Non-Patent Document 2) can be cited. This is a dark net observation project by CAIDA (Cooperative Association for Internet Data Analysis) in the United States, and it observes dark nets with more than 160,000 addresses. In this project, a dataset of traffic from backscatter and worms is published.

  Next, IMS (Internet Motion Sensor) (nonpatent literature 3) is mentioned. This is a large-scale darknet observation project with over 17 million addresses including the / 8 network by the University of Michigan. It has a function to collect and analyze the payload of the first packet after establishing a connection by returning a SYN-ACK from the sensor side to a part of the observed TCP SYN packet.

  Leurre.com (see Non-Patent Documents 7 and 8) is an information collection and analysis project using a distributed honeypot by Eurecom in France. Although the number of IP addresses to be observed is relatively small, the observation area is dispersed all over the world. The first generation Leurre.com v1.0 used Honeyd (see Non-Patent Document 9), a low interaction sensor, while the second generation Leurre.com v2.0 used SGNET (see Non-Patent Document 10). It is used to improve information gathering ability.

REN-ISAC (see Non-Patent Document 11) is a security information sharing / analysis project in the US research and education network (REN). Analyzes the traffic observed on Internet2 and publishes the observation results.
ISC (Internet Storm Center) (see Non-Patent Document 12) is a security information collection / analysis project by SANS (SysAdmin, Audit, Networking, and Security) in the United States. Firewall logs of 500,000 addresses or more are collected in a system called DShield (see Non-Patent Document 13), and statistical information and analysis reports by volunteers are made public.

  In addition to these, network observation projects such as ISDAS (see non-patent document 14), @police (see non-patent document 15), MUSTAN (see non-patent document 16), and WCLSCAN (see non-patent document 17) are in progress in Japan. It is in.

 The various projects shown so far have focused on understanding the trend of unauthorized traffic on the Internet, and have left the issue of not being directly connected to the protection of the organization's actual network.

D. Song, R. Malan, R. Stone, “A Snapshot of Global Internet Worm Activity,” The 14th Annual FIRST Conference on Computer Security Incident Handling and Response, 2002 Moore, D .: Network telescopes: tracking Denial-of-Service attacks and internet worms around the globe, 17th Large Installation Systems Administration Conference (LISA’03), USENIX, 2003 M. Bailey, E. Cooke, F. Jahanian, J. Nazario, D. Watson, “The Internet Motion Sensor: A Distributed Blackhole Monitoring System,” The 12th Annual Network and Distributed System Security Symposium (NDSS05), 2005 K. Nakao, K. Yoshioka, D. Inoue, M. Eto, K. Rikitake, “nicter: An Incident Analysis System using Correlation between Network Monitoring and Malware Analysis,” The 1st Joint Workshop on Information Security (JWIS06), pp. 363- 377, 2006 K. Nakao, K. Yoshioka, D. Inoue, M. Eto, “A Novel Concept of Network Incident Analysis based on Multi-layer Observations of Malware Activities,” The 2nd Joint Workshop on Information Security (JWIS07), pp. 267-279, 2007 Year D. Inoue, M. Eto, K. Yoshioka, S. Baba, K. Suzuki, J. Nakazato, K. Ohtaka, K. Nakao, “nicter: An Incident Analysis Systemtoward Binding Network Monitoring with Malware Analysis,” WOMBAT Workshop on InformationSecurity Threats Data Collection and Sharing (WISTDCS 2008), pp. 58-66, 2008 F. Pouget, M. Dacier, V.H.Pham, “Leurre.com: On the Advantages of Deploying a Large Scale Distributed Honeypot Platform,” E-Crime and Computer Conference (ECCE’05), 2005 C. Leita, VH Pham, O. Thonnard, E. Ramirez-Silva, F. Pouget, E. Kirda, M. Dacier, “The Leurre.com Project: CollectingThreats Information using a Worldwide Distributed Honeynet,” WOMBAT Workshop on Information SecurityThreats Data Collection and Sharing (WISTDCS 2008), pp. 40-57, 2008 N. Provos, “A Virtual Honeypot Framework,” The 13th USENIX Security Symposium, 2004 Internet http://www.honeyd.org/ C. Leita, M. Dacier, “SGNET: A Worldwide Deployable Framework to Support the Analysis of Malware Threat Models,” The 7th European Dependable Computing Conference (EDCC 2008), 2008 REN-ISAC: Research and Education Networking Information Sharing and Analysis Center, Internet http://www.ren-isac.net/ M. V. Horenbeeck, “The SANS Internet Storm Center,” WOMBAT Workshop on InformationSecurity Threats Data Collection and Sharing (WISTDCS 2008), pp. 17-23, 2008 Internet http://isc.sans.org/. DShield, Internet http://www.dshield.org/ JPCERT / CCISDAS, Internet http://www.jpcert.or.jp/isdas/. @police, Internet http://www.cyberpolice.go.jp/english/obs_e.html MUSTAN, Internet http://mustan.ipa.go.jp/mustan_web/. WCLSCAN, Internet http://www.wclscan.org/.

The present invention was created in view of the above-described problems of the prior art. Dark net observation is performed over a wide area, and the observation result is used to enhance the protection of the real network of the organization where the server and the host exist. It aims at providing the technology to plan.
In particular, the present invention provides a network monitoring system and a processing method thereof that can provide useful information to the administrator who performs dark net information provision and sensor installation.

  In order to solve the above problems, the present invention provides the following network monitoring system. The most distinctive point is to directly link darknet observation and real network protection, which were previously sparse relationships, to expand the possibilities of darknet observation and promote the wide-area deployment of sensors. It is in.

  Therefore, a network monitoring system for monitoring a dark net that is an address used on a network and that is reachable and unused is used. This system is managed by different organizations, each having a predetermined address range, a sensor means installed in each communication network for detecting a signal addressed to a dark net in the own network, and each communication network And an analysis center device that holds the used address information in the address range and receives the detection result of each sensor means.

Therefore, a network monitoring system for monitoring a dark net that is an address used on a network and that is reachable and unused is used. This system is managed by different organizations, each of which has a communication network having a predetermined address range, and is installed in each communication network, and includes at least signals transmitted from the same address range. Sensor means for detecting the above-mentioned signal, and an analysis center device for holding the used address information in the address range of each communication network and receiving the detection result of each sensor means.

The analysis center device stores used address information storage means for storing used address information in each communication network to be monitored, at least the presence of a signal from each sensor means, and the transmission source address of the detected signal. A detection result receiving means for receiving a detection result including, and an analysis means for analyzing whether the transmission source address of the signal is used address information in each monitored communication network when the detection result is received; As a result of the analysis, it is characterized by comprising alert means for outputting an alert when a signal addressed to a dark net in any of the monitored networks is transmitted from at least an address where the signal has been used.

  The sensor means may be a sensor that does not make any response to the signal from the transmission source address. The sensor means may be a sensor that makes a predetermined response to a known signal from a transmission source address.

  The present invention can also be provided as a network monitoring method for monitoring a dark net which is an address used on a network and forms a reachable and unused address space. This method uses an analysis center device in which used address information of each communication network to be monitored is stored in a used address information storage means.

And it has the following each step.
(S1) A signal detection step in which sensor means managed in different organizations, each installed in a communication network having a predetermined address range, detects a signal addressed to a dark net in its own network;
(S2) a detection result receiving step in which the detection result receiving means of the analysis center apparatus receives a detection result including at least the presence of a signal and the transmission source address of the detected signal from each sensor means;
(S3) When the analysis means of the analysis center apparatus accepts the detection result, an analysis step of analyzing whether the transmission source address of the signal is used address information in each monitored communication network;
(S4) An alert step in which the alert means of the analysis center device outputs an alert when the signal is transmitted from at least the used address as a result of the analysis.

And it has the following each step.
(S1) Sensor means managed by different organizations, each installed in a communication network having a predetermined address range, sends a signal addressed to a dark net in its own network including a signal transmitted from at least the same address range. A signal detection step to detect,
(S2) a detection result receiving step in which the detection result receiving means of the analysis center apparatus receives a detection result including at least the presence of a signal and the transmission source address of the detected signal from each sensor means;
(S3) When the analysis means of the analysis center apparatus accepts the detection result, an analysis step of analyzing whether the transmission source address of the signal is used address information in each monitored communication network;
(S4) An alert step in which the alert means of the analysis center device outputs an alert when the signal is transmitted from at least the used address as a result of the analysis.

  In the above sensor step, the sensor means detects the destination port number of the detected signal, and in the analysis step, the analysis means determines whether or not the communication is illegal from at least the information of the destination port number according to a predetermined determination rule. Further, in the alert step, the alert means can output an alert according to the determination result.

  In the signal detection step of the network monitoring method, the sensor means may not make any response to the signal from the transmission source address.

  In the signal detection step of the network monitoring method, the sensor means may make a predetermined response to a known signal from the transmission source address.

By providing the above configuration, the present invention has the following effects.
Since it is possible to monitor a dark net in a communication network used in an actual organization, it is possible to perform monitoring activities that are directly connected to the protection of the real network. The analysis center device can detect the address range of each communication network and the used address information so that it can be detected when a signal is sent to the dark net from a host that is actually operating. become able to.
As a result, instead of measuring only the signals sent from other networks to the darknet that is being monitored as in the past, by detecting the signals sent from the own network to the darknet, It becomes possible to detect device setting mistakes at an early stage.

  Each organization that operates the communication network must install sensor means in the dark net and provide information to the analysis center device, while the communication network that provides information to the same analysis center device. If an unauthorized signal is sent to the darknet from within your network, the analysis center device can detect it and output an alert, so you can know the unauthorized behavior of the devices in your network. it can.

  That is, by sharing the information of the signal detected by the dark net via the analysis center device, it becomes possible to know each other's transmission of an illegal signal from the own network to another communication network. In this regard, since it was only the information that arrived at the darknet that was monitored for research purposes in the past, it was not necessarily directly linked to the protection of the actual network. More practical monitoring can be performed to detect signal transmission from the network.

In this way, when the actual network monitoring system is jointly established between different organizations, the sensor method installers had to share the details of the communication network address range and used addresses with each other, This was one of the reasons why the spread did not progress.
According to the present invention, since the analysis center device is interposed and only the analysis center device needs to manage whether the source address detected by the sensor means belongs to the organization that has joined the system, However, there is no need to share information about each communication network.
This contributes to protecting the privacy and network security of each organization.

On the other hand, the administrator who has borne the installation of the sensor means can know the information transmitted from the local network and detected by other darknets, so take appropriate measures for the devices in the local network. Can do.
By such a mechanism, the installer of the sensor means can obtain information useful for managing the own network, and therefore, incentive is generated in the installation of the sensor means. Therefore, it can be expected that the sensor means is installed in many communication networks.

  The sensor means can also detect the destination port number of the detected signal. The destination port number is information that is useful for identifying the infected virus and identifying the problem, and the analysis means determines whether the communication is unauthorized according to a predetermined determination rule. Contribute to.

  Conventionally, various sensors have been used for darknet monitoring. However, according to the present invention, a sensor that does not respond to a signal from a transmission source address is used as a sensor means. Suitable for installing sensor means on a large scale. Such a sensor also has an advantage that it is difficult to detect the presence of the sensor from the outside. Moreover, the installation cost of the sensor means is low, which contributes to the cost reduction of the entire system.

  According to the configuration in which the sensor means uses a sensor that performs a predetermined response to a known signal from the source address, the sensor means returns a certain level of response to the packet source and knows the reaction to it. Can do. For this reason, there is an advantage that it becomes easy to identify the problem of the device of the source address. Further, since only a predetermined response is performed, maintenance of the device is relatively easy.

It is explanatory drawing of the network monitoring system which concerns on this invention. It is a block diagram of the analysis center apparatus which concerns on this invention. It is a block diagram of the structure | tissue side sensor apparatus which concerns on this invention. It is a process flowchart of the network monitoring method which concerns on this invention. It is explanatory drawing which shows a mode that the scan of an internal network is monitored. It is explanatory drawing which shows a mode that the scan of an external network is monitored. It is an observation result by the network monitoring system.

Hereinafter, embodiments of the present invention will be described based on examples shown in the drawings. The embodiment is not limited to the following. First, the outline of the present invention will be described.
In the present invention, an architecture for not only using a dark net for grasping a traffic trend as in the prior art but also directly using it for protecting a real network (hereinafter referred to as a live net) where servers and hosts exist. There is a point in having. In other words, in the conventional darknet observation, traffic that reaches the darknet owned by an organization (hereinafter referred to as darknet traffic) is forwarded to a sensor installed in the organization, and the sensor transfers the darknet traffic to the center. Send to analysis center. The analysis center generally has an architecture that analyzes darknet traffic collected from sensors of each organization and publishes traffic statistical information and the like.

In the present invention, the conventional dark net observation architecture is followed, and it is not particularly necessary to change the sensors installed in each organization. However, the difference is that the range of IP addresses used by each organization as a live net is registered in the analysis center.
That is, in the network monitoring system (1) as shown in FIG. 1, communication networks (2a) to (2g) managed by a plurality of organizations, for example, organizations A to G, and communication networks (2a) to (2g) are connected. An analysis center device (10) for monitoring is provided.

Each of the communication networks (2a) to (2g) can be assigned freely by a live net (3) used by assigning an address to a network device and each organization, but is actually assigned to a device. There is no dark net (4).
The address in the present invention may be any address used on a network, and an IP address is typical in an IP network. It may be a physical address such as a MAC address assigned to a network device.

  Each organization has sensor means for observing the dark net. When a signal addressed to the dark net is detected from the internal network or the external network, the dark net traffic is transferred to the analysis center device (10).

FIG. 2 is a configuration diagram of the analysis center device (10), FIG. 3 is a configuration diagram of a sensor device installed in each communication network, and FIG. 4 is a processing flowchart of the network monitoring method according to the present invention.
The analysis center device (10) and the sensor device (20) can be easily configured by a well-known personal computer, a workstation, or the like, and the CPU (11) (21) and a memory (not shown) cooperate to store. Each process is performed according to the program stored in the means. Since the operation method of the computer is a well-known matter, the description is omitted.

  In addition to the CPU (11), the analysis center device (10) includes communication modules (12) and (13) connected to each communication network, and a hard disk (14) as storage means for storing information. The communication modules (12) and (13) need only be provided for each communication network, and one module corresponding to a plurality of communication networks may be provided.

  In the CPU (11), a detection result receiving unit (111) that receives a detection result including at least the presence of darknet traffic and the transmission source address of the detected signal from each sensor device (20), and the detection result is received. In this case, an analysis unit (112) for analyzing whether the source address of the signal is the address range of each of the monitored communication networks (2a) to (2g) and used address information, As a result of the analysis, an alert unit (113) is provided that outputs an alert when at least darknet traffic originates from a used address.

  Further, as described as a feature of the present invention, the hard disk (14) stores used address information (141) in each communication network to be monitored. In addition, the address range of each communication network may be provided as address range information (142).

The configuration of the sensor means installed on each tissue side is arbitrary in the present invention. As an example, as shown in FIG. 3, a sensor device (20) provided with a signal sensor (22) and a monitor (23) in the CPU (21). ) Can be installed.
The signal sensor (22) monitors the darknet (4) of its own network (2) and monitors whether illegal darknet traffic is received.

  In addition to notifying darknet traffic, the sensor device (20) in this embodiment has a function of transmitting used address information and a function of receiving and outputting an alert from the analysis center device (10). Yes.

The process flow will be described with reference to FIG.
First, in each communication network, live network information in the local network, that is, used address information is transmitted from the local network information transmission unit (211) of the sensor device (20) (own network information notification step: S10).
In the analysis center device (20), this is received by the communication modules (12) and (13) and stored in the hard disk (14) as used address information (141). (Each communication network information collection step: S11)

In this state, the signal sensors (22) of the respective communication networks (2a) to (2g) are in a state of monitoring the respective dark nets.
For example, in the communication network (2a) of organization A, when the dark sensor traffic is detected by the signal sensor (22) and the sensor processing unit (212) that controls the dark net traffic, the analysis center device (10) is detected from the detection result transmission unit (213). ).

  At this time, the sensor processing unit (212) extracts and transmits at least the address of the transmission source host from the darknet traffic received by the signal sensor (22). Or the structure which transmits the whole unit darknet traffic may be sufficient. (Signal detection step: S12)

The detection result receiving unit (111) of the analysis center device (10) receives the detection result via the communication module (12) (S13). (Detection result acceptance step: S13)
Further, the analysis unit (112) refers to the used address information (142) to check whether the transmission source address of the darknet traffic is included in the address of the used address information. (Analysis step: S14)

Here, as the processing of the analysis unit (112), when the sensor processing unit (212) has extracted the source address as described above, it is only necessary to collate, or when the entire darknet traffic is transferred. Performs processing for analyzing the source host from among them.
For example, in the case of an IP packet, 32 bits from the 12th byte are the transmission source IP address, and 32 bits from the 16th byte are the destination IP address. By analyzing these, the transmission source address is extracted.
In addition, the analysis unit (112) analyzes the content of darknet traffic, as in the past, and analyzes the type of virus that has been infected, behavior analysis, and determination of misconfiguration of the source host. May be.

It is also possible to analyze the destination port number to which the darknet traffic has been sent. The typical behavior of malware is to send random numbers to port numbers that are not generally used, such as port number 50000, or to send a large amount of signals to numbers 80, 8080, etc. used by TCP. There is a case.
On the other hand, UDP port 67 is a port number used by the DHCP server inside the LAN, and it is more likely that a setting error will be transmitted to the darknet than the malware.
Thus, by analyzing the port number, it is possible to determine to some extent whether it is infected with a virus or a setting error.

Therefore, for example, a protocol and port number that should be suspected of malware, a protocol and port number that should be suspected of setting errors, and a list of protocols and port numbers that do not require alerts are stored as determination rules in the hard disk (14), and the analysis unit (112) The port number is verified.
As a result, it is classified into “malware”, “setting error”, and “no alert required”.
In addition, it is also possible to estimate the type of malware or the content of a setting error using a known method.

As a result of the analysis processing, for example, when the transmission source address of the detected dark net traffic is the address of the live net of the organization B, the alert unit (113) outputs an alert. In the present invention, at a minimum, it may be a process of outputting by screen display on the analysis center device (10), outputting a sound from a speaker, or recording an alert on the hard disk (14).
In this embodiment, alert information is transmitted from the alert unit (113) to the alert receiving unit (214) of the sensor device (20) via the communication module (13). (Alert notification step: S15)

The alert receiving unit (214) receives the alert information (alert receiving step: S16), and displays the alert information from the monitor (23). (Alert display step: S17)
Here, in the analysis step (S14), when it is determined as “malware” or “setting error” and the result is transmitted as an alert, this is also displayed, and what suspicion about which host is displayed to the administrator Can tell if there is.

  In the present invention, when the address range information (142) is provided in the hard disk (14), even if the source address of the darknet traffic is not included in the used address information (141), the address range information (142). May be configured to alert the sensor device (20) of the communication network. Thus, even when the used address information cannot be updated in time, such as when an IP address is dynamically assigned from a DHCP server or the like, it is possible to notify the administrator of the communication network suspected of being the transmission source.

Two specific examples of what kind of dark traffic can be detected by the present invention will be described.
First, FIG. 5 is an explanatory diagram showing how the internal network scan is monitored. This figure shows a pattern in which the address (5) of a host computer infected with malware exists in the communication network (2g) of organization G.

  In such an organization, a dark net included within the range of IP addresses managed by the own organization is referred to as an internal dark net. If a host infected with malware in the organization performs a local scan (50) (typically a scan to a / 24 or / 16 network that includes an infected host) and the scan reaches the internal darknet, the analysis center device (10) detects it and sends an alert to the appropriate organization.

In the example of FIG. 5, as a result of a local scan performed by a host infected with malware in the organization G, the signal sensor (22) of the sensor device (20) installed in the organization G detects this, and darknet traffic (51 ).
And it becomes clear from the analysis of the analysis center device (10) that this transmission source address is the address (5) of the infected host of the organization G.

An alert (52) is transmitted from the analysis center apparatus (10) to the organization G according to the analysis result. In the internal darknet, in addition to the local scan, packets from the own organization may be detected due to an error in the network settings within the organization. Can be useful information.
In such a configuration used for monitoring the internal darknet, since it is information in the communication network of the organization G, any information on how traffic was in the darknet is given to the administrator. You may be notified. This may facilitate the identification of the problem.

On the other hand, FIG. 6 is an explanatory diagram showing a state in which scanning of an external network is monitored. This figure shows a pattern in which the address (5) of the host computer infected with malware exists in the communication network (2g) of organization G and the dark net of organization A is scanned.
In a certain organization, a dark net outside the range of IP addresses managed by the own organization is called an external dark net. In the organization, a host infected with malware performs a global scan (60) (scanning outside the organization to which the infected host belongs), and when the scan reaches the external darknet, the analysis center device (10) detects it. , Send alerts to the appropriate organizations.

In the example of FIG. 6, a host infected with malware in the organization G performs a global scan, and as a result of the scan reaching the dark net of the organization A, the signal sensor (22) of the sensor device (20) installed in the organization G Detects this and transmits darknet traffic (61).
And it becomes clear from the analysis of the analysis center device (10) that this transmission source address is the address (5) of the infected host of the organization G.

  An alert (62) is transmitted from the analysis center device (10) to the organization G according to the analysis result. In the external darknet, in addition to the global scan, an alert may be sent as a result of detecting backscatter from the live net registered in the analysis center, but this is because the server of the organization is under attack. This suggests the possibility and is important information for security.

In such a configuration used for monitoring the external darknet, the administrator of the organization G usually does not want the administrator of the organization A to send detailed information of the own network. On the other hand, in the case of malware infection, even if the organization G is specified as the administrator of the organization A, it makes little sense and such information is not necessary.
According to the present invention, although the analysis center device (10) uses the sensor means of the organization A, it is only necessary to notify the alert to the manager of the organization G.

  In this case, the administrator of the organization A does not receive a direct benefit by installing the sensor means, but the attack on the own network is also eliminated by repairing the malware infection in the organization G. Can contribute to improving the security of the entire participating communication network. Of course, when a malware infection occurs in the organization A, the cause can be identified by other participating sensor means, so there is a reciprocal effect, and there is sufficient benefit to install the sensor means. Will be.

Here, two aspects of the sensor means are shown.
A black hole sensor is particularly suitable as the sensor means of the present invention. A black hole sensor refers to a sensor that does not respond to a packet transmission source at all. This sensor is the sensor described in the above embodiment, and it is easy to maintain because it only monitors the input signal. Therefore, it is suitable for observation of a large-scale darknet as in the present invention, and it is not costly to install.

Since the black hole sensor has no response, there is an advantage that it is difficult to detect the presence of the sensor from the outside. Further, the risk that the sensor means itself is infected with malware is very small.
Scanning, which is the initial stage of malware infection activity, is observable, but behavior after that cannot be observed. However, it can be said that the present invention has a sufficient effect in specifying the transmission source host.

A low-interaction sensor may be mentioned as a suitable sensor after the black hole sensor. This is a sensor that returns a certain level of response to the packet source. This includes sensors that return SYN-ACK packets in response to TCP SYN packets, and low interaction honeypots that emulate known vulnerabilities in the OS. This sensor can monitor the behavior of malware to a certain extent and only makes a predetermined response to a known signal, so it is not easily attacked by malware.
However, the presence of the sensor is easy to detect due to the tendency of the listening port and the like, and there is a feature that it is not suitable for operation in a large-scale darknet with continuous addresses.

On the other hand, a sensor called a high interaction sensor is also known. This is a real host or a sensor (a so-called high interaction honeypot) that returns a response equivalent thereto. A variety of information can be acquired, including behavior at the time of malware infection and keystrokes of attackers, but the cost for safe operation is high and unsuitable for large-scale operation.
But each sensor means of this invention does not need to be the same, and the structure | tissue which uses such a high interaction sensor may be mixed.

  The conventional method of using the dark net is to observe illegal packets coming from outside the organization, that is, to capture access from outside to inside. The proposed method, on the other hand, observes illegal packets sent from within the organization with a distributed darknet, that is, captures access from inside to outside (or from inside to inside). It shows how to use.

In the present invention, the analysis center device (10) detects a malware infection or the like occurring in the organization and sends an alert to the corresponding organization, so that the observation result of the dark net becomes a trigger for the security operation of the real network. There is expected.
The former of the two problems of conventional dark net observation, that is, the real network protection is intended. From the point of view of the organization that provides the darknet, the provision of some used IP addresses in the organization and the installation of the black hole sensor provided direct feedback of alerts from the wide-area darknet observation network, An incentive to quickly detect unauthorized access to the outside by hosts in the organization works.

  For this reason, the latter of the two problems of darknet observation, the progress of wide-area deployment of sensors, can be expected, and a positive spiral can be realized: expansion of the darknet observation network, improvement of analysis accuracy, and increase of participating organizations. it can.

  Finally, experimental results for verifying the effectiveness of the present invention are shown based on darknet observation results of two domestic organizations (referred to as organization X and organization Y for convenience) in which a nicker black hole sensor is installed. The organization X has a network configuration in which a dark net and a live net are mixed in a / 16 network (such as organization B in FIG. 1). Therefore, the live net of organization X is set as an IP address registered in the analysis center apparatus, and the dark net of organization X is regarded as an internal dark net.

On the other hand, the organization Y has a dark net that is unused for the entire / 16 network. The dark net of organization Y is regarded as an external dark net. FIG. 7 is a graph in which the number of unique hosts that transmitted one or more packets from the organization X to the internal darknet or the external darknet in July 2008 is plotted every day.
On the internal darknet, an average of about 83 hosts were detected a day, and on July 16, there was a spike (176 hosts). On the other hand, on the external darknet, an average of about 0.3 hosts per day was detected, and the maximum was 2 hosts on July 5. These detected hosts behave in a manner that cannot occur with normal network usage, and it is necessary to apply anti-virus software, update to the latest OS, or check network settings. The alert by is considered effective.

DESCRIPTION OF SYMBOLS 1 Network monitoring system 2a Communication network of organization A 2b Communication network of organization B 2c Communication network of organization C 2d Communication network of organization D 2e Communication network of organization E 2f Organization F communication network 2g Communication network of organization G 3 Live net 4 Dark Net 10 Analysis center device

Claims (10)

In a network monitoring system that monitors a darknet that is an address space that is used on a network and that is reachable and unused,
A communication network managed by different organizations, each having a predetermined address range;
Sensor means for detecting a signal addressed to a dark net in the own network, which is installed in each communication network and includes a signal transmitted from at least the same address range ;
An analysis center device that holds used address information in the address range of each communication network and receives the detection result of each sensor means,
The analysis center device
Used address information storage means for storing used address information in each communication network to be monitored;
A detection result receiving means for receiving a detection result including at least the presence of a signal from each sensor means and a transmission source address of the detected signal;
An analysis means for analyzing whether or not the source address of the signal is used address information in each monitored communication network when receiving the detection result;
A network monitor comprising: an alert means for outputting an alert when a signal addressed to a dark net in any of the monitored networks is transmitted from an address at which the signal is used as a result of analysis; system. In the network monitoring system,
The alert means of the analysis center device comprises:
The network monitoring system according to claim 1, wherein information on a transmission source address is notified to a communication network administrator including a transmission source address of a signal detected by the sensor means in an address range. In the network monitoring system,
The sensor means detects a destination port number of the detected signal;
The analysis means of the analysis center device determines whether or not the communication is at least from the information of the destination port number according to a predetermined determination rule,
The network monitoring system according to claim 1, wherein the alert unit outputs an alert according to the determination result. The sensor means comprises:
The network monitoring system according to claim 1, wherein the network monitoring system is a sensor that does not respond to a signal from a transmission source address. The sensor means comprises:
The network monitoring system according to claim 1, wherein the network monitoring system is a sensor that performs a predetermined response to a known signal from a transmission source address. In a network monitoring method for monitoring a darknet which is an address used on a network and which is a reachable and unused address space,
Using an analysis center device that stores used address information of each communication network to be monitored in a used address information storage means,
A signal managed by different organizations, each of which is installed in a communication network having a predetermined address range, detects signals addressed to the dark net in the own network, including signals transmitted from at least the same address range. Detection step,
A detection result receiving step in which the detection result receiving means of the analysis center apparatus receives a detection result including at least the presence of a signal and the source address of the detected signal from each sensor means;
An analysis step of analyzing whether the transmission source address of the signal is used address information in each monitored communication network when the analysis means of the analysis center apparatus receives the detection result;
An alerting step for outputting an alert when an alert means of the analysis center apparatus sends a signal addressed to a dark net in any of the monitored networks from at least the address where the signal has been used as a result of the analysis; A network monitoring method comprising: In the alert step of the network monitoring method,
The alert means of the analysis center device comprises:
The network monitoring method according to claim 6, wherein information on a transmission source address is notified to an administrator of a communication network that includes a transmission source address of a signal detected by the sensor means in an address range. In the network monitoring method,
In the sensor step, the sensor means detects a destination port number of the detected signal,
In the analyzing step, the analyzing means determines whether or not the communication is illegal communication from at least the information of the destination port number according to a predetermined determination rule,
The network monitoring method according to claim 6 or 7, wherein in the alert step, the alert means outputs an alert according to the determination result. In the signal detection step of the network monitoring method,
The network monitoring method according to claim 6, wherein the sensor unit does not respond at all to a signal from a transmission source address. In the signal detection step of the network monitoring method,
The network monitoring method according to claim 6, wherein the sensor unit makes a predetermined response to a known signal from a transmission source address.

Images