JP5684842B2 - Malignant site detection apparatus, malignant site detection method and program - Google Patents

Description

  The present invention relates to a technique for detecting a malicious site from a Web site established on a network.

  Due to the diversification and complexity of online threats, the number of events in which user terminals are infected with malicious programs is rapidly increasing. Malicious software programs represented by computer viruses are called "malware". For example, when a user terminal accesses a malicious website, the user terminal is directed to an unintended site, the user terminal is infected with malware, and suffers damage such as leakage of information in the user terminal.

  In recent years, the so-called Drive-by-Download attack has been rapidly increasing as an attack for infecting user terminals with malware. Briefly explain the Drive-by-Download attack. FIG. 9 is a diagram for explaining an example of an attack method using malware.

  First, when a user terminal accesses a website (entrance site) that has been falsified by a malicious third party, it is redirected to another site (stepping site) by the code embedded in the site by falsification, and further attacks the user terminal. Redirected to the site (attack site) In this way, when the user is guided to the attack site, the user terminal is infected with malware.

  As a countermeasure against these threats, a malicious site list that lists malicious website information (URL (Uniform Resource Locator), domain name, IP (Internet Protocol) address)) is generated and listed on the list. A method for controlling access to a site has been proposed.

  Non-Patent Document 1 and Non-Patent Document 2 are known as related technologies. The techniques disclosed in these documents focus on communications sent by user terminals, particularly DNS (Domain Name System) queries, and improve the accuracy of known malicious site lists. In Non-Patent Document 1, a score representing a malignancy is assigned to a domain name that is not listed in a known malignant site list from the co-occurrence relationship of DNS queries of user terminals. Non-Patent Document 2 is a technique for removing benign ones from sites listed in a known malignant site list. In this technique, a score is assigned to a domain name using a graph kernel (see Non-Patent Document 3).

  In the techniques disclosed in Non-Patent Document 1 and Non-Patent Document 2, the accuracy of the malignant site list is improved based on user access information.

  Non-patent documents 4 to 7 are known as other related technologies. Non-patent documents 4 to 7 all analyze a DNS packet and detect an unknown malignant site. In these technologies, parameters such as IP address, TTL (Time to Live) included in DNS response, AS (Autonomous System) number obtained from the IP address, and geographic information are learned parameters for each malignant site and non-malignant site. Let the system learn. A score indicating malignancy is assigned to a newly appearing site based on the above-described parameters and past learning data.

K. Sato, K. Ishibashi, T. Toyono, and N. Miyake, "Extending Black Domain Name List by Using Co-occurrence Relation between DNS Queries," Proceedings of Leet 2010 Keisuke Ishibashi, Tsuyoshi Toyono, Kazumichi Sato, Makoto Iwamura, "Malignant domain name list evaluation using DNS query graph," Internet Architecture Study Group, 2009 R. L. Kondor, "Diffusion Kernels on Graphs and Other Discrete Input Spaces," Proceedings of the 19th International Conference on Machine Learning, 2002 L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi, "EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis," Proceedings of NDSS 2011 M. Antonakakis, R. Perdisci, W. Lee, N. Vasiloglou, and D. Dagon, "Detecting Malware Domains at the Upper DNS Hierarchy," Proceedings of USENIX Security 2011 M. Antonakakis, R. Perdisci, D. Dagon, W. Lee, and N. Feamster, "Building a Dynamic Reputation Sysytem for DNS," USENIX Security 2010 M. Felegyhazi, C. Kreibich, and V. Paxon, "On the Potential of Proactive Domain Blacklisting," Proceedings of Leet 2010

  However, URLs and domain names of malignant sites are updated every day, and known malignant sites become non-malignant sites in a short period of time, or a large number of new malignant sites are generated every day. As a result, there is a problem that the list becomes obsolete and the accuracy and completeness of the list are lowered. If the accuracy of the list decreases, problems such as blocking access to non-malignant sites may occur. Further, if the comprehensiveness is lowered, the communication that should be blocked cannot be blocked, and the number of malware-infected terminals increases.

  The present invention has been made in order to solve the problems of the above-described technology, and a malignant site detection apparatus, a malignant site detection method, and the like capable of improving the accuracy and completeness of the malignant site list, Another object of the present invention is to provide a program for causing a computer to execute the program.

In order to achieve the above object, the malignant site detection apparatus of the present invention comprises:
A storage unit for storing site access information that is a history of access to a website on the network by an information terminal, and a known malignant site list that is a list on which known malignant sites are posted;
Site access information collected by extracting from the site access information stored in the storage unit a site accessed by the information terminal within a predetermined time before and after accessing the known malicious site, and using the extracted site as a suspected malicious site And
A score calculation unit that gives a score representing malignancy to the suspected malignant site extracted by the site access information collection unit;
A malignant list update unit that determines a suspected malignant site whose score assigned by the score calculation unit exceeds a preset threshold value as an unknown malignant site, and adds the unknown malignant site to the known malignant site list;
It is the structure which has.

The malignant site detection method of the present invention is a malignant site detection method by a malignant site detection device,
The storage unit of malignant site detecting apparatus, information terminal stores the known malignant site list is a list site access information is a history of accessing the Web site on a network, and a known malignant sites have been published,
The site access information collection unit of the malignant site detection apparatus extracts sites accessed within a predetermined time before and after the information terminal accesses the known malignant site from the site access information stored in the storage unit , the extracted site and malignant site doubt,
The score calculation unit malignant site detecting apparatus, a score representing the grade given to the pseudo-malignant sites the site access information collection unit is extracted,
Malignant list updating section of the malignant site detecting apparatus, the score score calculation unit has given it is determined malignant site suspected exceeds a preset threshold and unknown malignant sites, said the unknown malignant sites known malignant site To add to the list.

Furthermore, the program of the present invention is stored in a computer.
A procedure for collecting site access information, which is a history of information terminals accessing websites on the network, and a list of known malignant sites, which is a list of known malignant sites;
From the collected site access information, a site accessed within a predetermined time before and after the information terminal accessed the known malignant site is extracted, a suspected malignant site extraction procedure in which the extracted site is a suspected malignant site;
A score granting procedure for giving a score representing malignancy to the suspected malignant site extracted in the suspected malignant site extraction procedure;
A determination procedure for determining a suspicious malignant site whose score assigned in the score assigning procedure exceeds a preset threshold as an unknown malignant site,
A procedure for adding the unknown malignant site determined in the determination procedure to the known malignant site list is executed.

  According to the present invention, the accuracy and completeness of the malignant site list can be improved.

It is a figure for demonstrating the outline | summary of the malignant site detection method of this embodiment. It is a block diagram which shows the example of 1 structure of the communication system containing the malignant site detection apparatus of this embodiment. It is a block diagram which shows the example of 1 structure of the malignant site detection apparatus of this embodiment. It is a figure for demonstrating the malignant site detection method of this embodiment. It is a flowchart which shows the procedure of the malignant site detection method of this embodiment. It is a figure for demonstrating the process of step 101 shown in FIG. It is a figure for demonstrating the process of step 102 shown in FIG. It is a figure for demonstrating the process of step 103 shown in FIG. It is a figure for demonstrating an example of the attack method by malware.

  The features of the malignant site detection method of this embodiment will be described. FIG. 1 is a diagram for explaining the outline of the malignant site detection method of this embodiment.

  The malignant site detection method of the present embodiment focuses on the property that a user's information terminals successively access malignant sites one after another in a drive-by-download attack. Because of this property, it can be said that an unknown malicious site is included in the accessed site before and after accessing a known malicious site.

The malicious site detection apparatus according to the present embodiment is infected with malware by using as input the site access information, which is information on the history of websites accessed by the user's information terminal, and the list of malicious sites on which known malicious sites are posted. An unknown malignant site is detected by analyzing the site access order of the information terminal, and the information of the detected unknown malignant site is added to the list on which the known malignant site is posted to update the list.
Hereinafter, embodiments of the malignant site detection apparatus of the present invention will be described in detail.

  First, the configuration of a communication system including the malignant site detection device of the present embodiment will be described.

  FIG. 2 is a block diagram illustrating a configuration example of a communication system including the malignant site detection apparatus according to the present embodiment.

  As shown in FIG. 2, the malignant site detection apparatus 10 of the present embodiment is connected to a plurality of user terminals 30 via a network 200. Further, the malicious site detection apparatus 10 is connected to the network 100 via the proxy server 20. For example, the network 200 is a LAN (Local Area Network), and the network 100 is the Internet.

  A plurality of Web servers 40 are connected to the Internet. The Web server 40 stores Web page information and opens a Web site that provides the Web page to the user terminal 30 on the network 100 so that the user terminal 10 can access it.

  The user terminal 30 is, for example, an information terminal typified by a personal computer (PC), and is not limited to a desktop PC, but may be a notebook PC, or a portable device such as a PDA (Personal Digital Assistants) and a smartphone. It may be a terminal.

  In FIG. 1, for the sake of explanation, it is shown that the malicious site detection apparatus 10 is connected to the communication line connecting the proxy server 20 and the network 200, but the malicious site 10 collects the access history of the user terminal 30. As long as it can be configured, it is not limited to the connection configuration shown in FIG.

  Next, the configuration of the malignant site detection apparatus 10 shown in FIG. 1 will be described. FIG. 3 is a block diagram showing a configuration example of the malignant site detection apparatus according to the present embodiment.

  The malignant site detection apparatus 10 includes a storage unit 15 and an information processing unit 11. The information processing unit 11 includes a site access information collection unit 12, a score calculation unit 13, a malignant list update unit 14, and an access control unit 16. The storage unit 15 includes an access information storage unit 151 and a malignant site list storage unit 152.

  The access information storage unit 151 stores site access information that is a history of sites accessed by the user terminal 30. As for the site access information, for each site accessed by each of the plurality of user terminals 30, an identifier such as a URL serving as information for specifying the site and an access time that is a time when the site is accessed are recorded in time series. Information. The malignant site list storage unit 152 stores a malignant site list on which known malignant sites are posted. In this embodiment, it is assumed that a malignant site list on which known malignant sites are posted is stored in advance in the malignant site list storage unit 152. Hereinafter, a malignant site list on which known malignant sites are posted is referred to as a known malignant site list.

  The information processing unit 11 includes a CPU (Central Processing Unit) (not shown) that executes processing according to a program, and a memory (not shown) that stores the program. When the CPU executes processing according to the program, the site access information collecting unit 12, the score calculating unit 13, the malignant list updating unit 14, and the access control unit 16 are virtually configured in the malignant site detection apparatus 10.

  The site access information collection unit 12 collects server logs and traffic data from the proxy server 20 and stores site access information based on the collected data in the access information storage unit 151. The collection of traffic data is not limited to the case of collecting from the proxy server 20. If a traffic collection device (not shown) specialized for the traffic data collection function is provided in the network, the traffic data is collected from the traffic collection device. Also good.

  Further, when the site access information collecting unit 12 refers to the site access information stored in the access information storage unit 151 and recognizes that the user terminal 30 has accessed a malignant site listed in the known malignant site list, the site access information collecting unit 12 Sites accessed within a predetermined time before and after are extracted, and the extracted sites are notified to the score calculator 13 as suspicious malignant sites that are suspected to be malignant sites.

  When the score calculation unit 13 receives the notification of the suspected malignant site from the site access information collecting unit 12, the score calculation unit 13 refers to the site access information and the known malignant site list, and among the suspected malignant sites, the suspected malignant that is not listed Give the site a score.

  The malignant list update unit 14 compares the score calculated by the score calculation unit 13 with a preset threshold value, and adds a suspected malignant site whose calculated score exceeds the threshold value as a malignant site to the known malignant site list. As a result, the newly detected unknown malicious site is added to the list, and the known malicious site list is updated.

  The access control unit 16 refers to the latest known malignant site list from the malignant site list storage unit 15 and controls communication of the user terminal 30 to the malignant site. For example, when the user terminal 30 tries to access a malignant site, the access control unit 16 displays a warning display on the user terminal 30 and performs processing such as not permitting access to the malignant site.

  Next, a malignant site detection method by the malignant site detection apparatus of this embodiment will be described.

  FIG. 4 is a diagram for explaining the malignant site detection method of the present embodiment, and FIG. 5 is a flowchart thereof. Here, it is assumed that site access information is collected in advance.

  The site access information collection unit 12 extracts an infected terminal that has accessed the malignant site by matching the collected site access information of the user terminal 30 with the known malignant site list (step 101). Subsequently, the site access information collection unit 12 extracts another site accessed within a predetermined time before and after the malicious site accessed by the infected terminal extracted in step 101 (step 102). Then, the site access information collection unit 12 notifies the score calculation unit 13 of the site extracted in step 102 as a suspicious site.

  The score calculation unit 13 assigns a score representing malignancy to the suspected malignant site notified from the site access information collection unit 12 (step 103). The score calculation unit 13 gives a score of a predetermined value for the suspected malignant site, but accesses a non-malignant site that is a site not listed in the known malignant site list within a predetermined time before and after the malignant site. If there is, the score to be given is made smaller than when the non-malignant site is not accessed.

  FIG. 4 shows a list of suspected malignant sites created by the score calculation unit 13 on which suspected malignant sites are posted. In the list of suspected malignant sites, information (identifier) for specifying the suspected malignant sites and the score assigned to the suspected malignant sites are listed and listed. The score calculation unit 13 passes the suspected malignant site list to the malignant list update unit 14.

  When the malignant list update unit 14 receives the suspected malignant site list from the score calculation unit 13, the malignant list update unit 14 compares the score of each suspected malignant site listed in the suspected malignant site list with a threshold value. As a result of the comparison, the malignant list update unit 14 determines the suspected malignant site whose score has exceeded the threshold value as an unknown malignant site, and stores the information on the site in the known malignant site list stored in the malignant site list storage unit 151. Add (step 104). The access control unit 16 refers to the latest known malignant site list stored in the malignant site list accumulation unit 15 and controls communication of the user terminal 30 to the malignant site.

  In this way, the access order of the user terminal 30 is analyzed to detect an unknown malicious site, and the accuracy of the known malicious list is improved.

  Next, the processing in steps 101 to 103 shown in FIG. 5 will be described in detail.

  Here, u is a user, U is a set of users, s is a site, S is a set of sites, and B is a set of known malignant sites. Also, i is the i-th accessed site, I is the set of i, t is the access time of the site, and T is the set of access times.

  FIG. 6 is a diagram for explaining the processing of step 101 shown in FIG.

  In step 101, the malignant site accessed by the user terminal 30 and the access time are extracted by matching the site access information of the user terminal 30 with the known malignant site list. It is assumed that the site access information includes an identifier such as the URL or domain name of the site accessed by the user terminal 30 and the access time.

  Specifically, all sites that satisfy the following conditions are extracted.

  FIG. 6 shows a case where the site B is a malignant site, and the site B is an extraction target site.

  Next, a specific example of the processing in step 102 will be described. FIG. 7 is a diagram for explaining the processing of step 102 shown in FIG.

  A malignant site and a suspicious malignant site are extracted from the extracted malignant site, infected terminal, and site access information. As mentioned above, there is a high possibility that other malicious sites are accessed before and after the malicious site is accessed. Therefore, before and after an infected terminal accesses the malicious site, the site accessed by the same terminal is suspected. A malignant site. Here, the time information (n seconds before and after) and the number of sites (n sites before and after) can be considered as the definitions before and after.

  Specifically, all sites that satisfy the following conditions are extracted. Here, Δt is a range before and after the time, and Δi is a range before and after the number of sites. That is, [Formula 2] is a set of before and after definitions using time, and [Formula 3] is a set of suspicious malignant sites extracted from the definitions before and after using the number of sites.

  In FIG. 7, the site B and the site C are sites accessed before and after the site B of the malignant site, and indicate that they are suspected malignant sites.

  Next, a specific example of the process in step 103 will be described. FIG. 8 is a diagram for explaining the processing of step 103 shown in FIG.

  There is a high possibility that other malicious sites are included before and after accessing the malicious site, but non-malignant sites are included by the operation of the user terminal (Web browsing). That is, when all the suspicious malignant sites are malignant sites, there is a problem that a non-malignant site is erroneously determined as a malignant site. Therefore, in this embodiment, a score representing the malignancy is assigned to the suspected malignant site.

  As described above, in this embodiment, the property of accessing other malignant sites is used before and after the access to the malignant site, but the non-malignant site also has the same property. That is, there is a high possibility that the sites accessed before and after the non-malignant site are non-malignant sites. This is because, in general, terminals infected with malware are much fewer than terminals not infected, and most users access only non-malignant sites.

  It is reported, for example, in the Microsoft Security Intelligence Report (http://www.microsoft.com/security/sir/default.aspx) that the number of devices infected with malware is much less than the number of devices not infected. Yes.

  Therefore, as the score indicating the malignancy, the score is increased if there are many malignant sites in the sites accessed before and after accessing the suspected malignant site, and the score is decreased if there are many non-malignant sites. Further, when there is a malignant site in the sites accessed before and after the suspected malignant site, the increase in the score is increased when the distance between the two sites is close, and the increase in the score is decreased when the site is far away. This is because the relationship between the two sites is considered to be lower as the distance increases.

  Here, as the distance between two different sites, the absolute value of the difference of t, the absolute value of the difference of i, and the like can be considered, but other mathematically definable distances may be used. The difference in t corresponds to the access interval corresponding to the difference in access time between the suspicious malignant site and the malignant site, and the difference in i is the access interval corresponding to the number of accesses accessed between these two sites. It corresponds to. The shorter the access interval, the larger the score increase, and the longer the access interval, the smaller the score increase.

  Specifically, the score score (s) of the site s is defined as follows. When [Expression 4] defines the distance by the access time t, [Expression 5] defines the distance by the i-th access.

FIG. 8 shows the score of the site C according to [Formula 4]. score _black indicates a score corresponding to the number of malignant sites, and score _white indicates a score corresponding to the number of non-malignant sites. score indicates the final score. The score calculation is not limited to one of [Formula 4] and [Formula 5], and a combination of these formulas may be used.

  In the malignant site detection apparatus according to the present embodiment, it is possible to detect a malignant list not listed in a known malignant site list by analyzing user access information in consideration of the access order of the user, and detection accuracy Will improve. As a result, the accuracy and completeness of the malignant site list can be improved.

  Note that a program describing a procedure for executing the malignant site detection method of the present invention may be installed in a computer, and the computer may execute the malignant site detection method of the present invention.

DESCRIPTION OF SYMBOLS 10 Malignant site detection apparatus 12 Site access information collection part 13 Score calculation part 14 Malignant list update part 15 Memory | storage part 16 Access control part

Claims (6)

A storage unit for storing site access information that is a history of access to a website on the network by an information terminal, and a known malignant site list that is a list on which known malignant sites are posted;
Site access information collected by extracting from the site access information stored in the storage unit a site accessed by the information terminal within a predetermined time before and after accessing the known malicious site, and using the extracted site as a suspected malicious site And
A score calculation unit that gives a score representing malignancy to the suspected malignant site extracted by the site access information collection unit;
A malignant list update unit that determines a suspected malignant site whose score assigned by the score calculation unit exceeds a preset threshold value as an unknown malignant site, and adds the unknown malignant site to the known malignant site list;
A malignant site detection apparatus having The malignant site detection apparatus according to claim 1,
The score calculation unit
A score of a predetermined value is given to the suspected malignant site extracted by the site access information collecting unit, and access to a non-malignant site that is a site that is not listed in the known malignant site list is performed within the predetermined time. In some cases, the malignant site detection apparatus reduces the score as compared to a case where the non-malignant site is not accessed. The malignant site detection apparatus according to claim 2,
The score calculation unit
Regarding the score of the suspected malignant site, the increase in the score increases as the number of the known malignant sites accessed within the predetermined time increases, and the number of the non-malignant sites accessed within the predetermined time increases. A malignant site detection apparatus that reduces the increase in the score as much as possible. The malignant site detection apparatus according to claim 2 or 3,
The score calculation unit
For the two sites of the suspected malicious site and the known malicious site accessed within the predetermined time, the difference in access time between the two sites, or another access between the two sites accessed A malignant site detection apparatus that, when a value corresponding to the number of accesses to a site is defined as an access interval, increases the score as the access interval is shorter, and decreases the score as the access interval is longer. A malignant site detection method using a malignant site detection apparatus,
The storage unit of malignant site detecting apparatus, information terminal stores the known malignant site list is a list site access information is a history of accessing the Web site on a network, and a known malignant sites have been published,
The site access information collection unit of the malignant site detection apparatus extracts sites accessed within a predetermined time before and after the information terminal accesses the known malignant site from the site access information stored in the storage unit , the extracted site and malignant site doubt,
The score calculation unit malignant site detecting apparatus, a score representing the grade given to the pseudo-malignant sites the site access information collection unit is extracted,
Malignant list updating section of the malignant site detecting apparatus, the score score calculation unit has given it is determined malignant site suspected exceeds a preset threshold and unknown malignant sites, said the unknown malignant sites known malignant site to add to the list,
Malignant site detection method. On the computer,
A procedure for collecting site access information, which is a history of information terminals accessing websites on the network, and a list of known malignant sites, which is a list of known malignant sites;
From the collected site access information, a site accessed within a predetermined time before and after the information terminal accessed the known malignant site is extracted, a suspected malignant site extraction procedure in which the extracted site is a suspected malignant site;
A score granting procedure for giving a score representing malignancy to the suspected malignant site extracted in the suspected malignant site extraction procedure;
A determination procedure for determining a suspicious malignant site whose score assigned in the score assigning procedure exceeds a preset threshold as an unknown malignant site,
A program for executing a procedure of adding the unknown malignant site determined by the determination procedure to the known malignant site list.