JP5713445B2 - Communication monitoring system and method, communication monitoring device, virtual host device, and communication monitoring program - Google Patents

Description

  The present invention relates to a communication monitoring system and method, a communication monitoring device, a virtual host device, and a communication monitoring program, and in particular, pattern learning of a combination of an attack by a malicious attacker and a response of an attacked side, Monitoring system and method, communication monitoring apparatus, and virtual host for automatically generating a pseudo response to an attacker as if the attack was successful against an unknown attack from a certain attacker The present invention relates to an apparatus and a communication monitoring program.

  With the rapid spread of the Internet, damage caused by malware (malicious software) called worms and botnets has become serious. When malware infects a computer, it may cause system destruction or personal information leakage, and spread to other hosts. In order to prevent such damage, a technique for detecting the malware itself and communications transmitted and received by the malware is required.

  Malware attempts to penetrate the system by exploiting the vulnerabilities of the communication services implemented in the system. Focusing on this point, in order to efficiently observe the malware type, behavior, and communication, a system with a vulnerability is installed on the network, and the system is intentionally infected with malware (honey) Pots) are widely used and put into practical use (for example, see Non-Patent Document 1).

  There are two types of honeypots depending on the mounting method. One is a high-interaction honeypot that operates a service having a vulnerability used in an actual OS or the like, and the other is a low-interaction honeypot that operates a service that emulates a vulnerability.

Lance Spitzner, "Honeypots tracking hackers," Addison Wesley. ISBN 0321108957. http://www.tracking-hackers.com/

  The high-interaction honeypot in the above-mentioned conventional technology can obtain detailed information about malware, but it is necessary to consider a mechanism for returning the system to the pre-infection state each time an infection occurs and to prevent unintended behavior of malware. . The low-interaction honeypot allows the observer to grasp all communications related to the infection, so that the observation can be performed safely. On the other hand, since it is necessary to input all attack patterns to the system in advance, there is a problem that it is not possible to cope with new or unknown attacks.

  The present invention has been made in view of the above points. By inheriting the merits of the low-interaction honeypot, the pseudo-response packet is returned to an unknown attack pattern as in the high-interaction type. An object of the present invention is to provide a communication monitoring method, apparatus, and program capable of continuing communication and extracting information on more attackers and attack techniques.

In order to solve the above-described problem, the present invention is for generating a pseudo-response to an attacker as if the attack was successful against an unknown attack from a malicious attacker. A communication monitoring system,
An attack host device of a malicious attacker,
An attacked host device that receives an attack from the attacking host device;
A virtual host device that is a pseudo host device that can estimate that the received packet is malicious without performing normal communication;
A communication monitoring device;
The virtual host device and the shared communication monitoring device, attack attack pattern DB which attack pattern is stored, the masking rule DB masking rule is stored to detect an attack pattern, malicious attack pattern and responses An attack response pattern DB for storing patterns;
Have
The communication monitoring device includes:
When a packet is received from the attacking host device and the attacked host device , the payload and header information are extracted from the packet, and it is determined whether or not the pattern of the payload matches the attack pattern of the attack response pattern DB. In this case, it is determined whether they are similar. If they are similar, masking is performed by obtaining a masking rule from the masking rule DB and applying the masking rule to the pattern of the payload. when matching the attack pattern has an attack response pattern generating means responses received from the with the masking pattern to be attacking host device to add register to the attack response pattern DB,
The virtual host device is
When a packet is received from the attack host device, the payload is extracted from the packet, masking is performed by applying the masking rule of the masking rule DB, and it is determined whether the masked pattern is registered in the attack pattern DB Pattern determination means;
In the pattern determination means, if the pattern after masking is not registered in the attack pattern DB, the pattern after masking is registered in the attack pattern DB, and if registered, the session of the packet is registered. Response generating means for generating a pseudo response packet from the information, the masking rule, the masked pattern, and the response pattern acquired from the attack response pattern DB.

  In the virtual host device, the difference between the payload of the received packet and the payload of the packet received immediately before is obtained, and the difference is smaller than a predetermined value. Is included in a past packet in the same flow, further includes a masking rule generating means for generating a mask pattern using the difference as a variable parameter and registering the mask pattern in the mask pattern DB.

  As described above, according to the present invention, communication is continued by returning a pseudo response packet to an unknown attack pattern as in the high interaction type while inheriting the merit of the low interaction type honeypot. Therefore, it is possible to extract information on more attackers and attack methods.

1 is a system configuration diagram according to an embodiment of the present invention. It is a block diagram of the virtual host in one embodiment of this invention. It is a flowchart of operation | movement until the attack response pattern production | generation in one embodiment of this invention. It is a flowchart of the masking rule production | generation process in one embodiment of this invention. It is a flowchart of the pseudo response transmission / reception by the virtual host in one embodiment of this invention.

  Embodiments of the present invention will be described below with reference to the drawings.

  The present invention proposes a system in which a low interactive honeypot can respond to an unknown attack.

  The system shown in the present invention analyzes a network through which communication of general users flows, and extracts and learns an attack pattern of malware. Based on the learned attack pattern, this system returns a pseudo-response that makes it appear as if an attack has been established in response to a communication request from malware.

  FIG. 1 shows a system configuration according to an embodiment of the present invention.

The system shown in FIG. 1 includes a communication monitoring device 100, a virtual host device (hereinafter simply referred to as “virtual host”) 200, a masking rule DB 310, an attack pattern DB 320, an attack response pattern DB 330, and a plurality of host devices A and B ( hereinafter referred to as “host”). Simply referred to as “attack host”), host device C (attacked host), and data transfer device 400 such as a router.

  The masking rule DB 310 stores masking rules for detecting attack patterns.

  The attack pattern DB 320 stores the attack pattern and is compared with the communication pattern after masking.

  The attack response pattern DB 330 records and holds a malicious attack pattern such as malware and its response pattern. The attack response pattern is composed of session information that constitutes an attack (information about what type of communication occurs at which packet in the session) and a data portion (payload / response pattern).

  The main components in the system shown in FIG. 2 are the communication monitoring device 100 and the virtual host 200.

(1) Communication monitoring device:
First, the communication monitoring apparatus 100 will be described.

  The communication monitoring device 100 is installed as an independent device at an arbitrary position such as an external connection point in the network. The communication monitoring apparatus 100 includes a session management unit 110, an attack determination unit 120, and a communication pattern analysis unit 130, and extracts and learns malware attack patterns.

  The communication monitoring apparatus 100 can transfer all communications arriving from the outside to the communication pattern analysis unit 130. However, by transferring only some communication patterns to the communication pattern analysis unit 130, the load on the communication pattern analysis unit 130 is increased. Can also be reduced. Hereinafter, the latter method will be described.

  The session management unit 110 in the communication monitoring apparatus 100 manages arriving packets in units of sessions, and records information such as which session the corresponding packet belongs to and what number of packet is recorded in a memory (not shown). to manage. Here, the session refers to a series of data sets from the start to the end of communication. Each packet includes a payload that is a byte string of the main service included in the attack communication.

  When the communication monitoring apparatus 100 receives a packet, the session management unit 110 first confirms which session the packet is, and then confirms what packet communication is in the session. The value is stored as X (X = 1, 2, 3,...) In a memory (not shown).

  Next, the attack determination unit 120 deletes the dynamically changing part based on the packet number information (X) in the session acquired by the session management unit 110, and performs masking to extract only necessary information. With reference to the masking rule DB 310 storing the rules, a set Ω of masking rules corresponding to the information X is obtained. The masking rule will be described later. Further, the rules included in the acquired masking rule set Ω are applied to the payload of the packet. Reference is made to whether or not the result of applying each masking rule to the payload of the packet exists in the attack pattern DB 320, and if it exists, it is transferred to the communication pattern analysis unit 130 including the response to the packet thereafter. If there are multiple matches, use the first one or randomly selected results.

  Further, the communication monitoring apparatus 100 scans the attack pattern DB 320 every time a predetermined period arrives, and if the difference between the current time and the last update date / time of the entered communication pattern is larger than a certain value, the communication monitoring apparatus 100 Is deleted from the attack pattern DB 320.

  The communication pattern analysis unit 130 manages the attack response pattern DB 330 based on the information transmitted through the attack determination unit 120.

(2) Virtual host:
Next, the virtual host 200 will be described.

  The virtual host 200 behaves as a normal host that is vulnerable to the attacker. In other words, it acts as a pseudo host. The virtual host 200 has a communication function and is assigned an address (IP address or the like) necessary for communication. Multiple addresses can be assigned. Further, since the virtual host does not perform normal communication, it can be regarded as malicious communication with high probability when receiving communication from the outside.

  FIG. 2 shows the configuration of the virtual host in one embodiment of the present invention.

The virtual host 200 shown in the figure includes a communication receiving unit 210, a session management unit 220, a session DB 230, a pattern determination unit 240, a response generation unit 250, and a communication device unit 260. The pattern determination unit 240 includes an attack pattern DB 320. The masking rule DB 310 and the attack response pattern DB 330 are connected, and the response generation unit 250 is connected to the attack response pattern DB 330.

  The virtual host 200 receives communication from the outside by the communication receiving unit 210. The received communication data is sent to the session management unit 220, and the communication state for each session is managed by the session DB 230. Further, the communication data is sent to the pattern determination unit 240. The pattern determination unit 240 applies a masking rule (described later) registered in the masking rule DB 310 (described later) to the received communication data, and refers to the attack pattern DB 320 based on the obtained masked communication pattern. When the communication pattern after masking is not registered in the attack pattern DB 320, the communication pattern after masking is registered in the attack pattern DB 320 and the last update date is updated.

  If registered in the attack pattern DB 320, the session information, the masking rule, and the communication pattern after masking are transmitted to the response generation unit 250. The response generation unit 250 queries the attack response pattern DB 330 for the communication pattern and obtains a response pattern. Next, the response generation unit 250 generates a response communication using the response pattern, the masking rule, and session information corresponding to the communication pattern. A method for generating response communication will be described later. The generated response communication is transmitted as a response to the transmission source host through the communication transmission unit 260.

(3) Masking method:
Next, a masking method by the virtual host 200 will be described.

  The masking method is a means that enables the search to the attack response pattern DB 300 and the generation of a response packet even when the payload includes variable parameters unique to the session. Assume that the following payload sequence is observed.

X1: aaaabbbbxxxxdddd
X2: aaaabbbbyyyyydddd
If the payload of the previous packet that triggered the transmission of the packet containing the data strings X1 and X2 is the same and the difference between X1 and X2 is very small, X1 and X2 are almost the same content , It can be estimated that some include variable parameters.

  In the above example, xxxx of X1 and yyyyy of X2 can be extracted by an existing character string difference extraction algorithm or the like. Assuming that the extracted difference is a variable parameter in the payload, it can be abstracted by applying a mask to the variable parameter.

  The masking rules are expressed as follows using the regular expression format.

Xabs: aaaabbbb (. +) Dddd
The above is the communication pattern after masking. Where unknown binary string: X3
X3: aaaabbbbzzzzzzdddd
When X3 is masked, X3 is masked with a pattern of Xabs, and if the result matches Xabs, X3 is regarded as a packet of the same type as X1 and X2, but with different parameters.

  Masking rules for detecting attack patterns are managed by the masking rule DB 310.

In the following, a method for configuring a masking rule will be described. The packet received by the virtual host 200 does not have normal communication, and therefore may basically be an attack, and is a masking rule generation target. The virtual host 200 limits the masking rule to be referred to for the packet based on the received packet number in the session and the pattern determined before the packet in the attack response pattern DB 330. . For example,
A->B->C-> X
A->B->C-> Y
A->B->C-> Z
If 3 patterns of flow including variable parameters are observed in the 4th packet, the masking rule to be applied to each of X, Y, and Z is the mask when the pattern (A->B-> C) continues And so on. There may be a plurality of such masks.

  The masking rule set obtained in this way is applied to the payload of the packet, the edit distance between the result and the corresponding attack communication pattern registered in the attack pattern DB 320 is calculated, and the edit distance is a predetermined threshold value. If it is smaller, the corresponding mask is registered in the masking rule DB 310. Here, it is assumed that some existing attack patterns are registered in the attack pattern DB 320 in advance, or attack patterns determined to be frequent after being monitored for a while.

(4) Response packet generation method:
Next, a method for generating a response packet including variable parameters in the response generation unit 250 of the virtual host 200 will be described.

  The variable parameter included in the payload may not be unique for each session or host, and may not be uniquely obtained from an attack pattern learned in advance. In that case, it is necessary to estimate the variable parameter from the session established by the virtual host 200.

  The following cases mainly exist for variable parameters.

1) Unique values for each host (IP address, port number, server name, share name (for SMB protocol), etc.):
2) Unique values for each session (process number, session identifier (ID), etc.):
3) Values generated by one-way functions such as Challenge and Response and hash:
The IP address and port number of Case 1) can be inferred from the IP address and port number included in the header below the TCP / UDP layer of the host. In addition, since a user can arbitrarily specify a server name, a shared name, etc., an appropriate value is generated on the virtual host 200 side, and communication can be established as long as the same value is used in the same session. .

For the unique value for each session in Case 2), a variable parameter is extracted by applying a masking pattern (Xabs) to the packet (X) received from the malware. A response packet (Y) can be generated by embedding a variable parameter in the response packet pattern (Yabs).

a) X: aaabbbcccddd
b) Xabs: aaabbb (. +) ddd
c) Variable parameter: ccc
d) Yabs: oooppp (. +) rrr
e) Y: ooopppcccrrr
In case 3), since the one-way function depends on the protocol specification, the variable parameter value cannot be estimated by the system method. Packets having the property of case 3) are not covered by the present invention.

  Below, the method in said system structure is demonstrated.

  Further, in the following example, an example of an implementation form targeting a TCP / IP network is shown, but the scope of application of the present invention is not limited to this.

  In the system shown in FIG. 1, the communication monitoring apparatus 100 may be mounted inside the network transfer apparatus 400 such as a router, or may be mounted in a form connected to the network in an external form. A plurality of IP addresses to be monitored are assigned to the virtual host 200 and installed in a place where a response to an attack from the attack source host can be returned. The communication monitoring apparatus 100 and the virtual host 200 share the masking rule DB 310, the attack pattern DB 320, and the attack response pattern DB 330, respectively.

  First, the operation of the communication monitoring apparatus 100 until it finally generates an attack response pattern after receiving a communication packet will be described.

  FIG. 3 is a flowchart up to the generation of an attack response pattern according to the embodiment of the present invention. In the following processing, it is assumed that the masking rule DB 310 has already been constructed in the virtual host 200.

  Step 101) The session management unit 110 of the communication monitoring apparatus 100 receives a packet from the network.

  Step 102) The session management unit 110 stores a session DB (FIG. 10) that holds in the session management unit 110 what session the received packet is or what packet (packet number). The packet information is stored in a memory (not shown).

  Step 103) The session management unit 110 extracts header information and payload from the received packet.

Step 104) The attack determination unit 120 refers to the attack response pattern DB 3 30 based on the payload of the packet. If there is a match, the attack determination unit 120 returns to Step 101. If they do not match, the process proceeds to step 105.

Step 105) attacks judging unit 120, if there is similar to the payload of a packet attack response pattern DB330, the process proceeds to step 106, if not, the process proceeds to step 10 1. Here, “similar to payload” refers to the one in which the edit distance between the attack communication pattern of the attack response pattern DB 330 and the payload of the packet is smaller than a predetermined value.

  Step 106) Based on the packet payload in the session acquired in step 102, the attack determination unit 120 refers to the masking rule DB 310, acquires and applies the corresponding masking rule, performs masking, and sets the masked pattern. Store in a memory (not shown).

Step 107) to determine pattern after masking matches the attack pattern of the attack pattern DB 320, if they match, the process proceeds to step 109, if they do not match the process moves to step 10 1.

In Step 109) Step 107, if the pattern after masking does not match the known attack patterns proceeds to step 101, the pattern and the payload and after masking the attack response pattern DB330 in the case of matching, constitute an attack Add session information as an attack response pattern .

  Next, a masking rule generation method in the virtual host 200 will be described.

  FIG. 4 is a flowchart of masking rule generation processing according to an embodiment of the present invention.

  Step 201) The pattern determination unit 240 of the virtual host 200 extracts the communication pattern of the session from the attack pattern DB 320.

Step 202) The pattern determination unit 240 calculates a difference between the n + 1th packets when the nth packets constituting the flow stored in the attack pattern DB 320 are the same or have been masked. Here, the difference between the nth packets refers to the edit distance between the payload of the packet n of the attack pattern DB 320 and the payload of the received packet n .

  Step 203) If the calculated difference (edit distance) is small (below a predetermined value), the process proceeds to step 204, and if greater than the predetermined value, the process proceeds to step 210.

  Step 204) When it is determined in Step 203 that the difference is slight, it is determined that “there is a variable length parameter”.

  Step 205) Referring to the attack pattern DB 320, it is determined whether or not the difference value obtained in Step 202 exists in a past packet in the same flow. If it exists, the process proceeds to Step 206. 211.

  Step 206) The pattern determination unit 240 generates a mask pattern based on the difference detection position in the flow.

  Step 207) A parameter (for example, IP address) subordinate to the difference value is searched from the attack pattern DB 320.

  Step 208) The pattern determination unit 240 registers the mask pattern and the dependent parameter in the masking rule DB 310.

  Step 209) The masking rule generation process is terminated.

  Step 210) If the difference amount exceeds the predetermined value in Step 203, the process returns to Step 201 because there is no variable length parameter or learning is impossible.

  Step 211) If the difference value does not exist in the past packet in the same flow in Step 205, it is determined that there is no variable length parameter, learning is impossible, or the sample is insufficient, and the process returns to Step 201.

  Next, the operation at the time of a pseudo response of the virtual host 200 shown in FIG. 2 will be described.

  FIG. 5 is a flowchart of the pseudo response transmission / reception by the virtual host according to the embodiment of the present invention.

  Step 301) The communication receiver 210 of the virtual host 200 receives a packet from another host (attack host), and stores the payload and session information of the packet in the session DB 230.

  Step 302) The session management unit 220 determines whether or not the received packet includes a payload. If the payload is included, the session management unit 220 proceeds to Step 303. If not included, the session management unit 220 returns to Step 301.

Step 303) The pattern determination unit 240 refers to the attack response pattern DB3 30 to determine whether there is a pattern that matches the payload acquired in Step 302. If there is a pattern, the pattern determination unit 240 proceeds to Step 308. The process proceeds to step 304.

Step 304) If there is no matching pattern in the attack response pattern DB 3 30 in step 303, it is determined whether there is a similar pattern. If there is, the process proceeds to step 305. If not, the process proceeds to step 309.

  Step 305) The pattern determination unit 240 refers to the masking rule DB 310 and performs the masking process by the method described above.

  Step 306) After masking, the attack pattern DB 320 is referenced to determine whether there is a matching pattern. If there is a matching pattern, the process proceeds to Step 307, and if not, the process proceeds to Step 310.

  Step 307) The response generation unit 250 performs response packet transmission processing, and returns to Step 301. This process will be described later.

  Step 308) Response packet transmission processing similar to the above is performed, and the processing returns to Step 301.

Step 309) the pattern determination unit 24 0, in step 304, if similar patterns are not present in the attack response pattern DB3 3 0 adds payload as a new attack pattern attack pattern DB 320, the flow returns to step 301.

  Step 310) If there is no pattern that matches the masked pattern in the attack pattern DB 320 in Step 306, the pattern determination unit 240 adds the pattern to the attack pattern DB 320 as a new attack pattern, and returns to Step 301.

  Next, the response packet transmission process in steps 307 and 308 will be described.

  Step 401) The response generation unit 250 of the virtual host 200 acquires a response pattern from the attack response pattern DB 330.

  Step 402) It is determined whether the acquired response pattern has been masked. If the masking process has been completed, the process proceeds to Step 403. If the masking process has not been performed, the process proceeds to Step 405.

  Step 403) When the masking process is performed, the response generation unit 250 extracts the variable length parameter from the payload of the packet stored in the session DB 230.

  Step 404) The variable length parameter is estimated by the method shown in the response packet generation method in (4) above.

  Step 405) A variable length parameter is embedded in the response packet pattern to generate a response packet.

  Step 406) The communication transmitter 260 transmits a response packet to the transmission source of the packet received in Step 301.

  The operation of each component of the communication monitoring device 100 and the virtual host 200 is constructed as a program and installed and executed on a computer used as the communication monitoring device or virtual host, or distributed through a network. It is possible.

  The present invention is not limited to the above-described embodiments, and various modifications and applications can be made within the scope of the claims.

100 Communication Monitoring Device 110 Session Management Unit 120 Attack Determination Unit 130 Communication Pattern Analysis Unit 200 Virtual Host 210 Communication Reception Unit 220 Session Management Unit 230 Session DB
240 pattern determination unit 250 response generation unit 260 communication transmission unit 310 masking rule DB
320 Attack pattern DB
330 Attack Response Pattern DB
400 routers, etc.

Claims (8)

A communication monitoring system for generating a pseudo response to an unknown attack from a malicious attacker as if the attack was successful.
An attack host device of a malicious attacker,
An attacked host device that receives an attack from the attacking host device;
A virtual host device that is a pseudo host device that can estimate that the received packet is malicious without performing normal communication;
A communication monitoring device;
The virtual host device and the shared communication monitoring device, attack attack pattern DB which attack pattern is stored, the masking rule DB masking rule is stored to detect an attack pattern, malicious attack pattern and responses An attack response pattern DB for storing patterns;
Have
The communication monitoring device includes:
When a packet is received from the attacking host device and the attacked host device , the payload and header information are extracted from the packet, and it is determined whether or not the pattern of the payload matches the attack pattern of the attack response pattern DB. In this case, it is determined whether they are similar. If they are similar, masking is performed by obtaining a masking rule from the masking rule DB and applying the masking rule to the pattern of the payload. when matching the attack pattern has an attack response pattern generating means responses received from the with the masking pattern to be attacking host device to add register to the attack response pattern DB,
The virtual host device is
When a packet is received from the attack host device, the payload is extracted from the packet, masking is performed by applying the masking rule of the masking rule DB, and it is determined whether the masked pattern is registered in the attack pattern DB Pattern determination means;
In the pattern determination means, if the pattern after masking is not registered in the attack pattern DB, the pattern after masking is registered in the attack pattern DB, and if registered, the session of the packet is registered. Response generating means for generating a pseudo response packet from the information, the masking rule, the pattern after masking, and the response pattern acquired from the attack response pattern DB;
A communication monitoring system comprising: The virtual host device is
When the difference between the payload of the received packet and the data string of the payload of the packet received immediately before is obtained, the difference is smaller than a predetermined value, and the difference data string exists in a past packet in the same flow 2. The communication monitoring system according to claim 1, further comprising a masking rule generating means for generating a mask pattern using the difference as a variable parameter and registering the mask pattern in the mask pattern DB. A communication monitoring method for generating a pseudo response to an unknown attack from a malicious attacker as if the attack was successful.
An attack host device of a malicious attacker,
An attacked host device that receives an attack from the attacking host device;
A virtual host device that is a pseudo host device that can estimate that the received packet is malicious without performing normal communication;
A communication monitoring device;
The virtual host device and the shared communication monitoring device, attack attack pattern DB which attack pattern is stored, the masking rule DB masking rule is stored to detect an attack pattern, malicious attack pattern and responses An attack response pattern DB for storing patterns;
On a system consisting of
When the communication monitoring device receives a packet from the attacking host device and the attacked host device , it extracts a payload and header information from the packet, and whether the pattern of the payload matches the attack pattern of the attack response pattern DB Determine
If they do not match, determines whether similar, if you like class obtains masking rules from the masking rule DB performs masking by applying the pattern of the payload, the masking pattern, the when matching the attack pattern of the attack pattern DB includes attack response pattern generating step to add register the with the masking pattern responses received from the attacking host device to the attack response pattern DB,
When the virtual host device receives a packet from the attack host device, the payload is extracted from the packet, masking is performed by applying the masking rule of the masking rule DB, and the masked pattern is registered in the attack pattern DB. A pattern determination step for determining whether or not
In the pattern determination step, if the pattern after masking is not registered in the attack pattern DB, the pattern after masking is registered in the attack pattern DB, and if registered, the session of the packet is registered. A response generation step of generating a pseudo response packet from the information, the masking rule, the pattern after masking, and the response pattern acquired from the attack response pattern DB;
The communication monitoring method characterized by performing. In the virtual host device,
When the difference between the payload of the received packet and the data string of the payload of the packet received immediately before is obtained, the difference is smaller than a predetermined value, and the difference data string exists in a past packet in the same flow 4. The communication monitoring method according to claim 3, further comprising a masking rule generating step of generating a mask pattern using the difference as a variable parameter and registering the mask pattern in the mask pattern DB. A communication monitoring device for generating a pseudo-response to an attacker as if the attack was successful against an unknown attack from a malicious attacker,
When a packet is received from the attacking host device and the attacked host device under attack from the attacking host device , the payload and header information are extracted from the packet, and the malicious attack pattern and its response pattern are stored in the payload pattern To determine whether it matches the attack pattern in the attack response pattern DB
If they do not match, determine if they are similar ,
If you like class performs masking by applying the pattern of the payload from the masking rule DB masking rule is stored to detect an attack pattern to obtain the masking rule, the masking pattern, attacks If that matches an attack pattern of the pattern DB is characterized in that it has an attack response pattern generating means and said and said masking pattern responses received from the attack host device to add register to the attack response pattern DB Communication monitoring device. In response to an unknown attack from a malicious attacker, a pseudo-response is generated as if the attack was successful against the attacker, so normal communication is not performed and the received packet is malicious A virtual host device that is a pseudo host device that can be estimated to have
When a packet is received from the attacking host device, the payload is extracted from the packet, masking is performed by applying the masking rule of the masking rule DB in which the masking rule for detecting the attack pattern is stored , and the pattern after masking is Pattern determination means for determining whether the attack pattern DB is registered;
In the pattern determination means, if the pattern after masking is not registered in the attack pattern DB, the pattern after masking is registered in the attack pattern DB, and if registered, the session of the packet is registered. information, the masking rule, a response generation means for generating a pseudo response packet by the response pattern pattern and malicious attack pattern and its response pattern after the masking has been acquired from the stored attack response pattern DB,
When the difference between the payload of the received packet and the data string of the payload of the packet received immediately before is obtained, the difference is smaller than a predetermined value, and the difference data string exists in a past packet in the same flow Masking rule generating means for generating a mask pattern using the difference as a variable parameter and registering the mask pattern in the mask pattern DB;
A virtual host device comprising: Computer
The communication monitoring program for functioning as each means of the communication monitoring apparatus of Claim 5. Computer
A communication monitoring program for functioning as each unit of the virtual host device according to claim 6.

Images