JP5752020B2 - Attack countermeasure device, attack countermeasure method, and attack countermeasure program - Google Patents

Description

  The present invention relates to an attack countermeasure device, an attack countermeasure method, and an attack countermeasure program that support a countermeasure performed by an administrator of a network when an attack on a host belonging to a predetermined network is detected.

  Conventionally, there are services that deal with DoS (Denial of Service attack) attacks (see, for example, Non-Patent Documents 1 to 4). These services are communications that are judged as normal by removing communications judged to be abnormal from communications addressed to the attack target host when a DoS attack is detected on a network that is centrally managed by an Internet service provider. This is a mechanism to deliver only to the attack target host. It should be noted that these services are arbitrarily contracted with an Internet service provider by an administrator of a host that can be an attack target.

  In the backbone network, network operators monitor traffic to maintain their facilities. However, for example, an Internet service provider that manages a large amount of traffic of several hundred Gbps, for example, has a high operation cost, and thus the above-described service mechanism is often not used. In this case, when a DoS attack occurs, a method for causing the black hole router or the like to bypass the attack packet is adopted.

DoS (DDoS) attack countermeasure service, [November 14, 2011], Internet <http: // www. sectrust. net / service / datacenter / service / managed_dos. html> Traffic anomaly detection and mitigation (DDoS attack countermeasure) solution, [November 14, 2011], Internet <http: // www. cisco. com / web / JP / product / hs / security / ddos. html> IIJ DDoS Countermeasure Service, [November 14, 2011], Internet <http: // www. ii. ad. jp / service / system / IIJ-SD. html> OCN DDoS attack countermeasure service, [November 14, 2011], Internet <http: // www. ocn. ne. jp / business / security / ddos />

  However, for example, in the case of a method of bypassing attack packets, normal packets are also greatly affected. In order to sort out these normal packets, it is necessary to analyze the attack, so that it takes time to deal with it. Further, since the urgency for protecting the communication device varies depending on the link capacity or the number of allowable packets of the router, it is not appropriate to perform a uniform countermeasure against the attack.

  It is an object of the present invention to provide an attack countermeasure device, an attack countermeasure method, and an attack countermeasure program that can acquire information for an administrator to more appropriately take action when an attack is detected.

  The present invention provides the following solutions.

  (1) When an attack on a host belonging to a predetermined network is detected, the attack countermeasure device assists a countermeasure performed by an administrator of the network, and includes at least one network including the predetermined network. For each host to which it belongs, a configuration storage unit that stores a predetermined type of configuration feature amount indicating the scale of a communication path to the host, and communication data related to the attack are acquired, and the characteristics of the communication are indicated from the data When a new attack is detected, a communication extraction unit that extracts a predetermined type of communication feature amount, a class classification unit that classifies a combination of the configuration feature amount and the communication feature amount related to a plurality of past attack cases, and a new attack A class determination unit for determining which class the new attack is classified by the class classification unit; and The class determined by the Department, attack countermeasure device; and a notification unit for notifying together with the communication path of the new attack.

According to such a configuration, the attack countermeasure device classifies the combination of the configuration feature amount and the communication feature amount related to the past attack case to determine which class the feature amount of the new attack corresponds to. To do. Therefore, the attack countermeasure device can provide information for the administrator to more appropriately take action when an attack is detected.
At this time, the number of combinations of feature amounts can be enormous, but the number of classes generated from actual attack cases is greatly reduced. Therefore, since the attack countermeasure device can easily identify similar classes, the processing efficiency is reduced and the administrator can appropriately cope with the attack.

  (2) The attack according to (1), wherein the configuration storage unit includes at least one of a link capacity for an edge router connected to each host or the number of accommodated hosts of the edge router as the configuration feature amount. Countermeasure device.

  According to such a configuration, the attack countermeasure device uses at least one of the link capacity for the edge router connected to each host and the number of hosts accommodated by the edge router as the configuration feature amount. Therefore, since the urgency level corresponding to the size of the edge router is represented in the configuration feature quantity, the administrator can take appropriate measures.

  (3) The communication extraction unit, as the communication feature amount, includes the number of transmission source hosts, the protocol type, the ratio of a predetermined TCP flag, the number of packets per predetermined time, the number of bytes, or the number of flows as the communication related to the attack The attack countermeasure device according to (1) or (2), including at least one of them.

  According to such a configuration, the attack countermeasure device has, as the communication feature amount, the number of transmission source hosts of the communication related to the attack, the protocol type, the ratio of the predetermined TCP flag, the number of packets per predetermined time, the number of bytes, or At least one of the numbers of flows is used. Therefore, since the type and scale of the attack are represented in the communication feature amount, the administrator can take appropriate measures.

  (4) For each class classified by the class classification unit, a handling information storage unit that preliminarily stores data relating to a handling method corresponding to any one or combination of the configuration feature amount or the communication feature amount, the class By comparing the combination of the configuration feature amount and the communication feature amount included in the information with the configuration feature amount or the communication feature amount or the combination stored in the handling information storage unit, An attack countermeasure device according to any one of (1) to (3), further comprising: a class definition unit that associates any of the data relating to the countermeasure method and defines the class.

  According to such a configuration, the attack countermeasure device can provide data related to a countermeasure method against an attack belonging to each class by collating with the countermeasure information storage unit. Therefore, the administrator can more appropriately cope with the attack.

  (5) The attack countermeasure device according to (4), wherein the data relating to the countermeasure method is data indicating a malignancy level, a scale, or an emergency level of the attack.

  According to such a configuration, the data relating to the countermeasure method is data indicating the malignancy level, scale, or urgency level of the attack, so that the administrator can take appropriate measures in a timely manner.

  (6) The attack countermeasure device according to (4) or (5), further including a countermeasure execution unit that executes a predetermined process set in advance based on data relating to the countermeasure method linked by the class definition unit .

  According to such a configuration, the attack countermeasure device can automatically execute a predetermined process that is set in advance based on data relating to a countermeasure that is stored in association with a class. Can be reduced, and the accuracy of countermeasures can be improved.

  (7) An attack countermeasure method in which a computer supports a countermeasure performed by an administrator of a network when an attack on a host belonging to the predetermined network is detected, wherein the computer includes at least the predetermined network For each host belonging to one or a plurality of networks, a configuration storage unit that stores a predetermined type of configuration feature amount indicating the scale of a communication path to the host is obtained, and communication data related to the attack is acquired, and from the data A communication extraction step for extracting a predetermined type of communication feature amount indicating the feature of the communication, a class classification step for classifying a combination of the configuration feature amount and the communication feature amount according to a plurality of past attack cases, and a new If a new attack is detected, any of the new attacks classified in the classification step And class determination step of determining whether corresponding to the class, the class that is determined in the class determination step, attack countermeasure method comprising a notification step, the notifying together with the communication path of the new attack.

  According to such a configuration, the same effect as in (1) can be expected when the attack countermeasure method is executed by the computer.

  (8) An attack countermeasure program for causing a computer to support a countermeasure performed by an administrator of the network when an attack on a host belonging to the predetermined network is detected, the computer including at least the predetermined network Each of the hosts belonging to one or a plurality of networks including a configuration storage unit that stores a predetermined type of configuration feature amount indicating the scale of a communication path to the host, and obtains communication data related to the attack, A communication extraction step for extracting a predetermined type of communication feature amount indicating the feature of the communication from data, and a class classification step for classifying the combination of the configuration feature amount and the communication feature amount according to a plurality of past attack cases; When a new attack is detected, the new attack is classified in the classification step. For causing the computer to execute a class determination step for determining which class is determined, and a notification step for notifying the class determined in the class determination step together with the communication path of the new attack Anti-attack program.

  According to such a configuration, the same effect as in (1) can be expected by causing the computer to execute the attack countermeasure program.

  ADVANTAGE OF THE INVENTION According to this invention, the information for an administrator to perform the countermeasure at the time of detecting an attack more appropriately can be provided.

It is a figure which shows the function structure of the attack countermeasure apparatus which concerns on embodiment. It is a figure which shows the communication path | route which leads to the attack target host in the monitoring target network which concerns on embodiment. It is a flowchart which shows the process which produces | generates class definition DB which concerns on embodiment. It is a flowchart which shows a process when the attack to the monitoring object network which concerns on embodiment is detected.

Hereinafter, an example of an embodiment of the present invention will be described.
The attack countermeasure device 1 according to the present embodiment is a server device that supports a countermeasure performed by an administrator of a network when an attack on a host belonging to a predetermined network such as an Internet service provider is detected. The attack countermeasure device 1 can communicate with various routers including at least a core router in the network, acquires communication data such as network flow data or packet capture data from the router, and sets a communication path for attack countermeasures. You can control and instruct the execution of the filtering function.

FIG. 1 is a diagram illustrating a functional configuration of an attack countermeasure device 1 according to the present embodiment.
The attack countermeasure device 1 includes a control unit 10, a storage unit 20, a communication unit 30, an input unit 40, and a display unit 50.

  The control unit 10 is a part that controls the attack countermeasure device 1 as a whole. By appropriately reading and executing various programs stored in the storage unit 20, the control unit 10 cooperates with the above-described hardware, and performs various types in the present embodiment. The function is realized. The control unit 10 may be a CPU (Central Processing Unit). In addition, the function of each part with which the control part 10 is provided is mentioned later.

  The storage unit 20 stores various programs for causing the hardware group to function as the attack countermeasure device 1, programs for causing the control unit 10 to execute various functions of the present embodiment, various data, and the like. Various data included in the storage unit 20 will be described later.

  The communication unit 30 is a network adapter when the attack countermeasure device 1 transmits / receives information to / from other devices, accesses a core router in the network, and acquires communication data such as network flow data or packet capture data. Provided to the control unit 10. In addition, the communication unit 30 transmits a control signal to the router according to an instruction from the control unit 10.

  The input unit 40 is an interface device that receives an instruction input from the user to the attack countermeasure device 1. The input unit 40 is configured by, for example, a key operation unit or a touch panel.

  The display unit 50 displays a screen for accepting data input to the user, or displays a screen for processing results obtained by the attack countermeasure device 1. The user confirms that the attack has been detected and information on the countermeasure against the screen displayed on the display unit 50. The display unit 50 may be a liquid crystal display or an organic EL display.

  The control unit 10 includes a configuration collection unit 11, a case collection unit 12, a communication extraction unit 13, an attack detection unit 14, a class classification unit 15, a class definition unit 16, a class determination unit 17, and a notification. A unit 18 and a countermeasure execution unit 19 are provided. The storage unit 20 includes a network configuration DB 21 (configuration storage unit), a class definition DB 22, and a handling information DB 23 (handling information storage unit).

The configuration collection unit 11 acquires, for each host belonging to a predetermined network to be monitored and a network for collecting attack cases, a predetermined type of configuration feature amount indicating the size of a communication path to the host, Store in the network configuration DB 21.
Specifically, the configuration collection unit 11 uses a command such as “pchar” or “pathchar” as one of the configuration feature amounts to calculate the link capacity of the immediately preceding line for the edge router connected to each host. get. Also, the configuration collection unit 11 acquires the number of accommodated hosts of the edge router by grasping the topology using one of the “traceroute” commands as one of the configuration feature amounts.

FIG. 2 is a diagram illustrating a communication path to the attack target host in the monitoring target network according to the present embodiment.
A data packet destined for the attack target host reaches an edge router adjacent to the host via a router under the core router. At this time, the link capacity with respect to the edge router or the number of hosts accommodated by the edge router represents the amount of communication that can be indirectly processed by the edge router, that is, the scale.

  The case collection unit 12 communicates network flow data (for example, NetFlow or sFlow) or packet capture data of communication related to an attack case from a core router in a predetermined network to be monitored or a network for collecting attack cases. Get the data.

The communication extraction unit 13 extracts a predetermined type of communication feature amount indicating the communication feature from the communication data acquired by the case collection unit 12.
Specifically, the communication extraction unit 13 includes, as communication feature quantities, the number of transmission source hosts, the protocol type, the ratio of a predetermined TCP flag, the number of packets per predetermined time, the number of bytes, and the number of flows. To get.

  The attack detection unit 14 monitors traffic in a predetermined network to be monitored and detects that a DoS attack has occurred.

  The class classification unit 15 classifies feature vectors formed by combinations of configuration feature amounts and communication feature amounts related to a plurality of past attack cases, and stores each feature vector and classification information in the class definition DB 22. As a classification method, an existing clustering technique can be used.

Here, an example of the feature vector is shown below.
The feature vector x = (x ₁ , x ₂ , x ₃ , x ₄ , x ₅ , x ₆ , x ₇ , x ₈ ) is composed of ₈ elements x _{1 to} x 8 that can take binary values of 0 or 1. .

x ₁ : Number of transmission source hosts.
It is 1 when the number of transmission source hosts is a predetermined number or more, and 0 otherwise.
x ₂ : Protocol type.
It is 1 when the protocol is TCP or UDP, and 0 otherwise.
x ₃ : ratio of TCP flag.
It is 1 when the number of packets having the SYN flag out of the TCP flags exceeds a predetermined ratio, and 0 otherwise.
x ₄ : number of packets.
It is 1 when the average number of packets per unit time exceeds a predetermined value, and 0 otherwise.
x ₅ : number of bytes.
It is 1 when the average number of bytes per unit time exceeds a predetermined value, and 0 otherwise.
x ₆ : number of flows.
1 if the average number of flows per unit time exceeds a predetermined value, 0 otherwise.
x ₇ : Link capacity around the immediately preceding edge router.
1 when the link capacity is equal to or less than the predetermined value [bps], and 0 otherwise.
x ₈ : The size of the immediately preceding edge router.
1 when the size of the edge router (the number of accommodated hosts) is less than or equal to a predetermined value, and 0 otherwise.

  For each class classified by the class classification unit 15, the class definition unit 16 compares the feature vector of the class with the elements stored in the handling information DB 23, thereby obtaining data related to the handling method for the class. The class is defined by linking one of these.

Here, the countermeasure information DB 23 stores in advance data related to a countermeasure method that indicates the malignancy level, scale, or urgency level of countermeasures corresponding to any one or combination of configuration feature quantities and communication feature quantities.
For example, when the above-described feature vector elements x ₁ = 1 (distributed DoS attack), x ₄ = 1 (the number of packets is large), and x ₇ = 1 (the link capacity is small), the malignancy, scale, and urgency are In any case, data relating to a countermeasure is stored as a high attack.

Specifically, for example, an attack that belongs to a class having x ₁ = 1, x ₄ = 1, and x ₇ = 1 as common terms is highly urgent, so it is necessary to reduce the attack immediately. However, since there are many attacking hosts, even if the traffic of a specific attack source is blocked, the attack cannot be stopped. Therefore, the network equipment is maintained by a countermeasure such as diverting traffic to the black hole router.
Further, for example, an attack belonging to a class whose common terms are x ₁ = 1, x ₄ = 1, x ₇ = 0 (large link capacity) is unlikely to immediately strain the network, and therefore, a predetermined filtering rule Applying (such as eliminating a predetermined protocol such as ICMP or eliminating a SYNFlod attacker) reduces the attack.

  When a new attack is detected, the class determination unit 17 generates a feature vector composed of a combination of the configuration feature amount and the communication feature amount related to the new attack, and the feature vector is classified by the class classification unit 15. Which class is applicable.

  The notification unit 18 displays the class determined by the class determination unit 17 on the display unit 50 together with the communication path of the new attack detected by the attack detection unit 14 to notify the class.

  The coping execution unit 19 executes a predetermined process set in advance based on the data relating to the coping method linked by the class definition unit 16. At this time, the countermeasure execution unit 19 may inquire of the administrator whether or not the execution is possible via the display unit 50 and may receive an instruction input via the input unit 40.

  FIG. 3 is a flowchart showing processing for generating the class definition DB 22 according to the present embodiment.

  In step S <b> 1, the configuration collection unit 11 collects configuration feature amounts as information about the configuration of the monitoring target network and the network that is the collection target of the attack case, and stores the configuration feature amount in the network configuration DB 21.

  In step S2, the case collection unit 12 collects communication data related to the attack case, such as network flow data or packet capture data of the attack case, from the network that is the target of the attack case collection.

  In step S3, the communication extraction unit 13 extracts a communication feature amount from the communication data related to the attack case collected in step S2.

  In step S4, the class classification unit 15 generates a feature vector composed of the communication feature value extracted in step S3 and the configuration feature value stored in step S1 for each attack case, classifies these, and classifies them. Store in the class definition DB 22.

  In step S <b> 5, the class definition unit 16 collates each class classified in step S <b> 4 with the handling information DB 23, and stores data relating to the handling method for each class.

  FIG. 4 is a flowchart showing processing when an attack on the monitored network according to the present embodiment is detected.

  In step S11, the communication extraction unit 13 extracts a communication feature amount from communication data such as network flow data or packet capture data related to the detected attack.

  In step S12, the class determination unit 17 generates a feature vector composed of the communication feature value extracted in step S11 and the configuration feature value stored in the network configuration DB 21, and the class determination unit 17 stores the class vector stored in the class definition DB 22. It is determined which is applicable.

  In step S <b> 13, the notification unit 18 outputs data (such as malignancy, scale, urgency, and coping method) related to the coping method associated with the class determined in step S <b> 12 to the display unit 50.

  In step S <b> 14, the countermeasure execution unit 19 receives an instruction input via the input unit 40 and determines whether to perform countermeasures against the attack. If this determination is YES, the process proceeds to step S15, and if the determination is NO, the process ends.

  In step S15, the countermeasure execution unit 19 controls the router of the monitoring target network and executes the countermeasure method output in step S13.

  As described above, according to the present embodiment, the attack countermeasure device 1 classifies feature vectors formed by combinations of configuration feature amounts and communication feature amounts relating to past attack cases, so that a new attack feature vector can be obtained. Determine which class is applicable. Therefore, the attack countermeasure device 1 can provide information for the administrator to more appropriately take measures when an attack is detected.

  At this time, the number of combinations of element values of feature vectors can be enormous, but the number of classes generated from actual attack cases is greatly reduced. Therefore, since the attack countermeasure device 1 can easily identify similar classes, the processing efficiency is reduced and the administrator can appropriately deal with the attack.

  Further, the attack countermeasure device 1 uses the link capacity for the edge router connected to each host and the number of hosts accommodated by the edge router as elements of the feature vector. Therefore, the urgency level corresponding to the size of the edge router is represented in the feature vector, so that the administrator can take appropriate measures.

  Further, the attack countermeasure device 1 uses the number of transmission source hosts, the protocol type, the ratio of a predetermined TCP flag, the number of packets per predetermined time, the number of bytes, and the number of flows as the elements of the feature vector. Therefore, since the type and scale of the attack are represented in the feature vector, the administrator can take appropriate measures.

Further, the attack countermeasure device 1 can provide data relating to a countermeasure method against an attack belonging to each class by checking 23 in the countermeasure information DB. Therefore, the administrator can more appropriately cope with the attack.
Furthermore, since the data related to the countermeasure method is data indicating the malignancy level, scale, or urgency level of the attack, the administrator can take an appropriate countermeasure in a timely manner.

  Further, the attack countermeasure device 1 can automatically execute a predetermined process based on the data relating to the countermeasure stored in the class definition DB 22, so that the burden on the administrator can be reduced and the countermeasure can be taken. There is a possibility of improving the accuracy of.

  As mentioned above, although embodiment of this invention was described, this invention is not restricted to embodiment mentioned above. Further, the effects described in the present embodiment are merely a list of the most preferable effects resulting from the present invention, and the effects of the present invention are not limited to those described in the present embodiment.

  For example, the feature vector of the above-described embodiment is an example of quantifying the feature of an attack, and the type of feature amount and the value range can be designed as appropriate.

  The attack countermeasure device 1 is an example of an information processing device that can be connected to a network, and may be various information processing devices (computers) such as a server device or a PC (Personal Computer). Realized by software. When realized by software, a program constituting the software is installed in the information processing apparatus. Also, these programs may be recorded on a removable medium such as a CD-ROM and distributed to the user, or may be distributed by being downloaded to the user's computer via a network.

DESCRIPTION OF SYMBOLS 1 Attack countermeasure apparatus 10 Control part 11 Configuration collection part 12 Case collection part 13 Communication extraction part 14 Attack detection part 15 Class classification part 16 Class definition part 17 Class determination part 18 Notification part 19 Countermeasure execution part 20 Storage part 21 Network configuration DB ( Configuration storage unit)
22 Class definition DB
23 Handling Information DB (Handling Information Storage Unit)

Claims (8)

An attack countermeasure device that supports a countermeasure performed by an administrator of a network when an attack on a host belonging to a predetermined network is detected,
A configuration storage unit that stores, for each host belonging to at least one network including the predetermined network, a predetermined type of configuration feature amount indicating the scale of a communication path to the host;
A communication extraction unit that acquires communication data related to the attack, and extracts a predetermined type of communication feature amount indicating the characteristic of the communication from the data;
A class classification unit that classifies the combination of the configuration feature amount and the communication feature amount according to a plurality of past attack cases;
A class determination unit that determines which class classified by the class classification unit the new attack corresponds to when a new attack is detected;
An attack countermeasure device comprising: a notification unit that notifies the class determined by the class determination unit together with the communication path of the new attack.   The attack countermeasure device according to claim 1, wherein the configuration storage unit includes at least one of a link capacity for an edge router connected to each host and the number of hosts accommodated by the edge router as the configuration feature amount.   The communication extraction unit, as the communication feature amount, among the number of transmission source hosts, the protocol type, the ratio of a predetermined TCP flag, the number of packets per predetermined time, the number of bytes, or the number of flows, as the communication feature amount, The attack countermeasure apparatus of Claim 1 or Claim 2 containing at least one. A handling information storage unit that stores data related to a handling method in advance corresponding to any one or combination of the configuration feature quantity or the communication feature quantity,
For each class classified by the class classification unit, a combination of the configuration feature amount and the communication feature amount included in the class, and the configuration feature amount or the communication feature amount stored in the handling information storage unit The class definition part which defines the said class by associating any one of the data regarding the said coping method with the said class by comparing either or a combination, Either of Claims 1-3 Attack countermeasure device as described in 1.   The attack countermeasure device according to claim 4, wherein the data relating to the countermeasure method is data indicating a malignancy level, a scale, or an emergency level of the attack.   The attack countermeasure device according to claim 4 or 5, further comprising a countermeasure execution unit that executes a predetermined process set in advance based on data relating to the countermeasure method linked by the class definition unit. An attack countermeasure method in which a computer supports a countermeasure performed by an administrator of a network when an attack on a host belonging to a predetermined network is detected,
The computer includes a configuration storage unit that stores, for each host belonging to at least one network including the predetermined network, a predetermined type of configuration feature amount indicating the scale of a communication path to the host,
A communication extraction step of acquiring data of communication related to the attack and extracting a predetermined type of communication feature amount indicating the characteristic of the communication from the data;
A class classification step for classifying a combination of the configuration feature amount and the communication feature amount according to a plurality of past attack cases;
A class determination step for determining, when a new attack is detected, which class classified in the class classification step the new attack corresponds to;
An attack countermeasure method comprising: a notifying step of notifying the class determined in the class determining step together with the communication path of the new attack. An attack countermeasure program for causing a computer to support a countermeasure performed by an administrator of a network when an attack on a host belonging to a predetermined network is detected,
The computer includes a configuration storage unit that stores, for each host belonging to at least one network including the predetermined network, a predetermined type of configuration feature amount indicating the scale of a communication path to the host,
A communication extraction step of acquiring data of communication related to the attack and extracting a predetermined type of communication feature amount indicating the characteristic of the communication from the data;
A class classification step for classifying a combination of the configuration feature amount and the communication feature amount according to a plurality of past attack cases;
A class determination step for determining, when a new attack is detected, which class classified in the class classification step the new attack corresponds to;
An attack countermeasure program for causing the computer to execute a notification step of notifying the class determined in the class determination step together with the communication path of the new attack.

Images