JP6736913B2 - Management program, management method, and management device - Google Patents

Description

The present invention relates to a management program, a management method, and a management device.

In recent years, there are many types of malware mobile phones, and their mechanisms are changing cleverly. Various types of malware that have entered by e-mail (sometimes simply referred to as “mail”) pose a threat to systems of companies and the like. In addition to detecting the malware itself, it is important to identify the route that the malware entered.

When the attachment file is infected with malware by using the technology that manages the email text, email header information, etc., in association with the attached file, the email information such as the email text It may be possible to investigate the transmission route. In addition, there is known a technique of detecting an infection of an attached file in a mail server in advance.

JP, 2005-166039, A International Publication No. 2005/36409 Pamphlet Japanese Patent Publication No. 2014-513834 Japanese Patent Publication No. 2001-500295

The malware can be detected by the attached file of the electronic mail by the mail server by the above-mentioned technique. However, if the delivery of the e-mail is delayed due to the detection of the malware, the business of the company or the like will be hindered.

In particular, in the case of malware that operates at a specific date and time (so-called zero-day attack), it is not practically practical to stop the email delivery until the specific date and time. In the first place, it may not be possible to know the specific date and time.

Further, in recent years, the number of e-mails delivered has been increasing, and the number is enormous. On the other hand, the number of emails infected with malware, which causes enormous damage, is a very small number compared to the total number of delivered emails.

Therefore, in one aspect, the present invention aims to efficiently identify an email source of infection.

According to one aspect, the computer stores, in the storage unit, the specific information identifying the message for each piece of attached file information identifying the file data attached to the message, and stores the associated information in the storage unit. In response to receiving the safety information indicating that the attached file data is not dangerous, the attached file information stored in the storage unit and specified by the safety information is deleted from the storage unit. A management program for executing the processing to be performed is provided.

Further, as a means for solving the above problems, a management method and an information processing apparatus can be used.

E-mail that is the source of infection can be efficiently identified.

It is a figure for explaining an example which specifies an infection source file by an existing method. It is a figure which shows the system block diagram in a present Example. It is a figure which shows the hardware constitutions of a correspondence management server. It is a flowchart figure for demonstrating an attachment file information storage process (step A of FIG. 2). It is a flowchart figure for demonstrating an attachment file extraction monitoring process (step B of FIG. 2). It is a flowchart figure for demonstrating an infection source email identification process (step C of FIG. 2). It is a flowchart figure for demonstrating unnecessary information deletion processing (step D of FIG. 2). It is a flowchart figure for demonstrating an infection source email coping process (step E of FIG. 2). It is a figure which shows the function structural example of the system in a present Example. It is a figure which shows the data structural example of correspondence information storage DB. It is a figure which shows the data structural example of agent DB. It is a figure which shows the data structural example of malware information. It is a figure which shows the data structural example of mail information storage DB. FIG. 5 is a flow chart for explaining the attached file information storage processing (step A) of FIG. 4 in detail. FIG. 6 is a flow chart diagram for explaining the attached file extraction monitoring process (step B) of FIG. 5 in detail. FIG. 7 is a flowchart for explaining in detail the infection source email identification processing (step C) of FIG. 6. FIG. 8 is a flow chart for explaining the unnecessary information deletion processing (step D) of FIG. 7 in detail. FIG. 9 is a flowchart for explaining in detail the infection source e-mail handling process (step E) of FIG. 8.

Embodiments of the present invention will be described below with reference to the drawings. First, existing methods (I), (II), and (III) for identifying an infection source file due to malware will be described.
(I) A mail server executes each attachment file of an electronic mail in a virtual environment, and as a result, when the presence of malware is not confirmed, the electronic mail is delivered.
(II) In the user terminal, quarantine such as quarantine or deletion is executed when malware is detected by the endpoint type sensor that detects malware according to the storage and execution of the file.
(III) The file and process tracking system traces the program name and file name of the generation source from the detected malware file name to identify the infection source file.

FIG. 1 is a diagram for explaining an example of identifying an infection source file by an existing method. In FIG. 1, the mail server 300 stores a plurality of emails 3 and the emails 3 are downloaded to the user terminal 500 in response to a download request from the user terminal 500. At this time, the infection source mail 9a infected with the malware 93w may be downloaded.

The mail server 300 executes the attachment file of each electronic mail 3 in the virtual environment by using the above-mentioned method (I), and confirms the presence of malware. However, the mail server 300 cannot immediately detect malware in the case of zero-day malware. Further, assuming that there is malware for a zero-day attack, the email 3 cannot be delivered forever.

Therefore, in operation, if no malware is detected in the verification performed by the mail server 300 upon receipt of the electronic mail 3, the electronic mail 3 is ready for distribution. Therefore, the distributable electronic mail 3 may include the infection source mail 9a. The case where the user terminal 500 accesses the mail server 300 and downloads the infection source mail 9a from the deliverable electronic mail 3 will be described.

In the user terminal 500, the user uses the mail software 510 to connect to the mail server 300 and download the infection source mail 9a as a safe email 3 from among the deliverable emails 3.

The infection source file 91e, which is an attachment file of the downloaded infection source mail 9a, is executed by the user. The infection source file 91e may be a file such as document data, spreadsheet data, presentation data, or an image file that is executed by a corresponding application, or the program execution file itself.

The infection source file 91e is executed for the first time by the operation of the user of the user terminal 500. When the infection source file 91e is executed, another file 92e is further generated and the file 92e is executed. Then, the file 92e further generates and executes another file (malware 93w).

In the user terminal 500, the malware detection unit 513 such as an endpoint type sensor detects the malware 53w and executes quarantine such as quarantine or deletion of the malware 53w. After that, the administrator is notified of the process name, file, etc. of the malware 39w. The malware detection unit 513 also notifies the generation route tracking unit 515 of the process name, file, etc. of the malware 39w.

In response to the malware detection notification from the malware detection unit 513, the generation route tracking unit 515 tracks the generation source of the malware 53w detected by the malware detection unit 513. That is, the program file 92e that generated the malware 53w is specified, and the infection source file 91e that generated the program file 92e is specified. The generation route tracking unit 515 further finds out that the infection source file 91e has been downloaded by the mail software 510.

Since the file that generated the infection source file 91e does not exist, the infection source file 91e is identified as the original. Further, the malware detection unit 513 identifies up to the one extracted by the mail software 510.

However, although the generation route tracking unit 515 can trace the generation source of the malware 53w, it cannot specify the infection source mail 9a from which the infection source file 91e is extracted from the plurality of emails 3. Therefore, the cause of the existence of the infection source file 91e in the user terminal 500 cannot be known. Specifically, it is impossible to find out from which e-mail 3 the e-mail 3 was extracted.

In the above, the generation route tracking unit 515 may be a part of the function of the malware detection unit 513.

The malware 93w has been described in the example in which the user terminal 500 has been infected by the infection source mail 9a received from the mail server 300, but the malware 93w is transmitted from the user terminals 500 of other users via the external storage medium. The malware 93w may be activated by acquiring the received infection source file 91e. In that case, it becomes more difficult to identify the infection source mail 9a that has become the infection source.

In order to identify the infection source mail 9a which is the infection source, it is conceivable to manage the message IDs in association with each other based on the contents of the infection source file 91e. In the case of judgment by file name, it becomes difficult for the user to change the file name and take it out, or for a file name with no characteristics such as "setup.exe".

In this embodiment, the message ID can be specified by recording the file name of the electronic mail 3 downloaded to the user terminal 500 and the file information of the attached file. By using the message ID, it is possible to deal with the infection source mail 9a held in the mail server 300.

However, the number of infection source mails 9a is very small compared to the number of emails 3 that can be safely received. Accumulating and storing the message IDs for all the e-mails 3 is not preferable from the viewpoint of hardware resources.

Therefore, in the present embodiment, further, when no security threat (simply referred to as “threat”) is detected in the accumulated message ID, the corresponding information of the electronic mail 3 and the message ID is deleted. By doing so, the amount of information that is held and managed to identify the infection source mail 9a is significantly reduced. In this embodiment, when the result that the threat is not detected is obtained, it is determined to be “safe”.

FIG. 2 is a diagram showing a system configuration diagram in this embodiment. The system 1000 shown in FIG. 2 includes an FW (Fire Wall) 3, an SMTP (Simple Mail Transfer Protocol) server 100, a mail server 300, a correspondence management server 400, a user terminal 500, and a threat report management server 600. Have.

The FW (Fire Wall) 3 is a device that protects a network related to mail delivery from an attack from the Internet 2. The SMTP server 100 is a server that sends the electronic mail 3. The mail server 300 is a server that stores the electronic mails 3 to be transmitted and received.

The association management server 400 is a server that associates and manages the attachment file information of the electronic mail 3 received by the mail server 300 and the message ID. When the notification of the detection of the wonder of the malware is received, the infection source mail 9a to which the infection source file 91e is attached is identified based on the identified malware infection source file 91e, and the infection stored in the mail server 300 is identified. Request deletion of the source mail 9a.

The user terminal 500 is a PC (Personal Computer) such as a stand-alone type, notebook, tablet, etc., and is a terminal used by the user to receive at least the email 3.

The threat report management server 600 receives the notification that the malware detection unit 513 of the user terminal 500 has detected a threat, and notifies the association management server 400. The association management server 400 stores malware information.

In the present embodiment, the notification of threat detection is also sent to the mail server 300, and the mail server 300 deletes the infection source mail 9a in which the threat is detected from the held emails 3. By deleting the infection source mail 9a, it is possible to prevent the infection source mail 9a from spreading due to transfer or the like.

In addition, in the present embodiment, the information regarding the message ID without threat is deleted by notifying the association management server 400 of the information obtained by the malware detection unit 513 as the detection result without threat. Therefore, the amount of information for identifying the infection source mail 9a to which the infection source file 91e is attached by the association management server 400 can be reduced.

The association management server 400 that manages information for identifying the infection source mail 9a to which the infection source file 91e is attached has a hardware configuration as shown in FIG.

FIG. 3 is a diagram showing a hardware configuration of the association management server. 3, the association management server 400 is an information processing device controlled by a computer, and includes a CPU (Central Processing Unit) 11, a main storage device 12, an auxiliary storage device 13, an input device 14, and a display. It has a device 15, a communication I/F (interface) 17, and a drive device 18, and is connected to the bus B.

The CPU 11 corresponds to a processor that controls the association management server 400 according to a program stored in the main storage device 12. A RAM (Random Access Memory), a ROM (Read Only Memory), or the like is used for the main storage device 12, and a program executed by the CPU 11, data required for processing by the CPU 11, and data obtained by the processing by the CPU 11 are obtained. Stores or temporarily saves data etc.

An HDD (Hard Disk Drive) or the like is used as the auxiliary storage device 13, and stores data such as programs for executing various processes. Various processes are realized by loading a part of the program stored in the auxiliary storage device 13 into the main storage device 12 and executing it in the CPU 11. The storage unit 130 corresponds to the main storage device 12 and the auxiliary storage device 13.

The input device 14 has a mouse, a keyboard, and the like, and is used by an administrator to input various information necessary for the processing by the association management server 400. The display device 15 displays various information required under the control of the CPU 11. The input device 14 and the display device 15 may be a user interface such as an integrated touch panel. The communication I/F 17 communicates via a wired or wireless network. The communication by the communication I/F 17 is not limited to wireless or wired.
The program that realizes the processing performed by the association management server 400 is provided to the association management server 400 by the storage medium 19 such as a CD-ROM (Compact Disc Read-Only Memory).

The drive device 18 interfaces the storage medium 19 (for example, a CD-ROM or the like) set in the drive device 18 with the association management server 400.

Further, the storage medium 19 stores a program that implements various processes described later according to the present embodiment, and the program stored in the storage medium 19 is stored in the association management server 400 via the drive device 18. Installed. The installed program can be executed by the association management server 400.

The storage medium 19 for storing the program is not limited to the CD-ROM, and one or more non-transitory, tangible medium having a structure that can be read by a computer. If The computer-readable storage medium may be a CD-ROM, a DVD disk, a portable recording medium such as a USB memory, or a semiconductor memory such as a flash memory.

The SMTP server 100, the mail server 300, the user terminal 500, the threat report management server 600, and the like are computers having the same hardware configuration, and therefore description thereof will be omitted.

The main processing in the system 1000 of FIG. 2 is as follows.
-Attached file information storage process (step A)
-Attached file retrieval monitoring process (step B)
-Infection source email identification processing (step C)
-Unnecessary information deletion processing (step D)
-Infection source e-mail handling process (step E)
Each of these processes will be described with reference to a flowchart.

FIG. 4 is a flow chart for explaining the attached file information storage processing (step A in FIG. 2). The attached file information storage process (step A) operates as a resident program of a computer provided between the SMTP server 100 and the mail server 300, and is executed each time the electronic mail 3 is relayed. Alternatively, it may be incorporated as a part of the processing on the receiving side of the mail server 300.

As shown in FIG. 4, in the attached file information storage process (step A), when the relayed e-mail 3 is received from the SMTP server 100 (step S11), the attached file is extracted from the received e-mail 3 (step S12) and attached. After the file information is transmitted to and stored in the association management server 400 (step S13), the electronic mail 3 is relayed to the mail server 300 (step S14). The attached file information storage process (step A) ends every time the electronic mail 3 is received.

In the attachment file information storage process (step A), the attachment file information is associated with the message ID that identifies the e-mail 3, and is accumulated and managed in the association information storage DB 460 (FIG. 10) of the association management server 400. It The attached file information is the compressed contents of the attached file.

FIG. 5 is a flow chart for explaining the attached file extraction monitoring process (step B in FIG. 2). The attached file extraction monitoring process (step B) is a process that operates as a resident program of the user terminal 500 and monitors the file generation by the mail software 510.

In FIG. 5, in the user terminal 500, it is monitored that a file is generated when the attached file is taken out from the electronic mail 3 by the mail software 510 (step S21).

In the user terminal 500, the file generated by the mail software 510 is read (step S22), and file information indicating the contents of the read file is stored in the storage unit in the user terminal 500 (step S23). The file information is a compressed content of the attached file, and is stored in the user terminal 500 together with the downloaded date and time, the storage destination, and the like.

After storing the file information, the process returns to the file generation monitoring (step S24), and the same process as above is repeated for the next generated file.

FIG. 6 is a flow chart for explaining the infection source email identification processing (step C in FIG. 2). The infection source email identification process (step C) is a process performed in the user terminal 500 and the association management server 400.

In FIG. 6, the malware detection unit 513 acquires malware information by detecting the malware 93w (step S31). In response to the detection of the malware 93w, the generation path tracking unit 515 traces the generation source of the file of the malware 93w by tracing it based on the malware information, and identifies the infection source file 91e (step S32).

File information of the infection source file 91e (may be referred to as "infection source file information") is acquired (step S33), and the infection source file information is notified to the association management server 400.

In the association management server 400, the notified infection source file information is compared with the file information (sometimes referred to as “attached file information”) of the attached file of the e-mail 3 held by the device itself, and the infection is detected. The original electronic mail 3 is specified (step S34).

FIG. 7 is a flowchart for explaining the unnecessary information deletion processing (step D in FIG. 2). The unnecessary information deletion process (step D) is performed as a regular background process such as once a day, and the file information accumulated in the association management server 400 that is determined to have no threat is deleted. In FIG. 7, the user terminal 500 starts operating at regular intervals (step S41). The generation route tracking unit 515 tracks the file generated by the mail software 510 (step S42).

The generated file and the derived file obtained by tracking are matched with the detection result by the malware detection unit 513 (step S43), and if the generated file and the derived file are not threatened, the association management server 400 , "No threat" is notified (step S44). The attached file information is notified.

The association management server notifies the recipient of the email of the attached file that matches the generated file that there is no risk, and deletes the attached file information from the database (step S45). Then, the unnecessary information deletion process ends.

FIG. 8 is a flow chart for explaining the infection source e-mail handling process (step E in FIG. 2). The infection source email handling process (step E) is executed by the association management server 400 each time the infection source email 9a is identified.

In FIG. 8, the association management server 400 acquires the message ID of the infection source email 9a (step S51). Multiple message IDs may be acquired. The association management server 400 acquires, from the mail server 300, the information of the electronic mail 3 to which the file matching the content obtained from the message ID is attached (step S52).

The electronic mail 3 to which a file matching the content obtained from the message ID is attached is called "target electronic mail", and the information of the electronic mail 3 is called "mail information".

The association management server 400 requests the mail server 300 to delete the target electronic mail based on the acquired mail information, and also alerts the recipient of the target electronic mail and the like (step S54). The recipient may be notified of the alert content by email.

The association management server 400 determines whether all target mails have been processed (step S54). When there is an unprocessed target mail (NO in step S54), the association management server 400 returns to step S52 and repeats the same processing as described above. On the other hand, when there is an unprocessed target email (YES in step S54), the association management server 400 ends this infection source email handling processing.

Next, a functional configuration example in the system 1000 will be described. FIG. 9 is a diagram showing an example of the functional configuration of the system in this embodiment.

In the description of FIG. 9, the infection source mail 9a may be collectively referred to as the electronic mail 3. In the system 1000 shown in FIG. 9, in the present embodiment, an attachment file management unit 330 is provided on the way between the SMTP server 100 and the mail server 300.

The processing in the attached file management unit 330 is realized by a plug-in program and has an attached file information acquisition unit 350. The attached file information acquisition unit 350 acquires information (attached file information) of the attached file 2f attached to the electronic mail 3. The attachment file management unit 330 transmits the association information 7a including the attachment file information acquired by the attachment file information acquisition unit 350 and the message ID identifying the electronic mail 3 to the association management server 400 and causes the association management server 400 to retain the association information 7a.

The attached file information is, for example, a value obtained by summarizing the content of the attached file 2f using a hash function. The message ID is, for example, a value given by the mail server used by the sender, and is information indicating a part of the sender's mail address.

The user terminal 500 has mail software 510, a malware detection unit 513, a generation route tracking unit 515, and an agent 530. The user terminal 500 also has an agent DB 540 in the storage unit.

The mail software 510 is software that provides various functions including transmission and reception of the electronic mail 3.

The malware detection unit 513 detects a threat from the operation (behavior) performed by the user on the user terminal 500. When the mail software 510 retrieves and executes the attached file 2f from the electronic mail 3 by the operation of the user, the malware detection unit 513 monitors the operation of the file generated according to the execution. When the malware 93w is generated, the malware detection unit 513 detects the generation of the malware 93w.

The detection result is accumulated in the result log 514. As an example of the malware detection unit 513, software called an endpoint type sensor is used. The threat information (malware information) 9m detected by the malware detection unit 513 is collected in the threat report management server 600. In the result log 514, information such as a file name or a full path name and a detection result is accumulated every time a program file is generated.

The generation route tracking unit 515 is executed by a function call from the agent 530, refers to the agent DB, traces the route until the malware 93w is generated, and identifies the infection source file 91e.

The agent 530 refers to the result log 514 of the malware detection unit 513 and deletes the information related to the file indicating “no threat”. The agent 530 further includes a takeout monitoring unit 532 and a file information acquisition unit 534.

The take-out monitoring unit 532 detects the file written by the mail software 510. The file information acquisition unit 534 creates file information based on the content of the file detected by the extraction monitoring unit 532, and stores the file name, the created file information, and the like in the agent DB 540.

The agent DB 540 is a database that stores and manages information regarding files written from the mail software 510, and stores at least the file name, file information, and the like of each written file.

The association management server 400 accumulates and stores the association information 7a obtained from the electronic mail 3 received from the attached file management unit 330 of the mail server 300, and accumulates it in accordance with the information received from the user terminal 500. The infection source mail 9a is specified from the association information 7a, or the accumulated association information 7a is deleted.

The association management server 400 includes an association information receiving unit 410, an association information deleting unit 430, a message ID identifying unit 450, and an infection source file identifying unit 470. The association management server 400 stores the association information storage DB 460, the malware information DB 490, etc. in the storage unit 130.

When the association information receiving unit 410 receives the association information 7a from the attached file management unit 330, the association information receiving unit 410 adds and stores a record in the association information storage DB 460.

When the association information deletion unit 430 receives the safe file information 8a from the user terminal 500, the association information deletion unit 430 deletes the record storing the attached file information that matches the safe file information 8a from the association information storage DB 460.

Upon receiving the infection source file information 8b from the user terminal 500, the message ID identification unit 450 identifies the message ID from the record storing the attached file information that matches the infection source file information 8b, and uses the identified message ID. The infection source mail 9a held by the mail server 300 is deleted.

Upon receiving the malware information 9m from the threat report management server 600, the infection source file identifying unit 470 adds a record to the malware information DB 490 and stores it, and notifies the user terminal 500 of the received malware information 9m. Infection source file information 8b regarding the identified infection source file 91e is notified to the message ID identification unit 450.

The overall operation of the above-described functional configuration will be described with reference to FIG.
-Reception of E-mail <1> The SMTP server 100 receives a plurality of e-mails 3 including the infection source mail 9a.

<2> The SMTP server 100 relays the electronic mail 3 to the mail server 300.

<3> The attached file management unit 330 takes out the attached file 2f from the email 3 along the way of the SMTP server 100 and the mail server 300, and the attached file information acquisition unit 350 makes the attached file 2f file information (attached file information). To get

<4> The attached file management unit 330 transmits the attached file information and the association information 7a indicating the message ID to the association management server 400.

<5> In the association management server 400, the association information receiving unit 410 stores the received association information 7a by adding a record to the association information storage unit 460.

<6> The user terminal 500 receives the electronic mail 3 by the mail software 510. The mail software 510 downloads the attached file 2f by the user's operation of extracting the attached file 2f or the operation of executing the attached file.

<7> The agent 530 monitors the extraction operation of the attached file 2f by the user by the extraction monitoring unit 532, and stores at least the file name of the extracted attached file 2f and the file information in the agent DB 540. The file name and the file information are acquired by the file information acquisition unit 534.

The file information of the first file extracted from the electronic mail 3 matches the attached file information acquired by the attached file information acquisition unit 350 of the attached file management unit 330.

<8> The user executes the attached file 2f.

<9> The malware detection unit 513 monitors the operation of the executed program related to the attached file 2f.
In the case of no threat <10> The executed program ends without any problem, and the malware detection unit 513 determines that there is no threat.

<11> The agent 530 refers to the result log 514 of the malware detection unit 513 and determines that the result of “no threat” is a “safe” file.

<12> The agent 530 uses the generation route tracking unit 515 to identify the generation source file of the attached file 2f that the malware detection unit 513 has determined to be “no threat”.

<13> The agent 530 determines that “no threat”, and stores the information of the generation source file of the attached file 2f in the agent DB 540 together with the detection result indicating “safe”.

<14> The agent 530 transmits the file information determined to be “safe” to the association management server 400 as the safe file information 8a at a timing such as once a day, and records the transmitted safe file information 8a. Is deleted from the agent DB 540.

<15> The association management server 400 deletes, from the association information storage DB 460, a record of attached file information that matches the safe file information 8a received from the user terminal 500.
-In case of threat <21> The malware detection unit 513 monitors the operation of the executed program and detects the malware 93w.

<22> The malware detection unit 513 notifies the threat report management server 600 of malware information (malware information 9m).

<23> The threat report management server 600 transmits the malware information 9m to the association management server 400.

<24> The association management server 400 adds the record to the malware information DB 490 and stores the received malware information 9m.

<25> The association management server 400 sends the malware information 9m received from the malware detection unit 513 to the agent 530 of the user terminal 500 to request the identification of the infection source file 91e.

<26> The agent 530 extracts the file name of the malware from the malware information 9m, and uses the generation route tracking unit 51 to identify the infection source file 91e.

<27> The agent 530 acquires the file information of the infection source file 91e from the agent DB 540 and sends it to the association management server 400 as the infection source file information 8b.

<28> In the association management server 400, the message ID identification unit 450 searches the association information storage DB 460 for attached file information that matches the infection source file information 8b, and acquires one or more message IDs from the matched records. To do.

<29> The message ID identification unit 450 sends the acquired message ID to the mail server 300 to request the deletion of the email 3 that is a candidate of the infection source including the infection source email 9a, and also the suspicious electronic mail. Notify the user who downloaded Email 3 to alert (delete the downloaded file, etc.).

<30> When a plurality of message IDs are present in the attached file information retrieved from the association information storage DB 460, the deletion request and the alert are issued to the electronic mails 3 having all the message IDs. In addition to the infection source mail 9a, a plurality of message IDs may exist when the attachment file 2f having the same content is attached to another mail with a different file name. In such a case, by issuing a deletion request and alerting, the suspicious e-mail 3 before the infected attachment file 2f is executed can be dealt with in advance.

Next, examples of data configurations of various DBs and information will be described. FIG. 10 is a diagram showing a data configuration example of the association information storage DB. In FIG. 10, the association information storage DB 460 is a database that stores attached file information and stores and manages message IDs associated with each attached file information, and stores items such as attached file information and a plurality of message IDs. Have.

The attached file information item stores the attached file information included in the association information 7a. The message ID included in the association information 7a is stored in the message ID item. The message ID indicates a part or all of the sender's e-mail address. At least "user name@domain name" is stored as the message ID.

When the association information receiving unit 410 receives the association information 7a from the attachment file management unit 330, the association information storage DB 460 is searched for the attachment file information included in the association information 7a, and the association record is associated with the associated record. If the message ID indicated by the information 7a does not exist, the message ID is added.

When there is no matching record, the association information receiving unit 410 adds a record and stores the attached file information and the message ID of the received association information 7a.

In the data configuration example of FIG. 10, one message ID “avc@dimain24” is associated with the attached file information “Fsad#%321”. Further, one message ID “arw@dimain24” is associated with the attached file information “eGr6wea%t5#$”. Further, two message IDs “arw@dimain24” and “arw@dimain25” are associated with the attached file information “Fasdr4$Y3”. The same applies to other records.

When the file information of the attachment file 2f of the infection source of the malware 93w is the attachment file information "eGr6wea%t5#$", the association management server 400 sets the infection source file information 8b indicating "eGr6wea%t5#$". To receive.

The message ID identification unit 450 acquires the message ID “arw@dimain24” from the record of the attached file information “eGr6wea%t5#$” that matches the received infection source file information 8b. By transmitting the acquired message ID “arw@dimain24” to the mail server 300, the infection source mail 9a is specified and the mail server 300 is requested to delete it.

Further, the message ID identification unit 450 notifies the recipient of the identified infection source email 9a of a warning message by e-mail or the like.

FIG. 11 is a diagram showing an example of the data structure of the agent DB. In FIG. 11, the agent DB 540 is a database that stores information about files generated in time series, and has items such as date and time of generation, file name, file information, and detection result.

The creation date and time indicates the date and time when the file was created. The generation date and time is not mandatory and can be omitted. The file name indicates information including at least the generated file name. A full path name may be used as long as it is a directory including a file name indicating a storage location, a URL (Uniform Resource Locator) and the like. The file information is a value obtained by summarizing the file contents generated by the file information acquisition unit 534 using a hash function.

The detection result indicates the risk determined for the first attached file 2f extracted from the mail software 510 based on the file tracking result based on the result log 514 obtained by the malware detection unit 513.

As the detection result, any one of "unconfirmed", "danger", "safety", etc. is shown. "Unconfirmed" indicates a state immediately after the generation of the file or the like, and it is not possible to determine whether the file is "dangerous" or "safe". “Danger” indicates that the file is infected with the malware 93w. “Safe” indicates that the file has not detected a threat.

“Danger” is set for the first attached file 2f from the mail software 510 that is the generation source of the malware 93w, even if the first attached file 2f is determined to be “safe”. If the first attached file 2f is determined to be "safe", and then all the derived files are "safe", "safe" is set to the first attached file 2f. ..

In the agent DB 540, the file that is confirmed as “safe” is notified of the file name and file information as the safe file information 8a to the association management server 400, so that the association management server 400 holds the file. The amount of information in the attached information storage DB 460 can be reduced.

In the data structure example of FIG. 11, in the first record, when the file name “C:\Program files\Programdata\temp\abc.exe” is referred to for the file created at the creation date “2015/06/01 13:51” It is shown that the generated file is the execution file "abc.exe", which is stored in the directory "C:\Program files\Programdata\temp". The detection result is “unconfirmed”.

In the second record, referring to the file name "D:\work\xyz.exe" for the file created at the creation date and time "2015/06/01 13:55", the created file is the execution file "xyz. exe” and is stored in the directory “d”. The detection result is "danger".

In the third record, referring to the file name "e:\app\qwert.exe" for the file generated at the generation date and time "2015/06/01 13:59", the generated file is the execution file "qwert. exe” and is stored in the directory “e:\app”. The detection result is "danger". The same applies to other records.

FIG. 11 also shows the association between the association information storage DB 460 described above and the malware information 9m described later. The agent DB 540 and the association information storage DB 460 are associated with each other by the attached file information, and the agent DB 540 and the malware information 9m are associated with each other by the full path name.

FIG. 12 is a diagram showing a data configuration example of malware information. In FIG. 12, the malware information 9m indicates information on the malware 93w detected by the malware detection unit 513, and has items such as date and time of occurrence, name, file name, risk, and full path name.

The date and time of occurrence indicates the date and time when the malware 93w occurred. The name indicates the name of the malware 93w. The file name indicates the generated file name. The degree of risk indicates the level of threat given by the malware 93w. “High” indicates a high threat level, “medium” indicates a medium threat level, and “low” indicates a low threat level. The infection source file information is information indicating the full path name for confirming the malware 93w.

In the data configuration example of FIG. 12, the malware 93w with the name “Aboor” is detected on the occurrence date “XX:XX”, the file name of the detected malware 93w is “xyz.exe”, and the location (ie, It is shown that the storage location is “D:\work\abc2.exe” indicated by the full path name.

FIG. 13 is a diagram showing a data configuration example of the mail information storage DB. In FIG. 13, the mail information storage DB 6 is a database that manages information such as a title in order to improve the visibility to the user when alerting the user, and includes a message ID, a reception date and time, and a transmission. It has items such as person, recipient, and title.

The mail information storage DB 6 is not an indispensable database, but by providing the mail information storage DB 6, it is possible to acquire the information of the recipient without accessing the mail server 300, the delivery log, etc., and to promptly alert the user. it can.

The mail server 300, the delivery log, and the like may retain the log of the delivered electronic mail 3, but it may be deleted due to the storage period or the like, and the recipient information may not be obtained. It is a recommended database to fully respond to zero-day attacks.

The message ID is a message ID managed by the association information storage DB 460 and indicates a part or all of the sender's e-mail address. The reception date and time is the date and time when the electronic mail 3 specified by the message ID is received.

The sender indicates the electronic mail address of the sender of the electronic mail 3. The recipient indicates the email address of the recipient of the email 3. The title indicates the title set in the electronic mail 3.

In the data configuration example of FIG. 13, the email 3 with the message ID “ark@dimain24” is received at “2015/06/01 13:51”, and the sender email address is “abc@abc.com”. Yes, the e-mail address of the recipient is “zyx@xyz.jp”, and the title is “Thank you for yesterday”. The same applies to other e-mails 3.

Based on the functional configuration example shown in FIG. 9, each step A, B, C, D, and E in FIG. 2 will be described in detail.

FIG. 14 is a flow chart for explaining the attached file information storage processing (step A) of FIG. 4 in detail. In FIG. 14, the SMTP server 100 starts sending the electronic mail 3 (step S111).

The attached file management unit 330 starts the reception process for the electronic mail 3 sent from the SMTP server 100 (step S311), and temporarily stores the received electronic mail 3 (step S312).

The attached file management unit 330 analyzes the temporarily stored e-mail 3, extracts the attached file 2f, and temporarily stores it (step S313). The attached file management unit 330 confirms the encoding method from the body header, decodes the confirmed method, and extracts the attached file 2f.

The attached file management unit 330 creates the file information (attached file information) of the extracted attached file 2f (step S314), and associates the associated management server 400 with at least the associated information 7a including the attached file information and the message ID. Is transmitted (step S315). The association information 7a may further include information such as the date and time of reception of the email 3, the sender's email address, the recipient's email address, and the title. In this case, the correspondence management server 400 can include the mail information storage DB 6 as shown in FIG.

Then, the attached file management unit 330 relays the temporarily stored e-mail to the mail server 300 (step S316), and ends the process for each received e-mail 3. When the next e-mail 3 is received, the same processing as described above is repeated from step S311.

On the other hand, when the association management server 400 receives the association information 7a from the attached file management unit 330, it stores it in the association information storage DB 460 (step S411).

FIG. 15 is a flow chart for explaining the attached file fetching monitoring process (step B) of FIG. 5 in detail. 15, in the user terminal 500, when the mail software 510 writes the attached file 2f (step S521), the agent 530 monitors the file system by the extraction monitoring unit 532, and the attached file 2f written by the mail software 510. Is read (step S521).

When the attached file 2f is read, the agent 530 uses the file information acquisition unit 534 to create attached file information that summarizes the attached file 2f and stores it in the agent DB 540 (step S523). Then, the attached file extraction monitoring process ends.

FIG. 16 is a flow chart for explaining the infection source email identification processing (step C) of FIG. 6 in detail. The infection source email identification process is started by detecting the malware 93w in the user terminal 500.

From FIG. 16, when the malware detection unit 513 detects the malware 93w in the user terminal 500 (step S531), the malware information 9m is transmitted to the association management server 400 via the threat report management server 600 (step S532). ..

In the association management server 400, the infection source file identification unit 470 stores the received malware information 9m in the malware information DB 490 (step S431). Then, the infection source file identification unit 470 requests the identification of the infection source file 91e of the malware 93w by transmitting the malware information 9m to the agent 530 of the user terminal 500 (step S432).

In the user terminal 500, when the malware information 9m is received, the agent 530 notifies the received malware information 9m to the generation route tracking unit 515, and the generation route tracking unit 515 identifies the infection source file 91e (step S533). .. By specifying the infection source file 91e, the full path name of the infection source file 91e is acquired.

The agent 530 searches the agent DB 540 using the acquired full path name, acquires the attached file information stored in the record with the matching full path name, and transmits it as the infection source file information 8b to the association management server 400. (Step S534).

Then, in the association management server 400, the message ID identification unit 450 searches the association information storage DB 460 using the received infection source file information 8b and identifies the message ID (step S433).

In the association information storage DB 460, one or more message IDs are specified from the record of the attached file information that matches the received infection source file information 8b. The identified one or more message IDs are stored in the storage unit 130 and used in the infection source email process (step E) described later.

FIG. 17 is a flow chart for explaining the unnecessary information deleting process (step D) of FIG. 7 in detail. The unnecessary information deletion processing is performed by the user terminal 500 and the association management server 400, and the user terminal 500 regularly identifies the safe file information 8a and retains it in the association management server 400. The amount of information of 7a is reduced.

From FIG. 17, in the user terminal 500, the agent 530 acquires one file name from the agent DB 540 (step S541), compares it with the result log 514 by the malware detection unit 513, and determines the detection status (step S542). The determination results of “undetected”, “with detected threat”, and “without detected threat” are obtained.

When it is determined that the detection status is “undetected” or “with detected threat”, the agent 530 proceeds to step S546.

When it is determined that the detection status is “no detected threat”, the agent 530 causes the generation route tracking unit 515 to determine whether or not the derived file has a threat (step S543). One of "no threat", "partially threatened", and "partially undetected" is shown as the judgment result.

If the agent 530 determines that “partially threatened” or “partially detected unexecuted”, the agent 530 proceeds to step S546. On the other hand, if the agent 530 determines that “all threats are absent”, the agent 530 determines that the file having the file name obtained in step S541 is a safe file, obtains the attached file information from the agent DB 540, and outputs the safe file. The deletion is requested by transmitting the information 8a to the association management server 400 (step S534).

When the association management server 400 receives the safe file information 8a, the association information deletion unit 430 deletes the attached file information record that matches the safe file information 8a from the association information storage DB 460 (step S441). ..

When the mail information storage DB 6 is provided, the message ID can be acquired from the record of the attached file information that matches the safe file information 8a, and the recipient can be specified from the mail information storage DB 6. If the mail information storage DB 6 is not provided, the message ID may be transmitted to the mail server 300 to acquire the recipient's mail address.

Therefore, the association information deletion unit 430 may notify the recipient that the file is a safe (non-dangerous) attached file. Then, after notifying the recipient, the record of the attached file information that matches the safe file information 8a is deleted.

In the data configuration example of FIG. 10, the deletion of the record of the attached file information “eGr6wea%t5#$” is performed by this processing.

After that, the agent 530 deletes the attached file information record from the agent DB 540 (step S545).

When the process for the file name acquired in step S541 ends, the agent DB 540 determines whether or not there is a next file name (step S546). If the next file name exists (YES in step S546), the agent 530 returns to step S541 and repeats the same processing as described above. On the other hand, if the next file name does not exist (NO in step S546), this unnecessary information deletion processing ends.

FIG. 18 is a flow chart for explaining the infection source e-mail handling process (step E) of FIG. 8 in detail. The infection source email handling process is performed by the association management server 400 and the mail server 300, and deletes the infection source email 9a and alerts the recipient of the infection source email 9a.

From FIG. 18, in the association management server 400, the message ID identification unit 450 acquires one from the one or more message IDs stored in the storage unit 130 (step S451). The one or more message IDs stored in the storage unit 130 are message IDs identified based on the infection source file information 8b identified in the infection source email identification process (FIG. 16).

The message ID identification unit 450 acquires information such as the recipient of the infection source email 9a using the message ID (step S452). Information such as the recipient of the infection source mail 9a may be acquired by inquiring the mail server using the message ID, or if the correspondence management server 400 includes the mail information storage DB 6 (FIG. 13), Information such as the recipient may be acquired by searching the information storage DB 6 with the message ID.

The message ID identification unit 450 sends the message ID acquired in step S451 to the mail server 300 and requests deletion of the infection source mail 9a (step S453).

When the mail server 300 receives the message ID from the association management server 400, the infection source email 9a held in the storage area of the mail server 300 is identified and deleted based on the message ID. It notifies the deletion completion to 400 (step S351).

When the association management server 400 receives the notification of the completion of the deletion of the infection source mail 9a, the message ID identification unit 450 includes a warning and a deletion result notification of the email to the recipient of the infection source mail 9a. A request is made to send the email (step S454). At least the e-mail address of the recipient of the infection source mail 9a is transmitted to the mail server 300. The contents of the alert and the deletion result notification of the email may be transmitted to the mail server 300 together with the email address of the recipient.

When the mail server 300 receives from the association management server 400 a request in which at least the email address of the recipient is specified, the email server sends an email to the recipient of the infection source email 9a, and the association management server 400 completes. The result is notified (step S352).

Upon receiving the completion result from the mail server 300, the association management server 400 determines whether or not the processing has been completed for all message IDs (step S455). If there is an unprocessed message ID (YES in step S455), the message ID identification unit 450 returns to step S451 and repeats the same processing as described above.

If there are two or more message IDs, it means that the infection source file 91e was attached to a plurality of emails 3. Therefore, the electronic mail 3 including the same attached file (in this case, the infection source electronic mail 9) is deleted.

On the other hand, if the processing has been completed for all message IDs (NO in step S455), the infection source email coping processing ends.

As described above, in this embodiment, the association management server 400 that manages the information (attached file information) of the attached file of the email 3 and the message ID that identifies the email 3 in association with each other is the user terminal. By adopting a mechanism capable of receiving the safe file information 8a from 500, it is possible to reduce the information amount of the association information 7a accumulated for identifying the infection source mail 9a.

The results of trial calculations by the inventors regarding the reduction of the amount of information are shown below. First, the amount of information when the message ID of the e-mail 3 having the attached file and the attached file information are simply stored will be considered.

The maximum length of the character string used for the message ID is not defined by the standard, but generally a length of about 64 bytes to 256 bytes is used. The attached file information is information in which the contents of the file are summarized by a hash function or the like and converted into a character string, which is a character string of several tens of bytes.

The inventors calculated the amount of information to be stored when the environment was assumed as follows.
・E-mail distribution volume: 200,000 mails per day (for a company with 2,000 employees, 100 mails per person)
・Attached file content rate: 50%
-Number of attached files: 1 on average per e-mail-Message ID length: 128 bytes on average-File information length: 80 bytes on average.

Also,
-Total message ID character string: 200,000 x 50% x 128 bytes
= 12800000 bytes = About 12MB
・Total file information: 200,000 x 50% x 2 x 80 bytes
= 16000000 bytes = About 16MB
・Total per day: 28MB
・Total when operating for 5 years: 28MB x 1825 days
=51100MB=About 50GB
Became.

That is, when malware is detected in the user terminal 500 after operating for 5 years, the message ID is searched from about 50 GB and 182.5 million records, which consumes a lot of time and CPU cost. It will be consumed.
-Assuming a large-scale user of more than 10,000, the amount of information will be unrealistic and operation will be difficult.

However, in the present exemplary embodiment, the association management server 400 receives the safe file information 8a determined by the agent of the user terminal 500 using the result log 514 of the malware detection unit 513, and thus the association information storage It is possible to reduce the increase in the amount of information stored in the DB 460.

Next, the protection by re-infection in this embodiment will be described. In recent years, targeted attacks using e-mail have become more sophisticated, and endpoint sensors have been used to immediately detect malware 93w. In the present embodiment, the malware detection unit 513 of the user terminal 500 corresponds to the endpoint type sensor. Targeted attacks are one type of cyber attack that targets users of specific companies and organizations.
The endpoint type sensor can specify the file name of the malware 93w that behaves abnormally on the user terminal 500, but cannot specify the infection source mail 9a. Therefore, there is a problem that the infection source mail 9a remains in the mail server 300 and reinfection or transfer to the outside becomes a perpetrator, leading to deterioration of the trust of the company.

In the present embodiment, the infection source mail 9a can be specified, and the deletion of the infection source mail 9a specified in the mail server 300 and the deletion of the downloaded infection source file 91e can be prohibited.

Furthermore, it also has the effect of preventing reinfection. If the infection source mail 9a remains in the mail server 300, there is a possibility of reinfection when the user operates the infection source mail 9a again. Further, there is a possibility that the infection may spread due to an operation such as a transfer of the infection source mail 9a to another user by the user.

Even in the case of reinfection, the endpoint type sensor in each user terminal 500 can detect and report a threat. For this reason, reinfection is not considered necessary. However, in the case of the behavior type sensor, since the detection is performed after the program operates, the threat is detected when the computer system is destroyed or modified. Therefore, unlike conventional signature-based detection, reinfection causes damage to proceed again. Even in the situation where the malware 93w can be detected by the endpoint type sensor, it is important to immediately delete the infection source mail 9a in the mail server 300.

In this embodiment, since it is possible to request the mail server 300 to delete the infection source mail 9a, it is possible to minimize the threat of reinfection.

The present invention is not limited to the specifically disclosed embodiments, and various modifications and changes can be made without departing from the scope of the claims.

With regard to the embodiments including the above examples, the following additional notes are further disclosed.
(Appendix 1)
On the computer,
For each piece of attached file information that identifies the file data attached to the message, the specific information that identifies the message is stored in association with the storage unit,
In response to receipt of safety information indicating that there is no risk for the attached file data from any of the transmission destinations of the messages, the attachment specified in the safety information stored in the storage unit. A management program for executing a process of deleting file information from the storage unit.
(Appendix 2)
On the computer,
In response to receiving the infection information indicating that the file data is infected, based on the identification information stored in the storage unit and associated with the attached file information identified by the infection information, 2. The management program according to appendix 1, which specifies a message, and causes a device holding the message and a destination of the message to execute processing for requesting deletion of the message.
(Appendix 3)
On the computer,
In response to receiving the risk information notifying the dangerous file data, the process of requesting the notification source to specify the attached file information of the dangerous file data indicated by the risk information is executed,
3. The management program according to appendix 2, wherein the infection information specifying the attached file information specified in response to the request is received.
(Appendix 4)
On the computer,
In response to receiving the safety information indicating that the file data is not dangerous, based on the specific information stored in the storage unit and associated with the attached file information specified by the safety information. A process of specifying the message, requesting the destination of the message to delete the message, and deleting the attachment file information stored in the storage unit and specified by the safety information from the storage unit 5. The management program according to appendix 3, characterized in that the management program is executed.
(Appendix 5)
On the computer,
At least performing a process of storing the specific information that identifies the message and the information of the destination of the message in the storage unit in association with each other,
4. The management program according to appendix 2 or 3, characterized in that the information of the transmission destination associated with the specific information associated with the attached file information identified by the infection information is acquired.
(Appendix 6)
Computer
For each piece of attached file information that identifies the file data attached to the message, the specific information that identifies the message is stored in association with the storage unit,
In response to receipt of safety information indicating that there is no risk for the attached file data from any of the transmission destinations of the message, the attachment specified in the safety information stored in the storage unit. A management method for performing a process of deleting file information from the storage unit.
(Appendix 7)
An associating unit that associates, for each piece of attached file information that identifies the file data attached to the message, the identification information that identifies the message in the storage unit,
In response to receipt of safety information indicating that there is no risk for the attached file data from any of the transmission destinations of the message, the attachment specified in the safety information stored in the storage unit. An information processing apparatus, comprising: a deletion unit that deletes file information from the storage unit.

2f Attachment 3 Email 7a Correspondence information 8a Safe file information 8b Infection source file information 9a Infection source mail 9m Malware information 91e Infection source file 100 SMTP server 300 Mail server 330 Attachment file management unit 350 Attachment file information acquisition unit 400 Compatible Attachment management server 410 Correlation information receiving unit, 430 Correlation information deleting unit 450 Message ID specifying unit, 460 Correlation information accumulating unit 470 Infection source file specifying unit, 490 Malware information DB
500 user terminal 510 mail software 513 malware detection unit, 515 generation route tracking unit 514 result log 530 agent 532 retrieval monitoring unit, 534 file information acquisition unit 540 agent DB
1000 systems

Claims (6)

On the computer,
For each piece of attached file information that identifies the file data attached to the message, the specific information that identifies the message is stored in association with the storage unit,
In response to receipt of safety information indicating that there is no risk for the attached file data from any of the transmission destinations of the messages, the attachment specified in the safety information stored in the storage unit. A management program for executing a process of deleting file information from the storage unit. On the computer,
In response to receiving the infection information indicating that the file data is infected, based on the identification information stored in the storage unit and associated with the attached file information identified by the infection information, The management program according to claim 1, wherein the management program executes a process of specifying a message and requesting a device holding the message and a destination of the message to delete the message. On the computer,
In response to receiving the risk information notifying the dangerous file data, the process of requesting the notification source to specify the attached file information of the dangerous file data indicated by the risk information is executed,
The management program according to claim 2, wherein the infection information specifying the attached file information specified in response to the request is received. On the computer,
In response to receiving the safety information indicating that the file data is not dangerous, based on the specific information stored in the storage unit and associated with the attached file information specified by the safety information. Identify the message,
By sending a removal request cutting with respect to the destination of the message, the attachment information of claims 1 to 3, characterized in that for executing processing Ru is deleted from the transmission destination specified by the safety information The management program according to any one of items. Computer
For each piece of attached file information that identifies the file data attached to the message, the specific information that identifies the message is stored in association with the storage unit,
In response to receipt of safety information indicating that there is no risk for the attached file data from any of the transmission destinations of the messages, the attachment specified in the safety information stored in the storage unit. A management method for performing a process of deleting file information from the storage unit. An associating unit that associates, for each attached file information that identifies the file data attached to the message, the specific information that identifies the message in the storage unit,
In response to receipt of safety information indicating that there is no risk for the attached file data from any of the transmission destinations of the message, the attachment specified in the safety information stored in the storage unit. An information processing device, comprising: a deletion unit that deletes file information from the storage unit.

Images