JP6783261B2 - Threat information extraction apparatus and threat information extraction system - Google Patents
Threat information extraction apparatus and threat information extraction system
- Publication number
- JP6783261B2 (application JP2018025426A)
- Authority
- JP
- Japan
- Prior art keywords
- address
- threat information
- information
- threat
- information extraction
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
Reference numerals used in the drawings:
100 threat information DB
200 external knowledge DB
300 DNS
400 forwarding device
500 threat information extraction apparatus
501 threat information exchange unit
510 threat information extraction unit
511 workflow management function
512 threat information shaping function
513 similar host extraction function
514 host state monitoring function
515 host characteristic extraction function
516 traffic aggregation function
520 network information DB
521 query log table (TB)
522 flow table (TB)
Claims (7)
- A threat information extraction apparatus comprising:
a network information DB that stores query logs and flow information; and
a threat information extraction unit that, using the query logs and the flow information, extracts new threat information from acquired threat information,
wherein the threat information extraction unit:
extracts a first IP address and an FQDN of a C2 server from the acquired threat information;
extracts, from the query logs, a second IP address that was returned for the extracted FQDN;
creates aggregate information for the first IP address and the second IP address from the flow information;
estimates, from the aggregate information, feature values of the communication relating to the first IP address and the second IP address; and
based on the estimated feature values, extracts zero or more other IP addresses with which communication similar to that of the first IP address and the second IP address is taking place, and generates them as threat information.
- The threat information extraction apparatus according to claim 1, wherein the flow information includes at least, for each flow, the protocol, source IP address, source port, destination IP address, destination port and traffic volume.
- The threat information extraction apparatus according to claim 1 or 2, wherein a query log includes at least the requesting IP address, the FQDN and the returned IP address.
- The threat information extraction apparatus according to any one of claims 1 to 3, wherein the aggregate information includes at least the number of communication peers of the first IP address or the second IP address.
- The threat information extraction apparatus according to any one of claims 1 to 4, wherein the feature values include the average bit rate and the average communication duration of the communication relating to the first IP address or the second IP address.
- The threat information extraction apparatus according to any one of claims 1 to 5, wherein, among the first IP address, the second IP address and the other IP addresses, the communication of an IP address having a botnet at or above a predetermined threshold is monitored, and an anomaly is detected based on the flow information of the monitored IP address.
- A threat information extraction system comprising:
the threat information extraction apparatus according to any one of claims 1 to 6; and
a threat information DB that stores the threat information extracted by the threat information extraction apparatus.
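Worked example, added here and not code from the patent or its assignee: the pivot of claim 1 carried out in Python over constructed DNS query-log and flow records. It takes a C2 IP address and FQDN from threat information, collects the addresses the FQDN resolved to in the query log (the second IP addresses), builds the per-address aggregates of claims 4 and 5 (peer count, average bit rate, average duration) from the flows, estimates the seed profile, and returns zero or more other addresses whose profile is similar. The record field names, the flow duration field, the similarity rule (every feature within a relative tolerance of the seed profile), the use of peer count as a stand-in for botnet size in claim 6, and all sample addresses are assumptions of this example, not the patent's.

```python
# Added example, not code from the patent or its assignee. It walks claim 1 over
# constructed DNS query-log and flow records: threat intel (C2 IP + FQDN) -> IPs the
# FQDN resolved to in the query log -> per-IP aggregates from flows -> feature
# values -> other IPs with a similar profile, emitted as new threat information.
# Field names, the similarity rule and all addresses below are assumptions.
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Flow:                 # claim 2 fields plus an assumed duration
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int
    duration_s: float       # needed to derive bit rate and average duration (claim 5)


# Constructed query log rows: (requesting IP, FQDN, returned IP), as in claim 3.
QUERY_LOG = [
    ("10.0.0.5", "c2.example.test", "203.0.113.10"),
    ("10.0.0.7", "c2.example.test", "203.0.113.11"),   # FQDN later resolved to a second IP
    ("10.0.0.9", "cdn.example.test", "198.51.100.50"),
]

# Constructed flows: 203.0.113.10/.11 are the known C2 addresses, 203.0.113.12 an
# unknown host with the same short low-rate beacon profile, the rest benign traffic.
FLOWS = [
    Flow("tcp", "10.0.0.5", 51000, "203.0.113.10", 443, 1200, 2.0),
    Flow("tcp", "10.0.0.7", 51001, "203.0.113.10", 443, 1000, 2.0),
    Flow("tcp", "10.0.0.8", 51002, "203.0.113.10", 443, 1400, 2.0),
    Flow("tcp", "10.0.0.7", 51003, "203.0.113.11", 443, 1200, 2.0),
    Flow("tcp", "10.0.0.9", 51004, "203.0.113.11", 443, 1200, 2.0),
    Flow("tcp", "10.0.0.5", 51005, "203.0.113.12", 443, 1100, 2.0),
    Flow("tcp", "10.0.0.9", 51006, "203.0.113.12", 443, 1300, 2.0),
    Flow("tcp", "10.0.0.11", 51007, "203.0.113.12", 443, 1200, 2.0),
    Flow("tcp", "10.0.0.5", 51008, "198.51.100.50", 443, 5_000_000, 30.0),   # bulk download
    Flow("tcp", "10.0.0.9", 51009, "198.51.100.50", 443, 8_000_000, 45.0),
] + [Flow("udp", f"10.0.0.{i}", 40000 + i, "192.0.2.53", 53, 100, 0.01)     # resolver
     for i in range(20, 25)]


def extract_indicators(threat_info):
    """Step 1: the C2 server's IP (first IP) and FQDN from the acquired threat info."""
    return threat_info["c2_ip"], threat_info["fqdn"]


def second_ips(query_log, fqdn):
    """Step 2: every IP the query log shows being returned for the FQDN."""
    return {returned for _, name, returned in query_log if name == fqdn}


def aggregate(flows, ip):
    """Step 3 (claims 4 and 5): peer count, average bit rate and average duration
    over every flow in which `ip` is an endpoint; None if it never appears."""
    mine = [f for f in flows if ip in (f.src, f.dst)]
    if not mine:
        return None
    peers = {f.src if f.dst == ip else f.dst for f in mine}
    return {"peers": len(peers),
            "avg_bps": mean(8 * f.nbytes / f.duration_s for f in mine),
            "avg_duration_s": mean(f.duration_s for f in mine)}


def seed_features(flows, seed_ips):
    """Step 4: feature values estimated as the mean aggregate over the seed IPs."""
    aggs = [a for a in (aggregate(flows, ip) for ip in seed_ips) if a]
    return {k: mean(a[k] for a in aggs) for k in aggs[0]} if aggs else None


def is_similar(agg, feats, tol):
    """Assumed rule: each feature within a relative tolerance of the seed value."""
    return all((abs(agg[k] - v) <= tol * v) if v else agg[k] == 0
               for k, v in feats.items())


def extract_threat_info(threat_info, query_log, flows, tol=0.5):
    """Claim 1 end to end. Candidates are flow destinations only, since the seeds are
    servers; internal victims such as 10.0.0.7 would otherwise match the profile too."""
    first_ip, fqdn = extract_indicators(threat_info)
    seeds = {first_ip} | second_ips(query_log, fqdn)
    feats = seed_features(flows, seeds)
    new = []
    if feats:
        for ip in sorted({f.dst for f in flows} - seeds):
            agg = aggregate(flows, ip)
            if agg and is_similar(agg, feats, tol):
                new.append(ip)
    return {"seed_ips": sorted(seeds), "features": feats, "new_ips": new}


def to_monitor(flows, ips, threshold):
    """Claim 6, with peer count standing in for botnet size (assumption)."""
    return sorted(ip for ip in ips
                  if (aggregate(flows, ip) or {}).get("peers", 0) >= threshold)


if __name__ == "__main__":
    ti = {"c2_ip": "203.0.113.10", "fqdn": "c2.example.test"}   # constructed threat info
    result = extract_threat_info(ti, QUERY_LOG, FLOWS)
    print(result)                                                   # new_ips: ['203.0.113.12']
    print(to_monitor(FLOWS, result["seed_ips"] + result["new_ips"], threshold=3))
```

The tolerance of 0.5 and the three features are choices made for this example; the claims fix only that the aggregate includes the peer count and that the feature values include average bit rate and average duration. Restricting candidates to flow destinations is what keeps the already-infected internal host out of the output, and a threat information whose C2 IP and FQDN appear in neither data source yields an empty list, which is the "zero or more" case of claim 1.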
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2018025426A JP6783261B2 (ja) | 2018-02-15 | 2018-02-15 | Threat information extraction apparatus and threat information extraction system |
US16/968,974 US11546356B2 (en) | 2018-02-15 | 2019-02-08 | Threat information extraction apparatus and threat information extraction system |
PCT/JP2019/004586 WO2019159833A1 (ja) | 2018-02-15 | 2019-02-08 | Threat information extraction apparatus and threat information extraction system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2018025426A JP6783261B2 (ja) | 2018-02-15 | 2018-02-15 | Threat information extraction apparatus and threat information extraction system |
Publications (2)
Publication Number | Publication Date |
---|---|
JP2019145879A JP2019145879A (ja) | 2019-08-29 |
JP6783261B2 true JP6783261B2 (ja) | 2020-11-11 |
Family
ID=67619291
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
JP2018025426A Active JP6783261B2 (ja) | 2018-02-15 | 2018-02-15 | Threat information extraction apparatus and threat information extraction system |
Country Status (3)
Country | Link |
---|---|
US (1) | US11546356B2 (ja) |
JP (1) | JP6783261B2 (ja) |
WO (1) | WO2019159833A1 (ja) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DK3588897T3 (da) * | 2018-06-30 | 2020-05-25 | Ovh | Method and system for defending an infrastructure against a distributed denial of service attack |
JP2023054506A (ja) * | 2021-10-04 | 2023-04-14 | LAC Co., Ltd. (株式会社ラック) | Information retrieval system, information retrieval method and program |
KR102661261B1 (ko) * | 2022-10-20 | 2024-04-29 | Korea Institute of Science and Technology Information (한국과학기술정보연구원) | Botnet detection system and method |
CN115955333A (zh) * | 2022-12-02 | 2023-04-11 | Beijing Knownsec Information Technology Co., Ltd. (北京知道创宇信息技术股份有限公司) | C2 server identification method, apparatus, electronic device and readable storage medium |
CN116192490A (zh) * | 2023-02-14 | 2023-05-30 | Beijing Zorelworld Information Technology Co., Ltd. (北京中睿天下信息技术有限公司) | Traffic-behavior-based network threat detection method and system |
Family Cites Families (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7500266B1 (en) * | 2002-12-03 | 2009-03-03 | Bbn Technologies Corp. | Systems and methods for detecting network intrusions |
US7624447B1 (en) * | 2005-09-08 | 2009-11-24 | Cisco Technology, Inc. | Using threshold lists for worm detection |
US7661136B1 (en) * | 2005-12-13 | 2010-02-09 | At&T Intellectual Property Ii, L.P. | Detecting anomalous web proxy activity |
US7917957B2 (en) * | 2007-05-29 | 2011-03-29 | Alcatel Lucent | Method and system for counting new destination addresses |
US7823202B1 (en) * | 2007-03-21 | 2010-10-26 | Narus, Inc. | Method for detecting internet border gateway protocol prefix hijacking attacks |
JP4755658B2 (ja) | 2008-01-30 | 2011-08-24 | Nippon Telegraph and Telephone Corporation (日本電信電話株式会社) | Analysis system, analysis method and analysis program |
JP5286018B2 (ja) * | 2008-10-07 | 2013-09-11 | KDDI Corporation (Kddi株式会社) | Information processing apparatus, program, and recording medium |
US10574630B2 (en) * | 2011-02-15 | 2020-02-25 | Webroot Inc. | Methods and apparatus for malware threat research |
US9118702B2 (en) * | 2011-05-31 | 2015-08-25 | Bce Inc. | System and method for generating and refining cyber threat intelligence data |
US9661003B2 (en) * | 2012-05-11 | 2017-05-23 | Thomas W. Parker | System and method for forensic cyber adversary profiling, attribution and attack identification |
CN103078752B (zh) * | 2012-12-27 | 2016-03-30 | Huawei Technologies Co., Ltd. (华为技术有限公司) | Method, apparatus and device for detecting e-mail attacks |
JP6053091B2 (ja) * | 2014-03-19 | 2016-12-27 | Nippon Telegraph and Telephone Corporation (日本電信電話株式会社) | Traffic feature information extraction method, traffic feature information extraction apparatus and traffic feature information extraction program |
US9344441B2 (en) * | 2014-09-14 | 2016-05-17 | Cisco Technology, Inc. | Detection of malicious network connections |
US20160164886A1 (en) * | 2014-10-17 | 2016-06-09 | Computer Sciences Corporation | Systems and methods for threat analysis of computer data |
US10681060B2 (en) * | 2015-05-05 | 2020-06-09 | Balabit S.A. | Computer-implemented method for determining computer system security threats, security operations center system and computer program product |
JP6641819B2 (ja) * | 2015-09-15 | 2020-02-05 | Fujitsu Limited (富士通株式会社) | Network monitoring apparatus, network monitoring method and network monitoring program |
KR101890272B1 (ko) * | 2015-10-19 | 2018-08-21 | Korea Institute of Science and Technology Information (한국과학기술정보연구원) | Method and apparatus for automatic verification of security events |
US10673870B2 (en) * | 2017-01-27 | 2020-06-02 | Splunk Inc. | Security monitoring of network connections using metrics data |
TWI648650B (zh) * | 2017-07-20 | 2019-01-21 | Chunghwa Telecom Co., Ltd. (中華電信股份有限公司) | Gateway device, method for detecting malicious domains and compromised hosts thereof, and non-transitory computer-readable medium |
2018
- 2018-02-15 JP JP2018025426A patent/JP6783261B2/ja active Active
2019
- 2019-02-08 US US16/968,974 patent/US11546356B2/en active Active
- 2019-02-08 WO PCT/JP2019/004586 patent/WO2019159833A1/ja active Application Filing
Also Published As
Publication number | Publication date |
---|---|
US20210058411A1 (en) | 2021-02-25 |
US11546356B2 (en) | 2023-01-03 |
WO2019159833A1 (ja) | 2019-08-22 |
JP2019145879A (ja) | 2019-08-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6783261B2 (ja) | Threat information extraction apparatus and threat information extraction system | |
Rafique et al. | Firma: Malware clustering and network signature generation with mixed network behaviors | |
Kumar et al. | Early detection of Mirai-like IoT bots in large-scale networks through sub-sampled packet traffic analysis | |
EP3297248B1 (en) | System and method for generating rules for attack detection feedback system | |
US9578045B2 (en) | Method and apparatus for providing forensic visibility into systems and networks | |
US8935773B2 (en) | Malware detector | |
KR102580898B1 (ko) | System and method for selectively collecting computer forensic data using DNS messages | |
US8874723B2 (en) | Source detection device for detecting a source of sending a virus and/or a DNS attack linked to an application, method thereof, and program thereof | |
US11411851B2 (en) | Network sensor deployment for deep packet inspection | |
WO2014052756A2 (en) | Apparatus, system and method for identifying and mitigating malicious network threats | |
US11777960B2 (en) | Detection of DNS (domain name system) tunneling and exfiltration through DNS query analysis | |
WO2017039602A1 (en) | Collecting domain name system traffic | |
US20240146753A1 (en) | Automated identification of false positives in dns tunneling detectors | |
Wang et al. | Behavior‐based botnet detection in parallel | |
Kaushik et al. | Network forensic system for ICMP attacks | |
KR102125966B1 (ko) | System for collecting Tor network traffic and feature points using a private network and virtual machines | |
CN114172881B (zh) | Prediction-based network security verification method, apparatus and system | |
Sourour et al. | Network security alerts management architecture for signature-based intrusions detection systems within a NAT environment | |
van der Eijk et al. | Detecting cobalt strike beacons in netflow data | |
Alageel et al. | EarlyCrow: Detecting APT malware command and control over HTTP (S) using contextual summaries | |
Čermák et al. | Stream-Based IP Flow Analysis | |
EP3474489B1 (en) | A method and a system to enable a (re-)configuration of a telecommunications network | |
Biß et al. | Device discovery and identification in industrial networks (Geräteerkennung und -identifizierung in industriellen Netzen) | |
KR100775455B1 (ko) | Network test system and test method thereof | |
JP2009527982A (ja) | System and method for partitioning network traffic | |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
2019-12-16 | A621 | Written request for application examination | Free format text: JAPANESE INTERMEDIATE CODE: A621 |
2020-09-15 | A131 | Notification of reasons for refusal | Free format text: JAPANESE INTERMEDIATE CODE: A131 |
2020-10-12 | A521 | Request for written amendment filed | Free format text: JAPANESE INTERMEDIATE CODE: A523 |
| TRDD | Decision of grant or rejection written | |
2020-10-20 | A01 | Written decision to grant a patent or to grant a registration (utility model) | Free format text: JAPANESE INTERMEDIATE CODE: A01 |
2020-10-21 | A61 | First payment of annual fees (during grant procedure) | Free format text: JAPANESE INTERMEDIATE CODE: A61 |
| R150 | Certificate of patent or registration of utility model | Ref document number: 6783261; Country of ref document: JP; Free format text: JAPANESE INTERMEDIATE CODE: R150 |