JP6860161B2 - Unauthorized communication monitoring device, unauthorized communication monitoring method, unauthorized communication monitoring program, and unauthorized communication monitoring system - Google Patents

Description

The present invention relates to an unauthorized communication monitoring device, an unauthorized communication monitoring method, an unauthorized communication monitoring program, and an unauthorized communication monitoring system.

Malware called computer viruses, worms, etc. causes terminals to perform unauthorized communication in communication between terminals connected via a network composed of communication devices. As a method of detecting such malware, a method of monitoring communication packets with a communication device that relays communication packets sent and received between terminals is known.

Patent Document 1 discloses an infection prevention system that supports worm detection by monitoring a network and outputting information for identifying a worm infection source.

Patent Document 2 discloses a method of detecting a worm by monitoring the flow rate of communication packets sent and received between communication devices, fluctuations in the amount of communication, communication patterns, and the like.

Japanese Unexamined Patent Publication No. 2005-056243 Japanese Patent Publication No. 2008-518323

Patent Document 1 holds a worm pattern file in advance, and detects malware by comparing the pattern file with the payload of a communication packet. Therefore, Patent Document 1 has a problem that an unknown worm or a worm (subspecies) in which a part of an existing worm is modified cannot be detected.

Further, Patent Document 2 monitors the flow rate of communication packets, the tendency of fluctuations in communication volume, communication patterns, and the like, but this method only estimates the existence of worms. Therefore, Patent Document 2 has a problem that the existence of the worm cannot be determined.

An object of the present invention is to provide a fraudulent communication monitoring device, a fraudulent communication monitoring method, a fraudulent communication monitoring program, and a fraudulent communication monitoring system capable of detecting malware including unknown worms and variants of worms.

The fraudulent communication monitoring device according to the first aspect of the present invention includes a communication history receiving unit that receives communication history of communication packets transmitted and received between a terminal and a communication device and between a communication device and a communication device constituting a network, and the communication packet. based on the communication history, the terminal - the communication device and between the communication device - and a fraud communication detector that detects the unauthorized communication that triggered malware generated between the communication device, the unauthorized communication detector Detects the unauthorized communication based on the information in the range from the beginning of the communication packet to the part determined according to the communication protocol used for the communication of the communication packet in the communication history of the communication packet.

The method for monitoring unauthorized communication according to the second aspect of the present invention receives the communication history of communication packets transmitted and received between terminals and communication devices and between communication devices and communication devices constituting the network, and receives the communication history of the communication packets. Among them, based on the information in the range from the beginning of the communication packet to the part determined according to the communication protocol used for the communication of the communication packet , the terminal and the communication device and the communication device and the communication device are used. Detects unauthorized communication caused by malware generated in.

The fraudulent communication monitoring program according to the third aspect of the present invention is a process of receiving a communication history of communication packets transmitted and received between a terminal and a communication device and a communication device and a communication device constituting a network by a computer, and the communication packet. in the communication history, the beginning of the communication packet, processing based on the information of the range to a point determined according to the communication protocol used for communication of the communication packet, detecting fraudulent communication malware caused And to execute.

The unauthorized communication monitoring system according to the fourth aspect of the present invention includes a communication history collecting device and an unauthorized communication monitoring device, and the communication history collecting device is the head of the communication packet among the communication packets transmitted and received by the communication device. To a communication packet receiver that generates a communication history based on information in a range determined according to the communication protocol used for the communication of the communication packet, and a communication that transmits the communication history to the unauthorized communication monitoring device. The unauthorized communication monitoring device includes a history transmitting unit, a communication history receiving unit that receives the communication history, an unauthorized communication detecting unit that analyzes the communication history and detects an unauthorized communication generated by malware, and an unauthorized communication detecting unit. To be equipped.

According to the present invention, it is possible to provide an unauthorized communication monitoring device, an unauthorized communication monitoring method, an unauthorized communication monitoring program, and an unauthorized communication monitoring system capable of quickly detecting an unauthorized operation caused by malware.

It is a block diagram which shows the structure of the unauthorized communication monitoring apparatus which concerns on 1st Embodiment of this invention. It is a flowchart which shows the operation flow of the fraudulent communication monitoring apparatus which concerns on 1st Embodiment of this invention. It is a block diagram which shows the structure of the unauthorized communication monitoring system which concerns on 2nd Embodiment of this invention. It is a figure which shows an example of the network diagram generated by the fraudulent communication monitoring apparatus in the fraudulent communication monitoring system which concerns on 2nd Embodiment of this invention. It is a figure which shows an example of the report generated by the fraudulent communication monitoring apparatus in the fraudulent communication monitoring system which concerns on 2nd Embodiment of this invention. It is a figure which shows an example of the method of displaying the fraudulent communication in the report generated by the fraudulent communication monitoring apparatus in the fraudulent communication monitoring system which concerns on 2nd Embodiment of this invention. It is a flowchart which shows the operation flow of the communication history collecting apparatus in the fraudulent communication monitoring system which concerns on 2nd Embodiment of this invention. It is a flowchart which shows the operation flow of the fraudulent communication monitoring apparatus in the fraudulent communication monitoring system which concerns on 2nd Embodiment of this invention. It is a block diagram which shows the structure of the communication history monitoring device and the unauthorized communication monitoring device which concerns on other embodiment of this invention.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In each figure, the same or corresponding parts are designated by the same reference numerals, and the description thereof will be omitted as appropriate.

[First Embodiment]
FIG. 1 is a block diagram showing a configuration of an unauthorized communication monitoring device according to the first embodiment of the present invention.

The fraudulent communication monitoring device 20 of the present invention includes a communication history receiving unit 21 and a fraudulent communication detecting unit 22.

The communication history receiving unit 21 receives the communication history of communication packets transmitted / received between the terminals constituting the network and the communication device and between the communication device and the communication device. In the present embodiment, the "terminal" is a PC (Personal Computer), a server, a tablet terminal, a smartphone, or the like. Further, in the present embodiment, the "communication device" is a device having a role of a path that mediates communication between the terminal and the terminal. Specifically, the communication device includes a router, a hub, an L2 / L3 switch, a wireless LAN (Local Area Network) access point, a load balancer, and the like. In addition, security products such as firewalls, IPS (Intrusion Prevention System), and IDS (Intrusion Detection System) are also included in communication devices because they have a function of mediating communication between terminals.

The fraudulent communication detection unit 22 detects fraudulent communication by a communication device based on the communication history of the communication packet. Specifically, the unauthorized communication detection unit 22 detects unauthorized communication based on the information included in the header of the communication packet. That is, the unauthorized communication detection unit 22 does not detect the malware itself, but detects the unauthorized communication generated by the malware.

More specifically, the header of the communication packet includes information on the MAC (Media Access Control) address, IP (Internet Protocol) address, port, and the like of the communication device of the source. In addition, the header of the communication packet contains information about the MAC address, IP address, and port of the destination communication device. That is, the unauthorized communication detection unit 22 can obtain information on the transmission source communication device and the transmission destination communication device by analyzing the header of the communication packet. Therefore, the unauthorized communication detection unit 22 can grasp the terminal configuration connected to the network. The terminal configuration connected to the network means how the terminal is connected to the network.

On the other hand, malware usually causes the destination terminal to copy the malware. Utilizing this fact, the unauthorized communication detection unit 22 analyzes, for example, the IP address, port number, etc. of the destination terminal included in the header of the communication packet, and includes the IP address, port number, etc. of the nonexistent terminal. If so, the communication can be detected as an unauthorized communication generated by the packet. This is because, as described above, the unauthorized communication detection unit 22 has already grasped the terminal configuration connected to the network. Therefore, since the unauthorized communication detection unit 22 does not need a pattern file or the like to detect malware, it is possible to detect unknown malware or unauthorized communication generated by a variant of existing malware. it can.

Furthermore, the unauthorized communication detection unit 22 can detect packets that the malware has indiscriminately transmitted in order to search the network, such as packets whose destination is unknown and communication has failed. That is, the unauthorized communication detection unit 22 can detect the network search activity seen in the initial stage of the malware activity. Therefore, the unauthorized communication detection unit 22 can detect malware at an early stage.

[Operation of unauthorized communication monitoring device 20]
FIG. 2 is a flowchart showing an operation flow of the unauthorized communication monitoring device according to the first embodiment of the present invention.

In the unauthorized communication monitoring device 20, first, the communication history receiving unit 21 receives the communication history of the communication packet transmitted / received between the terminal and the communication device and between the communication device and the communication device (step S101).

Next, the unauthorized communication detection unit 22 detects unauthorized communication based on the information regarding the communication history of the communication packet received by the communication history receiving unit 21 (step S102).

[Second Embodiment]
FIG. 3 is a schematic diagram showing a configuration of an unauthorized communication monitoring system according to a second embodiment of the present invention.

The unauthorized communication monitoring system 100 shown in FIG. 3 includes a communication history collecting device 10 and an unauthorized communication monitoring device 20A. The communication history collecting device 10 is connected to, for example, each communication device constituting the network, and is connected to the communication device 30 in FIG. The unauthorized communication monitoring device 20A is, for example, a server between communication devices constituting the network. The communication history collecting device 10 and the unauthorized communication monitoring device 20A are connected via the network 40. The network 40 may be wired or wireless. Further, a plurality of communication history collecting devices 10 may be connected to the unauthorized communication monitoring device 20A via the network 40. In FIG. 3, the communication history collecting device 10 and the unauthorized communication monitoring device 20A are described as separate devices connected via the network 40, but this is an example and limits the present invention. It's not a thing. The communication history collecting device 10 and the unauthorized communication monitoring device 20A may be configured as one device, or at least one of the communication history collecting device 10 and the unauthorized communication monitoring device 20A is integrated with the communication device 30. It may be configured.

The illustrated communication history collecting device 10 includes a communication packet receiving unit 11 and a communication history transmitting unit 12.

The communication packet receiving unit 11 receives communication packets transmitted / received from the communication device 30 by the communication device 30 to / from another communication device or terminal. Further, the communication packet receiving unit 11 extracts from the beginning of the communication packet to the part necessary for analyzing the illegal communication generated by the malware. The part required to analyze malicious communication depends on what kind of communication the malware you want to detect performs. For example, some malware communicates using the HTTP protocol. In this case, the part necessary for analyzing the unauthorized communication of the malware is the length from the beginning of the packet to the range including the information of the connection destination URL included in the HTTP header. Extracting the range including the information of the connection destination URL included in the HTTP header from the beginning of the packet does not mean that only the information of the HTTP header is used for the analysis of illegal communication. Specifically, lower-level protocol information included in the same communication packet, for example, IP header and TCP header information included between the beginning and the HTTP header can also be used for analysis of unauthorized communication. Similarly, in the case of analyzing malware that communicates using TCP, in addition to the information in the TCP header, the information in the IP header, which is a lower protocol, can also be used for the analysis. In addition, the communication packet receiving unit 11 deletes a part that is not necessary for analysis. Further, the communication packet receiving unit 11 generates communication history data which is information on the communication history of the communication device 30 based on the portion extracted from the communication packet.

The communication history transmission unit 12 transmits the communication history data to the unauthorized communication monitoring device 20A via the network 40.

The unauthorized communication monitoring device 20A shown in FIG. 3 includes a communication history receiving unit 21, an unauthorized communication detection unit 22, and an unauthorized communication recognition unit 23.

The communication history receiving unit 21 receives the communication history data from the communication history transmitting unit 12.

The fraudulent communication detection unit 22 detects fraudulent communication via the communication device 30 based on the communication history data received by the communication history reception unit 21. Since the communication history data includes the communication history relayed by the communication device 30, the unauthorized communication detection unit 22 grasps the configuration of the terminal connected to the network and provides a security incident such as unauthorized communication caused by malware. Can be detected at the same time.

Further, although not shown in FIG. 3, the unauthorized communication detection unit 22 receives the communication history of the communication packet from each communication device constituting the network. That is, the unauthorized communication detection unit 22 can read the trace of malware activity based on the communication history of each communication device constituting the network. This means that the malware can erase its traces on the infected device (log tampering, erasing, disguising or erasing the malware itself, etc.). However, since the malware cannot erase even the communication history collected by the communication device 30, the unauthorized communication detection unit 22 can more reliably detect the activity of the malware. Since the specific operation of the fraudulent communication detection unit 22 has been described in the first embodiment, the description thereof will be omitted.

The unauthorized communication recognition unit 23 shows the user the state of communication between each communication device in the network. Specifically, the unauthorized communication recognition unit 23 can generate information that can visually determine unauthorized communication in the network, and can display the generated information to the user. Such an unauthorized communication recognition unit 23 includes, for example, a network diagram creation unit 231, a network screen display unit 232, a report creation unit 233, and a report output unit 234.

The network diagram creation unit 231 creates a network diagram showing the state of communication between the communication device 30 and each communication device based on the detection result of the communication between the communication devices in the network detected by the unauthorized communication detection unit 22. Further, the network diagram creation unit 231 causes the network screen display unit 232 to display the generated network diagram. The network screen display unit 232 can be configured by a normal display or the like. Although the network screen display unit 232 will be described as a display, this is an example and does not limit the present invention. The network screen display unit 232 may be provided, for example, in an external device (not shown) separate from the unauthorized communication monitoring device 20A. In this case, the fraud monitoring device 20A transmits the network diagram created by the network diagram creation unit 231 to the external device. Then, the external device displays the network diagram to the user. The external device is not particularly limited, but can be realized by, for example, a personal computer, a smartphone, or a tablet terminal.

FIG. 4 is a diagram showing an example of a network diagram created by the network diagram creation unit 231.

FIG. 4 shows a state of communication between the communication device 30 and three external devices which are communication devices different from the communication device 30. Specifically, the first communication 41 indicates communication between the communication device 30 and the first external device 31. The second communication 42 indicates communication between the communication device 30 and the second external device 32. The third communication 43 indicates communication between the communication device 30 and the third external device 33. In the first communication 41, the second communication 42, and the third communication 43, the direction of the arrow indicates the communication direction, and the thickness of the arrow indicates the communication amount.

In FIG. 4, the first communication 41 indicates that the communication device 30 communicates with the first external device 31 in only one direction. Here, it is assumed that the first external device 31 is a terminal that does not actually exist (for example, a terminal that does not have a corresponding address). In this case, the communication from the communication device 30 to the first external device 31 means an unauthorized communication, that is, the first communication 41 is a communication caused by malware. The second communication 42 and the third communication 43 are normal communications because the arrows point in both directions. Further, in FIG. 4, since the third communication 43 is thicker than the second communication 42, the communication device 30 communicates with the third external device 33 more than the second external device 32. It is also shown that there are many.

As shown in FIG. 4, the fraudulent communication monitoring system 100 can display the state between each communication device in the network and the state between each terminal and each communication device in a form that can be easily visually determined. Further, by changing the color according to the communication situation, such as displaying normal communication in blue and illegal communication in red, the user can easily determine the illegal communication. Further, the color is not limited to be changed. For example, the line expression method such as a wavy line or a broken line may be changed according to the communication, or the line display method may be changed such as blinking the line according to the communication. May be good. That is, the display method is not particularly limited as long as it is a method in which the difference can be visually determined according to the communication. That is, the user can quickly and accurately grasp the state of communication in the network by visually recognizing the network diagram displayed by superimposing unauthorized communication, normal communication, and the like on the network configuration.

In addition, the network diagram creation unit 231 shown in FIG. 3 shows the communication port number, IP address, and MAC address of each of the communication source and the communication destination in the illustration of the network configuration and the illustration of the activity range (damage range) of the malware. , Period, network address, etc. can be freely changed.

The report creation unit 233 generates a report showing the state of malware activity on the network (for example, network search, remote control, infection spread) in chronological order. Specifically, since the communication history receiving unit 21 receives the communication history of the communication packet of the communication device 30, the report creating unit 233 can create a report showing the activity of the malware in chronological order. In addition, the report creation unit 233 outputs the created report to the report output unit 234. The report output unit 234 can be configured by a normal display or the like. Although the report output unit 234 will be described as a display, this is an example and does not limit the present invention. The report output unit 234 may be provided, for example, in an external device (not shown) separate from the unauthorized communication monitoring device 20A. In this case, the fraud monitoring device 20A transmits the network diagram created by the report creation unit 233 to the external device. Then, the external device displays the network diagram to the user. The external device is not particularly limited, but can be realized by, for example, a personal computer, a smartphone, or a tablet terminal.

FIG. 5 is a diagram showing an example of a report created by the report creation unit 233.

As shown in FIG. 5, the report creation unit 233 can create a report that visually shows the communication generated by each communication device within an arbitrary designated period. The report shown in FIG. 5 includes the IP address of the source terminal, the IP address of the destination, the date, the communication protocol, the port number, and the like. Here, the file format of the report created by the report creation unit 233 is not limited, and is, for example, a CSV format or a PDF format.

Specifically, the report creation unit 233 can display the communication generated by each communication device separately for each communication protocol. In FIG. 5, TCP (Transmission Control Protocol), UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol), and other communication protocols are displayed so that the user can distinguish them. In addition, the port number used for the communication is also described in each communication protocol. Further, in the report shown in FIG. 5, the communication within the segment is represented by a solid line and the communication outside the segment is represented by a broken line so that the user can determine at a glance whether the communication is inside or outside the segment. In FIG. 5, the communication outside the segment is represented by a broken line, but this is an example and does not limit the present invention. The expression representing the communication outside the segment may be an expression that can be distinguished from the communication within the segment, and the line type, color, or the like may be changed from the expression representing the communication within the segment. In FIG. 5, as out-of-segment communication, on January 20, the terminal "192.168.1.10" communicates with the destination "10.11.244.80" using the port number 80. It is shown that it was done. Further, in FIG. 5, as communication within the segment, the terminal “192.168.1.11” uses the port number 80 for the destination “192.168.1.10” on January 21st. It is shown that it communicated with. That is, in the report shown in FIG. 5, the user can narrow down the destinations by protocol, port number, IP address, and the like. In addition, the report generation unit 233 can generate a report divided into separate lines for each port number regarding communication with each destination, and can display a plurality of port numbers in one frame. It is possible.

The unauthorized communication in FIG. 5 will be described. As illegal communication, the user is notified of communication that does not normally occur, such as direct communication between terminals, instead of normal communication such as communication between terminals and servers. In FIG. 5, such communication occurs on January 21st and January 22nd, when the destination "192.168.1.59" is the terminal, the terminal "192.168.1.10". And the communication between the destination "192.168.1.59" is illegal communication. In addition, communication using a protocol that is not normally used and communication using a port number that is not normally used are also illegal communications. In FIG. 5, other communications (ARP (Address Resolution Protocol), DHCP (Dynamic)) to the terminal “192.168.1.13” and the destination “12.253.14.29” that occurred on January 21st. Host Configuration Protocol), etc.) is illegal communication. Similarly, other communications (ARP, DHCP, etc.) to the terminal "192.168.1.13" and the destination "12.253.14.29" that occurred on January 22 are illegal communications.

A method of showing unauthorized communication to the user will be described with reference to FIG. FIG. 6 is an example of a report showing the user unauthorized communication to the user.

The report creation unit 233 generates, for example, a report in which the unauthorized communication is displayed in a color or shape different from that of the normal communication so that the user can distinguish between the normal communication and the unauthorized communication. In FIG. 6, the illegal communication is filled in and displayed. Further, the report creation unit 233 may extract the unauthorized communication and separately generate a report composed of only the extracted unauthorized communication.

[Operation of unauthorized communication monitoring system 100]
Next, the operation flow of the unauthorized communication monitoring system 100 will be described. FIG. 7 is a flowchart showing the operation flow of the communication history collecting device 10 in the unauthorized communication monitoring system 100.

In the communication history collecting device 10, first, the communication packet receiving unit 11 receives the communication history of the communication packet from the communication device 30 (step S201). Next, the communication packet receiving unit 11 extracts up to a portion of the communication packet necessary for analyzing the malicious communication generated by the malware, and generates communication history data based on the extracted portion (step). S202). Next, the communication history transmission unit 12 transmits the communication history data to the unauthorized communication monitoring device 20A (step S203).

FIG. 8 is a flowchart showing an operation flow of the unauthorized communication monitoring device 20A in the unauthorized communication monitoring system 100.

In the unauthorized communication monitoring device 20A, first, the communication history receiving unit 21 receives the communication history data from the communication history transmitting unit 12 (step S301). Next, the unauthorized communication detection unit 22 analyzes the communication history data received by the communication history reception unit 21 (step S302). Then, the unauthorized communication detection unit 22 detects the unauthorized communication generated by the malware based on the analysis result (step S303). Finally, the unauthorized communication recognition unit 23 outputs to the user information that can visually determine the unauthorized communication in the network (step S304).

[Other Embodiments]
The communication history collecting device and the fraudulent communication monitoring device constituting the fraudulent communication monitoring system may be realized by hardware or software. Further, the commercial communication history collecting device and the unauthorized communication monitoring device may be realized by a combination of hardware and software.

FIG. 9 is a block diagram showing an example of an information processing device (computer) constituting a communication history collecting device and an unauthorized communication monitoring device.

As shown in FIG. 9, the information processing device 200 includes a control unit (CPU: Central Processing Unit) 210, a storage unit 220, a ROM (Read Only Memory) 230, a RAM (Random Access Memory) 240, and a communication interface. It includes 250 and a user interface 260.

The control unit (CPU) 210 can realize various functions of the communication history collecting device and the unauthorized communication monitoring device by expanding the program stored in the storage unit 220 or the ROM 230 into the RAM 240 and executing the program. Further, the control unit (CPU) 210 may include an internal buffer that can temporarily store data and the like.

The storage unit 220 is a large-capacity storage medium that can hold various types of data, and can be realized by a storage medium such as an HDD (Hard Disk Drive) and an SSD (Solid State Drive). Further, the storage unit 220 may be a cloud storage existing on the communication network when the information processing device 200 is connected to the communication network via the communication interface 250. Further, the storage unit 220 may hold a program that can be read by the control unit (CPU) 210.

The ROM 230 is a non-volatile storage device that can be configured with a flash memory or the like having a smaller capacity than the storage unit 220. Further, the ROM 230 may hold a program that can be read by the control unit (CPU) 210. The program that can be read by the control unit (CPU) 210 may be held by at least one of the storage unit 220 and the ROM 230.

The program that can be read by the control unit (CPU) 210 may be supplied to the information processing device 200 in a state of being non-temporarily stored in various storage media that can be read by a computer. Such storage media are, for example, magnetic tapes, magnetic disks, magneto-optical disks, CD-ROMs, CD-Rs, CD-R / Ws, and semiconductor memories.

The RAM 240 is a semiconductor memory such as a DRAM (Dynamic Random Access Memory) and a SRAM (Static Random Access Memory), and can be used as an internal buffer for temporarily storing data and the like.

The communication interface 250 is an interface that connects the information processing device 200 and the communication network via a wired or wireless device.

The user interface 260 is, for example, a display unit such as a display and an input unit such as a keyboard, a mouse, and a touch panel.

Although the embodiments of the present invention have been described above, the present invention is not limited to the above-described embodiments. The present invention also includes a form in which a part or all of the embodiments are appropriately combined, and a form in which the embodiment is appropriately modified.

Some or all of the above embodiments may also be described, but not limited to:

[Appendix 1]
A communication history receiver that receives the communication history of communication packets sent and received between terminals and communication devices and between communication devices and communication devices that make up the network.
Unauthorized communication monitoring including an unauthorized communication detection unit that detects unauthorized communication generated by malware generated between the terminal and the communication device and between the communication device and the communication device based on the communication history of the communication packet. apparatus.

[Appendix 2]
The fraudulent communication detection unit detects the fraudulent communication from the beginning of the communication packet in the communication history of the communication packet based on a part necessary for analyzing the fraudulent communication generated by the malware. The unauthorized communication monitoring device according to Appendix 1.

[Appendix 3]
The fraudulent communication monitoring device according to Appendix 1 or 2, further comprising a fraudulent communication recognition unit that visually displays the state of communication in the network based on the detection result of the fraudulent communication detection unit.

[Appendix 4]
The unauthorized communication monitoring device according to Appendix 3, wherein the unauthorized communication recognition unit includes a network generation unit that generates a network diagram showing a state of communication generated in the network.

[Appendix 5]
The unauthorized communication monitoring device according to Appendix 3 or 4, wherein the unauthorized communication recognition unit has a report creation unit that creates a report showing the state of activity of the malware on the network in chronological order.

[Appendix 6]
Receives the communication history of communication packets sent and received between terminals and communication devices and between communication devices and communication devices that make up the network.
A fraudulent communication monitoring method for detecting fraudulent communication generated by malware generated between the terminal and the communication device and between the communication device and the communication device based on the communication history of the communication packet.

[Appendix 7]
The unauthorized communication according to Appendix 6 that detects the unauthorized communication based on the portion of the communication history of the communication packet necessary for analyzing the unauthorized communication generated by the malware from the beginning of the communication packet. Monitoring method.

[Appendix 8]
The unauthorized communication monitoring method according to Appendix 6 or 7, which visually displays the state of communication in the network based on the detection result of the unauthorized communication detection unit.

[Appendix 9]
The method for monitoring unauthorized communication according to Appendix 8, which has a network generator that generates a network diagram showing the state of communication generated in the network.

[Appendix 10]
The method for monitoring unauthorized communication according to Appendix 8 or 9, which creates a report showing the state of activity of the malware on the network in chronological order.

[Appendix 11]
On the computer
Processing to receive the communication history of communication packets sent and received between terminals and communication devices and between communication devices and communication devices that make up the network.
A fraudulent communication monitoring program that executes a process of detecting fraudulent communication generated by malware based on the communication packet communication history.
[Appendix 12]
On the computer
In Appendix 11, the process of detecting the unauthorized communication is executed from the beginning of the communication packet in the communication history of the communication packet based on the portion necessary for analyzing the unauthorized communication generated by the malware. The listed unauthorized communication monitoring program.

[Appendix 13]
On the computer
The unauthorized communication monitoring program according to Appendix 11 or 12, which executes a process of visually displaying the state of communication in the network based on the detection result of the unauthorized communication detection unit.

[Appendix 14]
On the computer
The unauthorized communication monitoring program according to Appendix 13, which executes a process of generating a network diagram showing a state of communication generated in the network.

[Appendix 15]
On the computer
The unauthorized communication monitoring program according to Appendix 13 or 14, which executes a process of creating a report showing the state of activity of the malware on the network in chronological order.

[Appendix 16]
Including a communication history collection device and an unauthorized communication monitoring device,
The communication history collecting device is
A communication packet receiver that generates a communication history from the beginning of the communication packet sent / received by the communication device based on information about a part necessary for analyzing an unauthorized communication generated by the malware.
A communication history transmission unit that transmits the communication history to the unauthorized communication device is provided.
The unauthorized communication monitoring device is
The communication history receiving unit that receives the communication history and
An unauthorized communication monitoring system including an unauthorized communication detection unit that analyzes the communication history and detects unauthorized communication generated by malware.

10 ... Communication history collection device 11 ... Communication packet reception unit 12 ... Communication history transmission unit 20,20A ... Unauthorized communication monitoring device 21 ... Communication history reception unit 22 ... Unauthorized communication detection unit 23 ... Unauthorized communication recognition unit 30 ... Communication device 31 ... First external device 32 ... Second external device 33 ... Third external device 41 ... First communication 42・ ・ ・ Second communication 43 ・ ・ ・ Third communication 231 ・ ・ ・ Network diagram creation unit 232 ・ ・ ・ Network screen display unit 233 ・ ・ ・ Report creation unit 234 ・ ・ ・ Report output unit

Claims (8)

A communication history receiver that receives the communication history of communication packets sent and received between terminals and communication devices and between communication devices and communication devices that make up the network.
A fraudulent communication detection unit that detects malicious communication generated by malware generated between the terminal and the communication device and between the communication device and the communication device based on the communication history of the communication packet is provided .
The fraudulent communication detection unit is based on information in the range from the beginning of the communication packet to a portion determined according to the communication protocol used for communication of the communication packet in the communication history of the communication packet. Unauthorized communication monitoring device that detects communication. The fraudulent communication monitoring device according to claim 1, further comprising a fraudulent communication recognition unit that visually displays the state of communication in the network based on the detection result of the fraudulent communication detection unit. The unauthorized communication monitoring device according to claim 2 , wherein the unauthorized communication recognition unit includes a network generation unit that generates a network diagram showing a state of communication generated in the network. The unauthorized communication monitoring device according to claim 2 or 3 , wherein the unauthorized communication recognition unit has a report creation unit that creates a report showing the state of activity of the malware on the network in chronological order. Receives the communication history of communication packets sent and received between terminals and communication devices and between communication devices and communication devices that make up the network.
Based on the information in the range from the beginning of the communication packet to the part determined according to the communication protocol used for the communication of the communication packet in the communication history of the communication packet, the terminal and the communication device and the communication device are described. Communication device-A method for monitoring unauthorized communication that detects unauthorized communication generated by malware generated between the communication devices. On the basis of the incorrect communications detection result, illegal communication monitoring method according to claim 5 for visually displaying the state of communication in the network. On the computer
Processing to receive the communication history of communication packets sent and received between terminals and communication devices and between communication devices and communication devices that make up the network.
Unauthorized communication generated by malware is performed based on the information in the communication history of the communication packet from the beginning of the communication packet to the part determined according to the communication protocol used for the communication of the communication packet. Unauthorized communication monitoring program that detects and executes unauthorized communication monitoring programs. Including a communication history collection device and an unauthorized communication monitoring device,
The communication history collecting device is
A communication packet receiver that generates a communication history based on information in the range from the beginning of the communication packet sent / received by the communication device to a part determined according to the communication protocol used for the communication of the communication packet. When,
A communication history transmission unit that transmits the communication history to the unauthorized communication monitoring device is provided.
The unauthorized communication monitoring device is
The communication history receiving unit that receives the communication history and
An unauthorized communication monitoring system including an unauthorized communication detection unit that analyzes the communication history and detects unauthorized communication generated by malware.

Images