JP7135870B2 - DETECTION DEVICE, DETECTION METHOD, AND DETECTION PROGRAM - Google Patents

Description

The present specification relates to a detection device, a detection method, and a detection program.

In recent years, malware infection of terminals used in factories for machine control and management has become a problem. In addition, there have been cases where production lines have stopped due to the use of terminals being prevented due to malware infections. For this reason, it is required to take countermeasures against malware infection in factories. However, in factories, terminals with known vulnerabilities may still be used due to factors such as the relationship with machines to be managed. In addition, it is possible that an external terminal or USB (Universal Serial Bus) with no security measures connected to the network by a worker in the factory. Therefore, it is difficult to prevent the terminals in the factory from being infected with malware (primary infection) due to the connection of the external terminal or USB.

Here, worm-type malware (worms) spreads damage by infecting terminals in a network, replicating itself, and infecting other terminals in the network (secondary infection). Therefore, it is conceivable to prevent the spread of damage by detecting the occurrence of secondary worm infection at an early stage. For example, a monitoring system has been proposed that outputs an alert when the source address of a signal destined for a darknet that constitutes a reachable and unused address space is an address used in a monitored communication network ( For example, Patent Document 1).

However, some worms use the ARP (Address Resolution Protocol) table of the primary infected terminal to limit the spread of infection to communication devices that have a track record of communicating with the primary infected terminal. Such worm-type malware cannot be detected by monitoring unused addresses.

FIG. 1 is a diagram for explaining an example of worm detection. In addition to the detection device 10, terminals 2a to 2d and a router 5 are connected to the network. For example, the terminal 2 may be connected to actuators 1a to 1c that do not support TCP/IP (Transmission Control Protocol/Internet Protocol). Also, the tablet 6 may communicate via the router 5 .

The detection device 10 periodically accesses each device such as the terminals 2a to 2d and the router 5 connected to the network at a short period such as every second, thereby enabling communication with each device in the network. The communication record is maintained (arrow A1). In the example of FIG. 1, the IP address assigned to the detection device 10 is 192.168.10.50, and the MAC (Media Access Control) address is AA:BB:CC:DD:EE:FF. Through the communication indicated by the arrow A1, each of the terminals 2a to 2d and the router 5 records the IP address and MAC address of the detection device 10 in the ARP table. In the example of FIG. 1, it is assumed that terminal 2a holds ARP table 4a and terminal 2b holds ARP table 4b. Furthermore, the terminal 2c holds an ARP table 4c, and the terminal 2d holds an ARP table 4d. Similarly, router 5 is assumed to have ARP table 4e.

Assume that the terminal 2 d is then primarily infected with the worm 7 . The worm 7 accesses the device whose address is recorded in the ARP table 4d by referring to the ARP table 4d held by the terminal 2d. In the example of FIG. 1, the ARP table 4d contains the address information of the terminal 2b (IP address=192.168.10.23, MAC address=CC:DD:EE:FF:00:11) and the address of the detection device 10. information is recorded. For this reason, the terminal 2d accesses the detection device 10 and the terminal 2b (arrows A2 and A3), which causes the spread of the worm 7 infection. By accessing the detection device 10 from the terminal 2d, the detection device 10 can detect the worm 7 (A4). In FIG. 1, the case where the terminal 2d is infected with the worm 7 is taken as an example. 7, the detection device 10 can detect secondary infection by the worm 7 by similar processing.

As a related technique, a system has been proposed in which a terminal that has transmitted a reply to an ARP request is accommodated in a predetermined VLAN (Virtual Local Area Network) using a MAC address in the reply (for example, Patent Document 2). There is also known a device that records the correspondence between IP addresses and MAC addresses in ARP response packets when the number of ARP response packets is the same as the number of ARP request packets (for example, Patent Document 3). The device provides early warning if the source IP address and source MAC address in the ARP data packet are different from those recorded.

JP 2010-161488 A JP 2010-136014 A JP 2009-17562 A

If the detection device communicates with the monitoring target device at short intervals in order to maintain the communication performance, the load on the network will increase. However, if the frequency of communication between the detection device and the monitored device is low, there is a possibility that the monitored device will be infected with a worm while it does not retain the information of the detection device, and worm detection will fail. There is Even if the methods described as related techniques are used, it is difficult to reduce communications generated for detecting worms.

One aspect of the present invention is to reduce the network load caused by worm detection.

A detection device according to one aspect includes a transmitter, a controller, and a detector. A request frame that requests each of one or more communication devices used in the network to transmit a response frame containing parameters associated with the type of operating system used by the communication device. to send. The control unit performs control for transmitting a transmission frame to the transmission source of the response frame at a cycle corresponding to the operating system specified from the received response frame. The detection unit detects malware included in access from any one of the one or more communication devices.

It can reduce the network load caused by worm detection.

FIG. 4 is a diagram for explaining an example of worm detection; It is a figure explaining the example of the detection method concerning embodiment. It is a figure explaining the example of a structure of a detection apparatus. It is a figure explaining the example of the hardware constitutions of a detection apparatus. FIG. 4 is a diagram for explaining a configuration example of a PING frame; FIG. 10 is a diagram illustrating an example of a timer set value table; FIG. It is a figure explaining the example of a timer table. It is a figure explaining the example of the detection method concerning 1st Embodiment. 4 is a flowchart for explaining an example of a detection method according to the first embodiment; FIG. 10 is a diagram illustrating an example of a state setting method; FIG. 10 is a diagram illustrating an example of a state setting method; FIG. 10 is a diagram illustrating an example of processing performed when a terminal is replaced; FIG. 10 is a diagram illustrating an example of processing performed when a new terminal is added; 9 is a flowchart for explaining an example of a detection method according to the second embodiment; FIG. 10 is a diagram illustrating an example of processing performed when a new terminal is added; FIG. 10 is a diagram illustrating an example of processing performed when a terminal is changed; 10 is a flowchart for explaining an example of a detection method according to the third embodiment;

FIG. 2 is a diagram illustrating an example of a detection method according to the embodiment; In FIG. 2, it is assumed that the detection device 20, terminals 2a to 2d, and router 5 are included in the network. Furthermore, actuators 1a and 1b that do not support TCP/IP are connected to terminal 2a, and actuator 1c is connected to terminal 2b. It is also assumed that the tablet 6 is communicating via the router 5 . The types of devices included in the terminals 2a to 2d may be the same or different. For example, the terminals 2a and 2b may be mechanical controllers (Programmable Logic Controller, PLC) for controlling the actuator 1. FIG. Also, the terminals 2c and 2d may be a production management device (Human Machine Interface, HMI) used for management of the production status in the factory. Note that the network shown in FIG. 2 is an example, and the number and types of terminals 2 and routers 5 in the network may be changed according to implementation. Furthermore, the number and types of devices connected to the terminal 2 and the router 5 can also be arbitrarily changed according to implementation.

The detecting device 20 transmits a request frame to each of the terminals 2a to 2d and the router 5, which are devices capable of communicating using the IP protocol among the devices in the network (arrow A11). Here, the request frame is a frame requesting transmission of a response frame including parameters associated with the type of operating system (OS) used by the device to the destination device of the request frame. is. The parameter associated with the OS type may be, for example, a TTL (Time to live) value in the IP header. In the example of FIG. 2, assume that the parameter indicating the OS A is α. Similarly, assume that the parameter indicating the OS B is β, and the parameter indicating the OS C is γ.

In the example of FIG. 2, when the terminal 2a receives the request frame, it transmits a response frame including parameter=β to the detection device 20 (arrow A12). Further, when the terminals 2b to 2d receive the request frame, they transmit a response frame including the parameter=α to the detection device 20 (arrows A13 to A15). Furthermore, upon receiving the request frame, the router 5 transmits a response frame including parameter=γ to the detection device 20 (arrow A16).

The detection device 20 identifies the type of OS used in each device by using the parameters in the response frames received from each device to which the request frame was sent. In the example of FIG. 2, the parameter=β is included in the response frame from the terminal 2a, so the detecting device 20 determines that OS B is used in the terminal 2a. Similarly, the parameter=α is included in the response frames received from the terminals 2b to 2d, so the detecting device 20 determines that the OS used by the terminals 2b to 2d is A. Furthermore, since the response frame from the router 5 includes the parameter=γ, the detection device 20 determines that the OS used by the router 5 is C.

It is assumed that the detection device 20 is aware in advance of information regarding the period during which the OS retains the communication history for each of the OSs that may be used by the devices in the network. For example, OS A deletes from its communication history entries relating to communication destinations that have not been used for x seconds. Similarly, OS=B deletes from the communication history entries for destinations that have not been used for y seconds, and OS=C deletes entries for destinations that have not been used for z seconds from the communication history.

The detection device 20 periodically transmits a transmission frame to each device at time intervals equal to or less than the cycle in which the OS used by the device deletes the communication history. For example, since OS=B is used in the terminal 2a, if the detection device 20 does not communicate with the terminal 2a for y seconds or longer, the communication history with the detection device 20 is deleted. Therefore, the detection device 20 determines to transmit the frame to the terminal 2a after y seconds from the transmission of the request frame. Furthermore, after that, the detection device 20 transmits a frame to the terminal 2a every y seconds.

Similarly, since OS=A is used in terminals 2b-2d, detection device 20 determines to transmit a frame to terminals 2b-2d x seconds after transmission of the request frame. After that, the sensing device 20 still transmits frames to the terminals 2b-2d every x seconds. Since OS=C is used in router 5, detection device 20 decides to send a frame to router 5 z seconds after sending the request frame, and thereafter sends a frame to router 5 every z seconds. to send.

Through the above processing, the communication history with the detection device 20 is maintained in each of the terminals 2a to 2d and the router 5. FIG. Therefore, when one of the terminals 2a to 2d and the router 5 is infected with worm-type malware (worm 7), access is made to the detecting device 20 to infect the worm 7. FIG. Therefore, the detection device 20 can detect the occurrence of secondary infection with the worm 7 .

The detection device 20 according to the embodiment maintains the communication track record with each device by transmitting a frame at the timing when the communication history is deleted by the OS used by each device in the network. Therefore, the detection device 20 reduces the number of frames to be transmitted by improving the efficiency of frame transmission for maintaining the communication performance between the detection device 20 and each device in the network, thereby reducing the amount of communication. can do. Therefore, by using the detection device 20, the secondary infection of the worm 7 can be detected while reducing the amount of communication generated for detecting the worm 7. FIG.

<Device configuration>
FIG. 3 is a diagram illustrating an example of the configuration of the detection device 20. As shown in FIG. The detection device 20 includes a communication section 21 , a control section 30 and a storage section 40 .

The communication section 21 has a transmission section 22 and a reception section 23 . The transmitter 22 transmits the frame to other devices in the network such as the terminal 2 and the router 5 . The receiving unit 23 receives frames from other devices in the network such as the terminal 2 and the router 5 .

The control unit 30 has a generation processing unit 31 , an OS identification unit 32 , and a detection unit 34 , and can optionally include a state update processing unit 33 . The generation processing unit 31 generates a frame such as a request frame or a transmission frame to be transmitted for maintaining the communication performance. The OS identification unit 32 identifies the type of OS used at the transmission source of the response frame using the parameter values included in the response frame. Further, the OS identification unit 32 refers to the timer setting value table 41 to determine the waiting time until the next frame is transmitted to the transmission source of the response frame according to the identified OS. The state update processing unit 33 sets or changes the state of the terminal 2 or the like connected to the target network of the detection processing. A state is set for a device such as a terminal connected to the network, corresponding to the type of information recognized by the detection device 20 . The state update processing unit 33 records the latest state set for each device in the state information 44 . The detection unit 34 detects malware such as worm-type malware included in accesses from devices in the network.

The storage unit 40 includes a timer set value table 41, a timer table 42, an ARP table 43, and optionally state information 44. FIG. The timer set value table 41 records the waiting time until the detection device 20 transmits the next transmission frame in association with the type of OS used by the destination of the transmission frame. The timer table 42 manages the remaining time until the detection device 20 transmits the transmission frame. For example, the OS identification unit 32 records in the timer table 42 the standby time identified using the timer setting value table 41 for the terminal 2 that received the response frame. The timer table 42 decrements the value of the set standby time as time elapses. Therefore, frame transmission processing is performed for the terminal 2 or the like for which the standby time stored in the timer table 42 has become 0. FIG. Examples of the timer set value table 41 and the timer table 42 will be described later.

The ARP table 43 records combinations of IP addresses and MAC addresses assigned to devices that have a track record of communication with the detection device 20 . The state information 44 records information such as the state set by the state update processing unit 33 for each device in the network to be detected.

FIG. 4 is a diagram illustrating an example of the hardware configuration of the detection device 20. As shown in FIG. The sensing device 20 has a processor 101 , a memory 102 , a bus 103 and a network connection device 104 . The processor 101 is any processing circuit, and can be, for example, a CPU (Central Processing Unit). The processor 101 uses the memory 102 as a working memory and executes various processes by executing programs. The memory 102 includes RAM (Random Access Memory), and further includes non-volatile memory such as ROM (Read Only Memory). The memory 102 stores programs and data used for processing by the processor 101 . Network connection device 104 is used to communicate with other devices over a network. A bus 103 connects the processor 101, the memory 102, and the network connection device 104 so that data can be input/output to each other.

In the detection device 20 , the controller 30 is realized by the processor 101 . The communication unit 21 is implemented by the network connection device 104 . Furthermore, the storage unit 40 is implemented by the memory 102 . The sensing device 20 may be implemented as a computer, gateway device, router, L3 switch, or the like.

<Example of request frame and information held by detection device>
A case in which a PING request is used as a request frame transmitted from the detection device 20 to devices in the network will be described below as an example. If a PING request is used as the request frame, the response frame is the PING reply. Also, a TTL (Time to live) value in the PING reply is used as a parameter associated with the OS type in the response frame.

FIG. 5 is a diagram illustrating a configuration example of a PING frame. Note that the PING frame shown in FIG. 5 shows part of the information elements included in the PING frame. A PING frame includes a source MAC address (Source MAC) and a destination MAC address (Destination MAC) in an Ethernet header in an Ethernet (registered trademark) frame. An IP frame in an Ethernet frame includes an IP header and an ICMP (Internet Control Message Protocol) message. The IP header includes TTL, source IP address (Source IP), and destination IP address (Destination IP). An ICMP message contains a type, code and data. The type in the ICMP message is a value that indicates the function type in the ICMP message. Code represents the function code of the ICMP message.

In the following description, a PING request is used as the request frame, but the request frame is not limited to the PING request. For example, any frame with a TTL in the IP header can be used as a request frame. Also, when a value other than TTL is used as a parameter associated with the OS type, any frame including that parameter may be used as a request frame to request transmission.

FIG. 6 is a diagram illustrating an example of the timer set value table 41. As shown in FIG. The timer setting value table 41 contains TTL values and timer setting values used in each OS in association with the type of OS. The timer set value is a value set in the timer table 42 by the OS identification unit 32 as an initial value of the waiting time. The timer setting value is set to be equal to or less than the default value of the retention time of the ARP table entry in each OS.

For example, in a Windows-based OS, the default value for the period during which entries are held in the ARP table is 15 to 45 seconds or 2 minutes. Therefore, in the example of FIG. 6, the timer setting value for the device using the Windows OS is set to 15 seconds. In addition, the fact that the TTL value in the Windows-based OS is 128 is also recorded in the timer set value table 41 in association with the Windows-based OS.

On the other hand, in the Linux (registered trademark) OS, the default value of the period during which entries are held in the ARP table is 1 second. Therefore, in FIG. 6, the timer setting value for the device using the Linux-based OS is set to 1 second. Also, the TTL value=64 for the Linux OS is recorded in the timer set value table 41 .

Similarly, in network equipment such as the router 5, the default value for the period during which entries are held in the ARP table is about 20 minutes. Therefore, in FIG. 6, the timer setting value for the network device is set to 1200 seconds. The TTL value=255 specified by the network device is also recorded in the timer set value table 41 .

FIG. 7 is a diagram illustrating an example of the timer table 42. As shown in FIG. The timer table 42 records the remaining time until the timer expires in association with the IP address of the device. Here, the remaining time until expiration of the timer is the time until the next transmission frame is transmitted to the device using the IP address in the entry. In the timer table 42-1, the remaining time until timer expiration for the device with IP address=192.168.10.23 is 15 seconds, and the remaining time until timer expiration for the device with IP address=192.168.10.24 is 15 seconds. Time is 1200 seconds. For example, assume that a PING reply is obtained from the device with IP address=192.168.10.22 10 seconds after the timer table 42-1 is obtained. Also assume that the OS identification unit 32 recognizes that the timer setting value associated with the OS used in the device with the IP address=192.168.10.22 is 1 second. Then, as shown in the timer table 42-2, the OS specifying unit 32 sets the remaining time until the timer expires for the device with the IP address=192.168.10.22 to 1 second. Note that the timer table 42-2 shows the state 10 seconds after the state of the timer table 42-1 is observed, so the remaining time until the expiration of the timer for the device with the IP address=192.168.10.23 is The time is 5 seconds in the timer table 42-2. Similarly, the remaining time until the timer expires for the device with IP address=192.168.10.24 is 1190 seconds in the timer table 42-2.

<First embodiment>
In the first embodiment, an example of processing performed when the detection device 20 does not have the state update processing unit 33 and the state information 44 will be described.

In a network used in a factory or the like, information on connected devices is not managed, and it is often not known which device uses which IP address. Therefore, an example of processing performed by the detection device 20 when the detection device 20 does not hold information on devices such as the terminals 2 and routers 5 connected to the network will be described below. It is assumed that the detection device 20 does not store information about devices connected to the network, but stores the range of IP addresses that can be used on the network in the storage unit 40 .

Since the detection device 20 does not hold information about the IP addresses used by the devices in the detection target network, it does not recognize the destination of the request frame. Therefore, the generation processing unit 31 of the detection device 20 generates an ARP request for each IP address included in the IP address range that can be used in the network. The generation processing unit 31 transmits each generated ARP request via the transmission unit 22 . A device that receives an ARP request containing the IP address used by itself transmits an ARP reply to the detection device 20 .

The receiving unit 23 receives an ARP reply. The OS identification unit 32 records the IP address and MAC address of the transmission source of the received ARP reply in the ARP table 43 . When the ARP table 43 is updated, the generation processing unit 31 generates a PING request addressed to each device whose combination of IP address and MAC address is recorded in the ARP table 43 .

FIG. 8 is a diagram illustrating an example of a detection method according to the first embodiment; In the example of FIG. 8, it is assumed that the terminal 2a uses a Linux-based OS, and the terminals 2b to 2d use a Windows-based OS. Further, it is assumed that each of the terminals 2a to 2d and the router 5 is transmitting an ARP reply to the detection device 20. FIG. Then, the generation processing unit 31 of the detection device 20 generates a PING request addressed to each of the terminals 2a to 2d and the router 5, and transmits it via the transmission unit 22 (arrow A21).

Upon receiving the PING request, the terminal 2a transmits a PING reply including TTL=64 toward the detection device 20 (arrow A22). The OS identification unit 32 of the detection device 20 acquires the PING reply transmitted from the terminal 2a via the reception unit 23. FIG. Since TTL=64 is included in the PING reply transmitted by the terminal 2a, the OS identification unit 32 uses the timer setting value table 41 (FIG. 6) to determine whether the OS used in the terminal 2a is a Linux OS. It is determined that Furthermore, since the timer setting value associated with the Linux-based OS is 1 second, the OS identification unit 32 determines to transmit the PING request to the terminal 2a 1 second after the transmission of the previous PING request. do. The OS identification unit 32 records the timer setting value of 1 second in the timer table 42 as the time until the timer expires in association with the IP address used by the terminal 2a.

Upon receiving the PING request, the terminal 2b transmits a PING reply including TTL=128 toward the detection device 20 (arrow A23). The OS identification unit 32 of the detection device 20 acquires the PING reply transmitted from the terminal 2b via the reception unit 23. FIG. Since TTL=128 is included in the PING reply transmitted by the terminal 2b, the OS identification unit 32 uses the timer setting value table 41 (FIG. 6) to determine whether the OS used in the terminal 2b is a Windows OS. It is determined that Furthermore, since the timer setting value associated with the Windows-based OS is 15 seconds, the OS identification unit 32 determines to transmit the PING request to the terminal 2b 15 seconds after the transmission of the previous PING request. do. The OS identification unit 32 records the timer setting value of 15 seconds in the timer table 42 as the time until the timer expires in association with the IP address used by the terminal 2b.

Similarly to the terminal 2b, the terminals 2c and 2d also transmit PING replies including TTL=128 to the detection device 20 (arrows A24 and A25). Therefore, by the same processing as the processing for the PING reply received from the terminal 2b, the OS identification unit 32 associates the IP addresses used by the terminals 2c and 2d with 15 seconds as the timer expiration time. Record in the timer table 42 .

Upon receiving the PING request, the router 5 transmits a PING reply including TTL=255 toward the detection device 20 (arrow A26). The OS identification unit 32 of the detection device 20 acquires the PING reply transmitted from the router 5 via the reception unit 23 . Since TTL=255 is included in the PING reply sent by the router 5, the OS identification unit 32 uses the timer setting value table 41 (FIG. 6) to determine that the router 5 is a network device. Furthermore, since the timer setting value associated with the network device is 1200 seconds, the OS identification unit 32 determines to transmit the PING request to the router 5 1200 seconds after the transmission of the previous PING request. The OS identification unit 32 records the timer setting value of 1200 seconds in the timer table 42 as the time until the timer expires in association with the IP address used by the router 5 .

The generation processing unit 31 of the detection device 20 monitors the timer table 42 and generates a PING request addressed to the IP address for which the remaining time until the timer expires is 0 seconds. The transmission unit 22 transmits the generated PING request. Therefore, in the example of FIG. 8, the detection device 20 transmits a PING request to the terminal 2a every second. Similarly, the detection device 20 transmits PING requests to the terminals 2b to 2d every 15 seconds, and transmits PING requests to the router 5 every 1200 seconds. The processing of the detection device 20 when receiving a PING reply in response to the PING request transmitted for the second time and thereafter is the same as that when receiving the first PING reply.

FIG. 9 is a flowchart illustrating an example of a detection method according to the first embodiment; At the time when the processing in FIG. 9 is performed, the IP address used by the device to be monitored (the IP address to be processed) is stored in the ARP table 43 held by the detection device 20 due to the transmission of the ARP request and the reception of the ARP reply. ) shall be recorded. Further, in the example of FIG. 9, it is assumed that the detection device 20 holds the timer set value table 41 shown in FIG.

The generation processing unit 31 uses the transmission unit 22 to transmit a PING request to the IP address to be processed (step S1). The OS identification unit 32 determines whether or not a PING reply has been received during the period from the transmission of the PING request to the occurrence of timeout (step S2). When receiving the PING reply, the OS identifying unit 32 refers to the TTL in the PING reply and identifies the OS used by the source of the PING reply (Yes in step S2, step S3). After that, the generation processing unit 31 waits for the timer setting value associated with the specified OS, and returns to step S1 (step S3). Note that the timer setting value associated with the specified OS is acquired from the timer setting value table 41 in step S3.

On the other hand, the destination of the PING request may be set not to send the PING reply for security reasons. In such a case, the detection device 20 does not receive the PING reply (No in step S2). If the PING reply is not received within the predetermined period, the OS identification unit 32 assumes that the destination of the PING request uses an OS with the shortest retention time of the entry in the ARP table. This assumption is made to prevent secondary infection of the worm 7 from the destination of the PING request from being overlooked due to the fact that the ARP table held by the destination of the PING request does not include the information of the detection device 20 . . In the timer setting value table 41 shown in FIG. 6, the timer setting value takes the minimum value when a Linux-based OS is used. Therefore, the OS identification unit 32 waits for the timer setting value associated with Linux, and returns to step S1 (step S4).

In this way, the detection device 20 can detect the address information of the terminal 2 before the address information of the detection device 20 is deleted from the ARP table 4 held by the terminal 2 or the like according to the type of OS used in each device in the network. etc. to send the PING request again. Therefore, secondary infection of the worm 7 from devices in the network can be detected. On the other hand, by specifying the type of OS, the detection device 20 can refrain from transmitting frames to the device while the address information of the detection device 20 is held in the ARP table 4 of the device in the network. . Therefore, it is possible to prevent unnecessary transmission of frames from the detection device 20 to each device in the network, thereby reducing the amount of communication.

For example, let's calculate the amount of traffic used to maintain communication performance with 250 devices in the network. Here, it is assumed that 25 of 250 devices in the network use a Linux-based OS and the remaining 225 devices use a Windows-based OS. Without using the detection device 20 according to the embodiment, it is possible to send a PING request every second to all the devices in the network regardless of the OSs used by the devices. In this case, assuming that the ARP request (42 bytes) is also sent before the PING request (74 bytes) is sent, the traffic per second is 250×(74+42)=29000 bytes. Even if only ARP requests are sent to 250 devices every second, the amount of communication per second is 250×42=10500 bytes. On the other hand, according to the first embodiment, even if it is assumed that the ARP request (42 bytes) is also transmitted before the PING request (74 bytes) is transmitted, the amount of communication per second is 25×(74+42) +225*1/15*(74+42)=4640 bytes. Therefore, by using the detection device 20, the secondary infection of the worm 7 can be detected while reducing the amount of communication generated for detecting the worm 7. FIG.

As shown in the first embodiment, when a PING request is transmitted in accordance with the timing when the entry of the detection device 20 is deleted from the ARP table 4, even if the device connected to the network is changed, The frame transmission cycle is changed according to For example, assume that the terminal 2b was using the IP address 192.168.10.23 at time T1. Assume that the terminal 2b is then disconnected from the network, the router 5a (not shown) is connected instead of the terminal 2b, and the address 192.168.10.23 is started to be used. In this case, when the detecting device 20 transmits a PING request 15 seconds after the time T1, the router 5a receives the PING request. Since the router 5a sends a PING reply including TTL=255 to the detection device 20, the OS identification unit 32 of the detection device 20 identifies that the device using the IP address = 192.168.10.23 is a network device. can be recognized. Therefore, the OS identification unit 32 can set the next PING request addressed to IP address=192.168.10.23 1200 seconds after the transmission of the previous PING request.

In this way, the detecting device 20 identifies the OS used by the source of the PING reply each time it transmits a PING reply, and transmits frames at a frequency according to the identified OS. Wasteful transmission of frames to each device can be reduced.

<Second embodiment>
In the second embodiment, the detection device 20 is assumed to have a state update processor 33 and state information 44 . Also in the second embodiment, it is assumed that the detection device 20 holds the timer set value table 41 shown in FIG. Furthermore, also in the second embodiment, the PING request is used as the request frame, and the TTL value is used as the parameter associated with the OS type.

The state update processing unit 33 selects state 0 to state 3 for each IP address that can be used in the network, depending on the amount of information that the detection device 20 recognizes about the device using that IP address. Set up four stages of states. The state update processing unit 33 records the set state in the state information 44 .

FIG. 10 is a diagram illustrating an example of a state setting method. An example of state setting will be described below with reference to FIG. In the example of FIG. 10, the sensing device 20 uses an IP address of 192.168.10.50 and a MAC address of AA:BB:CC:DD:EE:FF. It is also assumed that a terminal 2a, a terminal 2b, a terminal 2d, and a router 5 are connected to the network. The addresses used by the terminal 2a are IP address=192.168.10.22 and MAC address=00:11:22:33:44:55. The addresses used by the terminal 2b are IP address=192.168.10.23 and MAC address=CC:DD:EE:FF:00:11. The addresses used by the terminal 2d are IP address=192.168.10.26 and MAC address=22:33:44:55:66:77. Further, the addresses used by the router 5 are IP address=192.168.10.25 and MAC address=33:44:55:66:77:88. Also in the second embodiment, the terminal 2 can be connected to an arbitrary number of actuators 1 and the like, and the router 5 can also be connected to an arbitrary number of devices such as tablets 6 .

State information 44-1 is an example of state information 44 held by the detection device 20 at startup. The state information 44-1 includes IP address (IP addr.), MAC address (MAC addr.), OS, and state. The state update processing unit 33 sets state 0 to an IP address to which the detection device 20 has never sent an ARP request. Therefore, at startup, state 0 is set for all IP addresses that can be used in the network. Since the sensing device 20 is not communicating with devices in state 0, it is also unaware that state 0 IP addresses are used by devices in the network.

Generation processing unit 31 generates an ARP request for each of all IP addresses that can be used in the network, and transmits the ARP request via transmission unit 22 (arrow A31). When the ARP request is transmitted, the state update processing unit 33 sets state 1 to the IP address that is the target of address resolution in the ARP request. Therefore, when the process of arrow A31 is performed, state 1 is set for all IP addresses in the state information 44. FIG. In state 1, sensing device 20 has sent an ARP request but has not received an ARP reply. In other words, state 1 is assigned to an IP address that neither the MAC address nor the OS used by the device is known to the detection device 20, but has sent an ARP request from the detection device 20 at least once. . Therefore, the IP address in state 1 is either an address that is not used by a device in the network such as the terminal 2 or the router 5 at the time of sending the ARP request, or an address that the detection device 20 does not recognize the usage status of. You can say that.

The terminal 2a receives an ARP request for requesting address resolution for the IP address used by the terminal 2a. Upon receiving the ARP request transmitted from the detection device 20, the terminal 2a records the address information of the detection device 20 in the ARP table 4a held by the terminal 2a. Furthermore, an ARP reply for notifying the detection device 20 of the MAC address of the terminal 2a is transmitted (arrow A32). When the OS identifying unit 32 of the detecting device 20 acquires the ARP reply via the receiving unit 23 , it records the address information of the terminal 2 a in the ARP table 43 provided in the detecting device 20 . The state update processing unit 33 assigns state 2 to the IP address used by the terminal 2a, which is the transmission source of the ARP reply. That is, an IP address used by a device that is the source of an ARP reply responding to an ARP request and whose OS has not yet been specified is classified into state 2 . After that, the state update processing unit 33 records the MAC address of the terminal 2a in the state information 44 together with the set state information.

The terminals 2b, 2d, and router 5 also perform the same processing as the terminal 2a when receiving the ARP request transmitted from the detection device 20 for address resolution related to the IP address used by their own devices. Therefore, the address information of the detection device 20 is recorded in each of the ARP tables 4b, 4d, and 4e. It is assumed that terminal 2b holds ARP table 4b and terminal 2d holds ARP table 4d. Furthermore, assume that the router 5 holds an ARP table 4e. Each of the terminal 2b, the terminal 2d, and the router 5 transmits an ARP reply for notifying the detection device 20 of the MAC address used by itself (arrows A33 to A35).

The processing performed when the OS identifying unit 32 and the state update processing unit 33 in the detection device 20 receive the ARP reply is the same as the processing when receiving the ARP reply transmitted from the terminal 2a. Therefore, upon receiving the ARP reply, the state update processing unit 33 sets each of the terminal 2b, the terminal 2d, and the router 5 to state 2. FIG. Since the set state information and MAC addresses of the terminals 2a, 2b, 2d, and router 5 are recorded in the state information 44, the state information 44-1 is updated to the state information 44-2.

In the example of FIG. 10, the IP address 192.168.10.24 is not used. Therefore, no response is sent to the ARP request addressed to 192.168.10.24. Therefore, in the state information 44-2, state 1 remains set for IP address=192.168.10.24.

FIG. 11 is a diagram illustrating an example of a state setting method. Processing performed after the processing in FIG. 10 will be described with reference to FIG.

The generation processing unit 31 periodically transmits an ARP request to the IP address set in State 1 in order to detect the start of use of the IP address set in State 1 . For example, IP address=192.168.10.24 is set to state 1 in the state information 44-2. Therefore, generation processing unit 31 generates an ARP request for requesting address resolution of IP address=192.168.10.24 at predetermined intervals and transmits it via transmission unit 22 (arrow A41). The transmission cycle of the ARP request for detecting the start of use of the IP address set in state 1 can be set according to the implementation.

On the other hand, for devices using IP addresses classified into state 2, the MAC addresses are recorded in the ARP table 43 and the state information 44 by the processing described with reference to FIG. Therefore, the detection device 20 can communicate with devices using IP addresses classified in state 2, but has not yet identified the OS used by the devices using state 2 IP addresses. Therefore, the generation processing unit 31 generates a PING request addressed to each of the addresses classified into state 2, and transmits it via the transmission unit 22 (arrow A42).

The terminal 2b that has received the PING request transmits a PING reply to the detection device 20 (arrow A43). Since communication between the terminal 2b and the detection device 20 is generated by this processing, the period until information such as the MAC address of the detection device 20 is deleted from the ARP table 4b provided in the terminal 2b is the initial value back to Therefore, the information of the detection device 20 is held in the ARP table 4b.

Upon receiving the PING reply from the terminal 2b, the OS identification unit 32 uses the timer setting value table 41 to identify the type of OS used by the source of the PING reply. The processing for identifying the OS is the same as in the first embodiment. Here, it is assumed that TTL=128 was included in the PING reply transmitted from the terminal 2b. Then, the OS identification unit 32 determines that the OS used in the terminal 2b (192.168.10.23) is a Windows OS. The state update processing unit 33 assigns state 3 to the IP address used by the device whose OS is specified. Further, the state update processing unit 33 updates the state information 44 by using the specified OS type and the state information after the change. Therefore, the information about the IP address used by the terminal 2b is as follows.

IP address 192.168.10.23
MAC address CC:DD:EE:FF:00:11
OS Windows
state state 3
Assume that the terminal 2d and the router 5 also transmit PING replies to the detection device 20 in response to the reception of the PING request (arrows A44 and A45). Both the terminal 2d and the router 5 hold an entry regarding the detection device 20 in the ARP table 4 because communication with the detection device 20 is occurring. Therefore, as shown in FIG. 11, the information of the detection device 20 is maintained in both the ARP table 4d and the ARP table 4e.

When the PING reply is received from the terminal 2d and the router 5, the same process as when the PING reply is received from the terminal 2b is performed. As a result, it is assumed that the OS used in the terminal 2d (192.168.10.26) is determined to be the Windows OS. Assume that router 5 (192.168.10.25) is determined to be a network device.

On the other hand, it is assumed that the terminal 2a is set not to respond to the PING request. In this case, the terminal 2a does not send a PING reply even if it receives a PING request. Note that the terminal 2a also maintains the information of the detection device 20 in the ARP table 4a held by the terminal 2a by receiving the PING request.

If no PING reply is received after a predetermined period of time has passed since the transmission of the PING request, the state update processing unit 33 assumes that the OS used as the destination of the PING request is the OS with the shortest timer setting time. This assumption is made so as not to create a period during which the information of the detection device 20 is deleted from the ARP table 4 held by the device that does not send the PING reply. Based on the timer set value table 41 (FIG. 6), the state update processing unit 33 assumes that the OS used in the terminal 2a is Linux.

The state update processing unit 33 also records OS information and states obtained for the terminals 2a, 2d, and the router 5 in the state information 44. FIG. Therefore, the state information 44-2 is updated as indicated by the state information 44-3.

As described with reference to FIG. 11, state 3 is assigned to an IP address used by a device whose MAC address and OS are both recognized by the detection device 20 . Here, after specifying the OS of the device in the network, the OS of each device communicates with the detection device 20 at an interval at which the information of the detection device 20 is not deleted from the ARP table 4 held by each device. A track record of communication with the device is maintained. Also, any type of frame can be used to maintain the communication record. In other words, the amount of communication in the network can be reduced by setting the frames to be sent to the IPs classified in state 3 to have a frame length shorter than that of the PING request. An example of a frame having a shorter frame length than the PING request is an ARP request.

Therefore, the generation processing unit 31 generates an ARP request for the IP address classified into state 3 at a cycle corresponding to the type of OS of the device using the IP address. By transmitting the ARP request generated by the generation processing unit 31, the detection device 20 can maintain the communication record with the device using the IP address inquired by the ARP request. For example, in the example of FIG. 11, it is determined that the OS of the terminal 2a (192.168.10.22) is Linux. is sent every second. On the other hand, it is determined that the OS of terminal 2b (192.168.10.23) and terminal 2d (192.168.10.26) is Windows. Therefore, the generation processing unit 31 performs processing for transmitting an ARP request for the IP address used by each of the terminals 2b and 2d every 15 seconds. Furthermore, since router 5 (192.168.10.25) is determined to be a network device, generation processing unit 31 transmits an ARP request for the IP address used by router 5 every 1200 seconds.

As described above, in the second embodiment, the communication cycle is adjusted according to the OS used by the devices in the network, and the frame used for communication is changed before and after the OS is specified, thereby enabling detection. The amount of communication between the device 20 and each device in the network can be further reduced.

FIG. 12 is a diagram illustrating an example of processing performed when a terminal is replaced. In a factory network, devices may be replaced. Further, a first device using an IP address is replaced by a second device using a different OS than the device, and the first device and the second device use the same IP address. It is possible to do so. Therefore, when using a frame that does not include a parameter that can be used to specify the type of OS for maintaining the communication performance, the state update processing unit 33 detects whether or not the device has been replaced. Monitor what happened. A case where the device using the IP address=192.168.10.23 is changed from the terminal 2b to the terminal 2f will be described below as an example.

When the detection device 20 holds the state information 44-3, an ARP request for the IP address=192.168.10.23 is sent every 15 seconds, as described with reference to FIG. If the device using IP address=192.168.10.23 is still terminal 2b, upon receiving the ARP request, terminal 2b maintains the information of detector 20 in ARP table 4b and Send an ARP reply to The ARP reply generated by terminal 2b includes IP address=192.168.10.23 and MAC address=CC:DD:EE:FF:00:11.

When the state update processing unit 33 acquires the ARP reply via the receiving unit 23, the state update processing unit 33 compares the combination of the IP address and MAC address included in the ARP reply with the combination recorded in the state information 44-3. . At this stage, the combination of the IP address and MAC address included in the ARP reply matches the information in the state information 44-3. Therefore, the state update processing unit 33 determines that no device change has occurred at the source of the ARP reply. Since the device has not been changed, the communication processing for maintaining the communication record is not changed.

After that, assume that the device using the IP address=192.168.10.23 is changed from the terminal 2b to the terminal 2f. The generation processing unit 31 of the detection device 20 performs processing for transmitting an ARP request for the IP address=192.168.10.23 15 seconds after the transmission of the previous ARP request. Since the terminal 2f uses IP address=192.168.10.23, the ARP request from the detection device 20 is received by the terminal 2f (arrow A51).

Since the terminal 2f has no history of communication with the detection device 20, it records the address information of the detection device 20 included in the ARP request in the ARP table 4f held by the terminal 2f. Further, the terminal 2f transmits an ARP reply including IP address=192.168.10.23 and MAC address=AA:AA:AA:AA:AA:AA to the detecting device 20 (arrow A52).

When the state update processing unit 33 acquires the ARP reply via the receiving unit 23, the state update processing unit 33 compares the combination of the IP address and MAC address included in the ARP reply with the combination recorded in the state information 44-3. . The ARP reply contains IP address=192.168.10.23 and MAC address=AA:AA:AA:AA:AA:AA. On the other hand, in the state information 44-3, MAC address=CC:DD:EE:FF:00:11 is associated with IP address=192.168.10.23. Therefore, the state update processing unit 33 determines that the combination of the IP address and the MAC address in the ARP reply does not match the information in the state information 44-3, and the change of the device has occurred in the transmission source of the ARP reply. I judge. Also, there is a possibility that the OS of the device using IP address=192.168.10.23 has been changed due to the device change. Therefore, the state update processing unit 33 deletes the OS information associated with the IP address=192.168.10.23. Furthermore, in order to specify the OS used in the device after the change, the state update processing unit 33 changes the state for the IP address=192.168.10.23 to state 2 . Furthermore, the state update processing unit 33 records the new MAC address notified by the ARP reply in the state information 44 . Therefore, the state information 44-3 is updated as indicated by the state information 44-4.

When the state information 44 is updated as indicated by the state information 44-4, the generation processing unit 31 generates and transmits a PING request addressed to the IP address=192.168.10.23 classified in state 2. It is transmitted via the unit 22. Therefore, the type of OS used in the terminal 2f is specified by the same process as the process described with reference to FIG. 11, and the state information 44 is appropriately updated.

On the other hand, if the combination of the IP address and the MAC address match in both the ARP reply and the state information 44, the state update processing unit 33 determines that the device has not been changed, and updates the information for that address. Do not update. Therefore, the communication processing for maintaining the communication record is not changed.

For example, an ARP request for the IP address (192.168.10.22) used by terminal 2a is sent every second (arrow A53). Therefore, the terminal 2a maintains the information of the detection device 20 in the ARP table 4a and transmits an ARP reply addressed to the detection device 20. FIG. Since the combination of the IP address and MAC address matches between the ARP reply and the state information 44-4, processing to IP address = 192.168.10.22 or processing for IP address = 192.168.10.22 State is not changed.

Similarly, the detection device 20 transmits an ARP request for the IP address used by the terminal 2d every 15 seconds, and an ARP request for the IP address used by the router 5 every 20 minutes (arrows A54, A55). . Since the terminal 2 d and the router 5 perform the same processing as the terminal 2 a when receiving the ARP request, the terminal 2 d and the router 5 also maintain the communication record with the detection device 20 . Furthermore, using the combination of the IP address and the MAC address, the state update processing unit 33 determines that the IP address used by the terminal 2d and the router 5 has not changed. Therefore, the communication processing for maintaining the communication record is not changed for these devices as well.

As described above, in the second embodiment, the state update processing unit 33 monitors whether the combination of the IP address and the MAC address changes. device changes can be detected.

FIG. 13 is a diagram illustrating an example of processing performed when a new terminal is added. A case where the terminal 2c newly connected to the network after the process described with reference to FIG. 11 uses the IP address=192.168.10.24 will be described below as an example. Although FIG. 13 shows the ARP table 4c held by the terminal 2c, the ARP table 4 held by the other terminals 2 and the router 5 is omitted for the sake of clarity.

In state information 44-3, state 1 is set to IP address=192.168.10.24. Therefore, IP address=192.168.10.24 is not used for communication. Therefore, the generation processing unit 31 transmits an ARP request for the IP address = 192.168.10.24 at predetermined intervals in order to detect the start of use of the IP address = 192.168.10.24 (arrow A61).

Suppose terminal 2c is connected to the network and starts using IP address=192.168.10.24. The terminal 2 c then receives the ARP request sent from the detection device 20 . The terminal 2c records the address information (IP address=192.168.10.50, MAC address=AA:BB:CC:DD:EE:FF) of the detection device 20 in the ARP table 4c. Further, the terminal 2c transmits an ARP reply addressed to the detection device 20 (arrow A62).

The receiving unit 23 of the detection device 20 receives the ARP reply transmitted from the terminal 2c. The OS identification unit 32 registers the information of the terminal 2c in the ARP table 43 using the ARP reply. Further, the state update processing unit 33 updates the state of 192.168.10.24, which is the source IP address of the ARP reply, to state 2, and records the MAC address of the terminal 2c in the state information 44. FIG. Therefore, the state information 44-3 is updated as indicated by the state information 44-5. After obtaining the state information 44-5, the processing performed for the IP address set in state 2 is the same as the processing to be described with reference to FIG. Therefore, a PING request is sent to the IP address used by the terminal 2c newly connected to the network, and the PING reply is used to identify the OS used by the terminal 2c. Therefore, an ARP request transmission process for the IP address used by the terminal 2c is performed at each time interval associated with the OS used by the terminal 2c.

FIG. 14 is a flowchart illustrating an example of a detection method according to the second embodiment; The generation processing unit 31 uses the transmission unit 22 to transmit an ARP request for the IP address to be processed (step S11). The OS identification unit 32 determines whether an ARP reply has been received (step S12). If the ARP reply has not been received, the state update processing unit 33 sets the IP address inquired by the ARP request to state 1, and the generation processing unit 31 waits for a predetermined time (No in step S12, step S13). After that, the processing after step S11 is repeated.

When the ARP reply is received, the state update processing unit 33 sets the IP address of the transmission source of the ARP reply to state 2 and records the MAC address of the transmission source of the ARP reply in the state information 44 . Further, the generation processing unit 31 transmits a PING request to the source of the ARP reply (Yes in step S12, step S14).

The OS identification unit 32 determines whether a PING reply has been received from the destination of the PING request (step S15). When the PING reply is received, the OS identifying unit 32 refers to the TTL in the PING reply to identify the OS used at the source of the PING reply, and records it in the state information 44 (Yes in step S15; S16). On the other hand, if the PING reply has not been received, the OS identification unit 32 assumes Linux as the OS used by the destination device of the PING request, and records it in the state information 44 (No in step S15, step S17). . The state update processing unit 33 sets the IP address targeted for the processing in step S16 or S17 to state 3 . Further, the generation processing unit 31 waits for the timer setting value associated with the OS, and then transmits an ARP request (step S18).

The OS identification unit 32 determines whether an ARP reply has been received (step S19). If the ARP reply has not been received, the device using the IP address inquired by the ARP request is disconnected from the network, so the state update processing unit 33 returns to step S13 (No in step S19). When receiving the ARP reply, the state update processing unit 33 determines whether the MAC address in the ARP reply matches the record in the state information 44 (Yes in step S19, step S20). If the MAC address in the ARP reply matches the record in the state information 44, the processes after step S18 are repeated (Yes in step S20). On the other hand, if the MAC address in the ARP reply does not match the record in the state information 44, the processing after step S14 is repeated (No in step S20).

As an example, let's calculate the amount of communication used to maintain the communication performance with 250 devices in the network for the second embodiment as well. Also here, it is assumed that 25 of the 250 devices in the network use a Linux-based OS and the remaining 225 devices use a Windows-based OS. According to the second embodiment, when all devices are in state 3, the amount of communication per second is 25×42+225×1/15×42=1680 bytes. Under the same conditions, communication of 4640 bytes per second occurs in the first embodiment.

As described above, in the second embodiment, by transmitting an ARP request at a communication cycle corresponding to the OS used by the devices in the network, the amount of communication between the detection device 20 and each device in the network is reduced. can be further reduced than in the first embodiment.

In the second embodiment, by monitoring whether the source MAC address in the ARP reply has changed from the MAC address in the state information 44, it is detected that the device using one IP address has been changed. , the OS can be specified again. Even if the device using one IP address is changed, after specifying the OS, the communication cycle is adjusted according to the specified OS. Therefore, according to the second embodiment as well, the detection device 20 can reduce the amount of communication while maintaining the communication performance with each device in the network. Therefore, the amount of communication between the detection device 20 and the devices in the network can be reduced without failing to detect secondary infection to the worm 7 .

<Third Embodiment>
In the third embodiment, a case will be described where the detecting device 20 detects that a new device has been connected to the network when it receives a GARP (Gratuitous ARP) message from a device on the network. Note that the case where a new device is connected to the network includes both the case where a device using an unused IP address is connected to the network and the case where a device using a certain IP address is changed. Also in the third embodiment, the actuator 1 may be connected to the terminal 2 and the tablet 6 may communicate via the router 5 .

FIG. 15 is a diagram illustrating an example of processing performed when a new terminal is added. In the initial state of FIG. 15, it is assumed that the detection device 20 holds the state information 44-3 by the processing described with reference to FIG. However, in the third embodiment, the generation processing unit 31 does not perform processing for transmitting an ARP request to the IP address set in State 1. FIG.

Assume that the terminal 2c is then connected to the network. Assume that the IP address=192.168.10.24 is assigned to the terminal 2c. Terminal 2c transmits an ARP request by GARP in order to confirm whether the assigned IP address is being used by another device (arrow A71). Since the ARP request is broadcast, the receiver 23 of the detection device 20 can receive the ARP request by GARP from the terminal 2c.

The OS identification unit 32 transmits an ARP request to the transmission source IP address recorded in the ARP request by GARP, and stores the information of the transmission source MAC address recorded in the ARP reply from the terminal 2c in the ARP table 43. to record. The state update processing unit 33 sets state 2 to the IP address used by the source of the ARP request, and records the source MAC address in the ARP request in the state information 44 . Then, the state information 44-3 is updated as indicated by the state information 44-11.

FIG. 16 is a diagram illustrating an example of processing performed when a terminal is changed. FIG. 16 illustrates an example in which the terminal 2b is changed to the terminal 2f immediately after the state information 44-11 is obtained.

Assume that the IP address=192.168.10.23 is assigned to the terminal 2f. Then, the terminal 2f broadcasts an ARP request by GARP in order to confirm whether the assigned IP address is being used by another device. Therefore, the receiving unit 23 of the detection device 20 can receive an ARP request by GARP from the terminal 2f.

The OS identification unit 32 transmits an ARP request to the transmission source IP address recorded in the ARP request by GARP. The state update processing unit 33 determines that the combination of the source IP address and source MAC address information recorded in the ARP reply from the terminal 2f is not included in the state information 44-11. Then, the state update processing unit 33 updates the state corresponding to the source IP address recorded in the ARP reply to state 2, and updates the state information 44 using the source MAC address in the ARP request. Therefore, the state information 44-11 is updated to the state information 44-12.

It has been described with reference to FIGS. 15 and 16 that when a new device is connected to the network, state 2 is set for the IP address used by the newly connected device. Also in the third embodiment, the same processing as the processing described with reference to FIG. 11 is performed for the IP address set in State 2. FIG. Therefore, the generation processing unit 31 transmits a PING request to each IP address set in state 2 in the state information 44-12. Subsequent processing is the same as in the second embodiment. For this reason, the address information of the detection device 20 is recorded in the ARP table 4 held by the terminal 2c or the terminal 2f, which is the transmission source of the ARP request by GARP. Furthermore, in order to maintain the communication record with the terminal 2c, the generation processing unit 31 updates the IP address used by the terminal 2c for each time interval associated with the OS used by the terminal 2c. ARP request transmission processing. Through similar processing, the detection device 20 also maintains the communication record with the terminal 2f.

FIG. 17 is a flowchart illustrating an example of a detection method according to the third embodiment; The generation processing unit 31 uses the transmission unit 22 to transmit an ARP request for the IP address to be processed (step S31). The OS identification unit 32 determines whether an ARP reply has been received (step S32). If the ARP reply has not been received, the state update processing unit 33 sets the IP address inquired by the ARP request to state 1 (No in step S32). Further, the generation processing unit 31 waits until an ARP request by GARP for the IP address set in state 1 is received (No in step S34). If it is determined in step S34 that an ARP request based on GARP has been received, the processing after step S33 is performed (Yes in step S34).

When the ARP reply is received, the state update processing unit 33 sets the IP address of the transmission source of the ARP reply to state 2 and records the MAC address of the transmission source of the ARP reply in the state information 44 . Further, the generation processing unit 31 transmits a PING request to the transmission source of the ARP reply (Yes in step S32, step S33). The processing performed in steps S35 to S37 is the same as steps S15 to S17 described with reference to FIG. The state update processing unit 33 sets the IP address targeted for the processing in step S36 or S37 to state 3 . Furthermore, after transmitting the ARP request, the generation processing unit 31 sets the timer table 42 according to the timer setting value associated with the OS of the device using the IP address that is the target of address resolution in the ARP request. (Step S38). The OS identification unit 32 determines whether an ARP reply has been received (step S39).

If it is determined in step S39 that the ARP reply has not been received, the processing after step S34 is performed (No in step S39). It should be noted that the case where the determination in step S39 is No is, for example, the case where the device using the IP address inquired by the ARP request is disconnected from the network.

On the other hand, when determining that an ARP reply has been received in step S39, the state update processing unit 33 determines whether an ARP request by GARP has been received for the IP address to be processed (Yes in step S39, step S40). When an ARP request based on GARP is received, the source of the ARP request based on GARP is newly connected to the network. Therefore, the device using the source IP address of the ARP request by GARP has been changed since the state information 44 was last updated. Therefore, the processing after step S33 is performed (Yes in step S40).

If the ARP request by GARP has not been received, the device using the IP address to be processed has not been changed since the state information 44 was last updated (No in step S40). Therefore, the generation processing unit 31 determines whether the timer set in association with the OS of the device using the IP address to be processed has expired (step S41). If the timer has not expired, the process after step S40 is performed (No in step S41). On the other hand, if the timer has expired, the processing after step S38 is repeated in order to maintain the communication record with the device using the IP address to be processed (Yes in step S41).

Thus, in the third embodiment, GARP can be used to detect when a device using an unused IP address is connected to the network or when a device using a certain IP address is changed. can be done. Therefore, in the third embodiment, the detection device 20 does not have to send an ARP request to detect the start of use of an unused IP address. Therefore, in the third embodiment, it is possible to reduce the processing load of the detection device 20 more than in the second embodiment.

<Others>
Note that the embodiment is not limited to the above, and various modifications are possible. Some examples are given below.

The frames and tables illustrated in the above description are examples, and the information elements included in the frames and tables may be changed according to implementation. For example, in the third embodiment, GARP is used to detect device changes and the like, and each IP address is handled, so MAC address changes are not monitored. It doesn't have to be. Furthermore, in the second embodiment as well, if the processing is modified so that the state update processing unit 33 accesses both the ARP table 43 and the state information 44, the state information 44 does not have to include the MAC address. . Also, the state information 44 may hold blanks when corresponding to state 0 instead of recording state 0 as described in the second embodiment.

In the second embodiment, even when MAC addresses are compared with each other, the MAC addresses may be compressed and recorded to such an extent that address comparison is not hindered. In this case, the memory capacity used for the table can be reduced. Furthermore, OS information and the like in the table may be coded as appropriate.

In the above description, the transmission cycle of transmission frames is measured using the remaining time until the timer expires in the timer table 42, but the detection device 20 may have a timer as hardware. In this case, the detecting device 20 does not have to include the timer table 42 because the timer expiration for each IP address can be measured by a hardware timer.

In the above description, it is assumed that a Linux-based OS is used at the destination of the PING request when the detection device 20 does not receive a PING reply within a predetermined period of time, but this is only an example. do not have. The type of OS used for assumptions can be changed according to the setting implementation of the timer setting value table 41 . The OS that is assumed to be used by the device to which the PING request is directed may be the OS with the smallest timer setting value in the timer setting value table 41 .

In the third embodiment, the case where the GARP message is an ARP request has been described as an example, but this is only an example. The GARP message may be a message other than an ARP request depending on the implementation, as long as it is a message for notifying the IP address used by a certain device.

1 actuator 2 terminal 4, 43 ARP table 5 router 6 tablet 7 worm 10, 20 detector 21 communication unit 22 transmission unit 23 reception unit 30 control unit 31 generation processing unit 32 OS identification unit 33 state update processing unit 40 storage unit 41 timer Set value table 42 Timer table 44 State information 101 Processor 102 Memory 103 Bus 104 Network connection device

Claims (9)

Transmission of a request frame requesting transmission of a response frame containing parameters associated with the type of operating system used by each of one or more communication devices used in the network. Department and
a control unit that performs control for transmitting a transmission frame to a transmission source of the response frame at a cycle corresponding to the operating system specified from the received response frame;
A detection device, comprising: a detection unit that detects malware included in access from any one of the one or more communication devices. The transmitting unit transmits an address resolution request for each of one or more IP addresses that may be in use in the network;
The detection device according to claim 1, wherein, when receiving an address resolution response that responds to the address resolution request, the control unit identifies the transmission source of the address resolution response as the one or more communication devices. . The control unit
obtaining the first MAC address notified in the address resolution response from the communication device using the target IP address to be processed;
generating another address resolution request inquiring the MAC address of a device using the target IP address as the transmission frame addressed to the target IP address;
To transmit another request frame addressed to the target IP address when a second MAC address different from the first MAC address is included in another address resolution response in response to the other address resolution request. control the
2. The cycle of transmitting the transmission frame to the target IP address is updated according to the operating system identified using the parameter in the other response frame responding to the other request frame. The detection device according to . The control unit causes the transmission unit to transmit the address resolution request at predetermined time intervals to an IP address that has not received the address resolution response among the one or more IP addresses. The detection device according to claim 2 or 3. further comprising a receiving unit that receives frames from the network;
When the reception frame received by the reception unit is a notification frame for notifying an IP address used by the transmission source of the reception frame, the control unit determines that the transmission source of the notification frame is the one or more communication devices. The detection device according to claim 1, characterized in that: The control unit
after receiving the notification frame from the communication device using the target IP address to be processed, performing control for transmitting another request frame addressed to the target IP address;
Updating a period for transmitting the transmission frame addressed to the target IP address according to the operating system identified using the parameter in the other response frame responding to the other request frame. Item 6. The detection device according to item 5. 7. The control unit according to any one of claims 1 to 6, wherein the control unit sets a cycle for transmitting the transmission frame to a cycle equal to or less than a time interval for updating the communication history by the specified operating system. detection device. sending a request frame to each of one or more communication devices used in the network, requesting transmission of a response frame containing parameters associated with the type of operating system used by the communication device;
transmitting a transmission frame to the transmission source of the response frame at a cycle corresponding to the operating system specified from the received response frame;
A detection method, wherein a computer executes a process of detecting malware included in access from any one of the one or more communication devices. sending a request frame to each of one or more communication devices used in the network, requesting transmission of a response frame containing parameters associated with the type of operating system used by the communication device;
transmitting a transmission frame to the transmission source of the response frame at a cycle corresponding to the operating system specified from the received response frame;
A detection program that causes a computer to execute a process of detecting malware included in access from any one of the one or more communication devices.

Images