WO2005050935A1 - Intrusion detection device and method - Google Patents
Intrusion detection device and method
- Publication number: WO2005050935A1 (PCT application PCT/JP2004/014370)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- packet
- unauthorized access
- data segment
- intrusion detection
- unit
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
Definitions
- The present invention relates to an intrusion detection device, and a method for it, that improves data security in a network that is connected to, and exchanges data with, an external network such as the Internet.
- The packet transfer device described in Patent Document 1 has a packet receiving unit and a packet sending unit connected to different network segments, a packet identifier adding mechanism that adds an identifier to each received packet, a packet holding queue that temporarily holds packets to which an identifier has been added, a sent packet holding mechanism that holds already-sent packets for reference when an analysis needs several packets, and a packet analysis mechanism that determines whether a received packet is related to unauthorized access.
- A packet received by the packet receiving unit and given an identifier by the packet identifier adding mechanism is stored in the packet holding queue, passed to the packet analysis mechanism, and, at the same time as it is sent, placed in the sent packet holding mechanism.
- The packet analysis mechanism refers to the received packet and to the packets sent before it that are held in the sent packet holding mechanism to determine whether the received packet is related to unauthorized access; if it is, the packet is discarded, otherwise it is transferred.
- Packets in the sent packet holding mechanism are discarded after a set period of time has elapsed or, when a preset data volume is exceeded, the excess is discarded in order of arrival.
- The intrusion detection device described in Patent Document 2 determines whether a received packet is illegitimate by analyzing whether a certain number of packets or more have been detected within a certain period of time.
- Patent Document 1: JP 2002-63084 A
- Patent Document 2: JP 2002-73433 A
- In TCP/IP communication, control packets other than user data are also transmitted and received, such as the messages exchanged when a connection is established or closed and the acknowledgements indicating that a packet or data has reached the other side. As a result, the volume of control packets, and not only of user data, increases.
- In the prior art, every received packet is held in the sent packet holding mechanism until a certain period of time has passed or until a specific data volume is exceeded.
- Because control packets occupy that space, fewer user data packets can be held, and the accuracy of unauthorized access detection that refers to already-sent packets is reduced.
- Because extra data is retained, the time required to find a related packet when referring to already-sent packets increases, and the overhead of intrusion detection grows.
- The present invention was made in view of the above. For the analysis of unauthorized access in TCP/IP packets that must be assembled with the packets sent before and after them from another information terminal, its object is to provide an intrusion detection device and method that retain packets efficiently and improve the accuracy of detecting unauthorized access that requires packet assembly.
- The present invention provides an intrusion detection device placed between a network and an external network to detect unauthorized intrusion into the devices connected to the network. It comprises:
- a segment holding means that temporarily holds a copy of the data segment contained in each received packet, associated with predetermined session information contained in the packet;
- a data segment assembling means that, once a payload of a predetermined size or more has been received for one session, assembles the held data segments that have the same session information; and
- an unauthorized access analysis means that analyzes whether the data segment in the received packet, or the assembled data segment, contains unauthorized access, discards the packet containing the data segment that was received when the payload size was reached if it does, and transmits only normal packets to the devices connected to the network.
- In other words, a copy of the data segment in each packet received from the external network is held; when the total size of the held copies after assembly becomes larger than the payload size, the held packets are taken out and assembled, the data segment in the received packet or the assembled data segment is analyzed for unauthorized access, and the held packets are then discarded. The packets are therefore held efficiently.
- FIG. 1 is a block diagram showing a configuration of a first embodiment of an intrusion detection device according to the present invention.
- FIG. 2 is a block diagram showing a configuration of a system in which an intrusion detection device according to the present invention is incorporated.
- FIG. 3 shows an example of a code used for pattern matching in an unauthorized access analysis method.
- FIG. 4 is a diagram for explaining a method of determining whether or not the total size of a packet exceeds the payload size.
- FIG. 5 is a flowchart showing a processing procedure of an intrusion detection method according to the first embodiment.
- FIG. 6 is a block diagram showing a configuration of an intrusion detection device according to Embodiment 2 of the present invention.
- FIG. 7 is a diagram for explaining a method of adding a reserved payload to a packet.
- FIG. 8 is a flowchart illustrating a processing procedure of an intrusion detection method according to the second embodiment.
- FIG. 9 shows a configuration of a third embodiment of an intrusion detection device according to the present invention.
- FIG. 10 is a diagram showing a configuration of an intrusion detection device according to a fourth embodiment of the present invention.
- FIG. 11 is a flowchart illustrating a processing procedure of an intrusion detection method according to the fourth embodiment.
- FIG. 12 is a diagram showing a configuration of a fifth embodiment of an intrusion detection device according to the present invention.
- FIG. 2 is a block diagram showing a configuration of a network system in which this intrusion detection device is used.
- As shown in FIG. 2, the intrusion detection device 1 is connected between the Internet 30, to which a terminal C23 such as another personal computer is connected, and a network 20 such as a LAN (Local Area Network) that is connected to the Internet 30.
- the terminal A21 and the terminal B22 are connected to the network 20.
- the terminal A21 and the terminal B22 in the network 20 are devices capable of transmitting and receiving information, for example, an information terminal such as a personal computer.
- FIG. 2 shows two terminals 21 and 22 connected to the network 20, but the number of terminals is not limited to two.
- The intrusion detection device 1 comprises a reception control unit 2 that receives packets sent from a terminal such as terminal C23 on the Internet 30, outside the network 20, to terminals such as terminal A21 and terminal B22 in the network 20; a transmission control unit 3 that sends packets to those terminals in the network 20; a protocol determination unit 4 that determines the destination and protocol of received packets; a reassembly data holding unit 5 that holds IP-fragmented packets; a segment processing unit 10 that performs predetermined processing on the data segment when the protocol of the packet is TCP (Transmission Control Protocol); an unauthorized access analysis unit 6 that determines whether a received packet includes unauthorized access; and a countermeasure unit 7 that performs a predetermined countermeasure when the unauthorized access analysis unit 6 detects an abnormality.
- Here, a data segment is the data transmitted to the other party in TCP communication, specifically the data portion of a packet excluding the TCP header.
- The protocol determination unit 4 is connected to the reception control unit 2, the reassembly data holding unit 5 and the segment processing unit 10; the segment processing unit 10 is connected to the protocol determination unit 4, the unauthorized access analysis unit 6 and the transmission control unit 3; and the countermeasure unit 7 is connected to the unauthorized access analysis unit 6 and the transmission control unit 3.
- Reception control unit 2 receives a packet from external terminal C23 connected to Internet 30, and transmission control unit 3 transmits the received packet to predetermined terminals 21 and 22 in network 20. Therefore, in FIG. 2, the Internet 30 side of the intrusion detection device 1 is connected to the reception control unit 2, and the network 20 side of the intrusion detection device 1 is connected to the transmission control unit 3.
- the protocol determining unit 4 has a function of analyzing a header of a received or assembled packet and determining a destination, a source address, and a protocol, in addition to a function of assembling a plurality of IP fragmented packets.
- The protocol is determined by analyzing the IP header of the packet. For example, in an IPv4 packet the "destination address" is a 32-bit field holding the destination IP address and the "source address" is a 32-bit field holding the source IP address of the packet; from the header fields the destination and the protocol of the packet can be determined.
- The packet assembling function of the protocol determination unit 4 analyzes the header in the same way as in the protocol determination above to decide whether the received packet has been IP-fragmented, and assembles the packet when it has. Specifically, for an IPv4 packet, the 16-bit "ID" (identification) field of the header, which is set when a packet is fragmented and is used to restore the fragmented packet, is analyzed to determine whether the packet is an IP fragment.
- the protocol determining means and the packet assembling means in the claims correspond to the protocol determining unit 4.
- the reassembled data holding unit 5 has a function of holding a packet until all packets arrive when a received packet is fragmented by IP. When all the packets have arrived, these packets are passed to the protocol decision unit 4.
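The header analysis and fragment reassembly performed by the protocol determination unit 4 and the reassembly data holding unit 5, written out as an added Python example (this is not code from the patent). It reads the IPv4 destination address, source address, protocol and identification fields with the standard `struct` module, treats a packet as a fragment when the More Fragments flag is set or the fragment offset is non-zero, and holds fragments keyed by (source, destination, ID, protocol) until the data is contiguous. The sample packets are constructed inline; their header checksum is left at zero, which is an assumption of the example, as is the choice of sample addresses.

```python
import socket
import struct
from typing import Dict, Optional, Tuple

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
MF_FLAG = 0x2000          # "More Fragments" bit in the flags/offset field
OFFSET_MASK = 0x1FFF      # fragment offset, in units of 8 bytes


def parse_ipv4(pkt: bytes) -> dict:
    """Read the fixed 20-byte IPv4 header and return the fields the
    protocol determination unit needs, plus the payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": socket.inet_ntoa(src),        # 32-bit source address
        "dst": socket.inet_ntoa(dst),        # 32-bit destination address
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "id": ident,                         # 16-bit identification field
        "mf": bool(flags_off & MF_FLAG),
        "offset": (flags_off & OFFSET_MASK) * 8,
        "payload": pkt[ihl:total_len],
    }


def is_fragment(hdr: dict) -> bool:
    """A packet is an IP fragment if more fragments follow or it is not the first."""
    return hdr["mf"] or hdr["offset"] > 0


class ReassemblyHolder:
    """Models reassembly data holding unit 5: fragments are held per
    (src, dst, id, proto) and released only when the whole datagram is present."""

    def __init__(self) -> None:
        self._held: Dict[Tuple[str, str, int, str], dict] = {}

    def add(self, hdr: dict) -> Optional[bytes]:
        key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
        entry = self._held.setdefault(key, {"frags": {}, "total": None})
        entry["frags"][hdr["offset"]] = hdr["payload"]
        if not hdr["mf"]:                      # the last fragment fixes the total length
            entry["total"] = hdr["offset"] + len(hdr["payload"])
        if entry["total"] is None:
            return None
        pos = 0                                # check that the fragments are contiguous
        for off in sorted(entry["frags"]):
            if off != pos:
                return None                    # gap (or overlap): keep holding
            pos += len(entry["frags"][off])
        if pos != entry["total"]:
            return None
        del self._held[key]                    # held data is deleted once assembled
        return b"".join(entry["frags"][off] for off in sorted(entry["frags"]))

    def pending(self) -> int:
        return len(self._held)


def build_ipv4(src: str, dst: str, ident: int, proto: int,
               offset: int, more: bool, payload: bytes) -> bytes:
    """Construct a sample IPv4 packet (checksum left at 0: assumption of the example)."""
    assert offset % 8 == 0
    flags_off = (MF_FLAG if more else 0) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def demo() -> dict:
    """Two fragments of one TCP datagram arriving out of order, plus an unfragmented ICMP packet."""
    holder = ReassemblyHolder()
    data = b"A" * 16 + b"B" * 24
    frag1 = build_ipv4("203.0.113.5", "192.0.2.10", 0x1234, 6, 0, True, data[:16])
    frag2 = build_ipv4("203.0.113.5", "192.0.2.10", 0x1234, 6, 16, False, data[16:])
    whole = build_ipv4("203.0.113.5", "192.0.2.10", 0x1235, 1, 0, False, b"ping")
    first = holder.add(parse_ipv4(frag2))      # last fragment arrives first: still incomplete
    second = holder.add(parse_ipv4(frag1))     # now contiguous: the datagram is released
    return {"after_frag2": first, "after_frag1": second,
            "whole_is_fragment": is_fragment(parse_ipv4(whole)),
            "whole_proto": parse_ipv4(whole)["proto"], "pending": holder.pending()}


if __name__ == "__main__":
    print(demo())
```

The holder returns nothing until a fragment without the More Fragments flag has fixed the total length and every byte up to it is covered, so reordered fragments are tolerated; an overlapping or duplicated fragment is simply kept pending, which is the conservative choice for an inline device.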
- The segment processing unit 10 has a segment holding unit 13 that holds the packets sent from the protocol determination unit 4; a payload size determination unit 12 that checks the total size of the packets held by the segment holding unit 13 and determines whether it exceeds the payload size; a segment assembling unit 11 that assembles the data segments when the protocol of the received packet is TCP; and a line feed code determination unit 14 that determines whether a line feed code is included in the data segment.
- the segment assembling unit 11 has a function of assembling a packet received from another terminal C23 or the like using TCP.
- Data transmitted to a communication partner over TCP is called a segment (in this specification, a data segment), and one data segment may be divided across several packets.
- The receiving terminal that processes this data recognizes a command correctly only after assembling the divided data segments and putting them in the right order. To analyze for unauthorized access, the intrusion detection device 1 must therefore assemble the divided data segments in the same way as the receiving terminal and recognize the command correctly. The segment assembling unit 11 consequently needs a function to assemble packets received over TCP.
- The segment assembling unit 11 identifies the destination address, source address, destination port number and source port number of a packet, determines whether a data segment belonging to that session has been divided and transmitted, and assembles the packets (data segments) that have the same session information.
- The segment holding unit 13 holds the packets sent from the protocol determination unit 4 until their total size after assembly (the total size of the data segments) exceeds the payload size.
- The payload size is the reference value for deciding whether to run an unauthorized access search, and is set in advance in the payload size determination unit 12.
- When the total size of the held packets and the packet newly sent from the protocol determination unit 4, after assembly, is smaller than the predetermined payload size, and the line feed code determination unit 14 determines that the new packet contains no line feed code, the segment holding unit 13 additionally holds a copy of the new packet.
- The original of the packet newly sent to the segment holding unit 13 is transmitted to the terminal with the specified destination address.
- When the line feed code determination unit 14 determines that the new packet contains a line feed code, or when the total size exceeds the payload size, the segment holding unit 13 sends copies of the packets held so far and of the new packet to the segment assembling unit 11, then keeps only the original of the new packet and erases the packets held up to that point. That original is transmitted to the terminal with the designated destination address once the analysis finds no unauthorized access.
- the retained data segment is managed by being associated with session information such as a destination address, a source address, a destination port number, and a source port number of a packet.
- The payload size determination unit 12 checks the total size of the packets held in the segment holding unit 13 and the packet newly sent from the protocol determination unit 4, and determines whether that total exceeds the payload size.
- In this embodiment the payload size is 460 bytes. When the total size exceeds 460 bytes, the unauthorized access analysis unit 6 searches for unauthorized access. When it does not, whether the unauthorized access analysis unit 6 runs the search is decided from the result of the line feed code determination unit 14. The total size is always calculated after the data segments have been assembled.
- the line feed code determining unit 14 has a function of determining whether a line feed code is included in a packet.
- The line feed code is transmitted from terminal C23 when input of data at terminal C23 is complete and the command in that data is to be executed. If the command contains unauthorized access, that access may be executed on the destination terminal, such as terminal A21 or terminal B22. For this reason, when the total size of the packets held in the segment holding unit 13 and the packet newly sent from the protocol determination unit 4 exceeds the payload size, or when the new packet contains a line feed code, the unauthorized access analysis unit 6 of the intrusion detection device 1 analyzes whether the packets contain unauthorized access.
- The unauthorized access analysis unit 6 determines whether a received packet includes unauthorized access and discards the packet if it does. The determination is based on the request source address and on the data, commands, access frequency and so on in the packet. It may also be made by pattern matching, that is, by detecting whether a predetermined character string or code is included in the packet. A packet is discarded by deleting the original of the packet newly sent from the protocol determination unit 4 and held by the segment holding unit 13.
- the countermeasure unit 7 has a function of performing a countermeasure when the unauthorized access analysis unit 6 detects an abnormality.
- a countermeasure for example, when an unauthorized access is detected in a received packet, an e-mail indicating that the unauthorized access has been made can be transmitted to a network administrator. The network administrator may be notified of unauthorized access via a mobile phone or pager.
- FIG. 3 shows an example of a code used for pattern matching. By detecting whether a data segment contains such a character string or code, the unauthorized access analysis unit 6 can determine that it is unauthorized access. This determination method is only an example; any unauthorized access detection method known in the related art can be executed by the unauthorized access analysis unit 6.
- FIG. 4 illustrates how the payload size determination unit 12 decides whether the total size of the packets held in the segment holding unit 13 and the packet newly sent from the protocol determination unit 4 exceeds the payload size.
- FIG. 4 shows the payload size set to 460 bytes and packets P1, P2, P3, P4 and P5, each 100 bytes in size after assembly (data segment), being assembled.
- The packets are assumed to arrive in the order P1, P2, P3, P4, P5, and none of P1 to P5 contains a line feed code.
- The packets are sent to the segment holding unit 13 in the order P1, P2, P3, P4, P5.
- First, the packet P1 received by the reception control unit 2 is sent to the segment processing unit 10 via the protocol determination unit 4.
- Nothing is yet held in the segment holding unit 13, so the total size after assembly of the held packets and the packet P1 newly sent from the protocol determination unit 4 is 100 bytes, which is smaller than the payload size of 460 bytes.
- The payload size determination unit 12 therefore determines that the total size does not exceed the payload size, and the line feed code determination unit 14 then determines whether the packet P1 contains a line feed code.
- Since the packet P1 contains no line feed code, a copy of P1 is held by the segment holding unit 13, and the original of P1 is transmitted from the transmission control unit 3 to the terminal with the destination address stored in the header.
- Next, the packet P2 received by the reception control unit 2 is sent to the segment processing unit 10 via the protocol determination unit 4.
- The packet P1 held by the segment holding unit 13 is 100 bytes and the packet P2 newly sent from the protocol determination unit 4 is 100 bytes, so their total size after assembly is 200 bytes, which is smaller than the payload size of 460 bytes.
- The payload size determination unit 12 therefore determines that the total size does not exceed the payload size.
- The line feed code determination unit 14 then determines whether the packet P2 contains a line feed code.
- Since the packet P2 contains no line feed code, a copy of P2 is additionally held by the segment holding unit 13, and the original of P2 is transmitted.
- the same processing is performed for the packets P3 and P4, and the packets P1 to P4 are sequentially stored in the segment storage unit 13 as shown in FIG.
- Finally, the packet P5 received by the reception control unit 2 is sent to the segment processing unit 10 via the protocol determination unit 4.
- The packets P1 to P4 held by the segment holding unit 13 total 400 bytes, and the packet P5 newly sent from the protocol determination unit 4 is 100 bytes, so the total size of the held packets P1 to P4 and the new packet P5 is 500 bytes, which is larger than the payload size of 460 bytes.
- The payload size determination unit 12 therefore determines that the total size exceeds the payload size, and copies of the packets P1 to P4 in the segment holding unit 13 and of the packet P5 are sent to the segment assembling unit 11. At this point the segment holding unit 13 erases the packets P1 to P4 and holds only the original of the packet P5. If the unauthorized access analysis unit 6 then detects no unauthorized access, the original of P5 is sent from the segment assembling unit 11 to the transmission control unit 3; if unauthorized access is detected, the packet P5 is discarded.
- FIG. 5 shows the processing procedure of the intrusion detection method of the first embodiment. When the terminal C23 accesses the terminals 21 and 22 in the network 20, packets are transmitted from the terminal C23 to those terminals.
- the intrusion detection device 1 receives packets (data) for the terminals 21 and 22 in the network 20 from the reception control unit 2 (step S10).
- The reception control unit 2 passes the received packet to the protocol determination unit 4, which reads the packet header and determines whether the packet has been IP-fragmented (step S20). If it has (Yes in step S20), the protocol determination unit 4 refers to the reassembly data holding unit 5 and determines whether all the IP-fragmented packets have arrived, that is, whether reassembly is complete because the received packet is the last fragment (step S30).
- If not all of the IP-fragmented packets have yet arrived (No in step S30), a copy of the received packet is held in the reassembly data holding unit 5 (step S40) and the original is sent to the segment processing unit 10. Then, as described later, when the unauthorized access analysis unit 6 determines that there is no unauthorized access, the original packet is transmitted from the transmission control unit 3 (step S45), and the processing is executed again from step S10. A packet that the protocol determination unit 4 identifies from its header as containing the last data segment is not transmitted in step S45.
- If all of the IP-fragmented packets have arrived (Yes in step S30), all the IP fragments stored in the reassembly data holding unit 5 are taken out and assembled in order from the head (step S50). The data held in the reassembly data holding unit 5 is deleted once the packet has been assembled.
- The protocol determination unit 4 then determines whether the protocol type of the received or assembled packet is TCP (step S60).
- If it is TCP (Yes in step S60), the segment holding unit 13 reads the destination address, source address, destination port number and source port number from the packet and identifies the session from their combination (step S70).
- Next, the payload size determination unit 12 checks the total size, after assembly, of the packets already held in the segment holding unit 13 and the packet newly sent from the protocol determination unit 4, and determines whether that total exceeds the payload size (step S80).
- If the total size is smaller than the payload size (No in step S80), the line feed code determination unit 14 determines whether the packet contains a line feed code (step S90).
- If the packet contains no line feed code (No in step S90), a copy of the packet newly sent from the protocol determination unit 4 is held in the segment holding unit 13 (step S95), the original of that packet is transmitted from the transmission control unit 3 to the terminal with the destination address stored in the header (step S100), and the processing is executed again from step S10.
- If the packet contains a line feed code (Yes in step S90), or if the total size of the packets already held in the segment holding unit 13 and the packet newly sent from the protocol determination unit 4 exceeds the payload size (Yes in step S80), the segment assembling unit 11 takes the new packet from the protocol determination unit 4 and the packets held by the segment holding unit 13 and assembles the divided data segments (step S110). The assembled data segment is managed under the same session information as the data segments it was assembled from. Only the newly sent packet then remains held in the segment holding unit 13; the other packets held there are deleted.
- When the protocol type determined in step S60 is not TCP (No in step S60), for example ICMP (Internet Control Message Protocol), the received packet is passed on as it is.
- The assembled data segment, or the non-TCP packet, is passed to the unauthorized access analysis unit 6.
- The unauthorized access analysis unit 6 analyzes whether the packet or the assembled data segment includes unauthorized access, using an unauthorized access analysis method such as pattern matching (step S120).
- If the packet or the assembled data segment includes unauthorized access (Yes in step S120), the received packet is discarded when the protocol type is other than TCP, and the held packet is discarded when the protocol type is TCP (step S140). The countermeasure unit 7 then sends an e-mail to the network administrator reporting the unauthorized access and notifies the abnormality (step S150). If no unauthorized access is included in the packet or the assembled data segment (No in step S120), the packet held in the segment holding unit 13, that is, the one sent immediately before the unauthorized access analysis, is transmitted from the transmission control unit 3 (step S130). The process then returns to step S10 to continue monitoring the data accessing the network 20 from outside.
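The procedure of steps S70 to S140 (session lookup, payload size check, line feed check, assembly of the held copies, pattern matching and the forward/discard decision), as an added Python example that is not code from the patent. It replays the FIG. 4 scenario and then two cases the figure does not show: a signature split across two packets that is only visible after assembly, and a line feed code triggering the analysis before the 460-byte payload size is reached. The signature strings stand in for the matching code of FIG. 3 and the addresses and ports are constructed; both are assumptions of the example. After an analysis the held copies of that session are cleared, following the statement above that only the newly sent packet remains held.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAYLOAD_SIZE = 460                  # reference size used in the embodiment
LINE_FEED = b"\n"
# Constructed stand-ins for the matching code of FIG. 3 (assumption of the example)
SIGNATURES = (b"/etc/passwd", b"../../")


@dataclass(frozen=True)
class Packet:
    """A TCP packet reduced to its session 4-tuple and its data segment."""
    src: str
    dst: str
    sport: int
    dport: int
    data: bytes

    @property
    def session(self) -> Tuple[str, str, int, int]:
        return (self.src, self.dst, self.sport, self.dport)


class SegmentProcessor:
    """Models segment holding unit 13, payload size determination unit 12,
    line feed code determination unit 14, segment assembling unit 11 and
    unauthorized access analysis unit 6 (steps S70 to S140)."""

    def __init__(self, payload_size: int = PAYLOAD_SIZE,
                 signatures: Tuple[bytes, ...] = SIGNATURES) -> None:
        self.payload_size = payload_size
        self.signatures = signatures
        self._held: Dict[tuple, List[bytes]] = {}   # session -> held data segment copies
        self.forwarded: List[Packet] = []
        self.discarded: List[Packet] = []
        self.analysed: List[bytes] = []             # segments handed to unit 6

    def held_size(self, session: tuple) -> int:
        return sum(len(d) for d in self._held.get(session, []))

    def analyse(self, segment: bytes) -> Optional[bytes]:
        """Unit 6: pattern matching; returns the matching signature or None."""
        self.analysed.append(segment)
        return next((s for s in self.signatures if s in segment), None)

    def receive(self, pkt: Packet) -> str:
        """Steps S70 to S140 for one packet; returns what happened to its original."""
        held = self._held.setdefault(pkt.session, [])       # S70: session lookup
        total = sum(len(d) for d in held) + len(pkt.data)    # S80: size after assembly
        if total < self.payload_size and LINE_FEED not in pkt.data:   # S80 / S90
            held.append(pkt.data)          # S95: keep a copy in unit 13
            self.forwarded.append(pkt)     # S100: forward the original at once
            return "forwarded"
        assembled = b"".join(held) + pkt.data   # S110: unit 11 assembles the held copies
        self._held[pkt.session] = []            # earlier copies are erased
        if self.analyse(assembled) is not None:             # S120
            self.discarded.append(pkt)     # S140: only the triggering packet is still here
            return "discarded"
        self.forwarded.append(pkt)         # S130
        return "forwarded"


def run_fig4() -> Tuple[List[str], int]:
    """Five 100-byte packets without a line feed (FIG. 4): analysis fires at P5."""
    proc = SegmentProcessor()
    results = [proc.receive(Packet("203.0.113.5", "192.0.2.10", 40000, 80, b"A" * 100))
               for _ in range(5)]
    return results, len(proc.analysed[0])


def run_split_signature() -> Tuple[List[str], List[str]]:
    """A signature split across two packets is only found once the segments are assembled.
    Returns (results with the 460-byte trigger, results with a line feed trigger)."""
    def mk(data: bytes) -> Packet:
        return Packet("203.0.113.5", "192.0.2.10", 40001, 80, data)

    proc = SegmentProcessor()
    by_size = [proc.receive(mk(b"A" * 95 + b"/etc/")), proc.receive(mk(b"passwd" + b"A" * 94))]
    by_size += [proc.receive(mk(b"A" * 100)) for _ in range(3)]
    proc = SegmentProcessor()
    by_lf = [proc.receive(mk(b"GET /etc/pa")), proc.receive(mk(b"sswd HTTP/1.0\n"))]
    return by_size, by_lf


if __name__ == "__main__":
    print(run_fig4())
    print(run_split_signature())
```

The split-signature run makes the design's limitation visible: the originals of the first four packets were forwarded at step S100 before the analysis ran, so only the packet received when the threshold was reached is dropped and the administrator is notified; the earlier bytes have already reached the terminal.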
- In the first embodiment, data that does not exceed the payload size is checked for a line feed code. Alternatively, the presence of the URG (urgent) bit in the TCP header of the received packet may be used as the condition for running the analysis.
- As described above, in the first embodiment a copy of the data segment in each packet received from the external network is held by the segment holding unit 13. When the total size of the held packets and the packet newly sent from the protocol determination unit 4 exceeds the payload size, or the new packet contains a line feed code, the held packets are taken out and assembled, the data segment in the received packet or the assembled data segment is analyzed for unauthorized access, and the held packets are then discarded.
- The packets are therefore held efficiently, received data is not lost because the segment holding unit 13 overflows, and the accuracy of detecting TCP/IP unauthorized access that requires packet assembly is improved.
- The overhead of assembling TCP data segments is also reduced, so processing can be carried out at high speed.
- FIG. 6 is a block diagram showing a configuration of a second embodiment of the intrusion detection device according to the present invention.
- This intrusion detection device 1 differs from the configuration of FIG. 1 in the first embodiment in that the segment processing unit 10 is additionally provided with a payload holding unit 15.
- The payload holding unit 15 holds parts of the payload as the reserved payloads 51 and 52 described later.
- The other components are the same as in the first embodiment and their description is omitted.
- FIG. 7 is a diagram for explaining a method of adding a reserved payload to a packet.
- FIG. 7 assumes that packets P11 to P15 have already been assembled and analyzed for unauthorized access, and that packets P16 and P17 have been assembled and are about to be analyzed. Packet P15 and packet P16 are consecutive, that is, the data of P16 follows directly after that of P15. Each of the packets P11, P12, P13, P14, P15, P16 and P17 is 300 bytes in size after assembly (data segment), and a line feed code is included.
- If an unauthorized access pattern extends over the packet P15 and the packet P16, analyzing P15 and P16 separately cannot detect it. If the packet P15 is added to the packet P16 when the unauthorized access of P16 is analyzed, the unauthorized access can be detected.
- Accordingly, after the packets P11 to P15 are assembled and analyzed and found to contain no unauthorized access, the device checks whether packets connected before or after the analyzed packets P11 to P15 exist. Here such packets exist on both sides, so the first 200 bytes and the last 200 bytes of the packets P11 to P15 are retained as the reserved payloads 51 and 52.
- Since the packet P16 follows the packet P15, the reserved payload 52 is added in front of the assembled packets P16 and P17 before they are analyzed for unauthorized access. In this way unauthorized access can be detected even when it extends over several packets.
- The reserved payload 51 is retained for the case where a packet P10 (not shown) precedes the packet P11 but arrives after the packets P11 to P15 have been sent and assembled, so that P10 has not yet been analyzed.
- In that case the unauthorized access analysis of P10 is performed with the reserved payload 51 appended.
- The size of the reserved payloads 51 and 52 is not limited to 200 bytes and can be set as desired by the user of the intrusion detection device 1.
- FIG. 8 is a flowchart showing an intrusion detection method of the intrusion detection device according to the second embodiment.
- The intrusion detection device 1 receives at the reception control unit 2 the packets (data) destined for the terminals 21 and 22 in the network 20; if they are IP fragments, all fragments are held in the reassembly data holding unit 5 and the packet is assembled in order from the head fragment (steps S10 to S50).
- It is then determined whether the protocol type of the received or assembled packet is TCP. If it is TCP and the packet includes a line feed code, or if the total size of the packets already held in the segment holding unit 13 and the packet newly sent from the protocol judgment unit 4 exceeds the payload size, the segment assembling unit 11 takes the held packets out of the segment holding unit 13 and assembles them with the newly sent packet into the divided data segment (steps S60 to S110).
- After the divided data segment has been assembled in the segment assembling unit 11 (step S110), it is checked whether pending payloads 51 and 52 are retained in the payload holding unit 15 (step S200). If the payload holding unit 15 holds pending payload 51 or 52 (Yes in step S200), the segment assembling unit 11 attaches the pending payload 51 or 52 to the assembled data segment (step S210).
- The assembled data segment, or a non-TCP packet, is then passed to the unauthorized access analysis unit 6.
- The unauthorized access analysis unit 6 analyzes whether the packet or the assembled data segment includes unauthorized access, using an unauthorized access analysis method such as pattern matching (step S220).
- If the packet or the assembled data segment includes an unauthorized access (Yes in step S220), the received packet is discarded when the protocol type is other than TCP, and the packet is likewise discarded when the protocol type is TCP (step S260). The countermeasure unit 7 then sends an e-mail to the network administrator indicating that an unauthorized access has occurred, notifying the administrator of the abnormality (step S270).
- If no unauthorized access is found (No in step S220) and there is a packet connected before or after the packet that was analyzed, for example the first 200 bytes and the last 200 bytes of the analyzed packet are held as pending payloads 51 and 52 (step S230).
- The pending payloads 51 and 52 that were added in step S210 are deleted from the payload holding unit 15 (step S240).
- The packet that was held in the segment holding unit 13 immediately before the unauthorized access analysis is transmitted from the transmission control unit 3 (step S250). The process then returns to step S10 to monitor again the data accessing the network 20 from outside.
- If the pending payloads 51 and 52 held in step S230 remain unused, that is, are not added to any data segment, for a predetermined period, they may be deleted.
- In the second embodiment, the unauthorized access analysis is thus performed with portions of a predetermined size of the analyzed packets stored as pending payloads 51 and 52, so that unauthorized access can be detected even when it extends over a plurality of packets.
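Pending-payload handling as described above, as an added example that is not code from the patent: the segment size (300 bytes), the pending payload size (200 bytes) and the step numbers follow the text, while the signature, the offset-based notion of "connected" segments, the age-based expiry and the sample segments are constructed assumptions.

```python
# Added example modelled on the second embodiment (pending payloads 51 and 52, steps
# S200 to S240); not the patent's code. Signature, offset-based "connected" segments,
# the expiry rule and all sample data are assumptions.
from dataclasses import dataclass

SEGMENT_BYTES = 300    # assembled data-segment size in the FIG. 7 example
PENDING_BYTES = 200    # pending payload size; user-configurable per the text
PENDING_MAX_AGE = 5    # analyses after which an unused pending payload is dropped
SIGNATURES = [b"GET /cgi-bin/evil.sh"]   # constructed stand-in for the rule set


@dataclass
class Segment:
    seq: int     # stream offset of the segment's first byte
    data: bytes


def contains_signature(buf: bytes) -> bool:
    """Stand-in for the unauthorized access analysis unit (pattern matching)."""
    return any(sig in buf for sig in SIGNATURES)


class SegmentAnalyzer:
    def __init__(self, pending_bytes=PENDING_BYTES, max_age=PENDING_MAX_AGE):
        self.pending_bytes = pending_bytes
        self.max_age = max_age
        self.tails = {}  # end offset   -> [last bytes, age]  (pending payload 52)
        self.heads = {}  # start offset -> [first bytes, age] (pending payload 51)

    def _expire(self):
        # Drop pending payloads that were never attached within max_age analyses.
        for store in (self.tails, self.heads):
            for key in [k for k, (_, age) in store.items() if age >= self.max_age]:
                del store[key]
            for entry in store.values():
                entry[1] += 1

    def analyze(self, seg: Segment) -> bool:
        """Return True when unauthorized access is detected in seg."""
        start, end = seg.seq, seg.seq + len(seg.data)
        buf = seg.data
        # Steps S200/S210: attach the pending payloads of neighbouring segments;
        # pop() removes them from the holding store once attached (step S240).
        tail = self.tails.pop(start, None)   # predecessor already analyzed
        if tail is not None:
            buf = tail[0] + buf
        head = self.heads.pop(end, None)     # successor already analyzed
        if head is not None:
            buf = buf + head[0]
        if contains_signature(buf):          # step S220
            return True
        # Step S230: segment is clean; keep both edges for neighbours analyzed later.
        n = self.pending_bytes
        self.tails[end] = [seg.data[-n:], 0]
        self.heads[start] = [seg.data[:n], 0]
        self._expire()
        return False


def _segment_body(prefix: bytes, suffix: bytes, fill: bytes) -> bytes:
    """SEGMENT_BYTES of data with one line feed near the middle."""
    middle = SEGMENT_BYTES - len(prefix) - len(suffix) - 1
    return prefix + fill * (middle // 2) + b"\n" + fill * (middle - middle // 2) + suffix


def build_sample_stream():
    """Constructed P11..P17: the signature is split across the P15/P16 boundary."""
    sig, segments = SIGNATURES[0], []
    cut = len(sig) // 2
    for i in range(11, 18):
        if i == 15:
            body = _segment_body(b"", sig[:cut], b"A")
        elif i == 16:
            body = _segment_body(sig[cut:], b"", b"B")
        else:
            body = _segment_body(b"", b"", b"x")
        segments.append(Segment((i - 11) * SEGMENT_BYTES, body))
    return segments


def run(segments, use_pending=True):
    """Analyze segments in arrival order; return the seqs where access was detected."""
    analyzer = SegmentAnalyzer()
    hits = []
    for seg in segments:
        found = analyzer.analyze(seg) if use_pending else contains_signature(seg.data)
        if found:
            hits.append(seg.seq)
    return hits
```

In arrival order the signature is found only when pending payload 52 is attached at P16 (seq 1500); delivering P16 before P15 exercises pending payload 51 instead, and the detection moves to P15 (seq 1200).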
- FIG. 9 is a block diagram showing a configuration of a third embodiment of the intrusion detection device according to the present invention.
- This intrusion detection device 1 is characterized in that a filter unit 60 is provided between the reception control unit 2 and the protocol judging unit 4 of the intrusion detection device 1 of the first embodiment.
- The filter unit 60 registers address information including the source address of a terminal that has transmitted an unauthorized access packet, and has the function of discarding a packet received by the reception control unit 2 when its source address matches the registered address information.
- The address information of the terminal that transmitted the unauthorized access packet is registered from the address information notified by the countermeasure unit 7 based on the results of past unauthorized access analyses.
- the same components as those in the above-described first embodiment are denoted by the same reference numerals, and description thereof is omitted.
- In addition to transmitting an e-mail from the countermeasure unit 7 to the administrator of the network 20 when an unauthorized access is detected, the address information of the source terminal is notified to the filter unit 60, so that a second unauthorized access attempt by the same source terminal is discarded by the filter unit 60.
- the intrusion detection device 1 according to the third embodiment may be provided with a payload holding unit 15 as shown in FIG. 6 of the second embodiment.
- If the intrusion detection device 1 according to the third embodiment is provided with the payload holding unit 15 shown in FIG. 6 of the second embodiment, an unauthorized access can be detected even when it extends over a plurality of packets, and the accuracy of TCP/IP unauthorized access detection that requires packet assembly can be improved.
- In the third embodiment, the address information of a terminal that has made an unauthorized access in the past is registered, so that packets from the terminal that transmitted the unauthorized access can be discarded immediately.
- Since such packets do not consume resources inside the intrusion detection device 1 such as the reassembly data holding unit 5 and the segment holding unit 13, those internal resources can be used for processing packets from another terminal such as terminal C23. Packets can therefore be held efficiently, and the accuracy of TCP/IP unauthorized access detection that requires packet assembly can be increased.
- FIG. 10 is a block diagram illustrating a configuration of an intrusion detection device according to a fourth embodiment of the present invention.
- This intrusion detection device 1 has a configuration in which a processing distribution unit 110 and a plurality of intrusion detection processing units 120 are added to the intrusion detection device 1 of the first embodiment.
- the same components as those in the above-described first embodiment are denoted by the same reference numerals, and description thereof is omitted.
- The intrusion detection processing units 120 consist of a plurality of intrusion detection processing units 120n (n is a natural number), each made up of a segment processing unit 10, an unauthorized access analysis unit 6 and a countermeasure unit 7 as one unit. Each of these intrusion detection processing units 120 has the same functions as the segment processing unit 10, the unauthorized access analysis unit 6 and the countermeasure unit 7 of the first embodiment described above.
- The processing distribution unit 110 has the function of distributing a packet received by the intrusion detection device 1 to one of the intrusion detection processing units 120 with a low operating status, which then performs the unauthorized access analysis of that packet.
- As a method of determining which intrusion detection processing unit 120 has a low operating status, for example, the unit whose unauthorized access analysis unit 6 is processing the fewest packets among the plurality of units can be selected.
- When the protocol is a TCP-based communication protocol, the processing distribution unit 110 distributes data belonging to the same session, identified by the destination address, source address, destination port number and source port number of the received packet, to the same intrusion detection processing unit 120.
- FIG. 11 is a flowchart showing an intrusion detection method of the intrusion detection device according to the fourth embodiment.
- From step S10 to step S60, the same processing as in FIG. 5 of the first embodiment is performed. That is, a packet from terminal C23 is received by the reception control unit 2, and the protocol determination unit 4 determines the protocol type by referring to the header of the received packet or, if the received packet was IP-fragmented, of the reassembled packet.
- Next, the processing distribution unit 110 reads the destination address, source address, destination port number and source port number from the packet, identifies the session from their combination (step S70), and distributes the packet to an intrusion detection processing unit 120 with a low operating status among the plurality of intrusion detection processing units 120 (step S75).
- The processing distribution unit 110 identifies the session from the combination of destination address, source address, destination port number and source port number stored in the packet, and stores the pairing of that session with the intrusion detection processing unit 120 chosen as its distribution destination. When a subsequent packet of the same session is received, the processing distribution unit 110 can therefore distribute it to the same intrusion detection processing unit 120 to which it previously allocated that session's packets.
- From step S80, the same processing as in FIG. 5 of the first embodiment is performed. That is, the total of the size of the packets already held in the segment holding unit 13 and the size of the packet newly sent from the protocol determination unit 4 is checked to determine whether it exceeds the payload size (step S80). If the total size is smaller than the payload size, it is determined whether the packet includes a line feed code (step S90).
- If the packet does not include a line feed code (No in step S90), the packet newly sent from the protocol determination unit 4 is copied and stored in the segment holding unit 13 (step S95), and the original packet is transmitted from the transmission control unit 3 to the terminal having the destination address stored in its header (step S100).
- If the packet includes a line feed code (Yes in step S90), or if in step S80 the total size of the packets already held in the segment holding unit 13 and the packet newly sent from the protocol determination unit 4 exceeds the payload size (Yes in step S80), the segment assembling unit 11 takes the held packets out of the segment holding unit 13 and assembles them with the newly sent packet into the divided data segment (step S110). The assembled data segment is managed by the same session information as the data segments assembled in the segment assembling unit 11, and the packets held in the segment holding unit 13 other than the newly transmitted packet are deleted.
- If in step S60 the protocol type is other than TCP, such as ICMP or UDP, the processing distribution unit 110 distributes the packet to the intrusion detection processing unit 120n with a low operating status among the plurality of intrusion detection processing units 120n (step S115), and the distributed packet is passed to the unauthorized access analysis unit 6n of that unit.
- The unauthorized access analysis unit 6 analyzes whether the packet or the assembled data segment contains unauthorized access, using an unauthorized access analysis method such as pattern matching (step S120).
- Thereafter, from step S130 to step S150, the same processing as in FIG. 5 of the first embodiment is performed.
- That is, the packet that was held immediately before the unauthorized access analysis is transmitted from the transmission control unit 3 (step S130).
- If the packet or the assembled data segment includes unauthorized access, the received packet is discarded when the protocol type is other than TCP, and the packet is likewise discarded when the protocol type is TCP (step S140). The countermeasure unit 7 then sends an e-mail to the network administrator indicating that an unauthorized access has occurred, notifying the abnormality (step S150).
- In the fourth embodiment, a plurality of intrusion detection processing units 120, each including a segment processing unit 10, an unauthorized access analysis unit 6 and a countermeasure unit 7, are provided, so that a plurality of packets can be processed simultaneously and unauthorized access can be detected at high speed.
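Session-aware distribution as described above (steps S70, S75 and S115), as an added example that is not code from the patent: the Packet fields, the use of in-flight packet counts as the "operating status", and the sample traffic are constructed assumptions.

```python
# Added example modelled on the fourth embodiment (processing distribution unit 110,
# steps S70, S75 and S115); not the patent's code. The Packet fields, the use of
# in-flight packet counts as the "operating status" and the sample traffic are assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str    # "TCP", "UDP", "ICMP", ...
    src: str
    dst: str
    sport: int
    dport: int


class ProcessingDistributor:
    """Models processing distribution unit 110 in front of n processing units 120n."""

    def __init__(self, units: int):
        self.in_flight = [0] * units   # packets currently under analysis per unit
        self.session_table = {}        # (src, dst, sport, dport) -> unit index

    def _least_loaded(self) -> int:
        """Unit whose unauthorized access analysis unit 6n holds the fewest packets."""
        return min(range(len(self.in_flight)), key=self.in_flight.__getitem__)

    def dispatch(self, pkt: Packet) -> int:
        """Return the index of the processing unit that receives pkt."""
        if pkt.proto != "TCP":
            # Step S115: no segment assembly is needed, so any lightly loaded unit will do.
            unit = self._least_loaded()
        else:
            # Step S70: identify the session. Step S75: keep it on the unit that already
            # holds its partial segments; splitting a session across units would defeat
            # segment assembly. New sessions go to the least-loaded unit.
            key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
            unit = self.session_table.get(key)
            if unit is None:
                unit = self._least_loaded()
                self.session_table[key] = unit
        self.in_flight[unit] += 1
        return unit

    def done(self, unit: int) -> None:
        """Called when processing unit `unit` finishes analyzing a packet."""
        self.in_flight[unit] -= 1


def demo():
    """Constructed traffic: one TCP session of three segments, a second TCP session
    and two UDP datagrams, dispatched over three processing units."""
    dist = ProcessingDistributor(units=3)
    session_a = [Packet("TCP", "10.0.0.5", "10.0.0.21", 40000, 80) for _ in range(3)]
    session_b = Packet("TCP", "10.0.0.6", "10.0.0.21", 40001, 80)
    dns = Packet("UDP", "10.0.0.7", "10.0.0.22", 5353, 53)
    a_units = [dist.dispatch(p) for p in session_a]   # all on one unit despite its load
    b_unit = dist.dispatch(session_b)                  # new session: least-loaded unit
    udp_units = [dist.dispatch(dns), dist.dispatch(dns)]
    return a_units, b_unit, udp_units, list(dist.in_flight)
```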
- the intrusion detection device 1 may be provided with a payload holding unit 15 as shown in Fig. 6 of the second embodiment.
- The provision of the payload holding unit 15 makes it possible to detect an unauthorized access even when it extends over a plurality of packets, so the accuracy of unauthorized access detection can be improved.
- The intrusion detection device 1 may also be provided with the filter unit 60 shown in FIG. 9 of the third embodiment. In that case, when an unauthorized access is detected and the countermeasure unit 7 transmits its e-mail, the information of the terminal that transmitted the packet containing the unauthorized access is also notified to the filter unit 60 and registered there. A packet whose address matches the registered address information when received by the filter unit 60 can then be discarded, and the resources of the reassembly data holding unit 5 and the segment holding unit 13 of the intrusion detection processing units 120 can be used effectively. Therefore, the accuracy of TCP/IP unauthorized access detection that requires packet assembly can be further improved.
- The intrusion detection device 1 according to the fourth embodiment may also be provided with both the payload holding unit 15 shown in FIG. 6 of the second embodiment and the filter unit 60 shown in FIG. 9 of the third embodiment.
- FIG. 12 is a block diagram showing a configuration of the intrusion detection device according to the fifth embodiment of the present invention.
- This intrusion detection device 1 is characterized in that a detection target search unit 130 is provided between the reception control unit 2 and the protocol determination unit 4 of the intrusion detection device 1 of the first embodiment.
- In the detection target search unit 130, detection target information including, for example, a destination address and an application type is registered as the target of unauthorized access detection. The detection target search unit 130 checks whether the destination address and application type of a packet passed from the reception control unit 2 match the registered destination address and application type and, if they match, has the function of treating the packet as a target of unauthorized access detection and executing the unauthorized access detection processing.
- For example, the destination address "terminal A" and the application type "WWW" are registered in the detection target search unit 130 as the detection target information.
- When the destination address and application type of a packet received by the reception control unit 2 match the registered detection target information, the unauthorized access detection described in the first embodiment is executed. When they do not match, for example for a packet from terminal C23 addressed to terminal B22 that is not registered, the received packet is regarded as not being a target of unauthorized access detection and is transmitted from the transmission control unit 3.
- In the fifth embodiment, a packet that is not a detection target is transmitted immediately, so it does not consume resources inside the intrusion detection device 1 such as the reassembly data holding unit 5 and the segment holding unit 13, and the internal resources can be used for processing the packets that are detection targets. Therefore, packets can be held efficiently and the accuracy of TCP/IP unauthorized access detection that requires packet assembly can be improved.
- The intrusion detection device 1 may further be provided with some or all of the payload holding unit 15 shown in FIG. 6 of the second embodiment, the filter unit 60 shown in FIG. 9 of the third embodiment, and the processing distribution unit 110 and plurality of intrusion detection processing units 120 shown in FIG. 10 of the fourth embodiment.
- The intrusion detection device 1 may be provided with the payload holding unit 15 shown in FIG. 6 of the second embodiment.
- The provision of the payload holding unit 15 makes it possible to detect an unauthorized access even when it extends over a plurality of packets, which improves the accuracy of unauthorized access detection.
- The accuracy of the intrusion detection device 1 in detecting TCP/IP unauthorized access that requires packet assembly can thereby be further improved.
- If the intrusion detection device 1 includes the processing distribution unit 110 and the plurality of intrusion detection processing units 120 shown in FIG. 10 of the fourth embodiment, a plurality of packets are processed simultaneously, so that unauthorized access can be detected at high speed.
- The intrusion detection device and method according to the present invention are suitable for detecting unauthorized access in TCP/IP packets that require assembly of preceding and following packets transmitted from another information terminal.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2005515551A JPWO2005050935A1 (ja) | 2003-11-21 | 2004-09-30 | 侵入検知装置およびその方法 |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2003-391900 | 2003-11-21 | ||
JP2003391900 | 2003-11-21 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2005050935A1 true WO2005050935A1 (ja) | 2005-06-02 |
Family
ID=34616428
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2004/014370 WO2005050935A1 (ja) | 2003-11-21 | 2004-09-30 | 侵入検知装置およびその方法 |
Country Status (2)
Country | Link |
---|---|
JP (1) | JPWO2005050935A1 (ja) |
WO (1) | WO2005050935A1 (ja) |
Also Published As
Publication number | Publication date |
---|---|
JPWO2005050935A1 (ja) | 2007-12-06 |