WO2006043310A1 - Unauthorized access program monitoring processing method, unauthorized access program detection program, and unauthorized access program countermeasure program - Google Patents
Unauthorized access program monitoring processing method, unauthorized access program detection program, and unauthorized access program countermeasure program
- Publication number
- WO2006043310A1 (PCT application PCT/JP2004/015406)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- information
- network
- unauthorized access
- computer
- access program
Classifications
- H04L63/145: Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- G06F21/552: Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- G06F21/566: Computer malware detection or handling; dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- H04L41/085: Retrieval of network configuration; tracking network configuration history
- H04L41/0853: Retrieval of network configuration by actively collecting configuration information or by backing up configuration information
- H04L41/0856: Retrieval of network configuration by backing up or archiving configuration information
- H04L41/0869: Checking the configuration; validating the configuration within one network element
- H04L43/00: Arrangements for monitoring or testing data switching networks
- H04L63/1408: Network security for detecting or protecting against malicious traffic by monitoring network traffic
- G06F2221/2143: Clearing memory, e.g. to prevent the data from being stolen
- H04L41/0213: Standardised network management protocols, e.g. simple network management protocol [SNMP]
- H04L41/046: Network management architectures or arrangements comprising network management agents or mobile agents therefor
- H04L41/06: Management of faults, events, alarms or notifications
Definitions
- The present invention relates to a method and program for detecting and isolating worms on computers and servers connected to a network by using an existing network management technology, for example Simple Network Management Protocol (SNMP), and in particular to technology that prevents damage caused by viruses by detecting and isolating PC virus and worm infections at an early stage.
- Figure 9 shows an example of an unauthorized access program detection/quarantine system.
- Conventionally, unauthorized access programs have been detected and isolated either by installing anti-virus software 902 on each endpoint computer 901 to detect infection or, for networks, by deploying countermeasures against unauthorized access programs on the network itself (see, for example, Non-Patent Document 1).
- The anti-virus software 902 is signature-based: its detection process matches specific binary patterns possessed by an unauthorized access program, so it is effective in detecting known worms.
- Although anti-virus software 902 may have a function for detecting unknown unauthorized access programs and preventing infection, such detection suffers from false positives, and only a few unknown programs can be detected.
- The anti-worm appliance installed in the network is Nodeware 903.
- Nodeware 903 has dedicated hardware for collecting and analyzing all packets flowing on the network; by detecting traffic that targets the network, it determines that an unauthorized access program is operating on the network.
- The anti-worm appliance Nodeware 903 can detect the activity of variants and new types of unauthorized access programs. However, to capture unauthorized access traffic, all traffic on the intranet 906 must be monitored from the mirroring port 905 of the switch or router 904 of each network segment and judged for fraudulence. The processing load on software and hardware therefore becomes heavy, and processing cannot keep up when network traffic increases.
- An object of the present invention is to realize a processing method and program capable of detecting the activity of a fraudulent access program without relying on conventional signature-based anti-virus software on each computer, or on an appliance and dedicated hardware for each network segment.
- A further object of the present invention is to realize a processing method and program capable of isolating a detected unauthorized access program so that the infection does not spread through the program's activity.
- The present invention is a processing method for monitoring the activity of an unauthorized access program in a network. It comprises a management information monitoring process that analyzes the management information of network information collected from a computer or network connection device and detects a change in that management information specific to the activity of an unauthorized access program, and an alert generation process that generates alert information containing the type of device from which the management information related to the detected change was collected and the address information of the device suspected of running the unauthorized access program.
- Network devices installed on a network, and computers that communicate over the network, have a network information management function.
- The present invention uses the network information management information provided by the network information management processing unit that implements this function. It analyzes changes in specific management information caused by the unauthorized transmission and reception of information, that is, changes in the management information of the network information that are specific to the activity of an unauthorized access program, detects signs of activity of an unauthorized access program from a predetermined change, and generates an alert.
- The present invention may further include a management information collecting process that collects the management information of the network information from the computer or the network connection device in real time.
- In the management information monitoring process, the present invention extracts, from the management information collected from the network connection device, error notification information associated with an unknown transmission destination, and detects as the change a state in which the transmitted amount of that error notification information shows a predetermined increasing tendency.
- Alternatively, error notification information associated with an unknown transmission destination is extracted from the management information of the network information collected from the computer, and a state in which the received amount of that error notification information shows a predetermined increasing tendency is detected as the change.
- Alternatively, the amount of information discarded because the transmission destination is unknown is extracted from the management information collected from the network connection device, and a state in which the discarded amount shows a predetermined increasing trend is detected as the change.
- Alternatively, the collected management information is analyzed, and a state in which either the number of endpoints on the computer indicating that connection establishment is in progress or the number of endpoints indicating connection establishment failure shows a predetermined increasing tendency is detected as the change.
- Further, the present invention includes an alert analysis process that analyzes, from the alert information, the type of device from which the management information of the network information related to the detected change was collected and the address information of the computer or network connection device suspected of the activity of the unauthorized access program; a countermeasure instruction generation process that, when the device type is a computer, generates a relay information deletion instruction for the computer specified by the address information and, when the device type is a network connection device, generates a filter setting instruction for the network connection device specified by the address information to block the communication of the unauthorized access program; and a countermeasure instruction process that transmits the relay information deletion instruction or the filter setting instruction.
- The present invention may further include a network configuration management process for managing network configuration information indicating the network configuration, wherein the countermeasure instruction generation process refers to the network configuration information to analyze the address information of the computer or network segment suspected of the activity of the unauthorized access program, or of the network connection device that controls that network segment.
- Accordingly, it can be determined from any computer belonging to any network segment (subnetwork) on a large-scale network whether an unauthorized access program is performing unauthorized communications, and the spread of unauthorized access programs on a large-scale network can be prevented.
- The present invention also provides a program that causes a computer to function as an apparatus for detecting an unauthorized access program by means of the above processing means and components, and a program that causes a computer to function as an apparatus for isolating the detected unauthorized access program.
- According to the present invention, an unauthorized access program that performs unauthorized access can be detected using the network management information of a computer or a network connection device, without installing special software on each system.
- The detected unauthorized access program can be quarantined by sending an instruction that changes the network setting information of the computer or the setting information of the filtering function of the network connection device.
- FIG. 1 is a diagram showing a system configuration in an embodiment of the present invention.
- FIG. 2 is a diagram showing a block configuration example of a worm detection unit.
- FIG. 3 is a diagram showing a block configuration example of a worm countermeasure unit.
- FIG. 4 is a diagram showing an example of changes in network management information related to connection establishment on a computer.
- FIG. 5 is a diagram showing an example of a change in the discard amount of relay information in a network device.
- FIG. 6 is a diagram showing a configuration example in an example of the present invention.
- FIG. 7 is a diagram showing an example of a processing flow of worm detection processing.
- FIG. 8 is a diagram showing an example of a processing flow of worm countermeasure processing.
- FIG. 9 is a diagram showing an example of a worm detection/isolation system.
- FIG. 1 shows the system configuration in the embodiment of the present invention.
- The unauthorized access program monitoring device (worm monitoring device) 1 is a device that uses network information management information collected from the network connection device 2 and the computer (host) 3 to detect and quarantine unauthorized access programs such as viruses and worms (hereinafter simply referred to as "worms").
- The worm monitoring device 1 includes a worm detection unit 11 that detects worm activity in the network, a worm countermeasure unit 12 that performs predetermined countermeasures against detected worm activity, a management information collection unit (SNMP manager) 13 that collects management information of network information from the network connection device 2 and the computer 3, and a management information database 14 that stores the collected management information.
- The network connection device 2 is a device that controls the connection between network segments, for example a router or a switch.
- The network connection device 2 comprises a filtering unit 21 that passes or blocks network information according to predetermined conditions, and a network information management unit 22 that manages the network information of its own device and transmits the management information of the network information to the management information collection unit 13 on request.
- The computer 3 is a computer (PC) having a network information management function.
- The computer 3 comprises a protocol stack unit 31 that processes the network protocols hierarchically, and a network information management unit 32 that manages the network stack of the protocol stack unit 31 and transmits the management information of the network information to the management information collection unit 13 of the worm monitoring device 1 on request.
- FIG. 2 shows a block configuration example of the worm detection unit 11 of the worm monitoring device 1.
- The worm detection unit 11 includes an item extraction unit 111, an error information monitoring unit 112, a discard information monitoring unit 113, an endpoint information monitoring unit 114, and an alert generation unit 115.
- The item extraction unit 111 is a processing means that extracts, from the management information of the network information stored in the management information database 14, the items necessary for detecting a worm: the error notification information indicating an unknown network transmission destination, the amount of information discarded because of an unknown destination, and the endpoint information of the computer 3. It passes these to the error information monitoring unit 112, the discard information monitoring unit 113, and the endpoint information monitoring unit 114 respectively.
- The error information monitoring unit 112 is a processing means that analyzes the error notification information in the management information of the network information, determines whether the number of error notifications is continuously increasing, and detects the change (increase state) when the increase exceeds a predetermined threshold. The error information monitoring unit 112 measures the number of destination-unknown error notifications, received or transmitted, from the network information management information of the network connection device 2 or the computer 3, and notifies the alert generation unit 115 when the number of error notifications exceeds the predetermined threshold.
- The discard information monitoring unit 113 is a processing means that measures the amount of discarded information from the discard information in the management information of the network information, determines whether the discarded amount is continuously increasing, and detects the change (increase state) when the increase exceeds a threshold value.
- The discard information monitoring unit 113 analyzes the amount of information discarded during relaying through each network connection device 2 because the destination is unknown, and notifies the alert generation unit 115 when the discarded amount exceeds a predetermined threshold.
- The endpoint information monitoring unit 114 is a processing means that measures the number of endpoints in the middle of connection establishment from the endpoint information in the management information of the network information, determines whether that number is continuously increasing, and detects the change (increase state) when the increase exceeds a predetermined threshold.
- The endpoint information monitoring unit 114 measures the number of endpoints that remain in the connecting state with unknown destinations when each computer 3 starts connections, and notifies the alert generation unit 115 when that number increases beyond the predetermined threshold.
- The alert generation unit 115 is a processing means that generates alert information indicating that a worm is active when it receives a notification of a change in the monitored information from any of the error information monitoring unit 112, the discard information monitoring unit 113, or the endpoint information monitoring unit 114.
- The alert information includes the type of the device (computer or network connection device) that generated the management information of the network information in which the change occurred, and the address information of that device.
- FIG. 3 shows a block configuration example of the worm countermeasure unit 12.
- The worm countermeasure unit 12 includes an alert analysis unit 121, a countermeasure instruction generation unit 122, a network configuration management unit 123, and a countermeasure instruction unit 124.
- The alert analysis unit 121 is a processing unit that analyzes, from the input alert information, the type of device from which the management information of the network information was collected and the address information of that device.
- The alert analysis unit 121 passes the analyzed device type and address information to the countermeasure instruction generation unit 122.
- The countermeasure instruction generation unit 122 is a processing means that generates a countermeasure instruction against the worm activity based on the analysis result of the alert information.
- When the device type in the analysis result passed from the alert analysis unit 121 is "computer", the countermeasure instruction generation unit 122 generates a relay information deletion instruction for the computer 3 identified by the address information of the alert information. When the device type is "network connection device", it generates a filter setting instruction that blocks the communication of the unauthorized access program at the network connection device 2 identified by the address information of the alert information.
- The generated relay information deletion instruction or filter setting instruction is passed to the countermeasure instruction unit 124.
- The countermeasure instruction generation unit 122 performs the above processing in cooperation with the network configuration management unit 123.
- The network configuration management unit 123 is a processing unit that manages the configuration of the network monitored by the worm monitoring device 1.
- The management information collection unit 13 is a processing unit that collects management information of network information from the network connection device 2 or the computer 3 and accumulates it in the management information database 14.
- The management information collection unit 13 of the worm monitoring device 1 collects network information management information from each network connection device 2 and computer 3 at regular intervals and accumulates it in the management information database 14.
- The worm detection unit 11 of the worm monitoring device 1 uses the item extraction unit 111 to extract, from the management information of the network information collected from the network information management unit 32 of the computer 3, the number of endpoints in the connection process on the computer 3 or the number of notifications of error information indicating an unknown destination.
- The error information monitoring unit 112 analyzes the notification amount of error information with unknown connection destination, and the endpoint information monitoring unit 114 analyzes the number of connecting endpoints. When either is determined to exceed its predetermined threshold, worm activity is detected.
- The alert generation unit 115 generates alert information including the type of detected device (set to "computer") and the address information of the computer 3 on which the worm is active, that is, which is infected with the worm, and hands it over to the worm countermeasure unit 12.
- The worm countermeasure unit 12 receives the alert information from the alert generation unit 115 in the alert analysis unit 121. When the alert information indicates that the device infected with the worm is the computer 3, the countermeasure instruction generation unit 122 generates an instruction to the network information management unit 32 of the computer 3 to delete the relay information of the protocol stack unit 31.
- Since the computer 3 infected with the worm sends connection requests to a wide range of destination addresses, a large number of connection requests for which no transmission destination exists are received.
- Consequently, the number of notifications (transmissions) of error information indicating that the connection destination is unknown increases.
- As the amount of relay information caused by worm activity grows and the total amount of relay information across the network connection device 2 increases, the total amount of information discarded during relaying because no connection destination exists (destination unknown) increases as well.
- The worm detection unit 11 of the worm monitoring device 1 uses the item extraction unit 111 to extract, from the network information management information collected from the network information management unit 22 of the network connection device 2, the amount of relay information discarded because of an unknown transmission destination or the number of error information notifications indicating an unknown transmission destination. The error information monitoring unit 112 then analyzes the notification amount of the error information with unknown connection destination, and the discard information monitoring unit 113 analyzes the discarded amount of relay information. When either is determined to exceed its predetermined threshold, worm activity is detected in the network segment under the network connection device 2.
- The alert generation unit 115 generates alert information including the type of detected device (set to "network connection device"), the address information of the network connection device 2, and the address information of the network segment under the network connection device 2 in which the worm is active, that is, which is infected, and passes it to the worm countermeasure unit 12.
- The worm countermeasure unit 12 receives the alert information from the alert generation unit 115 in the alert analysis unit 121, and the alert information indicates that the device controlling the network segment infected with the worm is the network connection device 2.
- The countermeasure instruction generation unit 122 sends a filter setting instruction to the filtering unit 21 of the network connection device 2 to block the traffic generated by the worm activity, and the network connection device 2 changes the setting of its filter function.
- FIG. 6 shows an embodiment of the present invention.
- The worm monitoring device 1 monitors worm activity in a plurality of network segments A to D, and one worm monitoring device 1 is installed in segment D.
- The network connection device 2 is a router, and the computer 3 is a host PC.
- The network information management unit 22 of the network connection device (router) 2 and the network information management unit 32 of the computer (host) 3 implement an SNMP agent supporting SNMP (Simple Network Management Protocol), and manage the network information as MIB (Management Information Base) information. SNMP and TCP/IP are used as the network protocols.
- The management information collection unit 13 of the worm monitoring device 1 queries each host 3 and router 2 in the network at regular intervals, collects the MIB information, and stores it in the management information database 14. Alternatively, when an abnormality is detected, the management information (MIB information) of the network information is sent by trap from the SNMP agents 22 and 32 of each router 2 or host 3 to the management information collection unit 13.
- The MIB information collected by the management information collection unit 13 is sent to the worm detection unit 11.
- The worm detection unit 11 performs worm detection processing for each router 2 and host 3 and checks for signs of worm activity. When a sign of worm activity is detected, the address of the corresponding router 2 or host 3 is passed to the worm countermeasure unit 12.
- FIG. 7 shows the process flow of the worm detection process.
- The worm detection unit 11 determines whether the address attached to the MIB information belongs to a router 2 or a host 3 (step S1).
- When the address of the MIB information is that of a host 3 (step S1), ICMP and TCP information is extracted from the MIB information and analyzed (step S2).
- When all of the conditions indicating worm activity are met (step S3), the worm countermeasure unit 12 is notified of the network address of the corresponding host 3 (step S4).
- When the address of the MIB information is that of a router 2, ICMP and IP information is extracted from the MIB information and analyzed (step S5).
- When the number of ICMP destination unreachable messages sent (MIB object icmpOutDestUnreachs) increases continuously and the number of IP datagrams discarded because no route to the destination could be found (ipOutNoRoutes) increases continuously (step S6), the worm countermeasure unit 12 is notified of the network address of the router 2 (step S7).
- The worm countermeasure unit 12 performs the worm countermeasure processing. Based on the address and device information of the host 3 notified by the worm detection unit 11, it instructs the SNMP agent 32 of the corresponding host 3 to delete the routing entry. Based on the address and device information of the router 2 notified by the worm detection unit 11, it sets a filter in the SNMP agent 22 of the corresponding router 2 to block the communication caused by the worm activity.
- FIG. 8 shows the processing flow of the worm countermeasure processing.
- The worm countermeasure unit 12 determines whether the notified address belongs to a router 2 or a host 3 (step S11).
- If it is a router 2, a filter for blocking the worm traffic is set in the filtering unit (filter) 21 of the corresponding router (step S12).
- If it is a host 3, the SNMP agent 32 of the corresponding host 3 is instructed to delete the routing information (step S13).
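The detection rule shared by the monitoring units 112 to 114 and by steps S2 to S7 above (a counter that keeps rising across successive polls and exceeds a threshold), followed by the device-type branch of steps S11 to S13, can be exercised offline with the Python below. This is an added example, not code from the patent; it replaces the SNMP manager with constructed MIB samples. Of the MIB objects it reads, icmpOutDestUnreachs and ipOutNoRoutes are the ones the patent names for the router check; icmpInDestUnreachs and tcpAttemptFails (both from the RFC 1213 MIB-II) are this example's assumed stand-ins for the host-side "ICMP and TCP information" that the patent describes only generically. The window length, the threshold, the addresses and the counter values are all assumed.

```python
"""Simulated worm detection (FIG. 7) and countermeasure (FIG. 8) flow.

Added example, not the patent's own code. MIB samples are constructed in-line
instead of being polled over SNMP. icmpOutDestUnreachs and ipOutNoRoutes are
the objects the patent names for routers; icmpInDestUnreachs and
tcpAttemptFails (RFC 1213 MIB-II) are assumed stand-ins for the host-side
ICMP/TCP items. WINDOW and THRESHOLD are assumed tuning values.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Consecutive polling intervals over which a counter must keep rising, and the
# minimum total rise over that window, for the rise to count as the
# "predetermined increasing tendency" (assumed values).
WINDOW = 4
THRESHOLD = 50

# Counters checked per device type; every listed counter must be rising.
ROUTER_OBJECTS = ("icmpOutDestUnreachs", "ipOutNoRoutes")
HOST_OBJECTS = ("icmpInDestUnreachs", "tcpAttemptFails")


@dataclass
class Alert:
    device_type: str   # "router" or "host" (alert generation unit 115)
    address: str


@dataclass
class Instruction:
    action: str        # "set_filter" or "delete_routing_entry"
    target: str


def rising_beyond_threshold(samples: List[int], window: int = WINDOW,
                            threshold: int = THRESHOLD) -> bool:
    """True if the counter rose in each of the last `window` intervals and the
    total rise over those intervals is at least `threshold` (the
    'continuously increasing and exceeds a predetermined threshold' test)."""
    if len(samples) < window + 1:
        return False            # not enough history to judge a trend
    recent = samples[-(window + 1):]
    deltas = [b - a for a, b in zip(recent, recent[1:])]
    return all(d > 0 for d in deltas) and sum(deltas) >= threshold


def detect(device_type: str, address: str,
           mib: Dict[str, List[int]]) -> Optional[Alert]:
    """Detection for one device (steps S1 to S7). `mib` maps MIB object name to
    its counter values, one per poll, oldest first."""
    objects = ROUTER_OBJECTS if device_type == "router" else HOST_OBJECTS
    if all(rising_beyond_threshold(mib.get(name, [])) for name in objects):
        return Alert(device_type=device_type, address=address)
    return None


def countermeasure(alert: Alert) -> Instruction:
    """Countermeasure branch (steps S11 to S13): filter on a router, routing
    entry deletion on a host."""
    if alert.device_type == "router":
        return Instruction(action="set_filter", target=alert.address)
    return Instruction(action="delete_routing_entry", target=alert.address)


def run(devices: Iterable[Tuple[str, str, Dict[str, List[int]]]]) -> List[Instruction]:
    """One poll cycle: detect on every device, respond to every alert."""
    return [countermeasure(a) for a in (detect(*d) for d in devices) if a]


# Constructed samples: five polls at regular intervals per device.
SAMPLE_DEVICES = [
    # Infected host: unreachables and failed TCP attempts climb every interval.
    ("host", "192.0.2.10",
     {"icmpInDestUnreachs": [3, 20, 45, 70, 96],
      "tcpAttemptFails":    [1, 15, 40, 66, 90]}),
    # Healthy host: one burst that does not keep rising.
    ("host", "192.0.2.11",
     {"icmpInDestUnreachs": [0, 0, 60, 60, 61],
      "tcpAttemptFails":    [2, 2, 2, 3, 3]}),
    # Router in front of an infected segment: both counters climb steadily.
    ("router", "192.0.2.1",
     {"icmpOutDestUnreachs": [100, 130, 170, 220, 280],
      "ipOutNoRoutes":       [40, 55, 75, 100, 130]}),
    # Healthy router: background noise only.
    ("router", "192.0.2.2",
     {"icmpOutDestUnreachs": [100, 101, 103, 103, 104],
      "ipOutNoRoutes":       [40, 40, 41, 41, 41]}),
]

if __name__ == "__main__":
    for instruction in run(SAMPLE_DEVICES):
        print(instruction)
```

Run as a script it prints one instruction per alerting device; `run()` returns the same list. In a deployment, the input to `detect` would come from SNMP polling or traps as described for the management information collection unit 13, and each `Instruction` would be translated into the agent operation the patent names (routing entry deletion on the host, filter setting on the router). Requiring a sustained rise rather than a single spike is what keeps the healthy host's one-off burst from raising an alert.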
- Although the present invention has been described as using SNMP and TCP/IP, a similar network management function may be used instead.
- For example, packet communication such as SNA (Systems Network Architecture, IBM) or FNA (Fujitsu Network Architecture) can be used.
- Although the computer 3 has been described as a computer terminal (PC) or host having a network information management function, the computer 3 may also be a mobile terminal, an information home appliance, a printer, or the like, having a network information management function.
- Although the network management information database 14 of the worm monitoring device 1 has been described as static storage means, it may be data held in memory.
- The present invention has been described as being implemented as a program that is read and executed by a computer.
- A program implementing the present invention can be stored on an appropriate computer-readable recording medium such as a portable memory medium, a semiconductor memory, or a hard disk, and may be provided by recording it on such a recording medium or by transmission and reception over a network via a communication interface.
- a management information monitoring process that analyzes the management information of the network information collected from the computer or the network connection device and detects a change in that management information specific to the activity of an unauthorized access program;
- the unauthorized access program monitoring processing method according to Appendix 1 or Appendix 2. (Appendix 6)
- The management information collected from the computer is analyzed, and a state in which either the number of endpoints in the computer indicating that a connection is being established or the number of endpoints indicating that a connection attempt has failed shows a predetermined increasing trend is detected as the change.
- a countermeasure instruction process for transmitting the relay information deletion instruction or the filter setting instruction.
- The network configuration information is referred to in order to analyze the address information of the computer, of the network segment, or of the network connection device controlling that segment, that is suspected of the activity of the unauthorized access program.
- the management information of the network information collected from the computer or the network connection device;
- management information monitoring means for analyzing the management information and detecting a change in the management information of the network information specific to the activity of the unauthorized access program;
- alert generation means for generating alert information that includes the type of device from which the management information of the network information related to the detection of the change was collected and the address information of the device suspected of the activity of the unauthorized access program;
- An unauthorized access program detection program for causing the computer to function as a device comprising the above means.
- (Appendix 10) The unauthorized access program detection program according to Appendix 9, causing the computer to function as a device further comprising management information collection means for collecting the management information of the network information from the computer or the network connection device in real time.
- The management information monitoring means extracts, from the management information collected from the network connection device, the error notification information associated with an unknown destination, and detects as the change a state in which the transmission amount of that error notification information shows a predetermined increasing tendency; the unauthorized access program detection program according to Appendix 9 or Appendix 10 causes the computer to function as such a device.
- The management information monitoring means extracts, from the management information of the network information collected from the computer, the error notification information associated with an unknown destination, and detects as the change a state in which the received amount of that error notification information shows a predetermined increasing tendency; the unauthorized access program detection program according to Appendix 9 or Appendix 10 causes the computer to function as such a device.
- The management information monitoring means extracts, from the management information collected from the network connection device, the amount of information discarded because the destination is unknown, and detects as the change a state in which that discarded amount shows a predetermined increasing tendency; the unauthorized access program detection program according to Appendix 9 or Appendix 10 causes the computer to function as such a device.
- The management information monitoring means analyzes the management information collected from the computer, and detects as the change a state in which the number of endpoints or connections indicating that the computer is establishing a connection shows a predetermined increasing trend; the unauthorized access program detection program according to Appendix 9 or Appendix 10 causes the computer to function as such a device.
- alert analysis means for analyzing, from received alert information that includes the type of device suspected of unauthorized access program activity and its address information, the type of device from which the management information of the network information related to the detection of the change was collected and the address information of the computer or network connection device suspected of the activity of the unauthorized access program;
- countermeasure instruction generating means for generating a relay information deletion instruction for the computer specified by the address information, or a filter setting instruction for blocking communication of the unauthorized access program for the network connection device specified by the address information;
- An unauthorized access program countermeasure program for causing the computer to function as a device comprising the above means.
- network configuration information storage means for storing network configuration information indicating the network configuration;
- network configuration management means for managing the network configuration information indicating the network configuration;
- The countermeasure instruction generating means is a device that analyzes, by referring to the network configuration information, the address information of the computer, of the network segment, or of the network connection device controlling that segment, that is suspected of the activity of the unauthorized access program.
- network management information storage means for accumulating the management information of the network information collected from the computer or the network connection device;
- management information monitoring means for analyzing the management information and detecting a change in the management information of the network information specific to the activity of the unauthorized access program;
- alert analysis means for analyzing, from the alert information, the type of device from which the management information of the network information related to the detection of the change was collected and the address information of the computer or the network connection device suspected of the activity of the unauthorized access program;
- countermeasure instruction generating means for generating a relay information deletion instruction for the computer specified by the address information, or a filter setting instruction for blocking communication of the unauthorized access program for the network connection device specified by the address information;
- An unauthorized access program monitoring system comprising countermeasure instruction means for transmitting the relay information deletion instruction or the filter setting instruction.
- As described above, the present invention can realize detection of, and countermeasures against, programs that perform unauthorized access without introducing special software into each network and computer, in a network system in which network management is already deployed.
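The detection steps S1-S7 and the countermeasure steps S11-S13 above, as an added Python example that is not part of the patent: counters polled from each device are tested for a continuous increase, an alert naming the device type and address is raised, and the alert is mapped to the route-deletion or filter instruction. The host-side MIB objects tcpAttemptFails and icmpInDestUnreachs, the window size, the filter rule text and all sample values are assumptions.

```python
"""Worm-activity detection from polled SNMP MIB-II counters, after steps S1-S13
above. Added example, not the patent's own code. Router-side counters
icmpOutDestUnreachs and ipOutNoRoutes are the ones step S6 names; host-side
counters tcpAttemptFails and icmpInDestUnreachs are an assumed choice of
standard MIB-II objects for the "TCP and ICMP information". Samples are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

COUNTER32_MOD = 1 << 32   # SNMP Counter32 wraps, so deltas are taken modulo 2^32
WINDOW = 4                # polling intervals that must each show an increase
HOST_OBJECTS = ("tcpAttemptFails", "icmpInDestUnreachs")   # assumed; all must hold
ROUTER_OBJECTS = ("icmpOutDestUnreachs", "ipOutNoRoutes")  # step S6; all must hold


@dataclass
class Device:
    """Entry of the network configuration information plus its polled samples."""
    address: str
    kind: str                                   # "host" or "router"
    samples: Dict[str, List[int]] = field(default_factory=dict)


def continuously_increasing(values: List[int], window: int = WINDOW) -> bool:
    """True when each of the last `window` polling intervals raised the counter.
    A Counter32 wrap (4294967290 -> 3) still counts as an increase; an agent
    restart also looks like one, so a real collector should clear the window
    whenever sysUpTime goes backwards."""
    if len(values) < window + 1:
        return False                            # not enough history yet
    tail = values[-(window + 1):]
    return all((b - a) % COUNTER32_MOD > 0 for a, b in zip(tail, tail[1:]))


def detect(device: Device) -> Optional[dict]:
    """Worm detection unit 11: branch on device type (S1), test the counters
    (S2-S3 / S5-S6), return the alert for the countermeasure unit (S4 / S7)."""
    objects = HOST_OBJECTS if device.kind == "host" else ROUTER_OBJECTS
    if all(continuously_increasing(device.samples.get(o, [])) for o in objects):
        return {"kind": device.kind, "address": device.address, "evidence": list(objects)}
    return None


def countermeasure(alert: dict) -> dict:
    """Worm countermeasure unit 12 (S11-S13): instruction for the device's SNMP
    agent. The filter rule is a placeholder; the text only says it blocks the worm."""
    if alert["kind"] == "router":                                           # S12
        return {"target": alert["address"], "action": "set_filter",
                "rule": "<block worm traffic on this segment: placeholder>"}
    return {"target": alert["address"], "action": "delete_routing_entry"}   # S13


def monitor(devices: List[Device]) -> List[dict]:
    """Run detection over every polled device and collect the instructions."""
    return [countermeasure(alert) for alert in map(detect, devices) if alert]


# Constructed samples: five consecutive polls of each counter.
CLEAN_HOST = Device("192.0.2.10", "host", {
    "tcpAttemptFails": [3, 3, 4, 4, 4], "icmpInDestUnreachs": [0, 0, 0, 1, 1]})
INFECTED_HOST = Device("192.0.2.20", "host", {        # scanning unused addresses
    "tcpAttemptFails": [10, 58, 131, 240, 402], "icmpInDestUnreachs": [2, 40, 95, 170, 260]})
EDGE_ROUTER = Device("192.0.2.1", "router", {         # unreachable replies, no routes
    "icmpOutDestUnreachs": [4294967290, 3, 70, 150, 260],   # wraps between polls
    "ipOutNoRoutes": [12, 30, 61, 99, 150]})

if __name__ == "__main__":
    for instruction in monitor([CLEAN_HOST, INFECTED_HOST, EDGE_ROUTER]):
        print(instruction)
```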
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2006542129A JP4680931B2 (ja) | 2004-10-19 | 2004-10-19 | Unauthorized access program monitoring processing method, unauthorized access program monitoring program, and unauthorized access program monitoring device |
PCT/JP2004/015406 WO2006043310A1 (ja) | 2004-10-19 | 2004-10-19 | Unauthorized access program monitoring processing method, unauthorized access program detection program, and unauthorized access program countermeasure program |
US11/785,558 US7832010B2 (en) | 2004-10-19 | 2007-04-18 | Unauthorized access program monitoring method, unauthorized access program detecting apparatus, and unauthorized access program control apparatus |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2004/015406 WO2006043310A1 (ja) | 2004-10-19 | 2004-10-19 | Unauthorized access program monitoring processing method, unauthorized access program detection program, and unauthorized access program countermeasure program |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/785,558 Continuation US7832010B2 (en) | 2004-10-19 | 2007-04-18 | Unauthorized access program monitoring method, unauthorized access program detecting apparatus, and unauthorized access program control apparatus |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006043310A1 true WO2006043310A1 (ja) | 2006-04-27 |
Family ID: 36202735
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2004/015406 WO2006043310A1 (ja) | 2004-10-19 | 2004-10-19 | Unauthorized access program monitoring processing method, unauthorized access program detection program, and unauthorized access program countermeasure program |
Country Status (3)
Country | Link |
---|---|
US (1) | US7832010B2 (ja) |
JP (1) | JP4680931B2 (ja) |
WO (1) | WO2006043310A1 (ja) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2008535304A (ja) * | 2005-03-24 | 2008-08-28 | International Business Machines Corporation | Method, apparatus, and computer program for detecting a network attack (network attack detection) |
JP2010524069A (ja) * | 2007-04-05 | 2010-07-15 | International Business Machines Corporation | Method, system, and computer program for configuring a firewall |
JP2016148939A (ja) * | 2015-02-10 | 2016-08-18 | Nippon Telegraph and Telephone Corporation | Detection system, detection method, detection program, storage device, and storage method |
JP2018129712A (ja) * | 2017-02-09 | 2018-08-16 | Sky Co., Ltd. | Network monitoring system |
JPWO2020054818A1 (ja) * | 2018-09-14 | 2021-04-30 | Toshiba Corporation | Communication control device |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9230213B2 (en) | 2013-03-15 | 2016-01-05 | Extreme Networks, Inc. | Device and related method for scoring applications running on a network |
US9584393B2 (en) | 2013-03-15 | 2017-02-28 | Extreme Networks, Inc. | Device and related method for dynamic traffic mirroring policy |
US9172627B2 (en) | 2013-03-15 | 2015-10-27 | Extreme Networks, Inc. | Device and related method for dynamic traffic mirroring |
US9130826B2 (en) | 2013-03-15 | 2015-09-08 | Enterasys Networks, Inc. | System and related method for network monitoring and control based on applications |
US9813447B2 (en) | 2013-03-15 | 2017-11-07 | Extreme Networks, Inc. | Device and related method for establishing network policy based on applications |
US9256636B2 (en) | 2013-03-15 | 2016-02-09 | Extreme Networks, Inc. | Device and related method for application identification |
US11212255B2 (en) * | 2015-10-30 | 2021-12-28 | Melih Abdulhayoglu | System and method of protecting a network |
US20160253501A1 (en) * | 2015-02-26 | 2016-09-01 | Dell Products, Lp | Method for Detecting a Unified Extensible Firmware Interface Protocol Reload Attack and System Therefor |
JP2016181191A (ja) * | 2015-03-25 | 2016-10-13 | Fujitsu Ltd | Management program, management device, and management method |
JP6441725B2 (ja) * | 2015-03-26 | 2018-12-19 | NTT DATA Corporation | Network information output system and network information output method |
JP6603782B2 (ja) * | 2018-11-22 | 2019-11-06 | NTT DATA Corporation | Network information output system and network information output method |
US11651089B2 (en) * | 2021-07-13 | 2023-05-16 | Graphcore Ltd. | Terminating distributed trusted execution environment via self-isolation |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2003241989A (ja) * | 2002-02-15 | 2003-08-29 | Toshiba Corp | Computer virus outbreak detection device, method, and program |
JP2004164270A (ja) * | 2002-11-13 | 2004-06-10 | Nec System Technologies Ltd | Virus infection warning notification system and method |
JP2004260575A (ja) * | 2003-02-26 | 2004-09-16 | Fujitsu Ltd | Anomaly detection method, anomaly detection program, server, and computer |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2003188986A (ja) * | 2001-12-17 | 2003-07-04 | Fujitsu Ltd | Gateway device |
US6952779B1 (en) * | 2002-10-01 | 2005-10-04 | Gideon Cohen | System and method for risk detection and analysis in a computer network |
JP2004259060A (ja) * | 2003-02-26 | 2004-09-16 | Canon Inc | Data reception method and image forming apparatus |
- 2004-10-19 JP JP2006542129A patent/JP4680931B2/ja not_active Expired - Fee Related
- 2004-10-19 WO PCT/JP2004/015406 patent/WO2006043310A1/ja active Application Filing
- 2007-04-18 US US11/785,558 patent/US7832010B2/en not_active Expired - Fee Related
Non-Patent Citations (2)
Title |
---|
"Multivender-ka to Bunsanka ga Susumu Kigyo Network o Togo Kanri", NIKKEI COMMUNICATIONS, no. 229, 2 September 1996 (1996-09-02), pages 118 - 119, XP002998906 * |
SANO & SAKURAI: "Network Worm no Jiko Zoshoku Kino ni Kansuru Jikken to Kaiseki. (Simulating Self-Reproduction Mechanisms of the Network Worm)", THE INSTITUTE OF ELECTRONICS, INFORMATION AND COMMUNICATION ENGINEERS GIJUTSU KENKYU HOKOKU, vol. 95, no. 240, 20 September 1995 (1995-09-20), pages 1 - 11, XP002998907 * |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2008535304A (ja) * | 2005-03-24 | 2008-08-28 | International Business Machines Corporation | Method, apparatus, and computer program for detecting a network attack (network attack detection) |
JP4753264B2 (ja) * | 2005-03-24 | 2011-08-24 | International Business Machines Corporation | Method, apparatus, and computer program for detecting a network attack (network attack detection) |
JP2010524069A (ja) * | 2007-04-05 | 2010-07-15 | International Business Machines Corporation | Method, system, and computer program for configuring a firewall |
JP2016148939A (ja) * | 2015-02-10 | 2016-08-18 | Nippon Telegraph and Telephone Corporation | Detection system, detection method, detection program, storage device, and storage method |
JP2018129712A (ja) * | 2017-02-09 | 2018-08-16 | Sky Co., Ltd. | Network monitoring system |
JPWO2020054818A1 (ja) * | 2018-09-14 | 2021-04-30 | Toshiba Corporation | Communication control device |
JP7068482B2 (ja) | 2018-09-14 | 2022-05-16 | Toshiba Corporation | Communication control system |
Also Published As
Publication number | Publication date |
---|---|
JPWO2006043310A1 (ja) | 2008-05-22 |
JP4680931B2 (ja) | 2011-05-11 |
US7832010B2 (en) | 2010-11-09 |
US20070256119A1 (en) | 2007-11-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7832010B2 (en) | | Unauthorized access program monitoring method, unauthorized access program detecting apparatus, and unauthorized access program control apparatus |
US7596807B2 (en) | | Method and system for reducing scope of self-propagating attack code in network |
US8087085B2 (en) | | Wireless intrusion prevention system and method |
CN100530208C (zh) | | Network isolation technique suitable for virus protection |
US7617533B1 (en) | | Self-quarantining network |
US20060230456A1 (en) | | Methods and apparatus to maintain telecommunication system integrity |
US7610624B1 (en) | | System and method for detecting and preventing attacks to a target computer system |
US20050278779A1 (en) | | System and method for identifying the source of a denial-of-service attack |
US10798061B2 (en) | | Automated learning of externally defined network assets by a network security device |
US20060037075A1 (en) | | Dynamic network detection system and method |
Bailey et al. | | Data reduction for the scalable automated analysis of distributed darknet traffic |
JP2006319982A (ja) | | Method and apparatus for identifying and inactivating worms in a communication network |
GB2382261A (en) | | Inserting an intrusion prevention system into a network stack |
JP2012015684A (ja) | | Internal network management system, internal network management method, and program |
JP2006119754A (ja) | | Network-type virus activity detection program, processing method, and system |
JP6168977B2 (ja) | | System and method for real-time reporting of anomalous Internet Protocol attacks |
US20170070518A1 (en) | | Advanced persistent threat identification |
US20200186557A1 (en) | | Network anomaly detection apparatus, network anomaly detection system, and network anomaly detection method |
JP2008085819A (ja) | | Network anomaly detection system, network anomaly detection method, and network anomaly detection program |
JP2011151514A (ja) | | Traffic volume monitoring system |
CN114172881B (zh) | | Prediction-based network security verification method, apparatus, and system |
CN114244610B (zh) | | File transfer method and apparatus, network security device, and storage medium |
JP2004328307A (ja) | | Attack defense system, attack defense control server, and attack defense method |
JP2006050442A (ja) | | Traffic monitoring method and system |
JP4753264B2 (ja) | | Method, apparatus, and computer program for detecting a network attack (network attack detection) |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
WWE | Wipo information: entry into national phase | Ref document number: 2006542129. Country of ref document: JP |
WWE | Wipo information: entry into national phase | Ref document number: 11785558. Country of ref document: US |
NENP | Non-entry into the national phase | Ref country code: DE |
WWP | Wipo information: published in national office | Ref document number: 11785558. Country of ref document: US |
122 | Ep: pct application non-entry in european phase | Ref document number: 04792575. Country of ref document: EP. Kind code of ref document: A1 |