WO2014057542A1 - Système de sécurité et procédé de surveillance de sécurité - Google Patents

Système de sécurité et procédé de surveillance de sécurité Download PDF

Info

Publication number
WO2014057542A1
WO2014057542A1 PCT/JP2012/076211 JP2012076211W WO2014057542A1 WO 2014057542 A1 WO2014057542 A1 WO 2014057542A1 JP 2012076211 W JP2012076211 W JP 2012076211W WO 2014057542 A1 WO2014057542 A1 WO 2014057542A1
Authority
WO
WIPO (PCT)
Prior art keywords
monitoring
user
information
log
mail
Prior art date
Application number
PCT/JP2012/076211
Other languages
English (en)
Japanese (ja)
Inventor
哲郎 鬼頭
谷川 嘉伸
信隆 川口
Original Assignee
株式会社日立製作所
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 株式会社日立製作所 filed Critical 株式会社日立製作所
Priority to PCT/JP2012/076211 priority Critical patent/WO2014057542A1/fr
Priority to JP2014540659A priority patent/JP5969618B2/ja
Publication of WO2014057542A1 publication Critical patent/WO2014057542A1/fr

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic

Definitions

  • the present invention relates to a security system.
  • each of the anti-virus software includes viruses that are good at detection and viruses that are not good at detection.
  • virus detection is due to the internal structure of the anti-virus engine included in the anti-virus software or the difference in the contents of the signature database included in the anti-virus software. A difference in rate occurs.
  • the purpose of the present invention is to reduce the load on the computer necessary for malware detection and to make malware countermeasures more efficient.
  • a security system comprising a processor and a memory, connected to a computer system that scans for received data for malware, A plurality of scanning methods used by the computer system to scan the data, and a monitoring scenario holding unit that holds a plurality of monitoring scenarios indicating the order in which the computer system uses each of the plurality of scanning methods; A user information holding unit for holding information indicating each of the monitoring scenarios and at least one user to which each of the plurality of monitoring scenarios is assigned; and After scanning using one of the scanning methods, Based on the plurality of monitoring scenarios held by the scenario holding unit, the information held by the user information holding unit, and the user indicated by the identifier included in the data, the data is selected from the plurality of scanning methods.
  • a distribution unit that determines a scan method to be used next and transmits information indicating the determined scan method to the computer system so that the data is scanned by the determined scan method;
  • FIG. 1 is a block diagram illustrating a network system including a security monitoring system and a computer system according to a first embodiment. It is a block diagram which shows the hardware of the distribution apparatus of the present Example 1. It is a block diagram which shows the outline
  • FIG. 1 It is a flowchart which shows the process of the log analysis part of the present Example 1. It is a block diagram which shows the structure of the management information storage apparatus of this Example 2, and the monitoring scenario update apparatus. It is explanatory drawing which shows user DB of the present Example 2. It is a flowchart which shows the process in which the distribution apparatus of a present Example 2 acquires the monitoring scenario corresponding to a user. It is explanatory drawing which shows the monitoring scenario decision policy DB of the present Example 2. It is a flowchart which shows the process which allocates a monitoring scenario to a user among the processes of the log analysis part of the present Example 2.
  • FIG. 1 It is a block diagram which shows the structure of the management information storage apparatus of this Example 2, and the monitoring scenario update apparatus. It is explanatory drawing which shows user DB of the present Example 2. It is a flowchart which shows the process in which the distribution apparatus of a present Example 2 acquires the monitoring scenario corresponding to a user. It is explanatory drawing which shows the monitoring scenario decision policy DB of
  • FIG. 1 is a block diagram illustrating a network system 100 including a security monitoring system 101 and a computer system 102 according to the first embodiment.
  • the security monitoring system 101 and the computer system 102 are connected via a network 103.
  • the computer system 102 is a system that detects malware that attempts to enter a specific system (for example, a system of a company or an organization such as a school).
  • the security monitoring system 101 is a system that monitors malware detection processing performed in the computer system 102.
  • the security monitoring system 101 includes a distribution device 105, a management information storage device 106, an information update device 107, a log information storage device 108, and a monitoring scenario update device 109. Each device provided in the security monitoring system 101 is connected via the network 104.
  • the distribution device 105 is a device that distributes mail received by the computer system 102 to a server included in the computer system 102.
  • the management information storage device 106 is a storage device that holds information indicating which server of the computer system 102 the mail received by the computer system 102 is processed by.
  • the information update device 107 is a device that updates processing of at least one of the servers included in the computer system 102.
  • the log information storage device 108 is a device that holds a processing log in the computer system 102.
  • the monitoring scenario update device 109 is a device that updates information in the management information storage device 106.
  • the computer system 102 includes a mail receiving server 111, a mail storage server 112, an AV (Anti Virus) server (Method A) 113, an AV server (Method B) 114, an AV server (Method C) 115, a URL inspection server 116, A file analysis server 117 is provided.
  • AV Anti Virus
  • the computer system 102 may include a business server, a DNS server, a Web server, a file server, a network device (for example, a firewall), a terminal used by a user, or the like in addition to the above-described server. These servers are not shown because they are not directly related to the processing shown below.
  • the mail receiving server 111 is a mail server that receives mail from the external network of the organization to which the computer system 102 belongs.
  • the mail storage server 112 is a server that holds received mail so that the user can receive mail received by the mail receiving server 111.
  • the AV server (Method A) 113, AV server (Method B) 114, and AV server (Method C) 115 are AV servers and mail servers. Further, these three AV servers inspect (scan) whether malware is added to the mail received by the mail receiving server 111. These three AV servers have different methods for scanning mail.
  • the scanning method in this embodiment uses a signature that matches all or part of a file (file added to an email), and estimates whether the file is malware from an instruction sequence in the file. There are methods. Different scanning methods indicate differences in such methods. Furthermore, in this embodiment, a method of scanning using different signature databases even when using the same signature is described as a different method.
  • the three AV servers, the URL inspection server 116, and the file analysis server 117 of this embodiment are servers that scan whether or not malware is added to the mail by different methods.
  • the AV server (method A) 113 can detect malware by determining whether the signature indicated by the signature database held by the AV server 113 matches the entire file attached to the mail. Furthermore, the AV server (method A) 113 can detect an unauthorized mail by checking the URL described in the mail against a URL blacklist held by the AV server (method A) 113.
  • the AV server (method A) 113 has an external interface in addition to the signature database and the URL blacklist.
  • the AV server (method A) 113 can add information to the signature database held by the AV server (method A) 113 according to information input from the outside via the external interface, and can add information to the URL blacklist held by the AV server.
  • the URL inspection server 116 is a mail server. Furthermore, the URL inspection server 116 is a server that scans by checking whether or not the URL described in the received mail is illegal with a URL blacklist held by itself.
  • the file analysis server 117 operates as a mail server. Furthermore, the file analysis server 117 analyzes the received mail in detail, for example, by actually executing the file attached to the received mail and measuring the execution result. Then, by this detailed analysis, the file analysis server 117 scans whether the file is malware.
  • Each server of the computer system 102 described above is merely an example, and the number of AV servers and the number of scanning methods, the presence or absence of the URL inspection server 116 or the file analysis server 117, and the presence or absence of other servers are limited. is not.
  • the computer system 102 only needs to have a plurality of servers, and in this embodiment, it is not necessary to clearly define the breakdown of the usage of the servers.
  • the network 103, the network 104, and the network 110 are shown as separate networks, but any two or all of the three networks are included in one network. May be.
  • the network 103, the network 104, and the network 110 may be a local area network (LAN) such as a corporate network or the Internet.
  • LAN local area network
  • a terminal or a communication device may be connected to the network 103, the network 104, and the network 110.
  • the security monitoring system 101 and the computer system 102 are illustrated one by one, but one security monitoring system 101 may monitor a plurality of computer systems 102.
  • each server provided in the computer system 102 may be implemented by each function possessed by a different computer, or may be implemented by a plurality of programs possessed by one computer.
  • each device provided in the security monitoring system 101 may be implemented by different computers, and may be further implemented by a plurality of programs included in one computer.
  • FIG. 2 is a block diagram illustrating hardware of the sorting apparatus 105 according to the first embodiment.
  • the distribution device 105 includes a communication device 201, an input device 202, a display device 203, a calculation device 204, a memory 205, and a storage device 206.
  • the communication device 201 is a network interface such as a network card.
  • the communication device 201 receives data from other devices via the network 104 and sends the received data to the arithmetic device 204. Then, the communication device 201 transmits the data generated by the arithmetic device 204 to another device via the network 104.
  • the input device 202 is a device such as a keyboard or a mouse, and is a device for accepting input of information by the user.
  • the display device 203 is a device such as an LCD (Liquid Crystal Display), and is a device for outputting information to an administrator.
  • the storage device 206 is a device such as a hard disk, and stores a program executed by the arithmetic device 204, data used by the arithmetic device 204, and the like.
  • the memory 205 is a storage area from which data and the like are temporarily read.
  • the computing device 204 executes a program stored in the storage device 206 and controls each device provided in the sorting device 105.
  • the arithmetic device 204 controls the input device 202 and the display device 203, receives data input from the input device 202, and outputs the data to the display device 203.
  • the program stored in the storage device 206 is read from the storage device 206 to the memory 205 by the arithmetic device 204 and executed in the memory 205.
  • the arithmetic unit 204 reads the program from the storage device 206.
  • the arithmetic unit 204 records an optical recording medium such as a CD or a DVD, a magneto-optical recording medium such as an MO, a tape medium, a magnetic recording medium, or a semiconductor memory.
  • the program may be read from the medium.
  • a program may be read from another device via a communication medium.
  • a communication medium refers to a network or a digital signal or carrier wave that propagates through the network.
  • FIG. 1 that is, management information storage device 106, information update device 107, log information storage device 108, monitoring scenario update device 109, mail receiving server 111, mail storage server 112, AV server (method A) 113 , Whether the hardware configuration of the AV server (method B) 114, AV server (method C) 115, URL inspection server 116, file analysis server 117) is the same hardware configuration as the distribution device 105 shown in FIG. It has a structure corresponding to it. For this reason, the hardware configuration of other devices is not shown.
  • FIG. 3 is a block diagram illustrating an outline of processing of the security monitoring system 101 according to the first embodiment.
  • each server other than the mail storage server 112 and the AV server (Method A) 113 scans whether or not malware is added to the received mail, and then sends the received mail to the security monitoring system 101. It is set in advance so as to be transferred to the distribution device 105. Further, the mail storage server 112 is set in advance so as to store the received mail in itself. Further, the AV server (method A) 113 is set in advance so as to transfer the received mail to the mail storage server 112 after scanning whether or not malware is added to the received mail.
  • the mail receiving server 111 AV server (Method A) 113, AV server (Method B) 114, AV server (Method C) 115, URL inspection server 116, and file analysis server 117 add malware to the received mail. It is set in advance so that the scan result is output as a log after scanning whether or not it is performed.
  • the log output here includes at least the result processed at each server and the header information of the mail processed at each server. Further, the output log may include the text (data portion) of the mail processed in each server.
  • the external network 300 shown in FIG. 3 is a network connected to a system outside the organization to which the computer system 102 belongs.
  • the computer system 102 receives mail transmitted from a system outside the organization via the external network 300.
  • the mail receiving server 111 When the computer system 102 receives mail from the external network 300, the mail receiving server 111 receives the mail (301). The mail receiving server 111 transfers the received mail to the sorting apparatus 105 according to the setting of the mail receiving server 111 itself (302).
  • the distribution apparatus 105 acquires the monitoring scenario corresponding to the destination user of the received mail from the management information storage apparatus 106 (303).
  • the destination user is an identifier indicating the user who is the destination of the received mail.
  • the monitoring scenario is information indicating the order of processing for scanning received mail.
  • the monitoring scenario of the present embodiment shows the order of the servers of the computer system 102 in which the received mail is scanned for whether or not malware is added.
  • the received mail passes through each server of the computer system 102 according to the monitoring scenario.
  • the distribution apparatus 105 determines a server on which the received mail is to be processed next from the acquired monitoring scenario. Then, the distribution apparatus 105 transfers the mail to the determined server (304). Alternatively, the distribution apparatus 105 instructs the computer system 102 to transfer the mail to the determined server.
  • Each server in the computer system 102 processes the received mail, and then generates a log indicating the result of detecting malware in the process.
  • the generated log is collected in the log information storage device 108 and accumulated in the log information storage device 108 (305).
  • the information update device 107 acquires log information from the log information storage device 108 (306).
  • the information update apparatus 107 extracts the result of detecting malware in the three AV servers, the URL inspection server 116, and the file analysis server 117 from the acquired log information.
  • the information update device 107 updates information such as a signature database and a URL black list held by the AV server (method A) 113 based on the extracted information (307).
  • the AV server (method A) 113 receives information from the information updating apparatus 107 and updates information such as a signature database and a URL black list held by itself.
  • information such as a signature database and a URL black list held by itself.
  • the signature database and the URL blacklist are held in a storage device or the like included in the AV server (method A) 113 as a file including a plurality of signatures and URLs.
  • the AV server (method A) 113 updates the file held in the storage device of the AV server (method A) 113 with the signature and URL transmitted from the information update device 107. Then, the AV server (Method A) 113 scans the mail by using the new signature database and URL blacklist by reading the updated file.
  • the AV server (Method A) 113 updates the signature database and the URL black list by adding the information transmitted from the information updating device 107 to the signature database or URL black list held in the memory of the AV server (method A). May be.
  • the monitoring scenario update device 109 acquires log information from the log information storage device 108 (308). Then, the monitoring scenario update device 109 updates the combination of the destination user and the monitoring scenario stored in the management information storage device 106 based on the acquired log information (309).
  • FIG. 4 is an explanatory diagram illustrating an example of a monitoring scenario according to the first embodiment.
  • FIG. 4 shows three monitoring scenarios: monitoring scenario X401, monitoring scenario Y402, and monitoring scenario Z403.
  • one of the monitoring scenarios is set for the user who receives the mail.
  • the monitoring scenario X401 indicates that the mail received by the mail receiving server 111 is scanned by the AV server (method A) 113 and then stored by the mail storage server 112.
  • the mail received by the mail receiving server 111 is scanned by each server in the order of the AV server (Method B) 114, the URL inspection server 116, and the AV server (Method A) 113, and then the mail It indicates that it is stored in the storage server 112.
  • the mail received by the mail receiving server 111 includes an AV server (Method B) 114, an AV server (Method C) 115, a URL inspection server 116, a file analysis server 117, and an AV server (Method A). Scanned by each server in the order of 113 and stored in the mail storage server 112.
  • the AV server (method A) 113 is predetermined to be included in all of the monitoring scenario X401, the monitoring scenario Y402, and the monitoring scenario Z403.
  • the update of the information of the AV server (method A) 113 performed in the process 307 of FIG. 3 is an update of information for maintaining security for all users.
  • the monitoring scenario Y402 is a monitoring scenario in which a passing server is added to the monitoring scenario X401, and is a monitoring scenario having a higher security level than the security level of the monitoring scenario X401.
  • the monitoring scenario Z403 is a monitoring scenario in which a passing server is added to the monitoring scenario Y402, and is a scenario in which the security level is higher than the security level of the monitoring scenario Y402.
  • the monitoring scenario Z403 is a monitoring scenario in which a large number of servers scan a single e-mail. Therefore, the e-mail processing takes more time than the monitoring scenario Y402, and the load on resources in the computer system 102 increases. This is a monitoring scenario.
  • the monitoring scenario Y402 is a monitoring scenario that takes more time to process mail than the monitoring scenario X401 and increases the load on resources in the computer system 102.
  • the above-described three monitoring scenarios are examples, and the monitoring scenario in the security monitoring system 101 of the present embodiment is not limited to the above-described processing content. There may be two types or four or more types of monitoring scenarios in this embodiment. Further, for example, the monitoring scenario A indicates only the server A, and the monitoring scenario B indicates only the server B, so that it is not necessary to include a server having a plurality of common scenarios.
  • FIG. 5 is a block diagram illustrating a logical configuration of the sorting apparatus 105 according to the first embodiment.
  • the distribution apparatus 105 is an apparatus that determines a server to which a mail received from the computer system 102 is transferred.
  • the sorting apparatus 105 includes a reception unit 501, a transmission unit 502, and a transfer destination determination unit 503.
  • the functions of the reception unit 501, the transmission unit 502, and the transfer destination determination unit 503 may be implemented by executing a program by the arithmetic device 204, or may be implemented by a physical device such as an integrated circuit. Good.
  • the reception unit 501 and the transmission unit 502 are interfaces in accordance with a mail transmission protocol SMTP (Simple Mail Transfer Protocol).
  • SMTP Simple Mail Transfer Protocol
  • the receiving unit 501 and the transmitting unit 502 transmit and receive mail via the communication device 201.
  • the receiving unit 501 When the receiving unit 501 receives a mail, the receiving unit 501 transmits the received mail to the transfer destination determining unit 503.
  • the transfer destination determination unit 503 determines a server to which the mail received from the reception unit 501 is transferred according to the destination user of the received mail.
  • the transfer destination determination unit 503 transmits the received mail to the computer system 102 so that the received mail is transmitted to the determined transfer destination server via the transmission unit 502. Specifically, the transfer destination determination unit 503 adds information indicating the determined transfer destination server to the received mail, and transmits the received mail to the determined transfer destination server.
  • the distribution apparatus 105 may receive only mail header information from the computer system 102, and the transfer destination determination unit 503 may determine a transfer destination server according to the mail header information. Then, the distribution apparatus 105 may transmit information indicating the transfer destination server to the server that last scanned the mail received in the computer system 102, and transfer the received mail to the transfer destination server.
  • FIG. 6 is a block diagram illustrating a logical configuration of the management information storage device 106 according to the first embodiment.
  • DB database
  • the management information storage device 106 is a storage device having a user DB 601 and a monitoring scenario DB 602.
  • the user DB 601 and the monitoring scenario DB 602 are stored in the storage device 206 of the management information storage device 106.
  • the user DB 601 includes information indicating to which user a plurality of monitoring scenarios used by the security monitoring system 101 are applied.
  • the monitoring scenario DB 602 is a database that stores monitoring scenarios indicating servers in the computer system 102 through which mail passes and the order in which the mail passes.
  • Information stored in the user DB 601 and the monitoring scenario DB 602 is used by the transfer destination determination unit 503 of the distribution apparatus 105 to determine a mail transfer destination server.
  • the information stored in the user DB 601 is updated by the monitoring scenario update device 109.
  • Information stored in the monitoring scenario DB 602 is set in advance by an administrator or the like.
  • FIG. 7 is an explanatory diagram showing the user DB 601 of the first embodiment.
  • the user DB 601 includes a user identifier 701 and a scenario identifier 702.
  • the user identifier 701 is an identifier for uniquely identifying a user who uses the computer system 102.
  • the scenario identifier 702 is an identifier for uniquely identifying the monitoring scenario. “X” shown in FIG. 7 indicates the monitoring scenario X401, “Y” indicates the monitoring scenario Y402, and “Z” indicates the monitoring scenario Z403.
  • the combination of the value of the user identifier 701 and the value of the scenario identifier 702 is unique in the user DB 601.
  • FIG. 8 is an explanatory diagram illustrating the monitoring scenario DB 602 according to the first embodiment.
  • the monitoring scenario DB 602 includes a scenario identifier 801, a reception source server 802, and a transfer destination server 803.
  • the scenario identifier 801 is an identifier for uniquely identifying the monitoring scenario, and corresponds to the scenario identifier 702 of the user DB 601.
  • a reception source server 802 and a transfer destination server 803 indicate servers of the computer system 102.
  • Each entry of the monitoring scenario DB 602 indicates that, in the monitoring scenario indicated by the scenario identifier 702, mail received from the server indicated by the reception source server 802 is transmitted to the server indicated by the transfer destination server 803.
  • the monitoring scenario DB 602 shown in FIG. 8 corresponds to the three monitoring scenarios shown in FIG.
  • FIG. 9 is a block diagram illustrating a logical configuration of the information updating apparatus 107 according to the first embodiment.
  • the information update device 107 includes a detection information acquisition unit 901 and an update unit 902.
  • the detection information acquisition unit 901 acquires malware detection information or illegal URL detection information from the log information storage device 108.
  • the functions of the detection information acquisition unit 901 and the update unit 902 may be implemented by the arithmetic device 204 of the information update device 107 executing a program, or may be implemented by a physical device such as an integrated circuit.
  • the update unit 902 extracts information that can be used by the AV server (method A) 113 in the computer system 102 from the information acquired by the detection information acquisition unit 901. Then, the update unit 902 generates update information of the AV server (method A) 113 including the extracted information. Then, the update unit 902 transmits the generated update information to the AV server (method A) 113.
  • the update information transmitted from the update unit 902 to the AV server (method A) 113 includes signature information to be added to the signature database used by the AV server (method A) 113 and illegal URL information to be added to the URL blacklist. Including.
  • the AV server (method A) 113 receives the update information from the information update device 107, at least one of the signature database and the URL blacklist is updated.
  • the mail monitoring method according to method A) 113 is changed.
  • FIG. 10 is a block diagram illustrating a logical configuration of the log information storage device 108 according to the first embodiment.
  • the log information storage device 108 includes a mail log DB 1001, an AV log DB 1002, a URL inspection log DB 1003, a file analysis log DB 1004, and a log collection unit 1005.
  • the log information storage device 108 is a storage device that stores log information of each server of the computer system 102.
  • the function of the log collection unit 1005 may be implemented by the arithmetic device 204 of the log information storage device 108 executing a program, or may be implemented by a physical device such as an integrated circuit.
  • the mail log DB 1001, AV log DB 1002, URL inspection log DB 1003, and file analysis log DB 1004 are stored in the storage device 206 of the log information storage device 108.
  • the log collection unit 1005 collects log information from each server of the computer system 102.
  • the log collection unit 1005 may collect log information by causing each server of the computer system 102 to periodically transmit a log such as syslog to the log information storage device 108. Further, the log collection unit 1005 periodically checks the log such as the syslog of each server of the computer system 102, and if it is determined that a new log is output, the log collection unit 1005 may collect the new log as log information. Good.
  • the log collection unit 1005 stores the collected log information in the mail log DB 1001, the AV log DB 1002, the URL inspection log DB 1003, and the file analysis log DB 1004.
  • the log information storage device 108 transmits the collected log information to the information update device 107.
  • the new log information is used by the information update device 107 to update the malware detection method by the AV server (method A) 113.
  • the log information stored in the log information storage device 108 is acquired by the monitoring scenario update device 109, and is used by the monitoring scenario update device 109 to update the user DB 601.
  • the log information storage device 108 transmits data including the contents of each entry of each DB included in the log information storage device 108 as log information.
  • the log information storage device 108 may include a program or device (not shown) that transmits log information from the log information storage device 108 to the information update device 107 and the monitoring scenario update device 109.
  • FIG. 11 is an explanatory diagram showing the mail log DB 1001 according to the first embodiment.
  • the mail log DB 1001 corresponds to a log (mail log) output from the mail receiving server 111.
  • the mail log DB 1001 includes a mail identifier 1101, a destination user 1102, a reception date and time 1103, a sender mail address 1104, and mail data 1105.
  • One entry in the mail log DB 1001 indicates one mail log.
  • the mail identifier 1101 is an identifier for uniquely identifying mail, and is a value assigned by the log collection unit 1005.
  • the destination user 1102 is an email destination user identifier indicated by the email identifier 1101 and corresponds to the user identifier 701 in the user DB 601 of the management information storage device 106.
  • the reception date and time 1103 indicates the date and time when the mail receiving server 111 receives the mail.
  • a sender mail address 1104 is a mail address indicating a system or the like to which a mail is transmitted.
  • the mail data 1105 includes the entire mail data indicated by the mail identifier 1101.
  • the entire data included in the mail data 1105 includes header information and a text (including an attached file).
  • the mail log DB 1001 in the present embodiment stores the entire mail data, but may include other information.
  • the mail log DB 1001 may include at least one of the sender host information, the transfer path, the presence / absence of an attached file, and the attached file name.
  • FIG. 12 is an explanatory diagram illustrating the AV log DB 1002 according to the first embodiment.
  • the AV log DB 1002 is a database that accumulates logs (AV logs) output from the AV server of the computer system 102.
  • the AV log DB 1002 includes a mail identifier 1201, a destination user 1202, an AV server 1203, a scan result 1204, an attached file name 1205, and an attached file signature 1206.
  • One entry in the AV log DB 1002 indicates one AV log.
  • the mail identifier 1201 and the destination user 1202 correspond to the mail identifier 1101 and the destination user 1102 of the mail log DB 1001.
  • the AV server 1203 includes a value indicating the AV server that scanned the mail indicated by the mail identifier 1201.
  • the AV servers in this embodiment are three AV servers that perform each of the three types of method A, method B, and method C. Therefore, the AV server 1203 stores a value indicating any one of these three AV servers.
  • Scan result 1204 indicates the result of the AV server indicated by the AV server 1203 scanning the email indicated by the email identifier 1201. Specifically, the scan result 1204 includes information indicating whether malware is added to the received mail.
  • the scan result 1204 shown in FIG. 12 stores “True” when it is determined that malware is added to the received mail, and “False” when it is determined that malware is not added. Stored.
  • the attached file name 1205 includes the name of the attached file scanned by each AV server.
  • the attached file signature 1206 stores signature information for uniquely identifying the attached file when it is determined that the attached file is malware.
  • the information stored in the attached file signature 1206 includes a hash value of a file acquired by a hash function such as MD5 or SHA1.
  • the attached file name 1205 and the attached file signature 1206 are blank. If it is determined that the attached file is not malware as a result of scanning the attached file, the attached file signature 1206 is blank.
  • the log collection unit 1005 stores the signature stored in the log information in the attached file signature 1206.
  • the log collection unit 1005 may calculate the signature value stored in the attached file signature 1206 based on the collected log information. .
  • FIG. 13 is an explanatory diagram showing the URL inspection log DB 1003 of the first embodiment.
  • the URL inspection log DB 1003 is a database that accumulates a log (URL inspection log) output from the URL inspection server 116.
  • the URL inspection log DB 1003 includes a mail identifier 1301, a destination user 1302, an inspection server 1303, a URL inspection result 1304, and a description URL 1305.
  • One entry in the URL inspection log DB 1003 indicates one URL inspection log.
  • the mail identifier 1301 and the destination user 1302 correspond to the mail identifier 1101 and the destination user 1102 of the mail log DB 1001.
  • the inspection server 1303 includes a value indicating the URL inspection server 116 that has scanned the URL described in the mail indicated by the mail identifier 1301.
  • the URL inspection server 116 is the only server other than the AV server that scans the URL. Therefore, the value stored in the inspection server 1303 shown in FIG. 13 is only the value indicating the URL inspection server 116. However, when there are a plurality of URL inspection servers 116, the inspection server 1303 includes a value for identifying each of the plurality of URL inspection servers 116.
  • the URL inspection result 1304 indicates a result of scanning the mail indicated by the mail identifier 1301 by the URL inspection server indicated by the inspection server 1303. Specifically, the URL inspection result 1304 includes information indicating whether or not the URL described in the mail text indicated by the mail identifier 1301 is invalid. The URL inspection result 1304 stores “True” when it is determined that the URL described in the mail is invalid, and “False” when it is determined that the URL described in the mail is not illegal.
  • the described URL 1305 indicates a URL scanned by the inspection server 1303.
  • FIG. 14 is an explanatory diagram showing the file analysis log DB 1004 of the first embodiment.
  • the file analysis log DB 1004 is a database that accumulates logs (file analysis logs) output from the file analysis server 117.
  • the file analysis log DB 1004 includes a mail identifier 1401, a destination user 1402, an analysis server 1403, an attached file analysis result 1404, an attached file name 1405, and an attached file signature 1406.
  • One entry of the file analysis log DB 1004 indicates one file analysis log.
  • the mail identifier 1401 and the destination user 1402 correspond to the mail identifier 1101 and the destination user 1102 of the mail log DB 1001.
  • the analysis server 1403 is information indicating a file analysis server that has analyzed the mail attachment file indicated by the mail identifier 1401.
  • the analysis server 1403 of the file analysis log DB 1004 shown in FIG. 14 has only a value indicating the file analysis server 117. Stored.
  • the attached file analysis result 1404 indicates a result of analyzing the attached file of the mail indicated by the mail identifier 1401 by the analysis server 1403, and specifically indicates a result of determining whether or not the analyzed attached file is malware. .
  • the attached file analysis result 1404 stores “True” when it is determined that the attached file is malware, and “False” when it is determined that the attached file is not malware.
  • the attached file name 1405 indicates the name of the analyzed attached file.
  • the attached file signature 1406 stores a value indicating a signature for uniquely identifying the attached file when it is determined that the attached file is malware.
  • the information stored in the attached file signature 1406 includes a hash value of a file acquired by a hash function such as MD5 or SHA1, as in the attached file signature 1206 of the AV log DB 1002.
  • the attached file name 1405 and the attached file signature 1406 are blank.
  • the attached file signature 1406 is blank.
  • the log collection unit 1005 collects log information from the mail receiving server 111
  • the log collection unit 1005 extracts information about the received mail from the collected log information. Then, the log collection unit 1005 assigns a mail identifier that uniquely identifies each received mail based on the extracted information.
  • the log collection unit 1005 stores the assigned mail identifier in the mail identifier 1101 of the mail log DB 1001 and stores information extracted from the log information in each entry of the mail log DB 1001.
  • the log collection unit 1005 stores information (particularly, mail data 1105) stored in the mail log DB 1001 and collected log information (for example, log information). Mail header information included in Based on the comparison result, the log collection unit 1005 extracts an entry in the mail log DB 1001 indicating mail corresponding to the collected log information, and acquires the value of the mail identifier 1101 of the extracted entry.
  • the log collection unit 1005 converts the value of the acquired mail identifier 1101 into the mail identifier area of the database corresponding to the server from which the log information is collected (the mail identifier 1201 of the AV log DB 1002, the mail identifier of the URL inspection log DB 1003) 1301 or the mail identifier 1401) of the file analysis log DB 1004. Then, the log collection unit 1005 extracts information of each DB from the collected log information values using a predetermined template or the like, and stores the extracted information in each DB.
  • the log collecting unit 1005 Generate an attachment signature.
  • the log information collected from the three AV servers does not include the attached file signature information (corresponding to the attached file signature 1206), and includes “True” as the value corresponding to the scan result 1204. If it is, the log collection unit 1005 extracts an entry in the mail log DB 1001 indicating the mail corresponding to the collected log information. Then, an attached file signature is generated from the mail data 1105 of the extracted entry. Then, the log collection unit 1005 stores the generated attached file signature in the attached file signature 1206.
  • the log collection unit 1005 may extract an identifier indicating an attached file from a value of the mail data 1105 using a predetermined template, and may use the extracted identifier as an attached file signature. Further, the attached file signature may be generated from the value of the mail data 1105 by a predetermined procedure.
  • the log information collected from the file analysis server 117 does not include the attached file signature information (corresponding to the attached file signature 1406), and includes “True” as a value corresponding to the attached file analysis result 1404. Even in such a case, the log collection unit 1005 generates an attached file signature in the same manner as described above.
  • FIG. 15 is a block diagram of the monitoring scenario update device 109 according to the first embodiment.
  • the monitoring scenario update device 109 includes a log analysis unit 1501 and an update unit 1502.
  • the functions of the log analysis unit 1501 and the update unit 1502 may be implemented by the arithmetic device 204 of the monitoring scenario update device 109 executing a program, or may be implemented by a physical device such as an integrated circuit. .
  • the log analysis unit 1501 acquires log information stored in the log information storage device 108, and updates information for updating a combination of a user and a monitoring scenario (corresponding to the user DB 601) based on the acquired log information. Is generated.
  • the generated update information is sent to the update unit 1502 and transmitted to the management information storage device 106 by the update unit 1502.
  • FIG. 16 is a flowchart illustrating the processing of the transfer destination determination unit 503 according to the first embodiment.
  • the transfer destination determination unit 503 starts the processing illustrated in FIG. 16 when the mail is transferred from the reception unit 501.
  • the receiving unit 501 receives a mail (corresponding to the process 302 shown in FIG. 3)
  • the transfer destination determining unit 503 acquires the mail from the receiving unit 501 by transferring the mail from the receiving unit 501 (S1601). .
  • the receiving unit 501 may transfer a plurality of mails received during a predetermined period to the transfer destination determining unit 503.
  • the receiving unit 501 adds the value of the receiving server to the mail to be transferred to the transfer destination determining unit 503 when the value of the receiving server indicating the server of the computer system 102 that transmitted the mail is not added. To do.
  • the transfer destination determining unit 503 extracts a destination user from one or more received mails (S1602).
  • One or a plurality of destination users extracted here are values indicating users, and correspond to the user identifier 701 in the user DB 601.
  • the transfer destination determination unit 503 repeats the processing from S1604 to S1606 for the received one or more mails for each destination user extracted in S1602 (S1603). Specifically, in step S1603, the transfer destination determination unit 503 arbitrarily selects one destination user that has not been subjected to the processing in steps S1604 to S1606 from one or more destination users extracted in step S1602.
  • the transfer destination determination unit 503 refers to the user DB 601 of the management information storage device 106 (corresponding to the process 303 shown in FIG. 3). Then, the transfer destination determination unit 503 extracts one entry in the user DB 601 of the user identifier 701 indicating the destination user selected in S1603. Then, the transfer destination determination unit 503 acquires a scenario identifier of the monitoring scenario from the extracted scenario identifier 702 of one entry (S1604).
  • the transfer destination determination unit 503 refers to the monitoring scenario DB 602 of the management information storage device 106 (corresponding to the process 303 shown in FIG. 3). Then, the transfer destination determining unit 503 includes the scenario identifier acquired in S1604 in the scenario identifier 801, and receives the value of the receiving server added to the mail (one or more) of the destination user selected in S1603 as the receiving source. The entry (one or more) included in the server 802 is extracted from the monitoring scenario DB 602.
  • the transfer destination determining unit 503 acquires the value of the transfer destination server 803 of the extracted entry as the mail transfer destination server (1605).
  • the transfer destination determination unit 503 determines the value of the transfer destination server 803 acquired in S1605 as the mail transfer destination server. Then, the transfer destination determination unit 503 transmits one or a plurality of mails and a value indicating the server of the transmission destination determined for each mail to the transmission unit 502 (S1606).
  • the transmission unit 502 transmits one or more mails to the computer system 102 so that one or more mails are respectively transmitted to the transfer destination server determined by the transfer destination determination unit 503 (see FIG. 3). Equivalent to the process 304 shown). For example, the transmission unit 502 may transmit each of the mails added with the value indicating the determined transfer destination server as the address of the destination server.
  • the transfer destination determining unit 503 After S1606, the transfer destination determining unit 503 returns to S1603.
  • the transfer destination determining unit 503 ends the process shown in FIG.
  • the distribution apparatus 105 can determine the server of the computer system 102 that the received mail should be scanned next, according to the destination user of the received mail and the monitoring scenario. Therefore, the security monitoring system 101 can change the security level for each destination user by using different monitoring scenarios for each destination user.
  • the security monitoring system 101 can increase the security level by using a monitoring scenario in which a large number of servers scan a mail when a mail is transmitted to a user who needs a high security level.
  • the security monitoring system 101 can lower the security level by using a monitoring scenario in which there are few servers that scan mail when a mail is transmitted to a user who does not need a high security level.
  • the security monitoring system 101 can reduce the processing load of each server of the computer system 102, and can further suppress the amount of log output by each server.
  • FIG. 17 is a flowchart illustrating the processing of the detection information acquisition unit 901 according to the first embodiment.
  • the detection information acquisition unit 901 of the information update device 107 receives log information (the latest AV log, the latest URL inspection log, and the latest file analysis log in FIG. 17) from the log information storage device 108 ( The process shown in FIG. 17 is started.
  • the log information storage device 108 may transmit the latest log information to the detection information acquisition unit 901 during a predetermined period. Further, the log information storage device 108 may transmit the latest log information to the detection information acquisition unit 901 when a predetermined amount of log information that has not been transmitted to the detection information acquisition unit 901 is accumulated.
  • the detection information acquisition unit 901 acquires the latest log information from the log information storage device 108 (S1701, corresponding to the process 306 in FIG. 3). After S1701, the detection information acquisition unit 901 indicates that one of the acquired log information indicates that the AV server 1203 indicates other than the AV server (method A) 113, and the scan result 1204 indicates “True”. It is determined whether or not a plurality of AV logs can be extracted (S1702). In other words, in S1702, the detection information acquisition unit 901 determines whether or not an AV log indicating that an AV server other than the AV server (method A) 113 has detected malware can be extracted.
  • the detection information acquisition unit 901 proceeds to S1703.
  • the detection information acquisition unit 901 transmits the information of the attached file signature 1206 of one or more AV logs extracted in S1702 to the update unit 902 (S1703).
  • the detection information acquisition unit 901 When it is determined in S1702 that the AV log cannot be extracted, or after S1703, the detection information acquisition unit 901 indicates that the URL scan result 1304 indicates “True” from the log information acquired in S1701. Alternatively, it is determined whether or not a plurality of URL inspection logs can be extracted (S1704).
  • the URL blacklist of the AV server (method A) 113 does not need to be updated with the URL inspection log, and the detection information acquisition unit 901 proceeds to S1706.
  • the detection information acquisition unit 901 updates the information of the URL 1305 described in the one or more URL inspection logs extracted in S1704 with the update unit 902. (S1705).
  • the detection information acquisition unit 901 When it is determined in S1704 that the URL inspection log cannot be extracted, or after S1705, the detection information acquisition unit 901 indicates that the attached file analysis result 1404 indicates “True” from the log information acquired in S1701. It is determined whether one or more file analysis logs can be extracted (S1706).
  • the detection information acquisition unit 901 does not need to update the signature database of the AV server (method A) 113 with the file analysis log.
  • the detection information acquisition unit 901 ends the process illustrated in FIG.
  • the update unit 902 When the information is transmitted from the detection information acquisition unit 901, the update unit 902 generates update information for updating the signature database or the URL blacklist of the AV server (method A) 113 based on the transmitted information. . Then, the update unit 902 transmits the generated update information to the AV server (method A) 113 (corresponding to the process 307 in FIG. 3).
  • the security monitoring system 101 can change the scan method in some servers of the computer system 102 at any time based on the scan results of each server in the computer system 102. Further, this allows the security monitoring system 101 to change the level of security provided by the computer system 102 at any time.
  • the information updating apparatus 107 changes the scanning method in the AV server (method A) 113 based on the result of scanning of each server in the computer system 102. This is to increase the level of security held by the AV server (method A) 113. Further, increasing the security level of the AV server (method A) 113 that is commonly included in a plurality of monitoring scenarios is to increase the security level provided by the computer system 102. Therefore, the level of security provided by the computer system 102 can be changed at any time by the processing shown in FIG.
  • FIG. 18 is a flowchart showing the processing of the log analysis unit 1501 according to the first embodiment.
  • the log analysis unit 1501 of the monitoring scenario update device 109 starts the process shown in FIG. 18 in a predetermined period or at a timing designated by the system administrator.
  • the log analysis unit 1501 repeats the processing from S1802 to S1804 for all destination users (S1801). All the destination users in S1801 may be all the destination users indicated by the destination user 1102 of the mail log DB 1001. In addition, all the destination users in S1801 may be all the destination users indicated by the destination user 1102 of the mail log included in the period in which the value of the reception time 1103 is set in advance.
  • the log analysis unit 1501 selects one destination user that has not been subjected to the processing of S1802 to S1804 among all the destination users indicated by all the destination users 1102.
  • the log analysis unit 1501 refers to the mail log DB 1001 of the log information storage device 108 (corresponding to the processing 308 in FIG. 3), and the destination user 1102 selects one or more entries in the mail log DB 1001 indicating the selected destination user. Extract. Then, the log analysis unit 1501 acquires the extracted mail identifier 1101 of one or more entries as one or more mail identifiers indicating the mail transmitted to the selected destination user. Further, the log analysis unit 1501 calculates the number of the extracted one or more entries as the total number of mails transmitted to the selected destination user (S1802).
  • the log analysis unit 1501 in S1802 may extract all entries indicating the mail transmitted to the selected destination user from the mail log DB 1001.
  • the log analysis unit 1501 may limit the entries of the mail log DB 1001 to be extracted by a predetermined method.
  • the log analysis unit 1501 may extract only the entry of the mail log DB 1001 indicating the date and time included in the predetermined period of the reception date and time 1103 of the mail log DB 1001, or may determine in advance from the latest entry.
  • the number of entries entered may be extracted from the mail log DB 1001.
  • the log analysis unit 1501 refers to the AV log DB 1002 of the log information storage device 108 (corresponding to the processing 308 in FIG. 3), and the mail identifier 1201 is the mail of one or more entries extracted in S1802. An entry indicating the value of the identifier 1101 and the scan result 1204 indicating “True” (detected that the attached file is malware) is extracted. Then, the log analysis unit 1501 calculates the number of extracted entries (S1803).
  • the number of entries calculated in S1803 is the number of emails sent to the destination user selected in S1801 and to which malware is added. For this reason, the number of entries calculated in S1803 may be zero.
  • the log analysis unit 1501 in S1803 further selects an AV log entry in which the AV server 1203 indicates the AV server (method A) 113 from the entries extracted according to the conditions of the mail identifier 1201 and the scan result 1204 described above. May be extracted. Then, the log analysis unit 1501 may calculate the number of AV log entries finally extracted as the number of mails to which malware is added.
  • the log analysis unit 1501 in S1803 applies malware to the mail indicated by the mail identifier 1101 of one or more entries extracted in S1802 from at least one of the URL inspection log and the file analysis log as well as the AV log. An entry indicating that “” has been added may be extracted. Then, the log analysis unit 1501 may calculate the number of entries extracted from the AV log and at least one of the URL inspection log and the file analysis log as the number of mails to which malware is added.
  • the log analysis unit 1501 may extract an entry in which the URL inspection result 1304 of the URL inspection log DB 1003 indicates “True” as an entry indicating a mail to which malware is added, and further, a file analysis log An entry whose attachment file analysis result 1404 of the DB 1004 indicates “True” may be extracted.
  • the malware mail reception rate of the destination user selected in S1801 is calculated by dividing the number of mails added with the malware calculated in S1803 by the total number of mails calculated in S1802 (S1804). ). By repeating S1802 to S1804, the malware mail reception rates of all destination users are calculated.
  • the malware mail reception rate of the present embodiment is calculated for each destination user, and indicates the ratio of mail with malware added to the mail transmitted to the destination user. For this reason, when the malware mail reception rate is high, it indicates that malware is frequently added to the transmitted mail.
  • the log analysis unit 1501 sorts all the destination users by the malware mail reception rate (S1805). After S1805, the log analysis unit 1501 assigns a monitoring scenario to each destination user according to the malware mail reception rate (S1806).
  • the log analysis unit 1501 assigns a monitoring scenario to each destination user using a predetermined method.
  • the predetermined method includes assigning a monitoring scenario Z403 to a destination user whose malware mail reception rate is equal to or higher than the threshold Th_z, assigning a monitoring scenario Y402 to a destination user whose malware mail reception rate is equal to or higher than the threshold Th_y and lower than the threshold Th_z, and In this method, the monitoring scenario X401 is assigned to a destination user whose malware mail reception rate is less than the threshold Th_y.
  • the threshold value Th_y and the threshold value Th_z are predetermined threshold values.
  • step S1806 the log analysis unit 1501 determines an identifier indicating the destination user (corresponding to the user identifier 701 of the user DB 601) and an identifier indicating the monitoring scenario allocated to the destination user (user DB 601) based on the above-described allocation result.
  • Monitoring scenario update information including the scenario identifier 702).
  • the log analysis unit 1501 transmits the generated monitoring scenario update information to the update unit 1502 (S1807). After S1807, the log analysis unit 1501 ends the process illustrated in FIG.
  • the update unit 1502 transmits the monitoring scenario update information received from the log analysis unit 1501 to the management information storage device 106 (corresponding to the processing 309 in FIG. 3), and the user DB 601 of the management information storage device 106 is received. Update with update information.
  • the method of assigning the monitoring scenario to each destination user in S1806 is not limited to the method described above.
  • the monitoring scenario Z403 is allocated to the number of destination users corresponding to 5% of all destination users from the top malware mail reception rate, and the number corresponding to 5% of all destination users from the top malware mail reception rate.
  • the monitoring scenario Y402 may be assigned to the destination user, and the monitoring scenario X401 may be assigned to the remaining destination users.
  • the security monitoring system 101 can appropriately assign a monitoring scenario to each user based on the latest information on malware detected in the computer system 102.
  • the security monitoring system 101 according to the first embodiment causes the computer system 102 to increase the scanning level of the mail transmitted to the destination user S when malware is frequently detected from the mail transmitted to the destination user S. be able to.
  • the security monitoring system 101 can cause the computer system 102 to provide an appropriate security level to each destination user.
  • the computer system 102 scans an email for whether or not malware is added.
  • the target of the security monitoring system 101 of the first embodiment is not limited to mail.
  • the computer system 102 scans traffic during Web browsing, the same configuration as that described above can be applied to the security monitoring system of the first embodiment.
  • each server of the computer system 102 When the computer system 102 targets traffic during Web browsing, each server of the computer system 102 operates as a proxy server.
  • the AV server, URL inspection server 116, and file analysis server 117 in the first embodiment are replaced with servers that perform URL filtering, content filtering, and malware filtering when the computer system 102 targets traffic during Web browsing. .
  • Each server other than the server that finally accesses the Web on the Internet is set to transfer the received request to the distribution device 105.
  • the user When the user accesses the Web, the user transmits a request to the proxy server of the computer system 102 via the terminal.
  • the proxy server receives the request, the proxy server performs processing related to Web access, and further forwards the received request to the sorting apparatus 105 according to its own setting.
  • the distribution apparatus 105 extracts a monitoring scenario assigned to the user who transmitted the request, and determines a transfer destination server for the request from the extracted monitoring scenario. Then, the distribution device 105 transmits a request to the determined transfer destination server. If the transfer destination server is not a server that finally accesses the Web on the Internet, the transfer destination server performs processing related to access to the Web, and further transfers the request to the distribution device 105 according to its own setting. These processes are repeated until the request is transferred to the server that finally accesses the Web on the Internet.
  • monitoring scenario of this example is set in advance so that the server that finally accesses the Internet Web scans the requests of all users.
  • the server that finally accesses the Web on the Internet transmits from the information update device 107 information related to the illegal URL and the illegal content acquired from the request by each server of the computer system 102. This enhances filtering at the server that ultimately accesses the Web on the Internet.
  • the security monitoring system 101 is configured by a plurality of devices.
  • the security monitoring system 101 uses a device in which the functions of two or more of these devices are integrated into one unit. May be implemented.
  • a security monitoring apparatus in which the functions of the security monitoring system 101 are integrated into one unit may be configured.
  • the security monitoring system 101 scans mail addressed to each user according to a necessary security level, as compared to the case where all users scan mail using all servers. For this reason, the security monitoring system 101 of Example 1 can implement
  • the security monitoring system 101 in the second embodiment will be described. According to the security monitoring system 101 in the second embodiment, a method for assigning a monitoring scenario for each user can be flexibly changed during operation, and a monitoring scenario according to the user's job title or business can be assigned to the user.
  • the description of the second embodiment the description of the components, functional units, and processing steps that are denoted by the same reference numerals as those shown in the already described drawings is omitted.
  • FIG. 19 is a block diagram illustrating the configuration of the management information storage device 106 and the monitoring scenario update device 109 according to the second embodiment.
  • Example 1 and Example 2 Differences between Example 1 and Example 2 are shown below.
  • the first difference is that the user DB 1901 of the second embodiment includes information of the user DB 601 of the first embodiment and information not included in the user DB 601 of the first embodiment.
  • the second difference is that the management information storage device 106 according to the second embodiment has a monitoring scenario determination policy DB 1902.
  • the third difference is that the processing of the log analysis unit 1903 and the transfer destination determination unit 503 is different from the processing of the log analysis unit 1501 and the transfer destination determination unit 503 of the first embodiment. is there.
  • the method for allocating a monitoring scenario to a user is determined in advance in the first embodiment.
  • the method for allocating a monitoring scenario to a user in the second embodiment can be changed at any time by specifying a policy group by an administrator or the like. is there.
  • the monitoring scenario determination policy DB 1902 shows a pattern of a method for assigning a monitoring scenario to a user. According to the second embodiment, an administrator or the like assigns a monitoring scenario by specifying a policy group indicated by the monitoring scenario determination policy DB 1902. The method can be changed at any time.
  • the values stored in the monitoring scenario determination policy DB 1902 are determined in advance by an administrator or the like.
  • the monitoring scenario determination policy DB 1902 is stored in the storage device 206 of the management information storage device 106.
  • the log analysis unit 1903 analyzes the log information acquired from the log information storage device 108, and further generates monitoring scenario update information based on the analysis result, the user DB 1901, and the monitoring scenario determination policy DB 1902.
  • FIG. 20 is an explanatory diagram showing the user DB 1901 of the second embodiment.
  • the user DB 1901 includes a field for statically determining a combination of a user and a monitoring scenario in addition to the information (user identifier 701 and scenario identifier 702) included in the user DB 601 of the first embodiment.
  • the user DB 1901 includes a user identifier 701, a scenario identifier 702, and a static scenario 2001.
  • a value is set in advance when a monitoring scenario is statically assigned to a user.
  • the user DB 1901 illustrated in FIG. 20 indicates that a monitoring scenario Z403 indicated by the static scenario 2001 is always assigned to a user whose user identifier 701 is “ddd” (user “ddd”).
  • the monitoring scenario update information generated by the log analysis unit 1501 of the monitoring scenario update device 109 indicates that the monitoring scenario X401 is assigned to the user “ddd”, the monitoring scenario Z403 is assigned to the user “ddd”. Is finally assigned.
  • FIG. 21 is a flowchart illustrating a process in which the distribution device 105 according to the second embodiment acquires a monitoring scenario corresponding to a user.
  • the transfer destination determination unit 503 determines the static destination scenario of the user DB 1901 in the process of acquiring the monitoring scenario of the destination user of the received mail (S1604 in FIG. 16) in order to determine the transfer destination server of the received mail. Reference is made to 2001.
  • the process of the transfer destination determining unit 503 of the first embodiment is different from the process of the transfer destination determining unit 503 of the second embodiment.
  • the process shown in FIG. 21 corresponds to S1604 shown in FIG.
  • the transfer destination determination unit 503 extracts the entry of the user identifier 701 indicating the destination user selected in S1603 from the user DB 1901, and the extracted entry static scenario 2001. It is determined whether or not a value is stored in (S2301).
  • the transfer destination determination unit 503 acquires the value stored in the scenario identifier 702 of the extracted entry as the scenario identifier of the monitoring scenario (S2302).
  • the transfer destination determining unit 503 acquires the value stored in the static scenario 2001 of the extracted entry as the scenario identifier of the monitoring scenario (S2303).
  • the transfer destination determining unit 503 ends the processing of S1604 and starts S1605.
  • the transfer destination determination unit 503 assigns a static scenario as a monitoring scenario to a user who has determined a static scenario in advance. Can do. This also allows the transfer destination determination unit 503 to always assign the same monitoring scenario to a specific user.
  • FIG. 22 is an explanatory diagram illustrating the monitoring scenario determination policy DB 1902 according to the second embodiment.
  • the monitoring scenario determination policy DB 1902 includes a policy group identifier 2101, a policy identifier 2102, a scenario identifier 2103, a priority 2104, a parameter lower limit 2105, a parameter upper limit 2106, and a limited number 2107.
  • the policy group identifier 2101 is an identifier for uniquely identifying a policy group.
  • One policy group includes a plurality of policies. Each of the plurality of policies indicates each of a plurality of monitoring scenarios and a method for assigning each of the monitoring scenarios to a user.
  • the policy group identifier 2101 stores a value indicating a plurality of policy groups. As a result, the administrator can change the method of assigning the monitoring scenario to the user simply by specifying the value of the policy group to be applied when the security monitoring system 101 is operated.
  • the policy identifier 2102 includes an identifier for uniquely identifying the policy.
  • the scenario identifier 2103 includes a scenario identifier of a monitoring scenario corresponding to the policy indicated by the policy identifier 2102. In the second embodiment, one monitoring scenario corresponds to one policy.
  • the priority 2104 indicates the priority with which the policy is used in each policy group.
  • an entry in which a large numerical value is stored in the priority 2104 indicates a policy that is preferentially used.
  • the parameter lower limit 2105 is a value indicating the condition of the user that matches each policy, and in Example 2, indicates the lower limit value of the malware mail reception rate. For example, when the malware mail reception rate calculated by the user T is equal to or greater than the value of the parameter lower limit 2105 of the entry U of the monitoring scenario determination policy DB 1902, a monitoring scenario is assigned to the user T according to the policy of the entry U.
  • the parameter upper limit 2106 is a value indicating a user's condition that conforms to each policy. For example, when the malware mail reception rate calculated by the user T is smaller than the value of the parameter upper limit 2106 of the entry V of the monitoring scenario determination policy DB 1902, a monitoring scenario is assigned to the user T according to the policy of the entry V.
  • the entry in which the value of the parameter lower limit 2105 is not stored indicates a policy in which the lower limit of the malware mail reception rate is not set.
  • An entry in which the value of the parameter upper limit 2106 is not stored indicates a policy in which the upper limit of the malware mail reception rate is not set, that is, a policy in which the malware mail reception rate is infinite.
  • the limited number 2107 indicates the upper limit number of users who can be assigned a monitoring scenario according to the policy indicated by the policy identifier 2102. After the user to whom the policy monitoring scenario indicated by the policy identifier 2102 is assigned becomes the same value as the value stored in the limited number 2107, no monitoring scenario is assigned to the user by the policy. If no value is stored in the limited number 2107, the number of users assigned to the policy is not limited.
  • an entry whose policy group identifier 2101 is “PG01” assigns the monitoring scenario Z403 to five users with a high malware mail reception rate, and among the remaining users, the malware mail reception rate is 0.1 or more.
  • the monitoring scenario Y402 is assigned to the user and the monitoring scenario X401 is assigned to the remaining users.
  • FIG. 23 is a flowchart illustrating a process of assigning a monitoring scenario to a user among the processes of the log analysis unit 1903 according to the second embodiment.
  • the process shown in FIG. 23 is a process corresponding to S1806 in FIG.
  • the processing of the log analysis unit 1501 in the first embodiment is different from the processing of the log analysis unit 1903 in the second embodiment only in the processing of S1806.
  • the log analysis unit 1903 acquires an identifier of a policy group applied to the computer system 102 (S2201).
  • the identifier of the policy group is stored in advance in the setting information of the log analysis unit 1903, which is changed as necessary by the administrator. Therefore, in step S2201, the log analysis unit 1903 acquires the identifier of the policy group to be applied to the computer system 102 from the setting information that the log analysis unit 1903 has.
  • the log analysis unit 1903 extracts all entries in the monitoring scenario determination policy DB 1902 of the monitoring scenario update device 109 that indicate the policy group identifiers acquired in S2201 in the policy group identifier 2101 (S2202). Each of the entries extracted here indicates a policy for assigning a monitoring scenario.
  • the log analysis unit 1903 sorts the extracted entries (policies) in descending order of priority 2104 (S2203).
  • the log analysis unit 1903 repeats the processing of S2207 to S2209 for all the destination users in descending order of the malware mail reception rate (S2204). Specifically, in S2204, the log analysis unit 1903 selects one destination user for whom the processing of S2205 has not been executed, in descending order of malware mail reception rate.
  • the log analysis unit 1903 repeats the processing of S2206 and S2207 for all entries (policies) sorted in S2203 (S2205). Specifically, in S2205, the log analysis unit 1903 selects one of the entries sorted in S2203 that has not been subjected to the processing in S2206 in descending order of priority 2104.
  • the log analysis unit 1903 determines whether the malware mail reception rate of the selected destination user is equal to or greater than the value of the parameter lower limit 2105 of the selected entry and lower than the value of the parameter upper limit 2106 ( S2206).
  • the log analysis unit 1903 proceeds to S2207.
  • step S2205 the log analysis unit 1903 selects one entry (policy) for which the processing in step S2206 has not been executed among the entries sorted in step S2203 in descending order of priority 2104.
  • step S ⁇ b> 2207 the log analysis unit 1903 determines that the number of remaining seats is 0 or less even when a value is not stored in the limited number 2107 of the selected entry or a value is stored in the limited number 2107 of the selected entry. It is determined whether it is large.
  • the number of remaining seats is a value obtained by subtracting the number of users assigned a monitoring scenario according to the policy indicated by the entry from the value indicated by the limited number 2107. If no value is stored in the limited number 2107, or if the number of remaining seats is greater than 0, the log analysis unit 1903 proceeds to S2208.
  • the log analysis unit 1903 If no value is set in the limited number 2107 or the number of remaining seats is 0, the log analysis unit 1903 returns to S2205 and selects a new entry.
  • the log analysis unit 1903 subtracts 1 from the number of remaining seats of the selected entry. After S2208, the log analysis unit 1903 extracts the value of the scenario identifier 2103 of the selected entry, and assigns the monitoring scenario indicated by the extracted value to the selected destination user (S2209).
  • the log analysis unit 1903 stores an identifier indicating the selected destination user and the monitoring scenario assigned to the selected destination user in the monitoring scenario update information.
  • the log analysis unit 1903 After S2209, the log analysis unit 1903 returns to S2204, and selects a new destination user from all the destination users. When the iterative process in S2204 is completed, the log analysis unit 1903 proceeds to S1807.
  • the administrator can flexibly change the method of assigning the monitoring scenario to the user when the computer system 102 is operated.
  • the user DB 1901 includes the static scenario 2001, a monitoring scenario according to the user's job title or business can be set in advance.
  • the user DB 601 described in the first embodiment does not include the static scenario 2001, but the user DB 601 in the first embodiment is changed to the same content as the user DB 1901, and the process illustrated in FIG. 21 is performed. This may be done in Example 1.
  • Information such as programs, databases, and files that realize the functions of each processing unit is stored in a recording device such as a memory, a hard disk, an SSD (Solid State Drive), or a recording medium such as an IC card, SD card, or DVD. can do.
  • a recording device such as a memory, a hard disk, an SSD (Solid State Drive), or a recording medium such as an IC card, SD card, or DVD. can do.
  • control lines and information lines indicate what is considered necessary for the explanation, and not all control lines and information lines on the product are necessarily shown. Actually, it may be considered that almost all the components are connected to each other.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Information Transfer Between Computers (AREA)
  • Debugging And Monitoring (AREA)

Abstract

L'invention concerne un système de sécurité qui: conserve une pluralité de scénarios de surveillance indiquant une pluralité de procédés de balayage utilisés pour balayer des données à l'aide d'un système informatique, et un ordre dans lequel le système informatique utilise chaque procédé de la pluralité de procédés de balayage; et conserve des informations d'utilisateurs indiquant chaque scénario de la pluralité de scénarios de surveillance, ainsi qu'au moins un utilisateur auquel est affecté un scénario respectif de surveillance parmi la pluralité de scénarios de surveillance. Après que le système informatique a balayé des données en utilisant un procédé de balayage parmi la pluralité de procédés de balayage, le procédé de balayage suivant à utiliser sur les données est déterminé parmi la pluralité de procédés de balayage sur la base de la pluralité de scénarios conservée, des informations d'utilisateurs et de l'utilisateur indiqué par un identifiant compris dans les données. Les informations indiquant le procédé de balayage déterminé sont transmises au système informatique de telle façon que les données soient balayées par le procédé de balayage déterminé.
PCT/JP2012/076211 2012-10-10 2012-10-10 Système de sécurité et procédé de surveillance de sécurité WO2014057542A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2012/076211 WO2014057542A1 (fr) 2012-10-10 2012-10-10 Système de sécurité et procédé de surveillance de sécurité
JP2014540659A JP5969618B2 (ja) 2012-10-10 2012-10-10 セキュリティシステム、および、セキュリティ監視方法

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2012/076211 WO2014057542A1 (fr) 2012-10-10 2012-10-10 Système de sécurité et procédé de surveillance de sécurité

Publications (1)

Publication Number Publication Date
WO2014057542A1 true WO2014057542A1 (fr) 2014-04-17

Family

ID=50477031

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2012/076211 WO2014057542A1 (fr) 2012-10-10 2012-10-10 Système de sécurité et procédé de surveillance de sécurité

Country Status (2)

Country Link
JP (1) JP5969618B2 (fr)
WO (1) WO2014057542A1 (fr)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150096022A1 (en) * 2013-09-30 2015-04-02 Michael Vincent Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses
US9118715B2 (en) 2008-11-03 2015-08-25 Fireeye, Inc. Systems and methods for detecting malicious PDF network content
JP5944041B1 (ja) * 2015-11-19 2016-07-05 ネクスト・イット株式会社 コンピュータウイルススキャン装置、コンピュータウイルス方法及びコンピュータ媒体
JP2018160094A (ja) * 2017-03-23 2018-10-11 日本電気株式会社 通信システム、通信方法及びプログラム
US10515214B1 (en) 2013-09-30 2019-12-24 Fireeye, Inc. System and method for classifying malware within content created during analysis of a specimen

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002063116A (ja) * 2000-08-22 2002-02-28 Xaxon R & D Corp 電子メールプロキシサーバ
WO2002103533A1 (fr) * 2001-05-22 2002-12-27 Worldcom, Inc. Systeme et procede de detection d'antiprogramme
EP1655682A2 (fr) * 2004-11-08 2006-05-10 Microsoft Corporation Système et méthode pour agréger la base de connaissance des applications de logiciel d'antivirus

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6802012B1 (en) * 2000-10-03 2004-10-05 Networks Associates Technology, Inc. Scanning computer files for unwanted properties
US8595839B2 (en) * 2011-01-21 2013-11-26 International Business Machines Corporation Selecting one of a plurality of scanner nodes to perform scan operations for an interface node receiving a file request

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002063116A (ja) * 2000-08-22 2002-02-28 Xaxon R & D Corp 電子メールプロキシサーバ
WO2002103533A1 (fr) * 2001-05-22 2002-12-27 Worldcom, Inc. Systeme et procede de detection d'antiprogramme
EP1655682A2 (fr) * 2004-11-08 2006-05-10 Microsoft Corporation Système et méthode pour agréger la base de connaissance des applications de logiciel d'antivirus

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9118715B2 (en) 2008-11-03 2015-08-25 Fireeye, Inc. Systems and methods for detecting malicious PDF network content
US9438622B1 (en) 2008-11-03 2016-09-06 Fireeye, Inc. Systems and methods for analyzing malicious PDF network content
US9954890B1 (en) 2008-11-03 2018-04-24 Fireeye, Inc. Systems and methods for analyzing PDF documents
US20150096022A1 (en) * 2013-09-30 2015-04-02 Michael Vincent Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses
US9171160B2 (en) * 2013-09-30 2015-10-27 Fireeye, Inc. Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses
US9910988B1 (en) 2013-09-30 2018-03-06 Fireeye, Inc. Malware analysis in accordance with an analysis plan
US10515214B1 (en) 2013-09-30 2019-12-24 Fireeye, Inc. System and method for classifying malware within content created during analysis of a specimen
US10713362B1 (en) 2013-09-30 2020-07-14 Fireeye, Inc. Dynamically adaptive framework and method for classifying malware using intelligent static, emulation, and dynamic analyses
JP5944041B1 (ja) * 2015-11-19 2016-07-05 ネクスト・イット株式会社 コンピュータウイルススキャン装置、コンピュータウイルス方法及びコンピュータ媒体
JP2018160094A (ja) * 2017-03-23 2018-10-11 日本電気株式会社 通信システム、通信方法及びプログラム

Also Published As

Publication number Publication date
JP5969618B2 (ja) 2016-08-17
JPWO2014057542A1 (ja) 2016-08-25

Similar Documents

Publication Publication Date Title
US11068588B2 (en) Detecting irregularities on a device
Lever et al. A lustrum of malware network communication: Evolution and insights
US8813228B2 (en) Collective threat intelligence gathering system
CN105721461B (zh) 利用专用计算机安全服务的系统和方法
US8214490B1 (en) Compact input compensating reputation data tracking mechanism
RU2444056C1 (ru) Система и способ ускорения решения проблем за счет накопления статистической информации
US8375120B2 (en) Domain name system security network
US8850571B2 (en) Systems and methods for detecting malicious network content
US8776241B2 (en) Automatic analysis of security related incidents in computer networks
US8572740B2 (en) Method and system for detection of previously unknown malware
US8776242B2 (en) Providing a malware analysis using a secure malware detection process
EP2933973A1 (fr) Procédé, appareil et système de protection de données
JP5969618B2 (ja) セキュリティシステム、および、セキュリティ監視方法
US20080229419A1 (en) Automated identification of firewall malware scanner deficiencies
US8635079B2 (en) System and method for sharing malware analysis results
US11489850B2 (en) Apparatus and methods thereof for inspecting events in a computerized environment respective of a unified index for granular access control
WO2014179805A1 (fr) Procédé et appareil permettant de fournir une visibilité légale de systèmes et de réseaux
US20180234234A1 (en) System for describing and tracking the creation and evolution of digital files
US11347872B2 (en) Dynamic cybersecurity protection mechanism for data storage devices
Chiba et al. Botprofiler: Profiling variability of substrings in http requests to detect malware-infected hosts
US11882131B1 (en) Systems and methods for prioritizing URL review for sandboxing based on accelerated velocities of URL features in network traffic
US11743286B2 (en) Combination rule mining for malware signature generation
US20210250331A1 (en) Electronic message processing systems and methods
Skrzewski About the efficiency of malware monitoring via server-side honeypots
JP6900328B2 (ja) 攻撃種別判定装置、攻撃種別判定方法、及びプログラム

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 12886391

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2014540659

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 12886391

Country of ref document: EP

Kind code of ref document: A1