WO2014129587A1 - Network monitoring device, network monitoring method and network monitoring program - Google Patents
- Publication number: WO2014129587A1 (PCT/JP2014/054190)
- Authority: WO (WIPO, PCT)
- Prior art keywords: log, information, analysis, log data, network
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (under H04L63/14, detecting or protecting against malicious traffic, and H04L63/1408, by monitoring network traffic)
- H04L12/6418: Hybrid transport (under H04L12/64, hybrid switching systems, in H04L12/00, data switching networks)
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/02, separating internal from external traffic, e.g. firewalls, and H04L63/0227, filtering policies)
- H04L63/0281: Proxies (under H04L63/02, separating internal from external traffic, e.g. firewalls)
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L67/00, network arrangements or protocols for supporting network services or applications, and H04L67/01, protocols)
All of the above fall under H04L, transmission of digital information (section H, electricity; class H04, electric communication technique); the H04L63 entries are network architectures or protocols for network security.
Definitions
- The present invention relates to a technology for supporting the detection of cyber attacks from external networks such as the Internet, and of information leakage to external networks.
- FIG. 8 is a diagram for explaining an example of a countermeasure technique according to the conventional technique.
- The FW is arranged at the connection point between an internal network and an external network, either as a packet filtering function of a network device such as a router or as a dedicated device.
- In the FW, a rule is set by a user of a terminal in the internal network so that only two kinds of packets are allowed to pass: packets of services that a terminal in the internal network provides to terminals of the external network, and packets that a terminal in the internal network uses to access a service provided by a terminal of the external network. All other packets are blocked.
- IDS and IPS are provided as a function of a network device such as a router, or as a dedicated device.
- Two types are known: a signature type, and an anomaly type in which traffic is monitored using various logs and statistical information collected from network devices, and abnormal data is detected by analyzing the monitoring data.
- In the signature type, a packet is captured at a point after it has passed through the FW, and it is checked whether the packet contains a bit string known to be malicious; if such a bit string is present, the packet is judged to be unauthorized.
- In the anomaly type, a normal state is defined for behaviors such as the addition of resources and the communication volume of a terminal in the internal network, and an abnormality is detected when the observed behavior deviates from that normal state.
- In either case, an alert is output to notify the network administrator of the abnormality.
- However, the conventional technology described above has certain limits as a countermeasure against unauthorized communication.
- In the FW, whether a packet is allowed to pass is decided for each packet individually, so once an attack has succeeded, the attacker's communication cannot be identified just by looking at a single log entry for a packet that was allowed through.
- Signature-type IDS and IPS rely on predefined patterns, so their response to an unknown attack is delayed, which limits them as a countermeasure.
- In anomaly-type IDS and IPS, if the normal state is defined strictly, false detections occur frequently, and it is difficult to detect all unauthorized communication, which likewise limits them as a countermeasure.
- The technology of the present application was made in view of these problems of the prior art, and its purpose is to provide a network monitoring device, a network monitoring method, and a network monitoring program that can detect unauthorized communication with high accuracy.
- A network monitoring apparatus includes a log collection unit that collects and stores log data from at least one of a firewall, provided at a connection point with an external network and/or at an internal segment division point, and a proxy server for web access;
- and a log analysis unit that queries the log collection unit for the log data, analyzes the log data according to set analysis conditions, and outputs an analysis result.
- The log data stored by the log collection unit includes the 5-tuple, the send size, the receive size, information extracted from the HTTP header, and at least a time stamp; the information extracted from the HTTP header contains at least one of the destination URL, the User-Agent name and the request method.
- the network monitoring device makes it possible to detect unauthorized communications with high accuracy.
- FIG. 1 is a diagram illustrating an example of a configuration of a network including a network monitoring apparatus according to the first embodiment.
- FIG. 2 is a diagram illustrating an example of the configuration of the network monitoring apparatus according to the first embodiment.
- FIG. 3 is a diagram illustrating an example of log information stored by the log DB according to the first embodiment.
- FIG. 4 is a flowchart illustrating a processing procedure performed by the network monitoring apparatus according to the first embodiment.
- FIG. 5 is a diagram illustrating an example of the configuration of a system for detecting and protecting against unauthorized access and intrusion.
- FIG. 6 is a block diagram illustrating a configuration of a detection device according to the second embodiment.
- FIG. 7 is a diagram illustrating an example of a network configuration to which the detection apparatus according to the second embodiment is applied.
- FIG. 8 is a diagram for explaining an example of a countermeasure technique according to the conventional technique.
- FIG. 1 is a diagram illustrating an example of a configuration of a network including a network monitoring apparatus 100 according to the first embodiment.
- the network including the network monitoring apparatus according to the first embodiment is an in-house NW (Network) as shown in FIG. 1 and is connected to the Internet (denoted as an external network as appropriate).
- the corporate NW includes a network monitoring device 100, an FW (FireWall) 200, and a proxy server 300 as shown in FIG.
- the corporate NW includes a user PC, a file server, SW (Switch) / router, IDS / IPS, and the like.
- a file server is accessed from a user PC, or the Internet is accessed from the user PC via the FW 200.
- a user PC accesses the Internet via a proxy server 300.
- The FW 200 monitors packets in communication between the user PCs and file server included in the corporate NW and terminals and servers on the Internet. Specifically, the FW 200 controls packet transfer between the Internet and the corporate NW based on conditions defined in advance by the user. For example, the FW 200 determines whether a packet belongs to unauthorized communication based on the packet's 5-tuple (destination IP (Internet Protocol) address, source IP address, destination port, transmission port and protocol), and discards the packet if it judges the communication to be unauthorized. Further, the FW 200 controls the connection between the user PCs or file server in the corporate NW and the Internet so that it is always made via the proxy server 300; that is, the FW 200 ensures that the user PCs and file server in the corporate NW are never connected directly to the Internet.
- The FW 200 also monitors packets in communication between the user PCs and the file server inside the corporate NW. Specifically, the FW 200 controls packet transfer between the user PCs and the file server based on conditions defined in advance by the user. For example, the FW 200 determines whether a packet belongs to unauthorized communication based on its 5-tuple, and discards the packet when it judges the communication to be unauthorized.
- The FW 200 outputs various logs for the packets that pass through it.
- For example, the FW 200 outputs the 5-tuple of a packet that passed through the FW 200, the time at which the packet passed (packet passage time stamp), the determination result for the packet (whether it was allowed to pass), and the like. Note that this information is merely an example, and the FW 200 may output other information depending on the device.
- The FW 200 may also store the various logs that it outputs.
- The proxy server 300 relays communication between the user PCs and file server in the corporate NW and the terminals and servers on the Internet. That is, when a user PC or file server in the corporate NW accesses the Internet, the proxy server 300 communicates with the destination terminal or server on its behalf.
- The proxy server 300 holds (caches) a file once read in communication with a terminal or server on the Internet for a certain period, and if a similar connection request then arrives from a user PC or file server in the corporate NW, it serves the cached file. Further, the proxy server 300 restricts the destination Web site on the Internet and the connecting user terminal based on the destination URL (Uniform Resource Locator) of the packet.
- The proxy server 300 stores a log of the packets in the communication it proxied.
- For example, the proxy server 300 stores the connection time of the communication, the connecting user terminal, the connection result, the packet transmission/reception size, the access method, the URL of the access destination, the time at which the communication took place (time stamp of the communication), and the like. Note that this information is merely an example, and the proxy server 300 may store other information depending on the device.
- The network monitoring device 100 monitors packets transferred in the corporate NW and detects unauthorized communication with high accuracy. Specifically, as illustrated in FIG. 1, the network monitoring apparatus 100 collects packet information from the FW 200 and the proxy server 300 and detects unauthorized communication. For example, the network monitoring apparatus 100 collects and analyzes log information (referred to as "log data" where appropriate) from the FW 200 or the proxy server 300, and, as shown in FIG. 1, performs "1: detection of communication between an infected user PC and a malicious site on the Internet", "2: investigation of unauthorized communication inside the corporate NW", and "3: detection of communication between an attacker on the Internet and a server in the corporate NW, and of data take-out by the attacker".
- FIG. 2 is a diagram illustrating an example of the configuration of the network monitoring apparatus 100 according to the first embodiment.
- the network monitoring apparatus 100 is connected to the FW 200 and the proxy server 300 and monitors communication in the in-company NW.
- one FW 200 and one proxy server 300 are shown, but in practice, an arbitrary number of FWs 200 and proxy servers 300 are connected to the network monitoring apparatus 100.
- the network monitoring apparatus 100 includes a communication control I / F unit 110, an input unit 120, a display unit 130, a storage unit 140, and a control unit 150. Then, the network monitoring apparatus 100 collects log information from the FW 200 and the proxy server 300 included in the in-company NW, and monitors communication in the in-company NW based on the collected log information.
- the communication control I / F unit 110 controls communication regarding various information exchanged between the control unit 150 and the FW 200 and the proxy server 300 included in the corporate NW. For example, the communication control I / F unit 110 controls communication related to log collection from the FW 200 and the proxy server 300. The communication control I / F unit 110 controls the exchange of various information between the input unit 120 and the display unit 130 and the control unit 150.
- the input unit 120 is a keyboard or a mouse, for example, and accepts various information input processes by the user.
- the input unit 120 accepts input processing such as conditions for analyzing log information.
- the conditions for analyzing the log information will be described later.
- the display unit 130 is, for example, a display, and displays and outputs the processing result to the user.
- the display unit 130 displays and outputs log information corresponding to conditions for analyzing log information. That is, the display unit 130 displays and outputs log information related to unauthorized communication in the corporate NW.
- the storage unit 140 includes a log DB 141, an analysis information DB 142, and an analysis result DB 143.
- the storage unit 140 is, for example, a storage device such as a hard disk or an optical disk, or a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory (Flash Memory), and stores various programs executed by the network monitoring device 100.
- The log DB 141 stores logs collected from at least one of the FW 200 and the proxy server 300 by the control unit 150 described later. Specifically, the log DB 141 stores normalized log information collected from at least one of the FW 200 and the proxy server 300 by the control unit 150. For example, the log DB 141 stores log information obtained by normalizing the 5-tuple (destination IP address, source IP address, destination port, transmission port and protocol) of a packet that passed through the FW 200 or the proxy server 300, the connection time of the communication, the connection result, the packet transmission/reception size, the URL of the access destination, and a time stamp.
- FIG. 3 is a diagram illustrating an example of log information stored by the log DB 141 according to the first embodiment.
- The log DB 141 stores log information in which the information of each packet is arranged in time series based on its time stamp. That is, as illustrated in FIG. 3, the log DB 141 stores log information in which a "date/time", a destination IP address, a source IP address, a destination port, a transmission port, a protocol, a transmission size, a reception size, a destination URL, a user agent, a request method, and a determination result are associated with each other.
- “date / time” shown in FIG. 3 indicates the time when the packet passes through the FW 200 or the time when the proxy server 300 executes communication.
- The "destination IP address" shown in FIG. 3 is the IP address of the terminal (a user PC of the corporate NW, a terminal on the Internet, etc.) or server (a file server of the corporate NW, a server on the Internet, etc.) that is the destination of the packet.
- The "source IP address" shown in FIG. 3 is the IP address of the terminal (a user PC of the corporate NW, a terminal on the Internet, etc.) or server (a file server of the corporate NW, a server on the Internet, etc.) that is the source of the packet.
- The "destination port" shown in FIG. 3 is the port of the terminal (a user PC of the corporate NW, a terminal on the Internet, etc.) or server (a file server of the corporate NW, a server on the Internet, etc.) that is the destination of the packet.
- The "transmission port" shown in FIG. 3 is the port of the terminal (a user PC of the corporate NW, a terminal on the Internet, etc.) or server (a file server of the corporate NW, a server on the Internet, etc.) that is the source of the packet.
- the “protocol” shown in FIG. 3 indicates a communication protocol used for packet transmission / reception.
- the “transmission size” shown in FIG. 3 indicates the size of the packet transmitted by the FW 200 or the proxy server 300. Further, the “reception size” illustrated in FIG. 3 indicates the size of the packet received by the FW 200 or the proxy server 300. Further, the “destination URL” shown in FIG. 3 refers to a server (such as a file server of a corporate NW or a server on the Internet) accessed by a terminal (such as a user PC of a corporate NW or a terminal on the Internet). URL of the site is shown.
- the “user agent” shown in FIG. 3 refers to a terminal (such as a user PC of a corporate NW or a terminal on the Internet) that accesses a site on a server (such as a file server of a corporate NW or a server on the Internet). ) Browser information. For example, when a user requests browsing of a website, a series of headers are transmitted from the browser to the server that hosts the site. Each header contains detailed information for the server to determine the best way to provide the information requested to be viewed.
- the “user agent” is a header for identifying an application that requests information from the server.
- the “user agent” includes information such as the browser of the terminal that requested browsing of the Web site, the browser version, and the OS.
- The "request method" shown in FIG. 3 indicates the request sent from a terminal (a user PC of the corporate NW, a terminal on the Internet, etc.) to a server (a file server of the corporate NW, a server on the Internet, etc.).
- Examples of the "request method" are "GET", with which the browser asks the server to retrieve a web page, "HEAD", which requests only the header information, "PUT", which asks the server to accept an uploaded file, and "POST".
- the “determination result” illustrated in FIG. 3 indicates a determination result by the FW 200 or the proxy server 300.
- the “determination result” includes a result of packet transfer control between the user PC and the Internet based on conditions predefined by the user.
- the “determination result” includes, for example, the result of the connection restriction on the connection destination Web site on the Internet and the connection source user terminal based on the destination URL of the packet.
- the log DB 141 is collected by the control unit 150 described later, and stores log information as shown in FIG.
- the log information illustrated in FIG. 3 is merely an example, and the embodiment is not limited thereto. That is, the log DB 141 can also store other information as log information.
- not all information shown in FIG. 3 is collected for all packets, and for example, logs corresponding to log output devices that output logs are collected. In other words, some information may not be collected depending on the type of log output device.
- the analysis information DB 142 stores information used for analysis by the control unit 150 described later. Specifically, the analysis information DB 142 stores various information used when extracting log information satisfying a predetermined condition from the log information stored by the log DB 141. For example, the analysis information DB 142 stores information that is a key when extracting log information with information included in the header of the packet. For example, the analysis information DB 142 stores information that becomes a key when log information is extracted by a character string included in a user agent. For example, the analysis information DB 142 stores a predetermined character string for extracting log information in which a character string other than the predetermined character string is included in the user agent.
- the analysis information DB 142 can store any information as long as it can be used when extracting log information satisfying a predetermined condition from the log information stored in the log DB 141. .
- the analysis result DB 143 stores an analysis result by the control unit 150 described later. Specifically, the analysis result DB 143 stores log information extracted from log information stored in the log DB 141 by a control unit 150 described later based on a predetermined condition. More specifically, the analysis result DB 143 stores log information that satisfies a predetermined condition in a predetermined period, which is extracted by analyzing log information stored in the log DB 141 over time.
- the control unit 150 includes a log collection unit 151, a log analysis unit 152, and an output control unit 153.
- The control unit 150 is, for example, an electronic circuit such as a CPU (Central Processing Unit) or MPU (Micro Processing Unit), or an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or FPGA (Field Programmable Gate Array), and performs overall control of the network monitoring device 100.
- The log collection unit 151 collects, for the packets transferred through the corporate NW, logs relating to the packets that pass through at least one of the FW 200 and the proxy server 300 in the corporate NW. Specifically, from the FW 200 the log collection unit 151 collects the 5-tuple of each packet, the time at which the packet passed (packet passage time stamp), and the determination result for the packet (whether it was judged to be unauthorized, that is, whether it was allowed to pass). From the proxy server 300 it collects the connection time of the communication, the connecting user terminal, the connection result, the packet transmission/reception size, the access method, the URL of the access destination, the time at which the communication took place (time stamp of the communication), and the like.
- The log collection unit 151 normalizes the collected information, converting log files of different formats into log information in a unified common format. The log collection unit 151 then stores the normalized log information in the log DB 141.
- That is, the log collection unit 151 stores in the log DB 141 (see FIG. 3) log information that includes, for each packet, the destination IP address, source IP address, destination port, transmission port, protocol, packet transmission/reception size, destination URL, user agent, request method, the determination result of the FW 200 or proxy server 300, and the time information.
- The log collection unit 151 can also select which log information to collect according to the analysis conditions used by the log analysis unit 152 described later.
- For example, the log collection unit 151 collects, as log information for a packet transferred through the network, the destination IP address, source IP address, destination port, transmission port, protocol, and time information (time stamp).
- Alternatively, the log collection unit 151 collects the destination IP address, source IP address, destination port, transmission port, protocol, packet transmission/reception size, and time information (time stamp) of a packet transferred through the network.
- Alternatively, the log collection unit 151 collects, as log information, the destination IP address, source IP address, destination port, transmission port, protocol, destination URL of the packet, user agent, request method, and time information (time stamp) of a packet transferred through the network.
- That is, by selecting the log information to be collected, the composition of the log information that the log collection unit 151 stores in the log DB 141 changes accordingly.
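The normalization step described above, as an added example that is not code from the patent: two constructed log layouts, one for a firewall (an ISO time stamp followed by key=value pairs) and one for a web proxy (space separated, with the User-Agent quoted), are parsed into the common record layout of FIG. 3 and merged in time order. The layouts, field names and sample lines are assumptions made for illustration; real FW and proxy products use their own formats. Fields a device does not log (the FW has no sizes or HTTP headers) are left as None, matching the note that not every item is collected from every log output device.

```python
"""Normalize firewall and web-proxy log lines into the common record format of FIG. 3.

Added example, not code from the patent. The FW and proxy log layouts below are
constructed for illustration; real devices use their own formats.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional
import re
import shlex


@dataclass(frozen=True)
class LogRecord:
    """One row of the normalized log (log DB 141 in the text)."""
    date_time: datetime
    dst_ip: str
    src_ip: str
    dst_port: int
    src_port: int                 # called the "transmission port" in the text
    protocol: str
    send_size: Optional[int]      # items a device does not log are None
    recv_size: Optional[int]
    dest_url: Optional[str]
    user_agent: Optional[str]
    request_method: Optional[str]
    verdict: str                  # determination result of the FW or proxy


_FW_KV = re.compile(r"(\w+)=(\S+)")


def parse_fw_line(line: str) -> LogRecord:
    """Assumed FW format: ISO time stamp followed by key=value pairs."""
    ts, rest = line.split(" ", 1)
    kv = dict(_FW_KV.findall(rest))
    return LogRecord(
        date_time=datetime.fromisoformat(ts),
        dst_ip=kv["dst"], src_ip=kv["src"],
        dst_port=int(kv["dpt"]), src_port=int(kv["spt"]),
        protocol=kv["proto"].lower(),
        send_size=None, recv_size=None,        # a packet filter logs no sizes
        dest_url=None, user_agent=None, request_method=None,  # and no HTTP header
        verdict=kv["action"],
    )


def parse_proxy_line(line: str) -> LogRecord:
    """Assumed proxy format (space separated, User-Agent quoted):
    ts client_ip:port server_ip:port METHOD URL "User-Agent" bytes_sent bytes_received result
    """
    ts, client, server, method, url, ua, sent, recvd, result = shlex.split(line)
    src_ip, src_port = client.rsplit(":", 1)
    dst_ip, dst_port = server.rsplit(":", 1)
    return LogRecord(
        date_time=datetime.fromisoformat(ts),
        dst_ip=dst_ip, src_ip=src_ip,
        dst_port=int(dst_port), src_port=int(src_port),
        protocol="tcp",                        # proxied web traffic is TCP
        send_size=int(sent), recv_size=int(recvd),
        dest_url=url, user_agent=ua, request_method=method,
        verdict=result,
    )


def normalize(fw_lines, proxy_lines) -> List[LogRecord]:
    """Merge both sources into one list ordered by time stamp, as log DB 141 is."""
    records = [parse_fw_line(l) for l in fw_lines if l.strip()]
    records += [parse_proxy_line(l) for l in proxy_lines if l.strip()]
    records.sort(key=lambda r: r.date_time)
    return records


# Constructed sample logs (not captured from any real device).
FW_LOG = """\
2014-02-20T10:00:05 src=10.0.0.5 spt=51234 dst=198.51.100.7 dpt=443 proto=TCP action=allow
2014-02-20T10:00:07 src=203.0.113.9 spt=40000 dst=10.0.0.100 dpt=445 proto=TCP action=deny
"""
PROXY_LOG = """\
2014-02-20T10:00:01 10.0.0.5:51230 203.0.113.20:80 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 6.1)" 512 20480 TCP_MISS/200
2014-02-20T10:00:03 10.0.0.8:51300 203.0.113.21:80 POST http://upload.example.net/api "Updater/1.0" 1048576 200 TCP_MISS/200
"""


def normalized_sample() -> List[LogRecord]:
    """The two constructed logs above, normalized and ordered in time."""
    return normalize(FW_LOG.splitlines(), PROXY_LOG.splitlines())


if __name__ == "__main__":
    for r in normalized_sample():
        print(r.date_time.isoformat(), r.src_ip, r.dst_ip, r.dst_port,
              r.request_method, r.user_agent, r.verdict)
```

Because the proxy sees the client's request while the FW sees only the packet, the same connection from 10.0.0.5 can produce one row with a URL and User-Agent and another with only the 5-tuple and verdict; keeping both rows, ordered by time, is what lets the later analysis correlate them.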
- The log analysis unit 152 analyzes the log information collected by the log collection unit 151 over time, and extracts log information that satisfies a predetermined condition within a predetermined period. Specifically, based on the log information collected by the log collection unit 151, the log analysis unit 152 extracts log information in which the number of communication connections and their interval satisfy a predetermined condition within a predetermined period. For example, using the destination IP address, source IP address, destination port, transmission port, protocol, and time information of the log information collected by the log collection unit 151, the log analysis unit 152 extracts from the log information stored in the log DB 141 the log information in which communication with a connection count of "10" occurring at an interval of "30 seconds" continues for a predetermined period. The log analysis unit 152 then stores the extracted log information in the analysis result DB 143.
- Further, based on the log information collected by the log collection unit 151, the log analysis unit 152 extracts log information in which the packet transmission/reception size satisfies a predetermined condition within a predetermined period.
- For example, using the destination IP address, source IP address, destination port, transmission port, protocol, packet transmission/reception size, and time information of the log information collected by the log collection unit 151, the log analysis unit 152 extracts from the log information stored in the log DB 141 the log information in which the packet transmission/reception size exceeds a predetermined number of bytes and this continues for a predetermined period. The log analysis unit 152 then stores the extracted log information in the analysis result DB 143.
- Further, based on the log information collected by the log collection unit 151, the log analysis unit 152 extracts log information in which the header information of the original communication contained in the log satisfies a predetermined condition within a predetermined period.
- For example, using the destination IP address, source IP address, destination port, transmission port, protocol, destination URL, user agent, request method, and time information of the log information collected by the log collection unit 151,
- the log analysis unit 152 extracts from the log information stored in the log DB 141 the log information in which communication whose user agent contains a character string not stored in the analysis information DB 142 continues for a predetermined period. The log analysis unit 152 then stores the extracted log information in the analysis result DB 143.
- the log analysis unit 152 extracts log information that satisfies a predetermined condition in a predetermined period by analyzing the log information collected by the log collection unit 151 over time.
- the condition for extracting log information can be arbitrarily set by the user.
- Various conditions may be set for a plurality of pieces of information (for example, each item shown in FIG. 3), and log information in which communication satisfying the set conditions continues for a predetermined period may be extracted. These conditions may be entered by the user via the input unit 120 when the log information is analyzed, or the log analysis unit 152 may read preset conditions.
- Thus, by setting various conditions presumed to indicate unauthorized communication and analyzing the logs against them, log information with a high likelihood of being unauthorized communication can be detected.
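The three analysis conditions described above (connection count and interval, transmission/reception size over a period, and user agent strings not registered in the analysis information DB 142), run over constructed normalized records as an added example that is not the patent's own code. The record layout (a dict holding the FIG. 3 items these checks use), the thresholds (10 connections at 30 second intervals, more than 5 MB per minute for three consecutive minutes, a list of allowed User-Agent substrings standing in for the analysis information DB) and the sample traffic are all assumptions. Each function returns the extracted log entries keyed by the communication they belong to, which is what the text stores in the analysis result DB 143.

```python
"""Analysis conditions of the log analysis unit, run over constructed normalized records.

Added example, not code from the patent. Record layout, thresholds and sample
traffic are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2014, 2, 20, 10, 0, 0)


def rec(offset_s, src, dst, dport, proto="tcp", send=None, recv=None, ua=None):
    """One normalized record with the FIG. 3 items used by the three checks."""
    return {"ts": T0 + timedelta(seconds=offset_s), "src_ip": src, "dst_ip": dst,
            "dst_port": dport, "protocol": proto, "send_size": send,
            "recv_size": recv, "user_agent": ua}


def _group(records):
    """Group records by the communication they belong to, each group in time order."""
    by_key = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_key[(r["src_ip"], r["dst_ip"], r["dst_port"], r["protocol"])].append(r)
    return by_key


def periodic_connections(records, min_count=10, interval=30, tolerance=5,
                         period=timedelta(minutes=10)):
    """Condition 1: the same src -> dst:port/proto connects at least `min_count`
    times about `interval` seconds apart, all within `period` (beaconing)."""
    hits = {}
    for key, rs in _group(records).items():
        runs, run = [], [rs[0]]
        for prev, cur in zip(rs, rs[1:]):
            gap = (cur["ts"] - prev["ts"]).total_seconds()
            if abs(gap - interval) <= tolerance:
                run.append(cur)          # still on the fixed cadence
            else:
                runs.append(run)         # cadence broken: close this run
                run = [cur]
        runs.append(run)
        for run in runs:
            if len(run) >= min_count and run[-1]["ts"] - run[0]["ts"] <= period:
                hits[key] = run
    return hits


def sustained_volume(records, min_bytes, window=timedelta(minutes=1), min_windows=3):
    """Condition 2: send+receive size of one communication exceeds `min_bytes` in
    each of `min_windows` consecutive windows (a transfer that keeps going)."""
    hits = {}
    for key, rs in _group(records).items():
        t0, totals = rs[0]["ts"], defaultdict(int)
        for r in rs:
            idx = int((r["ts"] - t0) / window)
            totals[idx] += (r["send_size"] or 0) + (r["recv_size"] or 0)
        streak = 0
        for idx in range(max(totals) + 1):
            streak = streak + 1 if totals[idx] > min_bytes else 0
            if streak >= min_windows:
                hits[key] = rs
                break
    return hits


ALLOWED_UA = ["Mozilla/"]   # stands in for the strings kept in analysis information DB 142


def unknown_user_agents(records, allowed_substrings=ALLOWED_UA, min_count=3):
    """Condition 3: HTTP requests whose User-Agent contains none of the registered
    strings, repeated at least `min_count` times from the same source."""
    hits = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        ua = r["user_agent"]
        if ua is None:                       # FW records carry no HTTP header
            continue
        if not any(s in ua for s in allowed_substrings):
            hits[r["src_ip"]].append(r)
    return {src: rs for src, rs in hits.items() if len(rs) >= min_count}


# Constructed sample traffic (not captured from any real network).
SAMPLE = (
    # an infected PC calling one site every 30 s, 12 times (FW log: no sizes or headers)
    [rec(30 * i, "10.0.0.5", "198.51.100.7", 443) for i in range(12)]
    # ordinary browsing from the same PC at irregular intervals (proxy log)
    + [rec(t, "10.0.0.5", "203.0.113.20", 80, send=500, recv=20_000,
           ua="Mozilla/5.0 (Windows NT 6.1)") for t in (2, 47, 190, 400)]
    # an Internet host moving about 3 MB from the file server every 20 s for 3 minutes
    + [rec(20 * i, "203.0.113.9", "10.0.0.100", 445, send=1_000, recv=3_000_000)
       for i in range(9)]
    # a non-browser tool posting 1 MB a minute through the proxy
    + [rec(60 * i, "10.0.0.8", "203.0.113.21", 80, send=1_048_576, recv=200,
           ua="Updater/1.0") for i in range(4)]
)


def analyze(records=SAMPLE):
    """Run all three conditions; the result is what goes into analysis result DB 143."""
    return {"periodic": periodic_connections(records),
            "volume": sustained_volume(records, min_bytes=5_000_000),
            "user_agent": unknown_user_agents(records)}


if __name__ == "__main__":
    for name, hits in analyze().items():
        for key, rs in hits.items():
            print(f"{name}: {key} ({len(rs)} log entries)")
```

The browsing records from 10.0.0.5 share a source with the beacon but have irregular gaps, so only the 30 second cadence to 198.51.100.7 is extracted; this is the point of examining runs of connections over time rather than judging each log line on its own, as a per-packet firewall rule would.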
- the output control unit 153 controls the display unit 130 to display and output the analysis result analyzed by the log analysis unit 152 and stored in the analysis result DB 143. That is, the output control unit 153 displays and outputs the log information extracted under the conditions set by the user. Therefore, information that has a high possibility of unauthorized communication can be confirmed on the display unit 130 by setting various conditions that are presumed to be unauthorized communication by the user.
- FIG. 4 is a flowchart illustrating a processing procedure performed by the network monitoring apparatus 100 according to the first embodiment.
- The log collection unit 151 collects log information from the FW 200 and the proxy server 300 (step S101), normalizes the collected log information, and stores it in the log DB 141 (step S102). Log information is collected continuously until the log analysis unit 152 accepts analysis conditions (No at step S103).
- When analysis conditions are accepted (Yes at step S103), the log analysis unit 152 extracts log information according to the received analysis conditions (step S104), and then stores the extracted log information, which is the analysis result, in the analysis result DB 143 (step S105).
- The output control unit 153 displays the analysis result stored in the analysis result DB 143 on the display unit 130 (step S106).
- the log collection unit 151 collects log information from at least one of the FW 200 and the proxy server 300 included in the company NW, with respect to a packet transferred through the company NW. Then, the log analysis unit 152 analyzes the log information collected by the log collection unit 151 over time, thereby extracting log information satisfying a predetermined condition in a predetermined period. Therefore, the network monitoring apparatus 100 according to the first embodiment extracts the log information based on the change over time of the log information satisfying the predetermined condition, so that the illegal communication candidates that have been overlooked so far are extracted. Can be detected, and unauthorized communication can be identified efficiently.
- the network monitoring apparatus 100 of the present application can detect attacks and the like that could not be detected so far by analyzing log information that satisfies a predetermined condition over time. It is possible to specify efficiently.
- unauthorized communication can be widely detected by flexibly changing predetermined conditions regarding information of a plurality of logs stored in the FW 200 or the proxy server 300.
- the log collection unit 151 collects, as log information, information including the destination IP address, source IP address, destination port, source port, protocol, and time stamp of a packet transferred through the company NW. Based on the log information collected by the log collection unit 151, the log analysis unit 152 extracts log information in which the number of communication connections and their interval satisfy a predetermined condition in a predetermined period. Therefore, the network monitoring apparatus 100 according to the first embodiment can detect, for example, unauthorized communication such as communication continuously executed with a malicious site, or data being taken out by an attacker on the Internet.
- the log collection unit 151 collects, as log information, information including the destination IP address, source IP address, destination port, source port, protocol, transmission/reception size, and time stamp of a packet transferred through the network. Further, based on the log information collected by the log collection unit 151, the log analysis unit 152 extracts log information in which the transmission/reception size of the packet satisfies a predetermined condition in a predetermined period. Therefore, the network monitoring apparatus 100 according to the first embodiment can detect, for example, unauthorized communication such as an attack on a file server in the company NW from an attacker on the Internet.
- the log collection unit 151 collects, as log information, information including the destination IP address, source IP address, destination port, source port, protocol, destination URL, user agent, request method, and time stamp of a packet transferred through the company NW. Based on the log information collected by the log collection unit 151, the log analysis unit 152 extracts log information in which the header information of the original communication included in the log satisfies a predetermined condition in a predetermined period. Therefore, the network monitoring apparatus 100 according to the first embodiment can detect, for example, unauthorized communication that carries unauthorized HTTP header information.
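The procedure of FIG. 4 (collect, normalize, then extract under analysis conditions) together with two of the conditions above, the one on connection count and interval and the one on the original HTTP header fields, as an added Python example that is not part of the patent or of any product it describes. The two log line formats, the addresses, the one-hour period and the thresholds (at least four connections, interval coefficient of variation of 0.1 or less, the allowed User-Agent prefix and request methods) are all constructed assumptions:

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines in hypothetical formats (not a real vendor's). FW lines carry
# the 5-tuple and verdict; proxy lines add request method, destination URL and User-Agent.
FW_LINES = """\
2014-02-21T10:00:00 ACCEPT tcp 10.0.0.49:51001 -> 203.0.113.5:443
2014-02-21T10:02:13 ACCEPT tcp 10.0.0.47:52001 -> 198.51.100.20:443
2014-02-21T10:10:00 ACCEPT tcp 10.0.0.49:51002 -> 203.0.113.5:443
2014-02-21T10:17:41 ACCEPT tcp 10.0.0.47:52002 -> 198.51.100.21:80
2014-02-21T10:20:00 ACCEPT tcp 10.0.0.49:51003 -> 203.0.113.5:443
2014-02-21T10:22:05 ACCEPT tcp 10.0.0.47:52003 -> 198.51.100.20:443
2014-02-21T10:30:00 ACCEPT tcp 10.0.0.49:51004 -> 203.0.113.5:443
2014-02-21T10:58:30 ACCEPT tcp 10.0.0.47:52004 -> 198.51.100.20:443
"""
PROXY_LINES = """\
2014-02-21T10:00:01 10.0.0.49:51005 POST http://203.0.113.5/up.php "Mozilla/4.0 (compatible; MSIE 6.0)" 203.0.113.5:80
2014-02-21T10:02:14 10.0.0.47:52005 GET http://www.example.com/ "Mozilla/5.0 (Windows NT 6.1)" 198.51.100.20:80
2014-02-21T10:31:00 10.0.0.49:51006 PUT http://203.0.113.5/x "Mozilla/5.0 (Windows NT 6.1)" 203.0.113.5:80
"""
FW_RE = re.compile(r"(\S+) (ACCEPT|DENY) (\w+) (\S+):(\d+) -> (\S+):(\d+)")
PROXY_RE = re.compile(r'(\S+) (\S+):(\d+) (\w+) (\S+) "([^"]*)" (\S+):(\d+)')

@dataclass(frozen=True)
class LogRecord:
    # One normalized entry: 5-tuple plus time stamp, with proxy header fields when present.
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    source: str              # "fw" or "proxy"
    url: str = None
    method: str = None
    user_agent: str = None

def normalize(fw_text, proxy_text):
    """Steps S101/S102: parse both device formats into one record shape, ordered by time."""
    records = []
    for line in fw_text.splitlines():
        if (m := FW_RE.match(line)):
            ts, _verdict, proto, sip, sport, dip, dport = m.groups()
            records.append(LogRecord(datetime.fromisoformat(ts), sip, int(sport),
                                     dip, int(dport), proto, "fw"))
    for line in proxy_text.splitlines():
        if (m := PROXY_RE.match(line)):
            ts, sip, sport, method, url, ua, dip, dport = m.groups()
            records.append(LogRecord(datetime.fromisoformat(ts), sip, int(sport),
                                     dip, int(dport), "tcp", "proxy", url, method, ua))
    return sorted(records, key=lambda r: r.ts)

def periodic_connections(records, start, end, min_count=4, max_cv=0.1):
    """Condition on connection count and interval within [start, end): a (src, dst, port, proto)
    group with at least min_count FW entries whose gaps are nearly constant (beacon-like)."""
    groups = defaultdict(list)
    for r in records:
        if r.source == "fw" and start <= r.ts < end:
            groups[(r.src_ip, r.dst_ip, r.dst_port, r.proto)].append(r.ts)
    hits = {}
    for key, stamps in groups.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0   # coefficient of variation of the gaps
        if cv <= max_cv:
            hits[key] = {"count": len(stamps), "interval_s": avg, "cv": cv}
    return hits

def header_condition(records, start, end, allowed_agents=("Mozilla/5.0",),
                     allowed_methods=("GET", "POST", "HEAD", "CONNECT")):
    """Condition on the original communication header: a User-Agent outside the agents
    normally seen in this network, or a request method outside the expected set."""
    hits = []
    for r in records:
        if r.source != "proxy" or not (start <= r.ts < end):
            continue
        reasons = []
        if not r.user_agent.startswith(allowed_agents):
            reasons.append("user-agent")
        if r.method not in allowed_methods:
            reasons.append("method")
        if reasons:
            hits.append((r, tuple(reasons)))
    return hits

def analyze_sample():
    """Run both conditions over the constructed logs for the 10:00-11:00 period."""
    start, end = datetime(2014, 2, 21, 10, 0), datetime(2014, 2, 21, 11, 0)
    records = normalize(FW_LINES, PROXY_LINES)
    return {"periodic": periodic_connections(records, start, end),
            "headers": header_condition(records, start, end)}
```

In the constructed data, 10.0.0.49 opens a connection to 203.0.113.5:443 exactly every 600 seconds, which the interval condition isolates even though each single connection looks ordinary, while the irregular browsing of 10.0.0.47 is not grouped. The header condition then flags the same host twice for different reasons (an out-of-profile User-Agent, then a PUT request); a deployment would tune the allowed sets from the network's own observed traffic.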
- a detection apparatus (corresponding to the network monitoring apparatus according to the first embodiment) according to the second embodiment will be described.
- With the detection apparatus according to the second embodiment, it is possible to detect cyber attacks that are difficult to detect at present, and to detect events such as communication with an attacker and information leakage after a successful attack.
- An example of such a threat is that a server provided in the internal network is illegally accessed from the external network to steal confidential information. Besides illegal access to the internal network from the external network, there are cases where malicious software is embedded in a PC (personal computer) connected to the internal network, that is, the PC is infected with malicious software, and the infected PC is then used to illegally collect information from a server in the internal network and send it outside. There is also a technique that prevents normal operation of a server in the internal network by sending illegal packets from the external network to the internal network.
- In order to protect the internal network from such threats, a firewall (FW) is provided at the connection point between the external network and the internal network, and an IDS/IPS is deployed behind it.
- An IDS/IPS is a system that detects events suspected of being an intrusion from the outside and executes necessary defense measures, such as disconnecting the communication, when such an event is detected.
- FIG. 5 is a diagram showing an example of a system configuration for detecting and protecting against unauthorized access and intrusion.
- the internal network 62 is connected to the external network 61. Both networks transfer IP packets, and TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) is used as an upper layer protocol of IP.
- a firewall 71 is provided between the external network 61 and the internal network 62 to prevent unauthorized communication by performing packet filtering.
- the firewall 71 performs packet filtering processing based on a so-called 5-tuple included in the packet header.
- a 5-tuple is a combination of five parameters: the source IP address, destination IP address and protocol included in the header of the IP packet, and the source port number and destination port number included in the header of the TCP or UDP packet.
- the firewall 71 has a log function and can provide the administrator with a log of whether each packet that attempted to pass was allowed or denied.
- In the internal network 62, servers 75 and 76 are provided, and an IDS/IPS 73 is also provided to detect and prevent cyber attacks such as unauthorized access and intrusion that the firewall 71 could not block.
- When the IDS/IPS 73 detects unauthorized access or intrusion, it issues an alarm to the network manager 63.
- Detection methods used in the IDS/IPS 73 for detecting unauthorized access and intrusion are roughly classified into the signature type and the anomaly type.
- In the signature type, assuming that a bit string characterizing unauthorized access or intrusion is known, packets passing through a certain point in the network are inspected, and a packet is detected as abnormal if the illegal bit string is present in it.
- The anomaly type defines normal states for resource load, traffic, user behavior and the like, monitors various logs, statistical information, load, traffic and so on of the network and of the servers connected to it, and detects an anomaly when the state deviates from the normal state.
- Since the signature type is based on matching with a predefined pattern and assumes that the illegal bit string is known, there is a problem that response to an unknown attack tends to be delayed.
- With the anomaly type, there is a problem that it is difficult to find illegal communication without fail, because strictly defining the normal state causes many false detections.
- Cyber attack techniques have evolved and diversified, and it is difficult to respond to continually evolving cyber attacks only with techniques such as making decisions from firewall logs or protecting with IDS/IPS signatures and pattern files. Therefore, protection by a conventional security appliance such as a firewall or IDS/IPS is not sufficient, and a new technique for detecting cyber attacks without missing them is necessary. There are also security appliances that detect when the traffic flow exceeds a threshold value or deviates from a predetermined pattern, but they cannot detect communication between an infected terminal on the internal network (a terminal with malicious software embedded) and an attacker on the external network side.
- The detection device according to the second embodiment solves the above problem by detecting the evolved cyber attacks described above, which are difficult to detect at present, and by detecting events such as communication with an attacker and information leakage after a successful attack.
- FIG. 6 is a block diagram illustrating a configuration of a detection device according to the second embodiment.
- The detection device 20 is provided separately from conventional security appliances such as an IDS/IPS.
- The detection device 20 performs correlation analysis focusing on the time series of the logs from the firewall 41 and the proxy server 44, and detects cyber attacks and information leaks by extracting illegal patterns from the analysis results. The correlation analysis focusing on the time series is preferably performed over a long period of time.
- the detection apparatus 20 uses, in particular, a 5-tuple, a transmission size, a reception size, a destination URL, a User-Agent name, a request method, and a time stamp.
- the transmission size and the reception size can be obtained from both the log of the firewall 41 and the http header.
- the destination URL, User-Agent name, and request method are all obtained from the http header or the https header.
- the time stamp is time information regarding log recording in devices such as the firewall 41 and the proxy server 44, and represents, for example, the time when an event corresponding to the log occurs or the time when the log was actually recorded.
- Such a detection device 20 is roughly divided into a log collection unit 21 that collects and stores log data from the firewall 41 and the proxy server 44, and a log analysis unit 22 that performs the above analysis on the log data stored in the log collection unit 21.
- The log collection unit 21 includes a collection execution unit 31 that collects log data from the firewall 41 and the proxy server 44, a normalization unit 32 that normalizes the log data to facilitate analysis, a log management storage unit 33 that stores the normalized log data, and a log extraction unit 34 that, in response to an inquiry from the log analysis unit 22, searches the log management storage unit 33 and receives the search result as a response so that the log analysis unit 22 can analyze it.
- The log data collected by the collection execution unit 31 includes, for example, 5-tuple information (destination IP address, source IP address, destination port, source port and protocol), a transmission size, a reception size, a destination URL, a User-Agent name, a request method, and time stamp information.
- The log data may also include the determination made by the firewall 41 and the proxy server 44 as to whether the target packet or http message was passed or rejected as illegal (referred to as the device determination result), and information such as the device IDs of the firewall 41 and the proxy server 44.
- When the format of the log data output from the firewall 41 and the proxy server 44 is unified, analysis can be performed easily without necessarily performing normalization, so the normalization unit 32 need not be provided.
- In that case, the log data collected by the collection execution unit 31 may be stored directly in the log management storage unit 33.
- The log analysis unit 22 includes a log acquisition unit 35 that makes an inquiry to the log extraction unit 34 of the log collection unit 21 to acquire log data, an analysis execution unit 36 that requests log data from the log acquisition unit 35, receives the log data response, and analyzes the log data according to the set analysis conditions, and an analysis result DB (database) 37 that stores the analysis results output from the analysis execution unit 36.
- The log analysis unit 22 may further include a storage unit 38 (referred to as "NW information 38" where appropriate) that stores network (NW) information, and a storage unit 39 (referred to as "analysis rule 39" where appropriate) that stores various analysis rules as analysis conditions.
- the network information is information such as the topology, address, and subnet of the network to be monitored.
- When the log acquisition unit 35 acquires log data from the log collection unit 21, the network information is used to determine which communication direction the log data relates to (communication from the internal network to the external network, the opposite direction, or communication closed within the internal network). The determined communication direction is sent to the analysis execution unit 36 together with the log data.
- The analysis execution unit 36 can read from the storage unit 39 a plurality of analysis rules for analyzing the time-series correlation of a plurality of log data records rather than a single log data record.
- For each analysis rule, the analysis execution unit 36 uses the values of the items specified by that rule from the log data accumulated in the log collection unit 21 and outputs an analysis result. Further, the analysis execution unit 36 identifies candidates for illegal communication from the combination pattern of the analysis results based on the individual analysis rules, and outputs the candidates.
- Log data is transmitted from the firewall 41 and the proxy server 44 in the internal network from time to time.
- the collection execution unit 31 collects the log data and transfers it to the normalization unit 32.
- the normalizing unit 32 normalizes the log data and stores it in the log management storage unit 33.
- the analysis execution unit 36 sends a log data request to the log acquisition unit 35, and the log acquisition unit 35 makes an inquiry to the log extraction unit 34 in the log collection unit 21 based on the log data request.
- the log extraction unit 34 searches the log data in the log management storage unit 33 based on the inquiry. A result response to this search is sent from the log management storage unit 33 to the log extraction unit 34, whereby the log acquisition unit 35 acquires log data from the log extraction unit 34.
- The log acquisition unit 35 determines the communication direction of the communication related to the acquired log data based on the network information in the NW information 38, and sends the log data and the determination result of the communication direction to the analysis execution unit 36 as the log data response. The analysis execution unit 36 applies one or more analysis rules read from the analysis rule 39 to the log data, and extracts candidates for unauthorized communication by time-series correlation analysis.
- the analysis execution unit 36 detects unauthorized communication with higher accuracy by analyzing the output frequency and pattern of analysis results obtained from the plurality of analysis rules.
- the extracted illegal communication candidates are accumulated in the analysis result DB 37.
- Since the detection device 20 can use the log data itself as output from existing devices, it can be introduced without greatly affecting the network configuration.
- As analysis rules that can be used in the detection device 20 according to the second embodiment, an example of an analysis rule that can analyze the time-series correlation of data on, in particular, communication between an infected terminal and an attacker, or communication that may cause information leakage, will be described.
- Based on at least the 5-tuple information, the number of transmitted bytes, and the time stamp information of the log data stored in the log collection unit 21, and taking the time of the time stamp as the reference, communication in which the number of transmitted bytes differs from its normal value within a set period is regarded as communication suspected of fraud.
- Another rule is based on at least the 5-tuple information, the destination URL, and the time stamp information of the log data stored in the log collection unit 21, again taking the time of the time stamp as the reference.
- The detection apparatus 20 can be configured as dedicated hardware, but it can also be realized by executing, on a general-purpose computer including a microprocessor, a memory, a communication interface and the like, a computer program that performs the functions of the detection apparatus 20. The same applies to the network monitoring apparatus 100 according to the first embodiment.
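The "differs from the normal value within a set period" rule above, which is also the transmission/reception-size condition of the first embodiment (the file-server case), as an added Python example that is not part of the patent or of any product it describes. It assumes the log data has already been aggregated per host and per period into transmitted or received byte totals; the per-host series, the seven-period baseline and the threshold of 3.5 scaled median absolute deviations are constructed assumptions:

```python
from statistics import median

# Constructed per-host byte totals (already aggregated from 5-tuple, size and time stamp).
# key: (host, which size) -> (baseline totals for the preceding seven periods, total in the set period)
SERIES = {
    ("10.0.0.47", "sent"): ([2_100_000, 1_900_000, 2_300_000, 2_000_000,
                             2_200_000, 2_050_000, 2_150_000], 2_400_000),
    ("10.0.0.49", "sent"): ([1_000_000, 1_200_000, 900_000, 1_100_000,
                             1_000_000, 1_050_000, 950_000], 60_000_000),
    # a file server that normally receives nothing from outside; any inbound volume is new
    ("10.0.0.45", "received"): ([0, 0, 0, 0, 0, 0, 0], 5_000_000),
}

def robust_score(baseline, value):
    """Distance of value from the baseline median, in units of the scaled median absolute
    deviation (MAD). Median/MAD are used instead of mean/stddev so that one earlier
    outlier in the baseline does not hide a later one. A baseline with zero spread makes
    any departure from its median infinitely abnormal and an exact match perfectly normal."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return abs(value - med) / (1.4826 * mad)   # 1.4826 scales MAD to a stddev-like unit

def deviating_periods(series, threshold=3.5):
    """Return {key: score} for every host whose set-period total deviates beyond threshold."""
    flagged = {}
    for key, (baseline, value) in series.items():
        score = robust_score(baseline, value)
        if score > threshold:
            flagged[key] = score
    return flagged

if __name__ == "__main__":
    for key, score in deviating_periods(SERIES).items():
        print(f"{key[0]} {key[1]} bytes deviate from normal (score {score:.1f})")
```

Host 10.0.0.47 grows by about 15% and stays within its own noise, while 10.0.0.49 sends roughly sixty times its usual volume and the file server receives inbound traffic it has never seen; only the latter two are reported. Comparing each host against its own history, rather than against a single global threshold, is what keeps a legitimately busy backup server from being reported alongside a quiet workstation that suddenly exports data.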
- FIG. 7 is a diagram illustrating an example of a network configuration to which the detection apparatus according to the second embodiment is applied.
- An internal network 12, which is a corporate network, is connected to the Internet 11, and a firewall 41 is provided at the connection point between the internal network 12 and the Internet 11.
- A switch (SW)/router 42 connected to the firewall 41 is provided.
- Connected to the switch/router 42 are an IDS/IPS 43, a proxy server 44, file servers 45 and 46, and user PCs 47 to 49 that are terminals.
- The detection device 20 described above is provided so as to receive log data from the firewall 41 and the proxy server 44.
- The network may be further divided into several segments, with an internal firewall provided at each segment division point. If log data of the internal firewall is also provided to the detection device 20, it becomes possible to detect communications suspected of fraud that start and end within the internal network 12.
- the Internet 11 includes a malicious site 51 and an attacker 52.
- the user PC 49 indicated by a double line frame is an infected terminal in which malicious software is embedded.
- When an attacker tries to steal information from within the corporate network 12, first, as shown in [1], the user PC 49 communicates with the malicious site 51; next, as shown in [2], the user PC 49 conducts internal investigation activities that investigate the file servers 45 and 46 and obtain information from them; and finally, as shown in [3], the user PC 49, which is the infected terminal, communicates with the attacker 52 and transmits the illegally obtained data to the attacker 52, so that the data is taken out to the Internet 11 side.
- The detection device 20 can detect communication suspected of fraud at any of the stages indicated by [1], [2] and [3] in the figure, based on log data from at least one of the firewall 41 and the internal firewall and log data from the proxy server 44.
- As described above, the detection device uses log data from devices generally provided in existing networks, such as the firewall and the proxy server, and by combining these log data it can detect communication suspected of fraud; in particular, it can detect communication with an attacker after a successful attack and events such as information leakage.
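The direction determination from NW information and the combination pattern over several analysis rules described for the second embodiment, run against the FIG. 7 scenario (stage [2] internal investigation followed by stage [3] data take-out), as an added Python example that is not part of the patent or of any product it describes. The internal subnets, the normalized records, the two rules and their thresholds (three distinct internal hosts contacted; 10 MB sent outbound) are constructed assumptions:

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed NW information (the role of storage unit 38): subnets of the monitored internal network.
INTERNAL_SUBNETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

def communication_direction(src_ip, dst_ip, internal=INTERNAL_SUBNETS):
    """'outbound' (internal -> external), 'inbound' (external -> internal), 'internal'
    (closed within the internal network) or 'external' (neither side is internal)."""
    def is_internal(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in internal)
    src_in, dst_in = is_internal(src_ip), is_internal(dst_ip)
    if src_in and dst_in:
        return "internal"
    if src_in:
        return "outbound"
    if dst_in:
        return "inbound"
    return "external"

T0 = datetime(2014, 2, 21, 9, 0, 0)
# Constructed normalized records: time stamp, source, destination, destination port, bytes sent.
SAMPLE_LOGS = [
    # stage [2]: terminal 10.0.0.49 reaches several internal hosts within a few minutes
    dict(ts=T0 + timedelta(minutes=5), src="10.0.0.49", dst="10.0.0.45", dport=445, sent=1_200),
    dict(ts=T0 + timedelta(minutes=6), src="10.0.0.49", dst="10.0.0.46", dport=445, sent=900),
    dict(ts=T0 + timedelta(minutes=7), src="10.0.0.49", dst="10.0.0.10", dport=445, sent=700),
    # stage [3]: two hours later the same terminal sends a large volume to the Internet
    dict(ts=T0 + timedelta(hours=2), src="10.0.0.49", dst="203.0.113.99", dport=443, sent=48_000_000),
    # ordinary user 10.0.0.47: one file server and modest web traffic
    dict(ts=T0 + timedelta(minutes=10), src="10.0.0.47", dst="10.0.0.45", dport=445, sent=2_000),
    dict(ts=T0 + timedelta(minutes=12), src="10.0.0.47", dst="198.51.100.20", dport=443, sent=15_000),
    # server 10.0.0.45 replicates a large volume internally: big, but neither outbound nor preceded by fan-out
    dict(ts=T0 + timedelta(hours=1), src="10.0.0.45", dst="10.0.0.46", dport=445, sent=90_000_000),
]

def annotate(logs):
    """Log acquisition unit role: attach the determined direction to each record (new dicts)."""
    return [dict(r, direction=communication_direction(r["src"], r["dst"])) for r in logs]

def rule_internal_fanout(logs, min_distinct=3):
    """Rule A: an internal host contacting at least min_distinct distinct internal hosts.
    Returns {src: time stamp of its first internal contact}."""
    targets, first = {}, {}
    for r in logs:
        if r["direction"] != "internal":
            continue
        targets.setdefault(r["src"], set()).add(r["dst"])
        first[r["src"]] = min(first.get(r["src"], r["ts"]), r["ts"])
    return {src: first[src] for src, dsts in targets.items() if len(dsts) >= min_distinct}

def rule_outbound_volume(logs, min_bytes=10_000_000):
    """Rule B: an outbound record whose transmission size is at least min_bytes.
    Returns {src: time stamp of its first such record}."""
    hits = {}
    for r in logs:
        if r["direction"] == "outbound" and r["sent"] >= min_bytes:
            hits[r["src"]] = min(hits.get(r["src"], r["ts"]), r["ts"])
    return hits

def illegal_communication_candidates(logs):
    """Combination pattern: a rule A hit followed in time by a rule B hit on the same host."""
    annotated = annotate(logs)
    a, b = rule_internal_fanout(annotated), rule_outbound_volume(annotated)
    return sorted(src for src in a if src in b and a[src] < b[src])

if __name__ == "__main__":
    print("candidates:", illegal_communication_candidates(SAMPLE_LOGS))
```

Neither rule alone is decisive: the fan-out rule would also fire on a vulnerability scanner, and the volume rule on any large upload. Requiring both, in the order the scenario predicts, is the combination pattern the text describes, and the direction label is what lets the 90 MB internal replication by 10.0.0.45 drop out of rule B without a per-host exception.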
- Each device is not limited to the form shown in FIG. 2, for example; the specific form of distribution or integration of each device is not limited to that shown in the figure, and all or part of it can be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions. For example, the log DB 141 and the analysis result DB 143 may be integrated as one DB.
- The log collection unit 151 may be split into a collection unit that collects logs and a normalization processing unit that performs normalization processing.
- The storage unit 140 may also be replaced by an existing management system or an external DB. That is, the log DB 141, the analysis information DB 142 and the analysis result DB 143 included in the storage unit 140 may be held in the DB of an existing management system or in an external DB, and the control unit 150 may access that DB to read and write information.
- The control unit 150 may be connected as an external device of the network monitoring apparatus 100 via a network, or the log collection unit 151 and the log analysis unit 152 may be provided as separate devices connected via a network, and the functions of the network monitoring apparatus 100 described above may be realized in that way.
- The embodiment is not limited to the corporate NW described above, and can be applied to any environment in which packets are exchanged between a plurality of networks.
- The embodiment is not limited to the single FW 200 and single proxy server 300 shown; the number of devices may be changed arbitrarily according to the network. That is, the network monitoring apparatus 100 collects log information from the FWs 200 and proxy servers 300 arranged in the network to be monitored.
- The case where log information is collected from both the FW 200 and the proxy server 300 has been described, but the embodiment is not limited to this; for example, log information may be collected from only one of them.
Description
[Configuration of a network including the network monitoring apparatus according to the first embodiment]
First, the configuration of a network including the network monitoring apparatus 100 according to the first embodiment will be described. FIG. 1 is a diagram illustrating an example of the configuration of a network including the network monitoring apparatus 100 according to the first embodiment. For example, as shown in FIG. 1, the network including the network monitoring apparatus according to the first embodiment is a corporate NW (Network) and is connected to the Internet (referred to as the external network where appropriate).
Next, the configuration of the network monitoring apparatus according to the first embodiment will be described. FIG. 2 is a diagram illustrating an example of the configuration of the network monitoring apparatus 100 according to the first embodiment. As shown in FIG. 2, the network monitoring apparatus 100 is connected to the FW 200 and the proxy server 300 and monitors communication in the corporate NW. Although one FW 200 and one proxy server 300 are shown in FIG. 2, in practice an arbitrary number of FWs 200 and proxy servers 300 are connected to the network monitoring apparatus 100.
Next, the processing procedure performed by the network monitoring apparatus 100 according to the first embodiment will be described with reference to FIG. 4. FIG. 4 is a flowchart illustrating the processing procedure performed by the network monitoring apparatus 100 according to the first embodiment. As shown in FIG. 4, in the network monitoring apparatus 100 according to the first embodiment, the log collection unit 151 collects log information from the FW 200 and the proxy server 300 (step S101), normalizes the collected log information, and stores it in the log DB 141 (step S102).
As described above, according to the first embodiment, the log collection unit 151 collects log information on packets transferred through the corporate NW from at least one of the FW 200 and the proxy server 300 included in the corporate NW. The log analysis unit 152 then analyzes the log information collected by the log collection unit 151 over time, thereby extracting log information that satisfies a predetermined condition in a predetermined period. Accordingly, the network monitoring apparatus 100 according to the first embodiment extracts log information based on the change over time of log information satisfying the predetermined condition, and can thereby detect candidates for unauthorized communication that were previously overlooked and identify unauthorized communication efficiently.
Next, the detection apparatus according to the second embodiment (corresponding to the network monitoring apparatus according to the first embodiment) will be described. The detection apparatus according to the second embodiment can detect cyber attacks that are currently difficult to detect, and can also detect events such as communication with an attacker and information leakage after a successful attack.
The first and second embodiments have been described above, but the examples of the present application are not limited to the first and second embodiments. That is, these examples can be implemented in various other forms, with various omissions, substitutions and changes.
12 corporate network
20 detection apparatus
21, 151 log collection unit
22, 152 log analysis unit
31 collection execution unit
32 normalization unit
33 log management storage unit
34 log extraction unit
35 log acquisition unit
36 analysis execution unit
37, 143 analysis result database (DB)
38 storage unit that stores network (NW) information
39 storage unit that stores analysis rules
41, 200 firewall (FW)
42 switch/router
43 IDS/IPS
44, 300 proxy server
45, 46 file server
47 to 49 user PC
100 network monitoring apparatus
141 log DB
142 analysis information DB
153 output control unit
Claims (9)
- A network monitoring apparatus provided in a network that transfers IP packets and that includes a firewall provided at at least one of a connection point with an external network and an internal segment division point, and a proxy server for web access, the network monitoring apparatus detecting communication suspected of fraud and comprising:
  a log collection unit that collects log data from at least one of the firewall and the proxy server and stores it; and
  a log analysis unit that makes an inquiry for log data to the log collection unit, analyzes the log data according to set analysis conditions, and outputs an analysis result,
  wherein the log data stored by the log collection unit is information including at least one of a 5-tuple, a transmission size, a reception size, information extracted from an http header, and a time stamp, and the information extracted from the http header includes at least one of a destination URL, a User-Agent name, and a request method.
- The network monitoring apparatus according to claim 1, wherein the log analysis unit is able to set a plurality of analysis conditions for analyzing time-series correlation among a plurality of the log data, and executes analysis according to each analysis condition.
- The network monitoring apparatus according to claim 2, wherein the log analysis unit detects and outputs candidates for unauthorized communication from a combination pattern of the analysis results under the respective analysis conditions.
- The network monitoring apparatus according to any one of claims 1 to 3, wherein the log analysis unit determines the direction of the communication to which log data relates based on information about the network to be monitored, and executes analysis based on the determined direction and the log data.
- The network monitoring apparatus according to claim 3, wherein the log collection unit collects, as the log data, information including the 5-tuple and the time stamp, and
  the log analysis unit extracts, based on the log data collected by the log collection unit, log data in which the number of communication connections and the interval satisfy a predetermined condition in a predetermined period.
- The network monitoring apparatus according to claim 3, wherein the log collection unit collects, as the log data, information including the 5-tuple, the transmission size, the reception size and the time stamp, and
  the log analysis unit extracts, based on the log data collected by the log collection unit, log data in which the transmission/reception size of the IP packets satisfies a predetermined condition in a predetermined period.
- The network monitoring apparatus according to claim 3, wherein the log collection unit collects, as the log data, information including the 5-tuple, the destination URL, the User-Agent name, the request method and the time stamp, and
  the log analysis unit extracts, based on the log data collected by the log collection unit, log data in which the header information of the original communication included in the log data satisfies a predetermined condition in a predetermined period.
- A network monitoring method executed by a network monitoring apparatus that is provided in a network transferring IP packets and including a firewall provided at at least one of a connection point with an external network and an internal segment division point, and a proxy server for web access, and that detects communication suspected of fraud, the method comprising:
  a log collection step of collecting log data from at least one of the firewall and the proxy server and storing it; and
  a log analysis step of making an inquiry for log data to the log collection step, analyzing the log data according to set analysis conditions, and outputting an analysis result,
  wherein the log data stored by the log collection step is information including at least one of a 5-tuple, a transmission size, a reception size, information extracted from an http header, and a time stamp, and the information extracted from the http header includes at least one of a destination URL, a User-Agent name, and a request method.
- A network monitoring program for a network monitoring apparatus that is provided in a network transferring IP packets and including a firewall provided at at least one of a connection point with an external network and an internal segment division point, and a proxy server for web access, and that detects communication suspected of fraud, the program causing a computer to execute:
  a log collection step of collecting log data from at least one of the firewall and the proxy server and storing it; and
  a log analysis step of making an inquiry for log data to the log collection step, analyzing the log data according to set analysis conditions, and outputting an analysis result,
  wherein the log data stored by the log collection step is information including at least one of a 5-tuple, a transmission size, a reception size, information extracted from an http header, and a time stamp, and the information extracted from the http header includes at least one of a destination URL, a User-Agent name, and a request method.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201480009739.7A CN105027510B (zh) | 2013-02-21 | 2014-02-21 | 网络监视装置和网络监视方法 |
JP2015501520A JP5844938B2 (ja) | 2013-02-21 | 2014-02-21 | ネットワーク監視装置、ネットワーク監視方法およびネットワーク監視プログラム |
EP14754256.7A EP2961111B1 (en) | 2013-02-21 | 2014-02-21 | Network monitoring device, network monitoring method, and network monitoring program |
US14/769,666 US9661008B2 (en) | 2013-02-21 | 2014-02-21 | Network monitoring apparatus, network monitoring method, and network monitoring program |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2013-032587 | 2013-02-21 | ||
JP2013032587 | 2013-02-21 | ||
JP2013-034529 | 2013-02-25 | ||
JP2013034529 | 2013-02-25 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2014129587A1 true WO2014129587A1 (ja) | 2014-08-28 |
Family
ID=51391367
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2014/054190 WO2014129587A1 (ja) | 2013-02-21 | 2014-02-21 | ネットワーク監視装置、ネットワーク監視方法およびネットワーク監視プログラム |
Country Status (5)
Country | Link |
---|---|
US (1) | US9661008B2 (ja) |
EP (1) | EP2961111B1 (ja) |
JP (1) | JP5844938B2 (ja) |
CN (1) | CN105027510B (ja) |
WO (1) | WO2014129587A1 (ja) |
Families Citing this family (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP3011430A4 (en) * | 2013-06-19 | 2017-02-08 | Hewlett-Packard Enterprise Development LP | Unifying application log messages using runtime instrumentation |
JP6252254B2 (ja) * | 2014-02-28 | 2017-12-27 | 富士通株式会社 | 監視プログラム、監視方法および監視装置 |
KR101564644B1 (ko) * | 2014-07-03 | 2015-10-30 | 한국전자통신연구원 | 접근제어리스트 추출 방법 및 시스템 |
US10592566B2 (en) * | 2015-10-29 | 2020-03-17 | Ca, Inc. | Intelligent edge device for filtering internet of things (IoT) data |
US10164990B2 (en) * | 2016-03-11 | 2018-12-25 | Bank Of America Corporation | Security test tool |
US10313384B1 (en) * | 2016-08-11 | 2019-06-04 | Balbix, Inc. | Mitigation of security risk vulnerabilities in an enterprise network |
JP6652912B2 (ja) * | 2016-12-21 | 2020-02-26 | アラクサラネットワークス株式会社 | ネットワーク装置および異常検知システム |
US20180211252A1 (en) * | 2017-01-20 | 2018-07-26 | Jiko Group, Inc. | Systems and methods for private node-level data computing and reconciliation |
JP7031667B2 (ja) * | 2017-06-05 | 2022-03-08 | 日本電気株式会社 | 情報処理装置、情報処理システム、情報処理方法、及び、プログラム |
US11095678B2 (en) * | 2017-07-12 | 2021-08-17 | The Boeing Company | Mobile security countermeasures |
JP6973227B2 (ja) | 2018-03-23 | 2021-11-24 | 日本電信電話株式会社 | 異常トラヒック分析装置、異常トラヒック分析方法及び異常トラヒック分析プログラム |
JP7010268B2 (ja) * | 2019-04-19 | 2022-01-26 | オムロン株式会社 | 通信監視システムおよび通信監視方法 |
CN110062049A (zh) * | 2019-04-30 | 2019-07-26 | 深圳前海微众银行股份有限公司 | 一种办公网络的监控方法、装置、计算机设备及存储介质 |
KR102295947B1 (ko) * | 2019-11-15 | 2021-08-30 | 한전케이디엔주식회사 | 사이버 보안관제의 실시간 모니터링 시스템 및 방법 |
JP7388203B2 (ja) | 2020-01-20 | 2023-11-29 | 株式会社Ihi | コンテナ型仮想化環境における通信管理装置 |
CN117061139A (zh) * | 2022-05-07 | 2023-11-14 | 华为技术有限公司 | 一种检测攻击的方法及装置 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2005210601A (ja) | 2004-01-26 | 2005-08-04 | Nippon Telegr & Teleph Corp <Ntt> | 不正侵入検知装置 |
JP2006115007A (ja) | 2004-10-12 | 2006-04-27 | Nippon Telegr & Teleph Corp <Ntt> | 侵入検知処理装置、侵入検知処理方法および記録媒体 |
JP2008219149A (ja) | 2007-02-28 | 2008-09-18 | Nippon Telegr & Teleph Corp <Ntt> | トラヒック制御システムおよびトラヒック制御方法 |
JP2009044665A (ja) * | 2007-08-10 | 2009-02-26 | Fujitsu Ltd | 通信装置を制御するプログラム及び通信装置 |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6321338B1 (en) * | 1998-11-09 | 2001-11-20 | Sri International | Network surveillance |
US7599939B2 (en) * | 2003-11-26 | 2009-10-06 | Loglogic, Inc. | System and method for storing raw log data |
JP2006295232A (ja) * | 2005-04-05 | 2006-10-26 | Lac Co Ltd | セキュリティ監視装置、セキュリティ監視方法、及びプログラム |
US7661136B1 (en) * | 2005-12-13 | 2010-02-09 | At&T Intellectual Property Ii, L.P. | Detecting anomalous web proxy activity |
JP5011234B2 (ja) * | 2008-08-25 | 2012-08-29 | 株式会社日立情報システムズ | 攻撃ノード群判定装置およびその方法、ならびに情報処理装置および攻撃対処方法、およびプログラム |
CN102164129A (zh) * | 2011-03-19 | 2011-08-24 | 东北电力大学 | 防火墙与入侵检测系统的联动方法 |
CN102394885B (zh) * | 2011-11-09 | 2015-07-15 | 中国人民解放军信息工程大学 | 基于数据流的信息分类防护自动化核查方法 |
2014
- 2014-02-21 JP JP2015501520A patent/JP5844938B2/ja active Active
- 2014-02-21 WO PCT/JP2014/054190 patent/WO2014129587A1/ja active Application Filing
- 2014-02-21 CN CN201480009739.7A patent/CN105027510B/zh active Active
- 2014-02-21 US US14/769,666 patent/US9661008B2/en active Active
- 2014-02-21 EP EP14754256.7A patent/EP2961111B1/en active Active
Non-Patent Citations (2)
Title |
---|
See also references of EP2961111A4 |
TAKAHIRO KASAMA ET AL.: "Malicious Traffic Detection based on Multimodal Analysis", IEICE TECHNICAL REPORT, vol. 112, no. 315, 15 November 2012 (2012-11-15), pages 25 - 30, XP008180425 * |
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2016114985A (ja) * | 2014-12-11 | 2016-06-23 | Tis株式会社 | ログ解析方法、ログ解析プログラム及びログ解析装置 |
US11659004B2 (en) | 2015-03-30 | 2023-05-23 | Amazon Technologies, Inc. | Networking flow logs for multi-tenant environments |
JP7211391B2 (ja) | 2015-03-30 | 2023-01-24 | アマゾン・テクノロジーズ、インコーポレイテッド | マルチテナント環境のためのネットワークフローログ |
JP2020114016A (ja) * | 2015-03-30 | 2020-07-27 | アマゾン・テクノロジーズ、インコーポレイテッド | マルチテナント環境のためのネットワークフローログ |
CN106559241A (zh) * | 2015-09-29 | 2017-04-05 | 阿里巴巴集团控股有限公司 | 应用日志的收集、发送方法、装置、系统及日志服务器 |
CN106559241B (zh) * | 2015-09-29 | 2019-11-08 | 阿里巴巴集团控股有限公司 | 应用日志的收集、发送方法、装置、系统及日志服务器 |
JP7028559B2 (ja) | 2017-01-25 | 2022-03-02 | エヌ・ティ・ティ・コミュニケーションズ株式会社 | 攻撃検知システム、攻撃検知方法および攻撃検知プログラム |
JP2018121218A (ja) * | 2017-01-25 | 2018-08-02 | エヌ・ティ・ティ・コミュニケーションズ株式会社 | 攻撃検知システム、攻撃検知方法および攻撃検知プログラム |
JP2018157373A (ja) * | 2017-03-17 | 2018-10-04 | 日本電気通信システム株式会社 | 不正通信監視装置、不正通信監視方法、不正通信監視プログラム、および不正通信監視システム |
WO2019043804A1 (ja) * | 2017-08-30 | 2019-03-07 | 日本電気株式会社 | ログ分析装置、ログ分析方法及びコンピュータ読み取り可能記録媒体 |
JP7172104B2 (ja) | 2018-04-06 | 2022-11-16 | 富士通株式会社 | ネットワーク監視装置,ネットワーク監視プログラム及びネットワーク監視方法 |
JP2019186686A (ja) * | 2018-04-06 | 2019-10-24 | 富士通株式会社 | ネットワーク監視装置,ネットワーク監視プログラム及びネットワーク監視方法 |
JP2022000987A (ja) * | 2018-08-06 | 2022-01-04 | 日本電気株式会社 | 通信装置 |
JP7168053B2 (ja) | 2018-08-06 | 2022-11-09 | 日本電気株式会社 | 通信装置 |
CN110838949A (zh) * | 2018-08-16 | 2020-02-25 | 阿里巴巴集团控股有限公司 | 一种网络流量日志记录方法及装置 |
CN110838949B (zh) * | 2018-08-16 | 2023-09-29 | 阿里巴巴集团控股有限公司 | 一种网络流量日志记录方法及装置 |
Also Published As
Publication number | Publication date |
---|---|
JP5844938B2 (ja) | 2016-01-20 |
CN105027510B (zh) | 2018-06-12 |
JPWO2014129587A1 (ja) | 2017-02-02 |
US9661008B2 (en) | 2017-05-23 |
EP2961111A1 (en) | 2015-12-30 |
US20160014146A1 (en) | 2016-01-14 |
EP2961111A4 (en) | 2016-12-14 |
EP2961111B1 (en) | 2018-01-31 |
CN105027510A (zh) | 2015-11-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP5844938B2 (ja) | Network monitoring device, network monitoring method, and network monitoring program | |
Stiawan et al. | Investigating brute force attack patterns in IoT network | |
JP6001689B2 (ja) | Log analysis device, information processing method, and program | |
US7197762B2 (en) | Method, computer readable medium, and node for a three-layered intrusion prevention system for detecting network exploits | |
US8561129B2 (en) | Unified network threat management with rule classification | |
US20030084319A1 (en) | Node, method and computer readable medium for inserting an intrusion prevention system into a network stack | |
US20030097557A1 (en) | Method, node and computer readable medium for performing multiple signature matching in an intrusion prevention system | |
CA2886058A1 (en) | Identifying and mitigating malicious network threats | |
Mangino et al. | Internet-scale insecurity of consumer internet of things: An empirical measurements perspective | |
Debar et al. | Intrusion detection: Introduction to intrusion detection and security information management | |
Seo et al. | A study on efficient detection of network-based IP spoofing DDoS and malware-infected Systems | |
JP4161989B2 (ja) | Network monitoring system | |
Choi et al. | A model of analyzing cyber threats trend and tracing potential attackers based on darknet traffic | |
KR20070072835A (ko) | Method for responding to web hacking through real-time web log collection | |
CN113660222A (zh) | Situational awareness defense method and system based on mandatory access control | |
Seo et al. | Abnormal behavior detection to identify infected systems using the APChain algorithm and behavioral profiling | |
KR20120000942A (ko) | Apparatus for detecting bot-infected hosts based on blacklist access statistics, and detection method thereof | |
JP2006018527A (ja) | Method, device, and program for operational monitoring of a computer network | |
Lu et al. | An adaptive real-time intrusion detection system using sequences of system call | |
Shyla et al. | The Geo-Spatial Distribution of Targeted Attacks sources using Honeypot Networks | |
Kumar et al. | Recent advances in intrusion detection systems: An analytical evaluation and comparative study | |
KR102671718B1 (ko) | Web log new-threat detection security system that predicts new intrusions through machine learning | |
Loginova et al. | Class allocation of events in an automated information system as the basis for increasing organization's cyber resilience | |
Gheorghe et al. | Attack evaluation and mitigation framework | |
Sqalli et al. | Classifying malicious activities in Honeynets using entropy and volume‐based thresholds |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 201480009739.7; Country of ref document: CN |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14754256; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2015501520; Country of ref document: JP; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWE | Wipo information: entry into national phase | Ref document number: 14769666; Country of ref document: US; Ref document number: 2014754256; Country of ref document: EP |