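WO2015141665A1 - Website information extraction apparatus, system, website information extraction method, and website information extraction program - Google Patents
Website information extraction apparatus, system, website information extraction method, and website information extraction program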
- Publication number
- WO2015141665A1 PCT/JP2015/057875
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- website
- url
- list
- access log
- malignant
- Prior art date
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/44—Program or device authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/64—Hybrid switching systems
- H04L12/6418—Hybrid transport
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2119—Authenticating web pages, e.g. with suspicious links
Definitions
- the present invention relates to a website information extraction apparatus, system, website information extraction method, and website information extraction program.
- There is a type of attack called a “targeted attack” that targets a specific organization or its managed network.
- In targeted attacks, many cases have been reported in which an attacker prepares a malicious URL (Uniform Resource Locator) that is not registered in the list, in order to avoid countermeasures based on a publicly disclosed malicious URL list.
- an “organized malicious URL list” is necessary.
- an object of the present invention is to solve the above-described problem and extract a list of malignant URL candidates suspected to be malignant URLs in a specific organization.
- the present invention provides: an access log storage unit that stores access logs containing information on the websites accessed from a managed network; a known malicious website exclusion unit that extracts a known malicious website excluded access log by excluding, from the access logs, those whose access destination is a known malicious website; a malicious website candidate list creation unit that creates a minor website list by extracting, from the information on the websites indicated in the known malicious website excluded access log, information on a predetermined number of websites in ascending order of the number of accesses from the managed network; and an output unit that outputs the created minor website list.
- FIG. 1 is a diagram illustrating a configuration example of a system.
- FIG. 2 is a diagram showing an overview of information exchanged between servers, devices, and terminals in the system.
- FIG. 3 is a diagram conceptually showing a process of creating a malicious URL candidate list by the malicious URL candidate extraction apparatus of FIG.
- FIG. 4 is a diagram illustrating an example of an access log period used to create an original popular URL list and an access log with a known malicious URL excluded.
- FIG. 5 is a flowchart showing the processing procedure of the malicious URL candidate extraction apparatus.
- FIG. 6 is a flowchart showing the process of extracting the known malignant URL excluded access log in S1 of FIG.
- FIG. 7 is a diagram conceptually showing processing from reception to output of an access log.
- FIG. 8 is a diagram illustrating an example of an access log from which known malicious URLs have been excluded.
- FIG. 9 is a flowchart showing the minor URL list creation process in S2 of FIG.
- FIG. 10A is a diagram illustrating an example of a condition that the minor URL list creation unit regards as accessing the same URL.
- FIG. 10B is a diagram illustrating an example of a condition that the minor URL list creation unit regards as accessing the same URL.
- FIG. 11 is a flowchart showing the process of creating a unique popular URL list in S3 of FIG.
- FIG. 12 is a flowchart showing the process of creating a popular URL excluded list in S4 of FIG.
- FIG. 13 is a flowchart showing the processing procedure of the malicious URL candidate extraction apparatus.
- FIG. 14 is a flowchart showing the processing procedure of the malicious URL candidate extraction apparatus.
- FIG. 15 is a diagram illustrating a computer that executes a website information extraction program.
- the website information is described here as a URL (Uniform Resource Locator); it may be an FQDN (Fully Qualified Domain Name) or an IP (Internet Protocol) address assigned to the FQDN.
- the system of the present embodiment includes a public malicious URL list providing server 10, a client terminal 20, a proxy server 30, a malicious URL candidate extraction device (website information extraction device) 40, and a malicious URL inspection device 50.
- the popular URL list (popular website list) providing server 60, indicated by a broken line, may or may not be included in the system and will be described later.
- the number of servers, terminals, and devices is not limited to the number shown in FIG.
- the public malignant URL list providing server 10 publishes a list of URLs (malignant URL lists) of websites that may be infected with malware through a network such as the Internet.
- This malignant URL list is a list created by collection / investigation of research institutions, researchers, experts, information security related companies, and the like.
- the malicious URL list provided by the public malicious URL list providing server 10 is referred to as a public malicious URL list.
- the client terminal 20 is a terminal installed in the management target network of this system, and is, for example, a personal computer.
- the proxy server 30 relays the access to the external website from the client terminal 20, and records information (access log) indicating the URL of the access destination website, the access time, the IP address of the client terminal 20, and the like.
- the malicious URL candidate extraction device 40 uses the public malicious URL list received from the public malicious URL list providing server 10, the access log received from the proxy server 30, and the original malicious URL list (original malicious website list, described later) to create, from the URLs of the access destinations of the client terminals 20 in the management target network, a list of URLs that may be malicious (malicious URL candidate list). The malicious URL candidate extraction device 40 outputs the created malicious URL candidate list to the malicious URL inspection device 50. Details of the malicious URL candidate extraction device 40 will be described later.
- the malicious URL inspection device 50 checks whether the URL shown in the malicious URL candidate list is a malicious URL.
- the malicious URL inspection device 50 may be realized by any of hardware, software, a web service provided on the Internet, and the like. Note that the inspection result of the malicious URL inspection device 50 is transmitted to the malicious URL candidate extraction device 40, the public malicious URL list providing server 10, and the like. When the inspection result is transmitted to the public malicious URL list providing server 10, the malicious URL indicated in the inspection result is added to the public malicious URL list and provided to other users.
- whether or not to transmit the inspection result by the malicious URL inspection device 50 to the public malicious URL list providing server 10 or the like can be controlled by setting by the user of the malicious URL inspection device 50 or the like.
- a unique malignant URL list that can be used only by the organization to which the user belongs is obtained.
- this malicious URL list is referred to as a unique malicious URL list.
- upon receiving the access log of the client terminals 20 of the management target network, the malicious URL candidate extraction device 40 excludes the access logs whose access destination is a URL indicated in the public malicious URL list or a URL indicated in the unique malicious URL list, and obtains a known malicious URL excluded access log (a known malicious website excluded access log) (see reference numeral 301 in FIG. 3).
- the malicious URL candidate extraction device 40 then excludes, from the URLs indicated in the known malicious URL excluded access log, the URLs included in a list (unique popular URL list) extracted in descending order of the number of accesses from the client terminals 20 of the management target network.
- the list of URLs obtained in this way is called a popular URL excluded list (popular website excluded list) (see reference numeral 302 in FIG. 3).
- the malicious URL candidate extraction device 40 creates a list (minor URL list) by extracting, from the URLs indicated in the known malicious URL excluded access log, URLs in ascending order of the number of accesses from the client terminals 20 of the managed network (see reference numeral 303 in FIG. 3).
- the malicious URL candidate extraction device 40 outputs the minor URL list (minor website list) and the popular URL excluded list as a malicious URL candidate list.
- the malicious URL candidate extraction device 40 selects, among the URLs accessed from the client terminals 20 of the management target network, a group of URLs that are not already known as malicious URLs and that have a relatively low number of accesses in a predetermined period, and outputs it as a malicious URL candidate list. That is, since a URL with a large number of accesses can be regarded as relatively safe compared to a URL with a small number of accesses, the malicious URL candidate extraction device 40 excludes it from the malicious URL candidate list.
- the malicious URL candidate extraction device 40 also excludes URLs already known to be malicious URLs from the malicious URL candidate list. In other words, the malicious URL candidate extraction device 40 extracts URLs that have not been known to be malicious URLs and have not been accessed so far as a malicious URL candidate list. By doing in this way, the malignant URL candidate extraction device 40 can extract URLs that may be used for attacks on specific organizations, such as targeted attacks, as a malignant URL candidate list.
- in the malicious URL candidate extraction device 40, it is preferable to use an access log covering a certain period as the access log used to create the unique popular URL list.
- the malicious URL candidate extraction device 40 uses the access log of the day on which the malicious URL candidate list is created when creating the known malicious URL excluded access log. For the creation of the unique popular URL list, an access log from n days before to 1 day before the creation date of the malicious URL candidate list is used. Because the malicious URL candidate extraction device 40 creates the unique popular URL list from an access log covering a certain period in this way, the URL of a site whose number of accesses is temporarily low can still be put on the unique popular URL list if its number of accesses over that period is relatively large.
- the malicious URL candidate extraction device 40 includes an access log accumulation unit 41, a known malicious URL exclusion unit (known malicious website exclusion unit) 42, a unique malicious URL list accumulation unit (original malicious website list accumulation unit) 43, a popular URL list creation unit (popular website list creation unit) 44, and a malicious URL candidate list creation unit (malicious website candidate list creation unit) 45.
- the access log storage unit 41 stores the access log of the client terminal 20. Specifically, the access log storage unit 41 communicates with the proxy server 30 and receives an access log recorded in the proxy server 30 every predetermined period. The access log storage unit 41 outputs an access log for a specified period in response to a request from the known malicious URL exclusion unit 42.
- the known malicious URL exclusion unit 42 extracts, from the access log, an access log of accesses to URLs other than known malicious URLs (a known malicious URL excluded access log). Specifically, the known malicious URL exclusion unit 42 acquires an access log for a specified period (examination target period) from the access log accumulation unit 41. It also acquires the public malicious URL list from the public malicious URL list providing server 10 and the unique malicious URL list from the unique malicious URL list storage unit 43. Then, the known malicious URL exclusion unit 42 collates the URL of the access destination indicated in the acquired access log with the URLs indicated in the known malicious URL list (the public malicious URL list and the original malicious URL list), and extracts a known malicious URL excluded access log by excluding the access logs whose URL is in the known malicious URL list.
- This known malicious URL excluded access log does not include an access log to a known malicious URL. That is, there is a possibility that an access log to an unknown malicious URL is included.
- the unique malignant URL list accumulation unit 43 accumulates a unique malignant URL list which is a list of URLs determined to be malignant URLs by the inspection by the malignant URL inspection apparatus 50.
- the popular URL list creation unit 44 refers to the access log and creates a list of URLs (unique popular URL list) having a relatively large number of accesses from the client terminal 20 of the management target network. Specifically, the popular URL list creation unit 44 performs statistical processing on the URLs recorded in the access log in a predetermined period before the examination target period among the access logs accumulated in the access log accumulation unit 41. Then, a list of URLs (unique popular URL list) having a large number of accesses (or access frequencies) from the client terminal 20 of the management target network is created.
- the statistical processing here is, for example, counting the number of accesses to the URL or the number of client terminals 20 that have accessed the URL. Since a URL shown in the unique popular URL list is the URL of a site with a large number of daily accesses from the management target network, it is considered to be the URL of a relatively highly reliable site.
- the malicious URL candidate list creation unit 45 creates a malicious URL candidate list based on the known malicious URL excluded access log.
- the malicious URL candidate list creation unit 45 includes a popular URL list exclusion unit 451, a minor URL list creation unit 452, and a malicious URL candidate list output unit 453.
- the popular URL list excluding unit 451 creates a list of URLs (popular URL excluded list) obtained by excluding URLs included in the unique popular URL list from the URLs of the access destinations indicated in the known malignant URL excluded access log. Specifically, the popular URL list excluding unit 451 acquires the known malignant URL excluded access log from the known malignant URL excluding unit 42, and also acquires the unique popular URL list from the popular URL list creating unit 44. Then, the popular URL list excluding unit 451 creates a list of URLs (popular URL excluded list) obtained by excluding the URLs indicated in the unique popular URL list from the URLs indicated in the acquired known malicious URL excluded access log. The popular URL list exclusion unit 451 outputs the created popular URL excluded list to the malignant URL candidate list output unit 453.
- the URLs shown in this popular URL excluded list are URLs of sites that have not been found to be malicious in past examinations and are not frequently accessed from the managed network, and therefore may include unknown malicious URLs.
- the minor URL list creation unit 452 performs statistical processing on the URLs recorded in the known malicious URL excluded access log, and creates a list of URLs (minor URL list) with a small number of accesses (or access frequencies) from the client terminals 20 of the managed network.
- the minor URL list creation unit 452 outputs the created minor URL list to the malignant URL candidate list output unit 453.
- a URL shown in the minor URL list is the URL of a site that has not been found to be malicious in past examinations and has a small number of accesses from the management target network, and therefore the list may contain unknown malicious URLs.
- the malicious URL candidate list output unit 453 outputs the popular URL excluded list and the minor URL list as the malicious URL candidate list.
- This malicious URL candidate list is output to the malicious URL inspection device 50, for example.
- the malignant URL inspection apparatus 50 that has received this malignant URL candidate list inspects the sites indicated in the malignant URL candidate list.
- the malicious URL candidate list output unit 453 may output the malicious URL candidate list after converting it into a file format that can be processed by the malicious URL inspection device 50.
- the malicious URL candidate extraction device 40 extracts a known malicious URL excluded access log from the access log stored in the access log storage unit 41 (S1). Thereafter, the malicious URL candidate extraction device 40 creates a minor URL list from the known malicious URL excluded access log (S2). Specifically, the malicious URL candidate extraction device 40 creates the minor URL list by preferentially extracting, from the access destination URLs indicated in the known malicious URL excluded access log, those with a small number of accesses from the management target network. Further, the malicious URL candidate extraction device 40 creates a unique popular URL list from the access log stored in the access log storage unit 41 (S3). Specifically, the malicious URL candidate extraction device 40 creates the unique popular URL list by preferentially extracting, from the access destination URLs indicated in the access log, those with a large number of accesses from the managed network.
- the malicious URL candidate extraction device 40 creates a popular URL excluded list by excluding the URLs of the unique popular URL list from the URLs shown in the known malicious URL excluded access log (S4). Then, the malicious URL candidate extraction device 40 outputs the minor URL list and the popular URL excluded list as a malicious URL candidate list (S5).
- in this way, the malicious URL candidate extraction device 40 can output, as the malicious URL candidate list, a list of URLs of sites that are not known malicious URLs and have a relatively low number of accesses from the client terminals 20 of the management target network.
- the malicious URL candidate extraction device 40 may create the popular URL excluded list (S3, S4) after creating the minor URL list (S2), or may create the minor URL list (S2) after creating the popular URL excluded list (S3, S4).
- the access log accumulation unit 41 of the malicious URL candidate extraction device 40 receives the access log of the client terminal 20 of the management target network from the proxy server 30 (S11), and accumulates the received access log (S12). Thereafter, the access log accumulation unit 41 outputs an access log for a specified period to the known malicious URL exclusion unit 42 based on a request from the known malicious URL exclusion unit 42 (S13).
- the access log accumulation unit 41 performs an access log reception process from the proxy server 30 and performs a process for accumulating the received access log.
- an access log including items such as access time, client terminal IP address, and access destination URL is stored in the storage unit (not shown) of the access log storage unit 41.
- The access time is the time when the client terminal 20 accessed a site on the Internet via the proxy server 30, the client terminal IP address is the IP address of the client terminal 20, and the access destination URL is the URL of the site on the Internet that the client terminal 20 accessed via the proxy server 30.
- the access log accumulation unit 41 performs an access log output process for a specified period based on a request from the known malicious URL exclusion unit 42.
- This designated period may be a period set in advance by the known malignant URL excluding unit 42 or may be a period designated by the user every time the malignant URL candidate extracting device 40 is operated.
- Each access log file may be received by a file transfer means such as FTP (File Transfer Protocol) or SMB (Server Message Block), and a certain number of access log files may be received from the proxy server 30 every predetermined period.
- the known malicious URL exclusion unit 42 receives the public malicious URL list from the public malicious URL list providing server 10 (S14). The known malicious URL exclusion unit 42 also acquires the unique malicious URL list from the unique malicious URL list storage unit 43 (S15). Thereafter, it excludes the access logs to URLs included in the public malicious URL list from the access log for the specified period transmitted in S13 (S16), and further excludes the access logs to URLs included in the unique malicious URL list (S17). In this way, the known malicious URL exclusion unit 42 obtains the known malicious URL excluded access log.
- the processes of S16 and S17 will be described in detail with specific examples. First, S16 will be described.
- the known malicious URL exclusion unit 42 compares, for example, the value of the URL field of each line of the access log for the specified period output in S13 of FIG. 6 with the URL of the public malicious URL list received in S14. When the URL of the public malicious URL list matches the URL field value of the access log, the corresponding line of the access log held by the known malicious URL exclusion unit 42 is discarded. On the other hand, if the URL of the public malicious URL list does not match the value of the URL field of the access log, the corresponding line of the access log held by the known malicious URL exclusion unit 42 is recorded.
- the known malicious URL excluding unit 42 performs the above process on all the rows of the access log for the specified period transmitted from the access log accumulating unit 41, and extracts from this access log an access log from which the rows having a URL of the public malicious URL list are excluded.
- the known malicious URL exclusion unit 42 compares the access log obtained by the process of S16 with the URL of the unique malicious URL list received in S15. When the URL of the unique malicious URL list matches the value of the URL field of the access log, the corresponding line of the access log held by the known malicious URL exclusion unit 42 is discarded. On the other hand, if the URL of the unique malicious URL list does not match the value of the URL field of the access log, the corresponding line of the access log held by the known malicious URL exclusion unit 42 is recorded.
- the known malicious URL excluding unit 42 performs the above process on all lines of the access log obtained by the process of S16.
- the known malicious URL exclusion unit 42 thus obtains an access log in which the lines having a URL of the unique malicious URL list are excluded from the access log obtained by the process of S16. That is, the known malicious URL exclusion unit 42 obtains an access log (the known malicious URL excluded access log) in which the access logs to the URLs of the public malicious URL list and the original malicious URL list are excluded from the access logs for the specified period transmitted in S13.
- the known malicious URL excluding unit 42 can thereby obtain an access log (known malicious URL excluded access log) that does not include an access log to a known malicious URL, that is, one that may include an access log to an unknown malicious URL.
- FIG. 8 shows an example of an access log with the known malignant URL excluded obtained by the above processing.
- the known malicious URL excluded access log is information indicating, for each IP address of a client terminal 20, the URLs of the access destinations of the client terminal 20 with that IP address.
- the minor URL list creation unit 452 of the malicious URL candidate extraction device 40 acquires the known malicious URL excluded access log from the known malicious URL excluding unit 42 (S21) and, for each URL recorded in the access log, counts the number of client terminals 20 accessing the site of that URL (S22).
- the minor URL list creation unit 452 counts the unique number of IP addresses of the client terminals 20 accessing the same URL for each URL in the access log with the known malignant URL excluded.
- the condition for determining that the same URL is accessed may be that the URLs match up to the path portion, as illustrated in FIG. 10A, or that the FQDN portions of the URLs match, as illustrated in FIG. 10B.
- the known malicious URL exclusion unit 42 extracts the URLs of the known malicious URL excluded access log in ascending order of the number of client terminals 20 that accessed them (S23).
- the URL extracted in this way is used as a minor URL list.
- the number and ratio of URLs extracted in S23 are values set according to the number of URLs that can be investigated by the malignant URL inspection device 50, for example.
- the minor URL list creation unit 452 executes the above processing until, for example, the number of URLs set in advance by the user of the malignant URL candidate extraction device 40 can be extracted to obtain a minor URL list.
- the minor URL list creation unit 452 can thus obtain the URLs (minor URL list) of sites that have not been found to be malicious in past examinations and have a small number of accesses from the management target network.
- the popular URL list creation unit 44 acquires an access log for a specified period from the access log storage unit 41 (S31) and, for each URL recorded in the access log, counts the number of client terminals 20 accessing the site of that URL (S32).
- the designated period may be a period set in advance in the popular URL list creation unit 44 or may be a period input by the user every time the malicious URL candidate extraction device 40 is operated.
- the popular URL list creation unit 44 counts the unique number of IP addresses of the client terminals 20 accessing the same URL for each URL of the access log acquired from the access log storage unit 41.
- the condition under which the same URL is considered to be accessed may be, as in the creation of the minor URL list described above, that the URLs match up to the path part, or that the FQDN parts of the URLs match.
- the popular URL list creation unit 44 extracts each URL of the access log acquired from the access log storage unit 41 in order from the URL having the largest number of client terminals 20 that have been accessed (S33).
- the URL extracted in this way is set as a unique popular URL list.
- the number and ratio of URLs extracted in S32 are values set according to the type of site on which daily access occurs from the client terminal 20 of the management target network, for example.
- the popular URL list creation unit 44 executes the above processing until, for example, the number of URLs set in advance by the user of the malignant URL candidate extraction device 40 can be extracted to obtain a unique popular URL list.
- the popular URL list creation unit 44 can obtain a list of URLs of sites having a large number of accesses from the management target network (unique popular URL list).
- the popular URL list excluding unit 451 acquires an access log with the known malignant URL excluded from the known malignant URL excluding unit 42 (S41), and acquires an original popular URL list from the popular URL list creating unit 44 (S42).
- the popular URL list excluding unit 451 excludes the access logs to URLs included in the unique popular URL list from the known malicious URL excluded access log (S43), and extracts the URLs included in the resulting access log (S44).
- the popular URL list exclusion unit 451 compares the value of the URL field of each line of the access log with the known malignant URL excluded with the URL of the unique popular URL list.
- when a URL included in the unique popular URL list matches the URL field value of the known malicious URL excluded access log, the corresponding line of the known malicious URL excluded access log held by the popular URL list exclusion unit 451 is discarded. On the other hand, when no URL included in the unique popular URL list matches the URL field value of the known malicious URL excluded access log, the corresponding line of the known malicious URL excluded access log held by the popular URL list exclusion unit 451 is recorded.
- the popular URL list exclusion unit 451 performs the above processing on all the lines of the access log with the known malicious URL excluded, and excludes the line having the URL shown in the unique popular URL list from the access log with the known malicious URL excluded. Get access log. Then, the popular URL list excluding unit 451 extracts the value of the URL field of each line of the access log to obtain a popular URL excluded list.
- the popular URL list excluding unit 451 is a list of URLs (popular URLs) of sites that have not been found to be malignant in past examinations and that are not frequently accessed from the managed network. Excluded list) can be obtained.
- According to the malicious URL candidate extraction device 40 described above, a list of URLs that are not known malicious URLs and that belong to sites with a relatively low number of accesses from the client terminals 20 of the managed network can be output as the malicious URL candidate list. In other words, the malicious URL candidate extraction device 40 can output URLs that may be used for attacks on specific organizations, such as targeted attacks, as a malicious URL candidate list.
- The popular URL list exclusion unit 451 may create the popular-URL-excluded list using a popular URL list created by an external organization in addition to the unique popular URL list.
- In that case, the popular URL list exclusion unit 451 extracts, from the known-malicious-URL-excluded access log, the access log entries for URLs that appear in neither the unique popular URL list nor the popular URL list, and creates the popular-URL-excluded list.
- This popular URL list is created by, for example, research institutions, researchers, specialists, or information-related companies. It is a list of URLs of highly reliable sites that receive a large amount of access worldwide, in other words, sites that many users access daily.
- As this popular URL list, for example, the public popular URL list provided by the popular URL list providing server 60 shown in FIG. 1 is used.
- The malicious URL candidate list creation unit 45 of the malicious URL candidate extraction device 40 may include both the minor URL list creation unit 452 and the popular URL list exclusion unit 451. That is, the malicious URL candidate list output unit 453 may output either the minor URL list or the popular-URL-excluded list as the malicious URL candidate list.
- The malicious URL candidate list creation unit 45 creates a minor URL list from the known-malicious-URL-excluded access log using the minor URL list creation unit 452 (S2). The malicious URL candidate list output unit 453 may then output the minor URL list created in S2 as a malicious URL candidate list (S6).
- The known malicious URL exclusion unit 42 of the malicious URL candidate extraction device 40 extracts the known-malicious-URL-excluded access log from the access log stored in the access log storage unit 41 (S1).
- The popular URL list creation unit 44 creates a unique popular URL list from the access log stored in the access log storage unit 41 (S3).
- The malicious URL candidate list creation unit 45 uses the popular URL list exclusion unit 451 to create a popular-URL-excluded list, in which the URLs of the unique popular URL list are excluded from the URLs shown in the known-malicious-URL-excluded access log (S4).
- The malicious URL candidate extraction device 40 may output the popular-URL-excluded list created in S4 as a malicious URL candidate list (S7).
- In this way, the malicious URL candidate extraction device 40 can output URLs with a relatively small number of accesses, taken from the known-malicious-URL-excluded access log, as a malicious URL candidate list.
- It is also possible to create a program that describes the processing executed by the malicious URL candidate extraction device 40 according to the above embodiment in a language that can be executed by a computer. In this case, the same effect as the above-described embodiment can be obtained by the computer executing the program. Further, such a program may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read by the computer and executed to perform the same processing as in the above embodiment. Below, an example of the computer which performs the website information extraction program which implement
- FIG. 15 is a diagram illustrating a computer that executes a website information extraction program.
- The computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
- The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012.
- The ROM 1011 stores a boot program such as BIOS (Basic Input Output System).
- The hard disk drive interface 1030 is connected to the hard disk drive 1090.
- The disk drive interface 1040 is connected to the disk drive 1100.
- A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100, for example.
- A mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050.
- A display 1130 is connected to the video adapter 1060.
- The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. Each list described in the above embodiment is stored in, for example, the hard disk drive 1090 or the memory 1010.
- The website information extraction program is stored in the hard disk drive 1090 as, for example, a program module describing the instructions executed by the computer 1000.
- A program module describing each process executed by the malicious URL candidate extraction device 40 described in the above embodiment is stored in the hard disk drive 1090.
- Data used for information processing by the website information extraction program is stored as program data in, for example, the hard disk drive 1090.
- The CPU 1020 reads the program module 1093 and the program data 1094 stored in the hard disk drive 1090 into the RAM 1012 as necessary, and executes the above-described procedures.
- The program module 1093 and the program data 1094 related to the website information extraction program are not limited to being stored in the hard disk drive 1090.
- The program module 1093 and the program data 1094 may be stored in a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like.
- The program module 1093 and the program data 1094 related to the website information extraction program may be stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network), and read by the CPU 1020 via the network interface 1070.
Abstract
Description
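Next, the processing procedure of the malicious URL candidate extraction device 40 is described. First, an overview of the processing of the malicious URL candidate extraction device 40 is given with reference to FIG. 5.
The malicious URL candidate extraction device 40 extracts a known-malicious-URL-excluded access log from the access log accumulated in the access log storage unit 41 (S1). The malicious URL candidate extraction device 40 then creates a minor URL list from the known-malicious-URL-excluded access log (S2). Specifically, for the URLs of the access destinations shown in the known-malicious-URL-excluded access log, the malicious URL candidate extraction device 40 extracts URLs preferentially in ascending order of the number of accesses from the managed network and creates the minor URL list. The malicious URL candidate extraction device 40 also creates a unique popular URL list from the access log accumulated in the access log storage unit 41 (S3). Specifically, for the URLs of the access destinations shown in the access log, the malicious URL candidate extraction device 40 creates a minor URL list extracted preferentially from those with the largest number of accesses from the managed network.
Next, the extraction of the known-malicious-URL-excluded access log in S1 of FIG. 5 is described in detail with reference to FIG. 6. First, the access log storage unit 41 of the malicious URL candidate extraction device 40 receives the access log of the client terminals 20 of the managed network from the proxy server 30 (S11) and accumulates the received access log (S12). Then, in response to a request from the known malicious URL exclusion unit 42, the access log storage unit 41 outputs the access log for the specified period to the known malicious URL exclusion unit 42 (S13).
Next, the creation of the minor URL list in S2 of FIG. 5 is described in detail with reference to FIG. 9. For example, the minor URL list creation unit 452 of the malicious URL candidate extraction device 40 acquires the known-malicious-URL-excluded access log from the known malicious URL exclusion unit 42 (S21) and, for each URL recorded in the access log, counts the number of client terminals 20 that access the site with that URL (S22).
Next, the creation of the unique popular URL list in S3 of FIG. 5 is described in detail with reference to FIG. 11. For example, the popular URL list creation unit 44 acquires the access log for a specified period from the access log storage unit 41 (S31) and, for each URL recorded in the access log, counts the number of client terminals 20 that access the site with that URL (S32). The specified period may be a period set in advance in the popular URL list creation unit 44, or a period entered by the user each time the malicious URL candidate extraction device 40 is operated.
Next, the creation of the popular-URL-excluded list in S4 of FIG. 5 is described in detail with reference to FIG. 12. For example, the popular URL list exclusion unit 451 acquires the known-malicious-URL-excluded access log from the known malicious URL exclusion unit 42 (S41) and acquires the unique popular URL list from the popular URL list creation unit 44 (S42).
In the embodiment described above, the popular URL list exclusion unit 451 may also create the popular-URL-excluded list using a popular URL list created by an external organization in addition to the unique popular URL list. That is, the popular URL list exclusion unit 451 extracts, from the known-malicious-URL-excluded access log, the access log entries for URLs that appear in neither the unique popular URL list nor the popular URL list, and creates the popular-URL-excluded list. This popular URL list is a list of URLs of highly reliable sites created by, for example, research institutions, researchers, specialists, or information-related companies; the sites receive a large amount of access worldwide, in other words, many users access them daily. As this popular URL list, for example, the public popular URL list provided by the popular URL list providing server 60 shown in FIG. 1 is used.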
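Steps S1 to S4 described above, worked through as an added Python example that is not code from the patent. The log line format (`timestamp client_ip url`), the function names and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample proxy log, one access per line: "timestamp client_ip url".
SAMPLE_LOG = """\
2015-03-17T09:00:01 10.0.0.11 http://portal.example.com/
2015-03-17T09:00:05 10.0.0.12 http://portal.example.com/
2015-03-17T09:00:09 10.0.0.13 http://portal.example.com/
2015-03-17T09:01:00 10.0.0.11 http://news.example.org/top
2015-03-17T09:01:30 10.0.0.12 http://news.example.org/top
2015-03-17T09:02:00 10.0.0.13 http://known-bad.example.net/x
2015-03-17T09:03:00 10.0.0.12 http://rare-site.example.net/invoice
2015-03-17T09:03:01 10.0.0.12 http://rare-site.example.net/invoice
2015-03-17T09:03:02 10.0.0.12 http://rare-site.example.net/invoice
2015-03-17T09:04:00 10.0.0.13 http://tiny-blog.example.org/post
"""
KNOWN_MALICIOUS = {"http://known-bad.example.net/x"}   # constructed blacklist
PUBLIC_POPULAR = {"http://news.example.org/top"}       # constructed external list


def parse_log(text):
    """Return (client, url) pairs; lines without exactly three fields are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            rows.append((fields[1], fields[2]))
    return rows


def exclude_known_malicious(rows, known_malicious):
    """S1: drop every log line whose URL is already known to be malicious."""
    return [(c, u) for c, u in rows if u not in known_malicious]


def clients_per_url(rows):
    """S22/S32: number of distinct client terminals per URL, not raw hits."""
    clients = defaultdict(set)
    for client, url in rows:
        clients[url].add(client)
    return {url: len(seen) for url, seen in clients.items()}


def minor_url_list(rows, n):
    """S2: the n URLs reached by the fewest clients (ties ordered by URL)."""
    counts = clients_per_url(rows)
    return sorted(counts, key=lambda u: (counts[u], u))[:n]


def unique_popular_url_list(rows, n):
    """S3: the n URLs reached by the most clients (ties ordered by URL)."""
    counts = clients_per_url(rows)
    return sorted(counts, key=lambda u: (-counts[u], u))[:n]


def popular_url_excluded_list(rows, *popular_lists):
    """S4: URLs of the lines that remain after discarding popular URLs."""
    popular = set().union(*popular_lists)
    return sorted({u for _, u in rows if u not in popular})


def extract_candidates(text, known_malicious, n_minor, n_popular, external=()):
    """Run S1 to S4 and return (minor list, popular-URL-excluded list)."""
    rows = parse_log(text)
    cleaned = exclude_known_malicious(rows, known_malicious)
    popular = unique_popular_url_list(rows, n_popular)  # built from the full log
    return (minor_url_list(cleaned, n_minor),
            popular_url_excluded_list(cleaned, popular, external))


if __name__ == "__main__":
    minor, excluded = extract_candidates(SAMPLE_LOG, KNOWN_MALICIOUS, 2, 1, PUBLIC_POPULAR)
    print("minor URL list:", minor)
    print("popular-URL-excluded list:", excluded)
```

Because the count is per distinct client terminal, the three repeated requests from 10.0.0.12 to the rare site count once, so that URL stays at the head of the minor list instead of outranking the news site on raw hits.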
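It is also possible to create a program that describes the processing executed by the malicious URL candidate extraction device 40 according to the above embodiment in a language that a computer can execute. In this case, the same effect as in the above embodiment can be obtained by having the computer execute the program. Furthermore, such a program may be recorded on a computer-readable recording medium, and the same processing as in the above embodiment may be realized by having the computer read and execute the program recorded on that medium. An example of a computer that executes a website information extraction program realizing the same functions as the malicious URL candidate extraction device 40 is described below.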
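20 Client terminal
30 Proxy server
40 Malicious URL candidate extraction device
41 Access log storage unit
42 Known malicious URL exclusion unit
43 Unique malicious URL list storage unit
44 Popular URL list creation unit
45 Malicious URL candidate list creation unit
50 Malicious URL inspection device
60 Popular URL list providing server
451 Popular URL list exclusion unit
452 Minor URL list creation unit
453 Malicious URL candidate list output unit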
Claims (8)
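- A website information extraction device comprising:
an access log storage unit that accumulates an access log including information on websites accessed from a managed network;
a known malicious website exclusion unit that extracts, from the access log, a known-malicious-website-excluded access log from which access log entries whose access destination is a known malicious website have been excluded;
a malicious website candidate list creation unit that creates a minor website list by extracting, from the website information shown in the known-malicious-website-excluded access log, information on a predetermined number of websites in ascending order of the number of accesses from the managed network; and
an output unit that outputs the created minor website list.
- The website information extraction device according to claim 1, further comprising
a popular website list creation unit that refers to the access log and creates a popular website list showing information on a predetermined number of websites in descending order of the number of accesses from the managed network in a predetermined period, wherein
the malicious website candidate list creation unit further
creates a popular-website-excluded list by excluding the website information shown in the popular website list from the website information shown in the known-malicious-website-excluded access log, and
the output unit further
outputs the popular-website-excluded list.
- The website information extraction device according to claim 1 or 2, further comprising
a unique malicious website list storage unit that accumulates a unique malicious website list showing information on websites that, among the websites accessed from the managed network in the past, were determined to be malicious websites by a predetermined inspection, wherein
the known malicious website exclusion unit,
when extracting the known-malicious-website-excluded access log, further excludes from the access log the access log entries for the websites shown in the unique malicious website list.
- The website information extraction device according to claim 2, wherein, when creating the popular-website-excluded list, the malicious website candidate list creation unit further excludes, from the website information shown in the known-malicious-website-excluded access log, information on websites determined by a preliminary investigation to be unlikely to be malicious websites.
- The website information extraction device according to claim 4, wherein the website information is a URL (Uniform Resource Locator), an FQDN (Fully Qualified Domain Name), or an IP (Internet Protocol) address assigned to the FQDN.
- A system comprising an inspection device that inspects whether a website is a malicious website, and a website information extraction device that extracts a list of websites to be inspected by the inspection device, wherein
the website information extraction device comprises:
an access log storage unit that accumulates an access log including information on websites accessed from a managed network;
a known malicious website exclusion unit that extracts, from the access log, a known-malicious-website-excluded access log from which access log entries whose access destination is a known malicious website have been excluded;
a malicious website candidate list creation unit that creates a minor website list by extracting, from the website information shown in the known-malicious-website-excluded access log, information on a predetermined number of websites in ascending order of the number of accesses from the managed network; and
an output unit that outputs the created minor website list to the inspection device.
- A website information extraction method comprising the steps of:
accumulating an access log including information on websites accessed from a managed network;
extracting, from the access log, a known-malicious-website-excluded access log from which access log entries whose access destination is a known malicious website have been excluded;
creating a minor website list by extracting, from the website information shown in the known-malicious-website-excluded access log, information on a predetermined number of websites in ascending order of the number of accesses from the managed network; and
outputting the created minor website list.
- A website information extraction program that causes a computer to execute the steps of:
accumulating an access log including information on websites accessed from a managed network;
extracting, from the access log, a known-malicious-website-excluded access log from which access log entries whose access destination is a known malicious website have been excluded;
creating a minor website list by extracting, from the website information shown in the known-malicious-website-excluded access log, information on a predetermined number of websites in ascending order of the number of accesses from the managed network; and
outputting the created minor website list.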
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/121,822 US10511618B2 (en) | 2014-03-19 | 2015-03-17 | Website information extraction device, system website information extraction method, and website information extraction program |
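JP2016508732A JP6030272B2 (ja) | 2014-03-19 | 2015-03-17 | Website information extraction device, system, website information extraction method, and website information extraction program |
CN201580013640.9A CN106104550A (zh) | 2014-03-19 | 2015-03-17 | Website information extraction device, system, website information extraction method, and website information extraction program |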
EP15765115.9A EP3101580B1 (en) | 2014-03-19 | 2015-03-17 | Website information extraction device, system, website information extraction method, and website information extraction program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2014-056661 | 2014-03-19 | ||
JP2014056661 | 2014-03-19 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015141665A1 (ja) | 2015-09-24 |
Family
ID=54144630
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2015/057875 WO2015141665A1 (ja) | 2014-03-19 | 2015-03-17 | Website information extraction device, system, website information extraction method, and website information extraction program |
Country Status (5)
Country | Link |
---|---|
US (1) | US10511618B2 (ja) |
EP (1) | EP3101580B1 (ja) |
JP (1) | JP6030272B2 (ja) |
CN (1) | CN106104550A (ja) |
WO (1) | WO2015141665A1 (ja) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2016194909A1 (ja) * | 2015-06-02 | 2016-12-08 | 日本電信電話株式会社 | Access classifying device, access classifying method, and access classifying program |
WO2017140710A1 (en) * | 2016-02-16 | 2017-08-24 | Nokia Solutions And Networks Oy | Detection of malware in communications |
WO2022264366A1 (ja) * | 2021-06-17 | 2022-12-22 | 日本電信電話株式会社 | Search device, search range determination method, and search range determination program |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10404723B1 (en) * | 2016-06-08 | 2019-09-03 | SlashNext, Inc. | Method and system for detecting credential stealing attacks |
US11146576B1 (en) * | 2016-06-08 | 2021-10-12 | SlashNext, Inc. | Method and system for detecting credential stealing attacks |
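CN109802919B (zh) * | 2017-11-16 | 2021-06-29 | 中移(杭州)信息技术有限公司 | Web page access interception method and device |
JP6716051B2 (ja) * | 2018-07-26 | 2020-07-01 | デジタルア−ツ株式会社 | Information processing device, information processing method, and information processing program |
CN112671747B (zh) * | 2020-12-17 | 2022-08-30 | 赛尔网络有限公司 | Statistical method and device for overseas malicious URLs, electronic equipment, and storage medium |
CN114679306B (zh) * | 2022-03-17 | 2024-03-12 | 新华三信息安全技术有限公司 | Attack detection method and device |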
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001033371A1 (en) * | 1999-11-05 | 2001-05-10 | Surfmonkey.Com, Inc. | System and method of filtering adult content on the internet |
US20070204345A1 (en) * | 2006-02-28 | 2007-08-30 | Elton Pereira | Method of detecting computer security threats |
JP2011086086A (ja) * | 2009-10-15 | 2011-04-28 | Nec Access Technica Ltd | Content filtering system, content filtering method, and gateway |
JP2013191199A (ja) * | 2012-01-12 | 2013-09-26 | Alexeo Corp | Method and system for protecting a network-connected device from intrusion |
Family Cites Families (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080189408A1 (en) * | 2002-10-09 | 2008-08-07 | David Cancel | Presenting web site analytics |
US7890451B2 (en) * | 2002-10-09 | 2011-02-15 | Compete, Inc. | Computer program product and method for refining an estimate of internet traffic |
US8316446B1 (en) * | 2005-04-22 | 2012-11-20 | Blue Coat Systems, Inc. | Methods and apparatus for blocking unwanted software downloads |
US20070016951A1 (en) * | 2005-07-13 | 2007-01-18 | Piccard Paul L | Systems and methods for identifying sources of malware |
US8239668B1 (en) * | 2009-04-15 | 2012-08-07 | Trend Micro Incorporated | Computer security threat data collection and aggregation with user privacy protection |
US8595843B1 (en) | 2010-08-12 | 2013-11-26 | Amazon Technologies, Inc. | Techniques for identifying sources of unauthorized code |
JP5465651B2 (ja) | 2010-11-30 | 2014-04-09 | 日本電信電話株式会社 | List generation method, list generation device, and list generation program |
CN102082792A (zh) * | 2010-12-31 | 2011-06-01 | 成都市华为赛门铁克科技有限公司 | Phishing web page detection method and device |
US8997220B2 (en) | 2011-05-26 | 2015-03-31 | Microsoft Technology Licensing, Llc | Automatic detection of search results poisoning attacks |
CN102546618A (zh) * | 2011-12-29 | 2012-07-04 | 北京神州绿盟信息安全科技股份有限公司 | Phishing website detection method, device and system, and website |
US8910254B2 (en) * | 2012-02-11 | 2014-12-09 | Aol Inc. | System and methods for profiling client devices |
CN103428186A (zh) | 2012-05-24 | 2013-12-04 | 中国移动通信集团公司 | Method and device for detecting phishing websites |
GB2512837A (en) * | 2013-04-08 | 2014-10-15 | F Secure Corp | Controlling access to a website |
US9300686B2 (en) | 2013-06-28 | 2016-03-29 | Fireeye, Inc. | System and method for detecting malicious links in electronic messages |
CN103455758A (zh) * | 2013-08-22 | 2013-12-18 | 北京奇虎科技有限公司 | Method and device for identifying malicious websites |
CN103532944B (zh) * | 2013-10-08 | 2016-09-07 | 百度在线网络技术(北京)有限公司 | Method and device for capturing unknown attacks |
US10474820B2 (en) * | 2014-06-17 | 2019-11-12 | Hewlett Packard Enterprise Development Lp | DNS based infection scores |
US9756063B1 (en) * | 2014-11-25 | 2017-09-05 | Trend Micro Inc. | Identification of host names generated by a domain generation algorithm |
-
2015
- 2015-03-17 EP EP15765115.9A patent/EP3101580B1/en active Active
- 2015-03-17 JP JP2016508732A patent/JP6030272B2/ja active Active
- 2015-03-17 WO PCT/JP2015/057875 patent/WO2015141665A1/ja active Application Filing
- 2015-03-17 US US15/121,822 patent/US10511618B2/en active Active
- 2015-03-17 CN CN201580013640.9A patent/CN106104550A/zh active Pending
Also Published As
Publication number | Publication date |
---|---|
JP6030272B2 (ja) | 2016-11-24 |
CN106104550A (zh) | 2016-11-09 |
EP3101580B1 (en) | 2019-02-27 |
US20170070520A1 (en) | 2017-03-09 |
EP3101580A1 (en) | 2016-12-07 |
US10511618B2 (en) | 2019-12-17 |
JPWO2015141665A1 (ja) | 2017-04-13 |
EP3101580A4 (en) | 2017-07-19 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 15765115 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2016508732 Country of ref document: JP Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 15121822 Country of ref document: US |
|
REEP | Request for entry into the european phase |
Ref document number: 2015765115 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2015765115 Country of ref document: EP |
|
NENP | Non-entry into the national phase |
Ref country code: DE |