WO2016031103A1 - Security system, security method, and computer-readable medium - Google Patents
Security system, security method, and computer-readable medium
- Publication number: WO2016031103A1 (PCT/JP2015/002458)
- Authority: WO (WIPO, PCT)
- Prior art keywords: simulated, layer, host, response, simulation
Classifications
- H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment (under H04L63/00 network security; H04L63/14 detecting or protecting against malicious traffic; H04L63/1441 countermeasures against malicious traffic)
- G06F21/55: Detecting local intrusion or implementing counter-measures (under G06F21/00 security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
- H04L63/1425: Traffic logging, e.g. anomaly detection (under H04L63/1408 detecting or protecting against malicious traffic by monitoring network traffic)
- H04L63/168: Implementing security features at a particular protocol layer above the transport layer (under H04L63/16 implementing security features at a particular protocol layer)
Definitions
- The present invention relates to a network security system, a security method, and a computer-readable medium.
- Patent Document 1 discloses a communication monitoring system that generates a pseudo host device when a communication can be presumed to be malicious.
- For an attack from a malicious attacker, the communication monitoring system of Patent Document 1 generates a pseudo response as if the attack had succeeded.
- Patent Document 2 discloses an unauthorized intrusion detection device that generates a decoy in a device accessible via a network.
- The unauthorized intrusion detection device of Patent Document 2 detects an attacker's intrusion from the degree of match between the event pattern of access control on the decoy and the behavior patterns stored in a behavior pattern database. Specifically, it detects that a targeted attack has occurred by detecting the attacker's behavior of searching the organization's internal network.
- In Patent Document 1 the communication must be presumed malicious in advance, so a newly developed attack may not be estimated to be malicious. In Patent Document 2 an attacker's intrusion cannot be detected when it does not match a behavior pattern stored in the behavior pattern database, so an intrusion that uses a newly developed attack behavior pattern may go undetected.
- Attackers can attack from anywhere, whereas defenders must defend against attacks coming from anywhere. An attacker's failure is tolerated, but a defender's failure is not: the defender must reliably defend against every attack. Attackers can gain insight into the defended network at a fraction of the cost, whereas defenders spend enormous sums building and maintaining network security. Attackers also tend to benefit from technological and organizational innovation in cyberspace, whereas defenders tend to be threatened by it.
- Because of this nature of cyber security, attackers have an advantage over defenders. To improve network security it is therefore important to shift the cost advantage to the defender by raising the attacker's cost. In other words, security improves if a defense in depth that minimizes damage can be realized while increasing the cost of an attack.
- An object of the present invention is to provide a security system, a security method, and a program with high security.
- A security system according to one aspect of the present invention is a security system that prevents unauthorized intrusion into a network system, and includes: a packet receiving unit that receives a packet from an intrusion device attempting unauthorized intrusion; a unique information storage unit that stores unique information of a plurality of virtual simulation devices; an activation management unit that manages, based on the unique information, whether each simulation device is activated; a simulation device management unit that determines, based on a request included in the packet, whether each of the plurality of activated simulation devices responds; a simulated response generation unit that generates, for each simulation device determined to respond, a simulated response to the request directed at that simulation device; and a simulated response transmission unit that transmits the simulated response to the intrusion device.
- A security method according to one aspect of the present invention is a security method for preventing unauthorized intrusion into a network system, and includes: receiving a packet from an intrusion device attempting unauthorized intrusion; managing whether each simulation device is activated with reference to pre-stored unique information of a plurality of virtual simulation devices; determining, based on a request included in the packet, whether each of the plurality of activated simulation devices responds; generating, for each simulation device determined to respond, a simulated response to the request directed at that simulation device; and transmitting the simulated response to the intrusion device.
- A program according to one aspect of the present invention is a program for causing a computer to execute a security method for preventing unauthorized intrusion into a network system, the security method consisting of the same steps: receiving a packet from an intrusion device attempting unauthorized intrusion; managing whether each simulation device is activated with reference to pre-stored unique information of a plurality of virtual simulation devices; determining, based on a request included in the packet, whether each of the plurality of activated simulation devices responds; generating a simulated response for each simulation device determined to respond; and transmitting it to the intrusion device.
- Brief description of the drawings: FIG. 1 is a block diagram showing the configuration of the security system according to the first exemplary embodiment (the security device 101 itself is shown in FIG. 2). The remaining figures show the layers of the communication protocol; the unique information of the simulated host contained in the simulated response generated for a search request; a block diagram of the security device according to Embodiment 2; and a block diagram of the security system according to Embodiment 3.
- Embodiment 1. The security system and the security method according to this embodiment improve security on the basis of defense in depth.
- The cyber kill chain has attack steps such as reconnaissance, intrusion, concealment, establishing a foothold, searching, penetration, occupation, seizure, and withdrawal.
- The security system applies various deceptions at each attack step. For example, a group of virtual communication devices (a simulated deception) is generated, and ambiguous, fake, or unclear information is given to the attacker in the searching step or the penetration step. This obstructs or steers the behavior of the malicious attacker and raises the cost of achieving the attacker's goal; that is, the attack cost until the attacker reaches important data is increased, so that important data such as intellectual property can be prevented from leaking outside.
- FIG. 1 is a diagram showing the overall configuration of a security system 100 according to the present embodiment.
- The security system 100 includes a security device 101, a real network system 120, and a simulated network system 110.
- The security device 101, the real network system 120, and the simulated network system 110 are connected to each other via a network 200.
- An infected device 300 is connected to the network 200 as the attacker.
- The real network system 120 includes a plurality of real hosts 121, 122, and so on.
- The real hosts 121 and 122 are communication devices that actually exist (host devices, computers, or communication terminals), connected via a network such as a LAN (Local Area Network), a WAN (Wide Area Network), or the Internet. Although two real hosts 121 and 122 are shown in FIG. 1, their number is not particularly limited.
- Network management information such as a computer name (or NetBIOS name), an IP address, a MAC address, a domain name, a group name, and a network management name is set on the real hosts 121 and 122.
- The real hosts 121 and 122 run an OS (Operating System) such as Windows (registered trademark) or Linux (registered trademark).
- The security device 101 generates the simulated network system 110.
- The simulated network system 110 includes a plurality of simulated hosts 111 to 114.
- The simulated hosts 111 to 114 are virtual communication devices (virtual host devices), that is, communication devices that do not actually exist.
- The security device 101 generates the simulated hosts 111 to 114 in the same way as a virtual honeypot.
- The security device 101 applies various deceptions so that the simulated hosts 111 to 114, which do not actually exist, appear to exist.
- The security device 101 can be implemented on a real host that actually exists.
- The security device 101 executes the security method according to the present embodiment by means of a network security program installed on it.
- The security device 101 may be a dedicated computer, or a computer included as a real host in the real network system 120 may be used.
- The security device 101 is not limited to a physically single device and may be composed of a plurality of devices.
- The attack cost until the infected device 300 steals important data is thereby increased. Since the security device 101 generates the simulated hosts 111 to 114 virtually, the number of simulated hosts can be increased at low cost, and generating a large number of simulated hosts makes it easier to deceive an attacker. The number of simulated hosts generated by the security device 101 is not particularly limited; the more simulated hosts the security device 101 generates, the further the attack cost rises.
- The security system 100 prevents unauthorized intrusion from the infected device 300.
- The infected device 300 is a communication device (host) infected with malware.
- The infected device 300 attempts unauthorized intrusion into the real network system 120 under remote control from outside.
- The infected device 300 tries to steal important data from the real hosts 121 and 122 included in the real network system 120.
- The intrusion device attempting to intrude into the real network system 120 is not limited to the infected device 300 infected with malware; it may be an external communication device connected via an external network such as the Internet.
- The security device 101, the infected device 300, and the real network system 120 are connected via the network 200.
- The security device 101 or the real hosts 121 and 122 may be connected to the network 200 via a firewall.
- FIG. 2 is a block diagram schematically showing the configuration of the security device 101.
- The security device 101 includes a packet receiving unit 11, a packet delivery unit 12, a broadcast packet processing unit 13, a unicast packet processing unit 14, a search request determination unit 15, a simulated host management unit 16, a unique information storage unit 17, a simulated host activation management unit 18, a simulated response generation unit 19, a simulated response template storage unit 20, a simulated response transmission control unit 21, a simulated response transmission queue 22, and a simulated response transmission unit 23.
- The processing of each unit is described below.
- The packet receiving unit 11 receives packets flowing on the network 200.
- For example, the packet receiving unit 11 receives a packet when the destination address of the packet is a predetermined address.
- Here, the packet receiving unit 11 receives a packet from the infected device 300 that attempts unauthorized intrusion.
- The packet delivery unit 12 determines the type of the packet received by the packet receiving unit 11. Specifically, it determines whether the packet is a broadcast packet or a unicast packet, delivers broadcast packets to the broadcast packet processing unit 13, and delivers unicast packets to the unicast packet processing unit 14. The packet delivery unit 12 also refers to the unique information storage unit 17 and identifies whether the destination address is one of the addresses of the simulated hosts 111 to 114.
- A unicast packet is a packet that specifies a single address and performs one-to-one data communication.
- A broadcast packet is a packet that specifies a broadcast address and performs one-to-unspecified-many data communication.
- The broadcast packet carries a message for all of the real hosts 121 and 122 and the simulated hosts 111 to 114.
- The infected device 300 transmits a broadcast packet and tries to acquire information on the real hosts 121 and 122 in the real network system 120.
- The broadcast packet may instead be a multicast packet.
- In that case the packet delivery unit 12 may deliver the multicast packet to the broadcast packet processing unit 13, which then processes it.
- Alternatively, the security device 101 may include a separate multicast packet processing unit.
- A multicast packet is a packet that performs one-to-many data communication.
- The infected device 300 transmits, as a broadcast search request, a broadcast packet containing a search message such as a search for a communication device (host) or a search for a network service (see FIG. 1).
- For example, the search request message is a NetBIOS Name Service (NBNS) message.
- The real hosts 121 and 122 or the simulated hosts 111 to 114 return a response to the search request to the infected device 300 as a unicast search response.
- Next, the infected device 300 transmits a unicast negotiation request to a specific host.
- For example, this request message is SMB (Server Message Block).
- The simulated hosts 111 to 114 or the real hosts 121 and 122 return a unicast negotiation response to the infected device 300. More precisely, the infected device 300 sends a unicast negotiation request in reply to each response it received to the earlier broadcast search request. Only one unicast negotiation is shown in FIG. 1, but in the configuration of FIG. 1 up to six unicast search responses may arrive, from the real hosts 121 and 122 and the simulated hosts 111 to 114, and when the infected device 300 receives them it negotiates with all six in turn. A plurality of sequences may also be performed for one host.
- When a session is established, the infected device 300 tries to share files with the host device, specifically by SMB (Server Message Block) file sharing. In this way the infected device 300 tries to steal data.
- The unique information storage unit 17 stores the unique information of the plurality of virtual simulated hosts 111 to 114.
- The unique information is the information needed to simulate a simulated host, and is set for each simulated host.
- The simulated host activation management unit 18 manages activation of the simulated hosts 111 to 114 based on the unique information.
- The simulated host management unit 16 manages the simulated hosts 111 to 114 based on the unique information.
- The simulated host management unit 16 and the simulated host activation management unit 18 are described later.
- The unique information includes, for example, a computer name (or NetBIOS name), an IP address, a MAC address, a domain name, OS information (for example, an OS name and an OS version), a group name, a network management name, and the like.
- The unique information storage unit 17 stores the unique information of the simulated hosts 111 to 114 as, for example, a table. It may also store a network distance for each simulated host. As the unique information of the simulated hosts 111 to 114, it stores information equivalent to the network management information of the real hosts 121 and 122.
- A simulated host having the same management information as that held by the real hosts 121 and 122 may be registered in the unique information storage unit 17.
- For example, the unique information of the simulated host 111 is made to match the computer name (or NetBIOS name), IP address, MAC address, OS information, domain name, group name, network management name, and so on of the real host 121. This makes it appear as if the real host 121 exists even while the real host 121 is stopped.
- A simulated host completely unrelated to the real hosts 121 and 122 may also be registered in the unique information storage unit 17.
- the broadcast packet processing unit 13 passes the broadcast packet to the simulated host management unit 16 as it is.
- the unicast packet processing unit 14 determines whether the unicast packet is a TCP (Transmission Control Protocol) packet or a UDP (User Datagram Protocol) packet. In the case of a TCP packet, the unicast packet processing unit 14 performs a three-way handshake and passes the payload to the search request determination unit 15. On the other hand, in the case of a UDP packet, the unicast packet processing unit 14 passes the UDP packet as it is to the simulated host management unit 16.
- The search request determination unit 15 determines whether the received packet contains a search request. For example, it determines whether the message is a search for a communication device (host device), a search for a network service, or a message for acquiring detailed information such as a session negotiation. It determines whether a message belonging to the search is included in the payload of the TCP packet.
- When a message belonging to the search is included, the search request determination unit 15 determines that there is a search request and passes that message to the simulated host management unit 16 as a search request. In other words, it decides whether the message in the received packet is a search message (search request), passes only search requests, and passes no other request. For example, a message requesting file sharing is not passed. Because the search request determination unit 15 has this determination and filtering function, leakage of important data can be prevented.
- The search request determination unit 15 determines whether there is a search request using, for example, a white list: only messages registered in the list in advance are passed to the simulated host management unit 16 as search requests. In this way malicious requests are filtered and security is increased.
- The white list can be set in combination with the various kinds of unique information of each simulated host.
- Then how far the attacker's sequence succeeds differs from one simulated host to another, so a more convincing deception can be set up.
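One way to implement the search request determination unit's white list over the unicast SMB path, as an added example that is not the patent's code: after the three-way handshake the unicast packet processing unit hands over the TCP payload, and the function below reads the NetBIOS session framing and the SMB1 or SMB2 command code, passes only negotiation and session setup, and drops tree connect, create and read, which are the messages that would open a file path. The per-host white lists (FILESRV, PRINTER), the command subset and the sample messages are constructed for the example; the command codes themselves are the ones defined in MS-CIFS and MS-SMB2.

```python
import struct
from typing import Dict, Optional, Set, Tuple

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"

# SMB1: one command byte at header offset 4. SMB2: a little-endian command word at header offset 12.
SMB1_COMMANDS = {0x72: "NEGOTIATE", 0x73: "SESSION_SETUP", 0x75: "TREE_CONNECT",
                 0xA2: "NT_CREATE", 0x2E: "READ"}
SMB2_COMMANDS = {0x0000: "NEGOTIATE", 0x0001: "SESSION_SETUP", 0x0003: "TREE_CONNECT",
                 0x0005: "CREATE", 0x0008: "READ"}

# White list: only discovery / negotiation messages count as a "search request". Tree connect,
# create and read are what would open a data path to a share, so they never pass.
DEFAULT_WHITELIST: Set[str] = {"NEGOTIATE", "SESSION_SETUP"}

# Per-decoy white lists (constructed): the sequence reaches further on the file server decoy
# than on the printer decoy, so each decoy fails the attacker at a different step.
HOST_WHITELISTS: Dict[str, Set[str]] = {
    "FILESRV": {"NEGOTIATE", "SESSION_SETUP"},
    "PRINTER": {"NEGOTIATE"},
}


def parse_smb_command(payload: bytes) -> Optional[Tuple[str, str]]:
    """Return (dialect, command) from a NetBIOS-session-framed SMB message, or None if it is not SMB."""
    if len(payload) < 4 + 32 or payload[0] != 0x00:     # NBSS "session message" type byte
        return None
    length = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + length]
    if body[:4] == SMB1_MAGIC and len(body) >= 32:
        return "SMB1", SMB1_COMMANDS.get(body[4], "0x%02x" % body[4])
    if body[:4] == SMB2_MAGIC and len(body) >= 64:
        cmd = struct.unpack_from("<H", body, 12)[0]
        return "SMB2", SMB2_COMMANDS.get(cmd, "0x%04x" % cmd)
    return None


def is_search_request(payload: bytes, target_host: Optional[str] = None) -> bool:
    """Search request determination unit: pass only white-listed messages for the addressed decoy."""
    parsed = parse_smb_command(payload)
    if parsed is None:
        return False
    allowed = HOST_WHITELISTS.get(target_host, DEFAULT_WHITELIST) if target_host else DEFAULT_WHITELIST
    return parsed[1] in allowed


# --- constructed sample messages: headers only, parameter blocks zero-filled ---
def _nbss(body: bytes) -> bytes:
    return b"\x00" + len(body).to_bytes(3, "big") + body


def smb1_message(command: int) -> bytes:
    header = SMB1_MAGIC + bytes([command]) + bytes(27)   # 32-byte SMB1 header
    return _nbss(header + b"\x00\x00\x00")               # WordCount = 0, ByteCount = 0


def smb2_message(command: int) -> bytes:
    header = bytearray(64)                               # 64-byte SMB2 header
    header[0:4] = SMB2_MAGIC
    struct.pack_into("<H", header, 4, 64)                # StructureSize
    struct.pack_into("<H", header, 12, command)
    return _nbss(bytes(header))


if __name__ == "__main__":
    for name, msg in [("negotiate", smb1_message(0x72)), ("tree connect", smb1_message(0x75))]:
        print(name, parse_smb_command(msg), "passes:", is_search_request(msg, "FILESRV"))
```

Unknown commands fall through to their hex code and are therefore never white-listed, which is the safe default for a filter whose job is to keep the data path closed.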
- The simulated host activation management unit 18 refers to the unique information storage unit 17 and manages whether each simulated host is activated or not; that is, it manages activation of the simulation devices based on the unique information, deciding whether to activate or stop each of the simulated hosts 111 to 114 registered in the unique information storage unit 17.
- The simulated host activation management unit 18 manages activation of the simulated hosts with an external request as the trigger. Specifically, on receiving a request to turn the simulated host 111 on (activation request) it activates the simulated host 111, and on receiving a request to turn it off (stop request) it stops the simulated host 111. It then outputs activation information indicating whether each simulated host is activated to the simulated host management unit 16. Activation of each simulated host registered in the unique information storage unit 17 is managed independently, so the set of activated simulated hosts can be changed dynamically.
- The simulated host management unit 16 manages the simulated hosts to be simulated based on the activation information from the simulated host activation management unit 18; that is, it determines whether a simulated host makes a simulated response. For example, when there is a request to a running simulated host it determines that a response is made, whereas for a stopped simulated host it determines that no simulated response is made. In the following description the simulated host 113 is activated and the simulated host 112 is stopped.
- The simulated host management unit 16 refers to the unique information storage unit 17 to determine whether to respond to the search request. For example, it identifies the responding simulated host from the destination address of the received packet: a simulated host whose address matches the destination address responds. When a broadcast packet is received, all activated simulated hosts respond.
- The simulated host management unit 16 thus determines that a simulated response is made for the simulated host that is the target of the search request, judging from the destination address whether a simulated host is that target. It decides, for each activated simulated host, whether it responds from the comparison of the destination address with the unique information and from the determination result of the search request determination unit 15.
- When the active simulated host 113 receives a search request, the simulated host management unit 16 determines that a simulated response is made as if the simulated host 113 existed. Conversely, if the simulated host is not running, if the packet contains no search request, or if the simulated host is not the target of the search request, it determines that no simulated response is made: the stopped simulated host 112 is prevented from responding, and even an active simulated host does not respond unless it receives a search request. A response is required for every activated simulated host that is a target of the search request.
- An external request to the simulated host activation management unit 18 can be realized by a setting file, an API (Application Programming Interface), an IF (Interface), or the like.
- The setting file is, for example, preset schedule data in which a start time and a stop time are set for each simulated host.
- The security device 101 may store the setting file. The simulated host activation management unit 18 may also manage activation of a simulated host according to a request from a real host.
- The simulated host activation management unit 18 is now described in more detail.
- For example, the same address and other management information as that of the real host 121 is registered for the simulated host 111 in the unique information storage unit 17.
- That is, information for constructing the simulated host 111 corresponding to the real host 121 is stored in the simulated host activation management unit 18 in advance or on request: unique information copied from the management information of the real host 121 is set for the simulated host 111.
- While the real host 121 is ON, the simulated host activation management unit 18 keeps the simulated host 111 stopped.
- When the real host 121 is OFF, the simulated host activation management unit 18 activates the simulated host 111.
- For example, at the timing when the real host 121 stops, the simulated host activation management unit 18 instructs activation of the simulated host 111.
- At the timing when the real host 121 is activated, the simulated host activation management unit 18 instructs the simulated host 111 to stop.
- In this way the simulated host activation management unit 18 stops or activates the simulated host 111 with the ON/OFF state of the real host 121 as the trigger, so that the simulated host 111 is present on the network 200 even while the real host 121 is disconnected from it. This sets up a deception that is harder for an attacker to see through: from the infected device 300 it looks as if the real host 121 exists. Thus the simulated host activation management unit 18 may manage activation of the simulated host 111 according to whether the real host 121 is activated.
- The simulated response template storage unit 20 stores simulated response templates corresponding to search requests.
- For example, it holds the message formats as hard-coded data.
- That is, it stores the message format of the response text.
- For example, it stores a template for each request or each protocol.
- For example, it stores the message response text corresponding to the requested service as a template.
- The simulated response template storage unit 20 stores a plurality of templates.
- The simulated response generation unit 19 creates a simulated response at the request of the simulated host management unit 16.
- When the simulated host management unit 16 determines that a response is made, the simulated response generation unit 19 generates a simulated response to the request addressed to that simulated host.
- To do so it refers to the template stored in the simulated response template storage unit 20, which lets it create a simulated response message appropriate to the request.
- The simulated response generation unit 19 acquires the unique information of the simulated host that should respond from the unique information storage unit 17 and generates the simulated response message by combining that unique information with the response message format; that is, it fills the address and OS information contained in the unique information into the message format, so the simulated response message contains simulated information about the simulated host 111. The result is a more convincing deception.
- The simulated response template storage unit 20 stores templates according to the services the simulated hosts 111 to 114 can offer. When the simulated host 111 and the simulated host 112 offer the same service, the simulated response generation unit 19 creates their simulated response messages from a common template. The simulated response template storage unit 20 also stores response templates for all messages included in the white list of the search request determination unit 15; the more kinds of template there are, the more kinds of request can be handled. The content of the white list need not match the simulated response template storage unit 20 and may be set independently; for example, the white list may be set so that only part of the templates can be used.
- the simulated response transmission queue 22 queues the simulated response message created by the simulated response generation unit 19.
- the simulated response transmission unit 23 transmits the simulated response message queued in the simulated response transmission queue 22 to the infection apparatus 300 as a simulated response.
- the simulated response transmission unit 23 transmits a simulated response by a packet having the destination address of the infected device 300 as a transmission destination address.
- the simulated response message stored in the simulated response transmission queue 22 is transmitted to the network via the simulated response transmission unit 23 according to an instruction from the simulated response transmission control unit 21. That is, the simulated response transmission unit 23 controls the transmission timing of the simulated response in the simulated response transmission unit 23.
- the simulated response transmission unit 23 transmits a simulated response message to the infecting device 300 via the network 200 at a timing according to an instruction from the simulated response transmission control unit 21.
- the simulated response transmission control unit 21 controls the transmission timing of the simulated responses stored in the simulated response transmission queue 22.
- the simulated response transmission control unit 21 controls, for example, to transmit the simulated response message in the order of the queue.
- the simulated response transmission control unit 21 may perform control so that the simulated response message is randomly transmitted.
- the simulated response transmission control unit 21 may transmit the simulated response messages according to a preset pattern.
- the simulated response transmission control unit 21 can control the transmission order of the simulated responses.
- the simulated response transmission unit 23 transmits the simulated response in the simulated response transmission queue 22 to the network 200 based on an instruction from the simulated response transmission control unit 21.
- upon receiving a search request broadcast message, the simulated response generation unit 19 generates a simulated response message for each active simulated host. The simulated response transmission queue 22 then queues the simulated response messages in the order in which the simulated hosts are stored in the unique information storage unit 17, for example in the order of the simulated host 111, the simulated host 112, the simulated host 113, and the simulated host 114. The simulated response transmission unit 23 then transmits the simulated response messages in queue order. Alternatively, the simulated response transmission unit 23 may transmit them in random order.
- the simulated response transmission unit 23 may transmit a simulated response message according to a response timing. Further, it may transmit the simulated response messages in an order or at timings according to a preset schedule.
- the simulated response transmission control unit 21 controls the timing of the simulated response in the simulated response transmission unit 23 for each simulated host.
- the response timing may be set according to the network distance stored in the unique information storage unit 17. That is, for a simulated host with a long network distance, the simulated response transmission control unit 21 delays the response; for a simulated host with a short network distance, it responds sooner.
- the simulated response transmission control unit 21 refers to the unique information storage unit 17 and sets a delay time according to the network distance. By controlling the transmission timing of the simulated response messages in this manner, the simulated response transmission control unit 21 makes it appear to the infected device 300 as if the simulated hosts 111 to 114 really exist. That is, a deception that deceives the attacker more easily can be set up.
- the communication protocol of the network 200 has a layer configuration as shown in FIG. 3, for example.
- the communication functions are defined in nine layers as shown in FIG. 3: the physical layer as the first layer, the data link layer as the second layer, the network layer as the third layer, the transport layer as the fourth layer, the session layer as the fifth layer, the presentation layer as the sixth layer, and the application layer as the seventh layer
- the service layer is defined as the eighth layer
- the operation layer is defined as the ninth layer.
- the seven layers from the physical layer to the application layer are those of the well-known OSI reference model. In addition, a service layer and an operation layer are provided above the application layer.
- the service layer is the layer that represents the services provided by applications.
- the operation layer is the layer that represents information set during operation, such as a computer name.
- the simulated response generation unit 19 creates a simulated response message that includes information about application services and information about computer operation, as would be present when the application software is actually in use.
- a simulated response message corresponding to the session layer, the presentation layer, the application layer, the service layer, and the operation layer, which are the layers above the transport layer, is also transmitted.
- the simulated response only needs to include simulated information regarding at least one of the session layer, the presentation layer, the application layer, the service layer, and the operation layer.
- the simulated response generation unit 19 generates a simulated response including information related to a layer higher than the network layer.
- more specifically, the simulated response generation unit 19 generates a simulated response message including information on the session layer; a simulated response message including information on the session layer and the presentation layer; a simulated response message including information on the session layer, the presentation layer, and the application layer; a simulated response message including information on the session layer, the presentation layer, the application layer, and the service layer; or a simulated response message including information on the session layer, the presentation layer, the application layer, the service layer, and the operation layer.
- it is preferable that the simulated response message includes information on one or more of the application layer, the service layer, and the operation layer, that is, information about application services and computer operation. By including such layered information, a simulated response that deceives more easily can be transmitted.
- the infected device 300 can thus be reliably deceived. That is, by including in the simulated response message information equivalent to what would be returned if the real hosts 121 and 122 were searched, the simulated host looks like a real host to the infected device 300. As a result, a deception that deceives the attacker more easily can be set up. Therefore, the attack cost can be increased and security can be improved.
- the simulated response generation unit 19 generates a simulated response message including information on all layers.
- the template stored in the simulated response template storage unit 20 includes information about all layers.
- the security device 101 performs the simulated response for the negotiation part on behalf of a plurality of simulated hosts, so that sessions between the infected device 300 and the plurality of simulated hosts are established. It therefore appears to the infected device 300 as if there are a large number of hosts on the network. The security device 101 does not make a simulated response for the actual function (service) once the session has been established by negotiation. This prevents leakage of important data through file sharing or the like, and security is improved.
- the unique information storage unit 17 has unique information of a plurality of simulated hosts.
- the simulated host activation management unit 18 manages activation of a plurality of simulated hosts based on the unique information. Based on the request included in the packet, the simulated host management unit 16 determines whether or not a plurality of simulated hosts activated by the simulated host activation management unit 18 respond.
- the simulated response generation unit 19 generates a simulated response for each simulated host, and the simulated response transmission unit 23 transmits it. In this way, the simulated hosts can be made to appear to exist; that is, the illusion of a simulated network system 110 having a plurality of simulated hosts is presented to the infected device 300.
- the simulated response transmission control unit 21 controls the transmission timing of the simulated responses, so a deception that deceives more easily can be set up. Further, the search request determination unit 15 passes a request only when it is a search request, and filters requests other than search requests (for example, file sharing requests). Thereby, leakage of important data can be prevented. The search request determination unit 15 may also dynamically change which requests are passed; that is, it may dynamically change the threshold used to decide whether or not to pass a request.
- the security device 101 generates the plurality of simulated hosts 111 to 114 regardless of whether or not the communication device that is the source of the packet is a malicious attacker. It is therefore not necessary to detect whether the source is a malicious attacker, and security against a clever attack that conceals malicious intent can be improved.
- by increasing the number of simulated hosts stored in the unique information storage unit 17, the attacker becomes easier to deceive. The attacker can also be deceived more easily by setting the information stored in the unique information storage unit 17 appropriately. For example, the address stored in the unique information storage unit 17 may be an address suited to the network in which the IP address is set, or may be acquired by DHCP from an actual DHCP server existing in the network. When the MAC address follows the vendor code + serial number structure, it can be generated according to that structure.
- for the domain name, if the same character string is used throughout each domain, it is preferable to set the character string used in the actual network system.
- the same character string as the group name of the actual network system 120 can be used for the group name.
- group names can be set to form several groups.
- for the OS name and the network management name, any one of the existing finite set of variations may be selected.
- FIG. 4 is a diagram showing the information on the simulated hosts acquired by the infected device 300 through the search request.
- the infected device 300 acquires each simulated host's IP address, NetBIOS name, group name, OS, and OS version via the SMB protocol (findSMB).
- FIG. 4 shows the unique information of six simulated hosts acquired by the search request of the infected device 300. By providing information on a plurality of simulated hosts to the infected device 300 in this way, the attack cost until an external intruder reaches the target data can be increased. Therefore, the cost advantage of the defending side can be increased and high security can be realized.
- the simulated response generation unit 19 refers to the template stored in the simulated response template storage unit 20 to create the simulated response message.
- the simulated response message may be automatically created.
- the real host 121 or the security device 101 may create a response message for the requested service and replace some of its information with information about the simulated host.
- an access recording unit that records accesses from the infected device 300 may be provided; that is, the received packets, in other words information about the received requests, are recorded.
- the security apparatus 101 uses this access information for detection of unauthorized intrusion, incident response, forensic analysis, and the like.
- Embodiment 2. FIG. 5 is a block diagram illustrating the configuration of the security device 101 according to this embodiment. Note that the overall configuration of the security system 100 is the same as in the first embodiment, and its description is therefore omitted.
- the security device 101 according to the second embodiment has a transmission source determination unit 24 added to the configuration of the first embodiment.
- the configuration other than the transmission source determination unit 24 is the same as that described in the first embodiment, and its description is therefore omitted.
- the transmission source determination unit 24 determines the transmission source of the received packet. For example, the security device 101 detects that the infected device 300 is a malicious attacker while the infected device 300 is searching. Alternatively, another detection device (a real host) may detect the unauthorized intrusion and notify the security device 101 of the detection. When it is detected that the infected device 300 is a malicious attacker, the transmission source determination unit 24 extracts the transmission source address of the infected device 300 and passes it to the simulated host management unit 16. The simulated host management unit 16 manages the simulated hosts for that specific transmission source; that is, it manages the simulated hosts so that simulated responses are sent only to a malicious transmission source.
- the simulated hosts 111 and 112 can be seen only from the infected apparatus 300.
- the simulated host cannot be seen from a normal communication device that is not malicious.
- the simulated host does not respond to a request from a normal communication device. Therefore, in this embodiment, it becomes possible to suppress the influence on a normal communication apparatus.
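The flow described in the first embodiment (the white list of the search request determination unit 15, per-host templates, delay set from network distance) and the per-source restriction of the second embodiment (transmission source determination unit 24), as an added Python model that is not the patent's own code. The host records, request types, white list entries and the per-hop delay constant are constructed assumptions.

```python
"""Model of the deception device's response path (added example, not the patent's code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SimulatedHost:
    """Unique information (storage unit 17) for one simulated host."""
    ip: str
    netbios: str
    group: str
    os_name: str
    os_version: str
    network_distance: int  # constructed hop count used to derive the response delay
    active: bool = True


# Constructed sample unique information for simulated hosts 111 to 114.
SIMULATED_HOSTS = [
    SimulatedHost("192.0.2.11", "SIM-HOST-111", "WORKGROUP", "Windows", "6.1", 1),
    SimulatedHost("192.0.2.12", "SIM-HOST-112", "WORKGROUP", "Windows", "6.1", 3),
    SimulatedHost("192.0.2.13", "SIM-HOST-113", "WORKGROUP", "Windows", "5.1", 2),
    SimulatedHost("192.0.2.14", "SIM-HOST-114", "WORKGROUP", "Windows", "6.3", 5, active=False),
]

# White list of the search request determination unit 15 (assumed request type names):
# only search requests pass; anything else, e.g. a file sharing request, is filtered.
SEARCH_WHITELIST = {"name_query", "host_announce"}

BASE_DELAY_MS = 10  # assumed per-hop delay used by transmission control unit 21


def is_search_request(request: dict) -> bool:
    """Search request determination unit 15: pass only white-listed request types."""
    return request.get("type") in SEARCH_WHITELIST


def render_response(host: SimulatedHost, request: dict) -> dict:
    """Fill the common template (storage unit 20) with host-specific information.

    The fields mirror FIG. 4: IP address, NetBIOS name, group name, OS and OS version,
    i.e. information above the transport layer (assumed mapping to the patent's layers).
    """
    return {
        "src_ip": host.ip,
        "dst_ip": request["src_ip"],
        "netbios": host.netbios,
        "group": host.group,
        "os": host.os_name,
        "os_version": host.os_version,
        "in_reply_to": request["type"],
    }


def response_delay_ms(host: SimulatedHost) -> int:
    """Transmission control unit 21: longer network distance, later response."""
    return BASE_DELAY_MS * host.network_distance


def build_transmission_queue(request: dict, hosts=SIMULATED_HOSTS, flagged_sources=None) -> list:
    """Return the (delay_ms, response) entries that transmission unit 23 would send, in timing order.

    flagged_sources: when given, only those source addresses receive responses
    (second embodiment, transmission source determination unit 24); normal devices
    never see the simulated hosts.
    """
    if not is_search_request(request):
        return []  # non-search requests (file sharing etc.) are filtered
    if flagged_sources is not None and request["src_ip"] not in flagged_sources:
        return []  # not a flagged transmission source: the simulated hosts stay invisible
    queue = [(response_delay_ms(h), render_response(h, request)) for h in hosts if h.active]
    queue.sort(key=lambda entry: entry[0])  # transmit in order of response timing
    return queue


if __name__ == "__main__":
    sample = {"type": "name_query", "src_ip": "192.0.2.100"}  # constructed search request
    for delay, msg in build_transmission_queue(sample):
        print(f"+{delay:>3} ms  {msg['netbios']:<12} {msg['src_ip']} {msg['os']} {msg['os_version']}")
```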
- Embodiment 3. A security system according to this embodiment will be described.
- the security system is a security system that prevents unauthorized intrusion into a network system and includes: a packet receiving unit 51 that receives packets from an intrusion device attempting unauthorized intrusion; a unique information storage unit 52 that stores unique information of a plurality of virtual simulation devices; a start management unit 53 that manages, based on the unique information, whether or not to start the simulation devices; a simulation device management unit 54 that determines, based on a request included in the packet, whether or not the plurality of simulation devices started by the start management unit respond; a simulated response generation unit 55 that, for each simulation device determined by the simulation device management unit to respond, generates a simulated response according to the request to that simulation device; and a simulated response transmission unit 56 that transmits the simulated response to the intrusion device.
- with this security system 100, a deception that deceives a malicious attacker more easily can be set up. Therefore, the attack cost can be increased and high security can be realized. The configurations of the first and second embodiments can be combined with or substituted for the configuration of the third embodiment as appropriate.
- Non-transitory computer readable media include various types of tangible storage media.
- Examples of non-transitory computer-readable media include magnetic recording media (for example, flexible disks, magnetic tapes, hard disk drives), magneto-optical recording media (for example, magneto-optical disks), CD-ROM (Read Only Memory), CD-R, CD-R/W, and semiconductor memory (for example, mask ROM, PROM (Programmable ROM), EPROM (Erasable PROM), flash ROM, RAM (Random Access Memory)).
- the program may also be supplied to the computer via various types of transitory computer readable media.
- Examples of transitory computer readable media include electrical signals, optical signals, and electromagnetic waves.
- a transitory computer-readable medium can supply the program to the computer via a wired communication path such as an electric wire or an optical fiber, or via a wireless communication path.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
The security system and security method according to this embodiment improve security on the basis of defense in depth. For example, a cyber kill chain has attack steps such as reconnaissance, intrusion, lurking, securing a bridgehead, target search, penetration, occupation, exfiltration, and withdrawal. In this embodiment, the security system sets various deceptions at each attack step. For example, it generates a group of virtual communication devices (a simulated deception) and gives the attacker ambiguous, false, or unclear information in the target search step and the penetration step. The behaviour of a malicious attacker can thus be obstructed or guided, and the attack cost of achieving the objective increases. That is, the attack cost until the attacker reaches important data can be increased, and leakage of important data such as intellectual property to the outside can be prevented.
More specifically, in response to the replies to the preceding broadcast search request, the infected device 300 transmits unicast negotiation requests. Although only one unicast negotiation is shown in the example of FIG. 1, a negotiation may be performed for every host: in the configuration of FIG. 1, when the infected device 300 receives six unicast search responses from the real hosts 121 and 122 and the simulated hosts 111 to 114, unicast negotiation is carried out in turn for all six. Further, multiple sequences may be performed even for a single host, and this is repeated for each host. Once a session is established, the infected device 300 attempts file sharing or the like with the host device; specifically, it attempts file sharing by SMB (Server Message Block). In this way, the infected device 300 tries to steal data.
101 Security device
110 Simulated network system
111 to 114 Simulated hosts
120 Real network system
121 Real host
11 Packet receiving unit
12 Packet delivery unit
13 Broadcast packet processing unit
14 Unicast packet processing unit
15 Search request determination unit
16 Simulated host management unit
17 Unique information storage unit
18 Simulated host activation management unit
19 Simulated response generation unit
20 Simulated response template storage unit
21 Simulated response transmission control unit
22 Simulated response transmission queue
23 Simulated response transmission unit
24 Transmission source determination unit
200 Network
300 Infected device
Claims (12)
- A security system that prevents unauthorized intrusion into a network system, comprising: packet receiving means for receiving packets from an intrusion device attempting unauthorized intrusion; unique information storage means for storing unique information of a plurality of virtual simulation devices; start management means for managing, based on the unique information, whether or not to start the simulation devices; simulation device management means for determining, based on a request included in the packet, whether or not the plurality of simulation devices started by the start management means respond; simulated response generation means for generating, for each simulation device determined by the simulation device management means to respond, a simulated response according to the request to that simulation device; and simulated response transmission means for transmitting the simulated response to the intrusion device.
- The security system according to claim 1, wherein the communication protocol includes, as layers above the transport layer, at least one of a session layer, a presentation layer, an application layer, a service layer, and an operation layer, and the simulated response includes information on a layer above the network layer.
- The security system according to claim 1 or 2, further comprising search request determination means for determining whether or not the packet includes a search request, wherein the simulation device management means determines that the simulation devices respond when the search request is included, and determines that the simulation devices do not respond when the search request is not included.
- The security system according to any one of claims 1 to 3, further comprising transmission control means for controlling, for each simulation device, the timing at which the simulated response transmission means transmits the simulated response.
- A security method that prevents unauthorized intrusion into a network system, comprising: a step of receiving packets from an intrusion device attempting unauthorized intrusion; a step of managing whether or not to start simulation devices by referring to pre-stored unique information of a plurality of virtual simulation devices; a step of determining, based on a request included in the packet, whether or not the plurality of started simulation devices respond; a step of generating, for each simulation device determined to respond, a simulated response according to the request; and a step of transmitting the simulated response to the intrusion device.
- The security method according to claim 5, wherein the communication protocol includes, as layers above the transport layer, at least one of a session layer, a presentation layer, an application layer, a service layer, and an operation layer, and the simulated response includes information on a layer above the network layer.
- The security method according to claim 5 or 6, further comprising a step of determining whether or not the packet includes a search request, wherein it is determined that the simulation devices respond when the search request is included, and that the simulation devices do not respond when the search request is not included.
- The security method according to any one of claims 5 to 7, further comprising a step of controlling, for each simulation device, the timing at which the simulated response is transmitted.
- A non-transitory computer readable medium storing a program for causing a computer to execute a security method that prevents unauthorized intrusion into a network system, the security method comprising: a step of receiving packets from an intrusion device attempting unauthorized intrusion; a step of managing whether or not to start simulation devices by referring to pre-stored unique information of a plurality of virtual simulation devices; a step of determining, based on a request included in the packet, whether or not the plurality of started simulation devices respond; a step of generating, for each simulation device determined to respond, a simulated response according to the request to that simulation device; and a step of transmitting the simulated response to the intrusion device.
- The non-transitory computer readable medium according to claim 9, wherein the communication protocol includes, as layers above the transport layer, at least one of a session layer, a presentation layer, an application layer, a service layer, and an operation layer, and the simulated response includes information on a layer above the network layer.
- The non-transitory computer readable medium according to claim 9 or 10, wherein the security method further comprises a step of determining whether or not the packet includes a search request, and it is determined that the simulation devices respond when the search request is included, and that the simulation devices do not respond when the search request is not included.
- The non-transitory computer readable medium according to any one of claims 9 to 11, wherein the security method further comprises a step of controlling, for each simulation device, the timing at which the simulated response is transmitted.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/505,381 US20170272466A1 (en) | 2014-08-25 | 2015-05-15 | Security system, security method, and computer-readable medium |
JP2016544908A JP6460112B2 (ja) | 2014-08-25 | 2015-05-15 | セキュリティシステム、セキュリティ方法およびプログラム |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2014-170368 | 2014-08-25 | ||
JP2014170368 | 2014-08-25 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016031103A1 true WO2016031103A1 (ja) | 2016-03-03 |
Family
ID=55399029
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2015/002458 WO2016031103A1 (ja) | 2014-08-25 | 2015-05-15 | セキュリティシステム、セキュリティ方法、及びコンピュータ可読媒体 |
Country Status (3)
Country | Link |
---|---|
US (1) | US20170272466A1 (ja) |
JP (1) | JP6460112B2 (ja) |
WO (1) | WO2016031103A1 (ja) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2018079716A1 (ja) * | 2016-10-27 | 2018-05-03 | 国立大学法人名古屋工業大学 | 通信装置 |
EP3577589A4 (en) * | 2016-12-08 | 2020-12-02 | Cequence Security, Inc. | PREVENTING VICIOUS AUTOMATION ATTACKS ON A WEB SERVICE |
US10868830B2 (en) | 2015-05-27 | 2020-12-15 | Nec Corporation | Network security system, method, recording medium and program for preventing unauthorized attack using dummy response |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10855721B2 (en) * | 2015-05-27 | 2020-12-01 | Nec Corporation | Security system, security method, and recording medium for storing program |
WO2018020299A1 (en) | 2016-07-29 | 2018-02-01 | Chan Kam Fu | Lossless compression and decompression methods |
CN110896388B (zh) * | 2018-09-12 | 2022-07-05 | 西门子(中国)有限公司 | 网络流量分析方法、装置、计算机可读介质 |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140101724A1 (en) * | 2012-10-10 | 2014-04-10 | Galois, Inc. | Network attack detection and prevention based on emulation of server response and virtual server cloning |
US9495180B2 (en) * | 2013-05-10 | 2016-11-15 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
2015
- 2015-05-15 JP JP2016544908A patent/JP6460112B2/ja active Active
- 2015-05-15 WO PCT/JP2015/002458 patent/WO2016031103A1/ja active Application Filing
- 2015-05-15 US US15/505,381 patent/US20170272466A1/en not_active Abandoned
Non-Patent Citations (1)
Title |
---|
TAKAHIRO KAKUMARU ET AL.: "Deceptive Defense Architecture toward Protection against APT", IEICE TECHNICAL REPORT, ISEC2014-15, vol. 114, no. 118, 3 July 2014 (2014-07-03), pages 69 - 74 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10868830B2 (en) | 2015-05-27 | 2020-12-15 | Nec Corporation | Network security system, method, recording medium and program for preventing unauthorized attack using dummy response |
WO2018079716A1 (ja) * | 2016-10-27 | 2018-05-03 | 国立大学法人名古屋工業大学 | 通信装置 |
EP3577589A4 (en) * | 2016-12-08 | 2020-12-02 | Cequence Security, Inc. | PREVENTING VICIOUS AUTOMATION ATTACKS ON A WEB SERVICE |
US11483345B2 (en) | 2016-12-08 | 2022-10-25 | Cequence Security, Inc. | Prevention of malicious automation attacks on a web service |
Also Published As
Publication number | Publication date |
---|---|
US20170272466A1 (en) | 2017-09-21 |
JP6460112B2 (ja) | 2019-01-30 |
JPWO2016031103A1 (ja) | 2017-06-15 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6460112B2 (ja) | セキュリティシステム、セキュリティ方法およびプログラム | |
JP6690644B2 (ja) | セキュリティシステム、セキュリティ方法、及びプログラムを記憶する記録媒体 | |
KR101270041B1 (ko) | Arp 스푸핑 공격 탐지 시스템 및 방법 | |
US10193924B2 (en) | Network intrusion diversion using a software defined network | |
JP6693516B2 (ja) | セキュリティシステム、セキュリティ方法、及びプログラムを記憶する記録媒体 | |
US20170180421A1 (en) | Deception using Distributed Threat Detection | |
KR101369727B1 (ko) | 캡차를 기반으로 하는 트래픽 제어 장치 및 그 방법 | |
US20170264590A1 (en) | Preventing dns cache poisoning | |
JP5713445B2 (ja) | 通信監視システム及び方法及び通信監視装置及び仮想ホスト装置及び通信監視プログラム | |
Arukonda et al. | The innocent perpetrators: reflectors and reflection attacks | |
CN106797378B (zh) | 用于控制通信网络的装置和方法 | |
TWI506472B (zh) | 網路設備及其防止位址解析協定報文攻擊的方法 | |
US20170093911A1 (en) | Customized information networks for deception and attack mitigation | |
CN114257413B (zh) | 基于应用容器引擎的反制阻断方法、装置和计算机设备 | |
JP2015165614A (ja) | 通信装置および通信装置における通信制御方法 | |
WO2013176711A2 (en) | Methods, systems, and media for inhibiting attacks on embedded devices | |
CN111800401A (zh) | 业务报文的防护方法、装置、系统和计算机设备 | |
CN112688900A (zh) | 一种防御arp欺骗和网络扫描的局域网安全防护系统及方法 | |
CN112738002A (zh) | 一种基于虚实结合的搭建工控蜜网的技术 | |
US9686311B2 (en) | Interdicting undesired service | |
US20220103582A1 (en) | System and method for cybersecurity | |
Narwal et al. | Game-theory based detection and prevention of DoS attacks on networking node in open stack private cloud | |
EP2815350A2 (en) | Methods, systems, and media for inhibiting attacks on embedded devices | |
TWI738900B (zh) | 網路防護系統、方法、裝置及伺服器 | |
Chang et al. | A study on the IP spoofing attack through proxy server and defense thereof |
Legal Events
Code | Title | Description |
---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 15835925; Country of ref document: EP; Kind code of ref document: A1 |
ENP | Entry into the national phase | Ref document number: 2016544908; Country of ref document: JP; Kind code of ref document: A |
WWE | Wipo information: entry into national phase | Ref document number: 15505381; Country of ref document: US |
NENP | Non-entry into the national phase | Ref country code: DE |
122 | Ep: pct application non-entry in european phase | Ref document number: 15835925; Country of ref document: EP; Kind code of ref document: A1 |