WO2019043804A1 - Log analysis device, log analysis method, and computer-readable recording medium - Google Patents

Log analysis device, log analysis method, and computer-readable recording medium

Info

Publication number
WO2019043804A1
Authority
WO
WIPO (PCT)
Prior art keywords
attack
log
unit
type
communication
Prior art date
Application number
PCT/JP2017/031041
Other languages
French (fr)
Japanese (ja)
Inventor
佑典 高橋
Original Assignee
日本電気株式会社
Priority date
Filing date
Publication date
Application filed by 日本電気株式会社 filed Critical 日本電気株式会社
Priority to JP2019538803A priority Critical patent/JP6962374B2/en
Priority to PCT/JP2017/031041 priority patent/WO2019043804A1/en
Publication of WO2019043804A1 publication Critical patent/WO2019043804A1/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Definitions

  • the present invention relates to a log analysis device, a log analysis method, and a computer readable recording medium.
  • a cyber attack such as unauthorized access and malware infection may be performed.
  • means for operating a remote computer include Character User Interface (CUI) methods such as Telnet (Teletype Network) and SSH (Secure Shell), the Remote Desktop Protocol (RDP), and Virtual Network Computing (VNC).
  • CUI Character User Interface
  • RDP Remote Desktop Protocol
  • VNC Virtual Network Computing
  • GUI Graphical User Interface
  • analyzing an attacker's behavior pattern is performed in order to clarify an attacker's purpose and an attack method.
  • Non-Patent Document 1 discloses a technique that classifies the commands executed after a server intrusion into seven groups and displays attackers' behavior patterns as a transition diagram of command groups, for unauthorized access using SSH (Secure Shell).
  • SSH Secure Shell
  • Non-Patent Document 2 proposes a method for detecting a botnet that exploits IRC (Internet Relay Chat) by comparing its messages with the characteristics of messages entered when a human uses IRC.
  • IRC Internet Relay Chat
  • Patent Document 1 describes an unauthorized access detection system and the like.
  • Patent Document 2 describes an apparatus and the like for threat detection in a data processing system.
  • the present invention has been made to solve the above-described problems, and its main object is to provide a log analysis device that facilitates the determination of the type of attack in a cyber attack.
  • a log analysis device includes extraction means for extracting information related to the type of attack from a log of communication related to the attack, and determination means for determining the type of attack related to the log based on the information related to the type of attack and a determination rule corresponding to the type of attack.
  • in a log analysis method, information related to the type of attack is extracted from the log of communication related to the attack, and the type of attack related to the log is determined based on the information related to the type of attack and a determination rule corresponding to the type of attack.
  • a computer readable recording medium non-temporarily stores a program that causes a computer to execute a process of extracting information related to the type of attack from a log of communication related to the attack, and a process of determining the type of attack related to the log based on the information related to the type of attack and the determination rule corresponding to the type of attack.
  • each component of each device indicates a block of functional units.
  • some or all of the components of each device (system) are realized by any combination of an information processing device 1000 and a program as shown in FIG. 18, for example.
  • the information processing apparatus 1000 includes, for example, the following configuration.
  • CPU Central Processing Unit
  • ROM Read Only Memory
  • RAM Random Access Memory
  • Each component of each device in each embodiment is realized by the CPU 1001 acquiring and executing a program 1004 for realizing these functions.
  • a program 1004 for realizing the function of each component of each device is stored in advance in, for example, the storage device 1005 or the RAM 1003, and read by the CPU 1001 as necessary.
  • the program 1004 may be supplied to the CPU 1001 via the communication network 1009, or may be stored in advance in the recording medium 1006, and the drive device 1007 may read the program and supply it to the CPU 1001.
  • each device may be realized by any combination of a separate information processing device 1000 and program for each component.
  • a plurality of components included in each device may be realized by any combination of one information processing device 1000 and a program.
  • each component of each device is realized by a general purpose or special purpose circuit including a processor or the like, or a combination thereof. These may be configured by a single chip or may be configured by a plurality of chips connected via a bus. A part or all of each component of each device may be realized by a combination of the above-described circuits and the like and a program.
  • when part or all of each component of each device is realized by a plurality of information processing devices, circuits, or the like, these information processing devices, circuits, or the like may be arranged centrally or in a distributed manner.
  • the information processing apparatus, the circuit, and the like may be realized as a form in which each is connected via a communication network, such as a client and server system, a cloud computing system, and the like.
  • FIG. 1 is a diagram showing a log analysis device 100 in the first embodiment of the present invention.
  • the log analysis device 100 includes at least an extraction unit 110 and a determination unit 120.
  • the extraction unit 110 extracts information related to the type of attack from the log of communication related to the attack.
  • the determination unit 120 determines the type of attack related to the log based on the information related to the type of attack and the determination rule according to the type of attack.
  • FIG. 2 shows an example of a more specific configuration of the log analysis device 100.
  • the log analysis device 100 includes a log acquisition unit 101, an output unit 102, and a storage unit 130 in addition to the extraction unit 110 and the determination unit 120.
  • all elements may be realized as one device, or the storage unit 130 and the other elements may be realized by separate devices connected via a communication network.
  • the log acquisition unit 101 acquires a log of communication to be a target of attack type determination.
  • the output unit 102 outputs the result of the attack type determined by the determination unit 120 and information related to the result.
  • the storage unit 130 mainly stores information necessary for determining the type of attack in the determination unit 120.
  • the storage unit 130 includes a determination rule storage unit 131, an automatic operation definition storage unit 132, and a manual operation definition storage unit 133.
  • the determination rule storage unit 131 stores conditions for determining the type of attack.
  • the automatic operation definition storage unit 132 stores the features related to the attack performed by the automatic operation.
  • the manual operation definition storage unit 133 stores the features related to the attack performed by the manual operation.
  • the log acquisition unit 101 acquires a log of communication to be a target of attack type determination. It is assumed that the log acquired by the log acquisition unit 101 is mainly a log of communication related to an attack.
  • the type of log acquired by the log acquisition unit 101 is not particularly limited, and may be a binary file such as a pcap (packet capture) file or a text file such as a proxy log.
  • the type of attack is not particularly limited, and, for example, a scan attack or an attack for the purpose of unauthorized access is included in an assumed attack.
  • the extraction unit 110 extracts information related to the type of attack from the log of communication related to the attack.
  • the communication log is, for example, a log acquired by the log acquisition unit 101.
  • the extraction unit 110 extracts information related to the type of attack on a communication session or other predetermined period basis.
  • when information related to the type of attack is extracted on a session-by-session basis, the source IP (Internet Protocol) address, source port number, destination IP address, destination port number, protocol, and other information are used to distinguish sessions.
  • IP Internet Protocol
  • the information related to the type of attack includes, for example, information related to time, information related to the size of data, and information related to input from the keyboard.
  • the extraction unit 110 extracts these pieces of information from the log, as an example.
  • the information related to the type of attack is not limited to these, and the extraction unit 110 may acquire other information as information related to the type of attack.
  • the information related to time includes, for example, response time from the transmission source, arrival interval of packets, and arrival time difference between a certain packet and the preceding packet.
  • statistical values such as the mean and standard deviation may be obtained as information on time.
  • the information on the size of the data includes, for example, the packet size received in the target session.
  • statistical values such as the average and standard deviation of packet sizes may be obtained as information regarding the size of the data.
  • the information regarding the input from the keyboard includes, for example, the presence or absence of the input of a specific key.
  • each of the information on time, the information on size of data, and the information on input from the keyboard may include information other than the information described above.
  • the extraction unit 110 extracts the above-described information by sequentially referring to the log.
  • the extraction unit 110 may further obtain the above-described statistical value using the extracted information.
  • the extraction unit 110 refers to the log by appropriately using a unit corresponding to the type of the log.
  • when the log is a pcap file, the extraction unit 110 acquires the values stored in the pcap header and in the header of each protocol layer, in order from the top of the file.
  • the extraction unit 110 may also acquire information not recorded in the header, such as the size of a Transmission Control Protocol (TCP) payload or an input from a keyboard.
  • TCP Transmission Control Protocol
  • the extraction unit 110 groups the acquired values for each session, and stores the values in the storage unit 130 or other elements as needed, for example, in a format as shown in FIG. 3 described later.
  • the extraction unit 110 may further obtain other information including the average and standard deviation such as the packet arrival interval and the packet size from the information recorded for each session.
  • FIG. 3 illustrates an example of the information extracted by the extraction unit 110 when the information related to the type of attack is extracted for each session.
  • "id" indicates an identification number assigned to each session.
  • "src_ip" indicates the IP address of the transmission source, and "src_port" indicates the port number of the transmission source.
  • "dst_ip" indicates the IP address of the destination, and "dst_port" indicates the port number of the destination. A specific address or port number may be described in each of "src_ip", "src_port", "dst_ip" and "dst_port".
  • "type" indicates the type of protocol used in the session. In the example shown in FIG. 3, SSH is used in the session.
  • "keyboard_input" indicates the presence or absence of input of the indicated key. In the example shown in FIG. 3, the value for this item is "backspace": True, that is, an input of the backspace key of the keyboard is included.
  • the number of sessions extracted by the extraction unit 110 is not particularly limited. Further, in the example illustrated in FIG. 3, the number of pieces of information related to the type of attack is not limited for each unit of extraction of a session or the like. That is, in the example shown in FIG. 3, other information such as a statistical value of response time from the transmission source and a packet size may be further included. Depending on the procedure of the determination by the determination unit 120 and the like, at least a part of each of the information listed in FIG. 3 may not be extracted.
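As an added example (not code from the patent or from its assignee), the per-session extraction that produces a FIG. 3-style record can be written as follows. It assumes the packets have already been decoded from the pcap into tuples of (timestamp, source IP, source port, destination IP, destination port, protocol, payload), and that a keystroke is visible as a plaintext byte in the payload, which holds for Telnet but not for SSH, whose payload is encrypted. The packet list, the `arrival_interval` field name and the byte values taken to mean "backspace" are constructed for the example.

```python
"""Per-session feature extraction in the style of FIG. 3 (added example).

Assumptions (not from the patent): packets are already decoded into
(timestamp_s, src_ip, src_port, dst_ip, dst_port, protocol, payload) tuples,
and a keystroke appears as a plaintext byte in the payload (Telnet; an SSH
payload would be encrypted and need a different detector).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Byte values taken to mean the named key (constructed assumption: BS and DEL).
KEY_BYTES = {"backspace": {0x08, 0x7F}}

# Constructed sample capture against one Telnet service.  Session A types
# slowly, with irregular gaps, and corrects a typo with backspace; session B
# sends whole commands at a fixed 0.5 s cadence with no corrections.
PACKETS = [
    (0.00, "198.51.100.7", 40001, "192.0.2.10", 23, "telnet", b"l"),
    (0.31, "198.51.100.7", 40001, "192.0.2.10", 23, "telnet", b"s"),
    (0.95, "198.51.100.7", 40001, "192.0.2.10", 23, "telnet", b"\x08"),
    (2.80, "198.51.100.7", 40001, "192.0.2.10", 23, "telnet", b"s -la\r\n"),
    (10.0, "203.0.113.9", 51000, "192.0.2.10", 23, "telnet", b"cat /proc/cpuinfo\r\n"),
    (10.5, "203.0.113.9", 51000, "192.0.2.10", 23, "telnet", b"cat /proc/mounts\r\n"),
    (11.0, "203.0.113.9", 51000, "192.0.2.10", 23, "telnet", b"uname -a\r\n"),
    (11.5, "203.0.113.9", 51000, "192.0.2.10", 23, "telnet", b"id\r\n"),
]


def _stats(values):
    """Mean and population standard deviation; zeros when there is nothing to summarise."""
    if not values:
        return {"mean": 0.0, "std": 0.0}
    return {"mean": mean(values), "std": pstdev(values)}


def extract_sessions(packets):
    """Group packets by 5-tuple and build one FIG. 3-style record per session."""
    groups = defaultdict(list)
    for pkt in sorted(packets, key=lambda p: p[0]):
        groups[pkt[1:6]].append(pkt)          # key: (src_ip, src_port, dst_ip, dst_port, proto)

    records = []
    for sid, (key, pkts) in enumerate(groups.items(), start=1):
        times = [p[0] for p in pkts]
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        sizes = [len(p[6]) for p in pkts]
        seen = {byte for p in pkts for byte in p[6]}   # every payload byte in the session
        records.append({
            "id": f"{sid:05d}",
            "src_ip": key[0], "src_port": key[1],
            "dst_ip": key[2], "dst_port": key[3],
            "type": key[4],
            "arrival_interval": _stats(gaps),       # time feature: packet arrival interval
            "packet_size": _stats(sizes),           # size feature: payload bytes per packet
            "keyboard_input": {name: bool(seen & codes) for name, codes in KEY_BYTES.items()},
        })
    return records


if __name__ == "__main__":
    for record in extract_sessions(PACKETS):
        print(record)
```

Session A comes out with `"backspace": True` and irregular arrival intervals; session B has a zero standard deviation of the arrival interval and no backspace, which is the shape of evidence the determination rules in FIG. 4 to FIG. 6 consume.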
  • the determination unit 120 determines the type of attack related to the log based on the information related to the type of attack extracted by the extraction unit 110 and the determination rule corresponding to the type of attack. For each of the units described above, it determines whether the attack related to the log is an automatic attack performed automatically by a script, malware or the like, or a manual attack in which an attacker executes a procedure step by step.
  • the determination unit 120 compares the information related to the type of attack extracted by the extraction unit 110 with the determination rule corresponding to the type of attack, and thereby determines whether the attack related to the log is an automatic attack or a manual attack. The procedure of the determination unit 120 is further described below.
  • FIG. 4 shows an example of the determination rule used by the determination unit 120.
  • the determination rule is stored in advance in the determination rule storage unit 131, for example.
  • the determination unit 120 is not limited to the determination rule stored in advance in the determination rule storage unit 131.
  • the determination may be made using a determination rule appropriately acquired from an external server or another external device.
  • ID is assigned to each determination rule, and indicates identification information for identifying each determination rule.
  • Protocol indicates the type of protocol targeted by each determination rule.
  • Attack type indicates the type of attack targeted by each determination rule.
  • the “rule” indicates a condition to be satisfied in order to determine that the log in which the item “protocol” matches is related to the type of attack indicated in the “attack type”.
  • the determination rule whose "ID" is "R1" indicates that a communication log whose protocol is Telnet can be determined to be a log related to an automatic attack when conditions A1 and A2 both hold.
  • the determination rule whose "ID" is "R2" indicates that a communication log whose protocol is SSH can be determined to be a log related to a manual attack when condition M2 holds.
  • each condition referred to in FIG. 4 is defined by an automatic operation definition or a manual operation definition.
  • FIG. 5 shows an example of the automatic operation definition.
  • FIG. 6 shows an example of the manual operation definition.
  • Each of the automatic operation definition or the manual operation definition is stored in advance in, for example, the automatic operation definition storage unit 132 or the manual operation definition storage unit 133.
  • the determination unit 120 is not limited to the determination rule stored in advance in the automatic operation definition storage unit 132 or the manual operation definition storage unit 133, and may perform determination using a determination rule appropriately acquired from an external server or the like.
  • the “identifier” is an identifier for identifying each rule.
  • Feature indicates a feature related to the type of attack in the log.
  • Condition indicates a condition for a feature for which it is determined that the rule is satisfied.
  • "response_time" in the "feature" column indicates the response time from the other party designated by the transmission source IP address; "std" indicates the standard deviation, and "mean" indicates the mean. In each of FIG. 5 and FIG. 6, "s" in the "condition" column indicates seconds, and "is_true" indicates that the keyboard input specified in the "feature" column is present. Thus, rule A1 shown in FIG. 5 is satisfied when the standard deviation of the response time from the other party designated by the transmission source IP address is less than 5 seconds.
  • one determination rule is set for each protocol.
  • a plurality of determination rules may be set for each protocol.
  • the type of protocol is not limited to Telnet or SSH, and may be another protocol.
  • one determination rule is set for each of the automatic attack and the manual attack.
  • multiple decision rules may be set for each of the automatic attack and the manual attack.
  • the number of conditions is not limited to the illustrated number for each of the automatic operation definition shown in FIG. 4 and the manual operation definition shown in FIG.
  • the conditions are not limited to response time or input from the keyboard.
  • conditions related to packet size or other conditions may be included as conditions shown in FIG. 4 or FIG. By setting many judgment rules or conditions therefor, it is possible to make judgments on more types of attacks.
  • the determination unit 120 performs determination by acquiring a rule whose protocol is “SSH” among the determination rules illustrated in FIG. 4. That is, the determination unit 120 determines whether the information shown in FIG. 3 satisfies the rule R2 whose protocol is “SSH” among the determination rules shown in FIG. That is, the determination unit 120 determines whether the rule M2 is satisfied. When the information illustrated in FIG. 3 satisfies the rule M2, the determination unit 120 determines that the attack related to the log that is the extraction source of the information is a manual attack.
  • the rule M2 has the feature "keyboard_input["backspace"]" and the condition "is_true". That is, the rule holds when there is an input of the backspace key of the keyboard.
  • in FIG. 3 there is an item "keyboard_input", and the value for the item is "backspace": True. This indicates that an input of the backspace key is included, as described above. That is, rule M2 holds.
  • the determination unit 120 determines that the attack related to the log that is the extraction source of the information whose "id" is "00001" is a manual attack.
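The determination just walked through, as an added example (not the patent's or its assignee's code): rules R1 and R2 of FIG. 4 and definitions A1 and M2 of FIG. 5 and FIG. 6 are encoded as data, and FIG. 3-style session records are matched against them. Condition A2, the sample session records and the operator spellings are constructed, since the page does not spell them out; the result combines the verdict with the session's addresses, ports and protocol, as the output unit 102 is described as doing.

```python
"""Rule-based attack-type determination in the layout of FIG. 4 to FIG. 6 (added example)."""
import operator

# Determination rules (FIG. 4).  R1 and R2 are the page's own.
DETERMINATION_RULES = [
    {"id": "R1", "protocol": "Telnet", "attack_type": "automatic", "conditions": ["A1", "A2"]},
    {"id": "R2", "protocol": "SSH", "attack_type": "manual", "conditions": ["M2"]},
]

# Automatic (FIG. 5) and manual (FIG. 6) operation definitions.  A1 and M2 are
# the page's own; A2 is a constructed placeholder because the page does not
# spell it out.  Thresholds are in the feature's units (seconds, bytes).
OPERATION_DEFINITIONS = {
    "A1": {"feature": "response_time.std", "op": "<", "value": 5.0},
    "A2": {"feature": "packet_size.std", "op": "<", "value": 1.0},      # constructed
    "M2": {"feature": "keyboard_input.backspace", "op": "is_true"},
}

OPERATORS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
             ">=": operator.ge, "==": operator.eq}

# Constructed FIG. 3-style records; the first mirrors the page's SSH example.
SESSIONS = [
    {"id": "00001", "src_ip": "198.51.100.7", "src_port": 40001,
     "dst_ip": "192.0.2.10", "dst_port": 22, "type": "SSH",
     "response_time": {"mean": 2.1, "std": 1.4},
     "keyboard_input": {"backspace": True}},
    {"id": "00002", "src_ip": "203.0.113.9", "src_port": 51000,
     "dst_ip": "192.0.2.10", "dst_port": 23, "type": "Telnet",
     "response_time": {"mean": 0.5, "std": 0.0},
     "packet_size": {"mean": 19.0, "std": 0.0},
     "keyboard_input": {"backspace": False}},
    {"id": "00003", "src_ip": "203.0.113.20", "src_port": 51002,
     "dst_ip": "192.0.2.10", "dst_port": 23, "type": "Telnet",
     "response_time": {"mean": 6.0, "std": 12.0},
     "packet_size": {"mean": 9.5, "std": 4.7},
     "keyboard_input": {"backspace": False}},
]


def lookup(record, dotted):
    """Resolve a dotted feature name such as 'response_time.std'; None if absent."""
    current = record
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def condition_holds(record, definition):
    """Evaluate one FIG. 5/6 definition; a feature the extractor did not produce never satisfies it."""
    value = lookup(record, definition["feature"])
    if value is None:
        return False
    if definition["op"] == "is_true":
        return value is True
    return OPERATORS[definition["op"]](value, definition["value"])


def determine(record, rules=DETERMINATION_RULES, defs=OPERATION_DEFINITIONS):
    """Return the result for one session, or None when no rule for its protocol fires.

    Rules are tried in order and the first match decides, so more specific
    rules for the same protocol belong earlier in the list.
    """
    for rule in rules:
        if rule["protocol"].lower() != str(record.get("type", "")).lower():
            continue
        if all(condition_holds(record, defs[name]) for name in rule["conditions"]):
            identity = {k: record.get(k) for k in
                        ("id", "src_ip", "src_port", "dst_ip", "dst_port", "type")}
            return {**identity, "rule": rule["id"], "attack_type": rule["attack_type"]}
    return None


def determine_all(records):
    """Step S103 repeated over every extracted session."""
    return [determine(r) for r in records]


if __name__ == "__main__":
    for result in determine_all(SESSIONS):
        print(result)
```

Session 00001 fires R2 (manual), session 00002 fires R1 (automatic), and session 00003, a slow Telnet session without a backspace, matches no rule and is reported as undetermined rather than forced into a class; keeping that third outcome visible is what tells an operator where new rules or conditions are still needed.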
  • the output unit 102 outputs the result of the attack type determined by the determination unit 120 and information related to the result.
  • the target of the output by the output unit 102 is not particularly limited, and may be, for example, a console displayed on any display device (not shown) or a file.
  • the result and other information output by the output unit 102 may be all the determined results or may be any one of the results determined as the automatic attack or the manual attack.
  • the output unit 102 may output other information including the unit when information is extracted by the extraction unit 110, and the extraction criterion.
  • when the attack type is determined on a communication session basis, the output unit 102 may output the determination result combined with the IP address of the transmission source, the port number of the transmission source, the IP address of the destination, the port number of the destination, the protocol, and the like as information related to the result of the determined attack type.
  • the log acquisition unit 101 acquires a log of communication to be a target of attack type determination (step S101).
  • the log acquisition unit 101 may acquire a plurality of logs.
  • the extraction unit 110 extracts, from the communication log acquired in step S101, information related to the type of attack in units of a predetermined period, session, or the like (step S102).
  • the determination unit 120 determines the type of attack based on the information related to the type of attack extracted in step S102 and the determination rule according to the type of attack (step S103).
  • when information is extracted in step S102 for a plurality of periods, sessions, or the like, the process of step S103 is repeated for each of them as appropriate.
  • the output unit 102 outputs information such as the result of the attack type determined in step S103 (step S104).
  • the log analysis device 100 extracts information related to the type of attack from the log of communication, and determines the type of attack related to the log based on that information and the determination rule corresponding to the type of attack.
  • various types of information can be used as information related to the type of attack, and a plurality of determination rules can be used according to the type of attack. Therefore, the log analysis device 100 can determine the type of attack regarding the log of communication including attacks of various patterns. Therefore, the log analysis device 100 facilitates the determination of the attack type in the cyber attack.
  • FIG. 8 is a diagram showing a log analysis device 200 in the second embodiment of the present invention.
  • the log analysis device 200 includes an extraction unit 110, a determination unit 120, and a determination rule generation unit 240.
  • the extraction unit 110 and the determination unit 120 are elements similar to the elements included in the log analysis device 100 in the first embodiment.
  • the determination rule generation unit 240 generates a determination rule based on the communication log for which the type of attack has been determined. That is, the log analysis device 200 differs from the log analysis device 100 in that the log analysis device 200 includes the determination rule generation unit 240.
  • FIG. 9 shows an example of a more specific configuration of the log analysis device 200.
  • the log analysis device 200 includes a log acquisition unit 101, an output unit 102, and a storage unit 130 in addition to the extraction unit 110, the determination unit 120, and the determination rule generation unit 240.
  • the log acquisition unit 101 and the output unit 102 are elements similar to the elements denoted by the same reference numerals in FIG.
  • the storage unit 130 includes a determination rule storage unit 131, an automatic operation definition storage unit 132, a manual operation definition storage unit 133, and a communication data storage unit 234.
  • Each of the determination rule storage unit 131, the automatic operation definition storage unit 132, and the manual operation definition storage unit 133 is an element similar to the element denoted by the same reference numeral in FIG.
  • the communication data storage unit 234 stores a log of communication related to the attack for which the type of attack has been determined. That is, the example shown in FIG. 9 is different from the specific configuration example of the log analysis device 200 shown in FIG. 2 in that the storage unit 130 further includes the communication data storage unit 234.
  • each component of the log analysis device 200 will be described.
  • the description of the same elements as the elements included in the above-described log analysis device 100 will be omitted as appropriate.
  • the determination rule generation unit 240 generates a determination rule based on the communication log for which the type of attack has been determined.
  • the determination rule to be generated is expressed, for example, in the format shown in FIG. 4 to FIG. 6 described above; however, it is not limited thereto and may be determined as appropriate according to the method of generating the determination rule.
  • the determination unit 120 determines the type of attack based on the determination rule generated by the determination rule generation unit 240 as well as the determination rule prepared in advance.
  • the determination rule generation unit 240 generates a determination rule using a method of machine learning.
  • the determination rule generation unit 240 generates a determination rule using, for example, a method called a random forest.
  • the determination rule generation unit 240 extracts information related to the above-described type of attack from each of the logs determined in advance to be related to the automatic attack or the manual attack. That is, from each of these logs, the determination rule generation unit 240 extracts various types of information including information on time, information on data size, or information on input from a keyboard. The extracted information is represented, for example, as shown in FIG. 3 described above.
  • the determination rule generation unit 240 generates a plurality of decision trees that classify information related to the type of attack described above into an automatic attack and a manual attack.
  • the number of decision trees to be generated is not particularly limited, and may be appropriately determined according to the amount of extracted information or the like.
  • the determination unit 120 determines the type of attack based on the generated decision trees. That is, the determination unit 120 determines the type of attack by a majority vote over the classification results (automatic attack or manual attack) of each of the generated decision trees.
  • the determination rule generation unit 240 may generate a determination rule based on another machine learning method other than random forest.
  • the generated determination rule is appropriately stored in each of the determination rule storage unit 131, the automatic operation definition storage unit 132, and the manual operation definition storage unit 133 of the storage unit 130.
  • the determination unit 120 determines the type of attack with reference to the determination rule stored in each element of the storage unit 130.
  • the communication log used when the determination rule generation unit 240 generates the determination rule is stored, for example, in the communication data storage unit 234 in advance.
  • the communication log stored in the communication data storage unit 234 is a log that is determined to be either an automatic attack or a manual attack.
  • the communication log stored in the communication data storage unit 234 may be a log for which the type of attack has been determined by the determination unit 120. By doing this, the log of the communication whose attack type has been determined by the determination unit 120 based on the highly accurate determination rule can also be used for generation of the determination rule.
  • FIG. 10 shows an example of a table for managing files.
  • the attack type and information for identifying the file are described for each of the stored files.
  • a file path or a hash value of a file is used as information for identifying the file.
  • the log file relating to the automatic attack is a file specified by <file path>.
  • the log file related to the manual attack is a file specified by <file hash value>.
  • the determination rule generation unit 240 may generate a determination rule using a log different from the communication log stored in the communication data storage unit 234. For example, the determination rule generation unit 240 may acquire, from an external server or the like, a log of communication related to an attack whose type has been determined in advance, and generate the determination rule using the acquired log.
  • the determination rule generation unit 240 acquires a log of communication used when generating a determination rule (step S201).
  • the determination rule generation unit 240 appropriately refers to the communication data storage unit 234 of the storage unit 130 to acquire a communication log.
  • the determination rule generation unit 240 generates a determination rule using the communication log acquired in step S201 (step S202).
  • the determination rule generation unit 240 updates the content of the storage unit 130 so as to store the determination rule generated in step S202 in each element of the storage unit 130 (step S203).
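The rule generation of this embodiment (a random forest over FIG. 3-style features, with the determination unit voting over the trees) and the procedure of steps S201 to S203, as an added, self-contained example that is not the patent's or its assignee's code and not a production random forest: a handful of bootstrap-sampled, depth-limited decision trees are grown with Gini impurity from labelled sessions, and a new session is classified by majority vote. The feature vectors and labels are constructed training data, and the tree count, depth and feature-subset size are arbitrary choices for the example.

```python
"""Determination-rule generation by a small random forest (added example)."""
import random
from collections import Counter

# Feature order for every vector below (names as in the page's FIG. 3 / FIG. 5 / FIG. 6).
FEATURES = ["response_time.std", "packet_size.std", "keyboard_input.backspace"]

# Constructed learning data: sessions whose attack type was already determined
# (step S201 reads these from the communication data storage unit 234).
TRAINING = [
    ([0.2, 0.0, 0], "automatic"), ([0.4, 0.5, 0], "automatic"),
    ([1.1, 0.0, 0], "automatic"), ([0.7, 2.0, 0], "automatic"),
    ([2.9, 1.5, 0], "automatic"), ([0.1, 0.0, 0], "automatic"),
    ([8.5, 6.1, 1], "manual"), ([6.2, 4.3, 1], "manual"),
    ([12.0, 9.8, 0], "manual"), ([7.7, 3.2, 1], "manual"),
    ([9.3, 5.0, 1], "manual"), ([15.1, 7.4, 1], "manual"),
]


def gini(labels):
    """Gini impurity of a label multiset (0.0 when all labels agree)."""
    n = len(labels)
    return 1.0 - sum((count / n) ** 2 for count in Counter(labels).values())


def best_split(rows, feature_ids):
    """Lowest weighted-Gini (feature, threshold) over midpoints of observed values."""
    best = None
    for f in feature_ids:
        values = sorted({x[f] for x, _ in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2
            left = [y for x, y in rows if x[f] <= thr]
            right = [y for x, y in rows if x[f] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best is None or score < best[0]:
                best = (score, f, thr)
    return best          # None when every candidate feature is constant


def build_tree(rows, rng, max_depth, n_features):
    """Grow one tree; each node considers a random subset of the features."""
    labels = [y for _, y in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if max_depth == 0 or len(set(labels)) == 1:
        return {"leaf": majority}
    feature_ids = rng.sample(range(len(FEATURES)), n_features)
    split = best_split(rows, feature_ids)
    if split is None:
        return {"leaf": majority}
    _, f, thr = split
    left = [r for r in rows if r[0][f] <= thr]
    right = [r for r in rows if r[0][f] > thr]
    return {"feature": f, "threshold": thr,
            "left": build_tree(left, rng, max_depth - 1, n_features),
            "right": build_tree(right, rng, max_depth - 1, n_features)}


def predict_tree(tree, x):
    """Follow one tree from the root to a leaf."""
    while "leaf" not in tree:
        tree = tree["left"] if x[tree["feature"]] <= tree["threshold"] else tree["right"]
    return tree["leaf"]


def generate_rules(rows, n_trees=15, max_depth=3, n_features=2, seed=7):
    """Step S202: bootstrap the labelled sessions and grow a forest (the generated rule)."""
    rng = random.Random(seed)
    forest = []
    for _ in range(n_trees):
        sample = [rng.choice(rows) for _ in rows]
        forest.append(build_tree(sample, rng, max_depth, n_features))
    return forest


def determine(forest, x):
    """Determination unit: majority vote of the trees' classifications."""
    votes = Counter(predict_tree(tree, x) for tree in forest)
    return votes.most_common(1)[0][0]


if __name__ == "__main__":
    forest = generate_rules(TRAINING)          # step S203 would store this in the storage unit 130
    print(determine(forest, [0.3, 0.0, 0]), determine(forest, [10.0, 6.0, 1]))
```

An odd number of trees avoids tied votes between the two classes. The session that the page itself labels manual but that lacks a backspace ([12.0, 9.8, 0] here) is the reason a single keyboard-input condition is not enough on its own and why the forest also looks at the timing and size features.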
  • the log analysis device 200 in the present embodiment further includes the determination rule generation unit 240 that generates the determination rule.
  • the determination unit 120 can determine the type of attack using more determination rules.
  • the determination rule generation unit 240 can generate a determination rule using the log of the communication determined by the determination unit 120. That is, when the machine learning method is used in the determination rule generation unit 240, more data can be used as learning data. Therefore, the log analysis device 200 has the same effect as the log analysis device 100, and enables discrimination of attack types with higher accuracy.
  • FIG. 12 is a diagram showing a log analysis device 300 according to the third embodiment of the present invention.
  • the log analysis device 300 includes an extraction unit 110, a determination unit 120, a determination rule generation unit 240, a reception unit 350, and a first observation unit 360. The extraction unit 110 and the determination unit 120 are elements similar to the elements included in the log analysis device 100 in the first embodiment.
  • the determination rule generation unit 240 is an element similar to the element included in the log analysis device 200 in the second embodiment.
  • the receiving unit 350 receives the communication related to the attack.
  • the first observation unit 360 observes the communication received by the reception unit 350. That is, the log analysis device 300 differs from the log analysis device 200 in that the log analysis device 300 includes the reception unit 350 and the first observation unit 360.
  • FIG. 13 shows an example of a more specific configuration of the log analysis device 300.
  • the log analysis device 300 includes a log acquisition unit 101, an output unit 102, and a storage unit 130 in addition to the extraction unit 110, the determination unit 120, the determination rule generation unit 240, the reception unit 350, and the first observation unit 360.
  • the log acquisition unit 101 and the output unit 102 are elements similar to the elements denoted by the same reference numerals in FIG.
  • the storage unit 130 includes a determination rule storage unit 131, an automatic operation definition storage unit 132, a manual operation definition storage unit 133, a communication data storage unit 234, and an observation data storage unit 335.
  • Each of the determination rule storage unit 131, the automatic operation definition storage unit 132, the manual operation definition storage unit 133, and the communication data storage unit 234 is an element similar to the element to which the same reference numeral is attached in FIG.
  • the observation data storage unit 335 stores the communication log obtained by the first observation unit 360 observing the communication of the reception unit 350.
  • the log analysis device 300 need not include all of these elements. That is, the log analysis device 300 may be configured to include at least the reception unit 350 and the first observation unit 360 in addition to the elements of the log analysis device 100 in the first embodiment.
  • each component of the log analysis device 300 will be described.
  • the description of the same elements as the elements included in the log analysis device 100 or the log analysis device 200 described above is appropriately omitted.
  • the receiving unit 350 receives the communication related to the attack. That is, the receiving unit 350 receives at least a communication transmitted from the outside in association with an attack.
  • the communication related to the attack includes, for example, scan attacks and communication aimed at unauthorized access, but other communication may also be included. The receiving unit 350 may also be capable of receiving other communications, and may be further configured to respond to the received communication.
  • the receiving unit 350 is realized by a honeypot or the like that emulates Telnet, SSH, or other protocols. Also, the receiving unit 350 may be implemented by any type of computer on which Telnet, SSH, or other services operate. The receiving unit 350 may be realized by other means as long as communication related to the attack can be received.
  • the first observation unit 360 observes the communication received by the reception unit 350.
  • the first observation unit 360 is realized by, for example, tcpdump, Wireshark or the like, but is not limited thereto.
  • the first observation unit 360 records the observed communication in the above-described pcap file, text file, or other type of log file.
  • the receiving unit 350 may transmit data in response to communication from the outside.
  • the data transmitted from the reception unit 350 is generally not related to an external attack. Therefore, the first observation unit 360 records the observed data in a log while excluding the data transmitted from the reception unit 350. However, the first observation unit 360 may also record a log that includes the data transmitted from the reception unit 350.
  • the log acquisition unit 101 acquires the log of the communication obtained by the first observation unit 360 observing the communication of the reception unit 350.
  • the log acquisition unit 101 may monitor the first observation unit 360 and acquire the log stored in the observation data storage unit 335. Such an arrangement makes it possible to determine the type of attack quickly when an attack occurs.
  • the log analysis device 300 extracts information, determines the type of attack, and the like by the same operation as the log analysis device 100.
  • the determination rule generation unit 240 generates the determination rule by the same operation as the log analysis device 200.
  • the first observation unit 360 starts observation (step S301).
  • the observation by the first observation unit 360 is started before the reception unit 350 starts receiving, so that none of the communication received by the reception unit 350 is missed.
  • the reception unit 350 starts reception of the communication related to the attack (step S302).
  • processing of the received communication by the reception unit 350 and observation of the communication by the first observation unit 360 are performed (step S303). That is, when the reception unit 350 receives a packet from the outside, it processes the packet and responds as necessary, while the first observation unit 360 observes the communication performed by the reception unit 350.
  • the first observation unit 360 may rotate the log file and perform other necessary processing at regular intervals, depending on the amount of communication and other conditions.
  • the log analysis device 300 in the present embodiment further includes the reception unit 350 and the first observation unit 360.
  • the reception unit 350 and the first observation unit 360 perform reception and observation of communication regarding an attack.
  • the type of attack is determined. Therefore, the log analysis device 300 has at least the same effect as the log analysis device 100 in the first embodiment.
  • the log analysis device 300 enables quick determination of attack type.
  • FIG. 15 is a diagram showing a log analysis device 400 according to the fourth embodiment of the present invention.
  • the log analysis device 400 includes an extraction unit 110, a determination unit 120, a determination rule generation unit 240, a reception unit 350, a first observation unit 360, a malware execution unit 470, a second observation unit 480, and a control unit 490.
  • the extraction unit 110 and the determination unit 120 are elements similar to the elements included in the log analysis device 100 in the first embodiment.
  • the determination rule generation unit 240 is an element similar to the element included in the log analysis device 200 in the second embodiment.
  • the reception unit 350 and the first observation unit 360 are the same elements as the elements included in the log analysis device 300 in the third embodiment.
  • the malware execution unit 470 executes the acquired malware.
  • the second observing unit 480 observes the communication by the malware executed in the malware execution unit 470.
  • the control unit 490 controls the operation of the malware execution unit 470 and the second observation unit 480.
  • FIG. 16 shows an example of a more specific configuration of the log analysis device 400.
  • the log analysis device 400 includes the log acquisition unit 101, the output unit 102, the storage unit 130, and the malware acquisition unit 451, in addition to the above-described elements.
  • Each of the log acquisition unit 101, the output unit 102, and the storage unit 130 is an element similar to an element to which the same reference numeral is attached in each of the first to third embodiments.
  • the malware acquisition unit 451 acquires the malware received by the reception unit 350.
  • the log analysis device 400 need not include all of these elements.
  • the malware acquisition unit 451 acquires the malware received by the reception unit 350. More specifically, the malware acquisition unit 451 detects and acquires malware from the data received by the reception unit 350.
  • the malware acquisition unit 451 detects malware in the same manner as, for example, general antivirus software. That is, the malware acquisition unit 451 detects and acquires malware based on whether or not the received data matches a previously defined feature.
  • alternatively, the malware acquisition unit 451 may treat every program transmitted to the reception unit 350 as malware and acquire all transmitted programs.
  • the acquired malware may be stored together with the identifier in any storage means (not shown).
  • the malware execution unit 470 executes, for example, the malware acquired by the malware acquisition unit 451.
  • the malware execution unit 470 may execute the malware acquired by means other than the malware acquisition unit 451.
  • the malware execution unit 470 is implemented in a general environment for executing malware. That is, the malware execution unit 470 is realized by an emulator, a virtual machine, or the like that simulates the operation of the OS (Operating System).
  • the means for realizing the malware execution unit 470 is not limited to the above, but it is preferable that the effects resulting from the operation of the malware do not spread to other components or to another device.
  • access control of communication may be performed so as not to affect the outside.
  • control may be performed so as to enable communication only to a specific external server.
  • the malware execution unit 470 may include a dummy server corresponding to an external server.
  • the second observing unit 480 observes the communication by the malware executed in the malware execution unit 470.
  • the second observation unit 480 observes communication between the emulator, virtual machine, or the like and an external server, dummy server, or the like.
  • the second observation unit 480 is realized by, for example, a tcpdump command or the like.
  • the second observation unit 480 records the observed communication in the above-described pcap file, text file, and other types of log files. The observed result is appropriately stored in the communication data storage unit 234 together with the information for identifying the malware.
  • the control unit 490 controls the operation of the malware execution unit 470 and the second observation unit 480.
  • the control unit 490 performs transfer of malware to the malware execution unit 470, execution or stop of the malware by the malware execution unit 470, start or stop of observation by the second observation unit 480, or other necessary control.
  • the control unit 490 may control each operation of the malware acquisition unit 451.
  • the control unit 490 transfers the malware to the malware execution unit 470 using, for example, SCP (Secure Copy), SFTP (Secure File Transfer Protocol), or a shared folder. In this case, the transfer is preferably carried out by a procedure whose security is assured.
  • control unit 490 controls the observation by the second observation unit 480 to be generally performed only while the malware execution unit 470 is executing malware. That is, in this example, the control unit 490 controls the second observation unit 480 to start observation immediately before the malware execution unit 470 starts the execution of the malware. The control unit 490 controls the second observation unit 480 to stop observation immediately after the execution of the malware by the malware execution unit 470 is ended.
  • the malware execution unit 470 executes the malware, and the second observation unit 480 observes the communication of the malware to obtain a communication log.
  • the obtained communication log is a log of automatic attacks.
  • the determination rule generation unit 240 generates a new determination rule using the communication log obtained in this way. Then, the determination unit 120 further determines the type of attack by further using the generated determination rule. By determining the type of attack using the generated determination rule, the determination unit 120 can improve the accuracy of analysis.
  • the malware acquiring unit 451 acquires malware from the data received by the receiving unit 350 (step S401).
  • the malware acquisition unit 451 may operate to acquire only the malware that has not been acquired.
  • control unit 490 controls the second observation unit 480 to start observation of communication by malware (step S402).
  • the second observation unit 480 starts observation of communication.
  • control unit 490 controls the malware execution unit 470 to execute the malware (step S403).
  • the malware execution unit 470 starts the execution of the malware.
  • control unit 490 controls the malware execution unit 470 to stop the execution of the malware (step S404).
  • the malware execution unit 470 stops the execution of the malware.
  • control unit 490 controls the second observation unit 480 to stop observation of communication by malware (step S405).
  • the second observation unit 480 stops observation of communication.
  • control unit 490 stores the communication log observed by the second observation unit 480 in the communication data storage unit 234 (step S406).
  • the log analysis device 400 further includes a configuration for executing the acquired malware and observing the communication by the malware.
  • the determination rule regarding the automatic attack is further generated based on the log of the communication by the observed malware. Then, the type of attack is determined using the generated determination rule.
  • the log analysis device 400 has at least the same effect as the log analysis device 100 in the first embodiment. Further, the log analysis device 400 enables highly accurate determination of attack type.
  • a log analysis device comprising:
  • (Supplementary Note 2) The log analysis device according to Supplementary Note 1, wherein the determination means determines whether the attack is an automatic attack or a manual attack.
  • The log analysis device according to Supplementary Note 2, wherein the determination means determines whether the attack is an automatic attack or a manual attack based on whether the information related to the type of the attack matches the determination rule regarding the automatic attack or the determination rule regarding the manual attack.
  • (Supplementary Note 5) The log analysis device according to any one of Supplementary Notes 1 to 4, further comprising: receiving means for receiving communication related to the attack; and first observation means for observing the communication received by the receiving means.
  • (Supplementary Note 6) The log analysis device according to Supplementary Note 5, wherein the determination means extracts information related to the type of the attack from the log of the communication observed by the first observation means.
  • (Supplementary Note 7) The log analysis device according to any one of Supplementary Notes 1 to 6, further comprising determination rule generation means for generating the determination rule based on the log of the communication whose type has been determined.
  • (Supplementary Note 8) The log analysis device further comprising: malware execution means for executing malware; second observation means for observing the communication by the malware executed in the malware execution means; and control means for controlling the malware execution means and the second observation means.
  • The log analysis device according to Supplementary Note 8, wherein the determination rule generation means generates the determination rule regarding the automatic attack based on the log of the communication observed by the second observation means.

Abstract

Provided is a log analysis device which makes it easy to distinguish types of cyber attack, for example, to distinguish between automated and manual attacks. This log analysis device is provided with: an extraction means which extracts attack type related information from a communication log associated with an attack; and a determination means which determines the type of the attack associated with the log, on the basis of the attack type related information and on the basis of determination rules set for each type of attack. The extraction means extracts, as the attack type related information, information relating to time, information relating to data size, and information relating to keyboard input.

Description

Log analysis device, log analysis method, and computer-readable recording medium
The present invention relates to a log analysis device, a log analysis method, and a computer-readable recording medium.
Cyber attacks such as unauthorized access and malware infection are sometimes carried out by abusing means for operating a computer at a remote location. Such means include, for example, CUI (Character User Interface) methods such as Telnet (Teletype Network) and SSH (Secure Shell), and GUI (Graphical User Interface) methods such as RDP (Remote Desktop Protocol) and VNC (Virtual Network Computing). When such a cyber attack is carried out, the attacker's behavior pattern is analyzed in order to clarify the attacker's purpose and attack method.
Non-Patent Document 1 discloses a technique that, for unauthorized access using SSH (Secure Shell), classifies the types of commands executed after intrusion into a server into seven groups and shows the attacker's behavior pattern as a transition diagram of command groups.
Non-Patent Document 2 proposes a method of detecting a botnet that abuses IRC (Internet Relay Chat) by comparing its messages with the characteristics of the messages entered when a human uses IRC.
Patent Document 1 describes an unauthorized access detection system and the like. Patent Document 2 describes an apparatus and the like for threat detection in a data processing system.
JP 2016-71384 A
JP 2013-503377 A
As one example of analysis of an attacker's behavior pattern in a cyber attack, it is sometimes determined whether the attack procedure is automated or the attack is manual. Beyond the documents described above, a technique for easily determining the type of attack is therefore required.
The present invention has been made to solve the above problem, and its main object is to provide a log analysis device that makes it easy to determine the type of attack in a cyber attack.
A log analysis device according to one aspect of the present invention includes: extraction means for extracting information related to the type of attack from a log of communication related to the attack; and determination means for determining the type of attack related to the log based on the information related to the type of attack and on a determination rule corresponding to the type of attack.
A log analysis method according to one aspect of the present invention extracts information related to the type of attack from a log of communication related to the attack, and determines the type of attack related to the log based on the information related to the type of attack and on a determination rule corresponding to the type of attack.
A computer-readable recording medium according to one aspect of the present invention non-transitorily stores a program that causes a computer to execute: a process of extracting information related to the type of attack from a log of communication related to the attack; and a process of determining the type of attack related to the log based on the information related to the type of attack and on a determination rule corresponding to the type of attack.
According to the present invention, a log analysis device that makes it easy to determine the type of attack in a cyber attack can be provided.
FIG. 1 is a diagram showing a log analysis device according to the first embodiment of the present invention.
FIG. 2 is a diagram showing an example of a more detailed configuration of the log analysis device according to the first embodiment.
FIG. 3 is a diagram showing an example of the information related to the type of attack that is extracted by the extraction unit.
FIG. 4 is a diagram showing an example of a determination rule used in the determination unit.
FIG. 5 is a diagram showing an example of an automatic operation definition used in the determination unit.
FIG. 6 is a diagram showing an example of a manual operation definition used in the determination unit.
FIG. 7 is a flowchart showing the operation of the log analysis device according to the first embodiment.
FIG. 8 is a diagram showing a log analysis device according to the second embodiment of the present invention.
FIG. 9 is a diagram showing an example of a more detailed configuration of the log analysis device according to the second embodiment.
FIG. 10 is a diagram showing an example of a table that manages the communication log files stored for each type of attack.
FIG. 11 is a flowchart showing the operation of the log analysis device according to the second embodiment.
FIG. 12 is a diagram showing a log analysis device according to the third embodiment of the present invention.
FIG. 13 is a diagram showing an example of a more detailed configuration of the log analysis device according to the third embodiment.
FIG. 14 is a flowchart showing the operation of the log analysis device according to the third embodiment.
FIG. 15 is a diagram showing a log analysis device according to the fourth embodiment of the present invention.
FIG. 16 is a diagram showing an example of a more detailed configuration of the log analysis device according to the fourth embodiment.
FIG. 17 is a flowchart showing the operation of the log analysis device according to the fourth embodiment.
FIG. 18 is a diagram showing an example of an information processing device that realizes the log analysis device and the like in each embodiment of the present invention.
Embodiments of the present invention will be described with reference to the accompanying drawings. In each embodiment, each component of each device (system) represents a functional block. Some or all of the components of each device (system) are realized, for example, by any combination of an information processing device 1000 as shown in FIG. 18 and a program. As one example, the information processing device 1000 includes the following configuration.
  • CPU (Central Processing Unit) 1001
  • ROM (Read Only Memory) 1002
  • RAM (Random Access Memory) 1003
  • Program 1004 loaded into the RAM 1003
  • Storage device 1005 that stores the program 1004
  • Drive device 1007 that reads from and writes to a recording medium 1006
  • Communication interface 1008 connected to a communication network 1009
  • Input/output interface 1010 for data input and output
  • Bus 1011 connecting the components
Each component of each device in each embodiment is realized by the CPU 1001 acquiring and executing the program 1004 that implements its functions. The program 1004 that implements the functions of the components is, for example, stored in advance in the storage device 1005 or the RAM 1003 and read out by the CPU 1001 as necessary. The program 1004 may instead be supplied to the CPU 1001 via the communication network 1009, or may be stored in advance in the recording medium 1006, from which the drive device 1007 reads it and supplies it to the CPU 1001.
There are various variations in how each device is realized. For example, each device may be realized by any combination of a separate information processing device 1000 and program for each component. Alternatively, a plurality of components of one device may be realized by any combination of a single information processing device 1000 and a program.
Some or all of the components of each device may be realized by general-purpose or dedicated circuits including a processor or the like, or by a combination of these. These may be constituted by a single chip or by a plurality of chips connected via a bus. Some or all of the components of each device may also be realized by a combination of the above circuits and a program.
When some or all of the components of each device are realized by a plurality of information processing devices, circuits, or the like, these may be arranged centrally or in a distributed manner. For example, the information processing devices, circuits, and the like may be realized in a form in which each is connected via a communication network, such as a client-server system or a cloud computing system.
(First Embodiment)
First, a first embodiment of the present invention will be described. FIG. 1 is a diagram showing a log analysis device 100 according to the first embodiment of the present invention.
As shown in FIG. 1, the log analysis device 100 according to the first embodiment includes at least an extraction unit 110 and a determination unit 120. The extraction unit 110 extracts information related to the type of attack from a log of communication related to the attack. The determination unit 120 determines the type of attack related to the log based on the information related to the type of attack and on a determination rule corresponding to the type of attack.
FIG. 2 shows an example of a more specific configuration of the log analysis device 100. In the example shown in FIG. 2, the log analysis device 100 includes a log acquisition unit 101, an output unit 102, and a storage unit 130 in addition to the extraction unit 110 and the determination unit 120. In this configuration, all elements may be realized as a single device, or the storage unit 130 and the other elements may be realized by separate devices connected via a communication network.
The log acquisition unit 101 acquires the log of the communication that is the target of attack type determination. The output unit 102 outputs the result of the attack type determined by the determination unit 120 and information related to the result. The storage unit 130 mainly stores the information needed by the determination unit 120 to determine the type of attack. In the example shown in FIG. 2, the storage unit 130 has a determination rule storage unit 131, an automatic operation definition storage unit 132, and a manual operation definition storage unit 133. The determination rule storage unit 131 stores the conditions used when determining the type of attack. The automatic operation definition storage unit 132 stores features related to attacks performed by automated operation. The manual operation definition storage unit 133 stores features related to attacks performed by manual operation.
Next, each component of the log analysis device 100 will be described.
The log acquisition unit 101 acquires the log of the communication that is the target of attack type determination. The log acquired by the log acquisition unit 101 is assumed to be mainly a log of communication related to some attack. The type of log acquired is not particularly limited; it may be a binary file such as a pcap (packet capture) file or a text file such as a proxy log. The type of attack is also not particularly limited; for example, scan attacks and attacks aimed at unauthorized access are among the assumed attacks.
The extraction unit 110 extracts information related to the type of attack from the log of communication related to the attack. The communication log is, for example, the log acquired by the log acquisition unit 101. The extraction unit 110 extracts the information related to the type of attack in units of communication sessions or other predetermined periods.
When the information related to the type of attack is extracted per session, sessions are distinguished using the source IP (Internet Protocol) address, source port number, destination IP address, destination port number, protocol, and other information.
The information related to the type of attack includes, for example, information about time, information about data size, and information about keyboard input. As one example, the extraction unit 110 extracts these pieces of information from the log. The information related to the type of attack is not limited to these, and the extraction unit 110 may acquire other information as information related to the type of attack.
The information on time includes, for example, the response time from the source, the arrival interval of packets, and the difference in arrival time between a packet and the preceding packet. Statistical values such as the mean and standard deviation of these may also be computed as information on time. The information on data size includes, for example, the sizes of the packets received in the session in question. Statistical values such as the mean and standard deviation of the packet sizes may also be computed as information on data size. The information on keyboard input includes, for example, whether a specific key was input. Each of the information on time, the information on data size and the information on keyboard input may, however, include information other than that described above.
The extraction unit 110 refers to the log sequentially and extracts the information described above. The extraction unit 110 may further compute the statistical values described above from the extracted information.
When referring to the log, the extraction unit 110 uses means appropriate to the type of log.
When the log is a pcap file, the extraction unit 110 acquires, in order from the beginning of the file, the values stored in the pcap header and in the header of each protocol layer. The extraction unit 110 may additionally acquire information that is not recorded in headers, such as the size of the TCP (Transmission Control Protocol) payload or keyboard input. The extraction unit 110 collects the acquired values per session and stores them as needed in the storage unit 130 or another element, for example in the format of FIG. 3 described later. Once it has read to the end of the pcap file, the extraction unit 110 may further compute other information from the values recorded per session, including the mean and standard deviation of the packet arrival interval, the packet size and so on.
FIG. 3 shows an example of the information extracted by the extraction unit 110 when information related to the type of attack is extracted per session. In FIG. 3, "id" is the identification number assigned to each session. "src_ip" is the source IP address and "src_port" is the source port number. "dst_ip" is the destination IP address and "dst_port" is the destination port number. Concrete addresses and port numbers may be written in each of the "src_ip", "src_port", "dst_ip" and "dst_port" fields. "type" is the type of protocol used in the session; in the example of FIG. 3 it shows that SSH was used. "keyboard_input" indicates whether the specified key was input. In the example of FIG. 3 the value of this field is "backspace": True, which indicates that input of the keyboard's backspace key is included.
The number of sessions extracted by the extraction unit 110 is not particularly limited. Nor, in the example of FIG. 3, is the number of pieces of information related to the type of attack limited per unit of extraction such as a session; the example of FIG. 3 may further include other information, such as statistics of the response time from the source or the packet size. Depending on the determination procedure of the determination unit 120 and the like, at least some of the information listed in FIG. 3 need not be extracted.
The determination unit 120 determines the type of attack related to the log based on the information related to the type of attack extracted by the extraction unit 110 and on determination rules corresponding to attack types. For each of the units described above, the determination unit 120 determines whether the attack related to the log is an automatic attack, carried out automatically by a script, malware or the like, or a manual attack, in which an attacker executes the steps one by one.
More specifically, the determination unit 120 determines whether the attack related to the log is an automatic attack or a manual attack by matching the information related to the type of attack extracted by the extraction unit 110 against the determination rules corresponding to attack types. The procedure of the determination unit 120 is described further below.
FIG. 4 shows an example of the determination rules used by the determination unit 120. The determination rules are stored in advance, for example, in the determination rule storage unit 131. The determination unit 120 is not limited to the determination rules stored in advance in the determination rule storage unit 131; it may also perform determination using determination rules acquired as appropriate from, for example, an external server or another external device.
In the example of FIG. 4, "ID" is identification information assigned to each determination rule to identify it. "Protocol" is the type of protocol targeted by each determination rule. "Attack type" is the type of attack targeted by each determination rule.
"Rule" is the condition that a log whose protocol matches the "Protocol" field must satisfy in order to be judged related to the type of attack given in the "Attack type" field.
That is, the determination rule with "ID" "R1" indicates that a communication log whose protocol is Telnet can be judged to be a log related to an automatic attack when conditions A1 and A2 both hold. Similarly, the determination rule with "ID" "R2" indicates that a communication log whose protocol is SSH can be judged to be a log related to a manual attack when condition M2 holds.
The details of the rules in FIG. 4 are specified as automatic operation definitions or manual operation definitions. FIG. 5 shows an example of an automatic operation definition, and FIG. 6 shows an example of a manual operation definition.
The automatic operation definitions and the manual operation definitions are stored in advance, for example, in the automatic operation definition storage unit 132 and the manual operation definition storage unit 133 respectively. The determination unit 120 is not limited to the definitions stored in advance in the automatic operation definition storage unit 132 or the manual operation definition storage unit 133; it may also perform determination using determination rules acquired as appropriate from an external server or the like.
In the examples of FIG. 5 and FIG. 6, "identifier" identifies each rule. "feature" is the feature of the log that relates to the type of attack. "condition" is the condition on that feature under which the rule is judged to be satisfied.
In each of FIG. 5 and FIG. 6, "response_time" in the "feature" column is the response time from the party specified by the source IP address. "std" denotes the standard deviation and "mean" denotes the mean. In the "condition" column, "s" denotes seconds, and "is_true" means that the keyboard input specified in the "feature" column is present. Thus rule A1 of FIG. 5 can be judged satisfied when the standard deviation of the response time from the party specified by the source IP address is less than 5 seconds.
In the example of FIG. 4, one determination rule is set per protocol; however, multiple determination rules may be set per protocol. The protocol is not limited to Telnet or SSH and may be any other protocol. Likewise, in the example of FIG. 4, one determination rule is set for each of automatic attack and manual attack; however, multiple determination rules may be set for each of them.
Similarly, the number of conditions in the automatic operation definition of FIG. 4 and in the manual operation definition of FIG. 6 is not limited to the number illustrated. Conditions are not limited to response time or keyboard input; for example, conditions on packet size or other conditions may be included among the conditions shown in FIG. 4 or FIG. 6. Setting more determination rules, or more conditions for them, makes it possible to determine more kinds of attack.
The processing in which the determination unit 120 determines the type of attack from the information related to the type of attack extracted by the extraction unit 110 is now described using the examples of FIG. 3 to FIG. 6.
Referring to the information with "id" "00001" extracted by the extraction unit 110 in FIG. 3, its "type" is "SSH". The determination unit 120 therefore takes, from the determination rules of FIG. 4, the rule whose protocol is "SSH" and performs determination with it. That is, the determination unit 120 determines whether the information of FIG. 3 satisfies rule R2, the rule of FIG. 4 whose protocol is "SSH"; in other words, it determines whether rule M2 is satisfied. When the information of FIG. 3 satisfies rule M2, the determination unit 120 determines that the attack related to the log from which the information was extracted is a manual attack.
Referring to FIG. 6, rule M2 has the feature "keyboard_input["backspace"]" and the condition "is_true"; that is, the rule holds when the keyboard's backspace key was input. Referring to FIG. 3, the "keyboard_input" field has the value "backspace": True, which, as described above, indicates that input of the backspace key is included. Rule M2 therefore holds.
Accordingly, in this case the determination unit 120 determines that the attack related to the log from which the information with "id" "00001" was extracted is a manual attack.
The output unit 102 outputs the result of the attack type determined by the determination unit 120 and information related to the result. The destination of the output of the output unit 102 is not particularly limited; it may be, for example, a console displayed on any display device (not shown), or a file. The results and other information output by the output unit 102 may be all of the determined results, or only those determined to be automatic attacks, or only those determined to be manual attacks. The output unit 102 may also output other information, including the unit by which the extraction unit 110 extracted the information and the criteria for extraction. When the attack type was determined per communication session, the output unit 102 may output, together with the determination result, the source IP address, source port number, destination IP address, destination port number, protocol and so on as information related to the determined attack type.
The operation of the log analysis device 100 in the present embodiment is now described with reference to the flowchart of FIG. 7. This operation example assumes that the log analysis device 100 has the configuration shown in FIG. 2.
First, the log acquisition unit 101 acquires the communication log that is the target of attack type determination (step S101). In this step the log acquisition unit 101 may acquire multiple logs.
Next, the extraction unit 110 extracts, from the communication log acquired in step S101, information related to the type of attack per predetermined period, per session or per other unit (step S102). When multiple logs were acquired in step S101, the operation of step S102 is repeated as appropriate.
Next, the determination unit 120 determines the type of attack based on the information related to the type of attack extracted in step S102 and the determination rules corresponding to attack types (step S103). When information was extracted for multiple periods, sessions or the like in step S102, the processing of step S103 is repeated as appropriate.
Next, the output unit 102 outputs information such as the attack type result determined in step S103 (step S104).
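The rule matching of FIG. 3 to FIG. 6 and the S101 to S104 flow, as an added Python example that is not code from the patent. It assumes packet records already parsed from the log rather than a raw pcap file, takes the side on the higher port as the source, and, because the page names condition A2 without reproducing it, substitutes an assumed packet-size condition for A2.

```python
import statistics
from collections import defaultdict, namedtuple

# One packet of the acquired log (constructed; stands in for pcap parsing): arrival time in
# seconds, 5-tuple, protocol (assumed identified), TCP payload size, decoded keys (constructed).
Packet = namedtuple("Packet", "ts src_ip src_port dst_ip dst_port proto size keys", defaults=[()])

# Operation definitions as in FIG. 5 / FIG. 6: identifier -> (feature, operator, threshold).
# A1 and M2 are given on the page; A2 is only named there, so its body is ASSUMED here.
OPERATION_DEFINITIONS = {
    "A1": ("response_time.std", "<", 5.0),                # seconds (FIG. 5)
    "A2": ("packet_size.std", "<", 100.0),                # ASSUMED, not from the page
    "M2": ("keyboard_input.backspace", "is_true", None),  # FIG. 6
}

# Determination rules as in FIG. 4: protocol, attack type, conditions that must all hold.
DETERMINATION_RULES = [
    {"id": "R1", "protocol": "Telnet", "attack_type": "automatic", "rule": ["A1", "A2"]},
    {"id": "R2", "protocol": "SSH", "attack_type": "manual", "rule": ["M2"]},
]

def extract_sessions(packets):
    """Step S102: group packets by 5-tuple and build FIG. 3 style records."""
    groups = defaultdict(list)
    for p in sorted(packets, key=lambda p: p.ts):
        # The side on the ephemeral (higher) port is the source; both directions share a key.
        if p.src_port > p.dst_port:
            key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto)
        else:
            key = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto)
        groups[key].append(p)
    sessions = []
    for n, (key, pkts) in enumerate(groups.items(), start=1):
        src_ip, src_port, dst_ip, dst_port, proto = key
        response_times, sizes, keys, last_from_dst = [], [], set(), None
        for p in pkts:
            if p.src_ip != src_ip:         # packet received from the target
                sizes.append(p.size)
                last_from_dst = p.ts
                continue
            keys.update(p.keys)            # key presses sent by the source
            if last_from_dst is not None:  # source's reply after target output
                response_times.append(p.ts - last_from_dst)
                last_from_dst = None
        rt, sz = response_times or [0.0], sizes or [0]
        sessions.append({
            "id": f"{n:05d}", "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "type": proto,
            "response_time": {"mean": statistics.fmean(rt), "std": statistics.pstdev(rt)},
            "packet_size": {"mean": statistics.fmean(sz), "std": statistics.pstdev(sz)},
            "keyboard_input": {"backspace": "backspace" in keys},
        })
    return sessions

def condition_holds(session, identifier):
    """Evaluate one operation-definition condition against a FIG. 3 record."""
    path, op, threshold = OPERATION_DEFINITIONS[identifier]
    value = session
    for part in path.split("."):
        value = value[part]
    if op == "<":
        return value < threshold
    if op == "is_true":
        return value is True
    raise ValueError(f"unsupported operator {op!r}")

def determine_attack_type(session):
    """Step S103: first rule whose protocol matches and whose conditions all hold;
    "undetermined" when none does (this example's choice, not stated on the page)."""
    for rule in DETERMINATION_RULES:
        if rule["protocol"] == session["type"] and all(
                condition_holds(session, c) for c in rule["rule"]):
            return rule["attack_type"], rule["id"]
    return "undetermined", None

def analyse(packets):
    """Steps S101 to S104: the per-session records the output unit would emit."""
    out = []
    for s in extract_sessions(packets):
        s["attack_type"], s["rule"] = determine_attack_type(s)
        out.append({k: s[k] for k in ("id", "src_ip", "src_port", "dst_ip", "dst_port",
                                      "type", "attack_type", "rule")})
    return out

def sample_packets():
    """Constructed log: an SSH session whose source presses backspace, and a Telnet
    session with machine-regular timing and no editing keys."""
    t, a, b = "192.0.2.10", "203.0.113.5", "198.51.100.7"  # constructed addresses
    return [Packet(0.00, a, 51234, t, 22, "SSH", 64),
            Packet(0.05, t, 22, a, 51234, "SSH", 120),
            Packet(2.30, a, 51234, t, 22, "SSH", 36, ("l", "s")),
            Packet(2.35, t, 22, a, 51234, "SSH", 900),
            Packet(9.80, a, 51234, t, 22, "SSH", 36, ("c", "d", "backspace")),
            Packet(0.00, b, 40000, t, 23, "Telnet", 10),
            Packet(0.02, t, 23, b, 40000, "Telnet", 200),
            Packet(0.12, b, 40000, t, 23, "Telnet", 12, ("i", "d")),
            Packet(0.14, t, 23, b, 40000, "Telnet", 210),
            Packet(0.24, b, 40000, t, 23, "Telnet", 12, ("enter",))]
```

Running `analyse(sample_packets())` yields the SSH session as manual via R2 (backspace present) and the Telnet session as automatic via R1.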
As described above, the log analysis device 100 in the present embodiment extracts information related to the type of attack from a communication log and determines the type of attack related to the log based on that information and determination rules corresponding to attack types. In the analysis by the log analysis device 100, various kinds of information can be used as information related to the type of attack, and multiple determination rules corresponding to attack types can be used.
The log analysis device 100 can therefore determine the type of attack for communication logs containing attacks of various patterns. Accordingly, the log analysis device 100 makes it easier to distinguish attack types in cyber attacks.
Second Embodiment
Next, a second embodiment of the present invention is described. FIG. 8 shows a log analysis device 200 in the second embodiment of the present invention.
As shown in FIG. 8, the log analysis device 200 in the second embodiment of the present invention includes an extraction unit 110, a determination unit 120 and a determination rule generation unit 240. The extraction unit 110 and the determination unit 120 are the same as the corresponding elements of the log analysis device 100 in the first embodiment. The determination rule generation unit 240 generates determination rules based on communication logs for which the type of attack has been determined. That is, the log analysis device 200 differs from the log analysis device 100 in that it includes the determination rule generation unit 240.
FIG. 9 shows an example of a more specific configuration of the log analysis device 200. In the example of FIG. 9, the log analysis device 200 includes, in addition to the extraction unit 110, the determination unit 120 and the determination rule generation unit 240, a log acquisition unit 101, an output unit 102 and a storage unit 130. The log acquisition unit 101 and the output unit 102 are the same as the elements with the same reference numerals in FIG. 2. In the example of FIG. 9, the storage unit 130 has a determination rule storage unit 131, an automatic operation definition storage unit 132, a manual operation definition storage unit 133 and a communication data storage unit 234. The determination rule storage unit 131, the automatic operation definition storage unit 132 and the manual operation definition storage unit 133 are the same as the elements with the same reference numerals in FIG. 2. The communication data storage unit 234 stores logs of communication related to attacks for which the type of attack has been determined. That is, the example of FIG. 9 differs from the specific configuration example shown in FIG. 2 in that the storage unit 130 further has the communication data storage unit 234.
Each component of the log analysis device 200 is now described. Description of elements that are the same as those of the log analysis device 100 described above is omitted as appropriate.
The determination rule generation unit 240 generates determination rules based on communication logs for which the type of attack has been determined. The generated determination rules are expressed, for example, in the format of FIG. 4 to FIG. 6 described above, but they are not limited to this format and may be defined as appropriate according to the method used to generate them. The determination unit 120 determines the type of attack based not only on determination rules prepared in advance but also on determination rules generated by the determination rule generation unit 240.
As one example, the determination rule generation unit 240 generates determination rules using a machine learning technique. In this case the determination rule generation unit 240 generates determination rules using, for example, the technique called random forest.
An example in which the determination rule generation unit 240 generates determination rules by random forest is described. In this case the determination rule generation unit 240 extracts the information related to the type of attack described above from each of the logs that have been determined in advance to relate to an automatic attack or a manual attack. That is, from each of these logs the determination rule generation unit 240 extracts various information, including information on time, information on data size or information on keyboard input. The extracted information is represented, for example, as in FIG. 3 described above.
The determination rule generation unit 240 then generates multiple decision trees that classify the information related to the type of attack described above into automatic attack and manual attack. The number of decision trees generated is not particularly limited and may be set as appropriate according to, for example, the amount of extracted information. When determination rules have been generated in this way, the determination unit 120 determines the type of attack based on the generated decision trees; that is, the determination unit 120 determines the type of attack by majority vote over the automatic/manual classification results of each of the generated decision trees.
The determination rule generation unit 240 may also generate determination rules based on machine learning techniques other than random forest. The generated determination rules are stored as appropriate in the determination rule storage unit 131, the automatic operation definition storage unit 132 or the manual operation definition storage unit 133 of the storage unit 130. The determination unit 120 determines the type of attack by referring to the determination rules stored in the elements of the storage unit 130.
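A from-scratch random forest over constructed, pre-labelled FIG. 3 style rows, as an added example that is not the patent's implementation: each tree is grown on a bootstrap sample with a random feature subset per split, and determination is the majority vote of the trees, as described above. The feature set, all training values and the tree parameters are constructed assumptions.

```python
import random
from collections import Counter

# Feature order of one FIG. 3 style row reduced to a numeric vector (constructed choice
# of features; the page leaves the exact feature set open).
FEATURES = ("response_time_std", "response_time_mean", "packet_size_std", "backspace")

def constructed_training_rows(seed=1, n=40):
    """Constructed, pre-labelled sessions standing in for the communication data storage
    unit: automatic sessions react with near-constant timing and never edit input; manual
    sessions vary in timing and sometimes use backspace."""
    rng = random.Random(seed)
    rows = []
    for _ in range(n):
        rows.append(([rng.uniform(0.0, 1.5), rng.uniform(0.1, 2.0),
                      rng.uniform(0.0, 40.0), 0.0], "automatic"))
        rows.append(([rng.uniform(3.0, 20.0), rng.uniform(2.5, 30.0),
                      rng.uniform(50.0, 800.0), float(rng.random() < 0.7)], "manual"))
    return rows

def gini(labels):
    """Gini impurity of a label list (0.0 when all labels agree)."""
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())

def best_split(rows, feature_ids):
    """Lowest weighted Gini split among the candidate features handed to this node."""
    best = None
    for f in feature_ids:
        for thr in sorted({x[f] for x, _ in rows}):
            left = [lab for x, lab in rows if x[f] < thr]
            right = [lab for x, lab in rows if x[f] >= thr]
            if not left or not right:
                continue
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if best is None or score < best[0]:
                best = (score, f, thr)
    return best

def grow_tree(rows, rng, depth=0, max_depth=3, n_features=2):
    """One decision tree; each node considers only a random subset of the features."""
    labels = [lab for _, lab in rows]
    majority = Counter(labels).most_common(1)[0][0]
    if depth == max_depth or gini(labels) == 0.0:
        return {"leaf": majority}
    split = best_split(rows, rng.sample(range(len(FEATURES)), n_features))
    if split is None:
        return {"leaf": majority}
    _, f, thr = split
    return {"feature": f, "threshold": thr,
            "left": grow_tree([r for r in rows if r[0][f] < thr], rng, depth + 1, max_depth, n_features),
            "right": grow_tree([r for r in rows if r[0][f] >= thr], rng, depth + 1, max_depth, n_features)}

def generate_rules(rows, n_trees=15, seed=7):
    """Step S202: grow each tree on a bootstrap sample of the labelled sessions."""
    rng = random.Random(seed)
    return [grow_tree([rng.choice(rows) for _ in rows], rng) for _ in range(n_trees)]

def classify(tree, x):
    """Follow one tree from the root to a leaf for feature vector x."""
    while "leaf" not in tree:
        tree = tree["left"] if x[tree["feature"]] < tree["threshold"] else tree["right"]
    return tree["leaf"]

def determine(forest, x):
    """Determination with generated rules: majority vote over the trees' results."""
    return Counter(classify(t, x) for t in forest).most_common(1)[0][0]

def rules_of(tree, prefix=()):
    """Flatten one tree into FIG. 5 / FIG. 6 style (feature, condition) lists with a label."""
    if "leaf" in tree:
        return [(list(prefix), tree["leaf"])]
    name, thr = FEATURES[tree["feature"]], tree["threshold"]
    return (rules_of(tree["left"], prefix + ((name, f"< {thr:.2f}"),)) +
            rules_of(tree["right"], prefix + ((name, f">= {thr:.2f}"),)))
```

`rules_of` shows how a generated tree can be read back as the same kind of feature/condition rules the hand-written definitions use.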
The communication logs that the determination rule generation unit 240 uses to generate determination rules are stored in advance, for example, in the communication data storage unit 234. The communication logs stored in the communication data storage unit 234 are logs that have been determined to be either automatic attacks or manual attacks. They may be logs whose attack type was determined by the determination unit 120. In this way, communication logs whose attack type was determined by the determination unit 120 based on highly accurate determination rules can also be used in generating determination rules.
In the communication data storage unit 234, communication logs are stored as separate files according to the type of attack. The communication data storage unit 234 therefore holds a table for managing the files. FIG. 10 shows an example of a table for managing files. A table such as that of FIG. 10 records, for each stored file, the attack type and information identifying the file. A file path or a hash value of the file is used as the information identifying the file.
In the example of FIG. 10, the log file for automatic attacks is the file specified by <file path>, and the log file for manual attacks is the file identified by <file hash value>.
The determination rule generation unit 240 may also generate determination rules using logs other than the communication logs stored in the communication data storage unit 234. For example, the determination rule generation unit 240 may acquire, as appropriate from an external server or the like, logs of communication related to attacks whose type has been determined in advance, and create determination rules using what it acquired.
Next, the operation of the log analysis device 200 in the present embodiment concerning the generation of determination rules is described with reference to the flowchart of FIG. 11. This operation example assumes that the log analysis device 200 has the configuration shown in FIG. 9. The log analysis device 200 extracts information, determines the type of attack and so on by the same operations as the log analysis device 100.
First, the determination rule generation unit 240 acquires the communication logs used to generate determination rules (step S201). The determination rule generation unit 240 acquires the communication logs by referring as appropriate to the communication data storage unit 234 of the storage unit 130.
Next, the determination rule generation unit 240 generates determination rules using the communication logs acquired in step S201 (step S202).
Next, the determination rule generation unit 240 updates the contents of the storage unit 130 so that the determination rules generated in step S202 are stored in the respective elements of the storage unit 130 (step S203).
As described above, the log analysis device 200 in the present embodiment further includes the determination rule generation unit 240, which generates determination rules. With the determination rule generation unit 240, the determination unit 120 can determine the type of attack using more determination rules. The determination rule generation unit 240 can also generate determination rules using the communication logs whose type was determined by the determination unit 120; that is, when a machine learning technique is used in the determination rule generation unit 240, more data can be used as training data. The log analysis device 200 therefore has the same effects as the log analysis device 100 and additionally enables attack types to be distinguished with higher accuracy.
Third Embodiment
Next, a third embodiment of the present invention is described. FIG. 12 shows a log analysis device 300 in the third embodiment of the present invention.
As shown in FIG. 12, the log analysis device 300 in the third embodiment of the present invention includes an extraction unit 110, a determination unit 120, a determination rule generation unit 240, a reception unit 350 and a first observation unit 360. The extraction unit 110 and the determination unit 120 are the same as the corresponding elements of the log analysis device 100 in the first embodiment. The determination rule generation unit 240 is the same as the corresponding element of the log analysis device 200 in the second embodiment. The reception unit 350 receives communication related to attacks. The first observation unit 360 observes the communication received by the reception unit 350. That is, the log analysis device 300 differs from the log analysis device 200 in that it includes the reception unit 350 and the first observation unit 360.
 また、図13は、ログ分析装置300のより具体的な構成の一例を示す。図13に示す例では、ログ分析装置300は、抽出部110、判定部120、判定ルール生成部240、受信部350及び第1の観測部360に加えて、ログ取得部101と、出力部102と、記憶部130とを備える。ログ取得部101及び出力部102は、図2において同じ符号が付された要素と同様の要素である。 Also, FIG. 13 shows an example of a more specific configuration of the log analysis device 300. In the example illustrated in FIG. 13, the log analysis device 300 includes the log acquisition unit 101 and the output unit 102 in addition to the extraction unit 110, the determination unit 120, the determination rule generation unit 240, the reception unit 350, and the first observation unit 360. And a storage unit 130. The log acquisition unit 101 and the output unit 102 are elements similar to the elements denoted by the same reference numerals in FIG.
 また、図13に示す例では、記憶部130は、判定ルール記憶部131と、自動操作定義記憶部132と、手動操作定義記憶部133と、通信データ記憶部234と、観測データ記憶部335とを有する。判定ルール記憶部131、自動操作定義記憶部132、手動操作定義記憶部133及び通信データ記憶部234の各々は、図2又は図9において同じ符号が付された要素と同様の要素である。観測データ記憶部335は、第1の観測部360が、受信部350の通信を観測することで得た通信のログを記憶する。 Further, in the example illustrated in FIG. 13, the storage unit 130 includes a determination rule storage unit 131, an automatic operation definition storage unit 132, a manual operation definition storage unit 133, a communication data storage unit 234, and an observation data storage unit 335. Have. Each of the determination rule storage unit 131, the automatic operation definition storage unit 132, the manual operation definition storage unit 133, and the communication data storage unit 234 is an element similar to the element to which the same reference numeral is attached in FIG. The observation data storage unit 335 stores the communication log obtained by the first observation unit 360 observing the communication of the reception unit 350.
 なお、図12及び図13に示す例では、判定ルール生成部240及び通信データ記憶部234を備える構成が示されている。しかしながら、ログ分析装置300は、これらの要素を備えなくてもよい。すなわち、ログ分析装置300は、第1の実施形態におけるログ分析装置100に対して、更に受信部350と、第1の観測部360とを少なくとも備える構成であってもよい。 In the examples shown in FIGS. 12 and 13, a configuration including the determination rule generation unit 240 and the communication data storage unit 234 is shown. However, log analyzer 300 may not include these elements. That is, the log analysis device 300 may be configured to further include at least the reception unit 350 and the first observation unit 360 in addition to the log analysis device 100 in the first embodiment.
 続いて、ログ分析装置300の各構成要素について説明する。なお、上述したログ分析装置100又はログ分析装置200が備える要素と同様の要素については、説明を適宜省略する。 Subsequently, each component of the log analysis device 300 will be described. The description of the same elements as the elements included in the log analysis device 100 or the log analysis device 200 described above is appropriately omitted.
 受信部350は、攻撃に関連する通信を受信する。すなわち、受信部350は、少なくとも、攻撃に関連して外部から送信される通信を受信する。攻撃に関連する通信には、例えば、スキャン攻撃や、不正アクセスを目的とした通信が含まれるが、これ以外の通信が攻撃に関連する通信に含まれてもよい。また、受信部350は、その他の通信を受信可能であってもよい。受信部350は、更に、受信した通信に対して応答するような構成であってもよい。 The receiving unit 350 receives the communication related to the attack. That is, the receiving unit 350 receives at least a communication transmitted from the outside in association with an attack. The communication related to the attack includes, for example, a scan attack and a communication for the purpose of unauthorized access, but other communication may be included in the communication related to the attack. Also, the receiving unit 350 may be capable of receiving other communications. The receiving unit 350 may be further configured to respond to the received communication.
 受信部350は、TelnetやSSH、又はその他のプロトコルをエミュレートするハニーポット等によって実現される。また、受信部350は、TelnetやSSH又はその他のサービスが動作する任意の種類のコンピュータによって実現されてもよい。受信部350は、攻撃に関連する通信が受信可能であれば、この他の手段によって実現されてもよい。 The receiving unit 350 is realized by a honeypot or the like that emulates Telnet, SSH, or other protocols. Also, the receiving unit 350 may be implemented by any type of computer on which Telnet, SSH, or other services operate. The receiving unit 350 may be realized by other means as long as communication related to the attack can be received.
 第1の観測部360は、受信部350が受信する通信を観測する。第1の観測部360は、例えば、tcpdumpやWireshark等により実現されるが、これらには限られない。第1の観測部360は、観測した通信を、上述したpcapファイルやテキストファイル、又はその他の種類のログファイルに記録する。 The first observation unit 360 observes the communication received by the reception unit 350. The first observation unit 360 is realized by, for example, tcpdump, Wireshark or the like, but is not limited thereto. The first observation unit 360 records the observed communication in the above-described pcap file, text file, or other type of log file.
 また、本実施形態において、受信部350は、外部からの通信に応じてデータを送信する場合がある。しかしながら、受信部350から送信されるデータは、一般に、外部からの攻撃には関係のないデータである。そのため、第1の観測部360は、受信部350から送信されるデータを除外してログに記録する。ただし、第1の観測部360は、受信部350から送信されるデータを含めてログに記録してもよい。 Further, in the present embodiment, the receiving unit 350 may transmit data in response to communication from the outside. However, the data transmitted from the reception unit 350 is generally data that is not related to an external attack. Therefore, the first observation unit 360 excludes the data transmitted from the reception unit 350 and records the data in a log. However, the first observation unit 360 may record data including the data transmitted from the reception unit 350 in a log.
 本実施形態においては、ログ取得部101は、第1の観測部360が、受信部350の通信を観測することで得た通信のログを取得する。ログ分析装置300が記憶部130を備える場合には、ログ取得部101は、第1の観測部360が観測し、観測データ記憶部335に記憶されたログを取得してもよい。このような構成とすることで、攻撃が行われた場合に、迅速な攻撃の種別の判定が可能となる。 In the present embodiment, the log acquisition unit 101 acquires the log of the communication obtained by the first observation unit 360 observing the communication of the reception unit 350. When the log analysis device 300 includes the storage unit 130, the log acquisition unit 101 may observe the first observation unit 360 and acquire the log stored in the observation data storage unit 335. Such an arrangement makes it possible to quickly determine the type of attack when an attack is made.
 続いて、図14に示すフローチャートを参照して、本実施形態におけるログ分析装置300の主に受信部350及び第1の観測部360に関する動作を説明する。なお、ログ分析装置300は、ログ分析装置100と同様の動作によって情報の抽出や攻撃の種別の判定等を行う。また、ログ分析装置300が判定ルール生成部240を備える場合には、判定ルール生成部240は、ログ分析装置200と同様の動作によって判定ルールの生成を行う。 Next, with reference to the flowchart shown in FIG. 14, the operations relating mainly to the reception unit 350 and the first observation unit 360 of the log analysis device 300 in the present embodiment will be described. The log analysis device 300 extracts information, determines the type of attack, and the like by the same operation as the log analysis device 100. When the log analysis device 300 includes the determination rule generation unit 240, the determination rule generation unit 240 generates the determination rule by the same operation as the log analysis device 200.
 最初に、第1の観測部360は、観測を開始する(ステップS301)。第1の観測部360による観測は、受信部350が受信する通信の観測に漏れが生じないよう、受信部350による受信の開始に先行して開始される。 First, the first observation unit 360 starts observation (step S301). The observation by the first observation unit 360 is started prior to the start of reception by the reception unit 350 so that no leakage occurs in the observation of the communication received by the reception unit 350.
 次に、受信部350は、攻撃に関連する通信の受信を開始する(ステップS302)。 Next, the reception unit 350 starts reception of the communication related to the attack (step S302).
 次に、受信部350による受信した通信の処理、及び、第1の観測部360による当該通信の観測が行われる(ステップS303)。すなわち、受信部350は、外部からパケットを受信すると、当該パケットの処理及び応答を必要に応じて行う。この場合に、第1の観測部360は、受信部350によって行われる通信を観測する。第1の観測部360は、ログファイルのローテートやその他の必要な処理を一定時間毎、通信量やその他の条件に応じて行ってもよい。 Next, processing of the received communication by the reception unit 350 and observation of the communication by the first observation unit 360 are performed (step S303). That is, when the receiving unit 350 receives a packet from the outside, the receiving unit 350 performs processing and response of the packet as necessary. In this case, the first observation unit 360 observes the communication performed by the reception unit 350. The first observation unit 360 may rotate the log file and perform other necessary processing at regular intervals, depending on the amount of communication and other conditions.
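The third embodiment leaves two practical choices to the implementer: whether the observation unit keeps the honeypot's own replies, and how to get from a raw capture to a log the extraction unit can use. The following is an added example (not the patent's or NEC's code) that parses constructed tcpdump-style text lines, keeps only the packets addressed to the honeypot, and builds the equivalent capture filter for running tcpdump live. The honeypot address `192.0.2.10`, the sample lines, and all function names are assumptions made for the example.

```python
"""Direction filter for the first observation unit (added example, not the
patent's own code).  The observation unit records the honeypot's traffic but,
by default, leaves out the data the honeypot itself sends back.  This example
parses constructed tcpdump-style text lines and keeps only the inbound side,
and builds the equivalent capture filter for running tcpdump live."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed address for the honeypot (the patent names none).
HONEYPOT_IP = "192.0.2.10"

# Matches tcpdump's default one-line TCP output, e.g.
# 12:00:00.000001 IP 203.0.113.5.51234 > 192.0.2.10.22: Flags [S], seq 1000, win 64240, length 0
_LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): .*length (?P<len>\d+)$"
)


@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    length: int


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump text line; return None for lines that do not match."""
    m = _LINE_RE.match(line.strip())
    if m is None:
        return None
    return Packet(m["ts"], m["src"], int(m["sport"]),
                  m["dst"], int(m["dport"]), int(m["len"]))


def inbound_only(lines: Iterable[str], honeypot_ip: str = HONEYPOT_IP,
                 keep_responses: bool = False) -> List[Packet]:
    """Return the packets destined to the honeypot.  With keep_responses=True
    the honeypot's own replies are kept too (the patent allows either)."""
    kept: List[Packet] = []
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue                       # unparseable line: skip, don't abort
        if pkt.dst == honeypot_ip and pkt.src != honeypot_ip:
            kept.append(pkt)
        elif keep_responses and pkt.src == honeypot_ip:
            kept.append(pkt)
    return kept


def bytes_per_source(packets: Iterable[Packet]) -> dict:
    """Payload bytes per attacking address, the kind of per-source summary
    the extraction unit would later derive from the log."""
    totals: dict = {}
    for pkt in packets:
        totals[pkt.src] = totals.get(pkt.src, 0) + pkt.length
    return totals


def capture_filter(honeypot_ip: str = HONEYPOT_IP, keep_responses: bool = False) -> str:
    """BPF expression for doing the same exclusion at capture time."""
    if keep_responses:
        return f"host {honeypot_ip}"
    return f"dst host {honeypot_ip} and not src host {honeypot_ip}"


# Constructed sample log: one Telnet-style session plus one scan probe, with a
# malformed line to show that bad input is skipped rather than fatal.
SAMPLE_LINES = [
    "12:00:00.000001 IP 203.0.113.5.51234 > 192.0.2.10.22: Flags [S], seq 1000, win 64240, length 0",
    "12:00:00.000120 IP 192.0.2.10.22 > 203.0.113.5.51234: Flags [S.], seq 2000, ack 1001, win 65535, length 0",
    "12:00:00.000300 IP 203.0.113.5.51234 > 192.0.2.10.22: Flags [P.], seq 1001:1033, ack 2001, win 64240, length 32",
    "12:00:00.000450 IP 192.0.2.10.22 > 203.0.113.5.51234: Flags [P.], seq 2001:2022, ack 1033, win 65535, length 21",
    "12:00:01.500000 IP 198.51.100.7.40000 > 192.0.2.10.23: Flags [S], seq 500, win 1024, length 0",
    "this line is not a packet record",
]
```

The capture-time variant is the cheaper one: starting the observer as `tcpdump -n -i eth0 -w honeypot.pcap 'dst host 192.0.2.10 and not src host 192.0.2.10'` before the honeypot service comes up implements steps S301 and S302 in that order, and the honeypot's replies never reach the log at all. Parsing after the fact is what you want when the same capture must also serve the "keep responses" option.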
As described above, the log analysis device 300 of the present embodiment further includes the reception unit 350 and the first observation unit 360. The reception unit 350 and the first observation unit 360 receive and observe communication related to attacks. The type of attack is then determined for the logs of the observed attack-related communication. Therefore, the log analysis device 300 achieves at least the same effects as the log analysis device 100 of the first embodiment. In addition, the log analysis device 300 enables the type of attack to be determined promptly.
(Fourth Embodiment)
Next, a fourth embodiment of the present invention is described. FIG. 15 is a diagram showing a log analysis device 400 according to the fourth embodiment of the present invention.
As shown in FIG. 15, the log analysis device 400 includes an extraction unit 110, a determination unit 120, a determination rule generation unit 240, a reception unit 350, a first observation unit 360, a malware execution unit 470, a second observation unit 480, and a control unit 490.
The extraction unit 110 and the determination unit 120 are the same elements as those included in the log analysis device 100 of the first embodiment. The determination rule generation unit 240 is the same element as that included in the log analysis device 200 of the second embodiment. The reception unit 350 and the first observation unit 360 are the same elements as those included in the log analysis device 300 of the third embodiment.
The malware execution unit 470 executes acquired malware. The second observation unit 480 observes the communication of the malware executed in the malware execution unit 470. The control unit 490 controls the operation of the malware execution unit 470 and the second observation unit 480.
FIG. 16 shows an example of a more specific configuration of the log analysis device 400. In the example shown in FIG. 16, the log analysis device 400 includes, in addition to the elements described above, a log acquisition unit 101, an output unit 102, a storage unit 130, and a malware acquisition unit 451. Each of the log acquisition unit 101, the output unit 102, and the storage unit 130 is the same element as that denoted by the same reference numeral in the figures of the first to third embodiments. The malware acquisition unit 451 acquires malware received by the reception unit 350.
The examples shown in FIGS. 15 and 16 include the determination rule generation unit 240 and the communication data storage unit 234. However, the log analysis device 300 need not include these elements.
Each component of the log analysis device 400 is described below. Description of elements that are the same as those described in the embodiments above is omitted where appropriate.
The malware acquisition unit 451 acquires malware received by the reception unit 350. More specifically, the malware acquisition unit 451 detects malware in the data received by the reception unit 350 and acquires it.
The malware acquisition unit 451 detects malware in the same way as, for example, general antivirus software. That is, the malware acquisition unit 451 detects and acquires malware based on whether the received data matches predefined characteristics, or on similar criteria. When the reception unit 350 is configured not to initiate communication to the outside, the malware acquisition unit 451 may treat every program sent to the reception unit 350 as malware and acquire all such programs. Acquired malware may be stored, together with an identifier, in any storage means (not shown).
The malware execution unit 470 executes, for example, the malware acquired by the malware acquisition unit 451. The malware execution unit 470 may also execute malware acquired by means other than the malware acquisition unit 451.
The malware execution unit 470 is realized in a general environment for executing malware. That is, the malware execution unit 470 is realized by an emulator, a virtual machine, or the like that simulates the operation of an OS (Operating System). The means for realizing the malware execution unit 470 are not limited to these, but it is preferable that problems caused by the behaviour of the malware cannot propagate to other components or to other devices. In addition, since malware generally attacks external targets, access control of communication may be performed in the malware execution unit 470 so that the outside is not affected. For example, the malware execution unit 470 may be controlled so that communication is possible only with a specific external server. When external access is controlled in this way, the malware execution unit 470 may include a dummy server that stands in for an external server.
The second observation unit 480 observes the communication of the malware executed in the malware execution unit 470. For example, the second observation unit 480 observes communication between the emulator or virtual machine and an external server or dummy server. The second observation unit 480 is realized by, for example, the tcpdump command. The second observation unit 480 records the observed communication in the pcap file, text file, or other type of log file described above. The observed results are stored in the communication data storage unit 234 as appropriate, together with information identifying the malware.
The control unit 490 controls the operation of the malware execution unit 470 and the second observation unit 480. The control unit 490 performs the transfer of malware to the malware execution unit 470, the execution or stopping of malware by the malware execution unit 470, the starting or stopping of observation by the second observation unit 480, and any other necessary control. The control unit 490 may also control the operations of the malware acquisition unit 451.
The control unit 490 transfers malware to the malware execution unit 470 using, for example, SCP (Secure Copy), SFTP (Secure File Transfer Protocol), or a shared folder. In this case, the transfer is preferably performed by a procedure in which security is ensured.
As one example, the control unit 490 controls the second observation unit 480 so that observation is performed, in general, only while the malware execution unit 470 is executing malware. That is, in this example, the control unit 490 causes the second observation unit 480 to start observation immediately before the malware execution unit 470 starts executing the malware, and causes the second observation unit 480 to stop observation immediately after the malware execution unit 470 finishes executing the malware.
The malware execution unit 470 executes the malware and the second observation unit 480 observes the malware's communication, which yields a communication log. The log obtained in this way is a log of an automatic attack. Using this communication log, the determination rule generation unit 240 generates a new determination rule. The determination unit 120 then determines the type of attack using the generated determination rule as well. Because the determination unit 120 determines the type of attack using the generated determination rule, the accuracy of the analysis can be improved.
Next, the operations of the log analysis device 400 of the present embodiment, mainly those relating to the malware acquisition unit 451, the malware execution unit 470, and the second observation unit 480, are described with reference to the flowchart shown in FIG. 17.
First, the malware acquisition unit 451 acquires malware from the data received by the reception unit 350 (step S401). In step S401, the malware acquisition unit 451 may operate so as to acquire only malware that has not yet been acquired.
Next, the control unit 490 instructs the second observation unit 480 to start observing the malware's communication (step S402). In response, the second observation unit 480 starts observing the communication.
Next, the control unit 490 instructs the malware execution unit 470 to execute the malware (step S403). In response, the malware execution unit 470 starts executing the malware.
Next, the control unit 490 instructs the malware execution unit 470 to stop executing the malware (step S404). In response, the malware execution unit 470 stops executing the malware.
Next, the control unit 490 instructs the second observation unit 480 to stop observing the malware's communication (step S405). In response, the second observation unit 480 stops observing the communication.
Finally, the control unit 490 stores the communication log observed by the second observation unit 480 in the communication data storage unit 234 (step S406).
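Steps S401 to S406 above, together with the earlier remark that the acquisition unit may take only not-yet-acquired samples and store each with an identifier, describe an orchestration whose correctness depends on ordering: the observer must be active before the sample runs and must still be active when it stops, or traffic is silently lost. The following added example (not the patent's or NEC's code) implements that sequencing with stand-in units. Sample execution is simulated by replaying a constructed table of connection lines, so nothing is actually run; the unit class names, the SHA-256 identifier, the `"automatic"` label, and the sample bytes are all assumptions made for the example.

```python
"""Control-unit sequencing for steps S401 to S406 (added example, not the
patent's own code).  Execution is simulated from a constructed behaviour
table so the example runs offline; nothing is actually executed."""
import hashlib
from typing import Dict, List, Optional


class MalwareAcquisitionUnit:
    """Stand-in for acquisition unit 451: identifies each received program by
    its SHA-256 and acquires it only if not acquired before (step S401)."""

    def __init__(self) -> None:
        self.samples: Dict[str, bytes] = {}

    def acquire(self, received: bytes) -> Optional[str]:
        ident = hashlib.sha256(received).hexdigest()
        if ident in self.samples:
            return None                      # already acquired: skip
        self.samples[ident] = received
        return ident


class SecondObservationUnit:
    """Stand-in for observation unit 480: records only while active, so any
    communication emitted outside the start/stop window is lost."""

    def __init__(self) -> None:
        self.active = False
        self.records: List[str] = []

    def start(self) -> None:
        self.active, self.records = True, []

    def stop(self) -> None:
        self.active = False

    def record(self, line: str) -> bool:
        if not self.active:
            return False
        self.records.append(line)
        return True


class SimulatedExecutionUnit:
    """Stand-in for execution unit 470: replays the constructed connection
    lines listed for the sample identifier instead of running anything."""

    def __init__(self, behaviour: Dict[str, List[str]]) -> None:
        self.behaviour = behaviour

    def start(self, ident: str, observer: SecondObservationUnit) -> None:
        for line in self.behaviour.get(ident, []):
            observer.record(line)

    def stop(self) -> None:
        pass                                 # nothing to tear down in the simulation


class ControlUnit:
    """Stand-in for control unit 490: enforces the S402..S406 ordering."""

    def __init__(self, observer, executor, store: Dict[str, dict]) -> None:
        self.observer, self.executor = observer, executor
        self.store = store                   # stands in for storage unit 234

    def run_sample(self, ident: str) -> int:
        self.observer.start()                            # S402: observe first
        try:
            self.executor.start(ident, self.observer)    # S403: run sample
        finally:
            self.executor.stop()                         # S404: stop sample
            self.observer.stop()                         # S405: stop observer
        # S406: keep the log under the sample identifier, labelled as an
        # automatic-attack log so the rule generator can treat it as such.
        self.store[ident] = {"label": "automatic",
                             "log": list(self.observer.records)}
        return len(self.store[ident]["log"])


def process_received(programs: List[bytes], behaviour: Dict[str, List[str]]):
    """S401 for every received program, then S402..S406 for new ones only.
    Returns (identifiers processed in order, the log store)."""
    store: Dict[str, dict] = {}
    acq = MalwareAcquisitionUnit()
    ctl = ControlUnit(SecondObservationUnit(), SimulatedExecutionUnit(behaviour), store)
    processed: List[str] = []
    for prog in programs:
        ident = acq.acquire(prog)
        if ident is not None:
            ctl.run_sample(ident)
            processed.append(ident)
    return processed, store


# Constructed samples and behaviour (placeholders, not real malware).
SAMPLE_A = b"constructed sample A"
SAMPLE_B = b"constructed sample B"
ID_A = hashlib.sha256(SAMPLE_A).hexdigest()
ID_B = hashlib.sha256(SAMPLE_B).hexdigest()
SIMULATED_BEHAVIOUR = {
    ID_A: ["10.0.0.5:49152 -> 10.0.0.254:23 len=12",   # rapid Telnet probes
           "10.0.0.5:49153 -> 10.0.0.254:23 len=12",
           "10.0.0.5:49154 -> 10.0.0.254:23 len=12"],
    ID_B: ["10.0.0.5:49200 -> 10.0.0.254:2222 len=64"],
}
```

The `try`/`finally` in `run_sample` is the point of the example: if the sample's execution raises, the observer is still stopped and the partial log is still stored under the sample's identifier, which is what lets the rule generator later match each automatic-attack log back to the sample that produced it. In a real deployment the stand-in executor would drive the isolated virtual machine the text describes, and the observer would start and stop a tcpdump process on the sandbox's network segment.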
As described above, the log analysis device 400 of the present embodiment further includes a configuration for executing acquired malware and observing the malware's communication. With this configuration, determination rules for automatic attacks are additionally generated from the logs of the observed malware communication, and the type of attack is then determined using the generated determination rules.
Therefore, the log analysis device 400 achieves at least the same effects as the log analysis device 100 of the first embodiment. In addition, the log analysis device 400 enables the type of attack to be determined with high accuracy.
Part or all of the present invention may also be described as in the following supplementary notes, but is not limited to them.
(Supplementary Note 1)
A log analysis device comprising:
extraction means for extracting, from a log of communication related to an attack, information related to the type of the attack; and
determination means for determining the type of the attack related to the log based on the information related to the type of the attack and a determination rule corresponding to the type of the attack.
(Supplementary Note 2)
The log analysis device according to claim 1, wherein the determination means determines whether the attack is an automatic attack or a manual attack.
(Supplementary Note 3)
The log analysis device according to Supplementary Note 2, wherein the determination means determines whether the attack is an automatic attack or a manual attack based on whether the information related to the type of the attack matches the determination rule for automatic attacks or the determination rule for manual attacks.
(Supplementary Note 4)
The log analysis device according to any one of Supplementary Notes 1 to 3, wherein the information related to the type of the attack includes one or more of information on time, information on the size of data, and information on input from a keyboard.
(Supplementary Note 5)
The log analysis device according to any one of Supplementary Notes 1 to 4, further comprising:
reception means for receiving communication related to an attack; and
first observation means for observing the communication received by the reception means.
(Supplementary Note 6)
The log analysis device according to Supplementary Note 5, wherein the determination means extracts the information related to the type of the attack from the log of the communication observed by the first observation means.
(Supplementary Note 7)
The log analysis device according to any one of Supplementary Notes 1 to 6, further comprising determination rule generation means for generating the determination rule based on the log of the communication whose type has been determined.
(Supplementary Note 8)
The log analysis device according to Supplementary Note 7, further comprising:
malware execution means for executing malware;
second observation means for observing the communication of the malware executed in the malware execution means; and
control means for controlling the malware execution means and the second observation means.
(Supplementary Note 9)
The log analysis device according to claim 8, wherein the determination rule generation means generates the determination rule for automatic attacks based on the log of the communication observed by the second observation means.
(Supplementary Note 10)
A log analysis method comprising:
extracting, from a log of communication related to an attack, information related to the type of the attack; and
determining the type of the attack related to the log based on the information related to the type of the attack and a determination rule corresponding to the type of the attack.
(Supplementary Note 11)
A program causing a computer to execute:
a process of extracting, from a log of communication related to an attack, information related to the type of the attack; and
a process of determining the type of the attack related to the log based on the information related to the type of the attack and a determination rule corresponding to the type of the attack.
100 log analysis device
110 extraction unit
120 determination unit
101 log acquisition unit
102 output unit
130 storage unit
131 determination rule storage unit
132 automatic operation definition storage unit
133 manual operation definition storage unit
234 communication data storage unit
335 observation data storage unit
240 determination rule generation unit
350 reception unit
360 first observation unit
451 malware acquisition unit
470 malware execution unit
480 second observation unit
490 control unit

Claims (11)

  1.  A log analysis device comprising:
      extraction means for extracting, from a log of communication related to an attack, information related to the type of the attack; and
      determination means for determining the type of the attack related to the log based on the information related to the attack and a determination rule corresponding to the type of the attack.
  2.  The log analysis device according to claim 1, wherein the determination means determines whether the attack is an automatic attack or a manual attack.
  3.  The log analysis device according to claim 2, wherein the determination means determines whether the attack is the automatic attack or the manual attack based on whether the information indicating the type of the attack matches the determination rule for the automatic attack or the determination rule for the manual attack.
  4.  The log analysis device according to any one of claims 1 to 3, wherein the information related to the type of the attack includes one or more of information on time, information on the size of data, and information on input from a keyboard.
  5.  The log analysis device according to any one of claims 1 to 4, further comprising:
      reception means for receiving communication related to an attack; and
      first observation means for observing the communication received by the reception means.
  6.  The log analysis device according to claim 5, wherein the determination means extracts the information related to the type of the attack from the log of the communication observed by the first observation means.
  7.  The log analysis device according to any one of claims 1 to 6, further comprising determination rule generation means for generating the determination rule based on the log of the communication whose type has been determined.
  8.  The log analysis device according to claim 7, further comprising:
      malware execution means for executing malware;
      second observation means for observing the communication of the malware executed in the malware execution means; and
      control means for controlling the malware execution means and the second observation means.
  9.  The log analysis device according to claim 8, wherein the determination rule generation means generates the determination rule for automatic attacks based on the log of the communication observed by the second observation means.
  10.  A log analysis method comprising:
      extracting, from a log of communication related to an attack, information related to the type of the attack; and
      determining the type of the attack related to the log based on the information related to the type of the attack and a determination rule corresponding to the type of the attack.
  11.  A non-transitory computer-readable recording medium storing a program that causes a computer to execute:
      a process of extracting, from a log of communication related to an attack, information related to the type of the attack; and
      a process of determining the type of the attack related to the log based on the information related to the type of the attack and a determination rule corresponding to the type of the attack.
PCT/JP2017/031041, filed 2017-08-30 (priority date 2017-08-30): Log analysis device, log analysis method, and computer-readable recording medium, published as WO2019043804A1 (en).

Priority Applications (2)

Application Number | Priority Date | Filing Date | Title
JP2019538803A JP6962374B2 (en) | 2017-08-30 | 2017-08-30 | Log analyzer, log analysis method and program
PCT/JP2017/031041 WO2019043804A1 (en) | 2017-08-30 | 2017-08-30 | Log analysis device, log analysis method, and computer-readable recording medium

Publications (1)

Publication Number | Publication Date
WO2019043804A1 | 2019-03-07

Family

ID=65526406

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2017/031041 WO2019043804A1 (en) 2017-08-30 2017-08-30 Log analysis device, log analysis method, and computer-readable recording medium

Country Status (2)

Country Link
JP (1) JP6962374B2 (en)
WO (1) WO2019043804A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005236863A (en) * 2004-02-23 2005-09-02 Kddi Corp Log analyzing device and program, and recording medium
JP2009181335A (en) * 2008-01-30 2009-08-13 Nippon Telegr & Teleph Corp <Ntt> Analysis system, analysis method, and analysis program
WO2014129587A1 (en) * 2013-02-21 2014-08-28 日本電信電話株式会社 Network monitoring device, network monitoring method, and network monitoring program
JP2017059964A (en) * 2015-09-15 2017-03-23 富士通株式会社 Network monitoring device, network monitoring method, and network monitoring program

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
RU193101U1 (en) * 2019-05-13 2019-10-14 федеральное государственное казенное военное образовательное учреждение высшего образования "Краснодарское высшее военное училище имени генерала армии С.М. Штеменко" Министерства обороны Российской Федерации System for analytical processing of information security events
JPWO2021090866A1 (en) * 2019-11-08 2021-05-14
WO2021090866A1 (en) * 2019-11-08 2021-05-14 日本電気株式会社 Data processing device, data processing method, and program
JP7318729B2 (en) 2019-11-08 2023-08-01 日本電気株式会社 DATA PROCESSING DEVICE, DATA PROCESSING METHOD, AND PROGRAM
CN112272186A (en) * 2020-10-30 2021-01-26 深信服科技股份有限公司 Network flow detection framework, method, electronic equipment and storage medium
CN112272186B (en) * 2020-10-30 2023-07-18 深信服科技股份有限公司 Network traffic detection device and method, electronic equipment and storage medium
CN117220961A (en) * 2023-09-20 2023-12-12 中国电子科技集团公司第十五研究所 Intrusion detection method and device based on association rule patterns

Also Published As

Publication number Publication date
JP6962374B2 (en) 2021-11-05
JPWO2019043804A1 (en) 2020-08-06

Similar Documents

Publication Publication Date Title
US11374835B2 (en) Apparatus and process for detecting network security attacks on IoT devices
CN109194680B (en) Network attack identification method, device and equipment
US10721244B2 (en) Traffic feature information extraction method, traffic feature information extraction device, and traffic feature information extraction program
US20150033343A1 (en) Method, Apparatus, and Device for Detecting E-Mail Attack
WO2017139489A1 (en) Automated honeypot provisioning system
US10862854B2 (en) Systems and methods for using DNS messages to selectively collect computer forensic data
JP6962374B2 (en) Log analyzer, log analysis method and program
US10257213B2 (en) Extraction criterion determination method, communication monitoring system, extraction criterion determination apparatus and extraction criterion determination program
JP7388613B2 (en) Packet processing method and apparatus, device, and computer readable storage medium
JP2019097133A (en) Communication monitoring system and communication monitoring method
KR102280845B1 (en) Method and apparatus for detecting abnormal behavior in network
Singh et al. A honeypot system for efficient capture and analysis of network attack traffic
US10142359B1 (en) System and method for identifying security entities in a computing environment
CN111865996A (en) Data detection method and device and electronic equipment
EP3230886B1 (en) Operating system fingerprint detection
CN112804263A (en) Vulnerability scanning method, system and equipment for Internet of things
JP2014179025A (en) Connection destination information extraction device, connection destination information extraction method, and connection destination information extraction program
KR102044181B1 (en) Apparatus and method for creating whitelist with network traffic
CN111131309A (en) Distributed denial of service detection method and device and model creation method and device
CN112822146A (en) Network connection monitoring method, device, system and computer readable storage medium
JP6592196B2 (en) Malignant event detection apparatus, malignant event detection method, and malignant event detection program
US11546356B2 (en) Threat information extraction apparatus and threat information extraction system
KR100772177B1 (en) Method and apparatus for generating intrusion detection event to test security function
CN114117408A (en) Method and device for monitoring command of attack end and readable storage medium
CN112822204A (en) NAT detection method, device, equipment and medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17923407; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2019538803; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 17923407; Country of ref document: EP; Kind code of ref document: A1)