WO2019225214A1 - Determination method, determination device, and determination program - Google Patents
Determination method, determination device, and determination program
- Publication number: WO2019225214A1
- Authority: WO (WIPO (PCT))
- Prior art keywords: attack, code, server, determination, successful
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
Definitions
- The present invention relates to a determination method, a determination device, and a determination program.
- While web applications are used by many services, they are readily exposed to attacks because they can be accessed by an unspecified number of users.
- Such attacks can be detected by a WAF (Web Application Firewall), a NIDS (Network-based Intrusion Detection System), or the like, but a large number of alerts must then be investigated and verified to establish whether or not each attack succeeded. One conceivable technique for determining whether an attack succeeded is therefore to inspect the response to the attack request: if the response shows a feature that appears when the attack succeeds, the attack is determined to have succeeded, and if no such feature appears, the attack is determined to have failed (see, for example, Non-Patent Document 1).
- The present invention has been made in view of the above, and an object thereof is to appropriately determine the success or failure of an attack that works as a backdoor.
- The determination method of the present invention is a determination method for determining whether or not an attack on a server by an attack code is successful, and includes an attack type determination step of determining the attack type of the attack code included in an attack request to the server; an attack code analysis step of emulating, according to the determined attack type, the attack on the server by the attack code; a feature extraction step of extracting, when the attack on the server succeeds as a result of the emulation, a feature related to the backdoor operation that appears in the attack code to the server; and a success/failure determination step of determining that the attack by the attack code has succeeded when the communication log of the server has the extracted feature.
- The determination device of the present invention is a determination device that determines whether or not an attack on a server by an attack code is successful, and includes an attack type determination unit that determines the attack type of the attack code included in an attack request to the server; an attack code analysis unit that emulates, according to the determined attack type, the attack on the server by the attack code; a feature extraction unit that extracts, when the attack on the server succeeds as a result of the emulation, a feature related to the backdoor operation that appears in the attack code to the server; and a success/failure determination unit that determines that the attack by the attack code has succeeded when the communication log of the server has the extracted feature.
- The determination program of the present invention is a determination program for determining whether or not an attack on a server by an attack code is successful, and causes a computer to execute an attack type determination step of determining the attack type of the attack code included in an attack request to the server; an attack code analysis step of emulating, according to the determined attack type, the attack on the server by the attack code; a feature extraction step of extracting, when the attack on the server succeeds as a result of the emulation, a feature related to the backdoor operation that appears in the attack code to the server; and a success/failure determination step of determining that the attack by the attack code has succeeded when the communication log of the server has the extracted feature.
- FIG. 1 is a diagram illustrating an outline of the operation of the determination device according to the first embodiment.
- FIG. 2 is a diagram illustrating a configuration example of the determination device.
- FIG. 3 is a diagram showing an example of the attack type keyword list.
- FIG. 4 is a diagram illustrating an example of the backdoor operation feature table.
- FIG. 5 is a flowchart showing the processing procedure of the determination device.
- FIG. 6 is a diagram illustrating a configuration example of a network including the determination device.
- FIG. 7 is a diagram illustrating a computer that executes the determination program.
- The determination device 10 receives an attack request ((1)) to a web application (web server).
- The web application /index.php contains a vulnerability that allows arbitrary command execution.
- The determination device 10 executes the attack code in the emulator and stores the behavior observed there in a backdoor operation feature table 112 (not shown in FIG. 1), described later ((2)). For example, when the attack code is executed in the emulator, as it would be if the attack succeeded, the determination device 10 can observe that the code waits for a connection on port number 4444, that /bin/bash is started once a connection arrives, and that arbitrary commands can therefore be executed by connecting to port 4444 from outside.
- The determination device 10 refers to the backdoor operation feature table 112 and determines whether or not the attack request succeeded based on the presence or absence of the backdoor operation ((4)). Specifically, the determination device 10 determines success or failure by comparing the backdoor operation feature table 112 with the actual communication log.
- The determination device 10 observes the operation of the attack code in the emulator and determines the success or failure of the attack based on the presence or absence of the backdoor communication specified by the attack code.
- Because the determination device 10 observes the operation of the attack code in the emulator without modifying the existing system, it can appropriately determine the success or failure of the attack according to the presence or absence of the backdoor operation specified by the attack code.
- The determination device 10 includes a storage unit 11, an attack detection unit 121, an attack type determination unit 122, an attack code analysis unit 123, a feature extraction unit 124, and a success/failure determination unit 125.
- The attack type keyword list 111 is information indicating, for each attack type, the keywords that appear in attack code of that type.
- The attack type keyword list 111 is referred to when the attack type determination unit 122 determines an attack type from the keywords included in the attack code.
- The attack types are divided into five: A. attack types that exploit OS commands; B. attack types that exploit program code; C. attack types that exploit SQL commands (DB functions), such as SQL injection; D. attack types that exploit HTTP responses (for example, XSS and header injection); and E. attack types that exploit file operations (for example, directory traversal).
- In attack type A, the names of OS commands are the keywords.
- Attack type B uses specific expressions of a programming language as keywords.
- For PHP, for example, the keywords are PHP-specific functions such as print_r, var_dump, and base64_decode, and PHP-specific expressions such as $_GET and $_POST.
- For attack type B, a keyword list is maintained for each programming language (PHP, Java (registered trademark), Perl, Ruby, Python, and so on). Information indicating which programming language a keyword corresponds to is held as a sub attack type, for example as shown in FIG. 3.
- For attack type C, the keywords are SQL command names (select, update, insert, drop, etc.) and expressions characteristic of DB access; for MySQL, for example, information_schema, @@version, mysql, and so on. For attack type D, specific expressions used in HTML or JavaScript (registered trademark), such as alert and onclick, are used as keywords. For attack type E, specific expressions used in directory traversal attacks, such as ../, are used as keywords.
- The backdoor operation feature table 112 stores the behaviors observed in the emulator when the attack code is executed there by the attack code analysis unit described later. For example, as illustrated in FIG. 4, the backdoor operation feature table 112 holds the "operation" observed by OS system call monitoring, application API call monitoring, or communication monitoring, together with the "IP address" and "port number" used in the backdoor communication.
- The communication log 113 is a log of the communication carried out by the web server.
- The attack detection unit 121 determines whether or not a request to the web server is an attack (attack detection).
- The attack detection algorithm may be an existing signature detection algorithm (for example, Snort (https://www.snort.org/) or Bro (https://www.bro.org/)) or an anomaly detection algorithm (for example, "Detecting Malicious Inputs of Web Application Parameters Using Character Class Sequences", COMPSAC, 2015).
- The attack type determination unit 122 determines the attack type of the attack code included in a request that the attack detection unit 121 determined to be an attack.
- The attack type determination unit 122 determines which of the five attack types (A. to E. above), which are considered particularly important in attacks against web applications, the attack code belongs to. The determination is made according to which attack type's keywords in the attack type keyword list 111 (see FIG. 3) match keywords included in the attack code.
- For example, the attack type determination unit 122 refers to the attack type keyword list 111 and, if "cat" is included in the attack code, determines that the attack code is of attack type A (an attack type exploiting OS commands). If "print_r" is included in the attack code, the attack type determination unit 122 determines that the attack code is of attack type B (an attack type exploiting program code) and, within that type, that it is an attack using PHP.
- When the attack code matches the keywords of a plurality of attack types in the attack type keyword list 111 (see FIG. 3), the attack type determination unit 122 determines, for example, that the attack type is that of the keyword appearing earliest in the attack code (at the leftmost position in the attack code).
- For example, suppose that "php", which is a keyword of attack type A in the attack type keyword list 111, appears in the attack code, and that the attack type keyword "var_dump" also appears. Because "php" appears earlier than "var_dump" in the attack code, the attack type determination unit 122 determines that the attack code is of attack type A.
- There are also cases in which the attack type determination unit 122 refers to the attack type keyword list 111 and determines that the attack code does not match any attack type.
- The attack code analysis unit 123 emulates the attack on the web server by the attack code according to the determined attack type. Specifically, the attack code analysis unit 123 uses the emulator corresponding to the attack type determined by the attack type determination unit 122 to emulate the attack on the web application by the attack code.
- An emulator for each attack type is created in advance using, for example, a debugger or an interpreter, and the attack code analysis unit 123 selects the emulator corresponding to the attack type from among the emulators created in advance.
- For attack type A, the attack code analysis unit 123 uses an environment that can execute OS commands (for example, a Windows (registered trademark) command prompt, Linux (registered trademark) bash, or an emulator that can emulate such commands) and executes the attack code as a command.
- For example, the attack code analysis unit 123 has bash execute the command given by its -c argument, as in bash -c "cat /etc/passwd;".
- For attack type B, the attack code analysis unit 123 executes the attack code using an interpreter or emulator appropriate to the programming language.
- For example, if the attack code is PHP code, the attack code analysis unit 123 has the php interpreter run the code given by its -r argument, as in php -r "print('123456789'); die();". If the attack code is Python code, the attack code analysis unit 123 has the python interpreter run the code given by its -c argument, as in python -c "import sys; print 123456789; sys.exit()".
- For attack type C, the attack code analysis unit 123 executes the SQL statement against the DB.
- The attack code is executed using a terminal or an emulator that can execute SQL statements.
- Before doing so, the attack code analysis unit 123 shapes the SQL statement. For example, the attack code analysis unit 123 deletes the part of the SQL statement before the SELECT clause so that the SELECT clause appears at the beginning of the attack code.
- The keyword that the attack code analysis unit 123 arranges to appear first among the clauses of the SQL statement may be a clause other than SELECT (for example, update, delete, or drop). Such clauses are assumed to be given in the attack type keyword list 111 (see FIG. 3).
- The feature extraction unit 124 extracts the feature related to the backdoor operation that appears in the attack code to the web server when, as a result of the emulation, the attack on the web server succeeds. For example, the feature extraction unit 124 extracts an OS system call, an application API call, or a communication log as the feature related to the backdoor operation.
- The feature extraction unit 124 extracts the feature related to the backdoor operation while the attack code is being executed in the emulation.
- The operation referred to here is an OS system call, an application API call, or a communication log.
- It is acquired using an existing system call monitor or API monitor.
- When emulating this command, the attack code analysis unit 123 actually executes it in the emulator. At that time, the attack code analysis unit 123 can acquire an execution log of the attack command by prepending the Linux strace command, which monitors system calls, before executing the attack command. For example, in the following example it can be seen that the bind system call is invoked and connections are accepted on port number 4444.
- When emulating this command, the attack code analysis unit 123 actually executes it in the emulator. At that time, the attack code analysis unit 123 can acquire the communication log produced while the attack command runs by executing the attack command while a command that observes communication, such as tcpdump, is running. For example, in the following example it can be seen that the communication destination is 1.2.3.4 and the connection is made on port number 4444.
- The feature extraction unit 124 stores the system call log, communication log, and the like acquired in this manner as operations in the backdoor operation feature table 112 (see FIG. 4).
- The success/failure determination unit 125 determines that the attack by the attack code succeeded when the log of the actual communication on the web server has the feature extracted by the feature extraction unit 124, and determines that the attack failed when it does not. The success/failure determination unit 125 then outputs the determination result (success or failure).
- The success/failure determination unit 125 compares the operation stored in the backdoor operation feature table 112 with the actual operation and determines the success or failure of the attack based on the presence or absence of the backdoor operation. The determination method may differ depending on the observed operation. For example, if the operation is "bind", indicating that the code waits for a connection, the success/failure determination unit 125 checks whether a connection to the observed port number was established on the attacked host within the time T, and determines success if it was and failure if it was not.
- If the operation is "connect", indicating that the code connects out, the success/failure determination unit 125 checks whether a connection to the observed IP address and port number was established within the time T, and determines success if it was and failure if it was not.
- In the example above the code waits for a connection on port 4444, so the success/failure determination unit 125 determines that the attack succeeded if a connection from the attacker to port number 4444 is established within the time T, and that it failed if no such connection is established.
- The attack detection unit 121 of the determination device 10 determines whether or not a request to the web application is an attack (S1). If the request is an attack (Yes in S1), the attack type determination unit 122 refers to the attack type keyword list 111 and determines the attack type of the attack code included in the request (S2). If the attack type determination unit 122 can determine the attack type (Yes in S3), the attack code analysis unit 123 emulates the attack code based on the determined attack type.
- The feature extraction unit 124 then performs attack code analysis processing that extracts the feature related to the backdoor operation appearing in the attack code to the web server when the attack on the web server succeeds (S4). If the attack detection unit 121 determines in S1 that the request to the web application is not an attack (No in S1), the process ends.
- The success/failure determination unit 125 compares the backdoor behavior observed in the emulation with the actual communication (S5). If the success/failure determination unit 125 determines that there is no backdoor operation (No in S6), it notifies an external device or the like that the attack failed (S8). If it determines that there is a backdoor operation (Yes in S6), it notifies the external device or the like that the attack succeeded (S7). If the attack type determination unit 122 cannot determine the attack type in S3 (No in S3), the determination device 10 notifies the external device or the like that the success or failure of the attack cannot be determined (S9).
- Because the operation of the attack code is observed in the emulator and the success or failure of the attack is determined from the presence or absence of the backdoor operation specified by the attack code, the success or failure of an attack that works as a backdoor can be appropriately determined without modifying the existing system.
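The feature extraction from strace and tcpdump output and the success/failure determination within the time T (steps S5 to S9) above, as an added example that is not code from the patent: the monitor output is constructed after the examples in the description, and the server address, attack time, window T and communication log records are constructed; treating an empty feature table as "undeterminable" is an assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class BackdoorFeature:
    """One row of the backdoor operation feature table 112."""
    operation: str        # "bind" = waits for a connection, "connect" = calls out
    ip: Optional[str]     # IP address used in the backdoor communication (None for bind)
    port: int


@dataclass(frozen=True)
class ConnRecord:
    """One established TCP connection from the web server's communication log 113."""
    time: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# strace output of the emulated command: a successful bind() on a listening port
BIND_RE = re.compile(r"^bind\(.*sin_port=htons\((\d+)\).*\)\s*=\s*0")
# strace output of a successful outbound connect()
CONNECT_RE = re.compile(r'^connect\(.*sin_port=htons\((\d+)\),\s*sin_addr=inet_addr\("([\d.]+)"\)')
# tcpdump output: an outbound SYN, i.e. the emulated code connecting to a remote host
TCPDUMP_SYN_RE = re.compile(
    r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\]")


def extract_features(strace_lines: Iterable[str], tcpdump_lines: Iterable[str]) -> List[BackdoorFeature]:
    """Feature extraction unit 124: turn monitor output into feature table rows (deduplicated)."""
    feats = set()
    for line in strace_lines:
        m = BIND_RE.match(line)
        if m:
            feats.add(BackdoorFeature("bind", None, int(m.group(1))))
            continue
        m = CONNECT_RE.match(line)
        if m:
            feats.add(BackdoorFeature("connect", m.group(2), int(m.group(1))))
    for line in tcpdump_lines:
        m = TCPDUMP_SYN_RE.match(line)
        if m:
            feats.add(BackdoorFeature("connect", m.group(3), int(m.group(4))))
    return sorted(feats, key=lambda f: (f.operation, f.ip or "", f.port))


def determine_success(features, comm_log, server_ip, attack_time, window) -> str:
    """Success/failure determination unit 125 (S5 to S9): compare the table with the real log."""
    if not features:
        return "undeterminable"   # assumption: nothing was observed in emulation (S9)
    deadline = attack_time + window
    for f in features:
        for rec in comm_log:
            if not (attack_time <= rec.time <= deadline):
                continue          # only connections within time T after the request count
            if f.operation == "bind" and rec.dst_ip == server_ip and rec.dst_port == f.port:
                return "success"  # someone connected to the port the backdoor listens on (S7)
            if (f.operation == "connect" and rec.src_ip == server_ip
                    and rec.dst_ip == f.ip and rec.dst_port == f.port):
                return "success"  # the server called out to the backdoor destination (S7)
    return "failure"              # no backdoor operation in the real log (S8)


# Constructed monitor output, modelled on the strace and tcpdump examples in the description
STRACE_OUTPUT = [
    'bind(4<TCP:[96541]>, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("0.0.0.0")}, 128) = 0',
]
TCPDUMP_OUTPUT = [
    "00:00:01 IP 192.168.1.2.50000 > 1.2.3.4.4444: Flags [S], seq 100000000, win 65535",
    "00:00:02 IP 192.168.1.2.50000 > 1.2.3.4.4444: Flags [S], seq 100000000, win 65535",  # retransmit
]

# Constructed server side: attacked web server address, attack request time, and window T
SERVER_IP = "192.0.2.10"
ATTACK_TIME = datetime(2019, 4, 15, 12, 0, 0)
WINDOW = timedelta(seconds=60)
# Constructed communication log 113: a client reaching port 4444 five seconds after the
# request (inside T) versus the same connection half an hour later (outside T)
LOG_IN_WINDOW = [ConnRecord(ATTACK_TIME + timedelta(seconds=5), "203.0.113.7", 51000, SERVER_IP, 4444)]
LOG_TOO_LATE = [ConnRecord(ATTACK_TIME + timedelta(minutes=30), "203.0.113.7", 51000, SERVER_IP, 4444)]


def example_in_window() -> str:
    return determine_success(extract_features(STRACE_OUTPUT, TCPDUMP_OUTPUT),
                             LOG_IN_WINDOW, SERVER_IP, ATTACK_TIME, WINDOW)


def example_too_late() -> str:
    return determine_success(extract_features(STRACE_OUTPUT, TCPDUMP_OUTPUT),
                             LOG_TOO_LATE, SERVER_IP, ATTACK_TIME, WINDOW)


if __name__ == "__main__":
    print(extract_features(STRACE_OUTPUT, TCPDUMP_OUTPUT))
    print(example_in_window(), example_too_late())
```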
- The attack detection unit 121 of the determination device 10 described above may be installed outside the determination device 10.
- For example, it may be realized by an attack detection device such as a WAF installed outside the determination device 10.
- As illustrated in FIG. 6(a), the determination device 10 may be directly connected to the web server whose attacks are the target of success/failure determination (inline configuration), or, as illustrated in FIG. 6(b), it may be connected to the web server via an attack detection device such as a WAF (tap configuration).
- Each component of each illustrated device is functionally conceptual and does not necessarily need to be physically configured as illustrated.
- That is, the specific form of distribution and integration of each device is not limited to that illustrated, and all or part of it may be functionally or physically distributed or integrated in arbitrary units according to various loads or usage conditions.
- All or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.
- An information processing device can be made to function as the determination device 10 by having it execute the program, provided as package software or online software.
- The information processing device referred to here includes desktop and notebook personal computers.
- The information processing device also includes mobile communication terminals such as smartphones, mobile phones, and PHS (Personal Handyphone System) terminals, as well as PDAs (Personal Digital Assistants) and the like.
- The computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
- The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012.
- The ROM 1011 stores a boot program such as a BIOS (Basic Input Output System).
- The hard disk drive interface 1030 is connected to the hard disk drive 1090.
- The disk drive interface 1040 is connected to the disk drive 1100.
- A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100, for example.
- A mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050.
- A display 1130 is connected to the video adapter 1060.
- The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094.
- The various data and information described in the above embodiment are stored in, for example, the hard disk drive 1090 or the memory 1010.
- The CPU 1020 reads the program module 1093 and the program data 1094 stored in the hard disk drive 1090 into the RAM 1012 as necessary and executes each of the procedures described above.
- The program module 1093 and the program data 1094 related to the above determination program are not limited to being stored in the hard disk drive 1090.
- The program module 1093 and the program data 1094 may be stored in a removable storage medium and read out by the CPU 1020 via the disk drive 1100 or the like.
- The program module 1093 and the program data 1094 related to the above program may be stored in another computer connected via a network such as a LAN (Local Area Network) or a WAN (Wide Area Network) and read out by the CPU 1020 via the network interface 1070.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computer And Data Communications (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
[Outline]
The outline of the operation of the determination device 10 of the first embodiment will be described with reference to FIG. 1. First, as shown in FIG. 1, the determination device 10 receives an attack request ((1)) to a web application (web server). For example, suppose that the web application /index.php has an arbitrary command execution vulnerability and that the web server receives the attack request "GET /index.php?file=home;nc -l -p 4444 -e /bin/bash".
Next, the configuration of the determination device 10 will be described with reference to FIG. 2. The determination device 10 includes a storage unit 11, an attack detection unit 121, an attack type determination unit 122, an attack code analysis unit 123, a feature extraction unit 124, and a success/failure determination unit 125.
Execution example: strace nc -l -p 4444
Output: bind(4<TCP:[96541]>, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("0.0.0.0")}, 128) = 0
For example, in the following example it can be seen that the communication destination is 1.2.3.4 and the connection is made on port number 4444.
Execution example: tcpdump -i eth0
Output:
00:00:01 IP 192.168.1.2.50000 > 1.2.3.4.4444: Flags [S], seq 100000000, win 65535
00:00:02 IP 192.168.1.2.50000 > 1.2.3.4.4444: Flags [S], seq 100000000, win 65535
Next, the processing procedure of the determination device 10 will be described with reference to FIG. 5. First, the attack detection unit 121 of the determination device 10 determines whether or not a request to the web application is an attack (S1). If the request is an attack (Yes in S1), the attack type determination unit 122 refers to the attack type keyword list 111 and determines the attack type of the attack code included in the request (S2). If the attack type determination unit 122 can determine the attack type (Yes in S3), the attack code analysis unit 123 emulates the attack code based on the determined attack type. The feature extraction unit 124 then performs attack code analysis processing that extracts the feature related to the backdoor operation appearing in the attack code to the web server when the attack on the web server succeeds as a result of the emulation (S4). If the attack detection unit 121 determines in S1 that the request to the web application is not an attack (No in S1), the process ends.
With such a determination device 10, the operation of the attack code is observed in the emulator and the success or failure of the attack can be determined from the presence or absence of the backdoor operation specified by the attack code, so the success or failure of an attack that works as a backdoor can be appropriately determined without modifying the existing system.
The attack detection unit 121 of the determination device 10 described above may be installed outside the determination device 10. For example, as shown in FIGS. 6(a) and 6(b), it may be realized by an attack detection device such as a WAF installed outside the determination device 10. The determination device 10 may be directly connected to the web server that is the target of attack success/failure determination (inline configuration), as shown in FIG. 6(a), or may be connected to the web server via an attack detection device such as a WAF (tap configuration), as shown in FIG. 6(b).
Each component of each illustrated device is functionally conceptual and need not be physically configured as illustrated. That is, the specific form of distribution and integration of each device is not limited to that illustrated, and all or part of it may be functionally or physically distributed or integrated in arbitrary units according to various loads or usage conditions. Furthermore, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or as hardware by wired logic.
A program that realizes the functions of the determination device 10 described in the above embodiment can be implemented by installing it on a desired information processing device (computer). For example, by having an information processing device execute the above program, provided as package software or online software, the information processing device can be made to function as the determination device 10. The information processing device referred to here includes desktop and notebook personal computers. It also includes mobile communication terminals such as smartphones, mobile phones, and PHS (Personal Handyphone System) terminals, as well as PDAs (Personal Digital Assistants) and the like. The determination device 10 may also be implemented on a cloud server.
11 Storage unit
111 Attack type keyword list
112 Backdoor operation feature table
113 Communication log
121 Attack detection unit
122 Attack type determination unit
123 Attack code analysis unit
125 Success/failure determination unit
Claims (4)
- A determination method for determining whether or not an attack on a server by an attack code has succeeded, the method including:
an attack type determination step of determining the attack type of the attack code included in an attack request to the server;
an attack code analysis step of emulating, according to the determined attack type, the attack on the server by the attack code;
a feature extraction step of extracting, when the attack on the server succeeds as a result of the emulation, a feature related to the backdoor operation that appears in the attack code to the server; and
a success/failure determination step of determining that the attack by the attack code has succeeded when the communication log of the server has the extracted feature.
- The determination method according to claim 1, wherein the feature extraction step extracts an OS system call, an application API call, or a communication log as the feature related to the backdoor operation.
- A determination device that determines whether or not an attack on a server by an attack code has succeeded, the device including:
an attack type determination unit that determines the attack type of the attack code included in an attack request to the server;
an attack code analysis unit that emulates, according to the determined attack type, the attack on the server by the attack code;
a feature extraction unit that extracts, when the attack on the server succeeds as a result of the emulation, a feature related to the backdoor operation that appears in the attack code to the server; and
a success/failure determination unit that determines that the attack by the attack code has succeeded when the communication log of the server has the extracted feature.
- A determination program for determining whether or not an attack on a server by an attack code has succeeded, the program causing a computer to execute:
an attack type determination step of determining the attack type of the attack code included in an attack request to the server;
an attack code analysis step of emulating, according to the determined attack type, the attack on the server by the attack code;
a feature extraction step of extracting, when the attack on the server succeeds as a result of the emulation, a feature related to the backdoor operation that appears in the attack code to the server; and
a success/failure determination step of determining that the attack by the attack code has succeeded when the communication log of the server has the extracted feature.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
AU2019273972A AU2019273972B2 (en) | 2018-05-21 | 2019-04-15 | Determination method, determination device and determination program |
JP2020521093A JP6867552B2 (ja) | 2018-05-21 | 2019-04-15 | Determination method, determination device, and determination program |
US17/056,457 US11797670B2 (en) | 2018-05-21 | 2019-04-15 | Determination method, determination device and recording medium |
EP19807702.6A EP3783845B1 (en) | 2018-05-21 | 2019-04-15 | Determination method, determination device and determination program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2018-097419 | 2018-05-21 | ||
JP2018097419 | 2018-05-21 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2019225214A1 true WO2019225214A1 (ja) | 2019-11-28 |
Family
ID=68616375
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2019/016207 WO2019225214A1 (ja) | 2018-05-21 | 2019-04-15 | Determination method, determination device, and determination program |
Country Status (5)
Country | Link |
---|---|
US (1) | US11797670B2 (ja) |
EP (1) | EP3783845B1 (ja) |
JP (1) | JP6867552B2 (ja) |
AU (1) | AU2019273972B2 (ja) |
WO (1) | WO2019225214A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPWO2021038704A1 (ja) * | 2019-08-27 | 2021-03-04 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2014146307A (ja) * | 2013-01-28 | 2014-08-14 | Infosec Co Ltd | Web shell detection/response system |
JP2014232923A (ja) * | 2013-05-28 | 2014-12-11 | NEC Corporation | Communication device, cyber attack detection method, and program |
JP2015225512A (ja) * | 2014-05-28 | 2015-12-14 | Hitachi, Ltd. | Malware feature extraction device, malware feature extraction system, malware feature method, and countermeasure instruction device |
JP2017004123A (ja) * | 2015-06-05 | 2017-01-05 | Nippon Telegraph and Telephone Corporation | Determination device, determination method, and determination program |
Family Cites Families (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8935773B2 (en) * | 2009-04-09 | 2015-01-13 | George Mason Research Foundation, Inc. | Malware detector |
US9787695B2 (en) * | 2015-03-24 | 2017-10-10 | Qualcomm Incorporated | Methods and systems for identifying malware through differences in cloud vs. client behavior |
US10476891B2 (en) * | 2015-07-21 | 2019-11-12 | Attivo Networks Inc. | Monitoring access of network darkspace |
RU2634211C1 (ru) * | 2016-07-06 | 2017-10-24 | Trust LLC | Method and system for analysing the protocols by which malicious programs interact with command centres and for detecting computer attacks |
US10614222B2 (en) * | 2017-02-21 | 2020-04-07 | Microsoft Technology Licensing, Llc | Validation of security monitoring through automated attack testing |
JP6708794B2 (ja) | 2017-07-12 | 2020-06-10 | Nippon Telegraph and Telephone Corporation | Determination device, determination method, and determination program |
2019
- 2019-04-15 US US17/056,457 patent/US11797670B2/en active Active
- 2019-04-15 EP EP19807702.6A patent/EP3783845B1/en active Active
- 2019-04-15 JP JP2020521093A patent/JP6867552B2/ja active Active
- 2019-04-15 WO PCT/JP2019/016207 patent/WO2019225214A1/ja unknown
- 2019-04-15 AU AU2019273972A patent/AU2019273972B2/en active Active
Non-Patent Citations (2)
Title |
---|
SAKURAI, YUUSUKE: "5th Practice, Security Accident Response", NIKKEI COMPUTER, no. 899, 12 November 2015 (2015-11-12), pages 096-099, 130, XP009524265, ISSN: 0285-4619 * |
YANG ZHONG, KAZUFUMI AOKI, JUN MIYOSHI, HAJIME SHIMADA, HIROKI TAKAKURA: "AVT Lite: Detection Successful Web Attacks Based-on Attack Code Emulation", PROCEEDINGS OF THE COMPUTER SECURITY SYMPOSIUM 2017, 2017 |
Also Published As
Publication number | Publication date |
---|---|
EP3783845A1 (en) | 2021-02-24 |
JP6867552B2 (ja) | 2021-04-28 |
AU2019273972B2 (en) | 2022-05-19 |
JPWO2019225214A1 (ja) | 2020-12-10 |
EP3783845B1 (en) | 2022-10-05 |
EP3783845A4 (en) | 2021-12-29 |
AU2019273972A1 (en) | 2020-12-03 |
US20210211459A1 (en) | 2021-07-08 |
US11797670B2 (en) | 2023-10-24 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 19807702; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2020521093; Country of ref document: JP; Kind code of ref document: A |
| NENP | Non-entry into the national phase | Ref country code: DE |
| ENP | Entry into the national phase | Ref document number: 2019807702; Country of ref document: EP; Effective date: 20201116 |
| ENP | Entry into the national phase | Ref document number: 2019273972; Country of ref document: AU; Date of ref document: 20190415; Kind code of ref document: A |