WO2020158896A1 - Communication device - Google Patents


Info

Publication number: WO2020158896A1
Authority: WO (WIPO, PCT)
Prior art keywords: server, name resolution, terminal, server device, malicious host
Application number: PCT/JP2020/003542
Other languages: French (fr), Japanese (ja)
Inventor: 岡田 和也
Original assignee: 国立大学法人 東京大学

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways

Definitions

  • the present invention relates to a technique for detecting unauthorized communication in a network.
  • the present invention has been made in view of the above circumstances, and an object thereof is to provide a technology for detecting a cyber attack in real time.
  • A communication device that determines, when a terminal connected to a network accesses a server device, whether the server device is a malicious host. The terminal transmits a name resolution request including the absolute domain name of the server device to a DNS server that identifies the IP address corresponding to that absolute domain name; the DNS server identifies the IP address corresponding to the absolute domain name included in the request and transmits a name resolution result including the identified IP address to the terminal; and the terminal starts communication with the server device on the basis of the name resolution result transmitted from the DNS server.
  • The communication device comprises a data receiving unit that receives data transmitted from the terminal regardless of the destination of the data, a determination unit that determines whether the server device is a malicious host, and a data transmitting unit that transmits the data received by the data receiving unit to its destination. When the data receiving unit receives a name resolution request addressed to the DNS server, the determination unit determines, on the basis of the absolute domain name included in the request, whether the server device is a malicious host, and the data transmitting unit forwards the name resolution request to the DNS server regardless of whether that determination result has been derived yet. When the data receiving unit receives the name resolution result from the DNS server, the determination unit determines whether the server device is a malicious host on the basis of the determination result for the name resolution request corresponding to that result.
  • FIG. 1 is a diagram illustrating an outline of a communication system including the packet classification device (communication device) of the embodiment of the present invention, which detects access to a malicious host in real time.
  • FIG. 2 is a diagram showing an example of the network configuration of the embodiment of the present invention.
  • FIG. 3 is a diagram showing an example of the hardware configuration and software configuration of the packet classification device of the embodiment of the present invention.
  • FIG. 4 is a diagram showing an example of a configuration by which the packet classification device of the embodiment transfers a packet.
  • FIG. 5 is a diagram showing the processing time of each process until a terminal starts communication with a Web server in the embodiment.
  • FIG. 6 is a diagram explaining the timing at which a malicious host is detected in the embodiment of the present invention.
  • FIG. 7 is a diagram illustrating a configuration for detecting a malicious host at timing T1, when the terminal transmits a name resolution request to the DNS server, in the embodiment of the present invention.
  • FIG. 8 is a diagram illustrating a configuration for detecting a malicious host at timing T2, when the terminal receives the name resolution result from the DNS server, in the embodiment of the present invention.
  • FIG. 9 is a diagram illustrating a configuration for detecting a malicious host at timing T3, when the terminal accesses the connection destination Web server, in the embodiment of the present invention.
  • Name resolution: the process by which the IP address of the connection destination is obtained from the DNS server using the server name (absolute domain name) of the connection destination.
  • Malicious host: a host computer that performs a cyber attack.
  • If the connection destination is determined to be a benign host, communication continues as is; if it is determined to be a malicious host, communication is cut off. Because the time taken by name resolution is part of normal communication anyway, performing the malicious host detection during that time is unlikely to add delay that the user notices.
  • FIG. 1 is a diagram illustrating an outline of a communication system including a packet classification device (communication device) that detects access to a malicious host in real time according to the embodiment of this invention.
  • TCP/IP communication is targeted, but the present invention can also be applied to communication using other protocols.
  • the user operates the terminal to access a server device (for example, a Web server) connected to an external network.
  • When a user operates the terminal to access a Web server connected to an external network, the DNS server is first queried to identify the IP address of the destination Web server, and communication with the Web server is then started on the basis of the identified IP address. The time the user waits from operating the terminal until the requested site is displayed is therefore the sum of the time required for name resolution, the communication time with the Web server, and the time to process the data received from the Web server on the terminal. Accordingly, access to a malicious host can be prevented by determining whether the destination Web server is a malicious host in the interval between the start of name resolution and the start of communication with the destination Web server.
  • FIG. 2 is a diagram showing an example of a network configuration according to the embodiment of the present invention.
  • communication is performed between the Web server 11 connected to the external network (first network) 10 and the terminal 21 connected to the internal network (second network) 20.
  • A router 40 interconnects the external network 10 and the internal network 20.
  • a packet classification device (communication device) 100 that determines whether or not the Web server 11 to which the terminal 21 is connecting is a malicious host is arranged between the router 40 and the internal network 20.
  • the packet classification device 100 may be installed inside the internal network 20.
  • The terminal 21 sends its name resolution requests to a DNS cache server 30. If the DNS cache server 30 cannot resolve the server name (absolute domain name) of the connection destination by itself, it recursively queries a plurality of authoritative DNS servers 60 via the network to resolve the absolute domain name.
  • the DNS cache server 30 and the authoritative DNS server 60 will be collectively referred to as a DNS server.
  • When the connection destination (Web server 11) of the terminal 21 is determined to be a malicious host (classified as a malicious host), the packet classification device 100 cuts off the communication with the Web server 11 connected to the external network 10. At this time, the classification result (alarm) may be notified to a management computer (not shown) that manages network devices such as the router 40 and the packet classification device 100, and a warning message may be displayed to notify the administrator. Alternatively, instead of blocking the communication itself, the packet classification device 100 may instruct the router 40 to block the communication with the malicious host.
  • It is not necessary to determine in a binary fashion whether or not the host is a malicious host. For example, if the judgment value of a malicious host is 100 and that of a benign host is 0, and the likelihood of being a malicious host is judged on a scale of 0 to 100, communication may be cut off when the judgment value is greater than or equal to a predetermined threshold, and when the judgment value falls within a predetermined range a warning message may be displayed so that the user decides whether to connect. In this case, it is preferable for the packet classification device 100 to record a log of the malicious host determination results so that it can later be verified whether the host was actually malicious. The management computer may also be notified and record the log. Further, the packet classification device 100 may record a communication log and notify the management computer only when there is a possibility that the host is malicious.
  • The packet classification device 100 is placed where packets always pass when the external network is accessed, so that connections to malicious hosts can be prevented. One packet classification device 100 or several may be arranged in the network; when several are arranged, it is preferable to arrange them so that a packet does not pass through more than one of them, to avoid an increase in traffic.
  • FIG. 3 is a diagram illustrating an example of a hardware configuration and a software configuration of the packet classification device 100 according to the embodiment of this invention.
  • the packet classification device 100 includes a communication interface (IF) 101, a processor (CPU) 110, a memory 120, and a storage device 160, and each component is connected by a bus.
  • the communication interface (IF) 101 receives a packet transferred from the terminal 21, the DNS cache server 30, etc., and receives a command input from the management computer.
  • The processor (CPU) 110 provides various functions by executing the programs stored in the memory 120, for example the function of determining whether the connection destination (Web server 11) of the terminal 21 is a malicious host.
  • the memory 120 stores various programs executed by the processor 110 and temporarily stores data necessary for executing the programs.
  • The storage device 160 accumulates information from the packets received via the communication interface (IF) 101 (for example, the absolute domain name of the connection destination (Web server 11) included in a name resolution request, or the IP address of the connection destination (Web server 11) included in a name resolution result), and stores the processing results of the programs (for example, the determination result of whether the connection destination of the terminal 21 is a malicious host).
  • the memory 120 stores a communication control unit 121 that controls packet communication, and a detection unit (determination unit) 130 that determines whether or not the computer that communicates with the terminal 21 is a malicious host.
  • a detection unit 130 determines whether or not the computer that communicates with the terminal 21 is a malicious host.
  • Any method may be used to determine (classify) whether a host is malicious; this embodiment adopts a method that stores and learns from information such as the absolute domain name and IP address of the server device that is the destination of the packet in order to determine whether that server device is a malicious host.
  • the memory 120 also stores a learning unit 140 that collects and generates learning data in order to improve the accuracy of detecting a malicious host.
  • the detection unit 130 and the learning unit 140 are composed of a program and data for executing the program.
  • the storage device 160 provides a packet data storage unit 161 and a learning data storage unit 162. Each configuration will be described below.
  • the detection unit 130 determines whether the connection destination of the terminal 21 is a malicious host.
  • the detection unit 130 includes an analysis unit 131, a feature extraction unit 132, and a classification unit 133.
  • the analysis unit 131 temporarily stores the packet acquired from the communication IF 101, analyzes the information acquired from the received packet, and stores the analysis result in the packet data storage unit 161 as necessary.
  • the feature extraction unit 132 extracts feature information from the analysis result of the analysis unit 131.
  • The feature extraction unit 132 may acquire the analysis result directly from the analysis unit 131, or may acquire the analysis result stored in the packet data storage unit 161.
  • The classification unit 133 inputs the feature information extracted by the feature extraction unit 132 to a neural network and, on the basis of the learning data stored in the learning data storage unit 162, determines (classifies) whether the connection destination of the terminal 21 (the transmission destination of the packet, the Web server 11) is a benign host or a malicious host.
  • To improve the classification (determination) accuracy of the classification unit 133, the learning unit 140 adjusts the parameters of the neural network on the basis of the collected learning data and reflects the learning result in the learning data storage unit 162.
  • the learning data collection unit 141 collects learning data from the packet data storage unit 161 and the learning data storage unit 162.
  • the neural network learning unit 142 carries out learning of the neural network based on the learning data collected by the learning data collection unit 141. At this time, the learning data before reflecting the learning result is acquired from the learning data storage unit 162, and after the learning is performed, the learning data reflecting the learning result is stored in the learning data storage unit 162.
  • the learning data are parameters and data necessary for classifying the connection destination of the terminal 21 into a benign host or a malignant host by the neural network.
  • the learning of the neural network may be executed based on the execution instruction from the management computer, or may be executed periodically. Further, it may be executed when the unlearned data is accumulated in the packet data storage unit 161 by a predetermined amount or more.
  • the classifying unit 133 classifies (determines) the connection destination of the terminal 21 into a benign host or a malignant host using a neural network.
  • a machine learning library such as TensorFlow or LIBSVM is used as an algorithm for classifying the connection destination of the terminal 21.
  • FIG. 4 is a diagram showing an example of a configuration for the packet classification device 100 of the present embodiment to transfer a packet.
  • The packet classification device 100 of the present embodiment uses Intel (registered trademark) Data Plane Development Kit (DPDK) technology to speed up network processing.
  • the DPDK provides specialized functionality that bypasses kernel functionality for specific applications.
  • a solution other than DPDK may be applied as long as it has equivalent functions.
  • the packet received by the communication IF 101 is temporarily stored in the reception buffer RX (data reception unit) 102 provided by the DPDK and delivered to the detection unit 130.
  • the reception buffer RX (data reception unit) 102 has a queue structure and sends out the packets to the detection unit 130 in the order of reception.
  • the analysis unit 131, the feature extraction unit 132, and the classification unit 133 classify (determine) the transmission destination of the packet (the connection destination of the terminal 21; the Web server 11) as a benign host or a malignant host.
  • If the destination is classified as a benign host, the packet is stored in the transmission buffer TX (data transmission unit) 103 and transmitted to the external network 10 via the communication IF 101.
  • If the destination is classified as a malicious host, the packet may be discarded without being stored in the transmission buffer TX 103.
  • The function of discarding designated packets may instead be left to general network equipment other than the packet classification device 100, such as the router, which makes it possible to reduce the introduction cost.
  • the router that transfers the packet to the external network 10 may be notified that the destination is a malicious host, and the router may discard the packet.
  • the method for detecting a malicious host in the present embodiment employs an existing technique, and specifically uses a machine learning library such as TensorFlow or LIBSVM.
  • the detection of malicious hosts by these methods has been improved in accuracy due to technological advances and the accumulation of learning data.
  • the present embodiment aims to achieve both a practical packet transfer speed and high attack detection accuracy.
  • the present invention aims to maintain the packet transfer rate.
  • Below, the measured processing time of each process executed when the terminal 21 starts communication with the connection destination server device (Web server 11) is shown.
  • FIG. 5 is a diagram showing the processing time of each process until the terminal 21 starts communication with the Web server 11 in this embodiment.
  • The graph is a box-and-whisker diagram; the vertical axis is the processing time (µs) on a logarithmic scale, and the horizontal axis is the process.
  • the processing time of each process is shown for each algorithm when LIBSVM is applied to the classification unit 133 (left) and TensorFlow is applied (right).
  • Each process is reception (RX), analysis (parse, Parser), feature extraction (Extractor Processing), classification (Classifier parts), and total (Total).
  • the classification (dashed line) requires more processing time than other processes. Further, in the steps other than classification, there is little difference in processing time between algorithms, but in the classification step, applying TensorFlow is faster than applying LIBSVM.
  • The total processing time per packet is 0.4231 µs (2.118 Gbps) when malicious host detection is not performed, 557.8 µs (1.264 Mbps) when LIBSVM is applied, and 72.492 µs (9.60 Mbps) when TensorFlow is applied.
  • the algorithm for classification may be selected according to the required processing speed and detection accuracy.
  • The process of detecting a malicious host therefore becomes a bottleneck in packet transfer, and a speed-up of 100 to 1000 times would be needed to achieve a practical packet transfer speed. The present invention therefore focuses on the communication procedure: while the terminal 21 is performing name resolution for the server device on the external network with which it is trying to communicate, the device determines (classifies) whether that connection destination server device is a malicious host or a benign host.
  • The feature of the present invention is that the detection of a malicious host is started on the basis of the information (absolute domain name, etc.) included in the name resolution request for the connection destination server device (Web server 11) transmitted from the terminal 21, and that by completing the detection before the IP address of the connection destination server device is identified, the terminal 21 can be prevented from actually connecting to the malicious host.
  • FIG. 6 is a diagram explaining the timing of detecting a malicious host in the embodiment of the present invention.
  • The packet classification device 100 determines whether the Web server 11 is a malicious host at (1) timing T1, when the terminal 21 sends a name resolution request to the DNS cache server 30, (2) timing T2, when the DNS cache server 30 sends the name resolution result to the terminal 21, and (3) timing T3, when the terminal 21 starts communication with the Web server 11.
  • At any of T1, T2, and T3, communication can be blocked before the terminal connects to the malicious host (before it is subjected to a cyber attack).
  • the configuration for detecting a malicious host at each timing will be described below.
  • FIG. 7 is a diagram illustrating a configuration for detecting a malicious host at a timing T1 when the terminal 21 transmits a name resolution request to the DNS cache server 30 in the embodiment of the present invention.
  • the terminal 21 transmits a name resolution request (DNS query) for specifying the IP address of the connection destination (Web server 11) to the DNS cache server 30.
  • the packet classification device 100 receives the name resolution request transmitted from the terminal 21, and determines whether the connection destination (Web server 11) is a malicious host based on the information included in the name resolution request.
  • Upon receiving the name resolution request from the terminal 21, the packet classification device 100 stores the packet corresponding to the name resolution request in the reception buffer RX 102 via the communication IF 101.
  • the analysis unit 131 refers to the content of the received name resolution request and extracts the absolute domain name (FQDN). Further, the domain white list in which the absolute domain name of the benign host is recorded is referred to, and it is determined whether or not the extracted absolute domain name is included in the domain white list. If the extracted absolute domain name is included in the domain white list (“legitimate”), the connection destination is a benign host, and therefore the packet corresponding to the name resolution request is stored in the transmission buffer TX103. The packet stored in the transmission buffer TX103 is transmitted to the DNS cache server 30 by the communication control unit 121.
  • If the extracted absolute domain name is not in the domain white list, the analysis unit 131 refers to the domain black list in which the absolute domain names of malicious hosts are recorded and determines whether the extracted absolute domain name is included in the domain black list.
  • If the extracted absolute domain name is included in the domain black list (“malicious”), the connection destination is a malicious host, so the packet to be transmitted is discarded. At this time, a message indicating that the connection is not possible may be returned to the terminal 21.
  • Otherwise, the feature extraction unit 132 extracts feature information from the information included in the name resolution request, and the classification unit 133 classifies the connection destination as a malicious host or a benign host. Because this classification takes processing time, the packet corresponding to the name resolution request is stored in the transmission buffer TX 103 so that access to the connection destination is not delayed. As a result, the name resolution request is sent to the DNS cache server 30, and the classification of the connection destination can proceed in parallel while the DNS cache server 30 performs name resolution.
  • The classification unit 133 reflects the classification result in the domain white list (“legitimate”) if the connection destination is classified as a benign host, and in the domain black list (“malicious”) if it is classified as a malicious host.
  • In this way, the packet classification device 100 determines whether the connection destination is a benign host or a malicious host on the basis of information such as the absolute domain name included in the name resolution request.
  • The detection unit 130 classifies (determines) whether the connection destination is a malicious host or a benign host on the basis of the feature information of the connection destination and the learning data.
  • a name resolution request is transmitted to the DNS cache server 30, the connection destinations are classified while the DNS cache server 30 is performing name resolution, and the classification result is reflected in the domain black list or the domain white list. In this way, by classifying the absolute domain name of the connection destination while the DNS cache server 30 is performing name resolution, communication delay can be minimized.
  • Upon receiving the name resolution request sent from the terminal 21, the DNS cache server 30 identifies the IP address of the connection destination and sends a name resolution result including the identified IP address to the terminal 21. Upon receiving this name resolution result from the DNS cache server 30 (timing T2), the packet classification device 100 determines again whether the connection destination is a malicious host. The processing at timing T2 is described below.
  • FIG. 8 is a diagram illustrating a configuration for detecting a malicious host at the timing T2 when the terminal 21 receives the name resolution result from the DNS cache server 30 in the embodiment of the present invention.
  • Upon receiving the name resolution result from the DNS cache server 30, the packet classification device 100 stores the packet corresponding to the name resolution result in the reception buffer RX 102 via the communication IF 101.
  • The analysis unit 131 determines again whether the connection destination is a malicious host, using the domain black list and domain white list that reflect the result of classifying the absolute domain name when the name resolution request was received (timing T1). Specifically, it first determines whether the absolute domain name of the connection destination is included in the domain white list. If it is (“legitimate”), the connection destination is a benign host, so the packet corresponding to the name resolution result is stored in the transmission buffer TX 103, and the communication control unit 121 transmits it to the terminal 21.
  • Otherwise, the analysis unit 131 determines whether the absolute domain name is included in the domain black list. If it is (“malicious”), the connection destination is a malicious host, and the packet corresponding to the name resolution result is discarded. Furthermore, when the name resolution result contains the IP address of the connection destination's domain (“domainexist”), that IP address is added to (updates) the IP black list in which the IP addresses of malicious hosts are recorded.
  • If the absolute domain name is in neither list, the processor 110 stores the packet corresponding to the name resolution result in the transmission buffer TX 103, and the communication control unit 121 transmits it to the terminal 21.
  • Upon receiving the name resolution result from the DNS cache server 30, the terminal 21 accesses the connection destination Web server 11 on the basis of the connection destination IP address included in the result. Upon receiving the access request to the Web server 11 (timing T3), the packet classification device 100 determines whether the computer at the connection destination IP address is a malicious host. The processing at timing T3 is described below.
  • FIG. 9 is a diagram illustrating a configuration for detecting a malicious host at the timing T3 when the terminal 21 accesses the connection destination Web server 11 in the embodiment of the present invention.
  • Upon receiving an access request (connection request) from the terminal 21 to the connection destination Web server 11, the packet classification device 100 stores the packet corresponding to the access request in the reception buffer RX 102 via the communication IF 101.
  • the analysis unit 131 extracts the IP address of the connection destination (Web server 11) included in the access request and determines whether the IP address is included in the IP black list. If the extracted IP address is included in the IP blacklist (“domainexist”), the connection destination is a malicious host, so the packet to be transmitted (access request) is discarded. On the other hand, when the extracted IP address is not included in the IP blacklist (“not matched”), the transmission buffer TX103 stores the packet corresponding to the access request to the connection destination, and the communication control unit 121 connects the packet. It is sent to the destination (Web server 11).
  • As described above, when the terminal 21 starts communication with the Web server 11, whether the Web server 11 is a malicious host can be determined while name resolution is in progress, so a cyber attack can be detected in real time without the user perceiving a decrease in communication speed.
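The T1/T2/T3 flow described above, as an added example that is not part of the patent or any implementation of it: a Python model of the packet classification device that parses DNS query and response packets, applies the domain white/black lists at T1 while forwarding the request regardless, records the resolved IP addresses of a black-listed domain in the IP black list at T2, and checks the destination IP at T3. The `classify()` scoring function and the 0..100 thresholds are hypothetical stand-ins for the neural network classifier and the judgment values discussed earlier, and the DNS packets are constructed inline.

```python
"""Added example, not the patent's code: a model of the packet classification
device at T1 (name resolution request), T2 (name resolution result) and T3
(connection to the resolved IP). classify() is a hypothetical stand-in."""
import struct
from dataclasses import dataclass, field


def _encode_name(fqdn):
    # RFC 1035 label encoding: <len><label>... terminated by a zero byte
    return b"".join(bytes([len(x)]) + x.encode() for x in fqdn.rstrip(".").split(".")) + b"\x00"


def _decode_name(pkt, off):
    # returns (lower-cased FQDN with trailing dot, offset just after the name)
    labels = []
    while True:
        n = pkt[off]
        if n == 0:
            return ".".join(labels).lower() + ".", off + 1
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            return _decode_name(pkt, ptr)[0], off + 2
        labels.append(pkt[off + 1:off + 1 + n].decode())
        off += 1 + n


def build_query(txid, fqdn):
    # header (RD set, one question) + question for an A record, class IN
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return hdr + _encode_name(fqdn) + struct.pack("!HH", 1, 1)


def build_response(txid, fqdn, ips):
    # standard response (QR, RD, RA); one A record per IP, owner name by pointer to offset 12
    hdr = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    body = _encode_name(fqdn) + struct.pack("!HH", 1, 1)
    for ip in ips:
        body += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
        body += bytes(int(o) for o in ip.split("."))
    return hdr + body


def parse_dns(pkt):
    # extracts the queried FQDN and any A-record addresses from a query or response
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    fqdn, off = _decode_name(pkt, 12)
    off += 4  # skip QTYPE and QCLASS
    ips = []
    for _ in range(an):
        _, off = _decode_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return {"txid": txid, "is_response": bool(flags & 0x8000), "fqdn": fqdn, "ips": ips}


@dataclass
class PacketClassifier:
    domain_whitelist: set = field(default_factory=set)
    domain_blacklist: set = field(default_factory=set)
    ip_blacklist: set = field(default_factory=set)
    log: list = field(default_factory=list)   # (fqdn, judgment value) records
    block_threshold: int = 80  # judgment value (0..100) at or above this: malicious
    warn_threshold: int = 50   # in [warn, block): warn and leave the choice to the user

    def classify(self, fqdn):
        # hypothetical scoring stand-in for the neural network: 0 benign .. 100 malicious
        labels = fqdn.rstrip(".").split(".")
        score = 30 * (len(labels) > 4) + 40 * any(len(x) > 20 for x in labels)
        score += 30 * (sum(c.isdigit() for c in fqdn) > 5)
        return min(score, 100)

    def on_query(self, pkt):
        # T1: decide from the FQDN; the request is forwarded to the DNS server regardless
        fqdn = parse_dns(pkt)["fqdn"]
        if fqdn in self.domain_whitelist:
            return "forward"
        if fqdn in self.domain_blacklist:
            return "drop"
        # in the device this classification overlaps with the DNS server's resolution
        score = self.classify(fqdn)
        self.log.append((fqdn, score))
        if score >= self.block_threshold:
            self.domain_blacklist.add(fqdn)
        elif score < self.warn_threshold:
            self.domain_whitelist.add(fqdn)
        return "forward"

    def on_response(self, pkt):
        # T2: re-check the lists updated at T1 and learn a malicious host's IP addresses
        r = parse_dns(pkt)
        if r["fqdn"] in self.domain_whitelist:
            return "forward"
        if r["fqdn"] in self.domain_blacklist:
            self.ip_blacklist.update(r["ips"])  # "domainexist": record resolved IPs
            return "drop"
        return "forward"

    def on_connect(self, dst_ip):
        # T3: block the access request if its destination IP was learned at T2
        return "drop" if dst_ip in self.ip_blacklist else "forward"
```

A domain scored in the warning band is left in neither list, so its request and result are forwarded and only the log entry records it, matching the "let the user decide" option above.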
  • Reference numerals: 10 external network (first network); 11 Web server (server device); 20 internal network (second network); 21 terminal; 30 DNS cache server (DNS server); 40 router; 60 authoritative DNS server; 100 packet classification device (communication device); 101 communication interface (IF); 102 reception buffer RX (data reception unit); 103 transmission buffer TX (data transmission unit); 110 processor (CPU); 120 memory; 121 communication control unit; 130 detection unit (determination unit); 131 analysis unit; 132 feature extraction unit; 133 classification unit; 140 learning unit; 141 learning data collection unit; 142 neural network learning unit; 160 storage device; 161 packet data storage unit; 162 learning data storage unit

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a communication device which determines, when a terminal connected to a network accesses a server device, whether the server device is a malicious host. The terminal transmits to a DNS server a name resolution request including an absolute domain name of the server device, and starts communication with the server device on the basis of a name resolution result transmitted from the DNS server. The communication device is provided with a determination unit which determines whether the server device is a malicious host, and, upon receiving the name resolution request transmitted to the DNS server, determines whether the server device is a malicious host on the basis of the absolute domain name included in the name resolution request. At this time, the name resolution request is transmitted to the DNS server regardless of whether a determination result as to whether the server device is a malicious host has been derived. Further, upon receiving a name resolution result from the DNS server, the communication device determines whether the server device is a malicious host on the basis of the determination result.

Description

Communication device
 The present invention relates to a technique for detecting unauthorized communication in a network.
 In recent years, cyber attacks targeting individuals and organizations have been carried out against network services and have caused enormous damage. Various attack detection methods have been proposed to protect communication devices such as Web servers connected to a network from these attacks, but attackers have made detection difficult by frequently changing and refining their attack techniques. Conventional attack detection methods detect techniques that have been used in past attacks, so it has been difficult to detect attacks that use new techniques.
 Techniques have therefore been proposed that identify the host carrying out an attack (a malicious host) by detecting, from large-scale traffic data, the group of IP addresses of terminals that perform abnormal communication (see, for example, Patent Document 1).
Patent Document 1: JP 2018-148270 A
 However, although cyber attacks must be detected as early as possible, analyzing large-scale traffic data has required a great deal of processing time. In particular, it has been difficult to detect attacks in real time by applying machine learning to the packets being communicated, which is what detecting unknown attacks requires.
 The present invention has been made in view of the above circumstances, and an object thereof is to provide a technology for detecting a cyber attack in real time.
 According to a representative aspect of the present invention, a communication device determines, when a terminal connected to a network accesses a server device, whether the server device is a malicious host. The terminal transmits a name resolution request including the absolute domain name of the server device to a DNS server that specifies the IP address corresponding to that absolute domain name; the DNS server specifies the IP address corresponding to the absolute domain name included in the name resolution request and transmits a name resolution result including the specified IP address to the terminal; and the terminal starts communication with the server device based on the name resolution result transmitted from the DNS server. The communication device includes a data reception unit that receives data transmitted from the terminal regardless of the destination of the data, a determination unit that determines whether the server device is a malicious host, and a data transmission unit that transmits the data received by the data reception unit to the destination of the data. When the data reception unit receives a name resolution request addressed to the DNS server, the determination unit determines whether the server device is a malicious host based on the absolute domain name included in the name resolution request, and the data transmission unit transmits the name resolution request to the DNS server regardless of whether a determination result as to whether the server device is a malicious host has yet been derived. When the data reception unit receives the name resolution result from the DNS server, the determination unit determines whether the server device is a malicious host based on the determination result for the name resolution request corresponding to that name resolution result.
 According to the representative embodiment of the present invention, a cyber attack can be detected in real time without the user perceiving any decrease in communication speed.
FIG. 1 is a diagram explaining an outline of a communication system including a packet classification device (communication device) that detects access to a malicious host in real time according to an embodiment of the present invention.
FIG. 2 is a diagram showing an example of a network configuration according to the embodiment of the present invention.
FIG. 3 is a diagram showing an example of the hardware and software configuration of the packet classification device according to the embodiment of the present invention.
FIG. 4 is a diagram showing an example of a configuration by which the packet classification device of the embodiment transfers packets.
FIG. 5 is a diagram showing the processing time of each step until a terminal starts communication with a Web server in the embodiment.
FIG. 6 is a diagram explaining the timing at which a malicious host is detected in the embodiment of the present invention.
FIG. 7 is a diagram explaining a configuration for detecting a malicious host at timing T1, when the terminal transmits a name resolution request to the DNS server, in the embodiment of the present invention.
FIG. 8 is a diagram explaining a configuration for detecting a malicious host at timing T2, when the terminal receives a name resolution result from the DNS server, in the embodiment of the present invention.
FIG. 9 is a diagram explaining a configuration for detecting a malicious host at timing T3, when the terminal accesses the connection-destination Web server, in the embodiment of the present invention.
 When a terminal connected to a network accesses a server device (for example, a Web server) connected to another network, the IP address of the connection destination is first obtained from a DNS server using the server name (absolute domain name) of the connection destination (name resolution). In the present embodiment, it is determined while name resolution is in progress whether the server device at the connection destination is a malicious host (a computer that carries out cyber attacks). If the server device at the connection destination is determined not to be a malicious host (a benign host), communication continues as it is; if it is determined to be a malicious host, communication is blocked. Because the time spent on name resolution is time that ordinary communication requires anyway, the user is unlikely to perceive a delay even if processing to detect a malicious host is performed during this time. Embodiments of the present invention are described below with reference to the accompanying drawings.
 FIG. 1 is a diagram explaining an outline of a communication system including a packet classification device (communication device) that detects access to a malicious host in real time according to an embodiment of the present invention. The present embodiment targets communication over TCP/IP, but the present invention can also be applied to communication using other protocols. The present embodiment further assumes a case in which a user operates a terminal to access a server device (for example, a Web server) connected to an external network.
 When a user operates a terminal to access a Web server connected to an external network, the terminal first queries a DNS server to obtain the IP address of the destination Web server and then starts communication with the Web server based on that IP address. The time the user waits, from operating the terminal until the requested site is displayed, is therefore the sum of the time required for name resolution, the communication time with the Web server, and the time the terminal takes to process the data received from the Web server. Accordingly, access to a malicious host can be prevented by determining whether the destination Web server is a malicious host before name resolution completes and communication with the destination Web server begins.
 Next, an example of a network configuration to which the malicious host detection method of the embodiment is applied is described. FIG. 2 is a diagram showing an example of the network configuration of the embodiment of the present invention. In the present embodiment, communication takes place between a Web server 11 connected to an external network (first network) 10 and a terminal 21 connected to an internal network (second network) 20.
 Between the external network 10 and the internal network 20, a communication device (router 40) that interconnects the two networks is arranged. A packet classification device (communication device) 100, which determines whether the Web server 11 that the terminal 21 is attempting to connect to is a malicious host, is arranged between the router 40 and the internal network 20. The packet classification device 100 may also be installed inside the internal network 20. In the present embodiment, when the terminal 21 connects to a computer such as the Web server 11 on the external network 10, it connects via the packet classification device 100 to a DNS cache server (DNS server) 30 to obtain the IP address of the communication destination computer. If the DNS cache server 30 cannot resolve the server name (absolute domain name) of the connection destination, it recursively queries a plurality of authoritative DNS servers 60 over the network to resolve the absolute domain name. Hereinafter, the DNS cache server 30 and the authoritative DNS servers 60 are referred to collectively as the DNS server.
 When the packet classification device 100 determines that the connection destination of the terminal 21 (the Web server 11) is a malicious host (classifies it as a malicious host), it blocks communication with the Web server 11 on the external network 10. At this time, the classification result (alarm) may be sent to a management computer (not shown) that manages network devices such as the router 40 and the packet classification device 100, and the administrator may be informed, for example by displaying a warning message. Alternatively, instead of blocking the communication itself, the packet classification device 100 may instruct the router 40 to block communication with the malicious host.
 In the present embodiment, the determination need not be a binary choice between malicious and benign. For example, if the determination value for a malicious host is 100 and that for a benign host is 0, and the likelihood that a host is malicious is expressed as a determination value from 0 to 100, then communication may be blocked when the determination value is at or above a predetermined threshold, and when the determination value falls within a predetermined range a warning message may be displayed so that the user can decide whether or not to connect. In this case, it is preferable for the packet classification device 100 to record a log of the malicious host determination results so that it can later be established whether the host actually was malicious. The management computer may also be notified so that it records the log. Further, the packet classification device 100 may record a communication log and notify the management computer only when a malicious host is suspected.
 To prevent connections to malicious hosts, the packet classification device 100 is arranged at a point through which every packet must pass when an external network is accessed. Either a single packet classification device 100 or a plurality of them may be arranged in the network. When a plurality is arranged, they should be placed so that a packet does not pass through more than one packet classification device 100, in order to avoid an increase in traffic.
 Next, the hardware and software configuration of the packet classification device 100 is described. FIG. 3 is a diagram showing an example of the hardware and software configuration of the packet classification device 100 of the embodiment of the present invention. The packet classification device 100 includes a communication interface (IF) 101, a processor (CPU) 110, a memory 120 and a storage device 160, which are connected by a bus.
 The communication interface (IF) 101 receives packets forwarded from the terminal 21, the DNS cache server 30 and so on, and accepts command input from the management computer. The processor (CPU) 110 provides various functions by executing the programs stored in the memory 120, for example a function that determines whether the connection destination of the terminal 21 (the Web server 11) is a malicious host. The memory 120 stores the programs executed by the processor 110 and temporarily stores the data needed to execute them. The storage device 160 accumulates information taken from packets received via the communication interface (IF) 101 (for example, the absolute domain name of the connection destination (Web server 11) included in a name resolution request, and the IP address of the connection destination (Web server 11) included in a name resolution result) and stores the results of program processing (such as the determination of whether the connection destination of the terminal 21 is a malicious host).
 Next, the configuration of the memory 120 and the storage device 160 is described. The memory 120 stores a communication control unit 121, which controls packet communication, and a detection unit (determination unit) 130, which determines whether the computer communicating with the terminal 21 is a malicious host. In the present embodiment any method may be used to determine (classify) a malicious host; the method adopted here accumulates and learns from information such as the absolute domain name and IP address of the server device that is the destination of the packet in order to determine whether it is a malicious host. The memory 120 also stores a learning unit 140 that collects and generates learning data in order to improve the accuracy of malicious host detection. The detection unit 130 and the learning unit 140 consist of programs and the data used to execute those programs. The storage device 160 provides a packet data storage unit 161 and a learning data storage unit 162. Each component is described below.
 The detection unit 130 determines whether the connection destination of the terminal 21 is a malicious host. The detection unit 130 includes an analysis unit 131, a feature extraction unit 132 and a classification unit 133. The analysis unit 131 temporarily stores packets acquired from the communication IF 101, analyzes the information obtained from the received packets, and stores the analysis results in the packet data storage unit 161 as necessary.
 The feature extraction unit 132 extracts feature information from the analysis results of the analysis unit 131. The analysis results may be obtained directly from the analysis unit 131 or read from the packet data storage unit 161.
 The classification unit 133 feeds the feature information extracted by the feature extraction unit 132 into a neural network and, based on the learning data stored in the learning data storage unit 162, determines (classifies) whether the connection destination of the terminal 21 (the packet destination, the Web server 11) is a benign host or a malicious host.
 To improve the classification (determination) accuracy of the classification unit 133, the learning unit 140 adjusts the parameters that govern the accuracy of the neural network's determinations based on the collected learning data and reflects the learning results in the learning data storage unit 162. The learning data collection unit 141 collects learning data from the packet data storage unit 161 and the learning data storage unit 162. The neural network learning unit 142 trains the neural network based on the learning data collected by the learning data collection unit 141. At this time, the learning data from before the learning results were reflected is read from the learning data storage unit 162, and after training the learning data reflecting the results is stored back in the learning data storage unit 162. The learning data consists of the parameters and data the neural network needs to classify the connection destination of the terminal 21 as a benign host or a malicious host.
 Training of the neural network may be executed in response to an execution instruction from the management computer, or periodically. It may also be executed when a predetermined amount or more of unlearned data has accumulated in the packet data storage unit 161.
 The classification unit 133 classifies (determines) the connection destination of the terminal 21 as a benign host or a malicious host using a neural network. In the present embodiment, machine learning libraries such as TensorFlow and LIBSVM are used as the algorithm for classifying the connection destination of the terminal 21.
 Next, the procedure by which the packet classification device 100 forwards received packets to the external network is described. FIG. 4 is a diagram showing an example of the configuration by which the packet classification device 100 of the embodiment forwards packets. The packet classification device 100 of the embodiment uses Intel (registered trademark) Data Plane Development Kit (DPDK) technology to speed up network processing. DPDK provides dedicated functions that bypass the kernel for specific applications. A solution other than DPDK may be used as long as it provides equivalent functions.
 A packet received by the communication IF 101 is first stored in the reception buffer RX (data reception unit) 102 provided by DPDK and then handed to the detection unit 130. The reception buffer RX (data reception unit) 102 is a queue and passes packets to the detection unit 130 in the order in which they were received. The analysis unit 131, feature extraction unit 132 and classification unit 133 then classify (determine) the destination of the received packet (the connection destination of the terminal 21, i.e. the Web server 11) as a benign host or a malicious host.
 The packet is then stored in the transmission buffer TX (data transmission unit) 103 and transmitted to the external network 10 via the communication IF 101. If the destination of the packet is a malicious host, the packet may instead be discarded without being stored in the transmission buffer TX 103. With this configuration, general-purpose network equipment can be used for everything other than the packet classification device 100 (no router-side function for discarding designated packets is needed, for example), which reduces deployment cost. Alternatively, the router that forwards packets to the external network 10 may be notified that the destination is a malicious host, and the router may discard the packet.
 Next, an application example of a real-time detection system to which the present invention is applied is described concretely. As described above, the method for detecting malicious hosts in the present embodiment adopts existing techniques, specifically machine learning libraries such as TensorFlow and LIBSVM. The accuracy of malicious host detection by these methods has been improving through technical progress and the accumulation of learning data. On the other hand, because extracting and analyzing features from the information taken out of received packets takes time, detecting malicious hosts in real time has been difficult. The present embodiment aims to achieve both a practical packet transfer rate and high attack detection accuracy.
 It is not easy, however, to maintain a practical packet transfer rate while raising malicious host detection accuracy through faster algorithms and improved hardware performance. As described above, since existing techniques are relied on for detection accuracy, the present invention aims at maintaining the packet transfer rate. The measured processing time of each step executed until the terminal 21 starts communication with the connection-destination server device (Web server 11) is shown below.
 FIG. 5 is a diagram showing the processing time of each step until the terminal 21 starts communication with the Web server 11 in the present embodiment. The graph is a box-and-whisker plot; the vertical axis is the processing time (μs) on a logarithmic scale, and the horizontal axis is the step. FIG. 5 shows the processing time of each step for each algorithm: the case where LIBSVM is applied to the classification unit 133 (left) and the case where TensorFlow is applied (right). The steps are reception (RX), analysis (Parser), feature extraction (Extractor Processing), classification (Classifier parts) and total (Total).
 As shown in FIG. 5, classification (dashed line) requires far more processing time than the other steps. For the steps other than classification there is little difference in processing time between the algorithms, but in the classification step TensorFlow processes faster than LIBSVM. The total processing time per packet is 0.4231 μs (2.118 Gbps) when malicious host detection is not performed, 557.8 μs (1.264 Mbps) when LIBSVM is applied, and 72.492 μs (9.60 Mbps) when TensorFlow is applied. The classification algorithm may be selected according to the required processing speed and detection accuracy.
 As described above, malicious host detection becomes a bottleneck during packet transfer, so a speed-up of roughly 100 to 1000 times would be required to achieve a practical packet transfer rate. The present invention therefore focuses on the communication procedure: while the terminal 21 is performing name resolution for the server device on the external network with which it intends to communicate, the connection-destination server device is determined (classified) as a malicious host or a benign host. A feature of the present invention is that malicious host detection is started based on the information (the absolute domain name and so on) included in the name resolution request for the connection-destination server device (Web server 11) transmitted from the terminal 21, and is completed before the DNS server has returned the IP address of the connection-destination server device, thereby preventing the terminal 21 from actually connecting to the malicious host.
 FIG. 6 is a diagram explaining the timing at which a malicious host is detected in the embodiment of the present invention. The packet classification device 100 determines whether the Web server 11 is a malicious host at (1) timing T1, when the terminal 21 transmits a name resolution request to the DNS cache server 30, (2) timing T2, when the DNS cache server 30 transmits the name resolution result to the terminal 21, and (3) timing T3, when the terminal 21 starts communication with the Web server 11. By determining whether the connection destination (Web server 11) is a malicious host at timings T1, T2 and T3, communication can be blocked before the terminal connects to the malicious host (before it is subjected to a cyber attack). The configuration for detecting a malicious host at each timing is described below.
 FIG. 7 is a diagram explaining a configuration for detecting a malicious host at timing T1, when the terminal 21 transmits a name resolution request to the DNS cache server 30, in the embodiment of the present invention. At timing T1, the terminal 21 transmits to the DNS cache server 30 a name resolution request (DNS query) to obtain the IP address of the connection destination (Web server 11). The packet classification device 100 receives the name resolution request transmitted from the terminal 21 and determines, based on the information included in the name resolution request, whether the connection destination (Web server 11) is a malicious host.
 On receiving the name resolution request from the terminal 21, the packet classification device 100 stores the packet corresponding to the name resolution request in the reception buffer RX 102 via the communication IF 101. The analysis unit 131 inspects the content of the received name resolution request and extracts the absolute domain name (FQDN). It then consults the domain whitelist, in which the absolute domain names of benign hosts are recorded, and determines whether the extracted absolute domain name is included in the domain whitelist. If the extracted absolute domain name is included in the domain whitelist ("legitimate"), the connection destination is a benign host, so the packet corresponding to the name resolution request is stored in the transmission buffer TX 103. The packet stored in the transmission buffer TX 103 is sent to the DNS cache server 30 by the communication control unit 121.
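As an added example (not code from the patent or the applicant's implementation), the following Python shows what the analysis unit's FQDN extraction amounts to at the wire level: reading the question section of a DNS query in RFC 1035 wire format and rejecting malformed or truncated packets instead of reading past the buffer. The names `build_query`, `extract_fqdn` and `safe_extract` are chosen here, and the query bytes are constructed for the example.

```python
"""Extract the queried absolute domain name (QNAME) from a raw DNS query.

Added example, not the patent's code. DNS wire format (RFC 1035): a 12-byte
header, then the question section, whose name is a sequence of
length-prefixed labels terminated by a zero byte.
"""
import struct
from typing import Optional

DNS_HEADER_LEN = 12


def build_query(fqdn: str, txid: int = 0x1234) -> bytes:
    """Build a minimal A-record query for fqdn (constructed sample input)."""
    # ID, flags (RD=1), QDCOUNT=1, ANCOUNT, NSCOUNT, ARCOUNT
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in fqdn.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def extract_fqdn(packet: bytes) -> str:
    """Return the absolute domain name (lower-cased, trailing dot) of a query.

    Raises ValueError on malformed input rather than reading out of bounds.
    """
    if len(packet) < DNS_HEADER_LEN:
        raise ValueError("packet shorter than DNS header")
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels = []
    pos = DNS_HEADER_LEN
    while True:
        if pos >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            # Compression pointers are not valid in a query's question name.
            raise ValueError("compression pointer in question name")
        if length > 63 or pos + length > len(packet):
            raise ValueError("bad label length")
        labels.append(packet[pos:pos + length].decode("ascii").lower())
        pos += length
    if not labels:
        raise ValueError("empty QNAME")
    return ".".join(labels) + "."


def safe_extract(packet: bytes) -> Optional[str]:
    """Same as extract_fqdn, but returns None for malformed packets so a
    device in the packet path can treat them as 'not matched' and move on."""
    try:
        return extract_fqdn(packet)
    except ValueError:
        return None


if __name__ == "__main__":
    print(extract_fqdn(build_query("www.example.com")))  # www.example.com.
```

Lower-casing the labels matters for the whitelist and blacklist lookups described above, since DNS names are case-insensitive and an attacker-controlled client can vary the case of a query at will.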
 If the extracted absolute domain name is not included in the domain whitelist ("not matched"), the analysis unit 131 consults the domain blacklist, in which the absolute domain names of malicious hosts are recorded, and determines whether the extracted absolute domain name is included in the domain blacklist. If the extracted absolute domain name is included in the domain blacklist ("malicious"), the connection destination is a malicious host, so the packet to be sent is discarded. In this case, a message indicating that the connection cannot be made may be returned to the terminal 21.
 If the extracted absolute domain name is not included in the domain blacklist either ("not matched"), it cannot be determined whether the connection destination is a malicious host or a benign host, so the feature extraction unit 132 extracts feature information from the information contained in the name resolution request and the classification unit 133 classifies the connection destination as a malicious host or a benign host. Because classifying a host as malicious or benign takes processing time, the packet corresponding to the name resolution request is stored in the transmission buffer TX 103 so that access to the connection destination is not delayed. The name resolution request is thus sent to the DNS cache server 30, and the classification of the connection destination can be carried out in parallel while the DNS cache server 30 performs name resolution. When the classification result is obtained, the classification unit 133 reflects it in the domain whitelist if the result is a benign host ("legitimate") and in the domain blacklist if the result is a malicious host ("malicious").
 As described above, when the terminal 21 sends a name resolution request to the DNS cache server 30, the packet classification device 100 determines whether the connection destination is a benign host or a malicious host based on information such as the absolute domain name contained in the name resolution request. If the absolute domain name is in neither the domain blacklist nor the domain whitelist, so that it cannot be determined whether the host is benign or malicious, the detection unit 130 classifies (determines) whether the connection destination is a malicious host or a benign host based on the feature information of the connection destination and the learning data. In that case, the name resolution request is sent on to the DNS cache server 30, the connection destination is classified while the DNS cache server 30 performs name resolution, and the classification result is reflected in the domain blacklist or the domain whitelist. Classifying the absolute domain name of the connection destination while the DNS cache server 30 performs name resolution in this way keeps the communication delay to a minimum.
 On receiving the name resolution request sent by the terminal 21, the DNS cache server 30 determines the IP address of the connection destination and sends a name resolution result containing that IP address to the terminal 21. On receiving the name resolution result from the DNS cache server 30 (timing T2), the packet classification device 100 determines once more whether the connection destination is a malicious host. The processing at timing T2 is described below.
 FIG. 8 is a diagram explaining the configuration for detecting a malicious host at timing T2, when the terminal 21 receives the name resolution result from the DNS cache server 30, in the embodiment of the present invention. On receiving the name resolution result from the DNS cache server 30, the packet classification device 100 stores the packet corresponding to the name resolution result in the reception buffer RX 102 via the communication IF 101.
 The analysis unit 131 determines once more whether the connection destination is a malicious host, this time based on the domain blacklist and domain whitelist that reflect the result of classifying the absolute domain name when the name resolution request was received (timing T1). More specifically, it first determines whether the absolute domain name of the connection destination is included in the domain whitelist. If the absolute domain name of the connection destination is included in the domain whitelist ("legitimate"), the connection destination is a benign host, so the packet corresponding to the name resolution result is stored in the transmission buffer TX 103. The packet stored in the transmission buffer TX 103 is sent to the terminal 21 by the communication control unit 121.
 If the absolute domain name is not included in the domain whitelist ("not matched"), the analysis unit 131 determines whether the absolute domain name is included in the domain blacklist. If the absolute domain name is included in the domain blacklist ("malicious"), the connection destination is a malicious host, so the packet corresponding to the name resolution result is discarded. Furthermore, if the name resolution result contains an IP address for the connection destination's domain ("domain exist"), that IP address is added to (used to update) the IP blacklist, in which the IP addresses of malicious hosts are recorded.
 On the other hand, if the absolute domain name is not included in the domain blacklist ("not matched"), the processor 110 stores the packet corresponding to the name resolution result in the transmission buffer TX 103, and the communication control unit 121 sends it to the terminal 21.
 As described above, when the DNS cache server 30 sends the name resolution result to the terminal 21, it is determined (classified) once more whether the connection destination is a benign host or a malicious host, based on the domain blacklist and domain whitelist that reflect the classification result for the connection destination's domain obtained while the DNS cache server 30 was performing name resolution. Because the decision on whether to permit the connection is made in parallel with name resolution of the connection destination's domain, the user can operate the terminal 21 without being aware of the time needed to determine whether the host is malicious. If classification of the connection destination has not finished when the name resolution result is returned, the device may either give priority to detection accuracy and wait until classification finishes, or give priority to keeping communication delay low and omit the malicious-host determination.
 On receiving the name resolution result from the DNS cache server 30, the terminal 21 accesses the connection destination Web server 11 based on the connection destination's IP address contained in the name resolution result. On receiving the access request to the Web server 11 (timing T3), the packet classification device 100 determines whether the computer corresponding to the connection destination's IP address is a malicious host. The processing at timing T3 is described below.
 FIG. 9 is a diagram explaining the configuration for detecting a malicious host at timing T3, when the terminal 21 accesses the connection destination Web server 11, in the embodiment of the present invention. On receiving an access request (connection request) from the terminal 21 to the connection destination Web server 11, the packet classification device 100 stores the packet corresponding to the access request in the reception buffer RX 102 via the communication IF 101.
 The analysis unit 131 extracts the IP address of the connection destination (Web server 11) contained in the access request and determines whether it is included in the IP blacklist. If the extracted IP address is included in the IP blacklist ("domain exist"), the connection destination is a malicious host, so the packet to be sent (the access request) is discarded. On the other hand, if the extracted IP address is not included in the IP blacklist ("not matched"), the packet corresponding to the access request to the connection destination is stored in the transmission buffer TX 103 and sent to the connection destination (Web server 11) by the communication control unit 121.
 As described above, according to the embodiment of the present invention, when the terminal 21 starts communication with the Web server 11, it is possible to determine whether the connection destination Web server 11 is a malicious host while name resolution is being performed, so a cyber attack can be detected in real time without the user perceiving any drop in communication speed.
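To make the three-timing procedure concrete, here is an added Python model (not the patent's code, nor the applicant's implementation) of the T1, T2 and T3 decisions described above, including the choice noted for T2 between waiting for a pending classification and deferring the check to the access request at T3. The class and function names, the toy classifier, and the sample names and addresses (RFC 5737 documentation ranges) are constructed for this example; the real device uses a learned classifier over extracted features and operates on packets rather than strings.

```python
"""Model of the T1/T2/T3 malicious-host checks. Added example, not the
patent's own code; names, lists and the classifier are constructed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional, Set


class Verdict(Enum):
    FORWARD = "forward"   # store in the TX buffer and send on
    DROP = "drop"         # discard the packet


def toy_classifier(fqdn: str) -> bool:
    """Constructed stand-in for the learned classifier (True = malicious):
    flags names whose longest label is long and digit-heavy."""
    longest = max(fqdn.rstrip(".").split("."), key=len)
    return len(longest) >= 12 and sum(ch.isdigit() for ch in longest) >= 4


@dataclass
class PacketClassifier:
    classify: Callable[[str], bool]
    wait_for_pending: bool = True   # T2 policy: accuracy first (wait) or latency first
    domain_whitelist: Set[str] = field(default_factory=set)
    domain_blacklist: Set[str] = field(default_factory=set)
    ip_blacklist: Set[str] = field(default_factory=set)
    pending: Dict[str, bool] = field(default_factory=dict)    # results not yet committed
    ip_to_fqdn: Dict[str, str] = field(default_factory=dict)  # answers let through unclassified

    def on_dns_query(self, fqdn: str) -> Verdict:
        """Timing T1: name resolution request from the terminal."""
        fqdn = fqdn.lower()
        if fqdn in self.domain_whitelist:
            return Verdict.FORWARD
        if fqdn in self.domain_blacklist:
            return Verdict.DROP
        # Unknown name: forward the query so resolution is not delayed and
        # classify in parallel; the result is committed to the lists later.
        self.pending[fqdn] = self.classify(fqdn)
        return Verdict.FORWARD

    def _commit(self, fqdn: str) -> None:
        """Move a finished classification into the whitelist or blacklist."""
        malicious = self.pending.pop(fqdn)
        (self.domain_blacklist if malicious else self.domain_whitelist).add(fqdn)

    def on_dns_response(self, fqdn: str, resolved_ip: Optional[str]) -> Verdict:
        """Timing T2: name resolution result on its way back to the terminal."""
        fqdn = fqdn.lower()
        if fqdn in self.pending and self.wait_for_pending:
            self._commit(fqdn)
        if fqdn in self.domain_whitelist:
            return Verdict.FORWARD
        if fqdn in self.domain_blacklist:
            if resolved_ip is not None:            # "domain exist"
                self.ip_blacklist.add(resolved_ip)
            return Verdict.DROP
        # Not classified yet (latency-first policy): let the answer through but
        # remember which name the address came from so T3 can finish the check.
        if resolved_ip is not None:
            self.ip_to_fqdn[resolved_ip] = fqdn
        return Verdict.FORWARD

    def on_connect(self, dst_ip: str) -> Verdict:
        """Timing T3: first packet from the terminal to the resolved address."""
        fqdn = self.ip_to_fqdn.get(dst_ip)
        if fqdn is not None and fqdn in self.pending:
            self._commit(fqdn)
            if fqdn in self.domain_blacklist:
                self.ip_blacklist.add(dst_ip)
        return Verdict.DROP if dst_ip in self.ip_blacklist else Verdict.FORWARD


def run_scenario(wait_for_pending: bool) -> dict:
    """Walk one whitelisted, one unknown-benign and one unknown-suspicious
    name (constructed, RFC 5737 addresses) through T1, T2 and T3."""
    pc = PacketClassifier(toy_classifier, wait_for_pending,
                          domain_whitelist={"www.example.com."})
    bad = "a1b2c3d4e5f6g7.example.org."
    out = {}
    out["known_t1"] = pc.on_dns_query("www.example.com.")
    out["benign_t1"] = pc.on_dns_query("docs.example.net.")
    out["bad_t1"] = pc.on_dns_query(bad)
    out["benign_t2"] = pc.on_dns_response("docs.example.net.", "192.0.2.10")
    out["bad_t2"] = pc.on_dns_response(bad, "192.0.2.66")
    out["benign_t3"] = pc.on_connect("192.0.2.10")
    out["bad_t3"] = pc.on_connect("192.0.2.66")
    out["ip_blacklist"] = set(pc.ip_blacklist)
    return out


if __name__ == "__main__":
    for policy in (True, False):
        print("wait_for_pending =", policy, run_scenario(policy))
```

With `wait_for_pending=True` the suspicious name is dropped at T2 and its address lands in the IP blacklist; with `wait_for_pending=False` the answer is forwarded at T2 and the same name is caught at T3, which is the behaviour the second claim describes. Either way the terminal's query itself is never held back.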
 Although an embodiment of the present invention has been described above, the above embodiment shows only some of the possible applications of the present invention, and it is not intended to limit the technical scope of the present invention to the specific configuration of the above embodiment.
10 External network (first network)
11 Web server (server device)
20 Internal network (second network)
21 Terminal
30 DNS cache server (DNS server)
40 Router
60 Authoritative DNS server
100 Packet classification device (communication device)
101 Communication interface (IF)
102 Reception buffer RX (data reception unit)
103 Transmission buffer TX (data transmission unit)
110 Processor (CPU)
120 Memory
121 Communication control unit
130 Detection unit (determination unit)
131 Analysis unit
132 Feature extraction unit
133 Classification unit
140 Learning unit
141 Learning data collection unit
142 Neural network learning unit
160 Storage device
161 Packet data storage unit
162 Learning data storage unit

Claims (7)

  1.  A communication device that, when a terminal connected to a network accesses a server device, determines whether the server device is a malicious host, wherein
     the terminal sends a name resolution request containing the absolute domain name of the server device to a DNS server that determines the IP address corresponding to the absolute domain name,
     the DNS server determines the IP address corresponding to the absolute domain name contained in the name resolution request and sends a name resolution result containing the determined IP address to the terminal,
     the terminal starts communication with the server device based on the name resolution result sent by the DNS server,
     the communication device comprises
     a data reception unit that receives data sent by the terminal regardless of the destination of that data,
     a determination unit that determines whether the server device is a malicious host, and
     a data transmission unit that sends the data received by the data reception unit to the destination of that data,
     when the data reception unit receives a name resolution request addressed to the DNS server, the determination unit determines, based on the absolute domain name contained in the name resolution request, whether the server device is a malicious host,
     the data transmission unit sends the name resolution request to the DNS server regardless of whether a result of determining whether the server device is a malicious host has been derived, and
     when the data reception unit receives the name resolution result from the DNS server, the determination unit determines whether the server device is a malicious host based on the determination result for the name resolution request corresponding to that name resolution result.
  2.  The communication device according to claim 1, wherein
     if the determination result for the name resolution request has not been derived at the time the data reception unit receives the name resolution result from the DNS server, the name resolution result is sent to the terminal, and
     when the data reception unit receives an access request from the terminal to the server device, the determination unit determines whether the server device is a malicious host based on the determination result for the name resolution request.
  3.  The communication device according to claim 1 or 2, further comprising
     a communication control unit that controls communication between the terminal and the server device, wherein
     the communication control unit blocks communication between the terminal and the server device when the server device is determined to be a malicious host.
  4.  The communication device according to any one of claims 1 to 3, further comprising
     a learning unit that generates learning data based on the determination results of the determination unit and accumulates the learning data, wherein
     the determination unit determines whether the server device is a malicious host based on the accumulated learning data.
  5.  The communication device according to claim 4, wherein
     the determination unit
     has a domain whitelist in which the absolute domain names of server devices that are not malicious hosts are stored,
     reflects the determination result based on the learning data in the domain whitelist, and
     determines, based on the domain whitelist, that the server device is not a malicious host.
  6.  The communication device according to claim 4 or 5, wherein
     the determination unit
     has a domain blacklist in which the absolute domain names of server devices that are malicious hosts are stored,
     reflects the determination result based on the learning data in the domain blacklist, and
     determines, based on the domain blacklist, that the server device is a malicious host.
  7.  The communication device according to claim 6, wherein
     the determination unit
     has an IP blacklist in which the IP addresses of server devices that are malicious hosts are stored,
     reflects the determination result based on the domain blacklist in the IP blacklist, and
     determines, based on the IP blacklist, that the server device is a malicious host.
PCT/JP2020/003542 2019-01-31 2020-01-30 Communication device WO2020158896A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2019015817A JP2022049717A (en) 2019-01-31 2019-01-31 Communication device
JP2019-015817 2019-01-31

Publications (1)

Publication Number Publication Date
WO2020158896A1 true WO2020158896A1 (en) 2020-08-06

Family

ID=71842254

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2020/003542 WO2020158896A1 (en) 2019-01-31 2020-01-30 Communication device

Country Status (2)

Country Link
JP (1) JP2022049717A (en)
WO (1) WO2020158896A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2022264366A1 (en) * 2021-06-17 2022-12-22 日本電信電話株式会社 Probe device, probe range determination method, and probe range determination program

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
AKIHIRO SATOH: "D N S Clustering Malicious DNS Queries Detected by Using Blacklists", IEICE TECHNICAL REPORT, vol. 1 1 8 N, no. 6 0, 6 December 2018 (2018-12-06), pages 17 - 22, XP055728652 *
RUI TANABE, I R U S TOTAL DETECTING MALICIOUS DOMAINS USING VIRUS TOTAL AN INTEGRATED MALWARE ANALYSIS SERVICE, vol. 59, no. 9, 15 September 2018 (2018-09-15) *

Also Published As

Publication number Publication date
JP2022049717A (en) 2022-03-30

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20749385

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20749385

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP