WO2022044334A1 - Determination device, determination method, and determination program - Google Patents
Determination device, determination method, and determination program
- Publication number: WO2022044334A1 (PCT/JP2020/032935)
- Authority: WO (WIPO (PCT))
- Prior art keywords: domain name, time, pattern, information, operation mode
Classifications
- H04L63/1416: Event detection, e.g. attack signature detection (network security; detecting or protecting against malicious traffic by monitoring network traffic)
- G06F21/55: Detecting local intrusion or implementing counter-measures (security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- H04L61/3025: Domain name generation or assignment (managing network names; name registration, generation or assignment)
- H04L61/4511: Network directories; name-to-address mapping using standardised directories and directory access protocols, using the domain name system [DNS]
- H04L63/1483: Countermeasures against malicious traffic: service impersonation, e.g. phishing, pharming or web spoofing
- H04L61/302: Administrative registration, e.g. for domain names at the Internet Corporation for Assigned Names and Numbers [ICANN]
Definitions
- The present invention relates to a determination device, a determination method, and a determination program.
- Web filtering or DNS (Domain Name System) filtering is configured with a list, called a block list or blacklist, of the domain names (known malicious domain names) of websites that have already been identified as being used for attacks.
- A domain name is not necessarily operated in the same state continuously: its use may change, or its operation may be temporarily stopped.
- There is a service called domain parking. In this service, an operator displays advertisements and the like on a domain whose operation has been temporarily suspended, and pays part of the advertising revenue to the registrant of the domain name.
- The present invention comprises: an input unit that accepts input of time-series information indicating, in time series, the operation mode of a domain name up to a predetermined date and time; an identification unit that, based on the input time-series information of the domain name and pattern information indicating patterns of time-series change in the operation mode of domain names, identifies which pattern in the pattern information the time-series change of the operation mode of the input domain name corresponds to, and identifies candidates for the operation mode of the domain name after the predetermined date and time based on the identified pattern; a determination unit that determines, based on those candidates, whether the operation mode of the domain name may change to malicious use; and an output unit that outputs the result of the determination.
- A malicious domain name can thereby be identified promptly and accurately with limited computational resources.
- FIG. 1 is a diagram showing an example of time-series patterns of changes in the operation mode of a domain name over the period from the registration of the domain name until its expiration.
- FIG. 2 is a diagram showing an example of time-series patterns of changes in the operation mode of a domain name before and after re-registration of the domain name.
- FIG. 3 is a diagram showing an example of time-series patterns of changes in the operation mode of a domain name when the domain name is operated by a plurality of operators.
- FIG. 4 is a diagram showing a configuration example of the identification device.
- FIG. 5 is a diagram showing an example of a DNS data set.
- FIG. 6 is a diagram showing an example of domain name registration information.
- FIG. 7 is a diagram showing an example of a domain name blacklist.
- FIG. 8 is a flowchart showing an example of the processing procedure of the identification device.
- FIG. 9 is a diagram showing an example of the result of identification processing by the identification device.
- FIG. 10 is a diagram showing an example of a computer that executes the program.
- The identification device determines, based on time-series information showing changes in the operation mode of an input domain name, such as use of domain parking and malicious use, whether the domain name needs to be re-examined as to whether it is a malicious domain name. For example, the identification device identifies a pattern of change in the operation mode of the domain name based on the temporal relationship between the domain name's use of domain parking and its malicious use. The identification device then determines, based on the identified pattern, whether the domain name may change to a malicious domain name after a predetermined date and time.
- The temporal relationship between the use of domain parking (parking) and malicious use, from the registration (or re-registration) of the domain name and the setting of DNS until the domain name expires, corresponds to one of patterns 1 to 9.
- Patterns 2, 4 and 7 are patterns that change to malicious use after domain parking has been used. Therefore, when the temporal relationship between the use of domain parking and the malicious use of a domain name corresponds to pattern 2, 4 or 7, the identification device judges that the domain name may change to a malicious domain name after the predetermined date and time.
- The identification device also examines the change in the operation mode of the domain name before and after re-registration, in cases where the domain name has been re-registered.
- The temporal relationship between the use of domain parking and malicious use before and after re-registration of the domain name corresponds to one of patterns a to c.
- Patterns a and c may involve malicious use through a drop catch of the domain name. Therefore, when the temporal relationship between the use of domain parking and malicious use before and after re-registration of the domain name corresponds to pattern a or c, the identification device determines that the domain name may change to a malicious domain name after the predetermined date and time.
- When a domain name is used with multiple domain parking services at the same time or while switching between them, there is a possibility of malicious use. Therefore, when the domain name is used with a plurality of domain parking services simultaneously or while switching (for example, when the domain parking operator changes, as in patterns A, B and C shown in FIG. 3), the identification device determines that the domain name may change to a malicious domain name after the predetermined date and time.
- By identifying the pattern of change in the operation mode of the domain name as described above, the identification device can identify domain names that may change to malicious domain names after a predetermined date and time.
- As a result, the identification device can identify malicious domain names promptly and accurately with limited computational resources.
- FIG. 4 is a diagram showing an example of the configuration of the identification device 10. As shown in FIG. 4, the identification device 10 includes an input unit 11, a storage unit 12, a control unit 13, and an output unit 14.
- The input unit 11 receives input of the data used when the control unit 13 performs its various processes.
- In particular, the input unit 11 accepts input of time-series information indicating the operation mode of each domain name in time series.
- The time-series information is, for example, a DNS data set (see FIG. 5), domain name registration information (see FIG. 6), a domain name blacklist (see FIG. 7), and the like. Details of the DNS data set, domain name registration information and domain name blacklist are described later with reference to the drawings.
- The storage unit 12 stores the data used when the control unit 13 performs its various processes.
- The control unit 13 controls the identification device 10 as a whole. For example, the control unit 13 identifies a pattern of change in the operation mode of each domain name and, based on the identified pattern of change (time-series pattern), determines whether each domain name may change to a malicious domain name after a predetermined date and time.
- The output unit 14 outputs the processing results of the control unit 13.
- The input unit 11 includes a DNS data set input unit 111, a domain name registration information input unit 112, and a domain name blacklist input unit 113.
- The DNS data set input unit 111 accepts input of the DNS data set.
- The DNS data set is information indicating, for each domain name, the host name of the NS (name server) that manages the domain name, the date and time (time stamp) at which that NS host name was observed, and the like.
- FIG. 5 is a diagram showing an example of a DNS data set.
- The data with serial number 1 in FIG. 5 shows that, as of June 1, 2020, the IPv4 address (A record) of the domain name "example.com" is "192.0.2.1" and the host name of its NS (NS record) is "ns.malicious.example".
- The data with serial number 2 shows that, on July 1, 2020, the A record of the same domain name "example.com" is "203.0.113.1" and its NS record is "ns.parking.example".
- The NS records "ns.parking.example" and "ns.parking2.example" in this DNS data set are NS records specified by parking operators, and are assumed to belong to different parking operators.
- The data showing that the NS records of the domain name "example.jp" on July 1, 2020 are "ns.parking.example" and "ns.parking2.example" indicates that "example.jp" uses the domain parking services of multiple parking operators.
- The domain name registration information input unit 112 in FIG. 4 accepts input of domain name registration information.
- The domain name registration information is information indicating, for each domain name, its registration date and expiration date (the expected expiration date if the registration is not renewed).
- FIG. 6 is a diagram showing an example of domain name registration information.
- The data in FIG. 6 shows that the registration date of the domain name "example.com" is May 31, 2020, and its expiration date is May 31, 2021.
- The registration information of a domain name may also include information about the registrant of the domain name.
- The domain name blacklist input unit 113 in FIG. 4 accepts input of a domain name blacklist (a list of malicious domain names).
- FIG. 7 is a diagram showing an example of a domain name blacklist.
- The data with serial number 1 of the domain name blacklist shown in FIG. 7 indicates that the domain name "example.com" is on the blacklist as of June 1, 2020.
- The update frequency of the blacklist is not limited to the frequency described above.
- The storage unit 12 stores first pattern information, second pattern information and third pattern information.
- The first pattern information shows time-series patterns for a single period (life cycle) from the registration of a domain name until its expiration. An example of this first pattern information is shown in FIG. 1.
- Pattern 1 is a time-series pattern in which the domain name is used only for domain parking within a given period of a life cycle and is not used maliciously.
- Pattern 2 is a time-series pattern in which malicious use occurs some time after the domain name was used for domain parking (malicious use after domain parking).
- Pattern 3 is a time-series pattern in which the domain name is used for domain parking some time after a period of malicious use (domain parking after malicious use).
- Pattern 4 is a time-series pattern in which malicious use starts after the start of domain parking and before its end, so that the two usage periods partially overlap (malicious use after domain parking, partially overlapping).
- Pattern 5 is a time-series pattern in which domain parking starts after the start of malicious use and before its end, so that the two usage periods partially overlap (domain parking after malicious use, partially overlapping).
- Pattern 6 is a time-series pattern in which the period of domain parking and the period of malicious use are the same.
- Pattern 7 is a time-series pattern in which the period of domain parking includes the period of malicious use.
- Pattern 8 is a time-series pattern in which the period of malicious use includes the period of domain parking.
- Pattern 9 is a time-series pattern of malicious use only.
- Whether a target domain name is used for domain parking can be determined, for example, by matching the NS record corresponding to the domain name in the domain name registration information (see FIG. 6) against parking information obtained in advance. Whether the target domain name is used maliciously can be determined, for example, by referring to the domain name blacklist (see FIG. 7).
- The second pattern information shows patterns of change in the operation mode of a domain name before and after its re-registration. An example of this second pattern information is shown in FIG. 2.
- Pattern a is a time-series pattern in which a domain name used for domain parking expires, is re-registered, and is then used for domain parking again. In this pattern, it does not matter whether the domain name is used maliciously before or after re-registration.
- Pattern b is a time-series pattern in which a domain name used for domain parking expires, is re-registered, and is then used maliciously. In this pattern, it does not matter whether the domain name is parked after re-registration.
- Pattern c is a time-series pattern in which a maliciously used domain name expires, is re-registered, and is then used for domain parking. In this pattern, it does not matter whether the domain name is used maliciously after re-registration.
- The third pattern information shows patterns of time-series change in the operation mode when a domain name is operated with a plurality of name servers (a plurality of domain parking operators) simultaneously or while switching between them.
- When the domain parking operator differs, the value of the NS record indicating the operator also differs. Therefore, for example, when there are multiple NS records for the same domain name in the DNS data set (see FIG. 5), the domain name can be identified as using multiple domain parking operators. An example of this third pattern information is shown in FIG. 3.
- These time-series patterns are shown as time-series changes assuming, as the operation mode of the domain name, domain parking operation using a plurality of domain parking operators.
- Pattern A is a time-series pattern in which multiple domain parking operators are used at the same time or while switching.
- Pattern B is a time-series pattern in which multiple domain parking operators are used at the same time.
- Pattern C is a time-series pattern in which multiple domain parking operators are used while switching between them.
- The control unit 13 includes a first identification unit 131, a second identification unit 132, a third identification unit 133, and a determination unit 134.
- The first identification unit 131 identifies the time-series pattern of the operation mode of a domain name in the period from its registration until its expiration, based on the time-series information of the domain name and the first pattern information. The first identification unit 131 then identifies candidates for the operation mode of the domain name after a predetermined date and time (for example, the present time) based on the identification result.
- The second identification unit 132 identifies, based on the time-series information of the domain name and the second pattern information, the time-series pattern of change in the operation mode of the domain name before and after re-registration, when the domain name has been re-registered after expiring. The second identification unit 132 then identifies candidates for the operation mode of the domain name after the predetermined date and time (for example, the present time) based on the identification result.
- The third identification unit 133 determines whether the domain name has been used with a plurality of domain parking operators and, if so, identifies the time-series pattern of change in the operation mode of the domain name. The third identification unit 133 then identifies candidates for the operation mode of the domain name after the predetermined date and time (for example, the present time) based on the identification result.
- The determination unit 134 determines whether the operation mode of the domain name may change to malicious use, based on the candidates for the operation mode after the predetermined date and time identified by the first identification unit 131, the second identification unit 132 and the third identification unit 133.
- For the candidates identified by each of the first identification unit 131, the second identification unit 132 and the third identification unit 133, the determination unit 134 judges whether the operation mode of the domain name may change to malicious use after the predetermined date and time.
- The time-series patterns of operation modes under which the operation mode of a domain name will change to malicious use after the predetermined date and time are assumed to be stored in the storage unit 12, for example.
- When the identification device 10 determines that the operation mode of the input domain name may change to malicious use after the predetermined date and time, it may further include a processing unit that performs processing to determine whether that domain name is actually being used maliciously.
- The DNS data set input unit 111 of the identification device 10 accepts input of the DNS data set (S1). The domain name registration information input unit 112 accepts input of the domain name registration information (S2). The domain name blacklist input unit 113 accepts input of the domain name blacklist (S3).
- The first identification unit 131 identifies the time-series pattern of changes in the operation mode of the domain name, taking as its target a single period from the registration of the domain name until its expiration, based on the first pattern information, the DNS data set, the domain name registration information and the domain name blacklist (S4).
- The second identification unit 132 identifies the time-series pattern of changes in the operation mode of the domain name, taking as its target the period before and after re-registration of the domain name, based on the second pattern information, the DNS data set, the domain name registration information and the domain name blacklist (S5).
- The third identification unit 133 identifies the time-series pattern in which a plurality of domain parking operators are used simultaneously or while switching, based on the third pattern information, the DNS data set, the domain name registration information and the domain name blacklist (S6).
- The determination unit 134 identifies domain names that are likely to change to a specific operation mode (for example, malicious use) in the future, based on the time-series patterns of the operation of the domain name identified in S4 to S6 (S7). The determination unit 134 then outputs the result of S7 via the output unit 14 (S8).
- In this way, the identification device 10 can identify domain names that may change to a specific operation mode (for example, malicious use) in the future, that is, domain names that need to be re-examined as to whether they are malicious domain names.
- FIG. 9 is a diagram showing a specific example of domain name identification by the identification device 10.
- "example.com" was blacklisted (used maliciously) on June 1, 2020, but no subsequent malicious use has been confirmed.
- "example.com" was registered on May 31, 2020, and has not expired as of July 2, 2020. Therefore, the identification device 10 determines that only a single life cycle (single registration period) needs to be considered for "example.com".
- The identification device 10 determines that the time-series pattern of the operation mode of "example.com" corresponds to the pattern in which the domain name is used maliciously and then used for domain parking (pattern 3 shown in FIG. 1).
- The identification device 10 determines that "example.com" does not correspond to any of the time-series patterns of change in the operation mode before and after re-registration of the domain name (time-series patterns over a plurality of registration periods) shown in FIG. 2, for example.
- "example.com" does not use domain parking from multiple operators. Therefore, the identification device 10 determines that "example.com" does not correspond to the time-series patterns of using domain parking from a plurality of operators shown in FIG. 3, for example.
- The identification device 10 identifies the time-series patterns that could apply to the operation mode of "example.com" after July 3, 2020. As mentioned above, "example.com" has been used for domain parking since July 1, 2020. Therefore, for the operation mode from July 3, 2020 until the domain name expires, the identification device 10 identifies the applicable candidate time-series patterns as patterns 2, 4 and 7 in FIG. 1.
- Accordingly, the identification device 10 judges that the possibility that "example.com" will change to the operation mode of malicious use after July 3, 2020 is relatively "high". Therefore, the identification device 10 determines that it is necessary to check whether "example.com" is a malicious domain name more frequently than other domain names.
- "example.net" had the domain parking NS record "ns.parking.example" set on June 1, 2020, and the non-parking NS record "ns.malicious.example" set on July 1, 2020.
- The identification device 10 determines that the time-series pattern of the operation mode of "example.net" as of July 2, 2020 is the pattern in which the domain name is parked and then used maliciously (pattern 2 shown in FIG. 1).
- The identification device 10 determines that "example.net" does not correspond to any of the time-series patterns of the operation mode before and after re-registration of the domain name (time-series patterns over a plurality of registration periods) shown in FIG. 2.
- "example.net" does not use domain parking from multiple operators. Therefore, the identification device 10 determines that "example.net" does not correspond to the time-series patterns of using domain parking from a plurality of operators shown in FIG. 3, for example.
- The identification device 10 identifies the time-series patterns that could apply to the operation mode of "example.net" after July 3, 2020.
- "example.net" has a record of malicious use on July 1, 2020. Therefore, for the operation mode from July 3, 2020 until the domain name expires, the identification device 10 identifies the possible candidate time-series patterns as patterns 3, 5, 8 and 9 in FIG. 1.
- Accordingly, the identification device 10 judges that the possibility that "example.net" will change to the operation mode of malicious use after July 3, 2020 is relatively "low". Therefore, the identification device 10 determines that it is not necessary to check whether "example.net" is a malicious domain name more frequently than other domain names.
- "example.org" corresponds to a time-series pattern of the operation mode before and after re-registration of the domain name (a time-series pattern over a plurality of registration periods) shown in FIG. 2.
- "example.org" had the domain parking NS record "ns.parking.example" set on June 1, 2020, before re-registration, and the non-parking NS record "ns.malicious.example" set after re-registration.
- According to the domain name blacklist in FIG. 7, "example.org" has been on the blacklist since July 1, 2020, after re-registration (malicious use).
- The identification device 10 determines that the time-series pattern of the operation mode of "example.org" as of July 2, 2020 is pattern 9 shown in FIG. 1.
- "example.org" has undergone re-registration, was used for domain parking before re-registration (before expiration), and has been used maliciously after re-registration. Therefore, the identification device 10 identifies the time-series pattern before and after the re-registration of "example.org" as pattern b in FIG. 2.
- "example.org" does not use domain parking from multiple operators. Therefore, the identification device 10 determines that "example.org" does not correspond to the time-series patterns of using domain parking from a plurality of operators shown in FIG. 3, for example.
- The identification device 10 identifies the time-series patterns that could apply to the operation mode of "example.org" after July 3, 2020.
- "example.org" has a record of malicious use on July 1, 2020. Therefore, for the operation mode from July 3, 2020 until the domain name expires, the identification device 10 identifies the possible candidate time-series patterns as patterns 3, 5, 8 and 9 in FIG. 1.
- Accordingly, the identification device 10 judges that the possibility that "example.org" will change to the operation mode of malicious use after July 3, 2020 is relatively "low". Therefore, the identification device 10 determines that it is not necessary to check whether "example.org" is a malicious domain name more frequently than other domain names.
- "example.jp" had the domain parking NS records "ns.parking.example" and "ns.parking2.example" set on July 1, 2020.
- The identification device 10 determines that the time-series pattern of the operation mode of "example.jp" corresponds to the pattern used only for domain parking (pattern 1 shown in FIG. 1).
- The identification device 10 determines that "example.jp" does not correspond to any of the time-series patterns of the operation mode before and after re-registration of the domain name (time-series patterns over a plurality of registration periods) shown in FIG. 2, for example.
- "example.jp" is using domain parking from multiple operators as of July 1, 2020. From this, the identification device 10 determines that "example.jp" corresponds to patterns A and B in FIG. 3, for example.
- The identification device 10 identifies the time-series patterns that could apply to the operation mode of "example.jp" after July 3, 2020. As mentioned above, "example.jp" has been used for domain parking since July 1, 2020. Therefore, for the operation mode from July 3, 2020 until the domain name expires, the identification device 10 identifies the applicable candidate time-series patterns as patterns 2, 4 and 7 in FIG. 1.
- Accordingly, the identification device 10 judges that the possibility that "example.jp" will change to the operation mode of malicious use after July 3, 2020 is relatively "high". Therefore, the identification device 10 determines that it is necessary to check whether "example.jp" is a malicious domain name more frequently than other domain names.
- In this way, for the plurality of domain names with serial numbers 1 to 4 in this example, the identification device 10 identifies the domain names that are relatively likely to change to the operation mode of malicious use (for example, example.com and example.jp). The identification device 10 then controls, for example, that the identified domain names are checked for being malicious domains more frequently than the other domain names (for example, example.net and example.org). As a result, the identification device 10 can find unknown malicious domain names more efficiently with limited computational resources.
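The following Python script is an added example, not code from the patent or its applicant: it walks through the FIG. 9 example above on observations constructed from FIG. 5 to FIG. 7, identifying the life-cycle pattern (1 to 9), the re-registration pattern (a to c) and the multi-operator parking pattern (A to C) for each domain name, deriving the candidate patterns for the rest of the registration period, and flagging which domain names a defender should re-check against the blacklist more often. The NS host names come from FIG. 5; the split of example.org into two registration periods and the blacklist entry for example.net on July 1, 2020 are assumptions made to match the discussion.

```python
from dataclasses import dataclass
from datetime import date
# Parking information "obtained in advance": NS host names of the parking operators in FIG. 5.
PARKING_NS = {"ns.parking.example", "ns.parking2.example"}

@dataclass
class Observation:
    day: date          # date on which the DNS data set and blacklist were observed
    ns: set            # NS records seen for the domain name on that day
    blacklisted: bool  # whether the domain name was on the blacklist on that day

@dataclass
class Domain:
    name: str
    periods: list      # one list of Observations per registration period, oldest first

def _span(obs, pred):
    """First and last observation day on which pred holds, or None if it never holds."""
    days = [o.day for o in obs if pred(o)]
    return (days[0], days[-1]) if days else None

def lifecycle_pattern(obs):
    """Patterns 1-9 of FIG. 1 for one registration period (first identification unit)."""
    p = _span(obs, lambda o: bool(o.ns & PARKING_NS))  # domain parking period
    m = _span(obs, lambda o: o.blacklisted)            # malicious-use period
    if not p and not m:
        return None
    if not p or not m:
        return 1 if p else 9                           # parking only / malicious use only
    if p[1] < m[0]:
        return 2                                       # parking, then malicious use
    if m[1] < p[0]:
        return 3                                       # malicious use, then parking
    if p == m:
        return 6                                       # identical periods
    if p[0] <= m[0] and m[1] <= p[1]:
        return 7                                       # parking period contains malicious period
    if m[0] <= p[0] and p[1] <= m[1]:
        return 8                                       # malicious period contains parking period
    return 4 if p[0] < m[0] else 5                     # partial overlap, by which started first

def reregistration_pattern(periods):
    """Patterns a-c of FIG. 2 over the last two registration periods (second identification unit)."""
    if len(periods) < 2:
        return None
    before, after = periods[-2], periods[-1]
    parked = lambda obs: any(o.ns & PARKING_NS for o in obs)
    malicious = lambda obs: any(o.blacklisted for o in obs)
    if parked(before) and parked(after):
        return "a"
    if parked(before) and malicious(after):
        return "b"
    if malicious(before) and parked(after):
        return "c"
    return None

def multi_parking_patterns(obs):
    """Patterns A-C of FIG. 3: several parking operators at once or in turn (third identification unit)."""
    per_day = [o.ns & PARKING_NS for o in obs]
    simultaneous = any(len(s) > 1 for s in per_day)
    switching = any(a and b and a != b for a, b in zip(per_day, per_day[1:]))
    return [x for x, hit in (("A", simultaneous or switching), ("B", simultaneous), ("C", switching)) if hit]

def future_candidates(obs):
    """Candidate patterns for the rest of the registration period, from the latest observation."""
    last = obs[-1]
    if last.ns & PARKING_NS:
        return [2, 4, 7]       # parked now: the patterns that go on to malicious use
    return [3, 5, 8, 9] if last.blacklisted else []

def assess(domain):
    """Determination unit: combine the three identifications into a re-check priority."""
    current = domain.periods[-1]
    result = {"lifecycle": lifecycle_pattern(current),
              "reregistration": reregistration_pattern(domain.periods),
              "multi_parking": multi_parking_patterns(current),
              "candidates": future_candidates(current)}
    likely = (bool(set(result["candidates"]) & {2, 4, 7})
              or result["reregistration"] in ("a", "c")   # possible drop catch
              or bool(result["multi_parking"]))
    result["likelihood"] = "high" if likely else "low"
    return result

SAMPLE = [  # constructed from FIG. 5-7; example.org's period split and example.net's blacklist entry are assumed
    Domain("example.com", [[Observation(date(2020, 6, 1), {"ns.malicious.example"}, True),
                            Observation(date(2020, 7, 1), {"ns.parking.example"}, False)]]),
    Domain("example.net", [[Observation(date(2020, 6, 1), {"ns.parking.example"}, False),
                            Observation(date(2020, 7, 1), {"ns.malicious.example"}, True)]]),
    Domain("example.org", [[Observation(date(2020, 6, 1), {"ns.parking.example"}, False)],   # before re-registration
                           [Observation(date(2020, 7, 1), {"ns.malicious.example"}, True)]]),  # after re-registration
    Domain("example.jp", [[Observation(date(2020, 7, 1), set(PARKING_NS), False)]]),
]

def recheck_schedule(domains=SAMPLE):
    """Map each domain name to its assessment; 'high' ones are re-checked more frequently."""
    return {d.name: assess(d) for d in domains}
if __name__ == "__main__":
    for name, r in recheck_schedule().items():
        print(f"{name}: {r}")
```

Running it reproduces the FIG. 9 outcome: example.com (pattern 3, candidates 2, 4, 7) and example.jp (pattern 1, patterns A and B) come out "high", while example.net (pattern 2) and example.org (pattern 9, re-registration pattern b) come out "low".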
- the preferential computational resource allocation method known methods such as task control, resource allocation, and job management, which are generally used in information engineering and programming languages, can be used.
- Each component of each illustrated device is a functional concept and does not necessarily have to be physically configured as shown in the figure. That is, the specific form of distribution and integration of each device is not limited to the one shown in the figure; all or part of it may be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions. Further, all or any part of each processing function performed by each device may be realized by a CPU (Central Processing Unit) and a program executed by the CPU, or as hardware by wired logic.
- The identification device 10 described above can be implemented by installing a program as package software or online software on a desired computer.
- For example, by causing an information processing apparatus to execute the above program, the information processing apparatus can function as the system of each embodiment.
- The information processing apparatus referred to here includes desktop or notebook personal computers.
- Information processing apparatuses also include smartphones, mobile communication terminals such as mobile phones and PHS (Personal Handyphone System) terminals, and slate terminals such as PDAs (Personal Digital Assistants).
- The identification device of the present embodiment can also be implemented as a server device that treats the terminal device used by the user as a client and provides the client with a service related to the above processing.
- The server device may be implemented as a Web server, or as a cloud that provides the service related to the above processing by outsourcing.
- FIG. 9 is a diagram showing an example of a computer that executes the identification program.
- The computer 1000 has, for example, a memory 1010 and a CPU 1020.
- The computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These parts are connected by a bus 1080.
- The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012.
- The ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System).
- The hard disk drive interface 1030 is connected to a hard disk drive 1090.
- The disk drive interface 1040 is connected to a disk drive 1100.
- A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100.
- The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120.
- The video adapter 1060 is connected to, for example, a display 1130.
- The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the program that defines each process executed by the system of each embodiment is implemented as the program module 1093, in which computer-executable code is described.
- The program module 1093 is stored in, for example, the hard disk drive 1090.
- The program module 1093 for executing processes similar to the functional configuration of the system of each embodiment is stored in the hard disk drive 1090.
- The hard disk drive 1090 may be replaced by an SSD.
- The pattern information used in the processing of the above-described embodiment is stored as the program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. The CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 or the hard disk drive 1090 into the RAM 1012 and executes them as needed.
- The program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090; they may be stored in, for example, a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (a LAN (Local Area Network), a WAN (Wide Area Network), etc.) and read from that computer by the CPU 1020 via the network interface 1070.
Description
First, an overview of the identification device (determination device) of the present embodiment is described with reference to FIGS. 1 to 3. For example, on the basis of time-series information that shows in time series the changes in the operation mode of an input domain name, such as the use of domain parking or malicious use, the identification device determines whether the domain name is one for which it is necessary to re-determine whether it is a malicious domain name. For example, the identification device identifies the pattern of change in the operation mode of the domain name on the basis of the temporal relationship between the domain name's use of domain parking and its malicious use. Then, on the basis of the identified pattern, the identification device determines whether the domain name may change into a malicious domain name on or after a predetermined date and time.
FIG. 4 is a diagram showing an example of the configuration of the identification device 10. As shown in FIG. 4, the identification device 10 includes an input unit 11, a storage unit 12, a control unit 13, and an output unit 14.
The input unit 11 includes a DNS dataset input unit 111, a domain name registration information input unit 112, and a domain name blacklist input unit 113.
Next, the storage unit 12 in FIG. 4 is described. The storage unit 12 stores first pattern information, second pattern information, and third pattern information.
The first pattern information is information showing time-series patterns for a single period (life cycle) from the registration of a domain name until its expiration. An example of this first pattern information is shown in FIG. 1.
Next, the second pattern information is described. The second pattern information is information showing patterns of change in the operation mode of a domain name before and after the re-registration of that domain name. An example of this second pattern information is shown in FIG. 2.
Next, the third pattern information is described. The third pattern information is information showing patterns of time-series change in operation mode when a domain name is operated with a plurality of name servers (a plurality of domain parking operators) simultaneously or while switching between them.
Next, the control unit 13 in FIG. 4 is described. The control unit 13 includes a first identification unit 131, a second identification unit 132, a third identification unit 133, and a determination unit 134.
Next, an example of the processing procedure of the identification device 10 is described with reference to FIG. 8. First, the DNS dataset input unit 111 of the identification device 10 receives input of a DNS dataset (S1). The domain name registration information input unit 112 receives input of domain name registration information (S2). Further, the domain name blacklist input unit 113 receives input of a domain name blacklist (S3).
Next, a specific example of the processing executed by the identification device 10 is described. FIG. 9 is a diagram showing an example of identification performed on domain names by the identification device 10.
An example of identification for "example.com" as of July 2, 2020 (serial number 1 in FIG. 9) is described. For example, referring to the DNS dataset in FIG. 5, "example.com" was set to the non-parking NS record "ns.malicious.example" on June 1, 2020, and to the domain parking NS record "ns.parking.example" on July 1, 2020. From this, the identification device 10 determines that "example.com" has been used for domain parking by a single operator since July 1, 2020.
Further, the identification device 10 identifies the time-series patterns that may apply to the operation mode of "example.com" on or after July 3, 2020. As described above, "example.com" has been used for domain parking since July 1, 2020. Therefore, for the operation mode from July 3, 2020 until the domain name expires, the identification device 10 identifies the candidate time-series patterns as patterns 2, 4, and 7 in FIG. 1.
Next, an example of identification for "example.net" as of July 2, 2020 (serial number 2 in FIG. 9) is described.
Further, the identification device 10 identifies the time-series patterns that may apply to the operation mode of "example.net" on or after July 3, 2020. As described above, "example.net" has a record of malicious use on July 1, 2020. Therefore, for the operation mode from July 3, 2020 until the domain name expires, the identification device 10 identifies the candidate time-series patterns as patterns 3, 5, 8, and 9 in FIG. 1.
Next, an example of identification for "example.org" as of July 2, 2020 (serial number 3 in FIG. 9) is described.
Further, the identification device 10 identifies the time-series patterns that may apply to the operation mode of "example.org" on or after July 3, 2020. As described above, "example.org" has a record of malicious use on July 1, 2020. Therefore, for the operation mode from July 3, 2020 until the domain name expires, the identification device 10 identifies the candidate time-series patterns as patterns 3, 5, 8, and 9 in FIG. 1.
Finally, an example of identification for "example.jp" as of July 2, 2020 (serial number 4 in FIG. 9) is described.
Further, the identification device 10 identifies the time-series patterns that may apply to the operation mode of "example.jp" on or after July 3, 2020. As described above, "example.jp" has been used for domain parking since July 1, 2020. Therefore, for the operation mode from July 3, 2020 until the domain name expires, the identification device 10 identifies the candidate time-series patterns as patterns 2, 4, and 7 in FIG. 1.
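The identification step walked through above for serial numbers 1 to 4 (and in the English summary earlier on this page), as an added Python example that is not the patent's own code: it classifies each domain's operation mode as of a reference date from a DNS dataset and a blacklist, maps the mode to the FIG. 1 candidate patterns the worked example states, and orders the domains so that those likely to turn malicious are re-checked more often. The sample rows, the NS-host-to-operator mapping, and the choice of patterns 2, 4 and 7 as the high-risk set are assumptions.

```python
# Constructed sample inputs (not the patent's FIGS. 5-7). Dates are ISO strings,
# so they compare correctly as plain strings.
# DNS dataset rows: (domain, observation date, NS host name)
DNS_DATASET = [
    ("example.com", "2020-06-01", "ns.malicious.example"),
    ("example.com", "2020-07-01", "ns.parking.example"),
    ("example.net", "2020-06-01", "ns.other.example"),
    ("example.org", "2020-06-01", "ns.other.example"),
    ("example.jp", "2020-07-01", "ns.parking-a.example"),
    ("example.jp", "2020-07-01", "ns.parking-b.example"),
]
# Assumed mapping from a parking NS host to the parking operator running it
PARKING_NS = {"ns.parking.example": "op1",
              "ns.parking-a.example": "op2", "ns.parking-b.example": "op3"}
# Blacklist rows: (domain, date of recorded malicious use)
BLACKLIST = [("example.net", "2020-07-01"), ("example.org", "2020-07-01")]

# FIG. 1 candidates as stated in the page's worked example; the remaining
# patterns of FIG. 1 are not on the page, so other modes get no candidates.
CANDIDATES = {"parked": {2, 4, 7}, "malicious_record": {3, 5, 8, 9}}
# Assumption: the patterns reachable from parking are the ones the example
# treats as a "relatively high" likelihood of turning into malicious use.
HIGH_RISK_PATTERNS = {2, 4, 7}


def operation_mode(domain, as_of):
    """Operation mode as of `as_of` and the number of parking operators in use."""
    if any(d == domain and t <= as_of for d, t in BLACKLIST):
        return "malicious_record", 0
    rows = [(t, ns) for d, t, ns in DNS_DATASET if d == domain and t <= as_of]
    if not rows:
        return "unknown", 0
    latest = max(t for t, _ in rows)  # most recent NS configuration
    operators = {PARKING_NS[ns] for t, ns in rows if t == latest and ns in PARKING_NS}
    return ("parked", len(operators)) if operators else ("other", 0)


def candidate_patterns(domain, as_of):
    """FIG. 1 patterns that may still apply from the day after `as_of` until expiry."""
    mode, _ = operation_mode(domain, as_of)
    return CANDIDATES.get(mode, set())


def needs_frequent_check(domain, as_of):
    return bool(candidate_patterns(domain, as_of) & HIGH_RISK_PATTERNS)


def check_order(domains, as_of):
    """Domains likely to turn malicious come first, so they are re-checked more often."""
    return sorted(domains, key=lambda d: (not needs_frequent_check(d, as_of), d))
```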
Each component of each illustrated device is a functional concept and does not necessarily have to be physically configured as shown in the figure. That is, the specific form of distribution and integration of each device is not limited to the one shown in the figure; all or part of it may be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions. Further, all or any part of each processing function performed by each device may be realized by a CPU (Central Processing Unit) and a program executed by the CPU, or as hardware by wired logic.
The identification device 10 described above can be implemented by installing a program as package software or online software on a desired computer. For example, by causing an information processing apparatus to execute the above program, the information processing apparatus can function as the system of each embodiment. The information processing apparatus referred to here includes desktop or notebook personal computers. Information processing apparatuses also include smartphones, mobile communication terminals such as mobile phones and PHS (Personal Handyphone System) terminals, and slate terminals such as PDAs (Personal Digital Assistants).
11 Input unit
12 Storage unit
13 Control unit
14 Output unit
111 DNS dataset input unit
112 Domain name registration information input unit
113 Domain name blacklist input unit
131 First identification unit
132 Second identification unit
133 Third identification unit
134 Determination unit
Claims (6)
- A determination device comprising: an input unit that receives input of time-series information showing in time series the operation mode of a domain name up to a predetermined date and time; an identification unit that, on the basis of the input time-series information of the domain name and pattern information showing patterns of time-series change in the operation mode of domain names, identifies which of the patterns shown in the pattern information the time-series change in the operation mode of the input domain name corresponds to, and, on the basis of the identified pattern, identifies candidates for the operation mode of the domain name on or after the predetermined date and time; a determination unit that determines, on the basis of the identified candidates for the operation mode of the domain name on or after the predetermined date and time, whether the operation mode of the domain name may change to malicious use; and an output unit that outputs the result of the determination.
- The determination device according to claim 1, wherein the time-series information of the domain name further includes, when the domain name has been used maliciously, information indicating the time of the malicious use, and the pattern information is information showing patterns of time-series change in the operation mode of domain names that include malicious use of the domain names.
- The determination device according to claim 1, wherein the time-series information of the domain name further includes information indicating the time at which the domain name was re-registered after expiration; the pattern information further includes information showing patterns of the operation mode of domain names in the periods before and after re-registration; and the identification unit, when it is determined on the basis of the input time-series information that the input domain name has been re-registered, identifies which of the patterns shown in the pattern information the change in operation mode in the periods before and after the re-registration of the input domain name corresponds to, and, on the basis of the identified pattern, identifies candidates for the operation mode of the domain name on or after the predetermined date and time.
- The determination device according to claim 1, wherein the time-series information of the domain name further includes information showing in time series the host names of one or more name servers used to operate the domain name; the pattern information further includes information showing patterns of time-series change in operation mode when a domain name is operated with a plurality of name servers simultaneously or while switching between them; and the identification unit further, when it is determined on the basis of the input time-series information that the input domain name has been re-registered, identifies on the basis of the pattern information whether the change in operation mode in the periods before and after the re-registration of the input domain name corresponds to a pattern shown in the pattern information, and, on the basis of the identified pattern, identifies candidates for the operation mode of the domain name on or after the predetermined date and time.
- A determination method executed by a determination device, the method comprising: a step of receiving input of time-series information showing in time series the operation mode of a domain name up to a predetermined date and time; a step of, on the basis of the input time-series information of the domain name and pattern information showing patterns of time-series change in the operation mode of domain names, identifying which of the patterns shown in the pattern information the time-series change in the operation mode of the input domain name corresponds to, and, on the basis of the identified pattern, identifying candidates for the operation mode of the domain name on or after the predetermined date and time; a step of determining, on the basis of the identified candidates for the operation mode of the domain name on or after the predetermined date and time, whether the operation mode of the domain name may change to malicious use; and a step of outputting the result of the determination.
- A determination program that causes a computer to execute: a step of receiving input of time-series information showing in time series the operation mode of a domain name up to a predetermined date and time; a step of, on the basis of the input time-series information of the domain name and pattern information showing patterns of time-series change in the operation mode of domain names, identifying which of the patterns shown in the pattern information the time-series change in the operation mode of the input domain name corresponds to, and, on the basis of the identified pattern, identifying candidates for the operation mode of the domain name on or after the predetermined date and time; a step of determining, on the basis of the identified candidates for the operation mode of the domain name on or after the predetermined date and time, whether the operation mode of the domain name may change to malicious use; and a step of outputting the result of the determination.
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2020/032935 WO2022044334A1 (ja) | 2020-08-31 | 2020-08-31 | Determination device, determination method, and determination program |
EP20951583.2A EP4187412A4 (en) | 2020-08-31 | 2020-08-31 | DETERMINATION DEVICE, DETERMINATION METHOD AND DETERMINATION PROGRAM |
JP2022545265A JPWO2022044334A1 (ja) | 2020-08-31 | 2020-08-31 | |
US18/023,034 US20230308478A1 (en) | 2020-08-31 | 2020-08-31 | Determination device, determination method, and determination program |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022044334A1 true WO2022044334A1 (ja) | 2022-03-03 |
Family
ID=80354944
Country Status (4)
Country | Link |
---|---|
US (1) | US20230308478A1 (ja) |
EP (1) | EP4187412A4 (ja) |
JP (1) | JPWO2022044334A1 (ja) |
WO (1) | WO2022044334A1 (ja) |
Also Published As
Publication number | Publication date |
---|---|
JPWO2022044334A1 (ja) | 2022-03-03 |
US20230308478A1 (en) | 2023-09-28 |
EP4187412A4 (en) | 2024-03-13 |
EP4187412A1 (en) | 2023-05-31 |