WO2022219819A1 - Determination device, determination method, and determination program - Google Patents

Determination device, determination method, and determination program

Info

Publication number
WO2022219819A1
Authority
WO
WIPO (PCT)
Prior art keywords
attack
communication
blind
communication log
logs
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2021/015759
Inventor
楊 鐘本
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NTT Inc
Original Assignee
Nippon Telegraph and Telephone Corp
Application filed by Nippon Telegraph and Telephone Corp
Priority to JP2023514312A (JP7505642B2)
Priority to PCT/JP2021/015759 (WO2022219819A1)
Priority to US18/281,761 (US12381894B2)
Publication of WO2022219819A1
Current legal status: Ceased

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416 Event detection, e.g. attack signature detection
    • H04L63/1425 Traffic logging, e.g. anomaly detection
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Definitions

  • the present invention relates to a determination device, a determination method, and a determination program for determining whether or not a blind attack has succeeded.
  • Example 1: Blind SQL injection
  • an object of the present invention is to solve the above-described problem and determine whether or not a blind attack has succeeded.
  • the present invention comprises a session extraction unit that extracts a series of communication logs of the same session from the communication log that is the target of attack detection, and a blind attack detection unit that determines, from the URL of the request destination in the communication log, whether or not the request is a blind attack, and identifies the location of the attack target and the content of the attack;
  • it further comprises a success/failure determination unit that extracts, from the series of communication logs of the same session, the communication logs whose attack target location matches, and determines that the blind attack by the series of communications indicated by those logs has succeeded if the extracted communication logs contain multiple types of attack content and multiple response status codes and response sizes, and a determination result output unit that outputs the result of the determination.
  • FIG. 1 is a diagram for explaining an outline of the operation of the determination device.
  • FIG. 2 is a diagram illustrating a configuration example of a determination device.
  • FIG. 3 is a diagram showing an example of the communication log in FIG. 2.
  • FIG. 4 is a diagram showing an example of the detection data.
  • FIG. 5 is a diagram for explaining success/failure determination by the success/failure determination unit in FIG. 2.
  • FIG. 6 is a flowchart illustrating an example of the processing procedure of the determination device.
  • FIG. 7 is a diagram showing a configuration example of a system including a determination device.
  • FIG. 8 is a diagram showing a configuration example of a computer that executes the determination program.
  • a blind attack is an attack in which requests with different parameters are sent to an attack target, and information is sought from differences in responses to the requests.
  • the determination device 10 obtains, from the communication log of communication with the web server, the request to the web server ((1)) and the status code and response size of the response to that request ((2)). Then, based on the acquired data, the determination device 10 identifies blind attacks within the same session and determines the success or failure of the attacks from the status codes and response sizes ((3)).
  • the determination device 10 extracts a series of communication logs of the same session (see reference numeral 101 in FIG. 1) from among the acquired communication logs. Then, the determination device 10 determines whether or not the series of communications is a blind attack from the URL of the request destination of the extracted series of communication logs.
  • when the determination device 10 determines that the series of communications is a blind attack, that the attack target location is the same (for example, the parameter id of the URL), that the contents of the attack (for example, the parameters set in the request) are different, and that the response status codes and response sizes are different, the determination device 10 determines that the blind attack by the series of communications indicated by reference numeral 101 has succeeded.
  • the determination device 10 can detect a blind attack and determine whether or not the blind attack was successful.
  • the determination device 10 includes a storage unit 11 and a control unit 12.
  • the storage unit 11 stores data referred to when the control unit 12 executes various processes and data generated by executing those processes.
  • the storage unit 11 stores the communication log that is the target of attack detection, the session data (described later) extracted by the control unit 12, the detection data (described later), the determination result data indicating whether or not the attack was successful, and the like.
  • the communication log includes, for each entry targeted for attack detection, its identification information (No.), the time at which the communication occurred, the source and destination of the request, the URL of the request destination, the response status code, the response size, and so on.
  • the communication log is input via an input/output unit (not shown) of the determination device 10, for example.
  • the control unit 12 controls the entire determination device 10.
  • the control unit 12 includes a session extraction unit 121, a blind attack detection unit 122, a success/failure determination unit 123, and a determination result output unit 124.
  • the session extraction unit 121 extracts communication logs of the same session from the communication logs. For example, the session extraction unit 121 extracts, from the communication log, a series of communications with the same source and destination and within a predetermined period of time as the communication log of the same session.
  • the session extraction unit 121 extracts [1, 2, 5], [3, 4], and [6] as communication logs of the same session. Then, the session extraction unit 121 assigns session identification information (for example, S1, S2, S3) to each of the extracted groups of communication logs.
  • the blind attack detection unit 122 uses existing signature detection, for example, to determine whether or not the request indicated by the communication log is a blind attack.
  • the blind attack detection unit 122 detects [2, 3, 4, 5] having the above detection signature from the communication log shown in FIG. 3 as the communication log of the blind attack (see FIG. 4).
  • the blind attack detection unit 122 also identifies the target location of the blind attack and the content of the blind attack from the communication log of the blind attack, for example, as shown in FIG. 4. Then, the blind attack detection unit 122 stores, as detection data in the storage unit 11, the identification information (No.) of the communication log in which the blind attack was detected, the target location of the blind attack, the information indicating the content of the blind attack (see FIG. 4), and the like.
  • the success/failure determination unit 123 extracts, from among the communication logs of the same session, the communication logs with the same attack target location. Then, if the success/failure determination unit 123 determines that the extracted communication logs contain multiple types of attack content and multiple response status codes and response sizes, it determines that the blind attack was successful. On the other hand, the success/failure determination unit 123 determines that the blind attack has failed when the contents of the attack in the extracted communication logs are not of multiple types, the response status codes are not multiple, or the response sizes are not multiple.
  • the success/failure determination unit 123 refers to the session data and extracts the communication log of the same session from the communication log. Then, the success/failure determination unit 123 refers to the detection data, and identifies, from the extracted communication logs, a communication log in which a blind attack is detected and the location of the attack target matches.
  • the blind attacks in communication logs Nos. 2 and 5 belong to session S1, and the attack target locations match with the parameter id. Further, since the contents of the blind attacks in the communication logs of Nos. 2 and 5 are different, and the status codes and response sizes are different, the success/failure determination unit 123 determines that the attacks have succeeded.
  • the blind attacks in the communication logs Nos. 3 and 4 belong to session S2, and the attack target locations match with the parameter pw.
  • although the contents of the blind attacks in communication logs Nos. 3 and 4 are different, the status codes and response sizes are the same, so the success/failure determination unit 123 determines that the attack has failed.
  • the determination result output unit 124 outputs the determination result of the success/failure determination unit 123.
  • the determination result output unit 124 outputs the determination result that the communication logs Nos. 2 and 5 indicate blind attacks against the parameter id and that the attacks were successful.
  • the determination device 10 can thus detect a blind attack without modifying an existing system, and can determine whether or not the blind attack has succeeded from the behavior of the communication within the session in which the attack is being performed.
  • when a new communication log is input, the session extraction unit 121 determines, based on the session data, whether the communication log belongs to a new session or is part of an existing session, and updates the session data accordingly (S12).
  • if the blind attack detection unit 122 detects the new communication log as a blind attack (Yes in S13), the success/failure determination unit 123 determines whether the blind attack succeeded or failed based on the session data (S14). Then, the determination result output unit 124 outputs the determination result of S14 (S15). On the other hand, if the blind attack detection unit 122 does not detect the new communication log as a blind attack (No in S13), the process ends.
  • the determination device 10 thus detects a blind attack without modifying the existing system, and determines whether or not the blind attack was successful from the behavior of the communication within the session in which the attack is being performed. As a result, maintenance personnel and administrators can distinguish high-priority alerts from low-priority alerts for such attacks, so security operations can be performed efficiently.
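As an added example that is not part of the patent or its description, the following Python script implements the three steps described above, session extraction, signature-based blind attack detection, and success/failure determination, over a constructed six-entry log laid out like the one in FIG. 3 (entries 1, 2 and 5 from one source, 3 and 4 from another, 6 from a third). The regular expression used as the detection signature, the 300-second session window, the field names and all addresses and payload values are assumptions; the page itself only speaks of "existing signature detection" and "a predetermined period of time".

```python
"""Blind-attack success/failure determination over a web server log.

Added example, not the patent's own code. Reproduces the page's three steps:
session extraction, signature-based blind attack detection, and the
success/failure rule (multiple attack contents AND multiple status codes AND
multiple response sizes within one session and one target parameter).
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log (all values invented), with the fields the page lists:
# No., time of occurrence, source, destination, request URL, status code, size.
# Parameter values are percent-encoded as a web server would log them.
SAMPLE_LOG = [
    {"no": 1, "time": "2021-04-16T10:00:00", "src": "10.0.0.5", "dst": "192.0.2.10",
     "url": "/item?id=1", "status": 200, "size": 2048},
    {"no": 2, "time": "2021-04-16T10:00:05", "src": "10.0.0.5", "dst": "192.0.2.10",
     "url": "/item?id=1%27%20AND%201%3D1--", "status": 200, "size": 2048},
    {"no": 3, "time": "2021-04-16T10:00:10", "src": "10.0.0.7", "dst": "192.0.2.10",
     "url": "/login?user=bob&pw=x%27%20OR%201%3D1--", "status": 401, "size": 512},
    {"no": 4, "time": "2021-04-16T10:00:15", "src": "10.0.0.7", "dst": "192.0.2.10",
     "url": "/login?user=bob&pw=x%27%20OR%201%3D2--", "status": 401, "size": 512},
    {"no": 5, "time": "2021-04-16T10:00:20", "src": "10.0.0.5", "dst": "192.0.2.10",
     "url": "/item?id=1%27%20AND%201%3D2--", "status": 500, "size": 310},
    {"no": 6, "time": "2021-04-16T10:01:00", "src": "10.0.0.9", "dst": "192.0.2.10",
     "url": "/item?id=7", "status": 200, "size": 2100},
]

# Assumed stand-in for the "existing signature detection" the page mentions:
# a quote followed by a boolean clause comparing two numbers.
BLIND_SIGNATURE = re.compile(r"['\"]\s*(and|or)\s+\d+\s*=\s*\d+", re.IGNORECASE)

# Assumed value for the page's "predetermined period of time".
SESSION_WINDOW = timedelta(seconds=300)


def extract_sessions(log, window=SESSION_WINDOW):
    """Session extraction unit: entries with the same source/destination whose
    gap to the previous entry of that pair is within `window` share a session.
    Returns a mapping {log No. -> session id such as "S1"}."""
    session_of = {}
    open_sessions = {}  # (src, dst) -> (session id, time of last entry)
    counter = 0
    for entry in sorted(log, key=lambda e: e["time"]):
        key = (entry["src"], entry["dst"])
        when = datetime.fromisoformat(entry["time"])
        current = open_sessions.get(key)
        if current is None or when - current[1] > window:
            counter += 1
            sid = f"S{counter}"
        else:
            sid = current[0]
        open_sessions[key] = (sid, when)
        session_of[entry["no"]] = sid
    return session_of


def detect_blind_attacks(log):
    """Blind attack detection unit: returns detection data as
    {log No. -> (attack target location = parameter name, attack content)}."""
    detections = {}
    for entry in log:
        query = urlsplit(entry["url"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if BLIND_SIGNATURE.search(value):
                detections[entry["no"]] = (name, value)
                break
    return detections


def determine_success(log, session_of, detections):
    """Success/failure determination unit: per (session, target parameter),
    success requires more than one attack content, more than one status code
    and more than one response size, exactly as the page states the rule."""
    groups = {}
    for entry in log:
        if entry["no"] not in detections:
            continue
        param, content = detections[entry["no"]]
        groups.setdefault((session_of[entry["no"]], param), []).append((entry, content))
    results = []
    for (sid, param), items in sorted(groups.items()):
        contents = {content for _, content in items}
        statuses = {entry["status"] for entry, _ in items}
        sizes = {entry["size"] for entry, _ in items}
        results.append({
            "session": sid,
            "target": param,
            "log_nos": sorted(entry["no"] for entry, _ in items),
            "succeeded": len(contents) > 1 and len(statuses) > 1 and len(sizes) > 1,
        })
    return results


def run(log=SAMPLE_LOG):
    """Full pipeline; returns the determination results for the output unit."""
    session_of = extract_sessions(log)
    detections = detect_blind_attacks(log)
    return determine_success(log, session_of, detections)


if __name__ == "__main__":
    for result in run():
        verdict = "succeeded" if result["succeeded"] else "failed"
        print(f"{result['session']} target={result['target']} "
              f"logs={result['log_nos']}: blind attack {verdict}")
```

On the constructed log the script reports S1/id (entries 2 and 5) as a successful blind attack and S2/pw (entries 3 and 4) as a failed one, matching the worked example in the description. The success rule is applied exactly as the page states it, with all three conditions required; whether to relax it (for instance, treating a response-size difference alone as evidence) is a tuning decision the page does not address.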
  • the blind attack detection unit 122 of the determination device 10 may be installed outside the determination device 10.
  • the blind attack detection unit 122 may be realized by an attack detection device such as a WAF (Web Application Firewall) installed outside the determination device 10, as shown in (1) and (2) of FIG. 7.
  • the determination device 10 may be directly connected to the web server that is the target of the success/failure determination (in-line configuration), as shown in FIG. 7(1), or may be connected to the web server via an attack detection device such as a WAF (tap configuration), as shown in FIG. 7(2).
  • each constituent element of each part shown in the figure is functionally conceptual, and does not necessarily need to be physically configured as shown in the figure.
  • the specific form of distribution and integration of each device is not limited to the illustrated one; all or part of the devices can be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions.
  • all or any part of each processing function performed by each device can be implemented by a CPU and a program executed by the CPU, or implemented as hardware based on wired logic.
  • the determination device 10 described above can be implemented by installing a program as package software or online software on a desired computer.
  • the information processing device can function as the determination device 10 by causing the information processing device to execute the above program.
  • the information processing apparatus referred to here includes a desktop or notebook personal computer.
  • information processing devices include mobile communication terminals such as smartphones, mobile phones and PHS (Personal Handyphone Systems), and terminals such as PDAs (Personal Digital Assistants).
  • the determination device 10 can also be implemented as a server device that uses a terminal device used by a user as a client and provides the client with services related to the above processing.
  • the server device may be implemented as a web server, or may be implemented as a cloud that provides services related to the above processing by outsourcing.
  • FIG. 8 is a diagram showing an example of a computer that executes a determination program.
  • the computer 1000 has a memory 1010 and a CPU 1020, for example.
  • Computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060 and a network interface 1070. These units are connected by a bus 1080.
  • the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012.
  • the ROM 1011 stores a boot program such as BIOS (Basic Input Output System).
  • Hard disk drive interface 1030 is connected to hard disk drive 1090.
  • Disk drive interface 1040 is connected to the disk drive 1100.
  • a removable storage medium such as a magnetic disk or optical disk is inserted into the disk drive 1100 .
  • Serial port interface 1050 is connected to mouse 1110 and keyboard 1120, for example.
  • Video adapter 1060 is connected to display 1130, for example.
  • the hard disk drive 1090 stores, for example, an OS 1091, application programs 1092, program modules 1093, and program data 1094. That is, a program that defines each process executed by the determination device 10 is implemented as a program module 1093 in which computer-executable code is described. Program modules 1093 are stored, for example, on hard disk drive 1090.
  • the hard disk drive 1090 stores a program module 1093 for executing processing similar to the functional configuration of the determination device 10.
  • the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
  • the data used in the processes of the above-described embodiments are stored as program data 1094 in the memory 1010 or the hard disk drive 1090, for example. Then, the CPU 1020 reads out the program modules 1093 and program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 as necessary and executes them.
  • the program modules 1093 and program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in a removable storage medium, for example, and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program modules 1093 and program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). Program modules 1093 and program data 1094 may then be read by CPU 1020 through network interface 1070 from other computers.
  • Reference signs: determination device 10; storage unit 11; control unit 12; session extraction unit 121; blind attack detection unit 122; success/failure determination unit 123; determination result output unit 124.


Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2023514312A JP7505642B2 (ja) 2021-04-16 2021-04-16 Determination device, determination method, and determination program
PCT/JP2021/015759 WO2022219819A1 (ja) 2021-04-16 2021-04-16 Determination device, determination method, and determination program
US18/281,761 US12381894B2 (en) 2021-04-16 2021-04-16 Determination device, determination method, and determination program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/015759 WO2022219819A1 (ja) 2021-04-16 2021-04-16 Determination device, determination method, and determination program

Publications (1)

Publication Number Publication Date
WO2022219819A1 true WO2022219819A1 (ja) 2022-10-20

Family

ID=83640320

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/015759 Ceased WO2022219819A1 (ja) 2021-04-16 2021-04-16 Determination device, determination method, and determination program

Country Status (3)

Country Link
US (1) US12381894B2
JP (1) JP7505642B2
WO (1) WO2022219819A1

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12542806B2 (en) * 2021-05-27 2026-02-03 Ntt, Inc. Analysis device, analysis method, and analysis system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002318734A (ja) * 2001-04-18 2002-10-31 Teamgia:Kk Communication log processing method and system
US20180349602A1 (en) * 2017-06-06 2018-12-06 Sap Se Security testing framework including virtualized server-side platform

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6432210B2 (ja) * 2014-08-22 2018-12-05 Fujitsu Limited Security system, security method, security device, and program
US10587647B1 (en) * 2016-11-22 2020-03-10 Fireeye, Inc. Technique for malware detection capability comparison of network security devices
WO2019013266A1 (ja) 2017-07-12 2019-01-17 Nippon Telegraph and Telephone Corporation Determination device, determination method, and determination program
US10805345B2 (en) * 2017-09-29 2020-10-13 Paypal, Inc. Blind injection attack mitigation
US12250244B2 (en) * 2020-12-31 2025-03-11 Imperva, Inc. Batch clustering of online attack narratives for botnet detection
CN113055399A (zh) * 2021-03-31 2021-06-29 Sangfor Technologies Inc. Method, system and related device for detecting the success of an injection attack


Also Published As

Publication number Publication date
JP7505642B2 (ja) 2024-06-25
US12381894B2 (en) 2025-08-05
JPWO2022219819A1 (ja) 2022-10-20
US20240154976A1 (en) 2024-05-09


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 21937013; Country of ref document: EP; Kind code of ref document: A1
WWE Wipo information: entry into national phase. Ref document number: 2023514312; Country of ref document: JP
WWE Wipo information: entry into national phase. Ref document number: 18281761; Country of ref document: US
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 21937013; Country of ref document: EP; Kind code of ref document: A1
WWG Wipo information: grant in national office. Ref document number: 18281761; Country of ref document: US