JP2013232716A - Attack determination apparatus, attack determination method and attack determination program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To detect unknown attacks.SOLUTION: When a normal access request known to be normal is sent to an information processing apparatus, an attack determination apparatus learns setting information set in the normal access request as normal information. The attack determination apparatus stores a set of normal information thus learned. If an unknown access request that is not known to be normal is sent to the information processing apparatus, on the other hand, the attack determination apparatus calculates an index value indicating a degree of classification of setting information set in the unknown access request under the set of normal information. The attack determination apparatus then determines whether or not the unknown access request is an attack on the information processing apparatus on the basis of the calculated index value.

Description

  Embodiments described herein relate generally to an attack determination device, an attack determination method, and an attack determination program.

  2. Description of the Related Art Conventionally, with the spread of the Internet, cyber attacks against servers that distribute applications have increased rapidly. Typical examples of cyber attacks include unauthorized HTTP (HyperText Transfer Protocol) requests, SQL (Structured Query Language) injection, and cross-site scripting attacks that target vulnerabilities in Web applications.

  As countermeasures against such attacks, there are known unauthorized intrusion detection / protection systems for networks called IDS (Intrusion Detection System), IPS (Intrusion Prevention System), WAF (Web Application Firewall) and the like. In these systems, an attack that matches a pattern is detected and prevented using a “black list” or a “signature file” obtained by patterning various attack methods.

Akira Yamada, Yu Miyake, Keisuke Takemori, Toshiaki Tanaka “Unknown attack detection system that automatically generates learning data” IPSJ Journal, vol. 46, no. 8 August 2005

  However, it is difficult to detect an unknown attack with the above-described conventional technology. Specifically, since attacks evolve every day, in the case of a method of patterning a known attack in advance, it is necessary to pattern the attack of the detection target and the defense target after the attack is known, It was difficult to respond to unknown attacks. In addition, in the case of a method for patterning an attack, it is necessary to create a patterned data by analyzing an attack each time a new attack is discovered, so there is a cost for dealing with the attack. Invite the problem.

  The technology disclosed in the present application has been made in view of the above, and an object thereof is to provide an attack determination device, an attack determination method, and an attack determination program capable of detecting an unknown attack.

  The attack determination apparatus according to the embodiment learns the setting information set in the normal access request as normal information when a normal access request that is known to be normal is transmitted to the information processing apparatus. A learning result storage unit that stores a set of normal information learned by the learning unit, and an unknown access request that is not known to be normal is transmitted to the information processing apparatus, and is set in the unknown access request A calculation unit that calculates an index value indicating a degree to which the set information being classified into the set of normal information, and the unknown access request is sent to the information processing device based on the index value calculated by the calculation unit It is provided with the determination part which determines whether it is an attack.

  The attack determination device, the attack determination method, and the attack determination program according to the embodiment have an effect that an unknown attack can be detected.

FIG. 1 is a diagram illustrating a configuration example of a network system according to the first embodiment. FIG. 2 is an explanatory diagram illustrating an example of an attack detected by the attack determination device according to the first embodiment. FIG. 3 is a diagram illustrating a configuration example of the attack determination device according to the first embodiment. FIG. 4 is an explanatory diagram illustrating a processing example by the reconstruction unit and the extraction unit according to the first embodiment. FIG. 5 is a flowchart illustrating a learning process procedure performed by the attack determination apparatus according to the first embodiment. FIG. 6 is a flowchart illustrating an attack determination processing procedure performed by the attack determination apparatus according to the first embodiment. FIG. 7 is a diagram illustrating a computer that executes an attack determination program.

  Hereinafter, embodiments of an attack determination device, an attack determination method, and an attack determination program according to the present application will be described in detail with reference to the drawings. The embodiment does not limit the attack determination apparatus, the attack determination method, and the attack determination program according to the present application.

(First embodiment)
[Network system configuration]
First, the network system according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram illustrating a configuration example of a network system 1 according to the first embodiment. The network system 1 illustrated in FIG. 1 includes user terminals 11 and 12, a network 20, a network device 30, a server device 40, a probe 50, and an attack determination device 100. The user terminals 11 and 12 and the server device 40 are communicably connected to each other via the network 20 and the network device 30.

  The number of devices included in the network system 1 is not limited to the example shown in FIG. For example, the network system 1 may include two or more user terminals 11, a user terminal 12, a network device 30, a server device 40, a probe 50, and an attack determination device 100.

  The user terminals 11 and 12 are information processing apparatuses used by a user, such as a PC (Personal Computer) or a mobile terminal apparatus. The user terminals 11 and 12 access the server device 40 in accordance with user operations. Here, in the first embodiment, the user terminal 11 is used by a non-malicious user (for example, an administrator of the attack determination device 100) and normally accesses the server device 40. . On the other hand, it is assumed that the user terminal 12 may be used by a malicious attacker to perform an attack (cyber attack such as unauthorized access) on the server device 40.

  The network 20 is, for example, a WAN (Wide Area Network) or a LAN (Local Area Network), and forms a communication network. The network 20 may form a wired network or a wireless network.

  The network device 30 is a device that mediates between the server device 40 and the network 20, and is, for example, a switch or a router.

  The server device 40 is an information processing device that provides various services. For example, the server device 40 is installed with a Web application and provides various Web services in response to a request from the user terminal 11 or 12. The server device 40 may include not only the server device but also a storage device that stores various data.

  The probe 50 acquires (captures) various communication packets flowing through the network device 30 and outputs the acquired communication packets to the attack determination device 100. The probe 50 according to the first embodiment acquires a communication packet (for example, an access request such as an HTTP request) from the user terminal 11 or 12 to the server device 40. Note that the probe 50 may be integrated with the network device 30.

  The attack determination device 100 determines whether an attack is being performed on the server device 40 using the communication packet output from the probe 50. Specifically, in the network system 1 according to the first embodiment, first, only the user terminal 11 used by an administrator or the like can access the server device 40, and the server from outside the user terminal 12 or the like A communication environment for learning that cannot access the device 40 is formed. Then, the user terminal 11 transmits an access request that is known to be normal to the server device 40 by repeatedly accessing the server device 40 in the learning communication environment. At this time, the attack determination device 100 learns the setting information (query to be described later) set in the access request that is known to be normal transmitted to the server device 40, and uses the learned setting information for the normal information. Keep as a set.

  The attack determination apparatus 100 is set to an access request when an access request that is not known to be normal is transmitted to the server apparatus 40 in a normal operation communication environment instead of a learning communication environment. An index value indicating the degree to which the setting information is classified into the above-described set of normal information is calculated. Then, the attack determination device 100 determines whether the access request is an attack on the server device 40 based on the calculated index value.

  As described above, since the attack determination device 100 according to the first embodiment performs the attack determination using the index value whose setting information is classified into a set of normal information, a pre-patterned attack signature file or black An unknown attack against the server device 40 can be detected without requiring a list. That is, the attack determination apparatus 100 can reduce the cost required for creating patterned data by an expert or the like, and can detect an unknown attack.

  Here, the attack detected by the attack determination apparatus 100 according to the first embodiment will be described with reference to FIG. FIG. 2 is an explanatory diagram illustrating an example of an attack detected by the attack determination device 100 according to the first embodiment.

  As in the example shown in Fig. 2 (1), anomaly-type IPS can be used for "network attack and DoS attack (SYN flood attack, etc.)", "system and application search", "abnormally formatted packets and contents. Detects “attack used”. Further, as in the example shown in FIG. 2B, the application type FW detects “access not permitted by the administrator”, “invalid use of P2P (Peer to Peer) application”, and the like.

  Also, as in the example shown in FIG. 2 (3), the signature type IPS is “attack or intrusion targeting OS (Operating System) and service vulnerabilities”, “part of Web application vulnerabilities”. Etc. are detected. Further, as in the example shown in FIG. 2D, the anti-virus detects “harmful contents such as viruses, worms, and Trojan horses”, “spam mail and phishing”, and the like.

  Further, as in the example shown in FIG. 2 (5), the WAF detects “illegal HTTP request”, “SQL injection”, “cross-site scripting attack”, and the like aimed at the vulnerability of the Web application. As for various attacks aimed at vulnerabilities of this type of Web application, unknown attacks are constantly being developed. A cyber attack, which is a major news, is an attack mainly targeting vulnerabilities of this type of Web application, and when such an attack is received, a big blow is given to corporate management. However, since a general WAF detects an attack using a signature file or the like obtained by patterning an attack technique in advance, it is difficult to detect an unknown attack.

  Therefore, the attack determination apparatus 100 according to the first embodiment detects an attack (FIG. 2 (5)) mainly targeting the vulnerability of the Web application among the various attacks shown in FIG. Thereby, since the attack determination apparatus 100 according to the first embodiment can always detect an attack in which an unknown attack has been developed, it can prevent a cyber attack from becoming a large-scale news, and corporate management. It is possible to prevent giving a big hit to.

[Configuration of attack determination device]
Next, the attack determination apparatus 100 according to the first embodiment will be described with reference to FIG. FIG. 3 is a diagram illustrating a configuration example of the attack determination apparatus 100 according to the first embodiment. In the following, a case where the server device 40 operates as a Web server and the user terminals 11 and 12 transmit an HTTP request to the server device 40 will be described as an example.

  As illustrated in FIG. 3, the attack determination apparatus 100 according to the first embodiment includes an IF (interface) unit 110, a learning result storage unit 120, a reconstruction unit 131, an extraction unit 132, and a learning unit 133. And a calculation unit 134 and a determination unit 135.

  The IF unit 110 is, for example, a NIC (Network Interface Card) or the like, and transmits / receives various data to / from an external device. For example, the IF unit 110 receives a communication packet from the probe 50.

  The learning result storage unit 120 learns a set of setting information (query to be described later) that can be arbitrarily set by the sender of the HTTP request among various information included in the normal HTTP request transmitted to the server device 40 (a result of learning). As normal information). In the first embodiment, the “normal HTTP request” indicates an HTTP request transmitted from the user terminal 11 to the server device 40.

  Specifically, setting information that can be arbitrarily set by the sender is set in the HTTP request as a query formed by a combination of an attribute name (attribute) and an attribute value (value). The learning result storage unit 120 stores a normal attribute value (value) corresponding to the attribute name for each attribute name (attribute) set in the normal HTTP request.

  The learning unit 133 described later includes a linear classifier (for example, a Bayes filter or the like, also called “linear classifier” or the like) realized by software or the like for each attribute name. The linear classifier for each attribute name learns such a normal attribute value by inputting a normal attribute value corresponding to the attribute name as training example data. That is, the linear classifier according to the first embodiment outputs a likelihood (also referred to as “score”) that the attribute value is normal when a predetermined attribute value is input as determination target data. Become. The learning result storage unit 120 stores a set of normal attribute values learned by such a linear classifier for each linear classifier (that is, for each attribute name).

  The learning result storage unit 120 stores a normal attribute value for each attribute name according to the size of the attribute value, or sets a normal attribute value learned by a linear classifier for each attribute name for each attribute name. It is decided whether to memorize. This will be described later together with the learning unit 133.

  Such a learning result storage unit 120 is realized by, for example, a semiconductor memory element such as a RAM (Random Access Memory) or a flash memory, a hard disk, an optical disk, or the like.

  Subsequently, the reconstruction unit 131, the extraction unit 132, the learning unit 133, the calculation unit 134, and the determination unit 135 will be described. However, the reconstruction unit 131 and the extraction unit 132 can receive only HTTP requests that are known to be normal. It operates in both a learning communication environment transmitted to the server device 40 and a normal operation communication environment in which an HTTP request that is not known to be normal is transmitted to the server device 40. On the other hand, the learning unit 133 operates in a learning communication environment and does not operate in a normal operation communication environment. The calculation unit 134 and the determination unit 135 operate in a normal operation communication environment, and do not operate in a learning communication environment.

  The reconstruction unit 131, the extraction unit 132, the learning unit 133, the calculation unit 134, and the determination unit 135 are realized by an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array). . The reconstruction unit 131, the extraction unit 132, the learning unit 133, the calculation unit 134, and the determination unit 135 are stored in a storage device (not shown) by a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or the like, for example. The program is executed by using the RAM as a work area.

  The reconstruction unit 131 reconstructs an HTTP request for the server device 40 from the communication packet received from the probe 50 via the IF unit 110. Specifically, the communication packet acquired by the probe 50 is a bit string. The reconstruction unit 131 reconstructs an HTTP request from such a bit string.

  The extraction unit 132 extracts a query from the HTTP request reconstructed by the reconstruction unit 131. Then, the extraction unit 132 extracts the combination of the attribute name and the attribute value by decomposing the query extracted from the HTTP request for each combination of the attribute name and the attribute value. Specifically, the HTTP request query is described in the format of “attribute name = attribute value”. Further, in the HTTP request query, when a plurality of combinations of attribute names and attribute values are included, “&” is described as a delimiter character string between “attribute name = attribute value”. The extraction unit 132 analyzes the description format and extracts a combination of the attribute name and the attribute value from the query.

  The reason why the extraction unit 132 extracts the query will be described. An attacker who is a user of the user terminal 12 or the like attacks the server device 40 while pretending to be normal access. However, the query included in the HTTP request at the time of attack is generally different from normal access. Therefore, in the first embodiment, in order to determine whether the access is normal access or abnormal access, a query is extracted from the HTTP request.

  Here, the processing performed by the reconstruction unit 131 and the extraction unit 132 will be described with reference to FIG. FIG. 4 is an explanatory diagram illustrating a processing example by the reconstruction unit 131 and the extraction unit 132 according to the first embodiment. FIG. 4 shows an example in which a request URI (Uniform Resource Identifier) is transmitted as an HTTP request to the server device 40.

  In the example illustrated in FIG. 4, it is assumed that the probe 50 has acquired the communication packet P11 from the network device 30. In such a case, the reconstruction unit 131 of the attack determination device 100 reconstructs the HTTP request P12 from the communication packet P11. FIG. 4 illustrates only the HTTP header portion of the HTTP request P12 reconstructed by the restructuring unit 131.

  Then, the extraction unit 132 extracts “/redirect.php?test=a%0d%0aLocation:%20http://attack.example.com/” that is the query part q12 from the HTTP request P12 of FIG. Then, the extraction unit 132 extracts a combination of the attribute name “test” and the attribute value “a% 0d% 0aLocation:% 20http: //attack.example.com/” from the query part q12.

  In the example of FIG. 4, an example in which a set of attribute name and attribute value is included in the query part q12 is shown. However, the extraction unit 132 may extract a query such as “name =% 91% BE% 98Y & OS = win & submit =% 91% 97% 90M% 91% 97% 90M...% 91” from the HTTP request. is there. The extraction unit 132 may extract such a query when the method of the HTTP request is POST or PUT. In this example, the query includes three sets of attribute names and attribute values. That is, the extraction unit 132, from such a query, the combination of the attribute name “name” and the attribute value “% 91% BE% 98Y”, the combination of the attribute name “OS” and the attribute value “win”, and the attribute name “submit”. ”And the attribute value“% 91% 97% 90M% 91% 97% 90M...% 91 ”are extracted.

  The learning unit 133 learns the combination of the attribute name and the attribute value included in the normal access using the combination of the attribute name and the attribute value extracted by the extraction unit 132, and sets the attribute for each attribute name in the normal access. A set of values is stored in the learning result storage unit 120. Further, as described above, the learning unit 133 includes a linear classifier realized by software or the like for each attribute name.

  The processing by the learning unit 133 will be specifically described. The learning unit 133 performs the following processing for each combination of attribute name and attribute value extracted from the normal HTTP request by the extraction unit 132. First, the learning unit 133 determines whether or not the size (number of bytes) of the attribute value extracted by the extraction unit 132 is larger than a predetermined threshold (hereinafter referred to as “size threshold T1”). Then, when the size of the attribute value is larger than the size threshold T1, the learning unit 133 decodes the attribute value. Then, the learning unit 133 decomposes the decoded attribute values into features by performing morphological analysis. And the learning part 133 inputs the feature after decomposition | disassembly as training example data with respect to the linear discriminator corresponding to the attribute name extracted by the extraction part 132. FIG. Thereby, each linear classifier learns the feature after decomposition, and stores the learned feature in the learning result storage unit 120.

  In the following, the learning result by the linear classifier stored in the learning result storage unit 120 may be expressed as “lern (attribute, [feature (set)])”. That is, when the feature X1, the feature X2, and the feature X3 are learned by the linear classifier corresponding to the attribute name “submit”, the learning result by the linear classifier is “lern (submit, [feature X1, feature X2, feature X2, Feature X3]) ”.

  For example, as in the above example, a combination of the attribute name “submit” and the attribute value “% 91% 97% 90M% 91% 97% 90M...% 91” is extracted by the extraction unit 132. . Further, it is assumed that the size of this attribute value is larger than the size threshold T1. In such a case, the learning unit 133 decodes the attribute value “% 91% 97% 90M% 91% 97% 90M...% 91”. Here, it is assumed that the learning unit 133 has acquired “AAABBBCCC” as a decoding result. Then, the learning unit 133 obtains, for example, features “AAA”, “BBB”, and “CCC” by performing morphological analysis on the attribute value “AAABBBCCCC”. In such a case, the learning unit 133 causes the linear discriminator corresponding to the attribute name “submit” to learn the features “AAA”, “BBB”, and “CCC” as a set of normal attribute values. As a result, the learning result storage unit 120 stores the features “AAA”, “BBB”, and “CCC” as the learning result of the linear classifier corresponding to the attribute name “submit”. That is, the learning result storage unit 120 stores “lern (submit, [AAA, BBB, CCC])”.

  After this, it is assumed that the extraction unit 132 newly extracts a combination of the attribute name “submit” and a predetermined attribute value. The predetermined attribute value has a size larger than the size threshold T1, the decoding result by the learning unit 133 is “DDDEEEFFF”, and the morphological analysis results are the features “DDD”, “EEE”, and “FFF”. Shall. In such a case, the learning unit 133 causes the linear discriminator corresponding to the attribute name “submit” to learn the features “DDD”, “EEE”, and “FFF” as a set of normal attribute values. As a result, in addition to the features “AAA”, “BBB”, and “CCC”, the learning result storage unit 120 uses “DDD”, “EEE”, and “CCC” as the learning result of the linear classifier corresponding to the attribute name “submit”. “FFF” is stored. That is, the learning result storage unit 120 stores “lern (submit, [AAA, BBB, CCC, DDD, EEE, FFF])”.

  On the other hand, if the size of the attribute value extracted by the extraction unit 132 is equal to or smaller than the size threshold T1, the learning unit 133 may have difficulty learning the attribute value to the linear classifier. The attribute value is stored in the learning result storage unit 120 as a normal attribute value set corresponding to the attribute name included in the normal HTTP request.

  Hereinafter, a normal attribute value set corresponding to the attribute name (attribute) stored in the learning result storage unit 120 may be referred to as “Correct (attribute)”. That is, the normal attribute value set corresponding to the attribute name “submit” is “Correct (submit)”.

  For example, it is assumed that the combination of the attribute name “test” and the attribute value “% 91% 97% 90M” is extracted by the extraction unit 132. Further, it is assumed that the size of the attribute value is equal to or smaller than the size threshold T1. In this case, the learning unit 133 stores the attribute value “% 91% 97% 90M” in the learning result storage unit 120 as the learning result of the attribute name “test”. Further, it is assumed that a combination of the attribute name “test” and the attribute value “% 91% 91% 91M” is newly extracted by the extraction unit 132 thereafter. The size of the attribute value “% 91% 91% 91M” is assumed to be equal to or smaller than the size threshold T1. In this case, the learning unit 133 adds the attribute value “% 91% 91% 91M” to the learning result storage unit 120 in addition to the attribute value “% 91% 97% 90M” as the learning result of the attribute name “test”. Store. That is, the learning result storage unit 120 stores the attribute value set “Correct (test) = (% 91% 97% 90M,% 91% 91% 91M)”.

  As described above, the learning unit 133 learns the combination of the attribute name and the attribute value extracted from the normal HTTP request by the extraction unit 132 and stores the learning result in the learning result storage unit 120. Thereby, the learning result storage unit 120 stores a set of normal attribute values corresponding to the attribute name for each attribute name included in the normal HTTP request.

  When the HTTP request that is not known to be normal is transmitted to the server device 40, the calculation unit 134 includes the normal setting information in which the attribute value extracted by the extraction unit 132 is stored in the learning result storage unit 120. An index value indicating the degree of classification into the set (normal information described above) is calculated.

  Specifically, the calculation unit 134 performs the following process for each combination of attribute name and attribute value extracted by the extraction unit 132. First, the calculation unit 134 determines whether the size of the attribute value extracted by the extraction unit 132 is larger than the size threshold T1. When the size of the attribute value is larger than the size threshold T1, the calculation unit 134 decodes the attribute value and decomposes the decoded attribute value into features by performing morphological analysis. Then, the calculation unit 134 inputs the decomposed feature as the determination target data to the linear classifier corresponding to the attribute name extracted by the extraction unit 132, so that the feature is included in the normal information for each feature. Likelihood classified into a set (hereinafter, sometimes referred to as “classification likelihood”) is calculated as the index value. The classification likelihood is output by the linear classifier.

  In addition, when the size of the attribute value extracted by the extraction unit 132 is equal to or smaller than the size threshold T1, the calculation unit 134 includes an attribute value set “Correct (attribute)” stored in the learning result storage unit 120, The similarity (in other words, “difference”) with the attribute value is calculated as the index value.

  For example, the calculation unit 134 acquires the attribute value set “Correct (attribute)” corresponding to the attribute name extracted by the extraction unit 132 from the learning result storage unit 120. Then, the calculation unit 134 calculates the Levenshtein distance between the attribute value extracted by the extraction unit 132 and the attribute value set “Correct (attribute)” acquired from the learning result storage unit 120, and the calculated Levenshtein distance Among them, the minimum Levenstein distance is selected as the similarity (that is, the index value).

  This point will be described more specifically. For example, the calculation unit 134 uses a function “F (x, y)” for calculating the Levenshtein distance. Among the functions “F (x, y)”, “x” is an attribute value of the determination target data extracted by the extraction unit 132. “Y” is an attribute value set “Correct (attribute)” corresponding to the attribute name extracted by the extraction unit 132. Then, the calculating unit 134 calculates the Levenshtein distance between “x” and “y” using the function “F (x, y)”. At this time, since “y” is the attribute value set “Correct (attribute)”, there may be a plurality of attribute values. When there are a plurality of attribute values, the calculation unit 134 calculates the minimum Levenstein distance among the Levenstein distances between the attribute values included in the attribute value set “Correct (attribute)” and “x” as the index value. Calculate as

  Then, the calculation unit 134 performs calculation processing using the above-described linear classifier or similarity (for example, Levenshtein distance) for all combinations of attribute names and attribute values extracted from the HTTP request by the extraction unit 132. The calculation process using is performed.

  The determination unit 135 determines whether the HTTP request transmitted to the server device 40 is an attack based on the index value (“classification likelihood” or “similarity”) calculated by the calculation unit 134.

  Specifically, when the classification likelihood of each feature calculated by the calculation unit 134 is lower than a predetermined threshold (hereinafter referred to as “likelihood threshold T2”), the determination unit 135 determines that the feature is abnormal. If the classification likelihood of the feature is equal to or greater than the likelihood threshold T2, it is determined that the feature is normal.

  Further, when the similarity of the attribute value calculated by the calculation unit 134 is lower than a predetermined threshold (hereinafter referred to as “similarity threshold T3”), the determination unit 135 determines that the attribute value is abnormal. If the attribute value similarity is equal to or greater than the similarity threshold T3, it is determined that the attribute value is normal. When the Levenshtein distance is calculated as the similarity by the calculation unit 134, the determination unit 135 determines that the Levenstein distance is abnormal when the Levenstein distance is greater than the similarity threshold T3. When the distance is equal to or less than the similarity threshold T3, it is determined that the distance is normal.

  Then, the determination unit 135 uses determination processing using classification likelihood and similarity (for example, Levenshtein distance) for all combinations of attribute names and attribute values extracted from the HTTP request by the extraction unit 132. The determination process that was performed is performed. The determination unit 135 inputs from the probe 50 when the sum of the number of features determined to be abnormal and the number of attribute values is greater than a predetermined threshold (hereinafter referred to as “abnormal number threshold T4”). It is determined that the received HTTP request is an attack on the server device 40. On the other hand, the determination unit 135 determines that the HTTP request input from the probe 50 is not an attack on the server device 40 when the number of features and attribute values determined to be abnormal is equal to or less than the abnormal number threshold T4.

  If the determination unit 135 determines that the HTTP request is an attack, the determination unit 135 may store the log as a log in a storage unit (not shown), or an administrator terminal used by an administrator or the like via the IF unit 110. A warning may be sent to.

  In the above example, the calculation unit 134 inputs each feature obtained by decomposing the attribute value as determination target data to the linear discriminator, and obtains the classification likelihood for each feature from the linear discriminator. At this time, the calculation unit 134 may determine whether the attribute value before decomposition is normal or abnormal by comparing the classification likelihood of each feature obtained from the linear classifier and the likelihood threshold T2. Good. For example, if the number of features lower than the likelihood threshold T2 is greater than a predetermined number among the decomposed features, the calculation unit 134 determines that the attribute value before decomposition is abnormal, and the likelihood threshold If the number of features lower than T2 is less than or equal to the predetermined number, it is determined that the attribute value before decomposition is normal. Then, the determination unit 135 uses determination processing using classification likelihood and similarity (for example, Levenshtein distance) for all combinations of attribute names and attribute values extracted from the HTTP request by the extraction unit 132. When the number of attribute values determined to be abnormal is larger than the abnormal number threshold T4, it is determined that the HTTP request input from the probe 50 is an attack on the server device 40. On the other hand, the determination unit 135 determines that the HTTP request input from the probe 50 is not an attack on the server device 40 when the number of attribute values determined to be abnormal is equal to or less than the abnormality number threshold T4. Thus, the calculation unit 134 may determine whether the attribute value is normal or abnormal for each attribute value.

  Some linear classifiers output classification likelihood of attribute values before decomposition formed by a plurality of features when a plurality of features are input. In such a case, the calculation unit 134 inputs the plurality of features after decomposition to the linear classifier, and compares the classification likelihood before decomposition output from the linear classifier with the likelihood threshold T2, It may be determined whether the attribute value before decomposition is normal or abnormal.

[Learning process by attack determination device]
Next, a learning process procedure performed by the above-described attack determination apparatus 100 will be described with reference to FIG. FIG. 5 is a flowchart illustrating a learning processing procedure performed by the attack determination apparatus 100 according to the first embodiment. In addition, when performing the learning process, the attack determination apparatus 100 performs the process by the learning unit 133, but stops the processes by the calculation unit 134 and the determination unit 135.

  As illustrated in FIG. 5, the attack determination device 100 is transmitted by the user terminal 11 when normal access is made from the user terminal 11 to the server device 40 in the learning communication environment (Yes in step S101). The received communication packet is received from the probe 50 (step S102).

  Subsequently, the reconstruction unit 131 reconstructs an HTTP request from the communication packet received from the probe 50 (step S103). Then, the extraction unit 132 extracts a combination of the attribute value and the attribute name set in the HTTP request query reconstructed by the reconstruction unit 131 (step S104). Note that the extraction unit 132 may extract a plurality of combinations of attribute values and attribute names.

  Subsequently, the learning unit 133 performs the processes in steps S <b> 105 to S <b> 109 below for each combination of the attribute value and the attribute name extracted by the extraction unit 132. Specifically, the learning unit 133 determines whether or not the size of the attribute value extracted by the extraction unit 132 is larger than the size threshold T1 (Step S105).

  If the size of the attribute value is larger than the size threshold T1 (Yes at Step S105), the learning unit 133 decodes the attribute value (Step S106). Subsequently, the learning unit 133 decomposes the decoded attribute value into features by performing morphological analysis (step S107). And the learning part 133 learns each feature as normal information by inputting the feature after decomposition | disassembly as training example data with respect to the linear discriminator corresponding to the attribute name extracted by the extraction part 132 (step). S108).

  On the other hand, when the size of the attribute value is equal to or smaller than the size threshold value T1 (No at Step S105), the learning unit 133 associates the attribute value with the attribute name extracted by the extraction unit 132 and stores the attribute value in the learning result storage unit 120. (Step S109).

  Then, the learning unit 133 determines whether or not processing has been performed for all combinations of attribute values and attribute names extracted by the extraction unit 132 (step S110). At this time, when the learning unit 133 has not performed processing for all combinations of attribute values and attribute names (No in step S110), the learning unit 133 performs processing in steps S105 to S109 for unprocessed attribute values and attribute name combinations. Process. On the other hand, when the learning unit 133 has processed all combinations of attribute values and attribute names (Yes at Step S110), the learning process ends.

[Attack determination processing by the attack determination device]
Next, the procedure of the attack determination process performed by the above-described attack determination apparatus 100 will be described with reference to FIG. FIG. 6 is a flowchart illustrating an attack determination processing procedure performed by the attack determination apparatus 100 according to the first embodiment. In addition, when performing the attack determination process, the attack determination apparatus 100 performs the process by the calculation unit 134 and the determination unit 135, but stops the process by the learning unit 133.

  As illustrated in FIG. 6, the attack determination device 100 receives a communication packet from the probe 50 when the user terminal 12 or the like accesses the server device 40 in a normal operation communication environment (Yes in step S201). (Step S202). Subsequently, the reconstruction unit 131 reconstructs an HTTP request from the communication packet (step S203). Then, the extraction unit 132 extracts a combination of an attribute value and an attribute name from the HTTP request (Step S204).

  Subsequently, the calculation unit 134 and the determination unit 135 perform processing in steps S <b> 205 to S <b> 211 below for each combination of the attribute value and the attribute name extracted by the extraction unit 132. Specifically, the calculation unit 134 determines whether the size of the attribute value extracted by the extraction unit 132 is larger than the size threshold T1 (step S205).

  If the size of the attribute value is larger than the size threshold T1 (Yes at Step S205), the calculation unit 134 decodes the attribute value (Step S206). Subsequently, the calculation unit 134 decomposes the decoded attribute value into features by performing morphological analysis (step S207).

  Subsequently, the calculation unit 134 calculates the classification likelihood of the feature by inputting each of the decomposed features as determination target data to the linear classifier corresponding to the attribute name extracted by the extraction unit 132. (Step S208).

  Subsequently, the determination unit 135 determines whether or not the feature is abnormal based on the classification likelihood calculated by the calculation unit 134, and counts the number of the features determined to be abnormal (step S209). . For example, when the classification likelihood is lower than the likelihood threshold T2, the determination unit 135 adds “1” to the number of abnormal features. The determination unit 135 determines whether or not each feature obtained in step S207 is abnormal, and counts the number of abnormal features.

  On the other hand, when the size of the attribute value is equal to or smaller than the size threshold T1 (No at Step S205), the calculation unit 134 uses the above-described function F (x, y) to extract the attribute extracted by the extraction unit 132. The similarity (for example, Levenstein distance) between the attribute value set (“Correct (attribute)”) stored in the learning result storage unit 120 in association with the name and the attribute value is calculated (step S210).

  Subsequently, the determination unit 135 counts the number of attribute values that are abnormal based on the similarity calculated by the calculation unit 134 (step S211). For example, when the Levenshtein distance is larger than the similarity threshold T3, the determination unit 135 adds “1” to the number of attribute values that are abnormal.

  Then, the calculation unit 134 and the determination unit 135 determine whether or not processing has been performed for all combinations of attribute values and attribute names extracted by the extraction unit 132 (step S212). At this time, when processing is not performed for all combinations of attribute values and attribute names (No in step S212), the calculation unit 134 and the determination unit 135 perform the above steps for the combination of unprocessed attribute values and attribute names. The processing in S205 to S211 is performed.

  On the other hand, when all the combinations of attribute values and attribute names have been processed (Yes at Step S212), the determination unit 135 determines whether or not the number counted in Steps S209 and S211 is larger than the abnormal number threshold T4. Determination is made (step S213).

  When the counted number is larger than the abnormal number threshold T4 (Yes at Step S213), the determining unit 135 determines that the access performed at Step S201 is an attack on the server device 40 (Step S214). On the other hand, when the counted number is equal to or less than the abnormal number threshold T4 (No at Step S213), the determination unit 135 determines that the access performed at Step S201 is a normal access, not an attack on the server device 40. (Step S215).

[Effect of the first embodiment]
As described above, in the attack determination device 100 according to the first embodiment, the learning unit 133 determines that the HTTP request (corresponding to an example of a normal access request) known to be normal is the server device 40 (information processing If it is transmitted to a device (equivalent to an example of a device), an attribute value (corresponding to an example of setting information) set in the normal HTTP request is learned as normal information. Further, the learning result storage unit 120 stores a set of normal information learned by the learning unit 133. In addition, when an HTTP request that is not known to be normal (corresponding to an example of an unknown access request) is transmitted to the server device 40, the calculation unit 134 indicates that the setting information set in the unknown HTTP request is normal. An index value indicating the degree of classification into a set of information is calculated. Further, the determination unit 135 determines whether or not the above-described unknown HTTP request is an attack on the server device 40 based on the index value calculated by the calculation unit 134.

  Thereby, the attack determination apparatus 100 according to the first embodiment can detect an unknown attack on the server apparatus 40 without requiring a pre-patterned attack signature file or blacklist. That is, the attack determination apparatus 100 can reduce the cost required for creating patterned data by an expert or the like, and can detect an unknown attack.

  In the attack determination device 100 according to the first embodiment, the learning unit 133 learns the attribute value as normal information for each attribute name set in the normal HTTP request. The learning result storage unit 120 stores a set of normal information learned by the learning unit 133 for each attribute name. Further, the calculation unit 134 calculates an index value indicating whether or not the attribute value set in the unknown HTTP request is classified into a set of normal information corresponding to the attribute name of the attribute value.

  Thereby, the attack determination device 100 according to the first embodiment can determine whether or not the attribute value is abnormal for each attribute name set in the HTTP request. It is possible to detect unknown attacks with high accuracy.

  Further, in the attack determination device 100 according to the first embodiment, the learning unit 133 decomposes the attribute value when the size of the attribute value set in the normal HTTP request is larger than the size threshold T1. (Corresponding to an example of partial setting information) is learned as normal information. In addition, when the size of the attribute value set in the unknown HTTP request is larger than the size threshold T1, the calculation unit 134 determines whether or not the feature obtained by decomposing the attribute value is classified into a set of normal information. The index value shown is calculated.

  Thereby, since the attack determination apparatus 100 according to the first embodiment calculates the index value after subdividing the attribute value set in the HTTP request, it is possible to accurately determine whether the attribute value is abnormal. As a result, an unknown attack on the server device 40 can be detected with high accuracy.

  Further, in the attack determination device 100 according to the first embodiment, the learning unit 133 converts the attribute value set in the unknown HTTP request to the linear classifier corresponding to the attribute name of the attribute value. By inputting it as training example data, the feature is learned as normal information. In addition, when the size of the attribute value set in the unknown HTTP request is equal to or smaller than the size threshold T1, the calculation unit 134 calculates the similarity between the attribute value and the set of normal information as the above-described index value. . In addition, when the size of the attribute value set in the unknown access request is larger than the size threshold T1, the calculation unit 134 sets each feature obtained by decomposing the attribute value to a linear corresponding to the attribute name of the attribute value. A classification likelihood that is a likelihood that each feature is classified into a set of normal information is calculated as the above-described index value by inputting the data as determination target data into the discriminator. In addition, the determination unit 135 is unknown when the number of attribute values whose similarity is lower than the similarity threshold T3 or the number of features whose classification likelihood is lower than the likelihood threshold T2 is larger than the abnormal number threshold T4. Is determined to be an attack.

  Thereby, the attack determination apparatus 100 according to the first embodiment can determine that an HTTP request in which an attribute value that is highly likely to be abnormal is set is an attack.

(Second Embodiment)
The attack determination apparatus 100 described above may be implemented in various different forms other than the above embodiment. Therefore, in the second embodiment, another embodiment of the attack determination apparatus 100 will be described.

[Determination process]
In the above-described embodiment, an example has been described in which the determination unit 135 determines an attack when the sum of the number of features determined to be abnormal and the number of attribute values is greater than the abnormal number threshold T4. However, the determination process by the determination unit 135 is not limited to this example.

  For example, the determination unit 135 may determine that the HTTP request input from the probe 50 is an attack if there is even one feature determined to be abnormal using the classification likelihood. For example, the determination unit 135 may determine that the HTTP request is an attack if there is at least one attribute value determined to be abnormal using the similarity. For example, the determination unit 135 may determine that the HTTP request is not an attack when all the features and all the attribute values are not abnormal.

  Further, for example, the determination unit 135 calculates the average of each classification likelihood calculated by the calculation unit 134 and the average of each similarity, the average of the classification likelihood is lower than the likelihood threshold T2, and If the average similarity is lower than the similarity threshold T3, it may be determined that the HTTP request is an attack. For example, the determination unit 135 determines that the HTTP request is an attack when the average of the classification likelihoods is lower than the likelihood threshold T2 or the average of the similarities is lower than the similarity threshold T3. May be.

[Access request]
In the above embodiment, an HTTP request has been described as an example of an access request. However, an access request for which an attack determination process is performed by the attack determination apparatus 100 is not limited to an HTTP request. Specifically, the attack determination device 100 can perform attack determination processing for various access requests in which arbitrary setting information (parameters) can be set by a user who accesses the server device 40.

[System configuration]
In addition, among the processes described in the above embodiment, all or part of the processes described as being automatically performed can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedures, specific names, and information including various data and parameters shown in the document and drawings can be arbitrarily changed unless otherwise specified.

  For example, the attack determination apparatus 100 may stop the calculation unit 134 and the determination unit 135 when the communication environment for learning is specified, but the calculation unit 134 and the determination unit 135 are manually stopped. May be. Similarly, the attack determination device 100 may stop the learning unit 133 when it is designated that the communication environment is a normal operation, but the learning unit 133 may be manually stopped.

  Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured.

  For example, the calculation unit 134 and the determination unit 135 illustrated in FIG. 3 may be integrated. In addition, the learning result storage unit 120 may be separated into a first storage unit that stores “Correct (attribute)” and a second storage unit that stores “lern (attribute, [feature (set)]” ”. Good.

  Further, the reconstruction unit 131 and the extraction unit 132 may not be included in the attack determination device 100. For example, the probe 50 may include the reconstruction unit 131 and the extraction unit 132. In the first embodiment, an example has been described in which both the learning unit 133 and the calculation unit 134 perform processing for decoding attribute values and performing morphological analysis on the decoded attribute values. However, the attack determination apparatus 100 may include a decoding unit that decodes the attribute value and an analysis unit that performs morphological analysis of the attribute value separately from the learning unit 133 and the calculation unit 134. In such a case, the learning unit 133 and the calculation unit 134 cause the decoding unit to perform decoding processing and cause the analysis unit to perform morpheme analysis processing.

[program]
In addition, it is possible to create a program in which the processing executed by the attack determination apparatus 100 described in the above embodiment is described in a language that can be executed by a computer. For example, it is possible to create an attack determination program in which the processing executed by the attack determination apparatus 100 is described in a language that can be executed by a computer. In this case, when the computer executes the attack determination program, the same effect as in the above embodiment can be obtained. Further, by recording the attack determination program on a computer-readable recording medium, and reading the attack determination program recorded on the recording medium into a computer and executing it, the same processing as in the above embodiment can be realized. Good. Hereinafter, as an example, an example of a computer that executes an attack determination program that realizes the same function as the attack determination apparatus 100 illustrated in FIG. 3 will be described.

  FIG. 7 is a diagram illustrating a computer 1000 that executes an attack determination program. As illustrated in FIG. 7, the computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012 as illustrated in FIG. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1031 as illustrated in FIG. The disk drive interface 1040 is connected to the disk drive 1041 as illustrated in FIG. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive. The serial port interface 1050 is connected to, for example, a mouse 1051 and a keyboard 1052 as illustrated in FIG. The video adapter 1060 is connected to a display 1061, for example, as illustrated in FIG.

  Here, as illustrated in FIG. 7, the hard disk drive 1031 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the attack determination program is stored in, for example, the hard disk drive 1031 as a program module in which a command executed by the computer 1000 is described. For example, a reconstruction procedure for executing information processing similar to that of the reconstruction unit 131 illustrated in FIG. 3, an extraction procedure for executing information processing similar to that of the extraction unit 132, and information processing similar to that of the learning unit 133 are performed. A hard disk drive 1031 stores a program module 1093 in which a learning procedure, a calculation procedure for executing information processing similar to that of the calculation unit 134, and a determination procedure for executing information processing similar to that of the determination unit 135 are described.

  In addition, various data held by the learning result storage unit 120 described in the above embodiment is stored as program data, for example, in the memory 1010 or the hard disk drive 1031. Then, the CPU 1020 reads the program module 1093 and program data 1094 stored in the memory 1010 and the hard disk drive 1031 to the RAM 1012 as necessary, and executes a reconstruction procedure, an extraction procedure, a learning procedure, a calculation procedure, and a determination procedure.

  Note that the program module 1093 and the program data 1094 related to the attack determination program are not limited to being stored in the hard disk drive 1031, but are stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive or the like. Also good. Alternatively, the program module 1093 and the program data 1094 related to the attack determination program are stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.), and the network interface 1070 is stored. Via the CPU 1020.

DESCRIPTION OF SYMBOLS 1 Network system 40 Server apparatus 100 Attack determination apparatus 120 Learning result storage part 131 Reconstruction part 132 Extraction part 133 Learning part 134 Calculation part 135 Determination part

Claims (6)

A learning unit that learns setting information set in the normal access request as normal information when a normal access request that is known to be normal is transmitted to the information processing apparatus;
A learning result storage unit that stores a set of normal information learned by the learning unit;
When an unknown access request that is not known to be normal is transmitted to the information processing apparatus, an index value indicating the degree to which the setting information set in the unknown access request is classified into the set of normal information is calculated A calculating unit to
An attack determination device comprising: a determination unit that determines whether or not the unknown access request is an attack on the information processing device based on the index value calculated by the calculation unit. The learning unit
For each attribute of the setting information set in the normal access request, the setting information is learned as the normal information,
The learning result storage unit
A set of normal information learned by the learning unit is stored for each attribute,
The calculation unit includes:
The index value indicating whether or not the setting information set in the unknown access request is classified into the set of normal information corresponding to the attribute of the setting information is calculated. Attack determination device. The learning unit
When the size of the setting information set in the normal access request is larger than a predetermined size threshold, the partial setting information obtained by disassembling the setting information is learned as the normal information,
The calculation unit includes:
When the size of the setting information set in the unknown access request is larger than the size threshold, an index value indicating whether or not the partial setting information obtained by disassembling the setting information is classified into the normal information set The attack determination device according to claim 2, wherein the attack determination device calculates the attack. The learning unit
By inputting the partial setting information obtained by disassembling the setting information set in the unknown access request as training example data to the linear discriminator corresponding to the attribute of the setting information, the partial setting information is learned as the normal information. ,
The calculation unit includes:
When the size of the setting information set in the unknown access request is equal to or smaller than the size threshold, the similarity between the setting information and the set of normal information is calculated as the index value and set in the unknown access request When the size of the setting information being set is larger than the size threshold, the partial setting information obtained by disassembling the setting information is input as determination target data to the linear classifier corresponding to the attribute of the setting information. The likelihood that each partial setting information is classified into the set of normal information is calculated as the index value,
The determination unit
When the number of setting information whose similarity is lower than a predetermined similarity threshold or the number of partial setting information whose likelihood is lower than a predetermined likelihood threshold is larger than a predetermined number, the unknown access request is It determines with it being an attack. The attack determination apparatus of Claim 3 characterized by the above-mentioned. An attack determination method executed by an attack determination device,
A learning step for learning, as normal information, setting information set in the normal access request when a normal access request that is known to be normal is transmitted to the information processing apparatus;
A storage step of storing a set of normal information learned in the learning step in a learning result storage unit;
When an unknown access request that is not known to be normal is transmitted to the information processing apparatus, an index value indicating the degree to which the setting information set in the unknown access request is classified into the set of normal information is calculated A calculating step to
An attack determination method comprising: a determination step of determining whether or not the unknown access request is an attack on the information processing device based on the index value calculated in the calculation step.   The attack determination program for functioning a computer as an attack determination apparatus as described in any one of Claims 1-4.

Images