JP2006106939A - Hacking detection method, hacking detection apparatus, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a hacking detection method, a hacking detection apparatus and a program for detecting computer hacking by any malicious program. <P>SOLUTION: A program to be monitored is statically analyzed in advance and a system call and information about a route to the system call are stored in association. The program to be monitored is executed, and when the system call is requested, a determination is made as to whether or not the system call and the information about the route to the system call match the previously analyzed system call and the route information matching the system call, respectively. If they do not match, a determination is made that there has been hacking and instructions are provided to inform a system manager about it and to stop or slow down the program to be monitored, etc. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to an intrusion detection method, an intrusion detection device, and a program for detecting an intrusion of a malicious program into a computer.

  A malicious program such as a virus or worm that intrudes by attacking a security hole in a computer system takes control of the intruding computer, destroys the computer itself or the data stored in the computer, or creates illegal data on other computers. Send and so on. In order to deal with such unauthorized programs, there is an intrusion detection system (IDS) that monitors the behavior of programs and systems and detects whether or not control of the computer has been taken.

  As an example of intrusion detection, there is a method proposed by Wagner et al. For confirming abnormality in program execution control by an unauthorized program by static analysis of the program and monitoring of the program execution state from the outside (Non-patent Document 1). .

  In this method, a control flow of a monitoring target program is analyzed in advance, and a system call issue sequence issued by the program is analyzed in advance. The system call is to call an OS (Operating System) function by an application program operating on the OS. When the monitored program is executed, the system call issuance process is monitored from the outside, and whether the issuance sequence matches the system call issuance sequence analyzed in advance to check whether the program has performed an illegal operation. To do.

  The method of Wagner et al. Will be specifically described. FIG. 10 is a diagram for explaining a method of intrusion detection by Wagner et al. FIG. 10A shows a control flow of the monitoring target program 1001. Here, the circled elements indicate the issuance of system calls of the monitoring target program, and the arrows indicate the transition of control between system calls.

  FIG. 10B shows a system call issue sequence of the monitoring target program 1001 shown in FIG. Here, the system call issuance sequence of the monitoring target program expressed in a context-free grammar format will be described as a matching grammar. FIG. 10B is an example of the matching grammar 1002 of the monitoring target program 1001. Here, “Entry” indicates the start point of the program, and “*” indicates zero or more repetitions.

  After issuing the “open” system call, the matching grammar 1002 repeatedly issues the “read” system call zero or more times, and then issues the system calls in the order of “close”, “exec”, and “exit”. It is shown that.

  FIG. 10 (c) shows an overview of an intrusion detection system by the method of Wagner et al. The intrusion detection system according to the method of Wagner et al. Includes a monitoring target program 1001, a matching grammar 1002, a monitoring program 1003, and the like.

  The monitoring target program 1001 is analyzed in advance, and a matching grammar 1002 is generated. When issuing the system call, the monitoring target program 1001 transmits information indicating the system call to the monitoring program 1003. The monitoring program 1003 refers to the matching grammar 1002 and determines whether or not the system call issue sequence of the monitoring target program 1001 matches the system call issue sequence shown in the matching grammar 1002. If the system call sequence does not match, there is a possibility that control of the program has been lost due to intrusion from the outside, so the monitoring program 1003 stops, slows down, and notifies the system administrator of the monitored program 1001. .

D. Wagner and D. Dean. Intrusion Detection via Static Analysis, 2001 IEEE Symposium on Security and Privacy, IEEE, 2001.

  In the Wagner et al. Intrusion detection method described above, if the system call issuance sequence after the monitored program is deprived of control by an unauthorized program attack matches the original system call issuance sequence, whether or not there has been an unauthorized intrusion. It cannot be detected.

  An example of a case where unauthorized intrusion cannot be detected will be described with reference to FIG. In FIG. 11A, the monitoring target program 1101 calls the function “foo” from the function “main”. In the function “foo”, an array “buf” having a size of 10 bytes is declared, and data is read into the array “buf” by the system call “gets”. After calling "gets", return to function "main" with "return" and issue system calls "exec" and "exit".

  An example of the matching grammar of the monitoring target program 1101 by the method of Wagner et al. Is shown in the matching grammar 1102 of FIG. As shown in the matching grammar 1102, the monitoring target program 1101 issues system calls in the order of “gets”, “exec”, and “exit”.

  FIG. 11C shows an example of a stack frame state before the monitoring target program 1101 is attacked by an unauthorized program, that is, when the monitoring target program 1101 is normally executed. An area corresponding to the array “buf” 1103 is secured in the activation record of the function “foo”. A return address “main + m1” of the function “foo” is stored in “PC” 1104 under the declared array “buf” 1103.

  The monitoring target program 1101 operates as follows. The monitoring target program 1101 reads the data into the array “buf” by “gets” in the function “foo” called from the function “main”, and then refers to the “PC” 1104 by “return”. Is returned to the function “main”, and system calls “exec” and “exit” are executed.

  FIG. 11D shows an example of the state of the stack frame when the monitoring target program 1101 is executed after the unauthorized program is executed. An area corresponding to the array “buf” 1103 is secured in the activation record of the function “foo”.

  The monitoring target program 1101 operates as follows. The monitoring target program 1101 reads data into the array “buf” by the system call “gets” in the function “foo” called from the function “main”. Up to this point, the processing is the same as when the monitoring target program 1101 is normally executed.

  Due to the attack by the malicious program, illegal data exceeding the 10-byte area length of the array “buf” 1103 is read by calling “gets”. Then, invalid data read by calling “gets” is written in “PC” 1104, which should have stored the correct return address, and the return address of function “foo” is the address of attack code 1105. Changed as shown. Further, the attack code 1105 is written on the stack by an unauthorized program. If the system call of the unauthorized program that has returned according to the address is “exec”, the unauthorized program is executed.

  The intrusion detection method of Wagner et al. Detects unauthorized intrusion by matching the system call issuance sequence. Therefore, when the system call issuance sequence as described above matches between the original program and the program after being attacked by the unauthorized program, the unauthorized intrusion cannot be detected.

  The present invention has been made in view of such circumstances, and an object thereof is to provide an intrusion detection method, an intrusion detection device, and a program for detecting unauthorized intrusion into a computer.

  The present invention has been made in order to achieve the above-described object. A system call when there is no unauthorized intrusion into the monitored program and route information to the system call, a system call request by executing the monitored program, and the By comparing with the route information to the system call, it is determined whether or not the computer executing the program has been illegally intruded.

  Specifically, for example, an intrusion detection method in which a computer detects unauthorized intrusion into a monitored program, and a system call when there is no unauthorized intrusion into the monitored program, and route information to the system call. And when the system call is requested by executing the monitoring target program, information indicating the system call and route information to the system call are acquired. A third step for determining whether the information indicating the requested system call and the route information to the system call match the stored system call and the route information corresponding to the system call; If it is determined that the step matches the third step, the requested system call is executed. Characterized in that it comprises the steps of, a.

  Further, for example, the route information to the system call is a route in the monitoring target program or a route in a memory area of a computer that executes the monitoring target program.

  For example, the route information to the system call is a branch address.

  The information processing apparatus and program according to the present invention can detect unauthorized intrusion into a computer. In particular, it is possible to detect that a computer that has been illegally invaded is attacked by an unauthorized program and control of the program that operates by itself is deprived. As a result, it is possible to cope with stopping, slowing down, notifying the system administrator, and the like of a program executed on an unauthorized computer.

  Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. FIG. 1 is a diagram illustrating an example of a configuration of an intrusion detection device according to the present embodiment. In FIG. 1, an intrusion detection device 1 includes a central processing unit (CPU) 2, a memory 3, an HDD (Hard Disk Drive) 4, an output unit 5, an input unit 6, a communication unit 7, and the like.

  The intrusion detection device 1 is, for example, a computer system. In the present embodiment, it is assumed that the intrusion detection apparatus 1 executes the monitoring target program 102 and further executes the monitoring program 101 that monitors the monitoring target program 102. The intrusion detection device 1 that executes the monitoring target program 102 is not limited to a device having a specific function. For example, the intrusion detection device 1 is applied to a device that communicates with another device via a communication network, such as a Web server or a network file server. Is preferred.

  The central processing unit 2 loads the monitoring program 101, the monitoring target program 102, the OS 103, and the path acquisition program 104 into the memory 3 and executes them.

  The monitoring program 101 is a program that monitors the monitoring target program 102. Specifically, the monitoring program 101 includes a system call requested by the execution of the monitoring target program 102 and route information to the system call, a system call when the monitoring target program 102 has not received unauthorized intrusion, and the system. The monitoring target program 102 is monitored depending on whether or not the route information corresponding to the call matches. In the intrusion detection device 1 of this embodiment, the central processing unit 2 executes the monitoring target program 102 after executing the OS 103.

  The route acquisition program 104 is a program that, when the monitoring target program 102 is executed, acquires route information up to the system call of the program. The path to the system call is, for example, a path in the monitoring target program 102 or a path of an area of the memory 3 that executes the management target program 103.

  Here, it is assumed that the route to the system call is a route in the monitoring target program 102, specifically, a branch address of the monitoring target program 102. This branch address can be acquired by using the function of the branch trace buffer, for example. The branch trace buffer is a function provided in some central processing units, and is a function for storing information on branches generated by program execution in a register on the central processing unit or an area on a memory.

  In this embodiment, the function of the branch trace buffer is used for the route acquisition program 104. The route acquisition program 104 stores the acquired route information and information acquired by the function of the branch trace buffer in a register on the central processing unit 2. Hereinafter, a register area for storing information acquired by the function of the branch trace buffer will be described as the path storage unit 105.

  The route acquisition program 104 stores a plurality of pieces of information 201 relating to branching as shown in FIG. In FIG. 2, the branch-related information 201 includes a branch source address, a branch destination address, and a branch prediction result of a branch instruction. The number of pieces of information related to the branch stored in the path storage unit 105 can be changed by the user specifying using the input unit 6. The central processing unit 2 enables the number of pieces of information related to branches stored in the path storage unit 105 to be set only for users having a specific access right by executing the OS 103 or the like.

  The branch trace buffer is described in, for example, “Intel, IA-32 Intel Architecture Software Developer's Manual Volume 3: System Programming Guide, 2003”.

  In FIG. 1, the analysis program 106 is a program for statically analyzing the monitoring target program 102 and acquiring the system call of the program and the route information to the system call. The central processing unit 2 executes the analysis program 106, acquires the system call of the monitoring target program 102 and the route information to the system call, and associates the acquired system call with the route information to the system call. Stored in the memory 3. Here, the central processing unit 2 stores information indicating a system call and route information up to the system call in an arbitrary grammar expression in the memory 3, and hereinafter referred to as a matching grammar. explain.

  An example of the matching grammar when the route information to the system call is a branch address will be described with reference to FIG. In FIG. 3, the matching grammar 301 is an example generated from the monitoring target program 1001 of FIG. 10A by the central processing unit 2 executing the analysis program 106.

  “Read.trace in {{0x2000,0x2001}}” in the matching grammar 301 indicates that a system call “read” passes through branch addresses in the order “0x2000” and “0x2001”. In addition, “open.trace in {{0x1000,0x1002}, {0x1010,0x1002}}” means that the system call “open” branches either “{0x1000,0x1002}” or “{0x1010,0x1002}” Indicates that the address is routed.

  In FIG. 1, the memory 3 stores a matching grammar 107.

  The output unit 5 includes, for example, an output device such as a display, a speaker, and a printer, and a control unit such as a driver of the output device.

  The input unit 6 includes, for example, an input device such as a keyboard, a mouse, and a microphone, and a control unit such as a driver of the input device.

  The communication unit 7 includes, for example, a communication interface such as a LAN (Local Area Network) port and a control unit for the interface. The intrusion detection device 1 may be connected to the Internet or other devices (all not shown) via a LAN or the like.

  In the above-described embodiment, the respective units in the central processing unit 2 of the intrusion detection device 1 and the matching grammar shown in FIG. 1 are provided in the central processing unit and the memory of the same device. However, the central processing unit and the memory of another device may include a part of each unit. For example, the central processing unit of the first device includes the monitoring target program 102, the route acquisition program 104, and the route storage unit 105, and is connected to the first device via a communication network. The analysis program 106, the monitoring program 101, and the memory of the second device may include the matching grammar 107.

  Next, the operation of the intrusion detection device 1 will be described. The central processing unit 2 of the intrusion detection device 1 executes the analysis program 106 in advance to generate the matching grammar 107.

  Note that the analysis program 106 may be executed before the monitoring target program 102 is attacked by an unauthorized program, such as when requested by a system administrator or when the monitoring target program 102 is installed in the intrusion detection apparatus 1. There is no particular limitation.

  The operation of generating the matching grammar 107 will be described with reference to FIG. The operation described with reference to FIG. 4 is realized by the central processing unit 2 loading the analysis program 106 into the memory 3 and executing it.

  The central processing unit 2 executes the analysis program 106, reads the monitoring target program 102, and creates a control flow graph (CFG).

  A control flow graph is a graphical representation of the control structure of a program, and shows the transition relationship of control between basic block nodes consisting of a sequence of command statements that are executed sequentially without judgment or branching. It consists of edges. A technique for generating a control flow graph is known to be used for a compiler or the like. For example, the central processing unit 2 divides a character string describing the monitoring target program 102 into units having meaning as a program language, and A control flow graph is generated by analyzing the structure of the divided character string according to the grammar of the programming language in which the monitoring target program 102 is described.

  The generation of the control flow graph is described in, for example, “A.V. Aho, R. Sethi and J.D. Ullman. Compilers: Principles, Techniques, and Tools, Addisoin-Wesley, 1986”.

  An example of a control flow graph of the monitoring target program 1101 shown in FIG. 11A is shown in FIG. In FIG. 5, the control flow graph includes basic block nodes 501 to 503. The basic block node 501 includes a statement “foo ()” in the function “main”. The basic block node 502 includes statements “gets ()” and “return” in the function “foo”. The basic block node 503 includes command statements “exec” and “exit”.

  The central processing unit 2 stores the generated control flow graph in the variable G. Further, the basic block node set constituting the control flow graph stored in the variable G is stored in the variable N (step 401 in FIG. 4). For example, a control flow graph shown in FIG. 5 will be described. The central processing unit 2 stores the control flow graph shown in FIG. 5 in the variable G, and the control flow graph shown in FIG. The basic block node set, that is, the basic block node 501, the basic block node 502, and the basic block node 503 are stored.

  Next, the central processing unit 2 determines whether or not the basic block node set N is an empty set (N = Φ) (step 402 in FIG. 4).

  When the basic block node set N is an empty set (N = Φ), the central processing unit 2 generates a matching grammar 107 from a system call acquired by processing to be described later and route information to the system call ( S408 in FIG.

  When the basic block node set N is not an empty set (N ≠ Φ), the central processing unit 2 extracts one basic block node from the basic block node set N and stores it in the variable n. Further, the branch set reaching the basic block node n is stored in the variable T. Further, the subset in the basic block node n is stored in the variable S (step 403 in FIG. 4).

  For example, using a control flow graph shown in FIG. 5 as an example, when the basic block nodes 501 to 503 are stored in the basic block node set N, the central processing unit 2 is N ≠ Φ. The basic block node 501 is extracted from the block node set N and is set to n. As a result, the basic block node set N becomes the basic block nodes 502 and 503. Since there is no branch set reaching n (basic block node 501), branch set T = Φ (empty set). Since the imperative sentence in n is “foo ()”, this is a sentence set S.

  Next, the central processing unit 2 determines whether or not the sentence set S in the basic block node n is an empty set (S = Φ) (step 404 in FIG. 4).

  When the sentence set S in the basic block node n is an empty set (S = Φ), the central processing unit 2 executes the process of step 402 again.

  When the sentence set S in the basic block node n is not an empty set (S ≠ Φ), the central processing unit 2 extracts one sentence from the sentence set S in the basic block node and stores it in the variable s (in FIG. 4). Step 405).

  For example, using the control flow graph shown in FIG. 5 as an example, when the basic block node n is the basic block node 501, the central processing unit 2 has S ≠ Φ. ) ”Is taken out to be a sentence s. The sentence set S becomes an empty set by extracting “foo ()”.

  Next, the central processing unit 2 determines whether or not the sentence s is a sentence that executes a system call (step 406 in FIG. 4).

  If the sentence s is not a sentence for executing a system call, the central processing unit 2 executes the process of step 404 again.

  When the sentence s is a sentence for executing a system call, the central processing unit 2 sets “T + {s}” as a branch set that reaches the sentence s (step 407 in FIG. 4), and stores the information in the memory 3. After storing in a specific storage unit, the process of step 404 is executed again. Note that “T” of the branch set “T + {s}” that reaches the sentence s is a branch set up to the basic block node n, and “{s}” is a branch of the sentence s that is a system call. It is. That is, the branch set “T + {s}” obtained here is the path information to the system call of the sentence s.

  For example, using a control flow graph shown in FIG. 5 as an example, if the sentence s is “foo ()”, the central processing unit 2 determines that it is not a sentence that executes a system call. Run the process again.

  Hereinafter, the process according to the above-described steps will be described using the control flow graph shown in FIG. 5 as an example. The central processing unit 2 executes the process of step 404 again. Since the sentence set S is an empty set (S = Φ) by extracting “foo ()”, the central processing unit 2 executes the process of step 402 again. That is, since the basic block node set N is N ≠ Φ, the basic block node 502 is extracted from the basic block node set N and stored in the basic block node n. As a result, the basic block node set N is only the basic block node 503. Since the branch set that reaches the basic block node n (basic block node 502) is “main + m0”, the central processing unit 2 sets this as the branch set T. Furthermore, since the command statements in n are “gets ()” and “return”, they are set as a statement set S (step 403 in FIG. 4).

  Next, the central processing unit 2 determines whether or not the sentence set S in the basic block node is an empty set (S = Φ) (step 404 in FIG. 4). In this example, since the sentence set S is not an empty set (S ≠ Φ), the command sentence “gets ()” is extracted from the sentence set S and is set as a sentence s. In the sentence set S, the instruction sentence “return” remains by taking out the instruction sentence “gets ()”.

  Next, the central processing unit 2 determines whether or not the sentence s is a sentence that executes a system call (step 406 in FIG. 4). In this example, since the statement s (gets ()) is a statement that executes a system call, the branch set that reaches the statement s is “T + {s}”, that is, “main + m0, foo + n0”. (Step 407 in FIG. 4). The central processing unit 2 stores the branch set as the path information in a specific storage unit in the memory 3 and then executes the process of step 404 again.

  The central processing unit 2 repeats the above-described processing, and acquires route information of all system calls of the monitoring target program 102. When the basic block node set N is an empty set (N = Φ) in the process of step 402, that is, when route information is acquired for all system calls, the central processing unit 2 acquires the system acquired by the above process. The matching grammar 107 is generated from the call and the route information to the system call (S408 in FIG. 4). Specifically, for example, the central processing unit 2 sequentially extracts system calls from the basic block nodes of the control flow graph G and converts them into grammatical expressions according to a predetermined format. Further, the central processing unit 2 reads out the route information (branch set “T + {s}”) up to each system call from the specific storage unit and sequentially adds it to generate the matching grammar 107.

  FIG. 6 shows an example of the matching grammar generated from the monitoring target program 1101 shown in FIG. 11A when the central processing unit 2 executes the analysis program 106. In FIG. 6, a matching grammar 601 indicates that a system call “gets” is executed via branch addresses in the order of “main + m0” and “foo + n0”. This shows that the system call “exec” is executed via the branch address “main + m1”. This shows that the system call “exit” is executed via the branch address “main + m2”.

  The operation of monitoring the monitoring target program 102 will be described with reference to FIGS. FIG. 7 illustrates the operation of the monitoring program 101, and FIG. 8 illustrates the operation of the OS 103 that implements the route acquisition program 104 as an extension module. The operation described with reference to FIG. 7 is an operation realized by the central processing unit 2 loading the monitoring program 101 into the memory 3 and executing it. The operation described with reference to FIG. 8 is an operation realized by the central processing unit 2 loading and executing the OS 103 having the path acquisition program 104 as an extension module in the memory 3 and executing it.

  Here, every time a branch occurs in all or some of the programs executed by the intrusion detection device 1 including at least the monitoring target program 102 by the OS 103 and the route acquisition program 104, the central processing unit 2 branches the branch. It is assumed that the information regarding the path storage unit 105 is stored.

  By executing the monitoring program 101, the central processing unit 2 reads the matching grammar 107 from the memory 3 and stores it in the variable G (701 in FIG. 7). In this state, the system waits until information indicating a system call and route information to the system call are acquired. The start of execution of the monitoring program 101 may be instructed by a user or the like using the input unit 6, and is executed simultaneously with setting of an execution start time by a timer, starting of the intrusion detection apparatus 1 or starting of the OS 103. You may do it.

  The central processing unit 2 executes the monitoring target program 102 in response to a user execution request or a start time setting by a timer.

  When a system call is requested by the monitoring target program 102, the central processing unit 2 realizes the operation shown in FIG. 8 by executing the OS 103. First, the central processing unit 2 determines whether or not the monitoring target program 102 is being traced (step 801 in FIG. 8).

  For this determination, for example, when the monitoring target program 102 is executed, the central processing unit 2 sets a flag for notifying that the monitoring target program 102 has been executed by executing the OS 103. The central processing unit 2 determines whether or not the monitoring target program 102 is being traced by confirming this flag or the like.

  When the monitoring target program 102 is not being traced, the central processing unit 2 executes the requested system call by executing the OS 103 (step 804 in FIG. 8).

  When the monitoring target program 102 is being traced, the central processing unit 2 reads the path information to the requested system call from the path storage unit 105 by executing the OS 103, and stores the information indicating the requested system call in the variable S. The read path information is stored in the variable T (step 802 in FIG. 8). Here, the central processing unit 2 reads the branch address to the requested system call from the information regarding the plurality of branches stored in the path storage unit 105, and stores the information in the variable T as the path information.

  When the information S indicating the system call and the route information T are acquired in this way, the central processing unit 2 executes the monitoring program 101 to set the information indicating the system call to the variable S and the route information to the system call to the variable BH. (Step 702 in FIG. 7). Here, information indicating the branch address to the system call described above is stored in the BH as route information.

  Next, the central processing unit 2 determines whether or not the information S indicating the system call is “S = exit” (step 703 in FIG. 7).

  When “S = exit”, the monitoring target program 102 ends, and thus the central processing unit 2 ends the processing of the monitoring program 101.

  If it is not “S = exit”, the central processing unit 2 refers to the matching grammar G stored in the variable G, and determines whether or not the information S indicating the system call matches the system call of the matching grammar G. (Step 704 in FIG. 7).

  If the information S indicating the system call does not match the system call of the matching grammar G, the central processing unit 2 determines that the monitored program 102 may have been deprived of control by an unauthorized program, and an intrusion warning Or the monitoring target program 102 is stopped or slowed down (step 707 in FIG. 7). The intrusion warning output includes, for example, an intrusion warning display on a display, a warning sound output to a speaker, an output to a printer, and a communication device (illustrated) such as a PC (Personal Computer) or a mobile phone connected by a communication network. E-mail or voice notification to the abbreviation). The central processing unit 2 may execute all or part of the output of the intrusion warning, the suspension of the monitoring target program 102, and the slowdown of the monitoring target program 102.

  When the information S indicating the system call matches the system call of the matching grammar G, the central processing unit 2 determines whether or not the route information BH matches the route information of the matching grammar G (FIG. 7). Step 705). Here, the central processing unit 2 determines whether the path information BH, which is a branch address to the information S indicating the system call, matches the branch address corresponding to the system call of the matching grammar G determined in step 704. To determine.

  When the path information BH and the path information of the matching grammar G do not match, the central processing unit 2 determines that there is a possibility that the monitoring target program 102 has been deprived of control by an unauthorized program, and outputs an intrusion warning. Alternatively, the monitoring target program 102 is stopped or slowed down (step 707 in FIG. 7).

  When the path information BH and the path information of the matching grammar G match, the central processing unit 2 determines that the monitoring target program 102 has not received unauthorized intrusion, and issues a request to resume execution of the monitoring target program 102 ( Step 706 in FIG. For this purpose, the central processing unit 2 sets, for example, a flag indicating the above-described determination result.

  By executing the OS 103, the central processing unit 2 determines whether the requested system call and the route information to the system call match the system call of the matching grammar and the route information of the system call based on the determination result. It is determined whether or not the call can be executed (step 803 in FIG. 8). The determination result is, for example, a flag indicating a determination result established by the execution of the monitoring program 101, a flag or a signal for executing an intrusion warning output, or the stop or slowdown of the monitoring target program 102 It can be obtained by checking the presence or absence of a flag or signal for executing the above.

  If the determination result indicates that the monitoring target program 102 has determined that it has not received unauthorized intrusion, the central processing unit 2 executes the requested system call (step 804 in FIG. 8).

  When the determination result indicates that it is determined that there is a possibility that the monitoring target program 102 has been deprived of control by an unauthorized program, the central processing unit 2 executes the OS 103 shown in FIG. 8 as an example. finish.

  Even when the central processing unit 2 requests another system call by executing the monitoring target program 102, the central processing unit 2 performs the above-described processing again to match the system call with the route information to the system call. In that case, for example, the central processing unit 2 reads out the system call that should be executed next and the path information corresponding to the system call from the matching grammar 107, stores them in a specific storage unit such as the memory 3, and requests it. The matching may be performed by comparing the information indicating the system call and the route information to the system call with the system call stored in the specific storage unit and the route information to the system call.

  By operating as described above, it is possible to detect unauthorized intrusion into the intrusion detection device 1. FIG. 9 shows an example of a system call and route information to the system call acquired by the central processing unit 2 executing the OS 103. 9, information 901 is an example of information acquired by the central processing unit 2 when the monitoring target program 1101 shown in FIG. 11A is not attacked by an unauthorized program. 9 is an example of information acquired by the central processing unit 2 when the monitoring target program 1101 shown in FIG. 11A is attacked by an unauthorized program. When attacked by this malicious program, as shown in FIG. 11D, by calling “gets”, illegal data exceeding the 10-byte area length of the array “buf” 1103 is read. The case where the return address of the function “foo” is changed to indicate the address of the attack code 1105 is shown.

  When the central processing unit 2 acquires the information 901 shown as an example in FIG. 9A, the system call and route information of the matching grammar 601 shown as an example in FIG. 6 and the information 901 shown as an example in FIG. 9A. And the system call and route information match. Therefore, the central processing unit 2 determines that the monitoring target program 102 is not attacked by an unauthorized program.

  When the central processing unit 2 acquires the information 902 shown in FIG. 9B as an example, the system call and route information of the matching grammar 601 shown in FIG. 6 and the information 902 shown in FIG. 9B as an example. Does not match the system call and route information. That is, the path information to the system call “exec” is “main + m1” in the matching grammar 601 shown in FIG. 6 as an example, whereas “STACK” is shown in the information 902 as an example in FIG. 9B. + x0 ”. Also, the route information to the system call “exit” is “main + m2” in the matching grammar 601 shown in FIG. 6 as an example, whereas “STACK” is shown in the information 902 shown in FIG. 9B as an example. + x2 ”. Thus, since the route information to the system call is different, the central processing unit 2 determines that the monitoring target program 102 may be attacked by an unauthorized program. In that case, the central processing unit 2 outputs an intrusion warning and stops or slows down the monitoring target program 102.

  In this way, even if the system call matches the original program and the program after being attacked by the unauthorized program, it is possible to detect unauthorized intrusion.

  The embodiment of the present invention has been described in detail with reference to the drawings. However, the specific configuration is not limited to this embodiment, and includes design changes and the like within a scope not departing from the gist of the present invention.

  For example, in the above-described embodiment, the path information is a branch address acquired by the function of the branch trace buffer. However, the present invention is not limited to this. As an example of the path information, the program may use the page number of a page divided into a specific size, the type of memory area (code area, stack area, etc.), and the like.

  In addition, the path information is acquired by the function of the branch trace buffer, but the present invention is not limited to this. For example, the monitoring target program has a function of acquiring branch path information and storing it in a memory, etc., and executing the function before executing the branch instruction, thereby realizing the function of the path acquisition program. Also good. In this case, the acquisition of the route information is not limited to the execution of the OS. For example, the route information may be acquired by executing a monitoring program.

  In the above-described embodiment, the execution of the monitoring target program is monitored by comparison with the matching grammar. However, it is not always necessary to compare with the grammar expression. It is only necessary that the system call when the monitoring target program is not attacked by an unauthorized program and the path information to the system call are associated with each other. For example, the monitoring target program may be monitored with reference to a system call and route information, a state transition table indicating a control transition state by the system call, and the like.

It is a figure which shows an example of a structure of the intrusion detection apparatus of this embodiment. It is a figure which shows the example of the information regarding a branch in the same embodiment. In the embodiment, it is a figure which shows an example of the grammar for matching. FIG. 10 is a diagram for explaining an operation example for generating a matching grammar in the embodiment. In the embodiment, it is a figure explaining an example of a control flow graph. In the embodiment, it is a figure which shows an example of the grammar for matching. FIG. 6 is a diagram for explaining an operation example of a monitoring program in the embodiment. FIG. 6 is a diagram for explaining an operation example of an OS in the embodiment. In the embodiment, it is an example of a system call when a monitoring target program is executed and route information of the system call. It is a figure explaining the method of the conventional intrusion detection. It is a figure explaining the example which cannot detect an unauthorized intrusion in the conventional intrusion detection method.

Explanation of symbols

  1: intrusion detection device, 2: central processing unit, 3: memory, 4: HDD, 5: output unit, 6: input unit, 7: communication unit, 101: monitoring program, 102: monitoring target program, 103: OS, 104: route acquisition program, 105: route storage unit, 106: analysis program, 107: grammar for matching, 201: information on branching, 301: grammar for matching, 501: basic block node, 502: basic block node, 503: basic Block node, 601: matching grammar, 901: system call and path information to the system call, 901: system call and path information to the system call, 1001: monitoring target program, 1002: matching grammar, 1003: monitoring Program 1101: program to be monitored 1102: map Ching grammar 1103: Array “buf”, 1104: Array “PC”, 1105: Attack code

Claims (7)

An intrusion detection method in which a computer detects an unauthorized intrusion into a monitored program,
A first step of storing a system call when there is no unauthorized intrusion into the monitored program and path information to the system call in association with each other in a storage unit;
When requesting a system call by executing the monitoring target program, a second step of acquiring information indicating the system call and route information to the system call;
A third step of determining whether the information indicating the requested system call and the route information to the system call match the stored system call and the route information corresponding to the system call;
A fourth step of executing the requested system call if determined to match in the third step;
An intrusion detection method comprising:   2. The intrusion detection method according to claim 1, wherein the route information to the system call is a route in the monitoring target program or a route in a memory area of a computer executing the monitoring target program. .   The intrusion detection method according to claim 1, wherein the route information to the system call is a branch address.   4. The intrusion detection method according to claim 3, wherein the branch address is acquired by a function of the branch trace buffer. 5. The intrusion detection method according to claim 1, wherein when it is determined that they do not coincide in the third step, an intrusion warning is output to an output unit, execution of the monitoring target program is stopped, and the monitoring target program is slowed down. And a fifth step of executing at least one of them. A computer is an intrusion detection device that detects unauthorized intrusion into a monitored program,
Storage means for storing a system call when there is no unauthorized intrusion into the monitored program and path information to the system call in association with each other;
When requesting a system call by executing the monitoring target program, acquisition means for acquiring information indicating the system call and route information to the system call;
Determining means for determining whether the information indicating the requested system call and the route information to the system call match the stored system call and the route information corresponding to the system call;
An execution means for executing the requested system call when the determination means determines that they match,
An intrusion detection device comprising: An intrusion detection program that detects unauthorized intrusion into a monitored program,
Computer
A first step of storing a system call when there is no unauthorized intrusion into the monitored program and path information to the system call in association with each other in a storage unit;
When requesting a system call by executing the monitoring target program, a second step of acquiring information indicating the system call and route information to the system call;
A third step of determining whether the information indicating the requested system call and the route information to the system call match the stored system call and the route information corresponding to the system call;
A fourth step of executing the requested system call if determined to match in the third step;
An intrusion detection program that causes a computer to execute.

Images