JP2006127409A - Illicit access tracking device, method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To increase illicit access tracking performance for improving illicit access deterrence and a security property. <P>SOLUTION: This illicit access tracking system is provided with a tracking information processor and a relay device. If illicit access is detected, the relay device acquires a layer 3 transmission source address of a packet sent to an access target communication device to supply it to a tracking agent, and the tracking agent moves to the corresponding relay device based on the layer 3 transmission source address to specify a port, to which an access source communication terminal is connected finally, from contents accumulated in an information collection database part of the relay device and brings back port identification information showing the specified port to the tracking information processor. <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  The present invention relates to an unauthorized access tracking device, an unauthorized access tracking method, and an unauthorized access tracking program, and is suitable for application to, for example, specifying a computer used for unauthorized access on an IP network.

  As a conventional technique for tracking unauthorized access, there is one described in Patent Document 1 below.

  In Patent Document 1, a monitoring server records a pair of an IP address and a MAC address of an access source, and when tracking unauthorized access, an agent that receives an input of an IP address used for unauthorized access, By specifying the recorded MAC address that makes a pair, the computer of the criminal who performed unauthorized access can be specified.

Since the MAC address is unique identification information in a global range and is fixedly given to each computer in the manufacturing process, specifying the MAC address is almost equivalent to specifying the computer.
JP 2003-178024 A

  However, in the technique of Patent Document 1 described above, it is difficult to specify where the computer used for unauthorized access is located in the building, and unauthorized access can only be traced insufficiently. It can be said that there is a limit to access deterrence and security is low.

  In addition, even if a server allows only a predetermined computer assigned a specific IP address to access itself, another computer can illegally access the server by spoofing the IP address. In such a case, specifying the IP address of the access source computer by tracking does not lead to suppression of unauthorized access, and security is low.

  In order to solve this problem, according to the first aspect of the present invention, when unauthorized access via the network to an access target communication device is detected, a packet for unauthorized access (here, a protocol of layer 3) is traced. In an unauthorized access tracking system for identifying an access source communication terminal that is a transmission source of a packet (for example, corresponding to a MAC frame or the like) not only as a data unit but also as a layer 2 protocol data unit (1) predetermined A tracking information processing apparatus that collects and processes information related to the tracking, and (2) is interposed between the access source communication terminal and the access target communication apparatus, Or one or a plurality of relay devices that relay the packet in layer 3; (3) The apparatus includes an information collection database unit that stores a correspondence relationship between a layer 2 source address and a port and a correspondence relationship between a layer 3 transmission source address and a layer 2 transmission source address for the packet relayed by the device. When the unauthorized access is detected, the information processing apparatus acquires a layer 3 source address of a packet that has been delivered to the access target communication apparatus and supplies the layer 3 source address to the tracking agent. Move to the corresponding relay device based on the source address, and from the content stored in the information collection database section of the relay device, identify the port to which the access source communication terminal is finally connected, Port identification information indicating the specified port is brought back to the tracking information processing apparatus.

  Further, in the second aspect of the present invention, when unauthorized access via the network to the access target communication device is detected, unauthorized access that traces the trace and identifies the access source communication terminal that is the transmission source of the packet for unauthorized access In the tracking method, (1) the tracking information processing apparatus has an execution environment of a predetermined tracking agent, collects and processes the information related to the tracking, and (2) between the access source communication terminal and the access target communication apparatus. When one or a plurality of relay devices intervening in the network relay the packet at layer 2 and / or layer 3, (3) the relay device sends its information to the information collection database section about the packet relayed by itself. Correspondence between layer 2 source address and port, and layer 3 source address and layer 2 source address The tracking information processing apparatus acquires the layer 3 source address of the packet that has been delivered to the access target communication apparatus and supplies it to the tracking agent when the unauthorized access is detected. Then, the tracking agent moves to the corresponding relay device based on the layer 3 source address, and finally the access source communication terminal determines from the contents stored in the information collection database unit of the relay device. A connected port is specified, and port identification information indicating the specified port is brought back to the tracking information processing apparatus.

  Furthermore, in the third aspect of the present invention, when unauthorized access via the network to the access target communication device is detected, the unauthorized access that traces the trace and identifies the access source communication terminal that is the transmission source of the packet for unauthorized access In the tracking program, the computer has (1) a tracking information processing function for collecting and processing information relating to the tracking, and (2) the access source communication terminal and the access target communication. One or a plurality of relay functions for relaying the packet at layer 2 and / or layer 3 between the devices, and (3) the relay function is configured to perform layer 2 processing on the packet relayed by itself. Correspondence between source address and port, and correspondence between layer 3 source address and layer 2 source address And an information collection database function for storing the information, and when the unauthorized access is detected, the tracking information processing function acquires a layer 3 source address of a packet delivered to the access target communication function, and Based on the contents accumulated in the information collection database function of the relay function, the tracking agent finally moves to the corresponding relay function based on the layer 3 source address. A port to which the original communication terminal is connected is specified, and port identification information indicating the specified port is brought back to the tracking information processing function.

  According to the present invention, unauthorized access deterrence and security are improved by improving unauthorized access tracking performance.

(A) Embodiment Hereinafter, an embodiment will be described with reference to an example in which an unauthorized access tracking device, an unauthorized access tracking method, and an unauthorized access tracking program according to the present invention are applied to an IP network.

(A-1) Configuration of Embodiment FIG. 2 shows an example of the overall configuration of the communication system 10 according to the present embodiment. Of course, servers (not shown) such as a DNS server or a DHCP server may exist in the communication system 10.

  In FIG. 2, the communication system 10 includes networks 11 and 12.

  These networks 11 and 12 correspond to subnets (layer 3 segments) separated by the router 15.

  A web server 13 and a console 14 are arranged on the network 11, and a hub 16 and a computer 17 are arranged on the network 12. The physical transmission path of the networks 11 and 12 may be a wired transmission path or a wireless transmission path.

  The hub 16 is basically a normal switching hub (layer 2 switch), and relays packets (frames) at layer 2 (that is, the data link layer of the OSI reference model). However, the hub 16 is different from a normal switching hub in that it includes an MIB (Management Information Base) 16A and an execution environment for agents. Details of the hub 16 will be described later.

  The router 15 is basically a normal router, and relays packets at layer 3 (that is, the network layer of the OSI reference model). However, the router 15 is different from a normal router in that it includes an MIB 15A or agent execution environment. Details of the router 15 will be described later.

  The computer 17 is a communication device used by the user U1, and becomes an access source for unauthorized access. The computer 17 may have a low mobility such as a stationary personal computer, but may have a high mobility such as a notebook personal computer. In the following description, attention is paid to the packet PK1 transmitted from the computer 17 for unauthorized access and reaching the web server 13 via the hub 16 and the router 15.

  In a broad sense, the term “packet” is used as a protocol data unit (PDU) in various layers, but in a narrow sense, a “packet” is a protocol data unit (PDU) in the network layer. There are various network layer communication protocols. Here, the IP protocol is assumed, and the packet PK1 is an IP packet.

  The packet PK1 is transmitted in a frame that is a protocol data unit of the data link layer. There are various data link layer communication protocols. Here, IEEE802.3 is assumed, and the protocol data unit of the data link layer is a MAC frame. In this case, the packet PK1 is accommodated in the MAC frame and transmitted.

  Generally, the MAC header is changed and the MAC frame is changed when the router is crossed. Here, the MAC frame used on the network 12 on the right side of the router 15 in FIG. 11 is a MAC frame used on F11. In FIG. 2, F1 (PK1) indicates that the packet PK1 is accommodated in the MAC frame F1, and F2 (PK1) indicates that the packet PK1 is accommodated in the MAC frame F2. .

  That is, F1 (PK1) transmitted from the computer 17 reaches one interface of the router 15 via the hub 16, and is transmitted from the other interface of the router 15 in the form of F2 (PK1) to be the final packet PK1. To the web server 13, which is a typical destination.

  As is well known, various information is included in the header (MAC header) of the MAC frame, but in this embodiment, the source MAC address that specifies the source of the MAC frame is important. For example, in the case of the MAC frame F1, the transmission source MAC address is MA1, which is the MAC address of the computer 17.

  Similarly, various information is included in the header (IP header) of the IP packet, but in this embodiment, the source IP address that specifies the source of the IP packet is important. For example, in the case of the packet PK 1, the transmission source IP address is IA 1 that is the IP address assigned to the computer 17.

  The console 14 is a communication device for operation management and is used by the administrator M1. In this embodiment, two agents AG1 and AG2 are used to specify the port to which the computer 17 is connected. However, both agents initially exist on the console 14 and move on the communication system 10. The collected information is taken back to this console 14.

  The internal configuration of the console 14 is, for example, as shown in FIG.

(A-1-1) Internal Configuration Example of Console In FIG. 3, the console 14 includes an agent receiver 20, a router management table TB1, a hub management table TB2, and the agents AG1, AG2.

  Although it depends on the implementation, the agent receiver 20, the router management table TB1, the hub management table TB2, and the agents AG1 and AG2 are mainly software components. Therefore, these are present in the console 14 in a state where they are stored in a volatile or non-volatile storage means, and of course, an operation by a CPU (Central Processing Unit) (not shown) is necessary to perform the function.

  In particular, the agents AG1 and AG2 are mainly portable programs that are transmitted between nodes in the communication system 10 as necessary.

  The agent receptor 20 is a platform that provides an execution environment for the agents AG1 and AG2. The agent receiver 20 may be realized as a part of an OS (Operating System) (not shown) mounted on the console 14.

  The router management table TB1 is a table for managing routers in the communication system 10. A configuration example of the router management table TB1 is shown in FIG. As apparent from FIG. 4A, the router management table TB1 includes a network address and a router IP address as data items.

  The network address is an address that designates a network (subnet). In the case of IPv4, a part of the 32-bit IP address corresponds to the network address (network unit).

  The IP address of the router is an IP address set to the interface (network interface unit) of the router. Since one router has an IP address set for each interface, for example, in the case of the router 15, the IP address set for the interface on the network 11 side is IA2, and the IP address set for the interface on the network 12 side is IA3.

  Therefore, a pair of a network address and an IP address of the router (interface) is registered in each row (entry) of the router management table TB1. Here, a row is a horizontal arrangement excluding data items in the table. In the case of the router management table TB1, for example, the row LA1 of “NA1 192.168.10.1” is also one row.

  The hub management table TB2 is a table for managing hubs in the communication system 10. A configuration example of the hub management table TB2 is shown in FIG. As is apparent from FIG. 4B, the hub management table TB2 includes a network address, a hub identification number, and a hub IP address as data items.

  Among these, the network address is the same as the network address which is a data item of the router management table TB1.

  The hub identification number is identification information for uniquely identifying a hub in the communication system 10. As the hub identification number, any information can be used as long as the hub can be uniquely identified in the communication system 10. For example, a natural number starting from “1” may be assigned to each hub and used as a hub identification number.

  The hub IP address indicates an IP address for reaching the hub (control unit) of the hub. An IP address does not need to be assigned to the hub in order for the hub to relay the frame in the data link layer described above, which is the original function of the hub, but to deliver an IP packet for management to the hub It is necessary to assign an IP address to the hub. In the case of this embodiment, the IP address is required to deliver the agent AG2 to the hub control unit.

  Therefore, in each row (for example, LB1) of the hub management table TB2, a set of a network address, a hub identification number, and a hub IP address having a correspondence relationship is registered.

  When the agent AG1 of the two agents receives the IP address (the IA1 that is the transmission source IP address of the packet PK1), the MAC address corresponding to the IP address (the MA1 that is the transmission source MAC address of the MAC frame F1) )) Is a MAC address tracking agent that functions to identify.

  As shown in FIG. 3, the MAC address tracking agent AG1 includes an information input unit 21, a table search unit 22, a server migration unit 23, a MAC address search unit 24, a tracking log output unit 25, a tracking log 26, It has.

  Among these, the information input unit 21 is a part that is used for unauthorized access and receives an input of an IP address (here, IA1) collected from an access log of the web server 13 or the like. The IP address received by the information input unit 21 is recorded in the tracking log 26.

  The table search unit 22 is a part that searches the router management table TB1 for the IP address of the router 15 (IA3 that is an IP address set for the interface on the network 12 side). At the time of searching the router management table TB1, the IP address of the router (here, 15) that accommodates the computer 17 having the IP address IA1 used for unauthorized access directly (that is, without going through another router) Therefore, even when there are a plurality of routers in the communication system 10, the agent AG1 can be moved only to the router in which the specified IP address is set.

  The server moving unit 23 is a part having a function for the MAC address tracking agent AG1 to move between nodes (servers) in the communication system 10. Specifically, for example, a request is made to the OS of the console 14 via the agent receptor 20 to have the own agent AG1 sent to a corresponding node (for example, the router 15). The server moving unit 23 may be used.

  The MAC address search unit 24 is a part that searches for a MAC address in the destination node (in this case, the router 15). In this search, as will be described later, the IP address IA1 input to the information input unit 21 and recorded in the tracking log 26 is used as a search key.

  The tracking log output unit 25 is a part that outputs the contents recorded in the tracking log 26 to a user interface unit (for example, a screen display device) provided in the console 14. With this output, the administrator M1 can confirm the recorded contents of the tracking log 26.

  When the other agent AG2 receives the MAC address (MA1 which is the source MAC address of the MAC frame F1), the other agent AG2 specifies the port to which the computer having the MAC address (here, 17) is connected. A functioning port tracking agent.

  As shown in FIG. 3, the port tracking agent AG2 includes an information input unit 31, a table search unit 32, a server movement unit 33, a port search unit 34, a connection hub search unit 35, a tracking log output unit 36, And a tracking log 37.

  Among these, the information input unit 31 corresponds to the information input unit 21, the table search unit 32 corresponds to the table search unit 22, the server moving unit 33 corresponds to the server moving unit 23, and the port search unit 34 The tracking log output unit 36 corresponds to the MAC address search unit 24, the tracking log output unit 25 corresponds to the tracking log output unit 25, and the tracking log 37 corresponds to the tracking log 26. Therefore, detailed description thereof is omitted.

  However, the information input unit 31 receives an input of the MAC address MA1 brought back from the destination by the MAC address tracking agent AG1 on the console 14.

  The table search unit 32 searches the hub management table TB2. As is clear from the configuration of the hub management table TB2 shown in FIG. 4B, if the network address of the network (for example, 12) in which the hub exists is known, one or more of the networks arranged in the network are known. Since the IP address assigned to the hub is known, the port tracking agent AG2 can reach the control unit of the hub by transmitting to the IP address.

  The port search unit 34 is a part that searches for a port number at a destination node (here, the hub 16). In this search, as will be described later, the MAC address MA1 input to the information input unit 31 and recorded in the tracking log 37 is used as a search key. Since the port number is identification information for uniquely identifying each hub port, if the port number can be specified, the physical location of the computer 17 can be specified in detail.

  The connection hub search unit 35 performs a search using the port number as a search key at the destination hub, obtains the hub identification number (connection hub identification number) of the hub connected to the port, and records it in the tracking log 37. It is a part to do. In the example of FIG. 2, the communication system 10 includes only one hub, but generally includes a plurality of hubs and reaches the computer (for example, 17) used for unauthorized access from the console 14. Since a plurality of hubs may occur, the connection hub search unit 35 is necessary.

  The internal configuration of the router 15 is, for example, as shown in FIG. When the communication system 10 includes a plurality of routers, routers other than the router 15 may have the same internal configuration.

(A-1-2) Example of Internal Configuration of Router In FIG. 5A, the router 15 includes the MIB 15A, an agent receiver 40, and a router function unit 41.

  Of these, the router function unit 41 is a part having a function as a normal router, and relays packets in the network layer.

  Since the agent receptor 40 basically corresponds to the agent receptor 20, a detailed description thereof will be omitted. However, the agent receiver 40 has a role of providing an execution environment for the MAC address tracking agent AG1 when the MAC address tracking agent AG1 moves to the router 15.

  The MIB 15A is a table having the configuration shown in FIG.

  In FIG. 5B, the MIB 15A includes an IP address and a MAC address as data items.

  The IP address indicates a source IP address included in the IP header when the router 15 relays a packet (for example, PK1).

  The MAC address indicates a source MAC address included in the MAC header of a MAC frame that has been transmitted by accommodating a packet relayed by the router 15.

  Therefore, when the router 15 relays a packet (for example, PK1), the transmission source IP address included in the IP header and the packet are accommodated and transmitted to each row (for example, LC1) of the MIB 15A. A source MAC address pair (address pair) included in the MAC header of the MAC frame (for example, F1) is registered.

  The internal configuration of the hub 16 is, for example, as shown in FIG. When the communication system 10 includes a plurality of hubs, hubs other than the hub 16 may have the same internal configuration.

(A-1-3) Internal Configuration Example of Hub In FIG. 6A, the hub 16 includes the MIB 16A, a port management table 16B, an agent receiver 50, and a hub function unit 51.

  Among these, the hub function unit 51 is a part having a function as a normal switching hub, and relays the MAC frame in the data link layer.

  Since the agent receptor 50 basically corresponds to the agent receptor 20, a detailed description thereof will be omitted. However, the agent receiver 50 has a role of providing an execution environment of the port tracking agent AG2 when the port tracking agent AG2 moves to the hub 16.

  The MIB 16A is a table having the configuration shown in FIG.

  In FIG. 6B, the MIB 16A includes a MAC address and a port number as data items.

  The MAC address indicates a source MAC address included in the MAC header of a MAC frame (for example, F1) relayed by the hub 16.

  The port number is identification information for identifying a port that has received a MAC frame relayed by the hub 16.

  Therefore, in each row (for example, LD1) of the MIB 16A, when the hub 16 relays the MAC frame (for example, F1), the source MAC address included in the MAC header and the port of the port that received the MAC frame A number pair (address port pair) is registered.

  The port management table 16B is a table having the configuration shown in FIG.

  In FIG. 6C, the port management table 16B includes a port number and a connection hub identification number as data items.

  The port number indicates the port number of each port that the hub 16 has.

  The connection hub identification number indicates a hub identification number related to another hub connected to the port. A valid value is registered in this data item only when another hub (not shown) is connected to the hub 16. When a valid value is not registered, a predetermined null value (for example, 0) may be registered.

  Eventually, a pair of port number and connection hub identification number is registered in each row (for example, LE1) of the port management table 16B.

  The connection hub identification number corresponds to the hub identification number registered in the hub management table of FIG. Therefore, when another hub is connected to the hub 16, the port tracking agent AG2 brings back the connection hub identification number obtained by searching the port management table 16B to the console 14, and the connection hub identification number ( Based on the hub identification number) and the network address, the hub management table TB2 of the console 14 is searched to obtain the IP address of the hub, and the movement to the IP address (assigned hub) is repeated. Thus, it is possible to sequentially follow the hub. This finally allows the port tracking agent AG2 to reach the hub that connects the target computer (here, 17) directly to the port.

  The operation of the present embodiment having the above configuration will be described below with reference to the flowchart of FIG.

  The flowchart of FIG. 1 shows a process for tracking the port of the hub 16 to which the computer 17 is connected when the computer 17 performs unauthorized access to the web server 13. In FIG. 1, steps S1 to S3 indicate processing when the computer 17 performs unauthorized access, and S11 to S22 indicate processing for tracking the port of the hub 16 to which the computer 17 is connected. .

  FIG. 2 shows one router and one hub in the communication system 10, but generally there are a plurality of routers and a plurality of hubs in the communication system. Access to the network 13 is often performed via a plurality of routers and a plurality of hubs.

  In FIG. 2, only two ports of the hub 16 on the router 15 side and the computer 17 side are shown, but generally one hub has more than two ports, and each port has an arbitrary number. The nodes are connected. This also applies to the number of router ports.

  However, here, as shown in FIG. 2, the description will proceed mainly by taking as an example the case where the computer 17 accesses the web server 13 via one hub 16 and one router 15. Further, the router 15 and the hub 16 may include three or more ports, and nodes other than those illustrated may be connected to the ports. However, here, such nodes are mainly assumed not to exist.

(A-2) Operation of Embodiment The user U1 connects to an arbitrary port of the hub 16 existing in the communication system 10 and performs unauthorized access. The unauthorized access may be intentionally performed by the user U1 and the computer 17 is infected with a computer virus (including a worm or a Trojan horse) even if the user U1 itself is not malicious. Therefore, it may be performed automatically depending on the function of the computer virus.

  As shown in FIG. 6, the packet PK1 transmitted from the computer 17 for unauthorized access reaches the corresponding port of the hub 16 in the form of F1 (PK1) accommodated in the MAC frame F1 (S1). At this time, the hub 16 registers an address port pair in the MIB 16A, that is, a pair of the port number of the port that received the MAC frame F1 and the source MAC address MA1 of the MAC frame F1 (S2).

  The F1 (PK1) reaches the router 15 via the hub 16, and the router 15 sends the address pair to the MIB 15A, that is, the source IP address IA1 included in the IP header of the packet PK1 and the source MAC address of the MAC frame F1. A pair of MA1 is registered (S3). As an example, the value of IA1 may be “192.168.10.101”.

  The packet PK1 is relayed by the router 15 and sent to the network 11 in the form of F2 (PK1), and reaches the web server 13 as it is.

  That the access to the web server 14 by the packet PK1 is unauthorized access is detected by an unauthorized access detection system (not shown) such as IDS (intrusion detection system). At this time, IA1, which is the source IP address of the packet PK1, is collected from, for example, the access log of the web server 13 and supplied to the console 14 (S11). If a firewall is placed somewhere on the unauthorized access route, the corresponding port of the firewall is blocked almost simultaneously with this supply (for example, a packet having the IP address IA1 as the source IP address is passed). It is also possible to prevent unauthorized access from continuing by blocking the ports to be blocked.

  The supplied IP address IA1 is transferred to the MAC address tracking agent AG1 in the console 20. The MAC address tracking agent AG1 that has received the IP address IA1 by the information input unit 21 specifies a network address based on the value of the IA1, and based on the network address, the router shown in FIG. By searching the management table TB1, the IA3 that is the IP address set to the corresponding interface of the router 15 is specified (S12).

  For example, assuming that the value of IA1 is “192.168.10.101” and the subnet mask is “255.255.255.0”, the network address of the network 12 including the computer 17 is “192.168.16”. .10 ", if the smallest IP address of the host part (part for identifying the host in the subnet) is set to the router interface, the IP address of the host part is 0 Is excluded because it is nothing but a network address, and it can be specified that the IP address of the host part is 1, ie, “192.168.10.1” is the corresponding IP address IA3. This corresponds to the row LA1 in FIG.

  According to this method, even if there are any number of routers in the communication system 10, it is possible to directly specify the interface of only one router.

  Before and after step S12, the value of IA1 is recorded in the tracking log 26 of the MAC address tracking agent AG1.

  When the destination is specified in step S12, the server moving unit 23 of the MAC address tracking agent AG1 requests the OS of the console 14, for example, to address itself to the IP address “192.168.10.1”. And move to the router 15 (S13).

  Whether or not to perform this movement may be determined according to an instruction from the manager M1, but may be automatically moved even if there is no explicit instruction from the manager M1. desirable.

  When the router 15 is reached, the MAC address tracking agent AG1 is executed in the agent receiver 40 prepared in the router 15, and the value “192.168.10.1” of the IP address IA1 extracted from the tracking log 26 is obtained. When the MIB 15A is searched for as a search key and the MAC address MA1 of the computer 17 is obtained as a search result, the MAC address MA1 is recorded in the tracking log 26 (S14).

  Thereafter, the MAC address tracking agent AG1 moves to the console 14 (S15), and the tracking log output unit 25 operates to perform, for example, screen display output on the console 14, thereby allowing the administrator M1 to Informs the MAC address MA1. The process performed by the MAC address tracking agent AG1 in this movement may be the same as in step S13. This is the same for the movements in steps S17 and S20.

  Next, the MAC address MA1 is passed from the MAC address tracking agent AG1 to the port tracking agent AG2 on the console 14 in response to an instruction from the administrator M1 or automatically. The port tracking agent AG2 receives the MAC address MA1 at the information input unit 31 and records it in the tracking log 37. Further, the port tracking agent AG2 identifies the “192.168.10” which is a network address based on the IP address IA1, and uses the hub management table shown in FIG. 4B based on the network address. TB2 is searched to obtain the IP address of the destination hub (S16).

  Step S16 is basically the same as step S12, except that a hub identification number is also obtained as a search result, and whether or not there are a plurality of hubs on the network 12 is also checked by this search. Can do. However, the connection relationship between hubs cannot be checked only by searching the hub management table TB2. When there are a plurality of hubs in the network 12, the connection relationship between the hubs cannot be predicted only by the information on the console 20, so it may be determined how to move to which hub first. However, if the IP address assigned to each hub and end terminal (one of which is the computer 17) within the network 12 has a predetermined regularity, the computer 17 can be controlled to move to a hub closer to the beginning. there is a possibility.

  As a result of searching the hub management table TB2, when the IP address of the hub 16 is obtained, the port tracking agent AG2 moves to the hub 16 by being transmitted to the IP address (S17). When the movement is completed, the port tracking agent AG2 searches the MIB 16A on the hub 16 of the movement destination based on the MAC address MA1 recorded in the tracking log 37 by the table search unit 32 (S18). Then, the port management table 16B is searched by the port search unit 34 using the port number obtained by this search as a search key, and the connection hub identification number is acquired and recorded in the tracking log 37 (S19).

  Next, the port tracking agent AG2 returns to the console 14 by the same movement as in Step S13 (S21). The console 20 checks whether there is another hub beyond the hub 16 (that is, between the hub 16 and the computer 17) (S21). If it exists as a result of the inspection, step S21 branches to the YES side, and the process returns to step S16. Step S16 executed at this time may be basically the same processing as the previous time, but the hub management table TB2 based on the hub identification number (connection hub identification number) recorded in the tracking log 37 and brought back in step S19. In that the IP address of the destination hub is obtained.

  If the contents of the hub management table TB2 shown in FIG. 4B are recorded in the port tracking agent AG2 itself (for example, the tracking log 37), the port tracking agent AG2 sets the IP address of the hub to be moved next. It is efficient because it is not necessary to return to the console 14 for every check.

  On the other hand, if the result of the inspection in step S21 shows that there is no other hub beyond the hub 16, step S21 branches to the NO side, and the contents of the tracking log 37 at that time are transferred to the manager M1. In order to communicate, screen display output or the like is performed (S22). In this case, this is because the port number recorded in the tracking log 37 at step S18 this time is information specifying the port to be obtained, and the tracking is completed.

  The inspection in step S21 can be easily executed by checking whether the connection hub identification number recorded in the tracking log 37 in step S19 is zero at this time.

  In addition, when the IP address IA1 is spoofed, a plurality of MAC addresses may be obtained as a result of the search in step S14. In this case, for each MAC address, the computer The port tracking agent AG2 is moved to track the connected port, but the port can be tracked by the same processing as in FIG.

  Further, like the IP address, the MAC address itself is not necessarily spoofed. However, in this embodiment, if the port to which the computer 17 is connected is identified immediately after unauthorized access is detected, Even if it is misrepresented, the computer 17 and the user U1 can be identified effectively.

(A-3) Effects of the Embodiment According to the present embodiment, the unauthorized access tracking performance can be significantly improved as compared with the Patent Document 1.

  This embodiment is also effective when the unauthorized access computer (17) spoofs the IP address (IA1) or MAC address (MA1). It can be significantly improved.

(B) Other Embodiments Regardless of the above-described embodiments, it is natural that the target of unauthorized access need not be limited to a web server. As is well known, various servers, relay devices, client terminals, and the like can also be subject to unauthorized access.

  Regardless of FIG. 2, it is not always necessary for the console 14 to be in the same network (same subnet) as the unauthorized access target (for example, the web server 13).

  Further, regardless of the above embodiment, unauthorized access does not have to be performed via a router and a hub. There may be a case where it is performed only via a router or a case where it is performed only via a hub.

  Although the MIB is used in the above embodiment, any method may be used as long as a function equivalent to the MIB can be realized.

  Further, there is a possibility that the configuration of each table used in the above embodiment can be changed.

  For example, the hub management table in FIG. 4B can be divided into one table having a network address and a hub identification number as data items, and another table having a hub identification number and a hub IP address. .

  Furthermore, in the above-described embodiment, the functions arranged separately in the router 15 and the hub 16 may be arranged in one node. For example, the case where a layer 3 switch is used in the communication system 10 corresponds to this.

  In addition, it is possible to give one agent the functions of the two agents AG1 and AG2 in the above embodiment. In this case, as described above, if the contents of the hub management table TB2 shown in FIG. 4B are recorded in the agent itself, once the agent is transmitted from the console 14, the final port is specified. Therefore, the console 14 can be configured not to return until it is done, and the efficiency is increased.

  Furthermore, it is clear from the above description that the flowchart shown in FIG. 1 can be changed.

  Further, the present invention is naturally applicable to communication protocols other than those used in the above embodiment.

  As an example, there is a possibility that the IPX protocol or the like can be used as a communication protocol of the network layer.

  In the above description, most of the functions realized in hardware can be realized in software, and almost all the functions realized in software can be realized in hardware.

It is a flowchart which shows the operation example of the communication system concerning embodiment. 1 is a schematic diagram illustrating an example of the overall configuration of a communication system according to an embodiment. It is the schematic which shows the example of an internal structure of the console used by embodiment, and each agent. It is the schematic which shows the structural example of the table used by embodiment. It is the schematic which shows the internal structure example of MIB used with the router used in the embodiment and the router. It is the schematic which shows the internal structure example of MIB with which the hub used in embodiment and the hub are provided.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 10 ... Communication system 11, 12 ... Network (subnet), 13 ... Web server, 14 ... Console, 15 ... Router, 16 ... Hub, 17 ... Computer, 20, 40, 50 ... Agent receptor, 15A, 16A ... MIB , 16B ... Port management table, 21,31 ... Information input unit, 22,32 ... Table search unit, 23,33 ... Server moving unit, 24 ... MAC address search unit, 25, 35 ... Tracking log output unit, 26,37 ... Tracking log, 34... Port search unit, 35... Connection hub search unit, AG1... MAC address tracking agent, AG2... Port tracking agent, TB1... Router management table, TB2.

Claims (3)

In an unauthorized access tracking system for identifying an access source communication terminal that is a source of a packet for unauthorized access by tracking traces when unauthorized access via a network to an access target communication device is detected,
A tracking information processing apparatus that has an execution environment of a predetermined tracking agent and collects and processes information related to the tracking;
One or a plurality of relay devices that intervene between the access source communication terminal and the access target communication device and relay the packet in layer 2 and / or layer 3;
The relay device has an information collection database unit that accumulates the correspondence between the layer 2 source address and the port and the correspondence between the layer 3 source address and the layer 2 source address for the packet relayed by the relay device; When the unauthorized access is detected, the tracking information processing apparatus acquires a layer 3 source address of a packet that has been delivered to the access target communication apparatus and supplies the layer 3 source address to the tracking agent. Move to the corresponding relay device based on the layer 3 source address, and finally identify the port to which the access source communication terminal is connected from the contents stored in the information collection database section of the relay device And port identification information indicating the specified port is brought back to the tracking information processing apparatus. Positive access tracking system. In an unauthorized access tracking method for identifying an access source communication terminal that is a source of a packet for unauthorized access by tracking traces when unauthorized access via a network to an access target communication device is detected,
The tracking information processing apparatus has a predetermined tracking agent execution environment, collects and processes information related to the tracking,
When one or more relay devices interposed between the access source communication terminal and the access target communication device relay the packet at layer 2 and / or layer 3,
The relay device stores, in the information collection database unit, the correspondence between the layer 2 source address and the port and the correspondence between the layer 3 source address and the layer 2 source address for the packet relayed by the relay device, When the unauthorized access is detected, the tracking information processing apparatus acquires a layer 3 source address of a packet that has been delivered to the access target communication apparatus and supplies the layer 3 source address to the tracking agent. Move to the corresponding relay device based on the layer 3 source address, and finally identify the port to which the access source communication terminal is connected from the contents stored in the information collection database section of the relay device And port identification information indicating the specified port is brought back to the tracking information processing apparatus. Positive access tracking method. In an unauthorized access tracking program for identifying an access source communication terminal that is a source of a packet for unauthorized access by tracking traces when unauthorized access via a network to an access target communication device is detected,
An information processing function for tracking that has an execution environment of a predetermined tracking agent and collects and processes information related to the tracking;
Intervening between the access source communication terminal and the access target communication device, and realizing one or more relay functions for relaying the packet at layer 2 and / or layer 3,
The relay function has an information collection database function for storing the correspondence between the layer 2 source address and the port and the correspondence between the layer 3 source address and the layer 2 source address for the packet relayed by itself, When the unauthorized access is detected, the tracking information processing function acquires a layer 3 source address of a packet that has been delivered to the access target communication function and supplies it to the tracking agent. Move to the corresponding relay function based on the layer 3 source address, and finally identify the port to which the access source communication terminal is connected from the contents stored in the information collection database function of the relay function And port identification information indicating the identified port is taken back to the tracking information processing function. Unauthorized access tracking program that.

Images