JP5328283B2 - Information processing apparatus, program, and recording medium - Google Patents

Description

  The present invention relates to an information processing apparatus that processes information related to a result of communication executed on a network. The present invention also relates to a program for causing a computer to function as the information processing apparatus, and a recording medium on which the program is recorded.

  In recent years, damage caused by a computer virus called a bot that causes a computer infected with a computer virus to execute malicious operations has been increasing. The bot is composed of malicious code having a function of establishing a communication session with an external command server and downloading a new code, a function of receiving a command for an attack, and a function of attacking according to the command.

  It is important to specify communication (hereinafter referred to as bot communication) executed by terminals infected with bots distributed on the network. Conventionally, attention has been focused on a method of identifying communication that accesses a honeypot installed in an unallocated IP address space as bot communication that is searching for an infection destination (see, for example, Non-Patent Document 1). However, if the IP address space for the honeypot is leaked to a malicious attacker, access to the honeypot can be avoided. Also, the number of bot communications that can be specified is limited depending on the size of the IP address space.

  Therefore, a method for extracting a bot communication by monitoring a network line and detecting a specific character string included in an IRC (Internet Relay Chat) communication between the bot and the command server has been proposed (for example, non-patent literature). 2). In addition, a method for evaluating bot-likeness from an intrusion detection system (IDS) alert scenario has also been proposed (see, for example, Non-Patent Document 3). However, there is a problem in detection accuracy due to an increase in bot communication that does not involve IRC communication and an increase in bot communication that is not detected by the IDS signature.

By the way, although it is not a bot communication activity, as a method to identify P2P communication flowing over the network, focusing on the connection establishment success rate for each source IP (sender IP address), P2P A method for determining a terminal has been proposed (see, for example, Non-Patent Document 4).
Toshiaki Sudo, Satoshi Fujiwara, “Evaluation of Botnet Behavior Analysis System Using Virtual Internet”, Information, CSS2006, PP.513-518, October 2006 J. Goebel, “Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation”, In Proceeding of the HotBots '07, USENIX, April, 2007 G. Gu, P. Porras, V. Yegneswaran, M. Fong, and W. Lee, “BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlataion”, In Proceedings of the Security '07, USENIX, August 2007 Norihiro Shigemoto, Kazuya Okouchi, Masatoshi Terada, “P2P communication terminal detection method by connection analysis”, Information Processing Research Report, CSEC-42, PP.329-334, July 2008

  However, when the method described in Non-Patent Document 4 is applied to a network in which many Source IPs perform communication, the amount of memory and processing load for monitoring the connection state for each Source IP are enormous. Become. For example, in the IPv4 protocol that expresses IP addresses in 32 bits, there are about 4.3 billion IP addresses, so if a memory for monitoring the connection status is provided for each Source IP, a maximum of about 4.3 billion Memory is required, and the processing load for accessing each memory is enormous.

  The present invention has been made in view of the above-described problems, and efficiently manages the number of occurrences of a predetermined state in a process of extracting a communication result related to a predetermined state of communication executed on a network. It is an object to provide an information processing apparatus, a program, and a recording medium.

<First invention>
The present invention has been made to solve the above-described problem, and comprises a storage means for storing a communication result including an IP address related to communication executed on a network, and an IP address is configured based on the communication result. each block for each address value, appearance number acquisition for acquiring the number of occurrences of a given seen communication device infected with bots related to the communication to the IP address source or destination with the address value makes state Means for calculating for each block an entropy value indicating a degree of dispersion of the number of appearances corresponding to each address value based on the number of appearances, and selecting a block based on the entropy value of each block. Selection means for selecting an address value based on the number of appearances corresponding to each address value of the selected block; and the selected address value from the communication result Extracting means for extracting the communication result including the IP address having an information processing apparatus characterized by comprising a.

For example, in the IPv4 protocol, when a predetermined number of states are counted for each IP address, it is necessary to manage a maximum of about 4.3 billion count values with only the source IP address. On the other hand, when the number of occurrences of a predetermined state is obtained for each address value of each block constituting the IP address as in the first invention, in the IPv4 protocol, one of the source and destination IP addresses If it is only, it is only necessary to manage the count value for 256 addresses × 4 blocks, and it is only necessary to manage the count value for 256 addresses × 8 blocks for both the source and destination IP addresses. Therefore, the number of occurrences of a predetermined state can be managed efficiently.

In addition, when a device infected with a computer virus such as a bot performs abnormal communication, the amount of communication of the device increases, so that a predetermined state related to the computer virus is concentrated on a specific IP address. In such a situation, when the number of occurrences of a predetermined state is obtained for each address value of each block constituting the IP address as in the first invention, the number of occurrences of the predetermined state is specified in any block. It will be biased towards the address value. According to the first aspect, by selecting a block based on an entropy value indicating the degree of dispersion of the number of appearances, a block in which the number of appearances in a predetermined state is biased to a specific address value is an objective index. The communication result related to the communication performed by the device infected with a computer virus such as a bot can be extracted with higher accuracy.

<Second invention>
In the information processing apparatus according to the present invention, the appearance number acquisition unit acquires the number of appearances in a state where establishment of a transmission / reception relationship has failed.

<Third invention>
Further, in the information processing apparatus of the present invention, the appearance number acquisition unit is configured such that the number of appearances in a state where any one of the ports 445, 1433, and 1434 of TCP / UDP 135 to 139 is used as a destination port. It is characterized by acquiring .

<Fourth Invention>
Further, in the information processing apparatus of the present invention, the appearance number obtaining means obtains the number of appearances in a state in which a port other than 1433 and 1434 is used as a transmission destination port of TCP 1024 or more. Features.

<Fifth invention>
Further, in the information processing apparatus of the present invention, the appearance number acquisition unit requests the DNS server to resolve the name of the domain name, but there is a response that an error has occurred or an IP address corresponding to the domain name exists. It is characterized in that the number of appearances of a state that there is a response that the response is not made is acquired .

<Sixth Invention>
Further, in the information processing apparatus of the present invention, the appearance number acquisition means acquires the number of appearances in a state in which the DNS server has requested name resolution of a domain name having a country name other than a predetermined country name. And

<Seventh Invention>
In the information processing apparatus according to the present invention, the appearance number obtaining unit obtains the number of appearances in a state where a file having an extension of .exe is obtained using an HTTP GET command.

<Eighth Invention>
In the information processing apparatus according to the present invention, the appearance number acquisition unit acquires the number of appearances in a state where there is an SMTP response notifying that the user name is unknown.

In the invention of the second through eighth state occurrence number obtaining means obtains the number of occurrences, the device infected with bots are generated by communicating a unique state bot. Therefore, according to the second to eighth inventions, it is possible to extract a communication result relating to communication performed by a device infected with a bot with higher accuracy.

<Ninth Invention>
The information processing apparatus of the present invention, the number of occurrences acquiring means acquires the number of occurrences of at least two states are seen to communications device infected with bot performed for each state, the calculating means, for each state The entropy value is calculated for each state, the selecting means selects an address value for each state, and the extracting means includes an IP address having an address value selected for each state, and an IP address common between the states. A communication result is extracted.

  According to the ninth aspect, with respect to at least two types of states found in the bot, by extracting a communication result including an IP address common to the states among IP addresses having an address value selected for each state. The communication result related to the communication performed by the device infected with the bot can be extracted with higher accuracy.

<Tenth Invention>
Further, in the information processing apparatus of the present invention, the appearance number acquisition means includes a first state seen in communication performed by a device infected with a bot and a second state seen in communication performed by a command server of the bot. The number of occurrences is acquired for each state, the calculation means calculates the entropy value for each state, the selection means selects an address value for each state, and the extraction means selects for the first state A communication result including the IP address of the transmission source having the specified address value and the IP address of the transmission destination having the address value selected for the second state is extracted.

  The source IP address having an address value selected based on the number of appearances of the first state found in the communication performed by the device infected with the bot is likely to be the IP address of the device infected with the bot. On the other hand, there is a high possibility that the destination IP address having the address value selected based on the number of appearances of the second state found in the bot command server is the IP address of the command server. Therefore, according to the tenth aspect of the present invention, it is possible to extract the communication result related to the communication performed by the device infected with the bot with the command server with higher accuracy.

<Eleventh invention>
The present invention is also a program for causing a computer to function as the information processing apparatus.

<Twelfth Invention>
The present invention is a computer-readable recording medium on which the above program is recorded.

  According to the present invention, it is possible to efficiently manage the number of occurrences of a predetermined state. In addition, it is possible to extract a communication result related to communication performed by a device infected with a computer virus such as a bot with higher accuracy.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 shows the configuration of an information processing apparatus according to an embodiment of the present invention. The communication monitoring unit 10 acquires a packet transmitted on the network and extracts communication information from the packet. The communication information storage unit 11 stores the communication information extracted by the communication monitoring unit 10.

  The communication information is information necessary for grasping the relationship between the transmission side and the reception side related to execution of communication. The communication information is also information indicating the characteristics of the communication executed on the network, and abnormal communication can be detected based on the communication information. The communication information of this embodiment includes time (Start Time, End Time), communication protocol (ICMP, TCP, UDP, etc.), IP address (Source IP, Destination IP), Port number (Source Port, Destination Port), various communication It consists of the contents and a communication ID given for each communication within the device.

  The IP address will be described using an IPv4 address in the present embodiment, but the same applies to an IPv6 address. In the following, when the IPv4 address is ABCD, the block having the address value A is the first block (the most significant block), the block having the address value B is the second block, the block having the address value C is the third block, A block having the address value D is expressed as a fourth block (least significant block). Each block has an address value between 0 and 255.

  The communication analysis unit 12 analyzes communication contents based on communication information related to a communication result within a predetermined time recorded in the communication information storage unit 11, and determines whether or not a predetermined state described later has occurred. Further, the communication analysis unit 12 controls the operation of the counter 13 based on the determination result. The counter 13 is a set of counters prepared for each block (first block to fourth block) and for each address value (0 to 255). Each counter that constitutes the counter 13 counts the number of occurrences of a predetermined state related to communication using the IP address having the address value of the corresponding block as the transmission source or transmission destination.

  In the IPv4 protocol, when a predetermined number of states are counted for each IP address, it is necessary to manage a maximum of about 4.3 billion count values even with the source IP address alone. On the other hand, when the number of occurrences of a predetermined state is counted for each block and address value constituting the IP address as in this embodiment, if only one of the source and destination IP addresses is 256 addresses × 4 It is only necessary to manage the count value for the block, and it is only necessary to manage the count value for 256 addresses × 8 blocks for both the source and destination IP addresses. Therefore, the number of occurrences of a predetermined state can be managed efficiently.

  The entropy calculation unit 14 calculates an entropy value (information entropy value) indicating the degree of dispersion of the number of appearances for each block based on the number of appearances of the predetermined state counted by the counter 13. The entropy value is small when a predetermined state appears concentrated on a specific address value, and the entropy value is large when the predetermined state appears scattered and not concentrated on a specific address value. Become.

  Based on the entropy value, the address selection unit 15 selects a block in which a predetermined state appears concentrated on a specific address value, and an address value based on the number of appearances corresponding to each address value of the selected block Select. The communication information extraction unit 16 extracts communication information including the transmission source or transmission destination IP address having the selected address value from the communication information stored in the communication information storage unit 11.

  The display control unit 17 generates graphic image data for displaying the communication information extracted by the communication information extraction unit 16 and outputs the graphic image data to the display unit 18. The display unit 18 visualizes the communication information based on the graphic image data output from the display control unit 17.

  Next, seven types of states to be detected in this embodiment will be described. These seven types of states are states that can be seen in communications performed by a device infected with a bot.

  The first state is a state in which establishment of a transmission / reception relationship has failed. A device infected with a bot searches for many Destination IPs (destination IPs) in order to spread infection, but often fails to establish a transmission / reception relationship. For this reason, a characteristic pattern that the success rate of establishment of a transmission / reception relationship is low appears in communication performed by a device infected with a bot.

The first state can be detected by monitoring the presence or absence of an ICMP Reply packet for the ICMP Echo packet. The ICMP Echo packet and the ICMP Reply packet are paired, and the ICMP Reply packet is returned to the ICMP Echo packet in the normal state, but the reply rate of the ICMP Reply packet is low in the device infected with the bot. Therefore, the difference between the number of ICMP Echo packets and the number of ICMP Reply packets can be acquired as the number of occurrences of the first state. In the present embodiment, the number of appearances is acquired by the communication analysis unit 12 and the counter 13.

The first state can also be detected by monitoring the presence or absence of a TCP-SYN-ACK packet for a TCP-SYN packet. A TCP-SYN packet and a TCP-SYN-ACK packet are paired, and a TCP-SYN-ACK packet is returned to the TCP-SYN packet when it is normal. Packet reply rate is low. Therefore, the difference between the number of TCP-SYN packets and the number of TCP-SYN-ACK packets can be acquired as the number of appearances of the first state. In the present embodiment, the number of appearances is acquired by the communication analysis unit 12 and the counter 13.

The first state can also be detected by monitoring the presence or absence of an ICMP Unreachable packet indicating connection refusal. Although ICMP Unreachable packets are rarely returned during normal operation, the response rate of ICMP Unreachable packets is high in devices infected with bots. Therefore, the number of ICMP Unreachable packets can be acquired as the number of occurrences of the first state. In the present embodiment, the number of appearances is acquired by the communication analysis unit 12 and the counter 13.

The second state is a state in which any one of ports 445, 1433, and 1434 of TCP / UDP 135 to 139 is used as a destination port (destination port). When a device infected with a bot spreads infection to other devices, a characteristic pattern appears in which packets destined for the port are observed. Therefore, it is possible to acquire the number of packets in which the above Port is used as the Destination Port as the number of appearances of the second state. In the present embodiment, the number of appearances is acquired by the communication analysis unit 12 and the counter 13.

The third state is that a TCP port of 1024 or more (excluding 1433 and 1434) of TCP is used as the Destination Port (destination port). When a device infected with a bot communicates with the command server, a characteristic pattern appears in which packets directed to the port are observed. Therefore, it is possible to obtain the number of packets in which the above Port is used as the Destination Port as the number of appearances of the third state. In the present embodiment, the number of appearances is acquired by the communication analysis unit 12 and the counter 13. Since the ports 1433 and 1434 of TCP are to be detected as the second state, these ports are excluded from detection targets in the third state.

  The fourth state is a state in which the DNS server is requested to resolve the domain name, but there is a response that an error has occurred or that there is no IP address corresponding to the domain name. Since the IP address of the command server changes frequently, a device infected with a bot requests the DNS server to resolve the domain name of the command server, and obtains an IP address corresponding to the domain name from the DNS server.

However, a characteristic pattern in which search errors frequently occur when name resolution of a fully qualified domain name (FQDN) composed of an abnormal character string is requested and name resolution fails. At this time, Error is recorded in the DNS Recursive Response packet returned from the DNS server. In addition, there is a characteristic pattern that the domain name requested for name resolution no longer exists and the IP address cannot be found frequently. At this time, No such Name is recorded in the DNS Recursive Response packet returned from the DNS server. Therefore, the number of DNS Recursive Response packets in which Error is recorded and DNS Recursive Response packets in which No such Name is recorded (or both) can be acquired as the number of appearances of the fourth state. In the present embodiment, the number of appearances is acquired by the communication analysis unit 12 and the counter 13.

The fifth state is a state in which the DNS server is requested to resolve a domain name having a country name other than a predetermined country name. The command server has a global IP address and is widely distributed on the Internet. For this reason, the command server is distributed in various countries, and a characteristic pattern appears in which domain names containing various country name codes appear as domain names for which name resolution is requested from the DNS server. . Therefore, as a DNS Recursive Response packet returned from the DNS server, the number of packets in which domain names including domains other than the .jp domain are recorded can be acquired as the number of occurrences of the fifth state. In the present embodiment, the number of appearances is acquired by the communication analysis unit 12 and the counter 13.

The sixth state is a state where a file with an extension of .exe is acquired using an HTTP GET command. When a device infected with a bot obtains a new code from the command server, a characteristic pattern appears in which an HTTP GET command is used to obtain a file with the extension .exe. Normally, it is rare to use the HTTP GET command to get a file with the extension .exe. Therefore, it is possible to acquire the number of packets related to communication for acquiring a file having an extension of .exe using the HTTP GET command as the number of appearances of the sixth state. In the present embodiment, the number of appearances is acquired by the communication analysis unit 12 and the counter 13.

The seventh state is a state in which there is an SMTP Response packet notifying that the user name is unknown. When a device infected with a bot sends spam mail, a user name for receiving the spam mail is often specified at random. For this reason, a characteristic pattern appears in which many SMTP Response packets in which User Unknown indicating that the user name is unknown are returned from the mail server. Therefore, the number of SMTP Response packets in which User Unknown is recorded can be acquired as the number of occurrences of the seventh state. In the present embodiment, the number of appearances is acquired by the communication analysis unit 12 and the counter 13.

  Next, the operation of the information processing apparatus according to the present embodiment will be described. FIG. 2 shows an operation procedure of the information processing apparatus. The communication monitoring unit 10 acquires a packet to be transmitted on the network, extracts communication information from the packet, and stores it in the communication information storage unit 11 (step S100). This operation is repeatedly executed until a predetermined unit time elapses after the communication monitoring unit 10 starts monitoring the packet.

  When a predetermined unit time has elapsed since the communication monitoring unit 10 started monitoring a packet (YES in step S102), the communication analysis unit 12 is stored in the communication information storage unit 11 within the unit time. The communication information is read out, and the communication content is analyzed based on each communication information. The communication analysis unit 12 determines whether or not a predetermined state (one of the first to seventh states) as a detection target has occurred by analyzing the communication content, and sets the counter 13 based on the determination result. Control. The counter 13 counts the number of appearances of a predetermined state for each block and for each address value according to control by the communication analysis unit 12 (step S104).

  Hereinafter, a specific example of the process of step S104 will be described. As described above, the counter 13 is a set of counters prepared for each block and each address value. 3 to 5 show an example of counting by each counter included in the counter 13. In the following, the first state (the state where establishment of the transmission / reception relationship has failed) is set as the detection target.

  3 to 5, attention is paid to the IP address 192.168.0.20. The shaft 30a corresponds to the first block, the shaft 30b corresponds to the second block, the shaft 30c corresponds to the third block, and the shaft 30d corresponds to the fourth block. The upper end of each axis corresponds to the address value 000 represented by 8 bits, and the lower end of each axis corresponds to the address value 255. The counter 13a corresponds to the address value 192 of the first block. The counter 13b corresponds to the address value 168 of the second block. The counter 13c corresponds to the address value 0 of the third block. The counter 13d corresponds to the address value 20 of the fourth block.

  FIG. 3 shows the initial state of the counters 13a, 13b, 13c, and 13d. When the communication analysis unit 12 detects communication information corresponding to the ICMP Echo packet, the communication analysis unit 12 increases the count value of the counter 13 corresponding to the Source IP included in the communication information by one. For example, when communication information corresponding to an ICMP Echo packet having 192.168.0.20 as the source IP is detected, the count values of the counters 13a, 13b, 13c, and 13d are each incremented by one. FIG. 4 shows the states of the counters 13a, 13b, 13c, and 13d at this time.

  Further, when the communication analysis unit 12 detects the communication information corresponding to the ICMP Reply packet, the communication analysis unit 12 decreases the count value of the counter 13 corresponding to the Destination IP included in the communication information by one. For example, when communication information corresponding to an ICMP Reply packet having 192.168.0.20 as the Destination IP is detected, the count values of the counters 13a, 13b, 13c, and 13d are each decreased by one. When the count values of the counters 13a, 13b, 13c, and 13d are decreased by 1 from the state shown in FIG. 4, the states of the counters 13a, 13b, 13c, and 13d are returned to the state shown in FIG.

  In normal communication, the ICMP Reply packet is returned in response to the ICMP Echo packet, so the count value does not increase. However, when a device infected with the bot performs communication, the reply rate of the ICMP Reply packet decreases, and the count value increases. FIG. 5 shows a state in which the count value has increased due to a decrease in the reply rate of the ICMP Reply packet.

  In the above, one counter is prepared for each address value, but for each address value, a counter (first counter) for counting the number of ICMP Echo packets and an ICMP Reply packet A counter (second counter) for counting the number may be prepared. In this case, the number of appearances of the first state is a value obtained by subtracting the value counted by the second counter from the value counted by the first counter. On the other hand, by counting the number of occurrences of the first state with only one counter for each address value as described above, the circuit scale of the counter 13 and the management load of the count value can be suppressed. .

  When the first state is detected by monitoring the presence or absence of the TCP-SYN-ACK packet for the TCP-SYN packet, the following may be performed. That is, along with detection of communication information corresponding to the TCP-SYN packet, the count value of the counter corresponding to the Source IP included in the communication information is incremented by 1 to detect communication information corresponding to the TCP-SYN-ACK packet. Accordingly, the count value of the counter corresponding to the Destination IP included in the communication information may be decreased by 1.

  When the first state is detected by monitoring the presence / absence of an ICMP Unreachable packet, the count value of the counter corresponding to the Destination IP included in the communication information is detected along with the detection of the communication information corresponding to the ICMP Unreachable packet. Should be increased by one.

  When detecting the second state (the state that one of the ports 135 to 139 of TCP / UDP, 445, 1433, or 1434 was used as the destination port), communication information including these specific destination ports As a result of the detection, the count value of the counter corresponding to the Source IP included in the communication information may be increased by one.

  If the third state (the state where a port of TCP 1024 or more (excluding 1433 and 1434) is used as the Destination Port) is detected, it is 1024 or more (excluding 1433 and 1434). As the communication information including the Destination Port is detected, the count value of the counter corresponding to the Source IP included in the communication information may be increased by one.

  Detects the fourth state (state that DNS server requested domain name resolution but an error occurred or that there was no IP address corresponding to the domain name) In this case, when the communication information corresponding to the DNS Recursive Response packet in which Error is recorded or the DNS Recursive Response packet in which No such Name is recorded (or both) is detected, the Destination IP included in the communication information The count value of the corresponding counter may be increased by 1.

  In the case of detecting the fifth state (a state in which the DNS server has requested the name resolution of a domain name having a country name other than the predetermined country name), a domain name including a domain other than the .jp domain is recorded. As the communication information corresponding to the DNS Recursive Response packet is detected, the count value of the counter corresponding to the Destination IP included in the communication information may be increased by one.

  When detecting the 6th state (the state that the file with the extension .exe is acquired using the HTTP GET command), the file with the extension .exe is acquired using the HTTP GET command. As the communication information corresponding to the packet related to the communication is detected, the count value of the counter corresponding to the Source IP or Destination IP included in the communication information may be increased by one.

  In the case of detecting the seventh state (the state that there is an SMTP Response packet informing that the user name is unknown), along with the detection of the communication information corresponding to the SMTP Response packet in which User Unknown is recorded, The count value of the counter corresponding to the Destination IP included in the communication information may be increased by 1.

Hereinafter, the description returns to the operation of the information processing apparatus. Subsequent to step S104, the entropy calculation unit 14 calculates an entropy value for each block based on the number of occurrences of the predetermined state counted by the counter 13 (step S106). The entropy value H _i of the block i is calculated by the following equation (1).

In the above expression, P _ij indicates the appearance probability of a predetermined state at the address value j of the block i, and the value counted by the counter corresponding to the address value j of the block i It is the value divided by the sum of the counted values. If the number of occurrences of a given state is dispersed to a large number of address values and the variation increases, the entropy value increases. . When a device infected with a bot performs abnormal communication, the predetermined state focused in the present embodiment appears biased to a specific IP address, and thus the entropy value focused on the predetermined state is reduced.

  Basically, it is only necessary to pay attention to a block having a large number of occurrences of a predetermined state and perform the processing from step S108 onward. However, as in this embodiment, by selecting a block in which the number of occurrences of a predetermined state is biased to a specific address value based on an entropy value that is an objective index value, a device infected with the bot It is possible to extract a communication result related to the performed communication with higher accuracy.

  Subsequent to step S106, the address selection unit 15 sets 1 to a variable N (0 ≦ N ≦ 3) indicating the number of processes (step S108). Subsequently, the address selection unit 15 compares the entropy values of the unprocessed blocks among the entropy values of the blocks calculated by the entropy calculation unit 14, and sets the block corresponding to the minimum entropy value as the processing target block. Select (step S110). Subsequently, the address selection unit 15 compares the number of appearances of a predetermined state corresponding to each address value of the selected block (the value counted by the counter 13), and the number of appearances reaches the upper m-th place (m ≧ 1). An address value is selected (step S112).

  After selecting the address value of the block to be processed, the address selection unit 15 determines whether or not the variable N has exceeded the specified number of times (0 ≦ specified number ≦ 3) (step S114). If the variable N does not exceed the specified number of times (NO in step S114), the address selection unit 15 increments the value of the variable N by 1 and executes the process of step S110 again.

  When the variable N exceeds the specified number of times (in the case of YES in step S114), the communication information extraction unit 16 determines the address value selected in step S112 from the communication information stored in the communication information storage unit 11. Communication information including Source IP or Destination IP is extracted (Step S118). For example, when the processing of steps S110 and S112 is repeated twice for the first state and 0 is selected as the address value of the third block and 20 is selected as the address value of the fourth block, Source IP or Destination IP is Communication information xxx.xxx.0.20 is extracted. However, x is an arbitrary number from 0 to 9. Through the above processing, communication information related to communication performed by a device infected with a bot can be extracted with higher accuracy.

  The communication information extraction unit 16 outputs the extracted communication information to the display control unit 17. The display control unit 17 generates graphic image data for displaying the communication information extracted by the communication information extraction unit 16 and outputs the graphic image data to the display unit 18. The display unit 18 visualizes the communication information based on the graphic image data output from the display control unit 17 (step S120).

  FIG. 6 shows an example of an image displayed on the display unit 18 in step S120. The left side shows Source IP, and the right side shows Destination IP. The four left axes correspond to each block constituting Source IP, and the four right axes correspond to each block constituting Destination IP. The upper end of each axis corresponds to the address value 000 represented by 8 bits, and the lower end of each axis corresponds to the address value 255. The address value of each block is displayed on each axis.

  The points on each axis at the position corresponding to the address value of each block are connected by a line. For example, a point corresponding to the address value 192 of the first block of the Source IP and a point corresponding to the address value 168 of the second block are connected by a line. The same applies to the Destination IP side. In addition, the point corresponding to the address value 20 of the fourth block of the Source IP and the point corresponding to the address value 192 of the first block of the Destination IP are connected by a line, facing from left to right. There is an arrow. This direction indicates the communication direction, and the arrow makes it easy to visually understand the communication direction.

  In the fourth block of Destination IP, five address values are displayed. That is, FIG. 6 shows a state of communication performed from one source IP to five destination IPs. Such visualization makes it possible to grasp the status of communication by a device infected with a bot.

  After step S120, if there is no instruction to cancel the process (YES in step S122), the process returns to step S100 again. If there is an instruction to stop the processing (NO in step S122), a series of processing ends.

  Next, a modification of this embodiment will be described. First, a first modification will be described. The first modified example executes the processing of steps S104 to S118 in FIG. 2 for each of a plurality of states, and includes IP addresses that are common among the states among IP addresses having address values selected for each state. The communication result is extracted.

  The details of the first modification will be described below with reference to FIG. First, with respect to the state A (any one of the first to seventh states), the processing of steps S104 to S118 in FIG. 2 is executed, and three IP addresses 80.151.182.10, 192.26.48.156, and 192.168.0.20 are assigned to, for example, Source IP The communication information included in is extracted. Subsequently, the processing of steps S104 to S118 in FIG. 2 is executed for the state B (any one of the first to seventh states) different from the state A, and three of 60.0.84.57, 192.168.0.20, and 202.216.239.122 are executed. Communication information including an IP address, for example, in Source IP is extracted.

  The communication information extraction unit 16 compares the IP address included in the communication information extracted by the process related to the state A with the IP address included in the communication information extracted by the process related to the state B, and extracts a common IP address To do. In FIG. 7, the common IP address is 192.168.0.20. Therefore, finally, the communication information extraction unit 16 extracts communication information including 192.168.0.20 in Source IP, for example. A device having 192.168.0.20 as an IP address is more likely to have been infected by a bot because it is related to a plurality of states seen by the bot.

  In this way, by extracting communication information including IP addresses that are common between states from among the IP addresses specified by the processing executed for each state, the communication result related to the communication performed by the device infected with the bot is obtained. Extraction can be performed with higher accuracy. In the above, an example in which processing is performed for two types of states has been described, but similar processing may be performed for three or more types of states. As the number of states increases, a communication result related to communication performed by a device infected with the bot can be extracted with higher accuracy.

  Next, a second modification will be described. In the second modification, communication information including the IP address of a device that may be infected with the bot in Source IP and the IP address of a device that may be a command server in Destination IP is extracted. . In the second modification, the processing of steps S104 to S118 in FIG. 2 is executed for a predetermined state (any one of the first to seventh states), and an IP address having the selected address value is included in the Source IP. Communication information is extracted. A device with the same IP address as this Source IP is likely to be infected with the bot.

  Further, the processing of steps S104 to S118 of FIG. 2 is executed for the predetermined state (third state), and communication information including the IP address having the selected address value in the Destination IP is extracted. A device having the same IP address as this Destination IP is likely to be a command server. The third state (the state that a port of TCP 1024 or more (excluding 1433 and 1434) is used as the Destination Port) is also seen in the command server, so communication including the IP address of the command server When extracting information, the third state is a detection target.

  Finally, the communication information extraction unit 16 includes the same IP address as the source IP included in the communication information related to the communication performed by the device possibly infected with the bot in the source IP, and may be a command server The communication information including the same IP address as the Destination IP included in the communication information related to the communication performed by Destination IP is extracted. This communication information relates to communication performed between a device that may be infected with a bot and a device that may be a command server. In this way, by extracting communication information that includes the IP address of the device that may have been infected with the bot in the Source IP and the IP address of the device that may be the command server in the Destination IP, the bot was infected. A communication result relating to communication performed by the apparatus with the command server can be extracted with higher accuracy.

As described above, according to the present embodiment, the number of occurrences of a predetermined state can be efficiently managed by obtaining the number of occurrences of the predetermined state for each address value of each block constituting the IP address. it can. In addition, in this embodiment in which an address value is selected for each block, a communication result related to communication performed by a device infected with a computer virus such as a bot is extracted with higher accuracy by selecting a block based on an entropy value. can do.

  The state to be detected in the present embodiment is a state specific to the bot that occurs when a device infected with the bot performs communication. Therefore, according to this embodiment, it is possible to extract a communication result related to communication performed by a device infected with a bot with higher accuracy.

  Further, according to the first modified example, with respect to at least two types of states found in the bot, a communication result including an IP address common to the states is extracted from among IP addresses having address values selected for each state. As a result, the communication result related to the communication performed by the device infected with the bot can be extracted with higher accuracy.

  Further, according to the second modification, communication information including the IP address of a device that may be infected with the bot in Source IP and the IP address of a device that may be a command server in Destination IP is extracted. As a result, the communication result related to the communication performed by the device infected with the bot with the command server can be extracted with higher accuracy.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like without departing from the gist of the present invention. . For example, a program for realizing the operation and function of the information processing apparatus according to the above-described embodiment may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read and executed by the computer. Good.

  Here, the “computer” includes a homepage providing environment (or display environment) if the WWW system is used. The “computer-readable recording medium” refers to a storage device such as a portable medium such as a flexible disk, a magneto-optical disk, a ROM, and a CD-ROM, and a hard disk built in the computer. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program described above may be transmitted from a computer storing the program in a storage device or the like to another computer via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the above-described program may be for realizing a part of the above-described function. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer, what is called a difference file (difference program) may be sufficient.

It is a block diagram which shows the structure of the information processing apparatus by one Embodiment of this invention. It is a flowchart which shows the procedure of operation | movement of the information processing apparatus by one Embodiment of this invention. It is a reference figure for demonstrating operation | movement of the counter with which the information processing apparatus by one Embodiment of this invention is provided. It is a reference figure for demonstrating operation | movement of the counter with which the information processing apparatus by one Embodiment of this invention is provided. It is a reference figure for demonstrating operation | movement of the counter with which the information processing apparatus by one Embodiment of this invention is provided. It is a reference figure which shows the example of a display of the process result in one Embodiment of this invention. It is a reference figure for explaining the modification of one embodiment of the present invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 ... Communication monitoring part, 11 ... Communication information storage part (storage means), 12 ... Communication analysis part (appearance number acquisition means) , 13 ... Counter ( appearance number acquisition means), 14 ... Entropy calculation unit (calculation unit), 15 ... address selection unit (selection unit), 16 ... communication information extraction unit (extraction unit), 17 ... display control unit, 18 ... display unit

Claims (12)

Storage means for storing a communication result including an IP address related to communication executed on the network;
Based on the communication result , for each address value of each block constituting the IP address, a predetermined value found in communication performed by a device infected with a bot related to communication having an IP address having each address value as a transmission source or transmission destination Appearance number acquisition means for acquiring the number of appearances of the state of
Calculation means for calculating, for each block, an entropy value indicating a degree of dispersion of the number of appearances corresponding to each address value based on the number of appearances ;
Selecting means for selecting a block based on the entropy value of each block and selecting an address value based on the number of occurrences corresponding to each address value of the selected block ;
Extraction means for extracting a communication result including an IP address having a selected address value from the communication result;
An information processing apparatus comprising: The information processing apparatus according to claim 1, wherein the appearance number acquisition unit acquires the number of appearances in a state where establishment of a transmission / reception relationship has failed. The number-of-appearance acquisition unit acquires the number of appearances in a state in which any one of ports 445, 1433, and 1434 of TCP / UDP 135 to 139 is used as a destination port. The information processing apparatus according to 1. 2. The information according to claim 1, wherein the appearance number obtaining unit obtains the number of appearances in a state in which a port other than 1433 and 1434 is used as a transmission destination port of TCP 1024 or more. Processing equipment. The appearance number acquisition means requested the DNS server to resolve the name of the domain name, but the appearance that there was a response that an error occurred or that there was no IP address corresponding to the domain name The information processing apparatus according to claim 1, wherein a number is acquired . 2. The information processing according to claim 1, wherein the appearance number obtaining unit obtains the number of appearances in a state in which a name resolution of a domain name having a country name other than a predetermined country name is requested to a DNS server. apparatus. The information processing apparatus according to claim 1, wherein the appearance number obtaining unit obtains the number of appearances in a state where a file having an extension of .exe is obtained using an HTTP GET command. The information processing apparatus according to claim 1, wherein the appearance number acquisition unit acquires the number of appearances in a state that there is an SMTP response notifying that the user name is unknown. The number-of-appearance acquisition unit acquires the number of appearances of at least two types of states seen in communication performed by a device infected with a bot for each state,
The calculation means calculates the entropy value for each state,
The selection means selects an address value for each state,
9. The extraction unit according to claim 1, wherein the extraction unit extracts a communication result including an IP address that is common between states among IP addresses having address values selected for each state. Information processing device. The appearance number acquisition means acquires, for each state, the number of appearances of the first state seen in the communication performed by the device infected with the bot and the second state seen in the communication performed by the command server of the bot,
The calculation means calculates the entropy value for each state,
The selection means selects an address value for each state,
The extraction means extracts a communication result including a source IP address having an address value selected for the first state and a destination IP address having an address value selected for the second state. the information processing apparatus according to any one of claims 1 to 8, characterized in that.   The program for functioning a computer as an information processing apparatus in any one of Claims 1-10.   The computer-readable recording medium which recorded the program of Claim 11.

Images