JPWO2019043804A1 - Log analysis device, log analysis method and program - Google Patents

Abstract

(EN) Provided is a log analysis device which facilitates discrimination of an attack type in a cyber attack, for example, discrimination of an automatic attack or a manual attack. The log analysis device is based on extraction means for extracting information related to the type of attack from the log of communication related to the attack, information related to the type of attack, and a determination rule according to the type of attack. And a determination unit that determines the type of attack related to the log. The extraction means extracts information relating to time, information relating to the size of data, and information relating to input from a keyboard, as information relating to the type of attack.

Description

The present invention relates to a log analysis device, a log analysis method, and a computer-readable recording medium.

A cyber attack such as unauthorized access or malware infection may be performed by misusing a means for operating a computer in a remote place. Examples of means for operating a computer in a remote place include CUI (Character User Interface) methods such as Telnet (Teletype Network) and SSH (Secure Shell), RDP (Remote Desktop Protocol), and VNC (Virtual Network). A GUI (Graphical User Interface) method such as Computing) is included. When such a cyber attack is performed, the behavior pattern of the attacker is analyzed in order to clarify the purpose and attack method of the attacker.

Non-Patent Document 1 classifies the types of commands executed after server intrusion into seven groups for unauthorized access using SSH (Secure Shell) and represents the action pattern of an attacker by representing the command group transition diagram. The technique shown is disclosed.

Non-Patent Document 2 proposes a method of detecting a botnet that abuses IRC (Internet Relay Chat) by comparing it with the characteristics of a message input when a human uses an IRC message.

Further, Patent Document 1 describes an unauthorized access detection system and the like. Patent Document 2 describes a device and the like for threat detection in a data processing system.

JP, 2016-71384, A Japanese Patent Publication No. 2013-503377

D. Ramsbrock, R. Berthier, and M. Cukier, “Profiling Attacker Behavior Following SSH Compromises,” in 37th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, 2007. DSN ′07, 2007, pp. 119-124. Seiichiro Mizoguchi, “Bot Detection Method by Hierarchical Clustering Based on Mechanical Communication Behavior Model” Transactions of Information Processing Society of Japan, vol.54, no.3, pp. 1087-1098, Mar. 2013.

As an example of analysis of an attacker's behavior pattern in a cyber attack, it may be determined whether the attack procedure is automated or a manual attack. A technique for easily discriminating the type of attack is required for the above-mentioned documents.

The present invention has been made to solve the above problems, and a main object of the present invention is to provide a log analysis device that facilitates the determination of the attack type in a cyber attack.

A log analysis device according to an aspect of the present invention includes an extraction unit that extracts information related to an attack type from an attack-related communication log, information related to an attack type, and an attack type according to an attack type. Determination means for determining the type of attack related to the log based on the determination rule.

Further, the log analysis method according to an aspect of the present invention extracts information related to an attack type from a log of communication related to an attack, and extracts information related to the attack type and the attack type. The type of attack related to the log is determined based on the determination rule.

Further, the computer-readable recording medium according to an aspect of the present invention includes a process for extracting information related to the type of attack from a log of communication related to the attack to the computer, and information related to the type of attack. A program for executing the processing of determining the type of attack related to the log based on the determination rule according to the type of attack is temporarily stored.

According to the present invention, it is possible to provide a log analysis device that facilitates the determination of attack types in cyber attacks.

It is a figure which shows the log analysis apparatus in the 1st Embodiment of this invention. It is a figure which shows the example of a more detailed structure of the log analysis apparatus in the 1st Embodiment of this invention. It is a figure which shows the example of the information relevant to the type of attack extracted by the extraction part. It is a figure which shows an example of the determination rule used in a determination part. It is a figure which shows the example of the automatic operation definition used in a determination part. It is a figure which shows the example of the manual operation definition used in a determination part. It is a flow chart which shows operation of a log analysis device in a 1st embodiment of the present invention. It is a figure which shows the log analysis apparatus in the 2nd Embodiment of this invention. It is a figure which shows the example of a more detailed structure of the log analysis apparatus in the 2nd Embodiment of this invention. It is a figure which shows an example of the table which manages the file of the log of the communication stored for every type of attack. It is a flowchart which shows operation|movement of the log analysis apparatus in the 2nd Embodiment of this invention. It is a figure which shows the log analysis apparatus in the 3rd Embodiment of this invention. It is a figure which shows the example of a more detailed structure of the log analysis apparatus in the 3rd Embodiment of this invention. It is a flowchart which shows operation|movement of the log analysis apparatus in the 3rd Embodiment of this invention. It is a figure which shows the log analysis apparatus in the 4th Embodiment of this invention. It is a figure which shows the example of a more detailed structure of the log analysis apparatus in the 4th Embodiment of this invention. It is a flowchart which shows operation|movement of the log analysis apparatus in the 4th Embodiment of this invention. It is a figure showing an example of an information processor which realizes a log analysis device etc. in each embodiment of the present invention.

Embodiments of the present invention will be described with reference to the accompanying drawings. In each embodiment of the present invention, each component of each device (system) represents a block of a functional unit. Some or all of the components of each device (system) are realized by an arbitrary combination of an information processing device 1000 and a program as shown in FIG. 18, for example. The information processing apparatus 1000 includes, for example, the following configuration.

-CPU (Central Processing Unit) 1001
-ROM (Read Only Memory) 1002
・RAM (Random Access Memory) 1003
Program 1004 loaded in RAM 1003
-Storage device 1005 that stores the program 1004
-Drive device 1007 for reading and writing the recording medium 1006
-Communication interface 1008 connected to the communication network 1009
.Input/output interface 1010 for inputting/outputting data
.Bus 1011 for connecting each component
Each component of each device in each embodiment is realized by the CPU 1001 acquiring and executing a program 1004 that realizes these functions. The program 1004 that realizes the function of each component of each device is stored in the storage device 1005 or the RAM 1003 in advance, for example, and is read by the CPU 1001 as necessary. The program 1004 may be supplied to the CPU 1001 via the communication network 1009, or may be stored in the recording medium 1006 in advance and the drive device 1007 may read the program and supply it to the CPU 1001.

There are various modifications to the method of realizing each device. For example, each device may be realized by an arbitrary combination of the information processing device 1000 and the program which are different for each component. Further, a plurality of constituent elements included in each device may be realized by an arbitrary combination of one information processing device 1000 and a program.

Further, some or all of the constituent elements of each device are realized by a general-purpose or dedicated circuit including a processor or the like, or a combination thereof. These may be configured by a single chip, or may be configured by a plurality of chips connected via a bus. Some or all of the constituent elements of each device may be realized by a combination of the above-described circuits and the like and a program.

When some or all of the components of each device are realized by a plurality of information processing devices, circuits, etc., the plurality of information processing devices, circuits, etc. may be centrally arranged or distributed. Good. For example, the information processing device, the circuit, and the like may be realized as a form in which a client and server system, a cloud computing system, and the like are connected to each other via a communication network.

(First embodiment)
First, a first embodiment of the present invention will be described. FIG. 1 is a diagram showing a log analysis device 100 according to the first embodiment of the present invention.

As illustrated in FIG. 1, the log analysis device 100 according to the first embodiment of the present invention includes at least an extraction unit 110 and a determination unit 120. The extraction unit 110 extracts information related to the type of attack from the log of communication related to the attack. The determination unit 120 determines the type of attack related to the log based on the information related to the type of attack and the determination rule according to the type of attack.

2 shows an example of a more specific configuration of the log analysis device 100. In the example illustrated in FIG. 2, the log analysis device 100 includes a log acquisition unit 101, an output unit 102, and a storage unit 130, in addition to the extraction unit 110 and the determination unit 120. In this configuration, all the elements may be realized as one device, or the storage unit 130 and the other elements may be realized by separate devices connected via a communication network.

The log acquisition unit 101 acquires a communication log that is a target of attack type determination. The output unit 102 outputs the result of the attack type determined by the determination unit 120 and information related to the result. The storage unit 130 mainly stores information necessary for the determination unit 120 to determine the type of attack. In the example illustrated in FIG. 2, the storage unit 130 includes a determination rule storage unit 131, an automatic operation definition storage unit 132, and a manual operation definition storage unit 133. The determination rule storage unit 131 stores conditions for determining the type of attack. The automatic operation definition storage unit 132 stores characteristics related to an attack performed by an automatic operation. The manual operation definition storage unit 133 stores characteristics related to an attack performed by a manual operation.

Next, each component of the log analysis device 100 will be described.

The log acquisition unit 101 acquires a communication log that is a target of attack type determination. It is assumed that the log acquired by the log acquisition unit 101 is mainly a communication log related to some attack. The type of log acquired by the log acquisition unit 101 is not particularly limited, and may be a binary file such as a pcap (packet capture) file or a text file such as a proxy log. Further, the type of attack is not particularly limited, and for example, a scan attack and an attack aimed at unauthorized access are included in the assumed attacks.

The extraction unit 110 extracts information related to the type of attack from the log of communication related to the attack. The communication log is, for example, a log acquired by the log acquisition unit 101. The extraction unit 110 extracts information related to the type of attack in units of communication sessions and other predetermined periods.

When information related to the type of attack is extracted on a session-by-session basis, sessions are distinguished by the source IP (Internet Protocol) address, source port number, destination IP address, and destination port. Numbers, protocols and other information are used.

The information related to the type of attack includes, for example, information about time, information about data size, and information about input from the keyboard. The extraction unit 110 extracts these pieces of information from the log as an example. Note that the information related to the type of attack is not limited to these, and the extraction unit 110 may acquire other information as information related to the type of attack.

The information regarding the time includes, for example, the response time from the transmission source, the packet arrival interval, and the arrival time difference between a certain packet and the packet before that. Further, a statistical value such as an average or standard deviation of these may be obtained as information regarding time. The information regarding the size of the data includes, for example, the packet size received in the target session. Further, a statistical value such as an average of packet sizes or a standard deviation may be obtained as information regarding time. The information regarding the input from the keyboard includes, for example, the presence/absence of input of a specific key. However, each of the information about time, the information about the size of data, and the information about input from the keyboard may include information other than the above-mentioned information.

The extraction unit 110 sequentially refers to the logs and extracts the above-mentioned information. Further, the extraction unit 110 may use the extracted information to further calculate the above-mentioned statistical value.
When referring to the log, the extraction unit 110 appropriately refers to the log by using a unit according to the type of the log.

When the log is a pcap file, the extraction unit 110 acquires the values stored in the pcap header and the header of each protocol layer in order from the beginning of the file. The extraction unit 110 may also acquire information that is not recorded in the header, such as the size of a TCP (Transmission Control Protocol) payload and input from a keyboard. The extraction unit 110 collects the acquired values for each session, and appropriately stores them in the storage unit 130 and other elements in a format as shown in FIG. When referring to the end of the pcap file, the extraction unit 110 may further obtain other information including the average and standard deviation such as the packet arrival interval and the packet size from the information recorded for each session.

FIG. 3 shows an example of information extracted by the extraction unit 110 when information related to the type of attack is extracted for each session. In FIG. 3, “id” indicates an identification number assigned for each session. “Src_ip” indicates the IP address of the transmission source, and “src_port” indicates the port number of the transmission source. Further, “dst_ip” indicates the destination IP address, and “dst_port” indicates the destination port number. A specific address or port number may be described in each item of “src_ip”, “src_port”, “dst_ip”, and “dst_port”. “Type” indicates the type of protocol used in the session. The example shown in FIG. 3 indicates that SSH was used in the session. Further, "keyboard_input" indicates whether or not the indicated key is input. In the example shown in FIG. 3, the value for the item is ““backspace”:True”. That is, it is shown that the input of the backspace key of the keyboard is included.

The number of sessions extracted by the extraction unit 110 is not particularly limited. Further, in the example shown in FIG. 3, the number of pieces of information related to the type of attack is not limited for each unit of extraction of a session or the like. That is, in the example shown in FIG. 3, other information such as the statistical value of the response time from the transmission source and the packet size may be further included. Depending on the determination procedure of the determination unit 120 and the like, at least a part of each of the pieces of information listed in FIG. 3 may not be extracted.

The determination unit 120 determines the type of attack related to the log based on the information related to the type of attack extracted by the extraction unit 110 and the determination rule according to the type of attack. For each unit described above, the determination unit 120 determines whether the attack related to the log is an automatic attack automatically performed by a script, malware, or the like, or a manual attack in which the attacker sequentially executes the procedure. To judge.

More specifically, the determination unit 120 compares the information related to the attack type extracted by the extraction unit 110 with the determination rule according to the attack type, so that the attack related to the log is automatically detected. Determine if it is an attack or a manual attack. The procedure performed by the determination unit 120 will be further described.

FIG. 4 shows an example of the determination rule used by the determination unit 120. The determination rule is stored in advance in the determination rule storage unit 131, for example. Note that the determination unit 120 is not limited to the determination rule stored in the determination rule storage unit 131 in advance, and the determination unit 120 may make the determination using, for example, a determination rule appropriately acquired from an external server or another external device.

In the example illustrated in FIG. 4, “ID” is assigned to each determination rule and indicates identification information that identifies each determination rule. “Protocol” indicates the type of protocol targeted by each determination rule. “Attack type” indicates the type of attack targeted by each determination rule.
Then, the “rule” indicates a condition that should be satisfied in order to determine that the log that matches the item “protocol” is related to the attack type indicated in the “attack type”.

That is, the determination rule of “ID” is “R1” means that it is possible to determine that the log is a log related to an automatic attack when the conditions A1 and A2 are both satisfied for the communication log whose protocol is Telnet. Show. Similarly, the determination rule in which the “ID” is “R2” indicates that the log can be determined to be a log related to a manual attack when the condition M2 is satisfied for the communication log whose protocol is SSH.

The details of the rule shown in FIG. 4 are defined as an automatic operation definition or a manual operation definition. FIG. 5 shows an example of the automatic operation definition. FIG. 6 shows an example of manual operation definition.

Each of the automatic operation definition and the manual operation definition is stored in advance in the automatic operation definition storage unit 132 or the manual operation definition storage unit 133, for example. Note that the determination unit 120 is not limited to the determination rule stored in advance in the automatic operation definition storage unit 132 or the manual operation definition storage unit 133, and may perform determination using a determination rule appropriately acquired from an external server or the like. Good.

In the examples shown in FIGS. 5 and 6, the “identifier” is an identifier for identifying each rule. The “feature” indicates a feature related to the type of attack in the log. “Condition” indicates a condition for a feature for determining that the rule is satisfied.

In each of FIG. 5 and FIG. 6, “response_time” in the “feature” column indicates the response time from the partner specified by the source IP address. Further, "std" indicates standard deviation and "mean" indicates average. Further, in each of FIG. 5 and FIG. 6, “s” in the “condition” column indicates seconds, and “is_true” indicates that the keyboard input specified in the “feature” column exists. That is, it can be determined that the rule A1 shown in FIG. 5 is satisfied when the standard deviation of the response time from the partner specified by the source IP address is less than 5 seconds.

In addition, in the example shown in FIG. 4, one determination rule is set for each protocol. However, a plurality of determination rules may be set for each protocol. The type of protocol is not limited to Telnet or SSH, and other protocols may be used. Further, in the example shown in FIG. 4, one determination rule is set for each of the automatic attack and the manual attack. However, a plurality of determination rules may be set for each of the automatic attack and the manual attack.

Further, the number of conditions is not limited to the number shown in the drawings for each of the automatic operation definition shown in FIG. 4 and the manual operation definition shown in FIG. The condition is not limited to the response time or the input from the keyboard. For example, conditions relating to the packet size and other conditions may be included as the conditions shown in FIG. 4 or 6. By setting many judgment rules or conditions therefor, it is possible to judge against a larger number of types of attacks.

The processing when the determination unit 120 determines the attack type for the information related to the attack type extracted by the extraction unit 110 will be described with reference to the examples illustrated in FIGS. 3 to 6.

Referring to the information shown in FIG. 3 in which the “id” extracted by the extraction unit 110 is “00001”, the “type” is “SSH”. Therefore, the determination unit 120 makes a determination by acquiring a rule whose protocol is “SSH” among the determination rules shown in FIG. That is, the determination unit 120 determines whether or not the information shown in FIG. 3 satisfies the rule R2 whose protocol is “SSH” in the determination rules shown in FIG. That is, the determination unit 120 determines whether or not the rule M2 is satisfied. When the information shown in FIG. 3 satisfies the rule M2, the determination unit 120 determines that the attack related to the log from which the information is extracted is a manual attack.

Referring to FIG. 6, the rule M2 has a feature of “keyboard_input[“backspace”]” and a condition of “is_true”. That is, it is shown that the rule is satisfied when the backspace key on the keyboard is input. On the other hand, referring to FIG. 3, there is an item "keyboard_input", and the value for the item is ""backspace":True". This indicates that the input of the backspace key of the keyboard is included as described above. That is, the rule M2 is established.

Therefore, in this case, the determination unit 120 determines that the attack related to the log from which the information whose “id” is “00001” is extracted is a manual attack.

The output unit 102 outputs the result of the attack type determined by the determination unit 120 and information related to the result. The output target of the output unit 102 is not particularly limited, and may be, for example, a console displayed on any display device (not shown) or a file. The result and other information output by the output unit 102 may be all the determined results, or may be either the automatic attack or the manual attack. Further, the output unit 102 may output the unit when the information is extracted by the extraction unit 110 and other information including the extraction criterion. When the attack type is determined for each communication session, the output unit 102 outputs the determination result, the source IP address, the source port number, the destination IP address, and the destination port number. , Protocol, etc. may be output as information related to the result of the determined attack type.

Next, the operation of the log analysis device 100 according to this embodiment will be described with reference to the flowchart shown in FIG. 7. Note that this operation example assumes that the log analysis device 100 has the configuration shown in FIG.

First, the log acquisition unit 101 acquires a communication log that is a target of attack type determination (step S101). In this step, the log acquisition unit 101 may acquire a plurality of logs.

Next, the extraction unit 110 extracts information related to the type of attack from the communication log acquired in step S101 in units of a predetermined period or session (step S102). When a plurality of logs are acquired in step S101, the operation of step S102 is repeated as appropriate.

Next, the determination unit 120 determines the type of attack based on the information related to the type of attack extracted in step S102 and the determination rule according to the type of attack (step S103). In step S102, when information is extracted for a plurality of periods, sessions, etc., the process of step S103 is repeated as appropriate.

Next, the output unit 102 outputs information such as the result of the attack type determined in step S103 (step S104).

As described above, the log analysis device 100 according to the present exemplary embodiment extracts information related to the type of attack from the communication log, and relates to the log based on the information and the determination rule according to the type of attack. Determine the type of attack to be performed. In the analysis by the log analysis device 100, various information can be used as the information related to the attack type, and a plurality of determination rules corresponding to the attack type can be used.
Therefore, the log analysis device 100 can determine the type of attack with respect to the log of communication including various patterns of attacks. Therefore, the log analysis device 100 facilitates the determination of the attack type in the cyber attack.

(Second embodiment)
Next, a second embodiment of the present invention will be described. FIG. 8 is a diagram showing a log analysis device 200 according to the second embodiment of the present invention.

As shown in FIG. 8, the log analysis device 200 according to the second exemplary embodiment of the present invention includes an extraction unit 110, a determination unit 120, and a determination rule generation unit 240. The extraction unit 110 and the determination unit 120 are the same elements as the elements included in the log analysis device 100 according to the first embodiment. The determination rule generation unit 240 generates a determination rule based on the log of the communication in which the attack type is determined. That is, the log analysis device 200 differs from the log analysis device 100 in that the log analysis device 200 includes the determination rule generation unit 240.

Further, FIG. 9 shows an example of a more specific configuration of the log analysis device 200. In the example illustrated in FIG. 9, the log analysis device 200 includes a log acquisition unit 101, an output unit 102, and a storage unit 130 in addition to the extraction unit 110, the determination unit 120, and the determination rule generation unit 240. The log acquisition unit 101 and the output unit 102 are the same elements as the elements denoted by the same reference numerals in FIG. Further, in the example illustrated in FIG. 9, the storage unit 130 includes a determination rule storage unit 131, an automatic operation definition storage unit 132, a manual operation definition storage unit 133, and a communication data storage unit 234. Each of the determination rule storage unit 131, the automatic operation definition storage unit 132, and the manual operation definition storage unit 133 is the same element as the element to which the same reference numeral is attached in FIG. The communication data storage unit 234 stores a log of communication related to the attack whose attack type is determined. That is, the example illustrated in FIG. 9 differs from the specific configuration example of the log analysis device 200 illustrated in FIG. 2 in that the storage unit 130 further includes the communication data storage unit 234.

Next, each component of the log analysis device 200 will be described. Note that description of the same elements as the elements included in the log analysis device 100 described above will be appropriately omitted.

The determination rule generation unit 240 generates a determination rule based on the log of the communication in which the attack type is determined. The generated determination rule is expressed, for example, in the formats shown in FIGS. 4 to 6 described above, but is not limited to this and may be appropriately determined according to the method of generating the determination rule. The determination unit 120 determines the type of attack based on the determination rule generated by the determination rule generation unit 240, not limited to the determination rule prepared in advance.

The determination rule generation unit 240 generates a determination rule using a machine learning method, for example. In this case, the determination rule generation unit 240 generates the determination rule using a method called random forest, for example.

An example of the case where the determination rule generation unit 240 generates the determination rule by the random forest will be described. In this case, the determination rule generation unit 240 extracts information related to the above-mentioned attack type from each of the logs determined to be related to the automatic attack or the manual attack in advance. That is, the determination rule generation unit 240 extracts various information including information regarding time, information regarding the size of data, or information regarding input from the keyboard from each of these logs. The extracted information is represented as shown in FIG. 3, for example.

Then, the determination rule generation unit 240 generates a plurality of decision trees that classify the information related to the above-mentioned attack type into an automatic attack and a manual attack. The number of decision trees to be generated is not particularly limited, and may be appropriately determined according to the amount of extracted information and the like. When the determination rule is generated in this way, the determination unit 120 determines the type of attack based on the generated decision tree. That is, the determination unit 120 determines the type of attack by the majority decision of the classification result of the automatic attack or the manual attack by each of the generated decision trees.

The determination rule generation unit 240 may generate the determination rule based on a machine learning method other than the random forest. The generated determination rule is appropriately stored in each of the determination rule storage unit 131, the automatic operation definition storage unit 132, or the manual operation definition storage unit 133 of the storage unit 130. The determination unit 120 determines the type of attack by referring to the determination rule stored in each element of the storage unit 130.

The communication log used by the determination rule generation unit 240 to generate the determination rule is stored in the communication data storage unit 234 in advance, for example. The communication log stored in the communication data storage unit 234 is a log determined to be either an automatic attack or a manual attack. The communication log stored in the communication data storage unit 234 may be a log in which the type of attack is determined by the determination unit 120. By doing so, the log of the communication in which the type of attack is determined by the determination unit 120 based on the highly accurate determination rule can be used in the generation of the determination rule.

In the communication data storage unit 234, the communication log is stored as a separate file according to the type of attack. Therefore, the communication data storage unit 234 holds a table for managing files. FIG. 10 shows an example of a table for managing files. In the table as shown in FIG. 10, for each of the stored files, the attack type and the information for identifying the file are described. A file path or a hash value of the file is used as the information for identifying the file.
In the example shown in FIG. 10, the log file relating to the automatic attack is the file designated by <file path>. The log file related to the manual attack is a file specified by <hash value of file>.

The determination rule generation unit 240 may generate the determination rule using a log different from the communication log stored in the communication data storage unit 234. For example, the determination rule generation unit 240 may appropriately acquire the log of the communication related to the attack, the type of which has been determined in advance, from an external server or the like, and may create the determination rule using the acquired determination rule.

Next, with reference to the flowchart shown in FIG. 11, an operation related to the generation of the determination rule of the log analysis device 200 according to this embodiment will be described. This operation example assumes that the log analysis device 200 has the configuration shown in FIG. 9. The log analysis device 200 performs the same operation as the log analysis device 100 to extract information, determine the type of attack, and the like.

First, the determination rule generation unit 240 acquires a communication log used when generating a determination rule (step S201). The determination rule generation unit 240 acquires a communication log by appropriately referring to the communication data storage unit 234 of the storage unit 130.

Next, the determination rule generation unit 240 uses the communication log acquired in step S201 to generate a determination rule (step S202).

Next, the determination rule generation unit 240 updates the content of the storage unit 130 so that the determination rule generated in step S202 is stored in each element of the storage unit 130 (step S203).

As described above, the log analysis device 200 according to this embodiment further includes the determination rule generation unit 240 that generates the determination rule. Since the determination rule generation unit 240 is provided, the determination unit 120 can determine the type of attack using more determination rules. The determination rule generation unit 240 can also generate a determination rule using the log of the communication determined by the determination unit 120. That is, when the determination rule generation unit 240 uses a machine learning method, more data can be used as learning data. Therefore, the log analysis device 200 has the same effect as the log analysis device 100, and enables the attack type to be determined with higher accuracy.

(Third Embodiment)
Next, a third embodiment of the present invention will be described. FIG. 12 is a diagram showing a log analysis device 300 according to the third embodiment of the present invention.

As illustrated in FIG. 12, the log analysis device 300 according to the third exemplary embodiment of the present invention includes an extraction unit 110, a determination unit 120, a determination rule generation unit 240, a reception unit 350, and a first observation unit 360. Equipped with. The extraction unit 110 and the determination unit 120 are the same elements as the elements included in the log analysis device 100 according to the first embodiment. The determination rule generation unit 240 is the same element as the element included in the log analysis device 200 according to the second embodiment. The receiving unit 350 receives communication related to an attack. The first observing section 360 observes the communication received by the receiving section 350. That is, the log analysis device 300 differs from the log analysis device 200 in that the log analysis device 300 includes the reception unit 350 and the first observation unit 360.

FIG. 13 shows an example of a more specific configuration of the log analysis device 300. In the example illustrated in FIG. 13, the log analysis device 300 includes the log acquisition unit 101 and the output unit 102 in addition to the extraction unit 110, the determination unit 120, the determination rule generation unit 240, the reception unit 350, and the first observation unit 360. And a storage unit 130. The log acquisition unit 101 and the output unit 102 are the same elements as the elements denoted by the same reference numerals in FIG.

In the example illustrated in FIG. 13, the storage unit 130 includes a determination rule storage unit 131, an automatic operation definition storage unit 132, a manual operation definition storage unit 133, a communication data storage unit 234, and an observation data storage unit 335. Have. Each of the determination rule storage unit 131, the automatic operation definition storage unit 132, the manual operation definition storage unit 133, and the communication data storage unit 234 is the same element as the element with the same reference numeral in FIG. 2 or 9. The observation data storage unit 335 stores a log of communication obtained by the first observation unit 360 observing the communication of the reception unit 350.

12 and 13, the configuration including the determination rule generation unit 240 and the communication data storage unit 234 is shown. However, the log analysis device 300 does not have to include these elements. That is, the log analysis device 300 may be configured such that the log analysis device 100 according to the first embodiment further includes at least the reception unit 350 and the first observation unit 360.

Next, each component of the log analysis device 300 will be described. Note that description of the same elements as those included in the log analysis apparatus 100 or the log analysis apparatus 200 described above will be appropriately omitted.

The receiving unit 350 receives communication related to an attack. That is, the receiving unit 350 receives at least the communication transmitted from the outside in association with the attack. The communication related to the attack includes, for example, a scan attack and communication for the purpose of unauthorized access, but communication other than this may be included in the communication related to the attack. The receiving unit 350 may be able to receive other communication. The receiving unit 350 may further be configured to respond to the received communication.

The reception unit 350 is realized by Telnet, SSH, or a honeypot that emulates another protocol. Further, the receiving unit 350 may be realized by any type of computer on which Telnet, SSH, or other services operate. The receiving unit 350 may be realized by other means as long as the communication related to the attack can be received.

The first observing section 360 observes the communication received by the receiving section 350. The first observing unit 360 is realized by, for example, tcpdump, Wireshare, or the like, but is not limited to these. The first observation unit 360 records the observed communication in the above-mentioned pcap file, text file, or other type of log file.

Further, in the present embodiment, the receiving unit 350 may transmit data in response to external communication. However, the data transmitted from the receiving unit 350 is generally data that is not related to external attacks. Therefore, the first observation section 360 excludes the data transmitted from the reception section 350 and records it in the log. However, the first observation unit 360 may record the data transmitted from the reception unit 350 in the log.

In the present embodiment, the log acquisition unit 101 acquires a communication log obtained by the first observation unit 360 observing the communication of the reception unit 350. When the log analysis device 300 includes the storage unit 130, the log acquisition unit 101 may acquire the log observed by the first observation unit 360 and stored in the observation data storage unit 335. With such a configuration, when an attack is made, it is possible to quickly determine the type of attack.

Next, with reference to the flow chart shown in FIG. 14, operations of the log analysis apparatus 300 according to the present embodiment mainly regarding the receiving unit 350 and the first observing unit 360 will be described. The log analysis device 300 performs the same operation as the log analysis device 100 to extract information and determine the type of attack. If the log analysis device 300 includes the determination rule generation unit 240, the determination rule generation unit 240 generates the determination rule by the same operation as the log analysis device 200.

First, the first observation unit 360 starts observation (step S301). The observation by the first observing unit 360 is started prior to the start of the reception by the receiving unit 350 so that the observation of the communication received by the receiving unit 350 does not leak.

Next, the receiving unit 350 starts receiving communication related to the attack (step S302).

Next, the processing of the communication received by the reception unit 350 and the observation of the communication by the first observation unit 360 are performed (step S303). That is, when the receiving unit 350 receives a packet from the outside, the receiving unit 350 processes and responds to the packet as necessary. In this case, the first observation unit 360 observes the communication performed by the reception unit 350. The first observing unit 360 may perform log file rotation and other necessary processing at regular intervals depending on the traffic and other conditions.

As described above, the log analysis device 300 according to this embodiment further includes the reception unit 350 and the first observation unit 360. The reception unit 350 and the first observation unit 360 receive and observe the communication regarding the attack. The type of attack is determined for the log of the communication regarding the observed attack. Therefore, the log analysis device 300 has at least the same effect as the log analysis device 100 according to the first embodiment. In addition, the log analysis device 300 enables quick attack type determination.

(Fourth Embodiment)
Next, a fourth embodiment of the present invention will be described. FIG. 15 is a diagram showing a log analysis device 400 according to the fourth embodiment of the present invention.

As illustrated in FIG. 15, the log analysis device 400 includes an extraction unit 110, a determination unit 120, a determination rule generation unit 240, a reception unit 350, a first observation unit 360, a malware execution unit 470, and a second execution unit 470. Observing section 480 and control section 490.

The extraction unit 110 and the determination unit 120 are the same elements as the elements included in the log analysis device 100 according to the first embodiment. The determination rule generation unit 240 is the same element as the element included in the log analysis device 200 according to the second embodiment. Further, the receiving unit 350 and the first observing unit 360 are the same elements as the elements included in the log analysis device 300 according to the third embodiment.

The malware execution unit 470 executes the acquired malware. The second observation unit 480 observes communication by malware executed by the malware execution unit 470. The control unit 490 controls the operations of the malware execution unit 470 and the second observation unit 480.

16 illustrates an example of a more specific configuration of the log analysis device 400. In the example illustrated in FIG. 16, the log analysis device 400 includes a log acquisition unit 101, an output unit 102, a storage unit 130, and a malware acquisition unit 451 in addition to the above-mentioned elements. Each of the log acquisition unit 101, the output unit 102, and the storage unit 130 is the same element as the element to which the same reference numeral is attached in each of the drawings from the first to the third embodiments. The malware acquisition unit 451 acquires the malware received by the reception unit 350.

The examples shown in FIGS. 15 and 16 show a configuration including the determination rule generation unit 240 and the communication data storage unit 234. However, the log analysis device 300 does not have to include these elements.

Subsequently, each component of the log analysis device 400 will be described. Note that the description of the same elements as those described in each of the above-described embodiments will be appropriately omitted.

The malware acquisition unit 451 acquires the malware received by the reception unit 350. More specifically, the malware acquisition unit 451 detects and acquires malware from the data received by the reception unit 350.

The malware acquisition unit 451 detects malware in the same manner as, for example, general antivirus software. That is, the malware acquisition unit 451 detects and acquires malware depending on whether or not the received data matches a predefined feature. When the receiving unit 350 is configured not to actively perform communication with the outside, the malware acquisition unit 451 acquires the transmitted program, assuming that all the programs transmitted to the receiving unit 350 are malware. Good. The acquired malware may be stored in an arbitrary storage unit (not shown) together with the identifier.

The malware execution unit 470 executes, for example, the malware acquired by the malware acquisition unit 451. The malware execution unit 470 may execute malware acquired by means other than the malware acquisition unit 451.

The malware execution unit 470 is realized in a general environment for executing malware. That is, the malware execution unit 470 is realized by an emulator or a virtual machine that simulates the operation of an OS (Operating System). The means for realizing the malware execution unit 470 is not limited to these, but it is preferable that the problem caused by the operation of the malware does not spread to other components or another device. Further, since malware generally attacks the outside, the malware execution unit 470 may perform communication access control so as not to affect the outside. For example, the malware execution unit 470 may be controlled so that communication can be performed only with a specific external server. In addition, when controlling access to the outside, the malware execution unit 470 may include a dummy server corresponding to an external server.

The second observation unit 480 observes the communication by the malware executed by the malware execution unit 470. For example, the second observation unit 480 observes communication between an emulator, a virtual machine, etc. and an external server, a dummy server, etc. The second observation unit 480 is realized by, for example, a tcpdump command or the like. The second observation unit 480 records the observed communication in the above-mentioned pcap file, text file, or other type of log file. The observed result is appropriately stored in the communication data storage unit 234 together with the information for identifying the malware.

The control unit 490 controls the operations of the malware execution unit 470 and the second observation unit 480. The control unit 490 transfers the malware to the malware execution unit 470, executes or stops the malware by the malware execution unit 470, starts or stops the observation by the second observation unit 480, or performs other necessary control. The control unit 490 may control each operation of the malware acquisition unit 451.

The control unit 490 transfers the malware to the malware execution unit 470 using means such as SCP (Secure Copy), SFTP (Secure File Transfer Protocol), or a shared folder. In this case, it is preferable to perform the procedure in which security is ensured.

In addition, as an example, the control unit 490 controls so that the observation by the second observation unit 480 is generally performed only while the malware execution unit 470 executes the malware. That is, in this example, the control unit 490 controls so that the observation by the second observation unit 480 is started immediately before the execution of the malware by the malware execution unit 470 is started. Then, the control unit 490 controls to stop the observation by the second observation unit 480 immediately after the execution of the malware by the malware execution unit 470 is completed.

Malware is executed by the malware execution unit 470, and the second observation unit 480 observes the communication of the malware, whereby the communication log is obtained. The obtained communication log is a log related to automatic attacks. A new determination rule is generated by the determination rule generation unit 240 using the communication log thus obtained. Then, the determination unit 120 further determines the type of attack by using the generated determination rule. By the determination unit 120 determining the type of attack using the generated determination rule, the accuracy of analysis can be improved.

Next, with reference to the flowchart shown in FIG. 17, operations of the log analysis device 400 according to the present embodiment mainly regarding the malware acquisition unit 451, the malware execution unit 470, and the second observation unit 480 will be described.

First, the malware acquisition unit 451 acquires malware from the data received by the reception unit 350 (step S401). In step S401, the malware acquisition unit 451 may operate to acquire only the unacquired malware.

Next, the control unit 490 controls the second observation unit 480 to start observation of communication by malware (step S402). In response to the control, the second observation unit 480 starts observation of communication.

Next, the control unit 490 controls the malware execution unit 470 to execute the malware (step S403). According to the control, the malware execution unit 470 starts executing the malware.

Next, the control unit 490 controls the malware execution unit 470 to stop the execution of malware (step S404). According to the control, the malware execution unit 470 stops the execution of malware.

Next, the control unit 490 controls the second observation unit 480 to stop observation of communication by malware (step S405). According to the control, the second observation unit 480 stops observation of communication.

Finally, the control unit 490 stores the log of the communication observed by the second observation unit 480 in the communication data storage unit 234 (step S406).

As described above, the log analysis device 400 according to the present embodiment further includes a configuration for executing the acquired malware and observing communication by the malware. With such a configuration, the determination rule regarding the automatic attack is further generated based on the log of the communication by the observed malware. Then, the type of attack is determined using the generated determination rule.

Therefore, the log analysis device 400 has at least the same effect as the log analysis device 100 in the first embodiment. The log analysis device 400 also enables highly accurate determination of attack type.

The whole or part of the invention can be described as, but not limited to, the following supplementary notes.
(Appendix 1)
Extraction means for extracting information related to the type of attack from the log of communication related to the attack,
Based on information related to the type of the attack, and a determination rule according to the type of the attack, a determination unit that determines the type of the attack related to the log,
A log analysis device including.
(Appendix 2)
The log analysis device according to claim 1, wherein the determination unit determines whether the attack is an automatic attack or a manual attack.
(Appendix 3)
The determining means is an automatic attack based on whether the information related to the type of attack matches the determination rule for the automatic attack or the determination rule for the manual attack. The log analysis device according to attachment 2, which determines whether it is a manual attack or a manual attack.
(Appendix 4)
The log according to any one of appendices 1 to 3, wherein the information related to the type of attack includes one or more of information about time, information about data size, and information about input from a keyboard. Analysis equipment.
(Appendix 5)
Receiving means for receiving communications related to the attack,
First observing means for observing communication received by the receiving means,
The log analysis device according to any one of appendices 1 to 4, further comprising:
(Appendix 6)
The determination means extracts information related to the type of the attack from the log of the communication observed by the first observation means,
The log analysis device according to attachment 5.
(Appendix 7)
Determination rule generating means for generating the determination rule based on the communication log in which the type is determined,
7. The log analysis device according to any one of appendices 1 to 6, further comprising:
(Appendix 8)
Malware execution means for executing malware,
Second observing means for observing the communication by the malware executed in the malware executing means,
Control means for controlling the malware execution means and the second observation means,
The log analysis device according to appendix 7.
(Appendix 9)
The determination rule generation means generates the determination rule regarding the automatic attack based on the log of the communication observed by the second observation means,
The log analysis device according to claim 8.
(Appendix 10)
Extracting information related to the type of attack from the log of communication related to the attack,
The type of attack related to the log is determined based on information related to the type of attack and a determination rule according to the type of attack,
Log analysis method.
(Appendix 11)
On the computer,
A process of extracting information related to the type of the attack from a log of communication related to the attack,
A process of determining the type of the attack related to the log based on information related to the type of the attack and a determination rule according to the type of the attack,
A program to execute.

100 Log Analysis Device 110 Extraction Unit 120 Judgment Unit 101 Log Acquisition Unit 102 Output Unit 130 Storage Unit 131 Judgment Rule Storage Unit 132 Automatic Operation Definition Storage Unit 133 Manual Operation Definition Storage Unit 234 Communication Data Storage Unit 335 Observation Data Storage Unit 240 Determination Rule Generation unit 350 Reception unit 360 First observation unit 451 Malware acquisition unit 470 Malware execution unit 480 Second observation unit 490 Control unit

The present invention relates to a log analysis device, a log analysis method and a program .

Further, the program according to an aspect of the present invention includes a process of causing a computer to extract information related to an attack type from an attack-related communication log, information related to the attack type, and an attack type. based on the determination rule in accordance with the process of determining the type of serial-related attacks log, Ru is running.

Claims (11)

Extraction means for extracting information related to the type of attack from the log of communication related to the attack,
Based on information related to the attack and a determination rule according to the type of the attack, a determination unit that determines the type of the attack related to the log,
A log analysis device including. The log analysis device according to claim 1, wherein the determination unit determines whether the attack is an automatic attack or a manual attack. Whether the attack is the automatic attack, based on whether the information indicating the type of the attack matches the determination rule for the automatic attack or the determination rule for the manual attack. The log analysis device according to claim 2, wherein it is determined whether the log is the manual attack. 4. The information related to the type of attack includes one or more of information about time, information about data size, and information about input from a keyboard, according to any one of claims 1 to 3. Log analyzer. Receiving means for receiving communications related to the attack,
First observing means for observing communication received by the receiving means,
The log analysis apparatus according to claim 1, further comprising: The determination means extracts information related to the type of the attack from the log of the communication observed by the first observation means,
The log analysis device according to claim 5. Determination rule generating means for generating the determination rule based on the communication log in which the type is determined,
The log analysis device according to claim 1, further comprising: Malware execution means for executing malware,
Second observing means for observing the communication by the malware executed in the malware executing means,
Control means for controlling the malware execution means and the second observation means,
The log analysis device according to claim 7, further comprising: The determination rule generation means generates the determination rule regarding an automatic attack based on the log of the communication observed by the second observation means,
The log analysis device according to claim 8. Extracting information related to the type of attack from the log of communication related to the attack,
The type of attack related to the log is determined based on information related to the type of attack and a determination rule according to the type of attack,
Log analysis method. On the computer,
A process of extracting information related to the type of the attack from a log of communication related to the attack,
A process of determining the type of the attack related to the log based on information related to the type of the attack and a determination rule according to the type of the attack,
A computer-readable recording medium that non-temporarily stores a program for executing.

Images