US20160323304A1

Movatterモバイル変換

Info

Publication number: US20160323304A1
Application number: US15/208,905
Authority: US
Inventors: Seigo Terada; Kazuhiro Koide; Takashi Kobayashi; Keiji Michine
Original assignee: PFU Ltd
Current assignee: PFU Ltd
Priority date: 2014-01-14
Filing date: 2016-07-13
Publication date: 2016-11-03
Also published as: US20150200956A1; US9288221B2; CN105917348B; WO2015107862A1; CN104778404B; JP6097849B2; JP6014280B2; CN105934763A; US20160323305A1; CN105917348A; US10277614B2; JPWO2015107862A1; JPWO2015107861A1; WO2015107861A1; CN104778404A

Abstract

An information processing apparatus includes: a specification unit that specifies a phase of activity of terminals by comparing communication between terminals with a pattern held in advance; and a correlation analysis unit that determines whether or not a first terminal and a second terminal are carrying out activity cooperatively, by performing a correlation analysis of communication by the first terminal and communication by the second terminal, when the phase specified currently or in the past in respect of the first terminal and the phase specified currently or in the past in respect of the second terminal are the same.

Description

CROSS-REFERENCE TO RELATED APPLICATION

This application is a continuation application of International Application PCT/JP2014/084691 filed on Dec. 26, 2014, claiming the benefit of priority of the prior Japanese Patent Application No. JP2014-004055, filed on Jan. 14, 2014, and designated the U.S., the entire contents of which are incorporated herein by reference.

FIELD

The present disclosure relates to technology for managing terminals connected to a network.

BACKGROUND

In the prior art, a method has been proposed in which concern index values are assigned to flows between hosts on a network, and an alarm is issued if the accumulated concern index values exceed a threshold value (see the specifications of U.S. Pat. No. 7,475,426 and U.S. Pat. No. 7,185,368).

Furthermore, an attack method has also be reported in which, in order to delay the discovery of information leaks, exploitable information acquired from within an organization is collected in a representative infected terminal within the organization, and is then sent outside (see Information-technology Promotion Agency, Japan (IPA), “Targeted server attacks: Case studies and countermeasure reports”, [online], 20 Jan. 2012, Information-technology Promotion Agency, Japan [retrieved 19 Dec., 2014], Internet <URL:http://www.ipa.go.jp/files/000024536.pdf>). Moreover, there is also a research report which discusses introducing an agent into a terminal in an organization and acquiring and analyzing communication contents and process information, etc., to determine whether or not the terminal is participating in a botnet, and if the terminal is participating in a botnet, analyzing the role of the terminal in the botnet (see Hailong Wang, and one other, “Role-based collaborative information collection model for botnet detection”, [online], 17 May 2000, IEEE, [retrieved 19 Dec. 2014], Internet <URL:http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5 478475&isnumber=5478444>).

SUMMARY

One example of the present disclosure is an information processing apparatus, including: a comparison unit that compares a communication by a plurality of terminals with a pattern held in advance; a specification unit that specifies a phase of activity of the terminals, in accordance with a comparison result of comparison by the comparison unit; and a correlation analysis unit that determines whether or not a first terminal and a second terminal included in the plurality of terminals are carrying out activity cooperatively, by performing a correlation analysis of communication by the first terminal and communication by the second terminal, when a phase specified currently or in the past in respect of the first terminal is the same as a phase specified currently or in the past in respect of the second terminal.

The present disclosure can be understood as an information processing apparatus, a system, a method executed by a computer, or a program which is executed in a computer.

Furthermore, the present disclosure can also be understood as a recording medium on which such a program is recorded so as to be readably by a computer, or other apparatus or machine, or the like.

Here, a recording medium which is readable by a computer, or the like, is a recording medium on which information, such as data or programs, is stored by an electrical, magnetic, optical, mechanical or chemical action, and which can be read by the computer, or the like.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic drawing showing a configuration of a system relating to an embodiment;

FIG. 2 is a diagram showing a hardware configuration of a network monitoring apparatus and a management server relating to the embodiment;

FIG. 3 is a diagram showing a schematic view of the functional configuration of the network monitoring apparatus relating to the embodiment;

FIG. 4 is a diagram showing a model of malware activity transitions, which is used by a malware behavior detection engine according to the embodiment;

FIG. 5 is a flowchart showing an overview of a flow of detection processing for each packet relating to the embodiment;

FIG. 6 is a flowchart (A) showing a flow of detection processing performed by the malware behavior detection engine relating to the embodiment;

FIG. 7 is a flowchart (B) showing a flow of detection processing performed by the malware behavior detection engine relating to the embodiment;

FIG. 8 is a flowchart (C) showing a flow of detection processing performed by the malware behavior detection engine relating to the embodiment;

FIG. 9 is a diagram showing phases in an activity transition model and the transitions therebetween, which are objects of monitoring in a first correlation analysis according to the embodiment;

FIG. 10 is a diagram showing a transition to an exploration phase, which is an object of monitoring in the second correlation analysis according to the embodiment;

FIG. 11 is a diagram showing a transition to an execution file download phase, which is an object of monitoring in the second correlation analysis according to the embodiment;

FIG. 12 is a flowchart showing a flow of correlation analysis for determining a correlation between a communication relating to the attack phase and a communication relating to the execution file download phase;

FIG. 13 is a diagram showing a transition to a C&C exploration phase, which is an object of monitoring in the second correlation analysis according to the embodiment;

FIG. 14 is a diagram showing a transition to a C&C communication phase, which is an object of monitoring in the second correlation analysis according to the embodiment;

FIG. 15 is a diagram showing a transition to an attack phase, which is an object of monitoring in the second correlation analysis according to the embodiment;

FIG. 16 is a flowchart showing a flow of a third correlation analysis process performed by the malware behavior detection engine relating to the embodiment;

FIG. 17 is a flowchart showing a flow of a role estimation correlation analysis process for the infection and invasion phase relating to the embodiment;

FIG. 18 is a diagram showing an aspect of the activity of a terminal of which the role is estimated by the role estimation correlation analysis process for the infection and invasion phase according to the embodiment;

FIG. 19 is a flowchart showing a flow of a role estimation correlation analysis process for the execution file download phase relating to the embodiment;

FIG. 20 is a diagram showing an aspect of the activity of a terminal of which the role is estimated by the role estimation correlation analysis process for the execution file download phase according to the embodiment;

FIG. 21 is a flowchart showing a flow of a role estimation correlation analysis process for the C&C communication phase relating to the embodiment;

FIG. 22 is a diagram showing an aspect of the activity of a terminal of which the role is estimated by the role estimation correlation analysis process for the C&C communication phase according to the embodiment;

FIG. 23 is a flowchart showing a flow of a role estimation correlation analysis process for the exploited information upload phase relating to the embodiment;

FIG. 24 is a diagram showing an aspect of the activity of a terminal of which the role is estimated by the role estimation correlation analysis process for the exploited information upload phase according to the embodiment; and

FIG. 25 is a schematic drawing showing a variation of the configuration of a system relating to the embodiment.

DESCRIPTION OF EMBODIMENTS

Below, embodiments of the information processing apparatus and the method and program relating to the present disclosure are described below on the basis of the drawings.

However, the embodiments given below are merely examples and the information processing apparatus and the method and program relating to the present disclosure are not limited to the specific configuration given below.

In implementing the disclosure, the concrete configurations corresponding to the embodiments can be adopted, as appropriate, and various improvements and modifications can be made.

In the present embodiment, the information processing apparatus, method and program relating to the present disclosure are described on the basis of an embodiment implemented in a system in which a terminal carrying out an unauthorized activity on a network is discovered and measures such as blocking communications or issuing an alert, etc. are implemented. The information processing apparatus, method and program relating to the present disclosure can be applied widely to technology for detecting unauthorized activity on a network, and the object of application of the disclosure is not limited to the example given in the present embodiment.

FIG. 1 is a schematic drawing showing the configuration of asystem1 relating to the present embodiment. Thesystem1 relating to the present embodiment includes anetwork segment2 to which a plurality of information processing terminals90 (called “nodes90” below) are connected, and anetwork monitoring apparatus20 for monitoring communications relating to the nodes90. Furthermore, themanagement server50 is connected so as to be able to communicate with thenetwork segment2 via arouter10. In the present embodiment, thenetwork monitoring apparatus20 acquires packets, and frames, etc. sent and received by the nodes90, by connecting with a monitoring port (mirror port) of the switch or router (the router in the example shown inFIG. 1). In this case, thenetwork monitoring apparatus20 operates in a passive mode and does not transfer the acquired packets.

Themanagement server50 gathers information from thenetwork monitoring apparatus20 and manages thenetwork monitoring apparatus20. A quarantine server may also be provided in the external network, and a quarantine service may be provided to the nodes90 connected to thenetwork segment2, and a business server may also be provided and a service for business may be provided to the nodes90 (not illustrated in the drawings).

In thesystem1 relating to the present embodiment, the various servers connected from the nodes90 are connected remotely via the Internet or a wide-area network, for example, the servers are presented by an application service provider (ASP), but these servers do not necessarily have to be connected remotely. For example, the servers may also be connected to a local network in which the nodes90 and thenetwork monitoring apparatus20 are situated.

FIG. 2 is a diagram showing a hardware configuration of anetwork monitoring apparatus20 and amanagement server50 relating to the present embodiment. InFIG. 2, the configuration apart from thenetwork monitoring apparatus20 and the management server50 (namely, therouter10, nodes90, etc.) is not illustrated. Thenetwork monitoring apparatus20 and themanagement server50 are, respectively, computers including a central processing unit (CPU)11a,11b, a random access memory (RAM)13a,13b, a read only memory (ROM)12a,12b, a

storage apparatus

14a,14b, such as an electrically erasable and programmable read only memory (EEPROM) or a hard disk drive (HDD), a communication unit such as a network interface card (NIC)15a,15b, and the like.

FIG. 3 is a diagram showing a schematic view of the functional configuration of anetwork monitoring apparatus20 relating to the present embodiment. InFIG. 3, the configuration apart from the network monitoring apparatus20 (namely, therouter10, nodes90 andmanagement server50, etc.) is not illustrated. Thenetwork monitoring apparatus20 functions as an information processing apparatus including acommunication acquisition unit21, acommunication blocking unit22, anapplication detection engine23, a protocolanomaly detection engine24 and a malwarebehavior detection engine25, by means of a program recorded in thestorage apparatus14abeing read out from theRAM13aand executed in theCPU11a. Furthermore, the malwarebehavior detection engine25 includes acomparison unit251, an evaluatedvalue acquisition unit252, acorrection unit253, aspecification unit254, a holdingunit255, atotalizing unit256, adetermination unit257, acorrelation analysis unit258, and arole estimation unit259. In the present embodiment, the various functions provided in thenetwork monitoring apparatus20 are executed by theCPU11a, which is a generic processor, but all or a part of these functions may be executed by one or a plurality of special processors. Furthermore, all or a part of these functions may be executed by a remotely situated apparatus, or a plurality of apparatuses in disperse locations, by using cloud technology, or the like.

Thecommunication acquisition unit21 acquires communication sent and received by terminals connected to the network. In the present embodiment, a “terminal” which is the object of monitoring and detection by thenetwork monitoring apparatus20 includes the nodes90 which are connected to thenetwork segment2 and other apparatuses (nodes belonging to other networks, external servers, etc.) which communicate with the nodes90 via therouter10.

Thecommunication blocking unit22 blocks a communication by a terminal, if it is determined by theapplication detection engine23, the protocolanomaly detection engine24 or the malwarebehavior detection engine25 that the terminal in question is used to conduct an unauthorized activity. In the present embodiment, an example is described in which a countermeasure for blocking the communication by the terminal is applied, if it is determined that the terminal in question is used to conduct an unauthorized activity, but the method of the countermeasure adopted when it is determined that a terminal is used to conduct an unauthorized activity is not limited to blocking of the communication. Upon determining that a terminal is used to conduct an unauthorized activity, thenetwork monitoring apparatus20 may issue an alert (warning) or implement a cure (for example, removal of malware, elimination of vulnerabilities) in the terminal conducting the unauthorized activity.

Theapplication detection engine23 is an engine which detects when an application, which is used by malware and is not required for business, is carrying out communication on the network; for example, theapplication detection engine23 detects that an application not required for business is running on a node90 by detecting communication based on the known remote access Trojan (RAT), peer-to-peer (P2P) applications, the onion router (Tor), UltraSurf (Proxy tool) and anonymous proxies, etc.

The protocolanomaly detection engine24 is an engine which detects communication that does not follow protocols on the network, for example, an HTTP anomaly detection engine, an SSL/TLS anomaly detection engine or a DNS anomaly detection engine, or the like. By detecting a communication that does not follow these protocols, the protocolanomaly detection engine24 detects a node90 which is used to conduct a communication that does not observe the protocols on the network.

The malwarebehavior detection engine25 evaluates the commonality between a communication on the network, and a “communication pattern characteristic of malware”, for each phase of unauthorized activity by malware, these phases being defined in a malware activity transition model, analyzes malware behavior by monitoring the state of transitions between phases of malware activity, and thereby detects malware infection in a node90.

FIG. 4 is a diagram showing a model of malware activity transitions, which is used by the malwarebehavior detection engine25 of the present embodiment. Phase P1 to phase P8 are defined in the malware activity transition model shown in the present embodiment, but this is one example used in the present embodiment and the malware activity transition model may be modified, as appropriate, in accordance with the embodiment. Below, each phase in the malware activity transition model relating to the present embodiment will be described.

Phase P1 is an infiltration phase, in other words, a phase where infecting malicious content (malicious code, attack code, exploit code, etc.) is downloaded by utilizing a vulnerability in the OS or applications, when, for instance, a file attachment or an e-mail URL in a targeted e-mail attack is clicked, or a URL on a web site (mainly, an SNS site) is clicked, and so on. The transition destination from phase P1 is either phase P2, phase P4 or phase P8 in the case of an autonomous malware infiltration, such as a worm, and is either phase P2 or phase P4 in the case of bot-type malware.

Phase P2 is an exploration phase, in other words, a phase of exploring an infected terminal which has a vulnerability.

Phase P3 is an infection and invasion phase (diffusion phase), in other words, a phase of targeting the vulnerability to introduce an exploit code to infect the terminal, or causing an exploit code to be introduced from another terminal to infect the terminal. In the infection and invasion phase, an exploit code is introduced into the targeted terminal via an already infected terminal, and the terminal into which the exploit code has been introduced becomes infected with the malware. For example, a diffusion activity is performed by utilizing an MS-RPC or file sharing vulnerability in the Windows OS. In the case of bot-type malware, an infection activity (malware diffusion activity) is executed based on a command issued by an attacker (herder) via a command and control (C&C) server (phase P6). The transition destination from phase P3 is either phase P4 or phase P8 in the case of autonomous malware, such as a worm, and phase P4 in the case of bot-type malware. The infection and invasion phase has two aspects. One is a phase in which an infecting terminal executes an infection activity. Another aspect is a phase in which an exploit code is introduced to infect a victim (infection target) terminal.

Phase P4 is an execution file download phase, in other words, a phase in which, after introduction of the exploit code, the execution file, which is the actual malware in itself, is downloaded and activated from a malware delivery site or from an already infected terminal, or new malware is downloaded from a site designated by a command from the attacker (via a C&C server), with the object of avoiding detection of the malware by anti-virus products and/or adding new functions, and so on. The HTTP, FTP or TFTP protocol are used principally for downloading the malware in itself. Furthermore, a protocol that is unique to the malware may also be used. The transition destination from phase P4 is either phase P5 or phase P6 in the case of remote-controlled malware, such as a bot, and is generally phase P2 or phase P8 in the case of autonomous malware, such as a worm.

Phase P5 is a C&C exploration phase, in other words, a phase of exploring the C&C server in order to receive a command from an attacker. Malware which transfers to this phase is principally remote-controlled malware, such as a bot. Generally, the FQDN of a plurality of C&C servers are incorporated into malware and a DNS query is used to resolve the address. In the case of a P2P-type botnet, a P2P protocol (generic or unique protocol) is used to search for the C&C node. Malware of a type which has a hard-coded IP address is not active in this phase. The transfer destination from phase P5 is phase P6.

The phase P6 is a C&C communication phase (including Internet connection check), in other words, a phase in which data is sent and received in connection with the C&C server, in order to receive commands from the attacker and to report the command execution results (respond), and the like. There also exists malware which checks the Internet connection before connecting to the C&C server. In the connection to the C&C server, any of the IP addresses which were successfully resolved in phase P5 or any of the IP addresses which are hard-coded in the malware are used. When a command is received from the C&C server, the malware activity transfers from phase P6 to phase P2, phase P4 or phase P8, in accordance with the commands from the attacker. The execution results are reported to the attacker via the C&C server. On the other hand, if the malware fails to connect to the C&C server, then the malware retries connection with another IP address, and if this fails also, then the malware returns to phase P5 and either searches for another C&C server or stops activity. The existence of malware which repeatedly and endlessly reconnects until the connection is successful is also reported. Furthermore, if an abnormality occurs in the C&C communication path and recovery is not possible, then the malware activity transfers to phase P5. Moreover, there is also malware which performs an operation of changing the C&C server at prescribed time intervals, and in this case, the malware activity transfers to phase P5. Furthermore, phase P6 includes a phase of waiting for an instruction from the attacker. The malware periodically accesses the C&C server to maintain the communication path, and also waits for a command from the attacker. There is also malware which performs an operation of changing the C&C server at prescribed time intervals, and in this case, the malware activity transfers to phase P5.

Phase P7 is an exploit information upload phase, in other words, a phase in which information obtained by the activity of the malware, etc. is uploaded to a server, or the like, on the attacker side.

Phase P8 is an attack activity phase, in other words, a phase in which various attack activities are carried out in accordance with a command from the attacker (bot type) or the exploit code (worm type) which is incorporated into the malware. Activity corresponding to phase P1 may be carried out in order to find an attack target. Attack activities include: DoS attacks, spam mail attacks, Web attacks (Web falsification), stepping stones, etc.

The malwarebehavior detection engine25 has acomparison unit251, an evaluatedvalue acquisition unit252, acorrection unit253, aspecification unit254, a holdingunit255, atotalizing unit256, adetermination unit257, and thecorrelation analysis unit258, and a role estimation unit259 (seeFIG. 3) and hence the malwarebehavior detection engine25 monitors the transitional states between the phases of malware activity which are defined as described above, and detects a malware infection in the nodes90. Below, the respective functional units of the malwarebehavior detection engine25 will be described.

Thecomparison unit251 compares communication newly acquired by the communication acquisition unit21 (packets, which have been newly acquired and become the object of processing; hereinafter, called “input packets”), with previously held communication patterns. Peculiar communication patterns which appear as a result of various malware activities are previously defined in the held communication patterns. In the present embodiment, a plurality of communication patterns are defined in advance for each of the phases of the malware activity transition model, and are held in thenetwork monitoring apparatus20 or the management server. A communication pattern relating to phase Pn (here, n is an integer from 1 to 7) is expressed as “Pn−m” (where m is number equal to or greater than 1). It should be noted that there are also communication patterns which are not dependent on any of the phases (in other words, which may appear in a plurality of different phases). In the present embodiment, a communication pattern which is not dependent on any of the phases P1 to P8 is expressed as “P0−m”.

Even with the same communication pattern, different grades (Gr) are assigned based on the conditions. For example, if two conditions associated with a communication pattern “A: destination does not match a C&C server” and “B: destination matches one C&C server” are set, then the conditions are determined as indicated below, and different grades are assigned depending on whether or not the destination matches a registered C&C server.

IF (Pn−m=TRUE) AND (A) THEN Gr(Pn−m)=0.1, ACTION=register in C&C server candidate list

IF (Pn−m=TRUE) AND (B) THEN Gr(Pn−m)=0.6, ACTION=No

Moreover, in the present embodiment, the evaluatedvalue acquisition unit252 acquires a grade in accordance with the results of a correlation analysis between the input packet, and other packets sent or received before or after the input packet by a terminal relating to the input packet (called “preceding packets” and “subsequent packets” below). More specifically, in the present embodiment, the evaluatedvalue acquisition unit252 determines whether or not there is continuity between a phase acquired in respect of a communication (input packet) acquired by thecommunication acquisition unit21 and a phase acquired in respect of another communication (preceding packet or subsequent packet) carried out before or after the communication in question, in respect of the terminal relating to the communication in question, and acquires a grade if it is determined that there is continuity.

Thecorrection unit253 corrects the grade acquired by the evaluatedvalue acquisition unit252, in accordance with the results of a correlation analysis between the input packet and the preceding packet or subsequent packet. More specifically, in the present embodiment, thecorrection unit253 determines whether or not there is continuity between a phase acquired in respect of a communication (input packet) acquired by thecommunication acquisition unit21 and a phase acquired in respect of another communication (preceding packet or subsequent packet) carried out before or after the communication in question, in respect of the terminal relating to the communication in question, and corrects the grade acquired by the evaluatedvalue acquisition unit252 so as to be larger, if it is determined that there is continuity, compared to when it is determined that there is no continuity.

In other words, in the present embodiment, by means of the evaluatedvalue acquisition unit252 and thecorrection unit253, a correlation analysis is carried out between a newly acquired communication (input packet) and a past or future communication (preceding packet or subsequent packet) by the terminal relating to the communication in question, and if it is considered that there is “continuity of a kind which raises the extent to which the communication is inferred to be malware activity”, between the input packet and the preceding packet or subsequent packet, then the grade corresponding to the past or future communication (preceding packet or subsequent packet) is acquired, and the grade corresponding to the newly acquired communication (input packet) is corrected.

Thespecification unit254 specifies the phase and grade relating to the terminal in question, in respect of the input packet. Thespecification unit254 specifies the phase Pn which is set in advance in respect of the communication pattern Pn−m corresponding to the input packet, based on the comparison by thecomparison unit251, to be the phase relating to the terminal in question. Furthermore, thespecification unit254 may specify the grade Gr (Pn−m) acquired by the evaluatedvalue acquisition unit252, directly, as the grade for the input packet, but if the grade is corrected by thecorrection unit253, then thespecification unit254 specifies the corrected value as the grade for the input packet.

The holdingunit255 holds the maximum values of the specified grades for each phase, for each of the terminals. In the present embodiment, for each phase Pn of the malware activity transition model, the holdingunit255 holds the maximum value of the grade Gr(Pn−m) for the communication pattern Pn−m detected in respect of the phase Pn in question, as the grade for the phase Pn, and expresses same as “PGr(Pn)”. The grade for the phase Pn in the terminal (h) is expressed as “PGr(h,Pn)” and is acquired by the following equation.

PGr(h,Pn)=max {Gr(Pn−m)|Pn−mεh}

In the present embodiment, the holdingunit255 uses a grade management table holding the maximum grade value for each phase, and each terminal, to manage the grade of each phase, in each terminal (not illustrated). A grade PGr(h,Pn) for each phase Pn is held in the grade management table, for each of the terminals (h) identified by thenetwork monitoring apparatus20. As described above, the grade PGr(h,Pn) for each phase Pn is the maximum value of the grades Gr(Pn−m) for the detected communication patterns Pn−m in respect of the phase Pn in question. Therefore, when a new grade is specified in respect of any phase, the grade PGr(h,Pn) held in the grade management table is compared with the newly specified grade and updated to the maximum value. The maximum value Gr(h,Pn−m) of the grade Gr(Pn−m) for each communication pattern Pn−m is also held in thestorage apparatus14a.

The totalizingunit256 acquires the maximum values PGr(h,Pn) of the grades of the respective phases from phase P1 to phase P8, for each terminal, and totalizes these maximum values.

Thedetermination unit257 determines whether or not the terminal is carrying out unauthorized activity, based on the maximum values PGr(h,Pn) of the grades for each phase, in the terminal (h) that is the processing object. In the present embodiment, thedetermination unit257 determines whether or not the terminal is carrying out unauthorized activity on the basis of the total value obtained by the totalizingunit256. More specifically, thedetermination unit257 applies a prescribed weighting to the total value, to calculate a “value indicating the degree of possibility of activity by malware” (called “possibility of malware activity” below), and if this value exceeds a prescribed threshold value, then thedetermination unit257 determines that the terminal in question is carrying out unauthorized activity. The possibility of malware activity for the terminal (h) indicates the degree of possibility that the terminal (h) is infected by malware, and is expressed as “IR(h)”. The possibility of malware activity for the terminal (h) takes a value between 0 (no infection) to 100 (high possibility of infection). In other words, in the present embodiment, the possibility of malware activity for the terminal (h) is defined as indicated below. Here, ψ indicates the malware activity coefficient.

IR(h)=min((φΣ_n=1⁸PGr(h,Pn)),1)×100

In general, a terminal in which communication patterns are detected in a large number of (continuous) phases in the activity transition model can be determined as having a higher possibility of being infected with malware, than a terminal in which communication patterns are detected in a small number of phases, and therefore a malware activity coefficient ψ is introduced (in the present embodiment, the coefficient is set specifically to a value of 0.5). The possibility of malware activity IR(h) described above is calculated and updated each time a communication pattern corresponding to the communication patterns relating to the terminal (h) is detected.

In the present embodiment, a terminal having a possibility of malware activity of 0 to 49 is defined as a “clean terminal”, a terminal having a possibility of malware activity of 50 to 89 is defined as a “grey terminal”, and a terminal having a possibility of malware activity of 90 to 100 is defined as a “black terminal”. The possibility of malware activity and the definition “clean”, “grey” or “black” is displayed for each terminal, as a real-time report information, on a management screen (device list screen) of an administrator terminal. Furthermore, an overview of the detected “communication patterns” and a list indicating the number of times each pattern has been detected is displayed for each terminal, as detailed information. The threshold values of the “clean”, “grey” and “black” definitions relating to the possibility of malware activity may be set by the administrator.

Thecorrelation analysis unit258 analyses the correlation between an input packet and other packets (preceding packets or subsequent packets) which are sent or received before or after the input packet by a terminal relating to the input packet. More specifically, the correlation analysis which is carried out in the present embodiment involves analyzing the presence or extent of correlation, such as continuity or commonality, etc., between two or more communications, or between two or more phases, and the result of correlation analysis is used by the evaluatedvalue acquisition unit252, thecorrection unit253, and thedetermination unit257. For example, thecorrelation analysis unit258, by carrying out correlation analysis between a first communication that is determined to be in the infiltration phase P1, and a second communication that is determined to be in an execution file download phase, by means of thespecification unit254, determines the presence or the extent of a correlation between the download of content by the first communication and the download of an execution file by the second communication. Apart from this, the specific method of the correlation analysis is described hereinafter.

Furthermore, when the phase specified currently or in the past for a first terminal in which a communication has been detected, and the phase specified currently or in the past for a second terminal, are common (the same), then thecorrelation analysis unit258 determines whether or not the first terminal and the second terminal are carrying out activity cooperatively, by performing a correlation analysis between the communication by the first terminal and the communication by the second terminal. In this, thecorrelation analysis unit258 determines whether or not the first terminal and the second terminal are carrying out activity cooperatively, by determining the presence or extent of continuity or relationship between the communication by the first terminal and the communication by the second terminal. The details of the correlation analysis between communications by different terminals is described below in “(3) Correlation analysis for role estimation)”.

Therole estimation unit259 estimates the role in the activity in the phase in question, of the first terminal or the second terminal that has been determined to be operating cooperatively by thecorrelation analysis unit258.

Next, the flow of processing executed by thesystem1 relating to the present embodiment will be described with reference to a flowchart. The specific contents of the processing and the processing sequence indicated in the flowchart described below are examples for implementing the present disclosure. The specific contents of the processing and the processing sequence may be selected, as appropriate, in accordance with the mode of implementing the present disclosure.

When thenetwork monitoring apparatus20 is connected to a new network, before starting a detection process for each packet as described below, thenetwork monitoring apparatus20 executes a network configuration analysis/learning process, as preliminary processing. More specifically, when connected to a new network, thenetwork monitoring apparatus20 acquires packets for a prescribed period of time, and by analyzing the acquired packets, analyzes the configuration of the network that is the object of monitoring, learns the information required for malware detection (a device list (device types, OS types, MAC/IP addresses, etc.), the address system of the network that is the object of monitoring, the DNS server information, mail server information proxy (HTTP/SOCKS) information, Active Directory information, etc.), and stores same in thestorage apparatus14a, or the like.

The network configuration analysis/learning process is executed by thenetwork monitoring apparatus20 continuously from the detection process described below has started. In other words, thenetwork monitoring apparatus20 compares the information obtained by analyzing the acquired packets with information learnt by the abovementioned analysis/learning process, and held in thestorage apparatus14aof thenetwork monitoring apparatus20, and if, as a result of this comparison, the newly obtained information is different from the held information, then thenetwork monitoring apparatus20 determines that the configuration in thenetwork segment2 has changed, and uses the newly obtained information to update the information held in thestorage apparatus14aof thenetwork monitoring apparatus20.

FIG. 5 is a flowchart showing an overview of the flow of detection processing for each packet relating to the present embodiment. The detection processing relating to the present embodiment is executed by thenetwork monitoring apparatus20 whenever a packet (or data comprising a plurality of packets) passing over the network is acquired.

In step S001, pre-processing for packet analysis is executed. When a new communication (input packet) is acquired by thecommunication acquisition unit21, thenetwork monitoring apparatus20 shapes and classifies the input packet, and associates the packet with a valid existing flow. Furthermore, thenetwork monitoring apparatus20 classifies the input packets and associates same with an existing flow, in terminal units, (transmission source/destination IP address (MAC address) units), and protocol units (TCP/UDP, ICMP, DNS, HTTP, HTTPS, IRC, FTP, TFTP, SOCKS, NetBIOS, etc.). Thereupon, the processing advances to step S002.

From step S002 to step S005, processing is carried out by theapplication detection engine23 and the protocolanomaly detection engine24. Thenetwork monitoring apparatus20 relating to the present embodiment uses detection engines (detection programs) of the three types described above to detect an unauthorized communication by a terminal connected to the network, but in the present embodiment, upon acquiring a packet, thenetwork monitoring apparatus20 implements detection by theapplication detection engine23 and the protocolanomaly detection engine24, and then implements detection by the malwarebehavior detection engine25. In other words, in the present embodiment, the malwarebehavior detection engine25 determines whether or not a node90 is used to conduct unauthorized activity based on communication which has not been detected as an unauthorized communication by the other detection units (theapplication detection engine23 and the protocol anomaly detection engine24). By adopting this composition, according to the present embodiment, the number of packets processed by the malwarebehavior detection engine25 is reduced, and the load created by the operation of the behavior detection engine can be reduced. However, the malwarebehavior detection engine25 may operate independently, or may operate in combination with the other detection engines. Furthermore, the processing sequence of the detection engine when the packets are acquired is not limited to the example indicated in the present embodiment.

When an unnecessary application is detected by theapplication detection engine23 or when a protocol anomaly is detected by the protocolanomaly detection engine24, the processing advances to step S012, and blocking is implemented or an alert is issued. On the other hand, if an unnecessary application or a protocol anomaly is not detected, then the processing advances to step S006. In the flow chart, the processing from step S006 to step S011 in this flowchart corresponds to the processing performed by the malwarebehavior detection engine25.

In step S006, a communication pattern judgment process is carried out. Thecomparison unit251 determines the commonality between the input packet and a previously defined communication pattern (Pn−m), by comparing the input pack and the previously defined communication pattern (Pn−m). Here, if it is determined that there is commonality between the communication pattern (Pn−m), then the phase in the activity transition model of the terminal (h) relating to the input packets is specified as the phase Pn(h). Furthermore, the evaluatedvalue acquisition unit252 acquires, as a result of the determination, the grade Gr (Pn−m) of the communication pattern determined to be matching or approximate (corresponding), to be the grade Gr(h,Pm−m) for the input packet in association with the terminal (h). Moreover, thenetwork monitoring apparatus20 registers the transmission source terminal or the destination terminal of the communication in question, in a “malware delivery server candidate list” or “C&C server candidate list”, based on the detected communication pattern. Here, a determination and evaluation is made in with respect to the communication patterns of all phases, by taking account of lost packets. In order to associate with the existing determined flow, a determination is not made with regard to an input packet which does not require an additional determination process, and only updating of the statistical information is carried out. Thereupon, the processing advances to step S007.

In step S007, a first correlation analysis is carried out. The evaluatedvalue acquisition unit252 picks up a C&C communication which cannot be detected in step S006. The evaluatedvalue acquisition unit252 picks up a communication which has triggered a transition to the exploration phase P2, the infection and invasion phase P3, the execution file download phase P4 and the attack activity phase P8, and thenetwork monitoring apparatus20 registers the transmission source terminal or the destination terminal of the communication in question, in the C&C server candidate list. The Contents of processing of the first correlation analysis are described below with reference toFIG. 6 toFIG. 8 andFIG. 9. Thereupon, the processing advances to step S008.

In step S008, a second correlation analysis is carried out. Thecorrection unit253 analyzes the correlation between the continuity of the phase which was active immediately before, and the behavior of another (infected) terminal, in respect of the activity phase Pn(h) of the terminal (h) determined in step S006. If, as a result of this analysis, a communication pattern having a high risk of malware behavior is discovered, then thecorrection unit253 corrects the grade Gr(h,Pn−m) of the communication pattern (Pn−m) in the terminal (h) determined in step S0006, using the following equation, and assigns a higher grade.

Gr(h,Pn−m)=θ·Gr(h,Pn−m)

Here, the malware behavior similarity coefficient θ is in the range of 1.0 to 2.0. Here, 1.0 means “no similarity”. The contents of processing of the second correlation analysis, and the malware behavior similarity coefficient —0 are described below with reference toFIG. 6 toFIG. 8 andFIG. 10 toFIG. 15. Thereupon, the processing advances to step S009.

In step S009, grades (PGr) are specified for the activity phases. Thespecification unit254 specifies a grade PGr(h,Pn)i for a phase Pn, from the grade Gr(h, Pn−m) of the communication pattern in the corresponding terminal h, based on the processing results from step S006 to step S008. Here, PGr(h, Pn)i−1 indicates the grade for the phase Pn up to the previous processing.

PGr(h,Pn)i=max{PGr(h,Pn)i−1,Gr(h,Pn−m)}

Thereupon, the processing advances to step S010.

In step S010, the possibility of malware activity (IR(h)) is calculated. The totalizingunit256 and thedetermination unit257 calculate the possibility of malware activity IR(h) for the terminal h. The specific calculation method is as described above in the explanation relating to thetotalizing unit256 and thedetermination unit257. Thereupon, the processing advances to step S011.

In step S011 and step S012, if the possibility of malware activity IR(h) is equal to or greater than a prescribed threshold value, then a countermeasure, such as blocking of the terminal or issuing of an administrator alert, is carried out. Thedetermination unit257 determines whether or not the possibility of malware activity in the terminal calculated in step S010 is equal to or greater than the prescribed threshold value representing “black” (step S011). If the possibility of malware activity is “black”, then thecommunication blocking unit22 carries out a countermeasure, such as blocking the communication by the terminal in question, or issuing an alert to the administrator (step S012). Furthermore, if the possibility of malware activity is “grey”, then thenetwork monitoring apparatus20 may issue an alert to the administrator. If the possibility of malware activity is “clean”, then a countermeasure such as blocking or issuing an alert is not carried out. Subsequently, the processing indicated in the flowchart is terminated.

FIG. 6 toFIG. 8 is a flowchart showing a flow of a detection process performed by the malwarebehavior detection engine25 relating to the present embodiment. The flowchart gives a more detailed explanation of the processing from step S006 to step S012 of the detection processing described in relation toFIG. 5. More specifically, step S101 to step S103 give a more detailed explanation of the communication pattern determination processing described in step S006 inFIG. 5; step S104 to step S110 give a more detailed explanation of the first correlation analysis processing described in step S007; step S111 to step S116 give a more detailed explanation of the second correlation analysis processing described in step S008; and step S117 to step S120 give a more detailed explanation of the grade specification processing for activity phases described in step S009. Furthermore, step S121 corresponds to step S010 inFIG. 5, and step S122 and step S123 correspond to step S011 and step S012.

In step S101 and step S102, it is determined whether or not the acquired packet (input packet) corresponds to any of the previously defined communication patterns. Thecomparison unit251 determines the commonality between the input packet and a previously defined communication pattern (Pn−m), by comparing the input packet and the previously held communication pattern. As a result of this determination, if it is determined that the input packet does not correspond to any communication pattern, then the processing relating to the packet in question is terminated, and the processing indicated in the flowchart is terminated. On the other hand, if it is determined that the packet does correspond to any one of the communication patterns, then the processing advances to step S103.

In step S103, the fact that a communication pattern (Pn−m) determined to be corresponding has been detected is recorded in relation to the terminal relating to the input packet. Furthermore, the evaluatedvalue acquisition unit252 acquires the phase Pn to which the communication pattern (Pn−m) corresponding to the input packet belongs, and the grade Gr (Pn−m) set in advance for the communication pattern (Pn−m), respectively, as the phase Pn(h) in the terminal (h) relating to the input packet and the grade Gr(h, Pn−m) for the phase in question. Thereupon, the processing advances to step S104.

In step S104 and step S105, if required conditions are set for the communication pattern corresponding to the input packet, then it is determined whether or not a communication corresponding to the required conditions has been acquired in the past. If required conditions have not been set, then the processing advances to step S107. Here, the required conditions are conditions for deciding whether or not a grade Gr(Pn−m) set in advance for a communication pattern (Pn−m) determined to correspond to the input packet in step S101 may be specified as the grade Gr(h, Pn−m) for the phase Pn(h) of the terminal (h) relating to the input packet in question. For example, a communication pattern of “P6-4: HTTP communication (proxy/non-proxy) having HTTP standard port (80) as the destination port” is a general communication in HTTP, and an required condition for this communication pattern is that any of the “HTTP malicious communication patterns” defined in “P0-1 to P0-15” is detected. Therefore, if these required conditions are satisfied, then the grade Gr(h, P6-4) of the communication pattern P6-4 is specified in respect of the input packet, and if the required conditions are not satisfied, then the grade Gr(h, P6-4) of the communication pattern P6-4 is not specified in respect of the input packet.

In other words, the evaluatedvalue acquisition unit252 determines whether or not there is continuity between the phase acquired in respect of the input packet and the phase acquired in respect of another communication (preceding packet) carried out before the communication in question, in respect of the terminal relating to the communication in question, by determining whether or not a communication acquired in the past satisfies the required conditions. If it is determined that the required conditions are not satisfied, then the processing advances to step S106, and the grade of the input packet is set to 0 (zero). On the other hand, if it is determined that the required conditions are satisfied, then the processing advances to step S107.

In step S107, grades are assigned for the phases in the terminal relating to the input packet. The evaluatedvalue acquisition unit252 acquires a grade Gr(Pn−m) previously defined for the communication pattern Pn−m which is determined to be corresponding, in respect of the input packet, and sets same as the grade Gr(h,Pn−m) for the phase Pn(h) in the terminal (h). Thereupon, the processing advances to step S108.

In step S108, it is determined whether or not the input packet corresponds to the required conditions of a communication pattern detected in the past. In other words, in step S108, at the current time, which corresponds to the future from the viewpoint of a communication acquired in the past (preceding packet), it is determined whether or not a communication (input packet) corresponding to the required conditions has been detected. The evaluatedvalue acquisition unit252 determines whether or not a communication pattern has been detected in the past, for which the communication pattern of the input packet has been set as a required condition. As a result of this determination, if a communication pattern having the communication pattern relating to the input packet as a required condition has not been detected in the past, the processing advances to step S111. On the other hand, if, as a result of this determination, a communication pattern having the communication pattern relating to the input packet as a required condition has not been detected in the past, the processing advances to step S110.

In step S110, grades are assigned for the phase of the communication acquired in the past (preceding packet). The evaluatedvalue acquisition unit252 acquires and assigns a grade Gr(Pn−m) previously defined for the communication pattern in question (Pn−m), to the communication detected in the past. Thereupon, the processing advances to step S111.

In step S111 and step S112, if a grade correction condition is set for the communication pattern corresponding to the input packet, then it is determined whether or not a communication corresponding to the grade correction condition has been acquired in the past. If a grade correction condition has not been set, then the processing advances to step S114. Here, a grade correction condition is a condition for determining whether or not a grade Gr(Pn−m) set previously for the communication pattern (Pn−m) determined to correspond to the input packet in step S101 should be corrected to a higher value. Thecorrection unit253 determines whether or not a communication corresponding to a grade correction condition has been detected in the past in respect of the terminal relating to the input packet. If it is determined that the grade correction condition is not satisfied, then grade correction is not carried out and the processing advances to step S114. On the other hand, if it is determined that the grade correction condition is satisfied, then the processing advances to step S113.

In step S113, grade correction is carried out. Thecorrection unit253 corrects the grade Gr(h,Pn−m) assigned in step S107, in accordance with the correction value set in advance in respect of the grade correction condition which is determined to have been satisfied in step S112. For example, if the correction value is 1.5, then the value of the grade Gr(h, Pn−m) is multiplied by 1.5 times. Thereupon, the processing advances to step S114.

In step S114, it is determined whether or not the input packet corresponds to the grade correction condition of a communication pattern detected in the past. In other words, in step S114, at the current time, which corresponds to the future from the viewpoint of a communication acquired in the past (preceding packet), it is determined whether or not a communication (input packet) corresponding to the grade correction condition has been detected. Thecorrection unit253 determines whether or not a communication pattern has been detected in the past, for which the communication pattern of the input packet has been set as a grade correction condition. As a result of this determination, if a communication pattern having the communication pattern relating to the input packet as a grade correction condition has not been detected in the past, then the processing advances to step S117. On the other hand, if, as a result of this determination, a communication pattern having the communication pattern relating to the input packet as a grade correction condition has been detected in the past, then the processing advances to step S116.

In step S116, grade correction relating to a past communication (preceding packet) is carried out. Thecorrection unit253 corrects the grade assigned to the terminal relating to the communication pattern detected in the past, by the correction value defined in advance in relation to the grade correction condition. For example, if the correction value is 1.5, then the grade is multiplied by 1.5 times. Thereupon, the processing advances to step S117.

In step S117 to step S120, a maximum grade updating process is carried out for each phase. Firstly, thenetwork monitoring apparatus20 acquires the maximum grade (the value after correction in the case of a grade which is corrected), which is held for each detection phase (P1 to P8) in the terminal relating to the input packet, from the grade management table (step S117), and determines whether or not the maximum grade has been updated, for each phase, by comparing the maximum grade with the grade specified by thespecification unit254 as a result of the processing from step S101 to step S116 (step S118). Here, if it is determined that the maximum grade has not been updated, then the processing advances to step S121. On the other hand, if it is determined that the maximum grade has been updated, then the holdingunit255 uses the newly assigned grade to update the maximum grade recorded in the grade management table, and saves this maximum grade (step S120). During this process, an audit log is kept (step S119). Thereupon, the processing advances to step S121.

In step S121, the possibility of malware activity in the terminal is calculated. The totalizingunit256 totalizes the maximum grade which has been determined for each phase in the terminal h, and thedetermination unit257 calculates the possibility of malware activity IR(h) in the terminal h, by multiplying by a malware activity coefficient. The specific calculation method is as described above in the explanation relating to thetotalizing unit256 and thedetermination unit257. Thereupon, the processing advances to step S122.

In step S122 and step S123, the presence or absence of a malware infection in the object node90 is determined. Thedetermination unit257 determines whether or not the possibility of malware activity IR(h) calculated in step S121 exceeds a prescribed threshold vale (step S122). Here, if it is determined that the possibility of malware activity IR(h) has exceeded a threshold value, then thenetwork monitoring apparatus20 implements the prescribed countermeasure for when a malware infection is detected. Examples of the countermeasure for when a malware infection is detected include: starting blocking of the communication at the node90 by thecommunication blocking unit22, and issuing an alert (warning) indicating that the node90 in question is infected with malware. On the other hand, if it is determined that the possibility of malware activity IR(h) has not exceeded the threshold value, then the countermeasure for when a malware information has been detected, such as blocking of the communication or issuing a warning, etc. is not implemented. Subsequently, the processing indicated in the flowchart is terminated.

Thenetwork monitoring apparatus20, for example, can block the communication by the node90 by using, for example, a method which discards communication data acquired from an L2/L3 switch, a method which disconnects the ports of an L2/L3 switch, a method for deriving a packet transmission destination due to ARP impersonation in respect of the node90, a method for instructing therouter10 to discard a communication relating to the node90, or a method for changing and separating the VLAN to which the node90 belongs. Furthermore, if thenetwork monitoring apparatus20 is installed (incorporated) into therouter10, then it is also possible to directly block communication which is sent or received by the node90. Moreover, thenetwork monitoring apparatus20 can issue an alert by using a method for sending a notification packet or e-mail, etc. to the management server, the node90, or a previously established administrator terminal, or the like, or, for example, a method for displaying a warning via a display apparatus (display monitor, LED, etc.) which is provided in the actualnetwork monitoring apparatus20.

Below, an example of a correlation analysis will be described. However, the correlation analysis is not limited to the example indicated in the present embodiment, provided that it is possible to analyze whether or not a plurality of communications performed by a terminal have a correlation from the viewpoint of phase transitions which accompany malware activity.

(1) First Correlation Analysis

The communication pattern determination process (see step S006) is based on previously defined “communication patterns”. Therefore, by this process alone, it is not possible to detect malware which is carrying out communications which do not match the communication patterns. Consequently, in the present embodiment, the first correlation analysis (see step S007) is carried out.

FIG. 9 is a diagram showing the phases in the activity transition model and the transitions therebetween, which are the object of monitoring in the first correlation analysis in the present embodiment. In general, malware transfers to the exploration and infection phase P2, the infection and invasion phase P3, the execution file download phase P4 or the attack activity phase P8, in accordance with a command from the C&C server. Furthermore, the time from receiving the command from the C&C server until transferring to the exploration phase P2, the infection and invasion phase P3, the execution file download phase P4 or attack activity phase P8 is generally extremely short (within one second). In the first correlation analysis, these characteristics are utilized, and when the terminal (h) has transferred to the exploration phase P2, infection and invasion phase P3, execution file download phase P4 or attack activity phase P8, the communication triggering this transfer is regarded provisionally as a C&C communication, and the terminal relating to the communication in question is registered in the C&C server candidate list. After registration in the C&C server candidate list, the processing for identifying malware information is performed in line with the malware detection method described above.

(1.1) Preparation (Gathering Evaluation Information)

In the first correlation analysis, when activity in the exploration phase P2, the infection and invasion phase P3, the execution file download phase P4 or the attack activity phase P8 of the activity transition model is observed (a communication pattern is detected), the communication triggering this activity is analyzed, and if prescribed conditions are satisfied, the transmission source of the communication triggering the activity (the connection destination as viewed from the terminal (h)) is registered in the list as a C&C server candidate. Below, the method of gathering information and the recorded contents used in the first correlation analysis will be described. The processing described below is executed each time a packet sent by a terminal that is the object of monitoring is detected. Furthermore, this preparation (evaluation information gathering) process is carried out after completion of the communication pattern determination process (see step S006).

(1.1.1) Analysis

If the packet is analyzed and the conditions described below are satisfied, then the procedure advances to the packet waiting step in (1.1.2). If these conditions are not satisfied, the procedure waits for a packet, without taking any action.

- The packet is any one of an HTTP GET, POST, PUT, or CONNECT request sent by the terminal (h); and
- The GET request is not a file download request; and
- The value of the User-Agent header does not start with “Mozilla”, or there is no User-Agent header.

The condition relating to the User-Agent described above means that only an HTTP request sent by an application other than a Web browser is the object of evaluation. (Impersonation) Since web browser communications are the object of evaluation in the communication pattern determination process, then only non-web browser communications are the object in the first correlation analysis. If the conditions described above are satisfied, then the following information is recorded in the terminal (h) management table.

- Method type (any one of GET, POST, PUT, CONNECT)
- User-Agent header value (text string). “NULL” if there is no User-Agent header
- Host header value (FQDN or IP address)

(1.1.2) Waiting for Packet

Here, the procedure waits for the subsequent packet. When a packet is received, the following processes are carried out.

- If the packet is a new HTTP request sent by a terminal (h) which satisfies the condition (1.1.1), then the processing returns to the analysis in (1.1.1). In the HTTP request and the response, only the time stamp of the latest data is required, but since there is a possibility of packet loss, a time stamp may be recorded every time an HTTP response is received, and the time stamp may be overwritten when a subsequent response is received.
- If the packet is a response to an HTTP request sent by the terminal (h) in (1.1.1), and the size of the body part of the HTTP response is zero, then the processing transfers to (1.1.1). This is because if the size of the body part of the HTTP response is zero, then this means that the response does not contain command information from the C&C server.
- The packet is a response to an HTTP request sent by the terminal (h) in (1.1.1). Furthermore, if the size of the body part of the HTTP response is not zero, then the contents indicated below are recorded and the processing transfers to (1.1.3).
- The detection (reception) time of the HTTP response packet (time stamp: milliseconds) is recorded. Hereinafter, this time stamp is expressed as “TimeStamp(C)”. Here, only the time stamp of the latest HTTP response data is required, but since there is a possibility of packet loss, a time stamp is recorded when all HTTP responses are received, and the time stamp is overwritten when a subsequent response is received.

(1.1.3) Determination

Here, the following determination and processing is carried out.

- If the packet processed in (1.1.2) is not the final data of an HTTP response, then the malwarebehavior detection engine25 halts at (1.1.2) and waits for the subsequent response.
- If the packet processed in (1.1.2) is the final data of an HTTP response, then the malwarebehavior detection engine25 returns to the analysis in (1.1.1) and waits for a new HTTP response.

(1.2) Contents of Processing Upon Transition to Exploration Phase P2

The malwarebehavior detection engine25 carries out the following processing successively, and if the conditions are satisfied, registers the terminal relating to the packet recorded in “Preparation (gathering evaluation information)”, in the C&C server candidate list.

- Recognize activity in exploration phase P2 (matches “communication pattern of exploration phase P2”), and
- The time of transition to exploration phase P2 (time stamp: TimeStamp (P2)) and the recorded TimeStamp(C) satisfy the following condition.

TimeStamp(C)+500 ms>TimeStamp(P2)

The malwarebehavior detection engine25 applies the grade (Gr)=0.3 to a communication (input packet) recorded in “Preparation (Gathering evaluation information)” which satisfies the aforementioned condition. This grade is compared with the recorded grade (PGr) of the C&C communication phase, and the larger of these grades is re-recorded as the grade (PGr) of the C&C communication phase. The TimeStamp(P2) is recorded in the communication pattern determination process, when the “communication pattern of the exploration phase P2” is detected. The TimeStamp(P2) is measured only in respect of communication patterns which correspond to “suspicious connection attempt” in the exploration phase. Furthermore, the observation time of the communication pattern is the time at which a communication pattern corresponding to “suspicious connection attempt” is detected.

(1.3) Contents of Processing Upon Transition to Execution File Download Phase P4

- Recognize activity in execution file download phase P4 (matches communication pattern of “execution file download phase P4”), and
- The time of transition to execution file download phase P4 (time stamp: TimeStamp (P4)) and the recorded TimeStamp(C) satisfy the following condition.

TimeStamp(C)+500 ms>TimeStamp(P4)

The malwarebehavior detection engine25 applies the grade (Gr)=0.3 to a communication recorded in “Preparation (Gathering evaluation information)” which satisfies the aforementioned condition. This grade is compared with the recorded grade (PGr) of the C&C communication phase, and the larger of these grades is re-recorded as the grade (PGr) of the C&C communication phase. The TimeStamp(P4) is recorded in the communication pattern determination process, when the “communication pattern of the execution file download phase P4” is detected. The TimeStamp(P4) is not the time of the start of the HTTP GET request, FTP download or TFTP download, but rather the time at which file download is completed (or the time of the last packet of the response in the case of HTTP GET). Since packet loss occurs, TimeStamp(P4) may be updated each time an individual packet of an HTTP GET response or an FTP/TFTP download packet is detected.

(1.4) Contents of Processing Upon Transition to Attack Phase P8

- Recognized as activity of the attack phase P8 (matches the “communication pattern of attack phase P8”), and
- The time of transition to attack phase P8 (time stamp TimeStamp (P8)) and the recorded TimeStamp(C) satisfy the following condition.

TimeStamp(C)+500 ms>TimeStamp(P8)

The malwarebehavior detection engine25 applies the grade (Gr)=0.3 to a communication recorded in “Preparation (Gathering evaluation information)” which satisfies the aforementioned condition. This grade is compared with the recorded grade (PGr) of the C&C communication phase, and the larger of these grades is re-recorded as the grade (PGr) of the C&C communication phase. The TimeStamp(P8) is recorded in the communication pattern determination process, when the “communication pattern of the attack phase P8” is detected. The TimeStamp(P8) is not the time at which an attack activity is recognized (ultimately from a plurality of packets), but rather the time at which the first packet of an attack communication pattern is detected.

(2) Second Correlation Analysis

Malware progressively deepens activity as it transfers through the phases of the malware activity transition model. Consequently, if the activity (communication) in the phases immediately after transition has a high possibility of being triggered by the activity (communication) in the phase one before (in other words, if there is a correlation between the phases before and after transition), then it is determined that the terminal in question has a high probability of being infected with malware. A method can be envisaged in which the trigger is determined from the data contents included in the communication pattern (for example, the contents of an instruction from a C&C server), but there are many types of malware which encrypts or obfuscates the data part, and real-time analysis and determination are difficult to achieve. Therefore, in the present embodiment, the second correlation analysis (see step S008) is carried out based on the time required to transfer phase (the time from detecting the communication pattern Pr-s until detecting the communication pattern Pm−n), the terminal (h) of the communication destination (call-back communication), the correlation and degree of match between the behavior of a plurality of terminals having a high possibility of malware infection, and information such as the type of file handled, etc. If, as a result of this analysis, it has been possible to detect that the communication is one having a high suspicion of malware behavior, then the grade Gr(Pm−n) of the communication pattern Pm−n corresponding to this communication is corrected (multiplied by a malware behavior similarity coefficient θ), to assign a higher grade.

Below, the details of the analysis performed in communication pattern correlation analysis will be described. If the sequence of transitions between phases does not match, or if the phase transitions match but a different phase is inserted between, then the pattern is not regarded as an object for analysis, and correlation analysis is not carried out. Furthermore, the malwarebehavior detection engine25 does not set all phase transitions as an object for correlation analysis. The malwarebehavior detection engine25 sets, as an object for correlation analysis, the following phase transitions in which a marked correlation with malware behavior is observed. FromFIG. 10 toFIG. 15, the solid arrows indicate a transition that is an analysis object and the dotted arrows indicate a transition that is not an analysis object.

(2.1) Contents of Processing Upon Transition to Exploration Phase P2

FIG. 10 is a diagram showing a transition to an exploration phase P2, which is the object of monitoring in the second correlation analysis in the present embodiment. The malwarebehavior detection engine25 carries out the following analysis if the terminal (h) has transferred to the exploration phase P2 in the “malware activity phase determination” processing block, and if applicable, corrects the grade for the communication pattern.

(2.1.1) Transition from C&C Communication Phase P6 to Attack Phase P2

if {condition A=TRUE} then {Gr(h,P2−m)=θ·Gr(h, P2−m)} (θ=1.2)

- Condition A: A data communication is observed in any of the C&C servers registered in the C&C server candidate list of the terminal (h) (reception of data (a command) of any kind from a C&C server), and the communication pattern P2−m of the exploration phase is then observed in the terminal (h) within N(a) seconds.

Here, the time of receiving the data (command) from the C&C server is taken to be the timing at which the following packets are observed.

- If the C&C is an HTTP type, then the reception time of the (final) data of the HTTP response not having zero data length (body part size) which corresponds to an HTTP GET/POST/PUT request
- If the C&C is HTTPS (direct or CONNECT) or an independent protocol type, then the reception time of the (final) TCP data which does not have a data length of zero, corresponding to the data packet sent by the terminal (h), on the TCP connection
- If the C&C is an IRC type, then the reception time of the final data of the IRC message which does not have a data length of zero, from the C&C server

Here, the communication pattern P2−m of the exploration and infection phase is only applied to a communication pattern which corresponds to a “suspicious connection attempt”. Furthermore, the observation time of the communication pattern is the time at which a communication pattern corresponding to “suspicious connection attempt” is detected.

(2.2) Contents of Analysis Upon Transition to Execution File Download Phase P4

FIG. 11 is a diagram showing a transition to the execution file download phase P4, which is the object of monitoring in the second correlation analysis in the present embodiment. The malwarebehavior detection engine25 carries out the following analysis if the terminal (h) has transferred to the execution file download phase P4 in the “malware activity phase determination” processing block, and if applicable, corrects the grade for the communication pattern.

(2.2.1) Transition from Exploration Phase P2 to Execution File Download Phase P4

if {condition A=TRUE} then {Gr(h,P4−m)=θ·Gr(h, P4−m)} (θ=1.5)
if {condition B=TRUE} then {Gr(h,P4−m) θ·Gr(h, P4−m)} (θ=1.3)

- Condition A The execution file download communication pattern P4−m is observed in the terminal (h), and the connection destination of P4−m (destination IP/FQDN) matches an infecting terminal (k).
- Condition B: The execution file download communication pattern P4−m is observed in the terminal (h), and the connection destination of P4−m (destination IP/FQDN) matches any one of the servers registered in the malware delivery server candidate list.

Since the download of an execution file is not always carried out within a prescribed time after malware infection (download may occur 10 seconds after, or 3 days after, for instance), then a time-related condition is not applied in the transition from phase P2 to phase P4.

(2.2.2) Transition from C&C Communication Phase P6 to Execution File Download Phase P4

if {condition C=TRUE} then {Gr(h,P4−m)=θ·Gr(h, P4−m)} (θ=1.2)
if {condition D=TRUE} then {Gr(h,P4−m)=θ·Gr(h, P4−m)} (θ=1.5)

- Condition C: A data communication is observed in any of the C&C servers registered in the C&C server candidate list of the terminal (h) (reception of data of any kind from a C&C server), and the communication pattern P4−m of the execution file download phase is then observed in the terminal (h) within N(b) seconds.
- Condition D: Condition C, and the connection destination (destination IP/FQDN) of P4−m matches any one of the servers registered in the malware delivery server candidate list.

For the time at which data (a command) is received from the C&C server, see “(2.1) Contents of analysis upon transition to exploration phase P2”. The observation time of the communication pattern P4−m of the execution file download phase is not the time of the start of the HTTP GET request, FTP download or TFTP download, but rather the time at which file download is completed (or the time of the last packet of the response in the case of HTTP GET). Since packet loss occurs, the time may be updated each time an individual packet of an HTTP GET response or an FTP/TFTP download packet is detected.

(2.2.3) Transition from Infiltration Phase P1 to Execution File Download Phase P4

In the “malware activity phase determination” processing block, when the terminal (h) transitions to the execution file download phase P4, the correlation analysis described below is carried out, and if it is determined that there is a correlation, the grade of the active communication pattern is corrected and it is determined that the terminal is infected with malware (is receiving a Drive-by Download attack) (seeFIG. 5 toFIG. 8). The presence or absence of a correlation is determined on the basis of the continuity and relationship between the communication P1-n which is mapped to the infiltration phase P1, and the communication P4−m which is mapped to the execution file download phase P4. Here, the continuity is determined on the basis of the identity of the connection, the proximity of the detection time, and the presence/absence of other packets detected between the two communication patterns P1-n and P4−m, etc., and the relationship is determined on the basis of the destination server address and the commonality of the destination server information, etc.

FIG. 12 is a flowchart showing a flow of correlation analysis for determining a correlation between a communication relating to the infiltration phase P1 and a communication relating to the execution file download phase P4. The processing shown in this flowchart corresponds to the processing of the malware behavior detection engine from step S111 to step S116 as explained usingFIG. 6 andFIG. 7, and is executed in order to detect that a Drive-by Download attack has been made in the terminal in question, if a communication mapped to the infiltration phase P1 or a communication mapped to the execution file download phase P4 is detected.

In step S701 to step S703, it is determined whether or notcorrelation conditions 1 to 3 are satisfied. If none of thecorrelation conditions 1 to 3 is satisfied, then the processing shown in the flowchart is terminated. On the other hand, if any one of thecorrelation conditions 1 to 3 is satisfied, then the processing advances to step S704. Thecorrelation conditions 1 to 3 are as indicated below.

Correlation condition 1 After detection of communication pattern P1−m (m=1 to 5) in terminal (h), the communication pattern P4-n (n=1 to 4) is detected on the same TCP connection as the detected P1−m.

if condition=TRUE) then PGr(h,P1)=0.3
if (condition=TRUE) then Gr(h,P4-1 to P4-4)=θ·Gr(h, P4-1 to P4-4) (θ=2.0)

Correlation condition 2 Immediately after detection of communication pattern P1−m (m=1 to 5) in terminal (h), the communication pattern P4-n (n=1 to 4) having the same FQDN/IP address as P1−m is detected. The TCP connections of P1−m and P4-n are different.

if (condition=TRUE) then PGr(h,P1)=0.3
if (condition=TRUE) then Gr(h,P4-1 to P4-4)=θ·Gr(h, P4-1 to P4-4) (θ=2.0)

Correlation condition 3: Immediately after detection of P1−m (m=1 to 5) in terminal (h), a normal GET request having the same FQDN/IP address as the detected P1−m and set to an IE or Java User-Agent header value is detected, and this GET request is a single unique GET request and immediately after the normal GET request (& response) described above, a communication pattern P4-n (n=1 to 4) having the same FQDN/IP address as the detected P1−m (m=1 to 5) is detected. The TCP connections of P1−m and P4-n are different.

In step S704, the grades of phase P1 and phase P4−m are corrected. Thecorrection unit253 makes this correction by, for example, setting the grade of phase P1 to 0.3 and multiplying the grade of phase P4−m by 2.0. Thereupon, the processing shown in this flowchart is terminated, and finally, the presence or absence of malware infection (Drive-by Download attack) is determined by comparison with a threshold value (see the processing shown inFIG. 8).

(2.3) Contents of Analysis Upon Transition to C&C Exploration Phase P5

FIG. 13 is a diagram showing a transition to the C&C exploration phase P5, which is the object of monitoring in the second correlation analysis according to the present embodiment. The malwarebehavior detection engine25 carries out the following analysis if the terminal (h) has transferred to the C&C exploration phase P5 in the “malware activity phase determination” processing block, and if applicable, corrects the grade for the communication pattern.

(2.3.1) Transfer from Exploration Phase P2 to C&C Exploration Phase P5

if {condition A=TRUE} then {Gr(h,P5−m)=θ·Gr(h, P5−m)} (θ=1.2)

- Condition A: Infection activity is observed in the terminal (h) on the (infected side) (in the connection destination terminal in the communication pattern P2-9 or P2-10), and the communication pattern P5−m of the C&C exploration phase is then observed in the terminal (h) within N(c) seconds.

(2.3.2) Transition from C&C Communication Phase P6 to C&C Exploration Phase P5

if {condition B=TRUE} then {Gr(h,P5−m)=θ·Gr(h, P5−m)} (θ=1.3)

- Condition B: The terminal (h) repeats transition from the C&C communication phase P6 to the C&C exploration phase P5 (the communication pattern P5−m of the C&C exploration phase P5 is detected) at a predetermined cycle (time interval).

In the present embodiment, if the past three transitions have occurred at substantially the same cycle (time interval), then it is determined that transfer to the C&C exploration phase P5 has been repeated at a predetermined cycle.

(2.4) Contents of Analysis Upon Transfer to C&C Communication Phase P6

FIG. 14 is a diagram showing a transition to the C&C communication phase P6, which is the object of monitoring in the second correlation analysis in the present embodiment. The malwarebehavior detection engine25 carries out the following analysis if the terminal (h) has transferred to the C&C communication phase P6 in the “malware activity phase determination” processing block, and if applicable, corrects the grade for the communication pattern.

(2.4.1) Transition from Exploration Phase P2 to C&C Communication Phase P6

if {condition A=TRUE} then {Gr(h,P6−m)=θ·Gr(h, P6−m)} (θ=1.1)
if {condition B=TRUE} then {Gr(h, P6−m) θ·Gr (h, P6−m)} (θ=1.2)
if {condition C=TRUE} then {Gr(h,P6−m)=θ·Gr(h, P6−m)} (θ=1.5)

- Condition A: Infection activity is observed in the terminal (h) (in the infected terminal in the communication pattern P2-9 or P2-10), and the communication pattern P6−m of the C&C communication phase P6 is then observed in the terminal (h) within N(d) seconds.
- Condition B: Condition A, and the connection destination (destination IP/FQDN) of P6−m matches any one of the C&C servers registered in the C&C server candidate list (of any terminal that is the object of monitoring).
- Condition C: Condition A, and the connection destination (destination IP/FQDN) of P6−m matches any one of the C&C servers registered in the C&C server candidate list of an infecting terminal (k).

(2.4.2) Transition from Execution File Download Phase P4 to C&C Communication Phase P6

if {condition D=TRUE} then {Gr(h,P6−m)=θ·Gr(h, P6−m)} (—0=1.1)
if {condition E=TRUE} then {Gr(h,P6−m)=θ·Gr(h, P6−m)} (θ=1.2)
if {condition F=TRUE} then {Gr(h,P6−m)=θ·Gr(h, P6−m)} (θ=1.3)

- Condition D: An execution file download communication pattern P4−m is observed in the terminal (h), and the communication pattern P6−m of the C&C communication phase is then observed in the terminal (h) within N(e) seconds.
- Condition E: Condition D, and the connection destination (destination IP/FQDN) of P6−m matches any one of the C&C servers registered in the C&C server candidate list (of any terminal that is the object of monitoring).
- Condition F: Condition D, and the connection destination (destination IP/FQDN) of P6−m matches any one of the C&C servers already registered in the C&C server candidate list of the terminal (h).

(2.4.3) Transfer from C&C Exploration Phase P5 to C&C Communication Phase P6

if {condition G=TRUE} then {Gr(h,P6−m)=θ·Gr(h, P6−m)} (θ=1.2)

- Condition G: If the communication pattern P5−m of the C&C exploration phase is observed in the terminal (h), and within N(f) seconds, the communication pattern P6−m of the C&C communication phase is observed in the terminal (h), and the connection destination (destination IP/FQDN) in P6−m is any one of the C&C servers registered in the C&C server candidate list (or any of the terminals that are the object of monitoring).

(2.5) Contents of Analysis Upon Transfer to Attack Phase P8

FIG. 15 is a diagram showing a transition to an attack phase P8, which is the object of monitoring in the second correlation analysis in the present embodiment. The malwarebehavior detection engine25 carries out the following analysis if the terminal (h) has transferred to the C&C communication phase P6 in the “malware activity phase determination” processing block, and if applicable, corrects the grade for the communication pattern.

(2.5.1) Transition from Execution File Download Phase P4 to Attack Phase P8

if {condition A=TRUE} then {Gr(h,P8−m)=θ·Gr(h, P8−m)} (θ=1.2)

- Condition A: The execution file download communication pattern P4−m is observed in the terminal (h), and the attack phase communication pattern P8−m is then observed in the terminal (h) within N(g) seconds.

(2.5.2) Transition from C&C Communication Phase P6 to Attack Phase P8

if {condition B=TRUE} then {Gr(h,P8−m) θ·Gr(h, P8−m)} (θ=1.2)
if {condition C=TRUE} then {Gr(h,P8−m)=θ·Gr(h, P8−m)} (θ=1.5)

- Condition B: A data communication is observed in any of the C&C servers registered in the C&C server candidate list of the terminal (h) (reception of data (a command) of any kind from a C&C server), and the attack phase communication pattern P8−m is then observed in the terminal (h) within N(h) seconds.
- Condition C: Two or more terminals satisfying condition B are detected. (The detection does not have to occur simultaneously.)

(3) Correlation Analysis for Role Estimation

In an attack method used in a targeted attack, in order to delay the discovery of attack activity in an organization, there has been a tendency to reduce, as far as possible, the amount of communication from an infected terminal in the organization to an external terminal managed by the attacker. Here, in order to reduce the amount of communication with an external terminal, the number of infected terminals inside the organization which perform communication with an external terminal is restricted, and the infected terminals are assigned roles and are managed. For example, the roles given to infected terminals are the four following roles. One infected terminal may also have a plurality of roles.

1. Role of exploration/infection/espionage activities with the object of expanding infection of the malware within the organization
2. Role of downloading a file from an external terminal managed by the attacker, into the organization, positioning the file within own terminal, and redistributing
3. Role of relaying C&C communication from an external terminal managed by the attacker
4. Role of collecting result information of espionage activities within the organization and updating the information to the external terminal managed by the attacker

In order to investigate the behavior of this kind of an infected terminal, conventionally, it has been proposed that malware activity is detected by analyzing the type of software running on a terminal, and the contents of the processing performed in the terminal, by agent-type monitoring software which runs on the terminal. However, with conventional methods, since the communication log, communication capture information, the malware in itself, or the like, is analyzed after detecting an infected terminal, then it takes a long time from the detection of the infected terminal until identification of the activity and role of the malware.

As described above, there are cases where the attacker seeks to reduce the amount of communication between an infected terminal and an external terminal in order to delay the discovery of an attack, and for this purpose, provides a proxy infected terminal which performs communication with an external terminal managed by the attacker within the organization, instead of another infected terminal. In this case, the communication between the external terminal and the proxy infected terminal, and the communication between the proxy infected terminal and the infected terminal are communications in the same phase.

Therefore, in the present embodiment, by analyzing the correlation between communications in the same phase performed by different terminals, an infected terminal within an organization, and an infected terminal having a role of performing, by proxy, communication with an external terminal managed by an attacker, and the like, are discovered and the roles of the terminals are estimated.

The contents of the correlation analysis between communications by different terminals is described below. If the sequence of transitions between phases does not match, or if the phase transitions match but a different phase is inserted therebetween, then the communication may be omitted as an object for analysis. Furthermore, the malwarebehavior detection engine25 sets, as an object for correlation analysis, phase transitions in which a correlation with malware behavior is observed.

FIG. 16 is a flowchart showing a flow of a third correlation analysis process performed by the malwarebehavior detection engine25 relating to the present embodiment. The third correlation analysis process according to the present embodiment is executed when a packet flowing over the network (or data consisting of a plurality of packets) is acquired by thenetwork monitoring apparatus20, and a prescribed communication pattern is then detected by the communication pattern determination process described above (step S006 inFIG. 5 and step S101 to step S103 inFIG. 6).

Here, the prescribed communication pattern in the present embodiment is one of the four communication patterns indicated below.

1. Communication pattern P3−m in which there is possibility that an injection/invasion action has been carried out;
2. Communication pattern P4−m in which there is a possibility that an execution file has been transmitted;
3. Communication pattern P6−m in which there is a possibility that C&C communication has been carried out; and
4. Communication pattern P7−m in which there is a possibility that exploited information has been uploaded.

Although there is a possibility that communication based on malware is encrypted, the malware behavior detection engine according to the present embodiment detects a communication for uploading information on the basis of a communication pattern, and therefore it is possible to detect which phase the communication in question belongs to, even if the communication is encrypted.

In step S201, a role estimation correlation analysis process corresponding to the detected communication pattern is executed. The malware behavior detection engine executes the corresponding role estimation correlation analysis process in accordance with the communication pattern detected in the communication pattern determination process described above (corresponding to step S006 inFIG. 5, and step S101 to step S103 inFIG. 6). More specifically,

1. When the communication pattern P3−m in which there is a possibility that an infection/invasion action has been carried out is detected, a role estimation correlation process for the infection/invasion phase P3 is executed;
2. When the communication pattern P4−m in which there is a possibility that an execution file has been transmitted is detected, a role estimation correlation analysis process for the execution file download phase P4 is executed;
3. When the communication pattern P6−m in which there is a possibility that C&C communication is being carried out is detected, a role estimation correlation analysis process for the C&C communication phase P6 is executed;
4. When a communication pattern P7−m in which there is a possibility that exploited information has been uploaded is detected, a role estimation analysis process for the exploited information upload phase P7 is executed.

The details of the analysis correlation processes between respective terminals are described below. Thereupon, the processing advances to step S202.

In step S202, a countermeasure such as blocking of the terminal and/or issuing of an administrator alert, is carried out in accordance with the result of the role estimation correlation analysis. In the role estimation correlation analyses described above, if any of the nodes90 is inferred to have any role involved in malware activity, thenetwork monitoring apparatus20 performs a prescribed countermeasure for when a malware infection is detected. Examples of the countermeasure for when a malware infection is detected include: starting blocking of the communication at the node90 by thecommunication blocking unit22, and issuing an alert (warning) indicating that the node90 in question is infected with malware. By enabling an administrator to ascertain information of this kind, an administrator is able to ascertain what terminals having what roles are present on the network in the organization, and to ascertain a situation in which expansion of malware infection and/or attack activity has occurred, and promote suitable countermeasures. In the role estimation correlation analyses described above, if none of the nodes90 is inferred to have a role in malware activity, then a countermeasure for when a malware information is detected, such as blocking and/or issuing an alert, is not carried out. The concrete method of blocking communication and/or issuing an alert by thenetwork monitoring apparatus20 is indicated as an example in the description in step S123, etc. Subsequently, the processing indicated in the flowchart is terminated.

Next, the specific contents of each of the role estimation correction analyses is described.

(3.1) Role Estimation Correction Analysis for Infection and Invasion Phase P3

FIG. 17 is a flowchart showing a flow of a role estimation correlation analysis process for the infection and invasion phase P3 relating to the present embodiment. The flowchart gives a more detailed description of the processing when the role estimation correlation analysis process of the infection and invasion phase P3 is called up in step S201 of the third correlation analysis process described with reference toFIG. 16, because a communication pattern is detected in which there is a possibility that an infection and invasion action has been carried out. Furthermore,FIG. 18 is a diagram showing an aspect of the activity of a terminal of which the role is estimated by the role estimation correlation analysis process for the infection and invasion phase P3, according to the present embodiment.

In step S301, the infection source terminal information and the infection destination terminal information are recorded. The malwarebehavior detection engine25, when a communication pattern is detected in which there is a possibility that an infection and invasion action has been carried out, records the terminal information of the terminals relating to the communication in question, in other words, the infection source terminal information and infection destination terminal information, in thestorage apparatus14a. For instance, when a communication pattern is detected in which there is a possibility that an injection and invasion action has been carried out, fromnode90btonode90c, the malwarebehavior detection engine25 records the terminal information ofnode90b(infection source) andnode90c(infection destination). The terminal information recorded here is, for example, the IP address of the terminal, etc. Thereupon, the processing advances to step S302.

In step S302, it is determined whether or not the infection source terminal has received an infection/invasion from a terminal inside the organization in the past. Thecorrelation analysis unit258 determines whether or not an infection source terminal (node90bin the example described above) relating to a communication in the infection and invasion phase P3 detected currently is communicating with any other node90 (for example,node90a) in the infection and invasion phase P3 in which there is a possibility that a similar infection and invasion action has been carried out, and whether or not the terminal is an infection destination terminal. This determination is carried out by exploring the information recorded in step S301, when the processing relating to the flowchart has been executed in the past.

In other words, when the phase P3 currently specified in relation to the infection source terminal (node90b) in which a communication has been detected is the same as the phase specified in the past in relation to any other node90, thecorrelation analysis unit258 determines whether or not these terminals are carrying out activities cooperatively, by making a correlation analysis between the communication by the infection source terminal (node90b) and the communication by another terminal (node90a, for example). If it is determined that the infection source terminal has not received an infection and invasion from a terminal inside the organization, then the processing shown in this flowchart is terminated. On the other hand, if it is determined that the infection source terminal has received an infection and invasion from a terminal inside the organization in the past, then the processing advances to step S303.

In step3303, it is estimated that a terminal that is currently carrying out infection and invasion, and a terminal that has carried out infection and invasion in the past, are terminals having an “infection and invasion role”, and the estimation results are recorded. In step S302, when it is determined that the infection source terminal has received infection and invasion from a terminal in the organization in the past, therole estimation unit259 estimates that the current infection source terminal (node90bin the example described above) and the past infection source terminal (node90ain the example described above) are operating as terminals having a malware “infection and invasion role”, and records the terminal information of these terminals. Subsequently, the processing indicated in the flowchart is terminated.

(3.2) Role Estimation Correlation Analysis Process for Execution File Download Phase P4

FIG. 19 is a flowchart showing a flow of a role estimation correlation analysis process for the execution file download phase P4 relating to the present embodiment. The flowchart gives a more detailed description of the processing when the role estimation correlation analysis process of the execution file download phase P4 is called up in step S201 of the third correlation analysis process described with reference toFIG. 16, because a communication pattern is detected in which there is a possibility that an execution file has been transmitted. Furthermore,FIG. 20 is a diagram showing an aspect of the activity of a terminal of which the role is estimated by the role estimation correlation analysis process for the execution file download phase P4, according to the present embodiment.

In step S401, the detection information of the request transmission source terminal and the request reception terminal is recorded. The malwarebehavior detection engine25 records the detection information of the communication in question, in thestorage apparatus14a, when a communication pattern is detected in which there is a possibility that execution file download has been carried out. The detection information recorded here includes: terminal information of a terminal inferred to have transmitted a request for download of an execution file (for example, the IP address ofnode90c, or the like), and terminal information of a terminal inferred to have received the request (for example, the IP address ofnode90b, etc.). Thereupon, the processing advances to step S402.

In steps S402 and S403, it is determined whether or not a terminal that has received a request is a terminal that is inside the organization and has downloaded an execution file from a terminal outside the organization in the past. Thecorrelation analysis unit258 determines whether or not the terminal which has received a request in an execution file download phase P4 communication that is detected currently (node90bin the example described above) is a terminal inside the organization (step S402). There are no restrictions on the concrete method of determination, but, for example, it is possible to determine whether or not the terminal that has received a request is a terminal inside the organization, by referring to the IP address set in the packets, and the like. If the terminal that has received the request is not a terminal inside the organization, then the processing shown in the flowchart terminates.

If the terminal that has received a request is a terminal inside the organization, on the other hand, then it is determined whether or not the terminal has, in the past, performed a communication in the execution file download phase P4 in which there is a possibility that an execution file has been downloaded from a terminal outside the organization (step S403). In the example described above, the request receiving terminal is anode90band is terminal inside the organization. This determination is carried out by exploring the information recorded in step S401, when the processing relating to the flowchart has been executed in the past.

In other words, when the phase P4 currently specified in relation to the request receiving terminal (node90b) in which a communication has been detected is the same as the phase specified in the past in relation to a terminal outside the organization, thecorrelation analysis unit258 determines whether or not these terminals are carrying out activity cooperatively, by making a correlation analysis between the communication by the request receiving terminal (node90b) and the communication by the terminal outside the organization. If it is determined that an execution file has not been downloaded from a terminal outside the organization in the past, then the processing shown in the flowchart is terminated. On the other hand, when it is determined that an execution file has been downloaded from the terminal outside the organization in the past, then the processing advances to step S404. For example, if thenode90b, which is the current request receiving terminal, has downloaded an execution file from any terminal outside the organization in the past, then the determination result in this step is “YES” and the processing advances to step S404.

In step S404, it is determined whether or not there is another terminal inside the organization which has made a request for execution file download to the request receiving terminal. In other words, in step S404, it is determined whether or not there is a plurality of terminals inside the organization which have made a request for execution file download to the request receiving terminal. Thecorrelation analysis unit258 determines whether or not a terminal that has received a request in a currently detected execution file download phase P4 communication (node90bin the example described above) has received an execution file download request (a communication in the execution file download phase P4), from a terminal in the organization (node90d, for example) that is different to the terminal that sent the current request (node90c). This determination is carried out by exploring the information recorded in step S401, when the processing relating to the flowchart has been executed in the past.

In other words, if the phase P4 currently specified in relation to the request receiving terminal (node90b) in which a communication has been detected is the same as the phase specified in the past in relation to the terminal inside the organization (node90d), thecorrelation analysis unit258 determines whether or not these terminals are carrying out activities cooperatively, by making a correlation analysis in respect of these communications. When it is determined that there is no other terminal inside the organization that has made the request, then the processing shown in the flowchart is terminated. On the other hand, if it is determined that there is another terminal inside the organization that has made a request, then the processing advances to step S405.

In step S405, the terminal which has currently received a request is estimated to be a terminal having a “role of redistributing an execution file”, and the estimation result is recorded. In step S404, when it is determined that there is another terminal inside the organization that has made a request, therole estimation unit259 estimates that the request receiving terminal (node90b, for example) is a terminal that has been given a role of distributing an execution file inside the organization, in order to delay discovery by suppressing the amount of communication with the outside of the organization. Subsequently, the processing indicated in the flowchart is terminated.

(3.3) Role Estimation Correlation Analysis Process for C&C Communication Phase P6

FIG. 21 is a flowchart showing a flow of a role estimation correlation analysis process for the C&C communication phase P6 relating to the present embodiment. The flowchart gives a more detailed description of the processing when the role estimation correlation analysis process of the C&C communication phase P6 is called up in step S201 of the third correlation analysis process described with reference toFIG. 16, because a communication pattern is detected in which there is a possibility that a C&C communication has been carried out. Furthermore,FIG. 22 is a diagram showing an aspect of the activity of a terminal of which the role is estimated by the role estimation correlation analysis process for the C&C communication phase P6, according to the present embodiment.

In step S501, the detection information of the command transmission source terminal and the command receiving terminal is recorded. The malwarebehavior detection engine25 records the detection information of the communication in question, in thestorage apparatus14a, when a communication pattern is detected in which there is a possibility that C&C communication has been carried out. The detection information recorded here includes: terminal information of a terminal inferred to have transmitted a C&C communication command (for example, the IP address ofnode90b, or the like), and terminal information of a terminal inferred to have received the command (for example, the IP address ofnode90c, etc.). Thereupon, the processing advances to step S502.

In steps S502 and S503, it is determined whether or not the command transmission source terminal is a terminal inside the organization, which has performed communication inferred to be a C&C communication with a terminal outside the organization in the past. Thecorrelation analysis unit258 determines whether or not the terminal which has received a communication pattern in the C&C communication phase P6 that is detected currently (node90bin the example described above) is a terminal inside the organization (step S502). There are no restrictions on the concrete method of determination, but, for example, it is possible to determine whether or not the command transmission source terminal is a terminal inside the organization, by referring to the IP address set in the packets, and the like. If the terminal that has transmitted the command is not a terminal inside the organization, then the processing shown in the flowchart terminates.

If the terminal that has transmitted a command is a terminal inside the organization, on the other hand, then it is determined whether or not the terminal has, in the past, performed a communication in the C&C communication phase P6 in which there is a possibility of C&C communication with a terminal outside the organization (step S503). In the example described above, the command transmitting terminal isnode90band is a terminal inside the organization. This determination is carried out by exploring the information recorded in step S501, when the processing relating to the flowchart has been executed in the past.

In other words, when the phase P6 currently specified in relation to the command transmission source terminal (node90b) in which a communication has been detected is the same as the phase specified in the past in relation to a terminal outside the organization, thecorrelation analysis unit258 determines whether or not these terminals are carrying out activities cooperatively, by making a correlation analysis between the communication by the command transmission source terminal (node90b) and the communication by the terminal outside the organization. If it is determined that the terminal has not carried out a communication that has a possibility of being a C&C communication with a terminal outside the organization, in the past, then the processing shown in the flowchart is terminated. On the other hand, when it is determined that the terminal has performed a communication that has a possibility of being a C&C communication with a terminal outside the organization, in the past, then the processing advances to step S504. For example, if thenode90b, which is the current command transmitting terminal, has performed a C&C communication with any terminal outside the organization in the past, then the determination result in this step is “YES” and the processing advances to step S504.

In step S504, it is determined whether or not there is another terminal inside the organization which has performed C&C communication with the command transmitting terminal. In other words, in step S504, it is determined whether or not there is a plurality of terminals inside the organization which have performed C&C communication with the command transmitting terminal. Thecorrelation analysis unit258 determines whether or not the terminal which has transmitted a command in the C&C communication phase P6 communication detected currently (node90bin the example described above) has performed a communication which has a possibility of being a C&C communication (a communication in the C&C communication phase P6), with a terminal inside the organization (for example,node90d) that is different to the terminal (node90c) which is the counterpart in the current C&C communication. This determination is carried out by exploring the information recorded in step S501, when the processing relating to the flowchart has been executed in the past.

In other words, if the phase P6 currently specified in relation to the command transmitting terminal (node90b) in which a communication has been detected is the same as the phase specified in the past in relation to the terminal inside the organization (node90d), thecorrelation analysis unit258 determines whether or not these terminals are carrying out activities cooperatively, by making a correlation analysis in respect of these communications. When it is determined that there is no other terminal in the organization that has performed a C&C communication, then the processing shown in the flowchart is terminated. On the other hand, if it is determined that there is another terminal inside the organization that has performed a C&C communication, then the processing advances to step S505.

In step S505, the terminal which has currently transmitted a command is estimated to be a terminal having a “role of relaying a C&C communication”, and the estimation result is recorded. In step S504, when it is determined that there is another terminal inside the organization that has performed a C&C communication, therole estimation unit259 estimates that the command transmitting terminal (node90b, for example) is a terminal that has been given a role of relaying a C&C communication from a C&C server outside the organization, and records the terminal information of these terminals. Subsequently, the processing indicated in the flowchart is terminated.

(3.4) Role Estimation Correlation Analysis Process for Exploited Information Upload Phase P7

FIG. 23 is a flowchart showing a flow of a role estimation correlation analysis process for the exploited information upload phase P7 relating to the present embodiment. The flowchart gives a more detailed description of the processing when the role estimation correlation analysis process of the exploited information upload phase P7 is called up in step S201 of the third correlation analysis process described with reference toFIG. 16, because a communication pattern is detected in which there is a possibility that exploited information has been uploaded. Furthermore,FIG. 24 is a diagram showing an aspect of the activity of a terminal of which the role is estimated by the role estimation correlation analysis process for the exploited information phase P7, according to the present embodiment.

In step S601, the detection information of the information upload source terminal and the upload destination terminal are recorded. The malwarebehavior detection engine25 records the detection information of the communication in question, in thestorage apparatus14a, when a communication pattern is detected in which there is a possibility that upload of exploited information has been carried out. The detection information recorded here includes: terminal information of a terminal inferred to have uploaded exploited information (for example, the IP address ofnode90b, or the like), and terminal information of a terminal inferred to have received the upload of exploited information (for example, the IP address of a server outside the organization, etc.). Thereupon, the processing advances to step S602.

In step S602, it is determined whether or not the upload destination terminal is a terminal outside the organization. Thecorrelation analysis unit258 determines whether or not the terminal which has received upload of information in the currently detected communication pattern (a server outside the organization in the example described above) is a terminal outside the organization. There are no restrictions on the concrete method of determination, but, for example, it is possible to determine whether or not the terminal that has received the upload of information is a terminal outside the organization, by referring to the IP address set in the packets, and the like. If the terminal that has received the upload of information is not a terminal outside the organization, then the processing shown in the flowchart terminates. On the other hand, if the terminal that has received the upload of information is a terminal outside the organization, then the processing advances to step S603. In the example described above, the upload destination terminal is a server (terminal) outside the organization.

In step S603, it is determined whether or not there is a plurality terminals inside the organization that have conducted information upload to the upload source terminal. Thecorrelation analysis unit258 determines whether or not the terminal which has conducted information upload in the currently detected communication in the exploited information upload phase P7 (node90bin the example described above) has, in the past, received information upload (communication in the exploited information upload phase P7) from a plurality of terminals inside the organization (

nodes

90a,90c,90d, for example). This determination is carried out by exploring the information recorded in step S601, when the processing relating to the flowchart has been executed in the past.

In other words, if the phase P7 currently specified in relation to the upload source terminal (node90b) in which a communication has been detected is the same as the phase specified in the past in relation to a plurality of terminals inside the organization (for example,

nodes

90a,90c,90d), then thecorrelation analysis unit258 determines whether or not these terminals are carrying out activities cooperatively, by making a correlation analysis in respect of these communications. If it is determined that there is not a plurality of terminals in the organization that have conducted information upload, then the processing shown in the flowchart is terminated. On the other hand, if it is determined that there is a plurality of terminals inside the organization that have conducted information upload, then the processing advances to step S604.

In step S604, the terminal which has currently conducted an upload is inferred to be a terminal having a “role of collecting and uploading exploited information”, and the inference result is recorded. In step S603, if it is determined that there is a plurality of terminals inside the organization that have conducted information upload to the upload source terminal, then therole estimation unit259 infers that the upload source terminal (for example,node90b) is a terminal that has been given a role of collecting information from inside the organization and sending the information to a server inside the organization, in order to delay discovery by suppressing the communication amount with the outside of the organization, and records the terminal information of this terminal. Subsequently, the processing indicated in the flowchart is terminated.

According to the correlation analysis for role estimation described above, by monitoring the communications inside the organization, it is possible to estimate the “role” inside the organization of a terminal that has been infected with malware, and moreover it is possible to carry out communication control corresponding to the estimated “role”. For example, in the case of a terminal which possibly has a role of uploading information, it is possible to select a countermeasure such as blocking communications, even at a stage where there is little possibility of malware activity. Furthermore, when a plurality of infected terminals are detected, it is also possible to determine countermeasures for a security incident, by carrying out an analysis that prioritizes terminals which have a high degree of threat in relation to the “role” of the infected terminal.

As stated above, thecommunication blocking unit22 blocks a communication by a terminal that has been determined to be carrying out unauthorized activity. Here, when the malware behavior detection engine detects that a terminal inside the organization has been infected with malware or when the role of a terminal inside the organization has been estimated by the malware behavior detection engine, thecommunication blocking unit22 may also identify a communication destination relating to unauthorized activity by the terminal based on a combination of communication patterns that have led to the malware detection, and block communication with said communication destination from a terminal inside the organization. Here, the communication destination relating to unauthorized activity by the terminal is, for example, a malware download source, a C&C server transmitting a command to malware, an upload server forwarding espionage activity results, or the like. Furthermore, when blocking communication from the terminal in the organization to the communication destination, it is also possible to block communication regardless of whether or not it has been determined that the terminal inside the organization is infected with malware. More specifically, when a determination of malware infection or estimation of a role has been made, thecommunication blocking unit22 controls access of a communication from a terminal inside the organization (including a terminal that is not infected with malware), to an address to which malware has been communicated (protocol, port number, URI, etc.), (by blocking, discarding or changing the destination of the communication).

The communication destination that is the object of blocking is a terminal that has transmitted malware and/or malicious content, etc. to a terminal of which the role has been estimated, in order for the terminal to perform that role, or an external server with which the terminal of which the role has been estimated communicates in order to perform that role. For example,

1. If a communication pattern in the infiltration phase P1 is detected, the connection destination from the terminal inside the organization may be a site which carries out processing that is a trigger for infection prepared by the attacker;
2. If a communication pattern in the execution file download phase P4 is detected, then the connection destination from the terminal inside the organization may be a device in which malware is stored;
3. If a communication pattern in the C&C server exploration phase P5 or C&C server communication phase P6 is detected, then the connection destination from the terminal inside the organization may be a device which issues a command to malware running on the terminal inside the organization; and
4. If a communication pattern in the exploited information upload phase P7 is detected, then the connection destination from the terminal inside the organization may be a device in which the malware stores the exploited information.

Therefore, thecommunication blocking unit22 blocks communications to these connection destinations.

According to the system disclosed in the present embodiment, in this way, by blocking communications to a device in question, including communications from devices that are not infected with malware, depending on the role relating to a communication that is determined to be malware activity, in accordance with a blocking policy that is defined previously for each role, the spread of damage can be prevented by blocking dangerous communications, and the behavior of the malware that has infiltrated can be subdued at an early stage.

Furthermore, thenetwork monitoring apparatus20 may inform an administrator of a communication destination relating to unauthorized activity identified by the process described above (for example, a malware download source, a C&C server which transmits a command to malware, an upload server which forwards espionage activity results, and so on).

In the embodiment described above, an example is given in which thenetwork monitoring apparatus20 operates in a passive mode of acquiring packets or frames, etc. which are sent and received by a node90, by being connected to a monitoring port (mirror port) of a switch or router, and thenetwork monitoring apparatus20 does not transfer the acquired packets (seeFIG. 1). However, the network configuration illustrated in the embodiment given above is one example of implementing the present disclosure, and other network configurations may be employed in implementing the disclosure.

For example, even in a case where thenetwork monitoring apparatus20 is not connected to the monitoring port (mirror port), and is simply connected to anetwork segment2, it is possible to acquire the packets and frames, etc. sent and received by the node90, by acquiring all of the frames flowing through thenetwork segment2, including those which are not directed to the MAC address of thenetwork monitoring apparatus20. In this case also, thenetwork monitoring apparatus20 operates in passive mode. Furthermore, for example, thenetwork monitoring apparatus20 may acquire passing packets and frames, etc., by being connected between the switch or router of thenetwork segment2 and another switch or router at a higher level (seeFIG. 25). In this case, thenetwork monitoring apparatus20 operates in an in-line mode for transferring those acquired packets which do not need to be blocked. Furthermore, thenetwork monitoring apparatus20 may also be incorporated into the router or switch.

In the present embodiment, a case is described in which packets flowing over a network are acquired and detection is performed in real time by the various detection engines described above, but the scope of the present disclosure is not limited to real-time detection. For example, it is also possible to accumulate data relating to communications flowing over a network, and to carry out processing by the various detection engines described above, on the accumulated data.