WO2015114804A1 - Unauthorized-access detection method and detection system - Google Patents

Abstract

Existing techniques for detecting unauthorized network access by malware-infected computers or the like cannot generate effective URL regular expressions from small samples of malicious URLs. On the basis of feature quantities for past network accesses and malicious URLs obtained from malware analysis results, this invention expands the sample of malicious URLs by searching an access log for URLs similar to said malicious URLs and generates a URL regular expression. Said URL regular expression is added to detection rules to detect unauthorized access.

Description

Unauthorized access detection method and system

The present invention relates to technology for detecting unauthorized network access performed by malware-infected computers.

Malware that infects computers in the organization communicates with external servers prepared by attackers to download new malware and upload information obtained from computers. Communication related to these activities is generally called unauthorized access.

As a technique for detecting unauthorized access, a method using a URL blacklist is known. The URL blacklist is a list of URLs (called malignant URLs) used for accessing known malware. By registering the URL blacklist in a security device such as a firewall, IDS / IPS, or proxy server, it is possible to detect access to an external server specified by the URL included in the blacklist. When unauthorized access is detected, it is possible to prevent the damage from spreading by interrupting access. Such a technique is generally called web filtering.
However, the attacker intentionally changes the URL with which the malware communicates in order to escape detection by the blacklist. For example, a technique of incorporating a random number into a part of a URL is known. In addition, an attacker may reuse existing malware for attacks. Therefore, although the domains included in the URL are different, the path portions may be the same or similar. Such a changed URL cannot be detected by an exact match search with the black list. As a method for dealing with a changed URL, a technique for expressing a URL with a regular expression is known. Regular expressions are one method for expressing a set of character strings as a single character string. Patent Document 1 discloses a method for generating a URL regular expression from a plurality of URL samples that are candidates for regular expression generation based on frequency information of character strings.

US Patent Application Publication No. 2009/0265786

According to the above-mentioned Patent Document 1, it is possible to detect a changed malicious URL. However, since the method of Patent Document 1 generates a regular expression based on frequency information of character strings appearing in the sample, it requires a certain number of URL samples. When the number of samples is small, a URL regular expression effective for detection cannot be generated.

The present invention has been made in consideration of the above problems, and an object of the present invention is to generate a URL regular expression effective for detection and detect unauthorized access even when there are few URL samples from which a regular expression is based.

In order to solve the above-described problems, the present invention analyzes an unauthorized access detection method that generates a URL regular expression for detecting unauthorized access from a trace of malware access behavior obtained from a malware analysis result and updates a detection rule. That extract malware features from trace analysis of access behavior of new malware collected by a user or infected from the network, and access that is recorded by extracting access features from past access logs on the network Searching a similar URL satisfying a distance within a predetermined threshold from a feature amount storage unit using a malware feature amount as a query, and generating a URL regular expression from the connection destination URL of the malware feature amount and the searched similar URL And accessing the URL regular expression with the step Applying the pattern matching with the connection destination URL included in the group, calculating the matching rate, and setting the URL regular expression to a new detection rule when the matching rate satisfies a recommended value or less; A method for detecting unauthorized access is proposed.

Further, in order to solve the above-described problem, in the present invention, in the unauthorized access detection method, the step of searching the access feature amount storage unit for a similar URL satisfying a distance within a predetermined threshold using a malware feature amount as a query, When the distance function value defined between the feature amount other than the connection destination URL of the malware feature amount and the feature amount other than the connection destination URL of the corresponding access feature amount is smaller than a predetermined threshold, The distance function value of the difference between character strings defined between the first step of determining and the connection destination URL of the malware feature amount and the connection destination URL included in the similar access feature amount is smaller than a predetermined threshold value. In this case, it is characterized by comprising the second step of searching for a similar URL.

Further, in order to solve the above-mentioned problems, in the present invention, an unauthorized access detection system configured on a plurality of servers connected to a network connected to the Internet is used to virtually detect new malware that has infected or collected clients. A malware analysis function that generates a trace of malware access behavior by executing it in a test environment, a malware feature extraction function that extracts malware features from the trace of malware access behavior, and a client's past access log An access feature value extraction function that appropriately manages and extracts an access feature value from an access log and stores it in an access feature value storage unit, and a malware feature value as a query from the access feature value storage unit within a predetermined threshold A similar URL search function for searching for similar URLs that satisfy a distance; A URL regular expression is generated from the connection destination URL of the malware feature amount and the searched similar URL, and the URL regular expression is applied to pattern matching with the connection destination URL included in the access log, and the matching rate is calculated. When the match rate is less than or equal to the recommended value, a regular expression generation function for adding the URL regular expression to a new detection rule, and a detection rule updated by adding the URL regular expression are updated as URLs to be accessed. And a malicious URL detection function for judging whether or not unauthorized access is made.

According to the present invention, an effective URL regular expression can be generated and unauthorized access can be detected even if there are a small number of unauthorized URL samples.

It is the figure which showed the example of the system configuration | structure of the unauthorized access detection system of this embodiment. It is the figure explaining the relationship of the function which a malware analysis server, a detection rule setting server, a log management server, and a proxy server have. It is the figure which showed the example of the malware feature-value. It is the figure which showed the example of the access feature-value. It is the figure which showed the example of detection rule management information. It is the figure which showed the example of the processing flow of the malware feature-value extraction function. It is the figure which showed the example of the processing flow of a URL regular expression production | generation function. It is the figure which showed the example of the processing flow of a similar URL search function.

Hereinafter, modes for carrying out the present invention (hereinafter referred to as “embodiments”) will be described with reference to the drawings as appropriate.

FIG. 1 is a diagram illustrating an example of a system configuration of an unauthorized access detection system 100 according to the present embodiment. As shown in FIG. 1, this system includes a proxy server 121, a log management server 122, a malware analysis server 123, and a detection rule setting server 124, and each device is configured to be connected to each other via a network 101.

The unauthorized access detection system 100 is connected together with a plurality of clients 125 to a local area network 120 installed in a certain organization. The local area network 120 is connected to the Internet 110 via the firewall 130 and the network 101.

The attacker server 111 on the Internet 110 is a server used by an attacker who attacks the organization connected to the network. When the attacker succeeds in infiltrating the malware into the organization, the attacker uses the attacker server 111 to communicate with the malware infected with the client 125 of the organization. As a result, new malware is transmitted and files acquired from within the organization are received. A plurality of attacker servers 111 are installed on the Internet 110.

The firewall 130 has a function of discarding (blocking) or permitting (passing) a packet that meets a specific condition from among packets traveling between the local area network 120 and the Internet 110. In particular, by discarding packets that do not pass through the proxy server 121, all accesses from the local area network 120 to the Internet 110 can be performed through the proxy server 121.

The proxy server 121 relays packet exchange between the client 125 and a server on the Internet. By registering a malicious URL in the proxy server 121, unauthorized access can be detected. When unauthorized access is detected, communication with the attacker can be blocked by canceling access. In addition, the proxy server 121 has a function of recording all the history of accesses performed by the client 125. This record is called an access log. Details of the processing of the proxy server 121 will be described with reference to FIG.

The log management server 122 has a function of storing an access log output by the proxy server 121 and searching for a URL used for generating a regular expression URL. Details of the processing of the log management server 122 will be described with reference to FIG.

The malware analysis server 123 has a function of executing malware in a virtual environment and recording network access behavior. In FIG. 1, the malware analysis server 123 is connected to the local area network, but may be connected to the Internet 110. Details of the processing of the malware analysis server 123 will be described with reference to FIG.

The detection rule setting server 124 uses the feature amount extracted from the data recorded by the malware analysis server 123 to record the network access behavior of the malware, and the URL regular expression using the feature amount extracted from the access log of the log management server 122. The function to generate. Furthermore, a function of setting the generated URL regular expression as a detection rule in the proxy server 121 is provided.

The client 125 has a function of accessing the Internet 110 via the network 101. The client 125 may be infected with malware by executing an executable file attached to the forged mail. The client 125 infected with malware communicates with an attacker without being noticed by a legitimate user.

The hardware configuration of each of these devices connected to the network includes at least a main storage device such as a CPU (Central Processing Unit), an auxiliary storage device such as a hard disk drive, a ROM (Read Only Memory), a RAM (Random Access Memory), An input device such as a keyboard and a mouse, an I (Input) / O (Output) interface connected to an output device such as a display, a network interface for connecting to the local area network 120 and the Internet 110 are provided.

Referring to FIG. 2, an outline of the malware analysis server 123, the detection rule setting server 124, the log management server 122, the proxy server 121, and processing performed by each server in cooperation with each other will be described.

The malware analysis server 123 includes a malware analysis function 231. The malware analysis function 231 executes malware on the malware analysis server 123 in a virtual test environment, and records file generation, registry change, access behavior via the network, and the like performed by the malware. In particular, the present invention uses a record of access via a network. In the access record, accesses made by malware are recorded in chronological order. Each access record includes the access time and the transmitted packet. By analyzing the packet, information such as a connection destination URL, a connection destination IP address, a connection destination port, a transmission source port, a protocol, and a User-Agent can be acquired. Such a malware analysis function 231 can be realized by a technique generally called dynamic analysis. In the present embodiment, the existing dynamic analysis technology is installed in the malware analysis server 123, the malware is executed by a debugger or an emulator, and a trace of the malware control flow is recorded.

There are two main methods for preparing malware in the malware analysis server 123. One is a method of manually copying (malware specimen) malware found on a computer (client 125) different from the malware analysis server 123 to the malware analysis server 123. The other is a method in which the malware analysis server 123 is installed in a place where an attacker can easily aim (for example, installed on the network 101 outside the firewall 130 where access is easy from the outside), and infecting with malware. . This method is generally called a honeypot.

The detection rule setting server 124 includes a malware feature amount 300 extraction function 241, a regular expression generation function 242, a detection rule management information storage unit 243, a detection rule setting function 244, and the like.
The malware feature quantity 300 extraction function 241 extracts information used for generating a URL regular expression from the analysis result of the malware output by the malware analysis function 231 (the time series of accesses made by the malware). Details of the malware feature 300 will be described with reference to FIG. 3, and details of the processing will be described with reference to FIG.

The regular expression generation function 242 makes an inquiry to the log management server 122 based on the information output by the malware feature quantity 300 extraction function 241 and acquires a set of similar URLs for generating a URL regular expression. A regular expression candidate is generated from the acquired set of similar URLs, and a URL regular expression 502 is generated using the access log 221. The generated URL regular expression 502 is stored in the detection rule management information storage unit 243. Details of the processing of the regular expression generation function 242 will be described with reference to FIG.

The detection rule management information storage unit 243 includes a URL regular expression generated by the regular expression generation function 242 and information on a device to which the URL regular expression is applied. Details will be described with reference to FIG.
The detection rule setting function 244 has a function of setting the URL regular expression generated by the regular expression generation function 242 in the proxy server 121.

The log management server 122 includes an access log storage unit 221, an access feature amount extraction function 222, an access feature amount storage unit 223, a similar URL search function 224, and the like.
The access log storage unit 221 includes a record of the access log 213 output from the proxy server 121 over, for example, one year or more. The access log storage unit 221 includes the date and time when the client 125 accessed, the IP address of the client 125 that accessed, the connection destination URL that accessed, the User-Agent used for the access, the referer, the size of the transmitted packet, Includes the size of the received packet. Generally, a plurality of proxy servers 121 are installed for reasons such as load distribution. For this reason, the output access log is also divided into a plurality of files. The log management server 122 merges and stores these divided logs.

The access feature amount extraction function 222 analyzes the access log 221 and calculates an access feature amount 223 for a series of accesses. Since it takes time to calculate an access feature amount from a large amount of access log data when necessary, the access feature amount 223 is appropriately calculated when the access log 221 is recorded.
The access feature amount storage unit 223 includes information necessary for searching for similar URLs. Details will be described with reference to FIG.
The similar URL search function 224 searches for a set of similar URLs necessary for the regular expression generation function 242 to generate a regular expression. Details of the processing will be described with reference to FIG.

The proxy server 121 includes a malicious URL detection function 211 and a detection rule storage unit 212.
The malicious URL detection function 211 compares whether or not the URL to be accessed by the client 125 matches a URL regular expression set in advance. If the URL matches, the malicious URL detection function 211 determines that the access is unauthorized and stops the access. Do.
The detection rule 212 includes a rule for the proxy server 121 to determine whether to permit or block access to the client 125. A URL regular expression is one of the detection rules, but also includes a detection rule 212 based on a packet size, a protocol type, and the like. For example, if the URL of the other party on the Internet that the client 125 tries to access matches the URL regular expression and the packet size is 1 MB or more, a complex rule such as stopping access can be set.

Referring to FIG. 3, malware feature quantity 300 extracted from the malware analysis result (time series of accesses made by malware) output by malware analysis function 231 by malware feature quantity extraction function 241 of detection rule setting server 124. An example will be described. The malware feature amount 300 includes a malware ID 301, a connection destination URL list 302, an average packet size 303, an access time interval 304, a User-Agent 305, a Post count 306, and the like.

The malware ID 301 is an identifier for uniquely identifying malware. For example, a hash value such as MD5 is used as the malware ID 301. The connection destination URL list 302 is a list of URLs accessed by malware analyzed by the malware analysis function 231. These are determined to be malicious URLs. The average packet size 303 is an average size of packets transmitted by malware in a series of malware accesses. The access time interval 304 is an amount representing a time pattern of access of a series of malware. For example, the average time of access intervals can be used. It may be possible to extract the periodicity of the access time as an amount representing a more advanced time pattern. User-Agent is an identifier for specifying the program that has accessed. The number of POSTs 306 is the number of times POST is performed by a series of malware accesses. These malware feature amounts are features that characterize the behavior of malware, and an access having a feature amount similar to the malware feature amount is likely to be an access by malware.

With reference to FIG. 4, an example of the access feature quantity 223 extracted from the access log 221 by the access feature quantity extraction function 222 of the log management server 122 will be described. The access feature amount 223 includes a session ID 401, an event ID list 402, a connection destination URL list 403, an average packet size 404, an access time interval 405, a User-Agent 406, a Post count 407, and the like.

The session ID 401 is an identifier for specifying an access having a series of connections made by the client 125. The event ID list 402 is an identifier for specifying a list of events belonging to the session identified by the session ID. Here, the event refers to one access included in the access log storage unit 221. The connection destination URL list 403 is a list in which URLs accessed by the client 125 during a session are recorded. The average packet size 404 is an average size of packets transmitted by the client 125 during the session. The access time interval 405 is an amount representing a time pattern of access of a series of malware. An amount similar to the access time of the malware feature amount 300 can be used. User-Agent 406 is an identifier for identifying the program that has accessed. The POST count 407 is the number of POST accesses transmitted by the client 125 during the session.

The following explains how to decide a session. First, each event included in the access log storage unit 221 is classified for each client 125. The client 125 is specified by the source IP included in the event and user authentication information. Next, the events classified by the client 125 are classified into sessions. When the difference in the access time interval exceeds a predetermined threshold (for example, 30 minutes), it is determined as another session. Furthermore, an event with a different User-Agent is determined as another session. Thereby, the access log 125 is decomposed into a plurality of sessions.

An example of the detection rule management information 243 created by the regular expression generation function 242 will be described with reference to FIG. The detection rule management information storage unit 243 includes a rule ID 501, a URL regular expression 502, a target device ID 503, a countermeasure 504, a setting date 505, and the like.
The rule ID 501 is an identifier for uniquely specifying the detection rule 243. The URL regular expression 502 represents the connection destination URL for the proxy server 121 to determine the URL to be accessed by the client 125 as unauthorized access in regular expression. The target device ID 503 is information for identifying a device to which the detection rule is applied. For example, the IP address of the proxy server 121 can be used. The countermeasure 504 is the content of control performed by the malicious URL detection function 211 of the target device (proxy server) when the connection destination URL of the client 125 matches the URL regular expression. For example, it can be used as a countermeasure such as blocking communication or notifying the administrator. The setting date represents the date and time when the detection rule is set. By using the set date, it is possible to operate such as deleting a rule that has passed for a certain period after setting.

With reference to the flowchart of FIG. 6, an example of the flow of processing of the malware feature amount extraction function 241 of the detection rule setting server 124 will be described.
In step S601, the malware feature amount extraction function 241 reads the malware analysis result (the time series of accesses made by the malware) output by the malware analysis function 231. When analyzing multiple malware, there are multiple malware analysis results.

In step S602, the malware feature quantity extraction function 241 extracts the malware feature quantity 300 shown in FIG. 3 from the malware analysis result output by the malware analysis function 231. As described above, the malware analysis result includes an OS API call and a network access log. The malware feature 300 is used for searching the access log output by the proxy server 121. For this reason, information such as an API call of the OS that is not included in the access log is excluded and a log related to network access is selected. Thereafter, the selected log is analyzed, and information included in FIG. 3 is extracted.

In step S603, the malware feature amount extraction function 241 excludes the duplicate malware feature amount 300. When the malware analysis function 231 analyzes a plurality of malware, a plurality of malware feature quantities 300 are extracted in step S602. Among them, although the malware hash values (malware ID 301) are different, there is a possibility that the same malware exists in the other malware feature amount 300. In that case, only one malware feature 300 is selected.
In step S604, the malware feature amount extraction function 241 transmits the malware feature amount 300 from which duplication is excluded in step S603 to the regular expression generation function 242.

An example of the processing flow of the regular expression generation function 242 will be described with reference to the flowchart of FIG.
In step S <b> 701, the regular expression generation function 242 acquires the malware feature quantity 300 output by the malware feature quantity extraction function 241. When a plurality of malwares are analyzed, a plurality of malware feature quantities 300 are acquired.

In step S <b> 702, the regular expression generation function 242 transmits the malware feature quantity 300 acquired in step S <b> 701 to the similar URL search function 224 of the log management server 122. The similar URL search function 224 that has received the malware feature quantity 300 searches the access feature quantity storage unit 223 for a similar URL using the malware feature quantity 300 as a query. As a result of the search, the corresponding similar URL is transmitted to the regular expression generation function 242. Details of the similar URL search function 224 will be described with reference to FIG.
In step S <b> 703, the regular expression generation function 242 receives the similar URL transmitted by the similar URL search function 224.

In step S704, the regular expression generation function 242 generates a URL regular expression from a set of similar URLs. As a method for generating a regular expression from a plurality of character strings, the method described in Patent Document 1 is adopted.
By using the above method, a regular expression can be generated from a set of similar URLs. However, a regular expression that expresses a plurality of general character strings including the above method is not uniquely determined. For example, http://www.sample.com/path[a-zA-Z]{5,10}.exe and http://www.sample.com/[a-zA-Z]*.exe Comparing two regular expressions, all URLs expressed in the former can be expressed in the latter. In that sense, the latter is a regular expression with coarse grain. If a regular expression with a coarse granularity is stored in the detection rule storage unit 212 of the proxy server 121 and a URL that the client 125 attempts to access is detected, the probability of erroneous recognition as a malicious URL increases. Therefore, it is desirable that the regular expression has a finer granularity.
In step S <b> 705, the regular expression generation function 242 uses the access log 221 to check the regular expression granularity. First, the URL regular expression generated in step S704 is applied to pattern matching with the URL of the access log 221 other than the similar URL received in step S703, and the matching rate is calculated. Here, a recommended value (for example, 3%) of the matching rate is determined in advance. If the calculated match rate is larger than the recommended value, the regular expression granularity is too rough, and the corresponding regular expression generated in step S704 is discarded.

In step S706, the regular expression generation function 242 detects only the URL regular expression whose matching rate with the URL of the access log 221 is equal to or less than the recommended value among the URL regular expressions whose granularity is confirmed in step S705. Save to 243. Here, the target device ID, countermeasure, set date, etc. are added to the URL regular expression. For the target device ID and the countermeasure, a predetermined value may be registered, or an administrator who has confirmed the regular expression generation result may manually register the value.

An example of the processing flow of the similar URL search function 224 of the log management server 122 will be described with reference to the flowchart of FIG.
In step S801, the similar URL search function 224 receives the malware feature quantity 300 transmitted by the regular expression generation function 242.

In step S <b> 802, the similar URL search function 224 searches the access feature amount stored in the access feature amount storage unit 223 using a feature amount other than the connection destination URL of the malware feature amount 300 as a search key, When the function is smaller than a preset threshold, it is assumed that the malware feature quantity 300 and the access feature quantity 223 are similar, and a set of similar access feature quantities is acquired.
The distance function d (Cm, Ca) (Equation 1) defined between the malware feature quantity Cm and the access feature quantity Ca is a weighting factor wf for each feature quantity in the absolute value of the corresponding feature quantity difference other than the connection destination URL. And use their linear sum as the distance. At this time, a non-numerical feature quantity such as User-Agent uses a discrete distance of 0 if the values match and 1 if the values do not match.
(Equation 1) d (Cm, Ca) = wf1 · | cm_pk−ca_pk | + wf2 · | cm_atime−ca_atime |
+ Wf3 · f (cm_ua, ca_ua) + wf4 · | cm_pfreq−ca_pfreq | +
Here, cm_pk, cm_atime, cm_ua, cm_pfreq: malware feature (average packet size, access time interval, User-Agent, Post count), ca_pk, ca_atime, ca_ua, ca_pfreq: access feature (average packet size, access time interval) , User-Agent, Post count), wf1, wf2, wf3, wf4: weighting factor for each feature quantity, f (cm_ua, ca_ua): distance function of feature quantity (User-Agent) = 0 (cm_ua = ca_ua) or 1 (cm_ua ≠ ca_ua).
As a result of the search, a set of corresponding access feature values (sessions) is acquired.

In step S803, the similar URL search function 224 acquires a connection destination URL included in the similar access feature amount (session) acquired in step S802.
In step S804, the similar URL search function 224 acquires a connection destination URL similar to the connection destination URL included in the malware feature amount acquired in step S801 from the connection destination URLs acquired in step S803. Specifically, a distance function is defined for the connection destination URL included in the malware feature quantity and the connection destination URL included in the similar access feature quantity (session), and a pair whose distance is smaller than a preset threshold is similar. It is considered. As the distance function, “edit distance (also called Levenshtein distance)” that makes a character string close can be used.
The edit distance (Levenstein distance) is a numerical value indicating how different two character strings are. Specifically, it is given as the minimum number of steps required to transform one character string into another character string by inserting, deleting, or replacing characters.
In step S805, the similar URL search function 224 transmits the similar URL searched in step S804 to the regular expression generation function 242.

As described above, the unauthorized access detection system 100 according to the present embodiment, as shown in FIG. 2, allows the user to insert a malware copy (malware sample) into the malware analysis server 123, or the malware analysis server 123 is connected to the network. When it is determined that the computer is infected with malware via 101, a process for creating a new URL regular expression detection rule is started.
The malware analysis server 123 analyzes the access behavior of the input or infected malware, and accumulates access records. The detection rule setting server 124 extracts the malware feature amount from the malware analysis result (the time series of the access performed by the malware), and the past access of the client 125 on the local area network managed by the log management server 122. Instruct to search similar access feature quantity from log. The log management server 122 appropriately extracts and stores the access feature amount from the past access log, and the access feature amount similar to the connection destination URL included in the malware feature amount from the access feature amount similar to the malware feature amount. The included connection destination URL is extracted and reported to the detection rule setting server 124 as a similar URL. The detection rule setting server 124 creates a new URL regular expression based on the connection destination URL and the similar URL included in the malware feature, and determines whether or not the new URL regular expression is appropriate as the detection rule. Judgment is made by calculating the matching rate with the URL included in the access log. When it is determined that the calculated matching rate is equal to or less than the recommended value, a new URL regular expression is stored in the detection rule management information storage unit 243, and the URL regular expression is set in the detection rule storage unit 212 of the proxy server 121. , Used for the subsequent malicious URL detection function.

In the present embodiment, the unauthorized access detection system 100 is divided into a proxy server 121, a log management server 122, a malware analysis server 123, and a detection rule setting server 124. However, an example in which any one of these servers is configured on the same server is also conceivable. Further, for example, an example in which the proxy server 121 or the like is configured by distributed processing of a plurality of servers can be considered. An example in which all servers are configured on the same server is also conceivable.

100: Unauthorized access detection system 101: Network 110: Internet 111: Attacker server 120: Local area network 121: Proxy server 122: Log management server 123: Malware analysis server 124: Detection rule setting server , 125: client, 130: firewall, 211: malicious URL detection function, 212: detection rule, 213: access log, 221: access log, 222: access feature amount extraction function, 233: access feature amount, 224: similar URL search Function, 231: malware analysis function, 241: malware feature extraction function, 242: regular expression generation function, 243: detection rule management information, 244: detection rule setting function, 300: malware feature

Claims (6)

A method for detecting unauthorized access by generating a URL regular expression for detecting unauthorized access from a trace of malware access behavior obtained from a malware analysis result, and updating a detection rule,
Extracting malware features from trace analysis of access behavior of new malware collected by analysts or infected from the network;
Extracting an access feature amount from the access log on the past network as needed, and searching the recorded access feature amount storage unit for a similar URL satisfying a distance within a predetermined threshold using the malware feature amount as a query;
Generating a URL regular expression from the connection destination URL of the malware feature quantity and the searched similar URL;
The URL regular expression is applied to pattern matching with a connection destination URL included in the access log, and the matching rate is calculated. When the matching rate satisfies a recommended value or less, the URL regular expression is updated to a new one. The steps to set in the detection rule;
A method for detecting unauthorized access, comprising: The step of searching for a similar URL satisfying a distance within a predetermined threshold from the access feature amount storage unit using a malware feature amount as a query,
When the distance function value defined between the feature amount other than the connection destination URL of the malware feature amount and the feature amount other than the connection destination URL of the corresponding access feature amount is smaller than a predetermined threshold, A first step of determining;
When the distance function value of the difference between the character strings defined between the connection destination URL of the malware feature amount and the connection destination URL included in the similar access feature amount is smaller than a predetermined threshold, it is determined as a similar URL. The unauthorized access detection method according to claim 1, further comprising: a second step of performing a search. The said malware feature-value and the said access feature-value have the feature-value data item of a connection destination URL, an average packet size, an access time interval, User-Agent, and the frequency | count of Post at least. Unauthorized access detection method. An unauthorized access detection system configured on a plurality of servers connected to a network connected to the Internet,
A malware analysis function that generates new traces of malware access behavior by running new malware infected or collected in a virtual test environment;
Malware feature amount extraction function for extracting malware feature amount from the trace of malware access behavior;
An access feature amount extraction function for storing and managing a client's past access log, appropriately extracting an access feature amount from the access log, and storing it in an access feature amount storage unit;
A similar URL search function for searching for similar URLs satisfying a distance within a predetermined threshold from the access feature value storage unit using a malware feature value as a query;
A URL regular expression is generated from the connection destination URL of the malware feature amount and the searched similar URL, and the URL regular expression is applied to pattern matching with the connection destination URL included in the access log, and the matching rate is calculated. A regular expression generation function for calculating and adding the URL regular expression to a new detection rule when the matching rate satisfies a recommended value or less;
Applying the detection rule updated by adding the URL regular expression to the URL to be accessed to determine whether or not it is unauthorized access;
An unauthorized access detection system comprising: The similar URL search function is a distance function value defined between the feature quantity other than the connection destination URL of the malware feature quantity and the feature quantity other than the connection destination URL of the corresponding access feature quantity from the access feature quantity storage unit. If the value is smaller than a predetermined threshold value, it is determined as a similar access feature amount and searched.
When the distance function value of the difference between the character strings defined between the connection destination URL of the malware feature amount and the connection destination URL included in the similar access feature amount is smaller than a predetermined threshold, it is determined as a similar URL. The unauthorized access detection system according to claim 4, wherein search is performed. 6. The malware feature amount and the access feature amount include feature amount data items of at least a connection destination URL, an average packet size, an access time interval, a User-Agent, and a Post count. Unauthorized access detection system.

Images