JP2002335246A - Network-based intrusion inspection method and apparatus, network-based intrusion inspection program, and recording medium therefor - Google Patents

Abstract

(57) [Summary] [Problem] An attack from the Internet without imposing a burden on a user to introduce a network device related to security such as a firewall or an IDS or to acquire knowledge for operating the introduced network device. Defend. SOLUTION: An inspection target data discriminating step for discriminating inspection target data on the basis of a user's designation on a network operator side, and attack data investigation for investigating whether or not the data designated as the inspection target is data to be attacked. Steps and
A network-based intrusion inspection method comprising a step of selecting only data that is not attacked from inspection results and data that is not specified as an inspection target and providing the user to a network operator.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method and an apparatus for protecting a device connected to a network from an attack from the network, and more particularly, to a method for controlling a network device connected to the Internet through router routing and IDS (intrusion detection system: The present invention relates to a method and an apparatus for preventing an attack related to a method of defending with an Intrusion Detection System or a firewall, and a recording medium recording a program.

[0002]

2. Description of the Related Art Attacks on systems connected to the Internet are generally classified into theft, denial of service, and intrusion. Data theft is not done by directly accessing the data owner's computer, but rather by eavesdropping while the data is being routed through the Internet. A denial-of-service attack is performed by blocking a computer that provides a service from a service user. The intrusion is performed by an attacker impersonating a target computer as a legitimate user.

[0003] Data theft can be prevented by encrypting the data itself with a high degree of encryption. However, various methods for protecting against denial of service and intrusion have been studied, and the most commonly used method is that of Firewall and IDS.

[0004] A firewall is a computer system or a router or the like which is arranged in the middle of the connection between the network to be protected and the Internet, and determines whether or not a packet can pass between the Internet and the network to be protected. Control is realized by the filtering function. The rules for passing packets are set in the firewall according to items such as the destination or source of a packet or a set of destination and source addresses, a protocol used in a specific application, a user or user group, and time.

The IDS is a device that has a database of traffic patterns defined for each type of attack and can prevent an attack while analyzing traffic in real time. The IDS is generally installed in a device such as a firewall at a connection point between the Internet and the network to be protected, such as a firewall, in order to monitor traffic sent from the Internet to the network to be protected. If the IDS detects traffic that appears to be an attack, it records the information and records packets from a firewall in which the IDS is installed or a firewall independent of the IDS that has been set in advance so that the IDS can change the settings. Prevent attacks by dynamically changing filtering settings.

[0006]

The firewall and the IDS can prevent an external attack from a connection point to the Internet. As the means of continuous connection to the Internet such as ADSL increase, S
Increasingly, private enterprises and individual users called OHO (Small Office Home Office) have their computers permanently connected to the Internet, and even if these personal computers are managed, they will always be connected to the Internet. In this regard, there is a possibility of being attacked as much as a large company network that has been protected by a firewall or IDS.

[0007] However, firewalls and IDS protection measures are introduced into computers and networks managed by individuals because of the high introduction cost for purchasing equipment and the high level of knowledge required for initial setting and operation. It is hard to be done. In fact, companies use firewalls and IDs
In most cases, a technician is assigned to operate S, but it is difficult for an individual user or the like to perform the same countermeasures.

An object of the present invention is to provide a firewall and an ID.
To provide a technology that can prevent attacks from the Internet without introducing a security-related network device such as S, and without imposing a burden on the user to acquire knowledge for operating the introduced network device. It is in.

The above and other objects and novel features of the present invention will become apparent from the description of the present specification and the accompanying drawings.

[0010]

The following is a brief description of an outline of a typical invention among the inventions disclosed in the present application.

According to a first aspect of the present invention, an inspection target data discriminating step for discriminating inspection target data based on a user's specification on the network operator side, and determining whether the data specified as the inspection target is attacking data. A network-based intrusion inspection having an attack data investigation step of investigating, and a selection data providing step of selecting only data that does not perform an attack and data not specified as an inspection target from the investigation result and providing the user with the data by a network operator Is the way.

According to a second invention, in the network-based intrusion inspection method according to the first invention, a network operated by a network operator is configured to transfer data designated by a user as an inspection target to an inspection system. And a routing step of designating a target to be inspected and a destination to which the data to be inspected are transferred to a router to be inspected.

According to a third aspect, in the network-based intrusion inspection method according to the first aspect, an attack for centrally managing an inspection for an attack on a plurality of users connected to a network operated by a network operator. It has an inspection central management step.

According to a fourth aspect of the present invention, an inspection target data discriminating means for discriminating inspection target data based on a user's specification on the network operator side, and determining whether the data specified as the inspection target is data to be attacked. Attack data investigating means for investigating, and selected data providing means for selecting only data that does not carry out an attack and data that is not designated as an inspection target from the examination result and providing the selected data to the user by the network operator. .

According to a fifth aspect, in the network-based intrusion inspection apparatus according to the fourth aspect, a network operated by a network operator is configured to transfer data designated by the user as an inspection target to the inspection system. A network-based intrusion inspection apparatus having a routing step of designating a target to be inspected and a destination to which data to be inspected is transferred to a router to be inspected.

According to a sixth aspect of the present invention, in the network-based intrusion inspection apparatus according to the fourth aspect of the present invention, an attack for intensively processing an attack inspection for a plurality of users connected to a network operated by a network operator. It is provided with inspection central management means.

[0017] A seventh invention is a program for causing a computer to function as a system for performing network-based intrusion inspection management, which is a service from a network operator to a user. The data to be inspected that distinguishes the data to be inspected, the attack data investigation unit that investigates whether the data specified as the inspection target is data that attacks, and the data that does not attack and the inspection target are not specified based on the result of the investigation This is a program that causes a computer to function as a data selection providing unit that provides only data obtained by a network operator to a user.

An eighth invention is a program for causing a computer to function as a system for performing network-based intrusion inspection management (processing), which is a service from a network operator to a user, and performs an inspection based on a user's designation. An inspection data discriminator that distinguishes the target data, an attack investigation unit that examines whether the data specified as the inspection target is the data that attacks, and the data that does not attack and the inspection target are specified based on the investigation result A data selection providing unit that selects only the data that has not been provided and is provided to the user by the network operator, and a network operated by the network operator to transfer the data specified by the user as the inspection target to the inspection system. Routing unit that specifies the inspection target and the destination to which the inspection target data is transferred to the router that configures Is a program that causes a computer to function with.

A ninth invention is a program for causing a computer to function as a system for performing network-based intrusion inspection management (processing), which is a service from a network operator to a user, and performs an inspection based on a user's designation. An inspection data discriminator that distinguishes the target data, an attack investigation unit that examines whether the data specified as the inspection target is the data that attacks, and the data that does not attack and the inspection target are specified based on the investigation result Centralized management of the selection data providing unit that the network operator provides to the user by selecting only the data that was not performed, and the inspection of attack data against multiple users connected to the network operated by the network operator This is a program that causes a computer to function as a central processing unit for (processing) an attack inspection.

According to a tenth aspect, there is provided a recording medium on which the program according to any one of the seventh to ninth aspects is recorded.

That is, in the present invention, it is assumed that network devices related to security such as a firewall and an IDS are installed not in a user's network but in a network of an Internet service provider (ISP). In other words, it is intended that the ISP implement security-related measures on behalf of the user, thereby relieving the user from purchasing and maintaining security-related network devices.

The ISP centrally manages the means for protecting the network of the connected user. That is, IS
For the router (edge router) connecting the P network and the other networks, the routing information reflecting the condition of the inspection target registered in advance by the user connected to the ISP is specified.

This routing information is such that data sent from a source designated by the user as an inspection target is transferred to the inspection system, and data sent from a source not designated by the user as an inspection target is sent to the user. By transferring,
Inspection for intrusion can be performed on the inspection target desired by the user. For this reason, the routing of all edge routers configuring the ISP network is centrally managed, and attacks on the network of the user connected to the ISP from other users connected to the ISP can be performed by the Internet or the like. Attacks from external networks can also be dropped by the ISP before reaching the user's network.

As a method for a user to specify an inspection target for an attack, data transmitted from a reliable network can be directly received by the user by distinguishing a network trusted by the user from other networks. Data sent from other networks are inspected so that the user can receive them after security is confirmed. As a result, the processing performed until the user receives data sent from the trusted network without receiving a check for intrusion detection is reduced, and the time required is reduced.

By designating a set of port numbers of packets that the user intends to receive as a security level, packets transmitted to an unspecified port number can be discarded.

Hereinafter, the present invention will be described in detail together with embodiments (examples) of the present invention with reference to the drawings.

[0027]

DESCRIPTION OF THE PREFERRED EMBODIMENTS FIG. 1 is a schematic diagram showing a network connection mode according to the present invention. As shown in FIG. 1, a user's networks 101, 102, and 103 are connected to an ISP's network 107 via routers 104, 105, and 106, respectively, and are inspected by applying the network-based intrusion inspection method and apparatus of the present invention. Server 108
Is also connected. The ISP's network 107
It is connected to the Internet 100 via the router 109. Further, the terminals 110 and 111 are terminals located somewhere on the Internet 100.

FIG. 2 shows an outline of a traffic flow realized by the present invention in the network as shown in FIG. The terminal 201 that receives data from the Internet 100 has identified that the terminal 202 is transmitting data from the reliable network 212 and the terminal 203 is transmitting data from the unreliable network 213.

The router 204 is a trusted network 2
When the data is received from the reliable terminal 202 belonging to the device 12, the data is directly transferred to the data receiving terminal 201. On the other hand, if the router 204 is an unknown network,
That is, when data from the unreliable network 213 is received, the data is transferred to the inspection server 205. The data transferred to the inspection server 205 is inspected, and if it is determined that the data is safe data as a result of the inspection, the data is transferred to the terminal 201, and if the data is determined to be not secure data as a result of the inspection, Discarded.

FIG. 3 shows another data flow in the network of FIG. FIG. 3 shows a case where the data receiving terminal 301 receives data from a terminal connected to the same ISP network 107, and the terminal 302 transmits data from the reliable network 312 and Has identified that data is being transmitted from the unreliable network 313.
When the router 304 receives data from the terminal 302, the received data is transferred to the terminal 301.

On the other hand, when the router 305 receives the data from the terminal 303, the router 305 converts the received data into the inspection server 306.
Transfer to When the data transferred to the inspection server 306 is inspected, and the inspection result indicates that the data is safe,
The data is transferred to the terminal 301, and is discarded if it is determined that the data is not secure as a result of the inspection.

FIG. 4 is a diagram showing a functional configuration of an inspection server implementing the present invention. Communication channel 401 is LAN
(Local Area Network) and other relay networks. Data divided into packets or data not divided is received by the network driver 402 via the communication channel 401.

The network driver 402 is composed of hardware or software, and hardware and software, receives data from the communication channel 401, and converts the data into a computer readable form. Also,
Upon receiving the data, the network driver 402 transfers the data to a data analysis unit 403 that analyzes the data in real time.

The data analysis unit 403 comprises a user policy execution unit 404 and an intrusion prevention unit 405. The user policy execution unit 404 is a user database 40 that stores security levels registered in advance by the user.
6 to determine whether to discard the data passed from the network driver.

The security level here can be expressed in three levels of “high, medium, low”, and the number and strictness of the items for checking whether to discard the received data for each level are determined. different. User policy execution unit 4
04 is not destroyed by the intrusion prevention unit 4
Delivered to 05. The intrusion prevention unit 405 refers to the intrusion pattern database 407 in which attack data is defined, and determines whether the data is secure. The subscriber management unit 408 manages the user database 406. When the data of the user registered in the user database 406 is changed, the routing management unit 409
Notifies the edge router (corresponding to the routers 104, 105, 106, and 109 in the case of the ISP network 107 of FIG. 1) of the change in the routing information.

FIG. 5 is a diagram for explaining a method of determining a destination to which the edge router forwards received data.
Each edge router has an access table 502, in which two types of information are described.
An address indicating a trusted network is written for each service subscriber of the network 107. The “subscriber” column indicates a subscriber who wants to check, and the “trusting source” column indicates a sender who receives data without checking.

FIG. 6 is a flowchart for explaining a processing example of a router (edge router) installed at the boundary between the ISP network managed by the inspection server to which the present invention is applied and another network.

In the following, data sent from the Internet or the network of a user using the ISP to the ISP network is referred to as data flowing into the ISP.

When the edge router receives data flowing into the ISP (s101), the edge router refers to the access table,
It is determined whether the data is transmitted to the subscriber of the inspection service (s102). If the data is not the data transmitted to the subscriber of the inspection service, the data is transferred to the receiver (s104). Conversely, if the data is being sent to a subscriber of the inspection service, the edge router checks whether the sender of the data is a trusted sender belonging to a trusted network (s1).
03).

If the sender of the data is a reliable sender, the data is transferred to the receiver. If the sender of the data is an unreliable sender, the data is transferred to a system for inspecting the data. It does (s105).

FIG. 7 is a flowchart for explaining a processing example of a system for performing data inspection by applying the present invention. Upon receiving data from the edge router (s201), the data inspection system searches the user database for a security level registered by the user in advance (s202), and the received data matches the security level searched from the user database. Is checked (s203). As a result of the check, if the user does not match the security level registered in advance, the data is discarded (s204). If the user matches the security level registered in advance by the user, the inspection system checks the IDS. The stored intrusion pattern is searched (s205), and the danger of the received data is analyzed.
If the data analysis result is determined to be data for intrusion (s206), the data is discarded (s204); otherwise, the data is transferred to the receiver (s207).

FIG. 8 shows data recording the operation of the inspection system to which the present invention is applied.
Is an example for each individual service subscriber. The illustrated recording data includes 10.10.10.1 respectively.
It was written that a terminal had the address "brute-force". However, in the record data (804) integrated by the inspection system, new information that cannot be understood by individual records is obtained. In the case of the example of FIG. 8, since it is known that the ISP attacks the inspection service subscriber in order, the ISP that has not been attacked
It is possible to give an alarm to the user connected to the server or take more effective measures.

As described above, the invention made by the present inventor is:
Although the present invention has been specifically described based on the above embodiments, the present invention is not limited to the above embodiments, and it is needless to say that various modifications can be made without departing from the gist of the present invention.

[0044]

The effects obtained by typical ones of the inventions disclosed in the present application will be briefly described as follows. According to the present invention, a user using a network can use a security solution provided by an ISP used when connecting to the Internet without installing a network device relating to security by himself / herself.

That is, the user does not purchase hardware or software to defend against attacks,
An attack via the network can be prevented without acquiring the knowledge of operating such hardware and software.

From the ISP's point of view, the present invention can be provided as an added value of the ISP's service.

DDoS consuming network bandwidth
When defending against an attack such as (Distributed Denial of Service), the present invention enables the ISP to not pass undesired traffic coming from the upstream side of the network topology, thereby Thus, it is possible to secure a band for a user to connect to an external network such as the Internet.

The attack inspection service is provided by a system that is centrally managed by a network operator such as an ISP at a single location. The range in which recorded records can be collected extends throughout the ISP. For this reason, new information that could not be obtained from individual records alone may be obtained.

[Brief description of the drawings]

FIG. 1 is a schematic diagram showing a schematic configuration of a network according to an embodiment of the present invention.

FIG. 2 is a schematic diagram for explaining an outline of a flow of traffic realized in the embodiment.

FIG. 3 is a schematic diagram for explaining an outline of another flow of traffic realized in the present embodiment.

FIG. 4 is a diagram illustrating a functional configuration of an inspection server according to the embodiment.

FIG. 5 is a flowchart illustrating a processing procedure of the edge router according to the embodiment;

FIG. 6 is a processing procedure of a system for inspecting data according to the embodiment;

FIG. 7 is a flowchart for explaining a processing example of a data inspection system according to the embodiment;

FIG. 8 shows data recording the operation of the inspection system of the present embodiment.

[Explanation of symbols]

100: Internet 101, 102, 103: User's network 104, 105, 106: Router 107: ISP
Network 108 ... inspection server 109 ... routers 110 and 111 ... terminals 201 and 20
2, 203: terminal 204: router 205: test server 212: reliable network 213: unreliable network 301: receiving terminals 302, 303
... terminals 304, 305 ... router 306 ... inspection server 312 ... reliable network 313 ... unreliable network 401 ... communication channel 402 ... network driver 403 ... data analysis unit 404 ... user policy execution unit 405 ... intrusion prevention unit 406 ... user database 407 ... Intrusion pattern database 408 ... Subscriber management unit 409 ... Routing management unit 501 ... Terminal 502 ... Access table

Continued on front page F-term (reference) 5B089 GA04 GB02 KA17 KB04 KB13 5K030 GA15 HB19 HC01 HC14 HD03 HD06

Claims (10)

[Claims] 1. An inspection target data discriminating step of distinguishing inspection target data based on a user's specification on a network operator side, and attack data for investigating whether or not the data specified as an inspection target is data to be attacked. Investigation steps;
A network-based intrusion inspection method, comprising a step of selecting only data that does not carry out an attack and data that is not specified as an inspection target from a result of the investigation and providing a selected data to a user by a network operator. 2. The network-based intrusion inspection method according to claim 1, wherein a router configuring a network operated by a network operator is inspected to transfer data designated by the user as an inspection target to the inspection system. A network-based intrusion inspection method, comprising a routing step for designating a target and a destination to which data to be inspected is transferred. 3. The network-based intrusion inspection method according to claim 1, wherein an attack inspection central management step for centrally managing an inspection for attacks on a plurality of users connected to a network operated by a network operator. A network-based intrusion inspection method, comprising: 4. A test data discriminating means for discriminating test data based on a user's specification on a network operator side, and attack data for investigating whether the data specified as a test target is data to be attacked. A network base comprising: an investigation unit; and a selection data providing unit that selects only data that does not perform an attack and data that is not specified as an inspection target from a result of the inspection and provides the user with the selected data. Intrusion inspection device. 5. The network-based intrusion inspection apparatus according to claim 4, wherein a router configuring a network operated by a network operator is inspected to transfer data designated by the user as an inspection target to the inspection system. A network-based intrusion inspection device, comprising: a routing step of designating a target and a destination to which data to be inspected is transferred. 6. The network-based intrusion inspection device according to claim 4, wherein centralized inspection management for centrally managing inspection of attack data for a plurality of users connected to a network operated by a network operator. A network-based intrusion inspection device characterized by comprising means. 7. A program for causing a computer to function as a system for performing network-based intrusion inspection management, which is a service from a network operator to a user, wherein the inspection distinguishes data to be inspected based on a user's designation. The target data discriminating unit, the attack data investigating unit that checks whether the data specified as the inspection target is the data that attacks, and the data that does not attack and the data that is not specified as the inspection target based on the inspection result A program for causing a computer to function as a selection data providing unit that is selectively provided to a user by a network operator. 8. A program for causing a computer to function as a system for performing network-based intrusion inspection management (processing), which is a service from a network operator to a user. Inspection data discriminating unit to be distinguished, Attack data investigating unit that investigates whether the data specified as the inspection target is attacking data, and data that does not attack and the inspection target were not specified from the inspection result A selection data providing unit that selects only data and provides the user to the network operator, and a network operator to transfer data specified by the user as an inspection target to the inspection system,
A program for causing a computer to function as a routing unit for designating a target to be inspected and a destination to which the data to be inspected is transferred to a router configuring an operating network. 9. A program for causing a computer to function as a system for performing network-based intrusion inspection management (processing) as a service from a network operator to a user. Inspection target data discriminating part to distinguish, attack investigation part which investigates whether the data specified as inspection target is attacking data, data that does not attack and data that is not specified as inspection target from the investigation result Intensively manages (processes) the selection data providing unit that the network operator provides to the user by selecting only and the attack data inspection for a plurality of users connected to the network operated by the network operator A program for causing a computer to function as an attack inspection central management unit. 10. A recording medium on which the program according to claim 7 is recorded.