JP2010182020A - Illegality detector and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an illegality detector and a program that can detect Bot and know the classification of Bot. <P>SOLUTION: A normal profile storage section 16 stores first identification information for identifying a file or a folder operated in a first process generated in a terminal infected with known Bot, and Bot classification information that shows the classification of Bot. A log generating module 12 monitors the behavior of a second process generated in a terminal to be monitored, and generates second identification information for identifying a file or a folder operated in the second process. A log analysis module 17 compares the first identification information with the second identification information, and acquires Bot classification information corresponding to the first identification information, from the normal profile storage section 16 when both coincide with each other. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a fraud detection device that detects fraud by a bot. The present invention also relates to a program for causing a computer to function as the fraud detection apparatus.

  In recent years, damage caused by viruses called bots that cause a computer infected with a virus to perform malicious operations has been increasing. The bot is composed of malicious code having a function of establishing a communication session with an external command server and downloading a new code, a function of receiving a command for an attack, and a function of attacking according to the command.

  However, an increasing number of bots cannot be detected by pattern-matching anti-virus software. Therefore, as a method to detect bots, a detection method focusing on the act of reading its own code (Read) when the bot infects multiple files on the PC and the act of deleting the code to destroy evidence (Delete) Has been proposed (see Non-Patent Document 1, for example).

Takahiro Sakai, Takumi Hase, Keisuke Takemori, Masakatsu Nishigaki, “A Study on the Potential of Bot Detection by Detecting Self-File READ / DELETE”, Malware Countermeasure Research Human Resource Development Workshop 2008 (MWS2008), Session M6-2, 2008 October

  Bots are classified into information leakage types that access user files, Trojan horse types that access existing EXE files (executable files), and spam mail types that access destinations used for spam mail and files that store text. The Although the bot can be detected by the above method, the type of the bot cannot be grasped.

  The present invention has been made in view of the above-described problems, and an object thereof is to provide a fraud detection device and a program capable of detecting a bot and knowing the type of the bot.

  The present invention has been made in order to solve the above-described problem, and identifies a file or folder generated by a terminal infected with a known bot and operated by the first process by the bot. The storage means for storing the identification information of 1 and the bot type information indicating the type of the bot, and the behavior of the second process generated by the monitored terminal are monitored, and the second process performs the operation. Information generating means for generating second identification information for identifying a file or folder, and comparing the first identification information with the second identification information, and if both match, the first identification information And an information acquisition unit that acquires from the storage unit the bot type information corresponding to the bot type information.

  The present invention also provides first identification information for identifying a file or a folder generated by a terminal infected with a known bot and operated by the first process by the bot, and the type of the bot. The storage means for storing the bot type information to be displayed, the behavior of the parent process generated by the monitored terminal, and the behavior of the child process started by the parent process are monitored, and the parent process performs an operation. Information generating means for generating second identification information for identifying the file or folder, and third identification information for identifying the file or folder on which the child process has operated; the first identification information; Two identification information and the first identification information and the third identification information are compared. When the first identification information and the second identification information match, the first identification information When the different information and the third identification information match, or when the first identification information and the second identification information match and the first identification information and the third identification information match An fraud detection device comprising: information acquisition means for acquiring the bot type information corresponding to the first identification information from the storage means.

  The present invention also includes first identification information for identifying a file or folder generated by a terminal infected with a known bot and operated by the first process by the bot. Storage means for storing first procedure information indicating a procedure when a process performs an operation on a file or a folder, bot type information indicating the type of the bot, and second information generated by a terminal to be monitored First information generating means for monitoring the behavior of the process and generating information including second identification information for identifying the file or folder operated by the second process and time information; and the first information Based on the information generated by the generating means, a second procedure information including the second identification information and indicating a procedure when the second process performs an operation on the file or folder is generated. The information generation means of the first and the first procedure information and the second procedure information are compared, and if they match, the bot type information corresponding to the first procedure information is acquired from the storage means And a fraud detection device characterized by comprising information acquisition means.

  The present invention also provides first identification information for identifying a file or folder generated by a terminal infected with a known bot and operated by a first parent process by the bot; Second identification information for identifying a file or folder operated by a first child process by the bot, which is started by a parent process, and the first parent process and the first child process are files. Alternatively, storage means for storing first procedure information indicating a procedure when an operation is performed on a folder and bot type information indicating the type of the bot, and a second parent process generated by the terminal to be monitored A third one for monitoring a behavior and a behavior of a second child process started by the second parent process, and identifying a file or folder operated by the second parent process; First information generation means for generating information including identification information and time information; and fourth identification information for identifying a file or folder operated by the second child process and information including time information; Based on the information generated by the first information generating means, the second parent process and the second child process operate on the file or folder including the third identification information and the fourth identification information. The second information generating means for generating the second procedure information indicating the procedure when the first procedure information is performed, the first procedure information and the second procedure information are compared, and if both match, An fraud detection apparatus comprising: information acquisition means for acquiring the bot type information corresponding to one procedure information from the storage means.

  In the fraud detection apparatus of the present invention, the second process is a process generated when a user is not operating the terminal to be monitored.

  In the fraud detection apparatus according to the present invention, the parent process and the child process are processes generated when a user is not operating the terminal to be monitored.

  In the fraud detection apparatus according to the present invention, the second parent process and the second child process are processes generated when a user does not operate the terminal to be monitored. .

  Moreover, this invention is a program for functioning a computer as said fraud detection apparatus.

  According to the present invention, when the same operation as a file or folder operation by a process generated by a normal terminal infected with a bot is detected, the type of the bot that is the source of the operation is determined from the bot type information. Since it becomes possible to identify, it is possible to detect the bot and know the type of the bot.

It is a block diagram which shows the structure of the fraud detection apparatus by one Embodiment of this invention. It is a reference figure which shows the information contained in the log in one Embodiment of this invention. It is a reference figure which shows the information contained in the log in one Embodiment of this invention. It is a reference diagram showing an image of processing in one embodiment of the present invention. It is a reference diagram showing an image of processing in one embodiment of the present invention. It is a reference figure which shows the procedure of the file operation in one Embodiment of this invention. It is a reference figure which shows the procedure of the file operation in one Embodiment of this invention. It is a reference figure which shows the procedure of the file operation in one Embodiment of this invention. It is a reference figure which shows the procedure of the file operation in one Embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 shows the configuration of the fraud detection device according to the present embodiment. The fraud detection apparatus easily extracts details of an operation that may be fraudulent by associating an operation that changes the state of a file or folder with a process that executes the operation. In order to achieve this, there is provided a mechanism for hooking system call processing, generating a log relating to file operation (file change / deletion), and analyzing the log.

  A log generation module 12 is provided in the kernel portion of the OS 11 that operates on the terminal to be monitored. The log generation module 12 is a system call issued to the OS 11 when the processes 10a, 10b, and 10c as various application processes access the hardware 13 such as the storage device 13a, the input device 13b, and the output device 13c. Generate a log by hooking the process.

  Linux (registered trademark) is implemented with Linux (registered trademark) Security Module (LSM), which is a framework for extending security functions in the kernel. In LSM, when a file or process is operated, a monitoring point is provided to call a security verification mechanism defined by the user to verify authority and generate a log. The hook for system call processing of this log analysis system is implemented as a security verification mechanism at the monitoring point of LSM.

  The log generated by the log generation module 12 is stored and stored in the log storage unit 14. The operation detection module 15 detects that the user has operated the input device 13b such as a mouse or a keyboard, and generates a log including the operation time (hereinafter referred to as an operation log). The operation log generated by the operation detection module 15 is stored and stored in the log storage unit 14.

  The unauthorized profile storage unit 16 stores an unauthorized profile including information on unauthorized operations on a file or folder acquired by a terminal infected with a bot. The fraudulent profile is generated based on the result of monitoring the behavior of the process (process by the bot) of the terminal infected with the bot. The method for monitoring the behavior of the process is the same as the method for the log generation module 12 monitoring the behavior of the process. The log analysis module 17 analyzes the log stored in the log storage unit 14 and determines whether there is fraud.

  Next, details of the log generated by the log generation module 12 will be described. The LSM has monitoring points for about 160 processes such as file processing, program execution processing, and communication processing. In the present embodiment, the log generation module 12 generates a log using monitoring points related to file operations. In the present embodiment, “file_permission”, which is a monitoring point for monitoring reading and writing of files, and “inode_delete”, which is a monitoring point for monitoring file deletion, generate logs.

  2 and 3 show information included in the log generated by the log generation module 12. Information contained in this log is roughly divided into header information and monitoring point specific information. The header information is information recorded in common in the log corresponding to each monitoring point. FIG. 2 shows the contents of the header information. Specifically, the time 200 when the log was recorded, the name 202 of the monitoring point, the ID 204 (pid) of the process that performed the processing, the user ID 206 (uid), the group ID 208 (gid), the ID 210 (parent) of the parent process, The name 212 (parent cmd) of the parent process and the name 214 (cmd) of the process that performed the processing are recorded.

  The monitoring point specific information is information recorded for each monitoring point according to the argument information passed to the hook process. FIG. 3 shows the contents of the monitoring point specific information recorded by “file_permission” for monitoring the reading and writing of the file. Information 300 (inode_num) is a unique identifier assigned to the file. Information 302 (fowner) is a unique identifier indicating the owner of the file. Information 304 (fgrp) is a unique identifier indicating the group to which the file belongs. Information 306 (mode) identifies reading / writing of a file. The value of the information 306 is a value specific to the OS. By reading this value, it is possible to grasp the operation content (read / write). Information 308 (path) is information including the name of the file to be operated and the name of the folder in which the file exists. In the example shown in FIG. 3, “/ home / example /” is the name of the folder, and “path.txt” is the name of the file.

  Hereinafter, information including one header information regarding file operations that can be independently identified and one piece of monitoring point specific information is referred to as a unit log. The log stored in the log storage unit 14 is a collection of unit logs.

  Next, a log analysis method by the log analysis module 17 will be described. In the following description, an operation on a file is described as an object of fraud detection, but the same applies to an operation on a folder as an object of fraud detection.

  There is a possibility that a file operation caused by a user operating a mouse or a keyboard is erroneously detected. Therefore, in this embodiment, file operations during a period in which the user does not operate the mouse, keyboard, or the like are targeted for fraud detection. However, it is not essential that the file operation during this period be an abnormality detection target, and file operations other than this period may be the object of abnormality detection.

  The log analysis module 17 reads the log generated by the log generation module 12 from the log storage unit 14 and reads the operation log generated by the operation detection module 15 from the log storage unit 14. The operation log records the time when the user operated the mouse, the keyboard, etc., and the log analysis module 17 recognizes the predetermined period based on the time when the user performed the operation as the operation period. The log analysis module 17 extracts a log whose time (time 200 in FIG. 2) is not included in the operation period from the logs generated by the log generation module 12. The log extracted in this way is used in the subsequent processing. Hereinafter, the log extracted as described above is set as a processing target log.

  As processing after the above, four processing examples will be described below.

(First processing example)
First, a first processing example will be described. In the first processing example, when a process accesses a file that is accessed by a process by a known bot, it is determined that fraud by the bot has occurred. FIG. 4 shows an image of processing according to the first processing example.

  The unauthorized profile stored in the unauthorized profile storage unit 16 includes information (file name in this embodiment) for identifying a file accessed by a terminal process (process by the bot) infected with the bot, and the bot type (information It is recorded in association with information (hereinafter referred to as bot type information) indicating leakage type / Trojan horse type / spam mail type). In FIG. 4, the name of the user file accessible by the user is recorded together with the information leakage type bot type information, the name of the existing EXE file (executable file) is recorded together with the Trojan type bot type information, and spam mail. The name of the file used to store the destination and the text is recorded together with the spam mail type bot type information. In a terminal infected with a bot, not only a process by the bot but also a normal process operates. Therefore, it is desirable that the user checks the information obtained by monitoring the behavior of the process, and configures an unauthorized profile from the information of the process that can be confirmed as a bot process.

  Processes 400, 410, and 420 are operating in the terminal to be monitored. Since the process 400 is accessing the user file, it is determined that the fraud caused by the information leaking bot has occurred. Further, since the process 410 is accessing the EXE file, it is determined that an illegal act by a Trojan horse bot has occurred. In addition, since the process 420 accesses a file storing a destination and a text used for spam mail, it is determined that fraud due to a spam mail type bot has occurred.

  In the first processing example, the log analysis module 17 operates as follows. First, the log analysis module 17 reads the unauthorized profile from the unauthorized profile storage unit 16. Subsequently, the log analysis module 17 compares the file name (information 308 in FIG. 3) recorded in the unit log included in the processing target log with the file name included in the unauthorized profile.

  A plurality of file names are recorded in the unauthorized profile. When the file name recorded in the unit log matches one of the file names recorded in the unauthorized profile, the log analysis module 17 determines that an unauthorized operation has occurred. Further, the log analysis module 17 acquires bot type information associated with the file name when it is determined that the fraud has occurred from the fraud profile, and determines the bot type based on the bot type information.

  If the file name recorded in the unit log does not match any file name recorded in the unauthorized profile, the log analysis module 17 determines that no fraud has occurred. When a plurality of unit logs exist in the processing target log, the log analysis module 17 repeats the above processing.

  Through the above processing, it is possible to detect the bot and know the type of the bot. Note that it may be determined that an illegality has occurred when the combination of the file name and process name recorded in the unit log matches the combination of the file name and process name recorded in the unauthorized profile.

(Second processing example)
Next, a second processing example will be described. In a terminal infected with a bot, a parent process may activate a child process, and the parent process and the child process may jointly perform desired processing. In the second processing example, the presence / absence of fraud by the parent-child process is determined. FIG. 5 shows an image of processing according to the second processing example.

  Similar to the first processing example, in the unauthorized profile stored in the unauthorized profile storage unit 16, information (file name) identifying the file accessed by the process of the terminal infected with the bot is associated with the bot type information. Has been recorded. In the monitoring target terminal, a parent process 500 and child processes 510 and 520 started by the parent process 500 are operating.

  Since the parent process 500 accesses a file different from the file accessed by the terminal process infected with the bot, it is determined that the parent process 500 is not illegal. However, the child processes 510 and 520 are the processes of the terminal infected with the bot. Since the same file as the accessed file is accessed, it is determined to be illegal. As a result, it is determined that the group including the parent process 500 and the child processes 510 and 520 is illegal (bot).

  Further, the child process 510 is determined to be a process by an information leakage type bot, and the child process 520 is determined to be a process by a spam mail type bot. As a result, the group including the parent process 500 and the child processes 510 and 520 is determined to be a group of processes based on an information leakage type spam mail type bot. As described above, when a plurality of types of bots are detected in units of parent processes or child processes, a group including parent-child processes is determined to be a group of processes of a plurality of types of bots.

  In the second processing example, the log analysis module 17 operates as follows. In the unit log, in addition to the ID (ID 204 in FIG. 2) and name (name 214 in FIG. 2) of the process that performed the file operation, the ID (ID 210 in FIG. 2) and name (ID 2 name 212) is recorded. The log analysis module 17 grasps the parent-child relationship of processes recorded in any two unit logs based on these pieces of information.

  Specifically, the log analysis module 17 associates both unit logs when the ID or name of the process included in one unit log matches the ID or name of the parent process included in the other unit log. . However, although the process ID is information unique to each process that is currently operating at a point in time, it does not guarantee that the process ID is unique to each process at a different point in time. It is more desirable to use the process name for.

  The log analysis module 17 generates information (hereinafter referred to as parent-child relationship information) indicating the parent-child relationship between the two unit logs associated as described above. For example, parent-child relationship information that associates the ID or name of the parent process with the ID or name of the child process is generated. Subsequently, the log analysis module 17 reads the unauthorized profile from the unauthorized profile storage unit 16 and compares the file name recorded in the unit log included in the processing target log with the file name included in the unauthorized profile.

  A plurality of file names are recorded in the unauthorized profile. When the file name recorded in the unit log matches one of the file names recorded in the unauthorized profile, the log analysis module 17 determines that an unauthorized operation has occurred. Further, the log analysis module 17 acquires bot type information associated with the file name when it is determined that the fraud has occurred from the fraud profile, and determines the bot type based on the bot type information.

  If the file name recorded in the unit log does not match any file name recorded in the unauthorized profile, the log analysis module 17 determines that no fraud has occurred. When a plurality of unit logs exist in the processing target log, the log analysis module 17 repeats the above processing.

  The log analysis module 17 extracts the ID or name of the process that performed the file operation from the unit log that was used when it was determined that the fraud occurred, and based on the parent-child relationship information that includes the ID or name, It is determined that the group including the process is invalid. The log analysis module 17 stores the unit log information related to the group determined to be illegal in the log storage unit 14 in association with each other. In the above processing, when it is determined that the parent process is not illegal and the child process is illegal, when it is determined that the parent process is invalid and the child process is not illegal, the parent process is invalid and the child process is In some cases, the group including the parent / child process is determined to be illegal.

  Through the above processing, it is possible to detect the bot and know the type of the bot. In particular, when a parent and child process performs a desired process jointly with a bot, the behavior of the parent and child process can be known from the log information related to the group determined to be illegal. In the unit log processing, if the combination of the file name and process name recorded in the unit log matches one of the file name and process name combinations recorded in the unauthorized profile, an error occurred. May be determined.

(Third processing example)
Next, a third processing example will be described. In the third processing example, when a process accesses a file in the same procedure as when the process by the bot accesses the file, it is determined that an illegality by the bot has occurred. FIG. 6 shows an example of a procedure when a process by an information leakage type bot accesses a file.

  FIG. 6 shows how the process 600 accesses files 610, 620, and 630 in the user folder. Arrows indicate access to each file by the process 600, and characters written in the vicinity of the arrows indicate the type and order of access. Access types include “r” (read), “w” (write), and “d” (delete). Also, the order is represented by numbers, and the smaller the number, the faster the order. For example, “r1” indicates that the file is read and that the order is first.

The process 600 shown in FIG. 6 accesses each file in the following steps 1 to 3.
Step 1: The file 610 is read.
Step 2: Write to file 620.
Step 3: Write to the file 630.

FIG. 7 shows an example of a procedure when a process by a Trojan horse bot accesses a file. The meaning of the arrow and the meaning of the characters written in the vicinity of the arrow are the same as in FIG. FIG. 7 shows how the process 700 accesses the files 710, 720, and 730 in the system folder. The process 700 shown in FIG. 7 accesses each file in the following steps 1 to 3.
Step 1: Read the file 710.
Step 2: Write to the file 720.
Step 3: Write to file 730.

FIG. 8 shows an example of a procedure when a process by a spam mail type bot accesses a file. The meaning of the arrow and the meaning of the characters written in the vicinity of the arrow are the same as in FIG. FIG. 8 shows a state in which the process 800 accesses the file 810 in the system folder and the files 820 and 830 in the user folder. The process 800 shown in FIG. 8 accesses each file in the following steps 1 to 5.
Step 1: The file 810 is read.
Step 2: Write to file 820.
Step 3: Write to the file 830.
Step 4: Read the file 820.
Step 5: Read the file 830.

  In the unauthorized profile stored in the unauthorized profile storage unit 16, information indicating a procedure when a process of a terminal infected with a bot accesses a file is recorded in association with the bot type information. If the file operation procedure detected on the monitored terminal is the same as the procedure recorded in the unauthorized profile, the process that performed the file operation detected on the monitored terminal is determined to be invalid. At the same time, the type of the bot is determined. Also, if the file operation procedure detected on the monitored terminal is not the same as the procedure recorded in the unauthorized profile, it is determined that the process that performed the file operation detected on the monitored terminal is not unauthorized. Is done.

  In the third processing example, the log analysis module 17 operates as follows. First, the log analysis module 17 generates information indicating a file operation procedure detected by the monitoring target terminal based on the processing target log. Specifically, the log analysis module 17 extracts a unit log in which the ID (ID 204 in FIG. 2) and the name (name 214 in FIG. 2) of the same process are recorded, and the time (time 200 in FIG. 2). Arrange unit logs in the order of. As a result, the unit logs are arranged in the order of file operations, and the information of each unit log becomes information of each step constituting a series of procedures.

  Subsequently, the log analysis module 17 reads the unauthorized profile from the unauthorized profile storage unit 16 and compares information indicating the file operation procedure detected by the monitoring target terminal with information included in the unauthorized profile. In the unauthorized profile, information on a procedure including one or a plurality of steps is recorded. The log analysis module 17 compares information for each step. First, the log analysis module 17 compares the information on the first step of the file operation detected by the monitoring target terminal with the information on the first step of the file operation recorded in the unauthorized profile.

  The information of each step includes at least the name of the process that performed the file operation, the name of the file, and the type of file operation (read / write / delete). If any of these pieces of information do not match, the log analysis module 17 has detected an illegal operation because the file operation procedure detected by the monitored terminal is not the same as the procedure recorded in the unauthorized profile. Judge that it is not. If all of these pieces of information match, the information in the next step is compared. The above processing is performed for each step.

  For all steps, if the file operation information detected by the monitoring target terminal matches the file operation information recorded in the unauthorized profile, the log analysis module 17 determines that an unauthorized operation has occurred. Further, the log analysis module 17 acquires bot type information associated with the file name when it is determined that the fraud has occurred from the fraud profile, and determines the bot type based on the bot type information. In the unauthorized profile, information indicating the procedure of each file operation is recorded for a plurality of file operations, and the log analysis module 17 repeats the above processing for each file operation.

  Through the above processing, it is possible to detect the bot and know the type of the bot.

(Fourth processing example)
Next, a fourth processing example will be described. In the fourth processing example, the presence / absence of fraud by the parent-child process is determined. FIG. 9 shows an example of a procedure when a process by a spam mail type bot accesses a file.

FIG. 9 shows a state in which the parent process 900 and the child process 910 access the system folder files 920 and 930 and the user folder files 940 and 950. The meaning of the arrow and the meaning of the characters written in the vicinity of the arrow are the same as in FIG. The parent process 900 and the child process 910 shown in FIG. 9 access each file in the following steps 1 to 6.
Step 1: The parent process 900 reads the file 920.
Step 2: The parent process 900 writes to the file 940.
Step 3: The parent process 900 writes to the file 950.
Step 4: The child process 910 reads the file 930.
Step 5: The child process 910 reads the file 940.
Step 6: The child process 910 reads the file 950.

  In the unauthorized profile stored in the unauthorized profile storage unit 16, information indicating a series of procedures by the parent process and the child process when the process of the terminal infected with the bot accesses the file is recorded. If the sequence of file operations detected by the monitored device by the parent and child processes is the same as the procedure recorded in the unauthorized profile, the detected file operation was performed on the monitored device. The process is determined to be invalid. Also, if the file operation procedure detected on the monitored terminal is not the same as the procedure recorded in the unauthorized profile, it is determined that the process that performed the file operation detected on the monitored terminal is not unauthorized. Is done.

  In the fourth processing example, the log analysis module 17 operates as follows. First, the log analysis module 17 grasps the relationship between the parent and child processes by the same processing as in the second processing example, and generates parent-child relationship information in which the parent process ID or name is associated with the child process ID or name. To do.

  Subsequently, the log analysis module 17 generates information indicating the procedure of the file operation detected by the monitoring target terminal based on the processing target log. Specifically, the log analysis module 17 extracts a unit log in which the ID (ID 204 in FIG. 2) and the name (name 214 in FIG. 2) of the same process are recorded. The log analysis module 17 also extracts a unit log including the same ID or name as the ID or name of the parent process or child process of this process based on the parent-child relationship information. Thereby, a unit log of a process having a parent-child relationship is extracted.

  Subsequently, the log analysis module 17 arranges the extracted unit logs in order of time (time 200 in FIG. 2). As a result, the unit logs are arranged in the order of file operations, and the information of each unit log becomes information of each step constituting a series of procedures.

  Subsequently, the log analysis module 17 reads the unauthorized profile from the unauthorized profile storage unit 16 and compares information indicating the file operation procedure detected by the monitoring target terminal with information included in the unauthorized profile. In the unauthorized profile, information on a procedure including one or a plurality of steps is recorded. The log analysis module 17 compares information for each step. First, the log analysis module 17 compares the information on the first step of the file operation detected by the monitoring target terminal with the information on the first step of the file operation recorded in the unauthorized profile.

  The information of each step includes at least the name of the process that performed the file operation, the name of the file, and the type of file operation (read / write / delete). If any of these pieces of information do not match, the log analysis module 17 has detected an illegal operation because the file operation procedure detected by the monitored terminal is not the same as the procedure recorded in the unauthorized profile. Judge that it is not. If all of these pieces of information match, the information in the next step is compared. The above processing is performed for each step.

  For all steps, if the file operation information detected by the monitoring target terminal matches the file operation information recorded in the unauthorized profile, the log analysis module 17 determines that an unauthorized operation has occurred. Further, the log analysis module 17 acquires bot type information associated with the file name when it is determined that the fraud has occurred from the fraud profile, and determines the bot type based on the bot type information. In the unauthorized profile, information indicating the procedure of each file operation is recorded for a plurality of file operations, and the log analysis module 17 repeats the above processing for each file operation.

  Through the above processing, it is possible to detect the bot and know the type of the bot.

  In the first to fourth processing examples described above, the processing result may be displayed on the display device. For example, in the first processing example, information on a file operated by a process determined to be illegal and the type of bot may be displayed. In the second processing example, information on a file operated by a process determined to be illegal, information on a parent-child process group including a process determined to be illegal, and a type of bot may be displayed. In the third processing example, the procedure determined to be illegal and the type of bot may be displayed. In the fourth processing example, the procedure determined to be illegal, the information of the parent-child process group that performed the operation according to the procedure, and the type of the bot may be displayed.

  Information obtained by a host-type intrusion detection system or an unauthorized process detection system may be used. The host-type intrusion detection system is a system that detects falsification of a system file by storing a normal state of a file or directory of a monitored terminal and periodically checking consistency. The unauthorized process detection system focuses on the feature that a terminal infected with malware sends an unintended packet automatically or by external control regardless of the user's keyboard or mouse operation. It is a system that detects the unauthorized process by profiling the characteristics of the communication in the state, determining that the communication not corresponding to this is abnormal.

  In the host-type intrusion detection system, the name of the file that has detected tampering can be obtained. In the first to fourth processing examples, when it is determined that fraud has occurred, the log analysis module 17 compares the file name related to the fraud with the file name acquired by the host-type intrusion detection system. . If the two match, it is possible to know that there is a higher possibility of fraud due to the bot.

  In the unauthorized process detection system, the name of the unauthorized process is obtained. In the first to fourth processing examples, when it is determined that fraud has occurred, the log analysis module 17 compares the name of the process related to the fraud with the name of the process acquired by the fraud process detection system. If the two match, it is possible to know that there is a higher possibility of fraud due to the bot.

  In the third to fourth processing examples, the threshold θ is provided to configure the file operation procedure detected by the monitoring target terminal and the file operation procedure recorded in the unauthorized profile. If the number of steps is equal to θ or more, it may be determined that fraud has occurred.

  Moreover, you may detect the fraud by a bot as follows. A bot has the feature that its process duplicates (self-replicates) its own file (executable file). In particular, when self-replicating, there is a feature that the file is replicated to a system folder in which files related to the OS are stored.

  In bot self-replication, the bot file (and the folder in which the file was stored) that was the source of the process that performed the file operation (replication), and the file (and its file) that the process performed the file operation (replication) The folder in which the file is stored). Therefore, the file of the bot that was the source of the process that performed the file operation, or the folder in which the file was stored (hereinafter referred to as the file or folder of the operation source process), the file that the process performed the file, Alternatively, a relative relationship (more specifically, a relative path) with a folder in which the file is stored (hereinafter referred to as an operation target file or folder) is defined as an unauthorized profile.

  If the relative path of the operation target file or folder detected on the monitored terminal is the same as the relative path in the unauthorized profile (actually, the monitored terminal If the detected file or folder of the operation source process is the same as the operation target file or folder), it is determined that an illegal operation has occurred. The relative path may be obtained by calculating the absolute path of the file or folder of the operation source process and the absolute path of the operation target file or folder.

  In addition, since the bot self-replicates files in the system folder, the relative path detected above on the monitored terminal matches the relative path of the unauthorized profile, and the operation target folder is the system folder. It may be determined that fraud has occurred.

  As described above, according to the present embodiment, when the same operation as a file or folder operation by a process generated by a normal terminal infected with a bot is detected, the operation of the bot that is the source of the operation is detected. Since the type can be identified from the bot type information, it is possible to detect the bot and know the type of the bot. In addition, since the type of bot, that is, the behavior of the bot in the PC can be grasped, it is possible to promptly take a correct action when the bot is detected.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like without departing from the gist of the present invention. . For example, a program for realizing the operation and function of the fraud detection device may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read by the computer and executed.

  Here, the “computer” includes a homepage providing environment (or display environment) if the WWW system is used. The “computer-readable recording medium” refers to a storage device such as a portable medium such as a flexible disk, a magneto-optical disk, a ROM, and a CD-ROM, and a hard disk built in the computer. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program described above may be transmitted from a computer storing the program in a storage device or the like to another computer via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the above-described program may be for realizing a part of the above-described function. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer, what is called a difference file (difference program) may be sufficient.

  DESCRIPTION OF SYMBOLS 11 ... OS, 12 ... Log generation module (information generation means, 1st information generation means), 13 ... Hardware, 13a ... Storage device, 13b ... Input device, 13c ... Output device, 14 ... log storage unit, 15 ... operation detection module, 16 ... illegal profile storage unit (storage unit), 17 ... log analysis module (second information generation unit, information acquisition) means)

Claims (8)

First identification information generated by a terminal infected with a known bot and identifying a file or folder operated by the first process by the bot, and bot type information indicating the type of the bot Storage means for storing;
Information generating means for monitoring the behavior of the second process generated by the terminal to be monitored and generating second identification information for identifying the file or folder operated by the second process;
An information acquisition unit that compares the first identification information with the second identification information and acquires the bot type information corresponding to the first identification information from the storage unit when they match;
A fraud detection device characterized by comprising: First identification information generated by a terminal infected with a known bot and identifying a file or folder operated by the first process by the bot, and bot type information indicating the type of the bot Storage means for storing;
Second identification information for monitoring a behavior of a parent process generated by a monitoring target terminal and a behavior of a child process started by the parent process, and identifying a file or folder operated by the parent process; Information generating means for generating third identification information for identifying a file or folder operated by the child process;
The first identification information and the second identification information are compared, the first identification information and the third identification information are compared, and the first identification information and the second identification information match. If the first identification information and the third identification information match, or if the first identification information and the second identification information match, the first identification information and the third identification Information acquisition means for acquiring the bot type information corresponding to the first identification information from the storage means when the information matches;
A fraud detection device characterized by comprising: Including first identification information generated by a terminal infected with a known bot and identifying a file or folder operated by the first process by the bot, and the first process is stored in the file or folder. Storage means for storing first procedure information indicating a procedure when an operation is performed, and bot type information indicating a type of the bot;
The first process for monitoring the behavior of the second process generated by the terminal to be monitored and generating the information including the second identification information for identifying the file or folder operated by the second process and the time information. Information generation means,
Based on the information generated by the first information generating means, second procedure information including the second identification information and indicating a procedure when the second process has performed an operation on a file or folder is generated. Second information generating means for
Comparing the first procedure information and the second procedure information, and when the two match, information acquisition means for acquiring the bot type information corresponding to the first procedure information from the storage means;
A fraud detection device characterized by comprising: First identification information generated by a terminal infected with a known bot and identifying a file or folder operated by the first parent process by the bot, and started by the first parent process , And second identification information for identifying a file or folder operated by the first child process by the bot, and the first parent process and the first child process operate on the file or folder. Storage means for storing first procedure information indicating a procedure at the time of the operation and bot type information indicating the type of the bot;
The behavior of the second parent process generated by the monitoring target terminal and the behavior of the second child process started by the second parent process are monitored, and the second parent process performs an operation. Information including third identification information for identifying a file or folder and time information, and information including fourth identification information for identifying a file or folder operated by the second child process and time information are generated. First information generating means for
Based on the information generated by the first information generating means, the second parent process and the second child process operate on the file or folder including the third identification information and the fourth identification information. Second information generating means for generating second procedure information indicating a procedure when
Comparing the first procedure information and the second procedure information, and when the two match, information acquisition means for acquiring the bot type information corresponding to the first procedure information from the storage means;
A fraud detection device characterized by comprising:   The fraud detection apparatus according to claim 1, wherein the second process is a process generated when a user does not operate the terminal to be monitored.   The fraud detection apparatus according to claim 2, wherein the parent process and the child process are processes generated when a user does not operate the terminal to be monitored.   The fraud detection apparatus according to claim 4, wherein the second parent process and the second child process are processes generated when a user does not operate the monitoring target terminal.   The program for functioning a computer as a fraud detection apparatus in any one of Claims 1-7.

Images