JP2017142552A - Malware alerting device and method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To allow for displaying an alert message on a screen to alert a user who executed malware even when the malware is of a type that is executed in the background, such as downloader malware.SOLUTION: A file acquisition request from malware executed on a computer is responded not with a file requested by the malware but with a file that does no harm when executed. Execution of the file through behavior of the malware causes an alert screen to be displayed on the computer.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a technique for immediately notifying an employee when an organization employee executes malware on a computer connected to a network.

  In recent years, there has been an ever-increasing number of targeted attacks that attempt to exploit vulnerabilities in corporate systems and infiltrate systems or steal confidential information. Targeted attacks are performed by attaching a computer virus, called malware, to an email and sending it to the target company.

  Downloader-type malware that downloads and executes new malware from an external network may be used as malware sent to companies. An attacker attaches these malwares to a carefully crafted email body, and attempts to make the organization's employees misunderstand and execute them as normal files. It is currently difficult for employees with low security awareness to see such impersonation.

  For these reasons, it is important to raise employee security awareness by alerting employees when they execute suspicious files in order to counter current targeted attacks.

  For example, Patent Literature 1 discloses a malware infection countermeasure system focused on alerting employees. When malware communication is detected, this not only blocks communication performed by the malware and discards the communication content, but can also notify a malware infection alert to the computer device that executed the malware.

JP 2010-15513 A

  The technique of patent document 1 is performing communication interruption | blocking and alerting by responding an alerting message with respect to malware communication, when the unauthorized communication of malware is detected. However, for malware that communicates in the background, such as a downloader-type malware, even if a warning message is responded, it is not displayed on the screen and cannot be alerted.

  The present invention has been made in view of the above circumstances, and an object thereof is to provide a malware alert device that alerts employees even if it is malware that performs communication in the background.

  A typical example of the present invention is as follows. That is, in the present invention, in response to a malware file acquisition request executed on the computer, a file that is not harmful even if executed instead of a file requested by the malware is returned instead. By executing this file on the computer as the behavior of the malware without noticing the switching of the file, the malware presents a warning screen to the employee as a result of executing the replaced file.

  According to the present invention, when an employee executes malware, alerting can be performed. This makes it possible for employees to take early infection measures such as isolating the terminal from the network, which helps prevent damage from spreading.

It is the figure which showed the structural example of the malware alerting device which concerns on Example 1. FIG. It is the figure which showed the structural example of the communication destination detection information data which concerns on Example 1. FIG. It is the figure which showed the structural example of the request content detection information data which concern on Example 1. FIG. It is the figure which showed the structural example of the response content detection information data which concern on Example 1. FIG. It is the figure which showed the structural example of the alert format information data based on Example 1. FIG. It is the figure which showed the structural example of the client environment data which concerns on Example 1. FIG. It is the figure which showed the structural example of the DL file process data which concerns on Example 1. FIG. 1 is a diagram illustrating an overall processing flow according to Embodiment 1. FIG. It is the figure which showed the processing flow of the communication determination function which concerns on Example 1. FIG. It is the figure which showed the processing flow of the response file production | generation function which concerns on Example 1. FIG. It is the figure which showed the processing flow of the message content determination function which concerns on Example 1. FIG. It is the figure which showed the alert message which concerns on Example 1. FIG. It is the figure which showed the structural example of the malware alerting device which concerns on Example 2. FIG. It is the figure which showed the structural example of the alert format information data which concerns on Example 2. FIG. It is the figure which showed the structural example of the communication permission status recording data which concern on Example 2. FIG. It is the figure which showed the processing flow of the message content determination function which concerns on Example 2. FIG. FIG. 10 is a diagram illustrating a processing flow of a record information update function according to the second embodiment. It is the figure which showed the alert message which concerns on Example 2. FIG.

  The present invention is a system that detects and blocks communication of malware and alerts an employee who has executed the malware when the malware is executed on a terminal in the organization. In the first embodiment, a downloader-type malware is assumed as malware executed on a terminal in an organization, and unauthorized communication by the malware is detected and alert processing is described. In the second embodiment, a method for allowing an employee to determine whether or not to allow communication from a terminal in an organization when communication cannot be determined to be illegal will be described.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a diagram illustrating a configuration example of a malware alert device and its peripheral devices in the present embodiment. As shown in FIG. 1, the malware alert device 101 is connected to client terminals 117a and 117b via a network 118a, and is connected to the Internet 119 via a network 118b.

  The client terminals 117a and 117b are client computers used by the user. It is realized by a personal computer, a workstation, or other computer devices. Note that mail software capable of sending and receiving attached files is installed in the client terminals 117a and 117b. Although the client terminals 117a and 117b are shown in the figure, they may be referred to as client terminals 117 when it is not necessary to distinguish them. Further, although only two client terminals 117 are shown in the figure, three or more client terminals 117 may be provided.

  The networks 118a and 118b are communication lines used for transmitting and receiving information.

  The Internet 119 refers to the entire network existing outside the organization. For example, a communication destination where the downloader-type malware tries to acquire new malware is included in the Internet 119.

  The malware alert device 101 is a device that mediates communication transmitted from the client terminal 117 to the Internet 119, detects unauthorized communication, blocks communication, and responds with an alternative file. The malware alert device 101 includes a CPU (Central Processing Unit) 103, a main memory 104 for storing data necessary for the CPU 103 to execute processing, and a hard disk or flash memory having a capacity for storing a large amount of data. A storage device 105 such as, IF (InterFace) 102a and 102b for communicating with other devices, an input / output device 106 for performing input / output such as a keyboard and a display, and a communication path for connecting these devices 107, and is realized by, for example, a personal computer, a workstation, or another computer device. The communication path 107 is an information transmission medium such as a bus or cable.

  The CPU 103 executes the communication destination determination function 108 stored in the main memory 104 to perform a positive determination on the communication received from the client terminal 117, and executes the response file generation function 109 stored in the main memory 104. Thus, by generating a substitute file that is appropriately executed in the client terminal 117 and executing the message content determination function 110 stored in the main memory 104, the content of the alert message displayed on the client terminal is determined.

  The main memory 104 functions as a communication destination determination function 108, a response file generation function 109, and a message content determination function 110 by executing various programs. Specifically, when communication from the client terminal 117 to the Internet 119 is received, a positive determination of communication, generation of an alternative file, and response of an alternative file are started. The communication destination determination function 108 refers to the communication destination detection information data 111, the request content detection information data 112, and the response content detection information data 113 in the recording device 105, and in communication, the communication destination and the communication request content. From the three indicators of communication response content, communication positive determination is performed. The response file generation function refers to the alert format information data 114, the client environment data 115, and the DL file processing content data 116 in the recording device 105, and generates an alternative file for the detected unauthorized communication. . The substitute file generated in the main memory 104 is sent as a communication response to the client terminal 117 via the IF 102a.

  The storage device 105 is an alternative that responds according to the record data storing the information of the unauthorized communication and the content of the communication received from the client terminal 117, which are used to determine whether the communication received from the client terminal 117 is positive. When determining the specification of the file, recording data used for determining the specification of the alternative file is stored. Specifically, the storage device 195 stores communication destination detection information data 111 in which an illegal communication destination is recorded, request content detection information data 112 in which an illegal communication request content is recorded, and an illegal communication response content. Communicated from the client terminal 117, the recorded response content detection information data 113, the alert format information data 114 in which rules for determining the type of alert in the alternative file are recorded, the client environment data 115 in which the terminal information of the client terminal 117 is recorded, DL file processing content record data 116 in which a rule for performing the processing that the file that has been subjected to the file that was originally scheduled to be acquired on the substitute file is stored is stored.

  FIG. 2 is a diagram illustrating an example of the communication destination detection information data 111. As illustrated in FIG. 2, the communication destination detection information data 111 includes a communication destination information ID 201 and a communication destination URI 202. The communication destination detection information data 111 is used in the communication destination positive determination in step 902. Step 902 will be described later with reference to FIG.

  The communication destination information ID 201 represents information that can uniquely identify the communication destination information. The communication destination information ID 201 represents information stored in the communication destination detection result 502 in the alert format information data 114, which will be described later. A communication destination URI 202 represents a URI of an external communication destination. The communication destination URI 202 includes an IP address, a domain, path information for specifying a file, and the like. Note that when registering information in the communication destination URI 202, malware may be analyzed by dynamic analysis using a sandbox, and invalid URI information in the analysis result may be extracted and registered.

  FIG. 3 is a diagram illustrating an example of the request content detection information data 112. As illustrated in FIG. 3, the request content detection information data 112 includes a request content information ID 301 and User-Agent information 302. The request content detection information data 112 is used in the positive determination of the request content in step 903. Step 903 will be described later with reference to FIG.

  The request content information ID 301 represents information that can uniquely identify the request content information. The request content information ID 301 represents information stored in the request content detection result 503 in the alert format information data 114, which will be described later. User-Agent information 302 represents user agent information included in header information of a communication request. In the User-Agent information 302, user agent information used when malware performs communication is recorded. Note that when registering information in the User-Agent information 302, malware may be analyzed by dynamic analysis using a sandbox, and user agent information in the analysis result may be extracted and registered.

  FIG. 4 is a diagram illustrating an example of the response content detection information data 113. As shown in FIG. 4, the response content detection information data 113 includes a response content information ID 401, filename information 402, and fileHash information 403. The response content detection information data 113 is used in the response content positive determination in step 904. Step 904 will be described later with reference to FIG.

  The response content information ID 401 represents information that can uniquely identify the response content. The response content information ID 401 represents information stored in the response content detection result 504 in the alert format information data 114, which will be described later. The filename information 402 represents the file name of the malware. In the filename information 402, the file name of the file acquired by the malware file acquisition request is recorded. The file Hash information 403 is information that can uniquely identify a file. In the fileHash information 403, for example, a hash value of malware using the hash function SHA1 is recorded. When registering information in the filename information 402 and the fileHash information 403, the malware is analyzed by dynamic analysis using a sandbox, and the file name of the download file and the hash value of the download file in the analysis result are obtained. You may extract and register. Also, as indicated by C-2 in the response content information ID 401 of FIG. 4, if any information of the filename information 402 and the fileHash information 403 is unknown or no data, the corresponding information is left blank. Also good. In this case, the association with the response content information ID 401 is performed using either the filename information 402 or the fileHash information 403.

  FIG. 5 is a diagram illustrating an example of the alert format information data 114. As shown in FIG. 5, the alert format information data 114 includes an alert format information ID 501, a communication destination detection result 502, a request content detection result 503, a response content detection result 504, response presence / absence information 505, and alert specification 1. Presence / absence information 506 and alert specification 2 presence / absence information 507 are included. The alert format information data 114 is used in determining the alerting method in step 1002. Step 1002 will be described later with reference to FIG.

  The alert format information ID 501 represents information that can uniquely identify the alert format information.

  The communication destination detection result 502 represents the information of the communication destination information ID 201 recorded in the communication destination detection information data 111, and the request content detection result 503 represents the information of the request content information ID 301 recorded in the request content detection information data 112. The response content detection result 504 represents the information of the response content information ID 401 recorded in the response content detection information data 113. The response presence / absence information 505 determines whether or not to alert the malware communication by an alternative file response. If the alert is issued by the response of the alternative file, ○ is stored. Otherwise, × is stored. Further, the alert specification 1 presence / absence information 506 and the alert specification 2 presence / absence information 507 will be described later with reference to FIG.

  FIG. 6 is a diagram illustrating an example of the client environment data 115. As shown in FIG. 6, the client environment data 115 includes a client environment ID 601, a terminal IP 602, an OS 603, and an architecture 604. The client environment data 115 is used in determining the terminal environment in step 1004. Step 1004 will be described later with reference to FIG.

  The client environment ID 601 represents information that can uniquely identify the client environment information, and the terminal IP 602 represents the IP address of the client terminal 117. The OS 603 represents the OS of the terminal. In the OS 603, information representing the OS of each client terminal 117 in the organization is recorded. The architecture 604 represents the amount of information that can be handled by the CPU. Information stored in the architecture 604 is either 32 bits or 64 bits.

  FIG. 7 is a diagram illustrating an example of DL file processing content data 116. As shown in FIG. 7, the DL file processing content data 116 includes a Hash value 701, processing content 702, a conversion function 703, a start point 704, and an end point 705. The DL file processing content data 116 is used for determining processing to be performed on the alternative file in step 1005. Step 1005 will be described later with reference to FIG.

  The Hash value 701 represents the Hash value of malware based on the Hash function. Examples of the Hash function used in the Hash value 701 include MD5 and SHA1. The process content 702 represents a disguise process that the malware performs on a file that requires download. Examples of the camouflage process recorded in the process content 802 include RSA encryption (128 bits), XOR, AES encryption (128 bits), and the like. The conversion function 703 represents an encryption key used in the camouflage process performed by the malware on the file requesting download. The start point 704 represents the coordinates of the start point of the bit string to be processed in the camouflage process performed by the malware on the file requesting download, and the end point 705 is applied to the file requested by the malware. Indicates the coordinates of the end point of the bit string to be processed in the camouflage process.

  Next, the processing procedure of the present embodiment will be described.

  FIG. 8 shows a processing flow of the malware alert device 101.

  When the malware alerting device 101 receives communication from the client terminal 117, the communication destination determination function 108 performs positive determination of communication information (step 802).

  Communication information analyzed by the communication destination determination function 108 is both a request and a response in communication from the client terminal 117. For this reason, the communication request from the client terminal 117 is not blocked, and the response content from the Internet 119 is acquired after connecting to the Internet 119 via the networks 118a and 118b. Make a positive test. The processing flow of the communication determination function 108 will be described later with reference to FIG.

  Next, on the basis of the positive determination result in the communication destination determination function 108, the response file generation function 109 determines a handling method for communication from the client terminal 117 (step 803).

  When the communication destination determination function 108 determines that the communication from the client terminal 117 is “positive”, that is, it is invalid, the response file generation function generates an alternative file in which an alert program is incorporated, and the generated alternative file Is transmitted to the client terminal 117 via the IF 102a as a response file for communication from the client terminal 117. Here, when the communication from the client terminal 117 is due to the downloader type malware, the malware itself executes the substitute file transmitted as a response file in response to its own file acquisition request, thereby converting it into the substitute file. The alert program showing the content of the alert is displayed to the terminal operator of the client terminal 117 that has executed the embedded alert program and executed the malware.

  If the communication destination determination function 108 determines that the communication from the client terminal 117 is not illegal, the malware alerting device 101 does not perform any further processing on the communication from the client terminal 117 and goes to the Internet 119. Let them communicate. These processes will be described later with reference to FIG.

  FIG. 9 shows a processing flow of the communication destination determination function 108.

  The communication determination function 108 acquires URI information from a communication request from the client terminal 117. A communication destination information ID 201 such that the communication destination URI 202 in the communication destination detection information data 111 is URI information acquired from the client terminal 117 is acquired and output (step 902). Note that the communication destination determination function 108 does not perform output when the communication destination information ID 201 does not exist in the communication destination detection information data 111.

  The communication destination determination function 108 acquires user agent information from a communication request from the client terminal 117. The request content information ID 301 such that the User-Agent information 302 in the request content detection information data 112 is the user agent information acquired from the client terminal 117 is acquired and output (step 903). Note that the communication destination determination function 108 does not output the request content detection information data 112 when the corresponding request content information ID 301 does not exist.

  The communication destination determination function 108 acquires a file name and a hash value from a file included in a response to the communication request from the client terminal 117. The response content information ID 401 such that the file name information 402 and the file Hash information 403 in the response content detection information data 113 are the file name and the hash value acquired from the client terminal 117 is acquired and output (step 904). Note that the communication destination determination function 108 does not output when the corresponding response content information ID 401 does not exist in the response content detection information data 113. Further, when acquiring a hash value from a response to a communication request from the client terminal 117, a hash value automatic output tool may be used.

  Here, it has been described that the determination of the communication destination is performed in the above order for the above three viewpoints, but it is not always necessary to implement all of these viewpoints. Depending on the level of security, if a value is output from any one viewpoint, it may be determined as positive.

  FIG. 10 shows the flow of processing of the response file generation function 109.

  The response file generation function 109 acquires the communication destination information ID 301, the request content information ID 401, and the response content information ID 501 output in Step 902, Step 903, and Step 904. The response file generation function 109 includes the communication destination detection result 502, the request content detection result 503, and the response content detection result 504 in the alert format information data 114, the acquired communication destination information ID 301, the request content information ID 401, and the response Response presence / absence information 505, alert specification 1 presence / absence information 506, and alert specification 2 presence / absence information 507, which are content information ID 501, are acquired. Using the acquired response presence / absence information 505, alert specification 1 presence / absence information 506, and alert specification 2 presence / absence information 507, the response file generation function 109 implements the alert specification 1 in the alert program. And whether or not alert specification 2 is implemented in the alert program is determined (step 1002).

  The response file generation function 109 inputs the communication destination information ID 301, the request content information ID 401, and the response content information ID 501 acquired in step 1002 to the message content determination function 110 (step 1003). In step 1003, a message displayed on the client terminal 117 is implemented in the alert program. The processing flow of the message content determination function 110 will be described later with reference to FIG.

  The response file generation function 109 acquires the IP address of the client terminal 117 that is the communication source from the response to the communication request from the client terminal 117. The OS 603 and the architecture 604 are acquired such that the terminal IP 602 in the client environment data 115 is the acquired IP address of the client terminal 117. Using the acquired OS 603 and architecture 604, the response file generation function 109 implements the program so that the alert program is properly executed on the client terminal (step 1004).

  When the response to the communication request from the client terminal 117 includes a file, the response file generation function 109 acquires a hash value of the file included in the response. A processing content 702, a conversion function 703, a start point 704, and an end point 705 are acquired such that the Hash value 701 in the DL file processing content data is the acquired hash value. The response file generation function 109 uses the acquired processing content 702, the conversion function 703, the start point 704, and the end point 705 to perform a process to be performed on the substitute file, a conversion function used for the process, and a start point of the range to be processed. The end points of the range to be processed are determined (step 1005). A hash value acquisition tool may be used when acquiring the hash value of the file included in the response.

  FIG. 11 shows a process flow of the message content determination function 110 executed in step 1003.

  The message content determination function 110 acquires the response presence / absence information 505 acquired by the response file generation function 109 in step 1002. When the acquired response presence / absence information 505 is ◯, the process proceeds to step 1104, and when the acquired response presence / absence information 505 is x, the process proceeds to step 1103 (step 1102).

  The message content determination function 110 stops the alternative file generation process. In this case, the malware alert device 101 does not execute an alert for the communication from the client terminal 117, and permits the communication from the client terminal 117 to the Internet 119 (step 1103).

  The message content generation function 110 acquires the communication destination information ID 201 output from the communication destination determination function 108 in step 902. A communication destination URI 202 is acquired such that the communication destination information ID 201 in the communication destination detection information data 111 matches the communication destination information ID 201 output by the communication destination determination function 108 in step 902. The message content generation function 110 detects a communication with an unauthorized communication destination in the client terminal 117 and displays a message on the client terminal 117 indicating that a new file has been acquired. Implement. Further, a warning program is implemented so that the acquired information of the communication destination URI 202 is displayed on the detection information detail display screen 1201 (step 1104). In step 902, if the communication destination determination function 108 does not acquire a valid communication destination information ID 201, the message content generation function 110 determines whether there is connection to an unauthorized communication destination or whether there is a file acquisition behavior. Do not generate messages. The detection information detail display screen 1201 will be described later with reference to FIG.

  The message content generation function 110 acquires the request content information ID 301 output by the communication destination determination function 108 in step 903. User-Agent information 302 is acquired such that the request content information ID 301 in the request content detection information data 112 matches the request content information ID 301 output by the communication destination determination function 108 in step 903. The message content generation function 110 implements a warning program so that a message indicating that unauthorized user agent information is included in a communication request from the client terminal 117 is displayed on the client terminal 117. Furthermore, a warning program is implemented so that the acquired user-agent information 302 information is displayed on the detection information detail display screen 1201 (step 1105). In step 903, when the communication destination determination function 108 does not acquire a valid request content information ID 301, the message content generation function 110 does not generate a message regarding unauthorized user agent information. The detection information detail display screen 1201 will be described later with reference to FIG.

  The message content generation function 110 acquires the response content information ID 401 output by the communication destination determination function 108 in step 904. Filename information 402 and fileHash information 403 are acquired such that the response content information ID 401 in the response content detection information data 113 matches the response content information ID 401 output by the communication destination determination function 108 in step 904. The message content generation function 110 implements a warning program so that a message indicating that an illegal file is included in the response content to the communication request from the client terminal 117 is displayed on the client terminal 117. Further, a warning program is implemented so that the acquired filename information 402 and fileHash information 403 information are displayed on the detection information detail display screen 1201 (step 1106). In step 904, when the communication destination determination function 108 does not acquire a valid response content information ID 401, the message content generation function 110 does not generate a message regarding acquisition of an unauthorized file.

  The message content determination function 110 implements the alert program so that the alert message content 1202 and the input reception button 1203 are displayed on the client terminal 117 (step 1107). Note that the alert message content 1202 and the input reception button 1203 will be described later with reference to FIG.

  FIG. 12 shows an example of the message screen output by the message content determination function in step 1003. The message screen includes a detection information detail display screen 1201, an alert message content 1202, and an input acceptance button 1203.

  The detection information detail display screen 1201 is a message screen in which information regarding communication from the detected client terminal 117 is described. The detection information detail display screen 1201 displays messages generated in step 1104, step 1105, and step 1106 of the message content determination function. In the example in FIG. 12, information indicating that an unauthorized communication destination and an unauthorized file have been detected in steps 1104 and 1106 are displayed on the detection information detail display screen 1201.

  The alert message content 1202 is a message screen that describes the details of processing performed for the detected communication from the client terminal 117 and the alert. In the example in FIG. 12, when the malware alerting device 101 detects the communication of the malware, the fact that the communication has been blocked with respect to the detected malware communication, and that the malware executed on the client terminal 117 has been deleted. In this case, a notice to alert the operator of the client terminal 117 is displayed. These message contents are generated in step 1107 of the message contents determination function 110.

  The input acceptance button 1203 is a button for accepting input by the operator of the client terminal 117. It is assumed that the operator of the client terminal 117 presses the input reception button 1203 when reading the description content on the message screen.

  Here, the alert specification 1 presence / absence information 506 and the alert specification 2 presence / absence information 507 in the alert format information data 114 used in step 1002 will be described.

  The alert specification 1 presence / absence information 506 is information for determining presence / absence of the alert specification 1 in the alerting program for displaying the message screen shown as an example in FIG. The alert specification 1 locks the operation of the client terminal 117 on which the alert is executed by the input / output device, and locks the operation of the client terminal 117 until the input acceptance button 1203 is pressed by the operator of the client terminal 117. It is a specification to do. The information stored in the alert specification 1 presence / absence information 506 is either “O” or “X”. If the alert specification 1 is incorporated in the alert program, “O” is indicated. If the alert specification 1 is not incorporated in the alert program, “X” is indicated. Output.

  The alert specification 2 presence / absence information 507 is information for determining presence / absence of the alert specification 2 in the alerting program for displaying the message screen shown as an example in FIG. The alert specification 2 is a specification for generating an alert sound on the client terminal 117 when the alert program is executed on the client terminal 117. The information stored in the alert specification 2 presence / absence information 507 is either “O” or “X”. If the alert specification 2 is incorporated in the alert program, “O” is indicated. If the alert specification 2 is not incorporated in the alert program, “X” is indicated. Output.

  When the alert program is executed on the client terminal 117 according to the alert specification 1, all operations on the client terminal 117 are locked until the operator of the client terminal presses the input reception button 1203. Thereby, it is possible to prevent the terminal operator from ignoring the alert message and to make the content of the alert alert known.

  An alert sound is generated when the alerting program is executed on the client terminal 117 according to the alert specification 2. Thereby, not only the operator of the client terminal 117 but also the employees around the client terminal 117 can make the alerting known.

  The alerting program responding to the client terminal 117 has a function of popping up a displayed message and a function of deleting malware that has attempted unauthorized communication on the client terminal. As a result, the operator of the client terminal 117 can quickly recognize the message display, and malware removal at the client terminal 117 is simultaneously performed.

  The process of the malware alert system according to the present embodiment will be described assuming that a downloader type malware is executed on the client terminal 117.

  When malware is executed on the client terminal 117, the malware tries to communicate with the Internet 119. At this time, the malware alert device 101 receives the malware communication, and analyzes the malware communication information by the communication destination determination function 108. At this time, the communication request is communicated to the Internet 119 without blocking communication by malware.

  In the communication destination determination function 108, the communication destination URI of the malware, the user agent in the request content, the file name and the hash value of the download file included in the response content, respectively, the communication destination detection information data 111 and the request content detection information data 112, respectively. The comparison is made using the response content detection information data 113, and the positive determination of malware communication is performed using the above three indicators. Based on the positive determination result based on the above three indicators, the response file generation function 109 and the message content determination function 110 function, and an executable alert program for alerting the illegal file acquisition behavior of malware is provided. Implemented and responds to malware communications as an alternative file. In the alert program, a message in which a malware communication destination URI, a user agent in the request content, detection information regarding the download file included in the response content, and a message for alerting the operator of the client terminal 117 are recorded A screen is created. The malware on the client terminal 117 executes the substitute file acquired as a response to the communication on the client terminal 117, whereby an alert message is displayed on the client terminal by a pop-up. The alert format information data 114 selectively locks the terminal operation and generates an alert sound according to each malware. Locking the terminal operation locks the operation of the terminal until the operator of the client terminal 117 presses the input reception button 903 in the message, and the message cannot be ignored. In addition, the alert sound can be made known to the employees in the vicinity of the client terminal 117 to call attention. Furthermore, the malware that performed unauthorized communication from the client terminal 117 is deleted by the alert program.

  As described above, the behavior blocking and alerting can be performed for the illegal file acquisition behavior of the downloader type malware.

  It should be noted that a part of the present embodiment may be changed and implemented as follows. In the past, generated file information data in which a generation rule of an alternative file when a substitute file is responded to a file acquisition request from the Internet 119 of malware may be separately created in the storage device 105. If the generated file information data is created, it is possible to promptly respond to the substitute file with respect to malware communication once detected in the past.

In addition, when malware communicating from the client terminal 117 to the Internet 119 requests acquisition of a document browsing file or a document creation file instead of an executable file, communication destination detection information data 111 or response content detection information data In 113, the corresponding communication destination URI and the file name may be recorded, and the document browsing file or the document creation file may be returned as an alternative file in the same manner as the execution format file. As a result, it is possible to call attention even if the file is not an executable format. In this case, when an alternative file is executed on the client terminal 117, a document file describing that an illegal file has been executed is displayed in a pop-up.
Moreover, the method of the above Example is applicable also to the malware which acquires an HTML file. When the malware executed on the client terminal acquires an HTML file into which malicious code has been injected and attempts to deploy it on the browser, these behaviors are detected by this malware alert device and a warning message is displayed. By responding with the HTML file in which the code to be embedded is responded, it is possible to display a message indicating that there has been an illegal HTML file acquisition request on the client terminal.

In the second embodiment, for the communication from the client terminal 117 that is not necessarily illegal, the operator of the client terminal 117 determines whether the communication from the client terminal 117 is permitted or not. Then, information on how much communication by all operators of the client terminal of the organization is permitted for communication from a certain client terminal 117 is recorded, and as a result, the communication destination from the client terminal 117 is invalid. Final decision is made as to whether or not it is illegal. Therefore, in this embodiment, in addition to the communication destination detection information data 111, the request content detection information data 112, and the response content detection information data 113, which are used to make a positive determination for the communication from the client terminal 117. Thus, even for communications that are not necessarily illegal, record information data is created and communication information is recorded. As a result, the number of cases where the employees of the organization allow or disallow communication to a communication destination that is not necessarily illegal is counted, and whether the communication destination is dangerous based on the statistical results. It can be determined whether or not.
The recording information data used for the above purpose is the communication destination detection information data B and the request content detection as in the communication destination detection information data 111, the request content detection information data 112, and the response content detection information data 113 shown in FIG. Information data B and response content detection information data B are assumed. The communication destination detection information data B includes a suspected positive communication destination information ID and a suspected positive communication destination URI, and the request content detection information data B includes a suspected positive request content information ID and suspected positive User-Agent information. The response content detection information data B is assumed to have a false positive response content information ID, a false positive filename information, and a false positive fileHash information.

  FIG. 13 is a diagram illustrating a configuration example of a network including the malware alerting device 101 in the present embodiment. The same components as those in the first embodiment are denoted by the same reference numerals, and the description thereof will be omitted. Hereinafter, differences from the first embodiment will be mainly described.

  As illustrated in FIG. 13, the malware alert device 101 according to the second embodiment includes a recorded information update function 1301, a false positive communication destination detection information data, a false positive request content detection information data, and a false positive response content detection information. Data and communication permission status record data 1305.

  The record information update function 1301 is a function for referring to the communication permission information record data 1305 and determining whether communication to the Internet 119 is illegal based on the result. The record information update function 1301 performs processing to determine whether the false positive detection information data is transferred to the positive detection information data or deleted.

  The false positive communication destination detection information data is data that records communication destination information that may be illegal on the Internet 119, and the false positive request content detection information data is an illegal possibility in communication to the Internet 119. This is data in which a request content is recorded, and the false positive response content detection information data is data in which file information that can be obtained from the Internet 119 and that may be illegal is recorded. If the information of communication performed on the client terminal 117 matches any record information of the false positive communication destination detection information data, the false positive request content detection information data, and the false positive response content detection information data, the client terminal A program for causing the operator 117 to determine whether to permit the communication is executed.

  The communication permission status record data 1305 is the operation of the client terminal 117 with respect to the communication information recorded in each of the false positive communication destination detection information data, the false positive request content detection information data, and the false positive response content detection information data. This is data that records whether the person has permitted or disallowed communication including the communication information.

  FIG. 14 is a diagram illustrating an example of the alert format information data 114 in the present embodiment. FIG. 14 is configured by adding a false positive communication destination detection result 1401, a false positive request content detection result 1402, and a false positive response content detection result 1403 to FIG. 5. The false positive communication destination detection result 1401, the false positive request content detection result 1402, and the false positive response content detection result 1403 are a false positive communication destination information ID, a false positive request content information ID, and a false positive response content information ID, respectively. Represents information.

  FIG. 15 is a diagram illustrating an example of the communication permission information recording data 1305. As shown in FIG. 15, the communication permission information record data 1305 includes a communication permission information ID 1501, a permission determination number 1502, a non-permission determination number 1503, a total input number 1504, a permission determination rate 1505, and a non-permission determination rate. 1506.

  The communication permission information ID 1501 represents information that can uniquely identify information related to communication permission.

  The permission determination number 1502 represents the total number when the operator of the client terminal 117 permits communication with respect to communication from a certain client terminal 117. In the permission judgment number 1502, the record information is updated in step 1602 of the record information update function 1301. Step 1602 will be described later with reference to FIG.

  The non-permission determination number 1503 represents the total number when communication from a certain client terminal 117 is prohibited by the operator of the client terminal 117. In the non-permission judgment number 1503, the record information is updated in step 1602 of the record information update function 1301. Step 1602 will be described later with reference to FIG.

  The total number of inputs 1504 represents the total number obtained by adding the permission judgment number 1502 and the non-permission judgment number 1503 corresponding to the permission judgment number 1502.

  The permission judgment rate 1505 represents the percentage of the total number of inputs 1504 corresponding to the permission judgment number 1502 in the permission judgment number 1502, and the non-permission judgment rate 1506 is a non-permission judgment number 1503 non-permission judgment number. The percentage of the total number of inputs 1504 corresponding to the permission judgment number 1503 is expressed as a percentage.

  Next, a processing procedure in the present embodiment will be described.

  A flow of processing of the malware alert device 101 in the present embodiment will be described.

  Basically, the processing is the same as that in FIG. 8 of the first embodiment, but the communication permission status record data update processing is inserted between step 803 and step 804 in FIG. 8 of the first embodiment.

  When the substitute file generated in step 803 including the alert program is executed on the client terminal 117 and the input of the button pressing by the operator of the client terminal 117 is accepted for the displayed message content, the recording is performed. By executing the information update function 1301, the button press input information by the operator of the client terminal 117 is recorded, and the communication permission status record data is updated based on the recorded button press input information (communication permission status). Record data update processing). The processing flow of the recording information update function 1301 will be described later with reference to FIG.

  Next, a processing flow of the communication destination determination function 108 in the present embodiment will be described.

  Basically, the processing is the same as that of FIG. 9 of the first embodiment. However, between step 904 and step 905 in FIG. A process and a false positive determination process for the response content are inserted.

  The communication determination function 108 acquires URI information from a communication request from the client terminal 117. The suspected communication destination URI 1401 in the suspected positive communication destination detection information data acquires and outputs a suspected positive communication destination information ID such as the acquired URI information (communication destination suspected positive determination process). Note that the communication destination determination function 108 does not perform output when there is no corresponding false positive communication destination information ID in the false positive communication destination detection information data.

  The communication destination determination function 108 acquires user agent information from a communication request from the client terminal 117. Acquire and output a suspected positive request content information ID such that suspected positive User-Agent information in the suspected positive request content detection information data is the acquired user agent information (request suspected positive determination process). Note that the communication destination determination function 108 does not perform output when there is no corresponding suspected positive request content information ID in the suspected positive request content detection information data.

  The communication destination determination function 108 acquires a file name and a hash value from a file included in a response to the communication request from the client terminal 117. Acquire and output the false positive response content information ID such that the false positive filename information and the false positive fileHash information in the false positive response content detection information data are the acquired file name and hash value. Determination process). Note that the communication destination determination function 108 does not output the response content detection information data B113 when the corresponding false positive response content information ID does not exist. Further, when acquiring a hash value from a response to a communication request from the client terminal 117, a hash value automatic output tool may be used.

  Since the response file generation function is the same as that of the first embodiment, description thereof is omitted.

  FIG. 16 shows a processing flow of the message content determination function 110.

  Step 1101, step 1102, step 1103, step 1104, step 1105, step 1106, and step 1107 are the same as those described in FIG.

  The message content determination function 110 acquires the communication destination information ID 201, the request content information ID 301, and the response content information ID 401 output from the communication destination determination function 108 in step 902, step 903, and step 904, respectively. If any one of the acquired communication destination information ID 201, request content information ID 301, and response content information ID 401 is output, the process proceeds to step 1103, and the communication destination information ID 201, request content information ID 301, response content information ID 401 is obtained. If none of these are output, the process proceeds to step 1602 (step 1601).

  The message content generation function 110 acquires the suspect positive communication destination information ID output by the communication destination determination function 108 in the communication destination suspect positive determination process. A suspect-positive communication destination URI such that the suspect-positive communication destination information ID in the suspect-positive communication destination detection information data matches the suspect-positive communication destination information ID output by the communication destination determination function 108 in the communication destination doubt-positive determination process. get. The message content generation function 110 implements a warning program so that the client terminal 117 displays a message on the client terminal 117 that there is a possibility that an unauthorized file has been acquired from an unauthorized communication destination. To do. Furthermore, a warning program is implemented so that the information of the acquired false positive communication destination URI information is displayed on the detection information detail display screen 1201 (step 1602). If the communication destination determination function 108 does not acquire a valid false positive communication destination information ID in the communication destination false positive determination process, the message content generation function 110 connects to an unauthorized communication destination, Does not generate a message about the presence or absence of acquisition behavior.

  The message content generation function 110 acquires the suspected positive request content information ID output by the communication destination determining function 108 in the request content suspected positive determination process. Suspicious User-Agent information such that the suspected positive request content information ID in the suspected positive request content detection information data matches the suspected positive request content information ID output by the communication destination determination function 108 in the suspected positive determination process of the requested content. To get. The message content generation function 110 implements a warning program so as to display a message on the client terminal 117 that the user request information from the client terminal 117 may contain unauthorized user agent information. . Furthermore, a warning program is implemented so that the information of the acquired false positive User-Agent information is displayed on the detection information detail display screen 1201 (step 1603). In the request content false positive determination process, if the communication destination determination function 108 does not acquire a valid false positive request content information ID, the message content generation function 110 generates a message regarding unauthorized user agent information. do not do.

  The message content generation function 110 acquires the suspected positive response content information ID output by the communication destination determining function 108 in the response content suspected positive determination process. Suspected positive response content information ID such that the suspected positive response content information ID in the suspected positive response content detection information data matches the suspected positive response content information ID output by the communication destination determination function 108 in the suspected positive determination process of the response content; Get false positive fileHash information. The message content generation function 110 displays an alert program to display on the client terminal 117 a message indicating that an illegal file may be included in the response content to the communication request from the client terminal 117. Implement. Further, a warning program is implemented so that the acquired false positive filename information and information of the false positive fileHash information are displayed on the detection information detail display screen 1201 (step 1604). In the response content doubt-positive determination process, when the communication destination determination function 108 does not acquire a valid question-positive response content information ID, the message content generation function 110 generates a message regarding acquisition of an illegal file. do not do.

  The message content determination function 110 implements an alert program so that the communication permission determination content 1802, the permission input button 1803, and the non-permission input button 1804 are displayed on the client terminal 117 (step 1605). The communication permission determination content 1802, the permission input button 1803, and the non-permission input button 1804 will be described later with reference to FIG.

  FIG. 17 shows a processing flow of the record information update function 1301.

  Step 1102 is the same as that in FIG. 11, and step 1601 is the same as that in FIG.

  The recorded information update function 1301 includes the suspect-positive communication destination information output by the communication destination determination function 108 in the suspect-positive determination process of the communication destination, the suspect-positive determination process of the request content, and the suspect-positive determination process of the response content. ID, false positive request content information ID, and false positive response content information ID are acquired. When a terminal operator inputs a permission input button 1803 or a non-permission input button 1804 in response to a message displayed on the client terminal 117, if the permission input button 1803 is input, the record information update function 1301 Is the number of permission judgments such that the communication permission information ID 1501 in the communication permission status record data 1305 is one of the acquired false positive communication destination information ID, the false positive request content information ID, and the false positive response content information ID. If the numerical value of 1502 is incremented by 1 and the non-permission input button 1804 is input, the recording information update function 1301 indicates that the communication permission information ID 1501 in the communication permission status recording data 1305 is the suspected positive communication destination information ID and the suspicion. Number of non-permitted judgments that is either a positive request content information ID or a false positive response content information ID 1 03 of the numerical value, to + 1. At this time, the numerical values of the total number of inputs 1504, the permission determination rate 1505, and the disapproval determination rate 1506 also change in a similar manner corresponding to the change in the values of the permission determination number 1502 and the non-permission determination number 1503 (step 1702). ).

  The record information update function 1301 newly reads one line from the communication permission status record data 1305 and refers to it (step 1703). The permission input button 1803 and the non-permission input button 1804 will be described later with reference to FIG.

  The record information update function 1301 acquires the numerical value of the total number of inputs 1504 and the numerical value of the non-permission determination rate 1506 in the row referred to in step 1703. The numerical value of the total number of inputs 1504 exceeds a certain threshold A (for example, 30% of the total number of client terminals in the organization), and the numerical value of the non-permission judgment rate 1506 is a certain threshold B (for example, 60%) If the number of inputs does not exceed a certain threshold A or the number of non-permission judgment rates 1506 does not exceed a certain threshold B, the process proceeds to step 1705. Proceed to 1706 (step 1704). Here, it is assumed that the certain threshold A and the certain threshold B are set in advance by the administrator of the malware alerting device 101. Further, the certain threshold A may be determined in proportion to the number of client terminals 117 in the organization.

  The recorded information update function 1301 acquires the communication permission information ID 1501 in the row referenced in step 1703. When the acquired communication permission information ID 1501 is the false positive communication destination information ID in the false positive communication destination detection information data, the recorded information update function 1301 displays the information of the false positive communication destination URI referred to in step 1703 as the communication destination. The information of the line copied in the lowermost line of the communication destination information ID 201 in the detection information data 111 and referenced in step 1703 is deleted from the false positive communication destination detection information data. If the acquired communication permission information ID 1501 is a false positive request content information ID in the false positive request content detection information data, the recorded information update function 1301 requests the information of the suspect User-Agent information ID 1501 referenced in step 1703. The information of the line copied in the lowest line of the request content information ID 301 in the content detection information data 112 and referenced in step 1703 is deleted from the false positive request content detection information data. When the acquired communication permission information ID 1501 is a false positive response content information ID in the false positive response content detection information data, the recorded information update function 1301 displays the false positive filename information and the false positive fileHash information referred to in step 1703. The information of the line copied to the response content information ID 401 in the response content detection information data 113 and referenced in step 1703 is deleted from the false positive response content detection information data (step 1705).

  The record information update function 1301 acquires the numerical value of the total number of inputs 1504 and the numerical value of the permission determination rate 1505 in the row referenced in step 1703. If the numerical value of the total number of inputs 1504 exceeds a certain threshold A and the numerical value of the permission judgment rate 1505 exceeds a certain threshold C (for example, 80%), the process proceeds to step 1707 and the total number of inputs 1504 is reached. If the numerical value does not exceed a certain threshold A or the numerical value of the permission judgment rate 1505 does not exceed a certain threshold C, the process proceeds to step 1708 (step 1706). Here, the certain threshold value A and the certain threshold value C are set in advance by the administrator of the malware alerting device 101, and the certain threshold value A is a certain value determined in step 1704. It is assumed that the value is the same as the threshold value A.

  The record information update function 1301 deletes the row information referenced in step 1703 from the communication permission status record data 1305 (step 1707).

  If the row read in step 1703 is the last row in the communication permission status record data 1305, the record information update function 1301 proceeds to step 1709, and if it is not the last row in the communication permission status record data 1305, the step The process proceeds to 1703 (step 1708).

  FIG. 18 is an example of a message screen output by the message content determination function 110 when processing proceeds from step 1601 in the message content determination function 110 to step 1602. The message screen in FIG. 18 includes a detection information detail display screen 1201, a communication permission determination content 1802, a permission input button 1803, and a non-permission input button 1804. The detection information detail display screen 1201 is the same as that shown in FIG.

  The communication permission determination content 1802 determines to the operator of the client terminal 117 whether the communication request from the detected client terminal 117 is permitted or not permitted for the communication to the Internet 119. Indicates a message to ask.

  The permission input button 1803 is an input button that is pressed by the operator of the client terminal 117 when the operator of the client terminal 117 determines that communication to the Internet 119 is permitted. The record information update function 1301 updates the communication permission status record data 1305 using the operation result of the permission input button 1803.

  The non-permission input button 1804 is an input button that is pressed by the operator of the client terminal 117 when the operator of the client terminal 117 determines that communication to the Internet 119 is not permitted. The record information update function 1301 updates the communication permission status record data 1305 using the operation result of the permission input button 1803.

  When the alert program is executed on the client terminal 117 and the message screen shown in FIG. 18 is displayed, the alert specification 1 for locking the operation of the client terminal 117 and the client terminal 117 are displayed as in the first embodiment. Alert specification 2 that emits an alert sound is executed. As for the procedure for installing alert specification 1 and alert specification 2 in the alert program, the alert specification 1 presence / absence information 506 and the alert specification 2 presence / absence information 507 in the alert format information data 114 are the same as in the first embodiment. It is determined.

  In addition, it is possible to implement a method for alerting the user that malware has been executed in the past by using the method of the above embodiment. First, in the malware alert device 101, communication logs of client terminals in the organization are accumulated. Next, in the method of the present embodiment, when communication information of a certain malware is registered from the false positive communication information data to the positive communication information data, whether there is a log related to the same malware from the accumulated communication logs of the client terminals. If the corresponding log exists, the client terminal that has transmitted the corresponding log is notified that unauthorized malware has been executed in the past. Thereby, it is possible to call attention regarding malware executed in the past. Here, as a method of notifying that the malware has been executed in the past, the notification is made by e-mail, or when the malware alert device receives a file acquisition request communication from the notification target client terminal or the HTML communication, the client terminal You can respond to the alert message.

  Further, the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope in the implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, the constituent elements over different embodiments may be appropriately combined.

101: Malware warning device 108: Communication destination determination function 109: Response file generation function 110: Message content determination function 111: Communication destination detection information data 112: Request content detection information data 113: Response content detection information data 114: Alert format information Data 115: Client environment data 116: DL file processing content data

Claims (8)

A malware alert device connected to a terminal via a network,
A communication destination determination unit that analyzes a request for acquiring a second file transmitted from the terminal by the first file executed on the terminal;
In response to the determination result of the communication destination determination unit, a response file generation unit that generates a third file that replaces the second file;
An interface unit for transmitting the third file to the terminal;
A malware alert device characterized by comprising: In the malware alert device according to claim 1,
The malware alerting device, wherein the response file generating unit generates the third file based on pre-defined camouflage processing information. In the malware alert device according to claim 2,
The malware characterized in that the response file generation unit acquires a communication destination of the first file, communication request contents, and communication response contents, and generates the third file based on each acquired information. Alert device. In the malware alert device according to claim 3,
The malware alerting device, wherein the response file generation unit generates the third file based on hash information of the second file included in the response content. A malware alert method in a malware alert device connected to a terminal via a network,
A communication destination determination step of analyzing a request for acquiring a second file transmitted from the terminal by the first file executed on the terminal;
In response to the determination result of the communication destination determination step, a response file generation step of generating a third file that replaces the second file;
Transmitting the third file to the terminal;
A malware alert method characterized by comprising: In the malware alert method according to claim 5,
The malware alerting method, wherein the response file generating step generates the third file based on pre-defined camouflage processing information. In the malware alert method according to claim 6,
The response file generating step acquires the communication destination of the first file, the communication request content, and the communication response content, and generates the third file based on each acquired information. Attention method. In the malware alert method according to claim 7,
The method for alerting malware, wherein the response file generation step generates the third file based on hash information of the second file included in the response content.

Images