With the Internet's advance as social infrastructure, cyber attacks such as phishing and spam distribution have been increasing. Many of these attacks are carried out using malicious tools called malware, created by attackers. The attackers distribute the malware to users' terminals and servers, and remotely control it to take illegitimate control of those terminals and servers.
In recent years, much of the malware has been distributed over the hypertext transfer protocol (HTTP). One major cause is the spread of techniques that use the personal computers (PCs) of general users and web sites as steppingstones to hide the attack source. For example, the PCs of general users and web sites receive attacks that exploit vulnerabilities in operating systems (OSs), web browsers and their plug-ins, and web applications; they are infected with the malware and are then used as steppingstone PCs and steppingstone sites for new attacks.
As a system to protect against attacks that infect web sites with malware, a system has been employed in which a security appliance such as an intrusion detection system (IDS), an intrusion prevention system (IPS), or a web application firewall (WAF) monitors accesses to the web sites and filters any access whose characteristic information matches the characteristic information of an attack. To be specific, it is inspected whether the portion of the uniform resource locator (URL) of the access that indicates a destination parameter is a parameter included in a vulnerable program used for the attack. Further, a system that monitors accesses to the outside, which occur at the time of infection with the malware, and filters an access whose destination URL matches a malicious URL used for the attack, has been under examination.
A variety of techniques exist for finding malicious URLs. They can be roughly classified into techniques that find the malicious URL before it is used in user environments, by a decoy system such as a honeypot, and techniques that find the malicious URL after it has been used in user environments, by a log analysis technology, antivirus software, or the like. In the former, the attack can be detected with high accuracy by a honeypot having a function to grasp a characteristic of the attack or the behavior of the PCs and servers at the time the attack occurs. In the latter, the attack can be detected with high accuracy based on similarity between attacks observed in the past and the log. With either system, a URL determined to be malicious can be identified by extracting the destination URL from an external access in the identified attack. Hereinafter, a technique of finding the malicious URL is referred to as an “analysis technique”.
Patent Literature 1: Japanese Patent No. 4995170
Patent Literature 2: Japanese Patent No. 5411966
Patent Literature 3: Japanese Patent No. 5415390
However, the above-described conventional technologies have a problem in that detection omission of malicious URLs may occur when a URL list is created from the malicious URLs found by the analysis techniques.
To be specific, as described above, there is a wide variety of techniques for finding malicious URLs, and the detection accuracy varies among them. Meanwhile, in filtering using malicious URLs, the malicious URL list is used as a black list and needs to be imported into the security appliance, such as the IDS, IPS, or WAF, as a filter condition. The number of importable URLs has an upper limit due to processing performance. As a result, it is difficult to import all of the malicious URLs found by the techniques into the security appliance.
An analysis technique may or may not provide a score indicating the degree of maliciousness for each malicious URL it identifies. Further, the analysis techniques differ in their detection rate for finding malicious URLs and in their erroneous detection rate, at which a legitimate URL is erroneously detected as malicious. Further, the number of malicious URLs found may differ among the analysis techniques even when the same log is analyzed, and may differ for the same analysis technique when different logs are analyzed.
Conventionally, when the malicious URLs found by a plurality of analysis techniques are combined into one URL list, a priority is determined for each technique, and the URLs found by the analysis technique with the highest priority are preferentially written to the URL list. However, this approach impairs the diversity gained by using a plurality of analysis techniques, and may cause a decrease in the detection rate or an increase in the erroneous detection rate. A technique of writing the most recently found URLs to the URL list has also been examined. However, with this technique there remains a risk that the malicious URLs found by one specific analysis technique may dominate the URL list.
Therefore, a URL selection system is required that, for a plurality of analysis techniques, can write the output results of each technique to the URL list, and can write up to the maximum allowable number of URLs to the URL list.
The disclosed technology has been made in view of the foregoing, and its objective is to suppress the detection omission of malicious URLs when generating the URL list from the malicious URLs found by the analysis techniques.
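To make the selection problem concrete, the following Python illustration is added here; it is not part of the patent text and is not the disclosed system. A constructed set of outputs from three hypothetical analysis techniques is merged into a capped URL list, first by the conventional per-technique priority and then by a simple round-robin interleaving that keeps every technique represented while respecting the appliance's import limit.

```python
# Constructed sample output of three hypothetical analysis techniques
# (honeypot, log analysis, antivirus). URLs are placeholders, and
# "http://shared.test/x" is deliberately reported by two techniques.
ANALYZER_OUTPUT = {
    "honeypot": ["http://example-a.test/1", "http://example-a.test/2",
                 "http://example-a.test/3", "http://shared.test/x"],
    "log_analysis": ["http://example-b.test/1", "http://shared.test/x",
                     "http://example-b.test/2"],
    "antivirus": ["http://example-c.test/1"],
}


def merge_by_priority(outputs, priority, limit):
    """Conventional approach: fill the list from the highest-priority
    technique first. Returns {url: technique that contributed it}."""
    selected = {}
    for name in priority:
        for url in outputs.get(name, []):
            if len(selected) >= limit:
                return selected
            selected.setdefault(url, name)  # first reporter wins on duplicates
    return selected


def merge_round_robin(outputs, limit):
    """Take one not-yet-selected URL from each technique per round, so every
    technique contributes until the cap is reached or its output is exhausted."""
    selected = {}
    iters = {name: iter(urls) for name, urls in outputs.items()}
    while iters and len(selected) < limit:
        for name in list(iters):
            url = next(iters[name], None)
            while url is not None and url in selected:  # skip duplicates
                url = next(iters[name], None)
            if url is None:
                del iters[name]  # this technique has nothing left to add
                continue
            selected[url] = name
            if len(selected) >= limit:
                break
    return selected


def contributing_techniques(selected):
    """Set of techniques that actually placed a URL in the final list."""
    return set(selected.values())
```

With a cap of 4, the priority merge yields a list drawn entirely from the honeypot, whereas the round-robin merge contains a URL from each of the three techniques.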