1. Field of the Invention
The present invention relates to a communications state transition monitoring method for detecting unauthorized access in communications systems that utilize a network, and a communications state transition monitoring device that utilizes this method, and further relates to a communications state transition monitoring program and a computer-readable recording medium on which this program is recorded.
2. Description of the Related Art
Recognition that ensuring security during the use of the internet is an important task has already penetrated society in general. Even in cases where there is no physical harm, the leakage or destruction of information may cause great damage to society or organizations. At the current time, with the internet in general use as a means of connecting computers, maximum precautions need to be taken with regard to the transmission and management of information via the internet. Currently, along with firewalls, intrusion detection systems (hereafter referred to as “IDS”) are utilized as a means of improving safety.
Such an IDS is a system which checks whether there is any intrusion, or any advance sign of intrusion, by examining the status of computer files and the packets that flow through networks. There are also systems which have the function of cutting off the communications involved in cases where intrusion is detected in some area. Such systems are also distinguished by the use of the name IPS, IDP or the like; in the present specification, however, systems with such a protective function will be included in the category of IDS. In existing IDS, erroneous detection, in which behavior that is not intrusive is recognized as intrusive, and the resulting production of extremely large amounts of log data may occur. This is a serious problem in the utilization of IDS. In order to improve the precision with which such intrusion is detected, a log analysis function has been added to IDS; however, the problem of the production of extremely large amounts of log data lies in the background of such a function. The present inventor believes that the cause of this production of extremely large amounts of log data is to be found in the difficulty of setting intrusion detection policies. In other words, since it is difficult to describe policies by narrowing down the types of events that are to be detected, the description of policies becomes partial and fragmented; as a result, it appears that the role of extracting the events that were originally to be detected is relegated to the log analysis function.
It is a basic object of the present invention to provide an IDS system in which the policy descriptiveness is improved so that events that are to be detected can be accurately described in terms of policy, thus preventing an increase in the detection flow so that the log output amount can be reduced and the precision with which intrusion is detected can be heightened. Currently, the setting of intrusion detection policy is generally accomplished by a skilled person (hereafter called a “network specialist”) experienced in packet analysis, with knowledge of the fourth level of the OSI model, i.e., TCP or IP (hereafter referred to as a “lower level”), or lower, utilizing a policy that is distributed by the software vendor or the like, or using his own description. In this method, however, only some specialists such as network specialists perform policy setting and monitoring, so that it is difficult to expand the stratum of persons utilizing such IDS as a security tool. Furthermore, it would appear that the set content of such policy could be made more precise, i.e., that the unauthorized behavior that is to be detected could be defined more accurately, by performing not only monitoring at lower levels but also monitoring of command utilization at the fifth level of OSI or higher (hereafter referred to as “higher levels”); however, network specialists do not always have a thorough knowledge of application command systems or of the correct utilization methods of such systems. On the other hand, there are also persons who have a deep capacity for the analysis of higher levels such as various applications, even though these persons may have little knowledge of lower levels (such persons will hereafter be referred to as “persons experienced in applications”). If persons experienced in applications can describe intrusion detection policies, more accurate policy description becomes possible at higher levels.
In other words, in order to heighten the precision of intrusion detection, it is necessary to describe the policy as a whole accurately from lower levels to higher levels. In order to accomplish this, it would appear that a structure that allows a division of policy description work in which network specialists are responsible for the description of policies at lower levels while persons experienced in applications are responsible for the description of policies at higher levels is required in IDS.
Before the current state of existing systems is discussed, the functions that constitute an IDS will be defined. A reference model, i.e., Common Intrusion Detection Framework (CIDF), is proposed in the reference “Internet Security Systems. Real Secure Network Sensor Policy Guide Version 7.0, http://www.isskk.co.jp/manual/RS_NetSensor_PG—7.0j_pdf, 2002”. This reference model proposes event generators, event analyzers, response units and event databases as IDS constituent functions. In the present specification, the subject will be discussed using a model [a] in which the portion comprising these event generator functions is divided into data collection and data generation functions, and [b] which is constructed from the following six functions with the log analysis function added: data collection function (data collection), data generation function (data generation), data analysis function (data analysis), action function (action), recording function (record) and log analysis function (log analysis) (see FIG. 11). Below, furthermore, in order to simplify the description, the unauthorized access processing system (cracking analyzer) will be called the “CA”, the data collection function and data generation function in this CA will be referred to collectively as the “CAPS” (cracking analysis protocol stack), and the data analysis function and action function will be referred to collectively as the “AA” (application analyzer).
The development of IDS has been performed actively, whether as commercial products or freeware; “RealSecure Network Sensor”, “Dragon Host Sensor”, “Cisco IDS”, “Snort”, “Tripwire” and the like have been developed. The former three systems are commercial products, while the latter two systems are freeware. The present applicant et al. have also proposed a network irregularity analysis method, which is a method for analyzing irregularities in a network constructed so that communications are performed according to a hierarchical protocol among information communications stations, comprising: a data collection step in which packets transmitted on the abovementioned network are taken in; a data generation step in which the parameters of hierarchical modules corresponding to the hierarchical protocol are set on the basis of information designated by a configuration file that has been read in beforehand, and analysis data is generated by filtering the packets from the abovementioned data collection step using the abovementioned respective hierarchical modules and reconstructing the finely divided data of the abovementioned packets up to a hierarchy level that is set beforehand; and a data analysis step in which a judgment is made as to whether or not an irregularity has occurred in the analysis data from the abovementioned data generation step, on the basis of the content designated by the configuration file that has been read in beforehand (laid open by the Japanese Patent Office on Nov. 24, 1998 as publication of Japanese Patent Application No. 10-313341 “Network Irregularity Analysis Method, Network Irregularity Analysis Device Utilizing This Method, and Computer-Readable Recording Medium on Which a Network Irregularity Analysis Program is Recorded”).
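The six-function model defined above (data collection, data generation, data analysis, action, record, log analysis) and the earlier applicant's method of reconstructing packets through hierarchical modules up to a level set in a configuration file can be illustrated with a small added example. This is not the patent's own code or any product's code; the packets, module names (`ip_module`, `tcp_module`, `ftp_module`), configuration keys and rules are all constructed for illustration. It also shows the point made in the description of the related art: a lower-level rule of the kind a network specialist writes and a higher-level rule of the kind a person experienced in applications writes can coexist in one policy, but the higher-level rule can only fire when reconstruction is carried up to the application level.

```python
from collections import Counter

# Constructed sample packets (not captured traffic), in the raw form the data
# collection function would take in from the network.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.10", "proto": "tcp", "sport": 40001, "dport": 21, "payload": b"USER alice\r\n"},
    {"src": "10.0.0.5", "dst": "10.0.0.10", "proto": "tcp", "sport": 40001, "dport": 21, "payload": b"DELE report.txt\r\n"},
    {"src": "10.0.0.7", "dst": "10.0.0.10", "proto": "tcp", "sport": 40002, "dport": 23, "payload": b"login\r\n"},
    {"src": "10.0.0.9", "dst": "10.0.0.10", "proto": "udp", "sport": 5353, "dport": 53, "payload": b"\x00\x01"},
]

# Hierarchical modules (hypothetical names). Each adds the fields of its own
# level to the record built so far, or returns None when the packet does not
# belong to that level, which ends reconstruction for that packet.
def ip_module(rec, pkt):
    rec.update(src=pkt["src"], dst=pkt["dst"], proto=pkt["proto"])
    return rec

def tcp_module(rec, pkt):
    if pkt["proto"] != "tcp":
        return None
    rec.update(sport=pkt["sport"], dport=pkt["dport"])
    return rec

def ftp_module(rec, pkt):
    if rec.get("dport") != 21:
        return None
    text = pkt["payload"].decode("ascii", "replace").strip()
    cmd, _, arg = text.partition(" ")
    rec.update(command=cmd.upper(), argument=arg)
    return rec

# Lowest level first; the configuration names the level up to which to reconstruct.
MODULES = [("ip", ip_module), ("tcp", tcp_module), ("ftp", ftp_module)]

# Constructed configuration: one lower-level rule (network specialist) and one
# higher-level rule (person experienced in the application). "reconstruct_to"
# is the hierarchy level that is set beforehand.
CONFIG = {
    "reconstruct_to": "ftp",
    "rules": [
        {"name": "telnet-to-server", "match": {"proto": "tcp", "dport": 23}, "action": "alert"},
        {"name": "ftp-delete",       "match": {"command": "DELE"},           "action": "block"},
    ],
}

def data_generation(pkt, reconstruct_to):
    """Filter the packet through the hierarchical modules up to the set level."""
    rec = {}
    for level, module in MODULES:
        result = module(dict(rec), pkt)
        if result is None:
            break
        rec = result
        if level == reconstruct_to:
            break
    return rec

def data_analysis(rec, rules):
    """A rule matches when every field it names is present with the given value."""
    return [r for r in rules if all(rec.get(k) == v for k, v in r["match"].items())]

def action(matches):
    """The strongest requested action wins: block over alert over pass."""
    actions = {r["action"] for r in matches}
    if "block" in actions:
        return "block"
    return "alert" if "alert" in actions else "pass"

def record(log, rec, matches, verdict):
    """Recording function: one log entry per packet that matched at least one rule."""
    if matches:
        log.append({"verdict": verdict, "rules": [r["name"] for r in matches], "data": rec})

def log_analysis(log):
    """Log analysis function: count how often each rule fired."""
    return Counter(name for entry in log for name in entry["rules"])

def run_ca(packets, config):
    """Cracking analyzer: CAPS (collection + generation) feeding the AA (analysis + action)."""
    log, verdicts = [], []
    for pkt in packets:                                   # data collection
        rec = data_generation(pkt, config["reconstruct_to"])
        matches = data_analysis(rec, config["rules"])
        verdict = action(matches)
        record(log, rec, matches, verdict)
        verdicts.append(verdict)
    return verdicts, log

if __name__ == "__main__":
    verdicts, log = run_ca(SAMPLE_PACKETS, CONFIG)
    print(verdicts, dict(log_analysis(log)))
    # With reconstruction stopped at the TCP level the higher-level rule can never fire.
    print(run_ca(SAMPLE_PACKETS, dict(CONFIG, reconstruct_to="tcp"))[0])
```

Running the pipeline with `reconstruct_to` set to `"ftp"` blocks the second packet and alerts on the third; with it set to `"tcp"` only the lower-level telnet rule can still match, because the `command` field that the application-level rule refers to is never generated. Only packets that matched a rule reach the record function, which is the mechanism by which a precise policy keeps the log volume down.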
Existing systems can be effectively utilized in existing places with existing materials; however, several problems have been pointed out in practical use. If these indicated problems are put in order, the problems that are to be solved in IDS may be summarized as follows:
(1) The setting of intrusion detection policies is difficult.
(2) The corresponding OS are limited.
(3) Performance is inadequate.
(4) Signal communications cannot be analyzed.
(5) The cost of introduction is high.
(6) Existing application boundaries must be altered.