The following references are related art relevant to a conventional unauthorized access information collection system, which monitors unauthorized access to a honeynet constructed of plural honey pots and collects unauthorized access information.
Patent Reference 1: JP-A-2002-111727
Patent Reference 2: JP-A-2004-234401
Patent Reference 3: JP-A-2006-025354
Patent Reference 4: JP-A-2006-099590
Patent Reference 5: JP-A-2006-243878
FIG. 17 is a block diagram showing one example of a conventional unauthorized access information collection system. In FIG. 17, numeral 1 is a terminal such as a computer used for gaining unauthorized access, numeral 2 is an unauthorized access information collection device for collecting unauthorized access information, numerals 3, 4 and 5 are honey pots, each being a decoy server or a decoy network device for luring a virus or an attacker, and numeral 100 is the Internet.
Numerals 2, 3, 4 and 5 together construct the unauthorized access information collection system, and numerals 3, 4 and 5 construct a honeynet.
The terminal 1 is mutually connected to the Internet 100 and also one communication unit (for example, a network interface) of the unauthorized access information collection device 2 is mutually connected to the Internet 100. Also, the other communication unit of the unauthorized access information collection device 2 is mutually connected to the honey pots 3, 4 and 5.
Also, FIG. 18 is a block diagram showing a concrete example of the unauthorized access information collection device 2. In FIG. 18, numeral 6 is a communication unit for conducting communication through the Internet 100, and numeral 7 is an arithmetic control unit such as a CPU (Central Processing Unit) for controlling the whole unauthorized access information collection device, and numeral 8 is a communication unit for conducting communication through the honeynet, and numeral 9 is a storage unit such as a hard disk, ROM (Read Only Memory) or RAM (Random Access Memory). Also, numerals 6, 7, 8 and 9 construct an unauthorized access information collection device 50.
The communication unit 6 is mutually connected to the Internet 100 (not shown) and also the input and output are mutually connected to the arithmetic control unit 7. On the other hand, the communication unit 8 is mutually connected to the honeynet (not shown) and also the input and output are mutually connected to the arithmetic control unit 7. Also, input and output of the storage unit 9 are mutually connected to the arithmetic control unit 7.
An action of the conventional example shown in FIG. 17 will now be described with reference to FIGS. 19, 20, 21 and 22. FIG. 19 is a flowchart explaining an action of the arithmetic control unit 7 at the time of inbound communication (packet reception from the Internet side), FIG. 20 is an explanatory diagram explaining an action at the time of inbound communication, FIG. 21 is a flowchart explaining an action of the arithmetic control unit 7 at the time of outbound communication (packet reception from the honeynet side), and FIG. 22 is an explanatory diagram explaining an action at the time of outbound communication.
First, a global IP (Internet Protocol) address (hereinafter simply called a global address) is allocated to each of the honey pots 3, 4 and 5 constructing the honeynet. The MAC (Media Access Control) address and the global address of each of the honey pots 3, 4 and 5 are registered in an address table, and the address table is previously stored in the storage unit 9 of the unauthorized access information collection device 50.
Also, limit information specifying, for a destination global address at the time of outbound communication, whether an IP (Internet Protocol) packet (hereinafter simply called a packet) is, for example, to be discarded or transferred to the Internet side is set in a communication control list. The communication control list is previously stored in the storage unit 9 of the unauthorized access information collection device 50.
At the time of inbound communication (packet reception from the Internet side), in “S001” in FIG. 19, the arithmetic control unit 7 decides whether or not a packet is received from the terminal 1 of the Internet side through the communication unit 6. If deciding that the packet is received from the terminal 1 of the Internet side, the arithmetic control unit 7 searches the address table previously stored in the storage unit 9 to check whether or not a destination MAC address corresponding to the destination global address is registered in it, in “S002” in FIG. 19.
When the arithmetic control unit 7 decides that the MAC address is present in the address list in “S003” in FIG. 19, the arithmetic control unit 7 records information about the received packet in a log file of the storage unit 9 in “S004” in FIG. 19 and also the arithmetic control unit 7 transfers the received packet to a honey pot corresponding to the MAC address in the honeynet side through the communication unit 8 in “S005” in FIG. 19.
For example, when receiving a packet whose destination global address is “IP01” from the terminal 1 located at the side of the Internet 100, as shown by “PC01” in FIG. 20, the unauthorized access information collection device 2 searches the address list. Then, when a MAC address “MC01” corresponding to the destination global address “IP01” is present in the address list, the unauthorized access information collection device 2 records the packet information in a log file in a text format and also transfers the received packet to the honey pot 3 whose MAC address is “MC01”.
On the other hand, in the case of deciding that the MAC address is not present in the address list in “S003” in FIG. 19, in other words, in the case where no honey pot to whose MAC address the packet could be transferred is present, the arithmetic control unit 7 discards the received packet in “S006” in FIG. 19.
For example, when receiving a packet whose destination global address is “IP05” from the terminal 1 located at the side of the Internet 100, as shown by “PC02” in FIG. 20, the unauthorized access information collection device 2 searches the address list. Then, when no MAC address corresponding to the destination global address “IP05” is present, in other words, when no honey pot to whose MAC address the packet could be transferred is present, the unauthorized access information collection device 2 discards the received packet.
Also, at the time of outbound communication (packet reception from the honeynet side), in “S101” in FIG. 21, the arithmetic control unit 7 decides whether or not a packet is received from a certain honey pot located at the honeynet side through the communication unit 8. Then, in the case of deciding that the packet is received from the certain honey pot located at the honeynet side, the arithmetic control unit 7 searches the communication control list to check whether or not limit information about the destination private address is registered in it, in “S102” in FIG. 21.
When the arithmetic control unit 7 decides that the limit information about the destination private address is not present in the communication control list in “S103” in FIG. 21, the arithmetic control unit 7 records information about the received packet in a log file of the storage unit 9 in “S104” in FIG. 21 and also the arithmetic control unit 7 transfers the received packet to a terminal corresponding to a destination global address located at the Internet side through the communication unit 6 in “S105” in FIG. 21.
For example, when receiving from the honey pot 3 of the honeynet side a packet whose private address is “IP11”, as shown by “PC11” in FIG. 22, the unauthorized access information collection device 2 searches the communication control list. Then, when limit information corresponding to a destination private address “IP21” is not present, the unauthorized access information collection device 2 records information about the packet in a log file in a text format and also transfers the received packet to the terminal 1 whose destination global address is “IP11”.
On the other hand, in the case of deciding that the limit information is present in the communication control list in “S103” in FIG. 21, in other words, in the case where sending to the destination private address is limited, the arithmetic control unit 7 discards the received packet in “S106” in FIG. 21.
For example, when receiving from the honey pot 5 of the honeynet side a packet whose private address is “IP12”, as shown by “PC12” in FIG. 22, the unauthorized access information collection device 2 searches the communication control list. Then, when limit information corresponding to a destination private address “IP12” is present, in other words, when sending to that destination private address is limited, the unauthorized access information collection device 2 discards the received packet.
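The inbound path of FIG. 19 (address table lookup, log, forward or discard) and the outbound path of FIG. 21 (communication control list lookup, log, forward or discard) are small enough to model end to end. The following Python model is an added example written for this page; it is not code from the referenced patents. The address table, the control list entry “IP99” and the packet contents are constructed sample data, and the “ATTACKER” source label is a placeholder for the terminal 1 of the Internet side.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Packet:
    """Minimal packet model: only the fields the device inspects."""
    src: str           # source address
    dst: str           # destination address
    summary: str = ""  # free-text description written to the log


@dataclass
class CollectionDevice:
    """Model of the conventional unauthorized access information collection
    device sitting between the Internet (unit 6) and the honeynet (unit 8)."""
    # Address table held in storage unit 9: destination global address -> honey pot MAC.
    address_table: Dict[str, str]
    # Communication control list: destinations for which packets leaving the
    # honeynet carry limit information and are therefore discarded.
    limited_destinations: Set[str]
    # Log file: one text line per packet that passed through the device.
    log: List[str] = field(default_factory=list)

    def handle_inbound(self, pkt: Packet) -> Optional[str]:
        """Inbound path (FIG. 19, S002-S006). Returns the MAC address of the
        honey pot the packet was transferred to, or None when discarded."""
        mac = self.address_table.get(pkt.dst)          # S002: search address table
        if mac is None:
            return None                                 # S006: no honey pot, discard (not logged)
        self.log.append(f"IN src={pkt.src} dst={pkt.dst} mac={mac} {pkt.summary}")  # S004
        return mac                                      # S005: transfer via unit 8

    def handle_outbound(self, pkt: Packet) -> bool:
        """Outbound path (FIG. 21, S102-S106). Returns True when the packet is
        transferred to the Internet side, False when discarded."""
        if pkt.dst in self.limited_destinations:        # S102/S103: limit info present
            return False                                # S106: discard (not logged)
        self.log.append(f"OUT src={pkt.src} dst={pkt.dst} {pkt.summary}")  # S104
        return True                                     # S105: transfer via unit 6


def build_demo_device() -> CollectionDevice:
    """Constructed configuration: honey pots with global addresses IP01..IP03
    (IP01/MC01 as in FIG. 20) and one limited destination, IP99 (constructed)."""
    return CollectionDevice(
        address_table={"IP01": "MC01", "IP02": "MC02", "IP03": "MC03"},
        limited_destinations={"IP99"},
    )


def run_demo() -> dict:
    """Replays the four cases of FIGS. 20 and 22 against the constructed device."""
    dev = build_demo_device()
    results = {
        # PC01: registered honey pot -> forwarded to MC01 and logged
        "pc01": dev.handle_inbound(Packet("ATTACKER", "IP01", "probe")),
        # PC02: no honey pot has global address IP05 -> discarded
        "pc02": dev.handle_inbound(Packet("ATTACKER", "IP05", "probe")),
        # PC11: honey pot answering the attacker, no limit info -> forwarded and logged
        "pc11": dev.handle_outbound(Packet("IP01", "ATTACKER", "reply")),
        # PC12: honey pot trying to reach a limited destination -> discarded
        "pc12": dev.handle_outbound(Packet("IP03", "IP99", "outbound attempt")),
    }
    results["log_lines"] = len(dev.log)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

Two properties of the conventional flow become visible when it is run: only packets that are actually transferred reach the log file (S004 and S105 have a logging step, S006 and S106 do not), so discarded inbound probes and blocked outbound attempts from a compromised honey pot leave no record for later analysis; and the outbound decision is made purely on the destination address, with no per-honey-pot or per-protocol granularity.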
With such an action, information about packets passing through the unauthorized access information collection device 50 is recorded in a log file of the storage unit 9, so that unauthorized access to the honeynet by an attacker or a virus can be understood by analyzing the log file.
Also, since the unauthorized access information collection device 50 performs communication control of packets from the honeynet side to the Internet side based on the preset communication control list, it is possible, for example, to prevent a honey pot to which unauthorized access has been made from being used as a stepping stone for an attack on other networks.
As a result, because an unauthorized access information collection device is provided between the Internet and the honeynet, information about packets passing through the device is recorded, and communication from the honeynet side to the Internet side is controlled based on a set communication control list. It is therefore possible both to collect unauthorized access information and to prevent a honey pot to which unauthorized access has been made from being used as a stepping stone for an attack on other networks.