In recent years, cyber attacks on networks have become more frequent. One example is a brute force attack on an administrator user name such as “admin” at a hosting provider, carried out in order to obtain the password. As cyber attacks have become more frequent, the damage they cause has also become more serious. Against these cyber attacks, the provider managing a communication device that has received an attack responds by taking a countermeasure in which the IP address of the attack source is identified and communications from that address are blocked.
A security device called an Intrusion Detection System (IDS) is known for monitoring cyber attacks. As a general rule, an IDS determines whether or not packets flowing in a network match the pattern of an unusual incident such as a cyber attack, and records a log entry when they do. This determination is made either by checking whether the packets fit patterns of unusual incidents that are registered beforehand or by comparing them with past patterns.
A Managed Security System (MSS) is also known. This is a security system that includes a security device such as an intrusion detection system and assists in the operation of that device, for example by performing pattern analysis on the logs the security device collects.
Further, a log analysis device that analyzes the log output by an intrusion detection system is known.
In one example of a log analysis device, a distribution of time values, representing the arrival intervals or the duration of events recorded in a past time period, is first generated, and a theoretical statistical distribution is then generated from the average value and the standard deviation of that distribution. Next, a correlation coefficient is calculated that represents the correlation between the distribution of time values of the events recorded during a prescribed time period as the analysis target and the theoretical statistical distribution, and the events as analysis targets are determined to be unusual when the value of the correlation coefficient is equal to or smaller than a prescribed value.
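The correlation-based analysis just described, as an added Python example that is not code from the page or from any device it describes. The 20-second bin width, the normal model built from the baseline mean and standard deviation, the 0.5 threshold as the "prescribed value", and the event timestamps are all assumptions or constructed data.

```python
import math
from statistics import mean, pstdev

BIN_WIDTH = 20.0    # seconds per histogram bin (assumed analysis granularity)
N_BINS = 6          # bins cover intervals of 0..120 s; longer intervals land in the last bin
R_THRESHOLD = 0.5   # the "prescribed value": r at or below this marks the window unusual (assumed)

def arrival_intervals(timestamps):
    """Seconds between consecutive events: the time values the analysis is built on."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]

def interval_histogram(intervals):
    """Distribution relating to time values: event count per fixed-width interval bin."""
    counts = [0] * N_BINS
    for v in intervals:
        counts[min(int(v // BIN_WIDTH), N_BINS - 1)] += 1
    return counts

def theoretical_distribution(past_intervals):
    """Normal density at each bin centre, from the baseline (past period) mean and std dev."""
    mu, sigma = mean(past_intervals), pstdev(past_intervals)
    sigma = max(sigma, 1e-9)  # keep the model finite if the baseline never varies
    centres = [(i + 0.5) * BIN_WIDTH for i in range(N_BINS)]
    return [math.exp(-((c - mu) ** 2) / (2 * sigma ** 2)) / (sigma * math.sqrt(2 * math.pi))
            for c in centres]

def correlation(xs, ys):
    """Pearson correlation coefficient; 0.0 when either side has no variance."""
    mx, my = mean(xs), mean(ys)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    return 0.0 if sxx == 0 or syy == 0 else sxy / math.sqrt(sxx * syy)

def analyse_window(past_timestamps, window_timestamps):
    """Return (r, is_unusual) for an analysis-target window judged against the baseline."""
    model = theoretical_distribution(arrival_intervals(past_timestamps))
    observed = interval_histogram(arrival_intervals(window_timestamps))
    r = correlation(observed, model)
    return r, r <= R_THRESHOLD

def _timestamps(gaps, start=0.0):  # constructed-data helper: turn gaps into event times
    out = [start]
    for gap in gaps:
        out.append(out[-1] + gap)
    return out

# Constructed sample data, not from the page: baseline log-in events about a minute apart,
# a similarly paced analysis window, and a window of rapid attempts half a second apart.
PAST = _timestamps([55, 62, 48, 71, 59, 66, 53, 64, 58, 70, 45, 61, 67, 52, 60])
NORMAL_WINDOW = _timestamps([57, 63, 50, 68, 61, 55, 72, 59])
BRUTE_FORCE_WINDOW = _timestamps([0.5] * 8)
```

Because Pearson's r is invariant to positive scaling, the raw normal density can be correlated directly with the bin counts without rescaling it to the window size.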
Another log analysis device obtains statistical information by converting into a frequency the event information detected by a security device, such as an intrusion detection system (IDS) or a firewall (FW) provided in a network, obtains frequency component information by performing frequency resolution on that statistical information, and determines the occurrence tendency of incidents from the frequency components. With this configuration, the log of a security device that has recorded one or more attacks occurring in a network is characterized efficiently, and an unusual change in it is detected so that a complex incident can be detected. An incident, as used herein, is an event related to computer security.
In yet another log analysis device, a parameter used for the analysis is first extracted from the log, and an abnormal value relating to the degree of abnormality of the network is extracted based on the number of events belonging to that parameter. Next, the transition of the number of future events is predicted objectively by calculating the conditional probability that a prescribed event will occur when a prescribed condition related to that abnormal value is met; for example, the conditional probability that a prescribed incident will occur is calculated. Examples of parameters are Attack Signature, Source/Destination Port, Source/Destination ID, etc., which are recorded in logs output from network devices such as an intrusion detection system, a router, a firewall, etc. Examples of abnormal values are the ratio in a ratio analysis, and the upper rarity and the lower rarity in a probability analysis.
With this type of log analysis device, attacks can be detected in particular when the number of attacks is great, such as 100 times per minute, and the same attack pattern is repeated, for example with the same attack source and the same attack target over all attacks. The attack source and the attack target may be identified by the attack source IP address and the attack target IP address.
In recent years, attackers using brute force attacks have adopted arrangements for avoiding detection by security devices such as an Intrusion Detection System (IDS): attacks are carried out intermittently on a plurality of attack targets from different attack sources, or the number of times an attack such as a log-in attempt is made from a single attack source, from the start to the end of the attack, is reduced. Accordingly, there is a problem in that the log of a security device has to be analyzed over a long period of time in order to identify the attack sources of this type of attack.