FIG. 1 illustrates an example of a targeted attack in which confidential information of a specific organization is the target. In the example in FIG. 1, an attacker's terminal that is outside the internal network of the organization transmits instruction packets A to a terminal in the internal network (this terminal is the springboard). The springboard transmits packets B, which include a RAT (Remote Administration Tool), i.e. malware that is controlled remotely, to another terminal in the internal network (this terminal is the target), and causes the target to execute the malware. The target creates a new connection to the attacker's terminal and transmits packets C, which include internal information of the target, to the attacker's terminal. Furthermore, the target can also be used as a new springboard for spreading the RAT. Hereafter, spreading the RAT within the internal network of an organization will be called RAT propagation.
A signature method is known as a technique for detecting malware. The signature method is a technique that detects malware by defining a pattern of communication data for each kind of malware, and then comparing communication data that flows over a network with the patterns. However, in the signature method, it is only possible to detect malware for which patterns have already been created, and it is not possible to detect customized malware that has been uniquely developed. In RAT propagation, an artful RAT that has been uniquely developed may be used, so it may not be possible to detect an attack using the signature method.
Moreover, because packets related to RAT propagation are transmitted together with normal packets, it is difficult to determine whether or not there is RAT propagation based on a single packet. For example, in the example in FIG. 1, the packets A and the packets C are disguised as normal web-access packets, so whether or not there is RAT propagation cannot be determined by simply checking an individual packet. On the other hand, because plural terminals are involved in RAT propagation, there is a further problem that it is difficult for a single device to collect all packets related to RAT propagation from the internal network without missing any of them.
Furthermore, because the packets related to RAT propagation are only a small part of the packets that are transferred over a network, the processing load and the communication load become enormous when a method of simply collecting and checking all of the packets in a network is used. Conventional techniques have not sufficiently addressed the problems described above.
In other words, there is no conventional art that properly detects an attack by a RAT.
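As an added illustration that is not part of the patent text, the following Python sketch correlates flow records to find the A → B → C chain of FIG. 1, which a single-packet check cannot see; the internal address range, the time window and the sample flows are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Iterable

@dataclass(frozen=True)
class Flow:
    t: float   # seconds since capture start
    src: str   # host that opened the connection
    dst: str   # host that answered it

def is_internal(ip: str) -> bool:
    # Assumption: the organization's internal network is 10.0.0.0/24
    return ip.startswith("10.0.0.")

def perimeter_endpoints(f: Flow):
    """Return (external, internal) for a flow crossing the perimeter, else None."""
    if is_internal(f.src) != is_internal(f.dst):
        return (f.dst, f.src) if is_internal(f.src) else (f.src, f.dst)
    return None

def find_rat_chains(flows: Iterable[Flow], window: float = 600.0):
    """Detect the three-step pattern of FIG. 1 across flow records:
    A: contact between an external host and an internal springboard (either
       direction, since a channel opened by a victim also carries instructions back),
    B: the springboard opens a connection to another internal host (the target),
    C: the target opens a new connection to the same external host.
    Each step must follow the previous one within `window` seconds.
    The nested scan is O(n^3) for clarity; index flows by host for real traffic."""
    flows = sorted(flows, key=lambda f: f.t)
    chains = set()
    for a in flows:
        ep = perimeter_endpoints(a)
        if ep is None:
            continue
        attacker, springboard = ep
        for b in flows:
            if not (a.t <= b.t <= a.t + window) or b.src != springboard:
                continue
            if not is_internal(b.dst) or b.dst == springboard:
                continue
            for c in flows:
                if b.t <= c.t <= b.t + window and c.src == b.dst and c.dst == attacker:
                    chains.add((attacker, springboard, b.dst))
    return sorted(chains)

# Constructed sample flow log (not taken from any real capture)
SAMPLE = [
    Flow(0.0, "10.0.0.5", "203.0.113.9"),       # ordinary outbound web access
    Flow(10.0, "203.0.113.7", "10.0.0.5"),      # A: attacker contacts springboard
    Flow(12.0, "10.0.0.5", "10.0.0.8"),         # B: springboard reaches target
    Flow(30.0, "10.0.0.8", "203.0.113.7"),      # C: target opens new connection out
    Flow(40.0, "10.0.0.8", "10.0.0.12"),        # target acts as a new springboard
    Flow(50.0, "10.0.0.12", "203.0.113.7"),     # second-hop target connects out
    Flow(5000.0, "198.51.100.2", "10.0.0.3"),   # unrelated inbound, no follow-up
]
```

The second chain is found because the flow that is step C of the first chain also serves as step A of the next one, matching the target being reused as a springboard.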