In enterprise networks, communication is blocked and monitored by a firewall, an IDS (Intrusion Detection System), or the like. One purpose of this is to prevent information leakage from the enterprise network, external attacks on appliances within the enterprise network, and the like.
On the other hand, sending and receiving electronic mail, browsing the World Wide Web, and the like are often indispensable for business, so such communication is often permitted under certain restrictions. For example, there is a construction in which access from a client to an external web server is permitted only via a proxy server. Such a construction prevents the clients within the enterprise network from being exposed directly to the external network and makes unauthorized access to, and intrusion into, the clients difficult to perform.
However, as targeted attacks have become common, inlet countermeasures alone, which aim at preventing unauthorized access and intrusion from the outside, leave situations in which security is difficult to ensure. A targeted attack, as used herein, is an attack in which malware, such as a RAT (Remote Access Tool, a remote management tool), is infiltrated into a terminal within an enterprise network by skillfully exploiting points of contact with the external network, such as mail and the web.
Because targeted attacks are aimed at specific companies or groups, obtaining samples of them is more difficult than obtaining ordinary viruses and adware. It is therefore highly likely that an attack will already have progressed before security vendors update their malware definition files, so such attacks are difficult to prevent by inlet countermeasures alone. For example, targeted attacks against companies are often aimed at stealing classified information, and in this case outlet countermeasures, which prevent leakage of classified information to the outside, are important.
A technology that solves such a problem is described in PTL 1.
Generally, malware such as a RAT performs only limited processing autonomously on the infected terminal. Instead, the infected terminal communicates with a control server called a C&C (Command and Control) server and, on receiving instructions from the C&C server, gathers information and transmits and receives data. Therefore, if the communication between the infected terminal and the C&C server can be detected as unauthorized communication, this leads to discovery of the incident and prevention of information leakage.
The malware communication detection system described in PTL 1 includes the following construction. Firstly, a proxy server, in response to a request from a browser of a client to an external server, generates an authentication program and sends that authentication program to the client. Secondly, the browser of the client executes the received authentication program and sends the results of the execution to the proxy server. Thirdly, based on the received results of the execution, the proxy server determines whether or not the request is a request from malware, that is, whether or not the requested access is legitimate.
The malware communication detection system of PTL 1, which includes the foregoing construction, is capable of detecting communication performed by malware even when the malware disguises itself as a browser.
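To make the three-step exchange above concrete, the following is an added simulation in Python; it is not code from PTL 1 and does not reproduce that system's actual authentication program. The challenge format (a script that hashes a nonce repeated a random number of times), the class and function names, the 30-second validity window, and the host and URL names are assumptions made for this illustration. It goes slightly beyond the description by also rejecting a replayed or expired result, which a practical proxy needs so that a once-valid answer cannot be reused.

```python
import hashlib
import secrets
import time

# Added example, not the PTL 1 implementation. All names, the challenge
# format and the TTL below are assumptions for this illustration.

CHALLENGE_TTL = 30  # seconds a challenge stays valid (assumed value)


class ChallengeProxy:
    """Proxy that issues an 'authentication program' and checks its result."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # nonce -> (client_id, expected_answer, issued_at)
        self.events = []    # detection log: (client_id, verdict, reason)

    def issue_challenge(self, client_id):
        # Per-request nonce and repeat count. The expected answer is computed
        # once here, so the proxy never re-derives it from client-supplied data.
        nonce = secrets.token_hex(8)
        repeat = secrets.randbelow(4) + 2
        expected = hashlib.sha256((nonce * repeat).encode()).hexdigest()
        self.pending[nonce] = (client_id, expected, self.clock())
        # The 'program' is what the browser must run; a real proxy would send
        # it as a script (the script text here is an assumed format).
        return {"nonce": nonce, "repeat": repeat,
                "script": f"sha256('{nonce}'.repeat({repeat}))"}

    def verify(self, client_id, nonce, answer):
        entry = self.pending.pop(nonce, None)   # one-time use: a replay fails
        if entry is None:
            return self._record(client_id, "suspect", "unknown or reused nonce")
        owner, expected, issued_at = entry
        if owner != client_id:
            return self._record(client_id, "suspect", "nonce issued to another client")
        if self.clock() - issued_at > CHALLENGE_TTL:
            return self._record(client_id, "suspect", "challenge expired")
        if not secrets.compare_digest(answer, expected):
            return self._record(client_id, "suspect", "wrong answer: program not executed")
        return self._record(client_id, "browser", "challenge solved")

    def _record(self, client_id, verdict, reason):
        self.events.append((client_id, verdict, reason))
        return verdict

    def handle_request(self, client_id, url, proof=None):
        """Entry point for an outbound request. Returns ('challenge', program),
        ('allow', url) or ('block', reason)."""
        if proof is None:
            return ("challenge", self.issue_challenge(client_id))
        verdict = self.verify(client_id, proof["nonce"], proof["answer"])
        if verdict == "browser":
            return ("allow", url)
        return ("block", self.events[-1][2])


def browser_execute(program):
    """Stand-in for a real browser running the received program."""
    nonce, repeat = program["nonce"], program["repeat"]
    return {"nonce": nonce,
            "answer": hashlib.sha256((nonce * repeat).encode()).hexdigest()}


def run_scenarios():
    """Drive a legitimate browser and a malware-style HTTP client through the proxy."""
    fake_now = [1_000_000.0]                      # controllable clock for the expiry case
    proxy = ChallengeProxy(clock=lambda: fake_now[0])
    results = {}

    # 1. Real browser: executes the program and resubmits with the result.
    _, program = proxy.handle_request("host-A", "http://example.test/")
    proof = browser_execute(program)
    results["browser"] = proxy.handle_request("host-A", "http://example.test/", proof)[0]

    # 2. Replay of the same proof: the nonce has already been consumed.
    results["replay"] = proxy.handle_request("host-A", "http://example.test/", proof)[0]

    # 3. Malware-style client: speaks HTTP but has no script engine, so it can
    #    only echo the nonce back instead of the computed result.
    _, program = proxy.handle_request("host-B", "http://c2.example.test/")
    fake_proof = {"nonce": program["nonce"], "answer": program["nonce"]}
    results["malware"] = proxy.handle_request("host-B", "http://c2.example.test/", fake_proof)[0]

    # 4. Stale answer: a correct result submitted after the challenge expired.
    _, program = proxy.handle_request("host-A", "http://example.test/")
    proof = browser_execute(program)
    fake_now[0] += CHALLENGE_TTL + 1
    results["stale"] = proxy.handle_request("host-A", "http://example.test/", proof)[0]

    results["suspect_hosts"] = sorted({c for c, v, _ in proxy.events if v == "suspect"})
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The proxy keeps the expected answer on its own side and consumes each nonce on first use, so the verdict never depends on anything the client can choose except whether it actually ran the program. Hosts that repeatedly fail the check are the candidates for the C&C communication the text describes; in practice the `events` log would feed an alerting pipeline rather than a list.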