A computer network typified by the Internet needs to be equipped with security measures to prevent the network, or terminals connected to the network, from being intruded into or attacked (accessed without authority).
Firewalls are commonly used as network security measures. For example, a DMZ (De-Militarized Zone) is constructed with a firewall on the boundary between the Internet and an intranet, and TCP connections are not allowed to pass straight through the DMZ. Direct connections from the Internet to the intranet can thus be prohibited by setting up firewall rules.
A router that connects networks incorporates a filtering capability to limit data communications (hereinafter referred to simply as communications) passing through it. This capability can be used to prevent unauthorized access between networks.
There are conventional techniques for tracing unauthorized access detected on a network. Such techniques involve accumulating log data on the communications packets (hereinafter referred to simply as packets) exchanged over the network in a predetermined storage (log box), together with their data size and detection time, and tracing unauthorized access, once detected, by comparing the unauthorized access against the accumulated log information (see, e.g., Published Unexamined Patent Application No. 2001-217834, pp. 6-8). These conventional techniques trace unauthorized access offline, using the accumulated log information, rather than in real time.
However, even if security measures such as firewalls and routers' filtering capabilities are installed on the network, they cannot prevent intrusions or attacks that are relayed through a host computer which those security measures themselves permit to communicate.
In the example above of installing a DMZ between the Internet and an intranet, each individual TCP connection via the DMZ is authorized. Firewall rules therefore cannot prohibit an indirect connection from the Internet to the intranet that is formed by chaining a TCP connection from the Internet to a server in the DMZ (e.g., a Web server, DNS (Domain Name System) server, or mail server) with a second TCP connection from that server to the intranet.
Likewise, when the filtering capabilities of a router are used to limit communications, filtering on the router cannot prevent an intrusion made in the following way. The attacker intrudes into a computer that will serve as a stepping stone, erases the logs on that computer, and attacks another computer from it. As a result, the attack appears to originate from the stepping stone. Normally, an attacker attacks a target computer via two or more stepping stones. A computer can be used as a stepping stone even if it is not intruded into itself; the use of a proxy server for relaying is a case in point. Even if no real damage is done to the computer serving as a stepping stone, the fact that it was used as one will damage the reputation of the organization that manages it.
Since the conventional techniques for tracing unauthorized access detected on a network trace by matching against communications logs, they can trace even communications relayed via a host computer placed under the management of security measures, as described above. However, because they perform the matching offline, they cannot monitor unauthorized access in real time while the communications are actually in progress. Furthermore, they depend on having communications logs already identified as belonging to the unauthorized access available for the matching.
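The offline matching that the conventional technique performs, applied to the stepping-stone scenario above, as an added example that is not code from the patent application or from the cited reference: starting from the connection on which the attack was observed, each connection into the attacking host that was open for the whole lifetime of the downstream connection, and carried a comparable volume of data, is a candidate upstream hop, and the walk continues until no such connection remains. The log record layout, the time-overlap and byte-volume heuristics, and every address, timestamp and byte count are assumptions constructed for illustration.

```python
"""Offline tracing of a stepping-stone chain by matching a detected
unauthorized access against accumulated connection logs.

Added example, not code from the patent application. The log format,
the overlap and byte-count heuristics, and all addresses, timestamps
and byte counts below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Conn:
    """One logged TCP connection: endpoints, lifetime, and bytes carried."""
    src: str
    dst: str
    start: int      # connection setup time in seconds (constructed values)
    end: int        # connection teardown time in seconds
    bytes_out: int  # bytes sent from src to dst


# Constructed sample log. The chain is:
#   198.51.100.7 (attacker) -> 192.0.2.10 (relaying proxy, not intruded)
#   -> 192.0.2.20 (intruded stepping stone) -> 10.0.0.5 (target).
# The last two records are unrelated traffic into the stepping stone.
SAMPLE_LOG = [
    Conn("198.51.100.7", "192.0.2.10", 1000, 1900, 4200),
    Conn("192.0.2.10", "192.0.2.20", 1010, 1890, 4100),
    Conn("192.0.2.20", "10.0.0.5", 1020, 1880, 3900),
    Conn("203.0.113.4", "192.0.2.20", 500, 900, 120),   # closed before the attack
    Conn("192.0.2.30", "192.0.2.20", 1100, 1200, 50),   # opened after the attack began
]


def upstream_candidates(log, hop, slack=5, byte_ratio=0.8):
    """Connections into hop.src that could have relayed hop's traffic.

    A relaying connection must have been open for the whole lifetime of
    the connection it feeds (allowing `slack` seconds of clock skew) and
    must have carried at least `byte_ratio` of the downstream byte count.
    Both thresholds are assumed heuristics, not values from the page.
    """
    return [
        c for c in log
        if c is not hop
        and c.dst == hop.src
        and c.start <= hop.start + slack
        and c.end >= hop.end - slack
        and c.bytes_out >= byte_ratio * hop.bytes_out
    ]


def trace_back(log, observed, slack=5, max_depth=10):
    """Return every chain [origin, ..., observed] reconstructible from the log.

    Walks upstream from the connection on which the attack was detected.
    Several chains are returned when the log is ambiguous; a hop with no
    upstream candidate ends its chain at the apparent origin.
    """
    chains: List[List[Conn]] = []

    def walk(chain):
        ups = upstream_candidates(log, chain[0], slack)
        ups = [u for u in ups if u not in chain]  # guard against loops in the log
        if not ups or len(chain) >= max_depth:
            chains.append(chain)
            return
        for u in ups:
            walk([u] + chain)

    walk([observed])
    return chains


def origin_hosts(log, observed):
    """Sorted source addresses at the far end of every reconstructed chain."""
    return sorted({chain[0].src for chain in trace_back(log, observed)})


if __name__ == "__main__":
    attack = SAMPLE_LOG[2]  # the connection on which the intrusion was detected
    for chain in trace_back(SAMPLE_LOG, attack):
        print(" -> ".join([chain[0].src] + [c.dst for c in chain]))
```

Because the matching uses network-side connection records rather than the stepping stone's own logs, the attacker's erasure of host logs does not hide the chain, and the relaying proxy is recovered as a hop even though it was never intruded into. The walk is still the offline procedure the page criticizes: it needs the complete log after the fact and an already-identified attack connection as its starting point.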