(1) Field of the Invention
This invention relates to a device, method and program for detecting unauthorized accesses, and more particularly, to a device, method and program for detecting unauthorized accesses with attack models.
(2) Description of the Related Art
As information and communication technology has developed, more services are offered over the Internet. For example, service providers install servers that are reachable over the Internet, and those servers provide various services to client computers.
Because such servers are reachable from anywhere on the Internet, they are exposed to attack by unauthorized accesses. Protections are therefore needed, including detection of such unauthorized accesses at an early stage.
Basically, unauthorized accesses can be detected by detecting access requests that include commands used for illicit purposes. Specifically, a list of unauthorized commands indicative of attacks against well-known security holes is registered in advance. When an access request including one of the listed unauthorized commands is detected, the access request is rejected and an administrator is informed of the detected unauthorized access.
For example, “phf” is a well-known CGI script with a weakness (security hole). “Phf” is a script executable on web servers. By sending a prescribed hypertext transfer protocol (HTTP) request to a web server running the “phf” script, an unauthorized user can cause the server to return its password file. The HTTP request sent by the unauthorized user includes the character string “phf” specifying the script. Therefore, HTTP requests including the character string “phf” can be identified as unauthorized accesses.
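The per-request signature check described above, written out as an added example in Python (it is not code from the patent and does not represent the disclosed device): an HTTP request line is parsed, its path is percent-decoded, and the path segments are compared against a registered list of unauthorized commands. The signature list containing only “phf”, the sample request lines and the percent-encoded variant are constructed for the example; decoding before matching is a caveat added here, since a raw substring check on the undecoded request would miss “%70hf”.

```python
from urllib.parse import unquote, urlsplit

# Registered list of unauthorized commands, in the sense of the page: names of
# server-side scripts with known security holes.  "phf" is the page's example;
# any further entries are left to the deployment (assumption for this example).
UNAUTHORIZED_COMMANDS = ["phf"]


def normalize_request_path(request_line):
    """Take an HTTP request line such as 'GET /cgi-bin/phf?Qalias=x HTTP/1.0'
    and return its percent-decoded, lower-cased path (query string removed).
    Decoding matters: an attacker can write 'phf' as '%70hf', which a raw
    substring check on the undecoded request would not recognise."""
    parts = request_line.split()
    if len(parts) < 2:
        return ""                       # malformed request line, nothing to match
    path = urlsplit(parts[1]).path      # drop '?Qalias=...' and any fragment
    return unquote(path).lower()


def match_unauthorized(request_line, signatures=UNAUTHORIZED_COMMANDS):
    """Return the first registered signature found as a path segment of the
    request, or None.  Segments are compared exactly so that a benign resource
    whose name merely contains 'phf' (e.g. 'phfoo.html') is not flagged."""
    path = normalize_request_path(request_line)
    segments = [seg for seg in path.split("/") if seg]
    for sig in signatures:
        if sig in segments:
            return sig
    return None


# Constructed sample request lines (not taken from the page).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/phf?Qalias=x HTTP/1.0",     # plain request for the phf script
    "GET /cgi-bin/%70hf?Qalias=x HTTP/1.0",   # 'p' percent-encoded to evade matching
    "GET /index.html HTTP/1.0",               # benign
    "GET /docs/phfoo.html HTTP/1.0",          # benign name containing 'phf'
]


def scan(requests=SAMPLE_REQUESTS):
    """Apply the signature check to each request; returns (request, signature)."""
    return [(req, match_unauthorized(req)) for req in requests]


if __name__ == "__main__":
    for req, sig in scan():
        verdict = "REJECT (%s)" % sig if sig else "allow"
        print("%-45s %s" % (req, verdict))
```

The check is deliberately limited to the request path; a deployment that also inspects the query string would decode it the same way before comparing.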
Some unauthorized accesses, however, are made with a plurality of normal commands used together with unauthorized commands. For example, an unauthorized access may be accomplished by sending commands to a server in the following steps.
    1. [Ping_sweep]: The attacker finds active machines, and their Internet protocol (IP) addresses, with the network tool “ping,” as the first stage of the attack.
    2. [Port_scan]: The attacker scans every port of an active machine to detect which transmission control protocol (TCP) ports answer. From this, the attacker learns the types of services the machine offers.
    3. [Fingerprinting]: The attacker sends prescribed packets to a port and, from the responses, learns the type and version of the server software.
    4. [Hijacking]: If the type and version of the software running on the server reveal a weakness, the attacker exploits it to take over the machine (that is, to cause the machine to execute a program of the attacker's choosing).
    5. [Deploy_Back_door]: The attacker installs a back door program on the machine that has been taken over. The back door program is a tool that lets the attacker operate the machine at will.
A check of the commands included in each individual access request is not enough to detect such unauthorized accesses. Therefore, attack models are registered in advance; each attack model is a state transition diagram describing the preparatory steps of an attack. An unauthorized access is then detected by relating events to one another to form an event sequence and comparing that sequence with the attack models (for example, refer to the third volume of the proceedings of the 65th national convention of the Information Processing Society of Japan, p. 207-208, “Method for detecting omen of DDoS with attack models,” Masashi Mitomo et al.).
The conventional technique, however, overloads the processing of a server that handles a great number of events. That is, in the conventional technique, when an event sequence is input in real time, the stored “previous event logs” are compared with the attack models to detect an unauthorized access. In this case, every time a single event is input, all of the stored event logs must be checked to see whether a corresponding event transition appears in the attack models, so the work done per event grows with the number of stored logs. As a result, unauthorized accesses cannot be detected in real time once a great number of event logs have accumulated over a long period of operation.
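Comparing an event sequence with an attack model, and the cost of the conventional approach, as an added illustration in Python (not code from the patent or from the cited paper). The attack model is the five-step sequence listed above, applied per source address; `run_naive` re-examines every stored log entry on each new event, as the conventional technique is described, while `run_incremental` keeps one cursor per source so that each event costs a constant amount of work. The stateful version is a generic illustration of avoiding the rescan, not a description of the device this patent discloses. The event log and the IP addresses in it are constructed for the example.

```python
from collections import defaultdict

# Attack model taken from the five-step scenario: an ordered state transition
# in which each stage must be observed, in order, from the same source
# address before the model is considered matched.
ATTACK_MODEL = ["ping_sweep", "port_scan", "fingerprinting",
                "hijacking", "deploy_back_door"]

# Constructed sample event log (not from the page): (sequence number,
# source address, event type).  10.0.0.5 walks the whole model; 10.0.0.9
# produces stages out of order and never matches.
SAMPLE_EVENTS = [
    (1, "10.0.0.5", "ping_sweep"),
    (2, "10.0.0.9", "port_scan"),        # no prior ping_sweep from this host
    (3, "10.0.0.5", "port_scan"),
    (4, "10.0.0.9", "fingerprinting"),   # still out of order for 10.0.0.9
    (5, "10.0.0.5", "fingerprinting"),
    (6, "10.0.0.5", "hijacking"),
    (7, "10.0.0.5", "deploy_back_door"),
]


def naive_match(stored_logs, new_event, model):
    """Conventional approach as described: on every new event, walk all
    stored logs to see whether the earlier stages of the model already
    occurred, in order, for the same source.  Returns (completed, examined),
    where 'examined' counts log entries read for this one event."""
    _, src, kind = new_event
    if kind not in model:
        return False, 0
    stage = model.index(kind)           # which stage this event would be
    expected = 0                        # next earlier stage we still need
    examined = 0
    for _, old_src, old_kind in stored_logs:
        examined += 1
        if old_src == src and expected < stage and old_kind == model[expected]:
            expected += 1
    completed = expected == stage and stage == len(model) - 1
    return completed, examined


def run_naive(events, model=ATTACK_MODEL):
    """Feed events one at a time, keeping the whole log, as the conventional
    technique does.  Returns (alerts, total log entries examined); the total
    grows quadratically with the number of events."""
    stored, alerts, examined_total = [], [], 0
    for event in events:
        completed, examined = naive_match(stored, event, model)
        examined_total += examined
        if completed:
            alerts.append((event[0], event[1]))
        stored.append(event)
    return alerts, examined_total


def run_incremental(events, model=ATTACK_MODEL):
    """Stateful matching (illustration, not the patent's method): keep one
    cursor per source address and advance it when the next expected stage
    arrives, so each event costs O(1) regardless of log size.  Events that
    are not the next expected stage for their source are ignored, giving
    the same matches as the naive scan above."""
    cursor = defaultdict(int)
    alerts = []
    for seq, src, kind in events:
        if kind == model[cursor[src]]:
            cursor[src] += 1
            if cursor[src] == len(model):
                alerts.append((seq, src))
                cursor[src] = 0         # reset so a repeated campaign is reported again
    return alerts


if __name__ == "__main__":
    print("naive:      ", run_naive(SAMPLE_EVENTS))
    print("incremental:", run_incremental(SAMPLE_EVENTS))
```

Both matchers raise the same single alert at event 7 for 10.0.0.5, but the naive run reads 0 + 1 + ... + 6 = 21 stored entries to get there, and that figure keeps growing with every event retained in the log.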