1. Field of the Invention
The present invention relates to a network security technique, and in particular to a technique for detecting, and protecting against, an illegitimate intrusion into a network by using a statistical method.
2. Description of the Related Art
With the progress of an information society based on information and communication networks, ensuring network security has become increasingly important for preventing information leakage and avoiding interruption of service. As threats to network security become more complex, it is increasingly common to use, in parallel, an anomaly analysis method, which detects a phenomenon that differs from the normal state after comprehending the statistical trend of the telecommunication information over a long period of time, together with a pattern matching/signature analysis method, which detects an attack by comparison with known ill-intended procedures (e.g., patent document 1).
The anomaly analysis method naturally requires learning the flow and trend of the telecommunication information in the applicable part of the network over a long period of time. Because of this, a user who introduces a network security apparatus supporting the anomaly analysis method cannot start service and operation immediately; a trend learning period of one or two weeks is required after the apparatus is introduced and installed.
Also, an anomaly analysis item may be added after the start of operation as network security techniques progress. In such a case, in addition to the learning that continues during service, a learning period is also required for the added analysis item, and the network is exposed to threats during that learning period even though the network security apparatus is in place.
Under the circumstances of recent years, in which the content of threats (i.e., ill-intended procedures) against a network has become highly sophisticated and changes ever more quickly, shortening such a learning period is an important technical challenge for making network security robust.
One method conceived for accomplishing a shorter learning period is to utilize a packet capture apparatus comprising a replay mode.
A packet capture apparatus records all packets flowing through a specific part of a network, and thereby assists in preserving evidence and understanding the problem when a security problem occurs in the network. There is also a packet capture apparatus supporting a replay mode, which replays the telecommunication conditions, packet flows and sessions from the recorded information so that the understanding obtained can be utilized for detecting subsequent threats to the network.
The replay result is also input, as traffic, to a security apparatus such as an IDS (Intrusion Detection System) in order to perform learning. Use of a packet capture apparatus is thus effective: using the information accumulated in the packet capture apparatus, learning can be performed in an emulation environment of the network security apparatus, or on product equipment of the same series with higher performance than the security apparatus to be introduced, and the learning result can then be transferred to the security apparatus that is planned to be introduced, which may shorten the learning period.
However, the execution environment for such a learning process using the replay function of a packet capture apparatus in many cases exists in the development and support organization, so the information must be taken out of the packet capture apparatus installed at the introducing customer's site. This increases the security risk of the introducing customer, and there is therefore a concern that the countermeasure for shortening the learning period using the information accumulated in the packet capture apparatus will be avoided. That is, because packet capture data contains all kinds of data, useful and useless and of various importance mixed together, classifying the data by degree of importance is actually very difficult, so a countermeasure for the security risk, such as permitting only unimportant data to be taken out, cannot be provided.
Meanwhile, the data stored by the packet capture apparatus is historical telecommunication data to begin with, and therefore does not necessarily reflect the latest telecommunication conditions. It is desirable to shorten the learning period using, as much as possible, the latest telecommunication conditions. Furthermore, when the applied security policy is changed along with the introduction of a network security apparatus, the captured data, having been collected under a different, historical security policy, cannot be appropriately used for learning as is.
As described above, a prescribed period of time is required for learning a user's trend after a network security apparatus is introduced and installed, in order to apply an anomaly analysis. If the user already possesses data suitable as learning material accumulated in a packet capture apparatus, the learning period can be shortened. That is, if the historically accumulated information is taken out to the development and support entity of the network security apparatus, the learning period can be shortened by learning in an emulation environment of the network security apparatus, or on product equipment of the same series with higher performance than the security apparatus to be introduced, and transferring the learning result to the security apparatus that is planned to be introduced.
However, an operation such as taking out and managing the information while paying full attention to preserving it imposes a great burden on both the user and the support entity, so reducing the operational procedures and labor becomes a challenge.
Incidentally, the above-noted patent document 1 assumes learning from the traffic data flowing through a network and does not refer to utilization of historically accumulated traffic data.
In the meantime, patent document 2 discloses a technique in which a packet transfer apparatus, which allocates packets to a redundantly configured protection target comprising a primary system and a secondary system, performs an anomaly type judgment and transfers a packet that possibly has malicious content to the secondary system, thereby attempting to protect the protection target from critical damage caused by an intrusion. However, the disclosed technique does not recognize the technical problem of shortening the learning period for the anomaly type judgment, et cetera.
Yet another patent document 3 discloses, as a statistical method for judging abnormality of a network, a technology that realizes the abnormality judgment using a k-dimensional vector whose elements are the number of packets normalized for each of k classifications. However, the disclosed technique also does not recognize the technical problem of shortening the learning period for the anomaly type judgment, et cetera.
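The following is an added illustration, not code from any of the cited patent documents, of the statistical anomaly analysis described above: each time window is reduced to a k-dimensional vector of normalized packet counts, a baseline is learned from a number of windows, and a window is judged abnormal when it departs from the baseline. The four traffic classes, the window contents, the minimum number of learning windows and the per-element z-score rule with a threshold of 3.0 are all assumptions constructed for the example; the judge returns no verdict until the learning period is complete, which is the gap the background discusses.

```python
from collections import Counter
from statistics import mean, pstdev

# Constructed classification keys: k = 4 traffic classes (assumption).
CLASSES = ("tcp/80", "tcp/443", "udp/53", "icmp")


def to_vector(packets, classes=CLASSES):
    """Count packets per class in one window and normalize to fractions."""
    counts = Counter(p for p in packets if p in classes)
    total = sum(counts.values()) or 1          # avoid division by zero on an empty window
    return [counts[c] / total for c in classes]


def make_window(n_80, n_443, n_53, n_icmp):
    """Constructed sample window: a flat list of per-packet class labels."""
    return (["tcp/80"] * n_80 + ["tcp/443"] * n_443
            + ["udp/53"] * n_53 + ["icmp"] * n_icmp)


class AnomalyJudge:
    """Learns a per-element baseline, then scores new windows (assumed rule)."""

    def __init__(self, min_windows=5, threshold=3.0):
        self.min_windows = min_windows   # length of the learning period, in windows
        self.threshold = threshold       # z-score above which a window is abnormal
        self.history = []                # vectors seen during learning

    def learn(self, vector):
        self.history.append(vector)

    def ready(self):
        return len(self.history) >= self.min_windows

    def judge(self, vector):
        """Return None while still learning, else (is_anomaly, worst_z_score)."""
        if not self.ready():
            return None
        worst = 0.0
        for i, x in enumerate(vector):
            col = [v[i] for v in self.history]
            mu, sigma = mean(col), pstdev(col)
            sigma = max(sigma, 0.01)     # floor so a near-constant class cannot divide by zero
            worst = max(worst, abs(x - mu) / sigma)
        return worst > self.threshold, worst
```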
[Patent document 1] Laid-open Japanese patent application publication No. 2004-312083
[Patent document 2] Laid-open Japanese patent application publication No. 2004-229091
[Patent document 3] Laid-open Japanese patent application publication No. 2004-312064