Recently, attacks that use proprietary or customized malware have become frequent. In particular, cases of damage caused by targeted attacks against a specific company are increasing. In many of these cases the following attack method is used: a user terminal in the company is infected with remote-control-type malware, the infected user terminal is used as a springboard to intrude into other apparatuses in the company such as other user terminals, and those apparatuses are in turn infected with the remote-control-type malware.
As a conventional network monitoring technique, there is the signature method, in which a pattern of the communication data exchanged during remote control is defined for each malware, and communication data flowing in the network is compared with the pattern to detect the malware. However, the signature method can detect only malware for which a pattern of the communication data has already been created, and it cannot detect proprietary or customized malware.
Moreover, as illustrated in FIG. 1, there is a technique for detecting an attack in which a certain user terminal is used as a springboard by remote control, new remote-control malware is sent to other user terminals, and those user terminals are infected. See Masahiro Yamada, Masanobu Morinaga, Yuki Unno, Satoru Torii and Masahiko Takenaka, "A Detection Method against Activities of Targeted Attack on The Internal Network", Computer Security of IPSJ SIG Technical Report, 62nd CSEC and 6th SPT joint research presentation, July 2013, for example. This technique determines as an attack a sequence of communications each of which is determined to be normal when observed individually. Specifically, a command is sent from an attacker's terminal outside the system to a user terminal A in the system by using Hyper Text Transfer Protocol (HTTP) or HTTP Secure (HTTPS); remote-control malware is sent from the user terminal A to a user terminal B by using normal Server Message Block (SMB) or the like and is executed there; and a new connection is then established from the user terminal B to the attacker's terminal. The procedure to establish the connection is, for example, a 3-way handshake.
However, in an intelligence activity in which the remote-control malware is not executed on the user terminal B, but information is instead acquired from the user terminal B by executing a command and/or program there, and that information reaches the attacker's terminal through the user terminal A, no egress connection from the user terminal B to the attacker's terminal occurs. Therefore, such an intelligence activity cannot be detected by this technique.

Non-Patent Document 1: Masahiro Yamada, Masanobu Morinaga, Yuki Unno, Satoru Torii and Masahiko Takenaka, "A Detection Method against Activities of Targeted Attack on The Internal Network", Computer Security of IPSJ SIG Technical Report, 62nd CSEC and 6th SPT joint research presentation, July 2013.
Patent Document 1: Japanese National Publication of International Patent Application No. 2004-537075
Patent Document 2: Japanese Laid-open Patent Publication No. 2007-323428
Patent Document 3: Japanese Patent No. 4700884
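The three-step chain of the prior-art technique, and the intelligence-activity case it misses, as an added worked example. This is not code from the cited paper or from the patent; it is a minimal correlation over connection records written here for illustration. The flow records, the addresses (10.0.0.0/8 as the internal range, 203.0.113.7 as the attacker's terminal) and the port choices (80/443 for HTTP/HTTPS, 445 for SMB) are all constructed assumptions, as is the correlation window.

```python
"""Three-step springboard detector (added illustration, not the cited paper's code).

Assumptions (not from the page): internal hosts are in 10.0.0.0/8,
HTTP/HTTPS means destination port 80 or 443, SMB means port 445, and each
record describes one observed TCP connection setup (3-way handshake).
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Flow:
    t: float      # seconds since start of capture
    src: str      # source address
    dst: str      # destination address
    dport: int    # destination TCP port
    syn: bool     # True if this record is a new connection (3-way handshake seen)


def is_internal(ip: str) -> bool:
    # Assumed internal address range for the example
    return ip.startswith("10.")


def detect_chains(flows: List[Flow], window: float = 600.0) -> List[Tuple[str, str, str]]:
    """Return (attacker, A, B) triples whose three steps occur in order within `window`.

    Step 1: external attacker -> internal A over HTTP/HTTPS (command delivery)
    Step 2: A -> another internal host B over SMB (malware transfer and execution)
    Step 3: B opens a new connection back to the same attacker
    Each step on its own is ordinary traffic; only the ordered chain is flagged.
    """
    flows = sorted(flows, key=lambda f: f.t)
    found: List[Tuple[str, str, str]] = []
    for f1 in flows:
        if is_internal(f1.src) or not is_internal(f1.dst) or f1.dport not in (80, 443):
            continue
        attacker, a = f1.src, f1.dst
        for f2 in flows:
            if not (f1.t <= f2.t <= f1.t + window and f2.src == a
                    and is_internal(f2.dst) and f2.dst != a and f2.dport == 445):
                continue
            b = f2.dst
            for f3 in flows:
                if (f2.t <= f3.t <= f1.t + window and f3.syn
                        and f3.src == b and f3.dst == attacker):
                    chain = (attacker, a, b)
                    if chain not in found:
                        found.append(chain)
    return found


ATTACKER, A, B = "203.0.113.7", "10.0.0.11", "10.0.0.12"  # constructed addresses

# Constructed scenario 1: B is infected and calls back, so the chain is detected.
INFECTION = [
    Flow(0.0,  A, "198.51.100.20", 443, True),   # unrelated browsing by A
    Flow(10.0, ATTACKER, A, 443, True),          # step 1: command to A over HTTPS
    Flow(12.0, A, "10.0.0.50", 445, True),       # ordinary file-share access, no step 3 follows
    Flow(40.0, A, B, 445, True),                 # step 2: malware pushed to B over SMB
    Flow(95.0, B, ATTACKER, 443, True),          # step 3: B's new connection to the attacker
]

# Constructed scenario 2: intelligence activity only. A runs a command on B over
# SMB and relays the result to the attacker itself; B never connects out.
INTEL = [
    Flow(10.0, ATTACKER, A, 443, True),          # step 1
    Flow(40.0, A, B, 445, True),                 # step 2: command/program run on B via SMB
    Flow(70.0, A, ATTACKER, 443, True),          # result relayed by A, not by B
]


if __name__ == "__main__":
    print(detect_chains(INFECTION))  # [('203.0.113.7', '10.0.0.11', '10.0.0.12')]
    print(detect_chains(INTEL))      # [] (the gap described in the text)
```

The second scenario returns nothing because the detector keys on the egress connection from B; with the result travelling back over the existing SMB session and A's existing HTTPS channel, steps 1 and 2 alone are indistinguishable from routine administration. The window parameter also matters: shrinking it below the gap between step 1 and step 3 makes the first scenario go undetected as well.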