Currently, information is usually managed using information processing apparatuses, and important information such as personal information and classified information is often stored in the information processing apparatuses. As a result, targeted attacks for stealing important information from information processing apparatuses used by particular individuals and organizations are occurring. In the targeted attacks, malicious programs called “malware” are often used.
For example, an attacker transmits a malicious program to a target organization by electronic mail or the like in order to infect an information processing apparatus used by the target organization with the malicious program. The information processing apparatus infected with the malicious program might then transmit important information stored therein to an information processing apparatus controlled by the attacker. In another case, the attacker uses the infected information processing apparatus as a stepping stone and transmits a malicious program to another information processing apparatus belonging to the same network, or collects important information from another information processing apparatus.
On the other hand, information security systems that enable detection of attacks made by malicious programs are being studied. The information security systems include an intrusion detection system (IDS), an intrusion prevention system (IPS), and a firewall. In a network-type information security system that monitors packets flowing through a network, the following methods have been proposed as methods for detecting an attack made by a malicious program.
For example, a method for detecting an attack in real time by converting a network traffic stream into higher-level events and processing the events in accordance with a predetermined security policy has been proposed. In addition, a method for detecting malicious traffic and warning a system administrator by matching predefined patterns of malicious traffic against current network traffic has been proposed. In addition, a method for detecting traffic that attacks a known vulnerability of application software in a network and filtering out the detected traffic has been proposed.
In addition, a method for detecting an aggregate of communication on the basis of the similarity of communication performed by a plurality of computers and determining computers that might have been infected with malware on the basis of the detected aggregate has been proposed. In the detection of the aggregate, software installed on the computers performing communication, the content of communication, and external networks to which the other ends of communication belong are taken into consideration.
V. Paxson, “Bro: A System for Detecting Network Intruders in Real-Time”, Proc. of the 7th USENIX Security Symposium, 1998; M. Roesch, “Snort: Lightweight Intrusion Detection for Networks”, Proc. of the 13th Systems Administration Conference, pp. 229-238, 1999; H. Wang, C. Guo, D. Simon, and A. Zugenmaier, “Shield: Vulnerability-Driven Network Filters for Preventing Known Vulnerability Exploits”, Proc. of ACM SIGCOMM '04 Conference, 2004; and T. Yen and M. Reiter, “Traffic Aggregation for Malware Detection”, Proc. of the 5th Conference on Detection of Intrusions and Malware & Vulnerability Assessment, pp. 207-227, 2008 disclose related techniques.
During an attack made by a malicious program, a certain information processing apparatus (for example, the information processing apparatus that was infected with the malicious program first) might scan other information processing apparatuses belonging to the same network in order to search for an information processing apparatus to be infected next. For example, the certain information processing apparatus may access another information processing apparatus and determine, on the basis of information included in the response, whether or not unauthorized intrusion utilizing a known vulnerability is possible. Alternatively, for example, the certain information processing apparatus may transmit an authentication request including stolen login information and search for another information processing apparatus on which login with that login information is possible.
Unauthorized access for realizing unauthorized intrusion into an information processing apparatus is preferably detected by an information security system. It is not easy, however, to accurately determine whether or not access from a certain information processing apparatus to another information processing apparatus is unauthorized access.
For example, even in the case of normal access other than unauthorized access, login operations might be performed frequently depending on the information processing apparatus being accessed (for example, when the information processing apparatus being accessed is a file server that performs authentication). In addition, even in the case of normal access, authentication fails when, for example, a user has transmitted incorrect login information by mistake. On the other hand, in the case of unauthorized access, an information processing apparatus that permits guest authentication (anonymous access) might report that authentication succeeded even for an authentication request including incorrect login information.
Therefore, when only one fixed condition is set for the number of accesses, the number of authentication failures, or the like, and access is judged to be unauthorized if it satisfies the condition and not unauthorized if it does not, both erroneous detection (false positives) and lack of detection (false negatives) of unauthorized access might occur. In this case, it is difficult to make effective use of the information provided by the information security system.
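The failure mode described above, as an added illustration that is not part of the original text and not the method it discloses: constructed authentication events are scored with one fixed failure threshold (which both over-detects the legitimate file-server user and under-detects the scanning host once a guest-authenticating target reports a spurious success) and, as an assumed alternative signal for comparison, by the number of distinct hosts a single source authenticates against.

```python
"""Constructed authentication events and two scoring rules (added example)."""
from collections import Counter, defaultdict

# Constructed sample events: (source host, destination host, auth result).
# Not taken from any real system.
EVENTS = [
    # Legitimate user who logs in to an authenticating file server often
    # and mistypes the password a few times.
    ("10.0.0.5", "fs01", "fail"),
    ("10.0.0.5", "fs01", "fail"),
    ("10.0.0.5", "fs01", "fail"),
    ("10.0.0.5", "fs01", "ok"),
    ("10.0.0.5", "fs01", "ok"),
    # Infected host trying one set of stolen credentials on many hosts.
    # ws03 permits guest authentication, so it reports success even
    # though the credentials are wrong (the case the text describes).
    ("10.0.0.9", "ws01", "fail"),
    ("10.0.0.9", "ws02", "fail"),
    ("10.0.0.9", "ws03", "ok"),   # spurious success via guest auth
    ("10.0.0.9", "ws04", "fail"),
]


def fixed_threshold_alerts(events, max_failures=3):
    """The single fixed condition: flag any source whose total number of
    authentication failures reaches max_failures, regardless of target."""
    failures = Counter(src for src, _, res in events if res == "fail")
    return {src for src, n in failures.items() if n >= max_failures}


def fan_out_alerts(events, max_targets=3):
    """Assumed alternative signal (an assumption of this example, not the
    text's method): flag a source that authenticates against many distinct
    hosts. Successes are counted too, since guest authentication can turn
    a failed credential attempt into a reported success."""
    targets = defaultdict(set)
    for src, dst, _ in events:
        targets[src].add(dst)
    return {src for src, t in targets.items() if len(t) >= max_targets}


if __name__ == "__main__":
    # Threshold 3: legitimate user is flagged together with the scanner.
    print("fixed, 3 failures:", fixed_threshold_alerts(EVENTS, 3))
    # Threshold 4: nobody is flagged; the scanner's spurious success hid
    # one failure, so the scan goes undetected.
    print("fixed, 4 failures:", fixed_threshold_alerts(EVENTS, 4))
    print("fan-out:", fan_out_alerts(EVENTS))
```

Raising the fixed threshold removes the false positive only at the cost of the false negative, which is exactly the trade-off the text identifies.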