1. Field of the Invention
The present invention relates to a network unauthorized access analysis method, an apparatus utilizing the method, and a computer-readable recording medium having a network unauthorized access analysis program recorded thereon. More particularly, the present invention relates to a network unauthorized access analysis method for analyzing whether an unauthorized access is generated in data transmitted on a network so constructed as to perform communication based on a layered protocol between information communication stations in order to enable execution of network security or network management, an apparatus using such a method, and a computer-readable recording medium having a network unauthorized access analysis program recorded thereon.
2. Description of the Prior Art
Conventionally, in a system so structured as to exchange data between information stations, there have been proposed various kinds of analysis methods for analyzing whether an unauthorized access is generated in the data to be exchanged.
In the first place, as a first prior art of the analysis method, for example, there has been proposed an analysis system which operates on a layer or layers above the transport layer in the seven-layer model, receives the transmitted information from the transport layer, and checks the source by means of a function provided by the operating system in order to judge whether the source has been registered in advance and is admitted (TCP WRAPPER; Mar. 19, 1996).
Further, as a second prior art of the analysis method, there is software which does not use the functions of network communication, compresses the vast content of a hard disk by using a predetermined compression method, and detects an unauthorized access to the hard disk by periodically comparing the stored compressed content with the currently compressed content (The Design and Implementation of Tripwire; Feb. 23, 1995).
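The second prior art is a periodic integrity comparison: a compact summary of the disk contents is stored once and recomputed later, and any difference is reported. The following is an added example, not code from the patent or from Tripwire itself. It uses a SHA-256 digest per file as the fixed-size summary (an assumption in place of the text's "compression"), and the sample "disk" is a constructed in-memory mapping of paths to contents so that the example runs offline.

```python
"""Tripwire-style integrity baseline (added example; not the patent's code)."""
import hashlib
from typing import Dict, List, Mapping

# Constructed sample "disk": path -> file content. A real implementation walks
# the filesystem; a dict keeps the example offline and deterministic.
SAMPLE_DISK: Dict[str, bytes] = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/etc/hosts.allow": b"ALL: 192.0.2.\n",
    "/usr/bin/login": b"\x7fELF (constructed stand-in for a binary)",
}


def digest(content: bytes) -> str:
    """Fixed-size summary of one file's content (assumption: SHA-256)."""
    return hashlib.sha256(content).hexdigest()


def build_baseline(files: Mapping[str, bytes]) -> Dict[str, str]:
    """The stored summary: one digest per monitored path."""
    return {path: digest(data) for path, data in files.items()}


def compare(baseline: Mapping[str, str], current: Mapping[str, bytes]) -> Dict[str, List[str]]:
    """Periodic check: recompute the summary and report every difference."""
    now = build_baseline(current)
    return {
        "added": sorted(set(now) - set(baseline)),
        "removed": sorted(set(baseline) - set(now)),
        "modified": sorted(p for p in baseline.keys() & now.keys() if baseline[p] != now[p]),
    }


def tampered_disk() -> Dict[str, bytes]:
    """Constructed later snapshot: one file edited, one removed, one added."""
    disk = dict(SAMPLE_DISK)
    disk["/etc/passwd"] += b"newuser:x:0:0::/:/bin/sh\n"  # extra uid-0 account line
    del disk["/etc/hosts.allow"]                            # access-control file removed
    disk["/tmp/.hidden"] = b"unexpected file"               # new file appeared
    return disk


if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_DISK)
    print("clean check:", compare(baseline, SAMPLE_DISK))
    print("after tampering:", compare(baseline, tampered_disk()))
```

The comparison is only as trustworthy as the stored baseline: if it is kept writable on the monitored host, whoever can alter the files can also alter the baseline, so the summary belongs on read-only media or on a separate machine.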
As a third prior art of the analysis method, there is one in which typical unauthorized access (cracking) techniques are stored and executed against a system to be analyzed in order to check that system for unauthorized access (SATAN network security scanner).
Further, as a fourth prior art of the analysis method, there is one in which analysis is performed on each host computer to confirm whether the various settings of the host computer are set in such a disadvantageous way that it can be cracked through network communication. In this prior art, commands of the operating system are used to confirm whether the various settings of the host computer are unsafe in terms of security (COPS; Nov. 17, 1991).
A fifth prior art of the analysis method is a system for checking whether a user's password used on UNIX is valid. This system holds a file of candidate passwords, encodes each candidate word, compares the encoded words with the encoded password, and recovers the password from the fact that the currently encoded word is the password when the two coincide (Crack Version 4.1; Mar. 3, 1992).
As a sixth prior art of the analysis method, there is one for analyzing each packet in the physical layer (Sniffer).
Moreover, as a seventh prior art of the analysis method, there is a system for diagnosing a network which performs communication between information stations based on a layered protocol. According to this system, a service data unit provided from a lower layer filter is analyzed in accordance with analysis directions from an input controller and a service data unit is created and provided to an upper layer filter (Japanese patent laid-open publication No. Hei 4-315343).
However, the first prior art has the drawback that the amount of data to be analyzed is small and insufficient for analyzing unauthorized access, because data is received only from the transport layer and none is received from any other layer. Further, since the functions of the operating system restructure the data, satisfactory analysis of unauthorized access cannot be carried out.
The second prior art has the disadvantage that analysis of unauthorized access in network communication data is impossible, because it lacks network communication functions.
In addition, the first and second prior arts adopt a design in which a program realizing the analysis method is installed on each host computer or host station (simply referred to as a "host" hereunder) to be monitored, and hence the system cannot deal with an increase in the number of hosts.
According to the third through fifth prior arts, analysis must be newly implemented for each protocol to be analyzed, so the system cannot cope with an increase in the number of protocols.
The sixth prior art adopts a design in which analysis is performed on each packet in the physical layer, which makes it impossible to perform the per-session analysis in the application layer that is necessary for cracking analysis.
On the other hand, according to the seventh prior art, since the data of one layer is filtered and diagnosed by the module for that layer alone, an unauthorized access cannot be analyzed in association with other layers, and the unauthorized access analysis is therefore insufficient.
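The seventh prior art passes a service data unit (SDU) from a lower layer filter up to an upper layer filter, and the drawback noted above is that each layer's diagnosis is confined to that layer. The following is an added example, not code from the patent or from the cited publication, illustrating both points: a chain of filters in which each one parses its own header and hands the remaining SDU upward, while the parsed fields of every layer are collected in one record so that a check can associate, for instance, an application-layer command with the network-layer source address. The IPv4 and TCP field layouts are the standard ones; the sample packet, the line-oriented application command, the registered-host list and the rule are constructed for the example.

```python
"""Layered protocol filter chain with cross-layer association (added example)."""
import struct
from typing import Callable, Dict, List, Tuple

Fields = Dict[str, object]
Filter = Callable[[bytes], Tuple[Fields, bytes]]


def ipv4_filter(sdu: bytes) -> Tuple[Fields, bytes]:
    """Network layer: parse the IPv4 header, return its fields and the transport SDU."""
    ihl = (sdu[0] & 0x0F) * 4
    total_len = struct.unpack("!H", sdu[2:4])[0]
    src = ".".join(str(b) for b in sdu[12:16])
    dst = ".".join(str(b) for b in sdu[16:20])
    return {"ip.src": src, "ip.dst": dst, "ip.proto": sdu[9]}, sdu[ihl:total_len]


def tcp_filter(sdu: bytes) -> Tuple[Fields, bytes]:
    """Transport layer: parse the TCP header, return ports and flags and the application SDU."""
    sport, dport = struct.unpack("!HH", sdu[0:4])
    data_off = (sdu[12] >> 4) * 4
    return {"tcp.sport": sport, "tcp.dport": dport, "tcp.flags": sdu[13]}, sdu[data_off:]


def app_filter(sdu: bytes) -> Tuple[Fields, bytes]:
    """Application layer: the SDU is one text command line (constructed protocol)."""
    line = sdu.split(b"\r\n", 1)[0].decode("ascii", "replace")
    return {"app.line": line}, b""


# Lower layer first; each filter's SDU output feeds the next filter.
LAYERS: List[Filter] = [ipv4_filter, tcp_filter, app_filter]


def analyze(packet: bytes) -> Fields:
    """Run the packet up the chain, accumulating every layer's fields in one record."""
    record: Fields = {}
    sdu = packet
    for flt in LAYERS:
        fields, sdu = flt(sdu)
        record.update(fields)
    return record


# Constructed policy: hosts registered in advance as allowed to issue admin commands.
REGISTERED_HOSTS = {"192.0.2.10"}


def is_suspicious(record: Fields) -> bool:
    """Cross-layer rule: an administrative login line from an unregistered source."""
    admin = str(record.get("app.line", "")).upper().startswith("USER ROOT")
    return admin and record.get("ip.src") not in REGISTERED_HOSTS


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4/TCP packet (checksums left zero; constructed sample)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    return ip + tcp


# Constructed sample: a "USER root" line to port 23 from an unregistered address.
SAMPLE = build_packet("203.0.113.7", "192.0.2.1", 40000, 23, b"USER root\r\n")

if __name__ == "__main__":
    rec = analyze(SAMPLE)
    print(rec, "suspicious:", is_suspicious(rec))
```

Because the record carries the fields of all three layers, the same rule can also be keyed by the (source, destination, port) tuple to group packets into sessions, which is the per-session application-layer view the sixth and seventh prior arts lack.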