Extraction criterion determination method, communication monitoring system, extraction criterion determination apparatus and extraction criterion determination program

US 10,257,213 B2
Filed: 03/16/2015
Issued: 04/09/2019
Est. Priority Date: 03/19/2014
Status: Active Grant

First Claim

Patent Images

1. An extraction criterion determination method performed by an extraction criterion determination apparatus that is connected to a wide area network, the method comprising:

collecting a log information entries of a communication performed in a predetermined period of time, the log information entry being determined to be a malignant communication, the log information entries being obtained from a communication monitoring device configured to collect the log information entries in a network that connects to the wide area network, wherein the wide area network is accessible by at least one of an attacker terminal, a malware distribution server, and a malicious server;

analyzing respective communication source addresses in the collected log information entries;

generating analysis information including a plurality of statistical values, for each respective communication source address, which include at least a number of communications, a statistic related to a communication interval, and a statistic related to an amount of traffic of communications;

extracting a communication satisfying a criterion from the analysis information with reference to a memory storing an extraction criterion, the criterion being used to extract the malignant communication from the log information entries, the criterion being defined in the extraction criterion, the criterion being one of a plurality of criteria that is based on the plurality of statistical values;

determining to adopt the extraction criterion when a ratio of a number of malignant communications to the extracted communications is larger than or equal to a threshold; and

performing a control to output the adopted extraction criterion which is applied for identifying future communications as malignant.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An extraction criterion determination method performed by an extraction criterion determination apparatus includes collecting a log information entry that is in a predetermined period of time and determined to be a specific communication, extracting a communication satisfying a criterion used to extract the specific communication from log information entries from the collected log information entries with reference to a storage unit storing an extraction criterion in which the criterion is defined, determining to adopt the extraction criterion when the ratio of the specific communications to the extracted communications is larger than or equal to a threshold, and performing a control to output the adopted extraction criterion.

17 Citations

8 Claims

1. An extraction criterion determination method performed by an extraction criterion determination apparatus that is connected to a wide area network, the method comprising:
- collecting a log information entries of a communication performed in a predetermined period of time, the log information entry being determined to be a malignant communication, the log information entries being obtained from a communication monitoring device configured to collect the log information entries in a network that connects to the wide area network, wherein the wide area network is accessible by at least one of an attacker terminal, a malware distribution server, and a malicious server;
  
  analyzing respective communication source addresses in the collected log information entries;
  
  generating analysis information including a plurality of statistical values, for each respective communication source address, which include at least a number of communications, a statistic related to a communication interval, and a statistic related to an amount of traffic of communications;
  
  extracting a communication satisfying a criterion from the analysis information with reference to a memory storing an extraction criterion, the criterion being used to extract the malignant communication from the log information entries, the criterion being defined in the extraction criterion, the criterion being one of a plurality of criteria that is based on the plurality of statistical values;
  
  determining to adopt the extraction criterion when a ratio of a number of malignant communications to the extracted communications is larger than or equal to a threshold; and
  
  performing a control to output the adopted extraction criterion which is applied for identifying future communications as malignant.
- View Dependent Claims (2, 3, 4)
- - 2. The extraction criterion determination method according to claim 1, whereinthe memory stores an extraction criterion defining a plurality of criteria, anda communication satisfying the criteria is extracted from the log information entries in the extraction.
  - 3. The extraction criterion determination method according to claim 2, whereinthe memory stores an extraction criterion in which the criteria are defined in predetermined order, anda communication satisfying the criteria in the predetermined order is extracted from the log information entries in the extraction.
  - 4. The extraction criterion determination method according to claim 1, whereinan undetermined log information entry that has not been determined to be the malignant communication is collected as the log information entry in the collection,a communication satisfying the criterion is extracted from the undetermined log information entries in the extraction, andcharacteristic information indicating a characteristic of the communication extracted from the undetermined log information entries is output to the communication monitoring device in the output control so that the communication monitoring device detects a communication matching the characteristic information.

5. A communication monitoring system comprising:
- a communication monitoring device that monitors communications in a network that connects to a wide area network that is accessible by at least one of an attacker terminal, a malware distribution server, and a malicious server; and
  
  an extraction criterion determination apparatus that is connected to the wide area network,the extraction criterion determination apparatus including;
  
  a memory that stores an extraction criterion in which a criterion used to extract a malignant communication from log information entries of the communications is defined; and
  
  processing circuitry configured tocollect a log information entry from the communication monitoring device, the log information entry being log information of a communication in a predetermined period of time, the log information entry being determined to be the malignant communication;
  
  analyze respective communication source addresses in the collected log information entries;
  
  generate analysis information including a plurality of statistical values, for each respective communication source address, which include at least a number of communications, a statistic related to a communication interval, and a statistic related to an amount of traffic of communications;
  
  extract a communication satisfying the criterion from the collected log information entries with reference to the memory, the criterion being one of a plurality of criteria that is based on the plurality of statistical values;
  
  determine to adopt the extraction criterion when a ratio of a number of malignant communications to the extracted communications is larger than or equal to a threshold; and
  
  perform a control to output the adopted extraction criterion which is applied for identifying future communications as malignant.
- View Dependent Claims (6)
- - 6. The communication monitoring system according to claim 5, whereinthe processing circuitrycollects an undetermined log information entry that has not been determined to be the malignant communication as the log information entry,extracts a communication satisfying the criterion from the undetermined log information entries,outputs characteristic information indicating a characteristic of the communication extracted from the undetermined log information entries to the communication monitoring device, anddetects a communication matching the output characteristic information from the communications in the network.

7. An extraction criterion determination apparatus that is configured to connect to a wide area network comprising:
- a memory that stores an extraction criterion in which a criterion used to extract a malignant communication from log information entries of communications is defined; and
  
  processing circuitry configured tocollect a log information entry, the log information entry being log information of a communication in a predetermined period of time, the log information entry being determined to be the malignant communication, the log information entry being obtained from a communication monitoring device configured to collect the log information entry in a network that connects to the wide area network, wherein the wide area network is accessible by at least one of an attacker terminal, a malware distribution server, and a malicious server;
  
  analyze respective communication source addresses in the collected log information entries;
  
  generate analysis information including a plurality of statistical values, for each respective communication source address, which include at least a number of communications, a statistic related to a communication interval, and a statistic related to an amount of traffic of communications;
  
  extract a communication satisfying the criterion from the collected log information entries with reference to the memory, the criterion being one of a plurality of criteria that is based on the plurality of statistical values;
  
  determine to adopt the extraction criterion when a ratio of a number of malignant communications to the extracted communications is larger than or equal to a threshold; and
  
  perform a control to output the adopted extraction criterion which is applied for identifying future communications as malignant.

8. A non-transitory computer-readable recording medium having stored an extraction criterion determination program for causing an extraction criterion determination apparatus that is connected to a wide area network to execute a process comprising:
- collecting a log information entry of a communication performed in a predetermined period of time, the log information entry being determined to be a malignant communication, the log information entry being obtained from a communication monitoring device configured to collect the log information entry in a network that connects to the wide area network, wherein the wide area network is accessible by at least one of an attacker terminal, a malware distribution server, and a malicious server;
  
  analyzing respective communication source addresses in the collected log information entries;
  
  generating analysis information including a plurality of statistical values, for each respective communication source address, which include at least a number of communications, a statistic related to a communication interval, and a statistic related to an amount of traffic of communications;
  
  extracting a communication satisfying a criterion from the analysis information with reference to a memory storing an extraction criterion, the criterion being used to extract the malignant communication from the log information entries, the criterion being defined in the extraction criterion, the criterion being one of a plurality of criteria that is based on the plurality of statistical values;
  
  determining to adopt the extraction criterion when a ratio of a number of malignant communications to the extracted communications is larger than or equal to a threshold; and
  
  performing a control to output the adopted extraction criterion which is applied for identifying future communications as malignant.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nippon Telegraph and Telephone Corporation
Original Assignee
Nippon Telegraph and Telephone Corporation
Inventors
Yagi, Takeshi, Chiba, Daiki, Kamiya, Kazunori, Sato, Tohru, Nakata, Kensuke
Primary Examiner(s)
Naghdali, Khalil

Application Number

US15/120,970
Publication Number

US 20160366171A1
Time in Patent Office

1,485 Days
Field of Search

726 23
US Class Current
CPC Class Codes

G06F 21/563   by source code analysis

G06F 2221/2101   Auditing as a secondary aspect

H04L 12/6418   Hybrid transport

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

H04L 63/1458   Denial of Service

Extraction criterion determination method, communication monitoring system, extraction criterion determination apparatus and extraction criterion determination program

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

17 Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Extraction criterion determination method, communication monitoring system, extraction criterion determination apparatus and extraction criterion determination program

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links