Attack node set determination apparatus and method, information processing device, attack dealing method, and program
First Claim
1. An attack node set determination apparatus communicably coupled to an information processing device for outputting an event log created upon a passage or a reach of a packet, comprising:
a storage unit of event information for storing therein basic item information extracted from an event log obtained from the information processing device and attribute information newly created based on the basic item information as an event;
a storage unit of policy information for storing therein a distance function each assigned to respective items of the basic item information and the attribute information, a filter for extracting a specific event from the event information, an evaluation formula for computing a degree of similarity of characteristics among events, and a threshold associated with the filter condition and the evaluation formula; and
a computing unit for referencing the policy information of the storage unit, performing a clustering on an item of the event extracted by recording the event information read from the storage unit during a prescribed period of time or by applying the filter to a prescribed number of recorded events, based on the distance function corresponding to the item, creating a cluster having events with characteristics similar to each other, computing the degree of similarity of characteristics in the cluster as the evaluation value of the cluster, and, if the evaluation value of the cluster is more than the threshold, determining the cluster as a cluster having the similar characteristics events.
Abstract
An attack node set determination apparatus obtains an event log basic parameter extracted from collected event logs and attribute information based on the event log basic parameter. The attack node set determination apparatus performs a clustering on a space having dimensions of part or all of the obtained attribute information and event log basic parameter, computes a cluster, and transmits information on the cluster and a countermeasure against the cluster to a firewall. Upon detecting an attack packet from an attack node set, the firewall identifies a cluster including the attack packet and conducts a countermeasure against the whole identified cluster.
18 Claims
2. An attack node set determination apparatus using an event log created upon a passage or a reach of a packet, comprising:
a computing unit; and a storage unit, wherein the storage unit stores therein filter information for extracting a specific event from among obtained event logs, a threshold associated with the filter information, and a countermeasure against a packet having the extracted specific event, and wherein the computing unit extracts an event to be subject to a clustering by filtering the event logs obtained during a prescribed period of time or obtained until the number thereof reaches a prescribed number, using the filter information, extracts basic item information written in the extracted event, obtains information on a node related to an IP address included in the basic item information, as first attribute information, breaks down the IP address in a prescribed manner and computes the broken down IP address as second attribute information, performs a clustering on a space having dimensions of part or all of the items in the basic item information, first attribute information, and second attribute information and computes a cluster appearing to have events with similar characteristics to each other, computes a degree of similarity of characteristics of the events in the cluster as an evaluation value of the cluster, compares the evaluation value of the cluster to the threshold associated with the filter information and determines whether or not the cluster is regarded to have events with similar characteristics, references, upon detecting a packet having the specific event, the information related to the cluster regarded to have the events with similar characteristics and identifies in which cluster the packet is included, and applies the countermeasure to a packet corresponding to the cluster identified to include the packet having the specific event. (Dependent claims: 3, 4, 5, 6, 7.)
8. An attack node set determination apparatus capable of outputting an event log created upon a passage or a reach of a packet and communicably coupled to an information processing device for conducting a countermeasure against an unauthorized access, comprising:
a computing unit; and a storage unit, wherein the storage unit stores therein filter information for extracting a specific event from among obtained event logs, a threshold associated with the filter information, and a countermeasure against a packet having the extracted specific event, and wherein the computing unit extracts an event to be subject to a clustering by filtering event logs obtained during a prescribed period of time, extracts basic item information written in the extracted event, obtains information on a node related to an IP address included in the basic item information, as first attribute information, breaks down the IP address into octets, and computes the broken down IP address as second attribute information, performs a clustering on a space having dimensions of part or all of the items in the basic item information, first attribute information, and second attribute information and computes a cluster appearing to have events with similar characteristics to each other, computes a degree of similarity of characteristics of the events in the cluster as an evaluation value of the cluster, compares the evaluation value of the cluster to a threshold corresponding to the filter information and determines whether or not the cluster is regarded to have events with similar characteristics, and transmits information related to the cluster regarded to have the events with similar characteristics and a countermeasure to deal with the unauthorized access corresponding to the cluster, to the information processing device. (Dependent claims: 9, 10, 11.)
12. An attack node set determination method used in an attack node set determination apparatus for creating an event log created upon a passage or a reach of a packet and conducting a countermeasure against an unauthorized access, the attack node set determination apparatus comprising:
a computing unit; and a storage unit, wherein the storage unit stores therein filter information for extracting a specific event from among obtained event logs, a threshold associated with the filter information, and a countermeasure against a packet having the extracted specific event, and wherein the computing unit extracts an event to be subject to a clustering by filtering the event logs obtained during a prescribed period of time or obtained until the number thereof reaches a prescribed number, using the filter information, extracts basic item information written in the extracted event, obtains information on a node related to an IP address included in the basic item information, as first attribute information, breaks down the IP address in a prescribed manner and computes the broken down IP address as second attribute information, performs a clustering on a space having dimensions of part or all of the items in the basic item information, first attribute information, and second attribute information and computes a cluster appearing to have events with similar characteristics to each other, computes a degree of similarity of characteristics of the events in the cluster as an evaluation value of the cluster, compares the evaluation value of the cluster to the threshold associated with the filter information and determines whether or not the cluster is regarded to have events with similar characteristics, references, upon detecting a packet having the specific event, the information related to the cluster regarded to have the events with similar characteristics and identifies in which cluster the packet is included, and applies the countermeasure to a packet corresponding to the cluster identified to include the packet having the specific event. (Dependent claims: 13, 14.)
15. An attack node set determination method used in an attack node set determination apparatus capable of outputting an event log created upon a passage or a reach of a packet and communicably coupled to an information processing device for conducting a countermeasure against an unauthorized access, the attack node set determination apparatus comprising:
a computing unit; and a storage unit, wherein the storage unit stores therein filter information for extracting a specific event from among obtained event logs, a threshold associated with the filter information, and a countermeasure against a packet having the extracted specific event, and wherein the computing unit extracts an event as a target to be subject to a clustering by filtering event logs obtained during a prescribed period of time using the filter information, extracts basic item information written in the extracted event, obtains information on a node related to an IP address included in the basic item information, as first attribute information, breaks down the IP address into octets, and computes the broken down IP address as second attribute information, performs a clustering on a space having dimensions of part or all of the items in the basic item information, first attribute information, and second attribute information and computes a cluster appearing to have events with similar characteristics to each other, computes a degree of similarity of characteristics of the events in the cluster as an evaluation value of the cluster, compares the evaluation value of the cluster to a threshold corresponding to the filter information and determines whether or not the cluster is regarded to have events with similar characteristics, and transmits information related to the cluster regarded to have the events with similar characteristics and a countermeasure to deal with the unauthorized access corresponding to the cluster, to the information processing device. (Dependent claims: 16, 17, 18.)
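The abstract and the independent claims above describe one procedure: filter event logs with policy information, extract the basic item (here the source IP), derive a first attribute (node information for that IP) and a second attribute (the IP broken into octets), cluster events with a distance function assigned to each item, compute each cluster's evaluation value as the degree of similarity among its events, accept clusters whose value exceeds the threshold, and, when a later packet with the specific event arrives, identify its cluster and apply the countermeasure to the whole cluster. The following Python is an added example written for this page, not the patent's or any applicant's implementation. The key=value log format, the `NODE_INFO` table standing in for a node lookup, the octet weights, the single-linkage clustering, the `1/(1+distance)` similarity, and the `POLICY` values are all constructed assumptions; the patent leaves the concrete distance function and evaluation formula to the policy.

```python
"""Added example: attack node set determination over a constructed firewall log.

Not the patent's own code. Log format, node-info table, distance weights,
clustering rule, similarity formula and policy values are all assumptions.
"""
from itertools import combinations
from typing import Callable, Dict, List, Optional

# Constructed sample event log (hypothetical key=value firewall format).
EVENT_LOG = """\
2024-01-01T00:00:01 DENY src=198.51.100.10 dport=22 event=ssh-bruteforce
2024-01-01T00:00:02 DENY src=198.51.100.11 dport=22 event=ssh-bruteforce
2024-01-01T00:00:03 DENY src=198.51.100.12 dport=22 event=ssh-bruteforce
2024-01-01T00:00:04 DENY src=203.0.113.7 dport=22 event=ssh-bruteforce
2024-01-01T00:00:05 DENY src=203.0.113.9 dport=22 event=ssh-bruteforce
2024-01-01T00:00:06 ALLOW src=192.0.2.5 dport=443 event=http-get
2024-01-01T00:00:07 DENY src=192.0.2.200 dport=22 event=ssh-bruteforce
"""

# Constructed "first attribute" lookup: node information for an IP (an AS
# number keyed by /24 prefix). A deployment would consult WHOIS/routing data.
NODE_INFO: Dict[str, int] = {"198.51.100": 64500, "203.0.113": 64501, "192.0.2": 64502}

# Policy information: a distance function per item, a link distance used when
# forming clusters, the acceptance threshold, the filter and the countermeasure.
DISTANCE: Dict[str, Callable[[int, int], float]] = {
    "o1": lambda a, b: 8 * abs(a - b) / 255,  # high-order octets weigh more,
    "o2": lambda a, b: 4 * abs(a - b) / 255,  # so nearby address space clusters
    "o3": lambda a, b: 2 * abs(a - b) / 255,
    "o4": lambda a, b: 1 * abs(a - b) / 255,
    "asn": lambda a, b: 0.0 if a == b else 1.0,  # node info: same or not
}
POLICY = {
    "filter": lambda ev: ev["event"] == "ssh-bruteforce",
    "link_dist": 0.5,   # two events closer than this join one cluster
    "threshold": 0.9,   # mean in-cluster similarity needed to accept a cluster
    "countermeasure": "block",
}


def parse_event(line: str) -> dict:
    """Extract the basic items written in one log line."""
    ts, action, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": ts, "action": action, "src": fields["src"],
            "dport": int(fields["dport"]), "event": fields["event"]}


def features(src_ip: str) -> Dict[str, int]:
    """Second attribute: IP broken into octets; first attribute: node info."""
    octets = [int(x) for x in src_ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {src_ip!r}")
    o1, o2, o3, o4 = octets
    asn = NODE_INFO.get(f"{o1}.{o2}.{o3}", 0)  # 0 marks an unknown node
    return {"o1": o1, "o2": o2, "o3": o3, "o4": o4, "asn": asn}


def event_distance(u: Dict[str, int], v: Dict[str, int]) -> float:
    """Sum of the per-item distance functions from the policy."""
    return sum(fn(u[k], v[k]) for k, fn in DISTANCE.items())


def cluster_events(events: List[dict], link_dist: float) -> List[List[dict]]:
    """Single-linkage clustering: union-find over every event pair."""
    parent = list(range(len(events)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(events)), 2):
        if event_distance(events[i]["feat"], events[j]["feat"]) <= link_dist:
            parent[find(i)] = find(j)
    groups: Dict[int, List[dict]] = {}
    for i, ev in enumerate(events):
        groups.setdefault(find(i), []).append(ev)
    return list(groups.values())


def evaluate(cluster: List[dict]) -> float:
    """Evaluation value: mean pairwise similarity, similarity = 1/(1+distance)."""
    if len(cluster) < 2:
        return 0.0  # a lone event is not a node *set*
    sims = [1.0 / (1.0 + event_distance(a["feat"], b["feat"]))
            for a, b in combinations(cluster, 2)]
    return sum(sims) / len(sims)


def build_attack_node_sets(log: str, policy: dict) -> List[dict]:
    """Filter, attribute, cluster, score, and keep clusters above the threshold."""
    events = [parse_event(line) for line in log.splitlines() if line.strip()]
    events = [dict(ev, feat=features(ev["src"])) for ev in events if policy["filter"](ev)]
    accepted = []
    for cluster in cluster_events(events, policy["link_dist"]):
        score = evaluate(cluster)
        if score > policy["threshold"]:
            accepted.append({"members": [ev["src"] for ev in cluster],
                             "feats": [ev["feat"] for ev in cluster], "score": score})
    return accepted


def respond(src_ip: str, node_sets: List[dict], policy: dict) -> Optional[dict]:
    """On a new packet with the specific event, find its cluster and act on all of it."""
    feat = features(src_ip)
    for ns in node_sets:
        if min(event_distance(feat, f) for f in ns["feats"]) <= policy["link_dist"]:
            return {"cluster": ns["members"], "action": policy["countermeasure"]}
    return None  # not part of any accepted attack node set


if __name__ == "__main__":
    sets = build_attack_node_sets(EVENT_LOG, POLICY)
    for ns in sets:
        print(f"score={ns['score']:.3f} members={ns['members']}")
    print(respond("198.51.100.77", sets, POLICY))
```

With the constructed log, the three 198.51.100.0/24 sources and the two 203.0.113.0/24 sources form two accepted clusters, while the lone 192.0.2.200 event stays a singleton with evaluation value 0 and is never acted on. A later packet from 198.51.100.77 falls within the link distance of the first cluster, so the block applies to every member of that cluster, which is the point of the patent's "countermeasure against the whole identified cluster"; the trade-off a defender tunes is the link distance and threshold, since a loose link distance sweeps unrelated addresses from the same /24 into the same countermeasure.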