Attack node set determination apparatus and method, information processing device, attack dealing method, and program

US 20100050260A1
Filed: 08/10/2009
Published: 02/25/2010
Est. Priority Date: 08/25/2008
Status: Abandoned Application

First Claim

Patent Images

1. An attack node set determination apparatus communicably coupled to an information processing device for outputting an event log created upon a passage or a reach of a packet, comprising:

a storage unit of event information for storing therein basic item information extracted from an event log obtained from the information processing device and attribute information newly created based on the basic item information as an event;

a storage unit of policy information for storing therein a distance function each assigned to respective items of the basic item information and the attribute information, a filter for extracting a specific event from the event information, an evaluation formula for computing a degree of similarity of characteristics among events, and a threshold associated with the filter condition and the evaluation formula; and

a computing unit for referencing the policy information of the storage unit, performing a clustering on an item of the event extracted by recording the event information read from the storage unit during a prescribed period of time or by applying the filter to a prescribed number of recorded events, based on the distance function corresponding to the item, creating a cluster having events with characteristics similar to each other, computes the degree of similarity of characteristics in the cluster as the evaluation value of the cluster, and, if the evaluation value of the cluster is more than the threshold, determining the cluster as a cluster having the similar characteristics events.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An attack node set determination apparatus obtains an event log basic parameter extracted from collected event logs and attribute information based on the event log basic parameter. The attack node set determination apparatus performs a clustering on a space having dimensions of part or all of the obtained attribute information and event log basic parameter, computes a cluster, and transmits information on the cluster and a countermeasure against the cluster to a firewall. Upon detecting an attack packet from an attack node set, the firewall identifies a cluster including the attack packet and conducts a countermeasure against the whole identified cluster.

Citations

18 Claims

1. An attack node set determination apparatus communicably coupled to an information processing device for outputting an event log created upon a passage or a reach of a packet, comprising:
- a storage unit of event information for storing therein basic item information extracted from an event log obtained from the information processing device and attribute information newly created based on the basic item information as an event;
  
  a storage unit of policy information for storing therein a distance function each assigned to respective items of the basic item information and the attribute information, a filter for extracting a specific event from the event information, an evaluation formula for computing a degree of similarity of characteristics among events, and a threshold associated with the filter condition and the evaluation formula; and
  
  a computing unit for referencing the policy information of the storage unit, performing a clustering on an item of the event extracted by recording the event information read from the storage unit during a prescribed period of time or by applying the filter to a prescribed number of recorded events, based on the distance function corresponding to the item, creating a cluster having events with characteristics similar to each other, computes the degree of similarity of characteristics in the cluster as the evaluation value of the cluster, and, if the evaluation value of the cluster is more than the threshold, determining the cluster as a cluster having the similar characteristics events.

2. An attack node set determination apparatus using an event log created upon a passage or a reach of a packet, comprising:
- a computing unit; and
  
  a storage unit,wherein the storage unit stores therein filter information for extracting a specific event from among obtained event logs, a threshold associated with the filter information, and a countermeasure against a packet having the extracted specific event, andwherein the computing unitextracts an event to be subject to a clustering by filtering the event logs obtained during a prescribed period of time or obtained until the number thereof reaches a prescribed number, using the filter information,extracts basic item information written in the extracted event,obtains information on a node related to an IP address included in the basic item information, as first attribute information,breaks down the IP address in a prescribed manner and computes the broken down IP address as second attribute information,performs a clustering on a space having dimensions of part or all of the items in the basic item information, first attribute information, and second attribute information and computes a cluster appearing to have events with similar characteristics to each other,computes a degree of similarity of characteristics of the events in the cluster as an evaluation value of the cluster,compares the evaluation value of the cluster to the threshold associated with the filter information and determines whether or not the cluster is regarded to have events with similar characteristics,references, upon detecting a packet having the specific event, the information related to the cluster regarded to have the events with similar characteristics and identifies in which cluster the packet is included, andapplies the countermeasure to a packet corresponding to the cluster identified to include the packet having the specific event.
- View Dependent Claims (3, 4, 5, 6, 7)
- - 3. The attack node set determination apparatus according to claim 2,wherein the storage unit further stores a countermeasure to deal with an unauthorized access, andwherein the computing unit furtherreferences, upon detecting a packet related to the unauthorized access, information related to the cluster regarded to have the similar characteristics events, and identifies in which cluster the packet is included, andapplies the countermeasure to a packet corresponding to the cluster identified to include the packet having the specific event.
  - 4. The attack node set determination apparatus according to claim 2,wherein the computing unit obtains the first attribute information by transmitting a check packet capable of obtaining information on a node as a target, to the node.
  - 5. The attack node set determination apparatus according to claim 2,wherein the computing unit performs a clustering on a space having dimensions of respective items of the basic item information, the first attribute information, and the second attribute information in which a distance between two points is weighed in a prescribed manner for each item.
  - 6. The attack node set determination apparatus according to claim 2,wherein the evaluation value of the cluster is computed from any one or a combination thereof from among a ratio of events included in the computed cluster, the number of events, a variance value included in the cluster, and an average of a distance between a centroid of the cluster and an event included in the cluster.
  - 7. The attack node set determination apparatus according to claim 2,wherein the countermeasure is any one of a warning notice, bandwidth control, and packet filter.

8. An attack node set determination apparatus capable of outputting an event log created upon a passage or a reach of a packet and communicably coupled to an information processing device for conducting a countermeasure against an unauthorized access, comprising:
- a computing unit; and
  
  a storage unit,wherein the storage unit stores therein filter information for extracting a specific event from among obtained event logs, a threshold associated with the filter information, and a countermeasure against a packet having the extracted specific event, andwherein the computing unit extracts an event to be subject to a clustering by filtering event logs obtained during a prescribed period of time, extracts basic item information written in the extracted event, obtains information on a node related to an IP address included in the basic item information, as first attribute information, breaks down the IP address into octets, and computes the broken down IP address as second attribute information,performs a clustering on a space having dimensions of part or all of the items in the basic item information, first attribute information, and second attribute information and computes a cluster appearing to have events with similar characteristics to each other,computes a degree of similarity of characteristics of the events in the cluster as an evaluation value of the cluster,compares the evaluation value of the cluster to a threshold corresponding to the filter information and determines whether or not the cluster is regarded to have events with similar characteristics, andtransmits information related to the cluster regarded to have the events with similar characteristics and a countermeasure to deal with the unauthorized access corresponding to the cluster, to the information processing device.
- View Dependent Claims (9, 10, 11)
- - 9. The attack node set determination apparatus according to claim 8,wherein the information related to the cluster transmitted to the information processing device and regarded to have the similar characteristics includes the filter information, the basic item information used in performing the clustering, the first attribute information, and the second information.
  - 10. An information processing device communicably coupled to the attack node set determination apparatus according to claim 8, comprising:
    - a computing unit; and
      
      a storage unit,wherein the storage unit of the information processing device stores therein the basic item information, the first attribute information, and the second attribute information, each of which is included in the received cluster regarded to have the similar characteristics events, as well as a countermeasure against a packet corresponding to the cluster, andwherein the computing unit of the information processing device,transmits, upon detecting a packet related to an unauthorized access, a check packet to each of an unauthorized access source and a node as an unauthorized access destination, obtains the first attribute information of the node, compares basic item information, first attribute information, and second attribute information of the packet, to the basic item information, the first attribute information, and the second attribute information stored in the storage unit of the information processing device, respectively, and determines in which cluster the node is included, and,if the cluster is identified, applies the countermeasure to a packet corresponding to the cluster.
  - 11. An information processing device communicably coupled to the attack node set determination apparatus according to claim 8, comprising:
    - a computing unit; and
      
      a storage unit,wherein the storage unit of the information processing device stores therein the basic item information, the first attribute information, and the second attribute information, each of which is included in the received cluster regarded to have the similar characteristics events, as well as a countermeasure against a packet corresponding to the cluster, andwherein the computing unit of the information processing device,transmits, upon detecting a packet related to an unauthorized access, a check packet to each of an unauthorized access source and a node as an unauthorized access destination, obtains the first attribute information of the node, compares basic item information, first attribute information, and second attribute information of the packet, to the basic item information, the first attribute information, and the second attribute information stored in the storage unit of the information processing device, respectively, and determines in which cluster the node is included, and,if the cluster is identified, applies the countermeasure to a packet corresponding to an IP address included in the cluster.

12. An attack node set determination method used in an attack node set determination apparatus for creating an event log created upon a passage or a reach of a packet and conducts a countermeasure against an unauthorized access, the attack node set determination apparatus comprising:
- a computing unit; and
  
  a storage unit,wherein the storage unit stores therein filter information for extracting a specific event from among obtained event logs, a threshold associated with the filter information, and a countermeasure against a packet having the extracted specific event, andwherein the computing unitextracts an event to be subject to a clustering by filtering the event logs obtained during a prescribed period of time or obtained until the number thereof reaches a prescribed number, using the filter information, extracts basic item information written in the extracted event, obtains information on a node related to an IP address included in the basic item information, as first attribute information, breaks down the IP address in a prescribed manner and computes the broken down IP address as second attribute information,performs a clustering on a space having dimensions of part or all of the items in the basic item information, first attribute information, and second attribute information andcomputes a cluster appearing to have events with similar characteristics to each other, computes a degree of similarity of characteristics of the events in the cluster as an evaluation value of the cluster,compares the evaluation value of the cluster to the threshold associated with the filter information and determines whether or not the cluster is regarded to have events with similar characteristics,references, upon detecting a packet having the specific event, the information related to the cluster regarded to have the events with similar characteristics and identifies in which cluster the packet is included, andapplies the countermeasure to a packet corresponding to the cluster identified to include the packet having the specific event.
- View Dependent Claims (13, 14)
- - 13. The attack node set determination method according to claim 12,wherein the evaluation value of the cluster is computed from any one or a combination thereof from among a ratio of events included in the computed cluster, the number of events, a variance value included in the cluster, and an average of a distance between a centroid of the cluster and an event included in the cluster.
  - 14. The attack node set determination method according to claim 12,wherein the countermeasure is any one of a warning notice, bandwidth control, and packet filter.

15. An attack node set determination method used in an attack node set determination capable of outputting an event log created upon a passage or a reach of a packet and communicably coupled to an information processing device for conducting a countermeasure against an unauthorized access, the attack node set determination apparatus comprising:
- a computing unit; and
  
  a storage unit,wherein the storage unit stores therein filter information for extracting a specific event from among obtained event logs, a threshold associated with the filter information, and a countermeasure against a packet having the extracted specific event, andwherein the computing unit extracts an event as a target to be subject to a clustering by filtering event logs obtained during a prescribed period of time using the filter information, extracts basic item information written in the extracted event, obtains information on a node related to an IP address included in the basic item information, as first attribute information, breaks down the IP address into octets, and computes the broken down IP address as second attribute information,performs a clustering on a space having dimensions of part or all of the items in the basic item information, first attribute information, and second attribute information and computes a cluster appearing to have events with similar characteristics to each other,computes a degree of similarity of characteristics of the events in the cluster as an evaluation value of the cluster,compares the evaluation value of the cluster to a threshold corresponding to the filter information and determines whether or not the cluster is regarded to have events with similar characteristics, andtransmits information related to the cluster regarded to have the events with similar characteristics and a countermeasure to deal with the unauthorized access corresponding to the cluster, to the information processing device.
- View Dependent Claims (16, 17, 18)
- - 16. The attack node set determination method according to claim 15,wherein the information related to the cluster transmitted to the information processing device and regarded to have the similar characteristics includes the filter information, the basic item information used in performing the clustering, the first attribute information, and the second information.
  - 17. An attack dealing method used in an information processing device communicably coupled to the attack node set determination apparatus according to claim 15, the information processing device comprising:
    - a computing unit; and
      
      a storage unit,wherein the storage unit of the information processing device stores therein the basic item information, the first attribute information, and the second attribute information, each of which is included in the received cluster regarded to have the similar characteristics events, as well as a countermeasure against a packet corresponding to the cluster, andwherein the computing unit of the information processing device,transmits, upon detecting a packet related to an unauthorized access, a check packet to each of an unauthorized access source and a node as an unauthorized access destination, obtains the first attribute information of the node, compares basic item information, first attribute information, and second attribute information of the packet, to the basic item information, the first attribute information, and the second attribute information stored in the storage unit of the information processing device, respectively, and determines in which cluster the node is included, and,if the cluster is identified, applies the countermeasure to a packet corresponding to the cluster.
  - 18. An attack dealing method used in an information processing device communicably coupled to the attack node set determination apparatus according to claim 15, the information processing device comprising:
    - a computing unit; and
      
      a storage unit,wherein the storage unit of the information processing device stores therein the basic item information, the first attribute information, and the second attribute information, each of which is included in the received cluster regarded to have the similar characteristics events, as well as a countermeasure against a packet corresponding to the cluster, andwherein the computing unit of the information processing device,transmits, upon detecting a packet related to an unauthorized access, a check packet to each of an unauthorized access source and a node as an unauthorized access destination, obtains the first attribute information of the node, compares basic item information, first attribute information, and second attribute information of the packet, to the basic item information, the first attribute information, and the second attribute information stored in the storage unit of the information processing device, respectively, and determines in which cluster the packet is included, and,if the cluster is identified, applies the countermeasure to a packet corresponding to an IP address included in the cluster.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi Information Systems Limited (Hitachi, Ltd.)
Original Assignee
Hitachi Information Systems Limited (Hitachi, Ltd.)
Inventors
Kito, Tetsuro, Tankyo, Shinichi, Kaine, Isao, Nakakoji, Hirofumi, Terada, Masato

Application Number

US12/461,363
Publication Number

US 20100050260A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 2463/144   Detection or countermeasure...

H04L 63/0227   Filtering policies mail mes...

H04L 63/1425   Traffic logging, e.g. anoma...

Attack node set determination apparatus and method, information processing device, attack dealing method, and program

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Attack node set determination apparatus and method, information processing device, attack dealing method, and program

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links