JP5752642B2 - Monitoring device and monitoring method - Google Patents

Description

  The present invention relates to a monitoring apparatus and a monitoring method.

  Conventionally, many security incidents are caused by malware (a general term for malicious software such as computer viruses, worms, and bots), and techniques for preventing malware infection are provided by anti-virus vendors and the like. Although measures have been taken to prevent attack communication for unilateral infection from the external network to the internal network due to a fire fall, there are cases where it is not possible to prevent attacks that infect clients by accessing websites. there were.

  There are two types of malware infection via the Web: click download and drive-by download. Click download is an infection that occurs when a user downloads and executes a file without recognizing that the user is malware. This is done by creating a hyperlink to the malware program in the web page. When the user clicks on the hyperlink when accessing the web page, a dialog box asking whether to download and execute the program appears. When the user presses a button inside the dialog box indicating permission, the program (malware) is downloaded and executed. In other words, malware infection by click download has two characteristics: a hyperlink to a URL where malware is placed and user interaction (user operation).

  On the other hand, drive-by download downloads and executes malware by taking over control by attacking the vulnerability of the Web browser. An attack code for attacking the vulnerability of the Web browser and installing malware is set in the Web content in the Web site, and the Web browser can access the Web site. When the website is accessed by a vulnerable web browser, the malware is downloaded and executed without user interaction. Furthermore, there may be a site that performs automatic transfer to a Web site where an attack code is arranged.

  The role and relationship of each URL in click download and drive-by download will be described with reference to FIG. The entrance URL shown in FIG. 14 is a URL that is a starting point in malware infection. In the case of click download, there is a hyperlink to the malware distribution URL at the entrance URL. In the case of drive-by download, an automatic transfer code to another URL is included, a URL where an attack code is arranged (hereinafter referred to as “attack URL”), or a plurality of URLs between an entrance URL and an attack URL. In some cases, the platform URL is relayed. In addition, there is a case where the entrance URL is an attack URL (that is, the URL accessed first is the attack URL. The attack URL is described directly in the method of guiding the URL by describing it in the mail. is there). When the attack URL is accessed, control of the Web browser is taken, and then the malware distribution URL is forcibly accessed to download and install the malware program. Such a malicious URL network related to malware infection via the Web is called a malware distribution network.

  As illustrated in FIGS. 15 and 16, the relationship between the malicious URL groups in the malware distribution network is not necessarily one-to-one correspondence, and there may be a relationship among a plurality of malicious URLs. In order to detect such attacks such as malware infection via the Web, a technique called a honeypot has been proposed. Honeypots act as decoys posing as vulnerable terminals and lure attacks from attackers. In order to detect infection via the Web, a Web client honeypot has been proposed as a honeypot that operates as a Web browser.

  As a Web client honeypot technology, start a vulnerable Web browser, access the specified URL, modify the system, etc. (file system registry input / output, process startup not normally performed as a Web browser) There is known a technique for detecting (see, for example, Non-Patent Document 1). In addition, when automatic transfer occurs, it is possible to perform log output by associating the transfer source URL with the transfer destination URL, and further, from among the series of accessed URLs, the entrance URL, the step URL, the attack URL, and the malware distribution URL. A technique that can be determined is known (see, for example, Non-Patent Document 2).

  By the way, in such a malware distribution network, URLs do not correspond one-on-one. For example, there are cases where automatic transfer is performed from a plurality of entrance URLs to a common attack URL, and there are cases where the attack URL of the automatic transfer destination changes as time passes. Therefore, a technique for grasping unknown malicious URLs participating in the malware distribution network is required.

  For example, the search engine crawls the web space, analyzes the content, and finally returns a search query as a search result. At this time, it is analyzed what kind of text is described in the content and what URL a hyperlink is described. The former sentence is used for keyword search processing, and the latter hyperlink is used for a crawl target and a page rank. Therefore, in the search engine, connection relation information (Web graph) between URLs based on hyperlinks is held inside. A method for finding a malicious URL using this Web graph has been proposed (see Non-Patent Document 3, for example).

  In this method of discovering a malicious URL using the Web graph, when there is a certain known malware distribution URL, an unknown entrance URL that is hyperlinked to the URL can be traced from the Web graph. In addition, it is highly possible that the URL that is hyperlinked from the found entrance URL is an unknown malware distribution URL. In this way, the unknown malicious URL is discovered by tracing the known malicious URL from the Web graph held by the search engine as a starting point.

“Capture-HPC”, [online], [Search June 4, 2012], Internet <https://projects.honeynet.org/capture-hpc> Mitsuaki Akiyama, Makoto Iwamura, Yuhei Kawakoya, Kazufumi Aoki, Mitsutaka Itoh: Design and Implementation of High Interaction Client Honeypot for Drive-by-Download Attacks. IEICE Transactions E93-B (5): 1131-1139 (2010) Jack W. Stokes and Reid Andersen and Christian Seifert and Kumar Chellapilla, "WebCop: locating neighborhoods of malware on the web", USENIX LEET'10, 2010

  However, the technique for discovering a malicious URL using the above-described Web graph has a problem that an unknown malicious URL cannot be properly found. Specifically, the technology for discovering malicious URLs using a Web graph is based on the connection relationship between URLs connected by hyperlinks, so only malicious URLs related to click download can be found. Since the malicious URL related to the drive-by download is out of scope, the unknown malicious URL cannot be properly found for the malicious URL related to the drive-by download. In addition, since the Web graph held internally by the search engine can basically refer only to the search engine provider, other than the search engine provider cannot refer to the Web graph, and appropriately find an unknown malicious URL. I could not.

  Therefore, the present invention has been made to solve the above-described problems of the prior art, and an object thereof is to appropriately find an unknown malicious URL and appropriately monitor access to the malicious URL. .

  In order to solve the above-described problems and achieve the object, the monitoring apparatus uses an entrance URL, which is a URL accessed first when the client apparatus accesses the URL of the site provided by the server apparatus, and the entrance URL. Then, a storage unit that stores a set of an access destination URL that is a URL of a site to be finally accessed, and a URL that matches a known malicious URL among the entrance URL or the access destination URL stored in the storage unit is If there is a pair of an entrance URL and an access destination URL where a URL that matches a known malicious URL exists, the pair of the entrance URL and the access destination URL is set as a pair of malicious URLs. The client device accesses the entrance URL of the combination of the detection unit to detect and the malicious URL detected by the detection unit. And having a monitoring unit for monitoring.

  The monitoring method is a monitoring method executed by the monitoring device, and the monitoring device includes an entrance URL that is a URL accessed first when the client device accesses a URL of a site provided by the server device. A storage unit that stores a pair with an access destination URL that is a URL of a site that is finally accessed by the entrance URL, and among the entrance URL or the access destination URL stored in the storage unit, a known malicious URL and If there is a pair of an entrance URL and an access destination URL where there is a URL that matches a known malicious URL, the pair of the entrance URL and the access destination URL is determined to be malignant. A detection process for detecting as a set of URLs, and a client for an entrance URL of a malignant URL set detected by the detection process Characterized in that it includes a monitoring step of monitoring the location is accessed, the.

  The monitoring device and the monitoring method disclosed in the present application have an effect of appropriately discovering an unknown malicious URL and appropriately monitoring access to the malicious URL.

FIG. 1 is a diagram illustrating an example of the overall configuration of a communication system according to the first embodiment. FIG. 2 is a block diagram illustrating an example of the configuration of the monitoring device according to the first embodiment. FIG. 3 is a diagram illustrating an example of data stored in the connection relationship storage unit. FIG. 4 is a diagram illustrating an example of data stored in the malicious URL list storage unit. FIG. 5 is a diagram illustrating an example of data stored in the monitoring target URL storage unit. FIG. 6 is a diagram for explaining processing for detecting an unknown malicious URL from a comparison between the malicious URL and the user's access destination URL. FIG. 7 is a diagram for explaining processing for detecting an unknown malicious URL in drive-by download. FIG. 8 is a diagram for explaining processing for detecting an unknown malicious URL in click download. FIG. 9 is a flowchart for explaining an example of the flow of processing by the monitoring apparatus according to the first embodiment. FIG. 10 is a diagram for explaining an example of the overall configuration of a communication system when a client and a monitoring device are connected. FIG. 11 is a diagram illustrating an example of the overall configuration of a communication system when a monitoring device is included in a gateway. FIG. 12 is a diagram illustrating an example of the overall configuration of a communication system when a monitoring device is included in a client. FIG. 13 is a diagram illustrating a computer that executes a monitoring program. FIG. 14 is a diagram for explaining click download and drive-by download. FIG. 15 is a diagram for explaining the relationship between malicious URLs in click download. FIG. 16 is a diagram for explaining the relationship between malicious URLs in drive-by download.

  Hereinafter, embodiments of a monitoring apparatus and a monitoring method according to the present application will be described in detail with reference to the drawings. Note that the monitoring device and the monitoring method according to the present application are not limited by this embodiment.

[First embodiment]
In the following embodiments, the configuration of the communication system according to the first embodiment, the configuration of the monitoring device, and the flow of processing will be described in order, and finally the effects of the first embodiment will be described.

[Configuration of Communication System According to First Embodiment]
First, a communication system 100 according to the first embodiment will be described with reference to FIG. FIG. 1 is a diagram for explaining an example of the overall configuration of a communication system 100 according to the first embodiment. The communication system 100 includes a monitoring device 10, a gateway 20, clients 30 </ b> A to 30 </ b> C, a server 40, and the Internet 50. The clients 30A to 30C and the server 40 communicate with each other via the gateway 20 and the Internet 50. Note that when a plurality of clients 30 </ b> A to 30 </ b> C are described without distinction, they are described as “client 30”.

  The monitoring device 10 transmits a packet communicated between the gateway 20 and the clients 30 </ b> A to 30 </ b> C from the gateway 20, specifies an access destination from the header information of the transmitted packet, and monitors access to the malicious URL. The detailed configuration and processing of the monitoring device 10 will be described later in detail with reference to FIG.

  The gateway 20 is a communication device that relays between clients 30A to 30C on the LAN (Local Area Network) and the Internet 50, and forwards packets communicated between the gateway 20 and the clients 30A to 30C. The packet is also transmitted to the monitoring device 10.

  The clients 30A to 30C are user terminals arranged in a specific LAN such as a company or a university. For example, the clients 30A to 30C access the URL by accessing the URL. In addition, although the example of FIG. 1 illustrates the case where the number of clients 30A to 30C is three, it is not limited to this, and may be two or less, or may be four or more. Good.

  The server 40 is a server device that provides various websites accessed by URL. In addition, in the example of FIG. 1, although the case where the server 40 is one is illustrated, it is not limited to this, Two or more may be sufficient.

[Configuration of monitoring device]
Next, the configuration of the monitoring apparatus 10 shown in FIG. 1 will be described with reference to FIG. FIG. 2 is a block diagram illustrating a configuration of the monitoring device according to the first embodiment. As illustrated in FIG. 2, the monitoring device 10 includes a communication control unit 11, a control unit 12, and a storage unit 13. The processing of each of these units will be described below.

  The communication control unit 11 controls communication related to various information exchanged with the connected gateway 20. For example, the communication control unit 11 receives a packet communicated between the clients 30 </ b> A to 30 </ b> C and the server 40 from the gateway 20.

  The storage unit 13 stores data and programs necessary for various types of processing by the control unit 12, and particularly those closely related to the present invention include a connection relationship storage unit 13a, a malicious URL list storage unit 13b, and a monitoring target URL. A storage unit 13c is provided.

  The connection relation storage unit 13a includes an entrance URL that is a URL that is first accessed when the client 30 accesses a URL of a site provided by the server 40, and a URL of a site that is finally accessed via the entrance URL. A pair with the access destination URL is stored. For example, the connection relationship (the combination of the entrance URL and the access destination URL) stored in the connection relationship storage unit 13a is information stored in advance, and is a communication packet performed between the client 30 and the server 40. This is information indicating the relationship between URLs specified using the request URL and resource URL included in the header information.

  Specifically, the connection relation storage unit 13a stores URL connection relations from a series of user Web accesses, and stores the entrance URL and the access destination URL in association with each other as illustrated in FIG. To do. For example, referring to the example of FIG. 3, the connection relationship storage unit 13 a stores the entrance URL “URL_E” and the access destination URL “URL_B” in association with each other. The information stored in the connection relationship storage unit 13a is information that is referred to by the detection unit 12a described later.

  The malicious URL list storage unit 13b stores a list in which known malicious URLs are listed. Specifically, as shown in FIG. 4, the malicious URL list storage unit 13b first accesses when accessing a known malicious URL, and the URL of the Web site where the attack code is arranged. Is stored in association with “attack URL”. For example, referring to the example of FIG. 4, the malicious URL list storage unit 13b stores the entrance URL “URL_A” and the attack URL “URL_B” in association with each other. The information stored in the malicious URL list storage unit 13b is information referred to by the detection unit 12a described later.

  The monitoring target URL storage unit 13c stores a malicious URL to be monitored. Specifically, the monitoring target URL storage unit 13c stores the “entrance URL” to be monitored and the “attack URL” that is the URL of the Web site where the attack code is arranged in association with each other. For example, referring to the example of FIG. 5, the monitoring target URL storage unit 13c stores the entrance URL “URL_A” and the attack URL “URL_B” in association with each other. The information stored in the monitoring target URL storage unit 13c is information that is referred to by the monitoring unit 12b described later.

  Further, the malicious URL that is the monitoring target stored in the monitoring target URL storage unit 13c can be deleted. For example, when the URL is no longer a malicious URL, the access prohibition can be removed by deleting the URL from the monitoring target URL storage unit 13c.

  The control unit 12 has an internal memory for storing a program that defines various processing procedures and necessary data, and performs various processes using them, and particularly as closely related to the present invention, It has a detection unit 12a and a monitoring unit 12b.

  The detection unit 12a checks whether there is a URL that matches a known malicious URL among the entrance URL or the access destination URL stored in the connection relationship storage unit 13a, and there is a URL that matches the known malicious URL. If there is a pair of the entrance URL and the access destination URL, the pair of the entrance URL and the access destination URL is detected as a malignant URL pair. Then, the detection unit 12a stores the detected set of malicious URLs in the monitoring target URL storage unit 13c.

  Here, a process for detecting an unknown malicious URL from collation between a URL stored in the connection relationship storage unit 13a and a known malicious URL will be described with reference to FIG. FIG. 6 is a diagram for explaining processing for detecting an unknown malicious URL from a comparison between the malicious URL and the user's access destination URL. The detection unit 12a searches for a relationship between the malicious URL in the malicious URL list storage unit 13b prepared in advance and the access destination URL acquired from the user's access to determine whether the malicious URL is included.

  As a result of the collation, if a malicious URL is included, a reference source URL is extracted if the malicious URL is an attack URL, and a reference destination URL is extracted if the malicious URL is an entrance URL. If the extracted URL is not stored in the malicious URL list storage unit 13b, an unknown malicious URL has been found.

  For example, in the example of FIG. 6, there is a set of access destination URLs “URL_B” and “URL_E” that matches the attack URL “URL_B”, and a set of “URL_B” and “URL_F”. The entrance URL “URL_E” and the entrance URL “URL_F” corresponding to “URL_B” are detected as unknown entrance URLs. Further, for example, in the example of FIG. 6, there is a set of entrance URLs “URL_C” and “URL_G” that matches the entrance URL “URL_C” for accessing a malicious URL, and the access destination corresponding to the entrance URL “URL_C”. The URL “URL_G” is detected as an unknown attack URL.

  In other words, the detection unit 12a identifies the relevance of the URL from a series of Web accesses of the user and collates it with a list of malignant URLs prepared in advance to identify the matching malignant URL. Unknown malignant URLs can be detected by chain finding related URLs.

  As a result, it is possible to detect unknown malicious URLs for both malicious URLs related to drive-by download and malicious URLs related to click download. For example, a malicious URL related to drive-by download is newly identified with each malicious URL (known entrance URL, known platform URL, known attack URL) in a known malware distribution network as shown in FIG. It is possible to grasp the relationship with each URL (unknown entrance URL, unknown platform URL, unknown attack URL) in the unknown malware distribution network.

  Further, for example, for malicious URLs related to click download, as shown in FIG. 8, each malicious URL (known entrance URL, known attack URL) in a known malware distribution network and newly identified unknown It is possible to grasp the relationship with each URL (unknown entrance URL, unknown attack URL) in the malware distribution network.

  Further, the detection unit 12a may store the detected set of malicious URLs in the malicious URL list storage unit 13b. That is, by storing the newly detected malicious URL in the malicious URL list storage unit 13b, the malicious URL stored in the malicious URL list storage unit 13b is updated, and the accuracy of the process for detecting the next unknown malicious URL is improved. It is possible to improve.

  Returning to the description of FIG. 2, the monitoring unit 12b monitors the client 30 accessing the entrance URL of the malicious URL set detected by the detection unit 12a. Then, when the monitoring unit 12b detects that the client 30 accesses the entrance URL of the malicious URL set detected by the detection unit 12a, the monitoring unit 12b controls to stop the access.

  The monitoring unit 12b may delete the URL from the monitoring target URL storage unit 13c when there is no malicious URL or there is a URL that is no longer malicious. By deleting URLs and the like that are no longer malignant from the monitoring target URL storage unit 13c, the access prohibition by the monitoring unit 12b can be released, and the monitoring target URL storage unit 13c can be appropriately updated.

[Processing by monitoring device]
Next, processing by the monitoring device 10 according to the first embodiment will be described with reference to FIG. FIG. 9 is a flowchart for explaining an example of the flow of processing by the monitoring apparatus according to the first embodiment.

  As illustrated in FIG. 9, when the detection unit 12a of the monitoring device 10 receives an unknown malicious URL detection instruction (Yes in step S101), the entrance URL or the access destination URL stored in the connection relationship storage unit 13a of the storage unit 13 Among these, it is checked whether there is a URL that matches a known malicious URL (step S102).

  As a result, the detection unit 12a detects a pair of an entrance URL and an access destination URL where a URL matching a known malicious URL exists as a malicious URL pair (step S103). Then, the detected malicious URL set is added to the monitoring target URL storage unit 13c (step S104).

  Thereafter, the monitoring unit 12b monitors that the client 30 accesses the entrance URL stored in the monitoring target URL storage unit 13c (step S105). Specifically, the monitoring unit 12b monitors that the client 30 accesses the entrance URL of the malicious URL set, and the client 30 accesses the entrance URL of the malicious URL set. Is detected, the access is stopped.

[Effects of the monitoring apparatus according to the first embodiment]
As described above, in the monitoring apparatus 10 according to the first embodiment, when the client 30 accesses the URL of the site provided by the server 40, the entrance URL that is the URL accessed first, and the entrance URL are A pair with the access destination URL, which is the URL of the site that is finally accessed via, is stored in the connection relation storage unit 13a. Then, the monitoring device 10 checks whether there is a URL that matches the known malicious URL among the entrance URL or the access destination URL stored in the connection relation storage unit 13a, and there is a URL that matches the known malicious URL. If there is a pair of the entrance URL and the access destination URL, the pair of the entrance URL and the access destination URL is detected as a malicious URL pair. Then, the monitoring device 10 monitors whether the client 30 accesses the entrance URL of the detected malicious URL set. As a result, an unknown malicious URL can be appropriately found from communication performed between the client 30 and the server 40, and access to the malicious URL can be appropriately monitored.

  The monitoring apparatus 10 according to the first embodiment further includes a malicious URL list storage unit 13b that stores known malicious URLs, and stores the detected malicious URL sets in the malicious URL list storage unit 13b. The malicious URL stored in the malicious URL list storage unit 13b is updated, and the accuracy of the process for detecting the unknown malicious URL next time can be improved.

  Further, according to the first embodiment, when it is detected that the client apparatus accesses the entrance URL of the detected malicious URL set, the access is stopped. This makes it possible to appropriately prohibit access to a malicious URL.

[Honeypot]
In the above-described embodiment, a case where a known malicious URL is stored in advance has been described. However, a Web client honeypot technique may be used to collect the malicious URL. The Web client honeypot is a decoy host that simulates a vulnerable Web browser, and automatically inspects the Web site to obtain attack information related to drive-by download (entry URL, attack URL, and relationship in drive-by download). Can be collected. In addition, Marionette, which is an existing technology, can download files by automatically clicking a hyperlink, so click download based on whether the downloaded file is determined to be malware by anti-virus software, etc. It is possible to collect the entrance URL, the malware distribution URL and the relationship thereof. By collecting these pieces of information in advance and comparing the entrance URL and the access destination URL, an unknown malicious URL can be found.

[Connections of monitoring devices, etc.]
In the above embodiment, the case where the monitoring device 10 is connected to the gateway 20 has been described. However, the present invention is not limited to this, and the monitoring device 10 may be connected to the client 30. Specifically, as shown in FIG. 10, the monitoring device 10 is connected to each of the client devices 30 </ b> A to 30 </ b> C arranged in a specific LAN, and between each client device 30 </ b> A to 30 </ b> C and the server 40. A packet to be communicated is received, and the communication of the client devices 30A to 30C is monitored.

  Moreover, although the case where the monitoring apparatus 10 was provided in the communication system 100 was demonstrated in the said embodiment, you may make it the apparatus in the communication system 100 have the function of the monitoring apparatus 10. FIG. For example, as illustrated in FIG. 11, the gateway 20 may have the same function as the monitoring device 10. Further, as illustrated in FIG. 12, each of the clients 30 </ b> A to 30 </ b> C may have the same function as the monitoring device 10. According to this, it is possible to appropriately find an unknown malicious URL from communication performed between the client 30 and the server 40 without newly providing the monitoring device 10 in the communication system 100.

[System configuration]
In addition, among the processes described in the above embodiment, all or part of the processes described as being automatically performed can be performed manually, or the processes described as being performed manually can be performed. All or a part can be automatically performed by a known method. In addition, the processing procedures, specific names, and information including various data and parameters shown in the document and drawings can be arbitrarily changed unless otherwise specified.

  Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. Can be integrated and configured.

[program]
In addition, it is possible to create a program in which processing executed by the monitoring apparatus 10 described in the above embodiment is described in a language that can be executed by a computer. For example, a monitoring program in which processing executed by the monitoring apparatus 10 according to the first embodiment is described in a language that can be executed by a computer can be created. In this case, when the computer executes the monitoring program, the same effect as in the above embodiment can be obtained. Further, the monitoring program may be recorded on a computer-readable recording medium, and the same processing as that in the first embodiment may be realized by recording the monitoring program on the recording medium and causing the computer to read and execute the monitoring program. Hereinafter, an example of a computer that executes a monitoring program that implements the same function as the monitoring device 10 illustrated in FIG. 2 will be described.

  FIG. 13 is a diagram illustrating a computer 1000 that executes a monitoring program. As illustrated in FIG. 13, the computer 1000 includes, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012 as illustrated in FIG. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1031 as illustrated in FIG. The disk drive interface 1040 is connected to the disk drive 1041 as illustrated in FIG. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive. The serial port interface 1050 is connected to a mouse 1051 and a keyboard 1052, for example, as illustrated in FIG. The video adapter 1060 is connected to a display 1061, for example, as illustrated in FIG.

  Here, as illustrated in FIG. 13, the hard disk drive 1031 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the above monitoring program is stored in, for example, the hard disk drive 1031 as a program module in which a command to be executed by the computer 1000 is described.

  The various data described in the above embodiment is stored as program data, for example, in the memory 1010 or the hard disk drive 1031. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1031 to the RAM 1012 as necessary, and executes various procedures.

  Note that the program module 1093 and the program data 1094 related to the monitoring program are not limited to being stored in the hard disk drive 1031, but may be stored in, for example, a removable storage medium and read out by the CPU 1020 via the disk drive or the like. Good. Alternatively, the program module 1093 and the program data 1094 related to the monitoring program are stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.), and via the network interface 1070. May be read by the CPU 1020.

DESCRIPTION OF SYMBOLS 10 Monitoring apparatus 11 Communication control part 12 Control part 12a Detection part 12b Monitoring part 13 Storage part 13a Connection relation storage part 13b Malignant URL list storage part 13c Monitoring object URL storage part 20 Gateway 30A-30C Client 40 Server 50 Internet 100 Communication system

Claims (4)

When the client device accesses the URL of the site provided by the server device, an entrance URL that is the URL accessed first, and an access destination URL that is the URL of the site that is finally accessed via the entrance URL A storage unit for storing the set;
A malicious URL list storage unit that stores a combination of an entrance URL and an attack URL in which an attack code is arranged as a known malicious URL;
Of the entrance URL or the access URL stored in the storage unit, a match is made with a URL that matches the known malicious URL stored in the malicious URL list storage unit, and the known malicious URL matches the attack URL. If the URL is a reference URL of the attack URL, the URL of the reference destination of the entrance URL is extracted if the matching known malicious URL is the entrance URL, and the extracted attack URL and reference are extracted. A detection unit that detects a set of original URLs or a set of extracted entrance URLs and reference URLs as a set of malicious URLs and stores the detected set of malicious URLs in the malicious URL list storage unit When,
A monitoring unit that monitors the client device accessing the entrance URL of the set of malicious URLs detected by the detection unit;
The monitoring apparatus characterized by having. Before Symbol detector monitoring device as claimed in claim 1, characterized in that to store the set of malignant URL detected in the malignant URL list storage unit.   The monitoring unit, when detecting that a client device accesses the entrance URL of a malicious URL set detected by the detection unit, stops the access. Or the monitoring apparatus of 2. A monitoring method executed by a monitoring device,
The monitoring device includes an entrance URL that is a URL that is first accessed when the client device accesses a URL of a site provided by the server device, and an access destination URL that is a URL of a site that is finally accessed by the entrance URL. a storage unit for storing a set of the,
A malicious URL list storage unit that stores a combination of an entrance URL and an attack URL in which an attack code is arranged as a known malicious URL ;
Of the entrance URL or the access URL stored in the storage unit, a match is made with a URL that matches the known malicious URL stored in the malicious URL list storage unit, and the known malicious URL matches the attack URL. If the URL is a reference URL of the attack URL, the URL of the reference destination of the entrance URL is extracted if the matching known malicious URL is the entrance URL, and the extracted attack URL and reference are extracted. A detection step of detecting an original URL set or an extracted entrance URL and reference destination URL set as a malicious URL set and storing the detected malicious URL set in the malicious URL list storage unit When,
A monitoring step of monitoring the client device accessing the entrance URL of the set of malicious URLs detected by the detection step;
The monitoring method characterized by including.

Images