JP6563872B2 - Communication system and communication method - Google Patents

Description

  The present invention relates to a communication system and a communication method.

  In corporate networks where many business terminals connect and communicate with internal and external terminals, security devices such as firewalls, IPS (Intrusion Prevention System), and IDS (Intrusion Detection System) are usually connected to external networks. To prevent internal terminals from being exposed to external threats.

  For example, when an internal terminal tries to download a known malware from an external network, the security device detects the download of the malware by looking for a match with the signature of the malware, and blocks the communication.

  Here, it is difficult to reliably prevent unknown malware from being downloaded by the security device. Therefore, in order to prevent infection from an internal terminal infected with malware to other internal terminals, it is important for security to monitor not only communication with the outside but also communication between internal terminals (hereinafter referred to as internal communication).

  To monitor internal communication, set mirroring to a switch on the network, copy packets that pass through the switch, or generate statistical information such as the number of packets and send it to collectors that exist in the network There is a need.

  Sending all internal communications in the network to the collector leads to an increase in the load on the switch and the bandwidth of the communication path. Therefore, some packets are usually sampled, copied and sent to the collector, or sampled. It is common to generate statistical information about a packet and send it to a collector. Note that packet sampling is performed by the techniques described in Non-Patent Document 1 and Non-Patent Document 2, for example.

  In addition, there is a dynamic analysis technique called a sandbox in order to prevent infection of internal terminals due to communication with the outside with higher accuracy.

  The sandbox is located on the mail server or web proxy server, and it operates the attached file of the mail received by the internal terminal or the file that the internal terminal intends to download on the web before transferring it to the internal terminal. Checks whether or not it behaves illegally. Here, when an illegal behavior is confirmed, the file is deleted without being transferred to the internal terminal.

Flexible NetFlow Configuration Guide Cisco IOS XE Release 3S, [Search July 14, 2016], Internet <URL: http://www.cisco.com/cisco/web/support/JP/docs/CIAN/IOSXE/ IOSXE3S / CG / 007 / fnetflow_overview_xe.html? Bid = 0900e4b182529dc2> OpenFlow Switch Specification Version 1.3.0 (Wire Protocol 0x04), [Search on July 14, 2016], Internet <URL: https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf- specifications / openflow / openflow-spec-v1.3.0.pdf>

  Here, when the internal communication is sampled and collected and analyzed by the collector as described above, since some information is lost due to the sampling, fraudulent acts of the internal terminal (for example, malware of other internal terminals) There is a risk of overlooking.

  For sandboxes, it takes time to inspect files. Therefore, it takes a considerable amount of time until the internal terminal can actually acquire the file, and the convenience of the user of the internal terminal may be reduced. Therefore, in order to improve the convenience of the user of the internal terminal, the file is transferred to the internal terminal before the inspection of the file in the sandbox is completed. There are also cases where ex-post measures such as isolation are taken. However, in such a case, there is a risk that an internal terminal infected with malware before the file inspection is completed spreads infection to other internal terminals.

  Therefore, the present invention aims to solve the above-mentioned problems and improve the convenience of the user of the internal terminal, while reducing the risk that an internal terminal infected with malware will spread infection to other internal terminals. To do.

  In order to solve the above-described problem, the present invention is a communication system including a server that transmits data to a terminal and a controller that enhances monitoring of packets transmitted and received by the terminal, and the server is connected to the terminal from the Internet. If the file includes a file, the file is transferred to an analysis device that performs file inspection by dynamic analysis, the data including the file is transferred to the terminal, and the file including identification information of the terminal When the inspection start notification is received, the controller enhances monitoring of packets transmitted / received by the terminal than before receiving the inspection start notification. .

  ADVANTAGE OF THE INVENTION According to this invention, the risk that the internal terminal infected with the malware will expand the infection to another internal terminal can be reduced, improving the convenience of the user of an internal terminal.

FIG. 1 is a diagram illustrating a configuration example of a communication system according to the first embodiment. FIG. 2 is a diagram illustrating a configuration example of the mail server in FIG. FIG. 3 is a diagram illustrating a configuration example of the controller of FIG. FIG. 4 is a sequence diagram illustrating an example of a processing procedure of the communication system in FIG. FIG. 5 is a diagram illustrating a configuration example of a communication system according to the second embodiment. FIG. 6 is a diagram illustrating a configuration example of the web proxy server of FIG. FIG. 7 is a sequence diagram illustrating an example of a processing procedure of the communication system in FIG. FIG. 8 is a diagram illustrating a configuration example of the mail gateway and the mail server. FIG. 9 is a diagram illustrating a computer that executes a program.

  Hereinafter, a form (embodiment) for carrying out the present invention will be described by dividing it into a first embodiment and a second embodiment with reference to the drawings.

[First Embodiment]
(Overview)
First, a configuration example and an outline of a communication system (system) according to the first embodiment will be described with reference to FIG. The communication system according to the first embodiment deals with malware intrusion by mail to the terminal 10.

  This communication system includes a terminal 10, a switch 20, a firewall 30, a sandbox (analysis device) 40, a mail server 50, a collector 60, and a controller 70. In the internal network, the terminal 10, the switch 20, the sandbox 40, the mail server 50, the collector 60, the controller 70 and the like are installed.

  The terminal 10 is a computer that communicates by connecting to the Internet via the switch 20 and the firewall 30. This computer is, for example, a personal computer. When the mail server 50 receives a mail addressed to the terminal 10 from the Internet or the like, the mail server 50 distributes the mail to the destination terminal 10.

  The switch 20 connects the devices and relays data between the devices. The switch 20 relays data between the terminal 10 connected to a physical port (port) and the Internet, for example. Further, the switch 20 samples a packet transmitted / received at each port based on an instruction from the controller 70 at a predetermined sampling rate, and transmits the sampled packet to the collector 60.

  The firewall 30 is installed at the boundary between the internal network and the Internet, and blocks communication determined to be unauthorized communication based on a predetermined standard.

  The sandbox 40 checks whether or not the file exhibits an illegal behavior by operating a file (program) received from the outside in a protected area. That is, the sandbox 40 performs a dynamic analysis on the file to inspect whether the file is malignant (malware) or benign (not malware).

  The mail server 50 distributes mail to the terminal 10. For example, when the mail server 50 receives a mail addressed to the terminal 10 from the Internet, the mail server 50 distributes the mail addressed to the terminal 10. In addition, when a file is attached to the mail addressed to the terminal 10, the mail server 50 transfers the file to the sandbox 40. Even when a file is attached to the mail addressed to the terminal 10, the mail server 50 delivers the mail with the file attached to the destination terminal 10 without waiting for completion of the inspection of the file in the sandbox 40.

  The collector 60 inspects the packet sampled in the switch 20. For example, the collector 60 acquires and inspects the packet sampled by the switch 20 or its statistical information.

  The controller 70 controls each of the switches 20 and, when the sandbox 40 is inspecting a file, enhances monitoring of traffic related to the terminal 10 that is the destination of the file.

  There are various methods for enhancing the monitoring here. For example, when the sandbox 40 is inspecting a file (during the monitoring enhancement period), the controller 70 samples the packets transmitted and received by the terminal 10 to the switch 20 connected to the terminal 10 that is the destination of the file. There is a method of setting the rate to be higher than usual. There is also a method in which the controller 70 changes the traffic related to the terminal 10 that is the destination of the file so as to pass through IPS (Intrusion Prevention System) or UTM (Unified Threat Management). . Furthermore, by constructing a system having a monitoring function similar to the above on the cloud, and configuring the switch 20 connected to the terminal 10 with OpenFlow, the controller 70 can control the traffic related to the terminal 10 that is the destination of the file. There is also a method of forcibly passing the above system on the cloud.

  In the following description, when the sandbox 40 is inspecting a file, the controller 70 sets the sampling rate of packets transmitted / received by the terminal 10 to be higher than usual with respect to the switch 20 connected to the terminal 10 that is the destination of the file. Although the case where it sets so is demonstrated to an example, it is not limited to this.

  According to such a communication system, the user of the terminal 10 can use the file immediately even if the file attached to the mail is being examined in the sandbox 40. In addition, during the inspection of the file in the sandbox 40, the controller 70 performs monitoring enhancement such as increasing the packet sampling rate in the terminal 10 that is the transmission destination of the file. Even if it is a case where it infects, the risk of expanding infection to other terminals 10 in the internal network can be reduced. Therefore, it is possible to reduce the risk that the terminal 10 infected with malware expands infection to other terminals 10 in the internal network while improving the convenience of the user of the terminal 10 in the internal network. In addition, since the increase in sampling rate is limited to transmission / reception packets in the terminal 10 that has received the file under inspection, the increase in the load of the switch 20 and the bandwidth of the communication path can be limited.

(Mail server)
Next, the mail server 50 will be described in detail with reference to FIG. The mail server 50 distributes mail to the terminal 10. In addition, the mail server 50 transfers the file attached to the mail to the sandbox 40 and notifies the controller 70 of the start of inspection of the file. The mail server 50 includes an input / output unit 51 and a control unit 52.

  The input / output unit 51 controls input / output of various data, for example, an interface for receiving a mail addressed to the terminal 10 from the Internet or transmitting a received mail to the destination terminal 10.

  The control unit 52 controls the entire mail server 50. The control unit 52 includes a mail receiving unit 521, an attached file transfer unit 522, a mail distribution unit 523, and an inspection notification unit 524.

  The mail receiving unit 521 receives mail addressed to the terminal 10 from the Internet. When a file is attached to the mail received by the mail receiving unit 521, the attached file transfer unit 522 transfers the file to the sandbox 40. For example, when a file of a specific type (file extension is .doc, .xls, .exe, .zip, etc.) is attached to the mail, the attached file transfer unit 522 transfers the file to the sandbox 40. To do.

  The mail delivery unit 523 delivers the mail received by the mail receiving unit 521 to the destination terminal 10 of the mail.

  When the attached file transfer unit 522 transfers the file to the sandbox 40 and the mail distribution unit 523 distributes the mail including the file to the terminal 10, the inspection notification unit 524 identifies the identification information of the terminal 10 (for example, IP (Internet (Protocol) address or MAC (Media Access Control) address) and a file inspection start notification including the identification information of the file are transmitted to the controller 70. That is, the inspection notification unit 524 notifies the controller 70 of the file for which inspection in the sandbox 40 is started and the terminal 10 to which the file is distributed.

(controller)
Next, the controller 70 will be described in detail with reference to FIG. The controller 70 controls each of the switches 20, and here, mainly sets the sampling rate of packets transmitted and received by the terminal 10 for each of the switches 20. The controller 70 includes an input / output unit 71, a storage unit 72, and a control unit 73.

  The input / output unit 71 controls input / output of various data, for example, an interface for receiving a file inspection start notification from the mail server 50 or setting a sampling rate to the switch 20.

  The storage unit 72 stores terminal management information. The terminal management information is information indicating which port of which switch 20 the terminal 10 is connected to for each piece of identification information of the terminal 10. This terminal management information may be stored in the storage unit 72 of the controller 70 or may be stored in a device outside the controller 70.

  The control unit 73 controls the entire controller 70. The control unit 73 includes a control target specifying unit 731, an inspection result receiving unit 732, and a switch control unit 733.

  When receiving the file inspection start notification from the mail server 50, the control target specifying unit 731 refers to the terminal management information, and to which port of which switch the terminal 10 indicated by the inspection start notification is connected. Is identified.

  The inspection result receiving unit 732 receives a file inspection result from the sandbox 40. The switch control unit 733 sets the sampling rate at each port of the switch 20.

  Here, the switch control unit 733 sets the sampling rate at the port of the switch 20 to, for example, α before receiving the file inspection start notification from the mail server 50, but after receiving the file inspection start notification, The sampling rate is set to β (a value higher than α) for the port of the switch 20 specified by the control target specifying unit 731.

  In addition, when the inspection result of the file received by the inspection result receiving unit 732 is benign, the switch control unit 733 sets the sampling rate for the port of the switch 20 connected to the terminal 10 that is the destination of the file. Set to return to α. On the other hand, when the inspection result of the file from the sandbox 40 is malignant, the switch control unit 733 takes measures such as blocking the port of the switch 20 connected to the destination terminal 10 of the file.

  Note that when the switch control unit 733 sets the sampling rate for the switch 20, for example, Flexible NetFlow described in Non-Patent Document 1, OpenFlow 1.3.0 described in Non-Patent Document 2, and the like. Use protocol.

  For example, when Flexible NetFlow is used, the switch control unit 733 defines a packet sampling method including a sampling rate as “flow sampler”. Then, the switch control unit 733 can assign a flow sampler to each port of the switch 20, sample packets at each sampling rate at each port, generate statistical information, and transmit the statistical information to the collector 60.

  For example, when OpenFlow 1.3.0 is used, the switch control unit 733 can use the group table select function to sample and transfer packets received at individual ports at an arbitrary sampling rate. As a transfer destination, the controller 70 that controls the switch 20 may be used, or any device can be used by designating a virtual port using GRE (Generic Routing Encapsulation). In the former case, the controller 70 transfers the transferred packet to the collector 60. In the latter case, the sampled packet can reach the collector 60 by using an arbitrary device as the collector 60.

(Processing procedure)
Next, an example of a processing procedure of the communication system according to the first embodiment will be described with reference to FIG. The switch 20 of the communication system samples the packet received at each port at the sampling rate α set by the controller 70, and transmits the sampling packet to the collector 60 (S1).

  Further, the mail receiving unit 521 of the mail server 50 receives the mail addressed to the terminal 10 (S2), and when the attached file is included in this mail, the attached file transfer unit 522 transfers the attached file to the sandbox 40. (S3). In addition, the mail delivery unit 523 of the mail server 50 delivers the mail received by the mail receiving unit 521 to the terminal 10 in response to a reception request from the terminal 10 that is the destination of the mail (S4). Further, the sandbox 40 starts analyzing the attached file transferred from the mail server 50 in S3 (S5).

  A period from when the mail server 50 transfers the attached file to the sandbox 40 in S3 until the analysis end notification message is received from the sandbox 40 (S12) is set as a mail monitoring period in the mail server 50. Then, during this monitoring period, when the mail delivery unit 523 delivers a mail including the attached file to the terminal 10 that is the destination of the mail, the inspection notification unit 524 transmits an inspection start notification of the file to the controller 70. (S6). The file inspection start notification includes the identification information of the destination terminal 10 of the mail and the identification information of the file.

  After S6, when the controller 70 receives a file inspection start notification from the mail server 50, the control target specifying unit 731 refers to the terminal management information and connects to the terminal 10 indicated in the inspection start notification. The switch 20 and the port that are present are specified (S7). Then, the switch control unit 733 sets the packet sampling rate to be high for the port of the switch 20 (S8). For example, the switch control unit 733 sets the packet sampling rate to be changed to β higher than α for the port of the switch 20.

  With this setting, the switch 20 changes the sampling rate at the port (S9), for example, changes the sampling rate from α to β. Thereafter, the switch 20 samples the packet at the port at the changed sampling rate, and transmits the sampling packet to the collector 60 (S10).

  Thereafter, when the sandbox 40 finishes analyzing the file (S11), an analysis completion notification message is transmitted to the mail server 50 (S12), and the inspection result of the file by the analysis is transmitted to the controller 70 (S13).

  After S13, the inspection result receiving unit 732 of the controller 70 receives the inspection result of the file, and if the inspection result is benign (Yes in S14), the switch control unit 733 detects the port of the switch 20 (sampled in S8). For the port of the switch 20 set to increase the rate), the packet sampling rate is set back to the original (S15). For example, the switch control unit 733 sets the packet sampling rate to return from β to α.

  With this setting, the switch 20 changes the sampling rate at the port (S16), for example, returns the sampling rate from β to α. Thereafter, the switch 20 samples the packet at the port at the changed sampling rate, and transmits the sampling packet to the collector 60 (S17).

  On the other hand, in S14, if the test result received by the test result receiving unit 732 of the controller 70 is malignant (No in S14), the switch control unit 733 sends the port of the switch 20 to the switch 20 (the sampling rate in S8). (S18) is instructed to shut off (the port of the switch 20 set to be higher).

  Although explanation is omitted here, if the collector 60 detects a fraudulent act of the terminal 10 (for example, diffusion of malware to another terminal 10) as a result of examining the packet sampled by the switch 20, the controller For example, 70 may instruct to shut off the port of the switch 20 to which the terminal 10 is connected.

  According to such a communication system, the user of the terminal 10 in the internal network can immediately use the attached file even while the sandbox 40 is checking the attached file of the mail. In addition, the controller 70 increases the packet sampling rate in the terminal 10 that is the destination of the attached file during the inspection of the attached file in the sandbox 40, so that the terminal 10 is infected with malware by the attached file. Even so, it is possible to reduce the risk of spreading infection to other terminals 10 in the internal network. Therefore, it is possible to reduce the risk that the terminal 10 infected with malware expands infection to other terminals 10 in the internal network while improving the convenience of the user of the terminal 10 in the internal network.

[Second Embodiment]
(Overview)
Next, a configuration example and an outline of a communication system according to the second embodiment of this invention will be described with reference to FIG. The communication system according to the second embodiment copes with malware intrusion by browsing the website of the terminal 10. The same configurations as those of the first embodiment described above are denoted by the same reference numerals and description thereof is omitted.

  As shown in FIG. 5, the communication system (system) of the second embodiment includes a web proxy server 80 instead of the mail server 50 (see FIG. 1) in the internal network.

  Then, the system administrator sets the terminal 10 to pass through the web proxy server 80 when the terminal 10 browses a website (access to the web server 90). When the firewall 30 receives HTTP (HyperText Transfer Protocol) communication (or HTTPS (HyperText Transfer Protocol Secure) communication) whose source or destination is not the web proxy server 80, the firewall 30 is set to block the communication. .

  The web proxy server 80 performs HTTP communication on behalf of the terminal 10 when browsing the website. For example, when the web proxy server 80 receives an HTTP request from the terminal 10 to the web server 90, the web proxy server 80 transfers the HTTP request to the web server 90 and receives an HTTP response from the web server 90 to the terminal 10. Is transferred to the terminal 10.

  Here, when a file is included in the HTTP response from the web server 90, the web proxy server 80 transfers this file to the sandbox 40. For example, if the HTTP response includes a specific type of file (files with extensions of .doc, .xls, .exe, .zip, etc.), the web proxy server 80 transfers this file to the sandbox 40. Then, the web proxy server 80 transfers the HTTP response to the terminal 10.

  Further, the controller 70 receives the file inspection start notification from the web proxy server 80 and then receives the inspection result of the file from the sandbox 40 until the switch 20 connected to the destination terminal 10 of the file. Set a higher sampling rate for the port.

  According to such a communication system, the user of the terminal 10 can use the file immediately even if the file acquired from the website is being inspected in the sandbox 40. Moreover, even if the terminal 10 is infected with malware by browsing a website, the risk of expanding infection to other terminals 10 in the internal network can be reduced.

(Web proxy server)
Next, the web proxy server 80 will be described in detail with reference to FIG. The web proxy server 80 relays HTTP communication between the terminal 10 and the web server 90. In addition, the web proxy server 80 transfers a file included in the HTTP response from the web server 90 to the sandbox 40 and notifies the controller 70 of the start of inspection of the file. The web proxy server 80 includes an input / output unit 81 and a control unit 82.

  The input / output unit 81 controls input / output of various data. For example, the input / output unit 81 controls an interface for receiving HTTP communication from the web server 90 to the terminal 10 or transferring the HTTP communication to the terminal 10.

  The control unit 82 controls the entire web proxy server 80. The control unit 82 includes a proxy processing unit 821, a file transfer unit 822, and an inspection notification unit 823.

  The proxy processing unit 821 relays HTTP communication between the terminal 10 and the web server 90. Specifically, the HTTP request from the terminal 10 is transferred to the destination web server 90, and the HTTP response from the web server 90 is transferred to the terminal 10.

  If the HTTP response received by the proxy processing unit 821 includes a file, the file transfer unit 822 transfers the file to the sandbox 40.

  When the file transfer unit 822 transfers the file to the sandbox 40 and the proxy processing unit 821 transmits an HTTP response including the file to the terminal 10, the inspection notification unit 823 identifies the identification information of the terminal 10 and the identification of the file. A file inspection start notification including information is transmitted to the controller 70. That is, the inspection notification unit 823 notifies the controller 70 of the file in which the inspection in the sandbox 40 is started and the terminal 10 to which the file is transmitted.

(Processing procedure)
Next, an example of a processing procedure of the communication system according to the second embodiment will be described with reference to FIG. The process of S1 in FIG. 7 is the same as the process of S1 in FIG.

  When receiving the HTTP request from the terminal 10 (S21), the proxy processing unit 821 of the web proxy server 80 transfers the HTTP request to the destination web server 90 (S22). Thereafter, the proxy processing unit 821 receives an HTTP response from the web server 90 (S23), and if the HTTP response includes a file, the file transfer unit 822 transfers the file to the sandbox 40 ( S24). The file inspection start notification includes the identification information of the destination terminal 10 of the mail and the identification information of the file.

  After S24, the sandbox 40 starts analyzing the file transferred from the web proxy server 80, similarly to S5 of FIG. 4 (S5). Further, the proxy processing unit 821 of the web proxy server 80 transfers the HTTP response received in S23 to the destination terminal 10 (S25). In addition, the inspection notification unit 823 transmits an inspection start notification of the file transferred to the sandbox 40 in S24 to the controller 70 (S26). The file inspection start notification includes the identification information of the destination terminal 10 of the file and the identification information of the file.

  After S26, when the controller 70 receives a file inspection start notification from the web proxy server 80, the control target specifying unit 731 refers to the terminal management information, as in S7 of FIG. The switch 20 and the port connected to the terminal 10 shown in (2) are specified (S7). Then, similarly to S8 of FIG. 4, the switch control unit 733 sets the packet sampling rate to be high for the port of the switch 20 (S8). The subsequent processes in S9 to S18 are the same as the processes in S9 to S18 in FIG.

  According to such a communication system, the user of the terminal 10 can use the file immediately even if the file acquired by browsing the web is being inspected in the sandbox 40. In addition, during the inspection of the file in the sandbox 40, the controller 70 performs monitoring enhancement such as increasing the packet sampling rate in the terminal 10 that is the transmission destination of the file. Even if it is a case where it infects, the risk of expanding infection to other terminals 10 in the internal network can be reduced. Therefore, it is possible to reduce the risk that the terminal 10 infected with malware expands infection to other terminals 10 in the internal network while improving the convenience of the user of the terminal 10 in the internal network. In addition, since the increase in sampling rate is limited to transmission / reception packets in the terminal 10 that has received the file under inspection, the increase in the load of the switch 20 and the bandwidth of the communication path can be limited.

[Other Embodiments]
Note that the function of the mail server 50 described in the first embodiment may be realized by a combination of a normal mail server and a mail gateway. For example, it may be realized by a combination of the mail gateway 50a and the mail server 50b shown in FIG. Note that the administrator of the communication system changes DNS (Domain Name System) public information so that mail addressed to the domain of the internal network reaches the mail gateway 50a instead of the mail server 50b. In addition, the mail gateway 50a and the mail server 50b are connected by the switch 20, for example.

  As shown in FIG. 8, the mail gateway 50a includes an input / output unit 51a and a control unit 52a. The control unit 52a includes a mail reception unit 521a, an attached file transfer unit 522, and an inspection notification unit 524a. When receiving mail from the Internet, the mail receiving unit 521a transfers this mail to the mail server 50b. When there is an attached file in the mail, the attached file transfer unit 522 transmits the attached file to the sandbox 40. The inspection notification unit 524a monitors the mail transmission log in the mail server 50b every predetermined period, and detects that the mail server 50b has delivered the mail to the terminal 10 that is the destination of the attached file during the monitoring period. A notification of inspection start of the attached file is transmitted to the controller 70.

  The mail server 50b has the same function as a normal mail server. That is, as shown in FIG. 8, the mail server 50b includes an input / output unit 51b and a control unit 52b, and the control unit 52b includes a mail distribution unit 523. Upon receiving the mail transferred from the mail gateway 50a via the input / output unit 51b, the mail distribution unit 523 distributes the mail to the destination terminal 10.

  By doing in this way, the function of the communication system of 1st Embodiment is realizable using a normal mail server.

  The communication system includes the mail server 50 described in the first embodiment and the web proxy server 80 described in the second embodiment, and copes with malware intrusion by mail to the terminal 10 and the terminal 10. You may be made to perform both the countermeasures against the malware intrusion by browsing the website.

  In addition, the switch control unit 733 of the controller 70 changes the sampling rate for each port of the switch 20 connected to the terminal 10, but is not limited thereto. For example, in the aforementioned OpenFlow 1.3.0, the packet processing method is specified for each flow specified by 5 tuples (a combination of a source IP address, a destination IP address, a source port number, a destination port number, and a protocol number). Can do. Therefore, for example, the switch control unit 733 sets a high sampling rate for an IP packet having a specific IP address (the IP address of the terminal 10 that received the file under examination in the sandbox 40) as a destination address or a source address. May be.

(program)
Moreover, it can implement | achieve by installing the program which implement | achieves the function of the mail server 50 described in each embodiment, the controller 70, and the web proxy server 80 in a desired information processing apparatus (computer). For example, the information processing apparatus can function as the mail server 50, the controller 70, and the web proxy server 80 by causing the information processing apparatus to execute the program provided as package software or online software. The information processing apparatus referred to here includes a desktop or notebook personal computer. In addition, the information processing apparatus may be a mobile communication terminal such as a smartphone, a mobile phone, or a PHS (Personal Handyphone System), or a PDA (Personal Digital Assistants).

  An example of a computer that executes the above program will be described below. FIG. 9 is a diagram illustrating a computer that executes a program. As shown in FIG. 9, the computer 1000 includes, for example, a memory 1010, a CPU (Central Processing Unit) 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network. Interface 1070. These units are connected by a bus 1080.

  The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012. The ROM 1011 stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to the hard disk drive 1090. The disk drive interface 1040 is connected to the disk drive 1100. A removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100, for example. For example, a mouse 1110 and a keyboard 1120 are connected to the serial port interface 1050. For example, a display 1130 is connected to the video adapter 1060.

  Here, as shown in FIG. 9, the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. Various data and information described in the above embodiments are stored in, for example, the hard disk drive 1090 or the memory 1010.

  Then, the CPU 1020 reads out the program module 1093 and the program data 1094 stored in the hard disk drive 1090 to the RAM 1012 as necessary, and executes the above-described procedures.

  The program module 1093 and the program data 1094 related to the above program are not limited to being stored in the hard disk drive 1090. For example, the program module 1093 and the program data 1094 are stored in a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. May be issued. Alternatively, the program module 1093 and the program data 1094 related to the above program are stored in another computer connected via a network such as a LAN or a WAN (Wide Area Network) and read by the CPU 1020 via the network interface 1070. May be.

DESCRIPTION OF SYMBOLS 10 Terminal 20 Switch 30 Firewall 40 Sandbox 50, 50b Mail server 50a Mail gateway 60 Collector 70 Controller 80 Web proxy server 90 Web server 521,521a Mail receiving part 522 File transfer part 523 Mail delivery part 524, 524a, 823 Inspection notification part 731 Control target identification unit 732 Inspection result reception unit 733 Switch control unit 821 Proxy processing unit 822 File transfer unit

Claims (9)

A communication system comprising a server for transmitting data to a terminal and a controller for enhancing monitoring of packets transmitted and received at the terminal,
The server
When a file is included in data from the Internet to the terminal, the file is transferred to an analysis device that performs file inspection by dynamic analysis, and the data including the file is transferred to the terminal without waiting for completion of the inspection. Transfer, and send an inspection start notification of the file including the identification information of the terminal to the controller,
The controller is
When the inspection start notification is received, the communication system is characterized in that monitoring of packets transmitted and received by the terminal is strengthened as compared to before the inspection start notification is received. The controller is
2. The communication system according to claim 1, wherein when the file is determined not to be malignant as a result of the inspection of the file by the analysis device, monitoring enhancement of a packet transmitted and received by the terminal is canceled. The communication system further includes a switch that relays data transmitted and received at the terminal, and a collector that inspects packets sampled from the switch,
The controller is
When the inspection start notification is received, the switch connected to the terminal indicated in the inspection start notification is specified, and the sampling rate of sampling of packets transmitted and received at the terminal is specified for the specified switch. The communication system according to claim 1, wherein the monitoring enhancement is performed by setting a value higher than that before reception. The controller is
If it is determined that the file is not malicious as a result of the inspection of the file by the analysis device, the switch returns the sampling rate of packets transmitted and received at the terminal to the value before reception of the inspection start notification to the switch. The communication system according to claim 3. The controller is
4. The switch is instructed to block a port connected to the terminal if the result of the inspection of the file by the analysis device is a determination that the file is malicious. The communication system according to 1.   The communication system according to claim 1, wherein the server is a mail server.   The server is a web proxy server that forwards an HTTP request from the terminal to a web server to the web server, and forwards an HTTP response from the web server to the terminal to the terminal, and a file is included in the HTTP response. The communication system according to claim 1, wherein, if included, the file is transferred to the analysis device.   2. The communication system according to claim 1, wherein, when the data to the terminal includes a predetermined type of file, the server transfers the predetermined type of file to the analysis device. A communication method using a communication system comprising a server for transmitting data to a terminal and a controller for enhancing monitoring of packets transmitted and received at the terminal,
The server is
If the data from the Internet to the terminal includes a file, transferring the file to an analysis device that performs file inspection by dynamic analysis;
Transferring the data including the file to the terminal without waiting for the end of the inspection ;
Transmitting an inspection start notification of the file including identification information of the terminal to the controller;
The controller is
When receiving the inspection start notification, the step of strengthening monitoring of packets transmitted and received by the terminal than before reception of the inspection start notification;
The communication method characterized by including.

Images