US20200404009A1 - Traffic feature information extraction device, traffic feature information extraction method, and traffic feature information extraction program - Google Patents

Traffic feature information extraction device, traffic feature information extraction method, and traffic feature information extraction program Download PDF

Info

Publication number
US20200404009A1
US20200404009A1 US16/975,397 US201916975397A US2020404009A1 US 20200404009 A1 US20200404009 A1 US 20200404009A1 US 201916975397 A US201916975397 A US 201916975397A US 2020404009 A1 US2020404009 A1 US 2020404009A1
Authority
US
United States
Prior art keywords
traffic
characteristic information
information
data
predetermined condition
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US16/975,397
Other versions
US11811800B2 (en
Inventor
Kazuma SHINOMIYA
Kazunori Kamiya
Bo Hu
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nippon Telegraph and Telephone Corp
Original Assignee
Nippon Telegraph and Telephone Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nippon Telegraph and Telephone Corp filed Critical Nippon Telegraph and Telephone Corp
Publication of US20200404009A1 publication Critical patent/US20200404009A1/en
Assigned to NIPPON TELEGRAPH AND TELEPHONE CORPORATION reassignment NIPPON TELEGRAPH AND TELEPHONE CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: HU, BO, SHINOMIYA, Kazuma, KAMIYA, KAZUNORI
Application granted granted Critical
Publication of US11811800B2 publication Critical patent/US11811800B2/en
Active legal-status Critical Current
Adjusted expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N20/00Machine learning
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/906Clustering; Classification
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/02Capturing of monitoring data
    • H04L43/026Capturing of monitoring data using flow identification
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L43/00Arrangements for monitoring or testing data switching networks
    • H04L43/08Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L43/0876Network utilisation, e.g. volume of load or congestion level
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection

Definitions

  • the present invention relates to a traffic characteristic information extracting device, a traffic characteristic information extracting method, and a traffic characteristic information extracting program.
  • malware In recent years, according to the spread of the Internet, cyberattacks conducted using malicious software called malware have been increasing. There has been a method of, in detecting a terminal infected with the malware, extracting characteristic information based on header information of traffic transmitted by the terminal, generating a signature, and performing matching with a blacklist.
  • a disclosed technique is devised in view of the above, and an object of the disclosed technique is to provide a traffic characteristic information extracting device, a traffic characteristic information extracting method, and a traffic characteristic information extracting program that can accurately determine whether a terminal is receiving damage.
  • a traffic characteristic information extracting device includes: an acquiring unit that acquires traffic information satisfying a predetermined condition from network traffic data; an extracting unit that extracts characteristic information from the acquired traffic information; a classifying unit that classifies the traffic information based on the extracted characteristic information; a generating unit that analyzes a classification result obtained by the classifying unit and generates signatures; and an output unit that outputs a signature satisfying a predetermined condition among the generated signatures.
  • a traffic characteristic information extracting method disclosed by this application includes: an acquiring step in which a traffic characteristic information extracting device acquires traffic information satisfying a predetermined condition from network traffic data; an extracting step in which the traffic characteristic information extracting device extracts characteristic information from the acquired traffic information; a classifying step in which the traffic characteristic information extracting device classifies the traffic information based on the extracted characteristic information; a generating step in which the traffic characteristic information extracting device analyzes a classification result obtained in the classifying step and generates signatures; and an output step in which the traffic characteristic information extracting device outputs a signature satisfying a predetermined condition among the generated signatures.
  • a traffic characteristic information extracting program disclosed by this application causes a computer to execute: an acquiring step of acquiring traffic information satisfying a predetermined condition from network traffic data; an extracting step of extracting characteristic information from the acquired traffic information; a classifying step of classifying the traffic information based on the extracted characteristic information; a generating step of analyzing a classification result obtained in the classifying step and generating signatures; and an output step of outputting a signature satisfying a predetermined condition among the generated signatures.
  • the traffic characteristic information extracting device, the traffic characteristic information extracting method, and the traffic characteristic information extracting program disclosed by this application exert an effect that it is possible to accurately determine whether a terminal is receiving damage.
  • FIG. 1 is a diagram illustrating the configuration of a reception traffic characteristic extraction server.
  • FIG. 2 is a flowchart for explaining the operation of the reception traffic characteristic extraction server.
  • FIG. 3 is a diagram illustrating that information processing by a traffic characteristic information extracting program is specifically realized using a computer.
  • traffic characteristic information extracting device An embodiment of a traffic characteristic information extracting device, a traffic characteristic information extracting method, and a traffic characteristic information extracting program disclosed by this application is explained in detail below with reference to the drawings. Note that the traffic characteristic information extracting device, the traffic characteristic information extracting method, and the traffic characteristic information extracting program disclosed by this application are not limited by the embodiment explained below.
  • FIG. 1 is a diagram illustrating the configuration of a reception traffic characteristic extraction server 10 .
  • the reception traffic characteristic extraction server 10 includes an input unit 11 , a characteristic-information extracting unit 12 , a clustering unit 13 , a signature generating unit 14 , and an output unit 15 . These constituent portions are connected such that input and output of signals and data are possible in one direction or both directions.
  • the input unit 11 acquires traffic information satisfying a predetermined condition from network traffic data 11 a .
  • the characteristic-information extracting unit 12 extracts characteristic information from the acquired traffic information.
  • the clustering unit 13 classifies the traffic information based on the extracted characteristic information.
  • the signature generating unit 14 analyzes a classification result obtained by the clustering unit 13 and generates signatures.
  • the output unit 15 outputs a signature satisfying (matching) a predetermined condition among the generated signatures.
  • FIG. 2 is a flowchart for explaining the operation of the reception traffic characteristic extraction server 10 .
  • the reception traffic characteristic extraction server 10 acquires, with the input unit 11 , traffic information satisfying a predetermined condition from the network traffic data 11 a .
  • the reception traffic characteristic extraction server 10 extracts, with the characteristic-information extracting unit 12 , characteristic information from the acquired traffic information.
  • the reception traffic characteristic extraction server 10 classifies, with the clustering unit 13 , the traffic information based on the extracted characteristic information.
  • the reception traffic characteristic extraction server 10 analyzes, with the signature generating unit 14 , a classification result obtained by the clustering unit 13 and generates signatures.
  • the reception traffic characteristic extraction server 10 outputs, with the output unit 15 , a signature satisfying a predetermined condition among the generated signatures.
  • the characteristic-information extracting unit 12 may extract the characteristic information based on at least one of information included in a header portion, information included in a transmission data portion, and information included in a reception data portion of the network traffic data.
  • the clustering unit 13 may classify the traffic information using unsupervised machine learning in which learning data serving as teacher information is not used. Consequently, it is possible to determine, based on a more highly accurate classification result, whether the terminal is receiving damage. Further, in analyzing the classification result, the signature generating unit 14 may generate the signatures through a frequently appearing pattern analysis or a frequently appearing character string analysis.
  • the frequently appearing pattern analysis may be an analysis of the information included in the header portion of the network traffic data and, more suitably, may be an analysis performed using frequently appearing pattern mining. Consequently, it is possible to determine, based on a more highly accurate analysis result, whether the terminal is receiving damage.
  • the frequently appearing pattern analysis may be an analysis of the information included in the transmission data portion and the information included in the reception data portion of the network traffic data.
  • the traffic information may be traffic information of reception traffic that the terminal receives when the terminal communicates with a specific server (for example, a malicious server).
  • the reception traffic characteristic extraction server 10 analyzes the network traffic data 11 a to thereby convert traffic received by the terminal into a signature and detects that communication with a communication destination server (for example, a malicious server) is performed. Simply by detecting the traffic transmitted by the terminal, it is sometimes unknown whether the communication destination server is malicious. However, the reception traffic characteristic extraction server 10 also extracts characteristics of the traffic received by the terminal and converts a response from the communication destination server into a signature. Therefore, it is possible to surely determine that the terminal is infected with malware or an attack is successful. That is, by examining the response from the communication destination server, it is possible to accurately determine whether the terminal is receiving damage. In the determination, more information such as information concerning a payload not used in the past is extracted as characteristics. Therefore, it is also possible to achieve improvement of a detection ratio and a reduction of a misdetection ratio.
  • a communication destination server for example, a malicious server
  • the reception traffic characteristic extraction server 10 when network traffic of a malware-infected terminal is given as input traffic data, whereby the terminal is infected with malware, the reception traffic characteristic extraction server 10 can extract characteristics of traffic received from a malicious server and convert the characteristics into a signature. Therefore, the reception traffic characteristic extraction server 10 can determine based on presence or absence of an output of a signature satisfying the predetermined condition that the terminal is infected with malware or the attack is successful. For example, when an output of a signature satisfying the predetermined condition is present, the reception traffic characteristic extraction server 10 can surely conclude that the terminal is infected with malware or the attack is successful.
  • the reception traffic characteristic extraction server 10 can find the server used by the attacker.
  • FIG. 3 is a diagram illustrating that information processing by a traffic characteristic information extracting program is specifically realized using a computer 100 .
  • the computer 100 includes, for example, a memory 101 , a CPU (Central Processing Unit) 102 , a hard disk drive interface 103 , a disk drive interface 104 , a serial port interface 105 , a video adapter 106 , and a network interface 107 . These units are connected by a bus C.
  • a bus C for example, a bus C.
  • the memory 101 includes, as illustrated in FIG. 3 , a ROM (Read Only Memory) 101 a and a RAM (Random Access Memory) 101 b .
  • the ROM 101 a stores a boot program such as a BIOS (Basic Input Output System).
  • BIOS Basic Input Output System
  • the hard disk drive interface 103 is connected to a hard disk drive 108 as illustrated in FIG. 3 .
  • the disk drive interface 104 is connected to a disk drive 109 as illustrated in FIG. 3 .
  • a detachable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 109 .
  • the serial port interface 105 is connected to, for example, a mouse 110 and a keyboard 111 as illustrated in FIG. 3 .
  • the video adapter 106 is connected to, for example, a display 112 as illustrated in FIG. 3 .
  • the hard disk drive 108 stores, for example, an OS (Operating System) 108 a , an application program 108 b , a program module 108 c , program data 108 d , network traffic data, traffic information, characteristic information, and a signature. That is, the traffic characteristic information extracting program according to the disclosed technique is stored in, for example, the hard disk drive 108 as the program module 108 c in which a command to be executed by the computer 100 is described.
  • OS Operating System
  • the program module 108 c in which various procedures for executing the same information processing as the information processing of each of the input unit 11 , the characteristic-information extracting unit 12 , the clustering unit 13 , the signature generating unit 14 , and the output unit 15 , which are described in the above embodiment, is stored in the hard disk drive 108 .
  • Data to be used for the information processing by the traffic characteristic information extracting program is stored in, for example, the hard disk drive 108 as the program data 108 d .
  • the CPU 102 reads out the program module 108 c and the program data 108 d stored in the hard disk drive 108 to the RAM 101 b according to necessity and executes the various procedures.
  • the program module 108 c and the program data 108 d relating to the traffic characteristic information extracting program is not limited to the storage in the hard disk drive 108 and may be stored in, for example, a detachable storage medium and read out by the CPU 102 via the disk drive 109 or the like.
  • the program module 108 c and the program data 108 d relating to the traffic characteristic information extracting program may be stored in another computer connected via a network (a LAN (Local Area Network), a WAN (Wide Area Network), or the like) and read out by the CPU 102 via the network interface 107 .
  • a network a LAN (Local Area Network), a WAN (Wide Area Network), or the like
  • the components of the reception traffic characteristic extraction server 10 explained above are not always required to be physically configured as illustrated. That is, a specific form of distribution and integration of the devices is not limited to the illustrated form. All or a part of the devices can also be configured to be mechanically or physically distributed and integrated in any units according to various loads, states of use, and the like.
  • the clustering unit 13 and the signature generating unit 14 or a frequently-appearing-pattern analyzing unit 141 and a frequently-appearing-character-string analyzing unit 142 may be integrated as one component.
  • the signature generating unit 14 may be distributed to a portion that performs the frequently appearing pattern analysis and a portion that performs the frequently appearing character string analysis.
  • the hard disk drive 108 that stores the network traffic data, the traffic information, the characteristic information, and the signature may be connected through a network or a cable as an external device of the reception traffic characteristic extraction server 10 .

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Medical Informatics (AREA)
  • Artificial Intelligence (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Evolutionary Computation (AREA)
  • Mathematical Physics (AREA)
  • Environmental & Geological Engineering (AREA)
  • Virology (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A traffic characteristic information extracting device includes a memory, and processing circuitry coupled to the memory and configured to acquire traffic information satisfying a predetermined condition from network traffic data, extract characteristic information from the acquired traffic information, classify the traffic information based on the extracted characteristic information, analyze a classification result obtained at the classifying and generate signatures, and output a signature satisfying a predetermined condition among the generated signatures.

Description

    TECHNICAL FIELD
  • The present invention relates to a traffic characteristic information extracting device, a traffic characteristic information extracting method, and a traffic characteristic information extracting program.
    • BACKGROUND ART
  • In recent years, according to the spread of the Internet, cyberattacks conducted using malicious software called malware have been increasing. There has been a method of, in detecting a terminal infected with the malware, extracting characteristic information based on header information of traffic transmitted by the terminal, generating a signature, and performing matching with a blacklist.
    • CITATION LIST Patent Literature
  • [PTL 1] Japanese Patent No. 6053091
    • SUMMARY OF THE INVENTION Technical Problem
  • However, in the conventional technique described above, there have been problems described below. For example, since an attacker changes setting of a server acting as a playmaker in order to avoid detection, even if infection is confirmed by the matching, in some case, a communication destination server is absent or is a normal server. Even if the terminal communicates with a server of the attacker, an attack does not always succeed. Accordingly, even if the signature matches, it cannot be surely determined that the terminal is truly infected with the malware and is receiving damage (for example, operation by the attacker).
  • A disclosed technique is devised in view of the above, and an object of the disclosed technique is to provide a traffic characteristic information extracting device, a traffic characteristic information extracting method, and a traffic characteristic information extracting program that can accurately determine whether a terminal is receiving damage.
    • Means for Solving the Problem
  • In order to solve the problems and achieve the object, in an aspect, a traffic characteristic information extracting device disclosed by this application includes: an acquiring unit that acquires traffic information satisfying a predetermined condition from network traffic data; an extracting unit that extracts characteristic information from the acquired traffic information; a classifying unit that classifies the traffic information based on the extracted characteristic information; a generating unit that analyzes a classification result obtained by the classifying unit and generates signatures; and an output unit that outputs a signature satisfying a predetermined condition among the generated signatures.
  • In an aspect, a traffic characteristic information extracting method disclosed by this application includes: an acquiring step in which a traffic characteristic information extracting device acquires traffic information satisfying a predetermined condition from network traffic data; an extracting step in which the traffic characteristic information extracting device extracts characteristic information from the acquired traffic information; a classifying step in which the traffic characteristic information extracting device classifies the traffic information based on the extracted characteristic information; a generating step in which the traffic characteristic information extracting device analyzes a classification result obtained in the classifying step and generates signatures; and an output step in which the traffic characteristic information extracting device outputs a signature satisfying a predetermined condition among the generated signatures.
  • Further, in an aspect, a traffic characteristic information extracting program disclosed by this application causes a computer to execute: an acquiring step of acquiring traffic information satisfying a predetermined condition from network traffic data; an extracting step of extracting characteristic information from the acquired traffic information; a classifying step of classifying the traffic information based on the extracted characteristic information; a generating step of analyzing a classification result obtained in the classifying step and generating signatures; and an output step of outputting a signature satisfying a predetermined condition among the generated signatures.
    • Effects of the Invention
  • The traffic characteristic information extracting device, the traffic characteristic information extracting method, and the traffic characteristic information extracting program disclosed by this application exert an effect that it is possible to accurately determine whether a terminal is receiving damage.
    • BRIEF DESCRIPTION OF DRAWINGS
  • FIG. 1 is a diagram illustrating the configuration of a reception traffic characteristic extraction server.
  • FIG. 2 is a flowchart for explaining the operation of the reception traffic characteristic extraction server.
  • FIG. 3 is a diagram illustrating that information processing by a traffic characteristic information extracting program is specifically realized using a computer.
    •  DESCRIPTION OF EMBODIMENTS
  • An embodiment of a traffic characteristic information extracting device, a traffic characteristic information extracting method, and a traffic characteristic information extracting program disclosed by this application is explained in detail below with reference to the drawings. Note that the traffic characteristic information extracting device, the traffic characteristic information extracting method, and the traffic characteristic information extracting program disclosed by this application are not limited by the embodiment explained below.
  • First, the configuration of the traffic characteristic information extracting device according to an embodiment disclosed by this application is explained. FIG. 1 is a diagram illustrating the configuration of a reception traffic characteristic extraction server 10. As illustrated in FIG. 1, the reception traffic characteristic extraction server 10 includes an input unit 11, a characteristic-information extracting unit 12, a clustering unit 13, a signature generating unit 14, and an output unit 15. These constituent portions are connected such that input and output of signals and data are possible in one direction or both directions.
  • The input unit 11 acquires traffic information satisfying a predetermined condition from network traffic data 11 a. The characteristic-information extracting unit 12 extracts characteristic information from the acquired traffic information. The clustering unit 13 classifies the traffic information based on the extracted characteristic information. The signature generating unit 14 analyzes a classification result obtained by the clustering unit 13 and generates signatures. The output unit 15 outputs a signature satisfying (matching) a predetermined condition among the generated signatures.
  • Next, the operation of the reception traffic characteristic extraction server 10 according to the embodiment disclosed by this application is explained. FIG. 2 is a flowchart for explaining the operation of the reception traffic characteristic extraction server 10.
  • First, in S1, the reception traffic characteristic extraction server 10 acquires, with the input unit 11, traffic information satisfying a predetermined condition from the network traffic data 11 a. In next S2, the reception traffic characteristic extraction server 10 extracts, with the characteristic-information extracting unit 12, characteristic information from the acquired traffic information. In S3, the reception traffic characteristic extraction server 10 classifies, with the clustering unit 13, the traffic information based on the extracted characteristic information. In S4, the reception traffic characteristic extraction server 10 analyzes, with the signature generating unit 14, a classification result obtained by the clustering unit 13 and generates signatures. In S5, the reception traffic characteristic extraction server 10 outputs, with the output unit 15, a signature satisfying a predetermined condition among the generated signatures.
  • In the reception traffic characteristic extraction server 10, the characteristic-information extracting unit 12 may extract the characteristic information based on at least one of information included in a header portion, information included in a transmission data portion, and information included in a reception data portion of the network traffic data. The clustering unit 13 may classify the traffic information using unsupervised machine learning in which learning data serving as teacher information is not used. Consequently, it is possible to determine, based on a more highly accurate classification result, whether the terminal is receiving damage. Further, in analyzing the classification result, the signature generating unit 14 may generate the signatures through a frequently appearing pattern analysis or a frequently appearing character string analysis.
  • The frequently appearing pattern analysis may be an analysis of the information included in the header portion of the network traffic data and, more suitably, may be an analysis performed using frequently appearing pattern mining. Consequently, it is possible to determine, based on a more highly accurate analysis result, whether the terminal is receiving damage. Alternatively, the frequently appearing pattern analysis may be an analysis of the information included in the transmission data portion and the information included in the reception data portion of the network traffic data. Further, the traffic information may be traffic information of reception traffic that the terminal receives when the terminal communicates with a specific server (for example, a malicious server).
  • In other words, the reception traffic characteristic extraction server 10 analyzes the network traffic data 11 a to thereby convert traffic received by the terminal into a signature and detects that communication with a communication destination server (for example, a malicious server) is performed. Simply by detecting the traffic transmitted by the terminal, it is sometimes unknown whether the communication destination server is malicious. However, the reception traffic characteristic extraction server 10 also extracts characteristics of the traffic received by the terminal and converts a response from the communication destination server into a signature. Therefore, it is possible to surely determine that the terminal is infected with malware or an attack is successful. That is, by examining the response from the communication destination server, it is possible to accurately determine whether the terminal is receiving damage. In the determination, more information such as information concerning a payload not used in the past is extracted as characteristics. Therefore, it is also possible to achieve improvement of a detection ratio and a reduction of a misdetection ratio.
  • As an application example of the reception traffic characteristic extraction server 10, when network traffic of a malware-infected terminal is given as input traffic data, whereby the terminal is infected with malware, the reception traffic characteristic extraction server 10 can extract characteristics of traffic received from a malicious server and convert the characteristics into a signature. Therefore, the reception traffic characteristic extraction server 10 can determine based on presence or absence of an output of a signature satisfying the predetermined condition that the terminal is infected with malware or the attack is successful. For example, when an output of a signature satisfying the predetermined condition is present, the reception traffic characteristic extraction server 10 can surely conclude that the terminal is infected with malware or the attack is successful.
  • As another application example, by reproducing malicious traffic and discriminating a response from a server used by the attacker and responses from other servers, the reception traffic characteristic extraction server 10 can find the server used by the attacker.
  • (Traffic Characteristic Information Extracting Program)
  • FIG. 3 is a diagram illustrating that information processing by a traffic characteristic information extracting program is specifically realized using a computer 100. As illustrated in FIG. 3, the computer 100 includes, for example, a memory 101, a CPU (Central Processing Unit) 102, a hard disk drive interface 103, a disk drive interface 104, a serial port interface 105, a video adapter 106, and a network interface 107. These units are connected by a bus C.
  • The memory 101 includes, as illustrated in FIG. 3, a ROM (Read Only Memory) 101 a and a RAM (Random Access Memory) 101 b. The ROM 101 a stores a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 103 is connected to a hard disk drive 108 as illustrated in FIG. 3. The disk drive interface 104 is connected to a disk drive 109 as illustrated in FIG. 3. A detachable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 109. The serial port interface 105 is connected to, for example, a mouse 110 and a keyboard 111 as illustrated in FIG. 3. The video adapter 106 is connected to, for example, a display 112 as illustrated in FIG. 3.
  • As illustrated in FIG. 3, the hard disk drive 108 stores, for example, an OS (Operating System) 108 a, an application program 108 b, a program module 108 c, program data 108 d, network traffic data, traffic information, characteristic information, and a signature. That is, the traffic characteristic information extracting program according to the disclosed technique is stored in, for example, the hard disk drive 108 as the program module 108 c in which a command to be executed by the computer 100 is described. Specifically, the program module 108 c in which various procedures for executing the same information processing as the information processing of each of the input unit 11, the characteristic-information extracting unit 12, the clustering unit 13, the signature generating unit 14, and the output unit 15, which are described in the above embodiment, is stored in the hard disk drive 108. Data to be used for the information processing by the traffic characteristic information extracting program is stored in, for example, the hard disk drive 108 as the program data 108 d. The CPU 102 reads out the program module 108 c and the program data 108 d stored in the hard disk drive 108 to the RAM 101 b according to necessity and executes the various procedures.
  • Note that the program module 108 c and the program data 108 d relating to the traffic characteristic information extracting program is not limited to the storage in the hard disk drive 108 and may be stored in, for example, a detachable storage medium and read out by the CPU 102 via the disk drive 109 or the like. Alternatively, the program module 108 c and the program data 108 d relating to the traffic characteristic information extracting program may be stored in another computer connected via a network (a LAN (Local Area Network), a WAN (Wide Area Network), or the like) and read out by the CPU 102 via the network interface 107.
  • The components of the reception traffic characteristic extraction server 10 explained above are not always required to be physically configured as illustrated. That is, a specific form of distribution and integration of the devices is not limited to the illustrated form. All or a part of the devices can also be configured to be mechanically or physically distributed and integrated in any units according to various loads, states of use, and the like. For example, the clustering unit 13 and the signature generating unit 14 or a frequently-appearing-pattern analyzing unit 141 and a frequently-appearing-character-string analyzing unit 142 may be integrated as one component. Conversely, the signature generating unit 14 may be distributed to a portion that performs the frequently appearing pattern analysis and a portion that performs the frequently appearing character string analysis. Further, the hard disk drive 108 that stores the network traffic data, the traffic information, the characteristic information, and the signature may be connected through a network or a cable as an external device of the reception traffic characteristic extraction server 10.
    • REFERENCE SIGNS LIST
    • 10 Reception traffic characteristic extraction server
    • 11 Input unit
    • 11 a Network traffic data
    • 12 Characteristic-information extracting unit
    • 13 Clustering unit
    • 14 Signature generating unit
    • 15 Output unit
    • 15 a Signature
    • 100 Computer
    • 101 Memory
    • 101 a ROM
    • 101 b RAM
    • 102 CPU
    • 103 Hard disk drive interface
    • 104 Disk drive interface
    • 105 Serial port interface
    • 106 Video adapter
    • 107 Network interface
    • 108 Hard disk drive
    • 108 a OS
    • 108 b Application program
    • 108 c Program module
    • 108 d Program data
    • 109 Disk drive
    • 110 Mouse
    • 111 Keyboard
    • 112 Display
    • 141 Frequently-appearing-pattern analyzing unit
    • 142 Frequently-appearing-character-string analyzing unit

Claims (8)

1. A traffic characteristic information extracting device comprising:
a memory; and
processing circuitry coupled to the memory and configured to:
acquire traffic information satisfying a predetermined condition from network traffic data
extract characteristic information from the acquired traffic information
classify the traffic information based on the extracted characteristic information
analyze a classification result obtained at the classifying and generate signatures and
output a signature satisfying a predetermined condition among the generated signatures.
2. The traffic characteristic information extracting device according to claim 1, wherein the processing circuitry is further configured to extract the characteristic information based on at least one of information included in a header portion, information included in transmitted data, and information included in received data of the network traffic data.
3. The traffic characteristic information extracting device according to claim 1, wherein the processing circuitry is further configured to classify the traffic information using machine learning.
4. The traffic characteristic information extracting device according to claim 1, wherein, in analyzing the classification result, the processing circuitry is further configured to generate the signatures through a frequently appearing pattern analysis or a frequently appearing character string analysis.
5. The traffic characteristic information extracting device according to claim 4, wherein the frequently appearing pattern analysis is an analysis of information included in a header portion of the network traffic data.
6. The traffic characteristic information extracting device according to claim 4, wherein the frequently appearing pattern analysis is an analysis of information included in transmitted data and information included in received data of the network traffic data.
7. A traffic characteristic information extracting method that is performed by a traffic characteristic information extracting device, the traffic characteristic information extracting method comprising:
acquiring traffic information satisfying a predetermined condition from network traffic data;
extracting characteristic information from the acquired traffic information;
classifying the traffic information based on the extracted characteristic information;
analyzing a classification result obtained at the classifying and generating signatures; and
outputting a signature satisfying a predetermined condition among the generated signatures.
8. A non-transitory computer-readable recording medium storing therein a traffic characteristic information extracting program that causes a computer to execute a process comprising:
acquiring traffic information satisfying a predetermined condition from network traffic data;
extracting characteristic information from the acquired traffic information;
classifying the traffic information based on the extracted characteristic information;
analyzing a classification result obtained at the classifying and generating signatures; and
outputting a signature satisfying a predetermined condition among the generated signatures.
US16/975,397 2018-02-26 2019-02-22 Traffic feature information extraction device, traffic feature information extraction method, and traffic feature information extraction program Active 2039-10-22 US11811800B2 (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP2018031914A JP6749956B2 (en) 2018-02-26 2018-02-26 Traffic characteristic information extraction device, traffic characteristic information extraction method, and traffic characteristic information extraction program
JP2018-031914 2018-02-26
PCT/JP2019/006880 WO2019163963A1 (en) 2018-02-26 2019-02-22 Traffic feature information extraction device, traffic feature information extraction method, and traffic feature information extraction program

Publications (2)

Publication Number Publication Date
US20200404009A1 true US20200404009A1 (en) 2020-12-24
US11811800B2 US11811800B2 (en) 2023-11-07

Family

ID=67687260

Family Applications (1)

Application Number Title Priority Date Filing Date
US16/975,397 Active 2039-10-22 US11811800B2 (en) 2018-02-26 2019-02-22 Traffic feature information extraction device, traffic feature information extraction method, and traffic feature information extraction program

Country Status (3)

Country Link
US (1) US11811800B2 (en)
JP (1) JP6749956B2 (en)
WO (1) WO2019163963A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11354438B1 (en) 2019-09-26 2022-06-07 Joinesty, Inc. Phone number alias generation
US11528285B2 (en) * 2019-12-16 2022-12-13 Palo Alto Networks, Inc. Label guided unsupervised learning based network-level application signature generation
US11711356B2 (en) 2016-04-05 2023-07-25 Joinesty, Inc. Apparatus and method for automated email and password creation and curation across multiple websites
US11895034B1 (en) 2021-01-29 2024-02-06 Joinesty, Inc. Training and implementing a machine learning model to selectively restrict access to traffic

Citations (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090235555A1 (en) * 2006-08-04 2009-09-24 Hu Jie Bo Fuel saving food cooker and water heater arrangement
US20150007312A1 (en) * 2013-06-28 2015-01-01 Vinay Pidathala System and method for detecting malicious links in electronic messages
US20160028750A1 (en) * 2014-07-23 2016-01-28 Cisco Technology, Inc. Signature creation for unknown attacks
US20160087925A1 (en) * 2014-09-24 2016-03-24 Yahoo! Inc. System and method for auto-formatting messages based on learned message templates
US20160127404A1 (en) * 2014-10-30 2016-05-05 Bastille Networks, Inc. Computational signal processing architectures for electromagnetic signature analysis
US9602530B2 (en) * 2014-03-28 2017-03-21 Zitovault, Inc. System and method for predicting impending cyber security events using multi channel behavioral analysis in a distributed computing environment
US20170163666A1 (en) * 2015-12-07 2017-06-08 Prismo Systems Inc. Systems and Methods for Detecting and Responding To Security Threats Using Application Execution and Connection Lineage Tracing
US20180198800A1 (en) * 2017-01-10 2018-07-12 Crowdstrike, Inc. Validation-based determination of computational models
US20180197089A1 (en) * 2017-01-10 2018-07-12 Crowdstrike, Inc. Computational modeling and classification of data streams
US10027689B1 (en) * 2014-09-29 2018-07-17 Fireeye, Inc. Interactive infection visualization for improved exploit detection and signature generation for malware and malware families
US20190188065A1 (en) * 2017-12-15 2019-06-20 International Business Machines Corporation Computerized high-speed anomaly detection
US10984452B2 (en) * 2017-07-13 2021-04-20 International Business Machines Corporation User/group servicing based on deep network analysis
US11063814B2 (en) * 2014-09-16 2021-07-13 CloudGenix, Inc. Methods and systems for application and policy based network traffic isolation and data transfer
US11184378B2 (en) * 2019-01-30 2021-11-23 Palo Alto Networks (Israel Analytics) Ltd. Scanner probe detection
US11347707B2 (en) * 2019-01-22 2022-05-31 Commvault Systems, Inc. File indexing for virtual machine backups based on using live browse features

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015141560A1 (en) 2014-03-19 2015-09-24 日本電信電話株式会社 Traffic feature information extraction method, traffic feature information extraction device, and traffic feature information extraction program
US10484408B2 (en) 2014-11-18 2019-11-19 Nippon Telegraph And Telephone Corporation Malicious communication pattern extraction apparatus, malicious communication pattern extraction method, and malicious communication pattern extraction program
WO2017217301A1 (en) * 2016-06-13 2017-12-21 日本電信電話株式会社 Log analyzing device, log analyzing method, and log analyzing program

Patent Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090235555A1 (en) * 2006-08-04 2009-09-24 Hu Jie Bo Fuel saving food cooker and water heater arrangement
US20150007312A1 (en) * 2013-06-28 2015-01-01 Vinay Pidathala System and method for detecting malicious links in electronic messages
US9602530B2 (en) * 2014-03-28 2017-03-21 Zitovault, Inc. System and method for predicting impending cyber security events using multi channel behavioral analysis in a distributed computing environment
US20160028750A1 (en) * 2014-07-23 2016-01-28 Cisco Technology, Inc. Signature creation for unknown attacks
US11063814B2 (en) * 2014-09-16 2021-07-13 CloudGenix, Inc. Methods and systems for application and policy based network traffic isolation and data transfer
US20160087925A1 (en) * 2014-09-24 2016-03-24 Yahoo! Inc. System and method for auto-formatting messages based on learned message templates
US10027689B1 (en) * 2014-09-29 2018-07-17 Fireeye, Inc. Interactive infection visualization for improved exploit detection and signature generation for malware and malware families
US20160127404A1 (en) * 2014-10-30 2016-05-05 Bastille Networks, Inc. Computational signal processing architectures for electromagnetic signature analysis
US20170163666A1 (en) * 2015-12-07 2017-06-08 Prismo Systems Inc. Systems and Methods for Detecting and Responding To Security Threats Using Application Execution and Connection Lineage Tracing
US20180197089A1 (en) * 2017-01-10 2018-07-12 Crowdstrike, Inc. Computational modeling and classification of data streams
US10826934B2 (en) * 2017-01-10 2020-11-03 Crowdstrike, Inc. Validation-based determination of computational models
US20180198800A1 (en) * 2017-01-10 2018-07-12 Crowdstrike, Inc. Validation-based determination of computational models
US10984452B2 (en) * 2017-07-13 2021-04-20 International Business Machines Corporation User/group servicing based on deep network analysis
US20190188065A1 (en) * 2017-12-15 2019-06-20 International Business Machines Corporation Computerized high-speed anomaly detection
US11347707B2 (en) * 2019-01-22 2022-05-31 Commvault Systems, Inc. File indexing for virtual machine backups based on using live browse features
US11184378B2 (en) * 2019-01-30 2021-11-23 Palo Alto Networks (Israel Analytics) Ltd. Scanner probe detection

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11711356B2 (en) 2016-04-05 2023-07-25 Joinesty, Inc. Apparatus and method for automated email and password creation and curation across multiple websites
US12225005B2 (en) 2016-04-05 2025-02-11 Joinesty, Inc. Apparatus and method for automated email and password creation and curation across multiple websites
US11354438B1 (en) 2019-09-26 2022-06-07 Joinesty, Inc. Phone number alias generation
US11451533B1 (en) 2019-09-26 2022-09-20 Joinesty, Inc. Data cycling
US11627106B1 (en) 2019-09-26 2023-04-11 Joinesty, Inc. Email alert for unauthorized email
US11528285B2 (en) * 2019-12-16 2022-12-13 Palo Alto Networks, Inc. Label guided unsupervised learning based network-level application signature generation
US11888874B2 (en) 2019-12-16 2024-01-30 Palo Alto Networks, Inc. Label guided unsupervised learning based network-level application signature generation
US11895034B1 (en) 2021-01-29 2024-02-06 Joinesty, Inc. Training and implementing a machine learning model to selectively restrict access to traffic
US11924169B1 (en) 2021-01-29 2024-03-05 Joinesty, Inc. Configuring a system for selectively obfuscating data transmitted between servers and end-user devices
US12088559B1 (en) 2021-01-29 2024-09-10 Joinesty, Inc. Implementing a proxy server to selectively obfuscate traffic

Also Published As

Publication number Publication date
US11811800B2 (en) 2023-11-07
JP2019148882A (en) 2019-09-05
JP6749956B2 (en) 2020-09-02
WO2019163963A1 (en) 2019-08-29

Similar Documents

Publication Publication Date Title
US11811800B2 (en) Traffic feature information extraction device, traffic feature information extraction method, and traffic feature information extraction program
EP3287909B1 (en) Access classification device, access classification method, and access classification program
US9349006B2 (en) Method and device for program identification based on machine learning
CN111164575B (en) Sample data generating device, sample data generating method, and computer-readable storage medium
US11256803B2 (en) Malware detection: selection apparatus, selection method, and selection program
KR20170108330A (en) Apparatus and method for detecting malware code
US12160432B2 (en) Log analysis apparatus, log analysis method, and log analysis program
EP3051767A1 (en) Method and apparatus for automatically identifying signature of malicious traffic using latent dirichlet allocation
US11068595B1 (en) Generation of file digests for cybersecurity applications
CN109992969B (en) Malicious file detection method and device and detection platform
US12204560B2 (en) Classification device and classification method
CN110798463B (en) Network covert channel detection method and device based on information entropy
KR101268520B1 (en) The apparatus and method for recognizing image
US12081568B2 (en) Extraction device, extraction method, and extraction program
US12242606B2 (en) Forensic analysis on consistent system footprints
JP7239016B2 (en) Sorting device, sorting method, sorting program
CN112068926A (en) Method for identifying virtual machine in local area network
JP7486574B2 (en) Scalable Structure Learning via Context-Free Recursive Document Decomposition
EP4206950A1 (en) Unauthorized intrusion analysis assistance device and unauthorized intrusion analysis assistance method
JP6834126B2 (en) Information processing equipment, defect detection methods and programs
US11349856B2 (en) Exploit kit detection
CN113850329A (en) Active interference identification and classification method, device, processor and readable storage medium
US20220114823A1 (en) Inference method, inference device, and recording medium
JP6611963B2 (en) Program analysis apparatus, program analysis system, program analysis method, and analysis program
US20250021651A1 (en) Generation device, generation method, and generation program

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

STPP Information on status: patent application and granting procedure in general

Free format text: APPLICATION DISPATCHED FROM PREEXAM, NOT YET DOCKETED

AS Assignment

Owner name: NIPPON TELEGRAPH AND TELEPHONE CORPORATION, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:SHINOMIYA, KAZUMA;KAMIYA, KAZUNORI;HU, BO;SIGNING DATES FROM 20200713 TO 20201014;REEL/FRAME:055071/0780

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT RECEIVED

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

OSZAR »