
JP-2026075457-A - Information processing system, inspection device, inspection program, discrimination device and discrimination program


Abstract

[Challenge] To efficiently identify benign network scans among the network scans extracted from traffic data. [Solution] The present invention relates to an information processing system. The information processing system of the present invention comprises means for performing discrimination processing related to network scans from traffic data generated on a network, and means for performing benign network scans. It is characterized in that it holds access source identification information indicating the access source used when performing a benign network scan, performs the benign network scan with settings according to that access source identification information, and determines that a network scan extracted from the traffic data is a benign network scan when it matches the access source identification information used for the benign network scan by the network scan performing means. [Selection Diagram] Figure 1

Inventors

  • 八百 健嗣
  • 田中 俊哉

Assignees

  • 沖電気工業株式会社

Dates

Publication Date
20260508
Application Date
20241022

Claims (11)

  1. An information processing system comprising: a network scan discrimination means that performs discrimination processing related to network scans that occurred on the network, based on traffic data generated on the network; and a network scan implementation means that performs a benign network scan to inspect nodes on the network, wherein the network scan implementation means holds access source identification information indicating the access source used when performing the benign network scan and performs the benign network scan with settings according to that access source identification information, and wherein the network scan discrimination means determines that a network scan extracted from the traffic data is a benign network scan if it matches the access source identification information used for the benign network scan by the network scan implementation means.
  2. The information processing system according to claim 1, wherein the network scan implementation means changes the access source identification information used for the benign network scan at regular or irregular intervals, and wherein the network scan discrimination means holds information on a benign scan setting schedule, comprising the access source identification information and its usage period, used when the network scan implementation means performs the benign network scan, and determines the benign network scan from among the network scans extracted from the traffic data based on the held benign scan setting schedule information.
  3. The information processing system according to claim 2, wherein the network scan implementation means supplies the information on the benign scan setting schedule to the network scan discrimination means.
  4. The information processing system according to claim 2, wherein the network scan implementation means and the network scan discrimination means each hold a common list of access source identification information in advance.
  5. The information processing system according to claim 4, wherein the network scan implementation means and the network scan discrimination means maintain a hash chain based on a common seed value, and generate and hold the list of access source identification information from the hash chain.
  6. The information processing system according to claim 1, wherein the access source identification information includes a MAC address and/or an IP address.
  7. The information processing system according to claim 1, wherein the network scan implementation means and the network scan discrimination means are each mounted on separate devices.
  8. An inspection device comprising a network scan implementation means for performing a benign network scan to inspect nodes on the network, wherein the network scan implementation means uses, as access source identification information indicating the access source used when performing the benign network scan, content consistent with that of an external discrimination device equipped with a network scan discrimination means that performs discrimination processing related to network scans that occurred on the network, based on traffic data generated on the network.
  9. An inspection program that causes a computer to function as a network scan implementation means for performing a benign network scan to inspect nodes on the network, wherein the network scan implementation means uses, as access source identification information indicating the access source used when performing the benign network scan, content consistent with that of an external discrimination device equipped with a network scan discrimination means that performs discrimination processing related to network scans that occurred on the network, based on traffic data generated on the network.
  10. A discrimination device comprising a network scan discrimination means that performs discrimination processing related to network scans that occurred on the network, based on traffic data generated on the network, wherein the network scan discrimination means holds access source identification information indicating the access source used by an external inspection device in a benign network scan for inspecting nodes on the network, and determines that a network scan extracted from the traffic data is a benign network scan when it matches the held access source identification information.
  11. A discrimination program that causes a computer to function as a network scan discrimination means that performs discrimination processing related to network scans that occurred on the network, based on traffic data generated on the network, wherein the network scan discrimination means holds access source identification information indicating the access source used by an external inspection device in a benign network scan for inspecting nodes on the network, and determines that a network scan extracted from the traffic data is a benign network scan if it matches the held access source identification information.
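As an added illustration of claims 2, 5 and 6 (example code written for this page, not code from the patent or its assignee): both the inspection device and the discrimination device derive the same schedule of scanner MAC/IP identifiers from a shared seed via a SHA-256 hash chain, and the discrimination side classifies an extracted scan as benign only when its source matches the identifier valid at that time, so a replayed identifier from an earlier period is not accepted. The seed value, the scanner subnet, the one-hour period and the use of SHA-256 are assumptions.

```python
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed values for this example; the seed would be shared out of band
# between the inspection device (scanner) and the discrimination device.
SHARED_SEED = b"example-shared-seed-value"
SCANNER_SUBNET = ipaddress.IPv4Network("192.0.2.0/24")  # TEST-NET-1, constructed
PERIOD_SECONDS = 3600  # claim 2: the identifier changes at regular intervals

def hash_chain(seed: bytes, n: int) -> list[bytes]:
    """Claim 5: derive n successive links h1 = H(seed), h2 = H(h1), ... from the common seed."""
    links, h = [], seed
    for _ in range(n):
        h = hashlib.sha256(h).digest()
        links.append(h)
    return links

def link_to_identity(link: bytes) -> tuple[str, str]:
    """Claim 6: map one chain link to the MAC address and IP address the scanner will use."""
    mac = bytearray(link[:6])
    mac[0] = (mac[0] | 0x02) & 0xFE  # locally administered, unicast
    mac_str = ":".join(f"{b:02x}" for b in mac)
    usable = SCANNER_SUBNET.num_addresses - 2  # exclude network and broadcast addresses
    offset = 1 + int.from_bytes(link[6:10], "big") % usable
    return mac_str, str(SCANNER_SUBNET.network_address + offset)

@dataclass(frozen=True)
class ScheduleEntry:
    start: int  # usage period start (epoch seconds, inclusive)
    end: int    # usage period end (epoch seconds, exclusive)
    mac: str
    ip: str

def build_schedule(seed: bytes, epoch_start: int, periods: int) -> list[ScheduleEntry]:
    """Benign scan setting schedule: each identifier together with its usage period (claim 2)."""
    schedule = []
    for i, link in enumerate(hash_chain(seed, periods)):
        mac, ip = link_to_identity(link)
        start = epoch_start + i * PERIOD_SECONDS
        schedule.append(ScheduleEntry(start, start + PERIOD_SECONDS, mac, ip))
    return schedule

def classify_scan(schedule: list[ScheduleEntry], src_mac: str, src_ip: str, ts: int) -> str:
    """Discrimination means: benign only if the scan source matches the identifier valid at ts.
    Both MAC and IP must match, so an identifier replayed from an earlier period is rejected."""
    for e in schedule:
        if e.start <= ts < e.end:
            return "benign" if (src_mac == e.mac and src_ip == e.ip) else "suspicious"
    return "suspicious"  # no schedule entry covers this time
```

Because the list is derived deterministically from the seed, the schedule never has to be transmitted over the monitored network (claim 4); claim 3's variant would instead have the scanner send it to the discriminator.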

Description

This invention relates to an information processing system, an inspection device, an inspection program, a discrimination device, and a discrimination program, and can be applied, for example, to a system that analyzes network traffic data to detect anomalies on a network.

Currently, the threat of cyberattacks is increasing, and the methods are becoming more sophisticated and refined. In recent years, even in closed networks that are not directly connected to the internet, there have been cases of intrusion from external networks and ransomware infections. Generally, when an unauthorized intrusion into a network occurs, the initial stage involves reconnaissance (e.g., network scanning) to investigate the target network or host beforehand. For organizations such as companies, it is a challenge to thoroughly manage communication equipment even within internal networks such as closed networks (e.g., checking whether unnecessary service ports are left open or whether password settings are left weak) in order to reduce the risk of unauthorized intrusion.

Conventionally, a technology for detecting network scans exists, as described in Patent Document 1. Patent Document 1 describes a method for detecting network scans performed in the initial stages of unauthorized access. The method described in Patent Document 1 identifies the access source by IP address, ID, etc., and compares at least one of the access details (time, access host, access port) of the access made to the accessed host or network with records of previous access from that source. The likelihood of unauthorized access is then evaluated based on the compared values.

Patent Document 1: Japanese Patent Publication No. 2005-175714

The drawings are as follows: a block diagram showing the connection relationships of each device related to the first embodiment (including the functional configuration of the network scan discrimination system, discrimination device, and inspection device according to the first embodiment); a flowchart illustrating the operation of the network scan discrimination system according to the first embodiment; and a block diagram showing the connection relationships of each device related to the second embodiment (including the functional configuration of the network scan discrimination system, discrimination device, and inspection device according to the second embodiment).

(A) First Embodiment

Hereinafter, a first embodiment of the information processing system, inspection device, inspection program, discrimination device, and discrimination program according to the present invention will be described in detail with reference to the drawings. In this embodiment, an example of applying the information processing system of the present invention to a network scan discrimination system will be described.

(A-1) Configuration of the First Embodiment

Figure 1 is a block diagram showing the connection relationships of each device related to the first embodiment (including the functional configuration of the network scan discrimination system 10). In this embodiment, the network scan discrimination system 10 is a device that analyzes communications (primarily communications related to network scans) on the target network N1 (the network to be analyzed). The target network N1 is connected to communication devices 30 (30-1, 30-2, ...) that are subject to network scan analysis. The number of communication devices 30 to be monitored is not limited. The communication devices 30 include various types of communication devices such as servers, clients, network devices, and IoT (Internet of Things) devices.

As shown in Figure 1, the target network N1 has a network switch 20 that performs L2 switching. Multiple communication devices 30 (30-1, 30-2, ...) and a subnetwork N2 within the target network N1 (via a router or L3 switch that can connect to subnetwork N2) are connected to the network switch 20. Note that the network configuration within the target network N1 is not limited to the above configuration and may take various forms. Furthermore, the target network N1 may be connected to an external network (e.g., the Internet).

As shown in Figure 1, in this embodiment, the network scan discrimination system 10 is also connected to the network switch 20. The network switch 20 is connected to the network scan discrimination system 10 via two ports, P1 and P2. The first port P1 is a mirror port configured on the network switch 20 (a port to which packets relayed by the network switch 20 are mirrored). Therefore, the network scan discrimination system 10 observes the mirrored packets (hereinafter referred to as "mirrored packets") via the first port P1. The second port P2 is a port on the network switch 20 that is configured in the same way as the ports of other nodes (e.g., communication devices 30), that is, configured to participate in and connect to the target network N1. Therefore, the network scan discrimination system 10 can monitor the traffic relayed by the network switch 20 via port P1 (packets sent