The present invention relates to a dummy information insertion device, a dummy information insertion method, and a storage medium.
In recent years, defensive measures have been proposed against cyber attacks on corporations and social infrastructure. One such measure is to monitor, sense and block cyber attacks and virus intrusion. However, because attack methods have become more advanced and it is technically difficult to guarantee the accuracy of attack detection, it is very difficult to perfectly protect corporations and social infrastructure from virus intrusion.
Under these circumstances, a defensive measure must assume that a cyber attack will intrude into the network of a corporation or the network on which social infrastructure is built, or that viruses have already intruded. On that premise, it is crucial to prevent damage caused by new infection (also referred to as infection spread or secondary infection) derived from the viruses.
As one method of preventing infection spread, a technique of sensing viruses (or a computer infected with viruses) using dummy information (also referred to as false information, or trap information) is proposed.
PTL 1 discloses a device which determines whether identification information set with a terminal in advance is included and, when the set identification information is not included, detects the terminal as an infected terminal.
Additionally, PTL 2 discloses a system which stores genuine setting information necessary for transmission of an electronic mail to a mail server, and dummy setting information for the setting information. This system detects an electronic mail generated using dummy setting information as a wrongful electronic mail.
[PTL 1] Japanese Unexamined Patent Publication No. 2007-266979
[PTL 2] Japanese Unexamined Patent Publication No. 2007-174386
An attacker, who externally operates a virus or a computer infected with a virus, may in some cases collect, from an infected computer, information regarding other computers in the corporation or social infrastructure system to which the infected computer is connected, in order to spread infection. Such another computer becomes the next target to be infected with a virus. Here, information regarding another computer includes information set on that computer, such as an IP (Internet Protocol) address, a host name (or a computer name), etc. The activity of collecting such information is also referred to as reconnaissance activity.
Possible countermeasures for detecting the reconnaissance activity include replacing genuine information with dummy information, or adding dummy information to genuine information. This countermeasure makes a virus (an attacker) erroneously recognize the dummy setting information as genuine setting information at the time of reconnaissance activity. This enables detecting a virus (an attacker) when the virus (the attacker) acts to spread infection by using the dummy information.
PTL 1 discloses storing dummy setting information in addition to genuine setting information in advance. However, PTL 1 fails to disclose what kind of setting information is used.
In setting information of a computer, for example, it is not easy to rewrite, to dummy information, information (internal information of a computer) which always synchronizes with an operation request by a user who operates a computer or by an application, and to insert dummy information in setting information thereof. Accordingly, with the technique recited in PTL 1, a range of dummy information to be stored inside a computer is considered to be limited to just genuine information replaceable with dummy information. Here, in genuine information, information in which replacement of a set value or the like causes problems that a computer fails to operate normally, that a computer performs operation different from intended operation, and the like is referred to as genuine information irreplaceable with dummy information, and the other genuine information is referred to as genuine information replaceable with dummy information. Thus, it is difficult to apply the technique of PTL 1 to genuine information irreplaceable with dummy information. It is accordingly difficult to input dummy information to an attacker (or an infected terminal) who tries to collect genuine information irreplaceable with dummy information.
Additionally, in the technique recited in PTL 2, target information to which dummy is set is only information necessary to transmitting an electronic mail to a mail server, and no other setting information is disclosed. Accordingly, by the technique of PTL 2, it is difficult to input dummy information to an attacker (or an infected terminal) who tries to collect other setting information.
The present invention, which has been conceived in view of the foregoing problems, aims at providing a highly versatile technique enabling input of dummy information to an attacker who tries to collect genuine information irreplaceable with dummy information.
A dummy information insertion device according to one aspect of the present invention inserts dummy information into a second location determined using first location information and insertion condition information, the first location information indicating a first location which includes genuine information irreplaceable with other information, in genuine information in a computer, the insertion condition information indicating conditions for determining a second location into which dummy information is to be inserted, the dummy information resembling the irreplaceable genuine information and not being present in the computer and in a local network connected to the computer.
Additionally, a dummy information insertion method according to one aspect of the present invention includes: determining a second location using first location information and insertion condition information, the first location information indicating a first location which includes genuine information irreplaceable with other information, in genuine information in a computer, the insertion condition information indicating conditions for determining a second location into which dummy information is to be inserted, the dummy information resembling the irreplaceable genuine information and not being present in the computer and in a local network connected to the computer; and inserting the dummy information into the determined second location.
A computer program which achieves the dummy information insertion device or the dummy information insertion method described above by a computer, and a computer readable storage medium which stores the computer program are also within the scope of the present invention.
The present invention enables input of dummy information to an attacker who tries to collect various genuine information irreplaceable with dummy information.
A first example embodiment of the present invention will be described in detail with reference to the drawings.
As shown in
The above-described reference codes in the drawings are assigned to the respective elements as one example for convenience' sake in order to support understanding, and reference codes are not construed to limit the present invention to the illustrated modes.
In the present example embodiment, information included (set) in a computer will be referred to as genuine information. And, in genuine information, information in which replacement of a set value or the like causes problems that a computer fails to operate normally, that a computer performs operation different from intended operation, and the like will be referred to as genuine information irreplaceable with dummy information. The other genuine information will be referred to as genuine information replaceable with dummy information.
Subsequently, configuration of each of the units in
(Reconnaissance Destination Storage Unit 210)
The reconnaissance destination storage unit 210 stores information (first location information) indicative of a location (a first location) which is highly likely to be referred to by an attacker when conducting malicious reconnaissance activity. One example of information stored in the reconnaissance destination storage unit 210 will be described with reference to
The file location information 410 is information indicative of a location on a hard disk or a memory in which a specific file is preserved. For example, the file location information 410 shown in
Thus, the file location information 410 is information indicative of a location of at least either one of a file and a cache present on a hard disk or a memory.
The setting information location information 420 is setting information about a system or an application, or information indicative of a location in which specific attribute information is preserved. The setting information location information 420, in a case of a Windows (registered trademark) based operating system, for example, is information indicative of a location in which attribute information for a registry is preserved. The setting information location information 420 illustrated in
The memory location information 430 is information indicative of a location in which specific information on a memory is preserved. The memory location information 430 shown in
As described in the foregoing, the reconnaissance destination storage unit 210 stores information that indicates a location which includes genuine information irreplaceable with other information (for example, dummy information). The information indicates at least a location in a computer, and the location is highly likely to be referred to by an attacker when conducting malicious reconnaissance activity.
(Insertion Condition Storage Unit 220)
The insertion condition storage unit 220 stores information indicative of a condition or a rule for determining a location and an amount of dummy information to be inserted. A condition or a rule for determining a location and an amount of dummy information to be inserted will be hereinafter referred to as insertion conditions. Description will be given to one example of information indicative of insertion conditions stored in the insertion condition storage unit 220 with reference to
The insertion location determination condition information 440 is information indicative of a condition to be satisfied or a rule to be conformed to when determination is made as to where the dummy information is inserted or arranged. The insertion location determination condition information 440 is, as shown in
The “Closeness to genuine information in a directory tree structure” in the above (1) will be hereinafter referred to as “the number of hops”. Regarding “the number of hops”, description will be made with reference to
As shown in
Satisfying the number of hops being zero (hereinafter, denoted as “the number of hops=0”) represents that a location in which dummy information is inserted is within the same directory or file (in
Satisfying “the number of hops=1” represents that a location in which dummy information is inserted is in a directory one layer higher than the genuine information directory (parent directory) (in
Satisfying “the number of hops=2” represents that dummy information is inserted into other directory or folder present at a location one layer higher than or one layer lower than the genuine information directory. Other directory present at a location one layer higher than the genuine information directory represents other directory or folder (in
A case where the number of hops is three or more indicates a location where higher and lower layers are increased to the number of hops from the time when the number of hops is two.
Thus, the condition (1) is a condition that, from the directory (the first location) storing genuine information as a starting point, dummy information is inserted in a location (the second location) at a distance of the number of hops.
Although for the sake of explanation, the conditions are recited as a sentence of explanation, the condition may be a character string representing a numerical value indicative of the number of hops or indicative of a preservation location. For example, the condition (1) may be represented by a character string and a numerical value such as “the number of hops=3”. The “number of hops=3” is considered as a condition that dummy information is inserted into a location having the number of hops being “3” from the directory storing genuine information as a starting point. The insertion location determination condition information 440 may be information indicative of a location where dummy information is arranged in such a case where the genuine information is used as a starting point. The condition (1) may be simply represented by a numerical value of “3”.
The number of hops included in the above conditions is not limited to the number of hops between a location in which genuine information is inserted and a location in which dummy information is inserted, and may be, for example, one of the following (a) to (c):
In a case of (a), for example, the number of hops between the genuine information and the genuine information directory is assumed to be one. In this case, the number of hops is one or more. Accordingly, in the case of (a), when dummy information is present in the same directory as that of the genuine information, the number of hops between the genuine information and dummy information is two.
In the present example embodiment, for the sake of explanation, the number of hops is assumed to be a distance between a location in which the genuine information is inserted and a location in which the dummy information is inserted. In other words, the number of hops=0 is assumed to represent that the genuine information and the dummy information are present in the same directory.
For example, the above condition may designate a range such as “the number of hops <=3”.
As described in the foregoing, the above condition (1) is a condition that positions of the genuine information and the dummy information in the file structure are within a predetermined range.
The “closeness to genuine information on a time series record” in the above (2) will be hereinafter referred to as a distance between records. In a file configured with time series records such as a log or the like, when one record in the file is displayed by one line, for example, a record-to-record distance between a record of the genuine information and a record recited in the subsequent line is considered to be “1”. In such a case, the condition (2) will be a condition that a record of genuine information and a record of dummy information are apart by a record-to-record distance (a predetermined number of lines).
In the above file, in a case where one record is, for example, a text of 256 bytes, a record-to-record distance between a record of the genuine information and a text of 256 bytes subsequent to the record of the genuine information is considered to be “1”. In such a case, the condition (2) will be a condition that the record of the genuine information and the record of the dummy information are apart by a predetermined record-to-record distance.
Accordingly, under the condition (2), a file (for example, the file location information 410 shown in
Similarly to the condition (1), the condition (2) may be represented not by a sentence of explanation but by a character string and a numerical value such as “the record (or the number of lines)=3” as information indicative of a location in which dummy information is to be arranged, with genuine information as a starting point. The above condition may be a condition that designates a range such as “record <=3”.
As described in the foregoing, the above condition (2) is a condition that a distance between genuine information and dummy information included in the first location is within a predetermined range.
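Condition (2) for a log file, as an added example that is not part of the original text: it places a dummy record a chosen record-to-record distance from a genuine record, for both one-record-per-line logs and fixed 256-byte records, and enforces a range such as “record <=3”. The function names and log lines are constructed for illustration; the dummy user name and machine name are the sample values the text gives for the dummy information storage unit 230.

```python
# Added illustration of condition (2): record-to-record distance in a log.

def split_records(blob, record_size=None):
    """Split a log into records: one per line, or fixed-size chunks."""
    if record_size is None:
        return blob.splitlines(keepends=True)
    if len(blob) % record_size:
        raise ValueError("log is not a whole number of records")
    return [blob[i:i + record_size] for i in range(0, len(blob), record_size)]


def pad_record(record, size):
    """Pad one record to the fixed record size used by the file."""
    if len(record) > size:
        raise ValueError("record longer than the fixed record size")
    return record.ljust(size, b" ")


def insert_near(records, genuine_idx, dummy, distance, max_distance):
    """Insert `dummy` so it ends up `distance` records from the genuine record.

    A positive distance places the dummy after the genuine record, a negative
    one before it. `max_distance` is the range condition ("record <= N").
    Returns (new_records, new_genuine_idx, dummy_idx); the genuine record's
    index shifts by one when the dummy is inserted in front of it.
    """
    if not 0 <= genuine_idx < len(records):
        raise ValueError("genuine record index out of range")
    if distance == 0 or abs(distance) > max_distance:
        raise ValueError("distance violates the insertion condition")
    out = list(records)
    if distance > 0:
        pos = genuine_idx + distance
        if pos > len(out):
            raise ValueError("not enough records after the genuine record")
        new_genuine = genuine_idx
    else:
        pos = genuine_idx + distance + 1
        if pos < 0:
            raise ValueError("not enough records before the genuine record")
        new_genuine = genuine_idx + 1
    out.insert(pos, dummy)
    return out, new_genuine, pos


# Constructed sample log; the record at index 2 is treated as genuine information.
SAMPLE_LOG = (
    b"09:00:01 login user=sato01 host=pc-011\n"
    b"09:00:03 login user=kato02 host=pc-012\n"
    b"09:00:05 login user=mori03 host=pc-013\n"
    b"09:00:07 login user=abe04 host=pc-014\n"
    b"09:00:11 login user=ito05 host=pc-015\n"
)
# Dummy record built from the sample dummy user name and machine name.
DUMMY = b"09:00:09 login user=xyz01 host=abcd\n"

if __name__ == "__main__":
    recs = split_records(SAMPLE_LOG)
    out, g, d = insert_near(recs, 2, DUMMY, distance=2, max_distance=3)
    print(b"".join(out).decode(), "distance:", d - g)
```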
And, “a file preservation location has a predetermined relation” in the above (3) represents, for example, a relation between places in a computer where pieces of information that are displayed by an application are preserved. In a case of an electronic mail, for example, “a file preservation location has a predetermined relation” represents a relation between a preservation location of a body of an electronic mail and a preservation location of an attached file which is attached to the electronic mail. In other words, the condition (3) is a condition that when genuine information is preserved in a preservation location (the first location) of a body of an electronic mail, a preservation location (the second location) of dummy information is a preservation location of an attached file of the electronic mail.
The insertion amount determination condition information 450 is information indicative of a condition to be satisfied or a rule to be conformed to at the time of determining an amount of dummy information to be inserted. The insertion amount determination condition information 450 can be also considered to be a condition to be satisfied at the time of causing a display device (not shown) to display dummy information. The insertion amount determination condition information 450 is, for example, as shown in
For example, when a display amount of dummy information is represented as a rate relative to information to be displayed, a condition indicated by the insertion amount determination condition information 450 may be also represented by a character string and a numerical value such as “rate=25%”. The “rate=25%” is considered to be a condition that an amount of dummy information to be displayed on a display screen is 25% of the total amount. The condition may be simply represented by a numerical value of “25”.
What is displayed on the display screen may be GUI (Graphical User Interface) configured, for example, with widgets or the like.
Thus, the insertion amount determination condition information 450 is information indicative of a condition for determining an amount of dummy information to be inserted. By determining an amount of dummy information to be inserted according to the condition, the dummy information insertion device 100 is allowed to more effectively input dummy information to an attacker.
The insertion amount determination condition information 450 is preferably information indicative of a condition regarding a display amount of dummy information to be displayed on a screen. This enables the dummy information insertion device 100, by making use of visual recognition of visual information by a person (an attacker) more effectively, to input dummy information to the attacker.
Although the present example embodiment is described with respect to the case where the insertion location determination condition information 440 and the insertion amount determination condition information 450 are stored in the same storage unit (the insertion condition storage unit 220) as an example, the present example embodiment is not limited thereto. The insertion location determination condition information 440 and the insertion amount determination condition information 450 may be stored in different storage units.
(Dummy Information Storage Unit 230)
The dummy information storage unit 230 stores dummy information to be inserted into a determined location. The dummy information is information which is similar to genuine information and not present within a computer and a local network to which the computer is connected. In genuine information, at least information similar to genuine information irreplaceable with dummy information is stored as dummy information in the dummy information storage unit 230. One example of information stored by the dummy information storage unit 230 will be described with reference to
As shown in
The MAC address 520 is a dummy MAC address of, for example, “aa:bb:cc:dd:ee:ff”.
The machine name 530 is a dummy machine name (computer name) of, for example, “abcd”. The machine name 530 may be a host name.
The user name 540 is a dummy user name (account) of, for example, “xyz01”.
The mail address 550 is a dummy mail address of, for example, “xyz01@abc.co.jp”.
The URI 560 is a dummy URI of, for example, “¥¥abc.co.jp¥info.txt”.
A kind of dummy information is not limited to these kinds but may be other kind.
(Determination Unit 110)
The determination unit 110 determines a location and an amount of dummy information to be inserted by using the information, stored in the reconnaissance destination storage unit 210, indicative of a location as a destination of reconnaissance activity, and the condition, stored in the insertion condition storage unit 220, for determining a location and an amount of dummy information to be inserted. The determination unit 110 also determines which dummy information from the dummy information storage unit 230 is to be inserted.
In the following, description will be made of determination, by the insertion location determination unit 111 of the determination unit 110, of a location in which dummy information is inserted using the setting information location information 420 in the information stored in the reconnaissance destination storage unit 210, and the insertion location determination condition information 440 stored in the insertion condition storage unit 220. The setting information location information 420 is assumed to be “ABCDE¥FGHIJ¥ABC01” shown in
The insertion location determination unit 111 determines a location satisfying the insertion location determination condition information 440 as a location in which dummy information is to be inserted (referred to also as an insertion location or an insertion destination). In the present example, since closeness to genuine information in a directory tree structure (hereinafter referred to as the number of hops) is 0, the insertion location determination unit 111 determines a location in which the dummy information is to be inserted to be the same location as that of the genuine information.
Although in the above-described example, the insertion location determination unit 111 determines a location in which dummy information is to be inserted using only “ABCDE¥FGHIJ¥ABC01” in information stored in the reconnaissance destination storage unit 210, the present example embodiment is not limited thereto. The insertion location determination unit 111 may select some of a plurality of locations indicated by the information stored in the reconnaissance destination storage unit 210, and may determine a location in which dummy information is to be inserted for each of the selected locations. When an administrator determines in advance an insertion destination of dummy information, the insertion location determination unit 111 may select in advance the insertion destination, and may determine the selected insertion destination as a location in which dummy information is to be inserted. The insertion location determination unit 111 may determine locations in which dummy information is to be inserted for all of a plurality of locations indicated by the information stored in the reconnaissance destination storage unit 210.
Description will be made of a case, for example, where the insertion location determination condition information 440 stored in the insertion condition storage unit 220 is stored in association to each OS (Operating System). In this case, the insertion location determination unit 111 may acquire information of OS of a client from the client, and determine a location in which dummy information is to be inserted using the insertion location determination condition information 440 associated with the acquired OS information.
Description will be made of a case, for example, where the insertion location determination condition information 440 stored in the insertion condition storage unit 220 is information indicative of a condition which is related to a file (for example, the file location information 410 shown in
At this time, the insertion location determination unit 111 determines, as an insertion destination, a location satisfying the condition that closeness to genuine information in a file (the first location) including the genuine information is a predetermined number. In this case, the insertion destination will be a location in a file including the genuine information.
The insertion location determination unit 111 supplies information indicative of the determined insertion location (insertion destination information) to the insertion amount determination unit 112 and the insertion data determination unit 113.
Next, description will be made of determination, by the insertion amount determination unit 112 of the determination unit 110, of an amount of dummy information to be inserted using the insertion location determined by the insertion location determination unit 111 and the insertion amount determination condition information 450 stored in the insertion condition storage unit 220. Here, the insertion amount determination condition information 450 is assumed to be information indicative of a condition that “a display amount of dummy information to be displayed on a screen is 25% of the total amount”.
The insertion amount determination unit 112 determines an amount satisfying the insertion amount determination condition information 450 as an amount of dummy information to be inserted (referred to also as an insertion amount). First, the insertion amount determination unit 112 determines whether a location indicated by the insertion destination information is a location, such as a folder or a directory, where a file or information is stored, or a location in a file such as a log.
Then, when a location indicated by the insertion destination information is a location such as the folder or the directory, the insertion amount determination unit 112 acquires, from a client, how many kinds of set values (setting information) are stored in the location indicated by the insertion destination information. Here, a total of nine set values are assumed to be stored in “ABCDE¥FGHIJ¥ABC01”. Then, from the client, the insertion amount determination unit 112 acquires how many of these set values are to be displayed when displaying these set values on a screen. In this example, it is assumed that all (nine) set values are to be displayed on the screen. The insertion amount determination unit 112 acquires the number (nine) of these set values from the client. The set value of nine is genuine information.
Then, the insertion amount determination unit 112 calculates dummy information of an amount satisfying the condition that “a display amount of dummy information to be displayed on a screen is 25% of the total amount”. Assuming that the number of dummy information is represented as x, the insertion amount determination unit 112 calculates x which satisfies (9+x)×25%=x. As a result, x=3 is obtained. Then, the insertion amount determination unit 112 determines whether all of nine pieces of genuine information and three pieces of dummy information are displayed on the screen, and when all pieces of information are to be displayed, determines that an amount of dummy information satisfying the condition that “a display amount of dummy information to be displayed on a screen is 25% of the total amount” is three.
Description will be made of a case, for example, where the insertion amount determination condition information 450 is a condition that “a display amount of dummy information to be displayed on a screen is 25% of the amount of genuine information” and an amount (the number) of kinds (e.g. the above-described set values) of genuine information is eight. In this case, the insertion amount determination unit 112 finds an amount of dummy information to be inserted which satisfies the above condition by calculating 8×25%=2.
Description will be made of a case where a location indicated by the insertion destination information is a location in a file such as a log. At this time, as described above, an insertion destination (the second location) is in the file (in the first location). First, the insertion amount determination unit 112 acquires, from the client, how many kinds of pieces of genuine information are present when the file is displayed such that a location indicated by the insertion destination is included. Then, the insertion amount determination unit 112 calculates an amount of dummy information to be inserted such that the condition indicated by the insertion amount determination condition information 450 is satisfied.
Then, the insertion amount determination unit 112 supplies information indicative of the determined insertion amount (insertion amount information) to the insertion data determination unit 113.
Next, description will be made of determination, by the insertion data determination unit 113 of the determination unit 110, of dummy information to be inserted using dummy information stored in the dummy information storage unit 230. Dummy information which is determined by the insertion data determination unit 113 and is adapted to an insertion format will be hereinafter referred to as insertion data in order to discriminate it from the dummy information stored in the dummy information storage unit 230. This will be described with reference to
In
First, the insertion data determination unit 113 acquires, from the client, a set value (setting information) and a format thereof which are stored in a location indicated by the insertion destination information. As described above, the location indicated by the insertion destination information includes genuine information of a set of (name, classification, and data).
Then, the insertion data determination unit 113 determines which dummy information is to be inserted from the dummy information storage unit 230. The insertion data determination unit 113 determines, for example, the following (A) to (C):
Then, the insertion data determination unit 113 determines to insert a set of (xyz01@abc.co.jp, xyz, aa:bb:cc:dd:ee:ff). Thus, the insertion data determination unit 113 determines insertion data.
The insertion data determination unit 113 may determine insertion data after confirming that the insertion data is not used in a client into which insertion data is to be inserted and other client within a local network connected with the client.
The insertion data determination unit 113 may select dummy information included in the insertion data at random or according to a predetermined rule. A method of selecting dummy information is not particularly limited.
The insertion data determination unit 113 may acquire a set value (setting information) itself or a kind of set value stored in a location indicated by insertion destination information from the client, and may determine a value approximate to the set value as dummy information to be inserted (insertion data).
A method for the determination will be described. For example, the insertion data determination unit 113 acquires a kind (name) and a value (data) of an arbitrary set value from a location shown in
Then, the insertion data determination unit 113 determines to insert a set of (link2, xyz, 0x10000001). Thus, the insertion data determination unit 113 may generate insertion data using subsequent numbers, analogous words, or the like.
As described in the foregoing, the insertion data determination unit 113 determines dummy information to be inserted on the basis of genuine information included in an insertion destination. The insertion data determination unit 113 may determine dummy information to be inserted on the basis of genuine information included in a location (the first location) indicated by the reconnaissance destination storage unit 210.
Description will be made of a case, for example, where the reconnaissance destination storage unit 210 includes a directory (a first directory) in which a set value (genuine information) is stored, and an insertion destination is another directory (a second directory). At this time, the insertion data determination unit 113 may determine dummy information on the basis of a set value of the first directory.
It is assumed, for example, that the reconnaissance destination storage unit 210 includes a log file storing genuine information, and an insertion destination is a line within a predetermined range in the log file. It is assumed, for example, that the insertion destination is from the fifth line to the tenth line of the log file. At this time, the insertion data determination unit 113 may determine insertion data (dummy information) on the basis of genuine information included in the fifth line to the tenth line (the second location) in the log file. The insertion data determination unit 113 may determine insertion data (dummy information) on the basis of genuine information included in the entire log file (the first location).
Thus, the insertion data determination unit 113 determines insertion data on the basis of at least either one of genuine information included in a location indicated by information stored in the reconnaissance destination storage unit 210 and genuine information included in an insertion destination. This enables the dummy information insertion device 100 to insert dummy information that an attacker cannot easily identify as dummy information.
The insertion data determination unit 113 may acquire a kind (name) and a value (data) of an arbitrary set value from a location shown in
At this time, the insertion data determination unit 113 preferably determines insertion data whose amount is not less than an insertion amount determined by the insertion amount determination unit 112.
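The following Python sketch is an added example, not code from the patent. It shows one way to derive insertion data from genuine entries using subsequent numbers, while confirming that each value is unused on the client and on the local network. The function names, the (address, host name) entry format and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import re


def next_numbered_name(name, names_in_use):
    """Increment the trailing number of `name` until the result is unused.

    'fileserver01' -> 'fileserver02'; a name with no trailing digits gets a
    number appended ('printer' -> 'printer2').
    """
    match = re.match(r"^(.*?)(\d+)$", name)
    stem, digits = (match.group(1), match.group(2)) if match else (name, "1")
    number = int(digits)
    while True:
        number += 1
        candidate = f"{stem}{number:0{len(digits)}d}"
        if candidate.lower() not in names_in_use:
            return candidate


def next_free_address(address, network, addresses_in_use):
    """Return the nearest higher unused host address in `network`, or None."""
    net = ipaddress.ip_network(network)
    candidate = ipaddress.ip_address(address) + 1
    while candidate in net and candidate != net.broadcast_address:
        if str(candidate) not in addresses_in_use:
            return str(candidate)
        candidate += 1
    return None


def determine_insertion_data(genuine, network, lan_addresses, lan_names, amount):
    """Derive `amount` decoy (address, host name) pairs from genuine entries.

    Each decoy approximates a genuine entry (next number, nearby address) and
    is checked against the client's own entries, the local network and the
    decoys already chosen, so it never names a real machine.
    """
    used_addresses = {addr for addr, _ in genuine} | set(lan_addresses)
    used_names = {n.lower() for _, n in genuine} | {n.lower() for n in lan_names}
    decoys = []
    while len(decoys) < amount:
        produced = False
        for address, name in genuine:  # each genuine entry seeds one decoy per pass
            decoy_address = next_free_address(address, network, used_addresses)
            if decoy_address is None:
                continue
            decoy_name = next_numbered_name(name, used_names)
            used_addresses.add(decoy_address)
            used_names.add(decoy_name.lower())
            decoys.append((decoy_address, decoy_name))
            produced = True
            if len(decoys) == amount:
                return decoys
        if not produced:
            raise ValueError("no unused address left to build decoys from")
    return decoys


# Constructed sample data: entries read from the insertion destination on the
# client, plus addresses and names observed elsewhere on the local network.
GENUINE = [
    ("192.168.10.21", "fileserver01"),
    ("192.168.10.22", "fileserver02"),
    ("192.168.10.40", "printer"),
]
LAN_ADDRESSES = {"192.168.10.1", "192.168.10.23"}
LAN_NAMES = {"fileserver03"}

if __name__ == "__main__":
    for entry in determine_insertion_data(
        GENUINE, "192.168.10.0/24", LAN_ADDRESSES, LAN_NAMES, amount=3
    ):
        print(entry)
```

Because the decoys are guaranteed not to exist on the network, any later connection attempt or lookup that uses one of them can be treated as a sign of reconnaissance.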
Then, the determination unit 110 supplies, to the insertion unit 120, insertion destination information indicative of a location in which dummy information is to be inserted and which is determined by the insertion location determination unit 111, insertion amount information indicative of an amount, which is determined by the insertion amount determination unit 112, of dummy information to be inserted, and insertion data determined by the insertion data determination unit 113. The insertion destination information, insertion amount information and insertion data output by the determination unit 110 will be collectively referred to also as insertion information.
Although the insertion amount determination unit 112 of the determination unit 110 determines an amount of dummy information to be inserted by using the insertion amount determination condition information 450, the present example embodiment is not limited thereto. The insertion amount determination unit 112 may determine an amount of dummy information to be inserted at random. When an insertion amount of dummy information is large, while an attacker is more likely to use dummy information, the attacker is more likely to identify the information as dummy. Therefore, the insertion amount determination unit 112 preferably determines an amount such that an attacker does not identify the information as dummy. Accordingly, the insertion amount determination condition information 450 is preferably information indicative of a condition which enables determining an amount of dummy information that makes the possibility of being identified as dummy low and makes the possibility of being used by the attacker high.
(Insertion Unit 120)
The insertion unit 120 receives, from the determination unit 110, insertion destination information, insertion amount information, and insertion data. Then, the insertion unit 120 inserts insertion data in an amount indicated by insertion amount information into a location, indicated by the received insertion destination information, in a client.
As a result, insertion data indicated by the codes A to C in
Although the description is made of determination of insertion data by the insertion data determination unit 113 of the determination unit 110, the insertion data determination unit 113 may be provided in the insertion unit 120. More specifically, the insertion unit 120 may determine insertion data with reference to the dummy information storage unit 230 using an insertion destination and an insertion amount determined by the determination unit 110, and insert the determined insertion data into the insertion destination.
(Processing Flow of Dummy Information Insertion Device 100)
Next, with reference to
As shown in
Then, the insertion unit 120 inserts the insertion data in an amount (number) determined by the insertion amount determination unit 112 into the insertion destination, determined by the insertion location determination unit 111, on the client, the insertion data being determined by the insertion data determination unit 113 (Step S4).
Then the dummy information insertion device 100 ends the processing of inserting dummy information. And, the dummy information insertion device 100 performs the processing shown in
(Effect)
As described in the foregoing, in the dummy information insertion device 100 according to the present example embodiment, the determination unit 110 determines an insertion destination using information, stored in the reconnaissance destination storage unit 210, indicative of a location, and information indicative of a condition for determining an insertion destination. Then, the insertion unit 120 inserts dummy information in the determined insertion destination.
As above, irrespective of whether genuine information of a computer (client) is replaceable with dummy information, the dummy information insertion device 100 inserts the dummy information in a location that is visually close to the genuine information when displayed.
This enables dummy information together with genuine information to be caught by an attacker's eye during reconnaissance activity of a virus, in particular, when an attacker visually checks information using a tool having GUI or the like. Thus, it is possible to input dummy information to an attacker who tries to collect genuine information irreplaceable with dummy information.
Accordingly, when an attacker with dummy information input thereto recognizes information without discriminating between genuine information and dummy information to spread infection using the dummy information, an attack of the infection spread can be detected.
Thus, the dummy information insertion device 100 according to the present example embodiment enables input of dummy information to an attacker by utilizing visual recognition of visual information by a person (attacker) more effectively.
Additionally, information indicative of a condition for determining an insertion destination is the above insertion location determination condition information 440, and according to this condition, the determination unit 110 determines an insertion destination. This enables dummy information to be more effectively inserted into a location which is highly likely to be attacked by an attacker.
Additionally, the reconnaissance destination storage unit 210 stores at least information that is indicative of a location which is in a computer and is highly likely to be referred to by an attacker during execution of malicious reconnaissance activity, and is indicative of a location in which genuine information irreplaceable with other information is included. This enables dummy information to be more effectively inserted into a location which is highly likely to be attacked by an attacker.
Subsequently, a second example embodiment of the present invention will be described. A dummy information insertion system of the present example embodiment is equivalent to the above dummy information insertion system of the first example embodiment with operation thereof modified. In the present example embodiment, description of equivalent components as those of the above first example embodiment will be omitted and description will be made mainly of new components and operation thereof.
Similarly to the first example embodiment, the reconnaissance destination storage unit 210 stores information indicative of a location that is highly likely to be referred to by an attacker during execution of malicious reconnaissance activity, and is indicative of a location in which genuine information irreplaceable with dummy information is included. The reconnaissance destination storage unit 210 may further store information indicative of a location that is highly likely to be referred to by an attacker during execution of malicious reconnaissance activity, and is indicative of a location including only genuine information replaceable with dummy information.
Next, the determination unit 310 will be described with reference to another drawing.
Similarly to the insertion location determination unit 111 according to the first example embodiment, the insertion location determination unit 111 determines an insertion destination of dummy information with reference to the reconnaissance destination storage unit 210 and the insertion condition storage unit 220. Then, the insertion location determination unit 111 supplies the insertion destination information indicative of the determined insertion destination to the insertion amount determination unit 112, the insertion data determination unit 113 and the replacement determination unit 600.
The replacement determination unit 600 receives the insertion destination information from the insertion location determination unit 111. Then, with respect to each insertion destination indicated by the insertion destination information, the replacement determination unit 600 determines whether genuine information included in the insertion destination is replaceable with dummy information. The replacement determination unit 600 may determine whether the genuine information is replaceable with the dummy information by, for example, executing writing to or change of genuine information to determine whether it is possible or not, or by other method. Then, the replacement determination unit 600 outputs a determination result to the insertion amount determination unit 112.
The determination result includes information indicative of, for example, the following (A) to (C):
In a case of the above (B), the replacement determination unit 600 outputs, as a determination result, information indicative of the above (B) with information indicative of replaceable genuine information or information indicative of irreplaceable genuine information included. At this time, the replacement determination unit 600 may output, as a determination result, information indicative of the above (B) with an amount (number) of replaceable genuine information or an amount (number) of irreplaceable genuine information included.
In a case of the above (A), the replacement determination unit 600 may output, as a determination result, information indicative of the above (A) with information indicative of replaceable genuine information included. Similarly, in a case of the above (C), the replacement determination unit 600 may output, as a determination result, information indicative of the above (C) with information indicative of irreplaceable genuine information included.
The insertion amount determination unit 112 determines an amount satisfying insertion amount determination condition information 450 as an amount of dummy information to be inserted (insertion amount) or an amount to be replaced with dummy information (replacement amount) according to the determination result supplied from the replacement determination unit 600.
It is assumed, for example, that the determination result of the replacement determination unit 600 is (A) all genuine information included in an insertion destination is replaceable, and the insertion amount determination condition information 450 is information indicative of a condition that “a display amount of dummy information to be displayed on a screen is 25% of the total amount”.
At this time, the insertion amount determination unit 112 acquires an amount of genuine information stored in a location indicated by insertion destination information from the client. In a case, for example, when the amount of the genuine information is eight and all is to be displayed on the screen, the insertion amount determination unit 112 calculates that an amount (number) of the dummy information is two because 8×0.25=2. Then, the insertion amount determination unit 112 determines that the calculated amount (number) of the dummy information is an amount of the genuine information to be replaced with the dummy information.
In a case, for example, when the determination result of the replacement determination unit 600 is (B) a part of the genuine information included in the insertion destination is replaceable, an amount (number) of the dummy information is calculated similarly to a case where the determination result of the replacement determination unit 600 is (A). Then, when the calculated amount is not more than the amount of replaceable genuine information, the insertion amount determination unit 112 determines an amount of the genuine information to be replaced with the dummy information to become the calculated amount (number) of the dummy information. When the calculated amount exceeds the amount of replaceable genuine information, the insertion amount determination unit 112 determines an amount (replacement amount) of the genuine information to be replaced with the dummy information to become the calculated amount (number) of the dummy information, and further, newly calculates and determines an insertion amount of the dummy information such that the insertion amount determination condition information 450 is satisfied.
In a case, for example, when the determination result of the replacement determination unit 600 is that all the genuine information included in the insertion destination is irreplaceable, the insertion amount determination unit 112 performs the same processing as that of the insertion amount determination unit 112 of the determination unit 110 according to the above-described first example embodiment.
The insertion amount determination unit 112 may determine an insertion amount similarly to the insertion amount determination unit 112 in the first example embodiment irrespective of a determination result of the replacement determination unit 600. The insertion amount determination unit 112 may at random determine an amount of dummy information to be inserted similarly to the insertion amount determination unit 112 in the above-described first example embodiment.
By the same processing as that of the first example embodiment, the insertion data determination unit 113 determines dummy information to be inserted into an insertion destination, or dummy information to replace genuine information in the insertion destination. Hereinafter, dummy information to be inserted or to replace will be referred to as insertion data.
Then, the determination unit 310 associates the following (1) to (4) with each other, and supplies them as insertion information to the insertion unit 120:
The insertion unit 120 receives the above (1) to (4) from the determination unit 310. Then, the insertion unit 120 inserts insertion data into the insertion destination determined by the insertion location determination unit 111 and/or replaces the genuine information of the insertion destination with the insertion data on the basis of the determination result. At this time, the insertion unit 120 inserts insertion data by an insertion amount indicated by the insertion amount information and/or performs replacement by a replacement amount indicated by the insertion amount information.
In a case, for example, when a determination result is (A) all genuine information included in an insertion destination is replaceable, the insertion unit 120 replaces the genuine information of the insertion destination determined by the insertion location determination unit 111 with the insertion data. At this time, the insertion unit 120 replaces, with the insertion data, the genuine information by a replacement amount indicated by the insertion amount information.
In a case, for example, when the determination result is (B) a part of the genuine information included in the insertion destination is replaceable, the insertion unit 120 replaces, with the insertion data, the genuine information of the insertion destination determined by the insertion location determination unit 111. At this time, the insertion unit 120 replaces, with the insertion data, the genuine information by a replacement amount indicated by the insertion amount information. Further, when the insertion amount is indicated by the insertion amount information, the insertion unit 120 inserts the insertion data into the insertion destination determined by the insertion location determination unit 111.
In a case, for example, when the determination result is (C) all genuine information included in the insertion destination is irreplaceable, the insertion unit 120 inserts the insertion data in an amount indicated by the insertion amount information into the insertion destination determined by the insertion location determination unit 111 similarly to the insertion unit 120 in the first example embodiment.
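The following Python sketch is an added example, not code from the patent. It works through the replacement and insertion amounts for determination results (A), (B) and (C) under a "25% of the displayed total" condition, then applies the plan to a list of entries. It assumes the condition means that dummy entries must make up at least the given percentage of the entries displayed, that fractional amounts round up, and that in case (B) every replaceable entry is replaced before decoys are inserted; all names and sample values are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Plan:
    result: str   # "A" all replaceable, "B" partly replaceable, "C" none
    replace: int  # replacement amount
    insert: int   # insertion amount


def plan_amounts(replaceable, percent):
    """Compute replacement and insertion amounts for one insertion destination.

    `replaceable` holds one boolean per genuine entry. Replacing keeps the
    displayed total constant; inserting grows it, so the insertion amount i
    must satisfy (replace + i) / (total + i) >= percent / 100.
    """
    if not 0 < percent < 100:
        raise ValueError("percent must be between 1 and 99")
    total = len(replaceable)
    can_replace = sum(replaceable)
    result = "A" if can_replace == total else "B" if can_replace else "C"
    wanted = (total * percent + 99) // 100            # e.g. 8 x 0.25 = 2
    replace = min(wanted, can_replace)
    shortfall = percent * total - 100 * replace       # > 0: replacing is not enough
    keep = 100 - percent
    insert = (shortfall + keep - 1) // keep if shortfall > 0 else 0
    return Plan(result, replace, insert)


def apply_plan(entries, replaceable, decoys, plan):
    """Return the entries as displayed after replacement and insertion."""
    if len(decoys) < plan.replace + plan.insert:
        raise ValueError("insertion data is smaller than the planned amount")
    pool = iter(decoys)
    shown, left = [], plan.replace
    for entry, ok in zip(entries, replaceable):
        if ok and left:
            shown.append(next(pool))   # genuine entry replaced by a decoy
            left -= 1
        else:
            shown.append(entry)        # irreplaceable entries are never touched
    # Spread inserted decoys among the genuine entries instead of appending
    # them in one block at the end.
    step = max(1, len(shown) // (plan.insert + 1))
    for k in range(plan.insert):
        shown.insert(min(len(shown), (k + 1) * step + k), next(pool))
    return shown


if __name__ == "__main__":
    # Constructed sample: eight genuine entries, only the first is replaceable.
    entries = [f"host{i}" for i in range(8)]
    flags = [True] + [False] * 7
    plan = plan_amounts(flags, 25)
    print(plan)
    print(apply_plan(entries, flags, ["decoy1", "decoy2", "decoy3"], plan))
```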
Although the description is made with respect to an example where the replacing processing of replacing genuine information with dummy information is performed by the insertion unit 120, the present example embodiment is not limited thereto. The replacing processing may be performed by other components. The replacing processing may be performed by the replacement determination unit 600, or may be performed by both units, i.e., the insertion unit 120 and the replacement determination unit 600.
(Processing Flow of Dummy Information Insertion Device 300)
Next, with reference to
Then, the replacement determination unit 600 of the determination unit 310 determines whether genuine information included in the insertion destination is replaceable with dummy information (Step S12). Thereafter, the insertion amount determination unit 112 of the determination unit 310 determines an insertion amount and/or a replacement amount of the dummy information (Step S13).
Thereafter, the insertion data determination unit 113 of the determination unit 310 determines insertion data (Step S14). When more data usable as insertion data is present than the above insertion amount and/or replacement amount, Step S14 may be performed in parallel with Step S13 or may be performed in a reverse order.
Then, the insertion unit 120 inserts the insertion data, determined by the insertion data determination unit 113, in an amount (number), determined by the insertion amount determination unit 112, at the insertion destination, determined by the insertion location determination unit 111, on the client. Further, or alternatively, the insertion unit 120 replaces, with the insertion data determined by the insertion data determination unit 113, genuine information of the insertion destination, determined by the insertion location determination unit 111, on the client in an amount (number), determined by the insertion amount determination unit 112 (Step S15).
The processing of inserting insertion data may be performed after the processing of replacing insertion data or may be performed in parallel.
Then, the dummy information insertion device 300 ends the processing of inserting and/or replacing dummy information. Then, the dummy information insertion device 300 performs the processing shown in
The processing from Step S13 to Step S15 (the processing after replacement determination) may be performed depending on a determination result. In a case, for example, where a determination result of a certain insertion destination indicates that all is replaceable with dummy information, and a determination result of other insertion destinations indicates that all is irreplaceable with dummy information, processing for the former insertion destination may be performed first, or may be performed in a reverse order, or may be performed in parallel. The dummy information insertion device 300 may perform the processing following the replacement determination while taking into consideration the processing load of each of the steps from Step S13 to Step S15.
(Effect)
The replacement determination unit 600 of the determination unit 310 in the dummy information insertion device 300 according to the present example embodiment determines whether genuine information included in the insertion destination i.e. in the second location is replaceable with dummy information. Then, when the genuine information is replaceable with the dummy information, the insertion unit 120 further replaces the replaceable genuine information with the dummy information.
This enables inputting, to an attacker, more dummy information more effectively.
The insertion amount determination unit 112 in the present example embodiment determines an insertion amount and a replacement amount of dummy information on the basis of the determination result. As a result, in an amount in which dummy information can be input to an attacker, the insertion unit 120 can insert the dummy information into the insertion destination, and can replace the genuine information of the insertion destination with the dummy information. This enables the dummy information insertion device 300 to input more dummy information to an attacker. Accordingly, with the dummy information insertion device 300 according to the present example embodiment, it is possible to exert a deterrent effect on an attacker doing reconnaissance activity, such as upsetting the attacker or making the attacker give up.
Additionally, although the above first or second example embodiment has been described assuming that the processing of each unit is automatically performed according to the flows shown in
A third example embodiment of the present invention will be described in detail with reference to the drawings.
As shown in
The determination unit 401 determines a location (a second location) in which dummy information is to be inserted using first location information including genuine information irreplaceable with other information, in genuine information in a computer to be referred to by malicious activity and using first condition information. The dummy information resembles information in the computer and is not present in the computer and in a local network connected to the computer. The dummy information preferably resembles the irreplaceable genuine information. The first condition information represents a condition for determining the second location in which the dummy information is inserted. The first condition information is insertion location determination condition information 440 stored in the insertion condition storage unit 220 in the above-described example embodiments. The determination unit 401 supplies the insertion unit 402 with information (second location information) indicative of the determined second location.
The insertion unit 402 receives the second location information from the determination unit 401. The insertion unit 402 inserts dummy information in the second location indicated by the second location information.
As described above, the dummy information insertion device 400 according to the present example embodiment is capable of inputting dummy information to an attacker trying to collect various genuine information which is irreplaceable with dummy information similarly to the above-described first and second example embodiments.
<Configuration Example of Hardware>
Here, description will be made of a configuration example of hardware which is capable of achieving the dummy information insertion devices (100, 300, 400) according to the above-described respective example embodiments. The above-described dummy information insertion devices (100, 300, 400) may be achieved as dedicated devices, or achieved using a computer (an information processing device).
The hardware of an information processing device (a computer) 90 shown in
a CPU (Central Processing Unit) 11,
a communication interface (I/F) 12,
an input/output user interface 13,
a ROM (Read Only Memory) 14,
a RAM (Random Access Memory) 15,
a storage device 17, and
a drive device 18 of a computer readable storage medium 19.
Those are connected via a bus 16. The input/output user interface 13 is a man machine interface such as a keyboard that is one example of an input device and a display as an output device. The communication interface 12 is common communication means which enables the devices (
The above-described example embodiments are achieved, for example, by providing a program (a computer program) capable of achieving the processing described in the above example embodiments for the information processing device 90 shown in
The program provided for the information processing device 90 may be stored in the readable/writable temporary storage memory (15), or the non-volatile storage device (17) such as a hard disk drive. That is, in the storage device 17, a program group 17A is, for example, a program capable of achieving the function of each of the units shown in the dummy information insertion devices (100, 300, 400) in the above-described example embodiments. Various kinds of pieces of the storage information 17B are, for example, the first location information, the insertion condition information, the dummy information, the second location information and the like in the above-described example embodiments. However, at the time of implementing the program on the information processing device 90, a constituent unit of an individual program module is not limited to sectioning of each of the blocks shown in the block diagrams (
In the above case, as a method of supplying a program into the device, such a currently common procedure as follows is able to be adopted:
a method of installing a program into the device via various kinds of computer readable storage media (19) such as a CD (Compact Disc)-ROM, a flash memory or the like, and
a method of externally downloading a program via the communication line (80) such as the Internet.
Then, in such a case, the example embodiments of the present invention can be conceived to be configured with codes (the program group 17A) forming such a computer program, or the storage medium (19) in which such codes are stored.
Then, in such a case, the present invention can be conceived to be configured with codes (the program group 17A) forming such a computer program, or the storage medium (19) in which such codes are stored.
In the foregoing, the present invention is described as an example that the present invention is applied to the exemplary example embodiments described above. However, the technical scope of the present invention is not limited to the scope recited in the above-described example embodiments. It is apparent to those skilled in the art that various modifications or improvements can be applied to such example embodiments. In such a case, a new example embodiment with such a modification or improvement added thereto also can be included in the technical scope of the present invention. And, that is apparent from the matters recited in claims.
The present application claims priority from Japanese Patent Application No. 2014-243147 filed on Dec. 1, 2014, the entire disclosure of which is incorporated herein.
100 Dummy information insertion device
110 Determination unit
111 Insertion location determination unit
112 Insertion amount determination unit
113 Insertion data determination unit
120 Insertion unit
210 Reconnaissance destination storage unit
220 Insertion condition storage unit
230 Dummy information storage unit
300 Dummy information insertion device
400 Dummy information insertion device
401 Determination unit
402 Insertion unit
410 File location information
420 Setting information location information
430 Memory location information
440 Insertion location determination condition information
450 Insertion amount determination condition information
510 IP address
520 MAC address
530 Machine name
540 User name
550 Mail address
560 URI
600 Replacement determination unit
Number | Date | Country | Kind |
---|---|---|---|
2014-243147 | Dec 2014 | JP | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2015/005944 | 11/30/2015 | WO | 00 |