Abstract:
A log analysis device that classifies, based on a log collected from a network device, a plurality of attack target communication devices receiving attacks from an attack source communication device includes a correlation coefficient calculation unit that calculates, based on the log, a correlation coefficient relating to the number of the attacks in a time period during which the attacks were carried out for a combination of the plurality of attack target communication devices, the time period including the detection time at which, and the detection period during which, the network device detected the attack, and an extraction unit that extracts, as a high-correlation communication device group, a combination of the plurality of attack target communication devices for which the correlation coefficient is equal to or greater than a prescribed threshold and for which the attack source communication device is identical in the time period.
Abstract:
An apparatus extracts a server process from a communication in a network to generate log data in which a combination of addresses of access sources in the server process is recorded, and compares a combination of past addresses recorded in the log data with a combination of addresses in a specific target access to identify a first communication apparatus performing an abnormal communication.
Abstract:
A method for detecting unauthorized access is executed by a network monitoring apparatus connected to a network in which packets are transmitted between a plurality of information processing apparatuses. The method includes obtaining, by the network monitoring apparatus, packets regarding at least one access performed from a first information processing apparatus to a second information processing apparatus. The method includes selecting at least one condition from among at least two predefined conditions. The selection is performed according to the combination of the first information processing apparatus as the access source and the second information processing apparatus as the access destination. The method includes determining whether each of the obtained packets satisfies the selected at least one condition. The method includes determining the possibility that unauthorized access has been performed on the second information processing apparatus, based on the number of conditions determined to be satisfied.
Abstract:
There is provided a network monitoring apparatus including a memory in which information of a remote operation and a combination of one or more command codes are associated with each other, and a processor coupled to the memory, the processor being configured to acquire a command code of the one or more command codes from a header of an encrypted execution request packet for executing the one or more commands for implementing a remote operation, determine, by referring to the memory, whether or not the combination exists in a command code list in which the acquired command codes are sequentially indicated, and determine that the remote operation associated with the combination is successful when it is determined that the combination exists in the command code list.
Abstract:
A device includes a processor configured to accumulate a plurality of logs in the memory by repeating a capturing process and a logging process, the logging process including extracting a source identifier of a source computer, a destination identifier of a destination computer, and an attribute parameter which is set in an attribute item regarding an operation performed on the destination computer by the source computer; execute a detection process of detecting a target computer and another infected computer, the detection process including extracting a first destination identifier and a first attribute parameter from a first log having an identifier of the infected computer as the source identifier, and extracting a second source identifier and a second destination identifier from a second log having the first attribute parameter as the attribute parameter; and output the first destination identifier, the second source identifier, and the second destination identifier.
Abstract:
A system includes first circuitry in a first computing device configured to issue a credential, second circuitry in a second computing device configured to perform an operation corresponding to content at a third computing device based on the credential, third circuitry in the third computing device configured to receive a request to perform the operation corresponding to the content from the second computing device, and fourth circuitry in a fourth computing device configured to monitor communication between the first computing device, the second computing device and the third computing device.
Abstract:
Upon acquiring first data transmitted from outside a predetermined range in a network, an apparatus stores, in a memory, first information including the transmission source and destination addresses of the first data. Upon acquiring second data addressed to the inside of the predetermined range and indicating predetermined communication data of service initiation, the apparatus extracts the first information including, as the transmission source address, the source address of the second data, and stores, in the memory, second information indicating a service initiation and including the destination address of the second data, in association with the first information. When the second information including, as the transmission destination address, the source address of the second data is stored in the memory and the destination address of the second data coincides with the transmission source address in the first information associated with the second information, the apparatus notifies that an attack has been detected.
Abstract:
An apparatus acquires, from a communication network, a packet transmitted according to a protocol employing block access, and determines which one of a system attribution block storing file system attribution data, a file attribution block storing file attribution data, and a file name block storing file name data the packet is related to. The apparatus calculates a block number of the file attribution block, based on addresses provided to the system and file attribution blocks, when the packet is determined to be related to the file attribution block. The apparatus calculates an identification number of each piece of the file attribution data, based on the system attribution data and the calculated block number, and associates the file attribution data stored in the file attribution block with the file name data stored in the file name block, based on the calculated identification numbers and the identification numbers provided to the file name data.
Abstract:
A method includes executing a determination process that determines that a setting value is a search key, the setting value being for an item from among a plurality of items in a record identified among a plurality of records, the plurality of records relating to a plurality of pieces of log information collected from a plurality of computers; executing a first identification process that identifies, as the record, another record including the search key from among the plurality of records; executing a second identification process that identifies, as the item, a new item from among the plurality of items, the new item being different from the item used to identify that other record in the first identification process; repeating execution of the processes; and outputting information on at least one computer that is suspected of a cyber-attack, based on the identified records.