{"id":204607,"updated":"2025-01-19T20:06:32.722027+00:00","links":{},"created":"2025-01-19T01:06:51.564010+00:00","metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00204607","sets":["581:10023:10028"]},"path":["10028"],"owner":"44499","recid":"204607","title":["HIDSアラート調査のためのHTTPリクエストとホストイベントの関連付け手法"],"pubdate":{"attribute_name":"公開日","attribute_value":"2020-05-15"},"_buckets":{"deposit":"58132132-5a25-4a19-8155-4c9455508641"},"_deposit":{"id":"204607","pid":{"type":"depid","value":"204607","revision_id":0},"owners":[44499],"status":"published","created_by":44499},"item_title":"HIDSアラート調査のためのHTTPリクエストとホストイベントの関連付け手法","author_link":["507020","507016","507014","507017","507021","507015","507019","507022","507018","507023"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"HIDSアラート調査のためのHTTPリクエストとホストイベントの関連付け手法"},{"subitem_title":"Correlating HTTP Request with Host Events for Efficient Host based Intrusion Detection Alert Analysis","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"[一般論文] Webセキュリティ,HIDS,イベント関連付け,システムコール","subitem_subject_scheme":"Other"}]},"item_type_id":"2","publish_date":"2020-05-15","item_2_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"NTTセキュアプラットフォーム研究所/京都大学大学院情報学研究科"},{"subitem_text_value":"NTTセキュアプラットフォーム研究所"},{"subitem_text_value":"NTTセキュアプラットフォーム研究所"},{"subitem_text_value":"京都大学学術情報メディアセンター"},{"subitem_text_value":"京都大学学術情報メディアセンター"}]},"item_2_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"NTT Secure Platform Laboratories / Graduate School of Informatics, Kyoto University","subitem_text_language":"en"},{"subitem_text_value":"NTT Secure Platform Laboratories","subitem_text_language":"en"},{"subitem_text_value":"NTT Secure Platform Laboratories","subitem_text_language":"en"},{"subitem_text_value":"Academic Center for Computing and Media Studies, Kyoto 
University","subitem_text_language":"en"},{"subitem_text_value":"Academic Center for Computing and Media Studies, Kyoto University","subitem_text_language":"en"}]},"item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"jpn"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/204607/files/IPSJ-JNL6105006.pdf","label":"IPSJ-JNL6105006.pdf"},"date":[{"dateType":"Available","dateValue":"2022-05-15"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJ-JNL6105006.pdf","filesize":[{"value":"1.1 MB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"660","billingrole":"5"},{"tax":["include_tax"],"price":"330","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"8"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"f9322388-c5ad-44c6-bf4c-c814581eb17a","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2020 by the Information Processing Society of Japan"}]},"item_2_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"鐘本, 楊"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"青木, 一史"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"三好, 潤"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"小谷, 大祐"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"岡部, 寿男"}],"nameIdentifiers":[{}]}]},"item_2_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Yo, Kanemoto","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Kazufumi, Aoki","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Jun, 
Miyoshi","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Daisuke, Kotani","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Yasuo, Okabe","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_2_source_id_9":{"attribute_name":"書誌レコードID","attribute_value_mlt":[{"subitem_source_identifier":"AN00116647","subitem_source_identifier_type":"NCID"}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_6501","resourcetype":"journal article"}]},"item_2_source_id_11":{"attribute_name":"ISSN","attribute_value_mlt":[{"subitem_source_identifier":"1882-7764","subitem_source_identifier_type":"ISSN"}]},"item_2_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"攻撃ツールの進化によりWebアプリケーションに対する攻撃数は増加の一途をたどっている.IDSはこれらの攻撃を検知し,システム管理者に通知する役割を担っている.IDSはその形態からネットワーク型(NIDS)およびホスト型(HIDS)に大別される.HIDSはホスト上で観測できる細かなイベントに基づいて攻撃の成否を判定できるためより精度が高い通知が可能である.しかし,システムコールやデータベースへのSQLクエリ発行の情報のみを入力として利用しており,これらの情報がどのHTTPリクエストによって発生したものであるか関連付いていない.そのため,被害の原因調査に必要な攻撃対象のWebアプリケーションのURLや攻撃元などの情報を出力できず,管理者がこれらの情報を手動で特定する必要があり,時間を要する.本研究では,HIDSの入力であるシステムコールやSQLクエリ発行などのイベントをそれらを発生させたHTTPリクエストを処理したスレッドのIDと高精度な処理開始および終了時刻に基づいて関連付けを行うことで,HIDSで検知した際に管理者が攻撃対象のWebアプリケーションのURLや攻撃元のIPアドレスを特定できるようにする.評価では,提案手法が誤った関連付けをすることがなく,Webアプリケーションに与えるパフォーマンス低下を5%程度に抑えた実用的な手法であることを示す.","subitem_description_type":"Other"}]},"item_2_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"The number of attacks against web applications has been increasing due to the evolution of attack tools. IDS is responsible for detecting these attacks and notifying system administrators. IDS is roughly classified into two types: network type (NIDS) and host type (HIDS). NIDS is easy to deploy, but the number of alerts becomes large because NIDS send alerts when an attack was failed too. 
Since HIDS only raises an alert when an attack has actually succeeded, it can notify administrators more accurately. However, HIDS cannot output the information needed to investigate the cause of an incident, such as the URL of the targeted web application or the source of the attack, because its only inputs are system calls and SQL queries, which are not correlated with the HTTP request that caused them. Administrators therefore have to identify this information manually, which takes time. In this paper, we propose a method that correlates system calls and SQL queries with the HTTP request that triggered them, using the ID of the thread that processed the request together with high-precision processing start and end times. As a result, when HIDS detects an abnormal system call or SQL query, the administrator can identify the URL of the attacked web application and the source IP address of the attack. The evaluation results show that the proposed method is practical: it produced no incorrect correlations and limited the performance degradation of the web application to about 5%.","subitem_description_type":"Other"}]},"item_2_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographicPageEnd":"1091","bibliographic_titles":[{"bibliographic_title":"情報処理学会論文誌"}],"bibliographicPageStart":"1080","bibliographicIssueDates":{"bibliographicIssueDate":"2020-05-15","bibliographicIssueDateType":"Issued"},"bibliographicIssueNumber":"5","bibliographicVolumeNumber":"61"}]},"relation_version_is_last":true,"item_2_identifier_registration":{"attribute_name":"ID登録","attribute_value_mlt":[{"subitem_identifier_reg_text":"10.20729/00204512","subitem_identifier_reg_type":"JaLC"}]},"weko_creator_id":"44499"}}