JP2002251374A - System and method for managing information, program for permitting computer to execute method, and computer readable recording medium recording the program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To detect the preecho of an attack on a site, to take countermeasure before the real attack is started and to minimize damage. SOLUTION: A monitor agent 203 analyzes the log of an entity. When the preecho of abnormality is detected, it is informed to a management manager 202. The management manager 202 decides countermeasure and a countermeasure request destination based on a database 201 and causes an action agent 204 being the countermeasure request destination to perform the countermeasure.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an information management system and information management system capable of detecting signs of an attack on a site and taking measures before an actual attack is started, thereby minimizing damage. The present invention relates to a method, a program for causing a computer to execute the method, and a computer-readable recording medium on which the program is recorded.

[0002]

2. Description of the Related Art With the development of network technology in recent years, WWW (Wo
The use of the rld Wide Web has expanded rapidly, and the number of HTTP servers that provide information has also increased. However, with the increase of such servers, unauthorized access is also increasing.

[0003] As this unauthorized access, one that detects a security hole on a network and attacks the system through the security hole is known.
In this case, (1) detect an operating host, (2) detect a provided service, (3) detect a network configuration,
A security hole is detected by a procedure of (4) identifying an OS, (5) identifying an application, and (6) detecting a security hole. Then, a large number of packets are sent to the target using a plurality of springboard sites, leading to a system error, and then unauthorized access is made.

[0004] Here, since this unauthorized access cannot be clearly distinguished from general access, there is a characteristic that it is usually difficult for a system administrator to detect unauthorized access until an intrusion attack is performed.

[0005] For this reason, conventionally, when a large number of packets sent to a site are recognized, a measure is generally taken to minimize the actual damage due to unauthorized access as quickly as possible.

[0006]

However, once an attack has begun on the target site, it is extremely difficult to defend against this attack, and even if ideal measures are taken, the site is temporarily The problem of having to close it arises. In particular, sites that continuously provide services to a large number of users, such as banks and transportation, may be affected by the temporary closure of the site, resulting in enormous damage. There is also.

[0007] For this reason, how to minimize the damage caused by such unauthorized access has become a very important issue. Desirably, there is a need for a framework that does not cause any damage even if the unauthorized access is performed.

SUMMARY OF THE INVENTION The present invention has been made to solve the above-described problem of the related art, and detects a sign of an attack on a site, takes a measure before an actual attack is started, and takes measures against the damage. It is an object of the present invention to provide an information management system, an information management method, a program for causing a computer to execute the method, and a computer-readable recording medium on which the program is recorded.

[0009]

Means for Solving the Problems The above-mentioned problems are solved,
According to the first, ninth, tenth, and eleventh aspects of the present invention, the notification contents (A) and the countermeasures (B) are stored in the database 201 shown in FIG. When the communication manager 203 (communication request monitoring means) monitors the communication request and detects an abnormality to notify the management manager 202 (management means), the management manager 202 (management means) selects a countermeasure from the database 201 and
Since the action agent 204 (implementing means) executes the countermeasure, the countermeasure can be executed efficiently, and accordingly, an appropriate countermeasure can be taken for an actual attack to minimize damage.

According to the second aspect of the present invention, information relating to two or more types, contents, orders and time intervals of communication during the course of an attack event or a leak event is collected,
Since the collected and arranged information is reflected in the database, the contents of the database can be enhanced and more appropriate measures can be selected.

According to the third aspect of the present invention, the countermeasures are selected from various aspects based on the database and the mounting information, the operation management information, and / or the security information. Therefore, not only the database but also the environment surrounding the system. Considering the above, an appropriate measure can be selected.

Further, according to the invention of claim 4, the database holds the information notified by the communication request monitoring means in time series, and selects a countermeasure based on the time series information stored in the database. Therefore, a countermeasure can be selected using time-series information.

According to the fifth aspect of the present invention, a site map indicating a spatial arrangement of sites is generated based on information notified by a plurality of communication request monitoring means. Can be used to select a measure.

According to the sixth aspect of the present invention, since the vulnerability of the system is explicitly presented and information on the attack on the vulnerable part is collected, it is possible to grasp the attack method by the malicious party. it can.

Further, according to the invention of claim 7, it is determined whether or not the site is used as a stepping stone by a Service-to-Self, based on the result of the investigation of the source of the communication contents. Site can be identified efficiently.

According to the eighth aspect of the present invention, a decoy site for guiding communication to a location different from the target site to be attacked and for avoiding an attack on the target site is provided. You can protect the site and understand the attack method.

[0017]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS With reference to the accompanying drawings, an information management system, an information management method, a program for causing a computer to execute the method, and a computer-readable recording medium storing the program are described below. A preferred embodiment of the present invention will be described in detail.

First, various techniques employed in the overall system according to the present embodiment will be described. FIG. 1 is an explanatory diagram for explaining various technologies employed in the overall system according to the present embodiment. As shown in the figure, in this system, guidance / information collection technology, database creation technology,
We make full use of predictive technology, reliability avoidance technology and attack avoidance technology.

Specifically, this guidance / information gathering technology
It exposes vulnerabilities to the attack and guides the attack by the attacker (bad hacker) 101 to the decoy server 102, and collects underground information, damage site information, and information related to the attack by the induced attack. The information obtained is analyzed and recognized as an attack pattern.

The database conversion technology is a database for analyzing the analyzed attack patterns, damage predictions, and countermeasures. For example, the UG site group (good hacker) 103, the decoy server 102 and the damage The method of accessing the server 104 and its countermeasures are stored in the case database 105.

The prediction technique is based on the case database 10.
5 is used to detect a sign of an attack from the current situation and predict a possible attack. Specifically, the current situation by the attacker 101 is detected by the packet monitor group 106. Detect.

The attack avoidance technique uses the case database 105 to select an optimal avoidance measure at present from information on the progress of the attack, the environment, and the like. For example, the step group 107 in the figure is used as a step. Defense target server 10
8 to the decoy server 109 to avoid the attack. In addition, the reliability detection technology performs an inspection on a site considered to be an attack source, for example, whether or not the site is a stepping stone.

Next, the prediction technique shown in FIG. 1 will be described in more detail. This prediction technology analyzes the pattern of a real attack or an attack that has been induced and induced, and predicts not only a single shot but also a sign that an attack will be made in a form that links various events in space / time. Create a database, maintain the impact range, degree of impact, and damage level of the attack on the predictor, and update semi-automatically.

Further, not only a single event but also a plurality of various events are recognized in an associated form, and are detected as a sign or a sign candidate by referring to the case database 105. Then, it not only interprets the detected signs and candidate signs by itself, but also notifies other sites such as downstream sites.

Further, from a site detected by itself or a sign and a sign candidate notified from, for example, an upstream site,
The attack that may occur in the future is predicted in light of the case database 105. This attack is predicted based on the information in the case database 105, such as the range of influence, the degree of influence, and the damage level.

As described above, such a prediction technique includes (1) a database of an unauthorized access method and its sign phenomenon,
It includes (2) sign detection, (3) sign / sign candidate notification, and (4) attack sign.

(1) Making a Database of Unauthorized Access Techniques and Its Prediction Phenomena Unauthorized access techniques disclosed in the underground (UG) site group 103 are collected and analyzed, and are actually generated on the damage server 104 (other site). Attack techniques are collected and analyzed, and the decoy server 102 reveals vulnerabilities to guide an attack, and collects and analyzes the attack techniques.

Based on these analysis results, an attack pattern is analyzed not only in one shot but also in a form in which a plurality of various events are spatially / temporally linked, and a sign of an attack is stored in a database. . The case database 105 is semi-automatically updated in such a manner that the range of influence, the degree of influence, and the damage level of the attack on the predictor are associated with each other and the case database 105 is updated automatically.

(2) Prediction detection A packet arrival state different from the steady state toward the specific site is detected, and a packet arrival state different from the steady state at the specific site is detected, and based on these detection results, It recognizes not only a single event but also a plurality of various events in association with each other, and detects a sign or a sign candidate based on the result of the recognition, against the contents of the case database 105.

(3) Notification of Prediction / Prediction Candidate The detected predication and prediction candidate are reported to another site such as a downstream site. For example, when a request is made to send a packet that is different from the steady state to a specific site, the packet is transmitted and information that "this packet may be a sign of a XX attack" is sent.
Notify the site.

(4) Prediction of Attack By predicting an attack that may occur in the future by comparing the sign detected by itself and a sign and a sign candidate notified from another site such as the upstream site with the contents of the case database 105.

Next, the attack avoidance technique shown in FIG. 1 will be described in more detail. This attack avoidance technology considers the means of evasion in the progress of each attack from the history of the attacks for each type of attack target and environmental conditions, and creates a database in which the means of evasion are associated with signs / attacks. Update semi-automatically.

After the attack is predicted, the stage of the predicted attack at the present time is predicted, the target of the attack and the environmental conditions are found, and the optimal avoiding means is determined from the case database 105. After that, the determined evasion measures are used to prevent attacks. Therefore, such attack evasion techniques are (1) creating a database of evasion means,
(2) Selection of avoidance means, and (3) exercise of avoidance means.

(1) Creating a database of evasion means From the history of attacks, consider, develop and verify the evasion means for each type of attack target and environmental conditions based on the history of the attack, and predict the evasion means. / Create a database linked to attacks and update semi-automatically.

(2) Selection of Avoidance Means After an attack is predicted, it is predicted at which stage of the predicted attack the current time point is. Then, the target of the foreseen attack is identified, and the environmental conditions are found. And the progress of the attack,
The optimal avoiding means is determined by comparing the attack target and environmental conditions with the case database 105.

(3) Exercise of Avoidance Measures The upstream site that has notified the sign / candidate that has become a material for predicting an attack is notified to the upstream site, and the reliability of the packet source that is the source of the sign / candidate is reported. Encourage inspection. Also, in order to prevent the damage from the attack from spreading, a packet to be discarded is selected and discarded. In addition, in order to prevent the damage from the attack from spreading, a packet to be discarded is selected, and the packet is urged not to be transmitted to an upstream site that may transmit the packet. It also notifies other sites that it is under attack and encourages other sites to avoid similar attacks. Further, a decoy server 109 imitating a site where an attack is detected is provided, and subsequent attacks are guided to the decoy server 109 side.

Here, the decoy servers 102 and 1
09 will be specifically described. Such a decoy server 1
02 and 109 are servers that pretend to be vulnerable and invite an attack. (1) Change of user name (administrator authority), (2) Change of login message (OS and version number), (3) It pretends to be vulnerable through changes in the application name or version number, (4) aliasing of the operating network, and (5) aliasing of the presence of a vulnerable CGI program.

(1) Change of User Name (Administrator Authority) For example, in Windows, the user who has administrator authority at the time of initial setting is “Administrator”, but a new user “Kanrisya” is set and administrator authority is set. By removing administrator privileges from the conventional user "Administrator", it is possible to make the system seem to be vulnerable.

(2) Login message (OS and version number)
The login message on a normal Solaris machine is
It looks like this: SunOS 5.6 login: user-name Password: ******** last login: Tue Aug 29 08:52:55 on console Sun Microsystems Inc. SunOS 5.6 Generic August
1997%

Here, the login message is changed so as to be displayed as follows, and by making it appear that an OS different from the actual one (an old system in which the past vulnerability remains) is operating. It can make the system appear to be vulnerable. TurboLinax release 3.2 (***) Kernel 1.2.9 on an i386 (host.domain.company.co.jp) login: user-name Password: ********%

(3) Change of application name and version number When a HEAD message is sent to the web server,
Returns the server application name as follows: HTTP / 1.1 200 OK Data: Sat, 1 Jan 2000 10:25:12 GMT Server: Apache / 1.3.9 (Unix (registered trademark))

Here, the response message is changed as follows to make it appear that an application different from the real one (an old system that has a past vulnerability remaining) is running, thereby making the system vulnerable. You can make it seem as if HTTP / 1.0 200 OK Server: Microsoft-IIS / 3.0 Date: Sat, 01 Jan 2000 10:25:25 GMT

(4) False Name of Operating Network By using an abuse tool such as port scan, it is possible to investigate the operating network service. Port State Protocol Service 21 open tcp ftp 80 open tcp www-http 443 open tcp https

Here, a false "network service reception mechanism" is prepared, and all accesses to the false service (fragile service, ports 23, 79, 110, 111, 143) are monitored. As a result, abuse tools such as port scans can provide the following (false) findings, which can be misled as if a vulnerable service is running. Port State Protocol Service 21 open tcp ftp 23 open tcp telnet 79 open tcp finger 80 open tcp www-http 110 open tcp pop3 111 open tcp sunrpc 143 open tcp imap 443 open tcp https

(5) False existence of a vulnerable CGI program By using an abuse tool such as a scan tool, the existence of a CGI program that can be provided can be inspected. Searching for vtiinf.html: [Not Found] Searching for service.pwd: [Not Found] Searching for users.pwd: [Not Found] Searching for authors.pwd: [Not Found] Searching for administrators: [Not Found] Searching for shtml.dll: [Not Found] Searching for shtml.exe: [Not Found] ・ ・ ・ Searching for [perl.exe].: [Not Found] Searching for [wwwboared.pl]: [Not Found] Searching for [www -sql].: [Not Found]

Here, a known CGI program (a file having the same name as that of the CGI program) for which the existence of the vulnerability is known is prepared. % touch cgi-bin / phf cgi-bin / Count cgi-bin / test-cgi
cgi-bin / phf.cgi% touch cgi-bin / webgais cgi-bin / perl.exe cgi-bin / w
ww-sql% touch vtiinf.html% mkdir vtibin inf.html vtipvt cfdocs% touch vtibin / shtml.exe vtipvt / service.pwd vtipvt
/authors.pwd% touch cfdocs / zero.cfm cfdos / root.cfm

As a result, the following (false) investigation results are obtained by an abuse tool such as a scan tool, and it can be recognized that a vulnerable CGI program exists. Searching for vtiinf.html: [Found!] Searching for service.pwd: [Found!] Searching for users.pwd: [Not Found] Searching for authors.pwd: [Found!] Searching for administrators: [Not Found] Searching for shtml.dll: [Not Found] Searching for shtml.exe: [Found!] ・ ・ ・ Searching for [perl.exe].: [Found!] Searching for [wwwboared.pl]: [Not Found] Searching for [www -sql].: [Found!]

Next, the basic configuration of the information management system according to the present embodiment will be described with reference to FIGS. FIG. 2 is a block diagram illustrating a basic configuration of the information management system according to the present embodiment. As shown in FIG. 1, the information management system includes a database (DB) 2
01, a management agent 202, a monitor agent 203, and an action agent 204.

In this database 201, data A and measure B are stored in association with each other.
02, when the notification of the data A is received from the monitor agent 203, the countermeasure B and the request destination of the countermeasure (action agent 204) are specified with reference to the contents of the database 201, and the action agent 20
4 is instructed to execute the countermeasure B. It also collects information on the type, content, order and time interval of two or more communications during the course of an attack or leak event,
The collected and arranged information is reflected in the database 201.

Specifically, the monitor agent 203
However, if an error is detected by analyzing a log of a firewall or a WWW server (hereinafter, referred to as an “entity”), it notifies the management manager 202 of data A indicating that an error has occurred. Then, the management manager 202
The measure B is specified with reference to the database 201. Specifically, the database 201 stores the data notified from the monitor agent 203 in time series, and the management manager 202 selects the measure B based on the time series data.

For example, as the countermeasure B, "WWW
When an error occurs on the server, the firewall or W
Prevent communication to WW server ". As shown in FIG. 3, the monitor agent 203 and the action agent 204
May be plural.

Here, the monitor agent 203
Is to notify the data A itself to the management manager 202 when the data A is acquired. However, as shown in FIG. 4, the management manager 202 associates the weighted data A with the weighted measure B. Can also be retained.

FIG. 5 is a block diagram showing the configuration of the monitor agent 203 in such a case. As shown in the figure, the monitor agent 203 includes a data analysis unit 203a, a data analysis unit 203b, and a data stack 20.
3c, a weight table 203d, a determination processing unit 203e, and a notification unit 203f.

That is, the monitor agent 203
The data analysis unit 203a analyzes the data A, the data analysis unit 203b analyzes the data, and stores the data in the data stack 203c. The data stored in the data stack 203c is held for each time series. Then, the weight table 2 prepared in advance
Based on 03d, the determination processing unit 203e determines the weight, and the notification unit 203f notifies the management manager 202 of the weighted event A. The weight coefficient used for the weighting can be arbitrarily set by the user.
It can also be set based on mounting information, operation management information, and / or security information.

Next, the management manager 20 shown in FIG.
2 will be described. FIG. 6 is an explanatory diagram for explaining the management manager 202 shown in FIG. As shown in the figure, when the management manager 202 receives the data A from the monitor agent 203, as described above, the management manager 202 refers to the database 201 to specify the countermeasure B. The system configuration 205 and operation status 206 are also considered.

As shown in FIG. 7, the management manager 202 obtains spatial information on the site from each module 207 and creates a physical map (site map) 208 of the site based on the obtained spatial information. Here, the module 207 includes various monitor agents 203 and action agents 204.

As shown in FIG. 8, the management manager 202 provides feedback to the monitor agent 203. Specifically, the management manager 202 uses the data analysis unit 203b of the monitor agent 203 to execute feedback. The analysis rule to be distributed is distributed to the monitor agent 203. Thus, the analysis rule of the monitor agent 203 is updated under the initiative of the management manager 202. Therefore, the site map 2
08, the type and / or time of the communication to be monitored is distributed to each monitor agent 203.

Next, referring to mutual information between modules will be described. FIG. 9 is an explanatory diagram for explaining mutual information reference between modules. Here, for convenience of explanation, a case is shown in which two management managers, monitor agents, and action agents are provided.

As described above, when the data A is transmitted from the monitor agent 203 to the management manager 202, the countermeasure B is instructed from the management manager 202 to the action agent 204. ~ Monitor Agent 2
03 ′, the action agent 204 to the action agent 204 ′, and the management manager 202 to the management manager 202 ′.

Next, the database 201 shown in FIG.
A description will be given of the automatic update of the. FIG. 10 is an explanatory diagram for explaining automatic updating (PULL type) of the database 201 shown in FIG. As shown in the figure, in the management manager 202 that updates the database 201, the collector unit 1001 issues a request to a site located on the network 1003 based on the selection data 1002, and collects the data. Specifically, when the timer 1004 times out, the collector unit 10
01 reads the selection data 1002 and requests data corresponding to the selection data 1002.

The collector unit 1001 outputs the data obtained from each site to the formatter 1005 to perform format conversion and the like, and the writer 1006 writes the result in the database 201.

Incidentally, the automatic update of the database 201 does not necessarily have to be performed in the PULL type, but can be performed in the PUSH type as shown in FIG.
If the database 201 is automatically updated by such a PUSH type, data can be automatically sent to the database 201 from a site existing on the network, and the configuration of the management manager 202 can be simplified.

As shown in FIG. 12, when a user interface 1007 is provided in the management manager 202 of the PUSH type system, a request can be issued to a desired site based on the user's intention. Further, as shown in FIG. 13, when a user interface 1007 is provided in the management manager 202 of the PULL type system, data automatically sent from a site existing on the network is taken into the database 201 based on the user's intention. be able to.

Next, the management manager 20 shown in FIG.
2. The processing procedure by the monitor agent 203 and the action agent 204 will be described. First,
A processing procedure from when the monitor agent 203 detects an abnormality to when the action agent 204 takes measures will be described.

FIG. 14 is a flowchart showing a processing procedure from when the monitor agent 203 detects an abnormality to when the action agent 204 takes measures. As shown in FIG.
Analyze the log of the entity (step S140
1) Check for abnormalities. As a result, if an abnormality is detected (Yes at Step S1402), the abnormality is notified to the management manager 202 (Step S140).
3).

The management manager 202 determines a countermeasure and a countermeasure request destination with reference to the database 201 or the like (step S1404), and requests the countermeasure to the action agent 204 that is the countermeasure request destination (step S1405).

The action agent 204 receiving the request for the countermeasure implements the specified countermeasure (Step S).
1406), and notifies the management result to the management manager 202 (step S1407). The management manager 202 that has received the countermeasure result reports the user to the user by displaying the countermeasure result on a display (step S1).
408).

By the way, the user often wants to return the entity to the state before the implementation of the countermeasure. Therefore, in the present embodiment, it is possible to restore the countermeasure of the entity. FIG. 15 is a flowchart illustrating a processing procedure when the entity is returned to the state before the implementation of the measure.

As shown in the figure, when the user selects “restoration of countermeasure” from the menu of the management manager 202 (step S1501) and specifies an entity for which the countermeasure is to be restored (step S1502), the management manager 202
Displays the measure history of the specified entity (step S1503).

Here, when the user selects a countermeasure to be restored from the countermeasure history (step S1504), the management manager 202 requests the countermeasure to the action agent 204 to which the countermeasure is requested (step S1505).

Then, the action agent 20
4 implements the requested measure (step S150
6), the management result is notified to the management manager 202 (step S1507), and the management manager 202 reports the management result to the user (step S1508).

Next, the management manager 20 shown in FIG.
The procedure for updating the countermeasure rule in Step 2 will be described. FIG. 16 is an explanatory diagram for describing a procedure for updating a countermeasure rule in the management manager 202 shown in FIG. As shown in the figure, the user places the obtained countermeasure rule in an appropriate (predetermined) directory (step S160).
1) Select "Update countermeasure rule" from the menu of the manager 202 (step S1602).

Then, if the user specifies a file path name of a new countermeasure rule (step S160)
3), the management manager 202 determines the attributes of the object,
Update the countermeasure rule file name (step S160)
4).

Next, the management manager 20 shown in FIG.
The processing procedure for customizing the measure plan in 2 will be described. FIG. 17 is a flowchart showing a processing procedure when the management manager 202 shown in FIG. 2 customizes a countermeasure plan.

As shown in the figure, the user selects “Countermeasure plan customization” from the menu of the management manager 202.
Is selected (step S1701), the management manager 202 activates a measure plan editor for editing the measure plan (step S1702).

When the countermeasure plan editor starts, the user customizes the countermeasure plan using the editor (step S1703), and the management manager 202 updates the object attribute and the countermeasure plan file name (step S1703). Step S1704).

Next, the processing procedure of the management manager 202 and the monitor agent 203 when updating the analysis rule will be described. FIG. 18 is a flowchart showing a processing procedure of the management manager 202 and the monitor agent 203 when updating the analysis rule.

As shown in the figure, the analysis rules obtained by the user are placed in an appropriate directory (step S180).
1) Select “update analysis rule” from the menu of the management manager 202 (step S1802), and specify the file path name of the new analysis rule and the monitor agent 203 to which the analysis rule is to be sent (step S180).
3), the management manager 202 distributes the analysis rule to the monitor agent 203 (step S180)
4).

Thereafter, the monitor agent 203
Updates the analysis rule (step S1805) and returns an update result to the management manager 202 (step S1).
806), the management manager 202 reports the update result to the user (step S1807).

Next, the processing procedure of the management manager 202 and the monitor agent 203 when customizing the analysis rule will be described. FIG. 19 is a flowchart showing the processing procedure of the management manager 202 and the monitor agent 203 when customizing the analysis rules.

As shown in the figure, when the user selects “analysis rule customization” from the menu of the management manager 202 (step S1901) and designates the monitor agent 203 for customizing the analysis rule (step S1902), the management manager 202 Requests the specified monitor agent 203 for an analysis item list which is a customizable part of the analysis rule (step S1903).

Then, the monitor agent 203 receiving this request sends the analysis item list to the management manager 202 (step S1904), and the management manager 202 activates the analysis item list editor for editing the analysis item list (step S1904). Step S1905).

Thereafter, the user customizes the analysis item list using the analysis item list editor (step S1906), and the management manager 202 distributes the customized analysis item list to the monitor agent 203 (step S1907).

After updating the analysis item list (step S1908), the monitor agent 203 returns the update result to the management manager 202 (step S19).
09), the management manager 202 reports the customization result to the user (step S1910).

Next, a procedure for updating the countermeasure module will be described. FIG. 20 is a flowchart illustrating a procedure for updating the countermeasure module. As shown in the figure, the user places the obtained countermeasure module in an appropriate directory (step S2001), selects “update countermeasure module” from the menu of the management manager 202 (step S2002), and sets the file path of the new countermeasure module. Action agent 20 to send name and countermeasure module
4 (step S2003), the management manager 202 distributes the countermeasure module to the corresponding action agent 204 (step S200).
4).

Then, the action agent 204
Indicates that the countermeasure module has been updated (step S20).
05), the update result is returned to the management manager 202 (step S2006), and the management manager 202 reports the update result to the user (step S2007).

Next, the detection notification and A transmitted and received between the management manager 202 and the monitor agent 203 are described.
The data structure of CK will be described. FIG. 21 is a diagram illustrating an example of a data structure of a detection notification and an ACK transmitted and received between the management manager 202 and the monitor agent 203.

As shown in FIG. 9A, when the monitor agent 203 detects an abnormality of an entity,
The detection notification is transmitted to the management manager 202, and when the detection notification is received, the management manager 202 returns an ACK to the monitor agent 203.

As shown in FIG. 9B, this detection notice 2
101 includes an OP code, an agent ID, a sequence number, an event identifier, a damage identifier, an entity ID, an entity log, a time, and a countermeasure parameter.
Here, the agent ID is an object ID that uniquely identifies the agent, and the sequence number is a serial number that the monitor agent 203 gives to the detection notification. The event identifier is information for uniquely identifying an event detected by the monitor agent 203, and the damage identifier is information indicating whether the event detected by the monitor agent 203 has caused or is likely to be damaged. is there. The entity ID is the ID of the entity for which the monitor agent 203 has detected an abnormality, and the entity log is the log of the entity for which the monitor agent 203 has detected an abnormality.

As shown in FIG.
Consists of an OP code and a sequence number. This sequence number is a serial number that the monitor agent 203 gives to the detection notification.

Next, the data structure of a measure request and a result notification exchanged between the management manager 202 and the action agent 204 will be described. FIG.
Management manager 202 and action agent 204
FIG. 9 is a diagram showing an example of a data structure of a measure request and a result notification transmitted and received between the server and the server.

As shown in FIG. 9A, when the management manager 202 determines a countermeasure and a countermeasure request destination, it sends a countermeasure request to the action agent 204. On the other hand, when receiving the countermeasure request, the action agent 204 implements the countermeasure specified in the countermeasure request, and returns the countermeasure result to the management manager 202.

[0093] As shown in FIG.
201 includes an OP code, an agent ID, a sequence number, an entity ID, a measure identifier, and a measure parameter. Here, the sequence number is a serial number given to the countermeasure request by the management manager 202, the countermeasure identifier is information for uniquely identifying the countermeasure function held by the action agent 204, and the countermeasure parameter is a The log of the entity that caused the error is divided for each field.

[0094] As shown in FIG.
2 is the OP code, sequence number, entity I
D, return value and error code. Here, the sequence number is a serial number given to the countermeasure request by the management manager 202, the entity ID is an ID of an entity whose setting has been changed by the action agent 204, and the return value is a value returned by the entity due to the setting change. is there. Also, the error code is `` EOK '' when the countermeasure is implemented, `` EUNKNOWN '' when the unknown countermeasure is passed, and `` ELESSARG '' when the countermeasure parameter is insufficient. If an error occurs, "EUNDEF" is displayed.

Next, a data structure of DB (analysis rule) distribution and result notification exchanged between the management manager 202 and the monitor agent 203 will be described. FIG. 23 is a diagram showing an example of a data structure of DB (analysis rule) distribution and result notification exchanged between the management manager 202 and the monitor agent 203.

As shown in FIG. 9A, in order to update the analysis rule of the monitor agent 203, the management manager 202
Distribute (analysis rules). Monitor agent 203
Receives this DB distribution, fetches the distributed analysis rules, and returns the fetched result to the management manager 202.

[0097] As shown in FIG.
Reference numeral 301 includes an OP code, an agent ID, and an analysis rule. Here, the agent ID is an object ID that uniquely specifies an agent, and the analysis rule is an analysis rule to be distributed.

[0098] As shown in FIG.
2 includes an OP code, an agent ID, and an error code. Here, the agent ID is an object ID that uniquely identifies the agent, and the error code is “EOK” when the update is successful,
"EUNKNOWN" if the format of the distributed rule cannot be recognized, "EOLDVER" if the distributed rule is old (including the same format), and if an unexpected error occurs during the update process. It becomes "EUNDEF".

Next, a list request and a list data structure exchanged between the management manager 202 and the monitor agent 203 will be described. FIG. 24 is a diagram showing an example of a list request and a data structure of the list transmitted and received between the management manager 202 and the monitor agent 203.

As shown in FIG. 9A, in order to customize the analysis items of the monitor agent 203, the management manager 202 requests the monitor agent 203 for an analysis item list. This monitor agent 203
Receives the list request, returns the analysis item list to the management manager 202.

As shown in FIG. 13B, this list request 2401 is composed of an OP code and an agent ID.
This agent ID is an object ID that uniquely identifies the agent.

As shown in FIG.
Consists of an OP code, an agent ID, an analysis item list, and an error code. Here, the agent ID is an object I that uniquely identifies the agent.
D, the analysis item list is the current analysis item list of the monitor agent, and the error code is usually “EOK”, and becomes “EUNDEF” if an unexpected error occurs during updating.

Next, the data structure of list distribution and result notification exchanged between the management manager 202 and the monitor agent 203 will be described. FIG. 25 is a diagram illustrating an example of a data structure of list distribution and result notification exchanged between the management manager 202 and the monitor agent 203.

As shown in FIG. 11A, in order to customize the analysis items of the monitor agent 203, the management manager 202 distributes an analysis item list to the monitor agent 203. Monitor agent 20
3 receives this list distribution, takes in the distributed analysis item list, and
Return to 02.

As shown in FIG. 13B, this list distribution 2501 includes an OP code, an agent ID, and an analysis item list. Here, this agent ID
Is an object ID that uniquely specifies an agent, and the analysis item list is an analysis item list to be distributed.

[0106] As shown in FIG.
2 includes an OP code, an agent ID, and an error code. Here, the agent ID is an object ID that uniquely identifies the agent, and the error code is “EOK” when the update is successful,
"EUNKNOWN" if the format of the distributed analysis list cannot be recognized, "EOLDVER" if the distributed analysis list is old (including the same size), and an unexpected error occurs during the update process Contains "EUNDE
F ".

Next, the data structure of countermeasure distribution and result notification exchanged between the management manager 202 and the action agent 204 will be described. FIG.
Management manager 202 and action agent 204
FIG. 9 is a diagram showing an example of a data structure of countermeasure distribution and result notification exchanged between the server and the server.

As shown in FIG. 10A, in order to update the countermeasure module of the action agent 204, the management manager 202
Distribute the countermeasure module to Upon receiving the distribution of the countermeasure module, the action agent 204 captures the distributed countermeasure module, and returns the capture result to the management manager 202.

[0109] As shown in FIG.
Reference numeral 601 includes an OP code, an agent ID, and a countermeasure module. Here, this agent ID is
The object ID uniquely identifies an agent, and the countermeasure module is a countermeasure to be distributed.

[0110] As shown in FIG.
2 includes an OP code, an agent ID, and an error code. Here, the agent ID is an object ID that uniquely identifies the agent, and the error code is “EOK” when the update is successful,
"EUNKNOWN" when the format of the distributed countermeasure module cannot be recognized, "EOLDVER" when the distributed countermeasure module is old (including the same size), and an unexpected error occurs during the update process Becomes "EUNDEF".

Next, the management manager 20 shown in FIG.
2 will be described. FIG.
FIG. 4 is an explanatory diagram for describing a countermeasure determination process performed by the management manager 202 illustrated in FIG. 2.

The management manager 202 shown in the figure determines a countermeasure using a countermeasure plan and a countermeasure request destination. Here, this countermeasure plan is a rule for determining which countermeasure rule to select when there are multiple countermeasure rules having the same event identifier, and is composed of a tuple of a damage identifier, a threat identifier, and a countermeasure identifier. Is done.

Specifically, when the management manager 202 receives the event identifier from the monitor agent 203 (step S2701), it searches for a countermeasure rule from the event identifier (step S2702) and acquires a threat identifier (step S2703). . Then, a damage identifier is separately acquired from the monitor agent 203 (step S2).
704), a countermeasure plan is searched from the damage identifier and the threat identifier (step S2705).

Then, a countermeasure rule is searched from the searched countermeasure identifier (step S2706), and the action agent 204 is selected based on the countermeasure identifier (step S2707).
To instruct measures.

Here, the damage identifier is an identifier indicating whether there is a possibility of being damaged by an event detected by the monitor agent 203. The damage identifier includes "damaged" and "no damage". "," Undetermined "
There are three. This damage identifier is stored in the management manager 202 when the monitor agent 203 detects an abnormality.
Included in the detection notification sent to the user.

The threat identifier is an identifier indicating the type (magnitude) of damage that can be caused by the event detected by the monitor agent 203. The type of damage depends on the event and is included in the countermeasure rules.

The measure identifier is an identifier that uniquely indicates a measure that can be implemented by the action agent 204.
04 included in the measure request. The countermeasure indicator is
Which action agent 2 the management manager 202
An indicator indicating whether a countermeasure request is to be sent to the server 04.

The event identifier is an identifier that uniquely indicates the event detected by the monitor agent 203. This is included in the detection notification sent to the management manager 202 when the monitor agent 203 detects an abnormality.

Next, an example of a measure plan will be described. FIG. 28 is a diagram illustrating an example of a measure plan. If there is a countermeasure plan and a countermeasure rule shown in the figure, the management manager 202 determines a countermeasure and a countermeasure request destination using the countermeasure plan and the countermeasure rule.

For example, as shown in FIG. 14A, when the monitor agent 203 detects “event 001” and notifies the management manager 202 of “damage”,
The management manager 202 searches for a countermeasure rule shown in FIG. 3B using “event 001” as a search key. Here, two countermeasure rules are hit as shown in FIG. 7B, but the threat identifiers are always the same (here, "threat 001").

Then, the management manager 202 searches for the countermeasure plan shown in FIG. 11C using “damaged” and “threat 001” as search keys, and selects “countermeasure 001” from the countermeasure identifier column of the countermeasure plan. I do.

Thereafter, as shown in FIG. 14D, a rule including “Measure 001” is selected from the two hit measure rules, and “SERVER” is selected as a measure request destination from the measure indicator field. I do. If the monitor agent 203 detects “event 001” and notifies the management manager 202 that “damage is unknown”, “measure 002” is selected as a measure.

As described above, this countermeasure rule is a list of all possible countermeasures for a certain event, and the countermeasure plan is a rule for selecting the listed countermeasure rule. Yes, depending on whether or not there is damage and the size of the damage. The countermeasure rule and the countermeasure plan can be combined into one.However, in order to be able to customize the countermeasure to be selected according to the presence or absence of damage and the magnitude of the damage according to the policy of the site that operates the system, the two are separated. ing. Therefore, the user can customize the measure plan.

Next, the management manager 20 shown in FIG.
The second functional configuration will be described. FIG. 29 and FIG.
0 is a block diagram showing a functional configuration of the management manager 202 shown in FIG.

As shown in FIG. 29, the management manager 20
2 is an object management unit 2901 and a state monitoring unit 290
2. It has a plan construction unit 2903 and an agent function management unit 2904.

The object management section 2901 is a functional section for managing the management manager 202, agent, and entity as objects, respectively, and manages countermeasures rules and countermeasures as attributes of the management manager object. Note that a measure determination unit, which will be described later, searches for a measure rule and a measure plan managed by the object management unit 2901 to determine a measure.

The object management unit 2901 manages the configuration of an object, and a countermeasure determination unit, which will be described later, refers to the configuration information managed by the object management unit 2901 to determine a countermeasure request destination.

The state monitoring unit 2902 is a function unit for confirming the operation state of the agent. The agent periodically communicates with the agent, and changes the status attribute of the agent object managed by the object management unit 2901 depending on whether or not there is a response at the time of communication.

The plan construction section 2903 is a functional section for customizing a countermeasure plan.
In step 3, the object management unit 2901 is requested to manage the customized countermeasure plan.

The agent function management unit 2904 is a function unit for updating or customizing the analysis rules of the monitor agent 203.
The countermeasure module 4 is also updated.

As shown in FIG. 30, the management manager 202 includes an object management unit 2901, a detection notification management unit 2905, a measure determination unit 2906, and a measure selection unit 2907.
And a countermeasure request unit 2908.

The detection notification management unit 2905 receives and manages the detection notification sent from the monitor agent 203, and converts the received detection notification into the countermeasure determination unit 2
906.

The countermeasure determination unit 2906 is the detection notification management unit 2
A function unit that determines a countermeasure to be requested to the action agent 204 and a countermeasure request destination from the detection notification passed from the server 905. The countermeasure determination unit 2906 searches for a countermeasure rule and a countermeasure plan managed by the object management unit 2901, determines a countermeasure and a countermeasure request destination, and outputs the countermeasure request unit 2908 to the countermeasure request unit 2908. The countermeasure determination unit 2906 selects a plurality of countermeasures and countermeasure request destinations, and selects the countermeasure selection unit 290.
7 is requested to select a user for the measure.

The countermeasure selecting section 2907 is provided with a countermeasure determining section 290.
6 is a functional unit that reports a plurality of measures passed from 6 to the user and requests the user to make a selection. Also, a countermeasure restoration request is received from the user, and the countermeasure is restored.

The countermeasure requesting unit 2908 includes a countermeasure determining unit 290
6 is a functional unit that requests the action agent 204 indicated by the countermeasure request destination passed from the countermeasure determination unit 2906 to the action agent 204 indicated by the countermeasure request destination. This countermeasure request unit 2908
Receives the result notification of the action agent 204 and notifies the user of the countermeasure result. In addition, the object management unit 2901 requests the object management unit 2901 to manage a countermeasure request or a countermeasure result indicating a state change of an entity due to the countermeasure.

Next, the object management unit 2901
An example of the object managed by the will be described. FIG.
1 is a diagram showing a management manager object, FIG. 32 is a diagram showing an agent object, and FIG. 33 is a diagram showing an entity object.

As shown in FIG. 31, the management manager objects include those related to the management manager 202, countermeasure rules, countermeasure plans, log format definitions, agent certification lists, status monitors, monitor agents 203 and action agents 204.

As shown in FIG. 32, some agent objects are related to the agent, the entity, and the manager 202. As shown in FIG. 33, the entity objects are the entity, the FW entity, and the monitor agent 203. , Action agent 204, countermeasure history, and entity-specific information.

The object management unit 2901
Is an object definition function that defines attribute values of objects, an object deletion function that deletes objects,
An object reference function that refers to the attribute value of the object, an object change function that changes the attribute value of the object, and an agent setting file creation auxiliary function that allows the user to complete the agent setting just by placing the created file Have.

Next, the measure determining unit 290 shown in FIG.
The operation of No. 6 will be described in more detail. FIG. 34 is a flowchart illustrating a processing procedure until a measure is determined by the measure determining unit 2906 illustrated in FIG. 30.

As shown in FIG.
Acquires the "threat identifier" with reference to the countermeasure rule (step S3401), and acquires the "countermeasure identifier" with reference to the countermeasure plan (step S3402).

If the countermeasure identifier is OR-joined, the user is requested to select a countermeasure (step S340).
3), the user selects a measure (step S340)
4). Thereafter, the management manager 202 determines a countermeasure and a countermeasure request destination (step S3405), and confirms the operation state of the action agent 204 (step S3).
3406).

Next, the measure determining unit 290 shown in FIG.
6 will be described. FIG. 35 is a functional block diagram showing the configuration of the measure determining unit 2906 shown in FIG. As shown in the drawing, the measure determination unit 2906 includes a detection notification management unit 2905, an object management unit 2901,
Interposed between the countermeasure request unit 2908 and the countermeasure selection unit 2907, the countermeasure determination function control unit 3501, the countermeasure rule search unit 3502, the countermeasure plan search unit 3503, the state check unit 3504, and the countermeasure determination queue management unit 3505 When,
A countermeasure determination queue 3506 is provided.

The countermeasure determining function control section 3501 is a functional section that controls the countermeasure determining function, and the countermeasure rule searching section 3501
Reference numeral 2 denotes a functional unit for searching for a countermeasure rule, a countermeasure plan search unit 3503 is a functional unit for searching for a countermeasure plan, and a status check unit 3504 is a functional unit for checking a status. The unit 3505 is a functional unit that manages the countermeasure determination waiting queue 3506.

Next, the reporting function will be described. FIG. 36 is an explanatory diagram for explaining the reporting function. As shown in the figure, when the detection target is detected by the detection engine, a determination is made based on the mounting information 3601, the operation management information 3602, and the security information 3603, and a detection notification is made. That is, based on the information (configuration, operating services, security functions, and the like) of the monitoring target site, a multifaceted operation status is determined and reported.

The mounting information 3601, the operation management information 3602 and the security information 3603 are shown in FIG.
As shown in Fig. 7, it is also used to determine defense measures. When determining a defense measure from a defense measure list, it refers to this information and selects multi-faceted defense measures, depending on the situation. Have implemented dynamic defenses. Here, whether to select a measure based on the mounting information, the operation management information, and / or the security information can be changed according to the user's selection.

Further, as shown in FIG. 38, these mounting information 3601, operation management information 3602 and security information 3603 are also used as a filter between protocol layers. That is, between the IP layer and the TCP layer,
By using as a filter between the TCP layer and the HTTP layer, between the HTTP layer and the MIME data, and between the MIME data and the CGI-AP, it is possible to limit unauthorized access methods in each layer and reduce analysis / detection costs. Can be.

Further, by filtering so that a request other than a normal request is not passed to another layer, defense against an attack can be realized. Further, the reliability and validity of the determination process can be improved by referring to information (system configuration, operation service, security function) regarding the monitoring target.

Next, integrated cooperative management using the mounting information 3601, the operation management information 3602, and the security information 3603 will be described. FIG. 39 is an explanatory diagram for describing integrated cooperative control using mounting information, operation management information, and security information.

As shown in FIG.
03 leads to an illegal method, operation management information leads to site information, and mounting information leads to software information.
Here, these fraudulent methods, site information and software information play an important role in performing detection, damage prediction / understanding, defense / avoidance / recovery.

In other words, detection (attack detection, sign detection,
Comprehensive information such as fraudulent methods, site information and software information is necessary to perform attack prediction)
In addition, similar comprehensive information is required for predicting and grasping damage, and for defense, avoidance, and recovery. Therefore, in the present embodiment, integrated cooperative control using the mounting information 3601, the operation management information 3602, and the security information 3603 is performed.

As described above, according to the present embodiment, the log of the entity is analyzed by the monitor agent 203, and when a sign of abnormality is detected, the monitor manager 203 is notified to the management manager 202. And this management manager 20
2 is configured to determine a countermeasure and a countermeasure request destination based on the database 201 or the like, and to cause the action agent 204 that is the countermeasure request destination to execute the corresponding countermeasure. Measures can be taken before an attack begins, thus minimizing damage.

(Appendix 1) Communication request monitoring means for monitoring a communication request, management means for selecting a countermeasure based on information notified from the communication request monitoring means, and countermeasure in response to an instruction from the management means. And a management unit that manages the content of the notification from the communication request monitoring unit in association with the countermeasure performed by the execution unit, and selects a countermeasure based on the database. An information management system comprising: (Supplementary Note 2) An information collecting unit that collects information relating to two or more types, contents, orders, and time intervals of communication in the course of the progress of the attack event or the leakage event, and information collected and arranged by the information collecting unit in the database. Appendix 1 further comprising: a reflection unit that reflects the
Information management system described in. (Supplementary note 3) The information management system according to Supplementary note 1 or 2, wherein the selection unit selects a measure from various aspects based on the database and the mounting information, the operation management information, and / or the security information. (Supplementary note 4) The information according to Supplementary note 3, wherein a setting of selecting a countermeasure based on the mounting information, the operation management information, and / or the security information can be changed according to a user's selection. Management system. (Supplementary note 5) The information management system according to any one of Supplementary notes 1 to 4, further comprising a plurality of communication request monitoring means, management means, and execution means. (Supplementary note 6) The information management system according to supplementary note 5, wherein the plurality of communication request monitoring means, management means, and execution means mutually exchange information between the same model or different models. (Supplementary note 7) The information management system according to any one of Supplementary notes 1 to 6, wherein the information notified by the communication request monitoring unit and / or the countermeasure selected by the management unit are weighted. (Supplementary note 8) The information management system according to supplementary note 7, wherein the weighting factor for weighting can be arbitrarily set by a user. (Supplementary note 9) The information management system according to supplementary note 7, wherein the weighting factor for weighting is set based on the mounting information, the operation management information, and / or the security information. (Supplementary Note 10) The database stores information notified by the communication request monitoring unit in time series, and the selection unit selects a measure based on the time series information stored in the database. The information management system according to any one of Supplementary notes 1 to 9. (Supplementary note 11) The vehicle according to Supplementary notes 1 to 10, further comprising a site map generating unit that generates a site map indicating a spatial arrangement of the sites based on the information notified by the plurality of communication request monitoring units. The information management system according to any one of the above. (Supplementary Note 12) A monitoring condition notifying unit that notifies the plurality of communication request monitoring units of the type and / or time of the communication to be monitored based on the site map generated by the site map generating unit. The information management system according to any one of supplementary notes 1 to 10, characterized in that: (Supplementary note 13) The management unit according to Supplementary notes 1 to 12, wherein the management unit issues a request to a site located on a network, and automatically updates the database based on information returned in response to the request. The information management system according to any one of the above. (Supplementary note 14) The information management system according to supplementary note 13, wherein the request is made in response to a user request. (Supplementary Note 15) The management means automatically updates the database based on information automatically transmitted from a site located on a network.
The information management system according to any one of the above. (Supplementary note 16) The information management system according to supplementary note 15, wherein information automatically transmitted from a site located on the network is taken into the database in response to a user request. (Supplementary note 17) Any one of Supplementary notes 1 to 16, further comprising: a vulnerability presenting unit that indicates a vulnerability of the system; and an information collecting unit that collects information on an attack on the vulnerability presenting unit. Information management system described in one. (Supplementary Note 18) Investigation means for investigating a source of communication contents;
Determining means for determining whether or not the site has been used as a stepping stone by a Service-to-Self based on the result of the investigation by the investigation means, further comprising: information according to any one of appendices 1 to 17, further comprising: Management system. (Supplementary note 19) Any one of Supplementary notes 1 to 18, further comprising a decoy site that guides communication to a location different from the attack target site to be attacked and avoids an attack on the attack target site. Information management system described. (Supplementary Note 20) The management unit performs a countermeasure based on a database that manages the communication request monitoring step of monitoring the communication request by the monitoring unit and the notification content notified by the communication request monitoring step in association with the countermeasure to be performed. An information management method comprising: a selection step of selecting; and an execution step in which an execution unit implements a countermeasure in response to an instruction from the management step. (Supplementary Note 21) An information collection step of collecting information relating to two or more types, contents, orders, and time intervals of communication in the course of an attack event or a leak event, and the information collected and arranged by the information collection step is stored in the database. 20. The information management method according to claim 20, further comprising: (Supplementary note 22) The information management method according to Supplementary note 20 or 21, wherein the selecting step selects a countermeasure in various aspects based on the database and the mounting information, the operation management information, and / or the security information. (Supplementary note 23) The information according to Supplementary note 22, wherein the setting of selecting a measure based on the mounting information, the operation management information, and / or the security information can be changed according to a user's selection. Management method. (Supplementary note 24) The information management method according to any one of Supplementary notes 20 to 23, wherein a plurality of monitoring units, a management unit, and an execution unit are provided. (Supplementary note 25) The information management method according to supplementary note 24, wherein the plurality of monitoring units, the management unit, and the execution unit mutually exchange information between the same model or different models. (Supplementary Note 26) Information notified by the monitoring unit and / or
Alternatively, the information management method according to any one of supplementary notes 20 to 25, wherein a measure selected by the management unit is weighted. (Supplementary note 27) The information management method according to supplementary note 26, wherein the weighting factor for weighting can be arbitrarily set by a user. (Supplementary note 28) The information management method according to supplementary note 26, wherein the weighting factor for weighting is set based on the mounting information, the operation management information, and / or the security information. (Supplementary note 29) The database stores information notified by the monitoring unit in a time series, and the selecting step selects a measure based on the time series information stored in the database. 20. The information management method according to any one of 20 to 28. (Supplementary note 30) The method according to Supplementary notes 20 to 29, further including a site map generating step of generating a site map indicating a spatial arrangement of the site based on the information notified by the plurality of communication request monitoring units. The information management method described in any one of the above. (Supplementary Note 31) The method further includes a monitoring condition notification step of notifying the plurality of monitoring units of the type and / or time of the communication to be monitored based on the site map generated in the site map generation step. Appendix 20
30. The information management method according to any one of -29. (Supplementary note 32) The supplementary note 20 to 31, wherein the management unit issues a request to a site located on a network and automatically updates the database based on information returned in response to the request. The information management method described in any one of the above. (Supplementary note 33) The information management method according to supplementary note 32, wherein the request is made in response to a user request. (Supplementary note 34) Supplementary notes 20 to 31, wherein the management unit automatically updates the database based on information automatically transmitted from a site located on a network.
The information management method according to any one of the above. (Supplementary note 35) The information management method according to supplementary note 34, wherein information automatically transmitted from a site located on the network is taken into the database in response to a user request. (Supplementary note 36) Any one of supplementary notes 20 to 35, further including a vulnerability presenting step indicating a vulnerability of the system, and an information collecting step of collecting information on an attack on the vulnerability presenting step. Information management method described in one. (Supplementary Note 37) An investigation step of investigating a source of communication contents;
36. The information according to any one of Supplementary Notes 20 to 36, further comprising: a determination step of determining whether the site is used as a stepping stone by a Service-to-Self based on the result of the investigation in the investigation step. Management method. (Supplementary note 38) Any one of Supplementary notes 20 to 37, further including a decoy site that guides communication to a location different from the attack target site to be attacked and avoids an attack on the attack target site. Information management method described. (Supplementary Note 39) The management unit selects a countermeasure based on a database that manages a communication request monitoring procedure for monitoring a communication request by a monitoring unit and a notification content notified by the communication request monitoring procedure in association with a countermeasure to be performed. The selection procedure to be performed,
A program for causing a computer to execute an execution procedure in which an implementation unit implements a measure in response to an instruction from the selection procedure. (Supplementary Note 40) The management unit performs a countermeasure based on a database that manages the communication request monitoring step of monitoring the communication request by the monitoring unit, and associates the notification content notified by the communication request monitoring step with the countermeasure to be performed. A computer-readable recording medium having recorded thereon a program for causing a computer to execute a selecting step of selecting and an implementing step in which an implementing unit implements a measure in response to an instruction from the managing step.

[0154]

As described above, claims 1, 9, 1
According to the inventions of 0 and 11, the content of the notification and the countermeasure are stored in the database in association with each other, and when the communication request monitoring means monitors the communication request and detects an abnormality and notifies the management means, the management means However, it is configured to select the countermeasure from the database and let the implementing means execute the countermeasure, so that the countermeasure can be executed efficiently, thereby taking appropriate countermeasures for the actual attack and minimizing the damage be able to.

According to the second aspect of the present invention, information on two or more types, contents, order and time intervals of communication during the course of an attack event or a leak event is collected.
Since the collected and arranged information is configured to be reflected in the database, the contents of the database can be enhanced and more appropriate measures can be selected.

Further, according to the third aspect of the present invention, since measures are selected from various aspects based on the database and the mounting information, the operation management information and / or the security information, not only the database but also the environment surrounding the system. In consideration of the above, appropriate measures can be taken in advance to minimize damage.

According to the invention of claim 4, the database holds the information notified by the communication request monitoring means in time series, and selects a countermeasure based on the time series information stored in the database. Therefore, a countermeasure can be selected using time-series information.

According to the fifth aspect of the present invention, a site map indicating a spatial arrangement of sites is generated based on information notified by a plurality of communication request monitoring means. Can be used to select a measure.

Further, according to the invention of claim 6, since the system is configured to explicitly present the vulnerability of the system and to collect the information on the attack on the vulnerable part, it is possible to grasp the attack method by the Service-to-Self. it can.

According to the seventh aspect of the present invention, it is determined whether or not the site is used as a stepping stone by a Service-to-Self based on the result of an investigation of the source of the communication contents. Site can be identified efficiently.

Further, according to the invention of claim 8, since the communication is directed to a location different from the attack target site to be attacked, and a decoy site for avoiding an attack on this attack target site is provided, the attack target is provided. You can protect the site and understand the attack method.

[Brief description of the drawings]

FIG. 1 is an explanatory diagram for explaining various technologies employed in an entire system according to an embodiment of the present invention;

FIG. 2 is a block diagram illustrating a basic configuration of an information management system according to the embodiment;

FIG. 3 is a block diagram showing a configuration when a plurality of monitor agents and action agents are provided.

FIG. 4 is a block diagram illustrating a case where a management manager holds weighted data A and weighted measure B in association with each other;

FIG. 5 is a block diagram showing a configuration of a monitor agent shown in FIG.

FIG. 6 is an explanatory diagram for explaining a management manager shown in FIG. 2;

FIG. 7 is an explanatory diagram for explaining creation of a physical map by the management manager shown in FIG. 2;

FIG. 8 is an explanatory diagram for explaining feedback from the management manager to the monitor agent shown in FIG. 2;

FIG. 9 is an explanatory diagram for explaining mutual information reference between modules.

FIG. 10 shows an automatic update (PU) of the database shown in FIG.
FIG. 3 is an explanatory diagram for explaining (LL type).

FIG. 11 is a table for automatically updating the database shown in FIG. 2 (PU
FIG. 4 is an explanatory diagram for explaining the SH type.

FIG. 12 is an explanatory diagram for explaining automatic update (PULL type) of a database including manual intervention.

FIG. 13 is an explanatory diagram for describing automatic updating (PUSH type) of a database including manual intervention.

FIG. 14 is a flowchart illustrating a processing procedure from when a monitor agent detects an abnormality to when an action agent implements a countermeasure;

FIG. 15 is a flowchart illustrating a processing procedure when the entity is returned to the state before the countermeasure is implemented.

FIG. 16 is an explanatory diagram illustrating a procedure for updating a countermeasure rule in the management manager shown in FIG. 2;

17 is a flowchart showing a processing procedure when the management manager shown in FIG. 2 customizes a countermeasure plan.

FIG. 18 is a flowchart illustrating a processing procedure of a management manager and a monitor agent when updating an analysis rule.

FIG. 19 is a flowchart illustrating a processing procedure of a management manager and a monitor agent when customizing an analysis rule.

FIG. 20 is a flowchart showing a procedure for updating a countermeasure module.

FIG. 21 is a diagram illustrating an example of a data structure of a detection notification and ACK transmitted and received between the management manager and the monitor agent.

FIG. 22 is a diagram showing an example of a data structure of a measure request and a result notification transmitted and received between the management manager and the action agent.

FIG. 23 is a diagram showing an example of a data structure of DB (analysis rule) distribution and result notification exchanged between a management manager and a monitor agent.

FIG. 24 is a diagram showing an example of a list request and a data structure of the list transmitted and received between the management manager and the monitor agent.

FIG. 25 is a diagram showing an example of a data structure of list distribution and result notification exchanged between a management manager and a monitor agent.

FIG. 26 is a diagram illustrating an example of a data structure of countermeasure distribution and result notification exchanged between a management manager and an action agent.

FIG. 27 is an explanatory diagram for describing a measure determination process performed by the management manager shown in FIG. 2;

FIG. 28 is a diagram showing an example of a measure plan.

FIG. 29 is a block diagram illustrating a functional configuration of a management manager illustrated in FIG. 2;

FIG. 30 is a block diagram showing a functional configuration of a management manager shown in FIG. 2;

FIG. 31 is a diagram showing a management manager object.

FIG. 32 is a diagram showing an agent object.

FIG. 33 is a diagram showing an entity object.

FIG. 34 is a flowchart showing a processing procedure until a measure is determined by a measure determining unit shown in FIG. 30;

FIG. 35 is a functional block diagram showing a configuration of a measure determining unit shown in FIG. 30;

FIG. 36 is an explanatory diagram for explaining a reporting function.

FIG. 37 is an explanatory diagram for explaining multifaceted defense measure selection using mounting information and the like.

FIG. 38 is an explanatory diagram illustrating a concept of using mounting information and the like as a filter between protocol layers.

FIG. 39 is an explanatory diagram for describing integrated cooperative control using mounting information, operation management information, and security information.

[Explanation of symbols]

 Reference Signs List 101 attacker (bad hacker) 102 decoy server 103 UG system site group (good hackers) 104 victim server 105 case database 106 packet monitor group 107 step board group 108 defense target server 109 decoy server 201 database 202 management manager 203 monitor agent 203a data analysis Unit 203b data analysis unit 203c data stack 203d weight table 203e determination processing unit 203f notification unit 204 action agent 205 system configuration 206 operation status 207 module 208 site physical map 1001 collector unit 1002 selection data 1003 network 1004 timer 1005 formatter 1006 writer 1007 user Interface 2101 detection notification 2102 ACK 2201 Countermeasure request 2202 Result notification 2301 DB distribution 2302 Result notification 2401 List request 2402 List 2501 List distribution 2502 Result notification 2601 Countermeasure distribution 2602 Result notification 2901 Object management unit 2902 State monitoring unit 2903 Plan construction unit 2904 Agent function management unit 2905 Detection Notification management unit 2906 Measure determination unit 2907 Measure selection unit 2908 Measure request unit

 ──────────────────────────────────────────────────続 き Continuing on the front page (72) Inventor Seigo Kotani 4-1-1, Kamiodanaka, Nakahara-ku, Kawasaki City, Kanagawa Prefecture Inside Fujitsu Limited (72) Inventor Fumie Takizawa 4-1-1, Kamiodanaka, Nakahara-ku, Kawasaki City, Kanagawa Prefecture No. 1 Fujitsu Limited F term (reference) 5B085 AC11 BG07

Claims (11)

[Claims] 1. A communication request monitoring means for monitoring a communication request, a management means for selecting a countermeasure based on information notified from the communication request monitoring means, and a countermeasure in response to an instruction from the management means A managing unit that manages the content of the notification from the communication request monitoring unit in association with the countermeasure to be performed by the communication unit, and selecting a countermeasure based on the database. Means, and an information management system comprising: 2. An information collecting means for collecting information relating to two or more types, contents, orders and time intervals of communication in the course of an attack event or a leak event, and information collected and arranged by said information collecting means. 2. The information management system according to claim 1, further comprising: reflection means for reflecting the data in a database. 3. The information management system according to claim 1, wherein the selection unit selects a measure from various aspects based on the database and the mounting information, the operation management information, and / or the security information. . 4. The database stores information notified by the communication request monitoring unit in a time series, and the selection unit selects a countermeasure based on the time series information stored in the database. The information management system according to claim 1, 2, or 3. 5. The apparatus according to claim 1, further comprising: a site map generating unit configured to generate a site map indicating a spatial arrangement of sites based on information notified by said plurality of communication request monitoring units. 4. The information management system according to any one of 4. 6. The apparatus according to claim 1, further comprising: a vulnerability presenting unit that indicates a vulnerability of the system; and an information collecting unit that collects information relating to an attack on the vulnerability presenting unit. Information management system according to one of the above. 7. A system according to claim 1, further comprising: an investigation unit for investigating a source of the communication content; and a determination unit for judging whether or not the site is used as a stepping stone by a Service-to-Self based on the result of the investigation by the investigation unit. The information management system according to claim 1, wherein: 8. A decoy site for guiding communication to a location different from an attack target site to be attacked, and further comprising a decoy site for avoiding an attack on the attack target site. Information management system described in one. 9. A communication request monitoring step in which a communication request is monitored by a monitoring unit, and a management unit performs a countermeasure based on a database that manages the notification content notified by the communication request monitoring step in association with a countermeasure to be performed. An information management method, comprising: a selecting step of selecting, and an executing step in which an implementing unit implements a countermeasure in response to an instruction from the selecting step. 10. A management unit performs a countermeasure based on a communication request monitoring procedure for monitoring a communication request by a monitoring unit, and a database for managing the notification content notified by the communication request monitoring procedure in association with a countermeasure to be performed. A program causing a computer to execute: a selection procedure to be selected; and an implementation procedure in which an implementation unit implements a measure in response to an instruction from the selection procedure. 11. A communication request monitoring step of monitoring a communication request by a monitoring unit, and a management unit performs a countermeasure on the basis of a database that manages the notification content notified by the communication request monitoring step in association with a countermeasure to be performed. A computer-readable recording medium having recorded thereon a program for causing a computer to execute a selecting step of selecting, and an executing step in which an implementing unit implements a measure in response to an instruction from the selecting step.