JP2018121262A - Security monitoring server, security monitoring method, program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a security monitoring server capable of using calculation resources effectively.SOLUTION: A security monitoring server includes an origin specification unit for specifying the origin of information based on the received information, an attack detection detail level determination unit for determining the detail level of attack detection for the received information, an attack detection unit for executing attack detection based on the determined detail level for the received information, and a high order detection necessity determination unit for determining necessity of high order detection for the received information. When a determination is made the high order attack detection is necessary, the attack detection detail level determination unit re-determines the detail level of attack detection for the received information, based on the attack detection results.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an IDS (Intrusion Detection System), an IPS (Intrusion Protection System), a security monitoring server, a security monitoring method, and a program that can be used in an attack detection system.

  In recent years, threats of attacks against infrastructures such as servers connected via a network are increasing. Moreover, it is predicted that the number of devices to be detected will explode in the IoT (Internet of Things) era. There exists patent document 1 as a prior art of an attack detection system. Further, there is Patent Document 2 as a conventional technique of a network monitoring device.

Japanese Patent No. 5739034 Japanese Patent No. 584438

  When attack detection involving a large amount of calculation (deep analysis) is performed on a large number of devices using the conventional technology, it is a problem that a large amount of calculation resources are required. Therefore, an object of the present invention is to provide a security monitoring server that can effectively use computing resources.

  The security monitoring server of the present invention includes a transmission source specifying unit, an attack detection detail level determination unit, an attack detection unit, and a high-order detection necessity determination unit.

  The transmission source specifying unit specifies the transmission source of the information based on the received information. The attack detection detail level determination unit collates the identified sender with a threat level database that stores the sender of the information received in the past and the threat level of the information received in the past in advance as an entry, Determine the level of detail of attack detection for the received information. The attack detection unit performs attack detection on the received information based on the determined level of detail. The higher-order detection necessity determination unit determines the necessity of higher-order attack detection for the received information based on the attack detection result. When it is determined that there is a need for higher-level attack detection, the attack detection detail level determination unit determines again the detail level of attack detection for the received information based on the result of attack detection.

  According to the security monitoring server of the present invention, computational resources can be used effectively.

1 is a block diagram illustrating a configuration of an attack detection system according to a first embodiment. 6 is a flowchart illustrating the operation of the security monitoring server according to the first embodiment. The figure explaining the item memorize | stored in a detection result database. The figure explaining the item memorize | stored in a threat level database. FIG. 3 is a block diagram illustrating a configuration of an attack detection system according to a second embodiment. 10 is a flowchart illustrating the operation of the security monitoring server according to the second embodiment. FIG. 6 is a block diagram illustrating a configuration of an attack detection system according to a third embodiment. 10 is a flowchart illustrating the operation of the security monitoring server according to the third embodiment.

  Hereinafter, embodiments of the present invention will be described in detail. In addition, the same number is attached | subjected to the structure part which has the same function, and duplication description is abbreviate | omitted.

  Hereinafter, the configuration and operation of the attack detection system according to the first embodiment will be described with reference to FIGS. 1 and 2. As shown in FIG. 1, the attack detection system 1000 according to the present embodiment includes a security monitoring server 1, an administrator terminal 91, a service providing server 92, a switch / router 93, a security appliance 94, a threat level database 95, and the like. The The threat level database 95 may be a storage area in the hardware of the security monitoring server 1.

  The security monitoring server 1 of the present embodiment includes an information receiving unit 11, a pre-processing database 11a, a transmission source specifying unit 12, a processed database 12a, an attack detection detail level determining unit 13, an attack detecting unit 14, It includes a detection result database 14a, a high-order detection necessity determination unit 15, and a result storage unit 16. As illustrated in FIG. 1, the transmission source identification unit 12 may include a decoding unit 121, a header analysis unit 122, a payload analysis unit 123, a statistics unit 124, and the like.

  The information receiving unit 11 receives arbitrary information from an arbitrary client terminal (hereinafter also referred to as a sender) (S11). The received information is stored in the pre-processing database 11a.

  In addition, as a client terminal (source) that is targeted for attack detection in this embodiment, for example, a terminal such as a PC, an IoT terminal (control system, sensing system, etc.), or a terminal that requires low delay in detection is assumed. Is done.

  The degree of abstraction of information received is a packet as a small information unit, data as a medium information unit (for example, one sensor data), a single session from a predetermined IP address as a large information unit, or a constant All the communication information transmitted in the session performed within the time can be considered. As will be described later, attack detection is performed for each predetermined information unit, and an entry for storing the detection result is generated. It is assumed that the degree of abstraction of the unit of information that is the target of attack detection and entry generation can have a degree of freedom. For example, attack detection and entry generation may be executed for each packet, or attack detection and entry generation may be executed for each data. Alternatively, attack detection and entry generation may be performed on all communication information transmitted from a predetermined IP address in a single session.

  The transmission source specifying unit 12 specifies the transmission source of information based on the information received in step S11 (S12). If it demonstrates concretely according to the structural example of the figure, the decoding part 121 will perform the decoding process of the received information. The header analysis unit 122 analyzes the header of the received information. The payload analysis unit 123 analyzes the payload part of the received information. The statistical unit 124 statistically analyzes the above data. The source can be specified by various methods using the above-described information. For example, an individual identifier such as an IP address may be extracted from the header analyzed as described above and used as a source of information. Further, for example, a session ID or the like may be extracted from the analyzed header and used as a source of information. The data generated in step S12 is stored in the processed database 12a.

  As shown in FIG. 3, in the threat level database 95, the detection result of the primary detection (analysis A) in association with information (for example, IP address or terminal ID) for specifying the source for the past communication, As a result of detection of secondary detection (analysis B), etc., the result of attack detection may be stored for each level of detail of attack detection (hereinafter also referred to as order). In addition to this, it is assumed that the threat level database 95 stores the threat level derived from the attack detection result for each detail level in association with each other. Note that the present invention is not limited to the example in FIG. 3, and the attack detection result for each level of detail may be handled as a threat level. The threat level database 95 stores various attack detection results and threat levels in association with information for specifying a communication session and a packet as well as information for specifying a source (for example, an IP address and a terminal ID). May be.

  The threat level may be a binary value of 0 or 1, or a numerical value of 3 or more may be set. For example, 10 numbers 0, 1,..., 9 are set for the threat level, and the larger the number, the stronger the malignancy, and if the number in the threat level column is 9, it is clearly malignant. Also good.

  In this specification, a set of information including at least information specifying a transmission source and a corresponding threat level is referred to as an entry. Accordingly, the threat level database 95 stores at least the source of information received in the past (eg, IP address or terminal ID) and the threat level of the information received in the past in advance as an entry. And

  The attack detection detail level determination unit 13 collates each entry in the threat level database 95 with the transmission source specified in step S12, and determines the detail level of attack detection for the information received in step S11 (S13). More specifically, the attack detection detail level determination unit 13 determines whether or not an entry corresponding to the same source exists in the threat level database 95 for the communication whose source is specified in step S12. Check. The attack detection detail level determination unit 13 may determine the detail level of attack detection for the received information according to the following rules, for example.

Specific example 1)
If there is no entry corresponding to the threat level database 95, the detail level (order) is set to primary. On the other hand, when there is an entry corresponding to the threat level database 95, the degree of detail (order) is set to the order one higher than the threat level indicated by the entry.

Specific example 2)
If there is no entry corresponding to the threat level database 95, the detail level (order) is set to primary. On the other hand, when there is an entry corresponding to the threat level database 95, the degree of detail (order) is set to an order equal to the threat level indicated by the entry.

  Assume that the attack detection algorithm prepared in advance is given a degree of detail (order) in advance. Examples of attack detection algorithms that can be used in this embodiment include rule-based attack detection, port scanning detection, port change detection, traffic flow change detection, packet reception timing change detection, DPI, and time series data. Examples include attack detection that detects anomalies based on a deviation between data predicted using acquired data and measured data. As the attack detection algorithm is more detailed and expensive, the degree of detail (order) is set higher.

  Next, the attack detection unit 14 performs attack detection on the information received in step S11 based on the degree of detail (order) determined in step S13 (S14).

  When the attack detection result is normal (S14aN), the result storage unit 16 stores the information specifying the transmission source and the detection result in the detection result database 14a and the threat level database 95 (S16). As shown in FIG. 4, the detection result database 14a includes an anomaly identifier, a time stamp, information for identifying a transmission source (IP address and terminal ID), a detection result for each detail level, a detection count for each detail level, and a final detection. As a result, a handled flag is stored.

On the other hand, when the attack detection result is not normal (if there is a concern or abnormality, S14aY), the high-order detection necessity determination unit 15 determines the necessity of high-order attack detection for the received information. (S15). When it is not determined that there is a need for high-level attack detection (S15aN), the result storage unit 16 stores information for identifying the transmission source and the detection result in the detection result database 14a and the threat level database 95 ( S16). As a case corresponding to S15aN, the following cases can be specifically considered.
1) Since it is clear that the corresponding communication is abnormal (unauthorized), it is less necessary to perform higher-order attack detection. For example, when the number in the above-mentioned threat level column is 9, since it is clear that the corresponding communication is malignant, it is possible to omit higher-order attack detection and effectively use the computational resources. Can be used.
2) The highest order attack detection has already been executed, and higher order attack detection cannot be executed.

  On the other hand, if it is determined that there is a need for higher-order attack detection (S15aY), the attack detection detail level determination unit 13 determines again the detail level of attack detection for the received information based on the result of attack detection. (S13). The attack detection unit 14 again executes attack detection based on the level of detail (order) determined again (S14). In step S14aY, the higher-order detection necessity determination unit 15 determines the necessity for higher-order attack detection (S15). Thus, as long as S14aY and S15aY are satisfied, steps S13, S14, and S15 are repeatedly executed. The following specific method can be considered as a method of redetermining the degree of detail (order) of the attack detection detail degree determination unit 13.

Specific example 1)
Always increase the detail (degree) of target attack detection by 1.

Specific example 2)
When the output of the attack detection algorithm in step S14 is expressed in three stages of normal / concerned / abnormal,
Output = Concern → Judgment result = Yes (Increment the order by 1)
Output = Abnormal → Judgment result = Yes (Order is increased by 2)
* If the output is normal (not applicable to any concern or abnormality), the process passes through the branch of S14aN, and step S16 is executed to complete the flow.

Specific example 3)
When the output of the attack detection algorithm in step S14 is expressed in three stages of normal / concerned / abnormal,
Output = Concern → Judgment result = No (Do not increase the order → S15aN → End)
Output = Abnormal → Judgment result = Yes (Order is increased by 1)
* If the output is normal (not applicable to any concern or abnormality), the process passes through the branch of S14aN, and step S16 is executed to complete the flow.

Specific example 4)
When the output of the attack detection algorithm in step S14 expresses the presence / absence of an abnormality as a numerical value. For example, when the output of the attack detection algorithm is 0.0 to 1.0, the anomaly is higher as the value approaches 1.0, and the threshold for determining whether there is an abnormality is 0.5.

Output = 0.5 or more and less than 0.6 → Judgment result = Yes (the order is increased by 1)
Output = 0.6 or more and less than 0.7 → Judgment result = Yes (increment the order by 2)
Output = 0.7 or more and less than 0.8 → Judgment result = Yes (the order is increased by 3)
Output = 0.8 or more and less than 0.9 → Judgment result = Yes (the order is increased by 4)
Output = 0.9 or higher → Judgment result = Yes (the order is increased by 5)
* When output = normal (output = less than 0.5), the process passes through the branch of S14aN, and step S16 is executed to complete the flow.

  According to the security monitoring server 1 of the present embodiment, for the client terminal (device) with a low risk, the attack detection is immediately terminated (step S14aN → step S16), so that calculation resources are not wasted.

  Similarly, the attack detection is terminated immediately for an apparently unauthorized client terminal (device) as well (step S15aN), so that computational resources are not wasted.

  When the risk of the corresponding client terminal (device) is in the gray zone (steps S14aY and S15aY), the reliability of attack detection is ensured by repeatedly executing steps S13 to S15.

  Further, for the client terminal (device) registered as an entry in the threat level database 95, the detail level corresponding to the registered threat level is set first, so that attack detection with a low level of detail is appropriately skipped, Computational resources are not wasted.

  Thus, according to the security monitoring server 1 of the present embodiment, it is possible to effectively use the computational resources.

  Hereinafter, the configuration and operation of the attack detection system according to the second embodiment will be described with reference to FIGS. 5 and 6. As shown in FIG. 5, the attack detection system 2000 of the present embodiment includes the security monitoring server 2, the administrator terminal 91, the service providing server 92, the switch / router 93, the security appliance 94, the threat level database 95, and the like. The difference from the first embodiment is only the security monitoring server 2.

  The security monitoring server 2 of the present embodiment includes an information receiving unit 11, a pre-processing database 11a, a transmission source specifying unit 12, a processed database 12a, an attack detection detail level determining unit 23, an attack detecting unit 24, It includes a detection result database 14a, a high-order detection necessity determination unit 25, a result storage unit 26, and a similar device search unit 27.

  As in the first embodiment, the security monitoring server 2 according to the present embodiment executes the flow (steps S11 to S16) illustrated in FIG. That is, the security monitoring server 2 according to the present embodiment receives information (S11), specifies the source (S12), determines the detail level of attack detection (S13), and executes attack detection (S14). If necessary, the necessity of high-order attack detection is determined (S15), loop processing is executed as necessary, and the detection result and the like are stored in the threat level database 95 (S16).

  The security monitoring server 2 according to the present embodiment performs the flow of FIG. 2 when the information corresponding to the attack detection target corresponds to S14aY, that is, when a detection result that is not normal (indicates that there is a concern or abnormality) is output. In parallel with this, the flow of FIG. 6 is executed for an entry of a similar device to be described later.

  Specifically, when the result of attack detection performed on the received information is not normal (S14aY), the similar device search unit 27 has a similar characteristic to the corresponding source, that is, similar A device entry is searched from the threat level database 95 (S27). Here, “feature” means an index indicating the client environment such as OS, model, application used, middleware, and network features. Further, as one of variations of “feature”, a data structure or a characteristic pattern of data (for example, a characteristic character string pattern to be registered as a signature) may be included. In addition to this, a “feature” that is a criterion for similarity determination can be determined by an arbitrary rule.

  The high-order detection necessity determination unit 25 determines the necessity of high-order attack detection for the searched entry (S25). If it is not determined that there is a need for higher-order attack detection (S25aN), the flow ends (end).

  On the other hand, when it is determined that there is a need for higher-order attack detection for the searched entry (S25aY), the attack detection detail level determination unit 23 determines the detail level of attack detection for the searched entry. (S23). Except in exceptional cases, the attack detection detail level determination unit 23 preferentially sets the searched entries as targets for attack detection with a high detail level (order). The attack detection detail level determination unit 23 can determine the level of detail (order) of the attack detection algorithm as a target entry according to an arbitrary rule.

  The attack detection unit 24 performs attack detection on the searched entry based on the determined level of detail (S24). If the attack detection result is not normal (S24aY), the higher-order detection necessity determination unit 25 determines the necessity for higher-order attack detection (S25). Thus, as long as S24aY and S25aY are satisfied, steps S23, S24, and S25 are repeatedly executed. When the attack detection result is normal (S24aN), the result storage unit 26 stores the detection result of the searched entry in the detection result database 14a and the threat level database 95 (S26).

  According to the security monitoring server 2 of the present embodiment, since the attack detection is performed by another flow in parallel for a device (similar device) similar to a sender whose result of attack detection is not normal, the reliability of attack detection The nature is further improved.

  Hereinafter, the configuration and operation of the attack detection system according to the third embodiment will be described with reference to FIGS. As shown in FIG. 7, the attack detection system 3000 according to the present embodiment includes the security monitoring server 3, an administrator terminal 91, a service providing server 92, a switch / router 93, a security appliance 94, a threat level database 95, and the like. The difference from the first and second embodiments is only the security monitoring server 3.

  The security monitoring server 3 of the present embodiment includes an information receiving unit 11, a pre-processing database 11a, a transmission source specifying unit 12, a processed database 12a, an attack detection detail level determining unit 33, an attack detecting unit 34, It includes a detection result database 14a, a high-order detection necessity determination unit 35, a result storage unit 36, a resource confirmation unit 38, and a sample extraction unit 39.

  The security monitoring server 3 according to the present embodiment executes the flow (steps S11 to S16) illustrated in FIG. That is, the security monitoring server 3 of the present embodiment receives information (S11), identifies the source (S12), determines the detail level of attack detection (S13), and executes attack detection (S14). If necessary, the necessity of high-order attack detection is determined (S15), loop processing is executed as necessary, and the detection result and the like are stored in the threat level database 95 (S16).

  The security monitoring server 3 of the present embodiment corresponds to S14aN for the information that is an attack detection target, that is, when a normal (not concerned or abnormal) detection result is output, In parallel with the flow, the flow of FIG. 8 is executed for an entry of a sample device to be described later.

  Specifically, the resource confirmation unit 38 confirms the current calculation resource of the security monitoring server 3 (S38) when the result of the attack detection performed on the received information is normal (S14aN).

  When the confirmed calculation resource exceeds a predetermined value (S38aY), the sample extraction unit 39 extracts a sample device, that is, an entry of the sample device from the threat level database (S39). On the other hand, if the confirmed computing resource does not exceed the predetermined value (S38aN), the parallel processing is abandoned and the flow ends (END).

  As extraction methods, for example, a method of sampling random entries, a method of extracting entries in the order of arrival, and the like can be considered. The number of entries to be extracted may be increased in proportion to the calculation resource. If no entry is extracted (S39aN), the parallel processing is abandoned and the flow ends (END).

  When the entry is extracted (S39aY), the high-order detection necessity determination unit 35 determines the necessity of high-order attack detection for the extracted entry (S35). If it is not determined that there is a need for higher-order attack detection (S35aN), the flow ends (end).

  On the other hand, when it is determined that there is a need for high-level attack detection for the extracted entry (S35aY), the attack detection detail level determination unit 33 determines the detail level of attack detection for the extracted entry. (S33). The attack detection detail level determination unit 33 preferentially sets the extracted entry as an attack detection target having a high detail level (order).

  The attack detection unit 34 performs attack detection on the extracted entry based on the determined level of detail (S34). When the result of attack detection is not normal (S34aY), the higher-order detection necessity determination unit 35 determines the necessity for higher-order attack detection (S35). Thus, as long as S34aY and S35aY are satisfied, steps S33, S34, and S35 are repeatedly executed. When the attack detection result is normal (S34aN), the result storage unit 36 stores the extracted entry detection result in the detection result database 14a and the threat level database 95 (S36).

  According to the security monitoring server 3 of the present embodiment, when the attack detection result for the attack detection target is normal, if there is a surplus in computational resources, a deeper attack can be performed on the entry by another flow in parallel. Since detection is performed, it is possible to improve the reliability of attack detection while efficiently using computational resources.

<Supplementary note>
The apparatus of the present invention includes, for example, a single hardware entity as an input unit to which a keyboard or the like can be connected, an output unit to which a liquid crystal display or the like can be connected, and a communication device (for example, a communication cable) capable of communicating outside the hardware entity. Can be connected to a communication unit, a CPU (Central Processing Unit, may include a cache memory or a register), a RAM or ROM that is a memory, an external storage device that is a hard disk, and an input unit, an output unit, or a communication unit thereof , A CPU, a RAM, a ROM, and a bus connected so that data can be exchanged between the external storage devices. If necessary, the hardware entity may be provided with a device (drive) that can read and write a recording medium such as a CD-ROM. A physical entity having such hardware resources includes a general-purpose computer.

  The external storage device of the hardware entity stores a program necessary for realizing the above functions and data necessary for processing the program (not limited to the external storage device, for example, reading a program) It may be stored in a ROM that is a dedicated storage device). Data obtained by the processing of these programs is appropriately stored in a RAM or an external storage device.

  In the hardware entity, each program stored in an external storage device (or ROM or the like) and data necessary for processing each program are read into a memory as necessary, and are interpreted and executed by a CPU as appropriate. . As a result, the CPU realizes a predetermined function (respective component requirements expressed as the above-described unit, unit, etc.).

  The present invention is not limited to the above-described embodiment, and can be appropriately changed without departing from the spirit of the present invention. In addition, the processing described in the above embodiment may be executed not only in time series according to the order of description but also in parallel or individually as required by the processing capability of the apparatus that executes the processing. .

  As described above, when the processing functions in the hardware entity (the apparatus of the present invention) described in the above embodiments are realized by a computer, the processing contents of the functions that the hardware entity should have are described by a program. Then, by executing this program on a computer, the processing functions in the hardware entity are realized on the computer.

  The program describing the processing contents can be recorded on a computer-readable recording medium. The computer-readable recording medium may be any recording medium such as a magnetic recording device, an optical disk, a magneto-optical recording medium, or a semiconductor memory. Specifically, for example, as a magnetic recording device, a hard disk device, a flexible disk, a magnetic tape or the like, and as an optical disk, a DVD (Digital Versatile Disc), a DVD-RAM (Random Access Memory), a CD-ROM (Compact Disc Read Only). Memory), CD-R (Recordable) / RW (ReWritable), etc., magneto-optical recording medium, MO (Magneto-Optical disc), etc., semiconductor memory, EEP-ROM (Electronically Erasable and Programmable-Read Only Memory), etc. Can be used.

  Further, this program is distributed by selling, transferring, or lending a portable recording medium such as a DVD or CD-ROM in which the program is recorded. Furthermore, the program may be distributed by storing the program in a storage device of the server computer and transferring the program from the server computer to another computer via a network.

  A computer that executes such a program first stores, for example, a program recorded on a portable recording medium or a program transferred from a server computer in its own storage device. When executing the process, the computer reads a program stored in its own recording medium and executes a process according to the read program. As another execution form of the program, the computer may directly read the program from a portable recording medium and execute processing according to the program, and the program is transferred from the server computer to the computer. Each time, the processing according to the received program may be executed sequentially. Also, the program is not transferred from the server computer to the computer, and the above-described processing is executed by a so-called ASP (Application Service Provider) type service that realizes the processing function only by the execution instruction and result acquisition. It is good. Note that the program in this embodiment includes information that is used for processing by an electronic computer and that conforms to the program (data that is not a direct command to a computer but has a property that defines the processing of the computer).

  In this embodiment, a hardware entity is configured by executing a predetermined program on a computer. However, at least a part of these processing contents may be realized by hardware.

Claims (8)

A source identifying unit that identifies the source of the information based on the received information;
Detecting an attack on the received information by collating the source of the information received in the past with the threat level database stored in advance as an entry in association with the threat level of the information received in the past and the specified source An attack detection detail level determination unit that determines the level of detail of
An attack detection unit that performs attack detection based on the determined degree of detail for the received information;
Based on the result of the attack detection, including a higher-order detection necessity determination unit that determines the necessity of higher-order attack detection for the received information,
The attack detection detail level determination unit
A security monitoring server that determines again the level of detail of attack detection for the received information based on the result of attack detection when it is determined that there is a need for high-order attack detection. The security monitoring server according to claim 1,
When the result of the attack detection performed on the received information is not normal, a device having characteristics similar to that of the corresponding sender, that is, a similar device that searches the threat level database for the entry of the similar device A device search unit;
The higher-order detection necessity determination unit
Determine the necessity of high-order attack detection for the searched entry,
The attack detection detail level determination unit
When it is determined that there is a need for high-order attack detection for the searched entry, the level of detail of attack detection for the searched entry is determined;
The attack detection unit
A security monitoring server that performs attack detection on the searched entry based on the determined degree of detail. The security monitoring server according to claim 2,
The security monitoring server includes any one of an OS, a model, an application being used, middleware, a network characteristic, a data structure, and a characteristic pattern of data. The security monitoring server according to claim 1,
A resource confirmation unit for confirming a current calculation resource of the security monitoring server when a result of the attack detection performed on the received information is normal;
A sample extractor for extracting the entry of a sample device, i.e., the sample device, from the threat level database when the confirmed calculation resource exceeds a predetermined value;
The higher-order detection necessity determination unit
Determine the necessity of high-level attack detection for the extracted entry,
The attack detection detail level determination unit
When it is determined that there is a need for high-level attack detection for the extracted entry, the degree of detail of attack detection for the extracted entry is determined,
The attack detection unit
A security monitoring server that performs attack detection on the extracted entry based on the determined degree of detail. A security monitoring method executed by the security monitoring server,
Identifying the source of the information based on the received information;
Detecting an attack on the received information by collating the source of the information received in the past with the threat level database stored in advance as an entry in association with the threat level of the information received in the past and the specified source Determining the level of detail of
Performing attack detection on the received information based on the determined degree of detail;
Determining the necessity of high-order attack detection for the received information based on the result of the attack detection;
A security monitoring method including a step of re-determining the level of detail of attack detection for the received information based on a result of the attack detection when it is determined that there is a need for high-order attack detection. The security monitoring method according to claim 5,
When the result of the attack detection performed on the received information is not normal, searching for an entry having a similar characteristic to the corresponding source, that is, the entry of the similar apparatus from the threat level database When,
Determining the necessity of high-order attack detection for the searched entry;
Determining the level of detail of attack detection for the searched entry when it is determined that there is a need for higher order attack detection for the searched entry;
A security monitoring method further comprising the step of performing attack detection based on the determined degree of detail for the searched entry. The security monitoring method according to claim 5,
If the result of the attack detection performed on the received information is normal, checking the current computing resource of the security monitoring server;
Extracting the entry of a sample device, i.e., a sample device, from the threat level database when the confirmed computational resource exceeds a predetermined value;
Determining the need for higher order attack detection on the extracted entries;
Determining the level of detail of attack detection for the extracted entry if it is determined that there is a need for higher order attack detection for the extracted entry;
A security monitoring method comprising a step of executing attack detection based on the determined degree of detail for the extracted entry.   The program which makes a computer function as a security monitoring server in any one of Claim 1 to 4.

Images