JP6307453B2 - Risk assessment system and risk assessment method - Google Patents

Description

  The present invention relates to a risk evaluation system and a risk evaluation method. Specifically, in addition to technical characteristics of individual vulnerabilities, vulnerability risk is evaluated based on the system configuration and topology, and the actual system situation This technology relates to a technology that enables highly effective risk assessment corresponding to.

  Currently, a wide variety of software is used, but the software may have defects called software vulnerabilities, such as defects in programs and problems in specifications. Public security organizations create a database of software vulnerability information and publish about 5,000 software vulnerabilities annually to alert them. On the other hand, it is reported that attacks using the vulnerability by malicious attackers tend to increase significantly immediately after such vulnerability information is disclosed. Therefore, the system administrator who operates the information system must react sensitively to the public information about the vulnerability and respond quickly.

  In general, in vulnerability countermeasures, information on the target system and vulnerability information are obtained, and the relationship between the two information and the risks posed by the vulnerability information are evaluated. Measures are planned and applied in practice.

  However, since a lot of vulnerability information that is irrelevant to individual systems is also disclosed, it is time consuming for system administrators to always collect vulnerability information about target systems without omission and take countermeasures against all vulnerability information. In addition, it is very difficult from the viewpoint of labor, and there is a case where it is subject to a vulnerability attack before taking countermeasures. In addition, the risk that the vulnerability poses to the system depends on the system configuration, and system knowledge and security knowledge are required. Therefore, it is difficult for a system administrator who does not have advanced security knowledge to correctly evaluate the risk posed by the vulnerability. is there.

  Therefore, there is a need for a technique for collecting and managing system information and vulnerability information, correctly associating the information, and evaluating the risk that the vulnerability poses to the system. As a conventional technique for managing and evaluating such system vulnerabilities, for example, a plurality of keywords indicating vulnerability characteristics are stored in the product DB and the vulnerability keyword DB, and the keyword extraction unit performs vulnerability related From the vulnerability information collected by the information collection unit, keywords that match the keywords stored in the product DB and the vulnerability keyword DB are extracted, and the priority determination unit determines the keyword extraction result according to the contents of the priority determination DB. An information processing apparatus (see Patent Document 1) in which the priority of vulnerability information is determined based on the output result of the priority determination result has been proposed. In this technology, the risk assessment is made more efficient by risk assessment based on product information and vulnerability information.

JP 2007-058514 A

In the prior art, by associating vulnerability information with product information, vulnerability information related to the managed system is selected from a vast amount of vulnerability information, and the vulnerability technical information indicated by the vulnerability information is displayed. Based on various characteristics, it is possible to evaluate the risks posed by the vulnerability in the system.

  However, in an actual system, there are cases where countermeasures are not necessary because technically high-risk vulnerabilities are protected from the network boundary. For example, when comparing a device that is easily accessible to a certain vulnerability from the outside with a device that has the same vulnerability but is protected deep in the network, Priority should be given to countermeasures against vulnerabilities. Therefore, in vulnerability risk assessment, it is desirable to conduct assessment based on not only product information and vulnerability information, but also system configuration and topology.

  Accordingly, an object of the present invention is to enable vulnerability assessment based on the system configuration and topology in addition to the technical characteristics of each vulnerability and enable highly effective risk assessment corresponding to the actual system situation. Is to provide.

The risk evaluation system of the present invention that solves the above-described problems includes a storage device that holds a database that associates information on devices, networks, vulnerabilities related to the devices, and security settings that constitute a target system for risk evaluation, Apply information on devices, networks, vulnerabilities, and security settings to a predetermined algorithm based on graph theory to define the relationship between vulnerabilities and security settings depending on the location of each device on the network As a simple risk evaluation model that is a risk evaluation model to be performed, the device, the vulnerability, and the security setting are nodes, and based on the network configuration of the target system indicated by the network information, the device, the vulnerability, and the Between security settings In creating a directed acyclic graph that is connected, by applying the directed acyclic graph to the inference algorithm of Bayesian network to evaluate the risk vulnerability of the target system result in an arithmetic unit for outputting the evaluation result to a predetermined device It is characterized by providing.

In addition, the risk evaluation method of the present invention is an information processing system including a storage device that holds a database that associates information on devices, networks, vulnerabilities related to the devices, and security settings that constitute a target system for risk evaluation. Applying each information of the device, the network, the vulnerability, and the security setting to a predetermined algorithm based on graph theory, the influence of the vulnerability and the security setting according to the arrangement of each device on the network As a simple risk evaluation model that is a risk evaluation model that defines a relationship , the device, the vulnerability, and the security setting are nodes, and the device and the vulnerability are based on a network configuration of the target system indicated by the network information. And security settings with The Create a directed acyclic graph connected by arcs, by applying the directed acyclic graph to the inference algorithm of Bayesian network to evaluate the risk vulnerability of the target system results, and outputs the evaluation result to a predetermined device, It is characterized by that.

  According to the present invention, it is possible to evaluate vulnerability risk based on the system configuration and topology in addition to the technical characteristics of each vulnerability and perform highly effective risk evaluation corresponding to the actual system situation.

It is a figure which shows the network structural example containing the risk evaluation system in this embodiment. It is a figure which shows the function structural example of the management object apparatus of this embodiment. It is a figure which shows the function structural example of the information collection server of this embodiment. It is a figure which shows the function structural example of the security knowledge provision organization server of this embodiment. It is a figure which shows the function structural example of the client of this embodiment. It is a figure which shows the function structural example of the risk evaluation server of this embodiment. It is a figure which shows the hardware structural example of the computer which comprises the risk evaluation system of this embodiment. It is a figure which shows the example of the list of the data table stored in the database of this embodiment. It is a figure which shows the example of the user information table of this embodiment. It is a figure which shows the example of the network information table of this embodiment. It is a figure which shows the example of the apparatus information table of this embodiment. It is a figure which shows the example of the vulnerability information table of this embodiment. It is a figure which shows the example of the security setting information table of this embodiment. It is a figure which shows the example of the state definition table of this embodiment. It is a flowchart which shows the procedure example 1 of the risk evaluation method in this embodiment. It is a flowchart which shows the procedure example 2 of the risk evaluation method in this embodiment. It is a flowchart which shows the procedure example 3 of the risk evaluation method in this embodiment. It is a figure which shows the example 1 of a screen in this embodiment. It is a flowchart which shows the procedure example 4 of the risk evaluation method in this embodiment. It is a flowchart which shows the procedure example 5 of the risk evaluation method in this embodiment. It is a flowchart which shows the procedure example 6 of the risk evaluation method in this embodiment. It is a flowchart which shows the procedure example 7 of the risk evaluation method in this embodiment. It is a flowchart which shows the procedure example 8 of the risk evaluation method in this embodiment. It is a figure which shows the example of the simple risk evaluation model in this embodiment. It is a figure which shows Example 1 of the conditional probability table | surface in this embodiment. It is a figure which shows Example 2 of the conditional probability table | surface in this embodiment. It is a flowchart which shows the procedure example 9 of the risk evaluation method in this embodiment. It is a flowchart which shows the procedure example 10 of the risk evaluation method in this embodiment. It is a figure which shows the example of the detailed risk evaluation model in this embodiment. It is a figure which shows Example 3 of the conditional probability table | surface in this embodiment. It is a figure which shows Example 4 of the conditional probability table | surface in this embodiment. It is a figure which shows the example 2 of a screen in this embodiment.

--- System configuration ---

  Embodiments of the present invention will be described below in detail with reference to the drawings. FIG. 1 is a network configuration diagram including a risk evaluation system 10 of the present embodiment. The risk assessment system 10 shown in FIG. 1 evaluates vulnerability risks based on the system configuration and topology in addition to the technical characteristics of each vulnerability, and enables highly effective risk assessment corresponding to actual system conditions. Computer system.

  A network 102 including the risk evaluation system 10 of this embodiment illustrated in FIG. 1 includes a management target device 101, an information collection server 103, a security knowledge public institution server 104, a database 105, and a client that constitute a risk evaluation target system. 106 and a risk assessment server 107 are connected. Among these devices, the risk evaluation system 10 is composed of at least a risk evaluation server 107, and the risk evaluation server 107 can access the database 105. Of course, the risk evaluation system 10 may include devices other than the risk evaluation server 107 as appropriate.

  Among the devices connected to the network 102 described above, the management target device 101 is a system managed by the system administrator as a risk evaluation target, that is, a device constituting the target system, and illustrates a plurality of management target devices 101_1 to 101_n. ing. In this embodiment, what is to be evaluated is a risk caused by the vulnerability possessed by the managed device 101.

  Further, the information collection server 103 is a security assessment target system, that is, information related to the management target device 101 (system information; identification information of each management target device 101, information related to a network to which it belongs), and security on the Internet 102_2. This is a device that collects security information (at least vulnerability information related to the management target device 101) disclosed by the knowledge publishing organization server 104. On the other hand, the security knowledge publishing organization server 104 is a server device of a predetermined organization that publishes security knowledge on the Internet 102_2. As an example of an operating organization of the security knowledge public organization server 104, a company that provides various security countermeasure services such as computer virus detection and countermeasures, an OS (Operating System) provider, and the like can be assumed. Such an operating organization publishes vulnerability information related to information security obtained with respect to a specific information processing apparatus, OS, or software by the security knowledge disclosure organization server 104.

  Note that the management target device 101 and the information collection server 103 are connected via the network 102_1, and the information collection server 103 and the security knowledge disclosure organization server 104 are connected via the Internet 102_2.

  The database 105 is a storage device that stores the above-described system information collected by the information collection server 103, security setting information, security knowledge, and the like, and is connected to the risk assessment server 107 via the network 102_3. . Alternatively, the database 105 may be preferably stored in the external storage device 704 (see FIG. 7) of the risk evaluation server 107. In general, security setting information represented by CCE is information that is updated less frequently than software vulnerability information. Therefore, it is assumed that the information is pre-defined in the system and held in the database 105. To do. However, as with vulnerability information, it may be collected from security knowledge providers and software vendors.

  The client 106 is a general computer terminal that is directly operated by the system administrator, and is a device that is a main output destination of the processing result by the risk evaluation server 107, that is, the risk evaluation result.

  The risk assessment server 107 is a server device that executes each procedure corresponding to the risk assessment method of the present embodiment based on information on the database 105 and a request from the system administrator received via the client 106. . The risk evaluation server 107 may be configured to include the functions and configurations of the information collection server 103 described above.

In the present embodiment, the networks 102_1, 102_2, and 102_3 are illustrated as different networks, but may be the same network. Further, the networks 102_1 and 102_2 are not essential, and the information collection server 103 may acquire data upon receiving a USB reading or a user input operation from an appropriate interface. Moreover, the component which attached | subjected the code | symbol in the network structure of FIG. 1 may be plurality according to embodiment.
--- Functional structure ---

  Then, the function with which the risk evaluation system 10 of this embodiment is provided is demonstrated. Here, not only the risk evaluation server 107 but also, for example, each device in the above-described network configuration including the risk evaluation system 10 is implemented by executing an appropriate program provided in the memory 703 or the external storage device 704. Each will be described.

  FIG. 2 is a diagram illustrating a functional configuration example of the management target device 101 according to the present embodiment. A management target device 101 illustrated in FIG. 2 includes a transmission / reception unit 201 and a control unit 202. Among these, the transmission / reception unit 201 is a processing unit that transmits / receives information to / from the information collection server 103 via the network 102_1.

  On the other hand, the control unit 202 includes a system information output unit 203 and a security setting output unit 204. Among these, the system information output unit 203 collects system information including information such as ID, device name, product ID, network segment, and relay device to be used, which is identification information of the management target device 101, and via the transmission / reception unit 201, It is a processing unit that transmits to the information collection server 103. The security setting output unit 204 is a processing unit that collects security setting information (a specific example will be described later) of the management target device 101 and transmits it to the information collection server 103 via the transmission / reception unit 201.

For collecting information in the system information output unit 203 and the security setting output unit 204 described above, a standard function of the OS in the management target device 101 may be used. In addition, a security inspection language (OVAL: Open Vulnerability and)
An information collection tool or the like based on the inspection specification defined in the “Assessment Language” may be used, and the form is not limited.

  FIG. 3 is a diagram illustrating a functional configuration example of the information collection server 103 according to the present embodiment. The information collection server 103 registered in FIG. 3 includes a transmission / reception unit 301 and a control unit 302. Among these, the transmission / reception unit 301 is a processing unit that transmits and receives information via the networks 102_1, 102_2, and 102_3. On the other hand, the control unit 302 includes a system information collection unit 303, a security knowledge collection unit 304, and a security setting collection unit 305. Among these, the system information collection unit 303 is a processing unit that receives system information from the management target device 101 via the transmission / reception unit 301 and stores the system information in the database 105. The security knowledge collection unit 304 is a processing unit that receives the security knowledge from the security knowledge providing institution server 104 via the transmission / reception unit 301 and stores it in the database 105. The security setting collection unit 305 is a processing unit that receives security setting information from the management target device 101 via the transmission / reception unit 301 and stores the security setting information in the database 105.

  FIG. 4 is a diagram illustrating a functional configuration example of the security knowledge providing institution server 104 according to the present embodiment. A security knowledge providing institution server 104 illustrated in FIG. 4 includes a transmission / reception unit 401 and a control unit 402. Among these, the transmission / reception unit 401 is a processing unit that transmits / receives information to / from the information collection server 103 via the network 102_2.

  On the other hand, the control unit 402 includes a security knowledge output unit 403. The security knowledge output unit 403 transmits security knowledge to the information collection server 103 via the transmission / reception unit 401 described above. The method of collecting and managing such security knowledge in the security knowledge providing institution server 104 is not particularly limited because it differs depending on the specifications of the security knowledge providing institution server 104 and the operating company of the security knowledge public institution server 104.

FIG. 5 is a diagram illustrating a functional configuration example of the client 106 according to the present embodiment. The client 106 illustrated in FIG. 5 includes a transmission / reception unit 501, an input / output unit 502, and a control unit 503. Among these, the transmission / reception unit 501 is a processing unit that transmits and receives information via the network 102_3. The input / output unit 502 is a processing unit that controls input from a user such as a system administrator via an interface device such as a keyboard and controls output processing for the user via an interface device such as a monitor.

  The control unit 503 includes a screen display processing unit 504, an initial screen display requesting unit 505, an attack source designation processing unit 506, and a vulnerability risk display requesting unit 507. Among these, the screen display processing unit 504 is a processing unit that performs screen display for the user via the input / output unit 502 described above, and the screen acquired by the initial screen display requesting unit 505 and the vulnerability risk display requesting unit 507. Is displayed.

  Also, the initial screen display request unit 505 described above requests the initial screen data to be presented to the user at the time of connection from the client 106 to the risk assessment server 107 via the transmission / reception unit 501, and the corresponding initial screen data is obtained. It is a processing part to receive.

  Also, the above-described attack source designation processing unit 506 designates a device that is a security attack source, such as an external device or a device that is suspected of being infected with malware, via the input / output unit 502 described above. Is a processing unit that receives data from a user such as the transmission / reception unit 501 and transmits it to the risk evaluation server 107.

  Further, the vulnerability risk display request unit 507 transmits a display request for the evaluation result of the vulnerability risk made by the risk evaluation server 107 via the transmission / reception unit 501 described above, and the vulnerability risk obtained from the risk evaluation server 107 is obtained. It is a processing unit that receives screen data of evaluation results.

  FIG. 6 is a diagram illustrating a functional configuration example of the risk evaluation server 107 of the present embodiment. The risk evaluation server 107 illustrated in FIG. 6 includes a transmission / reception unit 601 and a control unit 602. Among these, the transmission / reception unit 601 is a processing unit that transmits and receives information via the network 102_3.

  On the other hand, the control unit 602 includes an initial screen display processing unit 603, a vulnerability risk display processing unit 604, a risk evaluation model construction processing unit 605, a risk evaluation model detailing processing unit 606, a conditional probability table setting processing unit 607, and a risk. The value calculation processing unit 608 is configured.

  Among these, the initial screen display processing unit 603 receives an initial screen display request from the client 106 via the transmission / reception unit 601, and displays screen data necessary for displaying the initial screen, for example, the database 105 (in this case, the database 105 is This is a processing unit that obtains the screen data of each display screen in the client 106 in advance and returns this data.

  Further, the vulnerability risk display processing unit 604 receives a vulnerability risk display request from the client 106 via the transmission / reception unit 601, and receives a risk evaluation model construction processing unit 605, a risk evaluation model detailing processing unit 606, a conditional probability table. This is a processing unit that returns screen data of vulnerability risk evaluation results obtained by using the setting processing unit 607 and the risk value calculation processing unit 608.

  Further, the risk evaluation model construction processing unit 605 is a simple risk evaluation model for evaluating the risk caused by the vulnerability based on the information on the database 105 and the attack source (device) designated by the user input from the client 106. Is a processing unit for constructing.

  Further, the risk evaluation model detailing processing unit 606 calculates the risk value of the model based on the information on the database 105 and the risk value calculated from the simple risk evaluation model constructed by the risk assessment model construction processing unit 605 described above. It is a processing unit that builds a detailed risk evaluation model in which a portion higher than a predetermined standard is further detailed.

The conditional probability table setting processing unit 607 is a processing unit that sets a probability value (see FIGS. 25, 25, 29, and 30) for risk evaluation based on the simple and detailed risk evaluation models described above. . The risk value calculation processing unit 608 is a processing unit that calculates the risk value described above based on the simple and detailed risk evaluation models described above.

Details of processing by each functional unit in the risk evaluation server 107 described above will be described later based on a flowchart.
--- Hardware configuration ---

  Subsequently, the hardware configuration of the devices constituting the risk evaluation system 10 of the present embodiment will be described. FIG. 7 is a diagram illustrating a hardware configuration example of the computer device 701 constituting the risk evaluation system 10 of the present embodiment.

  A computer device 701 illustrated in FIG. 7 includes a CPU 702, a memory 703 including a volatile storage element such as a RAM, and an external storage device 704 including an appropriate nonvolatile storage element such as an SSD (Solid State Drive) and a hard disk drive. A transmission / reception device 705 such as a network interface card (NIC: Network Interface Card), an output device 706 such as a display, and an input device 707 such as a keyboard. Of these, the output device 706 and the input device 707 may not include any of the management target device 101, the security knowledge disclosure institution server 104, the information collection server 103, and the risk evaluation server 107.

In addition, the control units 202, 302, 402, 503, and 602 of the devices illustrated in FIGS. 2 to 6 allow the CPU 702 to load and execute an appropriate program stored in the external storage device 704 described above into the memory 703. Implemented in. In addition, the transmission / reception units 201, 301, 401, 501, and 601 of each device illustrated in FIGS. 2 to 6 are implemented by the transmission / reception device 705. Further, the input / output unit 502 in the client 106 illustrated in FIG. 5 is implemented by an output device 706 and an input device 707.
--- Data structure ---

  Next, a configuration example of the data that is used by the device that configures the risk evaluation system 10 of the present embodiment, that is, the risk evaluation server 107 will be described. Data used in the risk assessment system 10 includes at least user information of the system administrator, network information and device information of the managed system, vulnerability information disclosed as security knowledge, common security settings (CCE: Common Configuration). Security setting item information defined in advance based on (Enumeration) and the like, and definitions of states that the device can take.

  FIG. 8 is a diagram showing a list of data tables stored on the database 105 of the present embodiment. The database 105 illustrated in FIG. 8 stores a user information table 800, a network information table 810, a device information table 820, a vulnerability information table 830, a security setting information table 840, and a state definition table 850. Each table is associated with each other by a predetermined ID included in each record.

Of the tables included in the database 105, an example of the configuration of the user information table 800 is shown in FIG. A user information table 800 illustrated in FIG. 9 includes records having user IDs 801, user information 802, and a system list 803 as data items. Among these, the user ID 801 is an ID uniquely assigned to a user such as a system administrator in the risk evaluation system 10. The user information 802 is information such as the name and contact information of the user corresponding to the user ID 801 described above. The system list 803 is a list of sets of IDs and system names of systems managed by the user corresponding to the user ID 801, that is, systems that can be a risk evaluation target. If a situation is assumed in which a plurality of system administrators manage a plurality of systems, such a user information table 800 is held in the database 105, but only a single system is subject to risk evaluation. If there is, the user information table 800 may not be held in the database 105. It is assumed that the user information table 800 is generated in advance by the administrator of the risk evaluation system 10 and stored in the database 105.

  An example of the configuration of the network information table 810 is shown in FIG. The network information table 810 illustrated in FIG. 10 includes a record having a network segment ID 901, a system ID 902, and a reachable segment ID list 903 as data items. Among these, the network segment ID 901 is an ID uniquely assigned to the network segment. The system ID 902 is an ID of a system related to the network segment ID 901 described above. The reachable segment ID list 903 is an ID list of adjacent segments that can reach the message from the network segment indicated by the network segment ID 901. For example, when a message arrives at a network segment whose network segment ID 901 is “222” from a network segment whose network segment ID 901 is “111”, the reachable segment ID list 1003 of the record whose network segment ID 901 is “111” The segment ID 901 “222” is stored. This network information table 810 is generated in advance by an administrator of the risk evaluation system 10 and stored in the database 105.

An example of the device information table 820 is shown in FIG. In FIG. 11, the device information table 820 has device ID 1001, device name 1002, network segment ID list 1003, relay device ID map 1004, security setting item ID list 1005, and CIA requirement 1006 as data items. The device ID 1001 is an ID uniquely assigned to the device. The device name 1002 is a machine name given to the device corresponding to the device ID 1001. The network segment ID list 1003 is an ID list of network segments to which a device corresponding to the device ID 1001 belongs. The relay device ID map 1004 is a list of device IDs of transmission sources and destinations of communication relayed by the devices in the system configuration. For example, when communication from the device A to the device B passes through the device C, in the record of the device C, the device A is stored as KEY and the device B is stored as VALUE as an associative array. The security setting item ID list 1005 is an ID list of security setting items satisfied by the device among the security setting items. The CIA requirement 1006 is a requirement regarding confidentiality (C), integrity (I), and availability (A) in information security required for a device, and is information input by a system administrator.

An example of the vulnerability information table 830 is shown in FIG. In FIG. 12, the vulnerability information table 830 contains vulnerability ID 1101, device ID 1102, vulnerability attack probability 1103, device impact probability 1104, vulnerability attack precondition 1105, vulnerability attack postcondition 1106, vulnerability attack premise service 1107. Have as an item. The vulnerability ID 1101 is an ID uniquely assigned to the vulnerability. Common vulnerability identifier (CVE: Common Vulner), numbered by MITRE and used internationally as vulnerability ID 1101
it is possible to use a JVN number (JVN: Japan Vulnerability Notes) used in Japan, a vulnerability ID uniquely assigned by the vendor, and the like. The device ID 1102 is an ID of a device having a vulnerability corresponding to the vulnerability ID 1101. The vulnerability attack probability 1103 is an occurrence probability or score of an attack that attacks a vulnerability alone, and is a score based on the technical characteristics of the vulnerability. The device influence probability 1104 is a probability of affecting a device due to a vulnerability attack, and is a score based on the technical characteristics of the vulnerability. Generally, security knowledge providing organizations use CVSS (Common Vulnerability Scoring).
Based on standard security standards such as (System), security information is disclosed to individual software vulnerabilities by assigning scores such as ease of attack and degree of impact on equipment from the viewpoint of technical characteristics The same score can be used as the vulnerability attack probability 1103 and the device influence probability 1104. The vulnerability attack precondition 1105 is a state of a device that is a premise of the vulnerability attack. The post-vulnerability attack state 1106 is a state in which the device falls as a result of the vulnerability attack. The vulnerability attack prerequisite service 1107 is a service that is a prerequisite for the vulnerability attack.

  Next, a configuration example of the device information table 820 will be described with reference to FIG. The device information table 820 illustrated in FIG. 11 includes a device ID 1001, a device name 1002, a network segment ID list 1003, a relay device ID map 1004, and a security setting item ID collected by the information collection server 103 and stored in the table. It has a record having a list 1005 and a CIA requirement 1006 as data items.

  Among these, the device ID 1001 is an ID uniquely assigned to the above-described management target device 101 on which the information collection server 103 has collected information. The device name 1002 is a machine name given to the management target device 101 corresponding to the device ID 1001 described above. The network segment ID list 1003 is an ID list of network segments to which the managed device 101 corresponding to the device ID 1001 belongs. The relay device ID map 1004 is a list of device IDs indicating the transmission source and destination management target device 101 of the communication relayed by the management target device 101 in the system configuration. For example, when communication from “device A”, which is a management target device, passes through “device C”, “device A” is set to “KEY” in the record related to “device C” in the device information table 820. Store “device B” as an associative array with VALUE. The security setting item ID list 1005 is an ID list of security setting items satisfied in the corresponding device among the security setting items, and the CIA requirement 1006 is a CIA (Confidentiality, Integrity) required for the corresponding device. , Availability) requirements.

  Next, a configuration example of the vulnerability information table 830 will be described with reference to FIG. The vulnerability information table 830 illustrated in FIG. 12 includes a vulnerability ID 1101, a device ID 1102, a vulnerability attack probability 1103, and device effects collected by the information collection server 103 from the security knowledge disclosure organization server 104 and stored in the table. It has a record with probability 1104, vulnerability attack premise state 1105, vulnerability attack postmortem state 1106, and vulnerability attack premise service 1107 as data items.

  Among these, the vulnerability ID 1101 is an ID uniquely assigned to the vulnerability. The vulnerability ID 1101 is a common vulnerability identifier (CVE: Common Vulnerabilities and Exposures) numbered by MITRE and used internationally, and a JVN number (JVN: Japan Vulnerability Notes) used in Japan. ), Or a vulnerability ID uniquely assigned by the vendor.

The device ID 1102 is an ID of the management target device 101 having a vulnerability corresponding to the vulnerability ID 1101 described above. Further, the vulnerability attack probability 1103 is an occurrence probability or score of an attack that hits a vulnerability alone corresponding to the above-described vulnerability ID 1101, and is a score based on the technical characteristics of the vulnerability. In addition, the device influence probability 1104 is determined by the attack on the vulnerability corresponding to the vulnerability ID 1101 described above, by the corresponding managed device 101 (device ID 110).
2 is a probability based on the technical characteristics of the vulnerability. Generally, in the security knowledge public organization server 104, CVSS (Common
Based on standard security standards such as Vulnerability Scoring System, security scores are released for individual software vulnerabilities by assigning scores such as ease of attack and impact on equipment from the viewpoint of technical characteristics. The information collection server 103 described above can acquire the same score as the vulnerability attack probability 1103 and the device influence probability 1104 described above. Further, the vulnerability attack precondition 1105 is a state of the corresponding device that is a premise of the vulnerability attack, and the vulnerability attack post-state 1106 is a state in which the corresponding device falls as a result of the vulnerability attack. The attack premise service 1107 is a service that is a premise of the vulnerability attack.

  Next, a configuration example of the security setting item information table 840 will be described with reference to FIG. The security setting item information table 840 illustrated in FIG. 13 includes a record having a security setting item ID 1201, a security setting attack probability 1202, a device influence probability 1203, a security setting attack precondition 1204, and a security attack post-status 1205 as data items. .

  Among these, the security setting item ID 1201 is an ID assigned to the security setting item. The security setting attack probability 1202 is an occurrence probability or score of an attack that violates the security setting. The device influence probability 1203 is a probability of affecting the corresponding device due to a security setting attack. The security setting attack precondition 1204 is a state of a corresponding device that is a premise of the security setting attack. The post-security attack state 1205 is a state in which the corresponding device falls as a result of a security setting attack.

  Next, a configuration example of the state definition table 850 will be described with reference to FIG. The state definition table 850 illustrated in FIG. 14 includes records having the state ID 1301, the upper state ID 1302, and the lower state ID list 1303 as data items.

  Among these, the state ID 1301 is an ID uniquely assigned to the state that the corresponding device can take. The upper level ID 1302 is an ID of a higher level in the inclusion relationship. The lower state ID list 1303 is a list of IDs in a lower state in the inclusion relationship. In this state definition table 850, a tree structure is constructed based on the upper and lower relationships of the states that the corresponding device can take, and the upper states are states including lower states. It is assumed that the state definition table 850 in the present embodiment is appropriately defined in advance and held in the database 105.

In this embodiment, the user information table 800, the network information table 810, the device information table 820, the vulnerability information table 830, the security setting item information table 840, and the state definition table 850 are constructed on the database 105. However, it may be stored in the risk evaluation server 107. Further, it may be a single table in which at least one of the above-described tables is combined, or a more normalized table.
--- Example flow of information collection and registration ---

Hereinafter, the actual procedure of the risk evaluation method in the present embodiment will be described with reference to the drawings. Various operations corresponding to the risk evaluation method described below are realized by a program that configures the risk evaluation system 10 and is read and executed by the risk evaluation server 107 in a memory or the like, for example. And this program is comprised from the code | cord | chord for performing the various operation | movement demonstrated below. In the following description, not only the processing executed by the risk evaluation server 107 but also processing executed by other devices will be described as appropriate.

  FIG. 15 is a flowchart showing a processing procedure example 1 of the risk evaluation method in the present embodiment. Here, first, a process of generating the database 105, that is, a process of acquiring system information and security setting information of the management target device 101 by the information collection server 103 and storing in the database 105 will be described. Such processing needs to be executed in advance before (at least immediately before) the risk evaluation server 107 performs risk evaluation processing caused by the vulnerability of the management target device 101. Further, the system information, security setting information (information obtained from the managed device 101), security knowledge (information obtained from the security knowledge publishing organization server 104), etc. are stored in the managed device 101 or the security knowledge publishing organization server. Since additions and updates are made at any time in 104, in the risk evaluation system 10 (the management target device 101, the information collection server 103, or the risk evaluation server 107) included in or cooperating with the present embodiment, It is preferable that the acquisition process of each information is executed as a background process.

  In this case, first, the management target device 101 calls the scheduler according to the standard function of its own OS, for example, upon arrival of a predetermined time, and activates the system information output unit 203 (1401).

  Next, the system information output unit 203 in the management target device 101 acquires the system information of the management target device 101 and transmits it to the information collection server 103 (1402). The system information acquired by the system information output unit 203 includes information on the network information table 810 and the device information table 820, information on the device ID 1102 included in the vulnerability information table 830, and the like.

  On the other hand, the information collection server 103 that has received the system information from the management target device 101 transmits a new data addition or update request to the database 105 (1403). Upon receiving this request, the database 105 searches the device information table 820 using, for example, the device ID as a key from the system information included in the request. If there is no record related to the device ID, the database 105 generates a new record. Set the value of the corresponding item in the system information included. Also, if a record related to the corresponding device ID already exists in the device information table 820, the data is updated with the value of the corresponding item in the system information included in the request in the corresponding record. It is assumed that such processing is similarly performed on the network information table 810.

  Subsequently, the above-described managed device 101 acquires the security setting information in the managed device 101 and transmits it to the information collection server 103 (1404). Here, the security setting information acquired and transmitted by the managed device 101 is information indicating whether each setting item of the security setting item information table 840 is satisfied in the corresponding device.

  On the other hand, the information collection server 103 that has received the security setting information from the management target device 101 transmits a new data addition or update request to the database 105 (1405). Upon receiving this request, the database 105 searches whether the security setting information included in the request exists in the security setting information table 840 regarding the corresponding device. If there is no corresponding information, a new record is generated, and the request includes Set security setting information. If the security setting information for the corresponding device already exists in the security setting information table 840, the data is updated with the security setting information included in the request in the corresponding record.

The above processing, steps 1401 to 1405 are executed for each managed device 101 and are repeated by the number of managed devices 101. In this embodiment, a client server configuration is adopted between the management target device 101 and the information collection server 103, and the above-described system information acquisition processing is automated to improve operation efficiency.

  However, system information and security setting information of the management target device 101 may be described in a data file format by a system administrator who uses the client 106 and the like, and may be input to the information collection server 103. Thus, by inputting system information and security setting information by the system administrator, there is an advantage that the managed device 101 can be operated without an agent. In this embodiment, the system information is periodically transmitted. However, a change in the system information may be detected, and the system information may be transmitted at a timing when the system information changes.

  A series of processes in which the information collection server 103 collects security information from the security knowledge disclosure authority server 104 and stores it in the database 105 will be described following the description of the collection and storage of system information described above. FIG. 16 is a flowchart showing a procedure example 2 of the risk evaluation method according to the present embodiment. Specifically, FIG. 16 is a flowchart showing an example of a security knowledge acquisition process performed by the information collection server 103 as a background process.

  In this case, first, the information collection server 103 uses the scheduler function provided in the OS of the information collection server 103 itself, for example, in the same manner as the function in the management target device 101 described above, to set the security knowledge collection unit 304 according to the arrival of a predetermined time. The security knowledge collecting unit 304 transmits a security knowledge request to the security knowledge public institution server 104 (1501).

  On the other hand, the security knowledge publishing organization server 104 that has received the above-mentioned security knowledge request returns the security knowledge data held in its own storage device to the information collection server 103 by the security knowledge output unit 403 (1502). ). Here, the security knowledge returned from the security knowledge publishing organization server 104 to the information collection server 103 is information corresponding to a record item in the vulnerability information table 830.

  The information collection server 103 that has received the security knowledge data transmits a request for security knowledge, that is, new addition or update of security information, to the database 105 (1503). Upon receiving this request, the database 105 searches the vulnerability information table 830 using, for example, the device ID or the vulnerability ID as a key in the security information included in the request, and if there is no record related to the device ID, a new record is created. Generate and set the value of the corresponding item in the security information included in the above request. If a record related to the device ID or the like already exists in the vulnerability information table 830, data update is performed with the value of the corresponding item in the security information included in the request in the corresponding record.

  In the present embodiment, the above-described security information acquisition process is automated between the security knowledge publishing organization server 104 and the information collection server 103 to improve operation efficiency. However, the method of exchanging information between the security knowledge public institution server 104 and the information collection server 103 is based on the specifications of the security knowledge public institution server 104.

---- Initial screen display processing flow example ---

Next, processing for displaying an initial screen when the system administrator connects to the risk assessment server 107 via the client 160 will be described with reference to the drawings. FIG. 17 is a flowchart showing a processing procedure example 3 of the risk evaluation method in the present embodiment, and more specifically, a flowchart showing an example of the initial screen display processing.

  In this case, first, the client 106 that has received an instruction from the system administrator via the input / output unit 502 transmits a connection request to the risk assessment server 107 using the initial screen display request unit 505 (1601). On the other hand, the initial screen display processing unit 603 of the risk assessment server 107 requests and acquires the display data of the initial screen to be output to the client 106, for example, from the database 105 (1602). In this case, for example, template data of a predetermined screen corresponding to each procedure of the risk evaluation method of the present embodiment is stored in advance in the external storage device 704 of the risk evaluation server 107. The screen template data corresponding to the corresponding procedure is read from the external storage device 704 in response to a request from, and data obtained in response to the request to the database 105 is set and output.

  The data acquired by the risk assessment server 107 from the database 105 in step 1602 described above, that is, the data set in the screen template data, for example, the user information table 800 and the device information table using the user ID 801 included in the connection request as a key. Data obtained from each of 802. The data includes user information 802 associated with the user ID 801, a system list 803, a device ID 1001, a device name 1002, a network segment ID 1003, and the like associated with the system ID included in the system list 803. In this embodiment, an example in which the user ID 801 is included in the connection request from the client 106 is shown. However, other processes such as general user authentication for the connection request (eg, ID and password) The user ID 801 may be identified through the authentication process or the like. The processing mode such as user authentication is not limited.

  As described above, the initial screen display processing unit 603 of the risk evaluation server 107 sets the data obtained from the user information table 801 and the device information table 830 of the database 105 to the template data of the initial screen and generates screen data. This is returned to the client 106 (1603). FIG. 18 shows an example of the initial screen 1701 displayed on the input / output unit 502 of the client 106 as a result of the processing in step 1603.

  The initial screen 1701 illustrated in FIG. 18 includes a user information area 1702 for displaying user ID and user name information, a system list display area 1703 for displaying system list information, and a risk evaluation button 1704. It has become. Among these, the system list display area 1703 is a list (more preferably, a list of related apparatus IDs and apparatus names (derived from the apparatus information table 830) for the systems checked in the check box 17031 among the system lists displayed in the area. Includes a related device information list display area 1705 for displaying (including a network segment ID in this list). The list displayed in the related device information list display area 1705 includes an attack source designation box 17041 to be checked when the device designated by the system administrator is regarded as an attack source.

  Although details will be described later, when the risk evaluation button 1704 is pressed, regarding a system in which the check box 17031 is checked at that time, a device in which the attack source designation box 17041 is checked is set as the attack source. Risk assessment will begin.

--- Flow example of risk assessment process (main flow) ---

  Next, vulnerability risk evaluation processing executed by the risk evaluation server 107 when the risk evaluation button 1704 is pressed on the initial screen 1701 described above will be described with reference to the drawings. FIG. 19 is a flowchart showing a processing procedure example 4 of the risk evaluation method in the present embodiment, and is a diagram showing a main flow example of the risk evaluation process.

  Here, first, the client 106 receives information on the risk evaluation target system and the attack source device specified by the system administrator via the input / output unit 502 (1801). In the present embodiment, check boxes 17031 and 17041 on the initial screen 1701 in FIG. 18 are exemplified as an interface for the client 106 to receive designation of the target system and attack source from the system administrator. Devices that can be designated as attack sources by the check box 17041 by the system administrator include the managed device 101 or unmanaged devices belonging to the network segment to which the managed device 101 belongs. In the example of the initial screen 1701 in FIG. 18, not the managed device 101 but an external device (unmanaged device) is selected as the attack source.

  Subsequently, the client 106 transmits a vulnerability risk display request to the risk evaluation server 107 (1802). This transmission process is executed, for example, when a risk evaluation button 1704 is clicked on the initial screen 1701 as a trigger. The vulnerability risk display request transmitted here includes the system ID of the system to be checked in the check box 17031 of the initial screen 1701 and the device ID specified as the attack source in the check box 17041. Alternatively, the system ID of the system to be checked in the check box 17031, the predetermined identifier representing the unmanaged external device designated as the attack source in the check box 17041, and the network segment ID to which the external device belongs (example) : Included in the list of the related device information list display area 1705).

  Upon receiving the vulnerability risk display request, the risk evaluation server 107 uses the information indicated by the request as a key, the network information table 810, the device information table 820, the vulnerability information table 830, and the security setting items on the database 105. Each information of the information table 840 is acquired (1803). In the present embodiment, it is assumed that the risk evaluation server 107 collects information necessary for the vulnerability risk display process in the above-described step 1803 and expands it on the memory. However, the vulnerability risk display process It is also possible to access the database 105 each time information is required in each of these processes and acquire only the necessary information.

  Next, the risk evaluation model construction processing unit 605 of the risk assessment server 107 executes a simple risk evaluation model construction process (1804) based on the information obtained in step 1803 described above. In the process of constructing the simple risk evaluation model in the present embodiment, since the vulnerability risk evaluation is performed based on the system configuration to be evaluated and the network topology, the device (external device or managed device 101), its vulnerability and security settings Are generated as a simple risk evaluation model by a corresponding algorithm based on a predetermined graph theory. This algorithm is realized by a program corresponding to the flows shown in FIGS. 20 to 23 described later, and the corresponding program is held by the risk evaluation model construction processing unit 605 of the risk evaluation server 107.

  The above acyclic directed graph corresponds to a graph in which an arbitrary object is a node and the nodes are connected by a unidirectional arrow called an arc. In such an acyclic directed graph, there is a relationship between a parent node and a child node between the above nodes, and it is not allowed to connect an arc from a child node to an ancestor node including the parent. In general, the absence of an arc connection relationship from a child node to a parent node is referred to as “no loop”.

  In the present embodiment, a graph model is constructed in which each device constituting the evaluation target system and each vulnerability and security setting hole possessed by the device are nodes. Moreover, the relationship between the vulnerability possessing device and the vulnerability and the security setting is connected as an arc. Further, the reachability of the attack message between the devices is determined from the network topology, and if there is the reachability of the attack message via a network from a certain device A to the device B, the device B holds from the node representing the device A Connect the arc to the node representing the vulnerability or hole in the security settings. By connecting nodes as described above, a graph model representing an attack path between devices, that is, a simple risk evaluation model is constructed.

  When the system to be evaluated is, for example, a WEB system, the WEB server that is disclosed to the outside is often securely set with security, whereas the non-public application server is often poorly set with security. . For this reason, attackers have a tendency to attack WEB servers using vulnerability attacks, and then use these WEB servers as a stepping stone to attack security application holes. As shown in the example of the simple risk evaluation model shown in FIG. 24, not only the attack route that hits the vulnerability but also the attack route that hits the hole in the security setting as the attack route, Since the attack can be appropriately evaluated, it is possible to accurately evaluate the risk of vulnerability.

  By building a risk evaluation model as a directed acyclic graph in this way, it becomes possible to quantitatively evaluate vulnerability risk using a probabilistic inference method called a Bayesian network. Bayesian Network (Bayesian Network), which will be described in detail later, visualizes phenomena in the form of network diagrams and probabilities by causing multiple causes and results to affect each other by combining multiple causes and results. This is an inference technique that statistically processes a stack of causes and results that have occurred in the past, and predicts a cause that leads to a predetermined result or a result that occurs from a certain cause with probability. The risk evaluation server 107 of the present embodiment is assumed to hold an inference program corresponding to this Bayesian network in the memory 703 or the external storage device 704 in advance and can be executed as necessary.

  Here, a flow example of the above-described risk evaluation model construction process (1804) will be described with reference to FIG. For the sake of explanation, the acyclic directed graph 2300 generated in the risk evaluation model construction process (1804) illustrated in FIG. 24 is referred to as needed.

  First, the risk evaluation model construction processing unit 605 in the risk evaluation server 107 arranges the attack source device designated by the system administrator on the initial screen 1701 as a node (1901). The same applies to the subsequent processing, but the arrangement of nodes and arcs in the risk evaluation model corresponds to the nodes and arcs in a predetermined drawing plane by the drawing program for the acyclic directed graph provided in advance in the risk evaluation server 107. This is realized by the process of arranging the drawn elements (for example, icons, line segments, etc.). As a result of the execution of step 1901, only the attack source device node 2301 is placed in the simple risk evaluation model of FIG. 24, that is, the acyclic directed graph 2300.

  Next, the risk evaluation model construction processing unit 605 of the risk evaluation server 107 selects a device belonging to a plurality of networks and a node corresponding to the vulnerability among the devices indicated by the information obtained in step 1803 described above. Processing to be added in the acyclic directed graph 2300 is executed (1902). Further, the risk evaluation model construction processing unit 605 of the risk evaluation server 107 assigns a device belonging to a single network and a node corresponding to the vulnerability among the devices indicated by the information obtained in step 1803 described above. Processing to be added in the acyclic directed graph 2300 is executed (1903).

  Step 1902 described above will be described with reference to FIGS. 21 and 22, and step 1903 will be described with reference to FIG. Thus, the reason why different processes are executed depending on whether the number of networks to which a device belongs is singular or plural is to make the construction of the acyclic directed graph 2300 more efficient.

  First, processing for arranging devices belonging to a plurality of networks and nodes corresponding to the vulnerabilities and security setting holes will be described. In this processing, the attack source device is classified as level 0 which means the highest node in the parent-child relationship between nodes, and other devices are set to the size of the number of hops until the attack arrives from the attack source. The level is divided accordingly, and the corresponding node is added in the acyclic directed graph 2300 described above.

  In a vulnerability attack, when a device cannot be attacked directly from the attack source, there is a step attack that attacks and controls another device, and hops the number of devices that relay the attack during this step attack. Call it a number. In addition, as described above, a restriction condition for connecting an arc only from a higher-level device to a lower-level device is set between level-divided devices. Therefore, also in step 1902, the acyclic directed graph 2300 is constructed so as to satisfy this constraint condition.

  Therefore, first, the risk evaluation model construction processing unit 605 of the risk evaluation server 107 refers to the network segment ID list 1003 of the device information table 820 obtained from the database 105 in step 1803 described above, and identifies devices belonging to a plurality of networks. A set is constructed (2001).

  Next, the risk evaluation model construction processing unit 605 of the risk evaluation server 107 sets the device as the above-mentioned attack source as a device set “E0” of level 0, and all devices “e” belonging to this device set “E0”. (2002), the following steps 2003 to 2006 are executed.

  Among these, in step 2003, the risk evaluation model construction processing unit 605 obtains the device “e” from the network segment ID list 1003 in the device information table 820 and the reachable segment ID list 903 in the network information table 810 obtained in step 1803. Of the network to which the message belongs and the network from which the message arrives, other than the upper network is added to the level 1 network set “N1”. Since there is no level 0 network, all are added at level 1.

  Next, in step 2004, the risk evaluation model construction processing unit 605 similarly converts the devices belonging to the level 1 network subset “N′1” from the network segment ID list 1003 to the level 1 device subset “E ′”. Add to 1 ". Similarly, when adding to “E′1”, devices that already exist in the higher-level device set are excluded.

  Next, in step 2005, the risk evaluation model construction processing unit 605 performs arc connection processing from the device “e” to the devices belonging to the device set “E′1” and their vulnerability and security setting holes ( 2005). Details of this step 2005 are shown in the flow of FIG.

  In the flow of FIG. 22, the risk evaluation model construction processing unit 605 first determines whether all devices “e ′” belonging to the device subset “E′1” have been arranged as nodes in the acyclic directed graph. (2101, 2102).

When the result of the above determination is “allocated” (2102: Yes), the risk evaluation model construction processing unit 605 avoids the problem of overlapping and arranging the same device in steps 2013 to 2.
The process 105 is omitted and the process proceeds to Step 2106. On the other hand, when the result of the above determination is “not placed” (2102: No), the risk evaluation model construction processing unit 605 places the device “e ′” as a node in the acyclic directed graph (2103). In the example of the acyclic directed graph 2300 in FIG. 23, a device node 2302 is arranged.

  Next, the risk evaluation model construction processing unit 605 obtains all the vulnerabilities “ve” possessed by the device “e ′” from the device ID 1202 of the vulnerability information table 830 already obtained in step 1803 described above. Are arranged in the acyclic directed graph (2104). In the example of the acyclic directed graph 2300 in FIG. 23, a vulnerability node 2303 is arranged.

  Next, the risk evaluation model construction processing unit 605 connects an arc from the node of the vulnerability “ve” to the node of the device “e ′” (2105). In the example of the acyclic directed graph 2300 in FIG. 23, an arc 2304 connects between the vulnerability node 2303 and the device node 2302.

  Next, the risk evaluation model construction processing unit 605 connects an arc from the node of the device “e” to the node of the vulnerability “ve” (2106). In the example of the acyclic directed graph 2300 in FIG. 23, an arc 2305 connects the attack source device node 2301 and the vulnerability node 2303.

  Returning to the description of the flow of FIG. After the end of step 2005, the device subset “E′1” and the network subset “N′1” are added to the device set “E1” and the network set “N1”, respectively (2006).

  As described above, by executing steps 2002 to 2006 for the level 0 device, the relationship of the device from the level 0 device to the level 1 is added to the acyclic directed graph 2300. Through the series of processes so far, a level 0 region 2316 and a level 1 region 2317 are constructed in the directed acyclic graph 2300 as a simple risk evaluation model illustrated in FIG. In this embodiment, steps 2002 to 2006 are executed for the level 1 device to construct the level 2 area 2318. In this way, the steps 2002 to 2006 are repeatedly executed on the lower level devices sequentially from the higher level device, thereby constructing an acyclic directed graph as a simple risk evaluation model. The risk evaluation model construction processing unit 605 repeatedly performs such iterative processing until all devices belonging to all networks and a plurality of networks are added.

Details of step 2005 described above will be described with reference to FIG. In this case, the risk evaluation model construction processing unit 605 determines whether all the devices “e ′” belonging to the device subset “E′1” have been arranged as nodes (2101).

  As a result of this determination, if the node has already been arranged (2101: Yes), the risk evaluation model construction processing unit 605 omits the subsequent processes 2013 to 2107 to avoid the overlapping arrangement of the same device. Proceed to step 2108.

On the other hand, as a result of the above determination, if there is a node that has not been placed (2101: No), the risk evaluation model construction processing unit 605 places the device “e ′” as a node in the acyclic directed graph (2103). ). In the example of FIG. 24, the device node 2302 is arranged on the acyclic directed graph 2300 which is a simple risk evaluation model.

Subsequently, the risk evaluation model construction processing unit 605 performs the device ID 1102 of the device “e ′” described above.
On the basis of the vulnerability information, the vulnerability information table 830 refers to the vulnerability information regarding the corresponding device, and arranges all the vulnerabilities “ve” on the acyclic directed graph 2300 as vulnerability nodes (2104). In the example of FIG. 24, the vulnerability node 2303 is arranged on the acyclic directed graph 2300 which is a simple risk evaluation model.

Next, the risk evaluation model construction processing unit 605 performs the device ID 1102 of the device “e ′” described above.
Based on the security information, security setting information (information on security setting holes) regarding the corresponding device is referred to in the vulnerability information table 830, and all security setting holes “se” are arranged on the acyclic directed graph 2300 as security setting nodes. (2105). In the example of FIG. 24, the security setting node 2304 is arranged on the acyclic directed graph 2300 which is a simple risk evaluation model.

Next, the risk evaluation model construction processing unit 605 connects an arc from the node having the vulnerability “ve” to the node having the device “e ′” (2106). In the example of FIG. 24, an arc 2305 is connected on the acyclic directed graph 2300 which is a simple risk evaluation model.

Subsequently, the risk evaluation model construction processing unit 605 connects an arc from the node of the security setting hole “se” to the node of the device “e ′” (2107). In the example of FIG. 24, the arc 2306 is connected to the acyclic directed graph 2300 which is a simple risk evaluation model.

  Next, the risk evaluation model construction processing unit 605 connects the arc from the node of the device “e” to the node of the vulnerability “ve” (2108). In the example of FIG. 24, an arc 2307 is connected on the acyclic directed graph 2300 which is a simple risk evaluation model.

  Next, the risk evaluation model construction processing unit 605 connects an arc from the node of the device “e” to the node of the security setting “se” (2109). In the example of FIG. 24, the arc 2308 is connected to the acyclic directed graph 2300 which is a simple risk evaluation model. In this way, step 2005 in the flow of FIG. 21 is completed.

  Now, the description returns to the flowchart of FIG. As described above, after the process of connecting the nodes with arcs (step 2005), the risk evaluation model construction processing unit 605 sets the device subset “E′1” and the network subset “N′1” respectively. The device set “E1” and the network set “N1” are added (2006).

  As described above, by executing Steps 2002 to 2006 for the level 0 device, the relationship of the device from the level 0 device to the level 1 is added to the acyclic directed graph 2300. Also, through the series of processes so far, the level 0 area 2316 and the level 1 area 2317 are constructed as the simple risk evaluation model of FIG. In this embodiment, steps 2002 to 2006 are executed for the level 1 device to construct the level 2 area 2318. In this way, a simple risk evaluation model is constructed by sequentially executing steps 2002 to 2006 from the higher level device to the lower level device. The risk evaluation model construction processing unit 605 repeatedly executes processing between each level from the upper level to the lower level until all devices belonging to all networks and a plurality of networks are added (2007).

  Next, details of step 1903 in the flow of FIG. 21 will be described with reference to FIG. In this case, the risk evaluation model construction processing unit 605 classifies the devices indicated by the information obtained in the above-described step 1803 into sets “Em” (plural) and “Es” (single) according to the number of networks to which each device belongs. Then, the following steps 2201 to 2209 are executed for all devices “e” belonging to a single network.

  First, the risk evaluation model construction processing unit 605 places the device “e” as a node in the acyclic directed graph 2300 (2202). In the example of the acyclic directed graph 2300 in FIG. 24, a device node 2309 and the like are arranged.

  Next, the risk evaluation model construction processing unit 605 makes all vulnerabilities “ve” possessed by the device “e” corresponding to the device ID 1102 of the vulnerability information table 830 already obtained in the above step 1803 vulnerable. The node is arranged in the acyclic directed graph as a node (2203). In the example of the acyclic directed graph 2300 as the simple risk evaluation model in FIG. 24, the vulnerability node 2310 is arranged.

  Next, the risk evaluation model construction processing unit 605 refers to the information related to the security setting hole held by the device “e” from the device ID 1102 in the vulnerability information table 830, and sets all security setting holes “se” as security. As a setting node, it is arranged in the acyclic directed graph (2204). In the example of the acyclic directed graph 2300 as the simple risk evaluation model in FIG. 24, the security setting node 2311 is arranged.

  Next, the risk evaluation model construction processing unit 605 connects an arc from the node of the vulnerability “ve” to the node of the device “e” (2205). In the example of the acyclic directed graph 2300 as the simple risk evaluation model in FIG. 24, the arc 2312 connects the vulnerability node 2310 and the device node 2309.

  Next, the risk evaluation model construction processing unit 605 connects an arc from the node of the security setting “se” to the node of the device “e” (2206). In the example of the acyclic directed graph 2300 as the simple risk evaluation model in FIG. 24, the arc 2313 connects between the security setting node 2311 and the device node 2309.

  Subsequently, the risk evaluation model construction processing unit 605 constructs a set “E ′” of devices belonging to the same network as the device “e” and belonging to a plurality of networks (2207). Further, the risk evaluation model construction processing unit 605 connects an arc from the node of the device included in the device set “E ′” to the node of the vulnerability “ve” (2208). In the example of the acyclic directed graph 2300 as the simple risk evaluation model in FIG. 24, the arc 2314 connects between the node 2320 of the device and the node 2310 of the vulnerability.

Next, the risk evaluation model construction processing unit 605 connects an arc from the node of the device included in the device set “E ′” to the node of the security setting “se” (2209). In the example of the acyclic directed graph 2300 as the simple risk evaluation model in FIG. 24, the arc 2315 connects the node 2320 of the device and the node 2311 of the security setting.

  Thus, the acyclic directed graph 2300 illustrated in FIG. 24, that is, the simple risk evaluation model is generated. Unlike the present embodiment, in the construction of a conventional evaluation model that applies an inference method such as a Bayesian network, the above-mentioned arc connection relations and the like are input to the system administrator based on constraints such as no acyclic directed graph loops. It was common to build a model manually. On the other hand, in this embodiment, the attack source device is the highest node, and other devices are leveled according to the number of hops until the attack arrives from the attack source device, and the upper level device to the lower level device. By introducing the constraint condition for connecting the arc only to the point, it is possible to automatically build a risk evaluation model in the process of risk evaluation model construction processing (1804).

Now, the description returns to the flow of FIG. Here, the probability that each device is infringed is calculated from the distribution of the vulnerability and the security setting hole in the entire system, not limited to the specific vulnerability in the acyclic directed graph.

  After the simple risk evaluation model construction process (1804) is completed as described above, the conditional probability table setting processing unit 607 of the risk evaluation server 107 generates a conditional probability table for each node in the acyclic directed graph 2300. Set (1805). This conditional probability table is a table that defines the states that the target node can take and describes the probability that the state of the target node will occur as a conditional probability for all combinations of the states that the parent node of the target node takes. That is. The conditional probability is the probability that another event will occur under the condition that a certain event occurs. In the present embodiment, the states that can be taken by each device node are defined by binary values indicating whether the device has been hijacked or not taken over by an attack. Further, states that can be taken by the vulnerability node and the security setting node are defined by binary values indicating whether an attack has been received or not.

  An example of the conditional probability table described above is shown in FIG. The conditional probability table 2401 illustrated in FIG. 25 is an example of the conditional probability table of the node 2302 representing the device A in the directed acyclic graph 2300 of FIG. Since the node 2302 of “device A” in FIG. 24 has a node 2303 of “vulnerability 1” and a node 204 of “security setting 1” as parent nodes, the combination of the states of these parent nodes is 2 Conditional probabilities are set for the square of 4, that is, four ways.

  In the present embodiment, as the above-mentioned conditional probabilities, the values of the vulnerability device influence probability 1104 (vulnerability information table 830) and the security setting device influence probability 1203 (security setting information table 840) are used. Among the vulnerability or security setting holes possessed by the corresponding device, the device impact probability 1104, 1203 is set to the highest value among those attacked. For example, if the device impact probability 1104 of “vulnerability 1” is “0.7” and the device impact probability 1203 of “security setting 1” is “0.9”, “vulnerability 1” and “security setting” When both “1” are attacked, the conditional probability 2402 is “0.9” which is the maximum value. On the other hand, the conditional probability 2403 in the case where only “Vulnerability 1” is attacked is “0.7”. The conditional probability 2404 when all attacks are not received is “0.0” regardless of the device influence probabilities 1104 and 1203.

  Next, the risk evaluation model construction processing unit 605 similarly sets a conditional probability table for the vulnerability node and the security setting node. A conditional probability table 2501 in this case is illustrated in FIG. FIG. 26 is a diagram illustrating an example of the conditional probability table 2501 of the node 2321 representing “vulnerability 4”. 24 has a node 2302 of “device A” and a node 2322 of “device B” as parent nodes, so that the combination of the states of the parent node is 2 2 Conditional probabilities are set for multiplication, that is, four ways.

  In the present embodiment, the values of the vulnerability attack probability 1103 (vulnerability information table 830) of the corresponding vulnerability and the security setting attack probability 1202 (security setting information table 840) of the corresponding security setting are used as the conditional probabilities described above. If any parent node is hijacked, the same attack probability 1103 or 1202 is always set. For example, when the vulnerability attack probability 1103 of “vulnerability 4” is “0.8”, the conditional probability 2502 when “device A” or “device B” is hijacked is “0.8”. It becomes. Further, the conditional probability 2503 when “device A” and “device B” are not hijacked is “0.0”.

Next, the risk value calculation processing unit 608 executes probability inference using a Bayesian network inference program, and calculates the probability that each vulnerability is attacked and the probability that each device is infringed (1806). A Bayesian network is a technique for calculating a peripheral probability (a general probability without a precondition) of a state taken by each node from an acyclic directed graph and a conditional probability table. In addition, as a method of probability inference in a Bayesian network, a generally known method is adopted, and there is no limitation. In probability inference using a Bayesian network, as a result, the peripheral probabilities of all nodes constituting the acyclic directed graph are obtained.

  Next, risk assessment model detailing processing (1807) executed by the risk assessment model detailing processing unit 606 will be described. FIG. 27 shows a flow example of this risk evaluation model detailing process. In this case, the risk evaluation model detailing processing unit 606 is more detailed in a predetermined area including nodes whose risk is higher than a predetermined standard in the simple risk evaluation model constructed in the above-described risk assessment model construction processing (1804). A more detailed risk evaluation model, that is, a detailed risk evaluation model, is constructed by adding a node representing a state and correcting the connection relationship by the arc.

  Vulnerability information that is publicly disclosed includes information that is commonly included in all public information, while detailed information is disclosed only for high-risk vulnerabilities that have a large impact There is. As in this embodiment, detailed information included only in some public information is compared with a homogeneous risk evaluation graph by partially refining only around a specific node with a risk value equal to or greater than a predetermined standard. It is possible to effectively use it, and it is possible to realize risk assessment with higher accuracy. In addition, by limiting the construction of detailed risk assessment models only to areas where the risk value is higher than the predetermined standard and requires more detailed analysis, the increase in the number of nodes in the risk assessment model is suppressed, and the risk value calculation speed is increased. Can be realized.

  In this risk evaluation model detailing process (1807), the risk evaluation model detailing processing unit 606 first lists device nodes having a risk value higher than a predetermined standard (2601). In the listing process (2601), as a result of the risk value calculation (1806) described above, the device nodes exceeding a certain value are listed based on the probability that each device obtained is infringed. The risk evaluation model detailing processing unit 606 executes the following steps 2602 to 2605 for all the device nodes “e” listed by the listing process 2601.

  First, the risk evaluation model detailing processing unit 606 uses the above-described node of the device “e” whose risk value is higher than a predetermined reference and the arc connected to the node of the device “e” as a simple risk evaluation model. Are all deleted in the directed acyclic graph 2300 (2602).

  Next, the risk evaluation model detailing processing unit 606 executes the device status node addition processing (2603) of the device “e”. FIG. 28 shows a flow of processing for adding the device status node of the device “e”. In the additional processing (2603) illustrated in the flow of FIG. 28, the risk evaluation model detailing processing unit 606 executes Steps 2701 to 2703 for all the vulnerabilities “ve” possessed by the device “e”.

  In this case, the risk evaluation model detailing processing unit 606 refers to the vulnerability attack post-status 1106 in the vulnerability information table 830 and arranges it on the detailed risk evaluation model (FIG. 29) as the device status of the corresponding device “e”. . However, the same device state node that is already arranged is not duplicated. In the example of the detailed risk evaluation model 2800 shown in FIG. 29, the device state node 2801 is arranged.

Next, the risk evaluation model detailing processing unit 606 connects the arc from the vulnerability node “ve” to the device state node of the device “e” corresponding to the vulnerability attack post-status 1106 of the vulnerability information table 830. In the example of the detailed risk evaluation model 2800 shown in FIG. 29, for example, the arc 2802 is connected so as to connect the node 2801 of “device A” and the node 2805 of “vulnerability 1”.

  Next, the risk evaluation model detailing processing unit 606 executes the following steps 2704 to 2706 for all the security setting holes “se” held by the device “e”. In this case, first, the risk evaluation model detailing processing unit 606 refers to the security setting attack post-event state 1205 of the security setting information table 840 and places it on the acyclic directed graph 2800 as the detailed risk evaluation model as the device state of the device “e”. To do. However, the same device state node that is already arranged is not duplicated.

  Next, the risk evaluation model detailing processing unit 606 connects the arc from the security setting node “se” to the device status node of the device “e” corresponding to the security setting attack post-status 1205 of the security setting information table 840.

  Returning to the description of the flow in FIG. Following the above-described step 2603, the risk evaluation model detailing processing unit 606 connects the arc to the child node of the device “e” (2604). In step 2604, the risk evaluation model detailing processing unit 606 refers to the vulnerability attack precondition state 1105 of the vulnerability information table 830 and the security setting attack precondition state 1204 of the security setting information table 840 for all child nodes, The arc is connected from the device state node of the device “e” that matches the preconditions 1105 and 1204 to the child node. In the example of the acyclic directed graph 2800 as the detailed risk evaluation model in FIG. 29, the node 2806 of “Vulnerability 4” has “State β” as the vulnerability attack premise state 1105, so that the arc 2803 is connected. It becomes.

  Next, the risk evaluation model detailing processing unit 606 connects the arcs of the upper and lower relations of the device state nodes (2605). In this step 2605, the risk evaluation model detailing processing unit 606 refers to the upper state ID 1302 and the lower state ID list 1303 of the state definition table 850, and becomes the upper device in the device state node of the device “e”. Connect the arc from the state node to the lower device state node. In the example of the acyclic directed graph 2800, which is the detailed risk evaluation model in FIG. 29, since “state α” is higher than “state β” in the tree structure represented by the state definition table 850, between the corresponding node 2801 and the node 2807 , Arc 2804 is connected. As described above, by connecting the nodes of the device states with arcs based on the inclusion relationship of the device states, the device states having the inclusion relationship can be appropriately expressed. For example, in a configuration in which two device states such as “a state where ROOT authority has been taken” and “a state where LOCALUSER authority has been taken” can be assumed, if “ROOT authority” is taken, “root authority” Naturally, the “LOCALUSER authority” that can be freely controlled has a relationship of “taken state”, and the inclusion relation of the above state can be expressed.

  In the present embodiment, after the above-described risk evaluation model detailing process (1807) is completed, the probability that each device is infringed is calculated again from the vulnerability of the entire system and the distribution of security setting holes. That is, the conditional probability table setting processing unit 607 of the risk evaluation server 107 resets the conditional probability table for each node of the acyclic directed graph 2800 that is the detailed risk evaluation model (1808).

In such a conditional probability table setting process (1808), the conditional probability table setting processing unit 607 determines whether or not the state that each device state node of the acyclic directed graph 2800 can take is captured until it falls into the device state. Set in binary. In this case, the conditional probability table setting processing unit 607 sets the conditional probability table 2901 illustrated in FIG. 30 for the device state node. FIG. 30 is a diagram illustrating an example of a conditional probability table 2901 of a node representing “device state β” of “device A”. In the example of the conditional probability table 2901 in FIG. 29, “device state β” of “device A” is the parent device of “device state α” of “device A”, “vulnerability 1” node, and “security setting 1”. Therefore, the conditional probability is set for 2 to the third power, that is, eight ways as a combination of the states of the parent node. The setting method of the conditional probability 2902 when the upper state “state α” is not captured is the same as that of the conditional probabilities 2402, 2403, and 2404 in the conditional probability table setting process (1805). Description is omitted. The conditional probability 2903 when the upper state “state α” has been captured is “1.0”.

  Next, the conditional probability table setting processing unit 607 sets the conditional probability table 3001 illustrated in FIG. 31 for the vulnerability node and the security setting node on the acyclic directed graph 2300 that is the detailed risk evaluation model. FIG. 31 is a diagram illustrating an example of a conditional probability table 3001 of a node representing “vulnerability 4” after the risk evaluation model detailing process. In the example of the conditional probability table 3001 in FIG. 31, the node of “vulnerability 4” has a node of “device state β” of “device A” and a node of “device B” as parent nodes. Conditional probabilities are set for the square of 2, that is, four ways, as combinations of states of the nodes.

  In this embodiment, as the conditional probabilities to be set, the vulnerability attack probability 1103 (vulnerability information table 830) of the vulnerability node in the acyclic directed graph 2300 and the security setting attack probability 1202 (security setting information table 840) of the security setting node. ), And the attack probability 1103 or 1202 is always set when any of the parent nodes is hijacked or taken over.

  Next, the risk value calculation processing unit 608 of the risk evaluation server 107 executes probability inference using the Bayesian network again, as in step 1806 described above, and the probability that each vulnerability is attacked and each device are infringed. The probability is calculated (1809).

  Further, the vulnerability risk display processing unit 604 of the risk evaluation server 107 generates the above-described detailed risk evaluation model, that is, the screen data in which the acyclic directed graph 2800 is set as a result of such a series of processing, and transmits this to the client 106. To do. FIG. 32 shows an example of the vulnerability risk display screen 3101 displayed to the user by the client 106 that has received the above screen data. In the example of FIG. 32, the above-described acyclic directed graph 2800 is set and displayed as a diagram in the area 12502 on the vulnerability risk display screen 3101.

  Further, the vulnerability risk display processing unit 604 lists the probability of falling into the device state calculated for each device in the risk value calculation (1809) described above and displays it on the vulnerability risk display screen 3101 as an infringement probability 3103. Note that for a device that can take a plurality of device states, the vulnerability risk display processing unit 604 adds all the infringement probabilities 3103 by the probability addition theorem, and the infringement probability 3014 gives the total value on the vulnerability risk display screen 3101. indicate. Further, the vulnerability risk display processing unit 604 displays the CIA requirement 1006 of the device information table 810 on the vulnerability risk display screen 3101 as the CIA requirement 3105 in association with the device ID 1001. Further, the vulnerability risk display processing unit 604 associates the vulnerability ID 1101 with the vulnerability ID 1101, lists the probabilities that the vulnerability is infringed obtained by the risk value calculation (1809) for each vulnerability, and displays the vulnerability as an infringement probability 3106. Displayed on the sex risk display screen 3101.

As described above, the risk value based on the system configuration and network topology of the device that constitutes the evaluation target system is calculated by constructing the relationship between the vulnerability and the security setting and the device as an acyclic directed graph. Is possible. Further, the risk evaluation server 107 displays the above-described vulnerability risk display screen 3101 on the client 106, so that a system administrator or the like who views the screen displays, for example, the infringement probabilities 3103, 3104, 3106.
Therefore, it is possible to quickly grasp the current system situation and easily understand the priority of the vulnerability to be dealt with, so that it is possible to effectively deal with the vulnerability.

  In addition, this invention is not limited to an above-described Example, Various modifications are included. For example, the above-described embodiments have been described in detail for easy understanding of the present invention, and are not necessarily limited to those having all the configurations described. Further, a part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. Further, it is possible to add, delete, and replace other configurations for a part of the configuration of each embodiment.

  Each of the above-described configurations, functions, processing units, processing means, and the like may be realized by hardware by designing a part or all of them with, for example, an integrated circuit. Each of the above-described configurations, functions, and the like may be realized by software by interpreting and executing a program that realizes each function by the processor. Information such as programs, tables, and files for realizing each function can be stored in a memory, a hard disk, a recording device such as an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.

  Further, the control lines and information lines indicate what is considered necessary for the explanation, and not all the control lines and information lines on the product are necessarily shown. Actually, it may be considered that almost all the components are connected to each other.

  Although the best mode for carrying out the present invention has been specifically described above, the present invention is not limited to this, and various modifications can be made without departing from the scope of the invention.

  According to this embodiment, for the system administrator who operates the system and the engineer (SE) who developed the business system, the causal relationship between vulnerability and risk, based on the security settings and the state before and after the attack, etc. On the other hand, the priority of security measures, CIA requirements of each device, etc. can be presented in an easy-to-understand manner, and the system administrator can support the necessity and importance of security measures.

  Therefore, it is possible to evaluate the vulnerability risk based on the system configuration and topology in addition to the technical characteristics of each vulnerability, and perform highly effective risk evaluation corresponding to the actual system situation.

  At least the following will be clarified by the description of the present specification. That is, in the risk evaluation system according to the present embodiment, the arithmetic device applies each information of the device, the network, the vulnerability, and the security setting to a predetermined algorithm based on graph theory, so that A non-circular directed graph that prescribes the impact relationship between vulnerability and security settings according to the arrangement of each device is created as the risk assessment model, and the non-circular directed graph is applied to the inference algorithm of the Bayesian network, The risk caused by the vulnerability may be evaluated, and the evaluation result may be output to a predetermined device.

  According to this, for example, an acyclic directed graph that prescribes the impact propagation of vulnerabilities according to device placement in a network including a large number of devices without any contradiction, taking into account the security settings of each device, is used as a risk evaluation model. By evaluating based on the concept of the network, it becomes possible to perform a highly effective risk evaluation corresponding to a more realistic system situation.

Further, in the risk evaluation system of the present embodiment, the arithmetic device applies each information of the device, the network, the vulnerability, and the security setting to a predetermined algorithm based on graph theory, and the device, Based on the network configuration of the target system indicated by the network information with the vulnerability and the security setting as a node, the acyclic directed graph in which the device and the vulnerability and the security setting are connected by an arc, Created as a simple risk evaluation model as a risk evaluation model, applying the acyclic directed graph to the inference algorithm of the Bayesian network, evaluating the risk caused by the vulnerability of the target system, and outputting the evaluation result to a predetermined device It is good also as.

  According to this, a directed acyclic graph as a risk evaluation model can be created more efficiently, and as a result, a highly effective risk evaluation corresponding to a more actual system situation can be made efficient.

  Further, in the risk evaluation system of the present embodiment, the arithmetic device applies each information of the device, the network, the vulnerability, and the security setting to a predetermined algorithm based on graph theory, and the device, Based on the network configuration of the target system indicated by the network information with the vulnerability and the security setting as a node, the acyclic directed graph in which the device and the vulnerability and the security setting are connected by an arc, When creating a simple risk assessment model that is a risk assessment model, the designated device as the attack source is the highest node, and each device is assigned according to the number of hops until the attack reaches the other devices from the given device at the attack source. Divide the level and connect the arc only from the upper level equipment to the lower level equipment. Based on the constraints, create the acyclic directed graph, apply the acyclic directed graph to the inference algorithm of the Bayesian network, evaluate the risk caused by the vulnerability of the target system, and output the evaluation result to a predetermined device It is good also as what to do.

  According to this, for example, the propagation of vulnerability impacts according to device placement in a network that includes a large number of devices is more efficiently and consistently considered, taking into account the placement of the attacking device and the security settings of each device. By creating a directed acyclic graph and evaluating it based on the concept of a Bayesian network, it is possible to perform a highly effective risk evaluation corresponding to a more actual system situation.

  Further, in the risk evaluation system of the present embodiment, the storage device further stores the state definition of the device in the database, and the arithmetic device includes the device, the network, the vulnerability, and the Applying each information of security setting to a predetermined algorithm based on graph theory, using the device, the vulnerability, and the security setting as nodes, and based on the network configuration of the target system indicated by the network information, the device When creating an acyclic directed graph in which arcs are connected between the vulnerability and the security setting as the risk assessment model, the device state of the device is defined in the storage device. Instead of a device node, a node for each device status of the device is placed A directed acyclic graph in which the nodes of the device state, the vulnerability, and the security setting are connected by an arc as a detailed risk evaluation model as the risk evaluation model, and the acyclic directed graph is an inference algorithm of a Bayesian network It is good also as applying to and evaluating the risk which the vulnerability of the said target system brings, and outputting the said evaluation result to a predetermined apparatus.

According to this, based on the hierarchical structure of management authority between users in each device, etc., a state that changes with an attack on the device, etc. By creating a non-circular directed graph that prescribes more efficiently and consistently, and further evaluates this based on the concept of Bayesian network. Highly effective risk assessment corresponding to the actual system situation becomes possible.

  Further, in the risk evaluation system of the present embodiment, the storage device further stores the state definition of the device in the database, and the arithmetic device includes the device, the network, the vulnerability, and the Applying each information of security setting to a predetermined algorithm based on graph theory, using the device, the vulnerability, and the security setting as nodes, and based on the network configuration of the target system indicated by the network information, the device A non-circular directed graph in which arcs are connected between the vulnerability and the security setting as a simple risk evaluation model as the risk evaluation model, and the simple risk evaluation model is a predetermined risk evaluation model corresponding to the risk evaluation model. Applied to the inference algorithm, the target system If the risk value obtained by the evaluation is a device whose risk value is equal to or higher than a predetermined standard and the device state is defined in the storage device, instead of the device node, Create a non-circular directed graph as a detailed risk evaluation model as the risk evaluation model by placing nodes for each device state of the corresponding device and connecting each node of the device state with the vulnerability and the security setting with an arc. The acyclic directed graph may be applied to an inference algorithm of a Bayesian network to evaluate a risk caused by the vulnerability of the target system and output the evaluation result to a predetermined device.

  According to this, for devices that require special attention due to high risk, the status that changes with an attack on the devices based on the hierarchical structure of administrative authority among users in each device (eg, administrator) If the state where the authority is set is hijacked, the general user authority granted with the administrator authority will also be hijacked), creating an acyclic directed graph that prescribes more efficiently and consistently, Is evaluated based on the concept of a Bayesian network, and a highly effective risk evaluation corresponding to a more actual system situation becomes possible.

  In the risk evaluation system of the present embodiment, the storage device further stores definitions of device states before and after an attack on the device in the database, and the arithmetic device includes the device and the network. The network of the target system indicated by the network information, wherein each information of the vulnerability and the security setting is applied to a predetermined algorithm based on graph theory and the device, the vulnerability, and the security setting are used as nodes. Based on the configuration, when creating the acyclic directed graph in which the device and the vulnerability and the security setting are connected by an arc as the risk evaluation model, the device state of the device is defined in the storage device Device, instead of the device node, the corresponding device A non-circular directed graph in which nodes of each device state are arranged, nodes between the device state and the vulnerability and the security setting are connected by an arc, and the device states are connected by an arc based on the relationship before and after the attack. Is created as a detailed risk assessment model as the risk assessment model, the acyclic directed graph is applied to an inference algorithm of a Bayesian network, the risk caused by the vulnerability of the target system is evaluated, and the evaluation result is sent to a predetermined device. It is good also as what is output.

  According to this, based on the hierarchical structure of the management authority between users in each device, the relationship between the states that change with the attack on the device (for example, the administrator when hijacking the state where the administrator authority is set) By creating a non-circular directed graph that prescribes more efficiently and without contradiction, and evaluates this based on the concept of Bayesian network. Therefore, it is possible to perform a highly effective risk evaluation corresponding to the actual system situation.

Further, in the risk evaluation method of the present embodiment, the information processing system applies each piece of information on the device, the network, the vulnerability, and the security setting to a predetermined algorithm based on graph theory on the network. Creating a non-circular directed graph that prescribes the influence relationship between vulnerability and security settings according to the arrangement of each of the devices as the risk assessment model, applying the non-circular directed graph to a Bayesian network inference algorithm, and It is also possible to evaluate a risk caused by the vulnerability and output the evaluation result to a predetermined device.

  In the risk evaluation method of the present embodiment, the information processing system applies each piece of information on the device, the network, the vulnerability, and the security setting to a predetermined algorithm based on graph theory, Based on the network configuration of the target system indicated by the network information with the vulnerability and the security setting as a node, an acyclic directed graph in which the device and the vulnerability and the security setting are connected by an arc, Create a simple risk evaluation model as the risk evaluation model, apply the acyclic directed graph to a Bayesian network inference algorithm, evaluate the risk posed by the vulnerability of the target system, and output the evaluation result to a predetermined device It is good also as.

  In the risk evaluation method of the present embodiment, the information processing system applies each piece of information on the device, the network, the vulnerability, and the security setting to a predetermined algorithm based on graph theory, Based on the network configuration of the target system indicated by the network information with the vulnerability and the security setting as a node, an acyclic directed graph in which the device and the vulnerability and the security setting are connected by an arc, When creating a simple risk assessment model as the risk assessment model, a predetermined device as an attack source is a top-level node, and each device according to the number of hops until an attack reaches each other device from the predetermined device of the attack source Level, and connect the arc only from the upper level equipment to the lower level equipment. The acyclic directed graph is created based on the constraints to be applied, and the acyclic directed graph is applied to an inference algorithm of the Bayesian network to evaluate the risk caused by the vulnerability of the target system, and the evaluation result is sent to a predetermined device. May be output.

  Further, in the risk evaluation method of the present embodiment, the information processing system further stores the state definition of the device in the database of the storage device, and stores the device, the network, the vulnerability, and the security setting. Each information is applied to a predetermined algorithm based on graph theory, and the device, the vulnerability, and the security setting are used as nodes, and the device and the vulnerability are based on the network configuration of the target system indicated by the network information. When creating a non-circular directed graph in which an arc is connected between the security setting and the security setting as the risk assessment model, the device state of the device is defined in the storage device. Instead of each device status node of the corresponding device, The acyclic directed graph in which the nodes of the state, the vulnerability, and the security setting are connected by an arc is created as a detailed risk assessment model as the risk assessment model, and the acyclic directed graph is applied to an inference algorithm of a Bayesian network. Then, the risk caused by the vulnerability of the target system may be evaluated, and the evaluation result may be output to a predetermined device.

Further, in the risk evaluation method of the present embodiment, the information processing system further stores the state definition of the device in the database of the storage device, and stores the device, the network, the vulnerability, and the security setting. Each information is applied to a predetermined algorithm based on graph theory, and the device, the vulnerability, and the security setting are used as nodes, and the device and the vulnerability are based on the network configuration of the target system indicated by the network information. A non-circular directed graph in which an arc is connected between the security setting and the security setting as a simple risk evaluation model as the risk evaluation model, and the simple risk evaluation model is converted into a predetermined inference algorithm corresponding to the risk evaluation model. Apply and vulnerability in the target system Assessing the risk to be brought, and for those devices whose risk value obtained by the evaluation is equal to or higher than a predetermined standard and whose device state is defined in the storage device, each of the corresponding device is replaced with the device node. A non-circular directed graph in which nodes of the device state are arranged and the nodes of the device state and the vulnerability and the security setting are connected by an arc is created as a detailed risk evaluation model as the risk evaluation model, and the non-circularity The directed graph may be applied to an inference algorithm of a Bayesian network, a risk caused by the vulnerability of the target system may be evaluated, and the evaluation result may be output to a predetermined device.

  Further, in the risk evaluation method of the present embodiment, the information processing system further stores definitions of each device state before and after an attack on the device in the database of the storage device, and the device, the network, and the vulnerability Each information of the security and the security setting is applied to a predetermined algorithm based on graph theory, and the device, the vulnerability, and the security setting are used as nodes, and based on the network configuration of the target system indicated by the network information Then, when creating the acyclic directed graph in which the device and the vulnerability and the security setting are connected by an arc as the risk evaluation model, the device state of the device is defined in the storage device For each item, instead of the device node, A non-circular directed graph in which each node of the device status and the vulnerability and the security setting is connected by an arc, and the device status is connected by an arc based on the relationship before and after the attack, Create a detailed risk evaluation model as a risk evaluation model, apply the acyclic directed graph to a Bayesian network inference algorithm, evaluate the risk caused by the vulnerability of the target system, and output the evaluation result to a predetermined device. It is good.

DESCRIPTION OF SYMBOLS 10 Risk evaluation system 101 Managed apparatus 102 Network 103 Information collection server 104 Security knowledge provision organization server 105 Database 106 Client 107 Risk evaluation server (Minimum configuration of risk evaluation system)
702 CPU (arithmetic unit)
703 Memory 704 External storage device (storage device)
705 Transmission / reception device 706 Output device 707 Input device 710 Program 800 User information table 810 Network information table 820 Device information table 830 Vulnerability information table 840 Security setting information table 850 State definition table 2300 Simple risk evaluation model (acyclic directed graph)
2301 Attack source node 2302 Equipment node 2303 Vulnerability node 2304 Security setting node 2401 Conditional probability table 2800 Detailed risk assessment model (acyclic directed graph)
2801 Device status node

Claims (10)

A storage device that holds a database that correlates each piece of information on devices, networks, vulnerabilities related to the devices, and security settings that constitute a target system for risk assessment;
By applying each information of the device, the network, the vulnerability, and the security setting to a predetermined algorithm based on graph theory, the influence relationship of the vulnerability and the security setting according to the arrangement of each device on the network As a simple risk evaluation model that is a risk evaluation model to be defined , the device, the vulnerability, and the security setting are nodes, and the device, the vulnerability, and the vulnerability are based on a network configuration of the target system indicated by the network information. Create an acyclic directed graph connecting the security settings with an arc, apply the acyclic directed graph to the inference algorithm of the Bayesian network, evaluate the risk posed by the vulnerability of the target system, and An arithmetic device for outputting to a predetermined device ;
A risk assessment system characterized by comprising: The arithmetic unit is
When creating the acyclic directed graph as a simple risk evaluation model that is the risk evaluation model, a predetermined device as an attack source is a top node, and a hop until an attack reaches the other devices from the predetermined device of the attack source Each device is divided into levels according to the number, and the acyclic directed graph is created based on the constraint condition that the arc is connected only from the upper level device to the lower level device, and the acyclic directed graph is inferred from the Bayesian network To evaluate the risk posed by the vulnerability of the target system, and output the evaluation result to a predetermined device,
The risk evaluation system according to claim 1, wherein: The storage device
In the database, further storing the state definition of the device,
The arithmetic unit is
When creating the acyclic directed graph as the risk assessment model, for each device whose device state is defined in the storage device, instead of the device node, each device state node of the device A non-circular directed graph in which the nodes of the device state, the vulnerability, and the security setting are connected by an arc is created as a detailed risk evaluation model as the risk evaluation model, and the non-circular directed graph is created as a Bayesian network. Is applied to the inference algorithm, and the risk caused by the vulnerability of the target system is evaluated, and the evaluation result is output to a predetermined device.
The risk evaluation system according to claim 1, wherein: The storage device
In the database, further storing the state definition of the device,
The arithmetic unit is
Said a directed acyclic graph, created as the risk assessment model serving as a simple risk assessment model,
The simple risk evaluation model is applied to a predetermined inference algorithm corresponding to the risk evaluation model, the risk caused by the vulnerability in the target system is evaluated, and the risk value obtained by the evaluation is equal to or higher than a predetermined standard For each of the device states defined in the storage device, instead of the device node, each device state node of the corresponding device is arranged, and the device state, the vulnerability, and the security setting A directed acyclic graph in which nodes are connected by arcs is created as a detailed risk assessment model as the risk assessment model, and the acyclic directed graph is applied to a Bayesian network inference algorithm, resulting in the vulnerability of the target system The risk is evaluated and the evaluation result is output to a predetermined device.
The risk evaluation system according to claim 1, wherein: The storage device
The database further stores definitions of each device state before and after an attack on the device,
The arithmetic unit is
When creating the acyclic directed graph as the risk assessment model, for each device whose device state is defined in the storage device, instead of the device node, each device state node of the device A non-circular directed graph in which each node of the device status and the vulnerability and the security setting is connected by an arc and the device status is connected by an arc based on a relationship before and after the attack, the risk evaluation Created as a detailed risk evaluation model, applying the acyclic directed graph to the inference algorithm of the Bayesian network, evaluating the risk caused by the vulnerability of the target system, and outputting the evaluation result to a predetermined device ,
The risk evaluation system according to claim 1, wherein: An information processing system comprising a storage device that holds a database that associates information on devices, networks, vulnerabilities related to the devices, and security settings that constitute a target system for risk assessment,
By applying each information of the device, the network, the vulnerability, and the security setting to a predetermined algorithm based on graph theory, the influence relationship of the vulnerability and the security setting according to the arrangement of each device on the network As a simple risk evaluation model that is a risk evaluation model to be defined , the device, the vulnerability, and the security setting are nodes, and the device, the vulnerability, and the vulnerability are based on a network configuration of the target system indicated by the network information. Create an acyclic directed graph connecting the security settings with an arc, apply the acyclic directed graph to the inference algorithm of the Bayesian network, evaluate the risk posed by the vulnerability of the target system, and Output to a given device ,
Risk assessment method characterized by this. The information processing system is
When creating the acyclic directed graph as a simple risk evaluation model that is the risk evaluation model, a predetermined device as an attack source is a top node, and a hop until an attack reaches the other devices from the predetermined device of the attack source Each device is divided into levels according to the number, and the acyclic directed graph is created based on the constraint condition that the arc is connected only from the upper level device to the lower level device, and the acyclic directed graph is inferred from the Bayesian network To evaluate the risk caused by the vulnerability of the target system, and output the evaluation result to a predetermined device,
The risk evaluation method according to claim 6. The information processing system is
In the database of the storage device, further storing the state definition of the device,
When creating the acyclic directed graph as the risk assessment model, for each device whose device state is defined in the storage device, instead of the device node, each device state node of the device A non-circular directed graph in which the nodes of the device state, the vulnerability and the security setting are connected by an arc is created as a detailed risk evaluation model as the risk evaluation model, and the non-circular directed graph is created as a Bayesian network Is applied to the inference algorithm, and the risk caused by the vulnerability of the target system is evaluated, and the evaluation result is output to a predetermined device.
The risk evaluation method according to claim 6. The information processing system is
In the database of the storage device, further storing the state definition of the device,
Said a directed acyclic graph, created as the risk assessment model serving as a simple risk assessment model,
The simple risk evaluation model is applied to a predetermined inference algorithm corresponding to the risk evaluation model, the risk caused by the vulnerability in the target system is evaluated, and the risk value obtained by the evaluation is equal to or higher than a predetermined standard For each of the device states defined in the storage device, instead of the device node, each device state node of the corresponding device is arranged, and the device state, the vulnerability, and the security setting A directed acyclic graph in which nodes are connected by arcs is created as a detailed risk assessment model as the risk assessment model, and the acyclic directed graph is applied to a Bayesian network inference algorithm, resulting in the vulnerability of the target system Assess the risk and output the assessment result to a given device;
The risk evaluation method according to claim 6. The information processing system is
In the database of the storage device, further stores the definition of each device state before and after the attack on the device,
When creating the acyclic directed graph as the risk assessment model, for each device whose device state is defined in the storage device, instead of the device node, each device state node of the device A non-circular directed graph in which each node of the device status and the vulnerability and the security setting is connected by an arc and the device status is connected by an arc based on a relationship before and after the attack, the risk evaluation Create a detailed risk evaluation model as a model, apply the acyclic directed graph to the inference algorithm of the Bayesian network, evaluate the risk caused by the vulnerability of the target system, and output the evaluation result to a predetermined device.
The risk evaluation method according to claim 6.