WO2022102110A1 - Falsification detection device, falsification detection method, and falsification detection program - Google Patents


Info

Publication number
WO2022102110A1
Authority
WO
WIPO (PCT)
Prior art keywords
file
unit
scan order
monitored device
scan
Application number
PCT/JP2020/042534
Other languages
French (fr)
Japanese (ja)
Inventor
真奈美 伊藤
友貴 山中
亮太 佐藤
良彰 中嶋
伸浩 千葉
浩義 瀧口
Original Assignee
日本電信電話株式会社

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures
    • G06F21/56: Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/60: Protecting data
    • G06F21/64: Protecting data integrity, e.g. using checksums, certificates or signatures

Definitions

  • the present invention relates to a falsification detection device, a falsification detection method, and a falsification detection program.
  • the cyclic scan is a scan method in which all files are scanned in order based on the file list, and all files can be reliably monitored.
  • on-access scanning is a scanning method that detects file access, hooks the access, scans the file, and permits access if it has not been tampered with (see, for example, Patent Documents 1 to 3).
  • Random scan is a scan method that randomly generates the scan order of all files.
  • on-access scan can reliably monitor all files, but since access to files is hooked once, the effect on the operation of the monitored device tends to increase. Also, in a random scan, the files to be scanned are completely random, so there is no guarantee that all files will be monitored reliably.
  • the tampering detection device has an acquisition unit that acquires predetermined information from the monitored device, a determination unit that determines, from the information acquired by the acquisition unit, the scan order of files of the monitored device, a transmission unit that transmits the scan order determined by the determination unit to the monitored device, and a verification unit that verifies, using a digest of the file generated by the monitored device based on the scan order, whether or not the file has been tampered with.
  • the tampering detection method is a method executed by a tampering detection device and includes an acquisition process of acquiring predetermined information from a monitored device; the subsequent processing is based on the information acquired in that acquisition process.
  • the tampering detection program has an acquisition step of acquiring predetermined information from the monitored device, a determination step of determining a scan order of files of the monitored device from the information acquired in the acquisition step, a transmission step of transmitting the scan order determined in the determination step to the monitored device, and a verification step of verifying, using a digest of the file generated by the monitored device based on the scan order, whether or not the file has been tampered with. The program causes a computer to execute these steps.
  • the present invention can optimally and comprehensively monitor all files in software tampering detection.
  • FIG. 1 is a diagram showing an example of a falsification detection system according to the first embodiment.
  • FIG. 2 is a block diagram showing a configuration example of the falsification detection device according to the first embodiment.
  • FIG. 3 is a block diagram showing a configuration example of the monitored device according to the first embodiment.
  • FIG. 4 is a flowchart showing an example of the flow of the falsification detection process according to the first embodiment.
  • FIG. 5 is a flowchart showing an example of the flow of calculation processing according to the first embodiment.
  • FIG. 6 is a diagram showing a computer that executes a program.
  • the falsification detection system 100 includes a falsification detection device 10 such as a server and a monitored device 20 such as various terminals.
  • the falsification detection device 10 and the monitored device 20 are connected so as to be communicable by wire or wirelessly via a predetermined communication network (not shown).
  • the falsification detection system 100 shown in FIG. 1 may include a plurality of falsification detection devices 10 and a plurality of monitored devices 20.
  • the monitored device 20 transmits information for determining the optimum scanning order to the falsification detection device 10 (step S1).
  • the information for determining the optimum scan order includes, for example, information on the inside of the monitored device (hereinafter "monitored device information") and information on the importance of files (hereinafter "file importance information").
  • the monitored device information is information on the resources of the monitored device, for example CPU processing speed, memory capacity, and storage capacity, but is not particularly limited. The monitored device information also includes basic information on the files stored in the monitored device, for example file type, data size, and number of files, but is not particularly limited.
  • the file importance information is information related to the importance of the file stored in the monitored device, for example, the number of accesses and the access frequency for each file, the access source, the type of flag setting related to the importance of the file, and the like.
  • the file importance information may also include information such as the scan frequency that minimizes the sum of the expected values (hereinafter simply "expected values") of the time from an access to a file until the scan of that file is executed, but is not particularly limited.
  • the falsification detection device 10 determines the optimum scan order based on the acquired information (step S2).
  • the scan order indicates the order in which the monitored device 20 processes the group of files stored in the monitored device 20 so that a digest of each file (hereinafter "file digest") is generated at least once.
  • the digest of the file generated by the monitored device 20 is data or the like generated by using hash calculation or the like, but is not particularly limited.
  • the tampering detection device 10 can also determine the scan order that does not include a specific file by static or dynamic settings.
  • the falsification detection device 10 can determine the scan order based on the file importance information. For example, the falsification detection device 10 can determine the scan order so that files with a high number of accesses, or files flagged as important by the file creator, are scanned preferentially. Determination of the scan order based on the scan frequency that minimizes the sum of the expected values of time is described later in the flow of the calculation process.
  • the falsification detection device 10 transmits the determined scan order to the monitored device 20 (step S3). Then, the monitored device 20 generates a digest of the file according to the acquired scan order (step S4). Further, the monitored device 20 transmits a digest of the generated file to the falsification detection device 10 (step S5).
  • the tampering detection device 10 verifies whether or not the file has been tampered with based on the digest of the acquired file (step S6). At this time, the tampering detection device 10 compares the digest of the correct file stored in the tampering detection device 10 with the digest of the acquired file, and determines that the file has been tampered with if the digests differ.
  • the optimum scan order is determined while taking into account the information inside the monitored device. Therefore, on a device with limited available CPU and memory resources, software tampering can be detected with high probability while keeping the resources used low.
  • the importance of each file is estimated from the file access frequency, and the optimum scan order for reducing the expected value of the time from the tampering of the software until its detection is determined. Therefore, in the present system 100, when the access frequency is proportional to the likelihood of tampering, the time from tampering until detection can be shortened as much as possible.
  • FIG. 2 is a block diagram showing a configuration example of the falsification detection device according to the present embodiment.
  • the falsification detection device 10 includes an input unit 11, an output unit 12, a communication unit 13, a control unit 14, and a storage unit 15.
  • the input unit 11 controls the input of various information to the falsification detection device 10.
  • the input unit 11 is, for example, a mouse, a keyboard, or the like, and receives input of setting information or the like to the falsification detection device 10.
  • the output unit 12 controls the output of various information from the falsification detection device 10.
  • the output unit 12 is, for example, a display or the like, and outputs setting information or the like stored in the falsification detection device 10.
  • the communication unit 13 controls data communication with other devices. For example, the communication unit 13 performs data communication with each communication device. Further, the communication unit 13 can perform data communication with a terminal of an operator (not shown).
  • the storage unit 15 stores various information referred to when the control unit 14 operates and various information acquired when the control unit 14 operates.
  • the storage unit 15 includes a monitored device information storage unit 15a, a file importance information storage unit 15b, and a file digest storage unit 15c.
  • the storage unit 15 is, for example, a RAM (Random Access Memory), a semiconductor memory element such as a flash memory, or a storage device such as a hard disk or an optical disk.
  • the storage unit 15 is installed inside the falsification detection device 10, but it may instead be installed outside the falsification detection device 10, and a plurality of storage units may be installed.
  • the monitored device information storage unit 15a stores information for the determination unit 14c of the control unit 14 to determine the scan order.
  • the monitored device information storage unit 15a stores, for example, information on device resources such as CPU processing speed, memory capacity, and storage capacity, and basic information on the files stored in the monitored device such as file type, data size, and number of files.
  • the file importance information storage unit 15b stores information on the importance of files acquired by the acquisition unit 14a of the control unit 14. Further, the file importance information storage unit 15b stores the information calculated by the calculation unit 14b of the control unit 14. For example, the file importance information storage unit 15b stores the importance flag information for each file, the number of accesses, the access frequency, the access source, the calculated importance of the file, and the scan frequency that minimizes the sum of the expected values of time.
  • the file digest storage unit 15c stores information on the correct monitored files for the verification unit 14e of the control unit 14 to use when verifying tampering.
  • the file digest storage unit 15c stores a file digest generated based on a hash calculation from a regular file stored in the monitored device.
  • the control unit 14 controls the entire falsification detection device 10.
  • the control unit 14 includes an acquisition unit 14a, a calculation unit 14b, a determination unit 14c, a transmission unit 14d, and a verification unit 14e.
  • the control unit 14 is, for example, an electronic circuit such as a CPU or MPU (Micro Processing Unit) or an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or FPGA (Field Programmable Gate Array).
  • the acquisition unit 14a acquires predetermined information from the monitored device 20. For example, the acquisition unit 14a acquires the access frequency of the file of the monitored device 20. Further, the acquisition unit 14a acquires the monitored device information and the file importance information as information for determining the optimum scan order. Further, the acquisition unit 14a acquires a digest of the file generated by the monitored device 20.
  • the acquisition unit 14a stores the acquired monitored device information, such as the resources of the monitored device, in the monitored device information storage unit 15a. Further, the acquisition unit 14a stores the acquired file importance information, such as the access frequency, in the file importance information storage unit 15b. Further, the acquisition unit 14a passes the digest of the acquired file to the verification unit 14e.
  • the calculation unit 14b calculates the importance of the files of the monitored device 20 based on the access frequency of the files of the monitored device 20 acquired by the acquisition unit 14a. For example, the calculation unit 14b calculates, as the importance of a file of the monitored device 20, the scan frequency that minimizes the sum of the expected values of the time from when the file is accessed until its scan is executed. The calculation unit 14b then stores the calculated file importance information, such as the scan frequency, in the file importance information storage unit 15b.
  • the determination unit 14c determines the scan order of the files of the monitored device 20 from the information acquired by the acquisition unit 14a. Further, the determination unit 14c determines, as the scan order of the files of the monitored device 20, a scan order in which every file is included at least once. Further, the determination unit 14c determines the scan order based on the importance of the files of the monitored device 20 calculated by the calculation unit 14b. For example, the determination unit 14c determines the scan order by assigning to each file a number of scans corresponding to the scan frequency that minimizes the sum of the expected values of the time from file access to scan execution, that scan frequency being used as the importance of the file of the monitored device 20.
  • the determination unit 14c refers to the monitored device information stored in the monitored device information storage unit 15a. Further, the determination unit 14c refers to the file importance information stored in the file importance information storage unit 15b.
  • the transmission unit 14d transmits the scan order determined by the determination unit 14c to the monitored device 20. Further, the transmission unit 14d may transmit the presence or absence of falsification of the file verified by the verification unit 14e to the monitored device 20 or another terminal.
  • the verification unit 14e verifies whether or not the file has been tampered with by using the digest of the file generated by the monitored device 20 based on the scan order. At this time, the verification unit 14e refers to the file digest of the correct monitored file stored in the file digest storage unit 15c.
  • FIG. 3 is a block diagram showing a configuration example of the monitored device according to the present embodiment.
  • the monitored device 20 has an input unit 21, an output unit 22, a communication unit 23, a control unit 24, and a storage unit 25.
  • the input unit 21 controls the input of various information to the monitored device 20.
  • the input unit 21 is, for example, a mouse, a keyboard, or the like, and receives input of setting information or the like to the monitored device 20.
  • the output unit 22 controls the output of various information from the monitored device 20.
  • the output unit 22 is, for example, a display or the like, and outputs setting information or the like stored in the monitored device 20.
  • the communication unit 23 controls data communication with other devices. For example, the communication unit 23 performs data communication with each communication device. Further, the communication unit 23 can perform data communication with a terminal of an operator (not shown).
  • the storage unit 25 stores various information referred to when the control unit 24 operates and various information acquired when the control unit 24 operates.
  • the storage unit 25 has, for example, a monitored file storage unit 25a.
  • the storage unit 25 is, for example, a semiconductor memory element such as a RAM or a flash memory, or a storage device such as a hard disk or an optical disk.
  • the storage unit 25 is installed inside the monitored device 20, but it may instead be installed outside the monitored device 20, and a plurality of storage units may be installed.
  • the monitored file storage unit 25a stores a monitored file that may be accessed from the outside and may be tampered with.
  • the control unit 24 controls the entire monitored device 20.
  • the control unit 24 includes an acquisition unit 24a, a generation unit 24b, and a transmission unit 24c.
  • the control unit 24 is, for example, an electronic circuit such as a CPU or MPU, or an integrated circuit such as an ASIC or FPGA.
  • the acquisition unit 24a acquires the file scan order from the falsification detection device 10. Further, the acquisition unit 24a may acquire the presence or absence of falsification of the file verified by the falsification detection device 10.
  • the generation unit 24b generates a digest of the file according to the scan order of the file acquired from the falsification detection device 10. Further, the generation unit 24b may store the digest of the generated file in the storage unit 25.
  • the transmission unit 24c transmits a digest of the file generated by the generation unit 24b to the falsification detection device 10. Further, the transmission unit 24c may transmit the digest of the file to a terminal other than the falsification detection device 10.
  • the i-th file is represented as file i.
  • the falsification detection device 10 acquires in advance access logs for each of n files in the monitored device 20 for a certain period of time.
  • the access frequency Pa (i) of the file i is expressed as the equation (1).
  • Pa (i) differs depending on the setting method of important files. In this process, since it is assumed that an important file is a file that is frequently accessed, Pa (i) is given by Eq. (1).
  • Pc (i) is the frequency of appearance of the file i in the scan sequence.
  • the falsification detection device 10 calculates the Pc (i) that minimizes equation (3). In this process, the higher the access frequency of a file, the higher its scan frequency.
  • a scan end time T for all files is set, and the number of scans that fit in the remaining time (T minus the time required for one full cycle over all files) is divided among the files based on Pc (i).
  • the falsification detection device 10 may determine the scan order in which the files with the highest number of accesses in the past files are prioritized. That is, based on the number of accesses of each file, the number of scans may be assigned to each file, and the scan order for scanning all files at least once may be determined. Further, the falsification detection device 10 may determine the scan order in consideration of the access source as well as the number of accesses.
  • the falsification detection device 10 may determine the scan order in which the file having the flag setting regarding the importance by the file creator is prioritized. That is, a flag may be set according to the importance of the file, the number of scans may be assigned to each file based on the flag, and the scan order for scanning all files at least once may be determined.
  • FIG. 4 is a flowchart showing an example of the flow of the falsification detection process according to the first embodiment.
  • the acquisition unit 14a of the falsification detection device 10 acquires information from the monitored device 20 in order to determine the optimum scan order (step S101).
  • the acquisition unit 14a may acquire information from a device other than the monitored device 20. Further, the acquisition unit 14a may acquire the information directly input via the input unit 11.
  • the determination unit 14c determines the optimum scan order based on the information acquired from the monitored device 20 (step S102).
  • the calculation unit 14b may perform calculation processing of information necessary for the determination unit 14c to determine the scan order. Further, if the scan order created in advance exists, the determination unit 14c can also adopt the scan order. Further, when a plurality of scan orders can be determined, the determination unit 14c may adopt one from the scan order, or may adopt a plurality of scan orders.
  • the transmission unit 14d transmits the determined scan order to the monitored device 20 (step S103). At this time, the transmission unit 14d may transmit the scan order in bulk, or may transmit it one entry at a time. Further, the transmission unit 14d may transmit a plurality of scan sequences.
  • the acquisition unit 14a acquires a digest of the file generated and transmitted by the generation unit 24b of the monitored device 20 (step S104).
  • the verification unit 14e verifies whether or not the file has been tampered with based on the digest of the file acquired by the acquisition unit 14a (step S105), and the tampering detection process ends.
  • the transmission unit 14d may transmit the presence or absence of falsification of the file verified by the verification unit 14e to the monitored device 20 or another terminal.
  • FIG. 5 is a flowchart showing an example of the flow of calculation processing according to the first embodiment.
  • the acquisition unit 14a of the falsification detection device 10 acquires the access log of the file for a certain period in the monitored device 20 (step S201).
  • the acquisition unit 14a may acquire the access log from a device other than the monitored device 20. Further, the acquisition unit 14a may acquire the access log directly input via the input unit 11.
  • the calculation unit 14b calculates the scan frequency that minimizes the sum of the expected values of the time from tampering until scan execution over all files (step S202), determines the scan end time for all files (step S203), and calculates the number of possible scans within the time obtained by subtracting the time required for one full round of file scanning from the determined end time (step S204).
  • the order of processing in steps S202 to S204 is an example, and the calculation unit 14b may perform processing in a different order. Further, the calculation unit 14b may omit a part of the processing of steps S202 to S204.
  • the calculation unit 14b allocates the number of scans to each file based on the calculated scan frequency (step S205). Finally, the determination unit 14c determines the scan order (step S206), and the process ends.
  • the scan order in which all the files are included at least once is determined as the scan order of the files of the monitored device. Therefore, in this process, all files can be reliably scanned in software tampering detection, and all files can be optimally and comprehensively monitored.
  • the access frequency of the files of the monitored device is acquired, the importance of each file is calculated based on the acquired access frequency, and the scan order is determined based on the calculated importance.
  • all files can be optimally and comprehensively monitored by considering the importance of each file in the detection of software tampering.
  • the scan frequency that minimizes the sum of the expected values of the time from when a file is accessed until its scan is executed is calculated as the importance of the file, and the number of scans corresponding to that scan frequency is assigned to each file to determine the scan order. In this process, a more efficient scan order can be determined in software tampering detection, and all files can be optimally and comprehensively monitored.
  • each component of each illustrated device according to the above embodiment is a functional concept and does not necessarily have to be physically configured as shown in the figure. That is, the specific form of distribution or integration of each device is not limited to the one shown in the figure, and all or part of each device may be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions. Further, each processing function performed by each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.
  • [Program] It is also possible to create a program in which the processing executed by the falsification detection device 10 described in the above embodiment is written in a language executable by a computer. In this case, the same effect as that of the above embodiment can be obtained by executing the program on the computer. Further, the same processing as that of the above embodiment may be realized by recording the program on a computer-readable recording medium, reading the program recorded on the recording medium into the computer, and executing it.
  • FIG. 6 is a diagram showing a computer that executes a program.
  • the computer 1000 has, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These parts are connected by a bus 1080.
  • the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012, as illustrated in FIG.
  • the ROM 1011 stores, for example, a boot program such as a BIOS (Basic Input Output System).
  • the hard disk drive interface 1030 is connected to the hard disk drive 1090, as illustrated in FIG.
  • the disk drive interface 1040 is connected to the disk drive 1100 as illustrated in FIG.
  • a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100.
  • the serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120, as illustrated in FIG.
  • the video adapter 1060 is connected, for example, to a display 1130, as illustrated in FIG.
  • the hard disk drive 1090 stores, for example, the OS 1091, the application program 1092, the program module 1093, and the program data 1094. That is, the above program is stored in, for example, the hard disk drive 1090 as a program module in which a command executed by the computer 1000 is described.
  • the various data described in the above embodiment are stored as program data in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 into the RAM 1012 as needed, and executes various processing procedures.
  • the program module 1093 and the program data 1094 related to the program are not limited to being stored in the hard disk drive 1090; they may be stored, for example, on a removable storage medium and read by the CPU 1020 via a disk drive or the like. Alternatively, the program module 1093 and the program data 1094 related to the program may be stored in another computer connected via a network (a LAN (Local Area Network), a WAN (Wide Area Network), or the like) and read by the CPU 1020 via the network interface 1070.
  • Reference signs: 10 tampering detection device; 11 input unit; 12 output unit; 13 communication unit; 14 control unit; 14a acquisition unit; 14b calculation unit; 14c determination unit; 14d transmission unit; 14e verification unit; 15 storage unit; 15a monitored device information storage unit; 15b file importance information storage unit; 15c file digest storage unit; 20 monitored device; 21 input unit; 22 output unit; 23 communication unit; 24 control unit; 24a acquisition unit; 24b generation unit; 24c transmission unit; 25 storage unit; 25a monitored file storage unit; 100 tampering detection system.
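The calculation flow (steps S201 to S206) and the digest exchange and verification (steps S4 to S6) described above, as an added example that is not part of the patent or of NTT's implementation. Equations (1) to (3) are not reproduced on this page, so the example uses the page's "number of accesses" variant (scan counts proportional to access count, every file scanned at least once); the stride-style interleaving of the scan order, the log line format, and all file names and contents are constructed assumptions.

```python
import hashlib
from collections import Counter

# Constructed sample access log from the monitored device (step S201).
# Assumed line format "<timestamp> <path>"; the real format is not given.
ACCESS_LOG = """\
2024-05-01T08:00:01 bin/service
2024-05-01T08:00:04 etc/config.json
2024-05-01T08:00:09 bin/service
2024-05-01T08:01:13 lib/plugin.so
2024-05-01T08:01:20 bin/service
2024-05-01T08:02:02 etc/config.json
2024-05-01T08:02:30 bin/service
2024-05-01T08:03:11 bin/service
2024-05-01T08:03:45 etc/config.json
2024-05-01T08:04:00 bin/service
""".splitlines()

# Constructed known-good file contents. The detection device stores only their
# digests (file digest storage unit 15c); contents are here to simulate the device.
BASELINE_CONTENTS = {
    "bin/service": b"\x7fELF constructed service binary",
    "etc/config.json": b'{"listen": "127.0.0.1:8080"}',
    "lib/plugin.so": b"\x7fELF constructed plugin",
    "share/readme.txt": b"never accessed in the log, still scanned once per cycle",
}
MONITORED_FILES = sorted(BASELINE_CONTENTS)


def access_counts(log_lines):
    """Number of accesses per file path (file importance information)."""
    return Counter(line.split(" ", 1)[1] for line in log_lines if " " in line)


def allocate_scans(files, counts, total_slots):
    """Step S205: one scan per file so every file is covered at least once, then the
    remaining slots in proportion to access count (largest-remainder rounding)."""
    if total_slots < len(files):
        raise ValueError("not enough scan slots to cover every file once")
    alloc = {f: 1 for f in files}
    extra = total_slots - len(files)
    total_acc = sum(counts.get(f, 0) for f in files)
    if extra == 0 or total_acc == 0:
        return alloc  # no access data: degrade to a plain cyclic scan
    share = {f: extra * counts.get(f, 0) / total_acc for f in files}
    whole = {f: int(share[f]) for f in files}
    # leftover slots go to the largest remainders; ties to the hotter file, then name
    ranked = sorted(files, key=lambda f: (share[f] - whole[f], counts.get(f, 0), f),
                    reverse=True)
    for f in ranked[:extra - sum(whole.values())]:
        whole[f] += 1
    return {f: alloc[f] + whole[f] for f in files}


def build_scan_order(alloc):
    """Step S206: interleave scans by stride scheduling. File f is due every 1/alloc[f]
    of the cycle and the most overdue file goes next, so a hot file is re-checked at
    even intervals rather than in a burst; each file appears exactly alloc[f] times."""
    next_due = {f: 0.0 for f in alloc}
    order = []
    for _ in range(sum(alloc.values())):
        f = min(alloc, key=lambda f: (next_due[f], f))  # name breaks ties
        order.append(f)
        next_due[f] += 1.0 / alloc[f]
    return order


def baseline_digests(contents):
    """Digests of the correct files, as held by the detection device."""
    return {f: hashlib.sha256(b).hexdigest() for f, b in contents.items()}


def generate_digests(scan_order, device_contents):
    """Monitored device side (steps S4, S5): hash each file in the received order."""
    return [(f, hashlib.sha256(device_contents[f]).hexdigest()) for f in scan_order]


def verify(report, expected_order, known_good):
    """Step S6: a digest differing from the stored one marks the file as tampered;
    a report sequence differing from the order sent means the device skipped or
    reordered scans. Returns (tampered_files, order_followed)."""
    tampered = {f for f, d in report if known_good.get(f) != d}
    return tampered, [f for f, _ in report] == list(expected_order)


if __name__ == "__main__":
    order = build_scan_order(allocate_scans(MONITORED_FILES, access_counts(ACCESS_LOG), 10))
    # simulate a modified config file on the monitored device
    device = {**BASELINE_CONTENTS, "etc/config.json": b'{"listen": "0.0.0.0:8080"}'}
    print(order, verify(generate_digests(order, device), order, baseline_digests(BASELINE_CONTENTS)))
```

With 10 scan slots the hot binary is checked five times per cycle while the never-accessed readme is still covered once, which is the coverage guarantee the cyclic scan has and the random scan lacks.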

Abstract

This falsification detection device (10) comprises: an acquisition unit (14a) which acquires predetermined information from a device to be monitored; a determination unit (14c) which determines, from the information acquired by the acquisition unit (14a), a scan order of files of the device to be monitored; a transmission unit (14d) which transmits the scan order determined by the determination unit (14c) to the device to be monitored; and a verification unit (14e) which uses the digest of a file generated by the device to be monitored on the basis of the scan order to verify whether the file has been tampered with.

Description

Falsification detection device, falsification detection method, and falsification detection program
The present invention relates to a falsification detection device, a falsification detection method, and a falsification detection program.
Conventionally, techniques for detecting falsification of files such as the software of a monitored device include cyclic scanning, on-access scanning, and random scanning. First, cyclic scanning is a scan method that scans all files in order based on a file list, and it can reliably monitor all files.
Next, on-access scanning is a scan method that detects an access to a file, hooks the access, scans the file, and permits the access if the file has not been falsified (see, for example, Patent Documents 1 to 3). Random scanning is a scan method that randomly generates the scan order of all files.
Patent Document 1: Japanese Unexamined Patent Publication No. 2019-008376; Patent Document 2: Japanese Unexamined Patent Publication No. 2019-008732; Patent Document 3: Japanese Unexamined Patent Publication No. 2019-207661
However, the conventional techniques could not monitor all files optimally and comprehensively in software falsification detection. Cyclic scanning can reliably monitor all files, but once a file has been scanned it is not scanned again until the scan of all files has completed one round. With limited available CPU (Central Processing Unit) and memory resources, one full round of scanning often takes a long time, so the time during which each file is not monitored tends to be long.
On-access scanning can also reliably monitor all files, but because every file access is hooked, the impact on the operation of the monitored device tends to be large. In random scanning, the files to be scanned are completely random, so there is no guarantee that all files are reliably monitored.
To solve the above problems and achieve the object, a falsification detection device according to the present invention comprises: an acquisition unit that acquires predetermined information from a monitored device; a determination unit that determines, from the information acquired by the acquisition unit, a scan order of files of the monitored device; a transmission unit that transmits the scan order determined by the determination unit to the monitored device; and a verification unit that verifies whether a file has been falsified using a digest of the file generated by the monitored device on the basis of the scan order.
Further, a falsification detection method according to the present invention is a falsification detection method executed by a falsification detection device, and includes: an acquisition step of acquiring predetermined information from a monitored device; a determination step of determining, from the information acquired by the acquisition unit, a scan order of files of the monitored device; a transmission step of transmitting the scan order determined by the determination unit to the monitored device; and a verification step of verifying whether a file has been falsified using a digest of the file generated by the monitored device on the basis of the scan order.
Further, a falsification detection program according to the present invention causes a computer to execute: an acquisition step of acquiring predetermined information from a monitored device; a determination step of determining, from the information acquired by the acquisition unit, a scan order of files of the monitored device; a transmission step of transmitting the scan order determined by the determination unit to the monitored device; and a verification step of verifying whether a file has been falsified using a digest of the file generated by the monitored device on the basis of the scan order.
The present invention can monitor all files optimally and comprehensively in software falsification detection.
FIG. 1 is a diagram showing an example of a falsification detection system according to the first embodiment. FIG. 2 is a block diagram showing a configuration example of the falsification detection device according to the first embodiment. FIG. 3 is a block diagram showing a configuration example of the monitored device according to the first embodiment. FIG. 4 is a flowchart showing an example of the flow of the falsification detection process according to the first embodiment. FIG. 5 is a flowchart showing an example of the flow of the calculation process according to the first embodiment. FIG. 6 is a diagram showing a computer that executes a program.
Embodiments of the falsification detection device, the falsification detection method, and the falsification detection program according to the present invention will be described in detail below with reference to the drawings. The present invention is not limited to the embodiments described below.
[First Embodiment]
Below, the configuration of the falsification detection system, the configuration of the falsification detection device, the configuration of the monitored device, the scan order determination process, the flow of the falsification detection process, and the flow of the calculation process according to the present embodiment are described in order, and finally the effects of the present embodiment are described.
[Configuration of the falsification detection system]
The configuration of the falsification detection system 100 according to the present embodiment (hereinafter also "the present system") will be described in detail with reference to FIG. 1. FIG. 1 is a diagram showing an example of the falsification detection system according to the first embodiment. The falsification detection system 100 includes a falsification detection device 10 such as a server and a monitored device 20 such as one of various terminals. The falsification detection device 10 and the monitored device 20 are communicably connected, by wire or wirelessly, via a predetermined communication network (not shown). The falsification detection system 100 shown in FIG. 1 may include a plurality of falsification detection devices 10 and a plurality of monitored devices 20.
First, the monitored device 20 transmits information for determining the optimum scan order to the falsification detection device 10 (step S1). Here, the information for determining the optimum scan order is, for example, information about the inside of the monitored device ("monitored device information") and information about the importance of files ("file importance information").
Monitored device information is information about the resources of the monitored device, for example the CPU processing speed, memory capacity, and storage capacity, but is not particularly limited. Monitored device information also includes basic information about the files stored on the monitored device, for example the file type, data size, and number of files, but is not particularly limited.
File importance information is information about the importance of the files stored on the monitored device. It includes, for example, the number and frequency of accesses to each file, the access source, and the type of importance flag set on the file, as well as information such as the scan frequency that minimizes the sum of the expected values ("expected values") of the time from an access to a file until a scan is executed, but is not particularly limited.
Next, the falsification detection device 10 determines the optimum scan order based on the acquired information (step S2). Here, the scan order is the order of the processing in which the monitored device 20 generates a digest of each file ("file digest") at least once for the group of files stored on the monitored device 20. The file digest generated by the monitored device 20 is, for example, data generated by a hash computation, but is not particularly limited. The falsification detection device 10 can also, by static or dynamic setting, determine a scan order that does not include a specific file.
The falsification detection device 10 can also determine the scan order based on the file importance information. For example, the falsification detection device 10 can determine the scan order so that files with a high number of accesses are scanned preferentially, or so that files flagged as important by the file creator are scanned preferentially. Determination of the scan order based on the scan frequency that minimizes the sum of the expected values of time is described later under the flow of the calculation process.
Subsequently, the falsification detection device 10 transmits the determined scan order to the monitored device 20 (step S3). The monitored device 20 then generates the file digests according to the acquired scan order (step S4). Further, the monitored device 20 transmits the generated file digests to the falsification detection device 10 (step S5).
Finally, the falsification detection device 10 verifies whether the files have been falsified based on the acquired file digests (step S6). At this time, the falsification detection device 10 compares the digest of the correct file stored in the falsification detection device 10 with the acquired file digest, and if the digests differ, it determines that the file has been falsified.
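The exchange in steps S4 to S6 (digest generation on the monitored device, comparison against the stored correct digests on the detection device) as an added example; this is not code from the patent. It assumes SHA-256 as the hash computation (the page says only "hash computation"), constructs hypothetical file names and contents, and adds two verdicts a practitioner wants beyond "falsified or not": a file in the scan order that no longer exists on the device, and a reported file the detector holds no reference for. A file that fails once in a round keeps its failing verdict even if a later scan of the same file in the order matches.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the monitored file storage unit 25a: hypothetical
# file names and contents, not taken from the patent.
MONITORED_FILES: Dict[str, bytes] = {
    "bin/app": b"app binary v1",
    "etc/config.ini": b"mode=prod\n",
    "lib/crypto.so": b"crypto library build 7",
}

Digest = Optional[str]


def make_reference_digests(files: Dict[str, bytes]) -> Dict[str, str]:
    """Known-good digests of the legitimate files, as held by file digest storage
    unit 15c. SHA-256 is this example's choice; the page only says 'hash computation'."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in files.items()}


def generate_digests(files: Dict[str, bytes], scan_order: List[str]) -> List[Tuple[str, Digest]]:
    """Monitored device side (generation unit 24b, step S4): walk the received scan
    order and emit one digest per entry. A file that is absent yields None so the
    detector sees the gap instead of a silently skipped entry."""
    out: List[Tuple[str, Digest]] = []
    for name in scan_order:
        data = files.get(name)
        out.append((name, None if data is None else hashlib.sha256(data).hexdigest()))
    return out


def verify_digests(reference: Dict[str, str], reported: List[Tuple[str, Digest]]) -> Dict[str, str]:
    """Detector side (verification unit 14e, step S6): compare every reported digest
    with the stored reference. Verdict per file: 'ok', 'tampered', 'missing' or
    'unknown'. A failing verdict is never overwritten by a later 'ok' for the same
    file in the same round, so repeated entries in the order cannot mask a hit."""
    verdict: Dict[str, str] = {}
    for name, digest in reported:
        expected = reference.get(name)
        if expected is None:
            status = "unknown"   # reported file has no reference digest on the detector
        elif digest is None:
            status = "missing"   # in the scan order but no longer present on the device
        elif hmac.compare_digest(digest, expected):
            status = "ok"
        else:
            status = "tampered"
        if verdict.get(name, "ok") != "ok":
            continue             # keep the earlier failing verdict
        verdict[name] = status
    return verdict


def unscanned_files(reference: Dict[str, str], scan_order: List[str]) -> List[str]:
    """Coverage check on the order itself: reference files it never scans. The page
    requires every file to appear at least once, so this should be empty."""
    return sorted(set(reference) - set(scan_order))


def run_round(files: Dict[str, bytes], reference: Dict[str, str], scan_order: List[str]) -> Dict[str, str]:
    """One pass of steps S4 to S6 for a given scan order."""
    return verify_digests(reference, generate_digests(files, scan_order))


def demo() -> Dict[str, Dict[str, str]]:
    """A clean round, a round after one file was modified, and a round with a file removed."""
    reference = make_reference_digests(MONITORED_FILES)
    order = ["bin/app", "etc/config.ini", "bin/app", "lib/crypto.so"]  # repeats are allowed
    modified = dict(MONITORED_FILES)
    modified["etc/config.ini"] = b"mode=prod\ndebug=1\n"               # constructed change
    removed = dict(MONITORED_FILES)
    del removed["lib/crypto.so"]
    return {
        "clean": run_round(MONITORED_FILES, reference, order),
        "modified": run_round(modified, reference, order),
        "removed": run_round(removed, reference, order),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result)
```

The reference digests live only on the detection device, which is what makes the scheme meaningful: the monitored device computes and reports, and never decides. `hmac.compare_digest` is used for the comparison so that the verdict does not leak through timing; with hex digests of equal length it is a drop-in for `==`.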
In the falsification detection system 100 according to the present embodiment, the optimum scan order is determined while taking into account information such as the internal state of the device to be judged. Therefore, on a device with limited available CPU and memory resources, software falsification can be detected with high probability while keeping resource usage low.
In the present system 100, the importance of a file is estimated from its access frequency, and an optimum scan order that reduces the expected value of the time from falsification of the software until its detection is determined. Therefore, when access frequency is proportional to susceptibility to falsification, the present system 100 can make the time from falsification of the software until its detection as short as possible.
[Configuration of the falsification detection device]
The configuration of the falsification detection device 10 according to the present embodiment will be described in detail with reference to FIG. 2. FIG. 2 is a block diagram showing a configuration example of the falsification detection device according to the present embodiment. The falsification detection device 10 includes an input unit 11, an output unit 12, a communication unit 13, a control unit 14, and a storage unit 15.
The input unit 11 handles the input of various information to the falsification detection device 10. The input unit 11 is, for example, a mouse or keyboard, and accepts input of setting information and the like to the falsification detection device 10. The output unit 12 handles the output of various information from the falsification detection device 10. The output unit 12 is, for example, a display, and outputs setting information and the like stored in the falsification detection device 10.
The communication unit 13 handles data communication with other devices. For example, the communication unit 13 performs data communication with each communication device. The communication unit 13 can also perform data communication with an operator's terminal (not shown).
The storage unit 15 stores various information referenced when the control unit 14 operates and various information acquired when the control unit 14 operates. The storage unit 15 has a monitored device information storage unit 15a, a file importance information storage unit 15b, and a file digest storage unit 15c. The storage unit 15 is, for example, a semiconductor memory element such as a RAM (Random Access Memory) or flash memory, or a storage device such as a hard disk or optical disk. In the example of FIG. 2, the storage unit 15 is installed inside the falsification detection device 10, but it may be installed outside the falsification detection device 10, and a plurality of storage units may be installed.
The monitored device information storage unit 15a stores information used by the determination unit 14c of the control unit 14 to determine the scan order. For example, the monitored device information storage unit 15a stores information about device resources such as CPU processing speed, memory capacity, and storage capacity, and basic information about the files stored on the monitored device such as file type, data size, and number of files.
The file importance information storage unit 15b stores information about the importance of files acquired by the acquisition unit 14a of the control unit 14. The file importance information storage unit 15b also stores information calculated by the calculation unit 14b of the control unit 14. For example, the file importance information storage unit 15b stores the importance flag information of each file, the number of accesses to each file, the access frequency, the access source, the calculated importance of each file, and the scan frequency that minimizes the sum of the expected values of time.
The file digest storage unit 15c stores information about the correct monitored files used by the acquisition unit 14d of the control unit 14 to verify falsification. For example, the file digest storage unit 15c stores file digests generated by hash computation from the legitimate files stored on the monitored device.
The control unit 14 controls the entire falsification detection device 10. The control unit 14 has an acquisition unit 14a, a calculation unit 14b, a determination unit 14c, a transmission unit 14d, and a verification unit 14e. The control unit 14 is, for example, an electronic circuit such as a CPU or MPU (Micro Processing Unit), or an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or FPGA (Field Programmable Gate Array).
The acquisition unit 14a acquires predetermined information from the monitored device 20. For example, the acquisition unit 14a acquires the access frequency of the files of the monitored device 20. The acquisition unit 14a also acquires monitored device information and file importance information as information for determining the optimum scan order. Further, the acquisition unit 14a acquires the file digests generated by the monitored device 20.
The acquisition unit 14a stores the acquired monitored device information, such as the resources of the monitored device, in the monitored device information storage unit 15a. The acquisition unit 14a stores the acquired file importance information, such as the access frequency, in the file importance information storage unit 15b. Further, the acquisition unit 14a passes the acquired file digests to the verification unit 15e.
The calculation unit 14b calculates the importance of the files of the monitored device 20 based on the access frequency of the files of the monitored device 20 acquired from the acquisition unit 14a. For example, as the importance of the files of the monitored device 20, the calculation unit 14b calculates the scan frequency that minimizes the sum of the expected values of the time from when a file is accessed until a scan is executed. The calculation unit 14b stores the calculated file importance information, such as the scan frequency, in the file importance information storage unit 15b.
The determination unit 14c determines the scan order of the files of the monitored device 20 from the information acquired by the acquisition unit 14a. As the scan order of the files of the monitored device 20, the determination unit 14c determines a scan order in which every file is included at least once. Further, the determination unit 14c determines the scan order based on the importance of the files of the monitored device 20 calculated by the calculation unit 14b. For example, as the importance of the files of the monitored device 20, the determination unit 14c assigns to each file a number of scans corresponding to the scan frequency that minimizes the sum of the expected values of the time from when a file is accessed until a scan is executed, and determines the scan order accordingly.
At this time, the determination unit 14c refers to the monitored device information stored in the monitored device information storage unit 15a. The determination unit 14c also refers to the file importance information stored in the file importance information storage unit 15b.
The transmission unit 14d transmits the scan order determined by the determination unit 14c to the monitored device 20. The transmission unit 14d may also transmit the result of the verification by the verification unit 14e of whether a file has been falsified to the monitored device 20 or to another terminal.
The verification unit 14e verifies whether a file has been falsified using the file digest generated by the monitored device 20 based on the scan order. At this time, the verification unit 14e refers to the file digest of the correct monitored file stored in the file digest storage unit 15c.
[Configuration of the monitored device]
The configuration of the monitored device 20 according to the present embodiment will be described in detail with reference to FIG. 3. FIG. 3 is a block diagram showing a configuration example of the monitored device according to the present embodiment. The monitored device 20 has an input unit 21, an output unit 22, a communication unit 23, a control unit 24, and a storage unit 25.
The input unit 21 handles the input of various information to the monitored device 20. The input unit 21 is, for example, a mouse or keyboard, and accepts input of setting information and the like to the monitored device 20. The output unit 22 handles the output of various information from the monitored device 20. The output unit 12 is, for example, a display, and outputs setting information and the like stored in the monitored device 20.
The communication unit 23 handles data communication with other devices. For example, the communication unit 23 performs data communication with each communication device. The communication unit 23 can also perform data communication with an operator's terminal (not shown).
The storage unit 25 stores various information referenced when the control unit 24 operates and various information acquired when the control unit 24 operates. The storage unit 25 has, for example, a monitored file storage unit 25a. The storage unit 25 is, for example, a semiconductor memory element such as a RAM or flash memory, or a storage device such as a hard disk or optical disk. In the example of FIG. 3, the storage unit 25 is installed inside the monitored device 20, but it may be installed outside the monitored device 20, and a plurality of storage units may be installed. The monitored file storage unit 25a stores the monitored files, which may be accessed from outside and may be falsified.
The control unit 24 controls the entire monitored device 20. The control unit 24 has an acquisition unit 24a, a generation unit 24b, and a transmission unit 24c. The control unit 24 is, for example, an electronic circuit such as a CPU or MPU, or an integrated circuit such as an ASIC or FPGA.
The acquisition unit 24a acquires the file scan order from the falsification detection device 10. The acquisition unit 24a may also acquire from the falsification detection device 10 the verified result of whether a file has been falsified.
The generation unit 24b generates the file digests according to the file scan order acquired from the falsification detection device 10. The generation unit 24b may also store the generated file digests in the storage unit 25.
The transmission unit 24c transmits the file digests generated by the generation unit 24b to the falsification detection device 10. The transmission unit 24c may also transmit the file digests to a terminal other than the falsification detection device 10.
[Scan order determination process]
The scan order determination process of the falsification detection device 10 according to the present embodiment will be described in detail. Below, the determination process based on scan frequency and the other determination processes are described.
(Determination process based on scan frequency)
The following describes the determination of a scan order that allows a falsified file to be discovered soon after it is falsified, that is, a scan order that reduces the expected value of the time from when a file is falsified until a scan is executed. First, it is assumed that more important files are more likely to be attacked and that important files are accessed frequently, so the access frequency is used both as an indicator of susceptibility to attack and as an indicator of the importance of a file.
Assume that n files, the monitored file group {1, 2, ..., n}, exist on the monitored device, and denote the i-th file as file i. The falsification detection device 10 acquires in advance the access log of each of the n files on the monitored device 20 over a certain period.
From the above access log, when file i is accessed ka times during time T, the access frequency Pa(i) of file i is expressed as equation (1).
Figure JPOXMLDOC01-appb-M000001
The formula for Pa(i) differs depending on how important files are defined. In this process, important files are assumed to be files that are accessed frequently, so Pa(i) is given by equation (1).
On the other hand, assuming that file i is scanned kc times during time T, the scan frequency Pc(i) of file i is expressed as equation (2).
Figure JPOXMLDOC01-appb-M000002
In this process, Pa(i) is the frequency of appearance of file i in the scan order sequence.
The sum E, over all files, of the expected values of the time from when a file is accessed (falsified) until a scan is executed is expressed as equation (3).
Figure JPOXMLDOC01-appb-M000003
The falsification detection device 10 calculates the Pc(i) that minimizes equation (3). In this process, the higher the access frequency of a file, the higher its resulting scan frequency.
A scan end time T for all files is set, and within that time minus the time required for one round through all files, the number of scans is assigned to each file based on Pc(i) according to the number of scans that are possible.
A scan order is determined such that every file is scanned at least once and each file is additionally scanned the number of times calculated from Pc(i).
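The scan-frequency-based determination above, carried through on constructed numbers, as an added example that is not code from the patent. The equation images are not reproduced on the page, so three things are assumptions of this example: Pa(i) = ka/T for equation (1), Pc(i) = kc/T for equation (2), and an even-spacing model for E, in which a file scanned kc times at regular intervals over T makes an access wait T/(2 kc) on average, so E = Σ Pa(i)·T/(2 kc_i). The scan budget is derived with a uniform per-file scan cost (a simplification of "the time excluding one full round"), the allocation uses a greedy marginal rule (this example's choice, not necessarily the patent's calculation), and the access counts, T, and costs are hypothetical. The same `allocate_scans` and `build_scan_order` functions accept any per-file weight, so they also cover the "other determination processes" below (weights from access counts or creator-set flags).

```python
from typing import Dict, List

# Constructed access-log summary for the monitored file group {1, ..., n}: file i -> ka,
# the number of accesses observed during the window T (hypothetical values, not from the page).
ACCESS_COUNTS: Dict[int, int] = {1: 50, 2: 20, 3: 6, 4: 0, 5: 30}
T = 100.0  # length of the observation window (hypothetical units)


def access_frequency(counts: Dict[int, int], window: float) -> Dict[int, float]:
    """Pa(i). The page's equation (1) image is not reproduced, so ka/T is assumed here."""
    return {i: ka / window for i, ka in counts.items()}


def scan_frequency(scans: Dict[int, int], window: float) -> Dict[int, float]:
    """Pc(i). Equation (2) is likewise assumed to be kc/T."""
    return {i: kc / window for i, kc in scans.items()}


def expected_wait_sum(pa: Dict[int, float], scans: Dict[int, int], window: float) -> float:
    """Assumed form of E (equation (3) is not reproduced on the page): if the kc scans of
    file i are spread evenly over T, an access falls uniformly inside an interval of
    length T/kc and waits T/(2 kc) on average; weighting by Pa(i) gives
    E = sum_i Pa(i) * T / (2 * kc_i)."""
    return sum(pa[i] * window / (2 * scans[i]) for i in pa)


def scan_budget(total_time: float, per_scan_cost: float, n: int) -> int:
    """Number of scans that fit before the end time, assuming a uniform per-file scan
    cost (a simplification of the page's 'time excluding one full round'). Raises if
    not even one full round of the n files fits."""
    total = int(total_time // per_scan_cost)
    if total < n:
        raise ValueError("budget does not allow one full round of all files")
    return total


def allocate_scans(pa: Dict[int, float], budget: int) -> Dict[int, int]:
    """Assign scan counts kc_i: every file gets one scan first (the page requires every
    file at least once, so a never-accessed file is still covered), then each remaining
    slot goes to the file whose extra scan lowers E most. Each term Pa(i)/kc is convex in
    kc, so this greedy marginal allocation reaches the integer minimum of the assumed E.
    The greedy rule is this example's choice, not necessarily the patent's calculation."""
    n = len(pa)
    if budget < n:
        raise ValueError("budget smaller than the number of files")
    scans = {i: 1 for i in pa}
    for _ in range(budget - n):
        # reduction in E from one more scan of file i, up to the constant factor T/2
        best = max(pa, key=lambda i: pa[i] * (1 / scans[i] - 1 / (scans[i] + 1)))
        scans[best] += 1
    return scans


def build_scan_order(scans: Dict[int, int]) -> List[int]:
    """Turn scan counts into a sequence in which each file's scans are spread evenly
    (stride scheduling), which is what the even-spacing assumption behind E relies on."""
    length = sum(scans.values())
    slots = []
    for i, kc in scans.items():
        for j in range(kc):
            slots.append(((j + 0.5) * length / kc, i))
    slots.sort()
    return [i for _, i in slots]


def demo() -> dict:
    """Whole determination on the constructed log: Pa, budget, kc, Pc, order, and E."""
    pa = access_frequency(ACCESS_COUNTS, T)
    budget = scan_budget(total_time=600.0, per_scan_cost=50.0, n=len(pa))  # 12 scans fit
    scans = allocate_scans(pa, budget)
    return {
        "pa": pa,
        "scans": scans,
        "pc": scan_frequency(scans, T),
        "order": build_scan_order(scans),
        "E": expected_wait_sum(pa, scans, T),
        "E_one_round_only": expected_wait_sum(pa, {i: 1 for i in pa}, T),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On the constructed log the most-accessed file receives four of the twelve scans, file 4 (never accessed) still receives its one mandatory scan, and the resulting order interleaves the frequently scanned files rather than grouping their scans, so no file goes a long stretch unmonitored. Because E is a sum of terms shaped like Pa(i)/kc, the optimum allocates scans roughly in proportion to the square root of the access frequency rather than to the frequency itself; a practitioner who assigns counts linearly from access counts will over-scan the hottest files.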
(その他の決定処理)
 上記のスキャン頻度を計算する処理以外のスキャン順序の決定について説明する。
(Other decision processing)
The determination of the scan order other than the above-mentioned process of calculating the scan frequency will be described.
 例えば、改ざん検知装置10は、過去の各ファイルのアクセス回数が多いファイルを優先するスキャン順序を決定してもよい。つまり、各ファイルのアクセス回数をもとに、各ファイルにスキャン回数を割り当てて、全ファイルを最低1回ずつスキャンするスキャン順序を決定してもよい。さらに、改ざん検知装置10は、アクセス回数とともにアクセス元を考慮して、スキャン順序を決定してもよい。 For example, the falsification detection device 10 may determine the scan order in which the files with the highest number of accesses in the past files are prioritized. That is, based on the number of accesses of each file, the number of scans may be assigned to each file, and the scan order for scanning all files at least once may be determined. Further, the falsification detection device 10 may determine the scan order in consideration of the access source as well as the number of accesses.
 また、改ざん検知装置10は、ファイル作成者による重要度に関するフラグ設定があるファイルを優先するスキャン順序を決定してもよい。つまり、ファイルの重要性に応じてフラグを設定し、そのフラグをもとに、各ファイルにスキャン回数を割り当てて、全ファイルを最低1回ずつスキャンするスキャン順序を決定してもよい。 Further, the falsification detection device 10 may determine the scan order in which the file having the flag setting regarding the importance by the file creator is prioritized. That is, a flag may be set according to the importance of the file, the number of scans may be assigned to each file based on the flag, and the scan order for scanning all files at least once may be determined.
[Flow of falsification detection processing]
The flow of the falsification detection processing according to the present embodiment will be described in detail with reference to FIG. 4. FIG. 4 is a flowchart showing an example of the flow of the falsification detection processing according to the first embodiment. First, the acquisition unit 14a of the falsification detection device 10 acquires information from the monitored device 20 in order to determine the optimum scan order (step S101). At this time, the acquisition unit 14a may acquire information from a device other than the monitored device 20. The acquisition unit 14a may also acquire information entered directly via the input unit 11.
Next, the determination unit 14c determines the optimum scan order based on the information acquired from the monitored device 20 (step S102). At this time, the calculation unit 14b may compute the information that the determination unit 14c needs in order to determine the scan order. If a scan order created in advance exists, the determination unit 14c may adopt that scan order. Furthermore, when several scan orders can be determined, the determination unit 14c may adopt one of them or several of them.
Subsequently, the transmission unit 14d transmits the determined scan order to the monitored device 20 (step S103). At this time, the transmission unit 14d may transmit the scan order in bulk or one entry at a time. The transmission unit 14d may also transmit a plurality of scan order sequences.
Then, the acquisition unit 14a acquires the digests of the files generated and transmitted by the generation unit 24b of the monitored device 20 (step S104). Finally, the verification unit 14e verifies, based on the file digests acquired by the acquisition unit 14a, whether or not the files have been falsified (step S105), and the falsification detection processing ends. The transmission unit 14d may transmit the result of the verification by the verification unit 14e, that is, whether or not a file has been falsified, to the monitored device 20 or to another terminal.
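The exchange in steps S103 to S105 (the detection device sends a scan order, the monitored device returns digests in that order, and the detection device verifies them against the reference digests it holds), as an added example in Python. This is not code from the patent or from the applicant: the file contents, reference digests and scan order are constructed here, SHA-256 is assumed as the digest function (the page does not name one), and the detection device's reference store is a hypothetical in-memory dictionary. Beyond what the text states, the example also records an unreported or out-of-sequence entry as a finding, since a monitored device that does not follow the order it was sent is itself a signal the verifier should not silently accept.

```python
import hashlib
import hmac
from typing import Dict, List

# Constructed known-good contents of the monitored device's files (path -> bytes).
KNOWN_GOOD: Dict[str, bytes] = {
    "/opt/app/bin/service": b"\x7fELF...constructed service binary...",
    "/opt/app/etc/config.yml": b"listen: 127.0.0.1:8443\n",
    "/opt/app/lib/helper.so": b"\x7fELF...constructed shared object...",
}

# Scan order as the detection device would send it (step S103); one file appears twice.
SCAN_ORDER: List[str] = [
    "/opt/app/bin/service",
    "/opt/app/etc/config.yml",
    "/opt/app/bin/service",
    "/opt/app/lib/helper.so",
]


def sha256_hex(data: bytes) -> str:
    # Digest function is an assumption of this example; the page does not specify one.
    return hashlib.sha256(data).hexdigest()


def make_reference(files: Dict[str, bytes]) -> Dict[str, str]:
    """Hypothetical file-digest store of the detection device, built from known-good contents."""
    return {path: sha256_hex(data) for path, data in files.items()}


def generate_digests(files: Dict[str, bytes], scan_order: List[str]) -> List[dict]:
    """Monitored-device side (the role of generation unit 24b): walk the received scan order
    and emit one record per entry, keeping the sequence number so the verifier can check it."""
    records = []
    for seq, path in enumerate(scan_order):
        data = files.get(path)
        records.append({"seq": seq, "path": path,
                        "digest": sha256_hex(data) if data is not None else None})
    return records


def verify_digests(records: List[dict], reference: Dict[str, str],
                   expected_order: List[str]) -> Dict[str, List[str]]:
    """Detection-device side (the role of verification unit 14e). Groups paths by finding:
    clean, tampered (digest differs, or the path is unknown to the reference store and is
    failed closed), missing (no digest produced, or an entry of the order never reported),
    unexpected (a record that does not match the position in the order that was sent).
    A path scanned several times with different results can appear in more than one group."""
    findings: Dict[str, set] = {k: set() for k in ("clean", "tampered", "missing", "unexpected")}
    reported = set()
    for rec in records:
        seq, path, digest = rec["seq"], rec["path"], rec["digest"]
        if seq >= len(expected_order) or expected_order[seq] != path:
            findings["unexpected"].add(path)
            continue
        reported.add(seq)
        if digest is None:
            findings["missing"].add(path)
        elif path in reference and hmac.compare_digest(digest, reference[path]):
            findings["clean"].add(path)
        else:
            findings["tampered"].add(path)
    # Entries of the transmitted order on which the device never reported.
    for seq, path in enumerate(expected_order):
        if seq not in reported:
            findings["missing"].add(path)
    return {k: sorted(v) for k, v in findings.items()}


def run_demo() -> Dict[str, List[str]]:
    """One round in which the config file was modified on the monitored device (constructed)."""
    reference = make_reference(KNOWN_GOOD)
    current = dict(KNOWN_GOOD)
    current["/opt/app/etc/config.yml"] = b"listen: 0.0.0.0:8443\n"  # constructed modification
    records = generate_digests(current, SCAN_ORDER)
    return verify_digests(records, reference, SCAN_ORDER)


if __name__ == "__main__":
    for finding, paths in run_demo().items():
        print(f"{finding}: {paths}")
```

The digest comparison uses a constant-time compare; it costs nothing here and keeps the verifier from leaking which prefix of a digest matched if the comparison were ever exposed to an attacker-controlled caller.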
[Flow of calculation processing]
The flow of the calculation processing according to the present embodiment will be described in detail with reference to FIG. 5. FIG. 5 is a flowchart showing an example of the flow of the calculation processing according to the first embodiment. First, the acquisition unit 14a of the falsification detection device 10 acquires the file access log of the monitored device 20 for a certain period (step S201). At this time, the acquisition unit 14a may acquire the access log from a device other than the monitored device 20. The acquisition unit 14a may also acquire an access log entered directly via the input unit 11.
Next, the calculation unit 14b calculates the scan frequency that minimizes, over all files, the sum of the expected times from falsification to scan execution (step S202), determines the end time of scanning all files (step S203), and calculates the number of scans possible within the time obtained by subtracting the time required for one full pass of file scanning from the determined end time (step S204). The order of steps S202 to S204 is an example, and the calculation unit 14b may perform them in a different order. The calculation unit 14b may also omit part of the processing of steps S202 to S204.
Then, the calculation unit 14b assigns a number of scans to each file based on the calculated scan frequency (step S205). Finally, the determination unit 14c determines the scan order (step S206), and the processing ends.
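The scan-order computation described above for Pc(i) (fix T, subtract one full pass, distribute the remaining scans by Pc(i), scan every file at least once) and again as steps S201 to S206, as an added example in Python; this is not code from the patent or the applicant. The per-file weights Pc(i), the end time T and a fixed duration per scan are constructed inputs. The largest-remainder rounding, the even interleaving used to build the order, and the expected-wait formula used to compare two orders are this example's own choices and not a method the page specifies; the last of these makes the step S202 objective concrete, so that an evenly spread order can be shown to beat a bunched one with the same scan counts.

```python
import math
from collections import Counter
from typing import Dict, List

# Constructed inputs: per-file weight Pc(i) (e.g. derived from access counts), the end time T
# for scanning all files, and an assumed fixed duration of one scan (same time unit as T).
PC: Dict[str, float] = {"a": 0.5, "b": 0.3, "c": 0.2}
END_TIME_T = 10.0
SCAN_TIME = 1.0


def possible_scans(end_time_t: float, cycle_time: float, scan_time: float) -> int:
    """Scans that fit in T minus one full pass over the files (steps S203 and S204)."""
    return max(0, int((end_time_t - cycle_time) // scan_time))


def allocate_scan_counts(weights: Dict[str, float], extra_scans: int) -> Dict[str, int]:
    """Every file gets one scan (the full pass); the extra scans are split in proportion to
    Pc(i) using largest-remainder rounding so the total is exact (step S205)."""
    total_w = sum(weights.values())
    raw = {f: extra_scans * w / total_w for f, w in weights.items()}
    extras = {f: math.floor(r) for f, r in raw.items()}
    leftover = extra_scans - sum(extras.values())
    for f in sorted(raw, key=lambda f: (raw[f] - extras[f], f), reverse=True)[:leftover]:
        extras[f] += 1
    return {f: 1 + extras[f] for f in weights}


def build_scan_order(counts: Dict[str, int]) -> List[str]:
    """Interleave the scans so each file's scans are spread evenly over the cycle: each file
    has an ideal spacing of total/count slots, and the file whose next ideal slot is earliest
    is scheduled next (ties broken by name for determinism)."""
    total = sum(counts.values())
    spacing = {f: total / c for f, c in counts.items()}
    next_slot = {f: 0.0 for f in counts}
    done: Counter = Counter()
    order: List[str] = []
    for _ in range(total):
        pending = [f for f in counts if done[f] < counts[f]]
        f = min(pending, key=lambda f: (next_slot[f], f))
        order.append(f)
        done[f] += 1
        next_slot[f] += spacing[f]
    return order


def expected_wait(order: List[str], name: str, scan_time: float = 1.0) -> float:
    """Expected time from a uniformly random tampering moment until the next scan of `name`,
    treating the order as repeating cyclically. A gap of g time units contributes g^2/2 to
    the integral of waiting time, so E[wait] = sum(g^2) / (2 * cycle length)."""
    n = len(order)
    pos = [i for i, f in enumerate(order) if f == name]
    if not pos:
        return math.inf  # never scanned: the wait is unbounded
    gaps = [((pos[(k + 1) % len(pos)] - pos[k]) % n) or n for k in range(len(pos))]
    cycle = n * scan_time
    return sum((g * scan_time) ** 2 for g in gaps) / (2 * cycle)


def weighted_expected_wait(order: List[str], weights: Dict[str, float],
                           scan_time: float = 1.0) -> float:
    """The step S202 objective: Pc(i)-weighted sum of expected falsification-to-scan times."""
    return sum(w * expected_wait(order, f, scan_time) for f, w in weights.items())


def plan_scans(weights: Dict[str, float], end_time_t: float, scan_time: float) -> List[str]:
    """End to end: steps S203 to S206 for the given inputs."""
    cycle_time = len(weights) * scan_time
    extra = possible_scans(end_time_t, cycle_time, scan_time)
    return build_scan_order(allocate_scan_counts(weights, extra))


if __name__ == "__main__":
    order = plan_scans(PC, END_TIME_T, SCAN_TIME)
    print("scan order:", " ".join(order))
    print("weighted expected wait:", round(weighted_expected_wait(order, PC, SCAN_TIME), 3))
```

With the constructed inputs, 7 extra scans fit after the 3-file pass, giving counts a=5, b=3, c=2 and the order a b c a b a c a b a; the bunched order a a a a a b b b c c has the same counts but a markedly larger weighted expected wait, which is why the interleaving step matters and not only the counts.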
[Effects of the first embodiment]
First, in the falsification detection processing according to the present embodiment described above, predetermined information is acquired from the monitored device, the scan order of the files of the monitored device is determined from the acquired information, the determined scan order is transmitted to the monitored device, and the presence or absence of falsification of a file is verified using the digest of the file generated by the monitored device based on the scan order. Therefore, this processing makes it possible to monitor all files optimally and exhaustively in software falsification detection.
Second, in the falsification detection processing according to the present embodiment described above, a scan order in which every file is included at least once is determined as the scan order of the files of the monitored device. Therefore, this processing makes it possible to scan all files reliably in software falsification detection and to monitor all files optimally and exhaustively.
Third, in the falsification detection processing according to the present embodiment described above, the access frequency of the files of the monitored device is acquired, the importance of each file is calculated based on the acquired access frequency, and the scan order is determined based on the calculated importance. By taking the importance of each file into account, this processing makes it possible to monitor all files optimally and exhaustively in software falsification detection.
Fourth, in the falsification detection processing according to the present embodiment described above, the scan frequency that minimizes the sum of the expected values of the time from when a file is accessed until a scan is executed is calculated as the importance of the file, a number of scans corresponding to the scan frequency is assigned, and the scan order is determined. This processing makes it possible to determine a more efficient scan order in software falsification detection and to monitor all files optimally and exhaustively.
[System configuration, etc.]
Each component of each illustrated device according to the above embodiment is a functional concept and need not be physically configured as illustrated. That is, the specific form of distribution and integration of each device is not limited to that illustrated, and all or part of it can be functionally or physically distributed or integrated in arbitrary units according to various loads, usage conditions and the like. Furthermore, all or any part of each processing function performed by each device may be realized by a CPU and a program analyzed and executed by that CPU, or may be realized as hardware by wired logic.
Moreover, among the processes described in the above embodiment, all or part of the processes described as being performed automatically may be performed manually, and all or part of the processes described as being performed manually may be performed automatically by a known method. In addition, the processing procedures, control procedures, specific names, and information including various data and parameters shown in the above document and drawings can be changed arbitrarily unless otherwise specified.
[Program]
It is also possible to create a program in which the processing executed by the falsification detection device 10 described in the above embodiment is written in a language executable by a computer. In this case, the same effects as those of the above embodiment can be obtained by having the computer execute the program. Furthermore, the same processing as in the above embodiment may be realized by recording such a program on a computer-readable recording medium and having a computer read and execute the program recorded on the recording medium.
FIG. 6 is a diagram showing a computer that executes the program. As illustrated in FIG. 6, the computer 1000 has, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070, and these units are connected by a bus 1080.
The memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012, as illustrated in FIG. 6. The ROM 1011 stores a boot program such as a BIOS (Basic Input Output System), for example. The hard disk drive interface 1030 is connected to a hard disk drive 1090, as illustrated in FIG. 6. The disk drive interface 1040 is connected to a disk drive 1100, as illustrated in FIG. 6. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100. The serial port interface 1050 is connected to, for example, a mouse 1110 and a keyboard 1120, as illustrated in FIG. 6. The video adapter 1060 is connected to, for example, a display 1130, as illustrated in FIG. 6.
Here, as illustrated in FIG. 6, the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the above program is stored, for example, in the hard disk drive 1090 as a program module in which the instructions to be executed by the computer 1000 are written.
The various data described in the above embodiment are stored as program data in, for example, the memory 1010 or the hard disk drive 1090. The CPU 1020 then reads the program module 1093 and the program data 1094 stored in the memory 1010 or the hard disk drive 1090 into the RAM 1012 as needed, and executes the various processing procedures.
The program module 1093 and the program data 1094 related to the program are not limited to being stored in the hard disk drive 1090; they may be stored, for example, in a removable storage medium and read by the CPU 1020 via a disk drive or the like. Alternatively, the program module 1093 and the program data 1094 related to the program may be stored in another computer connected via a network (a LAN (Local Area Network), a WAN (Wide Area Network), or the like) and read by the CPU 1020 via the network interface 1070.
The above embodiment and its modifications are included in the technology disclosed in the present application and, likewise, in the invention described in the claims and its equivalents.
10 Falsification detection device
11 Input unit
12 Output unit
13 Communication unit
14 Control unit
14a Acquisition unit
14b Calculation unit
14c Determination unit
14d Transmission unit
14e Verification unit
15 Storage unit
15a Monitored device information storage unit
15b File importance information storage unit
15c File digest storage unit
20 Monitored device
21 Input unit
22 Output unit
23 Communication unit
24 Control unit
24a Acquisition unit
24b Generation unit
24c Transmission unit
25 Storage unit
25a Monitored file storage unit
100 Falsification detection system

Claims (6)

  1.  A falsification detection device comprising:
     an acquisition unit that acquires predetermined information from a monitored device;
     a determination unit that determines, from the information acquired by the acquisition unit, a scan order of files of the monitored device;
     a transmission unit that transmits the scan order determined by the determination unit to the monitored device; and
     a verification unit that verifies, using a digest of a file generated by the monitored device based on the scan order, whether or not the file has been falsified.
  2.  The falsification detection device according to claim 1, wherein the determination unit determines, as the scan order of the files of the monitored device, a scan order in which every file is included at least once.
  3.  The falsification detection device according to claim 2, wherein
     the acquisition unit acquires an access frequency of the files of the monitored device,
     the device further comprises a calculation unit that calculates an importance of each file based on the access frequency acquired by the acquisition unit, and
     the determination unit determines the scan order based on the importance calculated by the calculation unit.
  4.  The falsification detection device according to claim 3, wherein
     the calculation unit calculates, as the importance, a scan frequency that minimizes the sum of the expected values of the time from when a file is accessed until a scan is executed, and
     the determination unit assigns a number of scans corresponding to the scan frequency and determines the scan order.
  5.  A falsification detection method executed by a falsification detection device, the method comprising:
     an acquisition step of acquiring predetermined information from a monitored device;
     a determination step of determining, from the information acquired in the acquisition step, a scan order of files of the monitored device;
     a transmission step of transmitting the scan order determined in the determination step to the monitored device; and
     a verification step of verifying, using a digest of a file generated by the monitored device based on the scan order, whether or not the file has been falsified.
  6.  A falsification detection program for causing a computer to execute:
     an acquisition step of acquiring predetermined information from a monitored device;
     a determination step of determining, from the information acquired in the acquisition step, a scan order of files of the monitored device;
     a transmission step of transmitting the scan order determined in the determination step to the monitored device; and
     a verification step of verifying, using a digest of a file generated by the monitored device based on the scan order, whether or not the file has been falsified.
PCT/JP2020/042534 2020-11-13 2020-11-13 Falsification detection device, falsification detection method, and falsification detection program WO2022102110A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2020/042534 WO2022102110A1 (en) 2020-11-13 2020-11-13 Falsification detection device, falsification detection method, and falsification detection program

Publications (1)

Publication Number Publication Date
WO2022102110A1 true WO2022102110A1 (en) 2022-05-19

Family

ID=81602164

Country Status (1)

Country Link
WO (1) WO2022102110A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050132206A1 (en) * 2003-12-12 2005-06-16 International Business Machines Corporation Apparatus, methods and computer programs for identifying or managing vulnerabilities within a data processing network
JP2009009372A (en) * 2007-06-28 2009-01-15 Panasonic Corp Information terminal, client/server system, and program
US20160294849A1 (en) * 2015-03-31 2016-10-06 Juniper Networks, Inc. Detecting suspicious files resident on a network
US20200034534A1 (en) * 2018-07-24 2020-01-30 EMC IP Holding Company LLC Predictive scheduled anti-virus scanning

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 20961638; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 20961638; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: JP)