WO2022113348A1 - Development side security analysis support device, operation side security analysis support device, and security analysis support system - Google Patents


Info

Publication number
WO2022113348A1
Authority
WO
WIPO (PCT)
Application number
PCT/JP2020/044522
Other languages
French (fr)
Japanese (ja)
Inventor
修治 宮下
陽一郎 古賀
Original Assignee
Mitsubishi Electric Corporation (三菱電機株式会社)
Application filed by Mitsubishi Electric Corporation (三菱電機株式会社)
Priority to PCT/JP2020/044522 (WO2022113348A1)
Priority to JP2022565298A (JP7403686B2)
Priority to PCT/JP2021/042560 (WO2022113895A1)
Publication of WO2022113348A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F 8/00 Arrangements for software engineering
    • G06F 8/20 Software design

Definitions

  • This disclosure relates to a development side security analysis support device, an operation side security analysis support device, and a security analysis support system that detect attacks on a target product and support its maintenance and operation.
  • The "development side" and the "operation side" of a product have not been able to automate the linkage of information between the two, so feedback to the development side about new threats found on the operation side could be delayed.
  • Likewise, the vulnerabilities known on the development side and their countermeasures could not be deployed quickly and sufficiently to the operation side.
  • This disclosure addresses these problems. Its purpose is to provide a development side security analysis support device, an operation side security analysis support device, and a security analysis support system capable of efficiently improving the quality of security.
  • The development side security analysis support device comprises: a security request inference unit that infers security requests (threats, trust boundaries, and demarcation of responsibility) by inputting data including the characteristics of the development target, the required specifications of the development target, and the predetermined rules with which the development target complies into a security request prediction model for predicting the security requests that match the development target; a security requirement acquisition unit that, based on the security requests inferred by the security request inference unit, acquires the security requirements corresponding to those security requests from a first database storing information indicating the correspondence between security requests and security requirements; and a design information inference unit that inputs the security requirements acquired by the security requirement acquisition unit into a design information selection model for selecting design information that realizes security functions suited to the development target, and infers the design information.
  • FIG. 1: Block diagram showing the outline of the overall configuration of the development side security analysis support device according to Embodiment 1.
  • FIG. 2: Block diagram showing details of the configuration of the development side security analysis support device according to Embodiment 1.
  • FIG. 3: Block diagram showing details of the configuration of the development side security analysis support device according to Embodiment 1.
  • FIG. 4: Block diagram showing details of the configuration of the development side security analysis support device according to Embodiment 1.
  • FIG. 5: Diagram showing an example of the feature confirmation sheet of a product according to Embodiment 1.
  • FIG. 6: Diagram showing an example of the feature confirmation sheet of a product according to Embodiment 1.
  • FIG. 7: Diagram showing an example of the system feature DB according to Embodiment 1.
  • FIG. 8: Diagram showing an example of the failure DB according to Embodiment 1.
  • FIG. 9: Diagram showing an example of the threat DB according to Embodiment 1.
  • FIG. 10: Diagram showing an example of the countermeasure DB according to Embodiment 1.
  • FIG. 11: Diagram showing an example of the vulnerability information DB according to Embodiment 1.
  • FIG. 12: Diagram showing an example of the operation log signature DB according to Embodiment 1.
  • FIG. 13: Diagram showing an example of the project DB according to Embodiment 1.
  • FIG. 14: Diagram showing an example of the specification document / design document DB according to Embodiment 1.
  • FIG. 15: Diagram showing an example of the security standard DB according to Embodiment 1.
  • FIG. 16: Diagram showing an example of the law / regulation DB according to Embodiment 1.
  • FIG. 17: Diagram for explaining a three-layer neural network.
  • FIG. 18: Flowchart showing the acquisition and accumulation of data in the learning unit according to Embodiment 1.
  • FIG. 19: Flowchart showing the acquisition and accumulation of data in the learning unit according to Embodiment 1.
  • FIG. 20: Flowchart showing the generation process of the security request prediction model in the learning unit according to Embodiment 1.
  • FIG. 21: Flowchart showing the generation process of the design information selection model in the learning unit according to Embodiment 1.
  • FIG. 22: Flowchart showing the inference processing in the inference unit according to Embodiment 1.
  • FIG. 23: Diagram showing an example of the security requirement information sheet according to Embodiment 1.
  • FIG. 24: Diagram showing an example of the security requirement information sheet according to Embodiment 1.
  • FIG. 25: Diagram showing an example of the security design information sheet according to Embodiment 1.
  • FIG. 26: Block diagram showing the outline of the overall configuration of the operation side security analysis support device according to Embodiment 2.
  • FIG. 27: Block diagram showing details of the configuration of the operation side security analysis support device according to Embodiment 2.
  • FIG. 28: Diagram showing an example of the signature update list file according to Embodiment 2.
  • FIG. 29: Diagram showing an example of the operation / maintenance analysis DB according to Embodiment 2.
  • FIG. 30: Flowchart showing the generation process of the security monitoring model in the learning unit according to Embodiment 2.
  • FIG. 31: Flowchart showing the inference processing in the inference unit according to Embodiment 2.
  • FIG. 32: Diagram showing an example of the knowledge file obtained from operation of the product in the market according to Embodiment 2.
  • FIG. 1 is a block diagram showing the configuration of the development side security analysis support device 10 according to the first embodiment.
  • FIGS. 2, 3 and 4 are block diagrams showing details of the configuration of the development side security analysis support device 10. FIGS. 2 and 3 are connected at BL1-BL2, and FIGS. 3 and 4 are connected at BL3-BL4.
  • The development side security analysis support device 10 supports the developer's analysis regarding the extraction of security requests and the selection of security functions for the product to be developed. After development is completed and the product is shipped to the market, it becomes the product (field) 90 (see FIGS. 26 and 27 described later), and operation log monitoring knowledge is fed back from the operation side security analysis support device 50. This cooperation enables faster extraction of security requests and selection of security functions in similar product development projects.
  • A project in the present disclosure means a project for product (device) development, system development, or the like that is accompanied by software development and design.
  • the development side security analysis support device 10 includes a main storage unit 100, an auxiliary storage unit 200, an interface unit 300, and a processor 400. Further, the development side security analysis support device 10 is connected to the display device 500 and the input / output device 600.
  • the development side security analysis support device 10 is, for example, a personal computer.
  • the processor 400 is connected to other hardware via a signal line.
  • The processor 400 can be realized by a CPU (Central Processing Unit), an MPU (Micro Processing Unit), a DSP (Digital Signal Processor), a GPU (Graphics Processing Unit), a microcomputer, an FPGA (Field Programmable Gate Array), or an ASIC (Application Specific Integrated Circuit).
  • the processor 400 realizes various functions by reading an OS (Operating System), an application program, and various data stored in an auxiliary storage unit 200, which will be described later, and executing arithmetic processing.
  • the processor 400 includes a functional configuration described later.
  • the functional configuration may be realized by firmware.
  • The hardware combining the processor 400, the main storage unit 100, and the auxiliary storage unit 200 (described later) is also referred to as "processing circuitry".
  • the main storage unit 100 is a volatile storage unit.
  • The main storage unit 100 can be realized by a RAM (Random Access Memory) or the like.
  • the main storage unit 100 temporarily stores data that is used in the development side security analysis support device 10 and is generated, input / output, or transmitted / received.
  • The main storage unit 100 includes a data collection unit 101, a multimodal feature analysis unit 102, a data primary processing integration unit 103, a security request extraction data acquisition preprocessing unit 104, a security request prediction model generation unit 105 (first model generation unit), a security function selection data acquisition preprocessing unit 106, a design information selection model generation unit 107, a product planning data acquisition unit 108, a security request inference unit 109, a cost / schedule adjustment unit 110, a security requirement acquisition unit 111, a security function inference unit 112, a security monitoring data acquisition preprocessing unit 113, a security monitoring model generation unit 114, and a threat / countermeasure comparison cooperation update unit 115.
  • The data collection unit 101 collects existing data, namely past project data, vulnerability analysis result information, specifications / design documents, legal / regulatory information, security standards, operation logs of products in the past market, and incident signature information, and sends it to the data lake 210.
  • The multimodal feature analysis unit 102 combines natural language processing results with image recognition results to organize the characteristics of, and the relationships among, product specifications, applicable laws / regulations and standards, threats, trust boundaries, demarcation of responsibilities, costs, periods, failure classifications, countermeasures, attackers, attack routes, failure information, operation logs, and signatures.
  • laws, regulations and standards are also described as "predetermined rules”.
  • The data primary processing integration unit 103 performs data checking and cleansing on the syntactic analysis results of the natural language processing, and deletes confidential information and unnecessary characters from them.
  • The security request extraction data acquisition preprocessing unit 104 takes as inputs the product features, the requirement specifications (including the system configuration diagram), the applicable laws / regulations, and the security standards, and acquires and prepares teacher data showing their correspondence with the security requests (threats, trust boundaries, demarcation of responsibilities) that serve as the correct-answer label for each input. It then preprocesses the prepared data so that it can be used for machine learning.
  • The security request prediction model generation unit 105 performs supervised learning using the teacher data preprocessed by the security request extraction data acquisition preprocessing unit 104, and generates a model that predicts security requests (threats, trust boundaries, demarcation of responsibilities): the security request prediction model.
  • The security function selection data acquisition preprocessing unit 106 acquires and prepares teacher data showing the correspondence between security requirements (threats, trust boundaries, demarcation of responsibilities, costs, schedules) and the security functions (failure classification, countermeasures, attackers, attack routes) that serve as their correct-answer labels. It then preprocesses the prepared data so that it can be used for machine learning.
  • The design information selection model generation unit 107 performs supervised learning using the teacher data preprocessed by the security function selection data acquisition preprocessing unit 106, and generates a model that selects security functions (failure classification, countermeasures, attackers, attack routes): the design information selection model.
  • The product planning data acquisition unit 108 acquires the product planning data entered by the developer via the input / output device 600: the feature confirmation sheet of the product to be developed, the applicable laws / regulations and security standards, and the required specifications (including the system configuration diagram).
  • Examples of the feature confirmation sheet are shown in FIGS. 5 and 6; FIGS. 5 and 6 are connected at BL6-BL7.
  • The security request inference unit 109 takes as input the feature confirmation sheet of the product to be developed, the applicable laws / regulations and standards, and the requirement specifications (including the system configuration diagram), performs multimodal inference with the supervised-learning model (the security request prediction model), and outputs the security requests (threats, trust boundaries, demarcation of responsibility) expected for the product to be developed.
  • the cost / schedule adjustment unit 110 calculates the cost and schedule from the threats, trust boundaries, and responsibility demarcations assumed from the product to be developed.
  • the security requirement acquisition unit 111 acquires the security requirement data of the product to be developed according to the cost and schedule, and inputs the data to the security function inference unit 112.
  • The security function inference unit 112 takes as input the security requirements of the product to be developed, adjusted for cost and schedule, infers with the design information selection model, and outputs the security design information (recommended security functions) corresponding to those security requirements.
  • Security design information is design information that realizes security functions suitable for the product to be developed.
  • The security monitoring data acquisition preprocessing unit 113 preprocesses the prepared data (the product information, failure information, and operation logs described with unit 114 below) and transmits it to the security monitoring model generation unit 114.
  • The security monitoring model generation unit 114 generates a model (security monitoring model) by semi-supervised learning. Its inputs are the product information, failure information, and operation log (normal / abnormal) data of the operation log signature DB (Database; the same abbreviation is used hereinafter), the failure DB, and the system feature DB; the failure classification, threat, signature, countermeasure, attacker, and attack route serve as the correct-answer labels.
  • The threat / countermeasure comparison / linkage update unit 115 updates the information in the integrated data warehouse (DWH) 240 if any failure classification, threat, signature, countermeasure, attacker, or attack route associated with abnormal data is missing from it.
  • Hereinafter, the integrated data warehouse 240 is referred to as the integrated DWH 240.
  • the auxiliary storage unit 200 is a non-volatile storage unit.
  • The auxiliary storage unit 200 can be realized by a ROM (Read Only Memory), an HDD (Hard Disk Drive), a flash memory, or the like.
  • The auxiliary storage unit 200 stores the OS, the application programs, and various data. At least a part of the OS is loaded into the main storage unit 100 and executed by the processor 400.
  • The auxiliary storage unit 200 includes a data lake 210 that stores both the structured and the unstructured data collected by the data collection unit 101. Further, as shown in FIG. 3, the auxiliary storage unit 200 includes, as the integrated DWH 240, a plurality of databases converted into structured data: a system feature DB 241, a failure DB 242, a threat DB 243, a countermeasure DB 244, a vulnerability information DB 245, an operation log signature DB 246, a project DB 247, a specification / design document DB 248, a security standard DB 249, and a law / regulation DB 250.
  • The auxiliary storage unit 200 also includes a security request prediction model storage database 220 that stores the security request prediction model generated by supervised learning, and a design information selection model storage database 230 that stores the design information selection model generated by supervised learning.
  • the system feature DB 241 stores the degree of influence in health, safety, and environment when a security incident occurs as a feature of the product system.
  • Sample data of the system feature DB 241 is shown in FIG. 7.
  • the failure DB 242 stores the failure occurrence status when a security incident occurs, the cause analysis, the countermeasure content, and the like. Further, the failure DB 242 is composed of information such as a failure occurrence date and time, a failure classification, a product category, a unit name, a product serial number, a failure content, a cause, and countermeasures.
  • Sample data of the failure DB 242 is shown in FIG. 8.
  • the threat DB 243 covers the types of threats assumed for the product, and stores the attacker who executes the threat and the corresponding security requirements. Further, the threat DB 243 is composed of information such as assumed threats, performers, security requirements, assumed failures, and attack routes.
  • Sample data of the threat DB 243 is shown in FIG. 9.
  • the countermeasure DB 244 stores the types of threats assumed for the product, the security requirements thereof, the corresponding countermeasure contents, and the like.
  • The countermeasure DB 244 consists of information such as assumed threats, security requirements, and security function candidates. Sample data of the countermeasure DB 244 is shown in FIG. 10.
  • the vulnerability information DB 245 stores the vulnerabilities related to the software constituting the product, the CWE (Common Weakness Enumeration) classification, the corresponding signature, and the like.
  • the vulnerability information DB 245 is composed of the title of the vulnerability, the software type, the last update date, the countermeasure, the CWE, the signature introduction status, and the corresponding signature number.
  • FIG. 11 shows sample data of the vulnerability information DB 245.
  • The operation log signature DB 246 stores the operation log data captured when an abnormality occurred in a product already shipped to the market, together with the signature number under which the IPS (Intrusion Prevention System) function of the device on the trust boundary detected the abnormality.
  • the signature is a series of bytes (byte sequence) common to abnormal operations of a specific malware sample or the like. Further, the operation log signature DB 246 is composed of information such as a log No., a product serial number, a product code, a detected signature number, and a detection date and time.
  • FIG. 12 shows sample data of the operation log signature DB 246.
  • the project DB 247 stores the logs of abnormal and normal test results acquired in the system test and the equipment on the assumed trust boundary in the product development project. Further, the project DB 247 is composed of a project ID, a unit name, a product code, a software type, a product group, a test log No. (normal), a test log No. (abnormal), and information on devices on the trust boundary.
  • Sample data of the project DB 247 is shown in FIG. 13.
  • The specification / design document DB 248 shows the traceability between security-related requests, requirements, and design documents, and consists of information on the correspondence between requests, requirements, and external design documents.
  • Sample data of the specification / design document DB 248 is shown in FIG. 14.
  • The security standard DB 249 stores the names of the security standards that the product generally conforms to and the names of the standards additionally conformed to by each individual project. The security standard DB 249 consists of information such as a type and a standard name. Sample data of the security standard DB 249 is shown in FIG. 15.
  • Laws / regulations DB250 shows what kind of security-related laws / regulations are applied to products in domestic and overseas regional divisions. Further, the law / regulation DB 250 is composed of information such as a region classification, a name of a law / regulation, and a product group. FIG. 16 shows sample data of the law / regulation DB 250.
  • the security request prediction model storage DB 220 stores the security request prediction model that has been learned by supervised learning generated by the security request prediction model generation unit 105.
  • the design information selection model storage DB 230 stores the design information selection model that has been learned by supervised learning generated by the design information selection model generation unit 107.
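  • Worked example (added here; not code from the patent or from its assignee): a small Python join across the operation log signature DB 246, project DB 247 and vulnerability information DB 245, using the field lists given above, that produces the two feedback items this disclosure is concerned with. The first is a signature detected in the field for which the development side holds no vulnerability entry for that software type, the kind of omission unit 115 would write into the integrated DWH 240. The second is a project whose software type carries a known vulnerability but has not yet introduced the signature that already fired on another product, i.e. an entry for a signature update list. All rows, product codes, software types, signature numbers and the CWE value are constructed sample data, and the column names are assumptions.

```python
# Added worked example: joining operation-side detections to development-side
# knowledge. All rows below are constructed sample data; column names are assumed.

# Operation log signature DB 246: log No., product serial number, product code,
# detected signature number, detection date and time.
OPERATION_LOG_SIGNATURE_DB = [
    {"log_no": 1, "serial": "SN0001", "product_code": "PC-100",
     "signature_no": "SIG-0412", "detected_at": "2020-11-02T10:15:31Z"},
    {"log_no": 2, "serial": "SN0002", "product_code": "PC-100",
     "signature_no": "SIG-0777", "detected_at": "2020-11-03T08:02:10Z"},
]

# Project DB 247 (subset of its fields): project ID, product code, software type,
# devices on the trust boundary.
PROJECT_DB = [
    {"project_id": "PRJ-01", "product_code": "PC-100", "software_type": "ctrl-fw-2.x",
     "trust_boundary_devices": ["IPS-A"]},
    {"project_id": "PRJ-02", "product_code": "PC-200", "software_type": "ctrl-fw-3.x",
     "trust_boundary_devices": ["IPS-B"]},
]

# Vulnerability information DB 245: title, software type, last update date,
# countermeasure, CWE, signature introduction status, corresponding signature number.
VULNERABILITY_INFO_DB = [
    {"title": "Command injection via maintenance port", "software_type": "ctrl-fw-2.x",
     "last_update": "2020-09-01", "countermeasure": "validate maintenance command arguments",
     "cwe": "CWE-78", "signature_introduced": True, "signature_no": "SIG-0412"},
    {"title": "Command injection via maintenance port", "software_type": "ctrl-fw-3.x",
     "last_update": "2020-09-01", "countermeasure": "validate maintenance command arguments",
     "cwe": "CWE-78", "signature_introduced": False, "signature_no": "SIG-0412"},
]


def index_by(rows, *keys):
    """Build a lookup dict keyed on a tuple of the given columns."""
    return {tuple(row[k] for k in keys): row for row in rows}


def build_feedback(detections, projects, vulns):
    """Resolve each field detection against development-side knowledge.

    Returns (resolved, unknown, update_list):
      resolved     detections explained by a known vulnerability (CWE + countermeasure)
      unknown      detections with no vulnerability entry for that software type,
                   i.e. knowledge the development side is missing (the omission check
                   unit 115 performs before updating the integrated DWH)
      update_list  projects whose software type carries a known vulnerability but whose
                   IPS signature is not yet introduced although it fired elsewhere
    """
    project_by_code = index_by(projects, "product_code")
    vuln_by_sw_sig = index_by(vulns, "software_type", "signature_no")
    resolved, unknown, update_list = [], [], []

    for det in detections:
        project = project_by_code.get((det["product_code"],))
        if project is None:
            unknown.append({**det, "reason": "product code not in project DB"})
            continue
        vuln = vuln_by_sw_sig.get((project["software_type"], det["signature_no"]))
        if vuln is None:
            unknown.append({"log_no": det["log_no"], "signature_no": det["signature_no"],
                            "software_type": project["software_type"],
                            "reason": "signature not linked to any vulnerability"})
            continue
        resolved.append({"log_no": det["log_no"], "product_code": det["product_code"],
                         "signature_no": det["signature_no"], "cwe": vuln["cwe"],
                         "countermeasure": vuln["countermeasure"]})

    detected = {det["signature_no"] for det in detections}
    for vuln in vulns:
        if vuln["signature_no"] in detected and not vuln["signature_introduced"]:
            for project in projects:
                if project["software_type"] == vuln["software_type"]:
                    update_list.append({"product_code": project["product_code"],
                                        "software_type": project["software_type"],
                                        "signature_no": vuln["signature_no"],
                                        "cwe": vuln["cwe"]})
    return resolved, unknown, update_list


if __name__ == "__main__":
    results = build_feedback(OPERATION_LOG_SIGNATURE_DB, PROJECT_DB, VULNERABILITY_INFO_DB)
    for name, items in zip(("resolved", "unknown", "signature update list"), results):
        print(name, items)
```

  • The join key for the vulnerability lookup is (software type, signature number) rather than product code alone, because the same signature can mean a fixed vulnerability on one software line and an unmitigated one on another; the update list is exactly the second case.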
  • the display device 500 displays a character string and an image according to a user operation.
  • the display device 500 includes a liquid crystal display, an organic EL (Electro Luminescence) display, and the like.
  • the display device 500 may be integrally configured with the development side security analysis support device 10.
  • the input / output device 600 is composed of a keyboard, a mouse, a numeric keypad, and the like.
  • the user operates the development side security analysis support device 10 via the input / output device 600.
  • the input / output device 600 may include a touch panel that is integrally arranged with the display device 500 and can accept a user's touch operation.
  • the input / output device 600 may be integrally configured with the development side security analysis support device 10.
  • the interface unit 300 transmits and receives various data to and from the operation side security analysis support device 50.
  • the interface unit 300 includes a receiver and a transmitter (not shown).
  • the receiver receives various data from the operation side security analysis support device 50.
  • the transmitter transmits various data from the processor 400 to the operation side security analysis support device 50.
  • the interface unit 300 can be realized by a communication chip, a NIC (Network Interface Card), or the like.
  • The development side security analysis support device 10 is roughly divided into a learning unit centered on the security request prediction model generation unit 105 and the design information selection model generation unit 107, and an inference unit centered on the security request inference unit 109 and the security function inference unit 112.
  • The learning unit and the inference unit are used to learn and output the security requests of the target product and the selection of security functions. They may be, for example, devices separate from the target product that are connected to it via a network; they may be built into the target product; or they may reside on a cloud server.
  • As the learning algorithm used by the security request prediction model generation unit 105 and the design information selection model generation unit 107, a known supervised learning algorithm can be used. In the following, the case where a neural network is applied is described as an example.
  • the security requirement prediction model generation unit 105 and the design information selection model generation unit 107 perform learning to output by so-called supervised learning according to, for example, a neural network model.
  • supervised learning refers to a method of learning a feature in those learning data by giving a set of input and result (label) data to the learning unit, and inferring the result from the input.
  • a neural network is composed of an input layer consisting of a plurality of neurons, an intermediate layer (hidden layer) consisting of a plurality of neurons, and an output layer consisting of a plurality of neurons.
  • the intermediate layer may be one layer or two or more layers.
  • The first neural network learns, by so-called supervised learning, from learning data created from combinations of the input data acquired by the security request extraction data acquisition preprocessing unit 104 (product features, requirement specifications including the system configuration diagram, applicable laws / regulations and security standards) and the corresponding correct answers (security requests: threat, trust boundary, demarcation of responsibility).
  • The second neural network learns, by so-called supervised learning, from learning data created from combinations of the input acquired by the security function selection data acquisition preprocessing unit 106 (security requirements: threat, trust boundary, demarcation of responsibility, cost, schedule) and the corresponding correct answers (selection of security functions: failure classification, countermeasures, attackers, attack routes).
  • The neural network learns by feeding the input data to the input layer and adjusting the weights W1 (input layer to intermediate layer) and W2 (intermediate layer to output layer) so that the result output from the output layer approaches the correct answer (label).
  • the security requirement prediction model generation unit 105 and the design information selection model generation unit 107 generate and output a trained model (security requirement prediction model, design information selection model) by executing the above learning.
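  • Worked example (added here; not the patent's code) of the supervised learning just described: a three-layer network in plain Python whose weights W1 (input to intermediate layer) and W2 (intermediate to output layer) are adjusted by backpropagation so that the output approaches the correct-answer label, followed by the inference step that turns a feature confirmation sheet into predicted security requests. The four feature names, the three threat labels and the eight teacher-data rows are constructed; the real device would encode the feature confirmation sheet, laws / regulations, standards and requirement specifications into much larger vectors, and the page does not specify that encoding.

```python
import math
import random

# Constructed feature vocabulary and label set (assumptions, not the patent's):
# inputs taken from a product feature confirmation sheet, outputs the security
# requests (threats) that serve as correct-answer labels.
FEATURES = ["network_interface", "stores_personal_data", "remote_update", "physical_access"]
SECURITY_REQUESTS = ["threat:network_intrusion", "threat:data_leakage", "threat:tampered_update"]

# Constructed teacher data: (feature vector, correct-answer label vector).
TEACHER_DATA = [
    ([1, 0, 0, 0], [1, 0, 0]),
    ([0, 1, 0, 0], [0, 1, 0]),
    ([0, 0, 1, 0], [0, 0, 1]),
    ([0, 0, 0, 1], [0, 0, 0]),
    ([1, 1, 0, 1], [1, 1, 0]),
    ([1, 0, 1, 1], [1, 0, 1]),
    ([0, 1, 1, 0], [0, 1, 1]),
    ([1, 1, 1, 1], [1, 1, 1]),
]


def sigmoid(x):
    return 1.0 / (1.0 + math.exp(-x))


class ThreeLayerNet:
    """Input layer -> intermediate layer (weights W1) -> output layer (weights W2).

    Each weight row carries one extra entry for a constant bias input of 1.0.
    """

    def __init__(self, n_in, n_hidden, n_out, seed=1):
        rng = random.Random(seed)  # fixed seed so the example is reproducible
        self.W1 = [[rng.uniform(-0.5, 0.5) for _ in range(n_in + 1)] for _ in range(n_hidden)]
        self.W2 = [[rng.uniform(-0.5, 0.5) for _ in range(n_hidden + 1)] for _ in range(n_out)]

    def forward(self, x):
        xb = list(x) + [1.0]
        hb = [sigmoid(sum(w * v for w, v in zip(row, xb))) for row in self.W1] + [1.0]
        y = [sigmoid(sum(w * v for w, v in zip(row, hb))) for row in self.W2]
        return xb, hb, y

    def train(self, data, epochs=3000, lr=0.5):
        """Gradient descent on the squared error: adjust W2, then W1, so the
        output approaches the correct-answer label for every teacher-data row."""
        for _ in range(epochs):
            for x, target in data:
                xb, hb, y = self.forward(x)
                d_out = [(yi - ti) * yi * (1.0 - yi) for yi, ti in zip(y, target)]
                d_hid = [sum(d_out[k] * self.W2[k][j] for k in range(len(self.W2)))
                         * hb[j] * (1.0 - hb[j]) for j in range(len(self.W1))]
                for k, row in enumerate(self.W2):
                    for j in range(len(row)):
                        row[j] -= lr * d_out[k] * hb[j]
                for j, row in enumerate(self.W1):
                    for i in range(len(row)):
                        row[i] -= lr * d_hid[j] * xb[i]

    def predict(self, x):
        return [1 if yi >= 0.5 else 0 for yi in self.forward(x)[2]]


def train_security_request_model(seed=1):
    """Stand-in for the security request prediction model generation unit."""
    net = ThreeLayerNet(len(FEATURES), 6, len(SECURITY_REQUESTS), seed)
    net.train(TEACHER_DATA)
    return net


def training_accuracy(net):
    hits = sum(1 for x, t in TEACHER_DATA if net.predict(x) == t)
    return hits / len(TEACHER_DATA)


def infer_security_requests(net, sheet):
    """Stand-in for the security request inference unit; sheet maps feature -> 0/1."""
    x = [sheet.get(f, 0) for f in FEATURES]
    return [name for name, bit in zip(SECURITY_REQUESTS, net.predict(x)) if bit]


if __name__ == "__main__":
    model = train_security_request_model()
    print("training accuracy:", training_accuracy(model))
    print(infer_security_requests(model, {"network_interface": 1, "remote_update": 1}))
```

  • Multi-label output is deliberate: a product normally has several security requests at once, so each output neuron is thresholded independently instead of taking a single argmax.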
  • <Data acquisition step> FIGS. 18 and 19 are flowcharts of data acquisition and storage in the learning unit. Hereinafter, the operation of the learning unit is described according to the flowcharts shown in FIGS. 18 and 19.
  • In step S101, the data collection unit 101 collects existing data such as past project data 601, vulnerability analysis result information 602, specification / design documents 603, legal / regulatory information 604, security standards 605, and the operation logs and incident signature information 606 of products in the past market, and transmits them to the data lake 210.
  • In step S102, the data lake 210 accumulates the data transmitted from the data collection unit 101.
  • In step S103, it is determined whether the accumulated data is structured data. If not, step S104 determines whether the data has regularity. If it has no regularity, step S105 determines whether it is text data.
  • If it is text data, in step S106 the syntactic analysis of natural language processing is performed, and the required specifications of the product plan are extracted from the result. If it is not text data, that is, if it is image data or the like, in step S107 image recognition is performed on the system configuration diagram, and the system configuration and the trust boundaries are identified from the result.
  • In step S108, the multimodal feature analysis unit 102 receives the processing results of steps S106 and S107, combines the natural language processing and image recognition results, and organizes the characteristics of, and the relationships among, the product specifications according to the system configuration, the applicable laws / regulations and standards, threats, trust boundaries, demarcation of responsibilities, costs, periods, failure classifications, countermeasures, attackers, attack routes, failure information, operation information, and signatures.
  • In step S109, the data primary processing integration unit 103 unifies the data into the JSON format.
  • In step S110, the data primary processing integration unit 103 performs data checking and cleansing on the parsing results of the natural language processing, deleting confidential information and unnecessary characters.
  • In step S111, the data primary processing integration unit 103 converts all the data into the CSV format.
  • The resulting structured data is held in the integrated DWH 240, which consists of the system feature DB 241, failure DB 242, threat DB 243, countermeasure DB 244, vulnerability information DB 245, operation log signature DB 246, project DB 247, specification / design document DB 248, security standard DB 249, and law / regulation DB 250.
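  • Worked example (added here, not from the patent) of steps S103 to S111 in Python: each record from the data lake is classified as structured, regular, text or image, parsed by the corresponding branch, unified as a JSON object, cleansed, and written to CSV. The record contents, the key=value log format, the "shall" heuristic standing in for the syntactic analysis of step S106, and the redaction rules (e-mail addresses, and token / password fields whose values are never kept) are assumptions; the image branch only types the diagram bytes for the image recognition of step S107, which is out of scope here. The security-relevant point is the order of operations: confidential information is removed before a record becomes teacher data, so it can never be memorised by a model or leak through the CSV export.

```python
import csv
import io
import json
import re

# Constructed sample input (assumption, not from the patent): records as the data
# collection unit might hand them to the data lake, as (source, payload) pairs.
RAW_RECORDS = [
    ("failure_db", {"failure_id": 17, "failure_classification": "unauthorized access",
                    "product_code": "PC-100"}),
    ("ops_log", "2020-11-02T10:15:31Z sig=SIG-0412 serial=SN0001 code=PC-100 "
                "token=9f8e7d action=blocked"),
    ("spec_doc", "Firmware\timages shall be signed by the vendor key; "
                 "report issues to j.doe@example.com."),
    ("config_diagram", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
]

KV_RE = re.compile(r"^(?:\S+\s+)?(?:\w+=\S+\s*)+$")    # regular text: key=value tokens
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")   # confidential: e-mail addresses
JUNK_RE = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]|\s+")    # unnecessary characters, whitespace runs
SECRET_KEYS = {"token", "password", "passwd", "secret"}  # confidential: values never kept


def classify(payload):
    """Steps S103-S105: structured -> regular -> text -> image."""
    if isinstance(payload, (dict, list)):
        return "structured"
    if isinstance(payload, (bytes, bytearray)):
        return "image"
    if KV_RE.match(payload):
        return "regular"
    return "text"


def parse(kind, payload):
    """Branch-specific extraction feeding the feature analysis of step S108."""
    if kind == "structured":
        return dict(payload)
    if kind == "regular":
        fields = {}
        for token in payload.split():
            if "=" in token:
                key, value = token.split("=", 1)
                fields[key] = value
            else:
                fields["timestamp"] = token  # the one bare token in this log format
        return fields
    if kind == "text":
        # Step S106 stand-in for syntactic analysis: keep requirement sentences ("shall").
        sentences = re.split(r"(?<=[.!?])\s+", payload)
        return {"required_specifications": [s for s in sentences if " shall " in s]}
    # Step S107: only record what the image recognition step will receive.
    return {"image_format": "png" if payload.startswith(b"\x89PNG") else "unknown",
            "image_bytes": len(payload)}


def cleanse(value, key=None):
    """Step S110: delete confidential information and unnecessary characters, recursively."""
    if isinstance(value, dict):
        return {k: cleanse(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [cleanse(v) for v in value]
    if isinstance(value, str):
        if key in SECRET_KEYS:
            return "[REDACTED]"
        value = EMAIL_RE.sub("[REDACTED-EMAIL]", value)
        return JUNK_RE.sub(" ", value).strip()
    return value


def normalize(records):
    """Steps S103-S111: classify, parse, unify as JSON objects, cleanse, emit CSV."""
    rows = []
    for source, payload in records:
        kind = classify(payload)
        doc = {"source": source, "kind": kind, **parse(kind, payload)}
        doc = json.loads(json.dumps(doc))   # step S109: one JSON representation for all
        rows.append(cleanse(doc))           # step S110: cleanse before anything is kept
    columns = sorted({k for row in rows for k in row})
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns)  # step S111: everything to CSV
    writer.writeheader()
    for row in rows:
        writer.writerow({k: json.dumps(v) if isinstance(v, (list, dict)) else v
                         for k, v in row.items()})
    return rows, out.getvalue()


if __name__ == "__main__":
    _, csv_text = normalize(RAW_RECORDS)
    print(csv_text)
```

  • The product serial number is kept on purpose: the operation log signature DB described above stores it, so it is reference data here rather than confidential information. Which fields count as confidential is a policy decision that the page leaves open, so the two rules above should be read as placeholders for that policy.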
  • FIG. 20 is a flowchart of the learning process of the security request prediction model in the learning unit. Hereinafter, the operation of the learning unit is described according to the flowchart shown in FIG. 20.
  • In step S201, the security request extraction data acquisition preprocessing unit 104 acquires teacher data showing the correspondence between the inputs (product features, requirement specifications, applicable laws / regulations and security standards) and the security requests (threats, trust boundaries, demarcation of responsibility) that serve as their correct-answer labels, and prepares it for machine-learning preprocessing.
  • In step S202, the security request extraction data acquisition preprocessing unit 104 preprocesses the prepared data so that it can be machine-learned.
  • In step S203, the security request prediction model generation unit 105 performs supervised learning using the preprocessed teacher data and generates a model that predicts security requests (threat, trust boundary, demarcation of responsibility).
  • In step S204, the security request prediction model storage DB 220 stores the generated prediction model.
  • FIG. 21 is a flowchart of the learning process for the design information selection model in the learning unit. The operation of the learning unit is described below according to the flowchart shown in FIG. 21.
  • In step S301, the security function selection data acquisition preprocessing unit 106 acquires teacher data showing the correspondence between the security requirements (threats, trust boundaries, demarcation of responsibilities, costs, schedules) and the security functions (failure classification, countermeasures, attackers, attack routes) that serve as correct labels for those security requirements, and prepares for the preprocessing for machine learning.
  • In step S302, the security function selection data acquisition preprocessing unit 106 preprocesses the prepared data so that it can be used for machine learning.
  • In step S303, the design information selection model generation unit 107 performs supervised learning using the preprocessed teacher data, and generates a model that predicts the selection of security functions (failure classification, countermeasures, attackers, attack routes).
  • In step S304, the design information selection model storage DB 230 stores the generated prediction model.
  • FIG. 22 is a flowchart of the inference processing in the inference unit. The operation of the inference unit is described below according to the flowchart shown in FIG. 22.
  • In step S401, the product planning data acquisition unit 108 acquires the feature confirmation sheet 653 of the product to be developed, entered by the developer via the input / output device 600, together with the laws, regulations and standards 651 with which the product complies and the requirement specifications 652 (specifications including a system configuration diagram).
  • In step S402, the product planning data acquisition unit 108 collects the feature amounts of the data in the laws / regulations and standards 651 and the requirement specifications 652 that correspond to the acquired feature confirmation sheet 653, and inputs them to the security requirement inference unit 109.
  • In step S403, the security requirement inference unit 109 takes as input the features of the product to be developed, the requirement specifications (including the system configuration diagram), the applicable laws and regulations, and the security standards, performs multimodal inference with the supervised learning model (inference with the security requirement prediction model), and outputs the security requirements (threats, trust boundaries, demarcation of responsibilities) of the product to be developed.
  • To classify the security requirements for the assumed threats, the system feature DB 241, failure DB 242, threat DB 243, project DB 247, specification / design document DB 248, security standard DB 249, and law / regulation DB 250 are referred to.
  • In step S404, the cost / schedule adjustment unit 110 calculates the cost and schedule from the threats, trust boundaries, and responsibility demarcation points assumed for the product to be developed, and outputs the security requirement information sheet 654 of the product to be developed.
  • An example of the security requirement information sheet 654 is shown in FIGS. 23 and 24.
  • In step S405, the security requirement acquisition unit 111 acquires the data of the security requirement information sheet 654, that is, the security requirements of the product to be developed adjusted to the cost and schedule, and inputs the data to the security function inference unit 112.
  • In step S406, the security function inference unit 112 inputs the security requirements of the product to be developed, adjusted to the cost and schedule, into the design information selection model, performs inference, and outputs a recommended proposal of security functions corresponding to those security requirements for the product to be developed.
  • The countermeasure DB 244 is referred to in order to classify the correspondence of the function candidates to the security requirements for the assumed threats.
  • FIG. 25 shows an example of the security design information sheet 655.
  • The development side security analysis support device 10 automatically performs "function selection" in addition to "requirement extraction" in system-level security analysis. This shortens the time needed for security analysis of known threats before product shipment, and makes it possible to improve security quality efficiently and without dependence on individual skill. That is, the quality of security can be improved efficiently.
  • The development side security analysis support device 10 described in Embodiment 1 generates the security design information sheet 655 and the like for the product to be developed, and then ends its operation.
  • The operation side security analysis support device 50 described in Embodiment 2 learns a security monitoring model based on the vulnerability information and the operation log data stored in the vulnerability information DB 245 and the operation log signature DB 246. It then detects abnormalities from the operation logs of the product in the actual market (the product to be operated), updates the IPS signatures of the product on the operation side, and also updates the threats and countermeasure contents on the development side.
  • FIG. 26 is a block diagram showing the configuration of the operation side security analysis support device 50 according to Embodiment 2.
  • FIG. 27 is a block diagram showing details of the configuration of the operation side security analysis support device 50.
  • The operation side security analysis support device 50 analyzes the operation logs after product development is completed and the product is shipped to the market, determines abnormalities, updates signatures, and feeds the results back to the development side security analysis support device that performs security analysis of the product to be developed.
  • The operation side security analysis support device 50 includes a main storage unit 900, an auxiliary storage unit 1000, a communication unit 700 that communicates with the development side security analysis support device, a communication unit 1100 that communicates with the product 90 (field), and a processor 800. The operation side security analysis support device 50 is also connected to a display device 1200 and an input / output device 1300.
  • The operation side security analysis support device 50 is, for example, a personal computer.
  • The processor 800 is connected to the other hardware via signal lines.
  • The processor 800 can be realized by a CPU (central processing unit), an MPU, a DSP, a GPU, a microcomputer, an FPGA, an ASIC, or the like.
  • The processor 800 realizes various functions by reading the OS, the application programs, and various data stored in the auxiliary storage unit 1000, which will be described later, and executing arithmetic processing.
  • The processor 800 includes the functional configuration described later.
  • The functional configuration may be realized by firmware.
  • The hardware combining the processor 800, the main storage unit 900, and the auxiliary storage unit 1000, which will be described later, is also referred to as a "processing circuit".
  • The main storage unit 900 is a volatile storage unit.
  • The main storage unit 900 can be realized by RAM or the like.
  • The main storage unit 900 is used in the operation side security analysis support device 50 to temporarily store data that is generated, input / output, or transmitted / received.
  • The main storage unit 900 includes an operation log data acquisition unit 901, an operation log data preprocessing unit 902, a security monitoring model inference unit 903, a signature data comparison unit 904, and a signature information update unit 905.
  • The operation log data acquisition unit 901 acquires the operation / maintenance analysis log data stored in the operation / maintenance analysis DB 1002.
  • The operation log data preprocessing unit 902 performs data conversion preprocessing so that the operation log data can be used for machine learning.
  • The security monitoring model inference unit 903 inputs product information, failure information, and operation information (normal, abnormal) into the semi-supervised learning model, performs inference, and outputs the failure classification, threat, signature, countermeasure, attacker, and attack route of the abnormal data.
  • The signature data comparison unit 904 transmits the failure classification, threat, signature, countermeasure, attacker, and attack route of the abnormal data to the interface unit 300 of the development side security analysis support device 10. Further, when the log data contains an abnormality, the signature data comparison unit 904 compares it with the currently registered signature data, creates a signature update list file, and transmits it to the signature information update unit 905.
  • FIG. 28 shows an example of the signature update list file.
  • The signature information update unit 905 issues the signature update data and the update command, and distributes the signature data to the centralized controller 2004.
  • The auxiliary storage unit 1000 is a non-volatile storage unit.
  • The auxiliary storage unit 1000 can be realized by a ROM, an HDD, a flash memory, or the like.
  • The auxiliary storage unit 1000 stores the OS, the application programs, and various data. At least part of the OS is loaded into the main storage unit 900 and executed by the processor 800.
  • The auxiliary storage unit 1000 includes a security monitoring model storage DB 1001 that stores the security monitoring model generated by semi-supervised machine learning, and an operation / maintenance analysis DB 1002 that stores the operation log data of products in the market.
  • The security monitoring model storage DB 1001 stores the security monitoring model trained by semi-supervised learning and generated by the security monitoring model generation unit 114.
  • The operation / maintenance analysis DB 1002 is composed of information such as log No., product serial number, product code, supported signature number, log acquisition date / time, failure information, and operation information.
  • FIG. 29 shows sample data of the operation / maintenance analysis DB 1002.
  • The display device 1200 displays character strings and images according to the operations of the operation / maintenance person.
  • The display device 1200 is composed of a liquid crystal display, an organic EL display, or the like.
  • The display device 1200 may be configured integrally with the operation side security analysis support device 50.
  • The input / output device 1300 is composed of a keyboard, a mouse, a numeric keypad, and the like.
  • The operation / maintenance person operates the operation side security analysis support device 50 via the input / output device 1300.
  • The input / output device 1300 may include a touch panel that is configured integrally with the display device 1200 and can accept touch operations by maintenance / operation personnel.
  • The communication unit 700 sends and receives various data between the operation side security analysis support device 50 and the development side security analysis support device 10.
  • The communication unit 700 and the communication unit 1100 each include a receiver and a transmitter (not shown).
  • The receiver receives various data from the development side security analysis support device 10 and the remote monitoring device 2001.
  • The transmitter transmits various data from the processor 800 to the development side security analysis support device 10 and the remote monitoring device 2001.
  • The communication unit 700 and the communication unit 1100 can be realized by a communication chip, a NIC, or the like.
  • The operation side security analysis support device 50 is roughly divided into a learning unit centered on the security monitoring model generation unit 114 and an inference unit centered on the security monitoring model inference unit 903.
  • The learning unit and the inference unit are used to learn the security requirements of the target product and the output of the security function selection. For example, they may be devices separate from the target product and connected to it via a network. The learning unit and the inference unit may also be built into the target product, or they may reside on a cloud server.
  • As the learning algorithm used by the security monitoring model generation unit 114, a known algorithm for semi-supervised learning can be used. As an example, a case where a neural network is applied is described.
  • The security monitoring model generation unit 114 learns the output by so-called semi-supervised learning according to, for example, a neural network model.
  • Semi-supervised learning here refers to a method in which sets of input data and result (label) data are given to the learning device, which learns the features in the learning data and infers the result from the input.
  • A neural network is composed of an input layer consisting of a plurality of neurons, an intermediate layer (hidden layer) consisting of a plurality of neurons, and an output layer consisting of a plurality of neurons.
  • The intermediate layer may be one layer or two or more layers.
  • Learning is performed with the following neural network model. The input data are product information, failure information, and operation information (normal, abnormal); the security monitoring data acquisition preprocessing unit 113 acquires this input data. The corresponding failure classification, threat, signature, countermeasures, attackers, and attack routes are the correct answers for that input. The output is learned by so-called semi-supervised learning according to learning data created from these combinations of input and correct answer.
  • The neural network learns by feeding the input data to the input layer and adjusting the weights W1 and W2 so that the result output from the output layer approaches the correct answer.
  • The security monitoring model generation unit 114 generates and outputs a trained model (security monitoring model) by executing the above learning.
  • FIG. 30 is a flowchart of the learning process for the security monitoring model in the learning unit. The operation of the learning unit is described below according to the flowchart shown in FIG. 30.
  • In step S501, the security monitoring data acquisition preprocessing unit 113 acquires teacher data showing the correspondence between the inputs (product information, failure information, and operation information (normal, abnormal)) and the failure classification, threat, signature, countermeasure, attacker, and attack route that serve as correct labels for those inputs.
  • In step S502, the security monitoring data acquisition preprocessing unit 113 performs the preprocessing for machine learning and transmits the result to the security monitoring model generation unit 114.
  • In step S503, the security monitoring model generation unit 114 performs supervised learning using the preprocessed teacher data, and generates a model (security monitoring model) that predicts failure classification, threats, signatures, countermeasures, attackers, and attack routes.
  • In step S504, the interface unit 300 of the development side security analysis support device 10 transmits the data to the communication unit 700 of the operation side security analysis support device 50.
  • In step S505, the security monitoring model storage DB 1001 stores the generated prediction model (security monitoring model).
  • <Inference phase> FIGS. 31 and 32 are flowcharts of the inference processing in the inference unit. The operation of the inference unit is described below according to the flowcharts shown in FIGS. 31 and 32.
  • In step S601, the remote monitoring device 2001 transmits the operation data log to the communication unit 1100 via the maintenance communication line.
  • In step S602, the communication unit 1100 stores the received operation data log in the operation / maintenance analysis DB 1002.
  • In step S603, the operation log data acquisition unit 901 acquires the operation log from the operation / maintenance analysis DB 1002 and transmits it to the operation log data preprocessing unit 902.
  • In step S604, the operation log data preprocessing unit 902 extracts product information, failure information, and operation information (normal / abnormal) from the operation log and inputs them to the security monitoring model inference unit 903.
  • In step S605, the security monitoring model inference unit 903 inputs the product information, failure information, and operation information (normal, abnormal) into the semi-supervised learning model, performs inference, and outputs the failure classification, threat, signature, countermeasure, attacker, and attack route of the abnormal data, which are transmitted to the signature data comparison unit 904.
  • The data output at this time corresponds to the knowledge file 1301 (knowledge information) obtained from the operation of the product in the market shown in FIG. 27; an example of the knowledge file is shown in FIGS. 33 and 34. FIGS. 33 and 34 are connected by BL10-BL11.
  • In step S606, the signature data comparison unit 904 transmits the failure classification, threat, signature, countermeasure, attacker, and attack route of the abnormal data to the interface unit 300 of the development side security analysis support device 10.
  • In step S607, the interface unit 300 of the development side security analysis support device receives the failure classification, threat, signature, countermeasure, attacker, and attack route of the abnormal data, and transfers the data to the threat / countermeasure comparison cooperation update unit 115.
  • In step S608, the threat / countermeasure comparison cooperation update unit 115 compares the failure classification, threat, signature, countermeasure, attacker, and attack route of the abnormal data with the values in the existing DBs, and if any content is missing, updates the information in the integrated DB 240.
  • In step S609, the signature data comparison unit 904 compares the data with the currently registered signature data, creates a signature update list file 1302, and transmits it to the signature information update unit 905. If the signature has not been registered, registration is requested from the IDS (Intrusion Detection System) on the product side.
  • In step S610, the signature information update unit 905 issues the signature update data and its update command.
  • In step S611, the issued signature update command and its data are transmitted to the centralized controller 2004 of the product, which is a security trust boundary, and the latest signature is applied to the IPS of the centralized controller 2004.
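As an added example (not the applicant's code), the following Python models steps S603 to S610 above on constructed data: it reads rows shaped like the operation / maintenance analysis DB 1002, stands in for the security monitoring model with a fixed lookup, builds the signature update list by comparing each inferred signature with the signatures registered in the product's IPS, and lists the (threat, signature) pairs missing from the development side threat DB. The column names, signature IDs, failure names and the JSON update format are all assumptions made for the example.

```python
import csv
import io
import json
from dataclasses import dataclass

# Constructed sample rows in the shape of the operation / maintenance analysis
# DB 1002 (log No., product serial number, product code, supported signature
# number, log acquisition date / time, failure information, operation
# information). Every value here is invented for the example.
OPERATION_LOG_CSV = """\
log_no,serial,product_code,supported_signature,acquired_at,failure_info,operation_info
1,SN-0001,PC-A,SIG-0100,2020-11-01T09:00:00,none,normal
2,SN-0001,PC-A,SIG-0100,2020-11-01T09:05:00,auth_failure_burst,abnormal
3,SN-0002,PC-A,SIG-0100,2020-11-01T09:07:00,none,normal
4,SN-0003,PC-B,SIG-0120,2020-11-01T09:10:00,unexpected_port_scan,abnormal
5,SN-0003,PC-B,SIG-0120,2020-11-01T09:12:00,firmware_hash_mismatch,abnormal
"""

# Stand-in for the trained security monitoring model (inference unit 903):
# failure information -> (failure classification, threat, signature,
# countermeasure, attacker, attack route). A constructed lookup, not a model.
MODEL_STUB = {
    "auth_failure_burst": ("authentication", "credential guessing", "SIG-0105",
                           "account lockout and alert", "remote", "maintenance line"),
    "unexpected_port_scan": ("network", "reconnaissance", "SIG-0120",
                             "block source address", "remote", "field network"),
    "firmware_hash_mismatch": ("integrity", "tampered firmware", "SIG-0130",
                               "reject update", "local", "update channel"),
}

# Constructed field state: signatures currently registered in each product's
# IPS, and the (threat, signature) pairs already present in the threat DB.
REGISTERED_SIGNATURES = {"PC-A": {"SIG-0100"}, "PC-B": {"SIG-0120"}}
EXISTING_THREAT_DB = {("credential guessing", "SIG-0105")}


@dataclass(frozen=True)
class Finding:
    """One knowledge record for an abnormal log entry (cf. FIGS. 33 and 34)."""
    log_no: int
    serial: str
    product_code: str
    failure_class: str
    threat: str
    signature: str
    countermeasure: str
    attacker: str
    attack_route: str


def load_operation_log(text):
    """Step S603: read the operation log rows as dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def infer_abnormal(rows, model=MODEL_STUB):
    """Steps S604-S605: keep abnormal rows and map each to a Finding."""
    findings = []
    for row in rows:
        if row["operation_info"] != "abnormal":
            continue  # normal operation produces no knowledge record
        cls, threat, sig, cm, attacker, route = model[row["failure_info"]]
        findings.append(Finding(int(row["log_no"]), row["serial"], row["product_code"],
                                cls, threat, sig, cm, attacker, route))
    return findings


def build_signature_update_list(findings, registered=REGISTERED_SIGNATURES):
    """Step S609: list signatures that the product's IPS does not hold yet.

    A signature already registered for that product code needs no update;
    each missing (product code, signature) pair is listed once.
    """
    updates, seen = [], set()
    for f in findings:
        key = (f.product_code, f.signature)
        if f.signature in registered.get(f.product_code, set()) or key in seen:
            continue
        seen.add(key)
        updates.append({"product_code": f.product_code, "signature": f.signature,
                        "threat": f.threat, "countermeasure": f.countermeasure})
    return updates


def missing_threat_entries(findings, existing=EXISTING_THREAT_DB):
    """Steps S606-S608: (threat, signature) pairs absent from the threat DB."""
    return sorted({(f.threat, f.signature) for f in findings} - set(existing))


def signature_update_file(updates):
    """Step S610: serialize the update list as the command payload (assumed format)."""
    return json.dumps({"command": "signature_update", "entries": updates}, indent=2)


if __name__ == "__main__":
    found = infer_abnormal(load_operation_log(OPERATION_LOG_CSV))
    print(signature_update_file(build_signature_update_list(found)))
    print("missing in threat DB:", missing_threat_entries(found))
```

With the constructed data, SIG-0120 is already registered for product PC-B and is left out of the update list, while SIG-0105 and SIG-0130 are queued for distribution and two new (threat, signature) pairs are reported back for the integrated DB.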
  • The operation side security analysis support device 50 provides a security monitoring mechanism on the cloud and can cooperate with the development side security analysis support device 10. By grasping signs of attacks on unknown threats and vulnerabilities after product shipment, it can promptly detect unauthorized access and give quick feedback to the development side security analysis support device 10.
  • This achieves the effect of mutual cooperation between the development side security analysis support device 10 and the operation side security analysis support device 50. That is, the quality of security can be improved efficiently.
  • The embodiments can be freely combined, and each embodiment can be modified or omitted as appropriate.

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The objective of the present disclosure is to provide a development side security analysis support device capable of efficiently improving the quality of security. A development side security analysis support device according to the present disclosure is provided with: a security demand inferring unit which infers a security demand by inputting data including a feature of a development target, a required specification of the development target, and a predetermined provision to which the development target conforms, into a security demand prediction model for predicting a security demand matching the development target; a security requirement acquiring unit which, on the basis of the security demand inferred by the security demand inferring unit, acquires a security requirement corresponding to the security demand, from a first database which stores information representing a correspondence between security demands and security requirements; and a design information inferring unit which infers design information by inputting the security requirement acquired by the security requirement acquiring unit into a design information selection model for selecting design information for implementing a security function matching the development target.

Description

Development side security analysis support device, operation side security analysis support device, and security analysis support system
The present disclosure relates to a development side security analysis support device, an operation side security analysis support device, and a security analysis support system that detect attacks on a target product and perform its maintenance and operation.
A conventional product security analysis device performs threat analysis of a target system based on functional application model information, in which the functional applications included in the target system are modeled using system specification information, and vulnerability model information, in which the vulnerabilities included in example systems are modeled using system specification information (see, for example, Patent Document 1). Other techniques related to threat analysis have also been disclosed (see, for example, Non-Patent Document 1).
Patent Document 1: International Publication No. 2019/093059
In conventional threat analysis techniques, only "requirement extraction" at the conceptual design level of the software is addressed in the analysis of product security threats and vulnerabilities; the more concrete "requirement extraction" of requirements analysis at the system level and the "function selection" of system design still required separate manual work by the developer. As a result, the man-hours from security "requirement extraction" through "function selection" increased, and quality was not consistent but depended on the skill of the individual worker.
Furthermore, the "development side" and the "operation side" of a product could not automate the exchange of information between them, so feedback to the "development side" about new threats found on the operation side was sometimes delayed. Conversely, vulnerabilities that had become known on the "development side" and their countermeasures could not be deployed quickly and sufficiently to the "operation side".
Thus, conventional threat analysis techniques could not efficiently improve the quality of security.
The present disclosure was made to solve such problems, and its object is to provide a development side security analysis support device, an operation side security analysis support device, and a security analysis support system capable of efficiently improving the quality of security.
To solve the above problems, the development side security analysis support device according to the present disclosure includes: a security demand inference unit that infers a security demand by inputting data including the features of the development target, the requirement specifications of the development target, and the predetermined provisions with which the development target complies into a security demand prediction model for predicting security demands that match the development target; a security requirement acquisition unit that, based on the security demand inferred by the security demand inference unit, acquires the security requirement corresponding to that security demand from a first database storing information indicating the correspondence between security demands and security requirements; and a design information inference unit that infers design information by inputting the security requirement acquired by the security requirement acquisition unit into a design information selection model for selecting design information that realizes a security function matching the development target.
According to the present disclosure, the quality of security can be improved efficiently.
The objects, features, aspects, and advantages of the present disclosure will become more apparent from the following detailed description and the accompanying drawings.
FIG. 1 is a block diagram showing an outline of the overall configuration of the development side security analysis support device according to Embodiment 1.
FIGS. 2, 3 and 4 are block diagrams showing details of the configuration of the development side security analysis support device according to Embodiment 1.
FIGS. 5 and 6 are diagrams showing examples of the product feature confirmation sheet according to Embodiment 1.
FIG. 7 is a diagram showing an example of the system feature DB according to Embodiment 1.
FIG. 8 is a diagram showing an example of the failure DB according to Embodiment 1.
FIG. 9 is a diagram showing an example of the threat DB according to Embodiment 1.
FIG. 10 is a diagram showing an example of the countermeasure DB according to Embodiment 1.
FIG. 11 is a diagram showing an example of the vulnerability information DB according to Embodiment 1.
FIG. 12 is a diagram showing an example of the operation log / signature DB according to Embodiment 1.
FIG. 13 is a diagram showing an example of the project DB according to Embodiment 1.
FIG. 14 is a diagram showing an example of the specification / design document DB according to Embodiment 1.
FIG. 15 is a diagram showing an example of the security standard DB according to Embodiment 1.
FIG. 16 is a diagram showing an example of the law / regulation DB according to Embodiment 1.
FIG. 17 is a diagram for explaining a three-layer neural network.
FIGS. 18 and 19 are flowcharts showing the acquisition and accumulation of data in the learning unit according to Embodiment 1.
FIG. 20 is a flowchart showing the generation process of the security requirement prediction model in the learning unit according to Embodiment 1.
FIG. 21 is a flowchart showing the generation process of the design information selection model in the learning unit according to Embodiment 1.
FIG. 22 is a flowchart showing the inference processing in the inference unit according to Embodiment 1.
FIGS. 23 and 24 are diagrams showing examples of the security requirement information sheet according to Embodiment 1.
FIG. 25 is a diagram showing an example of the security design information sheet according to Embodiment 1.
FIG. 26 is a block diagram showing an outline of the overall configuration of the operation side security analysis support device according to Embodiment 2.
FIG. 27 is a block diagram showing details of the configuration of the operation side security analysis support device according to Embodiment 2.
FIG. 28 is a diagram showing an example of the signature update list file according to Embodiment 2.
FIG. 29 is a diagram showing an example of the operation / maintenance analysis DB according to Embodiment 2.
FIG. 30 is a flowchart showing the generation process of the security monitoring model in the learning unit according to Embodiment 2.
FIGS. 31 and 32 are flowcharts showing the inference processing in the inference unit according to Embodiment 2.
FIGS. 33 and 34 are diagrams showing examples of the knowledge file obtained from the operation of products in the market according to Embodiment 2.
<Embodiment 1>
<1. Configuration>
FIG. 1 is a block diagram showing the configuration of the development side security analysis support device 10 according to Embodiment 1. FIGS. 2, 3, and 4 are block diagrams showing details of the configuration of the development side security analysis support device 10. FIGS. 2 and 3 are joined at BL1-BL2, and FIGS. 3 and 4 are joined at BL3-BL4.
The development side security analysis support device 10 supports a developer's analysis in extracting the security requests of a product about to be developed and in selecting its security functions. Once development is complete and the product has shipped, it becomes a product (field) 90 (see FIGS. 26 and 27, described later); the operation side security analysis support device 50 feeds back the knowledge gained from operation log monitoring, and the two devices cooperate so that security request extraction and security function selection can be carried out more quickly in similar product development projects. In the present disclosure, a project means a project for product (device) development, system development, or the like that involves software development and design.
The development side security analysis support device 10 includes a main storage unit 100, an auxiliary storage unit 200, an interface unit 300, and a processor 400. The device is also connected to a display device 500 and an input/output device 600. The development side security analysis support device 10 is, for example, a personal computer.
The processor 400 is connected to the other hardware via signal lines. The processor 400 can be implemented with a central processing unit (CPU), an MPU (Micro Processing Unit), a DSP (Digital Signal Processor), a GPU (Graphics Processing Unit), a microcontroller, an FPGA (Field Programmable Gate Array), an ASIC (Application Specific Integrated Circuit), or the like. The processor 400 realizes various functions by reading the OS (Operating System), application programs, and various data stored in the auxiliary storage unit 200 described later and executing arithmetic processing. The processor 400 includes the functional configuration described later; that functional configuration may also be realized by firmware. The hardware consisting of the processor 400 together with the main storage unit 100 and the auxiliary storage unit 200 described later is also called "processing circuitry".
The main storage unit 100 is a volatile storage unit, which can be implemented with RAM (Random Access Memory) or the like. The main storage unit 100 temporarily stores data that is used, generated, input or output, or transmitted or received in the development side security analysis support device 10. The main storage unit 100 also includes a data collection unit 101, a multimodal feature analysis unit 102, a data primary processing and integration unit 103, a security request extraction data acquisition preprocessing unit 104, a security request prediction model generation unit 105 (first model generation unit), a security function selection data acquisition preprocessing unit 106, a design information selection model generation unit 107 (second model generation unit), a product planning data acquisition unit 108, a security request inference unit 109, a cost/schedule adjustment unit 110, a security requirement acquisition unit 111, a security function inference unit 112, a security monitoring data acquisition preprocessing unit 113, a security monitoring model generation unit 114, and a threat/countermeasure comparison and linkage update unit 115.
The data collection unit 101 collects the existing data of each kind (past project data, vulnerability analysis result information, specifications and design documents, laws and regulations information, security standards, operation logs of products in the past market, and incident signature information) and sends it to the data lake 210.
The multimodal feature analysis unit 102 combines natural language processing with image recognition results to organize the features of, and the relationships among, the product specifications according to the system configuration, the applicable laws/regulations and standards, threats, trust boundaries, responsibility demarcations, cost, period, failure classification, countermeasures, attackers, attack routes, failure information, operation logs, and signatures. Here, laws, regulations, and standards are also referred to as "predetermined rules".
The data primary processing and integration unit 103 checks and cleanses the data on the basis of the syntactic analysis results of the natural language processing, and removes confidential information and unnecessary characters.
The security request extraction data acquisition preprocessing unit 104 acquires and prepares teacher data showing the correspondence between each input (product features, required specifications (specifications including a system configuration diagram), applicable laws/regulations, and security standards) and the security requests (threats, trust boundaries, responsibility demarcations) that serve as correct labels for those inputs. The unit 104 also preprocesses the prepared data so that machine learning can be performed on it.
The security request prediction model generation unit 105 performs supervised learning using the teacher data preprocessed by the security request extraction data acquisition preprocessing unit 104, and generates a model (security request prediction model) that predicts security requests (threats, trust boundaries, responsibility demarcations).
The security function selection data acquisition preprocessing unit 106 acquires and prepares teacher data showing the correspondence between security requirements (threats, trust boundaries, responsibility demarcations, cost, schedule) and the security function selections (failure classification, countermeasures, attackers, attack routes) that serve as correct labels for those requirements. The unit 106 also preprocesses the prepared data so that machine learning can be performed on it.
The design information selection model generation unit 107 performs supervised learning using the teacher data preprocessed by the security function selection data acquisition preprocessing unit 106, and generates a model (design information selection model) that selects security functions (failure classification, countermeasures, attackers, attack routes).
The product planning data acquisition unit 108 acquires the data (product planning data) that the developer enters through the input/output device 600: the feature confirmation sheet of the product to be developed, the applicable laws/regulations and security standards, and the required specifications (specifications including a system configuration diagram). An example of the feature confirmation sheet is shown in FIGS. 5 and 6, which are joined at BL6-BL7.
The security request inference unit 109 takes as input the feature confirmation sheet of the product to be developed, the applicable laws/regulations and standards, and the required specifications (specifications including a system configuration diagram), performs multimodal inference with the supervised learning model (that is, inference with the security request prediction model), and outputs the security requests (threats, trust boundaries, responsibility demarcations) assumed for the product to be developed.
The cost/schedule adjustment unit 110 calculates the cost and schedule from the threats, trust boundaries, and responsibility demarcations assumed for the product to be developed.
The security requirement acquisition unit 111 acquires the security requirement data of the product to be developed, adjusted to the cost and schedule, and inputs the data to the security function inference unit 112.
The security function inference unit 112 takes as input the security requirements of the product to be developed, adjusted to the cost and schedule, performs inference with the design information selection model, and outputs security design information (recommended security functions) corresponding to the security requirements. Security design information is design information that realizes security functions suited to the product to be developed.
The security monitoring data acquisition preprocessing unit 113 preprocesses the prepared data and transmits it to the security monitoring model generation unit 114.
The security monitoring model generation unit 114 generates, by semi-supervised learning, a model (security monitoring model) that performs inference so as to output the failure classification, threats, signatures, countermeasures, attackers, and attack routes that serve as correct labels for the input of product information, failure information, and operation log (normal and abnormal) data from the operation log/signature DB (DB: database, likewise hereinafter), the failure DB, and the system feature DB.
The threat/countermeasure comparison and linkage update unit 115 updates the information in the integrated data warehouse (DH: Data Warehouse) 240 when there is content that was missing from the failure classification, threats, signatures, countermeasures, attackers, or attack routes of the abnormal data. Hereinafter, the integrated data warehouse 240 is denoted as the integrated DH 240.
The auxiliary storage unit 200 is a non-volatile storage unit, which can be implemented with ROM (Read Only Memory), an HDD (Hard Disk Drive), flash memory, or the like. The auxiliary storage unit 200 stores the OS, application programs, and various data. At least part of the OS is loaded into the main storage unit 100 and executed by the processor 400.
The auxiliary storage unit 200 includes a data lake 210 in which both the structured data and the unstructured data collected by the data collection unit 101 are stored. As shown in FIG. 3, the auxiliary storage unit 200 also includes, as the integrated DH 240, a plurality of databases holding the data after conversion into structured form: a system feature DB 241, a failure DB 242, a threat DB 243, a countermeasure DB 244, a vulnerability information DB 245, an operation log/signature DB 246, a project DB 247, a specification/design document DB 248, a security standard DB 249, and a law/regulation DB 250.
The auxiliary storage unit 200 further includes a security request prediction model storage database 220, which stores the security request prediction model generated by supervised machine learning, and a design information selection model storage database 230, which stores the design information selection model generated by supervised machine learning.
The system feature DB 241 stores, as features of the product's system, the degree of effect on health, safety, and the environment when a security incident occurs. Sample data of the system feature DB 241 is shown in FIG. 7.
The failure DB 242 stores the circumstances of failures that occurred in security incidents, their cause analysis, the countermeasures taken, and the like. The failure DB 242 consists of information such as failure date and time, failure classification, product category, unit name, product serial No., failure description, cause, and countermeasure. Sample data of the failure DB 242 is shown in FIG. 8.
The threat DB 243 covers the types of threats assumed for the product and stores the attackers who carry out each threat, the corresponding security requirements, and the like. The threat DB 243 consists of information such as assumed threat, actor, security requirement, assumed failure, and attack route. Sample data of the threat DB 243 is shown in FIG. 9.
The countermeasure DB 244 stores the types of threats assumed for the product, their security requirements, the corresponding countermeasures, and the like. The countermeasure DB 244 consists of information such as assumed threat, security requirement, and candidate security functions. Sample data of the countermeasure DB 244 is shown in FIG. 10.
The vulnerability information DB 245 stores vulnerabilities related to the software that makes up the product, their CWE (Common Weakness Enumeration) classification, the corresponding signatures, and the like. The vulnerability information DB 245 consists of the vulnerability title, software type, last update date, countermeasure, CWE, signature deployment status, and corresponding signature number. Sample data of the vulnerability information DB 245 is shown in FIG. 11.
The operation log/signature DB 246 stores the operation log data recorded when an abnormality occurred in a product already shipped to the market, together with the signature number with which the IPS (Intrusion Prevention System) function of a device on the trust boundary detected the abnormality. A signature here is a sequence of bytes common to the abnormal behavior of a particular malware sample or the like. The operation log/signature DB 246 consists of information such as log No., product serial No., product code, detected signature number, and detection date and time. Sample data of the operation log/signature DB 246 is shown in FIG. 12.
The project DB 247 stores, for product development projects, the abnormal and normal logs of test results obtained in system tests, the devices assumed to be on the trust boundary, and the like. The project DB 247 consists of project ID, unit name, product code, software type, product group, test log No. (normal), test log No. (abnormal), and information on the devices on the trust boundary. Sample data of the project DB 247 is shown in FIG. 13.
The specification/design document DB 248 shows how traceability is maintained among security-related requirements, requests, and design documents, and consists of information on the correspondence among requests, requirements, and external design documents. Sample data of the specification/design document DB 248 is shown in FIG. 14.
The security standard DB 249 stores the names of the security standards that products comply with in general and the names of the standards that individual projects additionally comply with. The security standard DB 249 consists of information such as type and standard name. Sample data of the security standard DB 249 is shown in FIG. 15.
The law/regulation DB 250 shows which security-related laws and regulations apply to products in each domestic and overseas region. The law/regulation DB 250 consists of information such as region, name of the law or regulation, and product group. Sample data of the law/regulation DB 250 is shown in FIG. 16.
The security request prediction model storage DB 220 stores the security request prediction model trained by supervised learning in the security request prediction model generation unit 105.
The design information selection model storage DB 230 stores the design information selection model trained by supervised learning in the design information selection model generation unit 107.
The display device 500 displays character strings and images in accordance with user operations. The display device 500 is a liquid crystal display, an organic EL (Electro Luminescence) display, or the like. The display device 500 may be integrated with the development side security analysis support device 10.
The input/output device 600 consists of a keyboard, a mouse, a numeric keypad, and the like. The user operates the development side security analysis support device 10 through the input/output device 600. The input/output device 600 may also include a touch panel arranged integrally with the display device 500 that accepts the user's touch operations. The input/output device 600 may be integrated with the development side security analysis support device 10.
The interface unit 300 transmits and receives various data to and from the operation side security analysis support device 50. The interface unit 300 includes a receiver and a transmitter (not shown). The receiver receives various data from the operation side security analysis support device 50, and the transmitter transmits various data from the processor 400 to the operation side security analysis support device 50. The interface unit 300 can be implemented with a communication chip, a NIC (Network Interface Card), or the like.
As shown in FIGS. 2 to 4, the development side security analysis support device 10 is broadly divided into a learning unit, centered on the security request prediction model generation unit 105 and the design information selection model generation unit 107, and an inference unit, centered on the security request inference unit 109 and the security function inference unit 112.
The learning unit and the inference unit are used to learn the outputs for the security requests and the security function selection of the target product; they may, for example, be connected to the target product via a network as a device separate from the target product. The learning unit and the inference unit may also be built into the target product, or may reside on a cloud server.
The learning algorithm used by the security request prediction model generation unit 105 and the design information selection model generation unit 107 can be any known supervised learning algorithm. The following describes, as an example, the case where a neural network is applied.
The security request prediction model generation unit 105 and the design information selection model generation unit 107 learn to produce their outputs by so-called supervised learning, for example according to a neural network model. Supervised learning here means a method in which pairs of input data and result (label) data are given to the learning unit, which learns the features present in that training data and infers results from inputs.
A neural network consists of an input layer made up of a plurality of neurons, an intermediate layer (hidden layer) made up of a plurality of neurons, and an output layer made up of a plurality of neurons. There may be one intermediate layer or two or more.
For example, in the three-layer neural network shown in FIG. 17, when a plurality of inputs are fed to the input layer (X1-X3), the values are multiplied by the weights W1 (w11-w16) and fed to the intermediate layer (Y1-Y2); the results are further multiplied by the weights W2 (w21-w26) and emitted from the output layer (Z1-Z3). The output depends on the values of the weights W1 and W2.
In the present disclosure, learning is performed with the following two neural network models. The first neural network learns its output by so-called supervised learning, following training data created from combinations of the input data acquired by the security request extraction data acquisition preprocessing unit 104 (product features, required specifications (specifications including a system configuration diagram), and applicable laws/regulations and security standards) and the corresponding correct-answer inputs (security requests (threats, trust boundaries, responsibility demarcations)).
The second neural network learns its output by so-called supervised learning, following training data created from combinations of the inputs acquired by the security function selection data acquisition preprocessing unit 106 (security requirements (threats, trust boundaries, responsibility demarcations, cost, schedule)) and the corresponding correct-answer inputs (security function selections (failure classification, countermeasures, attackers, attack routes)).
That is, the neural network learns by feeding the input data to the input layer and adjusting the weights W1 and W2 so that the result emitted from the output layer approaches the correct-answer data.
By performing the learning described above, the security request prediction model generation unit 105 and the design information selection model generation unit 107 generate and output trained models (the security request prediction model and the design information selection model).
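The three-layer network of FIG. 17 written out with the document's symbols, as an added example that is not part of the patent: X1-X3 feed Y1-Y2 through W1 (w11-w16), Y1-Y2 feed Z1-Z3 through W2 (w21-w26), and one backpropagation step per epoch adjusts W1 and W2 so that the output approaches the correct-answer label. Sigmoid activations, the input vector, the one-hot label, and the initial weights are assumptions constructed for illustration, since the page does not specify them.

```python
"""Added example (not the patent's own code): the 3-2-3 network of FIG. 17
trained by supervised learning. W1 holds w11..w16 as a 3x2 matrix, W2 holds
w21..w26 as a 2x3 matrix; activations are sigmoid (an assumption)."""
from math import exp
from typing import List, Tuple

Vec = List[float]
Mat = List[List[float]]


def sigmoid(v: float) -> float:
    return 1.0 / (1.0 + exp(-v))


def forward(x: Vec, W1: Mat, W2: Mat) -> Tuple[Vec, Vec]:
    """Return (Y, Z): Y = sigmoid(X * W1), Z = sigmoid(Y * W2)."""
    y = [sigmoid(sum(x[i] * W1[i][j] for i in range(3))) for j in range(2)]
    z = [sigmoid(sum(y[j] * W2[j][k] for j in range(2))) for k in range(3)]
    return y, z


def loss(z: Vec, target: Vec) -> float:
    """Squared error between the output layer and the correct-answer label."""
    return 0.5 * sum((zk - tk) ** 2 for zk, tk in zip(z, target))


def train_step(x: Vec, target: Vec, W1: Mat, W2: Mat, lr: float) -> float:
    """One backpropagation update of W1 and W2 in place; returns the new loss."""
    y, z = forward(x, W1, W2)
    # Error signal at the output layer (sigmoid derivative is z * (1 - z)).
    delta_z = [(z[k] - target[k]) * z[k] * (1.0 - z[k]) for k in range(3)]
    # Propagate the error to the hidden layer using the current W2.
    delta_y = [sum(delta_z[k] * W2[j][k] for k in range(3)) * y[j] * (1.0 - y[j])
               for j in range(2)]
    for j in range(2):
        for k in range(3):
            W2[j][k] -= lr * delta_z[k] * y[j]
    for i in range(3):
        for j in range(2):
            W1[i][j] -= lr * delta_y[j] * x[i]
    return loss(forward(x, W1, W2)[1], target)


def train(x: Vec, target: Vec, W1: Mat, W2: Mat,
          lr: float = 0.5, epochs: int = 200) -> List[float]:
    """Repeat train_step; returns the loss before training and after each epoch."""
    history = [loss(forward(x, W1, W2)[1], target)]
    for _ in range(epochs):
        history.append(train_step(x, target, W1, W2, lr))
    return history


# Constructed sample: an encoded product-feature vector (X) and the one-hot
# security request label it should map to (Z); both are assumptions.
X_SAMPLE = [1.0, 0.0, 0.5]
Z_TARGET = [1.0, 0.0, 0.0]
W1_INIT = [[0.1, -0.2], [0.3, 0.4], [-0.5, 0.6]]   # w11..w16, rows = X1..X3
W2_INIT = [[0.2, -0.1, 0.3], [-0.4, 0.5, 0.1]]      # w21..w26, rows = Y1..Y2


def run_demo() -> List[float]:
    """Train on copies of the initial weights and return the loss history."""
    W1 = [row[:] for row in W1_INIT]
    W2 = [row[:] for row in W2_INIT]
    return train(X_SAMPLE, Z_TARGET, W1, W2)


if __name__ == "__main__":
    hist = run_demo()
    print("loss before: %.4f  after %d epochs: %.4f" % (hist[0], len(hist) - 1, hist[-1]))
```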
<2. Operation>
Next, the operations of the learning unit and the inference unit of the development side security analysis support device 10 configured as above are described with reference to FIGS. 18 to 22.
<2-1. Learning phase>
<2-1-1. Data acquisition step>
FIGS. 18 and 19 are flowcharts of data acquisition and accumulation in the learning unit. The operation of the learning unit is described below following the flowcharts of FIGS. 18 and 19.
In step S101, the data collection unit 101 collects the existing data (past project data 601, vulnerability analysis result information 602, specifications/design documents 603, laws/regulations information 604, security standards 605, and operation logs and incident signature information 606 of products in the past market) and sends it to the data lake 210.
In step S102, the data lake 210 accumulates the data sent from the data collection unit 101. In step S103, the data lake 210 determines whether the accumulated data is structured data. If it is not structured data, step S104 determines whether the data has regularity. If it has no regularity, step S105 determines whether the data is text data.
If it is text data, step S106 performs syntactic analysis by natural language processing and extracts the required specifications of the product plan from the result. If it is not text data, that is, if it is image data or the like, step S107 performs image recognition on the system configuration diagram and identifies the system configuration and the trust boundaries from the result.
In step S108, the multimodal feature analysis unit 102 receives the processing results of steps S106 and S107, combines the natural language processing and image recognition results, and organizes the features of, and the relationships among, the product specifications according to the system configuration, the applicable laws/regulations and standards, threats, trust boundaries, responsibility demarcations, cost, period, failure classification, countermeasures, attackers, attack routes, failure information, operation information, and signatures.
In step S109, the data primary processing and integration unit 103 unifies the data into JSON format. In step S110, the data primary processing and integration unit 103 checks and cleanses the data on the basis of the syntactic analysis results of the natural language processing, and removes confidential information and unnecessary characters.
In step S111, the data primary processing and integration unit 103 converts all the data to CSV format. In step S112, the integrated DH 240 stores the data in the system feature DB 241, failure DB 242, threat DB 243, countermeasure DB 244, vulnerability information DB 245, operation log/signature DB 246, project DB 247, specification/design document DB 248, security standard DB 249, and law/regulation DB 250.
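The intake flow of steps S103 to S111 as an added Python example that is not the patent's own code: each item is classified as structured, regular, text, or other, unified into a JSON-style record, cleansed of confidential fields and unnecessary characters, and emitted as CSV ready for the step S112 stores. The confidential key names, the key=value test for "regularity", the unwanted-character set, and the sample items are assumptions constructed for illustration; the NLP parse of S106 and the image recognition of S107 are replaced by stand-ins.

```python
"""Added example (not the patent's own code): a toy data lake intake pipeline
for steps S103-S111. Names, the 'confidential' keys and the sample data are
assumptions made for illustration."""
import csv
import io
import json
import re
from typing import Any, Dict, List, Tuple

# Keys treated as confidential and dropped in step S110 (constructed assumption).
CONFIDENTIAL_KEYS = {"customer_name", "contact_email", "api_key"}
# "Unnecessary characters": control characters and zero-width marks (assumption).
_UNWANTED = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\u200b-\u200d\ufeff]")
# A record "has regularity" (S104) when every non-empty line is key=value (assumption).
_KV_LINE = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")


def classify(raw: Any) -> str:
    """Steps S103-S105: return 'structured', 'regular', 'text' or 'other'."""
    if isinstance(raw, dict):
        return "structured"
    if isinstance(raw, (bytes, bytearray)):
        return "other"                      # e.g. a system configuration image
    lines = [ln for ln in str(raw).splitlines() if ln.strip()]
    if lines and all(_KV_LINE.match(ln) for ln in lines):
        return "regular"
    return "text"


def to_json_record(raw: Any, source: str) -> Dict[str, Any]:
    """Step S109: unify one raw item into a flat JSON-style dict."""
    kind = classify(raw)
    if kind == "structured":
        rec = dict(raw)
    elif kind == "regular":
        rec = {m.group(1): m.group(2)
               for m in map(_KV_LINE.match, str(raw).splitlines()) if m}
    elif kind == "text":
        # Stand-in for the S106 syntactic analysis: keep the text for later parsing.
        rec = {"text": str(raw)}
    else:
        # Stand-in for the S107 image recognition: record only the payload size.
        rec = {"image_bytes": len(raw)}
    rec["_source"] = source
    rec["_kind"] = kind
    return rec


def cleanse(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Step S110: drop confidential keys and strip unnecessary characters."""
    out: Dict[str, Any] = {}
    for key, val in rec.items():
        if key in CONFIDENTIAL_KEYS:
            continue
        if isinstance(val, str):
            val = _UNWANTED.sub("", val).strip()
        out[key] = val
    return out


def to_csv(records: List[Dict[str, Any]]) -> str:
    """Step S111: emit all records as one CSV text with a union header."""
    header = sorted({k for r in records for k in r})
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    for r in records:
        writer.writerow({k: json.dumps(v) if isinstance(v, (dict, list)) else v
                         for k, v in r.items()})
    return buf.getvalue()


def run_pipeline(items: List[Tuple[str, Any]]) -> str:
    """Run S103-S111 over (source, raw) pairs and return the CSV text."""
    return to_csv([cleanse(to_json_record(raw, src)) for src, raw in items])


# Constructed sample inputs standing in for the data 601..606.
SAMPLE_ITEMS: List[Tuple[str, Any]] = [
    ("failure_db_export", {"failure_id": "F-0001", "unit": "gateway",
                           "customer_name": "ACME", "cause": "cfg\u200bdrift"}),
    ("ips_log", "signature_no=12345\nserial=SN-0042\n"),
    ("spec_doc", "The gateway shall reject unauthenticated firmware images."),
    ("system_diagram.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE_ITEMS))
```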
<2-1-2. Security request prediction model generation step>
FIG. 20 is a flowchart of the learning process for the security request prediction model in the learning unit. The operation of the learning unit is described below following the flowchart shown in FIG. 20.
In step S201, the security request extraction data acquisition preprocessing unit 104 acquires teacher data showing the correspondence between the inputs (the product features, the required specifications, and the applicable laws, regulations and security standards) and the security requests (threats, trust boundaries, demarcation of responsibilities) that serve as the correct labels for those inputs, and prepares to perform the machine learning preprocessing.
In step S202, the security request extraction data acquisition preprocessing unit 104 preprocesses the prepared data so that it can be used for machine learning. In step S203, the security request prediction model generation unit 105 performs supervised learning using the preprocessed teacher data and generates a model that predicts security requests (threats, trust boundaries, demarcation of responsibilities). In step S204, the security request prediction model storage DB 220 stores the generated prediction model in its own DB.
<2-1-3. Design information selection model generation step>
FIG. 21 is a flowchart of the learning process for the design information selection model in the learning unit. The operation of the learning unit is described below following the flowchart shown in FIG. 21.
In step S301, the security function selection data acquisition preprocessing unit 106 acquires teacher data showing the correspondence between the security requirements (threats, trust boundaries, demarcation of responsibilities, cost, schedule) and the security function selection (failure classification, countermeasures, attackers, attack routes) that serves as the correct label for those security requirements, and prepares to perform the machine learning preprocessing.
In step S302, the security function selection data acquisition preprocessing unit 106 preprocesses the prepared data so that it can be used for machine learning.
In step S303, the design information selection model generation unit 107 performs supervised learning using the preprocessed teacher data and generates a model that predicts the security function selection (failure classification, countermeasures, attackers, attack routes). In step S304, the design information selection model storage DB 230 stores the generated prediction model in its own DB.
<2-2. Inference phase>
FIG. 22 is a flowchart of the inference process of the inference unit. The operation of the inference unit is described below following the flowchart shown in FIG. 22.
In step S401, the product planning data acquisition unit 108 acquires, via the input/output device 600, the feature confirmation sheet 653 of the product to be developed, the applicable laws, regulations and standards 651, and the required specifications (specifications including the system configuration diagram) 652 entered by the developer.
In step S402, the product planning data acquisition unit 108 collects the feature values of the data contained in the acquired feature confirmation sheet 653, applicable laws, regulations and standards 651, and required specifications 652 of the product to be developed, and inputs them to the security request inference unit 109.
In step S403, the security request inference unit 109 takes as input the features of the product to be developed, the required specifications (specifications including the system configuration diagram), the applicable laws and regulations, and the security standards, performs multimodal inference with the supervised learning model (that is, inference with the security request prediction model), and outputs the security requests (threats, trust boundaries, demarcation of responsibilities) of the development target. In the inference with the security request prediction model, the system feature DB 241, the failure DB 242, the threat DB 243, the project DB 247, the specification and design document DB 248, the security standard DB 249 and the law and regulation DB 250 are referenced in order to classify the security requirements for the assumed threats.
In step S404, the cost and schedule adjustment unit 110 calculates the cost and schedule from the threats, trust boundaries and responsibility demarcation points assumed for the product to be developed, and outputs the security requirement information sheet 654 of the product to be developed. Examples of the security requirement information sheet 654 are shown in FIGS. 23 and 24.
In step S405, the security requirement acquisition unit 111 acquires the data of the security requirement information sheet 654 of the product to be developed, which gives the security requirements of the product to be developed in accordance with the cost and schedule, and inputs the data to the security function inference unit 112.
In step S406, the security function inference unit 112 takes as input the security requirements of the product to be developed in accordance with the cost and schedule, performs inference with the design information selection model, and outputs the security design information sheet 655 of the product to be developed, which contains the recommended security functions corresponding to the security requirements. In the inference with the design information selection model, the countermeasure DB 244 is referenced in order to classify the correspondence between the security requirements for the assumed threats and the candidate functions. An example of the security design information sheet 655 is shown in FIG. 25.
<3. Effect>
According to Embodiment 1, the development-side security analysis support device 10 automatically performs, in a single pass, the "function selection" in addition to the "requirement extraction" of the security analysis at the system level. This shortens the time taken by the security analysis for known threats before product shipment, and achieves an efficient improvement of security quality that does not depend on individual expertise. That is, the security quality can be improved efficiently.
<Embodiment 2>
The development-side security analysis support device 10 described in Embodiment 1 generates the security design information sheet 655 and the like of the product to be developed, and then ends its operation. The operation-side security analysis support device 50 described in Embodiment 2 trains a security monitoring model based on the vulnerability information and the operation log data stored in the vulnerability information DB 245 and the operation log and signature DB 246. It then detects anomalies from the operation logs of products in the actual market (products under operation), updates the IPS signatures of the products on the operation side, and also updates the threat and countermeasure contents on the development side.
<1. Configuration>
FIG. 26 is a block diagram showing the configuration of the operation-side security analysis support device 50 according to Embodiment 2. FIG. 27 is a block diagram showing the details of the configuration of the operation-side security analysis support device 50.
The operation-side security analysis support device 50 analyzes the operation logs of a product after its development has been completed and it has been shipped to the market, determines anomalies, updates the signatures, and gives feedback to the development-side security analysis support device that performs security analysis for the products to be developed next.
The operation-side security analysis support device 50 includes a main storage unit 900, an auxiliary storage unit 1000, a communication unit 700 that communicates with the development-side security analysis support device, a communication unit 1100 that communicates with the product 90 (the field), and a processor 800. The operation-side security analysis support device 50 is also connected to a display device 1200 and an input/output device 1300. The operation-side security analysis support device 50 is, for example, a personal computer.
The processor 800 is connected to the other hardware via signal lines. The processor 800 can be realized by a central processing unit (CPU), an MPU, a DSP, a GPU, a microcontroller, an FPGA, an ASIC or the like. The processor 800 realizes various functions by reading the OS, the application programs and various data stored in the auxiliary storage unit 1000 described later and executing arithmetic processing. The processor 800 includes the functional configuration described later. The functional configuration may be realized by firmware. The hardware combining the processor 800 with the main storage unit 900 and the auxiliary storage unit 1000 described later is also referred to as "processing circuitry".
The main storage unit 900 is a volatile storage unit. The main storage unit 900 can be realized by RAM or the like. The main storage unit 900 temporarily stores data that is used, generated, input or output, or transmitted or received in the operation-side security analysis support device 50. The main storage unit 900 further includes an operation log data acquisition unit 901, an operation log data preprocessing unit 902, a security monitoring model inference unit 903, a signature data comparison unit 904 and a signature information update unit 905.
The operation log data acquisition unit 901 acquires the operation and maintenance analysis log data stored in the operation and maintenance analysis DB 1002.
The operation log data preprocessing unit 902 performs data conversion preprocessing so that machine learning can be performed on the operation log data.
The security monitoring model inference unit 903 takes the product information, failure information and operation information (normal or abnormal) as input, performs inference with the semi-supervised learning model, and outputs the failure classification, threat, signature, countermeasure, attacker and attack route of the abnormal failure data.
The signature data comparison unit 904 transmits the failure classification, threat, signature, countermeasure, attacker and attack route information of the abnormal data to the interface unit 300 of the development-side security analysis support device 10. When there is an anomaly in the log data, the signature data comparison unit 904 also compares it with the currently registered signature data, creates a signature update list file, and transmits it to the signature information update unit 905. An example of the signature update list file is shown in FIG. 28.
The signature information update unit 905 issues the signature update data and the corresponding update command, and distributes the signature data to the centralized controller 2004.
The auxiliary storage unit 1000 is a non-volatile storage unit. The auxiliary storage unit 1000 can be realized by a ROM, an HDD, flash memory or the like. The auxiliary storage unit 1000 stores the OS, the application programs and various data. At least part of the OS is loaded into the main storage unit 900 and executed by the processor 800.
The auxiliary storage unit 1000 includes a security monitoring model storage DB 1001 that stores the security monitoring model generated by semi-supervised machine learning, and an operation and maintenance analysis DB 1002 that accumulates the operation log data of products in the market.
The security monitoring model storage DB 1001 stores the security monitoring model that has been trained by semi-supervised learning and generated by the security monitoring model generation unit 114.
The operation and maintenance analysis DB 1002 consists of information such as the log No., product serial No., product code, handled signature number, log acquisition date and time, failure information and operation information. Sample data of the operation and maintenance analysis DB 1002 is shown in FIG. 29.
The display device 1200 displays character strings and images according to the operations of the operation and maintenance personnel. The display device 1200 is composed of a liquid crystal display, an organic EL display or the like. The display device 1200 may be configured integrally with the operation-side security analysis support device 50.
The input/output device 1300 is composed of a keyboard, a mouse, a numeric keypad and the like. The operation and maintenance personnel operate the operation-side security analysis support device 50 via the input/output device 1300. The input/output device 1300 may also be configured integrally with the display device 1200 and include a touch panel that accepts touch operations from the maintenance and operation personnel.
The communication unit 700 transmits and receives various data between the operation-side security analysis support device 50 and the development-side security analysis support device 10. The communication unit 700 and the communication unit 1100 each include a receiver and a transmitter (not shown). The receiver receives various data from the development-side security analysis support device 10 and the remote monitoring device 2001. The transmitter transmits various data from the processor 800 to the development-side security analysis support device 10 and the remote monitoring device 2001. The communication unit 700 and the communication unit 1100 can be realized by a communication chip, a NIC or the like.
The operation-side security analysis support device 50 is broadly divided into a learning unit centered on the security monitoring model generation unit 114 and an inference unit centered on the security monitoring model inference unit 903.
The learning unit and the inference unit are used to learn the security requests of the target product and the output of the security request function selection; they may, for example, be connected to the target product via a network and be a device separate from the target product. The learning unit and the inference unit may also be built into the target product. Furthermore, the learning unit and the inference unit may reside on a cloud server.
The learning algorithm used by the security monitoring model generation unit 114 can be any known semi-supervised learning algorithm. As an example, the case where a neural network is applied is described.
The security monitoring model generation unit 114 learns to produce outputs by so-called semi-supervised learning, for example according to a neural network model. Here, semi-supervised learning refers to a method in which pairs of input data and result (label) data are given to a learning device, which learns the features present in that training data and infers results from inputs.
The neural network is composed of an input layer consisting of a plurality of neurons, an intermediate layer (hidden layer) consisting of a plurality of neurons, and an output layer consisting of a plurality of neurons. The intermediate layer may be one layer or two or more layers.
For example, in the three-layer neural network shown in FIG. 17, when a plurality of inputs are fed to the input layer (X1 to X3), their values are multiplied by the weights W1 (w11 to w16) and input to the intermediate layer (Y1 to Y2), and that result is further multiplied by the weights W2 (w21 to w26) and output from the output layer (Z1 to Z3). This output result varies with the values of the weights W1 and W2.
In the present disclosure, learning is performed in the following neural network model. The neural network learns its output by so-called semi-supervised learning according to the training data created from combinations of the input data acquired by the security monitoring data acquisition preprocessing unit 113 (product information, failure information, operation information (normal or abnormal)) and the corresponding correct answers (failure classification, threat, signature, countermeasure, attacker, attack route).
That is, the neural network learns by feeding the input data to the input layer and adjusting the weights W1 and W2 so that the result output from the output layer approaches the correct-answer data.
The security monitoring model generation unit 114 generates and outputs a trained model (security monitoring model) by executing the learning described above.
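The three-layer network of FIG. 17 and the weight adjustment described above, as an added example written for this page (not code from the patent): three inputs X1 to X3, two hidden neurons Y1 and Y2, three outputs Z1 to Z3, weights W1 (w11 to w16) and W2 (w21 to w26). The sigmoid activation, squared-error loss, learning rate, initial weight values and the single training pair are assumptions for the example; the patent specifies none of them.

```python
"""Added example (not from the patent): the 3-2-3 network of FIG. 17 in plain
Python, showing the forward pass and how W1 and W2 are adjusted so that the
output approaches the correct answer. Activation, loss, learning rate, weights
and the training pair are assumptions for this example."""
import math


def sigmoid(v):
    return 1.0 / (1.0 + math.exp(-v))


def forward(x, w1, w2):
    """x: 3 inputs X1..X3; w1: six weights w11..w16 stored row-major as 3x2;
    w2: six weights w21..w26 stored row-major as 2x3. Returns Z1..Z3."""
    y = [sigmoid(sum(x[i] * w1[i * 2 + j] for i in range(3))) for j in range(2)]
    z = [sigmoid(sum(y[j] * w2[j * 3 + k] for j in range(2))) for k in range(3)]
    return z


def loss(x, target, w1, w2):
    """Squared error between the network output and the correct-answer vector."""
    z = forward(x, w1, w2)
    return sum((zk - tk) ** 2 for zk, tk in zip(z, target))


def train_step(x, target, w1, w2, lr=0.5, eps=1e-6):
    """One gradient-descent step on W1 and W2. The gradient is taken by central
    finite differences for transparency; backpropagation yields the same values."""
    def grad(weights, idx, other, is_w1):
        plus, minus = list(weights), list(weights)
        plus[idx] += eps
        minus[idx] -= eps
        if is_w1:
            return (loss(x, target, plus, other) - loss(x, target, minus, other)) / (2 * eps)
        return (loss(x, target, other, plus) - loss(x, target, other, minus)) / (2 * eps)

    g1 = [grad(w1, i, w2, True) for i in range(6)]
    g2 = [grad(w2, i, w1, False) for i in range(6)]
    return ([w - lr * g for w, g in zip(w1, g1)],
            [w - lr * g for w, g in zip(w2, g2)])


def train(x, target, w1, w2, steps=200):
    """Runs `steps` updates; returns (w1, w2, loss_before, loss_after)."""
    before = loss(x, target, w1, w2)
    for _ in range(steps):
        w1, w2 = train_step(x, target, w1, w2)
    return w1, w2, before, loss(x, target, w1, w2)


# Constructed training pair: an encoded (product, failure, operation) feature
# vector and a one-hot correct answer standing in for a failure classification.
X = [1.0, 0.0, 1.0]
TARGET = [0.0, 1.0, 0.0]
W1_INIT = [0.1, -0.2, 0.3, 0.4, -0.5, 0.6]   # w11..w16
W2_INIT = [0.2, 0.1, -0.3, -0.4, 0.5, 0.1]   # w21..w26

if __name__ == "__main__":
    _, _, before, after = train(X, TARGET, W1_INIT, W2_INIT)
    print(f"loss before training {before:.4f}, after training {after:.4f}")
```

The finite-difference gradient costs two forward passes per weight, which is fine for twelve weights but is only a teaching device; a real implementation of the generation unit would use a framework with backpropagation.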
<2. Operation>
Next, the operation of the learning unit and the inference unit of the operation-side security analysis support device 50 configured as described above is described with reference to FIGS. 30 to 32.
<2-1. Learning phase>
FIG. 30 is a flowchart of the learning process for the security monitoring model in the learning unit. The operation of the learning unit is described below following the flowchart shown in FIG. 30.
In step S501, the security monitoring data acquisition preprocessing unit 113 acquires teacher data showing the correspondence between the inputs (product information, failure information, operation information (normal or abnormal)) and the failure classification, threat, signature, countermeasure, attacker and attack route that serve as the correct labels for those inputs.
In step S502, the security monitoring data acquisition preprocessing unit 113 performs the machine learning preprocessing and transmits the result to the security monitoring model generation unit 114.
In step S503, the security monitoring model generation unit 114 performs supervised learning using the preprocessed teacher data and generates a model (security monitoring model) that predicts the failure classification, threat, signature, countermeasure, attacker and attack route.
In step S504, the interface unit 300 of the development-side security analysis support device 10 transmits the data to the communication unit 700 of the operation-side security analysis support device 50.
In step S505, the security monitoring model storage DB 1001 stores the generated prediction model (security monitoring model) in its own DB.
<2-2. Inference phase>
FIGS. 31 and 32 are flowcharts of the inference process of the inference unit. The operation of the inference unit is described below following the flowcharts shown in FIGS. 31 and 32.
In step S601, the remote monitoring device 2001 transmits the operating data log to the communication unit 1100 via the maintenance communication line. In step S602, the communication unit 1100 saves and accumulates the received operating data log in the operation and maintenance analysis DB 1002.
In step S603, the operation log data acquisition unit 901 acquires the operation log from the operation and maintenance analysis DB 1002 and transmits it to the operation log data preprocessing unit 902. In step S604, the operation log data preprocessing unit 902 extracts the product information, failure information and operation information (normal or abnormal) from the operation log and inputs them to the security monitoring model inference unit 903.
In step S605, the security monitoring model inference unit 903 takes the product information, failure information and operation information (normal or abnormal) as input, performs inference with the semi-supervised learning model, outputs the failure classification, threat, signature, countermeasure, attacker and attack route of the abnormal data, and transmits them to the signature data comparison unit 904. The data output at this time corresponds to the knowledge file 1301 (knowledge information) obtained from the operation of products in the market shown in FIG. 27; an example of the knowledge file is shown in FIGS. 33 and 34. FIG. 33 and FIG. 34 are joined at BL10 and BL11.
In step S606, the signature data comparison unit 904 transmits the failure classification, threat, signature, countermeasure, attacker and attack route of the abnormal data to the interface unit 300 of the development-side security analysis support device 10.
In step S607, the interface unit 300 of the development-side security analysis support device receives the failure classification, threat, signature, countermeasure, attacker and attack route of the abnormal data, and forwards the data to the threat and countermeasure comparison and cooperative update unit 115.
In step S608, the threat and countermeasure comparison and cooperative update unit 115 compares the contents of the failure classification, threat, signature, countermeasure, attacker and attack route of the abnormal data with the values in the existing DBs and, if any content was missing, updates the information in the integrated DH 240.
If there is an anomaly in the log data after the processing of step S605, then in step S609 the signature data comparison unit 904 compares it with the currently registered signature data, creates the signature update list file 1302, and transmits it to the signature information update unit 905. If the signature is not registered, registration is requested from the IDS (Intrusion Detection System) on the product side.
In step S610, the signature information update unit 905 issues the signature update data and the corresponding update command. In step S611, the issued signature update command and its data are transmitted to the centralized controller 2004 of the product, which forms the security trust boundary, and the latest signature is applied to the IPS of the centralized controller 2004.
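The comparison of step S609 and the command issuance of step S610, as an added example written for this page (not code from the patent): knowledge records from step S605 are compared against the set of registered signatures, abnormal logs whose signature content differs go to an update list, and abnormal logs whose signature is unknown go to a registration request list. The record fields follow those the patent lists for the operation and maintenance analysis DB 1002 and the inference output; the record layout, the registered signature set, the command format and all sample values are constructed for the example.

```python
"""Added example (not from the patent): signature comparison (step S609) and
update command issuance (step S610). Record layout, registered signature set,
command format and sample values are constructed for this example."""
from dataclasses import dataclass, field


@dataclass
class KnowledgeRecord:
    """One row of the knowledge file 1301: inference output for one log entry."""
    log_no: int
    product_code: str
    operation_info: str          # "normal" or "abnormal"
    failure_class: str
    threat: str
    signature_id: str            # signature the model associated with the log
    countermeasure: str


@dataclass
class UpdateList:
    """Signature update list file 1302 for one product (constructed layout)."""
    product_code: str
    to_update: list = field(default_factory=list)    # registered, content revised
    to_register: list = field(default_factory=list)  # unknown to the product IDS


def compare_signatures(records, registered):
    """Step S609: for every abnormal log, compare the inferred signature with the
    registered set (dict signature_id -> content). Normal logs are skipped, an
    unknown signature id becomes a registration request, identical content
    means the registered signature already covers the log."""
    lists = {}
    for rec in records:
        if rec.operation_info != "abnormal":
            continue
        ul = lists.setdefault(rec.product_code, UpdateList(rec.product_code))
        inferred = {"threat": rec.threat, "countermeasure": rec.countermeasure}
        current = registered.get(rec.signature_id)
        if current is None:
            ul.to_register.append((rec.signature_id, inferred))
        elif current != inferred:
            ul.to_update.append((rec.signature_id, inferred))
    return lists


def issue_update_commands(update_list):
    """Step S610: turn an update list into the commands sent toward the
    centralized controller 2004 (command names are constructed)."""
    cmds = []
    for sig_id, content in update_list.to_update:
        cmds.append({"cmd": "SIG_UPDATE", "id": sig_id, **content})
    for sig_id, content in update_list.to_register:
        cmds.append({"cmd": "SIG_REGISTER", "id": sig_id, **content})
    return cmds


# Constructed registered signatures for product code AC-01.
REGISTERED = {
    "SIG-001": {"threat": "Spoofing", "countermeasure": "mutual TLS"},
    "SIG-002": {"threat": "Tampering", "countermeasure": "signed firmware"},
}

# Constructed knowledge records as step S605 would emit them.
RECORDS = [
    KnowledgeRecord(1, "AC-01", "normal", "-", "-", "SIG-001", "-"),
    KnowledgeRecord(2, "AC-01", "abnormal", "auth_fail", "Spoofing", "SIG-001",
                    "mutual TLS"),
    KnowledgeRecord(3, "AC-01", "abnormal", "fw_mismatch", "Tampering", "SIG-002",
                    "signed firmware + rollback check"),
    KnowledgeRecord(4, "AC-01", "abnormal", "cmd_flood", "Denial of service",
                    "SIG-003", "rate limiting"),
]

if __name__ == "__main__":
    for ul in compare_signatures(RECORDS, REGISTERED).values():
        for cmd in issue_update_commands(ul):
            print(cmd)
```

Keeping registration requests separate from content updates mirrors the text: a registered signature is revised in place, while an unknown one must first be registered with the product-side IDS before any update command can apply to it.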
<3. Effect>
According to Embodiment 2, in operation after product shipment, the operation-side security analysis support device 50 includes a security monitoring mechanism on the cloud and can cooperate with the development-side security analysis support device 10. Therefore, by grasping signs of attacks exploiting unknown threats and vulnerabilities after product shipment, unauthorized access can be detected promptly and quick feedback can be given to the development-side security analysis support device 10, so that the effect of mutual cooperation between the development-side security analysis support device 10 and the operation-side security analysis support device 50 is achieved. That is, the security quality can be improved efficiently.
Within the scope of the present disclosure, the embodiments can be freely combined, and each embodiment can be modified or omitted as appropriate.
Although the present disclosure has been described in detail, the above description is in all aspects illustrative and not restrictive. It is understood that innumerable variations not illustrated can be assumed.
10 development-side security analysis support device, 50 operation-side security analysis support device, 90 product, 100 main storage unit, 101 data collection unit, 102 multimodal feature analysis unit, 103 data primary processing and integration unit, 104 security request extraction data acquisition preprocessing unit, 105 security request prediction model generation unit, 106 security function selection data acquisition preprocessing unit, 107 design information selection model generation unit, 108 product planning data acquisition unit, 109 security request inference unit, 110 cost and schedule adjustment unit, 111 security requirement acquisition unit, 112 security function inference unit, 113 security monitoring data acquisition preprocessing unit, 114 security monitoring model generation unit, 115 threat and countermeasure comparison and cooperative update unit, 200 auxiliary storage unit, 210 data lake, 220 security request prediction model storage DB, 230 design information selection model storage DB, 240 integrated DH, 241 system feature DB, 242 failure DB, 243 threat DB, 244 countermeasure DB, 245 vulnerability information DB, 246 operation log and signature DB, 247 project DB, 248 specification and design document DB, 249 security standard DB, 250 law and regulation DB, 300 interface unit, 400 processor, 500 display device, 600 input/output device, 601 past project data, 602 vulnerability analysis results, 603 specifications and design documents, 604 law and regulation information, 605 security standards, 606 operation logs and incident/signature information of products in the past market, 651 applicable laws, regulations and security standards, 652 required specifications of the product to be developed, 653 feature confirmation sheet of the product to be developed, 654 security requirement information sheet of the product to be developed, 655 security design information sheet of the product to be developed, 700 communication unit, 800 processor, 900 main storage unit, 901 operation log data acquisition unit, 902 operation log data preprocessing unit, 903 security monitoring model inference unit, 904 signature data comparison unit, 905 signature information update unit, 1000 auxiliary storage unit, 1001 security monitoring model storage DB, 1002 operation and maintenance analysis DB, 1100 communication unit, 1301 knowledge file obtained from the operation of products in the market, 1302 signature update list file, 2001 remote monitoring device, 2002 indoor unit, 2003 outdoor unit, 2004 centralized controller, 2005 wireless LAN, 2006 smartphone, 2007 personal computer, 2008 remote control.

Claims (8)

  1.  A development-side security analysis support device comprising:
     a security request inference unit that inputs data including features of a development target, required specifications of the development target, and predetermined rules with which the development target complies into a security request prediction model for predicting security requests suited to the development target, and infers the security requests;
     a security requirement acquisition unit that, based on the security requests inferred by the security request inference unit, acquires security requirements corresponding to those security requests from a first database storing information indicating the correspondence between security requests and security requirements; and
     a security function inference unit that inputs the security requirements acquired by the security requirement acquisition unit into a design information selection model for selecting design information that realizes security functions suited to the development target, and infers the design information.
  2.  The development-side security analysis support device according to claim 1, further comprising:
     a first model generation unit that generates the security request prediction model for predicting the security requests suited to the development target by learning, as training data, a first input consisting of the features of the development target, the required specifications of the development target, and the predetermined rules with which the development target complies, all contained in information on threats to the development target and on countermeasures against those threats stored in a data warehouse, together with the security requests serving as correct-answer labels for the first input; and
     a second model generation unit that generates the design information selection model for selecting the design information for the development target by learning, as training data, a second input consisting of the security requirements contained in the information stored in the data warehouse, together with the selection of security functions serving as correct-answer labels for the second input.
  3.  The development-side security analysis support device according to claim 1 or 2, wherein the required specifications include a system configuration diagram.
  4.  The development-side security analysis support device according to any one of claims 1 to 3, wherein the security requests include threats, trust boundaries, and demarcations of responsibility.
  5.  The development-side security analysis support device according to any one of claims 1 to 4, wherein the design information includes a failure classification, countermeasures, attackers, and attack routes.
  6.  An operation-side security analysis support device comprising:
     a signature information update unit that acquires a signature and issues a command to update that signature;
     a communication unit that receives operation log information, including operation information, product information, and failure information of an operation target to which the signature updated by the signature information update unit has been applied, and stores it in an operation and maintenance analysis database;
     an operation log data acquisition unit that acquires the operation log information from the operation and maintenance analysis database; and
     a security monitoring model inference unit that inputs the operation log information acquired by the operation log data acquisition unit into a trained security monitoring model, on which machine learning has been performed to predict findings information obtained from the operation of the operation target product in the market, and predicts the findings information by executing arithmetic processing using the security monitoring model.
  7.  The operation-side security analysis support device according to claim 6, wherein, when the operation log information is determined to be abnormal as a result of the prediction by the security monitoring model inference unit, a comparison with a registered signature is performed if the signature is already registered, and registration is requested from an IDS (Intrusion Detection System) on the operation target side if the signature is not registered.
  8.  A security analysis support system comprising:
     the development-side security analysis support device according to any one of claims 1 to 5; and
     the operation-side security analysis support device according to claim 6 or 7,
     wherein the development-side security analysis support device and the operation-side security analysis support device cooperate by mutually complementing each other's security-related information.
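The operation-side flow of claims 6 and 7 (inference on operation log information, then comparison with a registered signature or a registration request to the target-side IDS) as a runnable sketch. This is an added example, not code from the patent or its applicant: the trained security monitoring model is stood in for by a per-feature z-score detector fitted on constructed baseline records (the claims fix no model type), and the `OperationLog` fields, the `Signature` format, the `AC-100` product name, the thresholds and the log values are all constructed sample data.

```python
"""Operation-side analysis flow of claims 6 and 7, as a runnable sketch.

Added example, not code from the patent or its applicant. The trained
security monitoring model is stood in for by a per-feature z-score detector
fitted on constructed baseline records; signatures, log records, product
names and thresholds are constructed sample values.
"""
from __future__ import annotations

import hashlib
import statistics
from dataclasses import dataclass

NUMERIC_FEATURES = ("conn_per_min", "failed_auth")


@dataclass(frozen=True)
class OperationLog:
    """One operation log record: operation, product and failure information (claim 6)."""
    device_id: str
    product: str
    conn_per_min: int
    failed_auth: int
    fault_code: str  # "NONE" when the unit reports no fault


@dataclass(frozen=True)
class Signature:
    """A registered IDS signature describing a product/fault pattern (constructed format)."""
    name: str
    product: str
    fault_code: str
    min_failed_auth: int = 0
    min_conn_per_min: int = 0

    def matches(self, log: OperationLog) -> bool:
        return (log.product == self.product and log.fault_code == self.fault_code
                and log.failed_auth >= self.min_failed_auth
                and log.conn_per_min >= self.min_conn_per_min)


class MonitoringModel:
    """Stand-in for the learned security monitoring model: per-feature z-scores."""

    def __init__(self, baseline: list[OperationLog], threshold: float = 3.0):
        self.threshold = threshold
        self.mean, self.std = {}, {}
        for f in NUMERIC_FEATURES:
            values = [getattr(r, f) for r in baseline]
            self.mean[f] = statistics.fmean(values)
            # A constant baseline feature gets a tiny spread so any deviation scores high.
            self.std[f] = statistics.pstdev(values) or 1e-9

    def z_scores(self, log: OperationLog) -> dict[str, float]:
        return {f: abs(getattr(log, f) - self.mean[f]) / self.std[f] for f in NUMERIC_FEATURES}

    def is_abnormal(self, log: OperationLog) -> bool:
        return max(self.z_scores(log).values()) > self.threshold

    def top_feature(self, log: OperationLog) -> str:
        z = self.z_scores(log)
        return max(z, key=z.get)


def fingerprint(log: OperationLog, feature: str) -> str:
    """Stable identifier for an unregistered pattern, carried in the registration request."""
    material = f"{log.product}|{log.fault_code}|{feature}".encode()
    return hashlib.sha256(material).hexdigest()[:16]


class OperationSideAnalyzer:
    """Inference, then signature comparison or IDS registration request (claim 7)."""

    def __init__(self, model: MonitoringModel, signatures: list[Signature]):
        self.model = model
        self.signatures = list(signatures)
        self.registration_requests: list[dict] = []  # what would be sent to the target-side IDS
        self.update_commands: list[str] = []         # issued by the signature information update unit

    def apply_signature_update(self, new_signatures: list[Signature]) -> None:
        for sig in new_signatures:
            if sig not in self.signatures:
                self.signatures.append(sig)
                self.update_commands.append(f"UPDATE_SIGNATURE {sig.name}")

    def analyze(self, log: OperationLog) -> tuple[str, str]:
        if not self.model.is_abnormal(log):
            return ("normal", "")
        for sig in self.signatures:  # registered signature: compare and report it
            if sig.matches(log):
                return ("known", sig.name)
        fp = fingerprint(log, self.model.top_feature(log))  # unregistered: request registration
        self.registration_requests.append(
            {"device_id": log.device_id, "product": log.product,
             "fault_code": log.fault_code, "fingerprint": fp})
        return ("register_requested", fp)


# Constructed sample data: normal baseline traffic for one product and one registered signature.
BASELINE = [OperationLog(f"unit-{i:02d}", "AC-100", c, a, "NONE")
            for i, (c, a) in enumerate(zip((10, 12, 11, 13, 12, 10, 11, 12), (0, 1, 0, 1, 0, 0, 1, 0)))]
REGISTERED = [Signature("AUTH_BRUTE_FORCE", "AC-100", "AUTH_LOCKOUT", min_failed_auth=20)]
LOG_KNOWN = OperationLog("unit-51", "AC-100", 12, 40, "AUTH_LOCKOUT")  # matches registered signature
LOG_UNKNOWN = OperationLog("unit-52", "AC-100", 900, 0, "NONE")         # abnormal, no signature yet
LOG_NORMAL = OperationLog("unit-53", "AC-100", 13, 1, "NONE")           # within the baseline


def build_analyzer() -> OperationSideAnalyzer:
    return OperationSideAnalyzer(MonitoringModel(BASELINE), REGISTERED)


if __name__ == "__main__":
    analyzer = build_analyzer()
    for log in (LOG_KNOWN, LOG_UNKNOWN, LOG_NORMAL):
        print(log.device_id, analyzer.analyze(log))
    print("registration requests:", analyzer.registration_requests)
```

The three branches of claim 7 map onto the three return values of `analyze`: a record inside the baseline spread is reported as normal, an abnormal record that a registered signature describes is reported with that signature's name, and an abnormal record nobody has a signature for produces a registration request. Feeding the same unknown record back in after `apply_signature_update` shows the signature information update unit closing that loop.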

Priority Applications (3)

Application Number Priority Date Filing Date Title
PCT/JP2020/044522 WO2022113348A1 (en) 2020-11-30 2020-11-30 Development side security analysis support device, operation side security analysis support device, and security analysis support system
JP2022565298A JP7403686B2 (en) 2020-11-30 2021-11-19 Development side security analysis support device and security analysis support system
PCT/JP2021/042560 WO2022113895A1 (en) 2020-11-30 2021-11-19 Development-side security analysis support device, operation-side security analysis support device, and security analysis support system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2020/044522 WO2022113348A1 (en) 2020-11-30 2020-11-30 Development side security analysis support device, operation side security analysis support device, and security analysis support system

Publications (1)

Publication Number Publication Date
WO2022113348A1 true WO2022113348A1 (en) 2022-06-02

Family

ID=81754140

Family Applications (2)

Application Number Title Priority Date Filing Date
PCT/JP2020/044522 WO2022113348A1 (en) 2020-11-30 2020-11-30 Development side security analysis support device, operation side security analysis support device, and security analysis support system
PCT/JP2021/042560 WO2022113895A1 (en) 2020-11-30 2021-11-19 Development-side security analysis support device, operation-side security analysis support device, and security analysis support system

Family Applications After (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/042560 WO2022113895A1 (en) 2020-11-30 2021-11-19 Development-side security analysis support device, operation-side security analysis support device, and security analysis support system

Country Status (2)

Country Link
JP (1) JP7403686B2 (en)
WO (2) WO2022113348A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017217301A1 (en) * 2016-06-13 2017-12-21 日本電信電話株式会社 Log analyzing device, log analyzing method, and log analyzing program
US10785243B1 (en) * 2018-09-28 2020-09-22 NortonLifeLock Inc. Identifying evidence of attacks by analyzing log text

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7225343B1 (en) 2002-01-25 2007-05-29 The Trustees Of Columbia University In The City Of New York System and methods for adaptive model generation for detecting intrusions in computer systems
JP2005316779A (en) 2004-04-28 2005-11-10 Intelligent Cosmos Research Institute Unauthorized access detector, detection rule generation device, detection rule generation method, and detection rule generation program
US7966659B1 (en) 2006-04-18 2011-06-21 Rockwell Automation Technologies, Inc. Distributed learn mode for configuring a firewall, security authority, intrusion detection/prevention devices, and the like
JP2010026547A (en) * 2008-07-15 2010-02-04 Fujitsu Ltd Firewall load balancing method and firewall load balancing system
US10701094B2 (en) 2017-06-22 2020-06-30 Oracle International Corporation Techniques for monitoring privileged users and detecting anomalous activities in a computing environment


Also Published As

Publication number Publication date
JP7403686B2 (en) 2023-12-22
JPWO2022113895A1 (en) 2022-06-02
WO2022113895A1 (en) 2022-06-02


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 20963612

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 20963612

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP