JP2005044243A - Access control rule generation device, access control rule generation method and computer program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a device and method that can streamline automatic generation processing of optimum access control rules depending on a use environment such as a user or a program in various information processing devices such as information appliances and PCs. <P>SOLUTION: For the generation of access control rules to be loaded into various information processors such as information appliances and PCs, access history information about each resource is acquired from a program execution trace, accessibility to each resource at program execution is inferred from resource relevance such as information on directory matching, type matching or network port category matching, and utility functions balanced in dependence on a use environment such as the access-control-rule-applied program, user or equipment, specifically, utility functions of balanced false positives and false negatives, are applied to set access control rules based on Bayesian estimation. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to an access control rule generation device, an access control rule generation method, and a computer program. Furthermore, in detail, an access control rule generation capable of efficiently constructing an access rule for appropriately executing access control for devices, data files, etc. in various information processing apparatuses such as information appliances and PCs The present invention relates to an apparatus, an access control rule generation method, and a computer program.

  In information processing devices such as information home appliances and PCs, data processing corresponding to each device, for example, document creation, database search, chart creation, game program, communication processing, Internet connection processing, etc. Various data processing is performed. In such data processing, each program needs resources necessary for its operation, that is, resources such as data files, system files, network ports, storage devices such as hard disks, etc., as libraries and operating systems. To access via.

  However, many information processing devices such as information appliances and PCs are connected to the network, and attacks that illegally access resources on computers using bugs and security holes in programs are frequently performed. It has become. If these attacks are successful, any file will be read / tampered / deleted / executed, and so on, and will be greatly damaged. For this reason, security measures against this problem are very important issues. Even if the PC is not connected to the network, if the PC is operated by an unauthorized user other than a legitimate user, if the data or device is illegally accessed, the possibility of data falsification etc. Cause damage.

Several countermeasures against these attacks have been proposed. As direction of measures,
(1) A method of taking individual measures for each attack;
(2) A general-purpose measure that does not distinguish between attacks,
There are two types.

  As a specific example of the individual countermeasure (1), there are methods such as [Stack Guard], [Stack Smashing Protector], [PaX], and [libsafe] that are stack overflow countermeasures.

  [Stack Guard] and [Stack Smashing Protector] are methods for detecting damage of the stack and stopping the execution of the attacked program to stop the damage. [PaX] is a method of stopping execution of code that has overflowed in the attacked program by prohibiting execution of code on the stack. [Libsafe] is a method of preventing stack overflow by overriding a vulnerable function and checking input data. As other individual measures, there are symptomatic methods such as security holes and bug correction of the program itself, or changes in functions and specifications.

  As a general measure of (2), there is a method of controlling access to resources at the OS level or the application level. For example, [Access control list / table method], [TypeEnforcement method], [Role BasedAccess Control method], [Compartment method] and the like have been proposed as specific examples of the access control method. Basically, all these access control methods define what kind of access an active subject on a computer such as a PC is allowed / prohibited to a passive subject, and perform actual access control according to the contents. It is a technique to do.

  The difference between these methods is how to define active, passive, and access forms. The access control list / table format is a system that uses an active entity as a program, a passive entity as an actual computer resource such as a file or a device, and a form that allows access to each resource as it is. The Type Enforcement method is a method that uses a form in which an active subject is a set of programs, a passive subject is a set of computer resources, and access can be made to each resource. In this method, a set of programs and a set of computer resources can be defined in any combination. The Role Based Access Control method is a method in which an active subject is a user, and a passive subject and a combination of access forms (referred to as authority) are used to grant authority to the user. Users and authority can be freely defined by those who set access control. The Compartment system is a system that uses a process sub-tree as an active entity, a computer resource as a passive entity, and an access mode that can be used for each resource.

  The individual countermeasure is performed by analyzing an attack whose attack method is already known, so that it can protect optimally against the attack, but is often ineffective against an unknown attack. On the other hand, general-purpose countermeasures are not as optimal as individual countermeasures, but have a feature that they exhibit a certain protective effect against attacks regardless of whether they are known or unknown.

  In recent years, security holes in programs have been reported every day, and it is actually difficult to catch up all of them, and there is a time lag until they always respond. It has become important. When using various types of access control, which is a general measure, it is necessary to create a security policy that is a setting for access control. A security policy means that an active entity, that is, a process or a user, permits a passive entity, that is, what access mode, that is, an access mode such as read or write, to various computer resources. It is a set of rules that indicates whether to prohibit. As a prior art disclosing an access control configuration based on a security policy, for example, there is a technique described in Patent Document 1.

  However, the security policy must comprehensively include all of the objects to be protected and the programs to be operated, so there is a problem of difficulty in creating such a very large number of settings (for example, several hundred to tens of thousands of lines). is there. In addition, in order to describe how each program or user actually accesses computer resources, it is necessary to have knowledge of the program and its operational status, so very advanced knowledge and technology are required. There is a problem that it is required.

  Accordingly, it is very difficult for humans to create an optimal security policy from scratch by manual processing. As an actual problem, access control mechanisms are not so popular because of the difficulty of this work.

  Several methods for automatically generating a security policy have been proposed to solve the problem of difficulty in creating the security policy. This automatic security policy generation method can be classified into the following two types (A) and (B).

  (A) The first is a method in which a program is executed in advance, resource access according to the execution result is determined by a human, and incorporated as a security policy. Many of them adopt this method, and for example, many access control mechanisms such as [SELinux], [Linux Induction Detection System], and [Janus] are employed.

  (B) The second is a method of analyzing the source code and extracting resource access from the code. This method is proposed by IBM as a paper called [Access Rights Analysis for Java] for the security mechanism of [Java].

  In the method (A), since only the range in which the program is executed is incorporated into the security policy, it is necessary to execute all patterns of the program in order to create a highly accurate security policy. There is a problem that is very large.

  In the method (B), since parameters are extracted from the source code of the program, there is little effort for generating a security policy, but parameters (program arguments, contents of setting files, etc.) passed at the time of execution cannot be analyzed. As a result, there is a problem that the accuracy of the generated security policy is low because sufficient resource access cannot be extracted.

  As described above, the conventional automatic generation method of the security policy cannot satisfy both the accuracy of the security policy and the reduction of the generation effort at the same time. Furthermore, as a problem common to the above methods (A) and (B), the security policy is always generated without considering the risk balance of [false negative] or [false positive], regardless of the generation of the security policy. There is a point that only the balance of ignoring is applied to [false positive].

  [False negative] is to regard unauthorized access as normal access, and in this case, to generate a security policy that permits resource access to be prohibited. [False positive] means that normal access is regarded as unauthorized access, and in this case, generation of a security policy that prohibits resource access that should be permitted. When making security decisions, you should always look at the balance of risks.

Information processing apparatuses (computers) such as PCs are used for various purposes, and when considering security, it is necessary to balance various [false negative] and [false positive] according to the purpose. For example, when application of an access control mechanism to information home appliances is considered, these information home appliances are often used by general users who do not have computer knowledge. Therefore, if [false positive] in which normal access is regarded as unauthorized access is frequently generated, the user misunderstands that the correct operation is incorrect, and the user gives up the operation without performing the operation again. Will occur. It is a problem that the continuation of the operation is stopped due to the access restriction during such normal use. Accordingly, the highest priority is set to a security policy that is set for a device such as an information home appliance that is often used by a general user who does not have computer knowledge, so that no problem occurs during normal use. That is, it is required to minimize [false positive]. However, there is a problem in that an existing security policy automatic generation method cannot generate a security policy according to the request of the application destination.
JP 2002-215440 A

As mentioned above, there are two known methods for automatically generating existing security policies:
(A) A method in which a human determines resource access according to an execution result by pre-execution of a program and incorporates it as a security policy;
(B) a method of analyzing source code and extracting resource access from the code;
The above two methods are known. Since the method (A) is based on the setting of a security policy based on the execution range of the program, all patterns of the program are required to create a highly accurate security policy. There is a problem that it takes a lot of time to execute the program. The method (B) extracts the parameters from the source code of the program, so the security policy generation is less, but it is difficult to analyze the parameters (program arguments, setting file contents, etc.) passed at the time of execution. There is a problem that the accuracy of the generated security policy is low because sufficient resource access cannot be extracted.

  In addition, since both methods (A) and (B) are uniform policy setting methods, there is a problem in that it is impossible to adjust the balance between [false positive] and [false negative] according to the device or the application. There is.

  The present invention has been made in view of the problems in such an existing security policy automatic generation method, and an access control rule generation device that realizes automatic generation of a security policy with both effort and accuracy, and An object is to provide an access control rule generation method and a computer program.

  It is another object of the present invention to provide an access control rule generation device, an access control rule generation method, and a computer program capable of generating a security policy in consideration of the balance between [false positive] and [false negative]. .

  More specifically, the present invention infers whether or not the resource access that the program is supposed to perform from the resource access in the execution trace result of the program, and further, the probability / rightness that the access to the resource is illegal By realizing a method of determining the final access permission / denial in consideration of the probability and the magnitude of the damage, it is possible to achieve both a balance of less effort and accuracy and [false positive] and [false negative]. It is an object of the present invention to provide an access control rule generation device, an access control rule generation method, and a computer program that enable generation of a security policy in consideration of the balance of the above.

The first aspect of the present invention is:
An access control rule generation device that generates an access control rule for a resource of an information processing device,
Executes the program subject to access control rules, obtains a program execution trace including resource access history information, and estimates the presence / absence of access to each resource in the execution of the program based on the relevance information between resources set in advance An execution trace analysis processing unit,
A parameter input processing unit for inputting an initial function corresponding to each occurrence of access preset for each resource, its likelihood information, and a utility function set based on a balance adjustment of false positive and false negative,
Access information for each resource by Bayesian estimation processing based on the access presence / absence information of each resource during program execution input from the execution trace analysis processing unit and the initial probability, likelihood information, and utility function input from the parameter input processing unit A security policy generator that sets control rules;
The access control rule generation device is characterized by comprising:

  Furthermore, in one embodiment of the access control rule generation device of the present invention, the security policy generation unit includes access information on each resource at the time of program execution input from the execution trace analysis processing unit, and the parameter input processing unit. Based on the input initial probability and likelihood information, the posterior probability of legitimate access of each resource, the probability calculation processing unit for calculating the posterior probability of unauthorized access, the posterior probability data calculated by the probability calculation processing unit, Based on the utility function input from the parameter input processing unit, an expected loss value associated with access prohibition for each resource, an expected loss calculation processing unit that calculates an expected loss value associated with access permission, and the expected loss calculation processing unit Access decision processing that sets access control rules for each resource based on the expected loss value calculated by And having a, the.

  Furthermore, in one embodiment of the access control rule generation device of the present invention, the utility functions set based on the balance adjustment of the false positive and the false negative are the false positive utility function fp () and the false negative utility function fn ( The utility functions fp () and fn () include weighting functions ω (fp) and ω (fn) that determine weighting coefficients for setting the balance, and the weighting functions ω (fp) and ω ( fn) is a function set based on at least one of the program or device to which the access control rule is applied, and false positive priority is set by setting the weight functions ω (fp) and ω (fn). Or it is the utility function which performed setting adjustment of false negative priority.

  Furthermore, in one embodiment of the access control rule generation device of the present invention, the utility functions fp (), fn () are false positive priority satisfying a ratio of weighting factors: ω (fn) / ω (fp)> 1. It is a utility function that has been set.

  Furthermore, in one embodiment of the access control rule generation device of the present invention, the utility functions fp (), fn () are false negative priority satisfying a ratio of weighting coefficients: ω (fp) / ω (fn)> 1. It is a utility function that has been set.

  Furthermore, in one embodiment of the access control rule generation device of the present invention, the relevance information between resources applied in the execution trace analysis processing unit is information that makes resources in the same directory relevant, and the execution The trace analysis processing unit is configured to execute a process for analogizing a resource in the same directory as a resource in which resource access has occurred in the execution of the program as an access occurrence resource in program execution.

  Furthermore, in one embodiment of the access control rule generation device of the present invention, the relevance information between resources applied in the execution trace analysis processing unit is information regarding relevance of the same type of resource, and the execution trace The analysis processing unit is configured to execute a process of analogizing a resource of the same type as a resource in which resource access has occurred during execution of the program as an access occurrence resource in program execution.

  Furthermore, in one embodiment of the access control rule generation device of the present invention, the relevance information between resources applied in the execution trace analysis processing unit is information regarding network ports of the same category as related resources, The execution trace analysis processing unit is configured to execute a process of analogizing a network port of the same category as a network port in which resource access has occurred during execution of the program as an access occurrence resource in program execution.

  Furthermore, in one embodiment of the access control rule generation device of the present invention, the resource includes hardware in the information processing device and software including a program, system data, and user data.

Furthermore, the second aspect of the present invention provides
An access control rule generation method for generating an access control rule for a resource of an information processing device,
Executes the program subject to access control rules, obtains a program execution trace including resource access history information, and estimates the presence / absence of access to each resource in the execution of the program based on the relevance information between resources set in advance Execution trace analysis processing step to perform,
A parameter input processing step for inputting an initial probability corresponding to each occurrence of access preset for each resource, its likelihood information, and a utility function set based on a balance adjustment of false positive and false negative,
Access control rules for each resource by Bayesian estimation processing based on access probability information of each resource at the time of program execution acquired in the execution trace analysis processing, initial probability input in the parameter input processing, likelihood information, and utility function A security policy generation step for setting
There is an access control rule generation method characterized by comprising:

  Furthermore, in one embodiment of the access control rule generation method of the present invention, the security policy generation step inputs the access presence / absence information of each resource at the time of program execution acquired in the execution trace analysis process and the parameter input process. Based on the initial probability and likelihood information, the posterior probability of legitimate access of each resource, the probability calculation processing step for calculating the posterior probability of unauthorized access, the posterior probability data calculated in the probability calculation processing step, and the parameter Based on the utility function input at the input processing step, an expected loss value associated with access prohibition for each resource, an expected loss calculation step for calculating an expected loss value associated with access permission, and calculated at the expected loss calculation processing step Each based on expected loss value An access determination process step of setting access control rules for each source, and having a.

  Furthermore, in one embodiment of the access control rule generation method of the present invention, the utility functions set based on the balance adjustment of the false positive and the false negative are respectively the false positive utility function fp () and the false negative utility function fn ( The utility functions fp () and fn () include weighting functions ω (fp) and ω (fn) that determine weighting coefficients for setting the balance, and the weighting functions ω (fp) and ω ( fn) is a function set based on at least one of the program or device to which the access control rule is applied, and false positive priority is set by setting the weight functions ω (fp) and ω (fn). Or it is the utility function which performed setting adjustment of false negative priority.

  Furthermore, in one embodiment of the access control rule generation method of the present invention, the utility functions fp () and fn () have a false positive priority satisfying a ratio of weighting coefficients: ω (fn) / ω (fp)> 1. It is a utility function that has been set.

  Furthermore, in one embodiment of the access control rule generation method of the present invention, the utility functions fp () and fn () are false negative priority satisfying a ratio of weighting coefficients: ω (fp) / ω (fn)> 1. It is a utility function that has been set.

  Furthermore, in one embodiment of the access control rule generation method of the present invention, the relevance information between resources applied in the trace analysis processing step is information that makes the resources in the same directory relevant, and the execution trace The analysis processing step is characterized by executing a process of analogizing a resource in the same directory as the resource in which the resource access has occurred in the execution of the program as an access occurrence resource in the program execution.

  Furthermore, in one embodiment of the access control rule generation method of the present invention, the relevance information between resources applied in the execution trace analysis processing step is information that makes the same type of resource relevant, and the execution trace The analysis processing step is characterized by executing a process of analogizing a resource of the same type as a resource in which resource access has occurred during execution of the program as an access occurrence resource in program execution.

  Furthermore, in one embodiment of the access control rule generation method of the present invention, the relevance information between resources applied in the execution trace analysis processing step is information regarding network ports of the same category as related resources, The execution trace analysis processing step executes a process of analogizing a network port in the same category as a network port in which resource access has occurred in the execution of the program as an access occurrence resource in program execution.

Furthermore, the third aspect of the present invention provides
A computer program for executing access control rule generation processing for resources of an information processing device,
Executes the program subject to access control rules, obtains a program execution trace including resource access history information, and estimates the presence / absence of access to each resource in the execution of the program based on the relevance information between resources set in advance Execution trace analysis processing step to perform,
A parameter input processing step for inputting an initial probability corresponding to each occurrence of access preset for each resource, its likelihood information, and a utility function set based on a balance adjustment of false positive and false negative,
Access control rules for each resource by Bayesian estimation processing based on access probability information of each resource at the time of program execution acquired in the execution trace analysis processing, initial probability input in the parameter input processing, likelihood information, and utility function A security policy generation step for setting
There is a computer program characterized by comprising:

  The computer program of the present invention is, for example, a storage medium or communication medium provided in a computer-readable format to a computer system capable of executing various program codes, such as a CD, FD, or MO. It is a computer program that can be provided by a recording medium or a communication medium such as a network. By providing such a program in a computer-readable format, processing corresponding to the program is realized on the computer system.

  Other objects, features, and advantages of the present invention will become apparent from a more detailed description based on embodiments of the present invention described later and the accompanying drawings. In this specification, the system is a logical set configuration of a plurality of devices, and is not limited to one in which the devices of each configuration are in the same casing.

  According to the configuration of the present invention, in the generation of access control rules mounted on various information processing apparatuses such as information appliances and PCs, access history information of each resource is acquired by a program execution trace, and the identity and type of the directory Based on resource relevance, such as information on network ports with the same identity and category, the presence or absence of access to each resource at the time of program execution is inferred, and the use environment of the application program, user, device, etc. of the access control rule The utility function set according to the balance, specifically, the utility function that adjusts the balance of false positive and false negative is applied to set the access control rule based on Bayesian estimation. According to the usage environment of various information processing devices Efficient automatic generation processing of a suitable access control rules can be performed.

  Further, according to the configuration of the present invention, the utility function set based on the balance adjustment of false positive and false negative is input, and the access control rule is set based on this parameter. Or, it is possible to make arbitrary settings according to the usage environment such as programs and devices to which the access control rules are applied, such as false negative priority settings, and it is easy to change the optimal access control rules according to the request only by changing the parameters. Can be generated.

Furthermore, according to the configuration of the present invention, not only the presence / absence of access in acquiring the execution trace of the program, but also the relevance of the resource, specifically,
(1) A method of extracting a file in the same directory as an access file recorded as an access resource during a program execution trace as a related file,
(2) A method of extracting a file or device of the same type as the access file recorded as an access resource during the program execution trace as a related file or device,
(3) A method for extracting a port in the same category as the network port recorded as the access resource during the program execution trace,
Since any one of these methods or a combination of these is applied to execute the analogy of whether or not each resource is accessed, each information processing apparatus has each regardless of whether or not an actual access occurs in the program execution trace. Since access analogy for resources is possible and an access control rule is generated based on the presence / absence of analogy access, an access control rule can be generated efficiently and with high accuracy.

  Hereinafter, an access control rule generation device, an access control rule generation method, and a computer program according to the present invention will be described in detail with reference to the drawings.

  First, an application processing configuration of an access control rule generated by applying the access control rule generation device and the access control rule generation method of the present invention will be described with reference to FIG. FIG. 1 is a diagram for explaining execution forms of various programs in an information processing apparatus such as an information home appliance and a PC. As shown in FIG. 1, in the information processing apparatus, various programs such as data processing executed by the user, such as document creation, database search, communication processing, and a game, operate. FIG. 1 shows a program A110, a program B120, and a program A130.

  Each program accesses a resource necessary for its operation, that is, a hardware device such as a system file data file, a network port, a hard disk, and a CPU via a library and an operating system (OS) 150. FIG. 1 shows, as resources to be accessed in the execution of each program, a device 152 consisting of devices A to C,..., A network socket 153 consisting of sockets A to C applied to network connection, and a file A such as a system file data file. A file 154 consisting of .about.C .. is illustrated.

  The access control unit shown in FIG. 1 is set as a control mechanism that judges the legitimacy of access to these resources in the execution of each program and rejects access when it is judged that the access is not legitimate.

  In FIG. 1, as an access control unit, a program-compatible access control unit A111, a program-compatible access control unit B121, a program-compatible access control unit C131, and an operating system (OS) 150 side which are access control mechanisms corresponding to each program are shown. The set OS side access control unit 151 is shown.

  For example, the validity and validity of access requests for various resources based on user operations and inputs when executing the program A110 are determined by the program-compatible access control unit A111 and the OS-side access control unit 151, and the determination result is Based on this, access permission or prohibition processing for the resource is performed. The validity and validity of access requests for various resources based on user operations and inputs when executing the program B120 are determined by the program-compatible access control unit B121 and the OS-side access control unit 151, and based on the determination results The access is permitted or prohibited for the resource.

  In the figure, a configuration example having an access control unit corresponding to a program and an access control unit on the OS side is shown, but a configuration having any one of these access control units may be adopted.

  These access control units hold a security policy as a guideline for determining the legitimacy of access in the storage unit, and determine the legitimacy and validity of an access request based on user input and operation according to the security policy. The security policy is data that defines an access rule for each resource that can be accessed in an information processing apparatus that includes hardware included in the information processing apparatus and various types of software including user data.

  An access rule generation process is executed by applying the access control rule generation device and the access control rule generation method of the present invention described below. The access control rule generation process according to the present invention is performed as an automatic generation process that accompanies an execution process of a program for which an access rule is set.

  FIG. 2 is a block diagram showing the configuration of the access control rule generation device of the present invention. The configuration diagram shown in FIG. 2 is a diagram illustrating processing functions of the access control rule generation device. Specific hardware can be configured by an information processing apparatus such as a CPU including a CPU as a so-called data processing unit, a RAM, a ROM as a memory area, a data input unit, a data output unit, and the like. An access control rule generation process is performed by executing a process according to an access control rule generation process sequence described in an information processing apparatus such as a PC. The access control rule generation processing sequence can be set as a computer program. By executing processing under CPU control in accordance with a computer program that records the access control rule generation processing sequence, access control rule automatic generation is executed. The block diagram shown in FIG. 2 is a block diagram showing each process executed in the automatic generation process of the access control rule as a function block individually.

  The access control rule generation process of the present invention will be described with reference to FIG. As shown in FIG. 2, the access control rule generation device includes an execution trace analysis processing unit 210 that acquires and analyzes an execution trace of a program for which an access rule is set, and parameters as input units for various parameters from a user. The input processing unit 220 includes a security policy generation processing unit 230 that generates a security policy from execution trace results and input parameters.

  The execution trace analysis processing unit 210 includes a resource access record processing unit 211 and a resource access analogy processing unit 212. These are composed of a secondary storage device such as a CPU, a memory, a RAM, and a ROM as hardware. The parameter input processing unit 220 includes a probability initial distribution input processing unit 221 and a utility function input processing unit 214. These are composed of a CPU, a memory, a secondary storage device, and the like as hardware. The security policy generation processing unit 230 includes a probability calculation processing unit 231, an expected loss value calculation processing unit 232, an access determination processing unit 233, and a security policy conversion processing unit 234. These are composed of a CPU, a memory, a secondary storage device and the like.

  The resource access record processing unit 211 in the execution trace analysis processing unit 210 records the execution trace result of the resource access in the course of executing the program for which the access rule is set, and uses the acquired execution trace result as the resource access analogy processing unit 212. To provide.

The resource access analogy processing unit 212 extracts resource access relevance from the program execution trace result received from the execution trace analysis processing unit 210. As a method for extracting resource access relevance, for example,
(1) A method of extracting a file in the same directory as an access file recorded as an access resource during a program execution trace as a related file,
(2) A method of extracting a file or device of the same type as the access file recorded as an access resource during the program execution trace as a related file or device,
(3) A method for extracting a port in the same category as the network port recorded as the access resource during the program execution trace,
There are a method of applying any of these methods, a method of applying them in combination, a method of applying them comprehensively, and the like.

  The file type refers to a file data format, for example, a type based on a data format such as a text data file, an audio data file, a video data file, an execution file, or an attribute, that is, a system file, a user file, etc. Each file is classified according to the type based on the attribute, and a file of the same type as the access file recorded as the access resource during the program execution trace is extracted as a related file.

  The device type is set by classifying device types, that is, individual devices such as HDD, FDD, network, audio, video, memory, and clock. Furthermore, network ports are categorized into categories defined by IANA (Internet Assigned Numbers Authority), that is, [Well-known], [Registered], [Dynamic] ports, and devices that implement TCP / IP. Apply the category classification used in.

  Note that the resource classification such as file, device, and network socket (port) is not limited to the above settings, and various settings are possible, and it is possible to determine the presence or absence of relevance based on any setting. is there.

  The parameter input processing unit 220 includes a probability initial distribution input processing unit 221 and a utility function input processing unit 222. The initial probability distribution input processing unit 221 receives an initial probability distribution composed of initial probabilities P (X) and likelihoods P (D | X) based on user input or from storage means, and generates a security policy generation unit 230. To the probability calculation processing unit 231. The utility function input processing unit 222 generates a utility function U (A | X) that expresses the balance between risk magnitude, false positive, and false negative based on user input or from storage means. It is received and output to the expected loss value calculation processing unit 232 of the security policy generation unit 230.

  False negative is an erroneous processing mode that regards unauthorized access as normal access. When access control based on a set access rule is executed, if false negative occurs, it is prohibited. It means that resource access that should be allowed is permitted. False positive is an erroneous processing mode in which normal access is regarded as unauthorized access. When access control based on a set access rule is executed, if false positive occurs, it should be permitted. This means that resource access is prohibited.

  It is difficult to generate a perfect access rule, and an access rule that considers the magnitude of risk when a false positive occurs and the magnitude of the risk when a false negative occurs It is necessary to set.

  In the access control rule generation process of the present invention, a process applying Bayesian theory is performed. Bayesian theory is a technique for predicting the probability of occurrence of a specific event under unspecified circumstances (= incomplete information). That is, it is a statistical inference method for estimating the occurrence probability of the cause (event) based on the result (situation).

  An outline of Bayesian theory will be briefly explained. Let P (X) be the initial probability for a certain random variable X. For example, when X1 = smoker and X2 = non-smoker, the probability P (X1) = 0.4 of being a smoker and the probability P (X2) = 0.6 of being a non-smoker are set as prior probabilities. The

At this time, the likelihood of the random variable X when the event D is observed, that is, the probability that D is observed in the case of the random variable X is P (D | X). Specifically, when D1 = lung cancer, the likelihood P (D1 | X1) indicates the probability that the smoker will have lung cancer, and the likelihood P (D1 | X2) indicates the probability that the non-smoker will have lung cancer. Indicates. For example,
Likelihood P (D1 | X1) = 0.09
Likelihood P (D1 | X2) = 0.03
It is calculated as follows.

  Further, the posterior probability for the random variable X under the observation result D is P (X | D). This indicates the probability of the random variable X when event D is observed. Specifically, the posterior probability that a person with lung cancer is a smoker is indicated as P (X1 | D).

The posterior probability that a person with lung cancer is a smoker is calculated by the following condition: P (X1 | D)
Initial probability P (X1) = 0.4
Initial probability P (X2) = 0.6 non-smoker
Likelihood P (D1 | X1) = 0.09
Likelihood P (D1 | X2) = 0.03
If

P (X1 | D) = 0.4 × 0.09 / (0.4 × 0.09 + 0.6 × 0.03)
≒ 0.6667
It becomes.
Thus, the Bayesian theory is a theory for estimating the cause probability based on the result.

  In the access control rule generation process of the present invention, an initial probability P (X) and likelihood P (D | X) are defined for each resource. Also, it is composed of a value representing the magnitude of loss (risk) and a weighting coefficient representing the balance of false positive and false negative based on the request of the access rule application destination (program or device). The utility function U (A | X) set as a function is also defined for each resource.

Parameters for expressing the probability model in this method: X, D, and A are parameters having the following definitions.
X = {legitimate access (X1), unauthorized access (X2)}
D = {Event could be observed (D1), event could not be observed (D2)}
A = {Access prohibition (A1), Access permission (A2)}
It becomes.

  Therefore, in this probability model, the initial probability P (X) has two types, P (X1) and P (X2), and the likelihoods are P (D1 | X1), P (D1 | X2), and P (D2 | X1). ), P (D2 | X2). The initial probabilities P (X1) and P (X2) indicate the probability of unauthorized access and the probability of proper access corresponding to each resource in the absence of prior knowledge.

  The likelihoods P (D1 | X1), P (D1 | X2), P (D2 | X1), and P (D2 | X2) are used in the inference process in the execution trace analysis processing unit 210 in the case of unauthorized access and legitimate access. Represents a conditional probability indicating the observation result of each type of event.

  FIG. 3 shows examples of initial probabilities P (X1), P (X2) and likelihoods P (D1 | X1), P (D1 | X2), P (D2 | X1), P (D2 | X2). These probability distributions can be obtained by analyzing past attack cases.

In the example shown in FIG. 3, for example, the file A as a resource is a system file of type, and the initial probability is
P (X1) = 0.9
P (X2) = 0.1
It is.
That is, the initial probability that the access to the file A is valid is 0.9, and the initial probability that it is illegal is 0.1.

The likelihood is
P (D1 | X1) = 0.95
P (D1 | X2) = 0.05
P (D2 | X1) = 0.1
P (D2 | X2) = 0.9
It is.
That is, the probability P (D1 | X1) = 0.95 that the legitimate access to the file A is observed, the probability P (D1 | X2) = 0.05 that the unauthorized access to the file A is observed, and the legitimate access to the file A The probability P (D2 | X1) = 0.1 that is not observed and the probability P (D2 | X2) = 0.9 that unauthorized access to the file A is not observed.

In the following, the initial probability and likelihood are obtained by analyzing past attack cases, etc. for each of the resources that are the target of setting access rules, such as file B, devices I and J, ports X and Y, etc. Is acquired from the user input or the storage unit, and is input to the probability calculation processing unit of the security policy generation processing unit 230 via the probability processing distribution input processing unit 211 of the parameter input processing unit 220.

The utility function U (A | X) takes four parameters with possible values of A and X, but can be defined as follows in consideration of the contents.
U (A1 | X1) = fp () (representing a loss at the time of false positive, fp () ≦ 0)
U (A1 | X2) = 0 (appropriately represents a loss when prohibited)
U (A2 | X1) = 0 (appropriately represents a loss at the time of permission)
U (A2 | X2) = fn () (representing a loss at the time of false negative, fn () ≦ 0)

  From the above, there are two types of utility functions to be input, fp () and fn ().

  fp () and fn () are composed of a value representing the magnitude of loss (risk) and a weighting coefficient representing the balance between false positive and false negative based on the request of the adaptation destination. This utility function is defined as follows.

fp () = loss (A1 | X1) × ω (fp) ≦ 0 (Expression 1)
fn () = loss (A2 | X2) × ω (fn) ≦ 0 (Expression 2)

  The loss (A | X) in the above equation is a loss function that quantitatively represents a loss when access defined for each resource is permitted or prohibited. Specifically, it is a function indicating how much damage occurs when an infringement on a certain resource occurs (leakage, tampering, etc.).

  As an example, when the loss function is represented by the damage amount, the damage amount (collection repair cost, etc.) incurred when the system file or device is destroyed is defined as the loss function. ω (fp) and ω (fn) are functions representing the weights of false positive and false negative, respectively, and by adjusting the ratio of ω (fp) and ω (fn), It is possible to freely change the setting of the access rule to be generated, such as a setting that gives priority to false positive or a setting that gives priority to false negative.

  More specifically, ω (fn) / ω (fp)> 1 is satisfied for priority setting of false positive, and ω (f (n) for priority setting of false negative. It is sufficient to satisfy fp) / ω (fn)> 1.

  The ratio of false positive decreases as the value of ω (fn) / ω (fp) is greater than 1, but the ratio of false negative increases, and similarly ω (fp) / ω (fn As the value of) becomes larger than 1, the ratio of false negative decreases, but the ratio of false positive increases.

  FIG. 4 shows a graph showing the relationship between weighting, false positive and false negative. In FIG. 4, for example, when the false positive weighting factor ω (fp) = k1 and the false negative weighting factor ω (fn) = k2, the priority of the false negative is given priority. When a point 301 is set in the area and an access rule is generated according to this setting, an access rule giving priority to false negative is set.

  Note that a weighting factor determination function ω (fp) for setting a false positive weighting factor and a weighting factor determination function ω (fn) for setting a false negative weighting factor are mutually dependent. These functions can be set as independent functions, and these functions may be freely defined according to the access rule application destination (program, information processing device, etc.). However, the utility function is a function that is always 0 or less, and the value decreases as the loss increases (the absolute value increases).

  FIG. 5 shows an example of a loss function and a weighting function that are elements of the utility function. As shown in FIG. 5, the loss function and the weighting function are defined for each resource. The loss function loss (A | X) is a loss function that quantitatively represents a loss when access is permitted or prohibited for each resource. In FIG. 5, for example, the loss function when the legitimate access to the file A as a resource is prohibited is loss (A1 | X1) = − 10,000, and the loss function when the unauthorized access to the file A is permitted is loss (A2 | X2) = − 10,000.

Further, the false function weight function ω (fp) and the false negative weight function ω (fn) corresponding to the file A have three types of setting modes a to c,
a. In the normal setting, ω (fp) = 1, ω (fn) = 1
b. In the low false positive priority setting, ω (fp) = 3, ω (fn) = 1
c. In the low false negative priority setting, ω (fp) = 1, ω (fn) = 3
There is a setting.
From these settings, it is possible to generate an access rule by selecting an appropriate setting corresponding to a program or device as an access rule application target. Note that the setting example shown in FIG. 5 is merely an example, and various other settings are possible.

  Next, returning to FIG. 2, the processing configuration of the security policy generation processing unit 230 will be described. The security policy generation processing unit 230 includes a probability calculation processing unit 231, an expected loss value calculation processing unit 232, an access determination processing unit 233, and a security policy conversion processing unit 234.

  The probability calculation processing unit 231 uses the prior probabilities P (X) and likelihood P (D | X) received from the probability initial distribution input processing unit 221 of the parameter input processing unit 220, and performs legitimate access using Bayesian estimation. The posterior probability P (X | D) of unauthorized access is calculated. As described above, Bayesian estimation is a theory that estimates the establishment of a cause based on the result. The posterior probability P (X | D) indicates the probability of the random variable X when the event D is observed.

Observed event (D = D1), that is, posterior probability P (X1 | D1) that is a legitimate access when observing that access to a certain resource has occurred
A posteriori probability P (X2 | D1) for unauthorized access
The calculation formulas are as shown in the following (formula 3) and (formula 4).

When D = D1 P (X1 | D1)
= {P (X1) P (D1 | X1)} / {P (X1) P (D1 | X1) + P (X2) P (D1 | X2)}
... (Formula 3)
P (X2 | D1)
= {P (X2) P (D1 | X2)} / {P (X1) P (D1 | X1) + P (X2) P (D1 | X2)}
... (Formula 4)

In addition, the posterior probability P (X1 | D2) is a legitimate access when the event is not observed (D = D2), that is, when the access to a certain resource cannot be observed.
Possibilities P (X2 | D2) for illegitimate access
Are calculated by the following equations (Equation 5) and (Equation 6).

When D = D2 P (X1 | D2)
= {P (X1) P (D2 | X1)} / {P (X1) P (D2 | X1) + P (X2) P (D2 | X2)}
... (Formula 5)
P (X2 | D2)
= {P (X2) P (D2 | X2)} / {P (X1) P (D2 | X1) + P (X2) P (D2 | X2)}
... (Formula 6)

As shown in the above equations,
Possibilities of legitimate access when an event can be observed (Formula 3)
Possibilities of unauthorized access when events can be observed (Formula 4)
Possibilities of legitimate access when event cannot be observed (Formula 5)
Possibilities of unauthorized access when no events can be observed (Formula 6)
Are calculated in the probability calculation processing unit 231.

  The expected loss value calculation processing unit 232 uses the utility function U (A | X) received from the utility function input unit 222 of the parameter input processing unit 220 and the posterior probability P (X | D) calculated by the probability calculation processing unit 231. To calculate the expected loss value E [U (A), D]. Also in the process of calculating the expected loss value, when an event is observed (D = D1), that is, when an access to a certain resource can be observed, and when an event is not observed (D = D2), that is, for a certain resource When it cannot be observed that the access has occurred, each is calculated as follows.

A. When an event is observed (D = D1), that is, when an access to a certain resource can be observed,
(A1) Expected loss value due to access prohibition: E [U (A1), D1]
E [U (A1), D1]
= U (A1 | X1) P (X1 | D1) + U (A1 | X2) P (X2 | D1)
= Fp () * P (X1 | D1) + 0 * P (X2 | D1)
= Fp () * P (X1 | D1)
... (Formula 7)

(A2) Expected loss value associated with access permission: E [U (A2), D1]
E [U (A2), D1]
= U (A2 | X1) P (X1 | D1) + U (A2 | X2) P (X2 | D1)
= 0 × P (X1 | D1) + fn () × P (X2 | D1)
= Fn () x P (X2 | D1)
... (Formula 8)

  As described above, the event is observed (D = D1), that is, when the access to a certain resource can be observed, the expected loss value associated with the access prohibition: E [U (A1), D1] and the access permission The accompanying expected loss value: E [U (A2), D1] is calculated by the above (formula 7) and (formula 8).

  In (Expression 7) and (Expression 8), specific numerical values can be obtained by substituting the posterior probabilities P (X1 | D1) and P (X2 | D1) calculated in (Expression 3) and (Expression 4). it can.

B. If an event cannot be observed (D = D2), that is, if an access to a certain resource cannot be observed,
(B1) Expected loss value due to access prohibition: E [U (A1), D2]
E [U (A1), D2]
= U (A1 | X1) P (X1 | D2) + U (A1 | X2) P (X2 | D2)
= Fp () * P (X1 | D2) + 0 * P (X2 | D2)
= Fp () * P (X1 | D2)
... (Formula 9)

(B2) Expected loss value associated with access permission: E [U (A2), D2]
E [U (A2), D2]
= U (A2 | X1) P (X1 | D2) + U (A2 | X2) P (X2 | D2)
= 0 × P (X1 | D2) + fn () × P (X2 | D2)
= Fn () * P (X2 | D2)
... (Formula 10)

  In (Expression 9) and (Expression 10), specific numerical values can be obtained by substituting the posterior probabilities P (X1 | D2) and P (X2 | D2) calculated in (Expression 5) and (Expression 6). it can.

As a specific example, file A shown in FIG.
P (X1) = 0.9
P (X2) = 0.1
That is, the initial probability that the access to the file A is valid is 0.9, the initial probability that it is illegal is 0.1, and the likelihood is set as follows:
P (D1 | X1) = 0.95
P (D1 | X2) = 0.05
P (D2 | X1) = 0.1
P (D2 | X2) = 0.9
It is.

  That is, the probability P (D1 | X1) = 0.95 that the legitimate access to the file A is observed, the probability P (D1 | X2) = 0.05 that the unauthorized access to the file A is observed, and the legitimate access to the file A The expected loss value for the file A in which the probability P (D2 | X1) = 0.1 that is not observed and the probability P (D2 | X2) = 0.9 that the unauthorized access to the file A is not observed is the loss function loss shown in FIG. (A | D), each of the posterior probability P (X | D) as a result calculated by setting each of the weighting functions ω (fp) and ω (fn) and the expected loss value E [U (A), D] The values are shown in FIGS.

As shown in FIG.
About file A
When the event is observed (D = D1), that is, when access to file A can be observed,
Probability of posterior access P (X1 | D1) = 0.888439
Poor probability of unauthorized access P (X2 | D1) = 0.011561
Is calculated.

At this time, the false function weight function ω (fp) and the false negative weight function ω (fn) corresponding to the file A are set in three types of setting modes a to c, that is,
a. In the normal setting, ω (fp) = 1, ω (fn) = 1
b. In the low false positive priority setting, ω (fp) = 3, ω (fn) = 1
c. In the low false negative priority setting, ω (fp) = 1, ω (fn) = 3
The expected loss value for each of the settings is calculated as follows.

a. When normal setting, ω (fp) = 1, ω (fn) = 1,
Expected loss value due to access prohibition: E [U (A1), D1] = − 9884.39
Expected loss value associated with access permission: E [U (A2), D1] = − 115.607

b. Low false positive priority setting, ω (fp) = 3, ω (fn) = 1,
Expected loss value due to access prohibition: E [U (A1), D1] =-29653.2
Expected loss value associated with access permission: E [U (A2), D1] = − 115.607

c. In the case of low false negative priority setting, ω (fp) = 1, ω (fn) = 3,
Expected loss value due to access prohibition: E [U (A1), D1] = − 9884.39
Expected loss value associated with access permission: E [U (A2), D1] =-346.821

  FIG. 7 shows a graph showing these expected loss values.

For file A,
If no event was observed (D = D2), that is, it could not be observed that access to file A occurred,
Probability of posterior access P (X1 | D2) = 0.333333
Poor probability of unauthorized access P (X2 | D2) = 0.666667
Is calculated.

At this time, the expected loss value is calculated as follows.
a. When normal setting, ω (fp) = 1, ω (fn) = 1,
Expected loss value due to access prohibition: E [U (A1), D2] = − 3333.33
Expected loss value associated with access permission: E [U (A2), D2] = − 666666.667

b. Low false positive priority setting, ω (fp) = 3, ω (fn) = 1,
Expected loss value due to access prohibition: E [U (A1), D2] = − 10,000
Expected loss value associated with access permission: E [U (A2), D2] = − 66666.67

c. In the case of low false negative priority setting, ω (fp) = 1, ω (fn) = 3,
Expected loss value due to access prohibition: E [U (A1), D2] = − 3333.33
Expected loss value associated with access permission: E [U (A2), D2] = − 20,000

  FIG. 8 is a graph showing these expected loss values.

  The access determination processing unit 233 of the security policy generation processing unit 230 shown in FIG. 2 compares the expected loss value at the time of access prohibition / permission calculated by the expected loss value calculation processing unit 232, and the larger one (the one closer to 0) ) As an access rule for the resource. That is, access prohibition / permission is set. This selection result is an access right to be given to resource access. These settings are made for each resource.

  The security policy conversion processing unit 234 converts the access right calculated by the access determination processing unit 233 and the target resource designation into a setting format used by the access control mechanism that is actually used. There are no specific conditions for the target access control mechanism. As an example, an output result when LIDS (Linux Induction Detection System) is used as an access control mechanism is shown below.

  Since LIDS requires a command input for setting, the security policy conversion processing unit converts the access permission result for each resource into a set of LIDS command inputs.

#! / bin / sh
# begin of security policy for LIDS
LIDSCONF = / sbin / lidsconf
$ LIDSCONF -A -o / sbin -j READONLY
$ LIDSCONF -A -o / bin -j READONLY
$ LIDSCONF -A -o / boot -j READONLY
$ LIDSCONF -A -o / lib -j READONLY
$ LIDSCONF -A -o / usr -j READONLY
$ LIDSCONF -A -o / etc -j READONLY
$ LIDSCONF -A -o / etc / lids -j DENY
$ LIDSCONF -A -o / etc / shadow -j DENY
$ LIDSCONF -A -o / var / log -j APPEND
$ LIDSCONF -A -o / var / log / wtmp -j WRITE
$ LIDSCONF -A -s / bin / login -o / etc / shadow -j READONLY
$ LIDSCONF -A -s / bin / su -o / etc / shadow -j READONLY
$ LIDSCONF -A -s / bin / login -o / var / log / lastlog -j WRITE
$ LIDSCONF -A -s /etc/rc.d/rc -o CAP_KILL_PROTECTED -j GRANT
$ LIDSCONF -A -s /etc/rc.d/rc -o CAP_NET_ADMIN -j GRANT
$ LIDSCONF -A -s /etc/rc.d/rc -o CAP_SYS_ADMIN -j GRANT
$ LIDSCONF -A -s /etc/rc.d/init.d/halt -o CAP_KILL_PROTECTED -j GRANT
$ LIDSCONF -A -s /etc/rc.d/init.d/halt -o CAP_SYS_ADMIN -j GRANT
$ LIDSCONF -A -s /etc/rc.d/init.d/halt -o CAP_SYS_RAWIO -j GRANT
$ LIDSCONF -A -s /etc/rc.d/init.d/halt -o CAP_NET_ADMIN -j GRANT
$ LIDSCONF -A -s / usr / sbin / sshd -o / etc / shadow -j READONLY
$ LIDSCONF -A -s / usr / sbin / sshd -o CAP_NET_BIND_SERVICE 22-22 -j GRANT
$ LIDSCONF -A -s / usr / bin / ssh -o CAP_NET_BIND_SERVICE 0-1023 -j GRANT
$ LIDSCONF -A -s / usr / bin / sudo -o / etc / shadow -j READONLY
$ LIDSCONF -A -s / sbin / init -o / etc -j WRITE
$ LIDSCONF -A -o / var / lock / subsys -j WRITE
# end of security policy for LIDS

  As described above, in the access control rule generation processing of the present invention, in order to reduce the trouble of taking a resource access trace, a large number of resource accesses that the program is supposed to perform are inferred from a small number of resource access results. Furthermore, in order to determine whether or not resource access is possible, both a parameter (utility function) indicating a loss when access is permitted and a loss when access is prohibited and a probability that access is illegal / legitimate are used. Thereby, it is possible to improve the accuracy of accessibility and to consider the balance between false positive and false negative.

  Next, the access control rule generation processing procedure of the present invention will be described with reference to the flowchart of FIG. The process of each step will be described. First, in step S101, a program that is an access control rule generation process target is executed, and history information (program execution trace) of resources accessed in program execution is acquired. This processing is performed in the resource access record processing unit 211 of the execution trace analysis processing unit 210 in FIG.

  The next steps S102 to S104 are steps for determining the presence or absence of parameter input in the parameter input processing unit. In steps S102 and S103, input of the initial probability and likelihood via the probability initial distribution input processing unit 221 is confirmed. These pieces of information may be user input by an input unit, or may be executed as reading of data stored in advance in a storage unit. Step S104 is an input confirmation of the utility functions fp () and fn () in the utility function input processing unit 222.

Parameters for expressing the probability model in this method: X, D, A are
X = {legitimate access (X1), unauthorized access (X2)}
D = {Event could be observed (D1), event could not be observed (D2)}
A = {Access prohibition (A1), Access permission (A2)}
The initial probabilities P (X) are two types, P (X1) and P (X2), and the likelihoods are P (D1 | X1), P (D1 | X2), P (D2 | X1), P There are four types (D2 | X2). The initial probabilities P (X1) and P (X2) indicate the probability of unauthorized access and the probability of proper access corresponding to each resource without prior knowledge. The likelihoods P (D1 | X1), P (D1 | X2), P (D2 | X1), and P (D2 | X2) are used in the inference process in the execution trace analysis processing unit 210 in the case of unauthorized access and legitimate access. Represents the conditional probability that an event of each type is observed.

  The utility functions fp () and fn () are functions indicating weighting information indicating the balance between false positive and false negative.

When all the parameter inputs in steps S102 to S104 are performed, the resource access analogy processing unit next obtains the resource access related information from the trace result by the following method:
(1) A method of extracting a file in the same directory as an access file recorded as an access resource during a program execution trace as a related file,
(2) A method of extracting a file or device of the same type as the access file recorded as an access resource during the program execution trace as a related file or device,
(3) A method for extracting a port in the same category as the network port recorded as the access resource during the program execution trace,
A method of applying any of these methods, or a method of applying them in combination, or comprehensively setting whether to access each resource that generates an access rule based on the program execution trace and relevance judgment To do.

  The resource access analogy processing unit 212 performs a process of estimating whether or not it should be determined that there is an access in the program execution trace for each resource for which an access rule is set based on the program execution trace and the above-described resource relevance determination criteria. Do. Even if it is a resource such as a device or file that is not actually accessed in the program execution trace, if the resource access analogy processing unit 212 determines that there is a relationship with a device or file that is actually accessed, the program In the execution trace, it will be regarded as having been accessed. Relevance is preset such as directory commonality, data format commonality, category commonality, etc., and the resource access analogy processing unit 212 is a resource for setting an access rule based on preset information. Is set to whether or not there is access in the program execution trace.

  Next, for resources determined to have been accessed, the process proceeds to step S106, and for resources determined to have not been accessed, the process proceeds to step S107.

  When it is determined that there is access to the resource to be set as the access rule, that is, event observation is successful, in step S106, D1 is set in the variable D (D = D1), and there is no access. If it is determined that the event cannot be observed, D2 is set to the variable D (D = D2) in step S107.

  Next, in step S108, the probability calculation processing unit 231 of the security policy generation processing unit 230 shown in FIG. 2 receives the initial probability distribution and likelihood received from the probability initial distribution input processing unit 221, and the resource access analogy processing unit 212. The posterior probability P (Xn | Dn) is calculated using the received variable D.

  At this time, when there is resource access, that is, when an event is observed (D = D1), (Equation 3) and (Equation 4) described above are applied, and when there is no resource access, that is, when no event is observed ( For D = D2), the posterior probability P (Xn | Dn) is calculated by applying (Expression 5) and (Expression 6).

  When the posterior probability is obtained, in step S109, the expected loss value calculation processing unit 232 uses the utility function received from the utility function input processing unit 222 and the posterior probability received from the probability calculation processing unit 231 to calculate the expected loss value E [U (An), Dn] is calculated. When there is resource access, that is, when an event is observed (D = D1), the above-described (Expression 7) and (Expression 8) are applied, and when there is no resource access, that is, when no event is observed (D = D2) ), The expected loss value E [U (An), Dn] is calculated by applying (Equation 9) and (Equation 10).

  When the expected loss value is obtained, in step S110, the access determination processing unit 233 compares the expected loss value at the time of access prohibition with the expected loss value at the time of access permission, and if the expected loss value at the time of access prohibition is large, the access is prohibited. If the expected loss value at the time of access permission is large, a selection is made to set the access permission as an access rule for the resource.

  In step S113, it is determined whether there is still a resource for which access permission is to be determined. If it remains, the processing in step S105 and subsequent steps is executed for the unprocessed resource. When the processing for all access rule setting target resources is completed (S113: No). Proceeding to step S114, the security policy conversion processing unit 234 performs a process of converting into a data format that can be understood by the access control mechanism that is actually used as the access control information, based on the access control rule set corresponding to each resource. Execute and set as security policy. This completes the access control rule generation process.

  FIG. 10 shows the processing procedures of the three processing units shown in FIG. 2, that is, the execution trace analysis processing unit 210, the parameter input processing unit 220, and the security policy generation processing unit 230, and the data input / output between the processing units. It is a figure which shows correspondence.

  With reference to FIG. 10, processing of each processing unit and transmission / reception data between the processing units will be described. First, the process of step S201 is a process of the execution trace analysis processing unit 210. The execution trace analysis processing unit 210 executes a program that is an access rule generation processing target, and acquires an execution trace of the program, that is, history information of the accessed resource. Further, the presence / absence of an access to each resource, that is, the occurrence of an event, is determined based on a resource relevance determination criterion such as the same directory and the recorded program execution trace. This determination result is passed to the security policy generation processing unit as a resource access inference result.

The parameter input processing unit 220 executes parameter input processing in steps S202 and S203. In step S202, initial probabilities P (X1), P (X2) and likelihoods P (D1 | X1), P (D1 | X2), P (D2 | X1), P (D2 | X2) corresponding to each resource Is entered. In step S203, utility functions fp () and fn () corresponding to each resource are input. Each of these input parameters, ie the initial probability,
The likelihood and utility functions are passed to the security policy generation processing unit.

  Note that the sequence of steps S201 to S203 is not fixed, and any of them may be executed first or in parallel.

  In the security policy generation processing unit 230, first, in step S204, the resource access inference result received from the execution trace analysis processing unit 210, the initial probabilities P (X1), P (X2), and the likelihood received from the parameter input processing unit 220. A posteriori probability P (Xn | Dn) is calculated based on the degrees P (D1 | X1), P (D1 | X2), P (D2 | X1), and P (D2 | X2).

  In calculating the posterior probability P (Xn | Dn), the above-described (Expression 3) and (Expression 4) are applied to D = D1 for the resource determined to have been accessed based on the resource access inference result. To calculate. Based on the resource access inference result, the resource determined to have not been accessed is calculated by applying (Equation 5) and (Equation 6) described above as D = D2.

  Next, in step S205, the expected loss value E [U (An), Dn] is calculated using the utility function received from the parameter input processing unit 220 and the posterior probability calculated in the probability calculation processing step in step S204. . When there is resource access, that is, when an event is observed (D = D1), the above-described (Expression 7) and (Expression 8) are applied, and when there is no resource access, that is, when no event is observed (D = D2) ), The expected loss value E [U (An), Dn] is calculated by applying (Equation 9) and (Equation 10).

  Next, in step S206, the expected loss value at the time of access prohibition is compared with the expected loss value at the time of access permission. If the expected loss value at the time of access prohibition is large, access is prohibited and the expected loss value at the time of access permission is large. In this case, access permission is set as an access rule for the resource.

  Finally, in step S207, the access rule set corresponding to the resource is converted into a data format that can be understood by the access control mechanism that is actually used as access control information to obtain a security policy.

  As described above, in the access control rule generation process of the present invention, the presence / absence of access for each resource is determined based on the execution trace of the program and the relevance of each resource, and the determination result and each resource are determined. The preset initial probabilities P (X1), P (X2) and the likelihoods P (D1 | X1), P (D1 | X2), P (D2 | X1), P (D2 | X2) Based on this, the posterior probability P (Xn | Dn), that is, the posterior probability of legitimate access and the posterior probability of unauthorized access are calculated.

  Furthermore, an access rule application target, for example, a utility function set in advance according to a program or device, that is, a value representing the magnitude of loss (risk), and a false positive based on the access rule application target, Based on a function composed of weighting coefficients representing a false negative balance, an expected loss value associated with access prohibition and an expected loss value associated with access permission are calculated.

The utility function is, for example,
a. Normal setting, ω (fp) = 1, ω (fn) = 1
b. Low false positive priority setting, ω (fp) = 3, ω (fn) = 1
c. Low false negative priority setting, ω (fp) = 1, ω (fn) = 3
Any one of these is selected and set according to an access rule application target, for example, a program or a device.

  After calculating the expected loss value associated with access prohibition and the expected loss value associated with access permission for each resource, the next two expected loss values are compared, and the expected loss value when access is prohibited is large. Sets access prohibition as an access rule for the resource when access is prohibited, and when the expected loss value at the time of access permission is large.

  In the access control rule generation processing according to the present invention, since the access rule for each resource is set by the above-described method, automatic setting of the optimum access rule for many resources can be efficiently performed. . In addition, it is possible to change and set the utility function setting, that is, the balance setting of false positive and false negative according to the application target of the access rule, and access according to the rule application environment. It is possible to set a control rule.

  The present invention has been described in detail above with reference to specific embodiments. However, it is obvious that those skilled in the art can make modifications and substitutions of the embodiments without departing from the gist of the present invention. In other words, the present invention has been disclosed in the form of exemplification, and should not be interpreted in a limited manner. In order to determine the gist of the present invention, the claims section described at the beginning should be considered.

  As described above, according to the configuration of the present invention, in various information processing apparatuses such as information home appliances, it is possible to efficiently generate an optimal access control rule according to a use environment such as a user or a program, A security policy generating device having an access control rule mounted on various information processing apparatuses such as information home appliances and PCs, and a security policy having an access rule generated according to the present invention can be applied as a generation method. It can be mounted on various information processing apparatuses such as a PC.

It is a figure explaining an information processor configuration with an access control mechanism and access control processing. It is a block diagram which shows the structure of the access control rule production | generation apparatus of this invention. It is a figure shown about the initial probability and likelihood data example for every resource applied to the access control rule production | generation process of this invention. It is a figure explaining the balance of a false positive and a false negative. It is a figure which shows the example about the utility function applied to the access control rule production | generation process of this invention, and a loss function. It is a figure explaining the example of the posterior probability calculated in the access control rule production | generation process of this invention, and an expected loss value. It is a graph which shows the example (with event observation) of the expected loss value calculated in the access control rule production | generation process of this invention. It is a graph which shows the example (no event observation) of the expected loss value calculated in the access control rule production | generation process of this invention. It is a flowchart explaining the process sequence in the access control rule production | generation process of this invention. It is a figure explaining the process of each process part in the access control rule production | generation process of this invention.

Explanation of symbols

110, 120, 130 Program 111, 121, 131 Program-compatible access control unit 150 Operating system 151 OS-side access control unit 152 Device 153 Network socket 154 File 210 Execution trace analysis processing unit 211 Resource access record processing unit 212 Resource access analogy processing unit 220 Parameter Input Unit 221 Established Initial Distribution Input Processing Unit 222 Utility Function Input Processing Unit 230 Security Policy Generation Processing Unit 231 Probability Calculation Processing Unit 232 Expected Loss Calculation Processing Unit 233 Access Determination Processing Unit 234 Security Policy Conversion Processing Unit

Claims (18)

An access control rule generation device that generates an access control rule for a resource of an information processing device,
Executes the program subject to access control rules, obtains a program execution trace including resource access history information, and estimates the presence / absence of access to each resource in the execution of the program based on the relevance information between resources set in advance An execution trace analysis processing unit,
A parameter input processing unit for inputting an initial function corresponding to each occurrence of access preset for each resource, its likelihood information, and a utility function set based on a balance adjustment of false positive and false negative,
Access information for each resource by Bayesian estimation processing based on the access presence / absence information of each resource during program execution input from the execution trace analysis processing unit and the initial probability, likelihood information, and utility function input from the parameter input processing unit A security policy generator that sets control rules;
An access control rule generation device characterized by comprising: The security policy generation unit
Based on the access presence / absence information of each resource at the time of program execution input from the execution trace analysis processing unit, and the initial probability input from the parameter input processing unit, likelihood information, A probability calculation processing unit for calculating the posterior probability of unauthorized access;
Based on the posterior probability data calculated by the probability calculation processing unit and the utility function input from the parameter input processing unit, an expected loss value associated with access prohibition for each resource and an expected loss value associated with access permission are calculated. Expected loss calculation processing unit,
An access determination processing unit that sets an access control rule for each resource based on the expected loss value calculated by the expected loss calculation processing unit;
The access control rule generation device according to claim 1, comprising:   The utility functions set based on the balance adjustment of the false positive and the false negative are the false positive utility function fp () and the false negative utility function fn (), respectively, and the utility functions fp () and fn () are Weighting functions ω (fp) and ω (fn) for determining weighting coefficients for balance setting are included, and the weighting functions ω (fp) and ω (fn) are programs or devices to which access control rules are applied. That is set based on at least one of the following functions, and is a utility function that has been adjusted for false positive priority or false negative priority by setting the weight functions ω (fp) and ω (fn). The access control rule generation device according to claim 1, wherein   4. The utility function fp (), fn () is a utility function with a false positive priority setting that satisfies a ratio of weighting coefficients: ω (fn) / ω (fp)> 1. The access control rule generation device described.   4. The utility function fp (), fn () is a utility function having a false negative priority setting that satisfies a ratio of weighting coefficients: ω (fp) / ω (fn)> 1. The access control rule generation device described. Relevance information between resources applied in the execution trace analysis processing unit is as follows:
Information that makes resources in the same directory relevant,
The execution trace analysis processing unit
2. The access control rule generation device according to claim 1, wherein the access control rule generation apparatus is configured to execute processing for analogizing a resource in the same directory as a resource in which resource access has occurred in execution of the program as an access occurrence resource in program execution. . Relevance information between resources applied in the execution trace analysis processing unit is as follows:
Information that makes the same type of resource relevant.
The execution trace analysis processing unit
The access control rule generation device according to claim 1, wherein the access control rule generation device according to claim 1 is configured to execute a process of analogizing a resource of the same type as a resource in which resource access has occurred in execution of the program as an access occurrence resource in program execution. Relevance information between resources applied in the execution trace analysis processing unit is as follows:
Information regarding network ports of the same category as related resources,
The execution trace analysis processing unit
2. The access control rule generation according to claim 1, wherein a process for analogizing a network port in the same category as a network port in which resource access has occurred in execution of the program as an access occurrence resource in program execution is executed. apparatus.   2. The access control rule generation device according to claim 1, wherein the resource includes hardware in an information processing device and software including a program, system data, and user data. An access control rule generation method for generating an access control rule for a resource of an information processing device,
Executes the program subject to access control rules, obtains a program execution trace including resource access history information, and estimates the presence / absence of access to each resource in the execution of the program based on the relevance information between resources set in advance Execution trace analysis processing step to perform,
A parameter input processing step for inputting an initial probability corresponding to each occurrence of access preset for each resource, its likelihood information, and a utility function set based on a balance adjustment of false positive and false negative,
Access control rules for each resource by Bayesian estimation processing based on access probability information of each resource at the time of program execution acquired in the execution trace analysis processing, initial probability input in the parameter input processing, likelihood information, and utility function A security policy generation step for setting
An access control rule generation method characterized by comprising: The security policy generation step includes:
Based on the access presence / absence information of each resource at the time of program execution acquired in the execution trace analysis process and the initial probability and likelihood information input in the parameter input process, the posterior probability of legitimate access of each resource, and unauthorized access A probability calculation processing step for calculating the posterior probability of
Based on the posterior probability data calculated in the probability calculation processing step and the utility function input in the parameter input processing step, an expected loss value associated with access prohibition for each resource and an expected loss value associated with access permission are calculated. Expected loss calculation processing step;
Based on the expected loss value calculated in the expected loss calculation processing step, an access determination processing step for setting an access control rule for each resource;
The access control rule generation method according to claim 10, further comprising:   The utility functions set based on the balance adjustment of the false positive and the false negative are the false positive utility function fp () and the false negative utility function fn (), respectively. The utility functions fp () and fn () are Weighting functions ω (fp) and ω (fn) for determining weighting coefficients for balance setting are included, and the weighting functions ω (fp) and ω (fn) are programs or devices to which access control rules are applied. That is set based on at least one of the following functions, and is a utility function that has been adjusted for false positive priority or false negative priority by setting the weight functions ω (fp) and ω (fn). The access control rule generation method according to claim 10, wherein:   13. The utility function fp (), fn () is a utility function having a false positive priority setting that satisfies a ratio of weighting coefficients: ω (fn) / ω (fp)> 1. The access control rule generation method described.   13. The utility function fp (), fn () is a utility function with a false negative priority setting that satisfies a ratio of weighting coefficients: ω (fp) / ω (fn)> 1. The access control rule generation method described. Relevance information between resources applied in the trace analysis processing step is:
Information that makes resources in the same directory relevant,
The execution trace analysis processing step includes:
11. The access control rule generation method according to claim 10, wherein a process of analogizing a resource in the same directory as a resource in which resource access has occurred during execution of the program as an access occurrence resource in program execution is executed. Relevance information between resources applied in the execution trace analysis processing step is:
Information that makes the same type of resource relevant.
The execution trace analysis processing step includes:
11. The access control rule generation method according to claim 10, wherein a process of analogizing a resource of the same type as a resource in which resource access has occurred in execution of the program as an access occurrence resource in program execution is executed. Relevance information between resources applied in the execution trace analysis processing step is:
Information regarding network ports of the same category as related resources,
The execution trace analysis processing step includes:
11. The access control rule generation method according to claim 10, wherein a process of analogizing a network port in the same category as a network port in which resource access has occurred in execution of the program as an access occurrence resource in program execution is executed. A computer program for executing access control rule generation processing for resources of an information processing device,
Executes the program subject to access control rules, obtains a program execution trace including resource access history information, and estimates the presence / absence of access to each resource in the execution of the program based on the relevance information between resources set in advance Execution trace analysis processing step to perform,
A parameter input processing step for inputting an initial probability corresponding to each occurrence of access preset for each resource, its likelihood information, and a utility function set based on a balance adjustment of false positive and false negative,
Access control rules for each resource by Bayesian estimation processing based on access probability information of each resource at the time of program execution acquired in the execution trace analysis processing, initial probability input in the parameter input processing, likelihood information, and utility function A security policy generation step for setting
A computer program characterized by comprising:

Images