JP2009123052A - Policy generation system, program and recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a policy generation system generating policy information without depending on an operator's skill, and to provide a program and a recording medium. <P>SOLUTION: An event collecting unit 1 collects event information output from either an NIDS or both a VDS and an HIDS. An event processing unit 4 associates the event information with one another according to the time of detecting each event. Based on the event information associated with one another, the event processing unit 4 calculates statistical values for the appearance frequency of events due to attack. Based on the statistical values, a policy file generation unit 6 calculates index values for monitoring by the HIDS, and generates information for specifying a target to be monitored by the HIDS and policy information including the index values. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a policy generation system that generates policy information indicating a policy (policy) when a host-type intrusion detection system performs monitoring. The present invention also relates to a program for causing a computer to function as a policy generation system, and a computer-readable recording medium on which the program is recorded.

  As one of the typical intrusion detection methods of the Host-based Intrusion Detection System (HIDS), the normal status of files managed by the monitored host is recorded in the database in advance. There is a method of detecting file tampering by periodically monitoring the system status of the system and comparing it with the normal status. This is a method that pays attention to the fact that a file is falsified in many intrusions.

In order for HIDS to accurately detect an intrusion to a host due to an attack, it is important to properly set a policy file (policy information) that defines the file to be monitored. The policy file of HIDS includes, for example, information on which file in which directory is monitored and at what interval. In addition to HIDS, there are devices that set policy files. For example, Patent Document 1 describes a technique for automatically updating a policy file of a firewall using an unauthorized access detection function of a network-based intrusion detection system (NIDS). Patent Document 2 describes a technology for automatically updating a policy file of a router based on DoS (Denial of Service) attack information detected by a firewall.
JP 2005-71218 A JP 2005-197823 A

  However, it is difficult to set the HIDS policy file appropriately because the attack target file varies depending on the OS and application, and normal file changes by the OS and application that are not under attack are diverse. . For this reason, the creation of a policy file for HIDS depends on the skill of the operator, and there is a risk of incomplete settings.

  The present invention has been made in view of the above-described problems, and an object thereof is to provide a policy generation system, a program, and a recording medium that can generate policy information without depending on the skill of an operator. To do.

  In order to solve the above-described problems, the present invention has been made based on the following matters. By associating event information output from a network-type intrusion detection system or virus detection system with a host-type intrusion detection system, it becomes possible to identify an event caused by an attack and an event that is not affected by the attack. . For example, if a network type intrusion detection system or virus detection system and a host type intrusion detection system detect an event independently at approximately the same time, the event indicates that an influence of an attack has appeared.

  In addition, when only the host-type intrusion detection system detects the event, or when only the network-type intrusion detection system or virus detection system detects the event, the event is a normal operation or attack by the OS or application has failed. It is shown that. From the above, by collecting event information from actual attacks and generating policy information that reflects the impact of the attack based on the event information, the operator's skill is eliminated in the generation of policy information Is possible.

  In view of the above, the present invention provides a network type intrusion detection system or virus detection system, event collection means for collecting event information output from the host type intrusion detection system, and the event based on the event detection time. An association means for associating information with each other, a statistical value calculation means for calculating a statistical value related to an appearance frequency of an event due to an attack based on the event information associated with each other, and an index value relating to monitoring performed by the host-type intrusion detection system Index value calculating means for calculating based on a statistical value, information specifying means for generating policy information including the index value and information for specifying an object to be monitored by the host-type intrusion detection system This is a policy generation system.

  In the policy generation system of the present invention, the index value calculation means calculates a monitoring interval at which the host-type intrusion detection system performs monitoring as the index value.

  In the policy generation system of the present invention, the index value calculation means calculates, as the index value, a reliability indicating that the event detected by the host-type intrusion detection system may be due to an attack. And

  In the policy generation system according to the present invention, the index value calculation unit may further detect an event detected by the host-type intrusion detection system based on the event importance and the reliability output from the host-type intrusion detection system. The correspondence priority is calculated, and the information generation unit further generates information including event identification information and the correspondence priority.

  In the policy generation system of the present invention, the index value calculation means may further detect an event detected by the host-type intrusion detection system or the virus detection system and the network-type intrusion detection system based on the statistical value. The degree of correlation with the event is calculated, and the information generation unit further generates information including event identification information and the degree of correlation.

  The policy generation system according to the present invention includes an initial state storage means for storing information on an initial state of the host type intrusion detection system or the virus detection system, and the host type intrusion detection system based on the information on the initial state. Alternatively, it further includes activation control means for activating the virus detection system in a virtual environment.

  Moreover, this invention is a program for functioning a computer as said policy production | generation system.

  The present invention is a computer-readable recording medium on which the above program is recorded.

  According to the present invention, it is possible to generate policy information without depending on the skill of the operator.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 shows the configuration of a policy generation system according to an embodiment of the present invention. First, each configuration shown in FIG. 1 will be described. This policy generation system is connected to the Internet 100. The event collection unit 1 collects event information output from a network type intrusion detection system (NIDS), a host type intrusion detection system (HIDS), and a virus detection system (Virus Intrusion Detection System: VDS), and an event information storage unit 2 is stored. The event information storage unit 2 stores event information collected by the event collection unit. HIDS and VDS start in the same host, but NIDS may be a separate device from the host where HIDS and VDS start, or NIDS may be installed in the host where HIDS and VDS start . In this embodiment, the NIDS, HIDS, and VDS monitor attacks.

  The NIDS 10 monitors communications on the Internet 100, and considers that an attack has been detected when, for example, the pattern of a packet flowing on the network line matches a predefined attack pattern. When the NIDS 10 detects a packet including an attack pattern, the NIDS 10 outputs event information regardless of whether the packet affects the attack destination system.

  HIDS and VDS are realized by a virtual machine (VM) operating on a virtual environment in the host. In this embodiment, VMs 11, 12, and 13 are provided in the host, and HIDSs 11a, 12a, and 13a, and VDSs 11b, 12b, and 13b are provided in each VM. Assume that the OS and application configurations of each VM are different. The operation of each VM is controlled by a VMM (Virtual Machine Monitor) 14, and each VM shares CPU and memory resources in the host via the VMM 14. Although three VMs are shown in FIG. 1, the number of VMs is not limited to this.

  When a real machine is used instead of a virtual environment, as shown in FIG. 2, for example, an environment must be individually constructed for three hosts 20a, 20b, and 20c. If an attack is received, the environment of each host must be constructed again in order to continue monitoring the attack. Therefore, when an actual machine is used, it takes time to construct the environment.

  On the other hand, in a virtual environment using VMM, all hosts are handled as files. As shown in FIG. 3, for example, a new host can be easily added by creating a file 30b by copying a file 30a corresponding to one host. For example, even when an attack enters a host and the file 30c corresponding to the host is tampered with, the host can be recovered by rewriting the contents of the file and returning it to the original state. Thus, by constructing a host in a virtual environment, it is possible to easily create hosts with various configurations, and to easily restore a normal state even when the host is attacked.

  Returning to the description of the configuration shown in FIG. In the present embodiment, the host is provided with a function of periodically restarting the VMs 11, 12, and 13 in order to reduce the labor involved in collecting event information related to attacks. The restart control unit 15 controls restart of the VMs 11, 12, and 13 via the VMM 14. At the time of restart, the restart control unit 15 acquires information on the initial state of each VM stored in the initial state storage unit 3, and rewrites a file corresponding to each VM based on the information. Restart each VM.

  The initial state storage unit 3 stores a disk image and various setting files as information on the initial state of each VM. A disk image is a file that mimics the host's hard disk environment. In addition, the various setting files include information on the memory usage and network settings of each host.

  The event processing unit 4 executes processing for associating event information and statistical processing using event information associated with each other. The statistical information storage unit 5 stores statistical information generated by statistical processing. The policy file generation unit 6 calculates an index value related to the monitoring performed by the HIDS, and executes processing for generating an HIDS policy file including the index value and information associated therewith. The policy file storage unit 7 stores an HIDS policy file and information associated therewith. The HIDS policy file or the like stored in the policy file storage unit 7 is used as appropriate by other hosts that implement HIDS.

  Next, event information collected in the present embodiment will be described. Each HIDS periodically monitors all directories on each VM and the files in them to determine whether directories and files have been changed, added, or deleted. Each HIDS outputs event information when there is any change, addition, or deletion to a directory or file compared to the previous monitoring. As shown in FIG. 4A, the HIDS event information 40 includes information of date and time 40a, directory name 40b, file name 40c, and event content 40d.

  The NIDS 10 detects a packet that matches the attack pattern via the Internet 100 and outputs event information. As shown in FIG. 4B, NIDS event information 41 includes date and time 41a, attack name 41b, Source IP and Port 41c (source IP address and port number), Destination IP and Port 41d (destination IP address and Port number) information.

  Each VDS periodically monitors the files on each VM and performs pattern matching with a virus pattern that has been changed or added to determine whether or not there is a virus. When a pattern that matches the virus pattern is detected from the file, each VDS outputs event information. As shown in FIG. 4 (c), the VDS event information 42 includes information of date and time 42a, virus name 42b, directory name 42c, and file name 42d.

  Next, details of processing in which the event processing unit 4 associates event information will be described. The event processing unit 4 uses the date and time information (event detection time) included in the event information output from NIDS, HIDS, and VDS to determine the OS and application of the host (VM) on which HIDS and VDS are running. Each event information is associated with each combination. The processing described below is executed for each combination of OS and application, and a policy file corresponding to each combination is generated.

  FIG. 5 shows the time series relationship of each event information. Times t1, t2, t3, t4, and t5 indicate times when the VM is restarted. A time interval between each time is defined as a time slot. In time slot TS1 (t1 to t2), when HIDS detects the influence on the host and outputs event information 50a, NIDS and VDS also output event information 50b and 50c. I understand that. Accordingly, the event information 50a, 50b, 50c indicates an event due to an attack.

  In the time slot TS2 (t2 to t3), the HIDS and VDS do not detect the event, so the host (VM) is not affected. However, NIDS outputs the event information 51a and 51b, and it can be seen that a redundant event due to an attack packet that did not reach intrusion has been detected. In time slot TS3 (t3 to t4), even though HIDS and VDS output event information 52a, 52b, and 52c, NIDS has not detected the event, so an event caused by an attack packet unknown to NIDS It can be seen that is detected. In time slot TS4 (t4 to t5), only HIDS outputs event information 53a, which is considered to be a false detection of HIDS (detection of normal operation by the OS or application).

  In the following, if both “HIDS” and “NIDS or VDS” detect an event in a time slot, the event is called a HIDS Positive event. If only “HIDS” detects an event, the event is HIDS. Let's call it a Negative event. In short, the HIDS Positive event means that an influence of an attack has appeared, and the HIDS Negative event means an automatic update by the system or an attack failure.

  The event processing unit 4 associates the event information detected in the same time slot between the VM restart timings, and generates the table 60 shown in FIG. In the table 60, events detected by NIDS and VDS are associated with each other based on events detected by HIDS. One table 60 is generated in each time slot. If a HIDS detects an event in one time slot, but one or both of the NIDS and VDS do not detect the event, the column describing the NIDS or VDS event is blank.

  The event processing unit 4 uses the individual NIDS events as search keys, searches the table 60 for records of NIDS events that match the search keys, and extracts them. The event processing unit 4 aggregates the extracted table information and generates a table 61 based on NIDS events. Also, the event processing unit 4 searches the table 60 for a table in which combinations of NIDS events that match the search key are recorded using the combinations of individual NIDS events as search keys, and extracts them. The event processing unit 4 aggregates the extracted table information and generates a table 62 based on the combination of NIDS events. Instead of the above, a table similar to the above may be generated using a VDS event or a combination thereof as a search key.

  Further, the event processing unit 4 calculates the appearance probability (statistical value) of each event. The appearance probability of each event calculated by the event processing unit 4 is the positive appearance probability of the HIDS event, the negative appearance probability of the HIDS event, the appearance probability of the NIDS event, and the appearance probability of the VDS event.

  The Positive appearance probability of the HIDS event is a ratio of the HIDS Positive event when each event detected by the HIDS is classified into the HIDS Positive event and the HIDS Negative event. That is, the positive appearance probability of the HIDS event is represented by the ratio between the number of time slots in which the HIDS Positive event has appeared and the number of time slots in which the HIDS Positive event and the HIDS Negative event have appeared. Similarly, the negative appearance probability of the HIDS event is represented by a ratio between the number of time slots in which the HIDS Negative event has appeared and the number of time slots in which the HIDS Positive event and the HIDS Negative event have appeared. The sum of Positive appearance probability of HIDS event and Negative appearance probability of HIDS event for one type of HIDS event is 1. For each type of HIDS event, a Positive appearance probability and a Negative appearance probability are calculated.

  The appearance probability of the NIDS event is the appearance probability of each event detected by NIDS, which is associated with the HIDS Positive event. In other words, the probability of occurrence of NIDS events is expressed as the ratio of the number of specific NIDS events that occurred in the time slot in which the HIDS Positive event occurred and the total number of NIDS events that occurred in the time slot in which the HIDS Positive event occurred. The Similarly, the appearance probability of a VDS event is expressed as the ratio of the number of specific VDS events that occurred in the time slot in which the HIDS Positive event occurred and the total number of VDS events that occurred in the time slot in which the HIDS Positive event occurred. Is done. The tables 61 and 62 also include the appearance probability of each event calculated as described above.

  The event processing unit 4 generates statistical information shown in FIG. 7 based on the tables 61 and 62 and stores the statistical information in the statistical information storage unit 5. This statistical information includes HIDS event information 70, NIDS event information 71, and VDS event information 72 associated with each other. The HIDS event information 70 is statistical information related to events detected by the HIDS, and includes a directory name 70a, a file name 70b, an event content 70c (either change / addition / deletion), and an appearance probability 70d (Positive appearance probability of an HIDS event). And Negative appearance probability).

  The NIDS event information 71 is statistical information regarding events detected by NIDS, and includes an event name 71a and an appearance probability 71b. Statistical information of one or more types of events detected by NIDS is associated with one type of event detected by HIDS. The VDS event information 72 is statistical information regarding events detected by the VDS, and includes an event name 72a and an appearance probability 72b. Statistical information of one or more types of events detected by VDS is associated with one type of event detected by HIDS. Statistical information shown in FIG. 7 is generated for each event detected by HIDS.

  Next, the details of the process in which the policy file generating unit 6 generates the HIDS policy file and the accompanying information will be described. FIG. 8 shows the contents of the policy file generated by the policy file generating unit 6. A policy file 80 shown in FIG. 8A is a policy file related to a monitoring interval monitored by HIDS, and a policy file 81 shown in FIG. 8B shows whether an event detected by HIDS is due to an attack. This is a policy file related to the reliability of an event that indicates

  The policy file 80 includes a directory name 80a and a file name 80b for specifying an object to be monitored by HIDS, and a monitoring interval 80c. Since HIDS may monitor by directory, there may be no file name. The monitoring interval is expressed by the following equation (1) with the VM restart cycle as a unit. In equation (1), HIDS_Positive_Rate (P) is the positive appearance probability of the HIDS event.

  When the positive appearance probability of the HIDS event is high (when the appearance probability of the event related to the attack is high), the monitoring interval is shortened. When the positive appearance probability of the HIDS event is low (when the appearance probability of the event related to the attack is low), The monitoring interval becomes longer. By setting the monitoring interval according to the policy file 80, it is possible to set a monitoring interval suitable for monitoring according to the appearance frequency of events related to attacks.

  Host monitoring by HIDS includes a method of periodically detecting the presence or absence of an attack and a method of detecting the presence or absence of an attack when a request for verifying the presence or absence of an attack occurs. When periodically detecting the presence or absence of an attack, monitoring is performed at the monitoring interval defined in the policy file. When detecting the presence or absence of an attack when a request occurs, all directories and files are monitored when the request occurs.

The policy file 81 includes a directory name 81a and a file name 81b for specifying an object to be monitored by HIDS, an event name 81c, and an event reliability 81d. Since HIDS may monitor by directory, there may be no file name. The reliability of event i detected by HIDS is expressed by the following equation (2). In equation (2), HIDS_Positive_Rate (P _i ) is a positive appearance probability of event i.

HIDS event reliability (C _i ) = HIDS_Positive_Rate (P _i ) (2)

  By displaying various types of information based on the policy file 81, it is possible to give a guideline for event confirmation to the operator. FIG. 9 shows a design example of a display item of the Web interface that displays the relationship between the event detected by HIDS and its reliability. FIG. 9A shows a state in which information is arranged in order from a highly reliable event. HIDS operators can check the events in order starting with the highest reliability. FIG. 9B shows a state in which information is arranged using the event type as a key. The HIDS operator can grasp the files to be changed / added / deleted and their reliability.

  In addition, the policy file generation unit 6 calculates a HIDS event cause estimated value and a HIDS event virus estimated value described below as information accompanying the policy file. The event information output from the conventional HIDS can only know that the monitored file has been changed / added / deleted. Therefore, when only HIDS is installed to monitor an attack, when the event information is output from HIDS, it is completely unknown what kind of attack caused the event. Therefore, in the present embodiment, the policy file generation unit 6 calculates an estimated value indicating the possibility of an attack that is the cause of the occurrence of the event detected by HIDS.

The estimated HIDS event cause value indicates the possibility of an NIDS event that is the cause of the occurrence of an event detected by HIDS, and is calculated by equation (3). In other words, the HIDS event cause estimation value indicates the degree of correlation between the event detected by HIDS and the event detected by NIDS. In Equation (3), HIDS_Positive_Rate (P _i ) is the positive appearance probability of event i detected by HIDS, NIDS_Rate (I _j ) is the appearance probability of event j detected by NIDS, and each is statistical information. It is stored in the information storage unit 5.
HIDS event cause estimated value (EI _i ) = HIDS_Positive_Rate (P _i ) × NIDS_Rate (I _j ) (3)

The estimated value of the HIDS event virus indicates the possibility of the VDS event causing the occurrence of the event detected by the HIDS, and is calculated by the equation (4). In other words, the HIDS event virus estimated value indicates the degree of correlation between the event detected by HIDS and the event detected by VDS. In equation (4), HIDS_Positive_Rate (P _i ) is the positive appearance probability of event i detected by HIDS, VDS_Rate (V _j ) is the appearance probability of event j detected by VDS, and each is statistical information. It is stored in the information storage unit 5.
HIDS event virus estimated value (EV _i ) = HIDS_Positive_Rate (P _i ) × VDS_Rate (V _j ) (4)

  The policy file generation unit 6 stores the calculated HIDS event cause estimated value and HIDS event virus estimated value in the policy file storage unit 7 in association with the event names of HIDS and NIDS. This information is used as follows. When HIDS detects an event, the NIDS or VDS event name associated with this event and the above estimated value are displayed on the screen. This allows the HIDS operator to infer the attack that caused the event detected by HIDS.

Further, the policy file generation unit 6 calculates the priority corresponding to the event by the equation (5) as information accompanying the policy file. In the equation (5), the HIDS event risk level (R _i ) indicates the risk level (importance level) of the event output from the HIDS. Many HIDS have a predefined risk level for each event. This degree of risk is defined according to the location where the directory or file is changed. For example, the risk level of events related to directories and files that are highly likely to affect the system in the host is high, and the risk level of events related to directories and files that are likely to be changed by the user is low.
HIDS event response priority (A _i ) = HIDS event risk (R _i ) × HIDS event reliability (C _i ) (5)

  The policy file generation unit 6 stores the calculated HIDS event response priority in the policy file storage unit 7 in association with the HIDS event name. This information is used as follows. When HIDS detects an event, the event response priority associated with this event is displayed on the screen. If the event risk level is high and the event reliability level is high, there is a high possibility that an attack has been performed on a directory or file that affects the system. Should. Also, if the event risk level is low and the event reliability level is low, it is unlikely that an attack has been performed on the directory or file that affects the system, and the response to such an event is postponed. But you can. Therefore, the HIDS operator can easily determine which event detected by HIDS should be preferentially handled according to the event response priority.

  As described above, according to the present embodiment, it is possible to generate a policy file that reflects the influence of an actual attack without depending on the skill of the operator. Further, by classifying event information for each combination of OS and application and generating a policy file for each combination, a highly accurate policy file can be generated.

  In addition, in the conventional HIDS, there is no guideline for determining the monitoring interval, so there is a problem such as a wasteful load on the CPU of the host due to frequent monitoring. In contrast, in the present embodiment, a policy file including a monitoring interval corresponding to the frequency of attacks is generated. By setting this monitoring interval to HIDS, useless load on the host CPU can be suppressed.

  Also, in an environment where only HIDS is implemented in the past, when HIDS detects an event, it is not known whether the event occurred due to an attack or the normal operation of the system in the host. There is. On the other hand, in this embodiment, the reliability indicating the possibility that the event detected by HIDS is due to an attack is calculated. By presenting this reliability to the operator, it is possible to give a guideline for event confirmation to the operator. Furthermore, in this embodiment, the event response priority based on the reliability and the event risk is calculated. By presenting this event response priority to the operator, the operator can easily determine which event detected by HIDS should be preferentially handled.

  Further, in the present embodiment, an estimated value indicating the possibility of an attack that is a cause of occurrence of an event detected by HIDS is calculated. By presenting this estimated value to the operator, the operator can infer the attack that caused the occurrence of the event detected by HIDS.

  In this embodiment, HIDS and VDS are activated in the virtual environment. As a result, it is possible to easily create hosts having various configurations, and it is possible to easily restore a normal state even when the host is attacked.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like without departing from the gist of the present invention. . For example, in the above embodiment, both NIDS and VDS are provided, but only one of NIDS and VDS may be provided.

  Further, the program for realizing the operation and function of the policy generation system according to the above embodiment may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read and executed by the computer. Good.

  Here, the “computer” includes a homepage providing environment (or display environment) if the WWW system is used. The “computer-readable recording medium” refers to a storage device such as a portable medium such as a flexible disk, a magneto-optical disk, a ROM, and a CD-ROM, and a hard disk built in the computer. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program described above may be transmitted from a computer storing the program in a storage device or the like to another computer via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the above-described program may be for realizing a part of the above-described function. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer, what is called a difference file (difference program) may be sufficient.

It is a block diagram which shows the structure of the policy production | generation system by one Embodiment of this invention. In one Embodiment of this invention, it is explanatory drawing for demonstrating the difference of the host construction method by a real machine and a virtual environment. In one Embodiment of this invention, it is explanatory drawing for demonstrating the difference of the host construction method by a real machine and a virtual environment. FIG. 5 is a reference diagram showing a format of event information output by HIDS, NIDS, and VDS in an embodiment of the present invention. It is a reference figure which shows the relationship on the time series of the event information in one Embodiment of this invention. It is explanatory drawing for demonstrating the processing method of the event information in one Embodiment of this invention. It is a reference figure which shows the content of the statistical information in one Embodiment of this invention. It is a reference figure which shows the content of the policy file in one Embodiment of this invention. It is a reference figure which shows the relationship between the event which HIDS detects in one Embodiment of this invention, and its reliability.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Event collection part (event collection means), 2 ... Event information storage part, 3 ... Initial state storage part (initial state storage means), 4 ... Event processing part (association means, statistical value) (Calculation means), 5... Statistical information storage section, 6... Policy file generation section (index value calculation means, information generation means), 7... Policy file storage section, 10. , 13 ... VM, 14 ... VMM, 15 ... Restart control unit (startup control means)

Claims (8)

Event collection means for collecting event information output from the network type intrusion detection system or virus detection system and the host type intrusion detection system;
Association means for associating the event information with each other based on an event detection time;
Based on the event information associated with each other, a statistical value calculating means for calculating a statistical value related to the appearance frequency of an event due to an attack,
Index value calculation means for calculating an index value related to monitoring performed by the host-type intrusion detection system based on the statistical value;
Information generating means for generating policy information including information specifying the target monitored by the host-type intrusion detection system and the index value;
A policy generation system comprising:   The policy generation system according to claim 1, wherein the index value calculation unit calculates a monitoring interval at which the host-type intrusion detection system performs monitoring as the index value.   2. The policy generation according to claim 1, wherein the index value calculation unit calculates, as the index value, a reliability indicating that an event detected by the host-type intrusion detection system may be due to an attack. system. The index value calculation means further calculates a response priority for the event detected by the host-type intrusion detection system based on the event importance and the reliability output from the host-type intrusion detection system,
The policy generation system according to claim 3, wherein the information generation unit further generates information including event identification information and the correspondence priority. The index value calculation means further calculates a correlation degree between the event detected by the host-type intrusion detection system or the virus detection system and the event detected by the network-type intrusion detection system based on the statistical value,
The policy generation system according to claim 1, wherein the information generation unit further generates information including event identification information and the degree of correlation. Initial state storage means for storing information on an initial state of the host-type intrusion detection system or the virus detection system;
Based on the initial state information, a start control means for starting the host-type intrusion detection system or the virus detection system in a virtual environment;
The policy generation system according to claim 1, further comprising:   A program for causing a computer to function as the policy generation system according to any one of claims 1 to 6.   A computer-readable recording medium on which the program according to claim 7 is recorded.

Images