JP2010237975A - Incident monitoring apparatus, method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an apparatus for outputting analytical information that reduces the time for analyzing a detected incident in order to minimize damage to an object to be monitored. <P>SOLUTION: The incident monitoring apparatus 1 acquires log information of incidents detected by a sensor 3 from an event log storage unit 10 and determines their degrees of importance based on the number of detected incidents, etc. Also, a determination is made as to whether or not the number of incidents detected within a certain period of time and the number of incidents satisfying a predetermined combination condition are equal to or greater than threshold values. Information about the names of incidents having high degrees of importance and the names of incidents exceeding in number the threshold value is edited and output to a manager terminal 6. Analytical information for the name of each incident detected is generated based on the information edited. During generation, information on an organization to which a global IP in the incident log is allocated is inquired of a management server 5 of an Internet registry, and analytical information including the organization information is generated and output. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  In order to detect unauthorized access to a computer system, the present invention monitors the occurrence of an incident in a computer system connected to a network and performs incident detection notification and output of incident analysis information. It relates to devices, methods, and programs.

  There are known an intrusion detection device (IDS), an intrusion prevention device (IPS) and the like that detect data communication between computers, and detect an event (security incident) that causes a security problem by monitoring events in the computer.

  In addition, communication logs are collected by a firewall provided between the monitored system and the network, the collected communication logs are analyzed to detect security incidents, and advice information on the detected security incidents is notified to a predetermined destination. Thus, a monitoring device that enables browsing is known (for example, see Patent Document 1).

JP 2006-295232 A

  There are many different types of events (hereinafter referred to as incidents) detected by the above-described detection devices (hereinafter referred to as sensors) such as IDS and IPS, and the degree of threat to the monitored computer system is also different. . Therefore, it is necessary to analyze the impact of detected incidents on the system so that priority actions can be taken for incidents with large threats.

  In addition, in order to detect unauthorized access to the monitored system using the above IDS, IPS, etc., and take measures to minimize the impact on the system, it is necessary to analyze the detected incidents quickly. is there.

  However, a large number of incidents with different levels of threats to the system continue to be detected from the sensor from time to time, including incidents that do not affect the system. Under such circumstances, it is difficult to analyze all incidents while giving priority to incidents that are considered to have a large impact on the system.

  In addition, for many incidents, the degree of impact on the system cannot be determined by the notified incident name alone. For more detailed analysis processing, for example, the direction of the attack, the number of incidents detected per unit time, the trigger and the attack target It is necessary to confirm the relevance of the vulnerabilities. However, analyzing incidents in priority order according to priority from incident log information (incident log) that contains a large number of incidents output by sensors requires a lot of time and effort.

  The following problems occur during conventional incident analysis.

  (1) Some incidents have different effects on the system depending on the number of detections per unit time. Depending on the number of incidents detected per unit time, etc., there are things that lead to unauthorized access called denial of service attacks. The threshold value for determining that the incident is an unauthorized access such as a DOS attack or a DDOS attack differs depending on the processing capability of the system. In this case, it is necessary to grasp the number of incidents detected per hour for the same transmission destination, and a large amount of time and labor are required for aggregation.

  (2) A lot of information is added to the incident log. For example, occurrence date, incident name, number of detected cases, priority, source IP address, source port number, destination IP address, destination port number A lot of information such as triggers is included. Therefore, it is necessary to select and refer to information necessary for analysis, but it takes a lot of time and effort to extract necessary information from an incident log including a large amount of information.

  (3) Information required for incident analysis differs depending on the type of incident, and is not stored in the same field among incident log fields output by different types of sensors. Since there is no information such as the association between the incident name and the field name in which the information that triggers the output of notification and analysis information is stored, it takes time to collect information.

  (4) In order to analyze the impact level of incidents on the system, examine countermeasures, etc., organization information (for example, organization name and device name) of the transmission source and transmission destination is required. However, the incident log does not include source or destination organization information. Therefore, it is necessary to investigate what kind of organization the transmission source or the transmission destination is separately, and much time and labor are required for this investigation work.

  In particular, when the transmission source / transmission destination is outside the monitored system, the organization information of the transmission source / transmission destination must be collected using some kind of information retrieval service.

  Furthermore, when the attack target (transmission destination) is the own system to be monitored, it is difficult to determine the degree of influence on the system only by the IP address.

  (5) In order to quickly detect unauthorized access signs or unknown attacks from the incident log, it is necessary to monitor the incident detection status, and it is necessary to determine whether the detection status is illegal. In addition, there is no fixed method for unauthorized access, etc., and there is a limit to judgment based on information for each incident, and it is necessary to correlate with the following multiple incidents and grasp the current situation.

  It takes a lot of time and labor to identify an unknown attack from an incident log that contains a large number of incidents, and to detect an unknown attack.

  (6) On the console screen that displays incident logs, new incidents are displayed one after another and data is accumulated. Therefore, it is very difficult to perform analysis while viewing the displayed incident logs. Become. Specifically, it is not possible to analyze all incidents without omission while associating and prioritizing incidents on a console screen whose display contents are updated as needed.

  Furthermore, it is actually impossible to analyze incidents while watching the console screen for 24 hours on 365 days.

  In order to minimize damage to the system, the object of the present invention is to monitor the detection and detection status of incidents in order to discover unauthorized access to the system and signs of unauthorized access, and analyze the incident log. It is to realize an incident monitoring apparatus, method, and program that outputs analysis information that can shorten the processing time.

  An incident monitoring apparatus according to the present invention is an apparatus that monitors an incident that occurs in a computer system connected to a network, and includes the following storage unit and processing unit. That is, the incident monitoring apparatus includes an internal IP address information storage unit that stores internal IP address information in which an internal IP address used in the monitored computer system and an assignment destination of the internal IP address are registered, and a computer system. Information related to the incident detected by the sensor to be monitored, including the incident name, the detection date and time, the source IP address, the destination IP address, and the priority indicating the degree of the incident threat added by the sensor. An incident log storage unit for storing log information and an analysis information storage unit for storing creation information for creating incident analysis information are provided.

  Further, the above incident monitoring device extracts the incident log information of incidents detected from the incident log storage unit within a time range from the present time to a point in time that is a predetermined time interval at a predetermined time interval. In addition, based on the extracted incident log information, for each incident name, the process of determining the importance based on the number of detected incidents and priority within the time range and the incident information for each incident name. An event monitoring unit is provided that performs a process of editing and storing the importance for the incident name and the edited information as first creation information in the analysis information storage unit.

  Further, the above incident monitoring device extracts the incident log information of incidents detected from the incident log storage unit within a time range from the present time to a point in time that is a predetermined time interval at a predetermined time interval. Based on the extracted incident log information, the number of incidents detected for each incident name and the number of hits that are the number of hits in a given combination condition are calculated. Processing for comparison and processing for editing incident information for each incident name with respect to the incident name for which the number of detected cases or the number of hits is greater than or equal to the threshold, and storing the edited information in the analysis information storage unit as second creation information An event detection status monitoring unit is provided.

  Furthermore, the incident monitoring device described above specifies a global IP address assignment destination among the transmission source or transmission destination IP addresses included in the first creation information and the second creation information in the analysis information storage unit. Information to be assigned from the management server of the Internet registry that is responsible for IP address allocation, and the global IP acquired by the first creation information, the second creation information, and the assignment destination information search unit And an analysis information generation unit that generates and outputs incident analysis information related to the detected incident using the address assignment destination information.

  The above incident monitoring device uses the event monitoring unit to detect the number of incidents detected and their priority for each incident name from the incident log information of incidents detected within a certain time range among the event logs detected by the sensor. The importance is determined based on the above. Further, the event monitoring unit edits the incident information for each incident name, and stores the importance for the incident name and the edited information in the analysis information storage unit as first creation information.

  Furthermore, the incident monitoring device determines the number of incidents detected per incident name based on the incident log information from the incident log information of incidents detected within a certain time range by the event detection status monitoring unit. The number of hits, which is the number of hits in the combination condition, is calculated, and the number of hits detected and the hit count are compared with a predetermined threshold. Then, for the incident names for which the number of detected cases or the number of hits is equal to or greater than the threshold, the incident information is edited for each incident name, and the edited information is stored in the analysis information storage unit as second creation information.

  Then, during the generation of the incident analysis information, the incident monitoring device causes the assignment destination information search unit to perform a transmission source or a transmission destination included in the first creation information and the second creation information in the analysis information storage unit. Among the IP addresses, information specifying the global IP address assignment destination is acquired from the management server of the Internet registry that manages the global IP address allocation.

  Then, the analysis information generation unit uses the first creation information, the second creation information, and the global IP address assignment destination information acquired by the assignment destination information search unit to analyze the incident related to the detected incident. Generate and output usage information.

  The above incident monitoring device can notify an incident detected within a certain time together with its importance. As a result, the administrator can be notified of the urgency of the detected incident.

  In addition, the incident monitoring device can monitor the detection status of an incident, and can notify the detection status when the number of detected incidents and the number of hits indicating the detection status exceed a certain threshold. As a result, the tendency of incident detection within a certain period of time can be grasped, and the occurrence or sign of occurrence of an incident can be notified.

  In addition, the incident monitoring device acquires organization information (for example, organization name, organization name, etc.) related to the destination or the IP address assignment destination included in the incident log information, and collects the incidents in units of incident names. The information for analysis which stored organization information with the information about can be generated.

  As a result, the partner of data communication in which the incident is detected can be specified from the analysis information, and the analysis of the incident becomes easy.

  According to the incident monitoring apparatus described above, the processing time for analyzing the detected incident can be shortened, so that damage to the computer system to be monitored can be minimized.

It is a figure which shows the structural example of the system by which the incident monitoring apparatus is implemented in one Example of this invention. It is a figure which shows the structural example of the incident monitoring apparatus in one Example of this invention. It is a figure which shows the example of the incident log preserve | saved at an incident log memory | storage part. It is a figure which shows the example of a trigger correlation table. It is a figure which shows the example of the work table of an event monitoring part. It is a figure which shows the example of the data for creation of the sheet | seat for incident analysis. It is a figure which shows the example of an internal IP address list. It is a figure which shows the data structural example of a detected incident list. It is a figure which shows the example of a display of a detected incident list display screen. It is a figure which shows the example of a display of the list of detected incidents of a detected incident list display screen. It is a figure which shows the data structural example of detailed information. It is a figure which shows the example of a detection incident detailed information display screen. It is a figure which shows the example of a global IP address list. It is a figure which shows the example of the extraction data of allocation destination information. It is a figure which shows the example of an internal allocation table. It is a figure which shows the example of an IP address allocation table. It is a figure which shows the example of the sheet | seat for incident analysis (left half). It is a figure which shows the example of the sheet | seat for incident analysis (right half). It is a figure which shows the example of the response message of allocation destination information search. It is a processing flow figure of the outline processing of an incident monitoring device.

  FIG. 1 is a diagram illustrating a configuration example of a system in which an incident monitoring apparatus 1 is implemented in an embodiment of the present invention.

  The incident monitoring apparatus 1 accesses the incident log storage unit 10 to acquire an incident log within a predetermined time range, analyze the acquired incident log, and determine whether an incident has occurred or a sign of occurrence. Notification is made by a predetermined screen display on the terminal 6 and the incident analysis sheet 20 is output as incident analysis information.

  Further, the incident monitoring device 1 accesses the management server 5 of the Internet registry that manages the global IP address through the Internet 4 and acquires information (organization information) regarding the IP address assignment destination.

  Here, the incident is not particularly limited to unauthorized access, and simply refers to an unusual event (abnormal event).

  The incident log is information related to an incident detected by a sensor 3 such as IDS or IPS provided in a monitoring target system or a monitoring target network (hereinafter simply referred to as a monitoring target) 2.

  The sensor 3 is a NIDS (Network IDS) that monitors packets flowing through the network, and a HIDS (Host IDS) that monitors logs and events of the host server.

  The Internet registry is an organization that manages allocation and registration of Internet resources (both IPv4 and IPv6 addresses and AS (autonomous system) numbers). By performing “Whois information search” in the Internet registry management server 5 of each jurisdiction of IP address management (by country / region), information (organization information) regarding the global IP address assignment destination can be acquired.

  First, the process executed by the incident monitoring apparatus 1 and its effect will be outlined.

  1. The incident monitoring device 1 automatically searches for incident logs within a certain time range (a predetermined time range that goes back from the present to the past) at regular intervals (at regular time intervals), and all the items that need to be analyzed. Edit and output the incident information. The incident analysis information is output as one incident analysis sheet, for example.

  As a result, it is possible to carry out incident analysis processing with no omission in order of priority in chronological order.

  2. The incident monitoring device 1 searches for incidents within a certain time range. As a result, it is possible to perform a determination process having a threshold value for the number of cases per unit time in consideration of the degree of influence on the system. For example, the number of incidents detected for the same incident name and the same destination or source IP address is counted.

  When the number of incidents exceeds a threshold (a certain number), the incident monitoring apparatus 1 notifies the incident detection to the administrator terminal 6, for example, edits the analysis information of the incident, and outputs it to the incident analysis sheet 20 To do.

  The incident monitoring device 1 ranks the importance level as “normal, warning, abnormal, or confirmation required” according to the number of detected incidents. For example, incidents with priority = High are distinguished and treated as importance = abnormal and included in notification and analysis information.

  The priority is the degree of threat given to the monitored object 2 by the incident. The priority is determined by the sensor 3 that detects the incident based on a predetermined security policy. For example, values of Low, Medium, and High are assigned for each incident name. Low, Medium, and High have low, medium, and high threat levels, respectively.

  More specifically, the incident monitoring apparatus 1 handles incidents as follows from the relationship between priority and importance.

  (1) When the incident has priority = Low, it is determined that importance is normal and analysis is unnecessary.

  (2) When the incident has priority = Medium, the importance is determined based on the incident name and the detected number of transmission destination IP addresses. If the number of detected cases is less than the number of warnings, the importance level is normal and it is determined that analysis is unnecessary. If the number of detected cases is greater than or equal to the number of warnings and less than the number of abnormalities, it is determined that importance = warning. If the number of detected cases is equal to or greater than the number of abnormalities, it is determined that importance = abnormal.

  (3) When the incident is priority = High, it is determined that importance = abnormal.

  (4) If the incident is Priority = High and there is clearly a problem, it is determined that importance = confirmation required.

  3. The incident monitoring apparatus 1 extracts and outputs only the minimum information necessary for the primary analysis to the incident analysis sheet 20 which is a form of incident analysis information. The incidents are sorted in descending order of importance, incident name, transmission destination IP address, transmission source IP address, detection time, etc., and output to the incident analysis sheet. This makes it easier to analyze because related incidents are collected.

  4). Information in the incident log that is used as information for determining whether to detect the detected incident as incident information or to create information for analysis is called trigger information. In the trigger information, the field (data item) of the incident log used differs for each incident name, and the field name of the incident log output by each sensor 3 differs.

  The incident monitoring device 1 has association information between the incident name and the field name of the trigger information, and extracts trigger information corresponding to each incident name based on the association information.

  Further, the incident monitoring apparatus 1 extracts the trigger information of the first field name of the incident log as a default setting for the incident name having no association information. In addition, if there are multiple target field names exclusively, the association information should have multiple field names, the corresponding field names are searched in order, and the trigger for the field name found earlier Extract information.

  5. The incident monitoring apparatus 1 outputs an incident analysis sheet 20 with an access direction indicating whether the monitoring target 2 is a perpetrator or a victim.

  The incident monitoring apparatus 1 determines the access direction based on the transmission destination IP address and the transmission source IP address of the incident log.

  The access direction is the packet transmission direction, which is either transmission from the outside to the monitoring target 2 (outside to inside), transmission from the monitoring target 2 to outside (inside to outside), or communication within the monitoring target 2 (inside to inside) Is stored.

  6). The incident monitoring apparatus 1 adds the organization information of the destination and destination IP addresses to the incident analysis sheet 20 and outputs them.

  The incident monitoring apparatus 1 holds in advance internal IP address information in which IP addresses existing in the monitoring target 2 and allocation destination information are registered. Further, the incident monitoring device 1 uses the “Whois information search” in the management server 5 of the Internet registry for the organization information of the global IP address assignment destination in the incident log when editing the incident analysis sheet 20. get.

  7). The incident monitoring device 1 periodically detects all incidents within a certain time range (regardless of priority), and the number of incidents detected or the number of detections that meet a given condition (number of cases) exceeded the threshold. In this case, the administrator terminal 6 is notified that there is a possibility that an unauthorized access sign or an unknown attack may occur, and information on the incident is output to the incident analysis sheet 20.

  Here, thresholds are set for the number of detected cases and the corresponding number of cases, and compared with the values calculated under the following conditions.

  The threshold is a judgment condition for the incident names of all priorities of incidents by the sensor 3, and the number of cases exceeds a certain threshold in order to detect an incident indicating an attack, an incident indicating an abnormality on the network, etc. It is for editing as notification and analysis information. Thresholds are prepared for all incident names and for individual incident names.

(1) Number of incidents detected with the same incident name, the same destination IP address, and the same source IP address,
(2) Number of detected incidents with the same incident name and the same destination IP address,
(3) Number of detected incidents with the same incident name,
(4) number of combinations of the same incident name, the same destination IP address, and the same source IP address,
(5) Number of combinations of the same incident name and the same destination IP address,
(6) Number of incident name combinations.

  8). The incident monitoring apparatus 1 notifies the administrator terminal 6 of the detection of an incident for which the necessity of analysis of the incident is determined by the following method.

(1) Notification by screen display The incident monitoring apparatus 1 displays incident information in colors and characters corresponding to the importance as notification by screen display on the console screen of the administrator terminal 6. For example, if severity = abnormal, the incident name and “possibility of unauthorized access” are displayed in “red”, and if severity = warning, the incident name and “possibility of unauthorized access” “Yes” is displayed in “Yellow”, if severity = normal, “no problem” is displayed in “green”, and if importance = confirmed, the incident name and “permitted” If there are no problems, “Indicates that there is no problem (usually an apparently problematic incident)” is displayed in “red”.

  In addition, when incidents of a plurality of types of importance occur at the same time, the incident monitoring apparatus 1 displays the items with the highest importance in the order of “abnormality <warning <normality <confirmation required”.

  Further, for example, the following display is performed as more detailed contents of the incident information.

  (a) As a summary display, a list of incidents that need to be analyzed is displayed as a list of detected incidents by collecting the number of detected cases by incident name and destination IP address in the order of analysis (for example, in descending order of importance).

  (b) By selecting the incident to be referenced from the detected incident list, all information for each selected incident is displayed in a list.

  In addition, information necessary for the primary analysis is displayed with a number.

  Also, the access direction that can be regarded as the attack direction is displayed.

(2) Notification by sound The incident monitoring device 1 uses a predetermined sound via the administrator terminal 6 or other audio output device when incident analysis is necessary (for example, when there is an incident with a non-normal importance level). Is output.

(3) Notification by E-mail (E-mail) When the incident monitoring apparatus 1 requires incident analysis, the incident monitoring sheet 20 or a summary (for example, a list of detected incidents) is sent to the administrator terminal 6 or predetermined as an e-mail. To the destination.

(4) Notification by Event Log Output to Application Program When incident analysis is required, the incident monitoring apparatus 1 outputs an incident summary to an application program log of the operating system Windows, for example. For example, the incident monitoring device 1 transmits an SNMP trap by the SNMP communication management function of Windows OS and notifies the administrator terminal 6 of the incident log.

(5) Notification by application activation The incident monitoring apparatus 1 activates the application program of the administrator terminal 6 or a predetermined apparatus when incident analysis is necessary. For example, an application such as activation of a warning light is executed.

  FIG. 2 is a diagram showing a configuration example of the incident monitoring apparatus 1 in one embodiment of the present invention.

  The incident monitoring apparatus 1 includes a trigger association information storage unit 101, an internal IP address list storage unit 102, a local IP address information storage unit 103, an inquiry destination storage unit 105, an analysis information storage unit 106, an IP address list storage unit 108, a global An IP address information storage unit 109, an event monitoring unit 11, an event detection status monitoring unit 12, an analysis information generation unit 13, and an assignment destination information search unit 14 are provided.

  The trigger association information storage unit 101 is a trigger association information (association table) that indicates correspondence between the notification of the incident name to the administrator terminal 6, the trigger information for generating the incident analysis sheet 20, and the incident log field. Is a storage unit.

  The internal IP address list storage unit 102 is a storage unit that stores a list (internal IP address list) in which a range of IP addresses existing in the monitoring target 2 is recorded.

  The local IP address information storage unit 103 stores information (internal allocation table) indicating an allocation destination device and the like for each of the local IP address existing in the monitoring target 2 and the global IP address handled as the internal IP address in the monitoring target 2. A storage unit for storing.

  The inquiry destination storage unit 105 is a storage unit that stores address information of the Internet registry management server 5.

  The analysis information storage unit 106 is a storage unit that stores creation information for creating the incident analysis sheet 20 output by the event monitoring unit 11 and the event detection status monitoring unit 12.

  The IP address list storage unit 108 is a storage unit that stores a list of global IP addresses (global IP address list) to be searched in the Internet registry management server 5.

  The global IP address information storage unit 109 is a storage unit that stores correspondence information (IP address allocation table) between a global IP address and information on an allocation destination extracted from a search result in the management server 5 of the Internet registry.

  The event monitoring unit 11 extracts, from the incident log storage unit 10, incident log information of incidents detected within a time range from the present to a time point that is a predetermined time backward at a predetermined time interval; Based on the extracted incident log information, for each incident name, the incident log is analyzed based on the number of detected incidents and priority within the time range, and the importance is determined.

  In addition, the event monitoring unit 11 edits the incident information for each incident name having high importance, and displays the importance for the incident name and a part or all of the edited information on a predetermined screen of the administrator terminal 6. The process and the process of storing the importance level and the edited information in the analysis information storage unit 106 as information for creating the incident analysis sheet 20 are performed.

  The event detection status monitoring unit 12 extracts, from the incident / log storage unit 10, incident / log information of incidents detected within a time range from a present time to a point in time that is a predetermined time interval at predetermined time intervals. Based on the extracted incident log information, for each incident name, calculate the number of incidents detected and the number of incidents that are the number of detected incidents corresponding to the specified combination. Is compared with a predetermined threshold.

  The event detection status monitoring unit 12 edits incident information for each incident name with respect to an incident name for which the calculated number of detected cases or the number of hits is equal to or greater than the threshold value, and part or all of the edited information is transferred to the administrator terminal 6. And a process of storing the edited information in the analysis information storage unit 106 as second creation information.

  The analysis information generation unit 13 includes the first creation information and the second creation information stored in the analysis information storage unit 106, and the global IP address assignment destination information acquired by the assignment destination information search unit 14. Using the information stored in the global IP address information storage unit 109 and the information stored in the local IP address information storage unit 103, an incident analysis sheet 20 that is analysis information is created and output.

  The assignment destination information search unit 14 stores an internal IP address list among the IP addresses of the transmission source or the transmission destination included in the first creation information and the second creation information stored in the analysis information storage unit 106. Processing for transmitting a “Whois information search” request for a global IP address not registered in the unit 102 to the management server 5 of the Internet registry, and obtaining a result of the search request from the management server 5 to obtain a global IP address The allocation destination information is acquired, and the global IP address and the allocation destination information are stored in the global IP address information storage unit 109.

  Hereinafter, the processing operation of the incident monitoring apparatus 1 will be described in more detail.

[Event monitoring processing]
(1) Acquisition of Incident Log The event monitoring unit 11 searches the incident log storage unit 10 at time intervals within the search time range by using a scheduler (not shown in FIG. 2) of the incident monitoring apparatus 1.

  FIG. 3 is a diagram illustrating an example of an incident log stored in the incident log storage unit 10. 3A is a diagram illustrating a data configuration example of the incident log parent table 200, and FIG. 3B is a diagram illustrating a data configuration example of the incident log child table 201.

  The incident log includes a parent table 200 that accumulates information detected by the sensor 3 for each incident name, and a child table 201 that accumulates field names of the table serving as trigger information and storage information associated with each record. Including.

  The parent table 200 of the incident log in FIG. 3A stores a “record ID” in which record identification information is set, an “incident name” indicating the name of the incident, and a “detection date / time” in which the date / time when the incident was detected is stored. "Sensor name" indicating the name of the detected sensor 3, "Priority" storing the priority of the incident determined by the sensor 3, "Sensor IP address" storing the IP address of the sensor 3, and the incident "Source IP address, source port number, destination IP address, and destination port number" where data communication source and destination information is stored, and "Number of cases" where the number of detected incidents is stored , Including a “response” indicating the action taken for the incident.

  The incident log child table 201 in FIG. 3B includes “record ID”, “attribute” in which the field name of the trigger information is stored, “trigger information” that is storage information of the field, and the like.

  The parent table 200 and the child table 201 of the incident log are related by the record ID, and the relationship between the parent table 200 and the child table 201 may be one-to-multiple (n). The number of child tables 201 and the output order are variable.

  The event monitoring unit 11 stores the event log in the search time range extracted from the incident log storage unit 10 in a work table in the work memory. The event monitoring unit 11 refers to the trigger association table 202 stored in the trigger association information storage unit 101 of the child table 201 when the field name storing the incident log trigger information differs depending on the sensor 3. , Get the corresponding field name and trigger information and store them in the work table.

  FIG. 4 is a diagram illustrating an example of the trigger association table 202.

  The trigger association table 202 in FIG. 4 is an attribute of a child table (field name of the parent table) in which trigger information for each incident name is stored, and information output as detailed information of the incident analysis sheet 20 Correspondence is set.

  The trigger association table 202 includes “incident name”, “Detil1, Detail1W” indicating the attribute of the child table 201 output as the detailed information 1 to the incident analysis sheet 20, and similarly the child table 201 output as the detailed information 2. It has “Detil2, Detil2W” indicating an attribute.

  The child table 201 is searched in the order of “Detil1, Detil1W”, and the trigger information of the child record 201 searched first is output to the detailed information 1 of the incident analysis sheet 20. Also, “Detil2, Detil2W” are processed in the same manner.

  For incident names not registered in the trigger association table 202, the trigger information of the first item of the child table 201 is output to the detailed information 1 of the incident analysis sheet 20, and the trigger information of the second item is detailed. Processing is performed so that the information 2 is output.

  FIG. 5 is a diagram illustrating a data configuration example of the work table of the event monitoring unit 11.

  FIG. 5A shows an example of a work table 203 that holds a parent record 200 of an incident log, and FIG. 5B shows an example of a work table 204 that holds a child record 201 of an incident log.

  The work table 203 includes “record ID” of record identification information, “detection date” of date and time information when an incident was detected, “incident name” of incident name, “priority” indicating priority by the sensor 3, and “transmission” “Source IP address”, “source port”, “destination IP address”, “destination port”, “sensor IP address” indicating the sensor 3 storing the incident log, and the type (NIDS, HIDS) of the sensor 3 “Sensor type”, “number of incidents” that stores the number of detected incidents, “number of warnings (threshold)” that sets a threshold (number of detected cases) that determines the importance as “warning”, and “abnormal” as the degree of importance It has “abnormality number (threshold value)” in which a threshold value (number of detected cases) is set.

  The work table 204 outputs “record ID” of record identification information, “attribute” in which attributes of the child table 201 are stored, “trigger information” in which trigger information of corresponding attributes in the child table 201 is stored. It has a “type” indicating detailed information designation (detailed information 1, detailed information 2).

  The incident monitoring device 1 can edit and output incident information that needs to be analyzed over 24 hours and 365 days by processing incident logs detected within a predetermined time range that goes back from the present. .

(2) Determining the severity of incidents The event monitoring unit 11 evaluates incidents in the order of the following processing in order to determine the severity for each incident name in the extracted incident log. Determine the importance of.

  Thereby, the incident monitoring apparatus 1 can distinguish and output the urgency of incident analysis in the time range to be searched.

  Process ST1: If the incident priority is High and there is an incident with HIDS, the importance is set to “confirmation required”.

  Process ST2: If there is an incident with high priority, the importance is set to “abnormal”.

  Process ST3: If the priority is Medium, and the incident with the incident name and destination IP address is greater than or equal to the individually specified number of abnormalities (excluding the number of abnormalities = 0), the importance is set to “abnormal”.

  Process ST4: If the priority is Medium, the incident with the incident name and destination IP address is not individually specified, and the total number of abnormalities (excluding the number of abnormalities = 0) or more, the severity is “abnormal” And

  Process ST5: If the priority is Medium, and the incident with the incident name and destination IP address is greater than or equal to the individually specified number of warnings (excluding the number of warnings = 0), the importance is set to “warning”.

  Process ST6: If the priority is Medium, the incident of the incident name and the destination IP address is not individually specified, and the total number of warnings (excluding the number of warnings = 0) or more, the severity is “warning”. And

  Process ST7: The importance is set to “normal”.

(3) Screen Display of Importance Level and Search Range Time Zone The event monitoring unit 11 displays the importance level and search range time on the screen of the administrator terminal 6. Also, the display color of the incident name displayed on the screen is changed based on the determined importance, or a predetermined message is displayed.

  Thereby, the incident monitoring apparatus 1 can provide the administrator with the urgency of incident analysis in the search range time zone and information that allows the occurrence time zone of the incident to be seen at a glance.

  The event monitoring unit 11 displays the message by changing the display color of the incident name as follows according to the determined importance.

    ・ Incident names with "abnormal" severity level are displayed in red and "possible unauthorized access" is displayed.

    -Displays the name of the incident with a warning level of “Warning” in “yellow” and the message “Unauthorized access”.

    • When the importance is “Normal”, “Normal” and “Green” are displayed, and “No problem” message is displayed.

    -Display the name of the incident whose importance is “Confirmed” in “Vermilion”, and display the message “No problem if allowed (normally apparently problematic incident)”.

(4) Output of incident analysis information The event monitoring unit 11 performs incident analysis based on the data in the work table 203 when there is an incident having a severity of “warning”, “abnormal” or “necessary confirmation”. Data for creating the production sheet 20 (creation data) is edited and output and stored in the analysis information storage unit 106. The creation data created by the event monitoring unit 11 corresponds to first creation information.

  FIG. 6 is a diagram illustrating a data configuration example of the creation data 206.

  The creation data 206 includes “importance, detection date / time, incident name, number of cases, transmission source IP address, transmission source port number, transmission destination IP address, transmission destination port number, priority, access direction, trigger information 1, trigger information 2 , Response, sensor IP address ”and the like.

  The access direction is identified as “in” if the destination IP address and source IP address are internal IP addresses (local IP addresses or global IP addresses registered as internal IP addresses), and “in”. The IP address other than the IP address is identified as “outside”, and the packet direction of “outside → inside”, “inside → outside”, “inside → inside”, or “outside → outside” is stored.

  The output order of the records of the creation data 206 is the descending order of importance and the ascending order of incident name, transmission destination IP address, transmission source IP address, and detection time.

  By sorting in this way, related incidents can be gathered, and the incident analysis sheet 20 that can be analyzed in descending order of priority can be created.

  More specifically, the event monitoring unit 11 performs the following processing.

  Process ST10: Records of all incidents of importance “warning”, “abnormal”, and “confirmation required” are edited.

  Process ST11: The incident records are sorted by importance, incident name, transmission destination IP address, transmission source IP address, or detection date (time).

  Process ST12: Priority, detection time, incident name, number of cases, source IP address, source port number, destination IP address, destination port number, record ID, etc. are extracted from the parent record 202 of the incident.

  Process ST13: The “access direction” is determined based on the following judgment conditions.

    If the source IP address or destination IP address is an IP address registered in the local IP address or internal IP address list 207, the IP address side is specified as “in”.

    When the source IP address or the destination IP address is not registered in the internal IP address list 207, the IP address side is specified as “outside”.

  FIG. 7 is a diagram illustrating an example of the internal IP address list 207 stored in the internal IP address list storage unit 102.

  The internal IP address list 207 in FIG. 7 describes the “start IP address” indicating the start address value in the range of the internal IP address, the “end IP address” indicating the end address value in the range of the internal IP address, and the range “ It has a "memo".

  Process ST14: All child records of the work table 204 that match the record ID of the work table 203 are searched.

  If the record is from the NIDS type sensor 3, the trigger information in the first child record of the work table 204 is saved. If the field names of the second and subsequent child records match the registered field names, the trigger information is saved again, the creation data 206 is edited and output, and the next incident is processed.

  If the work table 203 does not have a field name that matches the child record of the work table 204, the creation data 206 is edited and output with the trigger information of the first child record of the work table 204, and the next incident is processed. .

  When the record is from the HIDS type sensor 3, the trigger association table 202 is referenced to obtain field names (two) that match the incident name. Then, search the child record of the work table 204 with the registered field name (first), save the trigger information if there is a record, edit and output the creation data 206, and process the next incident To do.

  In addition, the child record of the work table 204 is searched with the registered field name (second), and if there is a record, the trigger information is saved, the creation data 206 is edited and output, and the next incident is processed. To do. If there is no record in the trigger association table 202 that matches the incident name in the work table 203, the trigger information in the first child record of the work table 204 is saved, the editing data 206 is edited and output, and the next incident Process.

  Process ST15: When the importance is “warning”, “abnormal”, or “necessary confirmation”, the detected incident list 208 and detailed information of each incident are displayed on the administrator terminal 6.

  The incident monitoring device 1 can automatically provide summary information such as a detected incident list, thereby providing information that allows an administrator to check the occurrence status of the entire incident in the monitoring target 2.

  Based on the work table 203, the event monitoring unit 11 sums up the number of detections for each importance, incident name, or destination IP address, and displays “importance, incident name, number of cases, transmission as shown in FIG. A detected incident list 208 including information such as “destination IP address” is generated. Then, the detected incident list display screen 300 as shown in FIG. 9 is displayed on the administrator terminal 6, and the detected incident list 208 is displayed in descending order of importance and in ascending order of incident name and destination IP address. .

  As shown in FIG. 10, the event monitoring unit 11 displays the detected incident list display screen 300 including the detected incident list display unit 301 generated from the detected incident list 208 (see FIG. 9).

  Further, the event monitoring unit 11 generates detailed information 209 including data as shown in FIG. 11 for each of all incidents in the detected incident list 208. The detailed information 209 is arranged in order of detection date and time.

  The event monitoring unit 11 generates a detected incident detailed information display screen 310 including detailed information 209 as shown in FIG.

  The detection which displays the detailed information 209 of the selected incident by selecting the incident displayed on the detection incident list display part 301 of the detection incident list display screen 300 of FIG. 9 and clicking the “event details” button 302 An incident detail information display screen 310 is displayed.

  On the detected incident detailed information display screen 310, information for primary analysis among the detailed information 209 corresponding to the incident log information is numbered and displayed. Also, the “access direction” indicating the direction of the attack is displayed.

  On the detected incident detailed information display screen 310, a selection button group for selecting an incident (forward selection buttons (“<”, “<<”), jump selection buttons (GO TO)) and backward selection buttons (“>”, “>>”). ")) When 311 is clicked, detailed information 209 of the selected incident is displayed.

  Thereby, the incident monitoring apparatus 1 can provide information that allows the administrator to analyze details of the detected incident.

(5) Notification of Incident Detection When the importance level is “warning”, “abnormal”, or “necessary confirmation”, the event monitoring unit 11 further notifies a detected incident according to a predetermined notification mode.

  When the notification mode is sound notification, the designated WAVE file is reproduced on the administrator terminal 6 or another audio output device.

  When the notification mode is e-mail notification, “monitoring terminal ID + importance + search range time” is set in the subject (Subject), and the creation data 206 of the incident analysis sheet 20 or the detected incident is set in the text. A mail message with the same contents as the list 208 is generated and notified.

  When the notification mode is an event log notification by Windows, the same contents as the detected incident list 208 are output.

  When the notification mode is application activation, an application such as a patrol lamp is activated.

[Event detection status monitoring processing]
(1) Acquisition of incident logs The event detection status monitoring unit 12 uses the scheduler of the incident monitoring device 1 to detect incidents in a time range retroactive to the past from the current time in the search time range at the time interval of the search time range. Log information is retrieved and extracted from the incident / log storage unit 10.

  Details of the processing are the same as “acquisition of incident / log” of the event monitoring unit 11 and will not be described.

(2) Judgment of Incident Detection Status For each incident name, the event detection status monitoring unit 12 compares the number of incident occurrences and the number of detections (corresponding number) corresponding to a predetermined combination condition with a predetermined threshold value for each. .

  As a result, the incident monitoring apparatus 1 can provide information that allows the administrator to check whether the incident detection tendency is different from the normal number of incidents per incident name and the number of incident combinations.

  The event detection status monitoring unit 12 edits the creation data 210 of the incident analysis sheet 20 and outputs it to the analysis information storage unit 106 in the following cases. The creation data 210 includes the same data as the creation data 206 shown in FIG. The creation data 210 corresponds to second creation information that is edited and output by the event detection status monitoring unit 12.

-If the number of incidents with the same incident name, the same destination IP address, and the same source IP address exceeds the threshold,
・ If the number of the same incident name and the same destination IP address exceeds the threshold,
・ If the number of incidents with the same incident name exceeds the threshold,
・ If the number of combinations of the same incident name, the same destination IP address, and the same source IP address exceeds the threshold,
・ If the number of combinations of the same incident name and the same destination IP address exceeds the threshold,
・ When the number of incident name combinations exceeds the threshold.

(3) Notification of incident detection status The event detection status monitoring unit 12 notifies the incident detection status according to a predetermined notification mode when the incident detection status (number of detections or number of hits) exceeds a threshold. .

  When the notification mode is display notification, a pop-up window indicating information on incidents exceeding the threshold is displayed on the screen of the administrator terminal 6 for notification.

  When the notification mode is sound notification, the designated WAVE file is reproduced by the administrator terminal 6 or another audio output device.

  When the notification mode is e-mail notification, “event warning + monitoring terminal ID + search range time” is set in the subject (Subject), and the same text as the creation data 210 of the incident analysis sheet 20 is set in the text. Generate and notify a mail message with the contents set.

  When the notification mode is an event log notification by Windows, the same contents as the creation data 210 of the incident analysis sheet 20 are output.

  When the notification mode is application activation, an application such as a patrol lamp is activated.

[Creating information for incident analysis]
(1) Acquisition of Data for Creating Incident Analysis Sheet 20 The analysis information generating unit 13 acquires the creation data 206 and 210 for the incident analysis sheet 20 from the analysis information storage unit 106.

(2) Acquisition of global IP address assignment destination The analysis information generation unit 13 extracts a global IP address from the transmission source IP address and transmission destination IP address included in the creation data 206 and 210 of the incident analysis sheet 20. Then, a global IP address list 211 as shown in FIG. 13 is created and stored in the IP address list storage unit 108.

  Further, the analysis information generation unit 13 passes the global IP address list 211 to the assignment destination information search unit 14 via the IP address list storage unit 108, and waits for completion of the search processing of the assignment destination information search unit 14, As shown in FIG. 14, retrieval result extraction data 212 including information (organization name and the like) of the assignment destination of each global IP address is acquired.

  The search result extraction data 212 includes an “IP address” indicating a global IP address to be searched, an “organization name” indicating an assignment destination obtained from the search result, and a country or region to which the global IP address to be searched is allocated. “Country name code”, “Internet registry” indicating the search destination Internet registry, “IP address range” indicating the range of allocated IP addresses, and the like.

  The processing of the assignment destination information search unit 14 will be described later.

  Thereby, the incident monitoring apparatus 1 can provide the administrator with the incident analysis sheet 20 to which the latest organization name for the global IP address is added.

(3) Generation of Incident Analysis Information The analysis information generation unit 13 edits the creation data 206 and 210 of the analysis information storage unit 106 to generate incident analysis sheet data for each incident. The incident analysis sheet data is intermediate data of the incident analysis sheet 20 shown in FIGS. 17 and 18.

  The analysis information generation unit 13 obtains IP address assignment destination information (organization name, device name, etc.) for each of the transmission source IP address and transmission destination IP address of the creation data 206 and 210, and generates an incident analysis sheet. Stored in the corresponding field of the data.

  By adding information on the IP address to the incident analysis sheet 20, information that facilitates incident analysis can be provided.

  More specifically, the analysis information generation unit 13 performs the following processing on the transmission source IP address and the transmission destination IP address.

  Process ST30: The internal allocation table 213 is searched, and if the IP address corresponding to the source IP address / destination IP address exists in the internal allocation table 213, the user name (device name etc.) of the corresponding IP address ) Is stored in "Sender name" or "Destination name" of the incident analysis sheet data.

  FIG. 15 is a diagram illustrating an example of the internal allocation table 213. The internal allocation table 213 includes “SourceAddressName” indicating an IP address existing inside the monitoring target 2 and “user name” indicating a device to which the IP address is allocated.

  Process ST31: When the IP address corresponding to the source IP address / destination IP address does not exist in the internal allocation table 213, the IP address allocation table 214 is searched. If an IP address corresponding to the source IP address / destination IP address exists in the IP address allocation table 214, the user name (organization name) of the corresponding IP address is set to “source of incident analysis sheet data”. Store in "Name" or "Destination name".

  FIG. 16 is a diagram illustrating an example of the IP address allocation table 214.

  The IP address allocation table 214 includes “SourceAddressName” indicating a global IP address and “user name” indicating an organization to which the global IP address is allocated.

  Process ST32: If the IP address corresponding to the source IP address / destination IP address does not exist in the IP address assignment table 214, the “source name” or “destination name” of the incident analysis sheet data is set. Leave blank.

  Further, when the importance level is “abnormal” and the priority level is “High” among the importance levels of the incident analysis sheet 20, the analysis information generation unit 13 adds “<<” to both sides of the importance levels. In addition, “<< abnormality >>”. This is for distinguishing from an incident having an importance level of “abnormal” and a priority level of “Medium”.

  Further, the analysis information generation unit 13 edits the incident analysis sheet data of all incidents into the output format of the incident analysis sheet 20 and sets the file name to “monitoring terminal ID +“ event report ”/“ event warning ”+ Create as "Search range time".

  17 and 18 are diagrams showing examples of the incident analysis sheet 20. FIG. 17 shows the left half portion of the incident analysis sheet 20 output as one sheet, FIG. 18 shows the right half portion, and the right end of the incident analysis sheet 20 in FIG. It is output in a state of being connected to the left end of the incident analysis sheet 20 of FIG.

  The incident analysis sheet 20 includes “item number” indicating a record number, “alert” indicating importance, “date” indicating detection date and time, “incident name”, “number” indicating the number of detections, and “source IP”. , Transmission source name, transmission source port, transmission destination IP, transmission destination name, transmission destination port, access direction, detailed information 1 "incident content" and "sensor IP / adapter" identifying the detected sensor 3 It includes a “Resolved” column for filling in that the incident has been resolved.

(4) Output of incident analysis information The analysis information generation unit 13 outputs a file of the incident analysis sheet 20. The analysis information generation unit 13 outputs the incident analysis sheet 20 to a printer when printing of the incident analysis sheet 20 is requested.

  If transmission of the incident analysis sheet 20 by e-mail is requested, an e-mail message attached with the data file of the incident analysis sheet 20 is generated, and “Subject sheet” / “incident sheet” / "Event warning" + "Send" + search range time "is set, and" Monitoring terminal ID + "" + Search range time + "Incident sheet" / "Event warning" + "Send" "is set in the text. Generate and send a set email message.

  Further, when print output or email transmission of the incident analysis sheet 20 is not requested, a pop-up screen for notifying completion of creation of the incident analysis sheet 20 is displayed on the console screen of the administrator terminal 6.

[Allocation information search processing]
The assignment destination information search unit 14 extracts the global IP address list 211 stored by the analysis information generation unit 13 from the IP address list storage unit 108, and from the global IP address list 211, the local IP address and the invalid IP address. Address and duplicate IP address are deleted.

  The assignment destination information search unit 14 reads the IP addresses to be searched one by one, refers to the inquiry destination storage unit 105, and performs an Internet registry management server 5 that performs “Whois information search” based on the value of the IP address. The inquiry destination (IP address) is specified. Then, a Whois information search of the read IP address is performed on the acquired inquiry destination. The inquiry contents are all information (responses of a plurality of blocks such as parent, child, grandchild) for the target IP address.

  When the assignment destination information search unit 14 receives a response message as shown in FIG. 19 from the management server 5 of the Internet registry, “IP address, organization name and country code (two characters of ISO 3166-1) are received from the response message. Are extracted and edited, and output to the extracted data (intermediate file) 212 shown in FIG.

  Note that the format is specified in order to obtain the information range (block length) of the response message. As a specific method, the format is narrowed down based on the management server 5 of the Internet registry, and a matching format is found from a plurality of patterns to obtain the block length. Further, a keyword search is performed for a specific character string (with a plurality of patterns) in the response message, and the position of the IP address, organization name, country code, etc. is specified and extracted.

  The assignment destination information search unit 14 searches the IP address assignment table 214 of the global IP address information storage unit 109 with the contents of the extracted data 212 extracted from the response message after the inquiry of all IP addresses in the global IP address list 211 is completed. Update.

  FIG. 20 is a process flow diagram of the outline process of the incident monitoring apparatus 1.

  When each processing unit of the incident monitoring apparatus 1 acquires a predetermined parameter and performs an initialization process (step S100), the event monitoring unit 11 and the event detection status monitoring unit 12 periodically read from the incident / log storage unit 10. In addition, incident logs in a certain time range are collected (step S101).

  The event monitoring unit 11 determines the importance of each incident name in the collected incident log from the number of occurrences and the priority of the incident (step S102). Then, the event monitoring unit 11 displays the incident name and the message with the display time range of the incident log and the display color corresponding to the determined importance (step S103).

  Further, the event monitoring unit 11 determines whether the determined importance has an importance other than “normal” (step S104), and if there is an importance other than “normal” (Y in step S104), the event monitoring unit 11 determines the importance. The incident information is edited for incidents other than “normal” (step S105), the edited incident information is displayed on the administrator terminal 6 and a predetermined notification is given (step S106).

  The event detection status monitoring unit 12 calculates the number of detected incidents in the collected incident log and the number of hits detected by a predetermined combination, and the detected number of hits or the number of hits exceeds a predetermined threshold. It is determined whether there is any (step S107). If there is a detection situation in which the number of occurrences or the number of hits exceeds the threshold (Y in step S107), the incident information is edited for the incident that exceeds the threshold (step S108), and the edited incident information is displayed on the administrator terminal 6 , A predetermined notification is made (step S109).

  Further, the analysis information generating unit 13 edits the analysis information based on the incident information edited for the incident whose importance is not “normal” and the incident related to the detection situation exceeding the threshold (step S1). S110). During the editing process in step S110, the assignment destination information search unit 14 searches the Internet registry management server 5 for the information on the assignment destination of the global IP address included in the incident information, acquires the response result, The global IP address information is updated (step S111).

  The analysis information generation unit 13 outputs the edited analysis information (incident analysis sheet 20) (step S112).

  If the interrupt is not completed (N in step S113), the process returns to step S101. If the interrupt is terminated (Y in step S113), the process is terminated.

  As described above, as described in the present embodiment, the effects obtained by the incident monitoring apparatus 1 will be briefly described as follows.

  ・ For incidents that continue to be detected in large numbers, incidents can be automatically edited and output without omission in order of priority, preventing oversight of high-priority incidents.

  ・ There is no need to constantly check the occurrence of incidents, and only the incidents subject to analysis can be automatically reported for a certain period of time.

  ・ By notifying the highest level of importance, it becomes easier to understand the urgency of an incident that has occurred.

  ・ The priority of the analysis target is easy to understand by notifying the importance for each incident in, for example, “normal, warning, abnormal, and confirmation required” in four stages.

  -The priority of the analysis target is easy to understand by notifying in three stages, normal, warning, and abnormal, based on the number of detections per unit time for each type of incident.

  -Only the information required for the primary analysis process, which differs for each incident type, can be extracted and output, facilitating analysis.

  ・ Incidents that occurred within a certain time range can be sorted and output by incident name / destination / source / detection time, and related incidents can be collected and analyzed easily.

  -The latest organization information (organization name, etc.), the direction of attack, etc., regarding the source / destination IP address can be automatically assigned, facilitating analysis.

  -The latest organization name can be obtained by simply searching the database without being conscious of the inquiry destination of the Internet registry, and the processing time of the report creation process can be shortened.

  ・ The incident occurrence status for the same destination can be analyzed periodically within a certain time range, and the status can be notified when it is different from the normal time, so that a sign of unauthorized access can be found early.

  In addition, the incident monitoring apparatus 1 according to the present invention can be constructed by realizing a processing unit included in the incident monitoring apparatus 1 by reading and executing a program by a computer. This program can be stored in an appropriate recording medium such as a portable medium memory, a semiconductor memory, or a hard disk, which can be read by a computer, and is provided by being recorded on these recording media. Alternatively, this program is provided by transmission and reception using various communication networks via a communication interface.

DESCRIPTION OF SYMBOLS 1 Incident monitoring apparatus 10 Incident log storage part 11 Event monitoring part 12 Event detection status monitoring part 13 Analysis information generation part 14 Allocation destination information search part 101 Trigger correlation information storage part 102 Internal IP address list storage part 103 Local IP address information Storage unit 105 Inquiry destination storage unit 106 Analysis information storage unit 108 IP address list storage unit 109 Global IP address information storage unit 20 Incident analysis sheet 2 Monitoring target 3 Sensor 4 Internet 5 Internet registry management server 6 Administrator terminal

Claims (6)

A device that monitors incidents that occur in computer systems connected to a network,
Information related to the incident detected by the sensor that monitors the computer system, including the incident name, the detection date, the source IP address, the destination IP address, and the priority indicating the degree of the incident threat added by the sensor. An incident log storage unit for storing incident log information including,
An internal IP address information storage unit for storing internal IP address information in which an internal IP address used inside the computer system to be monitored and an assignment destination of the internal IP address are registered;
An analysis information storage unit for storing creation information for creating incident analysis information;
A process for extracting incident log information of incidents detected within a time range from the present time to a time point that is a predetermined time later from the present time at a predetermined time interval, and the extracted incident log Based on the information, for each incident name, determine the importance based on the number of detected incidents in the time range and the priority, edit the incident information for each incident name, and edit the incident name. An event monitoring unit that performs processing for storing the importance level and the edited information in the analysis information storage unit as first creation information;
A process of extracting the incident log information from the incident log storage unit;
Based on the extracted incident log information, the number of incidents detected for each incident name and the corresponding number of detected cases under a predetermined combination condition are calculated, and the detected number and the corresponding number of cases are calculated as a predetermined threshold value. For the incident name for which the number of detected cases or the number of hits is greater than or equal to the threshold value, the incident information is edited for each incident name, and the edited information is used as second creation information for the analysis information. An event detection status monitoring unit that performs processing to be stored in the storage unit;
Of the IP addresses of the source or destination included in the first creation information and the second creation information, the information specifying the global IP address assignment destination is assigned to the global IP address allocation. An allocation information retrieval part obtained from an Internet registry management server;
Using the first creation information, the second creation information, and the global IP address assignment destination information acquired by the assignment destination information search unit, generate and output incident analysis information related to the detected incident An incident monitoring apparatus comprising: an information generation unit for analysis. The incident monitoring apparatus according to claim 1, wherein the event monitoring unit notifies, in a predetermined manner, the name of an incident in which an incident with the incident name has occurred according to the importance of the incident name. The event monitoring unit specifies whether the IP address of the transmission destination or transmission source included in the incident log information is an IP address existing in the monitoring target, and the access direction of the data communication determined as an incident The incident monitoring device according to claim 1, wherein the first creation information including the specified access direction is generated. The event detection status monitoring unit notifies the occurrence of a situation exceeding an incident threshold in a predetermined manner for the incident name for which the number of detected cases or the number of relevant cases is equal to or greater than a predetermined notification threshold. The incident monitoring apparatus according to any one of claims 1 and 3. A processing method executed by an incident monitoring system for monitoring incidents occurring in a computer system connected to a network,
A sensor that monitors the occurrence of incidents in the monitored computer system;
Information related to the incident detected by the sensor that monitors the computer system, including the incident name, the detection date, the source IP address, the destination IP address, and the priority indicating the degree of the incident threat added by the sensor. An incident log storage unit for storing incident log information including,
An internal IP address information storage unit for storing internal IP address information in which an internal IP address used inside the computer system to be monitored and an assignment destination of the internal IP address are registered;
The incident monitoring system comprising an analysis information storage unit for storing creation information for creating incident analysis information,
A process of extracting, from the incident log storage unit, incident log information of incidents detected within a time range from a present time to a time point that is a predetermined time later at a predetermined time interval;
A process of determining the importance based on the number of detected incidents and the priority within the time range for each incident name based on the extracted incident log information,
A process of editing incident information for each incident name, storing the importance for the incident name and the edited information in the analysis information storage unit as first creation information;
Based on the extracted incident log information, the number of incidents detected for each incident name and the corresponding number of detected cases under a predetermined combination condition are calculated, and the detected number and the corresponding number of cases are calculated as a predetermined threshold value. A process to compare with,
Processing for editing incident information for each incident name and storing the edited information as second creation information in the analysis information storage unit for the incident name for which the number of detected cases or the number of hits is equal to or greater than the threshold value Process,
Of the IP addresses of the source or destination included in the first creation information and the second creation information, the information specifying the global IP address assignment destination is assigned to the global IP address allocation. The process of obtaining from the Internet registry management server;
Using the first creation information, the second creation information, and the global IP address assignment destination information acquired by the assignment destination information search unit, generate and output incident analysis information related to the detected incident An incident monitoring method characterized by comprising: A program that causes a computer to function as an incident monitoring device that monitors incidents that occur in a computer system connected to a network.
Said computer,
Information related to the incident detected by the sensor that monitors the computer system, including the incident name, the detection date, the source IP address, the destination IP address, and the priority indicating the degree of the incident threat added by the sensor. An incident log storage unit for storing incident log information including,
An internal IP address information storage unit for storing internal IP address information in which an internal IP address used inside the computer system to be monitored and an assignment destination of the internal IP address are registered;
An analysis information storage unit for storing creation information for creating incident analysis information;
A process for extracting incident log information of incidents detected within a time range from the present time to a point that is a predetermined time backward from the present time at a predetermined time interval from the incident log storage unit; and the extracted incident log Based on the information, for each incident name, determine the importance based on the number of detected incidents in the time range and the priority, edit the incident information for each incident name, and edit the incident name. An event monitoring unit that performs processing for storing the importance level and the edited information in the analysis information storage unit as first creation information;
A process of extracting the incident log information from the incident log storage unit;
Based on the extracted incident log information, the number of incidents detected for each incident name and the corresponding number of detected cases under a predetermined combination condition are calculated, and the detected number and the corresponding number of cases are calculated as a predetermined threshold value. For the incident name for which the number of detected cases or the number of hits is greater than or equal to the threshold value, the incident information is edited for each incident name, and the edited information is used as second creation information for the analysis information. An event detection status monitoring unit that performs processing to be stored in the storage unit;
Of the IP addresses of the source or destination included in the first creation information and the second creation information, the information specifying the global IP address assignment destination is assigned to the global IP address allocation. An allocation information retrieval part obtained from an Internet registry management server;
Using the first creation information, the second creation information, and the global IP address assignment destination information acquired by the assignment destination information search unit, generate and output incident analysis information related to the detected incident An incident monitoring program characterized by functioning as an analysis information generation unit.

Images