JP2015121968A - Log analyzer, log analysis method, and log analysis program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reduce detection omission in a case of analyzing log along an attack scenario and detecting a cyber attack.SOLUTION: In a security log analyzer 100, a relevant attack extraction unit 104 extracts an attack that is not detected yet by a detector provided in a computer system from among a plurality of attacks defined in an attack scenario 204 and that precedes at least one attack already detected by the detector in order defined by the attack scenario 204. An attack determination unit 107 analyzes the log of the computer system and determines whether the computer system has suffered the attack extracted by the relevant attack extraction unit 104, and determines that attack detection omission occurs.

Description

  The present invention relates to a log analysis device, a log analysis method, and a log analysis program. The present invention relates to a security log analysis apparatus that detects a cyber attack by analyzing a security log, for example.

  In recent years, accidents in which malware leaks confidential information outside the organization have become a problem. Cyber attacks using malware are becoming more sophisticated, and include, for example, attacks called APT (Advanced and Persistent Threat) shown in Non-Patent Document 1.

  In APT, malware that has invaded an organization via an attached email etc. communicates with a C & C (Command & Control) server on the Internet operated by the attacker from a computer infected with the malware, and downloads new malware and attack tools. Or update. The malware receives an instruction from the C & C server, scouts the organization, finds the file server, and leaks the confidential file to the C & C server by communication. If each of these activities is regarded as an attack, each attack is performed in stages over a long period of time. For example, malware that has infected a computer hides itself for one month after infection and begins to communicate with the C & C server one month later. Thus, in APT, a plurality of attacks are performed with time.

  There are various methods for dealing with APT. As products for APT measures, there are products that prevent intrusion by e-mail, products that prevent information leakage, and the like. Further, there is a method of automatically analyzing a log as one of APT countermeasure methods. Logs can be automatically analyzed by analyzing the logs of network devices such as computers, servers and routers, firewalls, security devices such as intrusion detection systems, etc., and checking the correlation between them, or abnormal recording from the logs. There is a method of detecting APT by observing or observing the progress.

  SIEM (Security Information and Event Management: Security, Information, and Event Management) is an example of a product that automatically detects anomalies by examining the correlation of logs of security devices such as firewalls or intrusion detection systems. There is a system (see, for example, Patent Document 1). Sometimes called an integrated log monitoring system.

  In addition, there is a log analysis system in which humans discover abnormalities by drilling down various logs with various keywords or displaying status changes in time series.

Special table 2004-537075 gazette

Design and Operation Guide for Countermeasures against “New Type of Attack”, Second Revised Edition, IPA, November 2011

  Since the SIEM system monitors events in real time on-memory, complex correlation analysis and correlation analysis of frequently occurring events are virtually impossible, and there is a problem that sufficient measures cannot be taken against APT. .

  The log analysis system can interactively analyze the accumulated logs from various angles. However, when multiple attacks progress over time, such as APT, how can the logs be analyzed? Whether analysis should be performed depends on the knowledge of the operator, and in the case of an operator with little knowledge, detection failure occurs.

  That is, in the detection of APT by the method of analyzing the log, there is a possibility that the APT may be missed when both the SIEM system and the log analysis system are operated.

  Here, when a log analysis system is operated, an attempt to detect an APT by searching a log according to a predefined attack scenario can be considered. This method has the advantage that the log can be analyzed without relying on the operator's knowledge. However, depending on the security device that outputs the log to be analyzed, detection may be missed due to the limitation of the detection function. There is a problem that cannot be detected as an APT according to the scenario.

  An object of the present invention is to reduce detection omissions when, for example, a log is analyzed along an attack scenario to detect a cyber attack.

A log analysis apparatus according to one aspect of the present invention includes:
A log database for storing a log of a computer system equipped with a detection device for detecting an attack;
An attack scenario database for storing an attack scenario defining a plurality of attacks targeting the computer system and an order of the plurality of attacks;
Of the multiple attacks defined in the attack scenario stored in the attack scenario database, the detection device has not yet detected the attack, and the order defined in the attack scenario has already been detected by the detection device. A related attack extraction unit that extracts an attack prior to at least one attack,
Analyzing the log stored in the log database to determine whether or not the computer system has received an attack extracted by the related attack extraction unit. And an attack determination unit for determining that it has been performed.

  In the present invention, out of a plurality of attacks defined in the attack scenario, an attack prior to at least one attack that has not yet been detected and whose order defined in the attack scenario has already been detected is extracted. To do. Then, the log is analyzed to determine whether or not there is an extracted attack. If it is determined that there is an attack, it is determined that an attack detection failure has occurred. For this reason, according to the present invention, it is possible to reduce detection omissions when analyzing a log according to an attack scenario and detecting a cyber attack.

FIG. 2 is a block diagram showing a configuration of a security log analysis apparatus according to the first embodiment. FIG. 4 is a diagram illustrating an example of a configuration of detection results according to the first embodiment. FIG. 3 is a diagram illustrating an example of a configuration of an attack scenario according to the first embodiment. FIG. 3 is a diagram illustrating an example of a configuration of security countermeasure information according to the first embodiment. FIG. 3 is a diagram illustrating an example of a configuration of inventory information according to the first embodiment. 5 is a flowchart showing attack determination processing of an attack determination unit according to the first embodiment. 5 is a flowchart showing attack determination processing of an attack determination unit according to the first embodiment. 5 is a flowchart illustrating an example of a log search process of a log search unit according to the first embodiment. 9 is a flowchart showing another example of log search processing of the log search unit according to the first embodiment. 4 is a table showing determination results of an attack determination unit according to the first embodiment. FIG. 4 is a block diagram showing a configuration of a security log analysis apparatus according to a second embodiment. 10 is a table showing an example of an attack scenario score according to the fifth embodiment. 20 is a table showing an example of e-mail address reliability according to the seventh embodiment. 10 is a table showing an example of a determination result according to the ninth embodiment. FIG. 25 shows an exemplary configuration of a control command according to the tenth embodiment. The figure which shows an example of the hardware constitutions of the security log analyzer which concerns on Embodiment 1-10.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

Embodiment 1 FIG.
FIG. 1 is a block diagram showing a configuration of a security log analysis apparatus 100 according to the present embodiment.

  In FIG. 1, a security log analysis device 100 is an example of a log analysis device, and includes an input unit 101, an interpretation unit 102, an attack scenario search unit 103, a related attack extraction unit 104, a security countermeasure search unit 105, an inventory search unit 106, An attack determination unit 107, a log search unit 108, and an output unit 109 are provided. The security log analysis apparatus 100 includes an attack scenario database 111 (attack scenario DB), a security countermeasure database 112 (security countermeasure DB), an inventory database 113 (inventory DB), and a log database 114 (log DB).

  In the following, the outline of the operation of the security log analysis device 100 (the log analysis method according to the present embodiment and the processing procedure of the log analysis program according to the present embodiment) will be described with reference to FIG.

  The input unit 101 inputs a detection result 301 and outputs detection data 201.

  The interpretation unit 102 receives the detection data 201 and outputs detection information 202 and inventory search information 208.

  The attack scenario search unit 103 inputs the detection information 202 and the scenario extraction condition 302, outputs the attack identification information 203, and searches the attack scenario database 111. The attack scenario search unit 103 inputs an attack scenario 204 that is a search result. Further, the attack scenario search unit 103 outputs the input attack scenario 204 to the related attack extraction unit 104 and the attack determination unit 107.

  The attack scenario database 111 stores a plurality of attack sequences for executing cyber attacks as an attack scenario 204. The attack scenario 204 is scenario information including a plurality of identifiers for identifying each of a plurality of attacks predicted to occur on the monitored system.

  The related attack extraction unit 104 inputs the related attack extraction condition 303 and outputs the related attack information 205 to the security countermeasure search unit 105, the inventory search unit 106, and the attack determination unit 107.

  The security countermeasure search unit 105 inputs the related attack information 205 and searches the security countermeasure database 112 using the related attack search information 206. And the security countermeasure search part 105 inputs the countermeasure presence information 207 which is the search result. The security countermeasure search unit 105 outputs the countermeasure presence / absence information 207 to the attack determination unit 107.

  The security countermeasure database 112 stores information relating to implementation of countermeasures against attacks by an intrusion detection / defense device or the like.

  The inventory search unit 106 inputs the inventory search information 208 and the related attack information 205 and searches the inventory database 113 using the inventory search information 208. The inventory search unit 106 inputs the inventory information 209 that is the search result.

  The inventory database 113 stores information such as an asset ID (identifier) such as a PC (personal computer) or a server, an IP (Internet Protocol) address, an OS (Operating System), an application, a patch application status, and the like.

  The attack determination unit 107 inputs the inventory information 209, the related attack information 205, the attack scenario 204, the detection information 202, the countermeasure presence / absence information 207, and the already detected result 304, and the log search information 213 as the log search unit 108. Output to. The attack determination unit 107 also receives a search result 215 that is a result of the log search unit 108 searching the log database 114, determines the occurrence of a cyber attack, and outputs the determination result 216 to the output unit 109.

  The log database 114 receives a search command 214 and outputs a search result 215.

  The output unit 109 outputs the determination result 216 as the determination result 310 to the outside of the security log analyzer 100.

  Hereinafter, details of the operation of the security log analysis device 100 will be described with reference to FIGS.

  The input unit 101 inputs the detection result 301.

  FIG. 2 is a diagram illustrating an example of the configuration of the detection result 301.

As shown in FIG. 2, the detection result 301 is information in which the following contents are formatted.
(A) Date and time: Date and time when the attack occurred.
(B) Attack ID: Information for identifying an attack.
(C) Attack type: Attack type (for example, DoS (Denial of Service) attack, privilege escalation, etc.).
(D) Vulnerability ID: This is identification information (for example, CVE number (vulnerability identification number)) when an attack is made by exploiting a vulnerability such as software.
(E) Attack source information: information on the attack source, such as source IP / port and asset ID.
(F) Attack destination information: information on the attack destination, such as the destination IP / port and asset ID.

  Such information is notified as an attack detection result by a security device such as IPS (Intrusion / Prevention / System).

  The security log analysis apparatus 100 inputs the detection result 301 as, for example, a UDP (User Datagram Protocol) or TCP (Transmission, Control, Protocol) packet. The detection result 301 is formatted in such a manner that information as shown in FIG. 2 is stored in the body part of the packet. The detection result 301 may be a log entry recorded in the log file of the security device. Further, the detection result 301 may be an audit log of a terminal (hereinafter, sometimes referred to as “computer” or “computer”). In that case, it is composed of date / time, terminal ID, and event ID, and the event ID represents an abnormal action (authentication failure) on the terminal. The detection result 301 may be obtained by analyzing a communication abnormality from a proxy log in a device or the like that analyzes the log and making the result into a log entry or notifying in a packet.

  When the detection result 301 is a packet from the detection result 301 (the information is information formatted as shown in FIG. 2), the input unit 101 reads the detection data 201 that is the body part of the log entry. In this case, the detection data 201 that is the entry is extracted and output to the interpretation unit 102. That is, the detection data 201 is a detection result 301.

  The interpretation unit 102 inputs detection data 201 that is the detection result 301. The interpretation unit 102 decomposes (interprets) the input detection data 201 into components such as date and time, attack ID, attack type, vulnerability ID, attack source information, and attack destination information. The interpretation unit 102 outputs the result as detection information 202 to the attack scenario search unit 103. The content of the detection information 202 is the same as the content of the detection result 301.

  The attack scenario search unit 103 extracts an attack ID, an attack type, and a vulnerability ID from the detection information 202, and outputs them as attack identification information 203 to the attack scenario database 111. At this time, the attack scenario search unit 103 inputs a scenario extraction condition 302. The scenario extraction condition 302 is a condition for designating the number of attack scenarios 204 to be searched from the attack scenario database 111. As the scenario extraction condition 302, for example, one, a plurality, or a designated number is used as a condition. Here, the scenario extraction condition 302 designates the number of attack scenarios 204 searched from the attack scenario database 111 as “one”.

  In the attack scenario database 111, based on the attack identification information 203, an attack scenario 204 including an attack ID, an attack type, or a vulnerability ID is searched.

  FIG. 3 is a diagram illustrating an example of the configuration of the attack scenario 204.

  As shown in FIG. 3, the attack scenario 204 is a sequence of a plurality of attack scenario elements Ai. For example, “attack scenario element A1 → attack scenario element A2 → attack scenario element A3 → attack scenario element A4 → attack scenario element A5” "(When i = 1, 2, 3, 4, 5).

  The attack scenario element Ai (i = 1, 2, 3, 4, 5) is information on each attack. Each attack scenario element Ai (i = 1, 2, 3, 4, 5) includes attack identification information 401, attack information 402, countermeasure identification information 403, and countermeasure information 404.

As shown in FIG. 3, the attack identification information 401, the attack information 402, the countermeasure identification information 403, and the countermeasure information 404 are the following information.
(A) Attack identification information 401: includes an attack ID, an attack type, and a vulnerability ID.
(B) Attack information 402: Includes affected products (product ID, version information, patch ID), necessary execution authority, keywords, and other information.
(C) Countermeasure identification information 403: Contains a countermeasure ID.
(D) Countermeasure information 404: includes patch ID, workaround ID, workaround content, and other information.

  Here, the keyword of the attack information 402 indicates an event that may occur in the occurrence of an attack. For example, if rewriting of the OS setting occurs, the keyword is “OS, configuration, modification”.

  In the attack scenario 204 shown in FIG. 3, the attack scenario element A1 occurs first, then the attack scenario element A2 occurs, then the attack scenario element A3 occurs, then the attack scenario element A4 occurs, Shows a scenario in which attack scenario element A5 occurs.

  Based on past cases, the attack scenario 204 as described above is created and stored in the attack scenario database 111. The attack scenario element Ai constituting the attack scenario 204 is one or more, and may be two, three, or more.

  The attack scenario search unit 103 searches the attack scenario database 111 using the attack identification information 203. For example, the attack scenario search unit 103 searches for an attack scenario 204 in which the attack ID that is a constituent element of the attack identification information 203 is included in the attack identification information 401 of the attack scenario element Ai.

  If the attack scenario search unit 103 cannot obtain a search result with the attack ID, the attack scenario search unit 103 searches with the vulnerability ID and the attack type. The attack scenario search unit 103 extracts the search result as described above from the attack scenario database 111 as the attack scenario 204.

  As described above, the security log analysis device 100 extracts the attack scenario 204 including the attack notified by the detection result 301 from the attack scenario database 111.

  The attack scenario search unit 103 outputs the attack scenario 204 input from the attack scenario database 111 to the related attack extraction unit 104.

  The related attack extraction unit 104 inputs the attack scenario 204 and analyzes the attack scenario 204. The related attack extraction unit 104 extracts information related to the attack included in the notified attack scenario 204.

  At this time, the related attack extraction unit 104 inputs a related attack extraction condition 303. The related attack extraction condition 303 is n (1 to all) as the number of attacks occurring after the notified attack, or m (1 to all) as the number of attacks occurring before the notified attack. Is a condition for specifying.

  For example, when the related attack extraction condition 303 specifies “1” as the number of attacks that occur after the notified attack, only information on the attack that occurs after the notified attack is extracted. When “all” is designated, information on all attacks that occur after the notified attack is extracted. Further, for example, when the related attack extraction condition 303 specifies “1” as the number of attacks that occur before the notified attack, only information on the attacks that occur before the notified attack is extracted. . When “all” is designated, information on all attacks that occur before the notified attack is extracted. Alternatively, a combination thereof may be used. Alternatively, all information of the attack scenario 204 may be extracted (full). The attack extracted by the related attack extraction unit 104 is an example of an analysis target attack that is predicted to occur before and after the notified attack.

  Here, it is assumed that the related attack extraction condition 303 is designated as “Extract all information: full” for the attack scenario 204.

  For example, it is assumed that the attack ID included in the detection information 202 is the attack ID of the attack scenario element A4. The attack scenario search unit 103 extracts the attack scenario 204 shown in FIG. 3 from the attack scenario database 111. Then, the related attack extraction unit 104 inputs the related attack extraction condition 303 “Extract all information: full”, and from the attack scenario 204 “attack scenario element A1 → attack scenario element A2 → attack scenario element A3 → attack scenario” Element A4 → attack scenario element A5 ”is extracted. As described above, the related attack extraction unit 104 extracts the related attack information 205.

  Next, the related attack extraction unit 104 outputs the related attack information 205 to the security countermeasure search unit 105. The security countermeasure search unit 105 searches the security countermeasure database 112 using the input related attack information 205. Specifically, the security countermeasure search unit 105 uses “attack scenario element A1, attack scenario element A2, attack scenario element A3, attack scenario element A4, attack scenario element A5” included in the input related attack information 205. The security countermeasure database 112 is searched.

  FIG. 4 is a diagram illustrating an example of the configuration of the security countermeasure information 500 stored in the security countermeasure database 112.

As shown in FIG. 4, the security countermeasure information 500 includes attack identification information 501, attack information 502, countermeasure identification information 503, countermeasure information 504, and countermeasure implementation information 505. The attack identification information 501, attack information 502, countermeasure identification information 503, countermeasure information 504, and countermeasure execution information 505 are the following information.
(A) Attack identification information 501: includes an attack ID, an attack type, and a vulnerability ID.
(B) Attack information 502: Includes affected products (product ID, version information, patch ID), necessary execution authority, keywords, and other information.
(C) Countermeasure identification information 503: Contains a countermeasure ID.
(D) Countermeasure information 504: includes signature ID (such as IPS signature), virus pattern file ID, patch ID, avoidance measure ID, avoidance measure content, and other information.
(E) Countermeasure implementation information 505: includes information indicating the presence or absence of countermeasure implementation (whether or not countermeasures are currently implemented by IPS or the like).

  The security countermeasure search unit 105 extracts the corresponding security countermeasure information 500 from the security countermeasure database 112 using the input related attack information 205. Specifically, the security countermeasure search unit 105 configures “attack scenario element A1, attack scenario element A2, attack scenario element A3, attack scenario element A4, attack scenario element A5” included in the input related attack information 205. Each attack identification information 401 (that is, attack identification information 401 of attack scenario element A1, attack identification information 401 of attack scenario element A2, attack identification information 401 of attack scenario element A3, attack identification information 401 of attack scenario element A4, attack An entry of the security countermeasure information 500 including the attack ID, vulnerability ID, or attack type included in the attack identification information 401) of the scenario element A5 is extracted from the security countermeasure database 112. The security countermeasure information 500 stored in the security countermeasure database 112 includes attack identification information 501, which includes an attack ID, an attack type, and a vulnerability ID. An entry including the attack ID, attack type, or vulnerability ID included in the attack identification information 401 of the scenario element Ai may be extracted.

  The security countermeasure search unit 105 generates the countermeasure presence / absence information 207 by pairing the security countermeasure information 500 and the attack identification information 401 extracted as described above. The countermeasure presence / absence information 207 includes attack identification information 401 and security countermeasure information 500 of attack scenario element A1, attack identification information 401 and security countermeasure information 500 of attack scenario element A2, attack identification information 401 and security countermeasure information of attack scenario element A3. 500, attack identification information 401 and attack countermeasure information 500 of attack scenario element A4, attack identification information 401 and attack countermeasure information 500 of attack scenario element A5 are included. Here, the security countermeasure information 500 of the attack scenario element Ai is the security countermeasure information 500 in which the attack identification information 501 matches the attack identification information 401 of the attack scenario element Ai. The security measure search unit 105 outputs the measure presence / absence information 207 extracted from the security measure database 112 to the attack determination unit 107.

  The inventory search unit 106 inputs the inventory search information 208 from the interpretation unit 102. Also, the related attack information 205 is input from the related attack extraction unit 104. The inventory search information 208 is a part of the detection information 202 (corresponding to the detection result 301 in FIG. 2) and corresponds to attack destination information (the attack source information may correspond depending on the attack type). The attack destination information is information related to the attack destination, such as the destination IP / port and asset ID. This information may include information on a plurality of attack destinations (or a plurality of attack sources) (for example, an attack on a plurality of terminals, an attack on a network, etc.).

  The inventory search unit 106 sets information that can identify an asset, such as a destination IP (or MAC (Media / Access / Control)) and an asset ID, as the inventory search information 208 for search. Similarly, the inventory search unit 106 sets information for identifying an asset in the input related attack information 205 as inventory search information 208 for search. The inventory search information 208 may be information that can identify a plurality of assets (for example, an attack on a plurality of terminals, an attack on a network, etc.). The inventory search unit 106 outputs the inventory search information 208 for search to the inventory database 113. The inventory search unit 106 searches the inventory database 113 using the inventory search information 208 (information that can identify the inventory (assets)).

  The inventory search unit 106 extracts an entry that matches the inventory search information 208 as inventory information 209 from the inventory database 113.

  FIG. 5 is a diagram illustrating an example of the configuration of the inventory information 209 managed by the inventory database 113.

As shown in FIG. 5, the inventory information 209 includes asset identification information 601, asset OS information 602, asset application information 603, asset execution information 604, and asset security measure information 605. The asset identification information 601, asset OS information 602, asset application information 603, asset execution information 604, and asset security measure information 605 constituting the inventory information 209 are, for example, the following information.
(A) Asset identification information 601: Includes asset ID, IP address, MAC address, and user ID.
(B) Asset OS information 602: Contains information on OS (product ID, version information), application patch (patch ID) / application avoidance measure (workaround measure ID).
(C) Asset application information 603: Contains information on application (product ID, version information), applied patch (patch ID) / applied workaround (workaround ID).
(D) Asset execution information 604: includes information indicating execution authority.
(E) Asset security measure information 605: Contains information related to security measures (security settings, software, etc.).

  The inventory database 113 searches the entry stored in itself for an entry whose destination IP (or MAC) / asset ID of the inventory search information 208 (attack destination information) matches the asset identification information 601, and stores the inventory information. The data is output to the inventory search unit 106 as 209. Depending on the attack type, the inventory search information 208 may be attack source information (source IP (or MAC) / asset ID).

  The inventory search unit 106 outputs the inventory information 209 input from the inventory database 113 to the attack determination unit 107.

  The attack determination unit 107 inputs inventory information 209, related attack information 205, attack scenario 204, detection information 202, countermeasure presence / absence information 207, and already detected result 304 described later, and outputs log search information 213. The attack determination unit 107 outputs log search information 213 by executing an attack determination process.

  FIG. 6 is a flowchart showing the attack determination process of the attack determination unit 107.

  In S <b> 11 of FIG. 6, the attack determination unit 107 searches the log database 114 for an attack trace corresponding to the related attack information 205. For this purpose, log search information 213 that is information for searching the log database 114 from the related attack information 205 is generated and output to the log search unit 108. The log search unit 108 generates a search command 214 from the input log search information 213 and outputs it to the log database 114. As a result, the log database 114 returns the search result 215 to the log search unit 108. The log search unit 108 outputs the search result 215 to the attack determination unit 107.

  In S12 of FIG. 6, the attack determination unit 107 sorts the attack notified by the detection information 202 and the already detected result 304 indicating the already detected attack in order of time stamp (date and time corresponding to the occurrence of the attack). Here, the configuration of the detection result 304 is the same as that of the detection result 301 shown in FIG.

Here, it is assumed that information on certain attacks A1 and A2 is given to the attack determination unit 107 as the already detected result 304. Assume that the attack A4 is given to the input unit 101 as the detection result 301. In this situation, the result of sorting by the attack determination unit 107 as described above is as follows. The oldest one (left) and the new one (right) are listed.
(1) Attack A1 (from detection result 304), attack A2 (from detection result 304), attack A4 (from detection information 202)

  In S13 of FIG. 6, the attack determination unit 107 refers to the attack scenario 204 and checks whether there is an attack that has not been detected in comparison with the currently detected attack.

  FIG. 7 is a flowchart showing the process of S13 of FIG.

In S <b> 21 of FIG. 7, the attack determination unit 107 checks whether an attack has occurred in the order of the attack scenario 204. Assume that the attack scenario 204 is as follows.
(2) Attack A1 → Attack A2 → Attack A3 → Attack A4 → Attack A5

  Then, as compared with the attack shown in (1), it can be seen that the attack A4 is detected without detecting the attack A3 when the attack scenario 204 is followed. Therefore, the attack determination unit 107 determines “NO”, and proceeds to S22 of FIG. If “YES”, the process of FIG. 7 is terminated.

  In S <b> 22 of FIG. 7, the attack determination unit 107 refers to information on the attack Ak that has already been detected and has not been detected yet. In this case, Ak is A3 (k = 3). As information of the attack A3, information included in the attack scenario element Ai of the attack scenario 204 is referred to. For example, attack ID.

  In S23 of FIG. 7, the attack occurrence flag A3_occ and the detection omission determination flag A3_eva are set to 0 (because k = 3 in S22 of FIG. 7).

  In S24 of FIG. 7, the attack determination unit 107 checks whether the security countermeasure means of the monitored system is compatible with the attack A3. Here, for example, it is assumed that IPS is operated as a security measure. Therefore, it is checked whether it is compatible with IPS. Since the attack ID corresponding to the attack A3 is referred to in S22 of FIG. 7, the countermeasure presence / absence information 207 checks whether there is an entry corresponding to this attack ID. The countermeasure presence / absence information 207 includes the attack identification information 401 and security countermeasure information 500 of the attack scenario element A1, the attack identification information 401 and security countermeasure information 500 of the attack scenario element A2, and the attack identification information 401 and security countermeasure information 500 of the attack scenario element A3. These are attack identification information 401 and security countermeasure information 500 of attack scenario element A4, and attack identification information 401 and security countermeasure information 500 of attack scenario element A5. The attack identification information 401 of the attack scenario element A3 includes an attack ID, and includes an attack ID corresponding to the attack A3. Next, the attack determination unit 107 refers to the paired security countermeasure information 500. If the countermeasure implementation information 505 constituting the security countermeasure information 500 indicates that the countermeasure is being implemented, the countermeasure against the attack A3 is implemented by IPS or the like. "YES" is determined, and the process proceeds to S25 of FIG. If no countermeasure is taken, it is determined as “NO”, and the process proceeds to S26 of FIG. Here, the countermeasure implementation information 505 indicates whether the countermeasure indicated by the signature ID, the patch ID, or the avoidance countermeasure ID indicated in the countermeasure information 504 is being implemented. For example, the countermeasure implementation information 505 includes “signature ID = 1234, countermeasure implementation = implemented (or not implemented)”, “patch ID = 5678, countermeasure implementation = implemented (or not implemented)”, “avoidance countermeasure ID”. = 9999, countermeasure implementation = implemented (or not implemented) ”.

  In S25 of FIG. 7, the attack determination unit 107 sets A3_eva to 1, and proceeds to S26 of FIG. A3_eva = 1 means that although the countermeasure is implemented by IPS or the like, it is not detected (that is, detection is omitted).

  In S26 of FIG. 7, the attack determination unit 107 checks whether there is a computer (terminal) that may receive the attack A3. For that purpose, the information included in the attack scenario element A3 of the attack scenario 204 and the inventory information 209 are referred to. It is checked whether, for example, information on the attacked product in the attack information 402, which is a constituent element of the attack scenario element A3, corresponds to the asset OS information 602 and the asset application information 603 in the inventory information 209. If there is a corresponding terminal, the inventory information 209 is referred to. If there are a plurality of corresponding terminals, the inventory information 209 of the plurality of terminals is referred to. In this case, the attack determination unit 107 determines “YES” and proceeds to S27 of FIG. If there is no corresponding item, the attack determination unit 107 determines “NO”, and the process proceeds to S32 of FIG.

  In S27 of FIG. 7, the attack determination unit 107 checks whether there is a workaround in a terminal that may receive the attack A3. It is checked whether the countermeasure information 404 in the attack scenario element A3 includes an avoidance measure ID. If there is, the attack determination unit 107 determines “YES”, and the process proceeds to S28 of FIG. If not, the attack determination unit 107 determines “NO” and proceeds to S29 in FIG.

  In S28 of FIG. 7, the attack determination unit 107 checks whether an avoidance measure is being implemented. For example, whether or not the countermeasure information 404 in the attack scenario element A3 is included in the asset OS information 602 in the inventory information 209 and the application avoidance measures in the asset application information 603 for a computer (terminal) that may be currently attacked. Investigate. If included, the workaround has been implemented in these terminals, so the attack determination unit 107 determines “YES” and proceeds to S32 in FIG. If it is not included, the avoidance measure has not been implemented, so the attack determination unit 107 determines “NO” and proceeds to S29 in FIG.

  In S29 of FIG. 7, the attack determination unit 107 investigates the trace of the attack by causing the log search unit 108 to execute log search processing.

  FIG. 8 is a flowchart showing an example of the log search process in S29 of FIG.

  In S41 of FIG. 8, the log search unit 108 sets 1 to the variable p.

  In S42 of FIG. 8, the log search unit 108 determines whether p ≦ n. Here, n is the number of log search functions called in S43 of FIG. If p ≦ n, the log search unit 108 determines “YES” and proceeds to S43 in FIG. If p ≦ n is not satisfied, the log search unit 108 determines “NO” and ends the process of FIG. 8.

  In S43 of FIG. 8, the log search unit 108 calls the log search function f_p. At this time, the search period is specified as a function parameter. However, an arbitrary period may be specified, or a period between the occurrence date and time of attack A2 and the occurrence date and time of attack A4 may be specified.

  In S44 of FIG. 8, the log search unit 108 determines “YES” when the trace of the attack is extracted from the log by the log search function f_p, and ends the process of FIG. When not extracted, it determines with "NO" and progresses to S45 of FIG.

  In S45 of FIG. 8, the log search unit 108 adds 1 to the variable p and returns to S42 of FIG.

  As described above, the log search unit 108 searches for a trace of the attack in the log by calling the log search function f_p prepared in advance. In this example, since n is the number of log search functions f, if n = 5, f_1, f_2, f_3, f_4, and f_5 are called, but the log search function f is called by other methods. May be.

  FIG. 9 is a flowchart showing another example of the log search process in S29 of FIG.

  In S51 of FIG. 9, the log search unit 108 specifies q = 1, 3, and 5, and specifies 1 (the first value of q) for the variable p.

  In S <b> 52 of FIG. 9, the log search unit 108 determines whether all q have been designated for p. If all qs are not designated, the log search unit 108 determines “NO” and proceeds to S53 in FIG. If all the qs are designated, the log search unit 108 determines “YES” and ends the process of FIG. 9.

  In S53 of FIG. 9, the log search unit 108 calls the log search function f_p, similarly to S43 of FIG.

  In S54 of FIG. 9, the log search unit 108 determines “YES” when the trace of the attack is extracted from the log by the log search function f_p, similarly to S44 of FIG. 8, and ends the process of FIG. . When not extracted, it determines with "NO" and progresses to S55 of FIG.

  In S55 of FIG. 9, the log search unit 108 specifies the next value of q for the variable p, and returns to S52 of FIG.

  In this example, f_1, f_3, and f_5 are determined to be called in advance, but other functions may be determined to be called.

  In S30 of FIG. 7, the attack determination unit 107 determines that an attack may have occurred if the trace of the attack is found in the log as a result of the process of S29 of FIG. 7 (determines “YES”). The process proceeds to S31 in FIG. At this time, information for identifying the attack A3 (attack ID, etc.), information on the terminal under attack (IP address obtained from the log entry retrieved by the log retrieval function f), information on the computer that issued the attack (log retrieval) The IP address obtained from the log entry searched by the function f) and the date and time of the log entry where the trace of the attack was found are output as the detection date and time. If no trace of attack is found in the log, it is determined as “NO” and the process proceeds to S32 in FIG.

  In S31 of FIG. 7, the attack determination unit 107 sets A3_occ to 1. A3_occ = 1 means that an attack was found in the log search.

  In S32 of FIG. 7, the attack determination unit 107 determines the occurrence of an attack from the values of A3_occ and A3_eva.

  FIG. 10 is a table showing determination results 216 corresponding to combinations of values of Ak_occ and Ak_eva.

  As shown in FIG. In the case of 1 (Ak_occ = 0, Ak_eva = 0), since the attack Ak is not supported by the IPS, no detection occurs in the IPS, and no trace of the attack Ak is detected in the log analysis. Judge that it is not.

  The attack determination unit 107 has a No. 2 (Ak_occ = 0, Ak_eva = 1), attack AK is supported by IPS but not detected by IPS (if attack Ak is detected, “YES” is obtained in S21 of FIG. 7) Since the process of FIG. 7 is completed, the process does not proceed to S22 of FIG. 7). Since the trace of the attack is not detected even in the log analysis, it is determined that no attack has occurred.

  The attack determination unit 107 has a No. 3 (Ak_occ = 1, Ak_eva = 0), attack AK is not supported by IPS, so no detection has occurred, but since traces of attack are detected by log analysis, attack Ak has occurred to decide.

  The attack determination unit 107 has a No. 4 (Ak_occ = 1, Ak_eva = 1), attack AK is supported by IPS but not detected by IPS (if attack Ak is detected, “YES” in S21 of FIG. 7) Since the process of FIG. 7 is completed, the process does not proceed to S22 of FIG. 7). Since the trace of the attack is detected by log analysis, it is determined that the attack has occurred. In this case, an attack that should originally be detected by IPS is missed, and the missed detection is avoided by log analysis. When the signature method is adopted in IPS, an attack may be performed so as to avoid the signature, resulting in detection failure. When the behavior detection is adopted in the IPS, the detection omission occurs when the behavior criterion is not satisfied.

  As a result of the above processing, the attack determination unit 107 results in No. in FIG. 1, no. 2, no. 3, no. 4 is output to the output unit 109. At this time, the attack determination unit 107 performs No. 3, no. In the case of 4, information for identifying the attack A3 (attack ID, etc.), information on the terminal that has been attacked (IP address obtained from the log entry retrieved by the log retrieval function f, etc.), information on the computer that issued the attack ( The IP address obtained from the log entry searched by the log search function f) and the date and time of the log entry where the trace of the attack was found are included in the determination result 216 as the detection date and time.

  In the process of S29 of FIG. 7 (that is, FIG. 8 or FIG. 9), the log search function f outputs log search information 213, which is a command for searching for a log from the log database 114, to the log search unit 108. The log search unit 108 converts the log search information 213 into a search command 214 and outputs it to the log database 114. The log database 114 searches the log and outputs the result as a search result 215 to the log search unit 108. The log search unit 108 outputs the search result 215 to the attack determination unit 107. The search command 214 is issued to the log database 114, and corresponds to, for example, an SQL query. The search result 215 corresponds to, for example, an SQL response. The search condition 305 is a parameter such as a log search period.

  The output unit 109 outputs the attack determination result 216 as the determination result 310 to the outside of the security log analysis apparatus 100. For example, the judgment result 310 is “attack information = A3 (attack ID = 1234)”, “attacked terminal = 192.168.1.10”, “attacked terminal = 192.168.1.50”. ”,“ Detection date / time = 2013/9/20 12:00: 00 ”,“ Detection status = not detected by IPS. Since signature corresponds, IPS detection is missing ”. When an attack is detected as an operation in a certain terminal (for example, the setting is changed), the terminal that issued the attack may be the same as the terminal that was attacked.

  The attack A5 that will occur in the future may be notified as the detection result 301 after 10 days, for example. Alternatively, instead of waiting for the detection result 301, the attack determination unit 107 may periodically detect the attack A5 by calling the log search function f and detecting the trace of the attack from the log. Then, when the last attack A5 is detected, the fact that a cyber attack according to the attack scenario has occurred is output to the output unit 109, and the output unit 109 outputs the determination result 310 to the outside of the security log analyzer 100. May be. At this time, the attack determination unit 107 assumes that a cyber attack has occurred in accordance with the attack scenario for the set of the detection result 301 (the original information of the detection information 202), the already detected result 304, and the attack scenario 204 that has been processed. The determined date and time and a mark (flag) “processed” are given. When the attack A5 is not detected, only a mark (flag) “processing” is given.

  In the above example, the information of the attack that has already been detected is given from the outside of the security log analyzer 100 as the already detected result 304, but the detection result 301 (detection information) given after the security log analyzer 100 starts operating. 202) may be stored in the attack determination unit 107 (as the already detected result 304). In such an operation, the already detected result 304 may not be given from the outside of the security log analyzing apparatus 100. If given, the attack determination unit 107 may discard the existing detection result 304 given from the outside of the security log analysis apparatus 100 and use the stored previous detection result 304. The processing when the detection result 301 stored by the attack determination unit 107 is used (as the stored detection result 304) is replaced with the detection result 301 stored in the above description. Further, the attack determination unit 107 may store all the determination results 216 detected by the attack determination unit 107 as the already detected results 304.

  In the above example, IPS is used as an example of the security countermeasure means, but other security countermeasure means such as a firewall, anti-virus software, a security server, etc. may be used.

  In the above example, only one attack (attack A3) of the attack scenario 204 has not occurred, but when a plurality of attacks of the attack scenario 204 have not been found, an attack determination unit for finding traces of the attack A3 The processing of 107 may be applied to each attack that has not been discovered. For example, the attack scenario 204 is “attack A 1 ′ → A 2 ′ → A 3 ′ → A 4 ′ → A 5 ′ → A 6 ′ → A 7 ′”, and based on the detection result 301 input to the security log analyzer 100, this attack It is assumed that the scenario 204 is extracted. It is assumed that the currently detected attacks are an attack A1 ', an attack A4', an attack A5 ', and an attack A6' based on the already detected results 304 and the detected results 301. At this time, the same process as the process performed by the attack determination unit 107 for the attack A3 in the above example is performed for each of the attack A2 'and the attack A3'. Alternatively, for example, in the attack scenario 204, it is assumed that the currently detected attacks are the attack A2 ', the attack A3', and the attack A5 'based on the already detected result 304 and the detected result 301. At this time, the same processing as the processing performed by the attack determination unit 107 for the attack A3 in the above example is performed for each of the attacks A1 'and A4'. When searching retroactively like the attack A1 ′, the search period (for example, m days) is held in the attack determination unit 107 in advance, and the retroactive search is performed for m days before the occurrence of the attack A2 ′. That's fine.

  In the above example, the attack scenario search unit 103 searches for an attack scenario 204 including an attack corresponding to the detection information 202 based on the detection result 301. Here, it is assumed that “information indicating an attack such as an attack ID, attack type, and vulnerability ID of the detection result 301 newly received by the security log analysis apparatus 100 and attack source information / attack destination information” are the same detection result 301. Alternatively, it is assumed that the already detected result 304 is already stored in the security log analysis apparatus 100. Further, when there is an attack scenario 204 that is “in process” in the attack determination unit 107, an attack that has already been notified to the security log analysis apparatus 100 and has been processed for detection according to the attack scenario 204 is “repeat”. It may be determined that it has occurred and ignored. In this determination, the attack determination unit 107 stores the input detection information 202 (information based on the detection result 301), the already detected result 304, and the attack scenario 204 being processed corresponding to these as a set, When the flag “processing” is given and the detection result 301 is newly given and input to the attack determination unit 107 as detection information 202, the determination may be made using this stored information.

  When searching the log, if it is known in advance that a specific attack is recorded in the specific log, the log information recorded in the “other information” of the countermeasure information 404 of the attack scenario element Ai Information may be included. For example, for the attack A2, the information for searching the IPS log and the proxy log is “LogToBeInspected = IPS, Proxy”, or more specifically, including the identification number of the device in which the log is recorded, “LogToBeInspected = IPS — 1234 , Proxy — 5678 ”may be included in“ other information ”of the countermeasure information 404. The attack determination unit 107 calls the search function f using this information as a parameter.

  When searching the log, if it is known in advance which search function f should be called for a specific attack, information on the function to be used in the “other information” of the countermeasure information 404 of the attack scenario element Ai May be included. For example, for attack A2, information that f1 and f2 are used may be included in the “other information” of the countermeasure information 404 in the form of “UseFunction = f1, f2.” The attack determination unit 107 uses a function designated in accordance with this information.

  In this embodiment, if “NO” in S26 of FIG. 7 and “YES” in S28 of FIG. 7, the process of S29 of FIG. 7 is omitted, but if there is an undetected attack Ak, The log may be analyzed by necessarily executing the process of S29 in FIG.

  As described above, in the present embodiment, the log database 114 stores a log of a computer system (that is, a computer system to be monitored) provided with a detection device (for example, IPS) that detects an attack. The attack scenario database 111 stores an attack scenario 204 that defines a plurality of attacks targeting the computer system and the order of the plurality of attacks. The related attack extraction unit 104 has not yet been detected by the detection device among a plurality of attacks (for example, attacks A1 to A5) defined in the attack scenario 204 stored in the attack scenario database 111. An attack (for example, attack A3) prior to at least one attack (for example, attack A4) in which the order defined in the scenario 204 has already been detected by the detection device is extracted. The attack determination unit 107 analyzes the log stored in the log database 114 to determine whether or not the computer system was subjected to the attack extracted by the related attack extraction unit 104. It is determined that an attack detection failure has occurred. Therefore, according to the present embodiment, for example, even if an attack detection failure occurs in IPS, the attack can be detected by analyzing the log along the attack scenario 204. It is possible to reduce detection omissions.

  In the present embodiment, the security countermeasure database 112 stores information indicating security countermeasures implemented for the detection device. In the attack scenario 204 stored in the attack scenario database 111, security measures corresponding to each of a plurality of attacks on the computer system are defined. The attack determination unit 107 refers to the information stored in the security countermeasure database 112 and corresponds to the attack extracted by the related attack extraction unit 104 defined in the attack scenario 204 stored in the attack scenario database 111. If it is determined whether security measures are being implemented for the detection device and it is determined that security measures are being implemented, if it is determined that the computer system has been attacked by the related attack extraction unit 104, It is determined that an attack detection failure has occurred in the detection device. For this reason, according to the present embodiment, for example, when an attack detection failure occurs, it is possible to determine whether or not the attack has occurred in IPS.

  In the present embodiment, the inventory database 113 stores a plurality of computers included in the computer system and information indicating security measures implemented for each of the plurality of computers. In the attack scenario 204 stored in the attack scenario database 111, a computer targeted for each of a plurality of attacks on the computer system and a security measure corresponding to each of the plurality of attacks are defined. The attack determination unit 107 refers to the information stored in the inventory database 113, and defines the security corresponding to the attack extracted by the related attack extraction unit 104 defined in the attack scenario 204 stored in the attack scenario database 111. The log stored in the log database 114 when it is determined whether the countermeasure is defined in the attack scenario 204 and the attack is being performed on the target computer. Analyze. Therefore, according to the present embodiment, for example, when there is no (or low) possibility of an attack, by omitting the process of analyzing the log to confirm whether or not an attack detection omission has occurred. , Efficiency can be improved.

  Further, in the present embodiment, when the attack determination unit 107 analyzes the log stored in the log database 114, among the multiple attacks defined in the attack scenario 204 stored in the attack scenario database 111, The attack (for example, attack A2) immediately before the attack (for example, attack A3) that has already been detected by the detection device and whose order defined in the attack scenario 204 is extracted by the related attack extraction unit 104 is selected. The log is analyzed for a period after the time when the computer system receives the identified attack. For this reason, according to this Embodiment, since the range made into an analysis object by a log can be limited, efficiency can be improved.

  In the present embodiment, the security log analysis apparatus 100 detects the occurrence of an attack by log analysis for an attack that may have occurred but has not been detected based on the attack scenario 204 and information on the attack that has already been detected. Existence can be checked, and detection omission due to existing security measures can also be determined. By using this determination, the administrator of the organization that performs security measures can determine whether or not an attack that may have occurred but has not been detected has actually occurred. In this case, it is possible to obtain information on deficiencies in existing security measures, and to review existing security measures.

Embodiment 2. FIG.
In the present embodiment, differences from the first embodiment will be mainly described.

  In the first embodiment, the security log analysis apparatus 100 refers to “information of currently applied security countermeasure means (IPS as an example in the first embodiment)” stored in the security countermeasure database 112. Then, according to the attack scenario 204, an attack that should have already occurred but has not yet been detected (an attack A3 as an example in the first embodiment) is “detected” in the “currently applied security measure”. (Fig. 7).

  In this embodiment, the attack determination unit 107 checks whether the security countermeasure device (such as IPS) or software supports (can detect) vulnerability or attack information that has already been released to the world, and has already occurred. Determine whether or not the security countermeasure device can handle the attack that should have been done, and conduct more detailed log analysis.

  FIG. 11 is a block diagram showing a configuration of the security log analysis apparatus 100 according to the present embodiment.

  In FIG. 11, the attack determination unit 107 inputs public vulnerability information 321 and attack information 322 from the outside of the security log analysis apparatus 100.

  The public vulnerability information 321 is software vulnerability information published by NVIST (National Vulnerability Database) of NIST (National Institute of Standards and Technology). This vulnerability information is generally given a vulnerability identification number. For example, CVE (Common Vulnerabilities and Exposures) numbers. The public vulnerability information 321 is composed of one or more types of vulnerability information (entries).

  The attack information 322 may be “attack in which damage has already been reported by an attack that exploits the public vulnerability information 321” or “an attack that has not been reported yet but exploits the public vulnerability information 321. Information on “expected attacks”. The attack information 322 is composed of one or more types of information (entries) identified by the attack ID. Further, in order to identify vulnerabilities exploited in attacks, the attack information 322 is generally assigned a vulnerability identification number (for example, a CVE number). The attack information 322 is provided from a service or the like that discloses security information.

  Further, the attack determination unit 107 inputs attack response information 323 that is information on response to an attack in a security countermeasure vendor (not shown) (security countermeasure device (such as IPS) or software vendor).

  The attack response information 323 is information on response (detection / protection) to an attack, such as an IPS signature and anti-virus software pattern file information. The attack response information 323 includes an identifier (for example, CVE number) of the public vulnerability information 321 that is exploited by an attack to be handled (detected / defended). Moreover, the attack ID of the target attack may be included. The attack response information 323 includes one or more types of information identified by the countermeasure ID.

  Next, processing of the attack determination unit 107 will be described.

  The attack determination unit 107 determines from the input public vulnerability information 321, attack information 322, and attack response information 323 whether security measures can cope with the publicly disclosed attack as follows. .

  The attack determination unit 107 extracts one entry of the public vulnerability information 321 or the attack information 322, and the vulnerability identification number described (for example, CVE number = xxx) is the same in the entry of the attack response information 323. Check for items that contain numbers. If there is an entry including this number, it is determined that CVE number = xxx can be protected by security measures (for example, IPS). The attack determination unit 107 checks whether the vulnerability identification number (for example, CVE number = xxx) included in the entry of the attack response information 323 is included in all entries of the public vulnerability information 321 or the attack information 322. Thus, it is determined whether or not all the public vulnerability information 321 or attack information 322 can be handled by security measures (for example, IPS).

The attack determination unit 107 classifies the entries of the public vulnerability information 321 and the attack information 322 into the following through the above processing.
Security countermeasure correspondence information (not shown): An entry of public vulnerability information 321 or attack information 322 that can be dealt with by the adopted security countermeasure means (for example, IPS).
Security countermeasure non-corresponding information (not shown): An entry of public vulnerability information 321 or attack information 322 that cannot be handled by the security countermeasure means employed (for example, IPS).

  The attack determination unit 107 performs this classification before performing the process of S24 of FIG.

  Next, the attack determination unit 107 executes the process of FIG. 6 and performs the process of FIG. 7. At this time, in S24 of FIG. 7, it is checked whether or not the attack Ak is included in the security countermeasure correspondence information. For the attack Ak, the vulnerability ID (for example, the CVE number) is included in the attack identification information 401 of the attack scenario element Ai. Therefore, it is only necessary to check whether this vulnerability ID is included in the security countermeasure correspondence information. If it is not included (or if the vulnerability ID is included in the security countermeasure non-compliant information), it can be determined that the security countermeasure (for example, IPS) is not compatible in the first place.

  If the attack Ak is included in the security countermeasure correspondence information, in S24 of FIG. 7, the countermeasure against the attack Ak is taken (for example, the signature applied to the IPS) as in the processing of the first embodiment. Check if the measure is taken. If no countermeasure has been taken, the security countermeasure vendor responds to the attack Ak as the security countermeasure correspondence information (for example, provides an IPS signature), and therefore corrects the security countermeasure (for example, updates the IPS signature). Is necessary for the output unit 109 as warning information 324, for example, an attack Ak number (for example, attack ID or vulnerability ID = CVE number) and security countermeasure correction (for example, an IPS signature) A message recommending (update) is output. Furthermore, this situation is because the security measure (for example, IPS) is not properly operated (for example, because the signature of the IPS is not updated), and the attack Ak is not detected. Since there is a high possibility that it has occurred (that is, overlooked), the number of log search functions f to be called in S29 of FIG. 7 is increased, or the parameters given to the functions are searched in more detail. Examine the log.

  The parameters to be given to the log search function f may be stored in advance as a set value in the attack determination unit 107. For example, when it is determined in S24 in FIG. In addition to f_1, f_2, and f_3 that are called by default, it may be defined that f_4, f_5, and f_6 are called. Alternatively, a parameter passed to f_1, f_2, and f_3, for example, p = 10 (for example, a parameter that specifies the sensitivity of detection of an attack trace by log search) may be increased to p = 20. Alternatively, when the log type of the search destination is specified as a parameter to be passed to f_1, f_2, and f_3, the search may be performed throughout the range by adding a log to be searched.

  In other words, in situations where security measures need to be corrected, there is a possibility that an attack has been missed and there is a high possibility that traces of the attack remain in various logs. To strengthen.

  On the other hand, if the attack Ak is not included in the security countermeasure correspondence information, it can be determined that the security countermeasure (IPS) cannot respond to the attack Ak in the first place. In this case, the specified log search may be left as it is, or the log search may be strengthened as described above.

  As described above, in this embodiment, the attack scenario 204 stored in the attack scenario database 111 defines vulnerabilities used by each of a plurality of attacks on the computer system to be monitored. The attack determination unit 107 accesses an external system that discloses information related to the vulnerability, and is used by the attack extracted by the related attack extraction unit 104 defined by the attack scenario stored in the attack scenario database 111. It is determined whether or not information related to the vulnerability is disclosed by the external system. When it is determined that the information is disclosed, the log stored in the log database 114 is analyzed.

  In the present embodiment, by comparing the public vulnerability information 321 and the attack information 322 with the attack response information 323, it is possible to respond (detect / protect) an attack existing in the world with the security measures currently used. As a result, the attack determination unit 107 checks in advance, and as a result, “the security countermeasure vendor supports the attack”, but “the security countermeasure is not applied in the operational environment (the security countermeasure needs to be corrected)”. In this case, the log search is performed in detail because there is a possibility of detection omission due to security measures. This process has the effect of increasing the chance of detecting from the log attacks that may have occurred but have not been detected. In addition, an attack that “security measures are not supported” has an effect that it is possible to proceed with a specified log search or to perform a search in detail.

Embodiment 3 FIG.
In the present embodiment, differences from the first embodiment will be mainly described.

  In the process of FIG. 7, when communication occurs for the attack Ak, for example, a trace of the communication may remain in the proxy log. Therefore, the attack determination unit 107 searches for proxy logs as follows.

  For example, when the attack A1, the attack A2, and the attack A4 are detected in the first embodiment, the attack target terminal may be specified from the information. For example, if the detected security measure is IPS, the identifier (for example, IP address) of the attack destination terminal is recorded in the detection alert (log).

  Further, as one of the security measures, when suspicious communication is analyzed from the proxy log and an attack is detected, the identifier of the terminal that is performing suspicious communication is specified.

  As one of the security measures, when a terminal whose security setting has been changed is detected by examining the audit log of the terminal, the attack source is specified instead of the attack destination depending on the type of attack. For example, if a terminal is infected with malware, the security setting of the terminal is changed, and if the proxy log analysis detects unauthorized communication from the terminal, that terminal becomes the source of the attack .

  In these cases, the presence or absence of a website to be accessed for the first time is investigated in the terminal specified as the attack destination (original). This means that if the corresponding terminal is infected with malware, etc., it accesses a website (Command & Control (C & C) server) controlled by an attacker on the Internet, receives instructions, and leaks information. This is because the website is often a website that the terminal has not accessed before (although not necessarily).

Therefore, the attack determination unit 107 searches the proxy logs stored in the log database 114 via the log search unit 108, obtains the host names of websites accessed during a certain period, and creates a list thereof. (Past access host name list (not shown)). The certain period may be an arbitrary period, but here, since access to a website that has not been accessed in A3 is examined, it is preferable that the period be before the attack A2. Then, the log search function f processes as follows.
・ Parameters given:
(1) Log search period (from the occurrence date and time of attack A2 to n hours later)
(2) Attacker (original) terminal identifier (eg, IP address)
(3) Log information to be searched (for example, proxy log identifier)
(4) List of host names of websites accessed during a certain period of attack (source) terminal (past access host name list)
・ Process: Search the log entry corresponding to the identifier of the attack destination (original) terminal in (2) from the log specified in (3), and access in the searched log entry It is checked whether or not the host name of the previous web server is in the list of host names in (4). If it is not in the list, it is added to the first access host name list (not shown).

  As described above, the log search function f can obtain the host names of websites accessed for the first time by the terminal specified in (2) during the period when the attack A3 will occur in the first access host name list. .

  Next, the first access host name list is checked for suspicious websites by web reputation (a service for determining whether or not a website is suspicious). There are services that provide web reputation online. Using such services, the host names listed in the first access host name list are investigated one by one for suspiciousness. In this investigation, u web reputation services are used, and v or more are suspicious and the host name is determined to be suspicious. When the web reputation service returns the determination result as a score, it may be determined to be suspicious if the sum of the determination results of the u services is greater than or equal to w. Further, if the web reputation service provides reputation information on a medium such as a CD (Compact Disc) in addition to online, the web reputation service may be used for determination.

  In the web reputation service, the country / region / period in which the host of the host name is located may be presented together with the determination result. A blacklist of the country / region where the host is located is created in advance, and if the location is listed in this blacklist as a result of web reputation, it may be determined that the host is suspicious (where the host is located). Or online services that only look up information such as who is managing them, and so on.) Alternatively, a black list of host names may be created, and a suspicious determination may be made when this is the case. Alternatively, a white list of host names may be created, and it may be determined as suspicious when the host name does not fall under this.

  As a result of the above determination, if y or more of x host names in the first access host name list are determined to be suspicious, it may be determined that an attack has occurred.

  The following determination may be added to the above-described attack determination.

  For one host name in the first access host name list, it is determined that an attack has occurred when it is accessed r times or more in q hours during the log search period (or any period exceeding that period) in (1). May be. Further, when the access method is random, it may be determined that an attack has occurred, and the access method may be periodic. Such a random or periodic access method may be determined using a known determination method.

  In addition, by setting the list of host names of websites accessed during a certain period of time (4) to NULL, the function f processing allows (1) from the log specified in (3). ), The log entry corresponding to the identifier of the attack destination (original) terminal in (2) is searched, and the host name of the website of the access destination in the searched log entry is all the first access host name Add to list. In this way, it may be determined whether or not all websites are suspicious regardless of whether or not the website is the first access website.

  As described above, in the present embodiment, the computer system to be monitored is provided with a relay device (for example, a proxy server) that relays communication between a plurality of computers included in the computer system and the outside. The attack determination unit 107 analyzes at least the log of the relay device among the logs stored in the log database 114 to determine whether or not the computer system has been attacked by the related attack extraction unit 104 .

  As described above, in the present embodiment, in the period between the attacks that have already occurred, when the occurrence of another attack is considered due to an attack scenario or the like, the website accessed during that period is suspicious. By using the web reputation service to determine whether it is an access, it is possible to determine that a suspicious site has been accessed as a result of an attack that has already occurred, and as a result, it is possible to determine that another attack has occurred. .

Embodiment 4 FIG.
The difference between the present embodiment and the third embodiment will be mainly described.

  In the third embodiment, the search function f for searching the proxy log is used. However, in this embodiment, the search function f for searching the log in the terminal is used.

  When the occurrence of the attack A1, the attack A2, and the attack A4 is confirmed, for example, in the attack destination / original terminal, the operation of the terminal due to the attack that occurs following the occurrence of the attack A1 and the attack A2 may occur. For example, a process operation, a file operation, a setting operation (search / change), an account operation, and a log operation occur. There is software that monitors these behaviors and outputs them to a log. In such software, a log in which all these behaviors are recorded is referred to as a terminal behavior log (not shown).

The attack determination unit 107 searches the log accumulated in the log database 114 via the log search unit 108, checks the terminal behavior log observed for a certain period in the corresponding terminal, and checks for suspicious behavior. For this purpose, the following log search function f is used.
・ Parameters given:
(1) Log search period (until n hours after the date of occurrence of attack A2 or from the date of occurrence of attack A2 to the date of occurrence of attack A4)
(2) Attacker (original) terminal identifier (eg, IP address)
(3) Log information to be searched (for example, identifier of terminal behavior log)
(4) Suspicious process operation criterion, Suspicious file operation criterion, Suspicious setting operation criterion, Suspicious account operation criterion, Suspicious log operation criterion, Suspicious access criterion / Process: Terminal behavior log specified in (3) From the search period specified in (1), an entry corresponding to the identifier of the attack destination (original) terminal in (2) is searched, and in the searched log entry (investigation target log entry), in (4) Check if there is something that meets the criteria.

  The suspicious process operation criteria will be described.

  For example, a normally activated process is included in the suspicious process operation criterion as a white list, and if there is a process name activated in the log entry to be investigated, it is checked whether there is a name in this white list. If there is no match, it is determined that the process is suspicious. Alternatively, the suspicious process name may be included in the suspicious process operation determination criterion as a black list in advance, and if there is a process name activated in the investigation target log entry, it may be determined that the suspicious process is activated.

  The suspicious file operation criteria will be described.

  For example, if v files are “copied” within a certain u time, the judgment condition for judging suspicious is included in the suspicious file operation judgment criteria, and there is a file operation satisfying this condition in the investigation target log entry. For example, it is determined that a suspicious file operation has occurred. Alternatively, in the above judgment condition, the “copy” portion may be replaced with “file name change”, “new file created under system folder of operating system”, or the like. Further, when any of a plurality of determination conditions is satisfied, or when an arbitrary combination of a plurality of determination conditions is satisfied, it may be determined that the file operation is suspicious.

  The suspicious setting operation judgment criteria will be described.

  For example, a determination condition for determining suspiciousness when “addition, deletion, or change of a specific setting value” occurs in x operating systems (or applications) within w hours is included in the suspicious setting operation determination criterion. If there is a setting operation that satisfies this condition in the investigation target log entry, it is determined that a suspicious setting operation has occurred. Examples of “change / addition of specific setting values” include addition / change of an application that automatically starts when the operating system is started, addition of a trusted digital certificate, and the like. In addition, the permitted conditions may be relaxed, such as permitting a specific transmission source in a local firewall, or permitting access to a specific port or protocol. Conversely, in the local firewall, specific communication may be blocked, such as blocking the anti-virus software from communicating with the outside for the update of the pattern file. An example of “deletion of a specific setting value” includes deletion of transmission source information blocked by a local firewall.

  The suspicious account operation criteria will be described.

  For example, as a suspicious account operation judgment criterion, a judgment condition for judging suspicious when r “specific account operations” occur within q hours is included in the suspicious account operation judgment criterion, If there is an account operation that satisfies this condition, it is determined that a suspicious account operation has occurred. Examples of “specific account operations” include adding a high-privileged account, elevating the authority of an existing account, reducing the number of password locks, and failing authentication.

  The suspicious log operation judgment criteria will be described.

  For example, a judgment condition for judging suspicious when t “specific log operations” occur within s time is included in the suspicious log operation judgment criteria, and a log operation satisfying this condition in the log entry to be investigated is included. If there is, it is determined that a suspicious log operation has occurred. Examples of “specific log operations” include browsing, deleting, and changing security audit logs.

  The suspicious access criteria will be described.

  For example, if b “specific access” occurs within a time period “b”, a determination condition for determining suspiciousness is included in the suspicious access determination criterion, and if there is an access satisfying this condition in the investigation target log entry, Judge as suspicious access. Examples of “specific access” include a local firewall log with a network scan denial log, an access to a specific folder resulting in a deny log, or an authentication error. There is.

  In the log search function f, any one of these determination criteria may be selected for the suspicious process operation determination criterion, the suspicious file operation determination criterion, the suspicious setting operation determination criterion, the suspicious account operation determination criterion, the suspicious log operation determination criterion, and the suspicious access determination criterion. If only one suspicious is determined, it may be determined that an attack has occurred. Alternatively, it may be determined that an attack has occurred when it is determined that there are z or more determination criteria as suspicious. Further, the determination criteria of (4) given to the log search function f may be all or some of them.

  Further, the target of examining the terminal behavior log may be not only the terminal of the attack source (destination) but also other terminals accessible from the terminal via the network, such as a PC, a file server, a database server, etc. It may be a server. In this case, other terminals accessed by the attacking source (destination) terminal after the date and time of occurrence of the attack A2 may be determined by examining the network log or logs of other terminals. For example, a flow log generated by a router, which is a type of network log, records when and which terminal has accessed which terminal, and a terminal's local firewall log accesses a remote terminal. Recorded records and memories accessed from remote terminals remain. Therefore, from these logs, not only the terminal of the attack source (destination) but also other terminals accessible from the terminal via the network may be examined.

  In addition, for each terminal behavior log, individual logs may be output for each behavior. In this case, the corresponding function f may be applied to each log.

  As described above, in the present embodiment, the attack determination unit 107 analyzes the log of at least one computer included in the computer system to be monitored among the logs stored in the log database 114, and It is determined whether or not the computer system has been attacked by the related attack extraction unit 104.

  As described above, in the present embodiment, in the period between attacks that have already occurred, the occurrence of another attack is considered by an attack scenario or the like, and the attack is not detected by IPS or the like As a result of an attack that has already occurred, it is determined whether or not suspicious behavior has occurred in the terminal behavior log for the attack source (destination) terminal or other terminals accessible from that terminal during that period. Therefore, it is possible to determine that another behavior has occurred, and from this, it is possible to determine that another attack has occurred.

Embodiment 5 FIG.
In the present embodiment, differences from the first embodiment will be mainly described.

  FIG. 12 is a table showing an example of the score 405 of the attack scenario 204.

  As shown in FIG. 12, in the present embodiment, a score 405 representing the degree of risk of the attack is assigned to the attack scenario element Ai constituting the attack scenario 204. The attack determination unit 107 has already obtained the attack scenario 204 corresponding to the attack given by the detection result 301 or the already detected result 304 via the attack scenario search unit 103. Therefore, the attack determination unit 107 can obtain the score 405 for the attack given by the detection result 301 or the already detected result 304 from the attack scenario 204. Furthermore, the attack determination part 107 adds those scores 405 together.

  Here, the attack scenario 204 is “attack A1 → attack A2 → attack A3 → attack A4 → attack A5”, and as in the example described in the first embodiment, attack A1, attack A2, attack A4 Is detected. At this time, the total score 405 is S = 30 + 10 + 10 = 50 points.

  In the case where it is determined that a cyber attack has occurred when the total S of detected scores is equal to or greater than the threshold value m = 90 points (4/5 of the maximum 100 of the total S), as a result of the processing of FIG. Suppose that it was not detected. In that case, if an attack A5 occurs, only 20 points are added, and S = 70 points <m, and even if 4 out of 5 attacks are detected, it is not considered that a cyber attack has occurred. Therefore, when the attack A3 is not detected as a result of the processing of FIG. 6, the threshold value m is lowered to 70 points. Alternatively, the score 405 of attack A5 is changed to 50 points. Alternatively, 30 points are added to 50 points, which is the total S of the current score 405. In this way, even if the attack A3 is not detected from the log, the determination criterion is dynamically changed so that it can be determined that a cyber attack has occurred when the attack A5 is detected.

  If an attack with a high score 405 (for example, attack A3 is 30 points) is not searched, it is dangerous to overlook the occurrence, and in this case, the attack determination unit 107 dynamically sets the log search function f as Change the settings to increase the sensitivity of detection by adding a different function from the specified function and calling it, or changing the specified parameter given to the log search function f. Log detection may be enhanced dynamically.

  Further, in the security countermeasure information 500, when it is known by the security countermeasure that the likelihood of occurrence of detection omission and the possibility of occurrence of erroneous detection is known, the accuracy is taken as the detection omission accuracy Fn and the error detection accuracy Fp. It adds to the information 504. For example, in IPS, a detection failure occurs when signature update is delayed, and when an attack is detected by behavior detection, a normal behavior may be erroneously detected. May be added to

  Here, it is assumed that the detection omission probability Fn is given in the countermeasure presence / absence information 207 input to the attack determination unit 107. In this case, the attack determination unit 107 determines the cyber attack in the attack scenario 204 by dynamically reducing the attack score 405 corresponding to this countermeasure.

  For example, the score 405 is set to 30 points for an attack A3 that should have been detected in accordance with the attack scenario 204 and has not been detected yet. The attack A3 is determined to be detectable by the countermeasure presence / absence information 207 (by the attack identification information 401 that is information for identifying the attack A3 and the corresponding security countermeasure information 500), but is not actually detected, It is assumed that the detection omission probability Fn = 50% in the countermeasure presence / absence information 207. This means that detection failure occurs with a probability of 50%. Therefore, the cyber attack is determined by dynamically subtracting the threshold value m = 90 points from (30 points + 10 points + 30 points × 50% + 10 points + 20 points) × 4/5 = 68 points.

  Further, instead of subtracting the threshold value m, the attack determination unit 107 dynamically adds the log search function f to the specified function and calls it, or changes the specified parameter given to the log search function f. The setting may be changed so that the detection sensitivity becomes higher, and the detection by the log search of the attack having a high score 405 may be strengthened. For example, if the detection omission probability Fn = 50%, the type and number of f to be called are doubled, or the parameters are adjusted so that the sensitivity of the function f is doubled. In other words, because the countermeasure in the countermeasure presence / absence information 207 causes a detection failure with a probability of 50%, the detection of A3 by the log search function f may be dynamically detailed.

  Further, for example, when the attack determination unit 107 detects that the attack A2 has been detected based on the already detected result 304, the attack determination unit 107 determines whether the attack A2 has been detected by the security measure search unit. It can be known from the countermeasure presence / absence information 207 obtained from the security countermeasure database 112 via 105. For example, by inputting the attack ID included in the detected result 304 as the related attack information 205 to the security countermeasure search unit 105, a security countermeasure that can be taken against this attack ID is searched (the security countermeasure information 500 includes Attack identification information 501 is included, and this information includes an attack ID). As a result, the attack determination unit 107 obtains the countermeasure presence / absence information 207, and it is assumed that this information includes the erroneous detection accuracy Fp. Here, it is assumed that the false detection accuracy Fp = 50%. This means that when attack A2 is detected, it is a false detection with a probability of 50%. In this case, the attack determination unit 107 calls the log search function f for this attack A2 and searches the log for the occurrence of the attack A2. If a search is made, it is determined that the detection of attack A2 is not a false detection. That is, when the attack A2 is detected by countermeasures such as IPS indicated by the countermeasure presence / absence information 207 and the countermeasure is 50% false detection, the log search function f is called to trace the attack A2 from other logs. If it is found, it is detected by countermeasures such as IPS, and since traces of attacks are found from other logs, it is determined that there is no false detection.

  The method of calling the function f is, for example, if the false detection accuracy Fp = 50%, for the function f that detects the attack A2, the type and number of calls f are doubled, or the sensitivity of the function f is doubled. Adjust the parameters as follows.

  In order to determine whether the log search function f is called to search the log when the number is more than the rule for dynamically changing the threshold value of the total value of the score 405, the detection failure probability Fn, and the false detection probability Fp. The threshold value may be stored in advance in the security log analysis apparatus 100.

  As described above, in this embodiment, in the attack scenario 204 stored in the attack scenario database 111, a score (that is, a score 405) is set for each of a plurality of attacks on the computer system to be monitored. . The attack determination unit 107 selects all attacks (for example, attacks) that have already been detected by the detection device provided in the computer system from among a plurality of attacks defined in the attack scenario 204 stored in the attack scenario database 111. A1, attack A2, and attack A4) are identified, and whether or not the attack scenario 204 has been executed based on the comparison result of the total number of points set for the identified attack and the threshold value in the attack scenario 204 Determine.

  Further, in this embodiment, when the attack determination unit 107 determines that an attack detection failure has occurred, at least one of the score set in the attack scenario 204 stored in the attack scenario database 111 and the above threshold value is used. To adjust.

  As described above, in the present embodiment, when the occurrence of a cyber attack is detected from the score 405 based on the occurrence of an attack according to the attack scenario 204, the attack does not occur as in the attack scenario 204 Is to dynamically lower the threshold for judging the occurrence of a cyber attack, dynamically change the assigned score, add a log search function to be called, or change the sensitivity of parameters that determine the attack Thus, even if there is an attack that does not occur as in the attack scenario 204, a cyber attack can be detected. Also, if the accuracy of occurrence of detection omissions and false detections is known in advance by security measures, the information may be added to the security measures information, and by using these information, detection may be leaked by security measures For potential attacks, detection by the log analysis function f is detected from the log to reduce detection omissions. For attacks that have already been detected, the log analysis function f is used to detect the attack from the log. There is an effect that can be determined.

Embodiment 6 FIG.
In the present embodiment, differences from the first embodiment will be mainly described.

  In the present embodiment, a predetermined search timing is changed in accordance with the attack detection status with respect to the log search timing.

  In the example used in the description of the first embodiment, the attack scenario 204 is “attack A1 → attack A2 → attack A3 → attack A4 → attack A5”. The detected attacks are attack A1, attack A2, and attack A4, and an attempt to detect the occurrence of attack A3 by searching the log. For the attack A5 that will occur in the future, for example, it may wait for notification as the detection result 301 after 10 days, but instead of waiting for the detection result 301, the attack determination unit 107 periodically The attack may be detected by calling the log search function f and searching the trace of the attack from the log. The detection by the search may be performed in parallel with the detection by the log search by the attack determination unit 107 for the attack A3 (an attack that may have already occurred in accordance with the attack scenario 204). .

  At this time, with respect to an attack A5 that may occur in the future, it is stored in advance in the security log analysis device 100 whether to wait for the detection result 301 or whether to detect the log by the log search function f. (Stored in the attack determination unit 107 and the like). For example, if the period of waiting for the occurrence of the next attack from an attack with the attack scenario 204 is stored as “every 30 days”, the period of waiting for the detection result 301 for the attack A5 is 30 days after the detection of the attack A4. Become. Further, the log search timing is 30 days after the detection of the attack A4 (searches the logs for 30 days after the detection of the attack A4). If the search timing for searching for the attack A5 from the log is stored as “search every 10 days and do it until the 30th”, the log search timing for the attack A5 is detected after the attack A4 is detected. It is the 10th day (search for 10 days elapsed from the previous search), the 20th day (search for 10 days elapsed from the previous search), and the 30th day (search for 10 days elapsed from the previous search).

  However, when the detection of the occurrence of an attack that may occur in the future is performed according to the period stored in the security log analysis apparatus 100 for the attack scenario 204 as described above, the period for waiting for the detection result 301 or the log is searched. For example, when an attack occurs after the “last” of the timing exceeds one day, for example, an attack according to the attack scenario 204 is not searched, so it is determined that no cyber attack according to the attack scenario 204 has occurred. .

  In this embodiment, regarding a period of waiting for the detection result 301 and a timing for searching the log, if an attack is not detected (by the detection result 301 or log search) even after waiting for a predetermined date and time, In addition, the time to wait for the attack and the timing to search the log are extended. Hereinafter, in the description of the present embodiment, “attack detection” means that there is a detection result 301 or that an attack is detected by log search.

  In this embodiment, a period T for waiting for the prescribed “attack detection” is determined, and if an attack is not detected after this period, it is extended to wait for “attack detection”. A period TEXT is determined. Further, the number of times of extension n is determined and stored in the security log analyzer 100. For example, T = 30 days, TEXT = 10 days, and n = 3 times.

  By doing in this way, even if 30 days (T = 30 days) after the occurrence of the attack A4, the attack A5 is not notified by the detection result 301, and if the trace of the attack is not searched even by log search, then 10 Similarly, the notification of the detection result 301 is waited for one day. Alternatively, after 10 days, an attack is detected by searching a log of differences from the previous search.

  If no detection is made, the notification of the detection result 301 is waited for another 10 days. Alternatively, after 10 days, an attack is detected by searching a log of differences from the previous search.

  If no detection is made, the notification of the detection result 301 is waited for another 10 days. Alternatively, after 10 days, an attack is detected by searching a log of differences from the previous search.

  As a result, when there is no “attack detection”, it is determined that a cyber attack according to the attack scenario 204 has not occurred.

  Further, when the score 405 is given to the attack scenario element Ai of the attack scenario 204 as in the fifth embodiment, the total score 405 for the detected attacks (for example, the attack A1, the attack A2, and the attack A4). If S is lower than the threshold value M for determining the occurrence of a cyber attack, that is, if it is not yet determined as a cyber attack detection, it is determined that the possibility of an attack according to the attack scenario 204 is low, and the attack A5 The period of waiting for the detection of the attack may be shortened.

For example, when S <M, the saved T = 30 days, TEXT = 10 days, and n = 3 times may be reduced to TEXT = 5 days or may be reduced to n = 1 time. Conversely, if S> M, the criterion for determining the occurrence of a cyber attack has already been satisfied, and the possibility of the occurrence of attack A5 is high, so that the stored T = 30 days, TEXT = 10 days, n = In three times, TEXT = 20 days may be increased, or n = 6 times may be increased. Both TEXT and n may be changed. The rules may be stored in the security log analysis apparatus 100. For example,
T = 30 days, TEXT = 10 days, n = 3 times M = 80
if “S> M” then “TEXT = 20 days”
if “S <M” then “TEXT = 5 days”
And set. Or, for example,
T = 30 days, TEXT = 10 days, n = 3 times M = 80
if “S> M” then “n = 6 times”
if “S <M” then “n = 1”
And set. In this way, if the rules are stored in the security log analysis device 100, the attack determination unit 107 can read these values and execute the processing.

  Moreover, the rule which reversed the magnitude relationship of said S and M may be sufficient. Further, in the above-described magnitude relationship between S and M, a coefficient (for example, 0.8) may be multiplied by M to determine what percentage of M is compared with the magnitude of S.

Alternatively, a threshold m may be set for the value (s) of the score 405 of the attack A5 (the next attack that will occur), and a similar rule may be described. For example,
T = 30 days, TEXT = 10 days, n = 3 times m = 20
if “s> m” then “TEXT = 20 days” (s is the score 405 of attack A5)
if “s <m” then “TEXT = 5 days” (s is attack A5 score 405)
And set. In this case, if the attack score 405 notified next by the detection result 301 or detected by log search is high (greater than the threshold value m), it is dangerous, so the attack detection (notification of the detection result 301) is extended. (Or detection by log search) is extended to increase the chances of catching an attack. On the contrary, if the score 405 is low, the period of waiting for detection of an attack is reduced.

Further, these values may be changed according to the “attack type” of the attack A5 (attack that will occur next). For example, if the attack A5 is Type = InfoLeak (information leakage),
T = 30 days, TEXT = 10 days, n = 3 times if “Type = InfoLeak” then “TEXT = 20 days”
if “Type = FileDelete” then “TEXT = 5 days”
And In this case, if the next attack detected by the detection result 301 or detected by log search is a dangerous type of attack, the opportunity to catch the attack by extending the period of waiting for the attack detection. Increase. Conversely, if the same type is not a very dangerous type, the period of waiting for detection of an attack is reduced if the score 405 is low.

  In the above example, there is one attack that is not detected as an attack that should be detected, but even when there are a plurality of such attacks, the attack determination unit 107 may operate for each of them. Similarly, the number of attacks detected in the future is one, but the attack determination unit 107 may operate for each case even when there are a plurality of attacks.

  As described above, in the present embodiment, the attack determination unit 107 uses the detection device provided in the computer system among a plurality of attacks defined in the attack scenario 204 stored in the attack scenario database 111. An attack (for example, attack A5) that has not yet been detected and that is one after the last attack (for example, attack A4) in which the order defined in the attack scenario 204 was detected last by the detection device, is extracted. When the period during which the extracted attack is not detected by the detection device exceeds the threshold, it is determined that the attack scenario 204 has not been executed.

  In this embodiment, in the attack scenario 204 stored in the attack scenario database 111, a score (that is, a score 405) is set for each of a plurality of attacks against the computer system. The attack determination unit 107 selects all attacks (for example, attack A1, attack A2, and attack) that have already been detected by the detection device from among a plurality of attacks defined in the attack scenario 204 stored in the attack scenario database 111. A4) is specified, and the threshold value is adjusted according to the total number of points set for the specified attack in the attack scenario 204. Or the attack determination part 107 adjusts the said threshold value according to the score set with respect to the extracted attack (for example, attack A5) in the said attack scenario 204. FIG.

  As described above, in the present embodiment, when detection does not occur according to the attack scenario 204, the period of waiting for the occurrence of an attack is dynamically changed depending on the attack score 405, type, etc. An attack that slightly exceeds the waiting period is effectively detected as a cyber attack in accordance with the attack scenario 204.

Embodiment 7 FIG.
The difference between the present embodiment and the third embodiment will be mainly described.

  In the third embodiment, when the suspicious is determined from the result of analyzing the proxy log or the like, it is determined whether or not the accessed website is suspicious using web reputation or the like. In this embodiment, when such a suspicious HTTP (HyperText, Transfer, Protocol) communication is discovered, an event that triggered the occurrence of the suspicious HTTP communication is specified using an attack scenario. .

For example, when a suspicious HTTP communication is detected, an attack scenario 204 including the suspicious HTTP communication is searched. As a result, an attack scenario 204 including an attack A1, an attack A2, an attack A3, and an attack A4 is searched, and the attack Assume that A2 corresponds to this suspicious communication. In this case, if the attack A2 is communication by malware, the attack A1 corresponds to a chance to be infected by malware. Such a trigger is generally as follows.
(1) E-mail with malware attached (2) E-mail with a link (URL (Uniform, Resource, Locator)) to an unauthorized website (3) Access to an unauthorized website (4) Infection with malware (5) Infection via a network from a terminal infected with other malware

  A method for discovering whether the attack A1 is any one of (1) to (5) will be described below. The following method is processed by the attack determination unit 107. It is assumed that the log database 114 stores various logs such as a proxy log, a mail server log, and a software log (terminal operation log) that records terminal operations used below. Log search is performed on the log database 114 by the attack determination unit 107 using the log search unit 108. When the attack determination unit 107 refers to information stored in the inventory database 113, the attack determination unit 107 searches for information in the inventory database 113 using the inventory search unit 106 (not shown).

  Below, the case where attack A1 is (1) or (2) is demonstrated.

  The attack determination unit 107 extracts, from the proxy log, the identifier of the terminal where the attack A2 is found (issues suspicious HTTP communication), and acquires the identifier of the user who is using this terminal. For example, an organization may have a correspondence table that “the user of the terminal X is a user U” and information corresponding to the correspondence table, and by referring to such information, the user identifier U can be obtained. get.

  Furthermore, since the organization often manages information that “the email address of the user U is MailAddressU”, the email address of the user U is acquired by referring to this information.

  Next, the information of the mail received to this mail address is searched from the log of the mail server retroactively for the past m hours before the attack A2 is detected.

  Next, the attack determination unit 107 performs the following determinations (a) and (b) for the information of each retrieved mail.

  (A) Check the reliability of the email address.

  The security log analysis device 100 includes a table as shown in FIG. In this table, the reliability is assigned to each category of the sender mail address. For example, if the mail is sent from the same department in the same company, the reliability of the mail is high. If it is an email sent from a different company, the information is reflected in this table if it is known in advance that the company is highly secure, and the reliability of the email is high. And If the mail is sent from a free mail address, the reliability of the mail is low. Then, after such reliability is determined for the mail, mails other than those with high reliability are treated as suspicious mail candidates.

  Further, for the same company, information from the personnel database may be reflected in the reliability by referring to the personal tendency of the user who uses the corresponding email address. For example, if there is a tendency of “many work mistakes”, the reliability is medium, and if it is “careful”, the reliability is not changed.

  Assuming that there is a correlation between busyness and mistakes in work, the reliability may be medium if “work is busy”, and the reliability may not be changed if “work is not busy”. Assuming that there is a correlation between physical condition and mistake, the reliability may be medium if it is “bad”, and the reliability may not be changed if it is “healthy”.

  Assuming that there is a correlation between the years of service and prudence, the reliability may be high if the years of service are long, and the reliability may be medium if the years of service are short.

  When the average number of received emails is large or when emails are sent / received to / from various companies, there is an opportunity to browse various emails, and it is considered that there is a high chance of being exposed to danger, and the reliability may be medium. In such a judgment such as “many received mails” and “sending / receiving mails with various companies”, a threshold is set first, and if a number of emails exceeding the threshold is received per day, “ If it is determined that there are many received emails, or if the number of outside companies that sent and received emails exceeds the threshold value, it may be determined that emails are being sent and received with various companies.

  Alternatively, if the transmission time of the searched mail is business hour, the reliability is not changed, and if it is late at night, the reliability may be medium (assuming there is a possibility of fatigue).

  (B) Check email reliability.

  First, a case where the mail is an attached mail will be described.

  If the attached file of the attached mail is encrypted, the security level may be low because there is a possibility that security measures such as security scanning of the attached file are avoided.

  Next, a case where the mail is a mail in which a URL is described will be described.

  The URL described is examined for suspiciousness using web reputation. If judged suspicious, the reliability of the mail is lowered. Alternatively, for the terminal X that has received the mail, the proxy log is searched for the web access of the terminal X in the n hours going back from the reception time of the mail, and if the corresponding URL is not accessed, the website that is accessed for the first time Therefore, the reliability may be low. That is, if the URL described in the e-mail is determined to be suspicious by web reputation or is a site accessed for the first time, the reliability is set low. If the URL described in the email is a URL that does not correspond to the white list of URLs held by the organization instead of web reputation, the reliability may be low. When the URL corresponds to the black list of URLs held by the organization, the reliability may be extremely low.

  Next, a case where the mail is a mail with an electronic signature will be described.

  When the electronic signature is given to the mail and the validity of the electronic signature is verified, the reliability of the mail may be increased. In addition, when the electronic certificate used for verifying the signature is trusted by the organization of the mail recipient, the mail reliability may be high. Alternatively, the reliability rank of the electronic certificate may be defined, and the reliability may be high when the rank is higher than a certain rank. For example, a certificate authority that issues an electronic certificate issues an electronic certificate within the electronic certificate after a rigorous review of the organization and person to whom the electronic certificate is issued in the electronic certificate issuing process. May be included, and the identifier may be used as the reliability of the electronic certificate.

  Finally, a case where the mail is an encrypted mail will be described.

  If the mail is encrypted, security measures such as security scanning may be avoided, so the reliability is low.

  Below, the case where attack A1 is (3) is demonstrated.

  The attack determination unit 107 extracts the identifier of the terminal X where the attack A2 is found from the proxy log, and searches the proxy log for the URL of the website accessed by the terminal X before the attack A2 is detected, going back in the past m hours. (The log may be searched with the identifier of the terminal X). Next, the suspiciousness of the retrieved URL is examined using web reputation. If it is determined to be suspicious, the reliability of this URL is lowered. Otherwise, the reliability may be high.

  Below, the case where attack A1 is (4) is demonstrated.

  The attack determination unit 107 extracts the identifier of the terminal X in which the attack A2 is found from the proxy log, and when the terminal X uses an external storage medium before the detection of A2, the terminal X uses this external storage medium. The reliability of is low. Whether or not the terminal X has used an external storage medium is realized by searching the terminal operation log. In the terminal operation log, using the identifier of the terminal X as a key, search for the past m hours before the detection of A2. Then, it is checked whether or not an external storage medium is connected. Also, depending on the software that records the operation of the terminal, there is a function of identifying external storage media managed by the organization and those that are not (individually owned) by the serial number of the external storage media. If it is found that an external storage medium that is not an external storage medium managed by the organization is connected, the reliability of the external storage medium is lowered, and the external storage medium managed by the organization is trusted. The degree may be high.

  Below, the case where attack A1 is (5) is demonstrated.

  The attack determination unit 107 extracts the identifier of the terminal X where the attack A2 is found from the proxy log, checks whether the terminal X has been accessed from another terminal Y before the attack A2 is detected, and accesses If there is, the reliability of this terminal Y is set low. Whether the terminal X has been accessed by another terminal is searched from the terminal operation log of the terminal X or the log recorded by the function of the local firewall held by the OS before the attack A2 is detected, from the other terminal. Check for access. When terminal Y is accessing multiple ports (TCP / UDP ports) of terminal X (determining which port is open), the reliability of terminal Y is lowered, otherwise In that case, the reliability may be high. Also, the patch application history at the terminal Y when the terminal Y accesses the terminal X is checked from the inventory database 113, and the reliability of the terminal Y when the terminal Y has not applied the latest patch at that time May be low. Further, the reliability of the terminal Y may be lowered when the latest patch at that time is not applied to the terminal X (assuming there is a possibility of being infected by an attack from the terminal Y). Alternatively, when the terminal X is accessed from the terminal X before the attack A2 is detected in the past m hours, the terminal Y ′ is accessed at a plurality of ports, or the terminal Y ′ is the latest at that time. When the patch is not applied, the reliability of the terminal Y ′ may be low.

  In these examples, when an attack A2 is detected, the logs are traced back, the reliability of the received mail, the reliability of the accessed URL, the reliability of the used external storage medium, and the reliability of the other terminal accessed. The degree is determined. Then, when such reliability is low, it is determined that there is an attack corresponding to the attack A1. For example, when an email with low reliability is received retroactively from the occurrence of attack A2, it is determined that attack A1 has occurred.

  Further, in these examples, when an event for determining that the attack A1 has occurred is found from the log (for example, when it is retrieved from the mail server log that the terminal X has received the attached mail (the attack A1 is (1))), the application status of the latest patch of the terminal X at that time point is examined, and when the latest patch is applied, each reliability may be high. This is because if the latest patch is applied, the risk of infection is low even if the attached mail is malware.

  Further, when the security state is managed uniformly within the organization, and the mail transmission source is the same organization, the security state of the transmission source may be referred to. For example, if the patch application status at the date and time of mail transmission is not the latest, there is a possibility of being infected with malware, so the reliability of the mail may be low. Even if the emails are not from the same organization, if the sender's security information can be referred to by some means, the same determination may be made.

  The reliability is high, medium, low, extremely low, etc., but may be a score of 100 points, 50 points, 20 points, 0 points, or the like. In that case, for example, when an encrypted attached mail is received, the reliability of the mail address is 50 points, and since the encrypted attached mail is given, the reliability is 20 points, and the total trust When the threshold of the degree is 100 points, it is 70 points in total, and it may be determined that it is not reliable. In this case, it is determined that the encrypted attached mail is the attack A1 that triggered the attack A2.

  As described above, in the present embodiment, when suspicious HTTP communication is detected from a log, it is considered that the suspicious HTTP communication is generated by an attack such as malware, and various triggers for the occurrence of the attack are various. By examining the log retroactively, it is possible to determine whether or not there is a cause of suspicious HTTP communication.

Embodiment 8 FIG.
The difference between the present embodiment and the third embodiment will be mainly described.

  In the third embodiment, when it is determined suspicious from the result of analyzing the proxy log or the like, it is determined whether or not the accessed website is suspicious using reputation or the like. In this embodiment, when such a suspicious HTTP communication is found, it is determined whether or not these communication are suspicious from the security state of the terminal X which is the corresponding terminal. This process is executed by the attack determination unit 107.

  It is assumed that proxy logs are stored in the log database 114. Log search is performed on the log database 114 by the attack determination unit 107 using the log search unit 108. When the attack determination unit 107 refers to information stored in the inventory database 113, the attack determination unit 107 searches for information in the inventory database 113 using the inventory search unit 106 (not shown).

Although the same applies to the third embodiment, for example, when the communication corresponding to the following is searched from the proxy log, it is regarded as suspicious.
The terminal X is accessing URL_S, which is a URL not in the white list.
The terminal X periodically accesses this URL_S.

In the present embodiment, the HTTP communication is determined to be suspicious when any one or more of the following (1) to (3) is applicable.
(1) As a result of examining the referrer that is the transition source URL in the access to the first URL_S, if the referrer does not exist (it is considered that a single repeated communication has suddenly occurred), or even if the referrer exists When the URL of the referrer has not been accessed before (2) When the referrer of another HTTP communication accessed after accessing the URL_S is checked, the referrer is not URL_S (irrelevant to the URL_S) Assume that another communication occurred)
(3) Cases described below

  For (3), the patch status history of terminal X is examined m days after the occurrence of communication with URL_S. For one patch Patch_i released during this period, ΔTi_X = Patch_i patch application date / time at terminal X−Patch_i patch release date / time, where ΔTi_X is the time difference from when Patch_i is released until it is applied to terminal X It is. If ΔTi_X> n hours, it is determined that there is a period during which Patch_i has not been applied to Patch_i, and it is determined that the communication is suspicious. The patch application history and patch information of the terminal X are stored in the inventory database 113. For example, for Patch_i (i = 1 to k), it is determined that AllΔT_X = ΣΔTi_X, i = 1 to k, and when AllΔT_X <p time, it is determined to be in a safe state, and HTTP communication is not suspicious. May be. For example, if k = 3 and p = 4, Patch_1, Patch_2, and Patch_3 are released m days before the first communication to URL_S, and the date and time applied to terminal X from each release date and time. It is determined that the value obtained by adding the differences ΔT1_X, ΔT2_X, and ΔT3_X is less than 4 hours. In this case, since the time from the release of each patch to the application is less than 4 hours, it is determined that “the terminal X has maintained a safe state”. Therefore, it is determined that there is no attack, and therefore it is determined that this HTTP communication is not suspicious.

  Alternatively, it may be determined that the HTTP communication is not suspicious when the maximum of ΔTi_X, i = 1 to k is less than p.

  Alternatively, for Patch_i (i = 1 to k), Patch_i used for determination may be selected from the impact of the vulnerability corresponding to the patch. For example, it is assumed that the vulnerability addressed by the patch with i = 1 has a DoS impact. If this vulnerability is attacked, it will only increase the load on the terminal's CPU (Central, Processing, Unit), which will lead to further attacks such as execution of arbitrary code and elevation of authority. There is no danger. Therefore, Patch_1 may be excluded from the patch used for the above determination.

  Alternatively, a patch that is highly difficult to attack against a vulnerability may not be used in the determination. An example of the difficulty level is whether or not an attack code or attack method that attacks the vulnerability is widespread in the world.

  Alternatively, patches for vulnerabilities that can be attacked remotely, or vulnerabilities that require local attacks, may not be used in the determination.

  Alternatively, a patch for a vulnerability that requires authentication for an attack may not be used in the determination.

  Information on these vulnerabilities may be disclosed on a website on the Internet, and the security log analysis apparatus 100 can access the information by periodically accessing the website and capturing the information. Vulnerability information is stored in the inventory database 113.

  Alternatively, for Patch_i (i = 1 to k), the period between the patch release date / time of Patch_i and the Patch_i patch application date / time at terminal X is NST_i. For example, when the patch release date and time of Patch_i is 00: 00: 2013/10/22 and the patch application date and time is 12: 00: 2013/10/23, NST_i = 2013/10/22 00:00: It becomes 12: 00: 00: 00 of 00-2013 / 10/23. Then, NST_i is checked from the proxy log whether or not terminal X has accessed the website. When the terminal X accesses NST_i to the website, it is determined whether or not an attack has been made based on the suspiciousness of the URL of the site. The suspiciousness of the URL is determined based on a site not included in the URL white list of the organization, a site listed in the URL black list, or a determination by web reputation. In other words, if the website is accessed during NST_i during which the patch is not applied, there is a possibility of being attacked. Therefore, whether or not there is a possibility of being attacked is determined based on the suspicious URL. . At this time, the URL white list / black list and web reputation may refer to those in a period when the patch is not applied, or may refer to the latest one. Alternatively, both of them may be referred to, and in that case, it may be determined as suspicious when it is determined to be suspicious on one side, and may be determined as suspicious when determined as suspicious on both sides.

  Further, when the number of times that the terminal X has accessed the website is less than a predetermined threshold value for NST_i, it may be determined that the attack has not been received, and when it is equal to or greater than the threshold value, it may be determined that the attack has been received.

  In addition, when the terminal X receives a mail at NST_i, if the mail is suspicious, it may be regarded as being attacked. A method similar to that of the seventh embodiment may be used for determining the suspiciousness of the mail.

  In addition, regarding the vulnerability that Patch_i deals with in NST_i, if the number of attacks targeting the same vulnerability in the world is less than a separately determined threshold, it is determined that the attack has not occurred, and if it is greater than or equal to the threshold, You may decide that you have been attacked.

In the above example, the terminal X is considered suspicious because the URL_S is periodically accessed, but the access from the terminal X to the URL_S may be random. Randomness is determined by defining one access to URL_S as HTTP_j and its time stamp as HTTP_TS_j, and defining the interval between temporally adjacent accesses as Δj below. Then, it is sufficient to check whether Δj is random.
Δj = HTTP_TS_ (j + 1) −HTTP_TS_j (where j = 1 to h)

Also, access to URL_S from terminal X may be rare. The method for determining whether or not it is rare is, for example, as follows.
-Access to URL_S is less than β times in α time.
Access is made a fixed number of times during a certain period, such as α times in the morning (9 to 10 o'clock), β times in the daytime (12 to 13 o'clock), and γ times in the evening (17:00 to 18:00)

  In the above example, the application status of the patch in the terminal X is used for the determination. However, even if the released patch is not applied to the terminal X, it is vulnerable in another security device (the patch corresponds). Such a security device setting history may be taken into the security log analysis device 100 (for example, stored in the inventory database 113 or the attack determination unit 107) and referred to. For example, even if the terminal X has a patch unapplied period and the vulnerability remains, if it is protected by such a security device, it is determined that it has not been attacked. You may decide that you are under attack.

  As described above, in the present embodiment, when a suspicious HTTP communication is found in a terminal, the security status of the corresponding terminal is examined retroactively, and this communication occurs due to an attack. This has the effect of determining whether or not.

Embodiment 9 FIG.
The difference between the present embodiment and the eighth embodiment will be mainly described.

  In the eighth embodiment, whether or not this HTTP communication is really suspicious is determined for one terminal in which suspicious HTTP communication is detected, but in this embodiment, a plurality of terminals are suspicious. A determination is made as to when HTTP communication is detected.

For example, when a communication corresponding to the following is searched from the proxy log, it is determined to be suspicious.
Terminal X and terminal Y are accessing URL_S, which is a URL not in the white list.
-The URL_S is periodically accessed from the terminal X.
The URL is regularly accessed from the terminal Y.

In the present embodiment, the HTTP communication is determined to be suspicious when any one or more of the following (1) to (3) is applicable.
(1) As a result of examining the referrer that is the transition source URL in the access to the first URL_S of the terminal X and examining the referrer that is the transition source URL in the access to the first URL_S of the terminal Y, When these referers in terminal Y are the same (2) In terminal X, the referrer of another HTTP communication accessed after accessing URL_S is examined, and in terminal Y, another HTTP communication accessed after accessing URL_S When these referers are not URL_S as a result of examining the referrers, (3) the site accessed at “previous q hours / rear r hours” of access to URL_S at terminal X is defined as URL_X, and URL_S at terminal Y UR is the site that is accessing “q hours / r hours after” When the _Y, if a match in URL_X and URL_Y is a certain proportion or more (4) when describing the case (5) below, described below

  As for (4), if there is a period in which the patch is not applied in the terminal X and the terminal Y after the patch is released, the presence / absence of web access in that period is checked. Then, whether the web access is suspicious is checked by web reputation, URL white list, black list or the like. By comparing the web access states in this period between the terminal X and the terminal Y, it may be determined whether the terminal X and the terminal Y have been attacked as shown in FIG.

  For example, if there is a period in which the patch has not been applied in terminal X and there is a suspicious web access, if there is a period in which patch is not applied in terminal Y and there is a suspicious web access, both terminals are not secure Since the suspicious website was accessed during the period, it was infected with malware, and as a result, it was determined that the URL_S was periodically accessed later.

  For example, if there is a period in which the patch is not applied in the terminal X and there is no suspicious web access, if there is a period in which the patch is not applied in the terminal Y and there is a suspicious web access, only the terminal Y is safe Since a suspicious website was accessed during a period other than that, it was infected with malware, and as a result, it was later determined that access to URL_S occurred regularly. Periodic communication to URL_S at terminal X is regarded as a false detection. The period when the patch is not applied may be according to the eighth embodiment.

  As for (5), if there is a period in which the patch is not applied, it is checked whether or not suspicious mail is received during that period. Then, by comparing the presence / absence of suspicious mail in this period between the terminal X and the terminal Y, it may be determined whether the terminal X and the terminal Y have been attacked as shown in FIG. At this time, “suspicious web access” in FIG. 14 is replaced with “suspicious mail”.

  Further, in the present embodiment, the URL of the suspicious HTTP communication destination performed by the terminal X and the terminal Y that triggers log analysis is the same (URL_S), but another URL may be used (terminal X: URL_S). , Terminal Y: URL_S ′). However, those URLs are not in the white list.

  In the present embodiment, the URL accessed by the terminal X during the patch non-application period may be URL_S or another URL. Similarly, regarding the terminal Y, the communication during the patch non-application period may be URL_S or another.

  In the present embodiment, URL_S and URL_S ′ are not in the white list, but may be in the black list. Moreover, a score may be below a threshold value by web reputation.

  In the above example, two terminals X and Y are targeted, but a plurality of terminals may be targeted.

  As described above, in the present embodiment, when a suspicious HTTP communication is detected in a plurality of terminals, the security status of the corresponding terminal is examined retroactively, and a suspicious website is accessed during an unsafe period. By checking whether or not a suspicious mail is received, it is possible to determine whether or not these communications are caused by an attack.

  In the present embodiment, an organization that does not manage security measures may perform processing when the security measure information 500 is not retrieved. Further, in an organization that does not manage the inventory, the process when the inventory information 209 is not searched may be performed.

Embodiment 10 FIG.
In the present embodiment, differences from the first embodiment will be mainly described.

  In the present embodiment, as a result of detecting an attack according to the attack scenario 204, if the information leakage attack is suspected or if it is known that it can occur in the future according to the attack scenario 204, the security log analysis device 100 performs proxy processing. The HTTP communication is forcibly controlled in cooperation with the server.

  FIG. 15 is a diagram illustrating an example of the configuration of the control command 217.

  For example, when the total attack score 405 currently detected exceeds the threshold value as in the fifth embodiment, the attack determination unit 107 controls the control command when information leakage is included in a possible attack in the future. 217 is generated and output to the output unit 109.

As shown in FIG. 15, the control command 217 includes the following information.
(A) Period: Period during which control is performed (for example, 2013/10/01 00:00:00 to 2013/10/31 23:59:59).
(B) Transmission source information: Information (for example, IP address) of a terminal that the attack determination unit 107 determines that there is a possibility of being attacked by the attack scenario 204 and log analysis.
(C) Destination information: Information of the communication partner (for example, the host name of the web server) determined by the attack determination unit 107 as the attack source based on the attack scenario 204 and log analysis.
(D) Control information: a control command for the proxy server.

  The control command 217 is data for instructing to perform control indicated by the control information while designating as a period for communication from the terminal indicated by the transmission source information to the server indicated by the transmission destination information. The contents of the control information command include, for example, blocking all HTTP, blocking HTTP GET, blocking HTTP POST, blocking CONNECT, and forcing authentication (providing authentication information for sending an HTTP request). . In addition, these may be combined with conditions such as “block communication once per m times”, “block randomly”. For example, the control information is “Deny HTTP = ON, Method = POST, CONDITION = 1: m” (meaning that the POST method of HTTP communication is blocked once every m times).

  As transmission destination information, ANY (all transmission destinations) may be specified, and all communication may be controlled for a terminal that may be attacked. Further, ANY (all transmission sources) may be designated as the transmission source information, and communication from all terminals may be controlled for a communication partner (for example, a web server) suspected of having attacked.

  Upon receiving the control command 217, the output unit 109 outputs the control command 217 to the proxy server. When the proxy server inputs the control command 217, the proxy server interprets the control command 217 and controls the corresponding communication. The interpretation of the control command 217 in the proxy server desirably uses a function already provided in these servers. Therefore, the control command 217 may be transformed into a format that can be interpreted by these servers. In addition, as a method for the output unit 109 to output the control command 217 to the proxy server, any method can be used as long as the proxy server can input it. For example, if these servers can receive SNMP (Simple Network, Management, Protocol) trap messages and interpret the control command 217, include the control command 217 in the trap message and connect the network to these servers. You may send via.

  The control information may be specified not only to block communication but also to force use of the workflow system if the proxy server is linked to the workflow system. For example, the control information is “UseWorkFlow = ON, Protocol = HTTP, Method = POST” (meaning that a workflow is compulsorily applied to a POST method of HTTP communication).

The workflow system here is a system that has a mechanism that allows a user to send data such as a file to a website without permission from the senior manager. A simple procedure is used.
(1) User A transmits a 1-megabyte file to website X using HTTP POST (HTTP / POST request). This HTTP / POST request is transmitted to the proxy server.
(2) The HTTP / POST request from the user A is forwarded to the workflow system linked with the proxy server and held.
(3) The workflow system notifies user A's superior B that the user A is going to send data outside the organization by mail.
(4) The superior B accesses the workflow system and visually confirms the corresponding HTTP / POST request. If there is no problem with the destination or transmission data (file), it is permitted on the workflow.
(5) When the permission from the superior B is given, the workflow system forwards the corresponding HTTP / POST request to the proxy server.
(6) The proxy server transmits the corresponding HTTP / POST request to the website X.

  When “UseWorkFlow = ON” is specified in the control command 217, the proxy server forwards the corresponding request to the workflow system and forces the use of the workflow system. As a result, for example, even if the malware tries to transmit data by using HTTP POST, since the upper manager B is checked, suspicious POST is prevented.

  If the proxy server and the inspection server are linked and the inspection server receives the control of communication as described above and controls the proxy server, the control command 217 may be transmitted to the inspection server, and the format is The format can be interpreted by the inspection server. If the proxy server and the workflow system are linked, and the workflow system receives the control of communication as described above and controls the proxy server, the control command 217 may be transmitted to the workflow system, and the format is also A format that can be interpreted by the workflow system may be used.

  As described above, in the present embodiment, when the attack determination unit 107 determines that the attack scenario 204 stored in the attack scenario database 111 has been executed, a plurality of attacks defined in the attack scenario 204 are detected. Among them, the detection device provided in the computer system has not yet been detected, and the order defined in the attack scenario 204 is later than the last attack detected by the detection device (for example, attack A4). An attack (for example, attack A5) is extracted, and the communication that becomes the route of the extracted attack is limited to the computer system.

  As described above, in the present embodiment, when a suspicious HTTP communication or future information leakage is suspected according to the suspicious attack scenario 204, by sending an instruction to control the HTTP communication to the proxy server or the workflow system to cooperate with, Thereafter, there is an effect that the expansion of damage can be suppressed by controlling the HTTP communication.

  FIG. 16 is a diagram illustrating an example of a hardware configuration of the security log analysis apparatus 100 according to the first to tenth embodiments.

  In FIG. 16, the security log analysis device 100 is a computer and includes hardware such as an output device 910, an input device 920, a storage device 930, and a processing device 940. The hardware is used by each unit of the security log analysis device 100 (described as “unit” in the description of the embodiment of the present invention).

  The output device 910 is, for example, a display device such as an LCD (Liquid / Crystal / Display), a printer, or a communication module (communication circuit or the like). The output device 910 is used for outputting (transmitting) data, information, and signals by each unit (“˜unit”).

  The input device 920 is, for example, a keyboard, a mouse, a touch panel, or a communication module (communication circuit or the like). The input device 920 is used for input (reception) of data, information, and signals by each unit (“˜unit”).

  The storage device 930 is, for example, a ROM (Read / Only / Memory), a RAM (Random / Access / Memory), a HDD (Hard / Disk / Drive), or an SSD (Solid / State / Drive). The storage device 930 stores a program 931 and a file 932. The program 931 includes a program for executing processing (function) of each unit (“˜unit”). The file 932 includes data, information, signals (values), and the like that are calculated, processed, read, written, used, input, output, and the like by each unit (“˜unit”).

  The processing device 940 is, for example, a CPU. The processing device 940 is connected to other hardware devices via a bus or the like, and controls those hardware devices. The processing device 940 reads the program 931 from the storage device 930 and executes the program 931. The processing device 940 is used for performing calculation, processing, reading, writing, use, input, output, and the like by each unit (“˜ unit”).

  In the description of the embodiments of the present invention, what is described as “to part” may be “to circuit”, “to device”, and “to device”, and “to step” and “to process”. , “˜procedure”, and “˜processing”. That is, what is described as “˜unit” is realized by software alone, hardware alone, or a combination of software and hardware. The software is stored in the storage device 930 as the program 931. The program 931 causes the computer to function as “˜unit” described in the description of the embodiment of the present invention. Alternatively, the program 931 causes the computer to execute the processing of “˜unit” described in the description of the embodiment of the present invention.

  As mentioned above, although embodiment of this invention was described, you may implement in combination of 2 or more among these embodiment. Alternatively, one of these embodiments may be partially implemented. Alternatively, two or more of these embodiments may be partially combined. For example, any one of those described as “to part” in the description of these embodiments may be adopted, or any two or more arbitrary combinations may be adopted. In addition, this invention is not limited to these embodiment, A various change is possible as needed.

  DESCRIPTION OF SYMBOLS 100 Security log analyzer 101 Input part 102 Interpretation part 103 Attack scenario search part 104 Related attack extraction part 105 Security countermeasure search part 106 Inventory search part 107 Attack determination part 108 Log search part 109 Output part 111 attack scenario database, 112 security countermeasure database, 113 inventory database, 114 log database, 201 detection data, 202 detection information, 203 attack identification information, 204 attack scenario, 205 related attack information, 206 related attack search information, 207 presence of countermeasure Information, 208 inventory search information, 209 inventory information, 213 log search information, 214 search command, 215 search result, 216 judgment result, 217 control command, 301 detection result, 302 scenario extraction condition, 303 related attack extraction condition, 304 already detected result, 305 search condition, 310 determination result, 321 public vulnerability information, 322 attack information, 323 attack response information, 324 warning information, 401 attack identification information, 402 attack Information, 403 Countermeasure identification information, 404 Countermeasure information, 405 score, 500 Security countermeasure information, 501 Attack identification information, 502 Attack information, 503 Countermeasure identification information, 504 Countermeasure information, 505 Countermeasure implementation information, 601 Asset identification information, 602 Asset OS Information, 603 asset application information, 604 asset execution information, 605 asset security measure information, 910 output device, 920 input device, 930 storage device, 931 program, 932 file, 940 processing device.

Claims (15)

A log database for storing a log of a computer system equipped with a detection device for detecting an attack;
An attack scenario database for storing an attack scenario defining a plurality of attacks targeting the computer system and an order of the plurality of attacks;
Of the multiple attacks defined in the attack scenario stored in the attack scenario database, the detection device has not yet detected the attack, and the order defined in the attack scenario has already been detected by the detection device. A related attack extraction unit that extracts an attack prior to at least one attack,
Analyzing the log stored in the log database to determine whether or not the computer system has received an attack extracted by the related attack extraction unit. A log analysis device comprising: an attack determination unit that determines that an attack has occurred. A security measure database for storing information indicating security measures implemented for the detection device;
In the attack scenario stored in the attack scenario database, security measures corresponding to each of a plurality of attacks on the computer system are defined,
The attack determination unit refers to information stored in the security countermeasure database, and is defined by an attack scenario stored in the attack scenario database, and corresponds to an attack extracted by the related attack extraction unit. When it is determined whether a countermeasure is being implemented for the detection device and it is determined that the countermeasure is being implemented, when it is determined that the computer system has received an attack extracted by the related attack extraction unit, 2. The log analysis apparatus according to claim 1, wherein it is determined that an attack detection failure has occurred in the detection apparatus. An inventory database that stores information indicating a plurality of computers included in the computer system and security measures implemented for each of the plurality of computers;
In the attack scenario stored in the attack scenario database, a computer targeted by each of a plurality of attacks against the computer system and a security measure corresponding to each of the plurality of attacks are defined,
The attack determination unit refers to the information stored in the inventory database, and is defined by the attack scenario stored in the attack scenario database, and the security measures corresponding to the attack extracted by the related attack extraction unit Determines whether the attack defined in the attack scenario is being performed on the target computer, and if it is determined that the attack is not being performed, analyzes the log stored in the log database The log analysis apparatus according to claim 1 or 2, wherein In the attack scenario stored in the attack scenario database, vulnerabilities used by each of a plurality of attacks on the computer system are defined,
The attack determination unit accesses an external system that discloses information on vulnerability, and is used by an attack extracted by the related attack extraction unit, which is defined by an attack scenario stored in the attack scenario database. 4. The information stored in the log database is analyzed when it is determined whether or not information relating to the vulnerability is disclosed by the external system. One of the log analyzers.   The attack determination unit, when analyzing the log stored in the log database, has already been detected by the detection device among a plurality of attacks defined in the attack scenario stored in the attack scenario database The attack defined in the attack scenario identifies the attack immediately before the attack extracted by the related attack extraction unit, and the period is later than the time when the computer system received the identified attack. The log analyzer according to any one of claims 1 to 4, wherein the log is analyzed. The computer system includes a relay device that relays communication between a plurality of computers included in the computer system and the outside.
The attack determination unit analyzes at least the log of the relay device among the logs stored in the log database, and determines whether or not the computer system has been attacked by the related attack extraction unit The log analyzer according to any one of claims 1 to 5, wherein   The attack determination unit analyzes at least one computer log included in the computer system from among the logs stored in the log database, and detects the attack extracted by the related attack extraction unit. 7. The log analysis apparatus according to claim 1, wherein it is determined whether or not it has been received. In the attack scenario stored in the attack scenario database, a score is set for each of a plurality of attacks on the computer system,
The attack determination unit identifies all attacks that have already been detected by the detection device among a plurality of attacks defined in the attack scenario stored in the attack scenario database, and has identified the attack using the attack scenario. 8. The log analysis device according to claim 1, wherein it is determined whether or not the attack scenario is executed based on a comparison result between a total of points set for the attack and a threshold value.   The attack determination unit adjusts at least one of the score set in the attack scenario stored in the attack scenario database and the threshold when determining that an attack detection failure has occurred. The log analysis apparatus according to claim 8.   When the attack determination unit determines that the attack scenario stored in the attack scenario database is executed, the attack determination unit has not yet been detected by the detection device among a plurality of attacks defined in the attack scenario, The attack defined in the attack scenario is extracted after the attack detected last by the detection device, and the communication that becomes the route of the extracted attack is limited to the computer system. The log analysis device according to claim 8 or 9.   The attack determination unit is not yet detected by the detection device among a plurality of attacks defined in the attack scenario stored in the attack scenario database, and the order defined in the attack scenario is the detection An attack after the last attack detected by the device is extracted, and when the period during which the extracted attack is not detected by the detection device exceeds a threshold, it is determined that the attack scenario has not been executed. The log analyzer according to any one of claims 1 to 7. In the attack scenario stored in the attack scenario database, a score is set for each of a plurality of attacks on the computer system,
The attack determination unit identifies all attacks that have already been detected by the detection device among a plurality of attacks defined in the attack scenario stored in the attack scenario database, and has identified the attack using the attack scenario. The log analysis apparatus according to claim 11, wherein the threshold value is adjusted according to a total number of points set for the attack. In the attack scenario stored in the attack scenario database, a score is set for each of a plurality of attacks on the computer system,
12. The log analysis apparatus according to claim 11, wherein the attack determination unit adjusts the threshold according to the number of points set for the extracted attack in the attack scenario stored in the attack scenario database. . A log database that stores a log of a computer system provided with a detection device that detects an attack, and an attack scenario database that stores a plurality of attacks targeting the computer system and an attack scenario that defines the order of the plurality of attacks Log analysis method using
Of the plurality of attacks defined by the attack scenario stored in the attack scenario database, the related attack extraction unit has not yet been detected by the detection device, and the order defined in the attack scenario is the detection. Extract at least one attack that is already detected by the device,
The attack determination unit analyzes the log stored in the log database to determine whether or not the computer system has been subjected to the attack extracted by the related attack extraction unit. A log analysis method characterized in that it is determined that an omission of detection has occurred. A log database that stores a log of a computer system provided with a detection device that detects an attack, and an attack scenario database that stores a plurality of attacks targeting the computer system and an attack scenario that defines the order of the plurality of attacks On a computer equipped with
Of the multiple attacks defined in the attack scenario stored in the attack scenario database, the detection device has not yet detected the attack, and the order defined in the attack scenario has already been detected by the detection device. A related attack extraction process for extracting an attack prior to at least one attack,
Analyzing the log stored in the log database to determine whether or not the computer system was subjected to the attack extracted by the related attack extraction process. A log analysis program characterized by causing an attack determination process to be determined to have been performed.

Images