JP2016110411A - Controller state verification system and controller state verification method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To allow the mixing of an unauthorized program to be detected without imposing a processing load on a controller.SOLUTION: A controller state verification system includes: a communication device 11 that communicates with a controller via a network; a storage device 13 for storing evaluation object specification information in a memory map of the controller and initial configuration information on information corresponding to the evaluation object in the memory map of the controller; and a computing device 14 (CPU) that collects memory maps of the controller, extracts information corresponding to the evaluation object in the collected memory maps on the basis of the specification information, compares the extracted evaluation object information with the initial configuration information, detects a change from the initial state in the evaluation object in the memory maps, and performs processing to transmit alert information to a prescribed device if a change is detected.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a control device state verification system and a control device state verification method, and more specifically to a technique that enables detection of unauthorized program mixing without imposing a processing load on the control device.

  Control systems used in social infrastructure and automobiles such as electric power, railway, water, and gas are equipped with a dedicated OS and protocol, and are set in advance by operating devices such as valves and actuators based on sensor information. It is configured to automatically maintain pressure and temperature. Since such a control system is installed in an isolated state without being connected to an external network such as the Internet, it has been considered that it is free from cyber attacks such as so-called computer viruses and DoS attacks.

  However, cases where a general-purpose OS or a general-purpose protocol is used in a control system are increasing for cost reduction, and a form of connecting to an information system is increasing for improving efficiency. In recent years, computer viruses targeting control systems have been discovered, and technologies that detect malicious programs such as malware, as well as information systems, have been developed in control systems that were previously unrelated to cyber attacks. It has become necessary.

  As a technology to deal with such a problem, for example, using the characteristic of accessing the file system when starting the program in the device, hooking the access of the file system, and whether the hash value of the program matches the hash value of the legitimate program A technique (see Patent Document 1) that permits activation after verification has been proposed.

  In addition, there has been proposed a technique (see Patent Document 2) that detects mixing of an illegal program by comparing a program list that is permitted to be activated in the apparatus with a program list that is being activated.

JP 2001-337864 A JP 2004-302657 A

  On the other hand, some control devices used in the control system do not have a file system inside, and develop and execute programs and data on a memory at startup. For such a control device, it has been difficult to apply a technology for detecting access to a file system and controlling activation as in the past.

On the other hand, as described above, in the control system, in order to automatically perform device control based on sensor information or the like, it is common to periodically perform various processes, which are executed by each device in the control system. The process is required to be completed within one cycle. In addition, since the processing is always completed within one cycle, there are various restrictions on the processing time, such as the processing time of each processing being required to be constant without changing depending on the situation. For this reason, even a control device having a file system is difficult to confirm whether or not it can be activated using a CPU or a memory resource when the program is activated due to the above-described limitations on processing time.

  Further, there is a problem that even if the activated program list is verified, it cannot be detected if an illegal program overwrites a valid program.

  SUMMARY OF THE INVENTION An object of the present invention is to provide a technique that enables detection of unauthorized program mixing without imposing a processing load on a control device.

  The control device state verification system of the present invention that solves the above problems includes a communication device that communicates with a control device via a network, designation information of an evaluation target in a memory map of the control device, and a memory map of the control device A storage device that stores initial configuration information of information corresponding to the evaluation target, and a memory map of the corresponding control device is collected by communicating with the control device, and corresponds to the evaluation target in the collected memory map Information is extracted based on the designation information, the extracted evaluation object information is compared with the initial configuration information, and the presence or absence of a change from the initial state in the evaluation object of the memory map is detected, and the change is detected. And an arithmetic unit that executes processing for transmitting alert information to a predetermined device.

  Further, the control device state verification method of the present invention includes a communication device that communicates with a control device via a network, designation information of an evaluation target in a memory map of the control device, and the evaluation target of the memory map of the control device. And a storage device for storing the initial configuration information of information corresponding to the information, the computer system communicates with the control device and collects a memory map of the control device, and the evaluation target of the collected memory map Is extracted based on the designation information, the extracted evaluation object information is compared with the initial configuration information, the presence or absence of a change from the initial state in the evaluation object of the memory map is detected, and the change When the error is detected, a process of transmitting alert information to a predetermined device is executed.

  According to the present invention, it is possible to detect mixing of unauthorized programs without imposing a processing load on the control device.

It is a figure which shows the network structural example of the control apparatus state verification system in 1st Embodiment. It is a figure which shows the hardware structural example of the monitoring apparatus and monitoring server in 1st Embodiment. It is a figure which shows the hardware structural example of the control apparatus in 1st Embodiment. It is a flowchart which shows process sequence example 1 of the control apparatus state verification method in 1st Embodiment. It is a flowchart which shows process sequence example 2 of the control apparatus state verification method in 1st Embodiment. It is a figure which shows the structural example of the memory map acquired from each control apparatus in 1st Embodiment. It is a figure which shows the structural example of the evaluation object information in 1st Embodiment. It is a figure which shows the structural example of the initial structure information in 1st Embodiment. It is a flowchart which shows process sequence example 3 of the control apparatus state verification method in 1st Embodiment. It is a figure which shows the network structural example of the control apparatus state verification system in 2nd Embodiment. It is a flowchart which shows the process sequence example of the control apparatus state verification method in 2nd Embodiment. It is a figure which shows the network structural example of the control apparatus state verification system in 3rd Embodiment. It is a figure which shows the structural example of the memory dump information acquired from each control apparatus in 3rd Embodiment. It is a flowchart which shows the process sequence example of the control apparatus state verification method in 3rd Embodiment.

--- First Embodiment ---

  Embodiments of the present invention will be described below in detail with reference to the drawings. FIG. 1 is a network configuration diagram including a monitoring device 10 (hereinafter, monitoring device 10) which is a control device state verification system in the first embodiment. A monitoring device 10 that is a control device state verification system shown in FIG. 1 is a computer system that can detect mixing of unauthorized programs without imposing a processing load on the control device 30 to be monitored.

Note that the monitoring device 10 according to the first embodiment may be configured as a single control device state verification system, or may be communicable via the network 40 as shown in the network configuration example of FIG. The monitoring server 20 and the control devices 30 _{1 to} 30 n may be included. In any case, the device that executes the control device state verification method independently is the monitoring device 10.

  The monitoring device 10 having such a configuration includes, for example, a memory map collection unit 101, an evaluation target acquisition unit 102, a cryptographic operation unit 103, a falsification detection unit 104, and an alert generation as functional units that are implemented by executing a predetermined program. Part 105 is provided. The monitoring apparatus 10 includes an initial configuration information storage unit 106 and an evaluation target storage unit 107 as storage units for data necessary for processing. In addition, the monitoring device 10 further includes a communication unit 108 that accesses the network 40 and communicates with other devices.

Among the functions of the monitoring device 10 described above, the memory map collection unit 101 collects memory information from each of the control devices 30 ₁ to 30 n to be monitored via the communication unit 108. Moreover, the evaluation object acquisition unit 102 acquires information on an area to be evaluated in the memory information of the control devices 30 _{1 to} 30 n without changing the configuration or internal data during operation of the corresponding control device. The cryptographic operation unit 103 performs cryptographic operations on the initial configuration information and the memory information obtained by the memory map collection unit 101 to reduce the data size. Further, the tampering detection unit 104 detects whether or not the memory information collected by the memory map collection unit 101 has been tampered with. The alert generation unit 105 notifies the monitoring server 20 of an alert when tampering is detected by the tampering detection unit 104.

The above-described initial configuration information storage unit 106 provided in the monitoring device 10 stores initial memory information before the operation of the control devices 30 _{1 to} 30n is started. Moreover, the evaluation object storage unit 107 stores information to be evaluated in the memory information of the control devices 30 _{1 to} 30 n without changing the configuration or internal data during operation.

  On the other hand, the monitoring server 20 that can communicate with the monitoring device 10 via the network 40 functions as an alert collecting unit 201 that collects alerts notified from the monitoring device 10 and a communication unit 202 that communicates with the network 40. I have. Each unit in the monitoring server 20 is a function that is implemented by executing an appropriate program.

In addition, the above-described control devices 30 _{1 to} 30 n to be monitored include memory map acquisition units 301 _{1 to} 301 n that acquire memory information inside the corresponding control device, communication units 302 _{1 to} 302 n that communicate with the network 40, and I have. The functions of the control devices 30 _{1 to} 30 n are functions that are implemented by executing an appropriate program, or functions that are provided in appropriate hardware such as a chip set.

  Of the above-described devices, the hardware configurations of the monitoring device 10 and the monitoring server 20 are the same as those of a general computer device as follows. That is, a communication device 11 such as a network interface card that performs data communication by connecting to the network 40 through an appropriate interface, an input / output device 12 that takes input from a user and outputs processing results, an SSD (Solid State Drive), a hard disk A storage device 13 composed of an appropriate non-volatile storage element such as a drive, and data stored in the storage device 13 and an appropriate program are read out and executed in the memory 15 to perform overall control of the device itself and make various determinations. Each component such as a CPU 14 (arithmetic unit) that performs arithmetic and control processing, a memory 15 that includes a volatile storage element such as a RAM, and a reading device 16 that reads a storage medium 17 is connected by an internal communication line 18 such as a bus. ,It is configured.

On the other hand, an example of the hardware configuration of the control devices 30 _{1 to} 30n to be monitored is shown in FIG. The control devices 30 _{1 to} 30 n exemplified here are small-scale computer devices included in a control system used in social infrastructure such as electric power, railway, water supply, and gas, and automobiles, as described above. Includes a communication device 31 that accesses the network 40 and performs data communication, an input / output device 32 that receives instructions, outputs processing results, and the like, a storage device 33 that includes nonvolatile storage elements, a CPU 34, and volatile storage A memory 35 composed of elements is connected and configured by an internal communication line 36 such as a bus.

Next, the actual procedure of the control device state verification method in the first embodiment will be described with reference to the drawings. The processing flow described below is implemented on each device by loading a program stored in each storage device of the monitoring device 10, the monitoring server 20, and the control devices 30 _{1 to} 30n into the memory and executing it by the CPU. It is executed by each processing unit. Each program may be stored in a storage device in advance, or may be introduced when necessary via another storage medium or communication medium (network 40 or a carrier wave propagating through network 40).

FIG. 4 is a flowchart illustrating a processing procedure example 1 of the control device state verification method according to the first embodiment. Specifically, the processing performed by the monitoring device 10 and the like during a test run and operation of the control devices 30 _{1 to} 30 n. It is the figure which showed the flow.

Here, first, when commissioning of the control device ₃₀ 1 _~30n, executes an initialization process between the monitoring device 10 control device ₃₀ 1 _~30n (S401). Details of the initialization process in step S401 will be described later with reference to FIG.

Then, during operation of the control device ₃₀ 1 _~30n, the monitoring device 10, control device ₃₀ 1 _~30n, and executes the detection process with the monitoring server 20 (S402). The details of the detection process in step S402 will be described later with reference to FIG.

Next, the monitoring apparatus 10 activates a predetermined timer using a clock function or the like normally provided as a computer apparatus, and determines whether or not a predetermined time has elapsed since the execution of the above-described detection process (S402) (S403). As a result of this determination, when it is determined that the predetermined time has not elapsed (S403: N), the monitoring apparatus 10 executes the determination in step S403 again and determines that the predetermined time has elapsed here (S403: Y), the detection process in step S402 described above is executed again. In addition, although it is set as the structure which controls the timing which re-executes a detection process here by determination of time passage, it is good also as a structure which the monitoring apparatus 10 re-executes according to generation | occurrence | production of a specific event.

Next, details of the initialization process in step S401 will be described with reference to FIG. FIG. 5 is a flowchart showing a processing procedure example 2 of the control device state verification method according to the first embodiment. Specifically, the initial memory state of each control device is acquired during a trial run of the control devices 30 _{1 to} 30n. It is the figure which showed the processing flow at the time.

In this case, the monitoring device 10 to obtain one in memory information control unit 30 ₁ is monitored, and generates a memory map acquisition command A 501 ₁ (S501 _1), this memory map acquisition command A 501 _1, and it transmits to the control device 30 _1. Here generated memory map acquisition command A 501 ₁ was has a command according to the protocol of the memory map acquiring unit 301 ₁ in the control unit ₃₀ 1 _~30n.

On the other hand, the control unit 30 ₁ receives a memory map acquisition command A 501 ₁ described above from the monitoring device 10, in response to the command, acquires a memory map which is configuration information of a memory held in the memory 35 ( S502 ₁ ), and the acquired memory map (A502 ₁ ) is transmitted to the monitoring apparatus 10.

  A configuration example of the above-described memory map is shown in FIG. FIG. 6 is a diagram illustrating a configuration example of a memory map acquired from each control device in the first embodiment. The memory map A 701 exemplified here has each of an area start address A 703 indicating the start address of each area and an area size A 704 indicating the size of each area, using an area name A 702 that is a name for identifying an area in the memory as a key. It is a collection of records with associated values. Note that the constituent elements of the memory map A701 are not limited to the above example, and it is sufficient that at least the above-described elements of the area name A702, the area head address A703, and the area size A704 are included. Further, the arrangement order of the components of the memory map A701 is not limited to the example of FIG.

Now, the description returns to the flow of FIG. Then the monitoring device 10, from the evaluation target storage unit 107, acquires the evaluation object information retained with respect to the control apparatus 30 ₁ (S503 _1). This evaluation target information is the designation information of the evaluation target in the memory map of the corresponding control device, and its configuration example is as shown in FIG.

  FIG. 7 is a diagram illustrating a configuration example of the evaluation target information held by the monitoring device 10 according to the first embodiment. The evaluation object information A801 exemplified here is an evaluation indicating a list of area names that are assumed not to change during operation of the control device in the memory 35 in the corresponding control device, with the device type A802 identifying the type of the corresponding control device as a key. It is an aggregate of records in which the target area name list A 803 is associated. Note that the constituent elements of the evaluation target information A801 are not limited to those described above, and it is sufficient that at least the device type A802 and the evaluation target area name list A803 are included. Further, the arrangement order of each component in the evaluation target information A801 is not limited to that illustrated in FIG.

Now, the description returns to the flow of FIG. Then the monitoring device 10, each information from the memory map A 502 ₁ mentioned above received from the control device 30 _1, corresponding to the evaluation target area indicated by the acquired evaluation target information the control device 30 ₁ in step S503 ₁ above, That is, each value of area name A702, area head address A703, and area size A704 is acquired, and a cryptographic operation is performed on the acquired values (S504 ₁ ). Examples of cryptographic operations performed here include
An operation such as a hash operation that outputs a digest of the original data is assumed, but the present invention is not limited to this. Note that the purpose of such cryptographic computation is to reduce the data size.

Then the monitoring device 10, the result of the cryptographic operation in step S504 ₁ described above, the relevant control device 30 _first identification information and the device type (eg: "ABC") together with the initial configuration information storage unit 106 as the initial configuration information Store (S505 ₁ ). This initial configuration information is initial information of information corresponding to the evaluation target in the memory map of the corresponding control device, and its configuration example is as shown in FIG.

  FIG. 8 is a diagram illustrating a configuration example of initial configuration information held by the monitoring device 10 according to the first embodiment regarding each control device. The initial configuration information A901 exemplified here is a device type A903 that identifies the type of the corresponding control device using the device IDA902 that is an ID for identifying the corresponding control device as a key, and a memory that the corresponding control device holds before operation. This is an aggregate of records in which each value of the initial configuration data A904 indicating information is associated.

Of these, the initial configuration data A904 is the calculation result of S504 ₁ (to S504n) described above, and indicates a value obtained by performing a hash calculation on the memory information of the evaluation target area in the memory map of each control device. Another value such as a feature amount may be used. Note that the constituent elements of the initial configuration information A901 are not limited to the above-described device IDA 902, device type A903, and initial configuration data A904, and at least these elements may be included. Further, the arrangement order of the components of the initial configuration information A901 is not limited to that illustrated in FIG.

Thereafter, the monitoring device 10 executes the same procedure as that of S501 _{1 to} S505 ₁ for the other control devices 30 _{2 to} 30n, and each control device 30 _{1 to} 30n in the initial configuration information storage unit 106. Stores memory information.

Next, details of the detection process (S402) shown in FIG. 4 will be described with reference to the drawings. FIG. 9 is a flowchart showing a processing procedure example 3 of the control device state verification method according to the first embodiment. Specifically, when verifying the memory state of each control device during operation of the control devices 30 _{1 to} 30 n. It is the figure which showed the processing flow.

In this case First, monitoring device 10, to get the memory information control unit 30 ₁ of the example, the control device ₃₀ 1 ～30N, as in step S501 ₁ described above, generates a memory map acquisition command A 601 ₁ (S601 ₁ ) This is transmitted to the control device 30 ₁ .

On the other hand, the control unit 30 ₁ receives a memory map acquisition command A 601 ₁ described above from the monitoring device 10, based on this command, acquires a memory map A 602 ₁ is a configuration information memory stored in the internal memory 35 (S602 ₁ ), this is transmitted to the monitoring device 10.

Subsequently, the monitoring device 10 acquires the evaluation target information related to the control device 30 ₁ from the evaluation target storage unit 107 (S603 ₁ ). Further, the monitoring device 10 acquires memory information corresponding to the evaluation target area indicated by the evaluation target information acquired in step S603 ₁ from the memory map A602 ₁ transmitted by the control device 30 _{1 in} step S602 ₁ described above. Then, a cryptographic operation is performed for this (S604 ₁ ). Here cryptographic operations in the same manner as Step S504 ₁ described above, assumes a hash operation and the like, but is not limited thereto.

Then the monitoring device 10, from the initial configuration information storage unit 106, obtains the initial configuration information to a control system 30 _first described above (S605 _1). Next, the monitoring apparatus 10 performs the above-described step S604.
Comparing the results with the (memory map based on the control unit during operation) of the cryptographic operation resulting in _1, and the acquired initial configuration information in step S605 ₁ (S606 _1). This comparison is performed by, for example, matching processing of each digit of each value to be compared.

Result of the above comparison, if the initial configuration information and the encryption operation result matches were found (S606 _1: match), the monitoring device 10, the contamination or the like of the illegal program regarding the relevant control device 30 ₁ generated It recognizes that to not be shifted to the process for the next control device 30 ₂ (S601 _2).

On the other hand, the result of the above comparison, if the initial configuration information and the encryption operation result do not match is found (S606 _1: mismatch), the monitoring apparatus 10 for preventing entry of unauthorized programs with respect to the relevant control device 30 _1, etc. there is recognition that there is a risk that has occurred, sends the alert information a 603 ₁ indicating that the monitoring server 20.

On the other hand, the monitoring server 20 via the communication unit 202 receives from the monitoring device 10 to alert information A 603 ₁ described above, which alerts the collection unit 201 is stored in the storage device 33 (S607 _1).

Thereafter, the monitoring device 10, the same procedure as Step S601 ₁ ~S606 ₁ above, was executed for the other control device ₃₀ 2 _~30n, each memory information control unit ₃₀ 2 _~30n is related to the corresponding control It will be verified whether it matches the initial configuration information.
--- Second Embodiment ---

FIG. 10 is a diagram illustrating a network configuration example including the control device state verification system according to the second embodiment. The network configuration of the control device state verification system according to the second embodiment is the same as that of the first embodiment illustrated in FIG. 1, but the monitoring device 10 includes the control device in addition to the components in the first embodiment. A memory map temporary storage unit 109 that temporarily stores memory information 30 _{1 to} 30 n is included. In the second embodiment, a process in which the monitoring apparatus 10 generates evaluation target information using the memory map temporary storage unit 109 will be described.

  FIG. 11 is a flowchart illustrating an example of a processing procedure of the control device state verification method according to the second embodiment. Specifically, the flow generates the evaluation target information stored in the evaluation target storage unit 107 of the monitoring device 10. FIG.

In this case, since the monitoring device 10 acquires the memory information of the control devices 30 ₁ to 30 n before the trial operation of the control device, the memory map is acquired for each control device in the same manner as the above-described steps S501 ₁ and S601 _1. A command A1101 is generated (S1101) and transmitted to the corresponding control devices 30 ₁ to 30n.

On the other hand, each of the control devices 30 ₁ to 30 n receives the memory map acquisition command A 1101 from the monitoring device 10, and acquires a memory map that is memory configuration information held in the memory 35 based on this command. This is transmitted to the monitoring apparatus 10 (S1102).

On the other hand, the monitoring device 10 receives the memory map of each control device transmitted from the control devices 30 ₁ to 30 n as described above, and stores it in the memory map temporary storage unit 109 (S1103).

Subsequently, a predetermined test operation process is performed between the monitoring device 10 and the control devices 30 ₁ to 30 n (S1104). This trial operation process can be assumed to start the control device and execute a predetermined operation based on a predetermined protocol according to an instruction from the monitoring device 10. In the control device in which the trial operation is performed, it is assumed that any part of the memory map in the memory 35 has changed from the time of non-activation due to a predetermined process accompanying the trial operation.

Next, the monitoring device 10 generates a memory map acquisition command A1103 (S1105) and controls it to acquire memory information of the control devices 30 ₁ to 30n again after the above-described trial operation, as in step S1101 described above. and it transmits to the device 30 ₁ to the control unit 30n.

On the other hand, the control devices 30 ₁ to 30 n receive the memory map acquisition command A 1103 transmitted from the monitoring device 10, and acquire a memory map that is memory configuration information held in the memory 35 based on this command. This is transmitted to the monitoring device 10 (S1106).

  On the other hand, the monitoring apparatus 10 acquires the memory map (the one before the trial operation) stored in step S1103 described above from the memory map temporary storage unit 109 (S1107). In addition, the monitoring device 10 includes the memory map A1104 transmitted and received from the control device in step S1106 described above, and the memory map (after the trial operation) acquired from the memory map temporary storage unit 109 in step S1107 described above. In comparison, a static item whose memory map information does not change before and after the trial run is extracted (S1108).

The monitoring device 10 stores the static item extracted in step S1108 described above as evaluation target information regarding the corresponding control device in the evaluation target storage unit 107 (S1109), and ends the process. In this way, the monitoring apparatus 10 can automatically acquire the evaluation object information, that is, the evaluation object designation information, and use it for the subsequent processing.
--- Third Embodiment ---

  Next, in addition to the processing based on the memory map shown in the first and second embodiments described above, processing based on a memory dump indicating a binary value held in the memory 35 of the control device will be described. FIG. 12 is a diagram illustrating a network configuration example of the control device state verification system in the third embodiment.

The network configuration of the control device state verification system of the third embodiment is the same as that of the first embodiment illustrated in FIG. 1, but the monitoring device 10 is replaced with the memory map collection unit 101 and the memory dump acquisition unit 110. It is included. The control devices 30 ₁ to 30 n also include memory dump acquisition units 303 _{1 to} 303 n instead of the memory map acquisition units 301 ₁ to 301 n. The third embodiment is the same as the first embodiment except that the configuration in which the memory map is acquired from each control device is a configuration in which a memory dump is acquired and used. Each flow of 5 and 9 also becomes the flow of the second embodiment by replacing the corresponding wording with a memory dump. Therefore, the description regarding these flows is omitted in the third embodiment.

A specific example of the memory dump used in the third embodiment will be described with reference to FIG. FIG. 13 is a diagram illustrating a configuration example of memory dump information acquired from each control device in the control device state verification system according to the third embodiment. In this case, the memory dump A 1301 is an aggregate of records in which the memory information A 1303 actually stored in each area is associated with the area name A 1302 for identifying the area in the memory 35 of the corresponding control device as a key. . Note that the constituent elements of the memory dump A1301 are not limited to the area name A1302 and the memory information A1303 described above, and it is sufficient that at least these elements are included. Further, the arrangement order of the components of the memory dump A 1301 is not limited to that illustrated in FIG.

Here, a series of processes for transmitting alert information to the monitoring server 20 based on the memory map shown in the first embodiment, and a series of processes for transmitting alert information to the monitoring server 20 based on the memory dump in the third embodiment. A configuration for executing the above processing in combination will be described. FIG. 14 is a flowchart showing a processing procedure example of the control device state verification method according to the third embodiment. In this case, the monitoring apparatus 10 includes not only the memory dump collection unit 110 illustrated in FIG. 12 but also the memory map collection unit 101 in the first embodiment. Similarly, each of the control devices 30 _{1 to} 30 n has a memory map acquisition unit 301 and a memory dump acquisition unit 303.

In this case, the monitoring apparatus 10 repeatedly determines at predetermined time intervals whether a predetermined time period t1 or t2 has elapsed (s4000). As a result of the determination, when the elapse of the predetermined period t1 is detected (s4000: t1), the monitoring device 10 executes the above-described steps S601 _{1 to} S606 ₁ for each of the control devices 30 _{1 to} 30n as in the flow of FIG. (S4001). The predetermined period t2 is longer than the predetermined period t1, that is, t2> t1.

  After execution of the above-described step S4001, the monitoring apparatus 10 executes the above-described step S4000 again unless there is a stop instruction from the user or a predetermined program (s4003: n). Step S4001 described above is repeated until t2 is detected.

In any subsequent step S4000, when it is determined that the elapse of the predetermined period t2 is detected as a result of the determination (S4000: t2), the monitoring apparatus 10 stores the above-described steps S601 _{1 to} S606 ₁ in the memory instead of the memory map. The dump is executed in the same manner as the flow of FIG. 9 for each of the control devices 30 _{1 to} 30 n (s4002).

  After execution of the above-described step S4002, the monitoring apparatus 10 executes the above-described step S4000 again unless there is a stop instruction from a user or a predetermined program (s4003: n). It will be in a standby state until the passage of t1 is detected, and thereafter, the above-described steps S4001 and S4002 accompanying the passage of the predetermined periods t1 and t2 will be repeated.

  As described above, if the series of processes based on the memory map and the series of processes based on the memory dump are alternately executed at a predetermined frequency, the above-described change presence / absence detection process based on the memory map with a lighter processing load is performed. While executing routinely, it is possible to detect malicious programs by executing highly accurate change detection processing based on memory dumps at a lower frequency (or with an instruction from a user or a specific trigger). It is possible to establish a highly accurate detection process together with an efficient detection process such as mixing, which is preferable.

  According to the present embodiment, it is possible to detect unauthorized program mixing without imposing a processing load on the control device.

  Although the best mode for carrying out the present invention has been specifically described above, the present invention is not limited to this, and various modifications can be made without departing from the scope of the invention.

For example, the control device has a function of acquiring both a memory map and a memory dump, and is configured to selectively execute according to a predetermined timing (eg, elapse of a predetermined time, arrival of a predetermined time, occurrence of a predetermined event). Can be assumed. A configuration in which the functions of the monitoring device and the monitoring server are integrated into a single computer can also be assumed. Alternatively, it is possible to assume a configuration in which the control device does not include a communication function with the network and communicates with the network via another device. In addition, it is possible to assume a configuration in which the monitoring device does not have the initial configuration information or the evaluation target information and is acquired from another device. However, in any form, there is no essential change in the processing performed in the entire control device state verification system.

  At least the following will be clarified by the description of the present specification. That is, in the control device state verification system of the present embodiment, the arithmetic device communicates with the control device at the time of trial operation and collects a memory map of the corresponding control device, and the evaluation among the collected memory maps at the time of test operation. Information corresponding to a target may be extracted based on the designation information, and a process of storing the extracted evaluation target information in the storage device as the initial configuration information may be further executed.

  According to this, it is possible for the system side to automatically acquire appropriate initial configuration information and use it in the subsequent processing without requiring a presetting operation by a user or the like. Eventually, the overall processing efficiency is improved.

  Further, in the control device state verification system according to the present embodiment, the arithmetic device compares the extracted evaluation object information with the initial configuration information and detects the presence or absence of the change, during the operation after the trial operation. And collecting the memory map of the corresponding control device by communicating with the control device, extracting information corresponding to the evaluation target from the collected memory map at the time of operation, and extracting the evaluation target information And the initial configuration information based on the memory map at the time of the test operation, and the presence or absence of a change between the test operation time and the operation time in the evaluation target of the memory map may be detected.

  According to this, it is possible to perform processing between the trial operation and the operation during which the difference in the memory map is easily clarified, and to increase the accuracy of detection of unauthorized program mixing.

  Further, in the control device state verification system according to the present embodiment, the arithmetic device, in the process of storing the initial configuration information in a storage device, information corresponding to the evaluation object in the memory map in the control device at the time of trial operation. Is stored in the storage device as initial configuration information information processed by a predetermined data size reduction algorithm, and in the process of comparing the evaluation object information and the initial configuration information, among the collected memory map during operation Information corresponding to the evaluation target is extracted based on the specified information, and the information obtained by processing the extracted evaluation target information by the data size reduction algorithm is compared with the initial configuration information based on the memory map at the time of the test run. It is good also as what to do. As a means for configuring the above-described data size reduction algorithm, for example, a hash function can be assumed.

  According to this, the memory map and the initial configuration information can be used while being reduced to information of a predetermined size regardless of the original size, and the processing efficiency and data management efficiency can be improved. As a result, the processing load on the control device is reduced.

  Further, in the control device state verification system according to the present embodiment, the arithmetic device communicates with the control device before and after the trial run, collects a memory map of the corresponding control device for each before and after the trial run, and stores the memory before and after the trial run. A process of comparing the maps, specifying a region having no difference between the memory maps before and after the test run as the evaluation target, and storing information indicating the specified region in the storage device as the evaluation target designation information It is good also as what to do.

  According to this, it becomes possible for the system side to automatically acquire appropriate information to be evaluated and use it for the subsequent processing without requiring a user or the like to perform presetting work. Eventually, the overall processing efficiency is improved.

  Further, in the control device state verification system of the present embodiment, the arithmetic device may execute a series of processes leading to detection of the presence / absence of change and transmission of the alert information at predetermined time intervals.

  According to this, it becomes possible to quickly identify a change in the target control device, that is, an illegal program mixture.

  Further, in the control device state verification system according to the present embodiment, the storage device includes, as the evaluation target designation information, the type of the corresponding control device and a memory area that is considered not to change during operation of the corresponding type of control device. Information corresponding to the evaluation object among the identification information of the corresponding control device, the type, and the memory map is stored as the initial configuration information, and the arithmetic device is the control device. As a memory map of the corresponding control device, each information of the area name for identifying the area of the memory, the area start address indicating the start address of the area, and the area size indicating the size of the area is collected, Information corresponding to the evaluation target is extracted from the collected memory map based on the designation information, and the extracted evaluation target information, the initial configuration information, In comparison, the detected changes whether from the initial state in the evaluation of the memory map, in which the change is to send the alert information to a predetermined device when it is detected may be.

  According to this, the identification of the evaluation target in the memory map and the detection of the above-described change can be made efficient.

  Further, in the control device state verification system of the present embodiment, the storage device includes the designation information to be evaluated in a memory dump indicating a binary value held in the internal memory of the control device, and the memory dump of the control device. The initial configuration information of information corresponding to the evaluation target is further stored, and the arithmetic device communicates with the control device during operation to collect a memory dump of the corresponding control device, and the collected operation time The information corresponding to the evaluation target is extracted from the memory dump based on the designation information, and the extracted evaluation target information is compared with the initial configuration information related to the memory dump. Further detecting the presence or absence of a change from the initial state, and further executing a process of sending alert information to a predetermined device when the change is detected In it, it may be.

  According to this, by detecting whether there is a change in the memory dump, that is, the data itself held in the memory, it is possible to efficiently detect even a malicious program mixed without changing the memory map. .

  Further, in the control device state verification system according to the present embodiment, the arithmetic device communicates with the control device at the time of trial operation and collects a memory dump of the corresponding control device, and the evaluation of the collected memory dump at the time of test operation. Information corresponding to a target may be extracted based on the designation information, and a process of storing the extracted evaluation target information in the storage device as the initial configuration information may be further executed.

  According to this, it becomes possible for the system side to automatically acquire appropriate initial configuration information based on the memory dump and use it for the subsequent processing without requiring a presetting operation by the user or the like. Eventually, the overall processing efficiency is improved.

  Further, in the control device state verification system according to the present embodiment, the arithmetic device, in the process of storing the initial configuration information related to the memory dump in the storage device, to the evaluation target among the memory dump in the control device at the time of test operation. The information obtained by processing the corresponding information by a predetermined data size reduction algorithm is stored in the storage device as initial configuration information, and the collected memory at the time of processing is compared with the evaluation target information and the initial configuration information. Information corresponding to the evaluation target in the dump is extracted based on the specified information, information obtained by processing the extracted evaluation target information by the data size reduction algorithm, and the initial configuration information based on the memory dump during the test run And may be compared.

  According to this, it is possible to perform processing between the trial operation and the operation during which the difference between the memory dumps is easily clarified, and to increase the accuracy of detection of unauthorized program mixing.

  Further, in the control device state verification system according to the present embodiment, the arithmetic device detects whether or not the memory map has changed from an initial state in the evaluation target, and when the change is detected, alert information is sent to a predetermined device. A series of processes to be transmitted, and a series of processes for detecting presence or absence of a change from the initial state in the evaluation target of the memory dump and transmitting alert information to a predetermined device when the change is detected, are performed at a predetermined frequency. It is good also as what is performed by turns.

  According to this, while the above-described change presence / absence detection processing based on a memory map with a lighter processing load is routinely executed, it is performed less frequently or with an instruction from a user or a specific trigger (eg, other monitoring device) High-precision detection processing as well as efficient detection processing such as mixing of illegal programs, such as execution of high-precision change detection processing based on memory dumps at the timing of receiving an alert etc.) It can be established at the same time.

10 Monitoring device (Control device status verification system)
11 Communication Device 12 Input / Output Device 13 Storage Device 14 CPU
DESCRIPTION OF SYMBOLS 15 Memory 16 Reading apparatus 17 Storage medium 18 Internal signal line 101 Memory map collection part 102 Evaluation object acquisition part 103 Cryptographic operation part 104 Tampering detection part 105 Alert generation part 106 Initial structure information storage part 107 Evaluation object information storage part 108 Communication part 109 Memory map temporary storage unit 110 Memory dump collection unit 20 Monitoring server 201 Alert collection unit 202 Communication unit 30 _{1 to} 30n Control device 301 _{1 to} 301n Memory map acquisition unit 302 _{1 to} 302n Communication unit 303 _{1 to} 303n Memory dump acquisition unit 40 Network A501 ₁ ~A501n memory map acquisition command A502 ₁ ~A502n memory map A601 ₁ ~A601n memory map acquisition command A602 ₁ ~A602n memory map A603 ₁ ~A603n alert information A7 1 memory map A702 area name A703 area start address A704 area size A801 evaluated information A802 equipment types A803 evaluation area name list A901 initial configuration information A902 device ID
A903 Device type A904 Initial configuration data A1101 Memory map acquisition command A1102 Memory map A1103 Memory map acquisition command A1104 Memory map A1301 Memory dump A1302 Area name A1303 Memory information

Claims (12)

A communication device that communicates with the control device via a network;
A storage device for storing designation information of an evaluation target in the memory map of the control device, and initial configuration information of information corresponding to the evaluation target in the memory map of the control device;
Communicating with the control device, collecting a memory map of the control device, extracting information corresponding to the evaluation object from the collected memory map based on the designation information, and extracting the evaluation object information and the initial configuration An arithmetic unit that compares information and detects whether there is a change from the initial state of the evaluation target of the memory map, and executes processing for transmitting alert information to a predetermined device when the change is detected;
A control device state verification system comprising: The arithmetic unit is:
Collecting a memory map of the corresponding control device by communicating with the control device at the time of the test run, extracting information corresponding to the evaluation target from the collected memory map at the time of the test run based on the specified information, and extracting the extracted evaluation A process of storing target information in the storage device as the initial configuration information is further executed.
The control device state verification system according to claim 1. The arithmetic unit is:
In the process of comparing the extracted evaluation object information and the initial configuration information to detect the presence or absence of the change, the memory map of the corresponding control device is collected by communicating with the control device during operation after the trial operation, Based on the specified information, information corresponding to the evaluation target is extracted from the collected memory map during operation, and the extracted evaluation target information is compared with the initial configuration information based on the memory map during the trial operation. , Detecting whether or not there is a change during the operation from the trial operation in the evaluation target of the memory map,
The control device state verification system according to claim 2. The arithmetic unit is:
In the process of storing the initial configuration information in the storage device, the information corresponding to the evaluation target in the memory map in the control device at the time of trial operation is processed as a predetermined data size reduction information as initial configuration information. Stored in a storage device,
In the process of comparing the evaluation object information and the initial configuration information, information corresponding to the evaluation object is extracted based on the designation information in the collected memory map at the time of operation, and the extracted evaluation object information is The information processed by the data size reduction algorithm is compared with the initial configuration information based on the memory map during the trial run.
The control device state verification system according to claim 3. The arithmetic unit is:
Before and after the test run, communicate with the control device to collect the memory map of the corresponding control device before and after the test run, compare the memory map before and after the test run, and identify areas where there is no difference between the memory maps before and after the test run. The process of specifying the evaluation target and storing information indicating the specified area in the storage device as the evaluation target designation information is further executed.
The control device state verification system according to claim 1. The arithmetic unit is:
A series of processes leading to detection of the presence / absence of change and transmission of the alert information is performed at predetermined time intervals,
The control device state verification system according to claim 1. The storage device
As the evaluation target designation information, information about the type of the corresponding control device and the area of the memory that is considered not to change during operation of the corresponding type of control device is stored,
As the initial configuration information, the identification information of the corresponding control device, the type, the information corresponding to the evaluation object among the memory map is stored,
The arithmetic unit is:
Communicate with the control device and collect each information of the area name that identifies the memory area, the area start address that indicates the start address of the area, and the area size that indicates the size of the area as a memory map of the corresponding control apparatus Then, information corresponding to the evaluation target is extracted from the collected memory map based on the designation information, the extracted evaluation target information is compared with the initial configuration information, and the evaluation result of the memory map The presence or absence of a change from the initial state is detected, and alert information is transmitted to a predetermined device when the change is detected.
The control device state verification system according to claim 1. The storage device
It further stores the designation information of the evaluation target in the memory dump indicating the binary value held by the internal memory of the control device and the initial configuration information of the information corresponding to the evaluation target in the memory dump of the control device. Yes,
The arithmetic unit is:
Collecting a memory dump of the corresponding control device by communicating with the control device during operation, extracting information corresponding to the evaluation object from the collected memory dump during operation based on the specified information, and extracting the evaluation object Information is compared with the initial configuration information related to the memory dump to detect whether the memory dump has changed from the initial state in the evaluation target, and when the change is detected, alert information is transmitted to a predetermined device To perform further processing,
The control device state verification system according to claim 1. The arithmetic unit is:
Collecting a memory dump of the corresponding control device by communicating with the control device at the time of the test run, extracting information corresponding to the evaluation target from the collected memory dump at the time of the test run, and extracting the extracted evaluation A process of storing target information in the storage device as the initial configuration information is further executed.
The control device state verification system according to claim 8. The arithmetic unit is:
In the process of storing the initial configuration information related to the memory dump in the storage device, the information corresponding to the evaluation target in the memory dump in the control device at the time of the test operation is initially processed by a predetermined data size reduction algorithm. Store it in the storage device as configuration information,
In the process of comparing the evaluation object information and the initial configuration information, information corresponding to the evaluation object is extracted from the collected memory dump during operation based on the designation information, and the extracted evaluation object information is The information processed by the data size reduction algorithm is compared with the initial configuration information based on the memory dump during the test run.
The control device state verification system according to claim 9. The arithmetic unit is:
From the initial state in the evaluation target of the memory dump, a series of processes for detecting presence or absence of a change from the initial state in the evaluation target of the memory map, and transmitting alert information to a predetermined device when the change is detected A series of processes for detecting the presence or absence of a change and transmitting alert information to a predetermined device when the change is detected are alternately executed at a predetermined frequency.
The control device state verification system according to claim 8. A communication device that communicates with a control device via a network, specification information of an evaluation target in a memory map of the control device, and initial configuration information of information corresponding to the evaluation target in the memory map of the control device are stored A computer system comprising a storage device
Communicating with the control device, collecting a memory map of the control device, extracting information corresponding to the evaluation object from the collected memory map based on the designation information, and extracting the evaluation object information and the initial configuration Comparing the information, detecting the presence or absence of a change from the initial state in the evaluation target of the memory map, and executing processing to send alert information to a predetermined device when the change is detected,
A control device state verification method.

Images