JP2017167695A - Attack countermeasure determination system, attack countermeasure determination method and attack countermeasure determination program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an attack countermeasure determination system capable of more properly determining a countermeasure of a constitution against attack means.SOLUTION: An attack countermeasure determination system comprises: a detection information generation part 102 for generating attack detection information 121 containing attack means of cyber attack, detection means for detecting the attack means, and detection accuracy of the detection means to the attack means; and a countermeasure state determination part 104 for acquiring the attack detection information 121, and constitution countermeasure information 15 containing detection means which is executed as a countermeasure against the attack means in a constitution which is an object of the cyber attack, as constitution detection means, then based on the detection accuracy included in the attack detection information 121 and the constitution countermeasure information 15, determining an effective degree indicating a degree of effectiveness of a countermeasure in the constitution.SELECTED DRAWING: Figure 2

Description

  The present invention relates to an attack countermeasure determination system, an attack countermeasure determination method, and an attack countermeasure determination program for determining a shortage or reinforcement in cyber attack countermeasures for an organization information system.

  In recent years, accidents in which malware leaks confidential information outside the organization have become a problem. Cyber attacks using malware are becoming more sophisticated. Specific examples include attacks called APT (advanced, persistent, threat) shown in Non-Patent Document 1.

  In APT, malware that has invaded the organization via attached emails, etc. infects computers, and communicates with C & C (Command & Control) servers on the Internet operated by attackers to download new malware and attack tools or update itself. To do. Then, the malware receives an instruction from the C & C server, scouts the organization, finds a file server, and leaks a confidential file to the C & C server by communication. If each of these activities is regarded as an attack, each attack is performed in stages over a long period of time. As a specific example, a malware that has infected a computer hides itself for one month after infection and begins to communicate with the C & C server one month later.

  As existing technologies for APT countermeasures, there are various technologies such as technology for detecting suspicious HTTP (Hypertext, Transfer, Protocol) communication, and virus detection technology using a pattern file. Non-Patent Document 1 is an example of such an APT countermeasure.

  In addition, there are many attacking measures to be taken when implementing cyber attack countermeasures, and in order to protect the information system safely, after investigating which attacking measures should be taken against comprehensive attack information, It is necessary to take security measures to detect and take measures against attacks. Non-Patent Document 2 is an example of comprehensive attack means information. The list of attack means shown in this document shows an outline of attack means, attack methods, effects, detection and countermeasure methods.

  Further, there is Non-Patent Document 3 as a format for sharing information on what kind of attack has occurred with respect to a cyber attack.

  Patent Document 1 discloses a function for displaying whether or not an attack means currently occurring can be avoided by changing the security service menu and countermeasures contracted by the service user in the security monitoring service. .

Japanese Patent Laying-Open No. 2015-026182

Design and Operation Guide Revised Second Edition for Countermeasures against “New Type of Attack”, IPA, November 2011, https: // www. ipa. go. jp / files / 000013308. pdf Examples of attack means list, CAPEC: Common Attack Pattern Enumeration and Classification, https: // capec. mitre. org / An example of a list of attack means, STIX: Structured Thread Information eExpression, https: // stix. mitre. org /

Since cyber attacks are performed using various attack means, it is indicated by CAPEC (Common Attack, Pattern, Enumeration, and Classification: List of Common Attack Patterns) to ensure cyber attack countermeasures in information systems. It is necessary to refer to a comprehensive list of attack means and to examine what kind of detection and countermeasure should be taken for each attack means.
Here, detection and countermeasures will be described.
Detection is to find the means of attack. As a specific example, detecting an attack packet by IDS (Intrusion / Detection / System) is applicable.
Countermeasures are measures that, when implemented, will not be damaged even if the attack means are executed. As a specific example, patch application that applies a vulnerability correction patch of software and is not affected even if an attack to the vulnerability occurs is applicable.
Malware may be detected and removed by anti-malware software. This measure includes both detection and countermeasures.
Hereinafter, the terms “detection” and “countermeasure” are used in the above-mentioned meaning.

In addition, there are cases in which detection and countermeasures cannot be performed for all attack means due to cost and operational load increase due to the introduction of detection and countermeasures, and it is necessary to extract attack means to preferentially take countermeasures. .
Furthermore, even if a security product or a detection technology having a function of detecting an attack means is applied as a detection / countermeasure for a certain attack means, detection failure may occur depending on the method. As a specific example, even if there is a product that detects a malicious program such as a virus by detecting suspicious behavior of the program, if the malicious program performs illegal activities within the range of behavior similar to that of a normal program, it will not be detected There are things to do. In addition, in the case of a product with many false detections, there is an operation that judges that an attack has been detected only when the same detection alert occurs more than the threshold number of times within a certain period of time, and attacks that do not satisfy this condition will be missed. become. Therefore, even if detection / countermeasures are implemented for attack means, detection may be missed, so detection needs to be strengthened.

However, conventionally, there has been no technology that indicates whether or not the detection / countermeasures already implemented for the attack means should be strengthened by other detection / countermeasures, and how they should be strengthened.
Japanese Patent Laid-Open No. 2004-228867 deals with currently occurring attack means by changing the contracted detection / countermeasure service menu to an appropriate one from other prepared detection / countermeasure service menus. It has been shown. However, the detection / countermeasure service menu that has been prepared does not show a method for strengthening the detection / countermeasure service menu in consideration of omissions and false detections.

  It is an object of the present invention to provide an attack countermeasure determination system that can more accurately determine an organization countermeasure against an attack means based on detection accuracy in consideration of detection omissions and false detections of the detection means.

The attack countermeasure determination system according to the present invention includes:
A detection information generation unit that generates attack detection information including attack means for cyber attack, detection means for detecting the attack means, and detection accuracy of the detection means for the attack means;
The attack detection information and organization countermeasure information including, as an organization detection means, detection means implemented as a countermeasure against the attack means in an organization that is a target of the cyber attack, the detection included in the attack detection information And a countermeasure status determination unit that determines an effect level indicating the degree of the effect of the countermeasure in the organization based on the accuracy and the organization countermeasure information.

  In the attack countermeasure determination system according to the present invention, the detection information generation section generates attack detection information including the detection accuracy of the detection means for the attack means, and the countermeasure status determination section determines the attack detection information and the countermeasure against the attack means in the organization. The organization countermeasure information including the detecting means implemented as the tissue detecting means is acquired, and the degree of effectiveness representing the degree of the effect of the countermeasure in the organization is determined based on the detection accuracy and the organization countermeasure information. As described above, according to the attack countermeasure determination system according to the present invention, it is possible to determine the countermeasure of the organization against the attack means based on the detection accuracy, and it is possible to determine the countermeasure of the organization more accurately. .

The figure which shows the relationship between the countermeasure status production | generation apparatus 1, the attack example determination apparatus 2, and the countermeasure candidate extraction apparatus 3 which concern on Embodiment 1. FIG. 1 is a configuration diagram of a countermeasure status generation apparatus 1 according to Embodiment 1. FIG. FIG. 6 is a flowchart of attack countermeasure determination processing S100 of the attack countermeasure determination method 510 and the attack countermeasure determination program 520 according to the first embodiment. FIG. 6 is a configuration diagram of input / output of attack information generation processing S110 according to the first embodiment. FIG. 3 is a flowchart of attack information generation processing S110 according to the first embodiment. FIG. 5 is a configuration diagram of input / output of detection information generation processing S120 according to the first embodiment. The figure which shows the example of the detection countermeasure means information 12 which concerns on Embodiment 1. FIG. The figure which shows another example of the detection countermeasure means information 12 which concerns on Embodiment 1. FIG. FIG. 5 is a diagram showing an example of a keyword conversion table according to the first embodiment. FIG. 6 is a flowchart of detection information generation processing S120 according to the first embodiment. The figure which shows the determination table 1201 used by detection information generation process S120 which concerns on Embodiment 1. FIG. The block diagram of the input / output of the risk determination processing S130 according to the first embodiment. The figure which shows an example of the attack example information 13 which concerns on Embodiment 1. FIG. FIG. 6 is a diagram showing an example of weighting information 14 according to the first embodiment. FIG. 5 is a flowchart of risk determination processing S130 according to the first embodiment. FIG. 5 is a configuration diagram of input / output of attack countermeasure situation determination processing S140 according to the first embodiment. FIG. 4 is a diagram showing an example of organization countermeasure information 15 according to the first embodiment. FIG. 6 is a flowchart of attack countermeasure situation determination processing S140 according to the first embodiment. The block diagram of the countermeasure status generation apparatus 1 which concerns on the modification of Embodiment 1. FIG. The figure which shows the structure and input / output of the attack example determination apparatus 2 which concern on Embodiment 2. FIG. The flowchart of attack case determination processing S200 by the attack case determination part 201 which concerns on Embodiment 2. FIG. The figure which shows the structure and input / output of the countermeasure candidate extraction apparatus 3 which concern on Embodiment 3. FIG. The figure which shows the structure of the countermeasure candidate extraction apparatus 3 which concerns on Embodiment 3, and another example of input / output. The flowchart of countermeasure candidate extraction process S300 which concerns on Embodiment 3. FIG. The figure which shows the structure and input / output of the countermeasure candidate extraction apparatus 3 which concern on Embodiment 4. FIG. FIG. 18 is a configuration diagram of organization countermeasure information 15a according to the tenth embodiment.

Embodiment 1 FIG.
*** Explanation of configuration ***
With reference to FIG. 1, the relationship among the countermeasure status generation device 1, the attack case determination device 2, and the countermeasure candidate extraction device 3 according to the present embodiment will be described.
The countermeasure status generation apparatus 1 outputs countermeasure status information 16 for the attack information 11 using detection countermeasure means information 12, organization countermeasure information 15, attack case information 13, and weighting information 14. The attack information 11 is information relating to attack means. The detection countermeasure means information 12 is detection / countermeasure information including information on detection failure and possibility of erroneous detection. The organization countermeasure information 15 is countermeasure information that has already been implemented in the target organization whose countermeasure status against the attack is investigated by the countermeasure status generation device 1. The attack case information 13 is cyber attack case information. The weighting information 14 is information for determining the risk level. The countermeasure status information 16 is information including an evaluation determination on the countermeasure status of the organization against the attack means included in the attack information 11.

  The attack case determination device 2 uses the countermeasure status information 16 to determine whether a countermeasure is taken against certain attack case information 13a, and outputs attack case correspondence information 17.

  The countermeasure candidate extraction device 3 outputs the strengthening countermeasure information 18 which is information for strengthening the countermeasure against the attack means determined to be erroneously detected or avoidable in the attack case correspondence information 17.

The configuration of the countermeasure status generation apparatus 1 according to the present embodiment will be described with reference to FIG.
In the present embodiment, the countermeasure status generation apparatus 1 is a computer. The countermeasure status generation apparatus 1 includes hardware such as a processor 910, a storage device 920, an input interface 930, and an output interface 940.
Further, the countermeasure status generation apparatus 1 has an attack information generation unit 101, a detection information generation unit 102, a risk level determination unit 103, a countermeasure status determination unit 104, a countermeasure status output unit 105, and a storage unit 150 as functional configurations. With. In the following description, the functions of the attack information generation unit 101, the detection information generation unit 102, the risk level determination unit 103, the countermeasure status determination unit 104, and the countermeasure status output unit 105 in the countermeasure status generation device 1 are described as countermeasures. This is referred to as a “part” function of the situation generating device 1. The function of “part” of the countermeasure status generation apparatus 1 is realized by software.
The storage unit 150 is realized by the storage device 920. The storage unit 150 stores attack means information 111, attack detection information 121, and attack detection risk information 131. Countermeasure status information 16 output by the countermeasure status output unit 105 may be stored.

The processor 910 is connected to other hardware via a signal line, and controls these other hardware.
The processor 910 is an integrated circuit (IC) that performs processing. The processor 910 is specifically a CPU (Central Processing Unit).

  The storage device 920 includes an auxiliary storage device 921 and a memory 922. Specifically, the auxiliary storage device 921 is a ROM (Read / Only / Memory), a flash memory, or an HDD (Hard / Disk / Drive). The memory 922 is specifically a RAM (Random Access Memory). The storage unit 150 is realized by the memory 922. Note that the storage unit 150 may be realized by the auxiliary storage device 921 or may be realized by both the auxiliary storage device 921 and the memory 922.

  The input interface 930 is a port connected to an input device such as a mouse, a keyboard, and a touch panel. The input interface 930 takes the attack information 11, detection countermeasure means information 12, attack case information 13, weighting information 14, and organization countermeasure information 15 into the countermeasure status generation apparatus 1. Specifically, the input interface 930 is a serial interface such as a USB (Universal, Serial, Bus) terminal or RS-232C. The input interface 930 may be a port connected to a LAN (Local / Area / Network).

  The output interface 940 is a port to which a cable of a display device such as a display is connected. The output interface 940 is, as a specific example, a serial interface such as a USB terminal, an HDMI (registered trademark) (High Definition, Multimedia, Interface) terminal, or RS-232C. Specifically, the display is an LCD (Liquid / Crystal / Display).

  The auxiliary storage device 921 stores a program that realizes the function of “unit”. This program is loaded into the memory 922, read into the processor 910, and executed by the processor 910. The auxiliary storage device 921 also stores an OS (Operating System). At least a part of the OS is loaded into the memory 922, and the processor 910 executes a program that realizes the function of “unit” while executing the OS.

  The countermeasure status generation apparatus 1 may include only one processor 910 or may include a plurality of processors 910. A plurality of processors 910 may execute a program for realizing the function of “unit” in cooperation with each other.

  Information, data, signal values, and variable values indicating the results of processing by the function of “unit” are stored in the auxiliary storage device 921, the memory 922, or a register or cache memory in the processor 910. In FIG. 2, an arrow connecting each part of “part” and the storage unit 150 indicates that the result of processing by each part is stored in the storage unit 150 or that each part reads information from the storage unit 150. . Moreover, the arrow which connects each part represents the flow of control. Note that the memory 922 indicating that information is exchanged between the units via the memory 922 and an arrow between the units are omitted.

The program for realizing the function of “part” may be stored in a portable recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a Blu-ray (registered trademark) disk, or a DVD (Digital Versatile Disc).
A program that realizes the function of “part” is also referred to as an attack countermeasure determination program 520. The attack countermeasure determination program is a program that realizes the function described as “part”. Also, what is called an attack countermeasure determination program product is a storage medium and a storage device in which the attack countermeasure determination program is recorded, and is loaded with a computer-readable program regardless of the appearance format. .

*** Explanation of operation ***
FIG. 3 is a flowchart of the attack countermeasure determination processing S100 of the attack countermeasure determination method 510 and the attack countermeasure determination program 520 according to the present embodiment.
As shown in FIG. 3, the attack countermeasure determination process S100 includes an attack information generation process S110, a detection information generation process S120, a risk determination process S130, a countermeasure situation determination process S140, and a countermeasure situation output process S150. .

<Attack information generation process S110>
The input / output configuration of the attack information generation process S110 according to the present embodiment will be described with reference to FIG.
The attack information generation unit 101 receives a plurality of pieces of attack information 11 such as CAPEC expressing the attack means of a cyber attack, and outputs attack means information 111. The attack information 11 is composed of attack means ID, attack name, description, severity, detection / countermeasure, affected software name information, and the like. In the present embodiment, the attack information generation unit 101 extracts the attack means ID, attack name, and description from one attack information 11 and records them as one line of information in the attack means information 111. One line of information is also called an entry. This process is performed for all attack information 11. As a result, the attack information generation unit 101 outputs attack means information 111 shown in FIG. In FIG. 4, the attack means information 111 is represented as a table. It is assumed that the cyber attacking means 21 is specified from at least either the attacking means ID or the attack name. The explanatory text is also simply referred to as an explanation.

Next, the flow of the attack information generation process S110 according to the present embodiment will be described with reference to FIG.
In step S111, the attack information generation unit 101 sets the number of attack information 11 in a variable a, that is, how many pieces of attack information 11 exist. Further, the attack information generation unit 101 selects attack information i from the attack information 11. Here, i is a natural number from 1 to the number of attack information 11.
In step S112, the attack information generation unit 101 ends the process when i> a. If i> a is not satisfied, the process proceeds to step S113.
In step S113, the attack information generation unit 101 extracts the attack means ID, the attack name, and the description from the attack information i, and adds them to the attack means information 111 as one line of information.
In step S114, the attack information generation unit 101 increments i.

  This is the end of the description of the attack information generation process S110.

<Detection information generation process S120>
The input / output configuration of the detection information generation process S120 according to the present embodiment will be described with reference to FIG.
The detection information generation unit 102 generates attack detection information 121 including a cyber attack attack means 21, a detection means 22 for detecting the attack means 21, and a detection accuracy 23 of the detection means 22 for the attack means 21.

  Specifically, the detection information generation unit 102 inputs the attack means information 111 including the attack means 21 and the detection countermeasure means information 12 regarding the detection / countermeasure technology / product, and outputs the attack detection information 121. Here, the detection / countermeasure technology / product is assumed to be detection means 22 for detecting / countering the attack means 21. The detection means 22 is also called detection / countermeasure or detection / countermeasure means. The attack detection information 121 is obtained by mapping the information of the detection means 22 for the attack means 21 identified by the attack means ID in the attack means information 111. The attack detection information 121 is set with a detection accuracy 23 indicating how effective the detection unit 22 is against the attack unit 21. The attack detection information 121 is also referred to as attack means / detection countermeasure means information.

As a specific example, the detection countermeasure means information 12 includes detection / countermeasure technology and product information such as IDS / FW (FireWall) / mail filter, and log analysis information such as analysis of proxy log / analysis of FW log. It comprises detection means 22. In this case, the detection accuracy 23 indicates which detection / countermeasure technology or product / log analysis is effective as a countermeasure to the attack means 21: ○: Detectable, ×: Undetectable, △: False detection possible There is a possibility, □: There is a possibility of detection omission, ◇: It is expressed in the expression that detection is possible, detection is impossible, and there is a false detection. That is, the detection accuracy 23 includes a first detection accuracy (x: detection is impossible) where the detection means 22 cannot detect the attack means 21 and a second detection accuracy (□ where the detection means 22 may fail to detect the attack means 21). : There is a possibility of detection omission), the third detection accuracy in which the detection means 22 may erroneously detect the attack means 21 (Δ: possibility of erroneous detection), and the detection means 22 erroneously detected the attack means 21 The detection means 22 detects the attack means 21 and the detection means 22 can detect the attack means 21; and the detection means 22 detects the attack means 21. It has a fifth detection accuracy (◇: detectable, undetectable, with false detection) where the detection means 22 may detect the attack means 21 erroneously. The detection accuracy 23 includes a first detection accuracy (×: detection impossible), a second detection accuracy (□: detection may be missed), and a third detection accuracy (Δ: possibility of false detection). And at least one of fourth detection accuracy (◯: detectable) and fifth detection accuracy (◇: detectable / not detectable / with false detection).
Here, “the detection means 22 erroneously detects the attack means 21” means that the detection means 22 erroneously detects normal communication / processing other than the attack means 21 and attacks other than the attack means 21 as the attack means 21. It means to end up.

FIG. 7 is a diagram showing an example of detection countermeasure means information 12 according to the present embodiment. FIG. 7 shows an example in which a security product is indicated in the detection countermeasure means information 12. Moreover, in FIG. 7, the detection countermeasure means information 12 is expressed as a table. The meanings of the table columns are described below.
“CM_ID” is an ID for distinguishing one piece of detection / measure information.
“Product category” indicates a category of security products such as FW and behavior detection. Here, the product category includes a category of a product such as hardware, software, and a system, a category of hardware, software, and a system that is disclosed free of charge, a category of security technology, and the like.
“Detectable” indicates an attack means that can be detected by this product.
“Undetectable” indicates an attack that cannot be detected by this product.
“Error detection” indicates a process or communication erroneously detected by this product.

A specific example will be described using the first line of the detection countermeasure means information 12 of FIG.
“CM_ID” is a security product with CM_ID_1.
The “product category” is the next generation FW, and the name “next generation FW” indicating the “product category” and the keyword indicating the “product category” are set as [NGFW] (Next Generation Generation Fire Wall). The This product is a product that detects a suspicious HTTP communication when a reputation function and a large amount of HTTP traffic occur. Here, with the reputation function, it is determined whether or not an HTTP communication website is illegal by using a database storing information that determines whether or not various websites are malignant. In this case, the function is to detect that suspicious HTTP communication is being performed.
“Detectable” is “suspicious HTTP communication” and means that it can be detected as suspicious HTTP communication by the reputation function and a large amount of HTTP communication detection function provided in this product. [URL, Suspicous, HTTP] is set as a keyword indicating “suspicious HTTP communication”.
“Undetectable” is “HTTP communication with a legitimate site that has been altered”. In the reputation function, if a legitimate site that has been tampered with has been tampered with immediately, the information that it has been tampered with and is a malicious website may not be reflected in the database. In this case, communication with this website is not possible. Is not detected as suspicious. [URL, legitimate, HTTP] is set as a keyword indicating “HTTP communication with an altered legitimate site”.
The “false detection” is “regular mass HTTP communication”. When a large amount of communication with a legitimate website occurs by accident, it is erroneously detected as suspicious communication. [URL, Legitimate, HTTP] is set as a keyword indicating “regular mass HTTP communication”.
Note that CM_ID_2 in the second line is an example of behavior detection (AP: Application), and CM_ID_3 in the third line is an example of IDS (signature type). It should be noted that when there is no applicable matter like the erroneous detection of CM_ID_3, it is described as “no”.
The keyword will be explained in detail later.
As described above, the detection countermeasure means information 12 of FIG. 7 stores information on the possibility of detection, the detection impossible, and the possibility of erroneous detection for each type of security product.

FIG. 8 is a diagram showing another example of detection countermeasure means information 12 according to the present embodiment. FIG. 8 shows an example in which log analysis is shown in the detection countermeasure means information 12. The meaning of the columns in the table of FIG. 8 will be described below.
“CM_ID” is an ID for distinguishing one detection / measure.
“Log type” indicates the type of log to be analyzed in order to detect attack means.
“Detectable” indicates an attack means that can be detected by this log analysis.
“Undetectable” indicates an attack means that cannot be detected by this log analysis.
“Error detection” indicates processing or communication erroneously detected in the log analysis.

A specific example will be described using the first line of the detection countermeasure means information 12 in FIG.
“CM_ID” is log analysis of CM_ID_11.
“Log type” is a proxy log, and “PROXY” is set as a name “proxy log” indicating “log type” and a keyword indicating “product category”.
This log analysis is an attack (suspicious communication) when one Web site and one terminal communicates periodically (Periodic) when the number of times of communication per unit time is equal to or greater than a threshold. Detect as.
“Detectable” is “periodic C & C communication”. When the number of times that one Web site (C & C server) and one terminal communicate per unit time is equal to or greater than the threshold, the communication with the C & C server is performed. It is detected that [HTTP, Periodic] is set as a keyword indicating “periodic C & C communication”.
“Undetectable” is “irregular C & C communication”. As a specific example, when one website (C & C server) and one terminal communicate at random intervals, the number of times that one website and one terminal communicate per unit time may not exceed the threshold. In this case, it cannot be detected. [HTTP, unperiodic] is set as a keyword indicating “irregular C & C communication”.
“Error detection” is “regular HTTP communication”. A false detection occurs when the number of times that one regular website and one terminal communicate per unit time is equal to or greater than a threshold value. [HTTP, uniental, periodic] is set as a keyword indicating “regular HTTP communication”.
Note that CM_ID_12 in the second line records an event such as an authentication error in an audit log of the OS or the like, and CM_ID_13 in the third line is FW (Fire / Wall) and records a policy violation communication or the like. It is an example.
As described above, the detection countermeasure means information 12 of FIG. 8 stores information on the possibility of detection, the possibility of detection failure, and the possibility of erroneous detection for each log to be analyzed and analysis content.

As the above keywords, words that appear in common in the attack information 11 and the attack case information 13 are used in advance. When using public information for the attack information 11 and the attack case information 13, the wording expressing the attack means and the wording indicating the detection means (detection / measures such as product category and log type) are the same. First of all, the common words are extracted. Next, when the detection countermeasure means information 12 is generated, by setting the extracted word as a keyword, the attack means, detection means (detection / countermeasure) in the attack information 11, the detection countermeasure means information 12, and the attack case information 13 You can share the wording that represents.
The detection countermeasure means information 12 is created in advance outside the countermeasure status generation apparatus 1 from the product category and the technology category using the above-described method. Note that the detection countermeasure means information 12 may be manually created in advance from the product category and the technology category using the above-described method.

FIG. 9 is a diagram showing an example of a keyword conversion table according to the present embodiment.
If the attack information 11, the attack case information 13 and the detection countermeasure means information 12 cannot be shared with the wording expressing the attack means and the detection means (detection / countermeasure of product category, log type, etc.), Then, a keyword conversion table is created and stored in the countermeasure status generation apparatus 1.
In the example of the keyword conversion table of FIG. 9, in the No. 1 row, the keyword “Virus” in the detection countermeasure means information 12 is regarded as the same as “Malware” which is the corresponding wording in the “description” in the attack information 11. . Although the attack information 11 includes a plurality of pieces of attack information 11, since these terms are generally unified in these “descriptions”, such one conversion may be defined. Similarly, in No. 2, “Web” in the detection countermeasure means information 12 is converted into “URL” or “Web site” in the “description” in the attack case information 13. In No3, “Malicious” is converted to “Suspious”. In No. 4, “HTTP” is converted to the same “HTTP”. In No. 5, “HTTPS”, which is present in the corresponding text in the “description” in the attack information 11, is represented by diagonal lines because there is no corresponding keyword in the detection countermeasure means information 12.

Similar keyword conversion tables may be created between the attack information 11 and the attack case information 13, and between the detection countermeasure means information 12 and the attack case information 13.
Such a keyword conversion table is created outside the countermeasure status generation apparatus 1.

Next, the flow of the detection information generation process S120 according to the present embodiment will be described with reference to FIG.
First, the outline of the detection information generation process S120 will be described below.
The detection information generation unit 102 generates attack detection information 121 including a cyber attack attack means 21, a detection means 22 for detecting the attack means 21, and a detection accuracy 23 of the detection means 22 for the attack means 21. The detection information generation unit 102 includes attack measure information 111 including an explanatory text describing the attack means 21 and detection measure means information including a keyword for acquiring the attack means 21 detected by the detection means 22 according to the detection accuracy 23. 12 is acquired. Then, the detection information generation unit 102 searches the explanatory text included in the attack means information 111 using the keyword, and detects the attack means 21 detected by the detection means 22 according to the detection accuracy 23. Then, the detection information generation unit 102 generates the attack detection information 121 using the information of the attack means 21 detected according to the detection accuracy 23.

Hereinafter, the detection information generation process S120 will be described in detail with reference to FIG.
The detection information generation unit 102 extracts one line of the input attack means information 111. The attack means ID corresponding to the extracted row is indicated by attack means ID_j. Here, j is a natural number from 1 to the number of attack means ID (that is, the number of lines of attack means information 111). It is assumed that the detection countermeasure unit information 12 includes CM_ID_i. Here, i is a natural number from 1 to the number of rows of the detection countermeasure means information 12. Here, the number of rows of the detection countermeasure means information 12 is n.

In step S121, the detection information generation unit 102 sets an initial value in the variable. The detection information generation unit 102 sets i = 1, detect_flag = False, undetect_flag = False, and falsedetect_flag = False.
In step S122, the detection information generation unit 102 extracts “description” in the entry of the attack means information 111 corresponding to the attack means ID_j. As a specific example, “descriptive text” is “A malware maliciously accessed data files on an affected computer, ten leaks.
them to a C & C server by HTTP. URLs of the C & C server cow be supicious. ”.
In step S123, the detection information generation unit 102 determines whether i> n. If “yes”, the process is terminated. If “no”, the process proceeds to step S124.
In step S <b> 124, the detection information generation unit 102 extracts the CM_ID_i entry from the detection countermeasure unit information 12.

In step S125, the detection information generation unit 102 searches whether the “detectable” keyword in the entry of CM_ID_i is included in the “description” corresponding to the attack means ID_j. "Description" = "A malwarely accessed data files on an infected computer, then leaks the to the C & C server by HTTP. URLs of the C & C server. Assuming that CM_ID_1 in FIG. 7 is currently referred to CM_ID_i (i = 1), the keywords “detectable” are “URL”, “suspicious”, and “HTTP”, and these are “description”. include.
In addition, when the keyword of the detection countermeasure information 12 and the wording in the “description” of the attack information 11 cannot be shared, a keyword conversion table is used. In this case, for the keyword “detectable” in the entry of CM_ID_i, the keyword is converted using the keyword conversion table, and whether the converted word is included in the “description” is searched.
If the keyword conversion table is not used, the degree of similarity between the “detectable” keyword and the text included in the “description” is examined using existing technology. By determining that the keyword “possible” is included, a search process may be performed to determine whether the keyword “detectable” is included. Here, the existing technique for examining the similarity between words is a technique for identifying and mapping keywords having the same meaning from the similarity and length of character strings. As a specific example, there is a technique using Levenshtein distance.

In step S126, the detection information generation unit 102 proceeds to step S127 if the search result in step S125 is “included”, and proceeds to step S128 if it is not “included”.
In step S127, the detection information generation unit 102 determines that the attack means identified by the attack means ID_j can be detected by CM_ID_i, and sets detect_flag = True.

In step S128, the detection information generation unit 102 refers to “undetectable” in the entry of CM_ID_i.
In step S129, when the “detection impossible” is empty, the detection information generation unit 102 proceeds to step S1211. In step S129, if “undetectable” is not empty, the detection information generation unit 102 may be “undetectable”. Therefore, in step S1210, undetect_flag = True is set.
In FIG. 7, a keyword is also set for “undetectable”, but in this embodiment, the flag is set to True without checking whether this keyword is in the “description”. . This is because the limitation of the function of the product category and log analysis is shown in FIG. On the other hand, with regard to “detectable” in step S125, it is necessary to check whether the detection countermeasure means listed in the detection countermeasure means information 12 is applicable to the attack means, and therefore a search by keyword is essential. . That is, it is checked whether or not the “detectable” keyword is included in the “description”, and it is determined whether the detection countermeasure means corresponds to the detection / countermeasure to the attack means. Thereafter, it is checked whether there is a restriction that detection is impossible (false detection).

In step S1211, the detection information generation unit 102 refers to “false detection” in the entry of CM_ID_i.
In step S1212, if the “false detection” is empty, the detection information generation unit 102 proceeds to step S1214. In step S1212, the detection information generation unit 102 may be “false detection” when “false detection” is not empty. In step S1213, the detection information generation unit 102 sets falsedetect_flag = True.
In FIG. 7, a keyword is also set for “false detection”, but in this embodiment, the flag is set to True without checking whether this keyword is in the “description”. This is because the product category and the log analysis function limitation that “false detection” exists are shown in FIG.

FIG. 11 is a diagram showing a determination table 1201 used in the detection information generation process S120 according to the present embodiment.
In step S1214, the detection information generation unit 102 refers to the determination table 1201 of FIG. X is determined. These symbols have the following meanings.
○: Detectable ×: Undetectable △: There is a possibility of false detection □: There is a possibility of detection failure ◇: Detectable, undetectable, with false detection Detected / countermeasures for detection failure are identified by CM_ID_i This means that the attack means can be detected, but the detection / countermeasure is avoided due to the limitation of the function / performance of the detection / countermeasure method, and there is a possibility that detection failure may occur.

In step S <b> 1215, the detection information generation unit 102 assigns the determination result acquired in step S <b> 1214 to the attack means ID_j as to whether or not the countermeasure by CM_ID_i is possible. As a result, in the attack detection information 121 in FIG. 6, whether or not correspondence is possible is assigned to one piece of detection / countermeasure means information for one attack means ID. Specifically, if the attack means ID_j is Add_0001 and the CM_ID_i is product category = IDS, the determination result of step S1214 is assigned to the square of the detection means information 162 in which the attack means ID is Add_0001 and the column is IDS. . In FIG. 6, x is assigned.
In step S1216, the detection information generation unit 102 increments i and returns to S123.

  Even when the detection countermeasure means information 12 is log analysis as shown in FIG. 8, the same processing as in FIG. 10 is performed, so that the effect of the detection / measure measures as in the log analysis column of the detection means information 162 in FIG. For, determination results of ○, △, □, ◇ and × can be set.

The attack means information 111 shown in FIG. 4 is determined by determining, according to FIG. 10, whether one or more detection countermeasure means information 12 as shown in FIGS. 7 and 8 can be taken for every attack means ID. Information such as 6 attack detection information 121 can be created. The attack detection information 121 in FIG. 6 represents the determination of whether or not the countermeasure of the detection countermeasure means information 12 in FIG. That is, the attack detection information 121 is information including the attack means 21 for cyber attack, the detection means 22 for detecting the attack means, and the detection accuracy 23 of the detection means 22 for the attack means 21. In the attack detection information 121, the attack means information 111 is expressed as attack means information 161, and the detection countermeasure means information 12 is expressed as detection means information 162.
Although not shown in FIG. 6, corresponding CM_ID_i is associated with an element (IDS, FW, etc.) of the detection means information 162 in the attack detection information 121.

<Danger degree determination process S130>
The input / output configuration of the risk determination process S130 according to the present embodiment will be described with reference to FIG.
The risk determination unit 103 receives the attack detection information 121, the attack case information 13, and the weighting information 14, and outputs the attack detection risk information 131. The risk determination unit 103 determines the risk 163 of the attack means 21 based on the detection accuracy 23 of the detection means 22. Further, the risk level determination unit 103 determines the risk level 163 based on the detection accuracy 23 of the detection unit 22 and the attack phase in the cyber attack in which the attack unit 21 is performed.
In FIG. 12, attack case information 13 is data representing a case of a cyber attack, and is information indicating what attack means is active in what order, that is, in which attack phase.

FIG. 13 is a diagram showing an example of attack case information 13 according to the present embodiment.
Cyber attacks are carried out in multiple attack phases. In general, the “preliminary investigation” phase, such as investigating the attacking party and obtaining an email address, the “intrusion” phase, in which an email is attached with malware, etc., “Backdoor communication” phase where attackers send and receive attacks while communicating with malware, “Internal reconnaissance” phase to check what servers exist in the invaded organization, “Information leak” It consists of a “leak” phase. A series of such flows composed of a plurality of attack phases 31 is called a kill chain. Moreover, in order to implement | achieve each attack phase, an attack is performed using one or more attack means in each attack phase. The attack case information 13 is composed of a No identifying entry, an attack phase in the kill chain, an attack means ID and an attack name of the attack means implemented in each attack phase.

Specifically, in FIG. 13, in the “preliminary investigation” phase, an attack identified by attack means ID = 405 and attack name = Social Information Gathering Via Research is performed. In the “intrusion” phase, an attack is performed with attack means ID = 163, attack name = Spare Phishing, attack means ID = 542, attack name = Targeted Malware. In this case, Spear Phishing means a fraudulent act such as sending an e-mail focused on the targeted party, and Targeted Malware means using a malware specialized for the target. In other words, it means that the malware specialized for the target is sent to the target only by an attached mail (fraud mail) or downloaded only to the target by Web access (guided by fraud).
Since the subsequent attack phases in FIG. 13 are the same information structure, description thereof is omitted.

In FIG. 12, weighting information 14 is information for performing risk determination.
FIG. 14 is a diagram showing an example of the weighting information 14 according to the present embodiment.
As described above, the risk determination unit 103 determines the risk 163 based on the detection accuracy 23 of the detection unit 22 and the attack phase in the cyber attack in which the attack unit 21 is performed. The weighting information 14 in this embodiment defines weights depending on which attack phase the attack means 21 is used in. FIG. 14 shows that in the case of the attack means used for the preliminary investigation, since the preliminary investigation itself has not yet begun, the weight is as low as 5, but the information leakage is as high as 100 because the damage is the largest. In this example, the weight increases as the phase progresses. The setting of the weight value in FIG. 14 is an example, and the weight may be increased from the beginning to the middle of the attack phase such as intrusion or backdoor communication. A serial number is assigned to each entry as No.

Next, the flow of the risk determination process S130 according to the present embodiment will be described with reference to FIG.
In step S131, the risk determination unit 103 selects one attack means ID in the attack means information 161 of the attack detection information 121 and sets it as the attack means ID_i. Here, i is a natural number from 1 to the number of attack means ID in the attack means information 161.
In step S132, the risk determination unit 103 refers to j in the attack case information 13 as j, so j = 1. Here, j is a natural number from 1 to n. n is the maximum value of No in the attack case information 13.

In step S133, the risk determination unit 103 checks whether j> n. If j> n, the process ends. If j> n, the process proceeds to step S134.
In step S134, the risk determination unit 103 extracts an entry corresponding to No = j from the attack case information 13.
In step S135, the degree-of-risk determination unit 103 extracts the attack means ID, that is, the attack means ID_j in the entry No = j of the attack case information 13.
In step S136, the risk determination unit 103 checks whether the attack means ID_i and the attack means ID_j are the same. If they are the same, the process proceeds to step S137, and if not, the process proceeds to step S1313.

In step S137, the risk determination unit 103 sets k = 1 in order to refer to No in the weighting information 14 as k. Here, k is a natural number from 1 to m. m is the maximum value of No in the weighting information 14.
In step S138, the risk determination unit 103 checks whether k> m. If k> m, the process proceeds to step S1313. If k> m is not satisfied, the process proceeds to step S139.
In step S139, the risk determination unit 103 determines that the “attack phase” in the No = j entry of the attack case information 13 is “the attack phase of the kill chain in which the attack means is used” in the No = k entry of the weighting information 14. ”Is checked. In step S1310, the risk determination unit 103 proceeds to S1311 if they are the same and proceeds to S1314 if they are not the same.

In step S1311, the risk determination unit 103 acquires the “weight” in the entry No = k of the weighting information 14.
In step S1312, the degree-of-risk determination unit 103 sets the degree of danger of the attack means ID_i to the acquired “weight”, and the process proceeds to step S1313.
In step S1313, the degree-of-risk determination unit 103 increments j and proceeds to step S133.
In step S1314, the risk determination unit 103 increments k and proceeds to step S138.

  As described above, in step S1312, the degree of danger 163 is assigned to the attack means ID_i. The risk level 163 is given to the attack means information 161 by performing the risk level determination processing S130 of FIG. 15 for all the attack means IDs of the attack means information 161. As a result, the attack detection risk information 131 shown in FIG. 12 is generated.

<Attack countermeasure status determination processing S140>
The input / output configuration of the attack countermeasure status determination process S140 according to the present embodiment will be described with reference to FIG.
As shown in FIG. 16, the countermeasure status determination unit 104 receives the attack detection risk information 131 and the organization countermeasure information 15 generated by the risk determination unit 103 as input, and includes the effectiveness of the organization countermeasures against the attack means. The countermeasure status information 16 is output.

FIG. 17 is a diagram showing an example of the organization countermeasure information 15 according to the present embodiment.
In the organization countermeasure information 15, CMA_ID is given as an ID for identifying each entry (each row), and information corresponding to the ID of the detection means in each entry is “corresponding CM_ID”. Further, “operational restrictions” information is given to each entry. The “operational restriction” includes “threshold suppression (number of times)”, “threshold suppression (severity)”, and “white list”. “Threshold suppression (number of times)” indicates an operation of notifying as a detection when the same detection occurs more than the threshold number of times. “Threshold suppression (severity)” indicates an operation for reporting only detections of a certain severity or higher. The “white list” indicates an operation in which notification is not performed if processing of a program described in the white list is detected even if a detection occurs. Alternatively, the “white list” may be operated such that communication from a terminal described in the white list is detected but not notified. In the organization countermeasure information 15, “applied” is set when the corresponding operation is applied in the organization, and “unapplied” is set when the corresponding operation is not applied in the organization.

  Next, the flow of the attack countermeasure status determination process S140 according to the present embodiment will be described with reference to FIG. The processing will be described using the attack detection risk information 131 as information expressed in a table.

In step S <b> 141, the countermeasure status determination unit 104 adds a table similar to the detection means information 162 in the attack detection risk information 131 next to the risk 163 column. In the added table, the countermeasure status determination unit 104 clears the contents other than the detection unit 22, that is, the column of the detection accuracy 23, and temporarily stores the information of the detection accuracy 23 in the memory. Here, it is assumed that the attack means 21 and the detection means 22 are associated with the information of the detection accuracy 23 stored in the memory. This added table is referred to as organization countermeasure status information 164. As shown in FIG. 16, the organization countermeasure status information 164 includes IDS, FW, mail filter,..., Behavior detection (terminal), behavior detection (AP), and various log analysis as in the table of the detection means information 162. And the like.
In step S142, the countermeasure status determination unit 104 selects one entry, that is, a row of the attack detection risk information 131, and acquires the attack means ID_i and the organization countermeasure status information 164_i of the corresponding attack means information 161. Here, i is a natural number from 1 to the number of attack means ID of the attack means information 161.
In step S143, the countermeasure status determination unit 104 selects one CMA_ID in the organization countermeasure information 15 and sets it as CMA_ID_j. Further, “CM_ID corresponding to CMA_ID_j” is set as CM_ID_j. Here, j is a natural number from 1 to p. p is the number of CMA_IDs in the organization countermeasure information 15, that is, the number of entries in the organization countermeasure information 15.
In step S144, the countermeasure status determination unit 104 confirms whether j> p. If j> p, the process ends. If j> p is not satisfied, the process proceeds to S145.

In step S145, the countermeasure status determination unit 104 sets k = 1.
In step S146, the countermeasure status determination unit 104 sets CM_ID associated with the elements constituting the organization countermeasure status information 164_i as CM_ID_i_k. In step S141, the organization countermeasure status information 164 is generated as a copy of the detection unit information 162, and the CM_ID associated with the detection unit information 162 is also copied. Specifically, the organization countermeasure status information 164_i is composed of elements such as IDS (k = 1) and FW (k = 2) in FIG. 16, and CM_ID as an identifier is assigned to each. Even if i changes, if k is the same, the CM_ID is the same. That is, when viewed in one column (referred to by k) of the organization countermeasure status information 164, the CM_ID is the same regardless of the attack means ID (referred to as i). Specifically, k = 1 in the organization countermeasure status information 164 in FIG. 16 is IDS, and any attack means ID is viewed as a column, so the CM_ID of the IDS is referred to. Further, as described above, in the organization countermeasure status information 164, the determination of ○ Δ □ ◇ × for each attack means ID of the detection means information 162, that is, the detection accuracy 23 is stored in the memory. Therefore, the determination of ○ Δ □ ◇ × for each attack means ID in the detection means information 162 is obtained from information stored in the memory.

In step S147, the countermeasure status determination unit 104 sets q as the number of components (number of elements such as IDS and FW) of the organization countermeasure status information 164_i, and checks whether k> q. If k> q, the countermeasure status determination unit 104 proceeds to step S1411. If k> q is not true, the countermeasure status determination unit 104 proceeds to step S148.
In step S148, the countermeasure status determination unit 104 checks whether CM_ID_i_k is the same as CM_ID_j. In the same case, the countermeasure status determination unit 104 proceeds to step S149, and sets a value in the square of the organization countermeasure status information 164_i corresponding to CM_ID_i_k. If not, the countermeasure status determination unit 104 proceeds to step S1410.

In step S149, the countermeasure status determination unit 104 sets “completed” in the field of the organization countermeasure status information 164_i corresponding to CM_ID_i_k if the element of the detection means information 162 corresponding to CM_ID_i_k is ◯ Δ □ ◇. In the case of ×, set “-(hyphen)”. Specifically, in the line of attack means ID = 542, the IDS of the organization countermeasure status information 164 is “Done”. This is because the IDS of the corresponding detection means information 162 is □. Similarly, the FW of the organization countermeasure status information 164 of the bank is “−” because the FW of the corresponding detection means information 162 is “x”.
In step S1410, the countermeasure status determination unit 104 increments k and proceeds to S147.

  In step S1411, the countermeasure status determination unit 104 sets a cell that is not set to “completed” or “−” to “not yet” in the organization countermeasure status information 164_i. This indicates that the detection countermeasure means information 12 is one of ○ Δ □ ◇, but the detection means 22 is not implemented in the organization. The countermeasure status determination unit 104 increments j and proceeds to step S144.

  As described above, the countermeasure status determination unit 104 executes the processing of FIG. 18 for all of the attacking means ID_i, so that the countermeasures in the organization are “completed” and “not yet” as shown in the organizational countermeasure status information 164 of FIG. "-" Is set. As a result, it is possible to indicate the state of the countermeasure state of the organization for each attack means ID as the countermeasure state information 16 shown in FIG.

When the setting of the organization countermeasure status information 164 of the countermeasure status information 16 illustrated in FIG. 16 is completed, the countermeasure status determination unit 104 sets a determination result in the determination information 165 of the countermeasure status information 16. The determination information 165 includes an effect level 1651 and a priority countermeasure item 1652.
As described above, the countermeasure status determination unit 104 includes the attack detection information 121 and the organization countermeasure information 15 including the detection means 22 implemented as a countermeasure against the cyber attack in the organization targeted by the cyber attack as the organization detection means. Based on the detection accuracy 23 and the organization countermeasure information 15 that are acquired and included in the attack detection information 121, the effectiveness 1651 representing the degree of the effect of the countermeasure in the organization is determined. Further, the countermeasure status determination unit 104 determines the effectiveness 1651 based on the detection accuracy 23 of the detection means 22 and information (organization countermeasure status information 164) indicating whether or not the detection means 22 is implemented in the organization. To do.

Below, the process which sets the effectiveness 1651 by the countermeasure status determination part 104 is demonstrated.
The countermeasure status determination unit 104 extracts all the values of the detection means information 162 corresponding to the component whose organization countermeasure status information 164 is “completed” for one attack means ID in the countermeasure status information 16 of FIG. The countermeasure status determination unit 104 sets “effectiveness 1651” as in (a1) to (a5) below based on the extracted value.
(A1) If the extracted value includes ◯, the effectiveness 1651 is set as ◯.
(A2) If not applicable to (a1), if Δ is included in the extracted value, Δ is set to the effectiveness 1651.
(A3) If the above does not apply to (a2), if the extracted value includes □, □ is set to the effectiveness 1651.
(A4) If the above does not apply to (a3), if the extracted value contains ◇, ◇ is set to the effect level 1651.
(A5) When the above does not apply to (a4), x is set to the effectiveness 1651.
In the countermeasure status information 16 of FIG. 16, when there are a plurality of components whose organization countermeasure status information 164 is “completed”, the corresponding detecting means information 162 is also plural. Accordingly, in the plurality of detection means information 162, all may be o or o, Δ, □, and ◇ may be mixed, but according to the above processing (a1) to (a5), the “efficiency 1651 "Is determined to be one.
As a specific example, in the attack means ID = 542 in FIG. 16, IDS, mail filter, and behavior detection (terminal) are “done”, and according to the above processing, the behavior detection (terminal) is Δ, In 1651, Δ is set.

Next, processing for setting the “priority countermeasure item 1652” by the countermeasure status determination unit 104 will be described.
For one attack means ID in the countermeasure status information 16 of FIG. 16, an item whose “efficacy 1651” is other than ○ is determined as a “priority countermeasure item 1652”, and “applicable” is set.

<Countermeasure status output process S150>
In the countermeasure status output process S150, the countermeasure status output unit 105 outputs the countermeasure status information 16 including the attack detection information 121 (attack means information 161 and detection means information 162) and the effectiveness 1651. The countermeasure status information 16 includes a risk 163.
The countermeasure status output unit 105 displays the countermeasure status information 16 on a display device or the like via the output interface 940.

  This is the end of the description of the attack countermeasure determination processing S100 according to the present embodiment.

*** Other configurations ***
In the present embodiment, the countermeasure status generation apparatus 1 is configured to acquire information via the input interface 930 and output information via the output interface 940. However, the countermeasure status generation apparatus 1 may include a communication device and receive information via the communication device. Moreover, the countermeasure status generation apparatus 1 may transmit information via a communication apparatus. In this case, the communication device includes a receiver and a transmitter. Specifically, the communication device is a communication chip or a NIC (Network, Interface, Card). The communication device functions as a communication unit that communicates data. The receiver functions as a receiving unit that receives data, and the transmitter functions as a transmitting unit that transmits data.

In the present embodiment, the countermeasure status output unit 105 outputs the countermeasure status information 16 illustrated in FIG. 16, but the countermeasure status information 16 having other configurations may be output. Specific examples are shown below.
First, the countermeasure status output unit 105 outputs countermeasure status information 16 including the attack means 21 and the effectiveness 163. That is, the attack means information 161 and the effectiveness 1651 shown in FIG. 16 may be output as the countermeasure status information 16.
Second, the countermeasure status output unit 105 outputs the countermeasure status information 16 including the attack means 21 and the effectiveness 163 including the detection means 22 for detecting the attack means 21 and the detection accuracy 23 of the detection means 22. To do. That is, the attack means information 161, the detection means information 162, and the effectiveness 1651 shown in FIG.
Thirdly, the countermeasure status output unit 105 outputs the countermeasure status information 16 including the attack means 21, the effectiveness 163, the detection means 22, and the detection accuracy 23 including the organization countermeasure status information 164. That is, the attack means information 161, the detection means information 162, the organization countermeasure status information 164, and the effectiveness 1651 shown in FIG. 16 may be output as the countermeasure status information 16.

Further, in the present embodiment, the function of “part” of the countermeasure status generation apparatus 1 is realized by software, but as a modification, the function of “part” of the countermeasure status generation apparatus 1 may be realized by hardware. Good.
The configuration of the countermeasure status generation apparatus 1 according to a modification of the present embodiment will be described using FIG.
As illustrated in FIG. 19, the countermeasure status generation apparatus 1 according to the modification includes a processing circuit 909 instead of the processor 910 and the storage device 920 illustrated in FIG. 2.

  The processing circuit 909 is a dedicated electronic circuit that realizes the function of the “unit” and the storage unit 150 described above. Specifically, the processing circuit 909 includes a single circuit, a composite circuit, a programmed processor, a processor programmed in parallel, a logic IC, a GA (Gate Array), an ASIC (Application Specific Integrated Circuit), or , FPGA (Field-Programmable Gate Gate Array).

  The function of “unit” may be realized by one processing circuit 909 or may be realized by being distributed to a plurality of processing circuits 909.

  As another modification, the function of the countermeasure status generation apparatus 1 may be realized by a combination of software and hardware. That is, a part of the functions of the countermeasure status generation apparatus 1 may be realized by dedicated hardware, and the remaining functions may be realized by software.

  The processor 910, the storage device 920, and the processing circuit 909 are collectively referred to as a “processing circuit”. That is, regardless of the configuration of the countermeasure status generation apparatus 1 shown in FIGS. 2 and 19, the function of “unit” and the storage unit 150 are realized by a processing circuit.

  “Part” may be read as “step” or “procedure” or “processing”. Further, the function of “unit” may be realized by firmware.

*** Explanation of effects of this embodiment ***
As described above, the countermeasure status determination unit 104 of the countermeasure status generation apparatus 1 generates the countermeasure status information 16 shown in FIG. 16 and displays it on the display device.
The countermeasure status generation apparatus 1 in the present embodiment shows the mapping of detection / countermeasure information to attack information, further assigns a risk level from the attack case information, and further attacks from the status of the organization's attack countermeasure implementation. This has the effect of showing the status of countermeasures against information. Furthermore, the effect level 1651 can be determined from the detection / countermeasure information, and the priority measure item 1652 can be illustrated.
The user of the countermeasure status generation apparatus 1 in the present embodiment can confirm whether the security countermeasures of his / her organization are effective or invalid with respect to various attack information (means) with an effectiveness 1651. The priority countermeasure item 1652 can be confirmed for the attack means that should be strengthened.

Embodiment 2. FIG.
In the present embodiment, a part added to the first embodiment or a part different from the first embodiment will be mainly described. In the present embodiment, the same components as those in the first embodiment are denoted by the same reference numerals, and the description thereof is omitted. Also, the description of the same functions as those in Embodiment 1 is omitted.
In the present embodiment, a process will be described in which the attack case determination apparatus 2 shown in FIG. 1 determines the countermeasure status of an organization using the individual attack case information 13a.

*** Explanation of configuration ***
The configuration and input / output of the attack case determination apparatus 2 according to the present embodiment will be described with reference to FIG.
The attack case determination apparatus 2 is a computer, and includes hardware similar to that of the countermeasure status generation apparatus 1 described in FIG. The attack case determination apparatus 2 includes an attack case determination unit 201 as a functional configuration. That is, the function of “part” of the attack case determination device 2 is the function of the attack case determination unit 201. Similar to the countermeasure status generation apparatus 1, the function of “unit” is realized by software. Further, similarly to the countermeasure status generation apparatus 1, the function of “unit” may be realized by hardware such as the processing circuit 909.

The attack case determination apparatus 2 receives the countermeasure status information 16 and the attack case information 13a as inputs, and outputs attack case correspondence information 17.
In the present embodiment, the attack case determination device 2 uses the countermeasure status information 16 to output the countermeasure status to the attack case information 13 a as the attack case correspondence information 17. In this embodiment, the attack case correspondence information 17 is represented by a table.

*** Explanation of operation ***
The attack case determination process S200 by the attack case determination unit 201 according to the present embodiment will be described with reference to FIG.
In the attack case determination process S200, the attack case determination unit 201 receives the countermeasure status information 16 and the attack case information 13a as input, and performs the following processing shown in FIG. The attack case information 13a is one example of the attack case information 13 of FIG.
The attack case determination unit 201 acquires attack case information 13a including the attack phase of the cyber attack and the attack means implemented in the attack phase, and countermeasure status information 16, and uses the countermeasure status information 16 to use the attack case information. For 13a, the countermeasure status of the organization is determined for each attack means in the attack phase. Further, the attack case determination unit 201 outputs the attack case information 13a and the determined countermeasure status of the organization as the attack case correspondence information 17.

In step S211, the attack case determination unit 201 refers to the first attack means ID in the attack case information 13a. The attack means ID indicates the head of the first attack phase (first attack of a series of attacks) in the attack case information 13a.
In step S212, when the attack case determination unit 201 refers to the last attack means ID in a series of attacks in the attack case information 13a, the process proceeds to S2111. If not, the process proceeds to S213.
In step S213, the attack case determination unit 201 extracts the attack means ID included in the attack phase in the attack case information 13a. This is referred to as a reference attack means ID.
In step S214, the attack case determination unit 201 searches the countermeasure status information 16 for the reference attack means ID.
In step S <b> 215, the attack case determination unit 201 refers to the information on the row for the attack means ID searched for in the countermeasure status information 16, that is, the reference attack means ID. This line includes information on the detection unit information 162 and the like.
In step S216, the attack case determination unit 201 is other than the constituent elements (detection / measures such as FW and IDS) with “x” in the detection means information 162 corresponding to the reference attack means ID in the countermeasure status information 16. Select to extract the name. That is, the attack case determination unit 201 extracts the names of components that have some effect.
In step S217, the attack case determination unit 201 adds “detection / countermeasure means” (column) to the row corresponding to the reference attack means ID in the attack case information 13a, and sets the name of the component extracted in step S216. Set. If a plurality of samples are extracted in step S216, all of them are set.
This will be described using a specific example. As shown in FIG. 20, if the attack means ID = 163, the mail filter is applicable. If attack means ID = 542, IDS, mail filter, behavior detection (terminal), behavior detection (AP), and log analysis (terminal) are applicable. If there is only “x” in the detection means information 162, “None” is set.

In step S <b> 218, the attack case determination unit 201 extracts the “effectiveness 1651” of the reference attack means ID from the countermeasure status information 16.
In step S219, the attack case determination unit 201 adds “organization countermeasure status” (column) for the reference attack means ID in the attack case information 13a, and sets the “effectiveness 1651” extracted in step S218. As a specific example, if the attack means ID = 542, Δ is applicable as shown in FIGS. As described above, the meaning of “effectiveness 1651” (□, Δ, etc.) is as shown in the determination table 1201 of FIG.
In step S2110, the attack case determination unit 201 refers to the next attack means ID in the attack case information 13a, and returns to step S212.

In step S2111, the attack case determination unit 201 adds “overall determination” (column) to the attack case information 13a, and sets values as follows.
For the initial attack phase such as intrusion, if the countermeasure status of the organization is ○, it is determined as “excellent”.
If the organization's countermeasure status is ○ for the initial next attack phase such as backdoor communication, it is determined as “good”. This is because intrusion is allowed but can be detected in the next stage.
Furthermore, if the countermeasure status of the organization is ○ for the subsequent attack phase, “Yes” is set.
If the countermeasure state of the organization is △ for the initial stage or the initial next attack phase, “Yes” is set.
If this is not the case, it is determined as “impossible”.
The “total determination” is given to the attack case information 13a, and is not given for each attack means ID.
In addition, the comprehensive determination method (excellent, good, acceptable, unacceptable determination method) in the present embodiment is not limited to the above. As a specific example, if any of the initial and initial attack phases is not marked with a circle, all may be impossible, and if an information leakage attack phase is marked with a circle, it may be acceptable.

This is the end of the description of the attack case determination process S200 according to the present embodiment.
In this way, the attack case determination unit 201 determines the countermeasure state of the organization using the countermeasure state information 16 for the attack case information 13a, and outputs the attack case correspondence information 17 to which the comprehensive determination information is added.

*** Explanation of effects of this embodiment ***
As described above, according to the attack case determination apparatus 2 according to the present embodiment, referring to the attack case correspondence information 17, the countermeasure status of the organization for each attack means ID in the attack case information 13a can be confirmed. As a specific example, an attack means ID of □ or ◇ of the organization countermeasure means that there is a case where a countermeasure is missed but a detection failure (avoidance) may occur, and an attack means ID of △ or ◇ It means that there is a case where a false positive may occur although measures are taken. Moreover, the comprehensive judgment with respect to this attack case information can be confirmed.
Further, according to the attack case determination apparatus 2 according to the present embodiment, there is an effect that the countermeasure state of the organization can be illustrated as the attack case correspondence information 17 by using the countermeasure state information 16 for the attack case information 13a. The user of the attack case determination apparatus 2 according to the present embodiment confirms the comprehensive determination of the attack case response information 17 and determines that the organization has taken countermeasures if it is good or bad. If so, it can be determined that additional measures should be considered.

Embodiment 3 FIG.
In the present embodiment, a part added to the first and second embodiments or a part different from the first and second embodiments will be mainly described. In the present embodiment, the same components as those in the first and second embodiments are denoted by the same reference numerals, and the description thereof is omitted. Further, the description of the same functions as those in Embodiments 1 and 2 is omitted.
In the present embodiment, a process in which the countermeasure candidate extraction device 3 shown in FIG. 1 determines an additional countermeasure will be described.

*** Explanation of configuration ***
The configuration and input / output of the measure candidate extraction apparatus 3 according to the present embodiment will be described with reference to FIGS.
The countermeasure candidate extraction device 3 is a computer, and includes hardware similar to the countermeasure status generation device 1 of the first embodiment and the attack case determination device 2 of the second embodiment although not shown. Moreover, the countermeasure candidate extraction device 3 includes a countermeasure candidate extraction unit 301 as a functional configuration. That is, the function of “part” of the countermeasure candidate extraction device 3 is a function of the countermeasure candidate extraction unit 301. Similar to the countermeasure status generation device 1 and the attack case determination device 2, the function of “part” is realized by software. Further, like the countermeasure status generation device 1 and the attack case determination device 2, the function of “unit” may be realized by hardware such as the processing circuit 909.

  The countermeasure candidate extraction unit 301 acquires the attack example information 133 including the selected attack means 171 selected based on the countermeasure status of the organization and attack means other than the selected attack means 171, and is used in combination with the selected attack means 171. Is determined from the attack case information 133. Further, the countermeasure candidate extraction unit 301 outputs the attack means used in combination with the selected attack means 171 as the strengthening countermeasure information 18. At this time, the attack case information 133 includes at least a selection attack unit 171 and an attack unit other than the selection attack unit 171. Further, the attack case information 133 may be one or plural.

Specifically, the countermeasure candidate extraction device 3 includes one or a plurality of attack case information 133 and attack means X (selective attack) with a large number of false detections with △ or ◇ in the countermeasure state of the organization in the attack case correspondence information 17. Means 171). As a specific example, attack means X shown in FIG. The attack means X is an attack means that has been determined in the attack case correspondence information 17 as having many false detections in the countermeasure status of the organization. The countermeasure candidate extraction device 3 extracts attack means Y to be detected together in order to reduce false detection of the attack means X.
The “attack means X with many false detections” means that the organization measures against the attack means X often mistakenly detect other than the attack means X as the attack means X.

*** Explanation of operation ***
The countermeasure candidate extraction process S300 performed by the countermeasure candidate extraction apparatus 3 will be described below.
First, the countermeasure candidate extraction device 3 extracts the attack means ID_X of the attack means X.
Next, the countermeasure candidate extraction device 3 extracts attack case information 13 including the attack means ID_X from one or a plurality of attack case information 133. Here, the countermeasure candidate extraction device 3 extracts one or more attack case information 13. Let the extraction result be attack case information 13_i.

Next, the countermeasure candidate extraction device 3 extracts a common attack means ID in addition to the attack means ID_X in the attack case information 13_i, and counts the number. As a specific example, it is assumed that the attack case information 13_i is as follows. Here, i = 1, 2, 3.
Attack case information 13_1 = {attack means ID_X, attack means ID_e, attack means ID_f, attack means ID_g}
Attack case information 13_2 = {attack means ID_X, attack means ID_e, attack means ID_g, attack means ID_h}
Attack case information 13_3 = {attack means ID_X, attack means ID_e, attack means ID_i, attack means ID_j}
At this time, the attack means ID_e is included in all of the attack case information 13_1, the attack case information 13_2, and the attack case information 13_3, so the number of appearances is three. Similarly, the number of appearances of attack means ID_g is 2, the number of appearances of attack means ID_f, attack means ID_h, attack means ID_i, and attack means ID_j is 1.
That is, in the above three attack case information 13_i including the attack means ID_X, the attack means ID_e is included in all and the attack means ID_g is included in two in addition to the attack means ID_X. Therefore, it can be seen that in the attack case information 13, the attack means ID_X and the attack means ID_e are always used together, and then the attack means ID_g is used together.
The countermeasure candidate extraction device 3 outputs the attack means Y to be detected as the strengthening countermeasure information 18 by combining the attack means ID_e and the attack means ID_g extracted in this way with the attack means ID_X.

The countermeasure candidate extraction process S300 according to the present embodiment will be described with reference to FIG.
In step S <b> 311, the countermeasure candidate extraction unit 301 extracts information including the attack means ID_X from the attack case information 13 </ b> _i. Here, i is a natural number from 1 to r. r is the number of attack case information 13.
In step S312, the countermeasure candidate extraction unit 301 sets the extracted attack case information as extracted attack case information j for subsequent processing. Here, j is a natural number from 1 to s. s is the number of attack case information 13 extracted in step S311.
In step S313, the countermeasure candidate extraction unit 301 sets the variable j to 1 and prepares an empty attack means ID list.
In step S314, the countermeasure candidate extraction unit 301 checks whether j> s. If j> s, the process is terminated. If j> s is not satisfied, the process proceeds to step S315.

In step S315, the countermeasure candidate extraction unit 301 sets the number of attack means ID included in the extracted attack case information j to t.
In step S316, the countermeasure candidate extraction unit 301 sets the variable k to 1.
In step S317, the countermeasure candidate extraction unit 301 checks whether k> t. If k> t, the process proceeds to step S3113. If k> t is not satisfied, the process proceeds to step S318.

In step S318, the countermeasure candidate extraction unit 301 acquires attack means ID_k that is one of attack means ID included in the extracted attack case information j.
In step S319, the countermeasure candidate extraction unit 301 checks whether the attack means ID_k exists in the attack means ID list. If it exists, the process proceeds to step S3111.
In step S3110, the countermeasure candidate extraction unit 301 adds attack means ID_k to the end of the attack means ID list, and sets its count to 1. Here, the attack means ID list is information having the following structure.
Attack means ID list = {(attack means ID_1, count_1), (attack means ID_2, count_2), ...}
Here, curly braces are a sequence of information. In parentheses, the value of the attack means ID and the number of times that the attack means ID appears over a plurality of pieces of attack case information are shown.

In step S3111, the countermeasure candidate extraction unit 301 increments the count (count_k) of the element of the attack means ID_k on the attack means ID list.
In step S3112, the countermeasure candidate extraction unit 301 increments k.
In step S3113, the countermeasure candidate extraction unit 301 increments j.

  This is the end of the description of the countermeasure candidate extraction process S300 according to the present embodiment.

*** Other configurations ***
Further, as shown in FIG. 22B, the countermeasure candidate extraction device 3 uses the attack case information 133 and the attack means (attack means X1) with □ or ◇ in the countermeasure state of the organization in the attack case correspondence information 17. (Selective attack means 171) may be input. An attack means (attack means X1) with □ or ◇ is an attack means (attack means X1) that may be missed (avoided). And the countermeasure candidate extraction apparatus 3 extracts the attack means which should be detected together in order to reduce the detection omission of the attack means X1.
Here, the processing of the countermeasure candidate extraction device 3 is the same as that of the attack means X ((a) of FIG. 22). As a result of the processing, the countermeasure candidate extraction device 3 outputs the attack means ID_e and attack means ID_g extracted in this way as the attack means attack Y1 to be detected in combination with the attack means ID_X1.

  Further, as shown in FIG. 23, the countermeasure candidate extraction device 3 inputs the attack case information 133 and the attack means U (selected attack means 171) whose priority countermeasure item 1652 in the countermeasure status information 16 is “applicable”. It is good. Then, the countermeasure candidate extraction device 3 may extract the attack means to be detected in combination with the attack means U and output it as the attack means V. Also in this case, the processing of the countermeasure candidate extraction device 3 is the same as that of the attack means X ((a) of FIG. 22).

*** Explanation of effects of this embodiment ***
The countermeasure candidate extraction apparatus 3 according to the present embodiment extracts attack means that are frequently used in combination with statistics from attack case information for attack means with false detections or omissions. Then, the extracted attack means can be presented as an attack means that is a candidate for attempting detection together with an attack means having false detection or detection omission. As a result, according to the countermeasure candidate extraction device 3 according to the present embodiment, by detecting the presented attack means together with the attack means with false detection and detection omission, the false detection and detection omission are reduced. There is an effect that can be done.

Embodiment 4 FIG.
In the present embodiment, differences from Embodiment 3 will be mainly described. In the present embodiment, the same components as those in the first to third embodiments are denoted by the same reference numerals, and the description thereof is omitted. The description of the same functions as those in the first to third embodiments will be omitted.
In the present embodiment, the process of presenting additional countermeasures by the countermeasure candidate extraction apparatus 3 described in the third embodiment is different from that in the third embodiment.

FIG. 25 is a diagram showing the configuration and input / output of the measure candidate extraction apparatus 3 according to the present embodiment.
As shown in FIG. 25, the countermeasure candidate extraction device 3 has one or a plurality of attack case information 133 and attack means X having many false detections with Δ or ◇ in the countermeasure state of the organization in the attack case correspondence information 17. Or, the attack countermeasure X1 with □ or ◇ in the countermeasure status of the organization in the attack case response information 17 that may be missed, or the priority countermeasure item 1652 in the countermeasure status information 16 is “applicable”. The attack means U is taken as input. Further, countermeasure status information 16 is input.

Detects in combination with attack means X that has many false detections, attack means X1 that may be missed, or attack means U for which the priority countermeasure item 1652 in the countermeasure status information 16 is “applicable”. The method for extracting the power attack means is the same as in the third embodiment.
In the present embodiment, out of the attack means to be detected in combination, the countermeasure status information 16 is used to narrow down and present the countermeasures already taken by the organization.
As a specific example, when the attack means to be detected in combination is the attack means ID = 542 in the countermeasure status information 16 of FIG. 16, the IDS / mail filter / behavior that is “done” in the organization countermeasure status information 164. The detection (terminal) is extracted, and the attack means W is output as the strengthening countermeasure information 18 in addition to the information of the attack means ID = 542.
If there is no attack status to be detected in combination in the countermeasure status information 16 in the organization countermeasure status information 164, there is no corresponding attack means W. Accordingly, the attack means W may not be output, or a warning that there is no strengthening countermeasure information 18 may be output.

*** Explanation of effects of this embodiment ***
The countermeasure candidate extraction device 3 according to the present embodiment refers to the attack means that has already been taken countermeasures in the organization with reference to the organization countermeasure status information 164 for the attack means to be detected in combination with the input attack means of the third embodiment. By presenting only in the above, there is an effect that it is possible to enhance the detection by using the measures already applied in the organization.

Embodiment 5. FIG.
In the present embodiment, differences from the first embodiment will be mainly described. In the present embodiment, the same components as those in the first to fourth embodiments are denoted by the same reference numerals, and the description thereof is omitted. The description of the same functions as those in Embodiments 1 to 4 is omitted.

In the first embodiment, the detection information generation unit 102 determines whether or not the “descriptive text” of the attack measure ID_j includes the “detectable” keyword in the CM_ID_i entry of the detection measure measure information 12 in S125 of FIG. By investigating, the attack means ID_j is linked to the “detectable” attack of CM_ID_i.
In the present embodiment, a description will be given of “detectable” in the CM_ID_i entry of the detection countermeasure means information 12 including an attack means ID that is “detectable” instead of a keyword. The same applies to the items “undetectable” and “false detection”. That is, the detection information generation unit 102 acquires the detection countermeasure unit information 12 that is an attack unit detected by the detection unit and includes an attack unit according to the detection accuracy of the detection unit, and based on the detection countermeasure unit information 12 The attack means detected by the detection means is detected according to the detection accuracy.

When using the detection countermeasure means information 12 described above, the process of step S125 may be replaced with “confirm whether the“ detectable ”attack means ID in the entry of CM_ID_i matches the attack means ID_j”. Step S126 may be changed such that the confirmation proceeds to step S127 if they match, and to step S128 if they do not match.
In the present embodiment, it is assumed that when the detection countermeasure means information 12 is generated, an attack means ID is set instead of a keyword. As described in the first embodiment, the detection countermeasure means information 12 including the attack means ID instead of the keyword is generated outside the countermeasure status generation apparatus 1.

*** Explanation of effects of this embodiment ***
The countermeasure status generation apparatus 1 in the present embodiment is the same as that in the first embodiment by using an attack means ID instead of using a keyword in “detectable” of the detection countermeasure means information 12 according to the first embodiment. An effect is obtained.

Embodiment 6 FIG.
In the present embodiment, differences from the first embodiment will be mainly described. In the present embodiment, the same components as those in the first to fifth embodiments are denoted by the same reference numerals, and the description thereof is omitted. The description of the same functions as those in the first to fifth embodiments is omitted.

  In the first embodiment, the risk determination unit 103 assigns the risk 163 to the attack means ID using the attack case information 13 and the weighting information 14. Although not shown in FIG. 3, the attack information 11 may include risk level information such as a risk level = 1, 2, 3, 4, 5 (the higher the risk, the higher the risk). In this case, in the present embodiment, the risk determination unit 103 refers to the risk level assigned to each attack means ID in the attack information 11 without using the attack case information 13 and the weighting information 14. The risk level value is set to the risk 163 of the attack means ID in the countermeasure status information 16. That is, the risk level determination unit 103 acquires the attack means information 111 including the risk level (risk level) of the attack means, and the countermeasure status output unit 105 includes the countermeasure status including the risk level (risk level) of the attack means. Information 16 is output.

*** Explanation of effects of this embodiment ***
The countermeasure status generation apparatus 1 according to the present embodiment has an effect that when the attack information 11 includes risk level (risk level) information, this can be set as the risk level 163 in the countermeasure status information 16.

Embodiment 7 FIG.
In the present embodiment, differences from the first embodiment will be mainly described. In the present embodiment, the same components as those in the first to sixth embodiments are denoted by the same reference numerals, and the description thereof is omitted. The description of the same functions as those in the first to sixth embodiments will be omitted.

  In the first embodiment, the countermeasure status generation apparatus 1 sets only three types of “completed”, “not yet”, and “−” in the elements of the countermeasure countermeasure organization information 164 in the countermeasure status information 16. In the present embodiment, “detection impossible” and “false detection” information described in the detection countermeasure means information 12 is additionally set as information of the organization countermeasure status information 164 in the countermeasure status information 16.

  In the present embodiment, in step S1210 of FIG. 10, the detection information generation unit 102 associates the “undetectable” information of the CM_ID_i being referred to with the attack means ID_j in addition to setting undetect_flag = True. . Further, in step S1213, the “false detection” information of the CM_ID_i being referred to is linked to the attack means ID_j. Further, in step S1215, in addition to setting whether or not countermeasures by CM_ID_i are set for attack means ID_j, information on “undetectable” and “false detection” of CM_ID_i associated with attack means ID_j is additionally set. .

Furthermore, in the present embodiment, in step S149 of FIG. 18 showing the process of the countermeasure status determination unit 104, in addition to the process of setting “completed” in the column of the organization countermeasure status information 164_i corresponding to CM_ID_i_k, the CM_ID_i_k “Undetectable” and “false detection” set in association with the ID as described above are set. As a specific example, in addition to setting “done” in the same field, “detection impossible” and “false detection” linked as follows are set.
A setting example of the log analysis / proxy log cell of the organization countermeasure status information 164 in the attack means ID = Add_0001 of the countermeasure status information 16 is shown below.
・ Done ・ Undetectable: HTTP communication with a legitimate website that has been altered ・ Error detection: Regular HTTP communication

*** Explanation of effects of this embodiment ***
The countermeasure status generation apparatus 1 according to the present embodiment can check the countermeasure status of the attack means in the countermeasure status information 16 and can detect non-detection (missing detection) or misdetection when the countermeasure has been taken. Can be included for sex. For this reason, the user of the countermeasure status generation device 1 can grasp the risk of undetectable (missing detection) and false detection even if a certain attack means has been countermeasured.

Embodiment 8 FIG.
In the present embodiment, differences from Embodiments 3 and 4 will be mainly described. In the present embodiment, the same components as those in the first to seventh embodiments are denoted by the same reference numerals, and the description thereof is omitted. The description of the same functions as those in the first to seventh embodiments is omitted.

  In the present embodiment, the countermeasure candidate extraction device 3 performs a process different from that of the third and fourth embodiments in the process of presenting the additional countermeasure. In the third embodiment, the countermeasure candidate extraction device 3 takes statistics of attack means used in combination with the attack means X, attack means X1, and attack means U in the attack case information 13, and for example, most frequently used with the attack means X The attack means Y to be used was extracted and output as strengthening countermeasure information 18.

In the present embodiment, statistics of attack means used in combination with attack means X and attack means X1 are further collected, and further, detection means effective for attack means often used in combination with reference to countermeasure status information 16 Information 162 is also output.
This will be described using the following three attack case information described in the third embodiment. Here, a case will be described in which other attacking means to be detected together with the attacking means X are extracted.
Attack case information 13_1 = {attack means ID_X, attack means ID_e, attack means ID_f, attack means ID_g}
Attack case information 13_2 = {attack means ID_X, attack means ID_e, attack means ID_g, attack means ID_h}
Attack case information 13_3 = {attack means ID_X, attack means ID_e, attack means ID_i, attack means ID_j}
When the processing of FIG. 18 is performed on these attack case information, attack means ID list = {(attack means ID_e, count_e = 3), (attack means ID_g, count_g = 2)}.

As a result, the attack means ID_e or both the attack means ID_e and the attack means ID_g are output as the attack means Y. In the present embodiment, the following determinations (b1) to (b3) are performed on this output.
(B1) Of the attacking means IDs recorded in the attacking means ID list, the detecting means information 162 of the countermeasure status information 16 that has detection / countermeasure information with a circle is extracted, and the attacking means thus extracted The ID is output as attack means Y. If there are a plurality of attack means IDs that meet this condition on the attack means ID list, these are output as attack means Y. As a specific example, when the behavior detection (terminal) is set to ○ in the detection means information 162 of the countermeasure status information 16 for the attack means ID_e, the attack means ID_e is output as the attack means Y. (B2) If there is no attack means with a circle in the process of (b1), an attack means ID with a triangle is extracted in the detection means information 162 of the countermeasure status information 16. The extracted attack means ID is output as the attack means Y.
(B3) If there is no attack means attached with Δ in the processing of (b2), the attack means ID with □ is extracted in the detection means information 162 of the countermeasure status information 16. The extracted attack means ID is output as the attack means Y.
Note that only (b1) may be processed, only (b1) and (b2) may be processed, or (b1), (b2), and (b3) may be processed.
Further, for the attack means ID extracted in the process of (b1), the detection means information 162 (as a specific example, IDS) indicated by ○ may be output as the attack means Y together with the attack means ID. Similarly, detection means information 162 that is Δ in (b2) and detection means information 162 that is □ in (b3) may be output as attack means Y together with the attack means ID.

The countermeasure candidate extraction device 3 can output the same attack means Y1 by the same process for the attack means X1.
In the fourth embodiment, the attack means X, attack means X1, and attack means U are limited to those that have already been implemented in the organization using the countermeasure status information 16 among attack means that should be detected in combination. presentation. In the present embodiment, as for (b1), (b2), and (b3), those with a circle, those with a triangle, and those with a square are extracted and output as attack means W1.

*** Explanation of effects of this embodiment ***
In addition to the effects of the third and fourth embodiments, the countermeasure candidate extraction apparatus 3 according to the present embodiment has an effect that can determine which detection means should be applied specifically to the attack means to be countermeasured together. There is.

Embodiment 9 FIG.
In the present embodiment, differences from the first embodiment will be mainly described. In the present embodiment, the same components as those in the first to eighth embodiments are denoted by the same reference numerals, and the description thereof is omitted. Also, the description of functions similar to those in the first to eighth embodiments is omitted.

In the present embodiment, the processing in step S149 in FIG. 18 is changed with reference to the operational restrictions in the organization countermeasure information 15 in the first embodiment.
In step S149 of the first embodiment, when it is determined that the setting of the column of the organizational countermeasure status information 164_i corresponding to CM_ID_i_k is “completed” in the first embodiment, the organizational countermeasure corresponding to CM_ID_j (equal to CM_ID_i_k) Refer to the entry of information 15 and refer to the applicable operational restriction. In this operational restriction, when threshold suppression (number of times), threshold suppression (severity), and whitelisting are applied, “done / avoidance” is set instead of “done” in the column of the organization countermeasure status information 164_i. To do.
At the same time, the contents (item names on the organization countermeasure information 15) of operational suppression measures such as threshold suppression (number of times), threshold suppression (severity), and white list may be set as additional information. By referring to this additional information, the user of the countermeasure status generation device 1 can know the reason why the countermeasure is performed but it can be avoided (example: threshold suppression (number of times)).

A process in which the countermeasure status determination unit 104 gives the effect level 1651 to the countermeasure status information 16 will be described. For one attack means ID in the countermeasure status information 16 of FIG. 6, when the organization countermeasure status information 164 is “completed”, the setting values (○ △ □ ◇ ×) of the corresponding detection means information 162 are extracted as they are. Then, it is stored in the countermeasure status determination unit 104 as implementation detection means information 1621.
When the organization countermeasure status information 164 is “completed / avoided”, the setting value (○ △ □ ◇ ×) of the corresponding detection means information 162 is extracted, ○ is converted into □, and △ is converted into □ It is stored in the countermeasure status determination unit 104 as execution detection means information 1621. The countermeasure status determination unit 104 processes the execution detection means information 1621 extracted and converted as described above as follows.
(C1) If the execution detection means information 1621 includes ◯, the effectiveness 1651 is set as ◯.
(C2) If it does not apply to (c1), if Δ is included, Δ is set to the effectiveness 1651.
(C3) If it does not apply to (c2), if □ is included, □ is set to the effectiveness 1651.
(C4) If the above does not apply to (c3), if ◇ is included, ◇ is set to the effect level 1651.
(C5) When the above does not apply to (c4), x is set to the effectiveness 1651.
As a specific example, it is assumed that the behavior detection (AP) of the organization countermeasure status information 164 is “Done / Avoid” and the behavior detection (AP) of the detection means information 162 is Δ for a certain attack means ID. In this case, the behavior detection (AP) detection means information 162 is changed from Δ to □ and stored in the execution detection means information 1621. Assume that the IDS of the organization countermeasure status information 164 is “completed” and the IDS of the detection means information 162 is □ for the same attack means ID. In this case, the IDS detection means information 162 is not converted and stored in the execution detection means information 1621 as □. At this time, the execution detection means information 1621 is □ (behavior detection (AP)) and □ (IDS), and corresponds to the above (c3), so □ is set for the effectiveness 1651.

  In this way, if the organization places operational restrictions on detection / countermeasures, even if the detection / countermeasure product or log analysis can detect attack means, the operational restriction may reduce the detection capability. For the effectiveness 1651, an evaluation with a possibility of detection omission (avoidance) is given. Although (c3) and (c4) are originally evaluated as having a detection omission (avoidance), (c3) may be set to an effect 1651 as □ + and ◇ +. This “+” means that there is a possibility that detection omission (avoidance) may occur rather than normal □ and ◇.

*** Explanation of effects of this embodiment ***
The countermeasure status generation apparatus 1 according to the present embodiment refers to the organization countermeasure information 15 so that the detection and countermeasures implemented as countermeasures against the attack means cause detection omission (avoidance) due to operational restrictions. This can be shown in the countermeasure status information 16, and the user can recognize the risk of detection omission due to operation restrictions.

Embodiment 10 FIG.
In the present embodiment, differences from the first embodiment will be mainly described. In the present embodiment, the same components as those in the first to ninth embodiments are denoted by the same reference numerals, and the description thereof is omitted. Also, the description of functions similar to those in the first to ninth embodiments is omitted.

In the first embodiment, the detection countermeasure means information 12 and the organization countermeasure information 15 are processed separately. However, in this embodiment, the corresponding detection means of the detection countermeasure means information 12 is merged with the organization countermeasure information 15, Used as organization countermeasure information 15a.
In the present embodiment, the processing of the attack information generation unit 101 in the countermeasure status generation apparatus 1 is the same as that in the first embodiment.

  In the present embodiment, the processing in the detection information generation unit 102 uses the organization countermeasure information 15 a instead of the detection countermeasure means information 12. The other processes are the same as those in the first embodiment. As a result, the detection means distinguished by CM_ID in the organization countermeasure information 15a is set in the detection means information 162 of the attack detection information 121.

  In the present embodiment, the process of the risk determination unit 103 is the same as that of the first embodiment.

In the present embodiment, in the processing of the countermeasure status determination unit 104, the organization countermeasure information 15a is referred to instead of the organization countermeasure information 15. In the present embodiment, first, the process of S141 in FIG. 18 is performed. Next, in the countermeasure status information 16, the detection means information 162 is referred to for each attack means ID, and “completed” is set for the same component of the organizational countermeasure status information 164 for the component for which △△ □ ◇ is set. To do. Finally, for each attack means ID, “-” is set for a part where “done” is not set in the organization countermeasure status information 164. In the present embodiment, all the detection means information 162 has been implemented, and ◯ △ □ ◇ is given when the detection means can be used as the attack means. Otherwise it is not granted.
Other processing of the countermeasure status generation apparatus 1 is the same as that of the first embodiment.
FIG. 26 is a diagram showing an example of the configuration of the organization countermeasure information 15a according to the present embodiment. Each row of the organization countermeasure information 15a is configured by information on detection means already implemented in the organization and operational restrictions.

*** Explanation of effects of this embodiment ***
The countermeasure status generation apparatus 1 according to the present embodiment is implemented by referring to organization countermeasure information 15a that is a combination of already implemented detection / countermeasure information and operational restriction information, instead of the detection countermeasure means information 12. It is possible to output the status of effects for already detected and countermeasures.

  As described above, in the first to tenth embodiments, the countermeasure situation generation apparatus 1, the attack case determination apparatus 2, and the countermeasure candidate extraction apparatus 3 have been described as separate apparatuses. The functions of the case determination device 2 and the countermeasure candidate extraction device 3 may be installed. Further, the attack countermeasure determination system 500 may not have the device configuration illustrated in FIG. 1, and may have any device configuration as long as the above-described functions can be realized.

  In addition, only one of those described as “parts” in the description of Embodiments 1 to 10 may be adopted, or some arbitrary combinations may be adopted. That is, the functional configurations of the countermeasure status generation apparatus 1, the attack case determination apparatus 2, and the countermeasure candidate extraction apparatus 3 are arbitrary as long as the functions described in the above embodiments can be realized. The attack countermeasure determination system 500 may be configured with any combination or arbitrary functional configuration of functional configurations.

Moreover, you may implement combining several among these Embodiment 1-10. Alternatively, one of these embodiments may be partially implemented. In addition, these embodiments may be implemented in any combination in whole or in part.
In addition, said embodiment is an essentially preferable illustration, Comprising: It does not intend restrict | limiting the range of this invention, its application thing, or a use, A various change is possible as needed. .

DESCRIPTION OF SYMBOLS 1 Countermeasure situation production apparatus, 11 Attack information, 12 Detection countermeasure means information, 13, 13a Attack case information, 14 Weight information, 15, 15a Organization countermeasure information, 16 Countermeasure status information, 17 Attack case correspondence information, 18 Strengthening countermeasure information 21, X, X1, U Attack means, 22 detection means, 23 detection accuracy, 24 description, 31 attack phase, 101 attack information generation section, 102 detection information generation section, 103 risk level determination section, 104 countermeasure status determination section , 105
Countermeasure status output unit, 150 storage unit, 111, 161 Attack means information, 121 Attack detection information, 131 Attack detection risk information, 133 Attack case information, 162 Detection means information, 1621 Implementation detection means information, 163 Risk degree, 164 organization Countermeasure status information, 165 determination information, 1651 effectiveness, 1652 priority countermeasure item, 171 selection attack means, 2 attack case determination apparatus, 201 attack case determination section, 3 countermeasure candidate extraction apparatus, 301 countermeasure candidate extraction section, 500 attack countermeasure Determination system, 510 attack countermeasure determination method, 520 attack countermeasure determination program, 909 processing circuit, 910 processor, 920 storage device, 921 auxiliary storage device, 922 memory, 930 input interface, 940 output interface, S100 attack countermeasure determination processing, S110 attack Information generation process, S120 Intellectual information generating process, S130 risk assessment process, S140 measure status determination process, S150 measures situation output processing.

Claims (17)

A detection information generation unit that generates attack detection information including attack means for cyber attack, detection means for detecting the attack means, and detection accuracy of the detection means for the attack means;
The attack detection information and organization countermeasure information including, as an organization detection means, detection means implemented as a countermeasure against the attack means in an organization that is a target of the cyber attack, the detection included in the attack detection information An attack countermeasure determination system comprising: a countermeasure status determination unit that determines an effect level representing the degree of the effect of the countermeasure in the organization based on accuracy and the organization countermeasure information. The attack countermeasure determination system further includes:
The attack countermeasure determination system according to claim 1, further comprising a countermeasure status output unit that outputs the attack means and the effectiveness as countermeasure status information. The countermeasure status output unit
The attack countermeasure determination system according to claim 2, wherein the countermeasure state information includes the detection means for detecting the attack means and the detection accuracy of the detection means. The countermeasure status determination unit
Based on the detection accuracy and the organization countermeasure information, organization countermeasure status information indicating whether or not the detection means is implemented in the organization is generated, and the effectiveness is determined based on the organization countermeasure status information. The attack countermeasure determination system according to claim 2 or 3. The countermeasure status output unit
The attack countermeasure determination system according to claim 4, wherein the organization countermeasure status information is included in the countermeasure status information. The attack countermeasure determination system further includes:
Based on the detection accuracy of the detection means, comprising a risk determination unit for determining the risk of the attack means,
The countermeasure status output unit
The attack countermeasure determination system according to any one of claims 2 to 5, wherein a risk level of the attack means is included in the countermeasure status information. The risk determination unit
The attack countermeasure determination system according to claim 6, wherein the risk level is determined based on the detection accuracy of the detection unit and an attack phase in the cyber attack in which the attack unit is implemented. The detection information generation unit
The attack means information including the explanatory text describing the attack means, and the detection countermeasure means information including a keyword for acquiring the attack means detected by the detection means according to the detection accuracy, and using the keyword The attack countermeasure determination system according to any one of claims 1 to 7, wherein the explanatory text included in the attack means information is searched and an attack means detected by the detection means is detected according to the detection accuracy. The detection information generation unit
Attack countermeasures detected by the detection means, including detection countermeasure means information including attack means according to the detection accuracy of the detection means, and detected by the detection means based on the detection countermeasure means information The attack countermeasure determination system according to any one of claims 1 to 7, wherein a means is detected according to the detection accuracy. The detection information generation unit
As the detection accuracy, a first detection accuracy in which the detection unit cannot detect the attack unit, a second detection accuracy in which the detection unit may fail to detect the attack unit, and the detection unit erroneously detects the attack unit. Third detection accuracy that may be detected, fourth detection accuracy in which the detection means does not erroneously detect the attack means, and the detection means does not miss the attack means, and the detection means is the attack The apparatus has at least one of a fifth detection accuracy in which the detection means can detect the attack means and the detection means may detect the attack means in error. The attack countermeasure determination system according to any one of 9 above. The attack countermeasure determination system further includes:
A risk determination unit for acquiring attack means information including the risk of the attack means,
The countermeasure status output unit
The attack countermeasure determination system according to any one of claims 2 to 7, wherein a risk level of the attack means is included in the countermeasure status information. The attack countermeasure determination system further includes:
The attack phase information including the attack phase of the cyber attack and the attack means implemented in the attack phase and the countermeasure status information are obtained, and the attack phase information is used for the attack phase information using the countermeasure status information. The attack countermeasure determination system according to any one of claims 2 to 7, further comprising an attack case determination unit that determines a countermeasure status of the organization for each attack means. The attack case determination unit
The attack countermeasure determination system according to claim 12, wherein the attack case information and the countermeasure status of the organization are output as attack case correspondence information. The attack countermeasure determination system further includes:
The attack case information including the selected attack means selected based on the countermeasure status of the organization and the attack means other than the selected attack means is acquired, and the attack means used in combination with the selected attack means is the attack case. The attack countermeasure determination system according to claim 12 or 13, further comprising a countermeasure candidate extraction unit that is determined from information. The countermeasure candidate extraction unit
The attack countermeasure determination system according to claim 14, wherein attack means used in combination with the selected attack means is output as strengthening countermeasure information. The detection information generation unit generates attack detection information including attack means for cyber attack, detection means for detecting the attack means, and detection accuracy of the detection means for the attack means,
The countermeasure status determination unit acquires the attack detection information and organization countermeasure information including, as an organization detection means, a detection means implemented as a countermeasure against the attack means in the organization that is the target of the cyber attack, and the attack detection An attack countermeasure determination method for determining an effect level indicating a degree of the effect of the countermeasure in the organization based on the detection accuracy and the organization countermeasure information included in the information. A detection information generating process for generating attack detection information including attack means for cyber attack, detection means for detecting the attack means, and detection accuracy of the detection means for the attack means;
The attack detection information and organization countermeasure information including, as an organization detection means, detection means implemented as a countermeasure against the attack means in an organization that is a target of the cyber attack, the detection included in the attack detection information An attack countermeasure determination program for causing a computer to execute countermeasure state determination processing for determining an effect level indicating the degree of effect of the countermeasure in the organization based on accuracy and the organization countermeasure information.

Images