JP2018160170A - Output program, information processing apparatus, output method, generating program, and generating method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide information which is useful in narrowing down terminal devises having risk of being infected with a malware.SOLUTION: There is provided an output program for making a computer execute processing such that when a notice indicating malware infection risk of a first terminal device is received, with reference to a storage unit 11 for storing an execution history 11a of processing by a plurality of terminal devices, a second terminal device which executed processing including access to any of information A stored in the first terminal apparatus is identified on the basis of the history 11a, among the plurality of terminal devices, and that on the basis of execution contents of the identified second terminal device, degree of malware infection of the second terminal device is evaluated, and a result of the evaluation is output.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an output program, an information processing apparatus, an output method, a generation program, and a generation method.

  In recent years, damage from targeted attacks has become serious. For example, the attacker sends an email with a harmful file attached to the computer of the attacked person. Since the body of the e-mail is a content that appears to be a normal job or request, the attacker may easily open a harmful file attached to the e-mail. When the attacker opens the harmful file, the computer of the attacker is guided to a malicious website and infected with malware. For example, a computer infected with malware leaks information stored in the computer to the outside.

  As described above, in the targeted attack, since the attack proceeds by a method of impersonating a legitimate operation or communication, it takes a long time to detect the infection damage of malware, and the spread of the infection damage becomes serious. Therefore, if a malware infection damage is detected, the risk of spreading the infection damage can be suppressed by quickly ascertaining the extent of the infection damage and performing infection removal work on the computers within that range. .

  As a method of grasping the scope of infection damage, for example, collecting logs of other computers or network devices that are accessed by the attacker's computer at present or in the past and collecting the scope of infection damage based on the analysis result of the logs There is a way to narrow down. However, when the amount of logs is enormous, analysis takes a long time, and logs such as server devices that handle confidential company information and personal information may not be easily provided. For example, it is often difficult to collect a file server log even when there is evidence that an attacker's computer is accessing a file in a shared folder on the file server.

  Virus detection systems that detect viruses such as malware and spread activities due to targeted attacks with high accuracy at an early stage have been proposed. In this virus detection system, the communication between terminal devices and the activity of each terminal device are monitored, and the work of collecting communication and activity information in the diffusion activity detection device is performed. Further, the diffusion activity detection device determines whether the communication and activity are suspicious based on the first policy, and determines whether the terminal device is suspicious based on the second policy. Furthermore, this spreading activity detection device expresses the relationship between suspicious terminal devices in a graph, and detects the virus spreading activity based on the graph.

  However, in the proposed technique, learning is performed using the communication and activity performed in normal business and the suspicious communication and activity as a template, and based on the learning result, a criterion for determining whether or not it is suspicious (No. 1 A mechanism for constructing the second policy) is employed.

JP, 2006-66282, A

  If the log of the file server cannot be obtained for administrative reasons, or if the attacker is using cloud storage and cannot obtain the log from the server device to access, quickly narrow down the scope of infection damage Is difficult. If the damage range of an attack that impersonates the communication and activity of a terminal device performed in a normal business without using a log of a file server or the like can be grasped, the risk of spreading infection damage can be reduced. Therefore, firstly, it becomes one problem to be able to grasp the risk of malware infection in each terminal device without using a log of a file server or the like.

  According to one aspect, an object of the present invention is to provide an output program, an information processing device, an output method, a generation program, and a generation method that can provide information useful for narrowing down terminal devices that are at risk of malware infection. It is in.

  According to one aspect, when the notification indicating the risk of malware infection of the first terminal device is acquired, the storage unit that stores the execution history of the processing by the plurality of terminal devices is referred to, and the first of the plurality of terminal devices is selected. The second terminal device that has executed the process involving access to any information held by the terminal device is identified based on the execution history, and the second terminal device is identified based on the execution content of the identified second terminal device. An output program for evaluating the risk of device malware infection and outputting an evaluation result to cause a computer to execute processing is provided.

  Information useful for narrowing down terminal devices at risk of malware infection can be provided.

It is the figure which showed an example of the information processing apparatus which concerns on 1st Embodiment. It is the figure which showed an example of the information processing system which concerns on 2nd Embodiment. It is a figure for demonstrating expansion of malware infection. It is the block diagram which showed an example of the hardware which can implement | achieve the function of the information processing apparatus which concerns on 2nd Embodiment. It is the block diagram which showed an example of the function which the information processing apparatus which concerns on 2nd Embodiment has. It is the 1st figure which showed an example of the state determination table which concerns on 2nd Embodiment. It is the 2nd figure showing an example of the state judgment table concerning a 2nd embodiment. It is the figure which showed an example of the determination result table which concerns on 2nd Embodiment. It is the figure which showed an example of the property update history contained in the log information which concerns on 2nd Embodiment. It is the figure which showed an example of the same name file list contained in the log information which concerns on 2nd Embodiment. It is the figure which showed an example of the APP access log among the file access logs contained in the log information which concerns on 2nd Embodiment. It is the figure which showed an example of RF property log among the file access logs contained in the log information which concerns on 2nd Embodiment. It is the figure which showed an example of LF property log among the file access logs contained in the log information which concerns on 2nd Embodiment. It is the figure which showed an example of the alert history among the event logs contained in the log information which concerns on 2nd Embodiment. It is the figure which showed an example of the access history among the event logs contained in the log information which concerns on 2nd Embodiment. It is the figure which showed an example (for PC # 1) of the log for analysis contained in the log information which concerns on 2nd Embodiment. It is the figure which showed an example (for PC # 2) of the log for analysis contained in the log information which concerns on 2nd Embodiment. It is a figure for demonstrating accumulation | storage of the APP access log which concerns on 2nd Embodiment. It is a figure for demonstrating accumulation | storage of RF property log which concerns on 2nd Embodiment. It is a figure for demonstrating the output of the analysis result (malware infection risk) which concerns on 2nd Embodiment. It is a sequence diagram for demonstrating operation | movement of the information processing system which concerns on 2nd Embodiment. It is the flowchart which showed the flow of the process regarding accumulation | storage of the APP access log which concerns on 2nd Embodiment. It is the flowchart which showed the flow of the process regarding accumulation | storage of RF property log which concerns on 2nd Embodiment. It is the flowchart which showed the flow of the process regarding accumulation | storage of LF property log which concerns on 2nd Embodiment. It is the flowchart which showed the flow of the production | generation process of the log for analysis concerning 2nd Embodiment. It is the 1st flow figure showing the flow of the judgment processing concerning a 2nd embodiment. It is the 2nd flow figure showing the flow of the judgment processing concerning a 2nd embodiment. It is a figure for demonstrating the flow of the determination process which concerns on 2nd Embodiment, and the update process of a determination result table. It is the figure which showed an example of the non-tracking rule table which concerns on the modification of 2nd Embodiment. It is the figure which showed an example of the non-tracking machine table which concerns on the modification of 2nd Embodiment. It is the flowchart which showed the flow of the addition process of PC to the object list which concerns on the modification of 2nd Embodiment.

  Embodiments of the present invention will be described below with reference to the accompanying drawings. In addition, about the element which has the substantially same function in this specification and drawing, duplication description may be abbreviate | omitted by attaching | subjecting the same code | symbol.

<1. First Embodiment>
The first embodiment will be described with reference to FIG. The first embodiment relates to a mechanism for evaluating the degree (risk level) of infection risk in each terminal device using information that can be easily collected from the terminal device, and outputting the evaluation result. FIG. 1 is a diagram illustrating an example of an information processing apparatus according to the first embodiment. Note that the information processing apparatus 10 illustrated in FIG. 1 is an example of an information processing apparatus according to the first embodiment.

As illustrated in FIG. 1, the information processing apparatus 10 includes a storage unit 11 and a calculation unit 12.
The storage unit 11 is a volatile storage device such as a RAM (Random Access Memory) or a nonvolatile storage device such as an HDD (Hard Disk Drive) or a flash memory. The arithmetic unit 12 is a processor such as a CPU (Central Processing Unit) or a DSP (Digital Signal Processor). However, the arithmetic unit 12 may be an electronic circuit such as an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA). For example, the calculation unit 12 executes a program stored in a memory such as the storage unit 11.

  The information processing apparatus 10 communicates with the terminal devices 21, 22, 23, and the storage device 30 via the network NW. The network NW is, for example, a wired and / or wireless communication network such as a LAN (Local Area Network), a WAN (Wide Area Network), or a WLAN (Wireless LAN) or a mobile phone line.

The terminal devices 21, 22, and 23 are, for example, PCs (Personal Computers), server devices, communication devices (wireless base stations, wireless relay stations, mobile terminals, routers).
The storage device 30 is a storage device such as a NAS (Network Attached Storage), a file server, or a cloud storage. The storage device 30 includes, for example, a recording medium such as an HDD or an SSD (Solid State Drive), or a redundant array of inexpensive disks (RAID) device that is made redundant by connecting a plurality of recording media. The storage device 30 is a storage area in which access by the terminal devices 21, 22, and 23 is permitted. In the example of FIG. 1, information A held by the terminal device 21 is stored in the storage device 30. The terminal device 21 is an example of a first terminal device.

  The storage unit 11 stores an execution history 11a of processing by the terminal devices 21, 22, and 23. The execution history 11a includes information related to events (operations and processes) executed in the past by the terminal devices 21, 22, and 23.

  The execution history 11a in FIG. 1 includes information on the time when the event was executed, the contents of the event, the target of the event, and the terminal device that executed the event. The information included in the execution history 11 a is obtained from, for example, logs of the terminal devices 21, 22, and 23, and information properties (Property) in the storage device 30. This property is information that can be easily collected from the terminal devices 21, 22, and 23.

  In the example of FIG. 1, the execution history 11 a associates the time “10:05”, the event “creation”, the target “A @ SV”, and the terminal device “21”. SV represents the storage device 30. “A @ SV” represents information A in the storage device 30. These pieces of information indicate that the terminal device 21 created the information A in the storage device 30 at time 10:05. Note that “22 (via 23)” in the column of the terminal device indicates that an event by the terminal device 22 was executed by a remote operation by the terminal device 23.

  The storage unit 11 may further store risk level information 11b regarding the risk level of malware infection. The risk information 11b illustrated in FIG. 1 is information that associates the risk of malware infection (the magnitude of infection risk) with the execution content.

  The risk level information 11b associates, for example, a combination of the holding / non-holding of the corresponding information, the type of logon (local / remote), and the number of failed logons with the risk level. The relevant information is information having the same name as information held by a terminal device at risk of infection or information satisfying the same criteria. As the standard, for example, whether the attributes such as the file size and the update date / time are the same can be applied. The attribute can be acquired by referring to, for example, a property added to the information.

  The terminal device infection risk is determined by, for example, malware detection products (terminal devices 21, 22, 23, anti-virus software installed in the storage device 30, and infection detection devices (not shown; hardware) on the network NW). Can be detected.

  The terminal device that is remotely logged on is likely to be a stepping stone for the attack. A terminal device with a large number of failed logon attempts is likely to be under attack. In addition, a terminal device that holds the relevant information is highly likely to be infected with malware through access to information held by a terminal device that is at risk of infection. The risk information 11b illustrated in FIG. 1 is set in consideration of these factors. The risk information 11b shown in FIG. 1 is an example, and the item of execution content and the setting of the risk may be modified.

  When the calculation unit 12 obtains the notification 12a indicating the malware infection risk of the terminal device 21, the calculation unit 12 executes a process involving access to any information A held by the terminal device 21 among the terminal devices 21, 22, and 23. The terminal device 22 is specified based on the execution history 11a (12b). The terminal device 22 is an example of a second terminal device.

Moreover, the calculating part 12 evaluates the risk of malware infection of the terminal device 22 based on the execution content in the specified terminal device 22, and outputs an evaluation result (12c).
In the example of FIG. 1, the risk level of the terminal device 22 is evaluated as “medium” based on the risk level information 11b, and information indicating the risk level “medium” is output as the evaluation result. For example, the computing unit 12 includes a display device (not shown) connected to the information processing device 10 or a display device (not shown) of a management terminal (not shown) connected to the information processing device 10 via the network NW. ) Display the evaluation results.

  As described above, by using the information that can be easily collected from the terminal devices 21, 22, and 23, and outputting the evaluation result relating to the infection risk, useful information for grasping the range of infection spread is provided. . In addition, since the degree of infection risk is indicated for each terminal device, it is possible to appropriately select a location where communication interruption or access restriction is performed, which contributes to prevention of spread of infection.

The first embodiment has been described above.
<2. Second Embodiment>
Next, a second embodiment will be described. The second embodiment relates to a mechanism for evaluating the degree (risk level) of infection risk in each PC using information that can be easily collected from the PC, and outputting the evaluation result.

[2-1. system]
An information processing system according to the second embodiment will be described with reference to FIG. FIG. 2 is a diagram illustrating an example of an information processing system according to the second embodiment. An information processing system (System) 100 illustrated in FIG. 2 is an example of an information processing system according to the second embodiment.

  As illustrated in FIG. 2, the information processing system 100 includes an information processing apparatus 101, PCs 102 and 103, an FSV (File Server) 201, and a storage apparatus (Storage) 202. The information processing apparatus 101, the PCs 102 and 103, and the FSV 201 are connected via a network NW. The network NW is, for example, a LAN or WAN, or a communication line network such as a WLAN or a mobile phone line.

  The storage device 202 is, for example, a recording device such as an HDD or an SSD, or a RAID device that is made redundant by combining a plurality of recording media. The storage device 202 is connected to the FSV 201. A storage area such as an LV (Logical Volume) is set in the storage device 202. In the storage area of the storage apparatus 202, for example, a shared folder (Share) 202a that allows access by the PCs 102 and 103 is set.

  In the example of FIG. 2, the number of PCs is two, but three or more PCs can be connected to the network NW. In the following description, for convenience of description, PC 102 may be referred to as PC # 1, and PC103 may be referred to as PC # 2. The notation PC # k (k = 3, 4,...) May mean a PC (not shown) connected to the network NW. Further, the functions of the information processing apparatus 101 to be described later can be installed in the PCs 102 and 103.

Hereinafter, the description will be given by taking the information processing system 100 shown in FIG. 2 as an example.
As described above, the shared folder 202a is set in the storage apparatus 202, and access by the PCs 102 and 103 is permitted. In this case, if the PC 102 is infected with malware and the file (shared file 202b) on the shared folder 202a held by the PC 102 is rewritten to a harmful file, there is a risk that the infection will spread to other PCs by accessing the shared folder 202a. Arise.

  For example, as shown in FIG. 3, when malware infection occurs in PC # 1, the shared file 202b may be rewritten as a harmful file by malware. FIG. 3 is a diagram for explaining the spread of malware infection. When the shared file 202b rewritten as a harmful file is used by the PC # 2, the PC # 2 can be infected with malware. Similarly, when PC # 2 rewrites other files in the shared folder 202a, there is a risk that infection will spread to other PCs connected to the network NW.

  In the information processing system 100, each PC performs logon / logoff monitoring, logon account monitoring, local file system monitoring, handle operation monitoring, and the like, and information processing apparatuses using information that each PC can collect 101 evaluates the risk of infection. In the information processing system 100, it is assumed that the log of the FSV 201 is not provided to the information processing apparatus 101. However, information that can be referred to by each PC without special authority, such as the properties of the shared file 202b, can be used by the information processing apparatus 101.

The information processing system 100 has been described above.
[2-2. hardware]
Here, the hardware of the information processing apparatus 101 will be described with reference to FIG. FIG. 4 is a block diagram illustrating an example of hardware capable of realizing the functions of the information processing apparatus according to the second embodiment.

  The functions of the information processing apparatus 101 can be realized using, for example, hardware resources shown in FIG. That is, the functions of the information processing apparatus 101 are realized by controlling the hardware shown in FIG. 4 using a computer program.

  As shown in FIG. 4, this hardware mainly includes a CPU 902, a ROM (Read Only Memory) 904, a RAM 906, a host bus 908, and a bridge 910. Further, this hardware includes an external bus 912, an interface 914, an input unit 916, an output unit 918, a storage unit 920, a drive 922, a connection port 924, and a communication unit 926.

  The CPU 902 functions as, for example, an arithmetic processing unit or a control unit, and controls the overall operation of each component or a part thereof based on various programs recorded in the ROM 904, the RAM 906, the storage unit 920, or the removable recording medium 928. . The ROM 904 is an example of a storage device that stores a program read by the CPU 902, data used for calculation, and the like. The RAM 906 temporarily or permanently stores, for example, a program read by the CPU 902 and various parameters that change when the program is executed.

  These elements are connected to each other via, for example, a host bus 908 capable of high-speed data transmission. On the other hand, the host bus 908 is connected to an external bus 912 having a relatively low data transmission speed via a bridge 910, for example. As the input unit 916, for example, a mouse, a keyboard, a touch panel, a touch pad, a button, a switch, a lever, or the like is used. Furthermore, as the input unit 916, a remote controller capable of transmitting a control signal using infrared rays or other radio waves may be used.

  As the output unit 918, for example, a display device such as a CRT (Cathode Ray Tube), an LCD (Liquid Crystal Display), a PDP (Plasma Display Panel), or an ELD (Electro-Luminescence Display) is used. As the output unit 918, an audio output device such as a speaker or headphones, or a printer may be used. In other words, the output unit 918 is a device that can output information visually or audibly.

  The storage unit 920 is a device for storing various data. As the storage unit 920, for example, a magnetic storage device such as an HDD is used. Further, as the storage unit 920, a semiconductor storage device such as an SSD or a RAM disk, an optical storage device, or a magneto-optical storage device may be used.

  The drive 922 is a device that reads information recorded on a removable recording medium 928 that is a removable recording medium or writes information on the removable recording medium 928. As the removable recording medium 928, for example, a magnetic disk, an optical disk, a magneto-optical disk, or a semiconductor memory is used.

  The connection port 924 is a port for connecting an external connection device 930 such as a USB (Universal Serial Bus) port, an IEEE 1394 port, a SCSI (Small Computer System Interface), an RS-232C port, or an optical audio terminal. For example, a printer or the like is used as the external connection device 930.

  The communication unit 926 is a communication device for connecting to the network 932. Examples of the communication unit 926 include a wired or wireless LAN communication circuit, a WUSB (Wireless USB) communication circuit, an optical communication circuit or router, an ADSL (Asymmetric Digital Subscriber Line) communication circuit or router, A communication circuit for a mobile phone network can be used. A network 932 connected to the communication unit 926 is a wired or wireless network, and includes, for example, the Internet, a LAN, a broadcast network, a satellite communication line, and the like.

The hardware of the information processing apparatus 101 has been described above.
Note that the functions of the PCs 102 and 103 and the FSV 201 can also be realized using the hardware shown in FIG. Therefore, detailed description of the hardware of the PCs 102 and 103 and the FSV 201 is omitted.

[2-3. Information processing device]
The function of the information processing apparatus 101 will be described with reference to FIG. FIG. 5 is a block diagram illustrating an example of functions of the information processing apparatus according to the second embodiment.

As illustrated in FIG. 5, the information processing apparatus 101 includes a storage unit 111, an alert monitoring unit 112, a history collection unit 113, a risk evaluation unit 114, and a display control unit 115.
Note that the functions of the alert monitoring unit 112, the history collection unit 113, the risk evaluation unit 114, and the display control unit 115 can be realized using the above-described CPU 902 or the like. The functions of the storage unit 111 can be realized using the above-described RAM 906, the storage unit 920, and the like.

  The storage unit 111 stores a state determination table (TBL) 111a, a determination result table (TBL) 111b, and log information 111c. The state determination table 111a is a table in which conditions serving as determination criteria for determining the state of each PC related to infection risk are registered. The determination result table 111b is a table in which the determination result of each PC based on the state determination table 111a is recorded.

  The log information 111c is information related to logs acquired from the storage apparatus 202 and each PC. The log information 111c includes a property update history L1, a file list L2 with the same name, a file access log L3, an event log L4, and an analysis log L5.

  The property update history L1 is a history of file properties (file size, update date / time, etc.) regarding files in the shared folder 202a. The same name file list L2 is information on a PC holding a file having the same name as a file in the shared folder 202a. Note that the same reference file list describing information on files having the same attribute information included in the file properties may be used. The name of the file is an example of attribute information. In addition to file properties, the same reference file list describing information on files having the same reference may be used based on file attribute information that can be easily acquired by each PC.

  The file access log L3 includes an APP access log L3a, an RF property log L3b, and an LF property log L3c. The APP access log L3a is an access log to files stored in application software of each PC.

  The RF property log L3b is a file property log related to files in the shared folder 202a accumulated by each PC. The LF property log L3c is a log of file properties related to local files accumulated by each PC.

  The event log L4 includes an alert history L4a and an access history L4b. The alert history L4a is a log in which the content of alerts output from malware detection products is accumulated. The malware detection product is, for example, anti-virus software installed in each PC or FSV 201, or an infection detection device (such as a communication device or a network monitoring device) on the network NW. The access history L4b is a history of access (logon, logoff, access attempt, etc.) to each PC and the shared folder 202a.

The analysis log L5 is information obtained by integrating the file access log L3, the event log L4, and the like. The analysis log L5 is used when evaluating the infection risk of each PC.
Hereinafter, the state determination table 111a, the determination result table 111b, and the log information 111c will be further described. Here, for convenience of explanation, the contents of the log information 111c are described separately from L1 to L5. However, for example, modifications such as eliminating duplicate contents are possible. Further, the log information 111c may be organized in a format that can be easily searched and edited by using an RDBMS (Relational Database Management System).

(Status judgment table / judgment result table)
The state determination table 111a will be further described with reference to FIGS. FIG. 6 is a first diagram illustrating an example of a state determination table according to the second embodiment. FIG. 7 is a second diagram illustrating an example of a state determination table according to the second embodiment.

  As shown in FIG. 6, the state determination table 111a includes information source items (uppermost row) and condition items (second row from the top). The information source “L4a” means that information collated with the corresponding condition is obtained from the alert history L4a. Further, the information source “L4b” means that information collated with a corresponding condition is obtained from the access history L4b.

  The information source “L3a” means that information collated with the corresponding condition is obtained from the APP access log L3a. The information source “L3b” means that information collated with the corresponding condition is obtained from the RF property log L3b. Further, the information source “L4b, L3a” means that information collated with the corresponding condition is obtained from the access history L4b and the APP access log L3a.

  The condition “FILE” of the information source “L4a” means detection of a suspicious file in the target PC. For example, when an alert having the content of a suspicious file is output from a malware detection product, the condition “FILE” of the information source “L4a” is met. The condition “action” means detection of a suspicious action in the target PC.

  For example, when an alert indicating that a suspicious operation is detected is output from a malware detection product, the condition “operation” is met. The condition “communication” means detection of suspicious communication in the target PC. For example, when an alert indicating that suspicious communication is detected is output from the malware detection product, the condition “communication” is satisfied.

  The condition “logon” of the information source “L4b” means that the target PC is logged on within the target period. The target period is set to, for example, a predetermined period (for example, 2 hours) before the time when malware infection is detected on a certain PC. Whether or not the target PC is logged on within the target period corresponds to the condition “logon” when there is a record indicating the logon of the target PC in the access history L4b corresponding to the target period.

  The condition “FILE” of the information source “L3a” means that it can be determined from the APP access log L3a that the target PC holds a suspicious file (such as a program used for an attack). The condition “FILE” of the information source “L3b” means that it can be determined from the RF property log L3b that the target PC holds a file with the same name as the suspicious file in the shared folder 202a. It should be noted that in the determination regarding the condition “FILE” of the information source “L3b”, a modification using the file name L2 with the same name may be employed.

  The condition “remote” of the information source “L4b” means that it is determined from the access history L4b that the target PC is remotely logged on. The condition “access” of the information source “L3a” means that it is determined from the APP access log L3a that the target PC has accessed the suspicious shared file 202b in the shared folder 202a.

  For example, referring to the above condition “logon” and condition “remote”, whether or not the target PC was remotely logged on during a predetermined period (target period) before the time when a malware infection was detected on a certain PC. I understand. There is a high possibility that operations and processes that cause malware infection are executed through remote operations by the Service-to-Self. Therefore, it is preferable that the target PC that is remotely logged on during the target period is included in the target of the investigation for checking whether the operation or the process causing the malware infection is performed. For this reason, as described above, the target period is set based on the time of malware infection.

  The condition “failure” of the information source “L4b, L3a” indicates that the target PC has failed to access or log on to another PC or FSV 201 at least a predetermined number of times (for example, five times) from the access history L4b and the APP access log L3a. It means that it is judged.

  The numbers in the leftmost column of the state determination table 111a are item numbers. LvX, Lv0, Lv1, Lv2, and Lv3 on the right side of the item number indicate the state of another PC (access source) accessing the target PC or another PC (access destination) accessed by the target PC. Represents. On the other hand, Lv0, Lv1, Lv2, and Lv3 in the rightmost column of the state determination table 111a represent the degree of risk (degree of infection risk) in the target PC.

  Lv3 represents a suspicious operation or communication and a case in which a suspicious file is confirmed (risk-high state). Lv2 represents a case where a suspicious operation or communication is confirmed (risk state). Lv1 represents a case where a suspicious file is confirmed (low risk state). Lv0 represents a suspicious operation, suspicious communication, or a case where a suspicious file is not confirmed (risk minimal state). LvX represents a case where the risk of infection is not determined (risk not determined).

  In the state determination table 111a, “◯” means that the condition is met, and “x” means that the condition is not met. Further, “-” means that it does not matter whether the condition is met or not. The relationship between the specific combination of conditions and the degree of risk is as shown in the state determination table 111a shown in FIGS.

  However, the conditions illustrated in FIGS. 6 and 7 are examples, and conditions may be added according to the types of alerts that can be acquired and the contents of conditions that can be practically determined. It may be omitted. Such a modification is also possible.

  The determination result based on the state determination table 111a is recorded in the determination result table 111b shown in FIG. FIG. 8 is a diagram illustrating an example of a determination result table according to the second embodiment. In the determination result table 111b, information on the state of the target PC and information on the state of the PC (access PC) that is the access source or access destination of the target PC are recorded. A method for recording information in the determination result table 111b will be described later.

(Log information)
Next, the log information 111c will be further described with reference to FIGS.
First, FIG. 9 will be referred to. FIG. 9 is a diagram illustrating an example of the property update history included in the log information according to the second embodiment.

  The property update history L1 is a property history regarding a file (target file) in the shared folder 202a. The property includes, for example, information such as update date / time, access date / time, creation date / time, file size, setting change contents, file owner, and attributes (such as read authority). For example, whenever the property of the target file is updated, the property update history L1 as shown in FIG. 9 is obtained by acquiring the property of the target file and adding it to the property update history L1.

Reference is now made to FIG. FIG. 10 is a diagram showing an example of the same name file list included in the log information according to the second embodiment.
The same name file list L2 is information regarding a local file (same name file) having the same name as a file (target file) in the shared folder 202a. In the example of FIG. 10, the name (PC name) of the PC holding the file with the same name, the update date / time, the size, the hash value, the owner, the creation date / time, and the location (PC local folder) are stored in the same name file list L2. It has been described. The hash value is a value obtained by inputting the same name file into the hash function. By comparing hash values, it is possible to easily determine the identity of files.

Reference is now made to FIG. FIG. 11 is a diagram showing an example of the APP access log among the file access logs included in the log information according to the second embodiment.
The APP access log L3a is a set of logs output by application software of each PC. In the example of FIG. 11, the APP access log L3a includes the log occurrence date and time, the event that caused the log, the path to the target file of the event, the owner of the target file, the PC name, the user name, and the information source. It has been described.

  The information source described in the APP access log L3a is information indicating which application software is the log. By referring to the APP access log L3a, it can be determined whether or not the application software has accessed the file in the shared folder 202a.

Reference is now made to FIG. FIG. 12 is a diagram illustrating an example of the RF property log among the file access logs included in the log information according to the second embodiment.
The RF property log L3b is a set of logs obtained from file properties (shared file properties) in the shared folder 202a. In the example of FIG. 12, the RF property log L3b includes the log occurrence date and time, the event that caused the log, the path to the target file of the event, the size of the target file, the contents of the setting change, the owner of the target file, And information sources (shared file properties) are described.

Reference is now made to FIG. FIG. 13 is a diagram showing an example of the LF property log among the file access logs included in the log information according to the second embodiment.
The LF property log L3c is a set of logs obtained from file properties (file properties) in a local folder of each PC. In the example of FIG. 13, the LF property log L3c includes the log occurrence date and time, the event that caused the log, the path to the event target file, the size of the target file, the owner of the target file, the PC name, and the user name. , And information sources (file properties) are described.

  Reference is now made to FIG. FIG. 14 is a diagram illustrating an example of an alert history among event logs included in log information according to the second embodiment. As shown in FIG. 14, the alert history L4a includes the date and time of occurrence of the alert, the event that caused the alert, the path to the event target file (“-” for an event that does not have a target file), PC Name and information source (malware detection product) are described.

  Reference is now made to FIG. FIG. 15 is a diagram illustrating an example of an access history among event logs included in log information according to the second embodiment. As shown in FIG. 15, the access history L4b includes the occurrence date and time of the event (logon, logoff, or access attempt), the contents of the event, and the path to the event target file (in the case of an event having no target file, “- "), The PC name, the user name, and the logon form are described.

  The logon form indicates whether it is a local logon that logs on directly to a PC or a remote logon that is performed via another PC. In the case of remote logon, information on the PC used for logon is described in the access history L4b. For example, “via PC # 3” in the logon column means a logon form in which the user remotely logs on via PC # 3.

(Log information collection / analysis log generation)
Of the log information 111c, the analysis log L5 is obtained by integrating the file access log L3 and the event log L4. FIG. 16 is a diagram illustrating an example of the analysis log (for PC # 1) included in the log information according to the second embodiment. FIG. 17 is a diagram illustrating an example of the analysis log (for PC # 2) included in the log information according to the second embodiment.

  The analysis log L5 is generated for each target PC. For example, when the various logs shown in FIGS. 11 to 15 are integrated for PC # 1, an analysis log L5 as shown in FIG. 16 is obtained. As shown in FIG. 16, in the analysis log L5, the event occurrence date and time, the contents of the event, the path to the event target file (“-” if there is no target file), the PC name, the user name, and the logon And information sources.

  For example, information related to the event “logon” is obtained from the access history L4b included in the event log L4. Information regarding the event “file creation” having “C: ¥ exp.docx” (local file) as a target file is obtained from the LF property log L3c. Information regarding the event “file creation” with “¥¥ FSV ¥ exp.docx” (shared file) as a target file is obtained from the RF property log L3b.

  As described above, the analysis log L5 for PC # 1 is obtained by extracting the information related to PC # 1 from the file access log L3 and the event log L4 and arranging them in the order of occurrence date and time. Similarly, by extracting information related to PC # 2 from the file access log L3 and event log L4 and arranging them in the order of occurrence date and time, an analysis log L5 for PC # 2 as shown in FIG. 17 is obtained.

(Log accumulation / risk level judgment / judgment result output)
Refer to FIG. 5 again.
The alert monitoring unit 112 monitors an alert output from the malware detection product. When an alert is output from the malware detection product, the alert monitoring unit 112 stores the content of the alert in the storage unit 111 as the alert history L4a. Note that the alert monitoring unit 112 may acquire an alert notified to each PC from each PC, and store the acquired alert content in the storage unit 111 as the alert history L4a.

  The history collection unit 113 collects the log by the application software of each PC, the property log of the local file stored in each PC, and the shared file property log. Then, the history collection unit 113 stores the collected logs in the storage unit 111 as an APP access log L3a, an RF property log L3b, and an LF property log L3c.

The accumulation of the APP access log L3a is performed, for example, according to a procedure as shown in FIG. FIG. 18 is a diagram for explaining accumulation of the APP access log according to the second embodiment.
In the example of FIG. 18, the application software installed on the PC # 1 accesses a file (shared file) in the shared folder 202a. At this time, the application software accumulates information such as the date and time of occurrence described in the APP access log L3a in the PC # 1. In this way, the information accumulated in the PC # 1 is collected by the history collection unit 113 and stored in the storage unit 111 as the APP access log L3a. The same applies to other PCs.

  Further, the accumulation of the RF property log L3b is performed, for example, according to a procedure as shown in FIG. FIG. 19 is a diagram for explaining accumulation of the RF property log according to the second embodiment.

  In the example of FIG. 19, the PC # 1 monitors the update of the shared file property, and the PC # 1 acquires the information of the shared file property at the update timings t1, t2, and t3. At this time, the PC # 1 accumulates information such as the occurrence date and time described in the RF property log L3b. In this way, information accumulated in the PC # 1 is collected by the history collection unit 113 and stored in the storage unit 111 as the RF property log L3b. The same applies to other PCs.

  The risk evaluation unit 114 determines the risk level of each PC based on the state determination table 111a. For example, when the malware infection of PC # 2 is notified, the risk evaluation unit 114 generates the analysis log L5 for each PC by integrating the file access log L3 and the event log L4 whose occurrence date and time is before the notification, The risk level of each PC is determined based on the state determination table 111a. The display control unit 115 outputs the determination result by the risk evaluation unit 114.

  For example, the display control unit 115 outputs information as shown in FIG. FIG. 20 is a diagram for explaining the output of the analysis result (malware infection risk) according to the second embodiment.

  In the example of FIG. 20, the connection relationship between FSV, PC # 1,..., # 6 is shown on the display screen 203, and the degree of risk (magnitude of malware infection risk) is indicated by the colors of FSV, PC # 1,. Is expressed. By adopting such an expression, it becomes easy to quickly and appropriately take measures such as narrowing the infection range, estimating the infection route, and specifying the cutting route.

The function of the information processing apparatus 101 has been described above.
[2-4. Process flow]
Hereinafter, the flow of processing executed in the information processing system 100 will be described, and the description of the functions of the information processing apparatus 101 and each PC will be supplemented.

  In the following description, for the convenience of description, the description will be given by taking as an example a situation in which the information processing system 100 includes the PCs 102, 103,. Further, the PCs 102, 103,..., 105 may be referred to as PC # 1, PC # 2,.

  When the functions of the PCs 102, 103,..., 105 are realized using the hardware shown in FIG. 4, the processing described below can be executed using the CPU 902 or the like. In addition, when accumulating logs, the PCs 102, 103,..., 105 accumulate RAM 906, storage unit 920, removable recording medium 928, or external storage connected via the communication unit 926 or connection port 924. Use.

(Sequence: Information processing system)
First, an overall flow of processing executed by the information processing system 100 will be described with reference to FIG. FIG. 21 is a sequence diagram for explaining the operation of the information processing system according to the second embodiment.

  (S101) The information processing apparatus 101 monitors the alert output from the malware detection product by the alert monitoring unit 112. When an alert is output from the malware detection product, the alert monitoring unit 112 stores the content of the output alert in the storage unit 111 as the alert history L4a of the event log L4.

  (S102, S103, S104) As shown in FIG. 18, the PC 102 monitors the access to the shared folder 202a by the application software and accumulates the access log of the application software. Like the PC 102, the PCs 103, ..., 105 also store application software access logs. The application software access log accumulated by the PCs 102, 103,... 105 is used as the APP access log L3a (see FIG. 11).

  Further, as shown in FIG. 19, the PC 102 monitors the shared file property of the file in the shared folder 202a, and acquires the shared file property information at the timing when the shared file property is updated. Note that the shared file property monitored by the PC 102 may be only the shared file property of the file held by the PC 102.

  The PC 102 accumulates the acquired shared file property information as a shared file property log. Similar to the PC 102, the PCs 103, ..., 105 also store the shared file property log. The shared file property log accumulated by the PCs 102, 103,... 105 is used as the RF property log L3b (see FIG. 12).

  Further, the PC 102 monitors the file property of the local file, and accumulates the file property information as a file property log when the file property is updated. Like the PC 102, the PCs 103,..., 105 also store file property logs. The file property log accumulated by the PCs 102, 103,... 105 is used as the LF property log L3c (see FIG. 13).

  (S105, S106) The information processing apparatus 101 receives, from the malware detection product, a notification that the PC 103 (PC # 2) has a suspected malware infection, for example, by the alert monitoring unit 112. In this case, the information processing apparatus 101 uses the risk evaluation unit 114 to generate the determination result table 111b (see FIG. 8) of the initial state, and the information of the starting PC (PC # 2 in this example) is determined as the determination result table. This is described in 111b. The initial state is a state in which only values are described in the “name” column and “log” column of the target PC.

  For example, the risk evaluation unit 114 describes FSV, PC # 1, PC # 2,..., PC # 4 in the “name” column of the target PC, “None”, PC # 1 in the “log” column of the FSV. , PC # 2,..., A determination result table 111b in which “Yes” is described in the “Log” column of PC # 4 is generated.

  In addition, the risk evaluation unit 114 describes the state (Lv3) of PC # 2 that is the target of infection notification in the corresponding column of the determination result table 111b (the “state” column corresponding to the name “PC # 2” of the target PC). To do. Further, the risk evaluation unit 114 describes “[starting point]” in the “name” column and “LvX” in the “status” column of the access PC corresponding to the name “PC # 2” of the target PC.

Here, PC # 2 that is the target of infection notification is set as the starting point, but another PC may be set as the starting point.
(S107) The information processing apparatus 101 uses the history collection unit 113 to send a log information transmission request to the PCs 102, 103,..., 105 (target PC whose “log” column in the determination result table 111b is “Yes”). . For example, the history collection unit 113 notifies the PCs 102, 103,..., 105 of the time when the malware infection of the PC # 2 is detected or the time when the infection notification is received (start time), and a predetermined period ( For example, it requests transmission of log information related to an event that occurred in 2 hours.

(S108) The PCs 102, 103, ..., 105 receive a log information transmission request from the information processing apparatus 101, and transmit the log information to the information processing apparatus 101 in response to the transmission request.
For example, the PCs 102, 103,..., 105 transmit log information including the application software access log, the shared file property log, and the file property log of the local file stored therein to the information processing apparatus 101. When the start time is notified from the information processing apparatus 101, the PCs 102, 103,..., 105 may extract log information whose event occurrence date and time is earlier than the start time and transmit the log information to the information processing apparatus 101.

  (S109) The information processing apparatus 101 generates the APP access log L3a, the RF property log L3b, and the LF property log L3c from the log information received from the PCs 102, 103,. In addition, the risk evaluation unit 114 analyzes the log L5 corresponding to each of the PCs 102, 103,..., 105 based on the APP access log L3a, the RF property log L3b, and the LF property log L3c (see FIGS. 16 and 17). Create

  (S110) The information processing apparatus 101 uses the risk evaluation unit 114 to collate the analysis log L5 with the state determination table 111a, and sequentially determine the states of the PC 102, PC 104,.

  For example, the risk evaluation unit 114 refers to the analysis log L5 for PC # 2, and identifies a PC or FSV with a trace accessed by the PC 103 (PC # 2) as the starting point. And the risk evaluation part 114 determines the state of identified PC or FSV, and describes a determination result in the determination result table 111b.

  Further, the risk evaluation unit 114 identifies an undecided PC or FSV that is the access destination or access source of the determined PC or FSV, and describes the determination result related to the specified PC or FSV state in the determination result table 111b. . In such a procedure, the risk evaluation unit 114 sequentially determines the states of the PC and the FSV.

  (S111) The information processing apparatus 101 causes the display control unit 115 to output the PC and FSV states based on the state determination table 111a. For example, as shown in FIG. 20, the display control unit 115 displays the connection relationship between the PC and the FSV on the display screen 203, and attaches a color corresponding to the state to the display object representing each PC and FSV. When the processing of S111 is completed, the series of processing illustrated in FIG.

(APP access log accumulation: PC)
Here, the flow of processing (corresponding to a part of S102) of accumulating application software access logs (logs corresponding to the APP access log L3a) will be further described with reference to FIG. FIG. 22 is a flowchart showing a flow of processing relating to accumulation of the APP access log according to the second embodiment. Here, the processing by the PC 102 (PC # 1) will be described as an example, but the same applies to the PCs 103,.

(S121) The PC 102 refers to the access log of the installed application software.
Some application software has a function of recording a history (access log) such as a file path, access date and time, and access contents of a recently accessed file.

  For example, widely used presentation software records “recently used presentation” as an access log unique to the software. The access log is saved as a shortcut file. Therefore, the file path information is obtained from the link destination of the stored shortcut file, and the access date information is obtained from the shortcut file update date.

  (S122) The PC 102 determines whether or not the access log of the application software has been updated. If the access log has been updated, the process proceeds to S123. On the other hand, if the access log has not been updated, the process proceeds to S124.

  (S123) The PC 102 extracts information related to file access (for example, the above-mentioned file path, access date and time, access content) from the access log referred to in S121, and holds it as an access log used as the APP access log L3a.

  (S124) The PC 102 determines whether or not to end the accumulation of the access log. For example, when there is a power-off of the PC 102, termination of application software, an explicit termination operation by the user, etc., the PC 102 determines to finish accumulating access logs. When the accumulation of the access log is terminated, the series of processes illustrated in FIG. 22 is terminated. On the other hand, if the accumulation of access logs is not terminated, the process proceeds to S121.

(RF property log accumulation: PC)
Next, the flow of processing (corresponding to a part of S102) relating to accumulation of the shared file property log (log corresponding to the RF property log L3b) will be further described with reference to FIG. FIG. 23 is a flowchart showing a flow of processing relating to accumulation of the RF property log according to the second embodiment. Here, the processing by the PC 102 (PC # 1) will be described as an example, but the same applies to the PCs 103,.

  (S131) The PC 102 refers to a property (shared file property) of a file that has been accessed in the past among files in the shared folder 202a. The reference timing of the shared file property is set to “every 5 minutes” or “every day at midnight”, for example.

  (S132) The PC 102 determines whether or not there is a target file (a file corresponding to the shared file property to be referenced). If there is a target file, the process proceeds to S133. On the other hand, if there is no target file, the process proceeds to S135.

  (S133) The PC 102 determines whether or not the shared file property of the target file has been updated. If the shared file property has been updated, the process proceeds to S134. On the other hand, if the shared file property has not been updated, the process proceeds to S135.

  (S134) The PC 102 acquires information (file creation date, path, size, owner, etc.) from the referenced shared file property, and holds it as a shared file property log used as the RF property log L3b.

  (S135) The PC 102 determines whether or not to end the storage of the shared file property log. For example, when there is a power interruption of the PC 102, a communication interruption between the PC 102 and the FSV 201, an explicit end operation by the user, etc., the PC 102 determines to end the storage of the shared file property log. When the accumulation of the shared file property log is finished, the series of processes shown in FIG. 23 is finished. On the other hand, when the accumulation of the shared file property log is not terminated, the process proceeds to S131.

(LF property log accumulation: PC)
Next, the flow of processing (corresponding to a part of S102) relating to the accumulation of the file property log (log corresponding to the LF property log L3c) will be further described with reference to FIG. FIG. 24 is a flowchart showing a flow of processing relating to accumulation of the LF property log according to the second embodiment. Here, the processing by the PC 102 (PC # 1) will be described as an example, but the same applies to the PCs 103,.

(S141) The PC 102 monitors the operation on the local file having the same name as the file in the shared folder 202a.
For example, when a file in the shared folder 202a is copied to the PC 102, an operation for creating a file with the same name as the file in the shared folder 202a on the PC 102 or an operation for overwriting a local file with the same name is detected. When a file in the local folder is overwritten with a file with the same name in the shared folder 202a, a read operation of the file in the local folder is detected.

  (S142) The PC 102 determines whether a target operation (operation on a local file having the same name as a file in the shared folder 202a) has been detected. If the target operation is detected, the process proceeds to S143. On the other hand, if the target operation is not detected, the process proceeds to S145. The target operation may be monitored at a preset timing, or may be continuously performed while the PC 102 is powered on.

  (S143, S144) The PC 102 creates the same name file list describing information on the local file with the same name, and stores the information of the target operation in the same name file list (PC # 1 in the same name file list L2 illustrated in FIG. 10). Add to the corresponding record). Further, the PC 102 holds the contents of the operation on the local file with the same name as a file property log used as the LF property log L3c.

  (S145) The PC 102 determines whether or not to end the storage of the file property log. For example, when there is a power interruption of the PC 102, a communication interruption between the PC 102 and the FSV 201, an explicit end operation by the user, etc., the PC 102 determines to end the storage of the file property log. When the accumulation of the file property log is finished, the series of processes shown in FIG. 24 is finished. On the other hand, if the accumulation of the file property log is not terminated, the process proceeds to S141.

When the same reference file list for attribute information other than the name is used, the same reference file is processed in the same manner as the file with the same name in the above processing.
(Analysis log generation: Information processing device)
Next, the flow of processing (corresponding to S109) relating to generation of the analysis log L5 will be further described with reference to FIG. FIG. 25 is a flowchart showing a flow of analysis log generation processing according to the second embodiment. It is assumed that the APP access log L3a, the RF property log L3b, and the LF property log L3c are stored in the storage unit 111.

(S151) The risk evaluation unit 114 selects an unselected PC as a target PC.
(S152, S153, S154) The risk evaluation unit 114 acquires the occurrence date, event, path, and PC name from the record corresponding to the target PC in the APP access log L3a (see FIG. 11). Further, the risk evaluation unit 114 acquires the occurrence date, event, path, PC name, user name, and logon status from the record corresponding to the target PC in the RF property log L3b (see FIG. 12). Further, the risk evaluation unit 114 acquires the occurrence date, event, path, and PC name from the record corresponding to the target PC in the LF property log L3c (see FIG. 13).

  (S155, S156) The risk evaluation unit 114 acquires the occurrence date, event, path, and PC name from the record corresponding to the target PC in the alert history L4a (see FIG. 14). Further, the risk evaluation unit 114 acquires the occurrence date and time, the event, the PC name, the user name, and the logon state from the record corresponding to the target PC in the access history L4b (see FIG. 15).

  (S157, S158) The risk evaluation unit 114 arranges the information acquired in S152 to S154 in time series, and records the information in the storage unit 111 as the analysis log L5 for the target PC (see FIGS. 16 and 17). When the selection of the target PC is completed (when there is no unselected PC to be the target PC), the series of processes illustrated in FIG. 25 ends. On the other hand, if there is an unselected PC to be the target PC, the process proceeds to S151.

(Determination process)
Next, the flow of determination processing (corresponding to S110) will be further described with reference to FIGS. FIG. 26 is a first flowchart showing a flow of determination processing according to the second embodiment. FIG. 27 is a second flowchart showing the flow of determination processing according to the second embodiment. It is assumed that the analysis log L5 for each PC is stored in the storage unit 111.

  (S161) The risk evaluation unit 114 sets a period to be analyzed. For example, the risk evaluation unit 114 sets a predetermined period (for example, 2 hours) before the time when malware infection is detected by the malware detection product or when the infection notification is received as the period to be analyzed. However, the risk evaluation unit 114 may include a certain period after the infection notification in the period to be analyzed.

  (S162, S163) The risk evaluation unit 114 generates the determination result table 111b, and sets information about the PC that is the starting point in the determination result table 111b. In the example of FIG. 21, the initial state of the determination result table 111b is set at the timing of S106. However, as shown in FIG. 26, the initial state may be set at the timing of S110. In addition, the risk evaluation unit 114 generates a target list for registering a PC or FSV (target device) that is a target of the determination process, and registers the starting PC in the target list.

  (S164) The risk evaluation unit 114 determines whether or not the target list is empty. When the target list is empty, the series of processing illustrated in FIGS. 26 and 27 ends. On the other hand, if the target list is not empty, the process proceeds to S165.

  (S165, S166) The risk evaluation unit 114 selects one target device from the target list. Further, the risk evaluation unit 114 determines whether or not the selected target device is an FSV. If the target device is an FSV, the process proceeds to S167. On the other hand, if the target device is not an FSV (if it is a PC), the process proceeds to S170.

  (S167) The risk evaluation unit 114 detects an alert for the FSV with reference to the alert history L4a. Further, the risk evaluation unit 114 refers to the analysis log L5 of each PC, and detects a PC (access PC) having the FSV as an access destination or access source.

  (S168) The risk evaluation unit 114 refers to the state determination table 111a (see FIGS. 6 and 7) and identifies the state of the access PC and the state corresponding to the alert. Further, the risk evaluation unit 114 records the specified state in the determination result table 111b.

  (S169) The risk evaluation unit 114 detects a PC having an LvX state (undecided PC) from the access PCs detected in S167. The risk evaluation unit 114 adds the detected PC to the target list and deletes the FSV from the target list. When the process of S169 is completed, the process proceeds to S172.

  (S170) The risk evaluation unit 114 refers to the state determination table 111a and identifies a state corresponding to the analysis log L5 of the target device (PC). Further, the risk evaluation unit 114 records the specified state in the determination result table 111b.

  (S171) The risk evaluation unit 114 refers to the analysis log L5 of each PC, and detects a PC or FSV (access PC) whose target device (PC) is the access destination or access source. Further, the risk evaluation unit 114 detects a PC or FSV whose state is LvX among the detected access PCs (undecided PC or FSV). Then, the risk evaluation unit 114 adds the detected PC or FSV to the target list, and deletes the target device (PC) from the target list.

  (S172) The risk evaluation unit 114 records the name of the target device and the state of the target device in the “access PC” column of the determination result table 111b with the PC or FSV added to the target list as the target PC. When the process of S172 is completed, the process proceeds to S164.

By executing the processing shown in FIGS. 26 and 27, for example, a determination result table 111b as shown in FIG. 8 is obtained.
Here, the transition of the determination result table 111b in the above-described determination process will be described with reference to FIG. FIG. 28 is a diagram for explaining a flow of determination processing and determination result table update processing according to the second embodiment. In the example of FIG. 28, it is assumed that the information processing system 100 includes four PCs # 1, # 2, # 3, and # 4.

FIG. 28A shows an example of an initial state of the determination result table 111b.
The risk evaluation unit 114 describes FSV, PC # 1, # 2, # 3, and # 4 in the “name” column of the target PC in the determination result table 111b. Further, considering that log information such as access logs cannot be obtained from the FSV, the risk evaluation unit 114 describes “none” in the “log” column corresponding to the FSV. On the other hand, since log information is obtained from the PCs # 1, # 2, # 3, and # 4, the risk evaluation unit 114 has “Yes” in the “Log” column corresponding to the PCs # 1, # 2, # 3, and # 4. ".

  For example, when the notification of malware infection targeting PC # 2 is received, the risk evaluation unit 114 determines that the infection risk of PC # 2 is the maximum, and the “state” of the target PC corresponding to PC # 2 Enter “Lv3” in the column. In addition, the risk evaluation unit 114 determines a PC that is a starting point when conducting an infection range survey. For example, the risk evaluation unit 114 uses the PC (PC # 2 in this example) that is the subject of the infection notification as the starting point of the investigation. Note that the starting PC may be set to a PC other than the PC that is the target of infection notification.

When PC # 2 is the starting point, the risk evaluation unit 114 describes “starting point” in the “name” column and “LvX” in the “status” column of the access PC corresponding to PC # 2.
Here, as information for specifying the starting PC, predetermined information is described in the “name” column and “status” column of the access PC corresponding to the starting PC, but the starting PC is The expression of information about the starting point may be modified by using a flag for specifying. Based on the above description, the initial state determination result table 111b is generated. At this time, the display control unit 115 may display a state corresponding to the determination result table 111b in the initial state on the display screen 203.

(B) of FIG. 28 is an example showing a situation in which an infection investigation has progressed for the PC or FSV that is the access destination or the access source of the PC # 2 that is the starting point.
In the example of FIG. 28, there is PC # 2 access to the FSV and PC # 4 access to PC # 2. That is, PC # 2 becomes an access PC of FSV and PC # 4. In this case, the risk evaluation unit 114 describes “PC # 2” in the “Name” column and “Lv3” (PC # 2 state) in the “Status” column of the access PC corresponding to the FSV. Similarly, the risk evaluation unit 114 describes “PC # 2” in the “Name” column and “Lv3” in the “Status” column of the access PC corresponding to PC # 4.

  Further, the risk evaluation unit 114 determines the state of the FSV by comparing the alert history L4a regarding the FSV that is the access PC of the PC # 2 and the state of the PC # 2 (access PC of the FSV) with the state determination table 111a. In the example of FIG. 28, the FSV state corresponds to “Lv3”. In this case, the risk evaluation unit 114 describes “Lv3” in the “status” column of the target PC corresponding to the FSV.

  Further, the risk evaluation unit 114 determines the state of the PC # 4 by comparing the analysis log L5 related to the PC # 4 that is the access PC of the PC # 2 with the state determination table 111a. In the example of FIG. 28, the state of PC # 4 corresponds to “Lv1”. In this case, the risk evaluation unit 114 describes “Lv1” in the “status” column of the target PC corresponding to PC # 4.

  The display control unit 115 may display the state of each PC on the display screen 203 based on the determination result table 111b corresponding to the state in the state (B) corresponding to the progress of the infection investigation. For example, the display control unit 115 connects PCs with access and PCs and FSVs with lines, and expresses the state of each PC that has been determined by the risk evaluation unit 114 with a color or the like.

(C) of FIG. 28 is an example showing a situation in which infection investigation is executed by sequentially selecting PCs for which determination results are obtained and FSV access PCs.
In the state of FIG. 28 (B), the infection investigation of PC # 2, # 4 and FSV is completed. In this case, for example, the risk evaluation unit 114 refers to the analysis log L5 of the PCs # 1 and # 3 and identifies a PC (access PC) that has access to any of the PCs # 2 and # 4 and the FSV. . In the example of FIG. 28, there is PC # 1 access to the FSV. In this case, the risk evaluation unit 114 describes “FSV” in the “Name” column and “Lv3” (FSV state) in the “Status” column of the access PC corresponding to PC # 1 in the determination result table 111b. .

  Further, the risk evaluation unit 114 compares the analysis log L5 of PC # 1 with the state determination table 111a to determine the state of PC # 1. In the example of FIG. 28, the state of PC # 1 is determined as “Lv2”. In this case, the risk evaluation unit 114 describes “Lv2” in the “status” column of the target PC corresponding to PC # 1.

  Further, the risk evaluation unit 114 searches for the access PC of PC # 3 with reference to the analysis log L5 of PC # 3. In the example of FIG. 28, PC # 1 is an access PC of PC # 3. In this case, in the determination result table 111b, the risk evaluation unit 114 displays “PC # 1” in the “Name” column and “Lv2” (PC # 1 state) in the “Status” column of the access PC corresponding to PC # 3. ). Further, the risk evaluation unit 114 compares the analysis log L5 of PC # 3 with the state determination table 111a to determine the state of PC # 3, and uses the determination result (in this example, “Lv2”) as “ Describe in the “Status” column.

  Through the above processing, the infection investigation is completed, and the determination result table 111b in which the state of each PC is described is obtained. The display control unit 115 displays the state of each PC and the presence / absence of access between PCs or between PCs and FSVs on the display screen 203 based on the determination result table 111b. If the above method is applied, even if log information cannot be obtained from the FSV, it is possible to sequentially determine the state of the PC and the FSV that are accessed in order from the starting PC. As a result, it becomes easier to grasp the infection range and contribute to the suppression of infection spread.

[2-5. Modified example]
Here, a modification of the second embodiment will be described with reference to FIGS. 29 to 31. FIG. 29 is a diagram illustrating an example of a non-tracking rule table according to a modification of the second embodiment. FIG. 30 is a diagram illustrating an example of a non-tracking machine table according to a modification of the second embodiment. FIG. 31 is a flowchart showing the flow of the process of adding a PC to the target list according to a modification of the second embodiment.

  So far, a method has been described for conducting an infection investigation while sequentially tracking PCs and FSVs that are accessed starting from a specific PC. By applying this method, it is possible to investigate the infection range without omission. On the other hand, when the information processing system 100 includes a large number of PCs and FSVs, the investigation time may be long. Therefore, in this modified example, a method (acceleration method) is proposed in which investigation is advanced for PCs and FSVs with a high infection risk, and a part of the PCs and FSVs is excluded from the tracking target.

  In adopting the speed-up method, a non-tracking rule table 111d as shown in FIG. 29 and a non-tracking machine table 111e as shown in FIG. 30 are introduced. The non-tracking rule table 111d and the non-tracking machine table 111e are stored in the storage unit 111.

  As shown in FIG. 29, the non-tracking rule table 111d associates non-tracking network addresses with forced tracking conditions. The non-tracking network address is a range of network addresses excluded from the tracking target of the infection investigation. The compulsory tracking condition is a condition for compulsorily including the target in the infection investigation tracking target. The non-tracking network address and the forced tracking condition are set in advance by an administrator or the like.

  For example, a part having “Lv1, Lv3” in the “status” column means that a PC or FSV whose status is Lv1 or Lv3 is included in the tracking target of the infection investigation even when it corresponds to the non-tracking network address. In addition, the part “PC # 1, PC # 2” in the “PC name” column indicates that PC # 1 and PC # 2 are included in the tracking targets of the infection investigation even if they correspond to non-tracking network addresses. means.

  On the other hand, as shown in FIG. 30, the non-tracking machine table 111e includes items of tracking interruption PC, access PC / FSV, and network address. The non-tracking machine table 111e is a table for storing information on a PC or FSV when there is a PC or FSV for which the tracking of infection investigation is suspended based on the non-tracking rule table 111d.

  In the “tracking interruption PC” column, information (PC name, etc.) of the PC and FSV corresponding to the non-tracking rule table 111d is described. In the “access PC / FSV” column, information on the PC or FSV that is the access source or access destination of the tracking interrupted PC is described. In the “network address” column, a non-tracking network address that is a condition for interrupting tracking is described.

  When the above-described speed-up method is applied, the addition processing to the target list executed in S171 in the determination processing illustrated in FIGS. 26 and 27 is modified as illustrated in FIG. Further, the history collection unit 113 acquires a network address from each PC and FSV in advance, and a process of storing in the storage unit 111 is added. Hereinafter, the processing of FIG. 31 will be described.

  (S181) The risk evaluation unit 114 refers to the analysis log L5 of each PC, and detects a PC or FSV (access PC) whose target device (PC) is the access destination or access source. Further, the risk evaluation unit 114 detects a PC or FSV whose state is LvX among the detected access PCs (undecided PC or FSV).

  (S182) The risk evaluation unit 114 collates the detected PC or FSV network address with the non-tracking network address of the non-tracking rule table 111d, and determines whether the PC or FSV belongs to the non-tracking network address. Determine. If the PC or FSV belongs to the non-tracking network address, the process proceeds to S184. On the other hand, if the PC or FSV does not belong to the non-tracking network address, the process proceeds to S183.

  (S183) The risk evaluation unit 114 adds the detected PC or FSV to the target list, and deletes the target device (PC) from the target list. When the process of S183 is completed, the series of processes illustrated in FIG. 31 ends.

  (S184) The risk evaluation unit 114 records the detected PC or FSV information in the non-tracking machine table 111e. At this time, the risk evaluation unit 114 describes the name of the detected PC or FSV in the “tracking interrupted PC” column, and describes the detected PC or FSV access PC name in the “access PC / FSV” column. Note that the display control unit 115 outputs information of the non-tracking machine table 111e to the display screen 203. When the process of S184 is completed, the series of processes shown in FIG. 31 ends.

The second embodiment has been described above.
When the technology of the second embodiment is applied, even when the FSV log information cannot be collected, the access to the FSV can be specified by using the file property update history and the log information held by each PC. It contributes to the grasp of infection damage by the administrator. Further, it is possible to follow up the infection damage along the accelerator route based on the access status to the FSV and each PC, and to grasp the infection range expanding through the FSV and the PC. In addition, the system administrator can easily grasp the situation by outputting the access situation and the state of each PC by a display method that is easy to grasp.

DESCRIPTION OF SYMBOLS 10 Information processing apparatus 11 Memory | storage part 11a Execution log | history 11b Risk level information 12 Calculation part 12a Notification 12b Process 12c Output 21, 22, 23 Terminal apparatus 30 Storage apparatus A Target information NW network

Claims (13)

When the notification indicating the malware infection risk of the first terminal device is acquired, the first terminal device among the plurality of terminal devices is referred to the storage unit that stores the execution history of the processing by the plurality of terminal devices. Identifying the second terminal device that has executed the process involving access to any of the information held based on the execution history,
Based on the execution contents in the identified second terminal device, evaluate the risk of malware infection of the second terminal device, and output the evaluation result;
An output program for causing a computer to execute processing. Referring to the storage unit for further storing risk information for associating the risk of malware infection with the execution content, and specifying the execution history using the risk information;
The output program according to claim 1, which causes a computer to execute processing. When the property of the information having the same name as the one of the information stored in the storage device accessible by the plurality of terminal devices or the information satisfying the same standard as the information is updated, the plurality of terminal devices Receiving the property information from the terminal device that has executed the update process, and generating the execution history for the terminal device based on the received property information.
The output program according to claim 1, which causes a computer to execute processing. The output program is
Among the plurality of terminal devices, the information having the same name as the information or the information satisfying the same standard as the information and the same name in the target period including the update time of the information Or a terminal device that has copied the information satisfying the same criteria to the storage device is specified as the second terminal device.
The output program according to claim 3, which causes a computer to execute processing. The risk information includes, as the execution content, whether or not the process involves access to information in the storage device, whether or not the access involves remote logon, and the number of times that the access or remote logon fails exceeds a threshold. Whether or not
The execution content is specified based on log information obtained from the plurality of terminal devices.
The output program according to claim 2, wherein: When the notification indicating the malware infection risk of the first terminal device is acquired, the first terminal device among the plurality of terminal devices is referred to the storage unit that stores the execution history of the processing by the plurality of terminal devices. Identifying the second terminal device that has executed the process involving access to any of the information held based on the execution history,
Based on the execution content in the identified second terminal device, the risk of malware infection of the second terminal device is evaluated,
An information processing apparatus having an arithmetic unit that outputs an evaluation result. Computer
When the notification indicating the malware infection risk of the first terminal device is acquired, the first terminal device among the plurality of terminal devices is referred to the storage unit that stores the execution history of the processing by the plurality of terminal devices. Identifying the second terminal device that has executed the process involving access to any of the information held based on the execution history,
Based on the execution content in the identified second terminal device, the risk of malware infection of the second terminal device is evaluated,
An output method characterized by outputting an evaluation result. A property of any file stored in a storage device accessible by a plurality of terminal devices is received from a terminal device that has executed update processing to the file among the plurality of terminal devices, and the received property of the file is Based on the execution history of the terminal device that executed the update process to the file, the execution history of the terminal device that executed the update process to the file is generated,
A generation program that causes a computer to execute processing. Computer
A property of any file stored in a storage device accessible by a plurality of terminal devices is received from a terminal device that has executed update processing to the file among the plurality of terminal devices, and the received property of the file is A generation method of generating an execution history of the terminal device that has executed the update process to the file based on an execution history of the terminal device that has executed the update process to the file.   A property of any file stored in a storage device accessible by a plurality of terminal devices is received from a terminal device that has executed update processing to the file among the plurality of terminal devices, and the received property of the file is An information processing apparatus comprising: an arithmetic unit that generates an execution history of the terminal device that has executed the update process to the file based on an execution history of the terminal device that has executed the update process to the file. Identify the file held by the first terminal device,
Identifying a second terminal device having a file that satisfies the same criteria as the identified file;
Based on the identified execution history of the second terminal device, the second terminal device is evaluated,
Output evaluation results,
An output program for causing a computer to execute processing. Computer
Identify the file held by the first terminal device,
Identifying a second terminal device having a file that satisfies the same criteria as the identified file;
Based on the identified execution history of the second terminal device, the second terminal device is evaluated,
An output method characterized by outputting an evaluation result. Identify the file held by the first terminal device,
Identifying a second terminal device having a file that satisfies the same criteria as the identified file;
Based on the identified execution history of the second terminal device, the second terminal device is evaluated,
An information processing apparatus comprising an arithmetic unit that outputs an evaluation result.

Images