JP2019159877A - Security system, encoding method therefor and network control method - Google Patents

Abstract

To provide a security system capable of detecting vulnerability related to security of a network system by a simple analysis method, an encoding method therefor, and a network control method.SOLUTION: A security system SQ applied to network systems NWS1 to NWS3 is divided into a plurality of zones including a plurality of information devices and networks. The security system includes an information acquisition unit that acquires zone information comprising information on an information device and information on a network for each zone, an encoding unit that encodes the zone information acquired by the information acquisition unit for each zone, and an analysis unit that obtains vulnerability information about the zone information based on the zone information encoded by the encoding unit, and analyzes a risk of the zone.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a security system of a network system in which information devices are arranged on a network, an encoding method thereof, and a network control method.

  Various network systems in which information devices are arranged on a network are known. These network systems realize, for example, factory automation (FA), process automation (PA), and IoT (Internet of Things) systems, and control devices such as DCS (distributed control system) and PLC (Programmable Logic Controller) as appropriate. Control systems such as SCADA (Supervision Control And Data Acquisition) and various information devices are connected to a network and used.

  For example, Patent Document 1 is known as a system management technique in such a network system. In this Patent Document 1, there is a description “in order to manage an industrial network, data is collected in various sections of the industrial network and the collected data is analyzed”.

Japanese Patent Laid-Open No. 2006-029798

  In Patent Document 1, for the analysis of data collected in an industrial network, an analysis method according to each section is used, and there is no particular mention of a uniform or highly versatile analysis method.

  Therefore, in order to analyze data using a highly versatile analysis technique such as DL (Deep Learning), it is necessary to convert the collected data into a format that can be analyzed by some method.

  In addition, there is no particular mention of the confidentiality of data collected from multiple systems. For example, when a large amount of data is collected from various heterogeneous systems, how to securely manage the collected data becomes an issue. .

  In view of the above, an object of the present invention is to provide a security system capable of detecting vulnerabilities related to the security of a network system by a simple analysis method, an encoding method thereof, and a network control method.

  As described above, the present invention is “a security system applied to a network system, and the network system is divided into a plurality of zones including a plurality of information devices and a network. An information acquisition unit that acquires zone information including device information and network information, an encoding unit that encodes the zone information acquired by the information acquisition unit for each zone, and zone information encoded by the encoding unit Based on this, it is configured as “a security system characterized by including an analysis unit that obtains vulnerability information about the zone information and analyzes the risk of the zone”.

  Further, the present invention is “a security system encoding method implemented in an encoding unit in a security system for acquiring configuration information of information devices and networks existing in a zone and encoding configuration information” As the necessary setting conditions, one or a plurality of setting conditions are selected from among the information disclosure range, the compression rate of information, the reversibility of information conversion, and the strength of information encryption, and a plurality of encoding conditions are encoded. The coding system is configured as “a coding system of a security system characterized in that a coding system suitable for configuration information is selected from the coding system and the configuration information is encoded”.

  Further, the present invention is “a network control method in a security system, and when a zone has a vulnerability, the importance of the zone in which the vulnerability is pointed out and the adjacent zone adjacent to the zone in which the vulnerability is pointed out The network control method in the security system is characterized in that the zone information is acquired and the connection between the zones is disconnected or the communication is restricted from the zone information.

  According to the present invention, it is possible to detect a vulnerability related to the security of a network system by a simple analysis method.

  Further, according to the embodiment of the present invention, when performing system management divided by zone in an IoT system or control system constituted by various devices and networks, an analysis means of existing technology is used from system configuration information. , Security vulnerabilities can be detected. In addition, based on the vulnerability detection results, it is possible to automatically control the connection between zones and realize a secure system operation.

The figure which shows an example of the network system assumed in this invention. The figure which shows the specific structural example of small network system NWS1 and security system SQ. The figure which shows typically an example of the information handled in each main part of security system SQ. FIG. 3 is a diagram illustrating a processing flow of an encoding unit 2 according to the first embodiment. FIG. 6 is a diagram illustrating a processing flow of the analysis unit 5 in the first embodiment. The figure which shows the processing flow of the result presentation / execution part 7 in Example 1. FIG. FIG. 7 is a diagram in which combinations of importance determinations in FIG. 6 are arranged in a matrix and processes performed as a result are organized. The figure which shows an example of the process sequence in each main part of security system SQ. The figure which shows the example which comprised the encoding system selection part 4 for every network hierarchy. FIG. 10 is a diagram illustrating a configuration example of a security system SQ according to a third embodiment. FIG. 10 is a diagram illustrating a processing flow of the encoding unit 2 according to the third embodiment. The figure which divides | segments a system structure for every some zone Z, and implements encoding for each zone Z. FIG. The figure which shows connecting a some system structure and implementing encoding collectively. FIG. 10 is a diagram illustrating a configuration example of a security system SQ according to a fourth embodiment. FIG. 10 is a diagram illustrating a processing flow of the encoding unit 2 according to the fourth embodiment. The figure which shows the encoding system P in the security system SQ of Example 5. FIG.

  Hereinafter, embodiments will be described with reference to the drawings.

  FIG. 1 shows an example of a network system assumed in the present invention. The entire network system NWS shown here is an aggregate of small network systems NWS1, NWS2, and NWS3, and the small network systems NWS1, NWS2, and NWS3 are networks formed in, for example, the head office, branch office, and office of the A company. The system is connected by a network NW. Here, the small network systems NWS1, NWS2, and NWS3 are managed by a company A which is the same network administrator. Company A may be a management consignment company.

  Further, in the small network systems NWS1, NWS2, and NWS3, networks according to the respective circumstances are formed. Here, DCS (distributed control system) used for factory automation (FA) and process automation (PA) Control devices such as PLC (Programmable Logic Controller), control systems such as SCADA (Supervision Control And Data Acquisition), and IoT (Internet of Things) systems where various information devices are connected to the network. .

  In the present invention, the small network systems NWS1, NWS2, and NWS3 are each divided into zones Z. The small network system NWS1 is divided into zones Z10, Z11, Z12, Z13, and Z14, the NWS2 is divided into zones Z20, Z21, Z22, Z23, and Z24, and the NWS3 is divided into zones Z30, Z31, Z32, Z33, Z34, and Z35. It is divided.

  Each of the zones Z is composed of a plurality of information devices and networks, and forms a network configuration (a tree shape, a hierarchy shape, a ring shape, a hybrid shape, etc.) to be described later. The network in the zone Z may be configured by either wired connection or wireless connection. As described above, the zone Z is a combination of information devices and networks necessary for realizing a predetermined function in the IoT system and the control system. Here, each information device and network in the system may belong to one or a plurality of zones Z, and the number of information devices in the zone Z and the network connection relationship are not particularly limited.

  As the concept of setting the zone Z in the small network systems NWS1, NWS2, and NWS3, an appropriate one can be adopted. There are zone settings according to the building hierarchy, zone settings for each control function such as a plant, and zone settings according to the security level for safeguarding.

  In the present invention, the network system NWS is targeted, and the security system SQ is arranged in a part thereof. FIG. 2 is a diagram showing a specific configuration example of the small network system NWS1 and the security system SQ. The small network system NWS1 is connected to the small network systems NWS2, NWS3, and the security system SQ via the network NW. Each zone Z (Z10, Z11.Z12 in FIG. 2) in each of the small network systems NWS1, NWS2, and NWS3 is connected to the network NW via the connection unit 11. The small network systems NWS2 and NWS3 are also configured in the same manner as the small network system NWS1.

  Although the small network systems NWS1, NWS2, and NWS3 are security managed by the security system SQ, the small network systems NWS1, NWS2, and NWS3 themselves have a function as the zone management unit 8.

  The zone management unit 8 includes one or more zones Z, a network control unit 10, and one or more connection units 11. The zones Z are connected to each other by the connection unit 11, and the zone management unit 8 performs the zone Z connection in the connection unit 11 by the network control unit 10 according to a command from the result presentation / execution unit 7 in the security system SQ described later. Has a function of managing communication. In FIG. 2, the network control unit 10 means the network NW and its control function.

  The security system SQ arranged in common in the small network systems NWS1, NWS2, and NWS3 includes a configuration information acquisition unit 1, an encoding unit 2, an encoding condition setting unit 3, an encoding method selection unit 4, and an analysis unit. 5, a vulnerability information acquisition unit 6, and a result presentation / execution unit 7.

  In the security system SQ, the configuration information acquisition unit 1 has a function of acquiring, from the zone management unit 8, the system configuration information SZ formed for each divided zone Z unit. The system configuration information SZ includes, for example, hardware information SZa, software information SZb, network information SZc, and zone Z information SZd of information devices constituting the IoT system and the control system.

  The information device hardware information SZa includes, for example, information device-specific information such as information device serial number, manufacturing number, network hardware address, information device product name and general name, information device type information, model name, This includes model information indicating a category, hardware specification information of information equipment, hardware setting information, and the like.

  The software information SZb of the information device is, for example, the name (OS), middleware, application, library, etc. installed in the information device, type information version information, network address, setting information of these software, and the like.

  The network information SZc is the type and name of the network to which the information device is connected, information on the communication specifications of the network such as the communication speed and communication band allowable latency, or a list of addresses of the information devices connected to the network. Information device connection status, network connection route, and the like.

  The zone information SZd is, for example, the name or unique identification information of the zone Z, the name or identification information of the zone Z that is adjacent via the connection unit 11, or a list of devices or networks that constitute the specific zone Z, the zone Z , The security level required for the zone Z, information indicating the classification, type, and category of the zone Z, and information regarding the function and role that the zone Z should satisfy in the system.

  In this way, the system configuration information SZ formed for each unit of the divided zone Z is acquired in the configuration information acquisition unit 1 of the security system SQ. FIG. 3 is a diagram schematically showing an example of information handled in each main part of the security system SQ. In FIG. 3, the configuration information acquisition unit 1 exemplifies system configuration information SZ10 and SZ11 of zones Z10 and Z11 as specific examples of the acquired system configuration information SZ. FIG. 3 schematically shows an example of the system configuration information SZ, which is illustrated for easy understanding of the present invention. Therefore, the system configuration information SZ itself may be other information. Needless to say, it is good.

  For example, according to the system configuration information SZ10 of the zone Z10, the system configuration has a hierarchical configuration in which two information devices C are arranged below the information device A and three information devices E are arranged below one information device C. Is adopted. Further, according to the system configuration information SZ11 of the zone Z11, a system configuration of a hybrid configuration in which five information devices SS are arranged in a ring shape and information devices E are arranged in the lower part of three of the information devices SS. Is adopted. The system configuration information SZ10 and SZ11 includes a lot of information from the viewpoint of the hardware information SZa, software information SZb, network information SZc, and zone Z information SZd. In FIG. 3, the encoding method is appropriately registered and held in the encoding method registration unit 20.

  Returning to FIG. 2, the encoding unit 2 has a function of encoding the system configuration information SZ according to the setting of the encoding condition setting unit 3 and the selection result of the encoding method in the encoding method selection unit 4. A detailed description of the processing contents of the encoding unit 2 will be described later. Here, the concept of processing examples in the encoding unit 2 and the encoding method selection unit 4 will be described in advance with reference to FIG.

  In FIG. 3, for example, four patterns of encoding methods P1, P2, P3, and P4 are prepared in the encoding method selection unit 4. The encoding method P1 defines a tree-like connection relationship as the connection state of information devices in the zone Z, and the encoding method P2 defines a hierarchical structure connection relationship as the connection state of information devices in the zone Z. The encoding method P3 defines a ring-like connection relationship as a connection state of information devices in the zone Z, and the encoding method P4 defines a hybrid state as a connection state of information devices in the zone Z. The connection relation of is defined.

  The encoding method selection unit 4 provides the encoding unit 2 with the encoding methods P1, P2, P3, and P4 selected automatically or artificially. For example, when the encoding unit 2 is given the encoding method P2, Z10 is extracted as a zone Z having a hierarchical configuration connection relationship, and encoding system configuration information SZ10 ′ is generated from the system configuration information SZ10. The encoding system configuration information SZ10 ′ encoded by the encoding unit 2 is a code having an expression “P2-A-CC-EEE”, for example, and thus the configuration of the zone Z10 is expressed by a code. Similarly, for example, when the encoding unit 2 is given the encoding method P4, Z11 is extracted as a zone Z having a hybrid connection relationship, and the encoded system configuration information SZ11 ′ is generated from the system configuration information SZ11. To do. The encoding system configuration information SZ11 ′ encoded by the encoding unit 2 is a code having an expression “P4-SS-SSS-EEE”, for example, and thus the configuration of the zone Z11 is expressed by a code.

  Returning to FIG. 2 again, the encoding condition setting unit 3 has a function of setting a constraint condition L necessary for the processing of the encoding unit 2. The restriction conditions L set here are broadly divided into a restriction condition L1 for the system configuration, a restriction condition L2 for the disclosure range, a restriction condition L3 for the compression rate, and the like.

  Among these, the constraint condition L1 regarding the system configuration is various conditions for determining the encoding method P described above, for example.

  The restriction condition L2 regarding the disclosure range is, for example, that the disclosure range of the system configuration information SZ acquired by the configuration information acquisition unit 1 is within the own organization (for example, the system configuration information SZ10 of the zone Z10 is limited to the small network system NWS1), The disclosure range is set such as whether it is limited within the company (for example, the system configuration information SZ of the zone Z10 is limited to the network system NWS), within an affiliated company, or can be externally disclosed via the Internet.

  Further, the constraint condition L3 regarding the compression rate sets a compression rate of information when the system configuration information is encoded, an information amount when omitting or deleting some information, and the like.

  In addition to these, settings relating to the reversibility of information, such as whether to use a hash function, may be executed. Furthermore, when encrypting information, the strength of encryption and the encryption method to be used may be set. One or more of the above settings may be set. Details will be described later.

  In the analysis unit 5, the coding system configuration information SZ ′ of the zone Z having the coding method P selected by the coding method selection unit 4 is input from the coding unit 2. On the other hand, the same system configuration as that of the zone Z having the selected encoding method P is searched, and vulnerability information in the searched same system configuration is obtained from the vulnerability information acquisition unit 6. In this search, it is the restriction condition L2 regarding the above-described public range that defines the range to which the inside and outside of the network system NWS should be searched.

  The result presentation / execution unit 7 has a function of presenting the analysis result of the analysis unit 5 or a function of executing network control between the zones Z for the zone management unit 8 based on the analysis result.

  The zone management unit 8 includes a network control unit 10, a connection unit 11, and a zone Z. Each zone Z includes one or more devices and networks as described above. The network control unit 10 has a function of controlling the network connection between the zones Z in the connection unit 11 in accordance with an instruction from the result presentation / execution unit 7. The network connection control includes, for example, network disconnection and connection, filtering of data passing through the connection unit 11, and communication capacity limitation.

  The detailed operation of each part of the security system SQ according to the first embodiment of the present invention will be described below.

  FIG. 4 is a processing flow of the encoding unit 2 in the first embodiment. The processing of the encoding unit 2 is executed for each zone Z unit.

  First, in processing step S201, the encoding unit 2 determines whether or not new system configuration information SZ has been acquired from the configuration information acquisition unit 1. Here, if there is system configuration information SZ that has already been acquired, the configuration information acquisition unit 1 may receive the notification from the zone management unit 8 only when there is a change from the information. Alternatively, the system configuration information SZ for the zone Z in the system managed by the zone management unit 8 may be acquired by a method such as periodically monitoring whether the system configuration information SZ is changed.

  If there is a change in the system configuration information SZ, it is determined in the processing step S202 whether or not an encoding condition needs to be set. If it is necessary to newly execute the encoding, the process proceeds to the processing step S203, where the encoding is performed. A new encoding condition is acquired from the condition setting unit 3. If the setting change is not required or the setting from the encoding condition setting unit 3 cannot be acquired, the process proceeds to processing step S204, and the default condition setting may be used.

  Next, in processing step S <b> 205, it is checked whether or not the encoding scheme that matches the encoding condition set by the encoding condition setting unit 3 is selected by the encoding scheme selection unit 4. For example, it is verified whether conditions necessary for the encoding method are set. If an encoding method suitable for the encoding condition setting is selected, encoding is executed in processing step S206.

  In processing step S207, it is determined whether or not the encoding has been normally completed. If the encoding has been normally completed, the system configuration information encoded in the processing step S208 is transmitted to the analysis unit 5. When it is determined that the encoding is not normally completed in the process at the process step S208, or when the setting of the encoding condition and the selection of the encoding method are not matched in the process at the process step S205, In processing step S209, it is selected whether or not to review the encoding condition setting or encoding method selection.

  When the encoding condition setting and the selection of the encoding method are not reviewed, the process proceeds to processing step S210, error notification or the like is performed, and the process is terminated. When reviewing the setting and selection, the process moves again to step S202 to execute the process, and setting of a new encoding condition or selection of an encoding method is performed. Here, if the encoding is not normally completed even if the processes from the process step S202 to the process 207 are repeated a predetermined number of times, the process may automatically move to the process step S210.

  FIG. 5 is a processing flow of the analysis unit 5 in the first embodiment. First, in processing step S301, the analysis unit 5 determines whether or not there is a notification of selection or change of a new encoding method P from the encoding method selection unit 4. When there is no selection of the new encoding system P, it moves to process step S302 and selects a predetermined analysis means.

  When there is a selection of a new encoding method P, it is determined whether or not there is an analysis unit corresponding to the encoding method P in processing step S303. If there is a corresponding analysis unit, the vulnerability is determined in processing step S304. It is determined whether or not information related to the security vulnerability can be acquired from the information acquisition unit 6. The determination as to whether there is an analysis unit corresponding to the encoding method P is, for example, determining whether there is another zone having a corresponding system configuration.

  Here, the information on the vulnerability is, for example, vulnerability information to cert such as National Vulnerability Database (NVD), Japan Vulnerability Notes (JVN), Open Source Vulnerability Database (OSVDB) ) And STIX (Structured Threat Information Expression) and other information related to security vulnerabilities described in a standard format.

  Here, when the specific vulnerability information is not acquired by the determination in the processing step S304, the processing proceeds to the processing step S305, and the default vulnerability information may be selected. If the vulnerability information is necessary according to the determination in the processing step S304, the process proceeds to the processing step S306, and it is verified whether or not the selected analysis means is supported. If the vulnerability information corresponds to the analysis means, the analysis is started in processing step S307, and it is determined in processing step S308 whether the analysis has been normally completed. If the analysis is normally completed, the analysis result is transmitted to the result presentation / execution unit 7 in processing step S309, and the process is terminated.

  Here, the analysis means is, for example, a numerical value or mathematical analysis using establishment or statistical means, machine learning represented by DL (Deep Learning) or reinforcement learning, etc. Any analysis means that can output learning and analysis results may be used. Since it is a feature of the present invention that an existing general-purpose analysis technique can be used, specific means for analysis are excluded from the scope of the present invention. Further, vulnerability information may be used as teacher data in the case of the machine learning, and vulnerability information is not necessarily required if it is an analysis means that does not require teacher data such as reinforcement learning.

  On the other hand, if there is no corresponding analysis means in processing step S303, there is no vulnerability information corresponding to the analysis means in processing step S306, and analysis is not completed normally in processing step S308, the encoding is performed in processing step S310. It is determined whether the selection of the method, the analysis means, and the vulnerability information are reviewed. When reviewing one or a plurality of selections, the processing flow is executed again from processing step S301. If the selection or the like is not reviewed, an error notification or the like may be executed in processing step S305 to complete the processing. Here, whether or not to review the selection may be set in advance. For example, it is effective to perform processing from processing step S301 to processing step S308 up to a predetermined number of times, and to notify an error without reexamining the selection when the processing is not completed normally after a certain number of times. .

  FIG. 6 is a processing flow of the result presentation / execution unit 7 in the first embodiment. The result presentation / execution unit 7 first determines whether or not an analysis result indicating that there is a security vulnerability exists in any zone Z in the system from the analysis unit 5 in the processing step S401.

  If it is determined that there is a vulnerability, for example, the importance level of the vulnerable zone Z is acquired and determined in processing step S402. Regardless of the determination result in processing step S402, the importance of the adjacent zone Z is determined in processing step S403, processing step S405, and processing step S407. Here, for the sake of brevity, the level of importance is set to “high”, “medium”, and “low”, but there are no particular restrictions on the level of importance, and multiple levels or other numerical expressions are used. May be.

  The processing performed as a result of dividing the importance of the target zone and the importance of the adjacent zone into three stages of “high”, “medium”, and “low” is processing step S404, processing step S406, processing step S408, and processing step. One of S409.

  FIG. 7 is an arrangement of the processing performed as a result of the combinations of importance determinations of FIG. 6 being arranged in a matrix. According to this, assuming that the combination when the importance determination of the target zone is “high” and the importance determination of the adjacent zone is “high” is expressed as “high”, in this case, the processing step In S404, all the connecting portions 11 connected to the target zone Z are disconnected. In the following description, the combination notation is performed according to the above “high / high”.

  When the combination of importance determination of the target zone and the adjacent zone is “high / medium” or “medium / high”, for example, only the specific connection unit 11 is disconnected in the processing step S406.

  When the combination of the importance determination of the target zone and the adjacent zone is “high / low”, “medium / medium”, “low / high”, or “low / medium”, the data transmission / reception of the connection unit 11 is restricted in processing step S408. To do.

  When the combination of the importance level judgment of the target zone and the adjacent zone is “medium low” or “low low”, only the execution result is presented in the processing step S409.

  In the above processing, the restriction on data transmission / reception in the processing step S408 means that the data transmission capacity is restricted to a certain amount or less, for example, the data payload monitoring or filtering collation processing is strengthened. There are methods such as restricting the transmission direction of one of them to only one direction.

  The network control unit 10 actually performs network disconnection and data transmission / reception of the connection unit 11. The network control unit 10 is, for example, a network router, a switch, a firewall, an IDS (Intrusion Detection System), an IPS (Intrusion Prevention System), a UTM (Unified Threat Management), or the like.

  In the notification of the result in the processing step S409, for example, even if it is determined that there is a vulnerability in the processing step S401, the determination that the connection between the zones Z is not changed and the processing result may be presented. In addition, when all or any of the connection portions 11 is disconnected, information on the connection portion 11 that has been disconnected may be notified. When the data transmission / reception of the connection unit is restricted, the restriction content may be notified.

  In the processing flow shown in FIG. 6, the processing method based on the combination of the importance levels of the target zone Z and the adjacent zone Z is merely an example, and may be changed according to the requirements of the target system. For example, even if a vulnerability is discovered in a specific zone of the system, if the system must continue to operate, the processing in this flow is judged as high importance and low importance. You may replace the process in the case of.

  That is, when the importance level of the target zone Z is determined to be “low” and the importance level of the adjacent zone Z is also determined to be “low”, all the connection portions 11 are disconnected. Conversely, if both the importance level of the target zone Z and the importance level of the adjacent zone Z are determined to be “high”, the system operation may be continued without executing any control to the connection unit 11. . Further, when the importance is not three levels as in this example, the levels of importance of the target zone Z and the adjacent zone Z are compared, and the processing may be changed according to the result, or a predetermined mathematical formula The calculation result by etc. may be utilized.

  Furthermore, in this example, only the importance level of the adjacent zone Z is used as an index for executing the control of the connection unit 11, but other information and indexes related to the zone such as the security level and function of the zone Z, and those Processing contents may be determined by combining information and indicators.

  As described above, according to the first embodiment, when performing system management divided by the zone Z in the IoT system or control system configured by various devices and networks, the analysis means of the existing technology from the system configuration information Can be used to detect security vulnerabilities. In addition, based on the vulnerability detection results, it is possible to automatically control the connection between zones and realize a secure system operation.

  3 is used for the purpose of schematically showing an example of information handled in each main part of the security system SQ in the first embodiment, but in the second embodiment, specific information in each main part of the security system SQ is shown in FIG. The details of the processing will be described.

  FIG. 3 is a configuration diagram relating to the encoding method selection unit 4, the configuration information acquisition unit 1, the encoding unit 2, and the encoding method registration unit 20 in the security system SQ according to the second embodiment of the present invention.

  Here, the functions of the zone management unit 8, the analysis unit 5, the vulnerability information acquisition unit 6, and the result presentation / execution unit 7 are the same as those in the first embodiment, and are therefore omitted. The configuration information acquisition unit 1 according to the second embodiment may have a function of transmitting the acquired system configuration information to the encoding scheme selection unit 4 in addition to the function of the configuration information acquisition unit 1 according to the first embodiment.

  3, in addition to the function of the encoding method selection unit 4 in the first embodiment, the encoding method selection unit 4 receives a system configuration information from the configuration information acquisition unit 1, and an encoding method registration unit 20 described later. 1 has one or more new encoding methods P, or has a function of deleting or updating an already registered encoding method P. In addition, the encoding method selection unit 4 allows the system user to select the encoding method P used by the encoding unit 2 according to the system configuration information acquired from the configuration information acquisition unit 1 or from an external input interface or the like. It has a function of selecting an encoding method.

  In addition to the function of the encoding unit 2 in the first embodiment, the encoding unit 2 requests the encoding method selection unit 4 to reselect the encoding method P when the encoding cannot be completed normally. It may have the function to do. Details regarding specific processing of the encoding unit 2 will be described later.

  The encoding method registration unit 20 has a function of newly registering, deleting, and updating an encoding method P described later in the encoding method selection unit 24.

  FIG. 8 is a diagram illustrating a processing sequence related to the configuration information acquisition unit 1, the encoding method selection unit 4, the encoding unit 2, and the encoding method registration unit 20 according to the second embodiment of the present invention. The time-series exchange between each part will be described with reference to this figure.

  First, the coding method registration unit 20 creates a coding method P that is selected by the coding method selection unit 4 (processing step S601) and transmits it to the coding method selection unit 4 (processing step S602).

  The encoding method selection unit 4 registers the encoding method P transmitted from the encoding method registration unit 20, or deletes or updates the already registered encoding method P (processing step S603). For example, as in the encoding methods P1, P2, P3, and P4 shown in FIG. 3, a system configuration diagram and a code pattern corresponding to each system device are registered.

  The configuration information acquisition unit 1 acquires the configuration information SZ (processing step S604), and transmits the system configuration information SZ to the encoding method registration unit 20, the encoding method selection unit 4, and the encoding unit 2, respectively (processing step S605, S607, S608).

  Next, the encoding method selection unit 4 collates the system configuration information SZ acquired from the configuration information acquisition unit 1 with the encoding method P (processing step S609), and selects the encoding method P having the most approximate configuration ( Processing step S613). For example, in the case of the system configuration information SZ10 shown in FIG. 3, the encoding method P2 having the closest form is selected from the encoding method selection unit 4. Similarly, in the case of the system configuration information SZ11, the encoding method P4 having the closest form is selected from the encoding method selection unit 4.

  Here, if an appropriate encoding scheme P is not registered, the encoding scheme registration unit 20 may be notified to request registration of a new encoding scheme P (processing step S610). When receiving the request for the encoding method P, the encoding method registration unit 20 newly creates an appropriate encoding method P (processing step S611) and transmits it to the encoding method selection unit 4 (processing step S612). ). The encoding method P may be created manually by the user from an external input interface or the like, or the encoding method registration unit 20 may receive the system configuration information SZ from the configuration information acquisition unit 1 and automatically create it. good.

  The encoding method registration unit 20 sends the newly generated or acquired encoding method P to the encoding method selection unit 4 (processing step S614). The encoding unit 2 encodes the system configuration information SZ according to the encoding method P received from the encoding method selection unit 4.

  For example, in the system configuration information SZ10 shown in FIG. 3, when the encoding method P2 is selected, the device information included in the system configuration information SZ10 is converted into a predetermined code. Following “P2” indicating that the encoding method P2 has been selected, codes “A”, “C, C”, “E, E, E” indicating device information are listed from the upper layer side of the network configuration. , “P2-A-CC-EEE” is generated as encoded system configuration information SZ10 ′.

  Similarly, when the encoding method P4 is selected in the system configuration information SZ11, the device information is indicated from the upper layer side of the network configuration following “P4” indicating that the encoding method P4 is selected. The codes “S, S”, “S, S, S”, “E”, “E”, and “E” are listed, and “P4-SS-SSS-EEE” is generated as the encoded system configuration information SZ11 ′.

  Note that the encoding method P and the encoded system configuration information SZ ′ of the encoding method selection unit 4 shown in FIG. 3 are merely examples, and are methods using other data formats, encoding methods, symbols, and the like. May be.

  Further, as in the configuration example of the encoding method selection unit 4 illustrated in FIG. 9, the encoding method selection unit 4 includes, for example, an encoding method selection unit 4-1 to an encoding method selection unit 4-4 for each network hierarchy of the system. N may be divided and configured. A new encoding method P may be created by selecting and combining the encoding methods P for each network hierarchy of the system by the encoding method combination unit 27.

  Returning to FIG. 8, in the processing step S615, when the encoding unit 2 completes the encoding normally, the encoded system configuration information is transmitted to the analysis unit 5 and the processing is ended. If the encoding is not completed normally, the encoding method selection unit 4 may be requested to reselect the encoding method (processing step S617).

  When the encoding unit 2 is requested to reselect the encoding method P by the encoding unit 2, the encoding method selection unit 4 performs again the processing of, for example, processing step S611 to processing step S613, and reselects the encoding method. (Processing step S618). Thereafter, the encoding scheme P may be transmitted again to the encoding unit 2 (processing step S619). The encoding unit 2 executes encoding again (processing step S620). Any one of a series of processing from processing step S601 to processing step S618 may be repeated until encoding is normally completed, or error information may be notified after repeating a certain number of times, and the processing may be terminated.

  As described above, according to the second embodiment, by encoding complex system configuration information as simple numerical information or character string information in an IoT system or control system including various information devices and networks. It is possible to utilize various existing analysis means that input numerical information.

  FIG. 10 is a diagram illustrating a configuration example of the security system SQ according to the third embodiment. In particular, FIG. In the security system SQ of the third embodiment, the functions of the zone management unit 8, the analysis unit 5, the vulnerability information acquisition unit 6, and the result presentation / execution unit 7 are the same as those in the first or second embodiment, and are omitted. To do.

  Also in FIG. 10, according to the processing flow similar to that of the first embodiment or the second embodiment, the encoding unit is obtained by the system configuration information SZ acquired by the configuration information acquiring unit 1 and the encoding method P selected by the encoding method selecting unit 4. 2 encodes the system configuration information SZ to generate encoded system configuration information SZ ′.

  In the description of FIG. 3, only the configuration using the network configuration (tree shape, hierarchical shape, ring shape, hybrid shape, etc.) by the information device and the network is illustrated as the encoding method P. However, in FIG. A plurality of types of encoding methods P, such as an encoding method Pa from the viewpoint, an encoding method Pb from the viewpoint of the OS adopted by the information device, and an encoding method Pc from the viewpoint of the application adopted by the information device. The example which implements is shown. Therefore, the encoding unit 2 uses the encoding system configuration information SZa ′ from the viewpoint of the model of the information equipment, the encoding system configuration information SZb ′ from the viewpoint of the OS adopted by the information equipment, and the information equipment. The encoding system configuration information SZc ′ from the viewpoint of the existing application is given.

  Further, in the following description, the description will be made on the assumption that the information device configuration illustrated in the encoding unit 2 in FIG. According to the assumed information device configuration, a configuration list of an N-stage network 38 and M information devices 37 is defined on a lattice or mesh as an encoding method. For example, on the network 38 (1), a list of all information devices 37 that can be connected to the network 38 (1) from the information device 37 (11), the information device 37 (12) to the information device 37 (1M), and the corresponding items. The code information of the information device 37 to be held is held.

  Similarly, the list information of all information devices 37 that can be connected to the network 38 (2) is registered from the information device 37 (21), the information device 37 (22) to the information device 37 (2M). Thereafter, similarly to the network 38 (N) that can exist in the system, the code information regarding the information device 37 (NM) that can be connected to each network is registered.

  Here, in order to simplify the explanation, each information device 37 is connected only to the nearest higher-order or lower-order network, but may be connected across layers. The information device information includes, for example, the type of the information device 37, the type of OS and application installed in the information device 37, version information, and the like, as in the first embodiment. Here, the processing of the encoding unit 2 will be described using the type (model) of the information device 37 as an example.

  FIG. 11 shows a processing flow of the encoding unit 2 in the third embodiment. It is assumed that the encoding unit 2 in FIG. 10 has acquired the encoding method Pa from the encoding method selection unit 4.

  The encoding unit 2 performs the following processing flow on the encoding method Pa selected by the encoding method selection unit 4 and the system configuration information SZ acquired from the configuration information acquisition unit 1.

  First, it is verified whether or not the information device 37 of the highest network 38 (1) of the system configuration information SZ matches the information device 37 mapped to the network 38 (1) of the encoding scheme Pa (processing). Step S901).

  If they match, for example, “(11)” is acquired as the code information of the corresponding information device 37 (processing step S902). Next, the information of all the information devices 37 is collated in order on the same network 38 (1), and if there are other matching information devices 37, the information of the corresponding information devices 37 is acquired sequentially. That is, it is determined whether or not collation of all the information devices 37 has been completed (processing step S903), and until completion, the target is changed to the next information device information (processing step S904), and processing steps S901 and processing steps are performed. S902 is repeatedly executed. For example, on the network 38 (1), information devices 37 (12) to 37 (1M) correspond to the information device 37 (11).

  Next, the network 38 is changed and the same processing (processing step S901 to processing step S904) is repeatedly executed. For example, in the network 38 (2), since the information device 37 (22) and the information device 37 (2M) are connected, the code information “22” to “2M” of these information devices 37 is acquired.

  Thereafter, similarly, the verification process of the information device 37 is repeated for all the networks 38 included in the system configuration information SZ. When all the encoding processes for one encoding method, for example, Pa, are completed, the same processing may be repeated for another encoding method, for example, Pb (processing step S907, Processing step S908). Finally, it is determined whether or not all the encoding processes have been normally completed (processing step S909). If the encoding processes have been normally completed, the process is terminated.

  On the other hand, if encoding cannot be performed normally, error processing may be performed (processing step S910). For example, as in the second embodiment, the encoding method selection unit 4 may be requested to re-transmit the encoding method, and the process from step S901 may be executed again using the new encoding method P. .

  Here, as a system for encoding, as shown in FIG. 12A, the system configuration may be divided into a plurality of zones Z, and encoding may be performed for each zone Z. Also, as shown in FIG. 12b, a plurality of system configurations may be connected and encoded together. As described above, the shape and division of the network configuration may take various forms.

  As described above, according to the third embodiment, by encoding complex system configuration information as simple numerical information or character string information in an IoT system or control system configured with various information devices and networks. It is possible to utilize various existing analysis means that input numerical information.

  FIG. 13 is a security system according to the fourth embodiment of the present invention, and is a diagram of a configuration example related to the encoding method selection unit 4, the configuration information acquisition unit 1, and the encoding unit 2 in particular. In the security system of the fourth embodiment, the functions of the zone management unit 8, the analysis unit 5, the vulnerability information acquisition unit 6, and the result presentation / execution unit 7 are the same as those in the first embodiment or the second embodiment, and are omitted. To do.

  According to the same processing flow as in the first embodiment or the second embodiment, the encoding unit 2 uses the system configuration information SZ acquired by the configuration information acquisition unit 1 and the encoding method P selected by the encoding method selection unit 4 to cause the encoding unit 2 to Is encoded.

  In FIG. 13, the system configuration information SZ is assumed to be configured by the information device 37 and the network 38 exemplified in the configuration information acquisition unit 1, and the encoding method P in the encoding method selection unit 4 is as shown in FIG. Coding method Pa from the viewpoint of hue for the type of information equipment, coding system Pb from the viewpoint of saturation for the OS adopted by the information equipment, and coding from the viewpoint of lightness for the application adopted by the information equipment The conversion method Pc is performed.

  In the encoding in the encoding unit 2, as shown in the mesh arrangement 43, first, paying attention to the arrangement positions of the information device 37 and the network 38 exemplified in the configuration information acquisition unit 1, the entire region is divided by mesh, and the information The device 37 is represented by 4 mesh, for example.

  In addition, for the 4 meshes of each information device 37, for example, the upper left mesh is information on the model of the information device, the lower left mesh is information on the application that the information device uses, and the upper right mesh is used by the information device. Encoding to control the OS information and the lower right mesh with other information is executed. That is, for the four meshes of each information device 37, for example, encoding is performed using hue information for the upper left mesh, saturation information for the lower left mesh, and lightness information for the upper right mesh. According to the mesh-like encoding state 46 indicating after encoding, the state after encoding is expressed for each mesh.

  FIG. 14 shows a processing flow of the encoding unit 42 in the fourth embodiment.

  In the processing flow of FIG. 14, first, regarding the system configuration information SZ acquired by the system configuration information acquisition unit 1, whether or not the coordinate system and the coordinate system of the encoding method P selected by the encoding method selection unit 4 match. Are compared (processing step S1201).

  For example, as shown in FIG. 13, it is determined whether or not the encoding unit 2 can map the positional relationship between the information device 37 and the network 38 of the system configuration information SZ on the coordinates (mesh). If the coordinate systems do not match, error processing is executed and the processing ends (processing step S1208). The error process is, for example, a process of requesting the configuration information acquisition unit 1 to acquire new system configuration information 5 or requesting the encoding method selection unit 4 to request another encoding method P again.

  If the coordinate systems match, it is determined whether the information device information in the system configuration information SZ has corresponding color information (processing step S1202). For example, the type (model) of the information device 37 is assigned to a specific hue. In addition to hue, saturation or brightness, or color information obtained by integrating them may be used.

  If there is color information corresponding to the information device information, the color information is registered at the matching coordinates (processing step S1203). Next, it is determined whether or not the corresponding information device 37 has more detailed information and there is color information corresponding to the detailed information (processing step S1204). The detailed information of the information device 37 is, for example, the OS of the information device 47, the type of application, version information, and the like, as in the first embodiment.

  It is determined whether or not there is color information corresponding to any of color information corresponding to the detailed information of the information device 37, that is, any one of hue, saturation, brightness, or a combination of a plurality of combinations. If there is color information corresponding to the detailed information, the detailed information is registered in the corresponding coordinates in addition to the information device information (processing step S1203).

  Here, the corresponding coordinates are, for example, adjacent coordinates such as the periphery of the information device information as shown in FIG. Note that the arrangement of these coordinates and the correspondence between the information device information and the color information may be acquired from the encoding method selection unit 4 or may have a predetermined correspondence table in advance.

  Next, it is determined whether or not all color information corresponding to all the detailed information included in the information device information has been registered in the corresponding coordinates (processing step S1205). Here, when an error occurs in any of the processing steps from processing step S1201 to processing step S1205, a predetermined error processing may be executed and the processing may be terminated (processing step S1208). When the registration of all the detailed information is completed, the processing from step S1202 to step S1205 is executed again for another information device 37. Here, even if there is no color information corresponding to the specific information device information, the processing is not terminated as an error, the processing related to the information device 37 is skipped, and processing steps S1202 onward for other information devices 37. This processing may be continued.

  Next, it is determined whether the processing has been completed for all information devices 37 registered in the acquired system configuration information SZ (processing step S1206). When the processing is completed for all the information devices 37, the same processing is executed for the network 38. That is, it is determined whether there is color information corresponding to each network 48 for the network information (processing step S1207).

  If there is corresponding color information, the color information is similarly registered in the corresponding coordinates (processing step S1203). The corresponding coordinates include, for example, a method of linearly registering all the positions adjacent to the coordinates where the information of the information device 37 is registered. If there is also detailed information for the network 38, it is determined whether there is corresponding color information as in the detailed information of the information device 37 (processing step S1204). If there is color information corresponding to the detailed information of the network 38, the color information is registered at the corresponding coordinates (processing step S1203).

  Here, the corresponding coordinates are, for example, any one or a plurality of coordinates of the network 38 registered in a straight line. Further, the detailed information of the network 38 is, for example, specification information about the network such as the type of network, the communication speed, and the communication band as in the first embodiment.

  Finally, it is determined whether or not color information registration has been completed for all the networks 38 included in the system configuration information SZ (processing step S1208). When all the processes are completed, the encoding process ends. Similarly to the information device 37, if there is no color information corresponding to a specific network 38 for the network 38, the process for the network 38 may be skipped and the process for the other network 38 may be executed. .

  In the processing flow from the processing step S1202 to the processing step S1208, there is no particular limitation on the order of the processing related to the information on the information device 37 and the processing related to the information on the network 38. May be. Processing of information on the information device 47 and information on the network 38 may be executed alternately. In addition, there is no particular limitation on the width and shape of the coordinate system for registering color information corresponding to information on the information device 37 and information on the network 38. In process step S1209, error processing is performed.

  As described above, according to the fourth embodiment, complicated and diverse system configuration information SZ can be encoded as image information by registering it as color information in a certain coordinate system. The image information is encoded data such as BMP (bitmap) format or JPEG format. By using image information in this way, various analysis techniques used for image recognition and the like can be used for system security analysis.

  FIG. 15 is a configuration diagram showing an encoding method P in the security system according to the fifth embodiment of the present invention.

  In the security system SQ of the fifth embodiment, the functions of the zone management unit 8, the analysis unit 5, the vulnerability information acquisition unit 6, and the result presentation / execution unit 7 are the first, second, third, or The same as in any of the fourth embodiment. Also, the processing flow of the encoding unit 2 is the same as any one of the first embodiment, the second embodiment, the third embodiment, or the fourth embodiment.

  Regarding each encoding method P, in the case of the second embodiment, the system configuration information SZ configured in two dimensions can be replaced with the system configuration information SZ configured in three dimensions.

  Similarly, in the case of the third embodiment, it is possible to process the system configuration information SZ and the encoding method P, which are configured in a two-dimensional lattice (mesh) shape, as three-dimensional information.

  Similarly, in the case of the fourth embodiment, it is possible to process a two-dimensional coordinate system using a three-dimensional coordinate system. That is, two-dimensional image information can be processed as three-dimensional image information.

  As described above, according to the fifth embodiment, it is possible to acquire and encode the system configuration information of a system configured in three dimensions.

1: configuration information acquisition unit 2: encoding unit 3: encoding condition setting unit 4: encoding method selection unit 5: analysis unit 6: vulnerability information acquisition unit 7: result presentation / execution unit 8: zone management unit Z: Zone 10: Network control unit 11: Connection unit 20: Coding method registration unit P: Coding method SZ: System configuration information SZ ': Encoded system configuration information 37: Information device 38: Network

Claims (16)

A security system applied to a network system,
The network system is divided into a plurality of zones including a plurality of information devices and a network,
The security system includes an information acquisition unit that acquires information about the information device and information about the network for each zone, and an encoding that encodes the zone information acquired by the information acquisition unit for each zone. And a security system comprising: an analysis unit that obtains vulnerability information about the zone information based on the zone information encoded by the encoding unit and analyzes the risk of the zone. The security system according to claim 1,
The security system includes an encoding condition setting unit that sets a restriction condition necessary for the processing of the encoding unit, and the encoding condition setting unit includes a restriction condition and information of a system configuration in the zone. A security system, wherein encoding is performed using at least one constraint condition among a constraint condition for an open range and a constraint condition for a compression rate. The security system according to claim 1 or 2,
The security system includes an encoding method selection unit having a plurality of encoding methods when encoding the zone information for each zone, and the encoding unit is selected by the encoding method selection unit A security system that performs encoding according to an encoding method. The security system according to any one of claims 1 to 3,
The security system includes a result presentation / execution unit that instructs network control in a zone where a vulnerability is pointed out based on an analysis result by the analysis unit. The security system according to any one of claims 1 to 4,
The encoding unit performs encoding based on an information disclosure range, information compression rate, information conversion reversibility, information encryption strength, or a plurality of setting conditions, and a selected encoding method. Security system characterized by The security system according to any one of claims 1 to 5,
Having a plurality of encoding methods for configuration information indicating a connection relationship between the information device and the network in the zone, and the encoding unit selects an encoding method that matches the configuration information from the plurality of encoding methods; A security system that encodes the configuration information. The security system according to any one of claims 1 to 6,
It has grid-like configuration information indicating the connection relationship between all the information devices that can exist in the zone and the network, and the encoding unit collates with the grid-like configuration information from the actually acquired configuration information, A security system characterized by acquiring code information of an information device or a network that matches information, and encoding the configuration information. The security system according to any one of claims 1 to 7,
The encoding unit encodes the configuration information by arranging configuration information of the information device and the network in a coordinate system, and registering information on the information device and the network as color information in the coordinate system. A featured security system. The security system according to any one of claims 1 to 7,
The said encoding part encodes the structure information of the information equipment and network arrange | positioned on three dimensions, The security system characterized by the above-mentioned. An encoding method of a security system implemented in an encoding unit in the security system according to any one of claims 1 to 7,
The information disclosure range, the compression rate of information, the reversibility of information conversion, and information encryption are set as necessary conditions for acquiring configuration information of information devices and networks existing in the zone and encoding the configuration information. One or a plurality of setting conditions is selected from among the intensities, and an encoding scheme suitable for the configuration information is selected from a plurality of encoding schemes for encoding the information, and the configuration information is encoded An encoding method for a security system. An encoding method for a security system according to claim 10,
It has a plurality of encoding methods indicating a connection relationship between an information device and a network, and selects an encoding method that matches configuration information from the plurality of encoding methods, and encodes the configuration information. Security system encoding method. An encoding method for a security system according to claim 11,
There are a plurality of encoding schemes indicating the connection relationship between the information device and the network depending on the hierarchy of the network, and a new code is created by combining a plurality of encoding schemes matching the configuration information from the plurality of encoding schemes. An encoding method for a security system, wherein a coding method is generated and the configuration information is encoded by the encoding method. An encoding method for a security system according to claim 10,
A configuration of a security system, wherein the configuration information is encoded by arranging configuration information of an information device and a network in a coordinate system and registering the information on the information device and the network as color information in the coordinate system. Encoding method. An encoding method for a security system according to any one of claims 10 to 13,
An encoding method for a security system that encodes configuration information of information devices and networks arranged in three dimensions. A network control method for a security system according to any one of claims 1 to 9,
If there is a vulnerability in the zone, obtain zone information about the importance of the zone where the vulnerability was pointed out and the adjacent zone adjacent to the zone where the vulnerability was pointed out. A network control method for security systems characterized by disconnecting connections and restricting communications. The security system according to any one of claims 1 to 9,
The network system is configured by connecting a plurality of small network systems including a plurality of information devices and a network,
The small network system is divided into a plurality of zones including a plurality of information devices and a network.

Images