JP2022069989A - Action evaluation device and method for cyber defense training - Google Patents

Abstract

To provide an action evaluation device for a cyber defense training that automatically acquires real-time data on trainee's actions and evaluation thereof, in a training using a simulator, and provide a related method.SOLUTION: An action evaluation device includes an evaluation data collection apparatus 116, a server/terminal 117, an action detection device 118, and an information sharing device 119. The evaluation data collection apparatus acquires scenario data including scheduled time of a cyber-attack and multiple incidents indicating contents thereof, and executes ideal action data creation processing for creating ideal action data including a response action that a trainee should take for each incident of the cyber-attack and expected time based on the scheduled time, implementation action data creation processing for creating implementation action data including the trainee's action for each incident of the cyber-attack and implementation time of this action, and evaluation data creation processing for creating evaluation data based on the difference between the expected time and the implementation time by comparing the ideal action data with the implementation action data.SELECTED DRAWING: Figure 1

Description

The present invention relates to a technique for carrying out cyber defense training. Among them, it is related to the technique for evaluating the behavior of the trainees.

In addition, the action means that the student performs the simulated cyber attack in the training, and the expression such as the action, the response, the coping, and the answer does not matter. In addition to so-called evaluation such as scoring for behavior, evaluation includes acquiring data on behavior.

Currently, so-called cyber attacks on computer resources (computer systems, network systems, etc.) are occurring. A cyber attack affects the operation of computer resources. As this effect, malfunction, system stop, etc. occur. Therefore, in the computer resources that control the equipment, the operation of the equipment is affected. In particular, the effects of cyber attacks are widespread in society on infrastructure equipment including plants such as factories and power plants. For example, if the computer resources of a power plant are hit by a cyber attack, a power outage may occur. For this reason, it is necessary to train infrastructure system operators in their actions against cyber attacks on the computer resources (infrastructure systems) of infrastructure equipment.

For example, Patent Document 1 discloses a security measure training system that executes training on security measures for enterprise networks and computers. In Patent Document 1, "the security level of the network is improved by performing training simulating a cyber attack and feeding back the training result to the trainee and the security countermeasure device".

International Publication 2015/072041

Here, in Patent Document 1, it is described that "the training result 1132 and the achievement target of the training scenario C1 are compared and the result of the training is evaluated" in order to provide feedback (paragraph 882). However, it is necessary to consider time requirements in the evaluation of cyber defense training. In other words, it is necessary to judge whether or not they are acting in a timely manner.

However, in Patent Document 1, only the contents of actions such as the infection rate, the attachment file open rate, and the reporting rate are used as the training result 1132. For this reason, it has not been determined whether a certain action is being performed at an appropriate timing. In Patent Document 1, as the training result 1132, the result for the training of a plurality of people or the number of times is used instead of the action here, and the evaluation of each training is not considered, and the improvement of the trainees in the training. No points have been derived.

Therefore, it is an object of the present invention to evaluate whether the student's behavior is performed in a timely manner, to derive the improvement points of the student, and to contribute to the improvement of the cyber attack skill.

In order to solve the above problems, in the present invention, a process for evaluating the behavior is executed based on the difference between the predicted time and the execution time of the behavior for the simulation of the cyber attack on the attack target system, which is a computer resource. ..

A more specific embodiment of the present invention shows the scheduled time and content of the cyber attack in the behavior evaluation device of the cyber defense training for evaluating the behavior of the student in the defense training against the cyber attack. Ideal behavior data creation processing unit that acquires scenario data including multiple incidents and creates ideal behavior data including the response behavior that the student should take for each incident of the cyber attack and the expected time based on the scheduled time. And, the action data creation processing unit that creates the action action data including the action of the student for each incident of the cyber attack and the action time of the action, and the action action data are compared with the action action data. It is a behavior evaluation device having an evaluation data creation processing unit that creates evaluation data based on the difference between the expected time and the implementation time. Further, the present invention also includes a method for evaluating the behavior of cyber defense training in the behavior evaluation device for cyber defense training, a computer program for making the behavior evaluation device for cyber defense training function as a computer, and a storage medium containing the computer program. included.

Further, the present invention also includes a system including a behavior evaluation device for cyber defense training and other devices, a method using this system, and other devices.

According to the present invention, it is possible to evaluate whether or not the student has performed appropriate actions in a timely manner during the training, and to derive the improvement points of the student in the training, and to derive the improvement points of the student. It can contribute to improving the skills of cyber attacks. Issues, configurations and effects other than those described above will be clarified by the following description of the embodiments.

The figure which shows the configuration requirement and the processing content in Example 1. The figure which shows the structure of the simulator in Example 1 and the connection relation of other apparatus. A flowchart showing the ideal behavior data creation process in the first embodiment. The figure explaining the concept of the ideal behavior data creation process in Example 1 using a data structure. Flow chart of correspondence data creation processing and correspondence data transmission processing in Example 1. Flow chart of evaluation data creation process in Example 1 Data structure diagram of ideal behavior data, implementation behavior data, and evaluation data used in the evaluation data creation process in Example 1. The figure which shows the configuration which made the simulator remote in Example 1. The figure which shows the configuration which made the simulator in Example 1 into a cloud.

Hereinafter, each embodiment of the present invention will be described with reference to the drawings.

FIG. 1 is a diagram showing the configuration requirements and the processing contents thereof in the first embodiment. The system configuration of the first embodiment includes an evaluation data collection device 116, a server / terminal 117, a behavior detection device 118, and an information sharing device 119, which are examples of behavior evaluation devices for cyber defense training. These are realized by so-called computers. That is, each of them executes various processes described later by an arithmetic unit such as a CPU according to a computer program stored in the medium. Note that these various processes may be realized by hardware. Therefore, the main body of various processes described below can be expressed as being executed in each part. That is, the processing subject of each embodiment may be realized by either a program (software) or hardware. Further, since each configuration requirement can be realized by a computer, it has a storage device or a storage medium.

Further, the server / terminal 117 is a plurality of servers and terminals, and constitutes a cyber defense training simulator 12 (hereinafter, simply referred to as a simulator 12) described later. That is, the server / terminal 117 acts as the simulator 12 and accepts actions against cyber attacks for training from the students. The simulator 12 will be described with reference to FIG.

In addition, the behavior detection device 118 detects the behavior of the student by using images, sounds, and the like. For example, the behavior detection device 118 may be realized by a photographing device that photographs a student, or may be configured to be connected to this photographing device. Further, the behavior detection device 118 may detect the voice of the student and realize voice recognition by the device. Further, these functions may be combined and realized. That is, the action detection device 118 has a function of detecting a physical action as an action. As a result, the student can detect reports, contacts, consultations, etc. to other students by oral, telephone, memo, or the like.

Further, the information sharing device 119 is provided with information sharing functions such as chat, SNS, and mail, and has a function of collecting various information exchanged by these functions. Therefore, for example, it can be realized by a device such as a mail server. In this way, the information sharing device 119 can acquire the reports and the like of the students by the information sharing function as described above. The information sharing device 119 can also be used by the students during the training to keep in touch with each other.

The behavior detection device 118 and the information sharing device 119 of this embodiment are not indispensable configurations, and a configuration without these may be adopted.

Next, the contents of various processes in FIG. 1 will be described.

First, the evaluation data collecting device 116 has the corresponding flow data 101 in its own storage device. The correspondence flow data 101 is data indicating a correspondence flow to be performed by the student, which is set in advance. The response flow data 101 shows the incident content of the cyber attack. Specifically, each record has an estimated time, a corresponding action, an actor, a target, and a parameter.

Further, the evaluation data collecting device 116 has the scenario data 102 in its own storage device. This scenario data 102 shows a scenario of a cyber attack (simulated attack) executed in training, and is data defining an incident that occurs. Specifically, the scenario data has a scheduled time, an incident, and a target device.

Then, the ideal behavior data creation processing unit of the evaluation data collection device 116 executes the ideal behavior data creation processing (103). The ideal behavior data creation process 103 is a process of creating ideal behavior data from an array of corresponding flow data according to an incident of scenario data. Details of this process will be described later with reference to FIGS. 3 and 4.

Next, the evaluation data acquisition device 116 stores the ideal behavior data 104, which is the result of the ideal behavior data creation process 103, in the storage device. The contents of the ideal behavior data 104 are shown in FIG. As shown in FIG. 7, the ideal behavior data 104 has an expected time, a corresponding behavior, an actor, an object, and a parameter. Here, the estimated time is the time when the student should take action against the cyber attack. In addition, the response action indicates the content of the action that the student should take. An actor indicates an actor who should take an action. The target indicates the person to whom the action should be taken, such as the report destination. The parameters are related to the action and include the status of implementation, presence or absence, and so on.

Further, the corresponding data creation processing unit of the server / terminal 117 executes the corresponding data creation processing from the contents input by the student as an action to the server / terminal 117 (105).

Further, the corresponding data creation processing unit of the behavior detection device 118 executes the corresponding data creation processing (107). The behavior data creation process 107 is a process of analyzing the behavior of the student from the data captured by the behavior detection device 118 or the imaging device connected to the behavior detection device 118 and creating the corresponding data.

Further, the corresponding data creation processing unit of the information sharing device 119 executes the information sharing data creation process (109). In this correspondence data creation process, correspondence data is created from the contents of information sharing in chats and the like performed by the students.

Then, the corresponding data transmission processing unit of the server / terminal 117 executes the corresponding data transmission processing for transmitting the created corresponding data (106). In addition, the behavior detection device 118 executes a behavior data transmission process for transmitting the created behavior data (108). Further, the information sharing device 119 executes an information sharing data transmission process for transmitting the created information sharing data (110). Each of these transmission processes is a process of transmitting each of the created data to the evaluation data collection device 116.

The correspondence data, action data, and information sharing data created and transmitted as described above are data constituting the implementation action data. That is, these have the same structure as the implementation behavior data and are created as implementation behavior data. The details of the creation and transmission of the implementation behavior data will be described later with reference to FIG. 5, using the corresponding data as an example.

The implementation action data may include at least one of the corresponding data, the action data, and the information sharing data. Of these, it is particularly preferable to use behavioral data.

Further, the implementation behavior data creation processing unit of the evaluation data collection device 116 may create the corresponding data, the behavior data, and the information sharing data which are the implementation behavior data.

Next, the evaluation data acquisition device 116 receives the data transmitted in the processes 106, 108, 110. Then, the implementation action data creation processing unit of the evaluation data collection device 116 merges these transmitted corresponding data, action data, and information sharing data to create the final implementation action data 111. The implementation action data 111 has an implementation time, a corresponding action, an actor, a target, and a parameter. Therefore, the creation of the implementation action data 111 can be realized by using the implementation time, the response action, the actor, the target, and the parameters possessed by the response data, the behavior data, and the information sharing data. Here, the implementation time is the time of the action performed by the student, the corresponding action is the information that identifies the action, the actor is the student who performed the action, the target is the person who performed the action such as the report destination, and the parameter is the action. It includes the status of implementation, presence or absence, etc.

Then, the evaluation data creation processing unit of the evaluation data collection device 116 executes the evaluation data creation process (112) using the ideal behavior data and the implementation behavior data. In this processing, the evaluation data creation processing unit determines from the implementation behavior data whether the combination of the target device of the ideal behavior data and the corresponding behavior is executed at an appropriate time. Then, the evaluation data creation processing unit adds an evaluation to the implementation behavior data based on the judgment result and creates the evaluation data. This detail will be described with reference to FIG.

Here, the created evaluation data 113 will be described. The evaluation data 113 has an expected time, an implementation time, a corresponding action, an actor, an object, a parameter, and an evaluation. Since the evaluation data 113 includes the response behavior of the trainee during the training, it is used for feedback of the response flow data 101.

Then, the evaluation data collecting device 116 stores the created evaluation data 113 in the evaluation database 114 of the storage device. In this evaluation, the other base stores the evaluation data 113 for each training. Further, the evaluation data collecting device 116 creates a report 115 based on the created evaluation data 113, and outputs the report 115. This output includes on-screen display, printing, and transmission over the network. Further, the report 115 is a report issued to the students after the training, and includes the contents of the evaluation data 113.

Next, the simulator 12 will be described with reference to FIG. As described above, it is realized by the server / terminal 117. The simulator 12 is connected to the evaluation data collection device 116, the behavior detection device 118, and the information sharing device 119 via the evaluation data collection network 11.

The simulator 12 has an information system server 13 and an information system terminal 14 connected to the information system network 15, and a control system server 17 and a control system terminal 18 connected to the control system network 19. Further, the simulator 12 has a FW16 (firewall) at the boundary between the information system network and the control system network. Here, the information system server 13, the information system terminal 14, the control system server 17, and the control system terminal 18 correspond to the server / terminal 117 of FIG. Communication is performed with each of these servers and terminals via the evaluation data collection network 11. Further, a plurality of each device may be installed.

In this embodiment, since infrastructure equipment is assumed as a target of a cyber attack, a control system server 17, a control system terminal 18, and a control system network 19 for controlling this operation are provided. Therefore, the infrastructure equipment may be connected to the control system network 19. Further, when there is no control target such as infrastructure equipment, it is not necessary to provide the control system server 17, the control system terminal 18, and the control system network 19. Then, the student uses the information system terminal 14 and the control system terminal 18. This use includes action against cyber attacks. At this time, Naito who has contacted by e-mail or the like is stored in the information sharing device 119.

Further, the simulator 12 may be remotened or made into a cloud, and a configuration in which the simulator 12 is connected to the simulator 12 via a wide area network may be adopted. These configurations are shown in FIGS. 8 and 9. FIG. 8 is a diagram showing a remote configuration of the simulator 12 of this embodiment. Remoteization in this embodiment means enabling remote access to the simulator 12 from a remote location. Therefore, as shown in FIG. 8, the simulator 12 further includes FWs 21 and 22 in addition to the configuration of FIG. Further, each of the FWs 21 and 22 is connected to an external network 23 (for example, the Internet). Then, the remote terminal A24-1 can remotely access the information system terminal 14 via the network 23. That is, the student can use the remote terminal A24-1 as the information terminal 14. Similarly, the remote terminal B24-2 can remotely access the control system terminal 18 via the network 23. That is, the student can use the remote terminal B24-2 as the control system terminal 18. Here, the remote terminal A24-1 and the remote terminal B24-2 can be realized by an information processing device (computer) such as a so-called PC or tablet.

In the training using the remote terminal A24-1 and the remote terminal B24-2, the evaluation data acquisition device 116 and the information sharing device 119 have the same configurations and functions as those in FIG. Further, it is desirable that the behavior detection device 118 is provided in an area (office or the like) where the remote terminal A24-1 or the remote terminal B24-2 is installed. As described in the description of FIG. 2, the behavior detection device 118 and the information sharing device 119 are not indispensable configurations, and a configuration in which these are not provided may be adopted.

Next, FIG. 9 is a diagram showing a configuration in which the simulator 12 of this embodiment is made into a cloud. As shown in FIG. 9, instead of the simulator 12, a cloud server 26 is provided, and a cloud terminal 25 connected via the network 23 is provided. The cloud server 26 can be realized by a so-called information processing device (computer), and has a storage unit 261 that stores various software that can be processed by the cloud terminal 25. In addition, it has a processing unit, a memory, and a connection unit for connecting to other devices and networks (not shown). The storage unit 261 stores a screen UI 2611 for displaying the display screen on the cloud terminal 25, a scenario progress management program 2612 for proceeding according to the training scenario, and a training result management analysis program 1613 for analyzing the training results. Of these, the training result management analysis program 1613 overlaps with the function of the evaluation data collection device 116, so one of them may be omitted. When the training result management analysis program 1613 is omitted, the cloud server 26 analyzes the evaluation result in cooperation with the evaluation data collection device 116.

Further, the information system terminal 14 and the control system terminal 18 in FIG. 2 may be taken out, that is, they may be realized in the cloud by a configuration in which they are connected to the simulator 12 via the network 23. Further, a plurality of cloud terminals 25 may be provided.

Next, the ideal behavior data creation process 103 in the evaluation data acquisition device 116 will be described with reference to FIGS. 3 and 4. FIG. 3 is a flowchart showing the ideal behavior data creation process 103. FIG. 4 is a diagram illustrating the concept of the ideal behavior data creation process 103 using a data structure.

Hereinafter, the details of the ideal behavior data creation process 103 will be described with reference to FIG.

First, in step 31, the ideal behavior data creation processing unit extracts the scheduled time, the incident, and the target from the scenario data 102. Next, in step 32, the ideal behavior data creation processing unit extracts the estimated time, the corresponding behavior, the actor, the target, and the parameters corresponding to the incident from the corresponding flow data 101.

Next, in step 33, the ideal behavior data creation processing unit specifies the expected time from the scheduled time extracted in step 31 and the estimated time extracted in step 32. Specifically, the ideal behavior data creation processing unit calculates the expected time by adding the estimated time to the scheduled time. This indicates that the estimated time of the response flow data 101 is the time required for the cyber attack, which is the training content, and the estimated time can be calculated by adding the scheduled time, which is the time information, to this.

As a result, in step 34, the ideal behavior data creation processing unit creates the ideal behavior data 104 by adding the expected time, the corresponding behavior, the actor, the target, and the parameters to the scenario data 102. Here, the ideal behavior data creation processing unit uses the predicted time calculated in step 33. Further, the ideal behavior data creation processing unit may provide the item shown in FIG. 4 as the ideal behavior data 104, and may not be created based on the scenario data 102.

Next, FIG. 5 is a flowchart of the corresponding data creation process 105 and the corresponding data transmission process 106, which are examples of the above-mentioned implementation action data. In addition to these, this flowchart also refers to the end determination process. These processes are executed by the server / terminal 117, that is, the information system server 13, the information system terminal 14, the control system server 17, and the control system terminal 18. The details will be described below.
(Corresponding data creation process 105)
In step 41, the corresponding data creation processing unit in the information system terminal 14 and the control system terminal 18 used by the student monitors the target NIC (network card) and checks whether the NIC is connected to the network.

Next, in step 42, when the network is not connected to the target NIC, the corresponding data creation processing unit turns on the target NIC disconnection action in the corresponding data, and records this time as the implementation time.

Further, in step 43, the corresponding data creation processing unit monitors the process of the target malware and checks whether this process has been executed, that is, whether it has been started. If the process has already been started, the process proceeds to step 44. In step 44, the corresponding data creation processing unit monitors the started malware process and checks whether the malware has been deleted. As a result, if it is deleted, the process proceeds to step 45, and if it is not deleted, the process proceeds to step 46.

In step 45, the response data creation processing unit turns on the target malware deletion action in the response data, and records the time when the deletion action is performed as the execution time in the response data. This is the end of the description of the corresponding data creation process 105, and the corresponding data transmission process 106 started from step 46 will be described.
(Corresponding data transmission process 106)
First, in step 46, the corresponding data transmission processing unit checks whether the corresponding data has been updated (changed). As a result, if there is a change, the process proceeds to step 47. If there is no change, the process proceeds to step 48. Here, in the flow shown in FIG. 6, the corresponding data transmission processing unit may determine that it has been changed when it goes through step 44 or step 45. Therefore, the transition may be made directly from step 44 or step 45 to step 47.

Next, in step 47, the corresponding data transmission processing unit transmits the updated implementation action data 111 to the evaluation data collection device 116. This completes the description of the corresponding data transmission process 106, and the end determination process (step 48) will be described below.
(End judgment processing)
In step 48, the corresponding data creation processing unit confirms whether the training is completed, and if the training is completed, ends the processing. If it continues, the process returns to step 31 and the monitoring is repeated periodically. This is the end of the description of FIG.

Next, the details of the evaluation data creation process 112 will be described with reference to FIGS. 6 and 7.

FIG. 6 is a flowchart of the evaluation data creation process 112 operated by the evaluation data acquisition device 116 of this embodiment. FIG. 7 is a data configuration diagram of data used in the evaluation data creation process 112 of this embodiment. Hereinafter, the details of the evaluation data creation process 112 will be described with reference to the flowchart of FIG.

First, in step 51, the evaluation data creation processing unit extracts the expected time, the corresponding action, the actor, the target, and the parameters, which are the data items of each record of the ideal action data 104. In the example of the ideal behavior data 104 shown in FIG. 7, No. In the case of 1 record, the expected time "12:00", the corresponding action "contact", the actor "student 1", the target "student 2", and the parameter "1" are extracted. As shown in FIG. 4, the ideal behavior data 104 is created by the evaluation data creation processing unit executing a matching process on the corresponding flow data 101 and the scenario data 102.

Further, in step 52, the evaluation data creation processing unit extracts the implementation time corresponding to the data item extracted in step 51 from the implementation action data 111. More specific processing is as follows. First, the evaluation data creation processing unit identifies a record having each of the data other than the expected time among the data extracted in step 51 from the execution action data 111. For example, the implementation action data 111 is searched using the corresponding action of the ideal action data 104 as a key. In the case of the above-mentioned example (No. 1 record of the ideal action data 104), the evaluation data creation processing unit has set the record No. 1 of the execution action data 111. Search for 1).

Then, the execution time (12:11) of the searched record (No. 1) is extracted. It should be noted that the ideal action data 104 and the execution action data 111 are sorted and recorded according to the expected time and the execution time, respectively, and when specific, the corresponding record is specified by searching in the sort order, so that the processing speed can be increased.

In specifying the record, the evaluation data creation processing unit may specify a record in which at least one of the corresponding processing, the actor, the target, and the parameter matches other than the expected time as the corresponding record. You may identify a record in which these are exactly the same.

Next, in step 53, the evaluation data creation processing unit compares the estimated time extracted in step 51 with the implementation time extracted in step 52, and calculates the difference (deviation) as an evaluation. In the above example, the evaluation data creation processing unit calculates "+1 minute" as the difference between the estimated time "12:00" and the implementation time "12:11".

Further, when the corresponding record is not specified in step 52, it indicates that the actor (student) has not performed the action to be performed. Therefore, in step 53, the evaluation data creation processing unit specifies the evaluation as “not performed”.

Next, in step 54, the evaluation data creation processing unit merges the data extracted in steps 51 and 52 with the evaluation calculated in step 53 to create the evaluation data 113. That is, as each record, No. , An evaluation data 113 having an estimated time, an implementation time, an actor, an object, a parameter, and an evaluation is created.

In this embodiment, the evaluation is calculated for each corresponding action of the ideal behavior data 104, but the evaluation may be calculated as the whole training (the whole ideal behavior data 104). For example, the evaluation data creation processing unit performs evaluation according to whether or not each corresponding action is implemented. In this case, it is desirable that the higher the number, the higher the evaluation.

Further, in this embodiment, the improvement points of the students may be added to the evaluation data 113. For this purpose, the evaluation data creation processing unit may derive the improvement points of the students and create the evaluation data 113 including them, or the instructor or the like who performs the scoring may derive the points and manually evaluate the evaluation data 113. May be added to. Here, the evaluation data creation processing unit may derive, for example, a corresponding action that has not been implemented as an improvement point. Further, the evaluation data creation processing unit may derive a corresponding action in which the difference between the expected time and the implementation time satisfies a predetermined condition as an improvement point.

As a result, the evaluation data creation processing unit stores the created evaluation data 113 in the evaluation database 114. This is the end of the description of the first embodiment.

In this embodiment, instead of the evaluation data collection network 11 in the first embodiment, the implementation behavior data 111 is transmitted to the evaluation data collection device 116 in real time, for example, during training with a wireless LAN device. Here, communication is performed through the evaluation data collection network 11, but a method of communicating via a wireless network may be used instead of the wired network.

This embodiment does not have the evaluation data collection network 11 in the first embodiment, and is configured to omit the transmission of the implementation behavior data 111 to the evaluation data collection device 116 in real time during the training and copy it after the training is completed. It is a thing. Therefore, steps 46 to 48 in the flowchart in FIG. 5 are changed as compared with the first embodiment. Therefore, only the steps that are changed from the first embodiment are shown below.

Step 46 and step 47 are skipped because they do not have the evaluation data collection network 11.

Then, the process transitions from step 43, step 44, and step 45 to step 48. In this step 48, after the training is completed, the corresponding data creation processing unit stores the created corresponding data in a portable storage medium. Then, a person related to the training moves the storage medium, and the evaluation data collecting device 116 reads out the contents and stores the contents in the storage device.

In this embodiment, the simulator 12 and the evaluation data acquisition device 116 in the first embodiment are constructed in a virtual environment by using virtualization technology. In the first embodiment described above, the simulator 12 and the evaluation data collection device 116 communicate with each other through the evaluation data collection network 11, but a virtual network may be used instead of the real network.

This is the end of the description of each embodiment. In each of the above embodiments, the cyber defense training simulator has been described as an example, but it can be applied to various training simulators. For example, if the implementation behavior data acquired by using the implementation behavior data creation transmission process corresponds to a specific driving operation, it can be applied to the behavior evaluation of training using the driving training simulator.

The present invention is not limited to the above-described embodiment, and includes various modifications. For example, the above-described embodiment has been described in detail in order to explain the present invention in an easy-to-understand manner, and is not necessarily limited to the one including all the described configurations. Further, it is possible to replace a part of the configuration of one embodiment with the configuration of another embodiment, and it is also possible to add the configuration of another embodiment to the configuration of one embodiment. Further, it is possible to add / delete / replace a part of the configuration of each embodiment with another configuration. Moreover, each of the above-mentioned configurations, functions, processing units, processing means and the like may be realized in a part or all of them in a virtual environment, for example. Information such as programs, tables, and files that realize each function can be placed in a memory, a hard disk, a recording device such as an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.

11 ... Evaluation data collection network, 12 ... Simulator, 13 ... Information server, 14 ... Information terminal, 15 ... Information network, 16 ... FW, 17 ... Control System server, 18 ... control system terminal, 19 ... control system network, 116 ... evaluation data collection device, 117 ... server / terminal, 118 ... behavior detection device, 119 ... information sharing Device.

Claims (10)

In the behavior evaluation device of cyber defense training for evaluating the behavior of students in cyber defense training against cyber attacks
Ideal to acquire scenario data including the scheduled time of the cyber attack and a plurality of incidents showing the contents thereof, and to include the response action to be taken by the student for each incident of the cyber attack and the estimated time based on the scheduled time. The ideal behavior data creation processing unit that creates behavior data,
The implementation behavior data creation processing unit that creates implementation behavior data including the behavior of the student for each incident of the cyber attack and the implementation time of the behavior.
A cyber defense training behavior evaluation device comprising an evaluation data creation processing unit that compares the ideal behavior data with the implementation behavior data and creates evaluation data based on the difference between the expected time and the implementation time. In the behavior evaluation device for cyber defense training according to claim 1,
The ideal behavior data creation processing unit creates the ideal behavior data by using the response flow data indicating the incident content of the cyber attack and the scenario data indicating the response flow to be performed by the student. Training behavior evaluation device. In the behavior evaluation device for cyber defense training according to claim 1,
The evaluation data creation processing unit uses the data items included in the records constituting the ideal behavior data as a key to search the execution behavior data record and specify the execution time. Behavior evaluation device. In the behavior evaluation device for cyber defense training according to claim 3,
If the record of the implementation action data is not searched, the evaluation data creation processing unit evaluates that the record has not been executed, and if it is searched, the evaluation data creation processing unit creates the evaluation data. Evaluation device. In the behavior evaluation device for cyber defense training according to claim 1,
The evaluation data creation processing unit is a behavior evaluation device for cyber defense training, characterized in that it creates either evaluation data for each corresponding action included in the ideal behavior data or evaluation data for the entire ideal behavior data. In the behavior evaluation method of cyber defense training for evaluating the behavior of students in cyber defense training against cyber attacks
Ideal to acquire scenario data including the scheduled time of the cyber attack and a plurality of incidents showing the contents thereof, and to include the response action to be taken by the student for each incident of the cyber attack and the estimated time based on the scheduled time. Create behavior data and
Created implementation behavior data including the behavior of the student for each incident of the cyber attack and the implementation time of the behavior.
A behavior evaluation method for cyber defense training, which comprises comparing the ideal behavior data with the implementation behavior data and creating evaluation data based on the difference between the expected time and the implementation time. In the behavior evaluation method of cyber defense training according to claim 6,
A behavior evaluation method for cyber defense training, characterized in that the ideal behavior data is created using the response flow data indicating the incident content of the cyber attack and the scenario data indicating the response flow to be performed by the student. In the behavior evaluation method of cyber defense training according to claim 6,
A behavior evaluation method for cyber defense training, characterized in that a record of the implementation behavior data is searched and the implementation time is specified by using a data item included in a record constituting the ideal behavior data as a key. In the behavior evaluation method of cyber defense training according to claim 8,
A behavior evaluation method for cyber defense training, characterized in that if a record of the implementation behavior data is not searched, it is evaluated as not implemented, and if it is searched, the evaluation data is created. In the behavior evaluation method of cyber defense training according to claim 6,
A behavior evaluation method for cyber defense training, which comprises creating either evaluation data for each corresponding behavior included in the ideal behavior data or evaluation data for the entire ideal behavior data.

Images