JP2022131621A - Threat scenario analysis device and threat scenario analysis method - Google Patents

Abstract

To reliably discover a threat scenario when a system did not operate exactly as in specification.SOLUTION: A threat scenario analysis system is configured to: store an event list being information including a listing of events that may occur when the system to be analyzed is operated exactly as in specification, and time points at which the respective events should occur as in specification; generate event occurrence data being data that combines, in a time-series manner, events occurring at time points at which they should occur as in specification and events occurring at times of day at which they should not occur as in specification; generate in plurality a state transition pattern of the system to be analyzed which is obtained by causing each event of the event occurrence data to act sequentially in time series upon the preliminarily set initial state; retrieve, as a threat scenario, a pattern in which the state of the system to be analyzed reaches a preliminarily set threat state, among the generated state transition patterns; and output information regarding the retrieved threat scenario.SELECTED DRAWING: Figure 1

Description

The present invention relates to a threat scenario analysis device and a threat scenario analysis method.

In order to ensure the safety security of systems such as information processing systems and equipment control systems, possible threats to the system and their causes are identified from the design stage (this process of identifying causes is hereinafter referred to as "threat analysis"). ), it is necessary to take appropriate countermeasures against possible threats and their causes.

Methods of systematic threat analysis in the design stage include, for example, attack tree analysis, 5w analysis, and STAMP/STPA analysis (Systems-Theoretic Accident Model and Processes/System-Theoretic Process Analysis). However, all of these threat analysis methods are based on the assumption that the analysis will be done manually by analysts. However, there is a problem that many threats and their causes are overlooked.

Regarding the above problem, for example, in Patent Document 1, in the stage of product design, a state transition model describing product specifications is operated using all parameters in the product specifications, and security "should not occur" is described. A specification defect verification system configured for the purpose of easily verifying the state of defects is described. The specification defect verification system uses the system specification as a state transition model of one or more combinations of state transitions due to changes in state nodes due to the occurrence of events, and when verifying the system specifications by state transition simulation, the state transition model is generated. A risk file of states that should not be allowed is stored, an event and the states before and after the transition of the state node due to the event are read from the state transition model, the events are sequentially executed, and if a predetermined condition is satisfied, the state node is changed according to the state information. State transitions between states are performed, and it is detected whether or not the state of the changed state node matches a combination of state nodes that should not occur.

JP 2009-75886 A

In Patent Document 1, a model that describes the state transition rules of the system to be analyzed, which is created based on the specifications of the system to be analyzed (hereinafter referred to as the "system to be analyzed"), and threats are input into the simulator. , patterns of state transitions leading to the occurrence of threats (hereinafter referred to as “threat scenarios”) are identified.

However, in Patent Document 1, only the patterns of state transitions that lead to threats that can occur when the system to be analyzed operates "according to specifications" are simulated, and the system "does not operate according to specifications" due to a defect or failure. It does not consider the case of For this reason, for example, events that cause state transitions in the system to be analyzed can be “too early than system specifications,” “too late,” or “excessive occurrences compared to system specifications.” It is not possible to discover threat scenarios in which the system does not work as specified.

The present invention has been made based on such a background, and aims to provide a threat scenario analysis device and a threat scenario analysis method capable of discovering a threat scenario when the system does not operate according to specifications. aim.

One of the present inventions for achieving the above object is an information processing system (threat scenario analysis system) for analyzing a threat scenario, which is a pattern of state transitions leading to threats that may occur in an analysis target system, comprising: and storing an event list that is information including a list of events that can occur when the system to be analyzed operates according to the specifications and the time at which each of the events should occur according to the specifications. generating event occurrence data, which is data obtained by chronologically combining an event occurring at a time that should occur and an event occurring at a time that should not occur according to the specifications, and generating the event occurrence in a preset initial state; generating a plurality of state transition patterns of the system to be analyzed obtained by sequentially acting on the events of the data in the time series, and among the generated state transition patterns, the state of the system to be analyzed is: A pattern that reaches a preset threat state is searched as a threat scenario, and information about the searched threat scenario is output.

Problems, configurations, and effects other than those described above will be clarified by the following description of the mode for carrying out the invention.

According to the present invention, it is possible to discover a threat scenario in which a threat occurs because the system does not operate according to specifications due to a problem, failure, or the like.

It is a figure which shows the schematic structure of a threat scenario analysis apparatus. 1 is an example of a physical configuration of a client device; It is an example of a physical configuration of a threat scenario analysis device. FIG. 4 is a sequence diagram showing an example of processing of the threat scenario analysis device; It is an example of an event list. It is an example of initial state information. It is a figure showing an example of threat information. It is an example of threat scenario data. It is an example of threat scenario classification data. It is an example of an event list input screen. It is a figure which shows an example of an initial state input screen. It is a figure which shows an example of a threat information input screen. It is a flow chart explaining input check processing. It is an example of state transition pattern data. FIG. 11 is a flowchart for explaining threat scenario search processing; FIG. 10 is a flowchart for explaining classification processing; It is an example of a threat scenario list screen. It is an example of a threat scenario detail screen.

Embodiments of the present invention will be described below with reference to the drawings. The following description and drawings are examples for explaining the present invention, and are appropriately omitted and simplified for clarity of explanation. The present invention can also be implemented in various other forms. Unless otherwise specified, each component may be singular or plural.

In the following description, various types of information may be described using expressions such as “table”, “list”, “queue”, etc. However, various types of information may be expressed in data structures other than these. "XX table", "XX list", etc. are sometimes referred to as "XX information" to indicate that they do not depend on the data structure. When describing the identification information, expressions such as “identification information”, “identifier”, “name”, “ID”, “number”, “No.” are used, but these can be replaced with each other. .

In the following description, the character "S" attached before the reference sign means a processing step. In the following description and drawings, "program" may be abbreviated as "PG", "interface" as "IF", and table as "TBL".

FIG. 1 shows a schematic configuration of a threat scenario analysis system 100 shown as one embodiment of the present invention. As shown in the figure, the threat scenario analysis system 100 is a requester side requesting analysis of a state transition pattern (hereinafter referred to as "threat scenario") that leads to the occurrence of a threat in the system to be analyzed. It comprises a client device 110, which is an information processing device, and a threat scenario analysis device 120, which is an analyst side device that performs analysis based on a request. Client device 110 is connected to threat scenario analysis device 120 via communication network 130 in a state in which two-way communication is possible. The communication network 130 is, for example, a LAN (Local Area Network
), WAN (Wide Area Network), Internet, public communication network, leased line, and the like.

The requester's device 110 has, as main functions, a requester's input reception unit 111, a requester's output unit 112,
and a storage unit 116. The storage unit 116 stores a client input/output PG 215 which is a program for realizing various functions of the client device 110 .

The threat scenario analysis device 120 includes an analyst input reception unit 121, an input check unit 122, a threat scenario search unit 123, a classification unit 124, an analyst output unit 125, and a storage unit 126 as main functions. Storage unit 126 stores threat scenario analysis PG 315, which is a program that implements various functions of threat scenario analysis device 120, event list 500, initial state information 600, threat information 700, threat scenario data 800, threat scenario classification data 900, and State transition pattern data 1400 is stored. The storage unit 126 manages these pieces of information (data) as files managed by a database table or a file system, for example.

FIG. 2 shows an example of the physical configuration of client device 110 . The client device 110 includes a device main body 210 and an input/output device 220 .

Among them, the device main body 210 includes a processor 211, a storage device 212, a communication IF 213, and a bus 214.
Prepare.

The processor 211 is a CPU (Central Processing Unit), MPU (Micro Processing Unit), GPU (Graphics Processing Unit), or the like. The processor 211 has a storage device 212
Various functions of the client device 110 are realized by reading and executing the programs stored in the .

The storage device 212 includes various storage elements (RAM (Random Access Memory), ROM (Read Only Memory), non-volatile memory ( non-volatile RAM)) and various recording media (SSD (Solid State Drive), hard disk drive, optical recording medium, etc.). As shown in the figure, the storage device 212 stores programs and data for realizing various functions of the client device 110 . A part or all of the program and data may be stored in advance in the storage device 212, and if necessary, the recording medium may be read from a non-temporary recording medium or a non-temporary storage device of another device. It can be read into the storage device 212 via the device or the communication IF 213 .

The communication IF 213 is a device for connecting the client device 110 to the communication network 130, and is, for example, a LAN (Local Area Network) card. Bus 214 connects processor 211 , storage device 212 , communication IF 213 , bus 214 and input/output device 220 .

The input/output device 220 is a device for inputting data from the client to the device 110 for client and for outputting data in the device 110 for client. Examples of the input/output device 220 include a keyboard, mouse, touch panel, voice input device (microphone), display, and printer.

The client device 110 includes, for example, an operating system, a file system, a DB
MS (DataBase Management System) (relational database, NoSQL, etc.), KVS (Key-Value Store), etc. may be introduced.

FIG. 3 shows an example physical configuration of the threat scenario analyzer 120. As shown in FIG. Threat scenario analysis device 120 includes device main body 310 and input/output device 320 .

Among them, the device main body 310 includes a processor 311, a storage device 312, a communication IF 313, and a bus 314.
Prepare.

The processor 311 is a CPU, MPU, GPU, or the like. The processor 311 has a storage device 312
threat scenario analysis device 120 by reading and executing the program stored in
Realize various functions of

The storage device 312 includes various storage elements (RAM, ROM, non-volatile memory) and various recording media (SSD, hard disk drive, optical recording media, etc.). As shown in the figure, the storage device 312 stores programs and data for implementing various functions of the threat scenario analysis device 120 . Programs and data can be read into the storage device 312 via a recording medium reading device or the communication IF 313 .

Communication IF 313 is a device for connecting threat scenario analysis device 120 to communication network 130, and is, for example, a LAN card. Bus 314 connects processor 311 , storage device 312 , communication IF 313 , bus 314 and input/output device 320 .

The input/output device 320 is a device for inputting data by an analyst to the threat scenario analysis device 120 and for outputting data in the threat scenario analysis device 120 . Examples of the input/output device 320 include a keyboard, mouse, touch panel, voice input device (microphone), display, and printer.

For example, an operating system, file system, DBMS (DataBase Management System) (relational database, NoSQL, etc.), KVS (Key-Value Store), etc. may be installed in the threat scenario analysis device 120 .

In addition, all or part of the information processing device used to realize the client device 110 and the threat scenario analysis device 120, for example, virtualization technology and process space separation, such as a virtual server provided by a cloud system It may be implemented using virtual information processing resources provided using technology or the like. Also, all or part of the functions provided by the information processing apparatus may be realized by services provided by the cloud system via an API (Application Programming Interface) or the like, for example. In addition, all or part of the functions provided by the information processing device are realized using, for example, SaaS (Software as a Service), PaaS (Platform as a Service), IaaS (Infrastructure as a Service), etc. can be anything. Further, the client device 110 and the threat scenario analysis device 120 may be configured using a plurality of information processing devices that are communicatively connected.

FIG. 4 is a sequence diagram outlining main processing (hereinafter referred to as “threat scenario analysis processing S400”) performed among various functions of the threat scenario analysis system 100, the client, and the analyst. . The threat scenario analysis processing S400 will be described below with reference to FIG.

First, the requester input reception unit 111 receives input of system information from the requester (S401).
). Here, system information is information including event list 500 and initial state information 600 .

Specifically, requester input reception unit 111 displays event list input screen 1000, which will be described later, on input/output device 220, and the requester operates input/output device 220 to display event list input screen 1000. Enter event list 500 in . In addition, the requester input reception unit 111 displays an initial state input screen 1100, which will be described later, on the input/output device 220, and the requester operates the input/output device 220 to display the initial state on the displayed initial state input screen 1100. Enter information 600.

Subsequently, the requester input reception unit 111 receives input of the threat information 700 from the requester (S402). Specifically, requester input reception unit 111 displays threat information input screen 1200, which will be described later, on input/output device 220, and the requester operates input/output device 220 to display threat information input screen 1200. Enter threat information 700.

Subsequently, when the requester input reception unit 111 receives an analysis request issued by the requester operating the input/output device 220 (S403), the input system information (event list 500, initial state information 600, ) and threat information 700 (hereinafter referred to as “input information”) to analyst input reception unit 121 (S404).

The analyst input reception unit 121 displays the received input information on the input/output device 320 (S405). The analyst refers to the input information and corrects the input information by operating the input/output device 320 as necessary. information”) is received (S406). The screens used in the processes of S405 and S406 may have the same screen configuration as the event list input screen 1000, the initial state input screen 1100, and the threat information input screen 1200.

Analyst input reception unit 121, upon receiving an analysis start request issued by the analyst operating input/output device 320 (S407), receives the corrected input information received in S406 and sends it to input check unit 122.
(S408).

Upon receiving the corrected input information, the input check unit 122 determines whether or not there is a contradiction in the corrected input information (S409). If no contradiction exists, the input check unit 122 sends the corrected input information to the threat scenario search unit 123 (S410). On the other hand, if a contradiction exists (
If "error exists"), the input check unit 122 displays an error message to the analyst and terminates the process (S419). In FIG. 4, the processing in the case of “with error” and the processing in the case of “without error” are separately shown in the frame indicated by “alt” in the lower row.

When the threat scenario searching unit 123 receives the corrected input information from the input checking unit 122 ("
no error”), the received corrected input information is used to search for state transition patterns (S411), and one or more searched (discovered) threat scenarios (threat scenario data 800) are analyzed and classified by the classification unit 124 (S412).

The classification unit 124 classifies the threat scenario received from the threat scenario search unit to generate threat scenario classification data 900 (S413), and the threat scenario data 800 and the threat scenario classification data 900 are generated.
is sent to the analyst output unit 125 as the analysis result (S414).

The analyst output unit 125 displays the analysis result received from the classification unit 124 to the analyst (S415). Specifically, analyst output unit 125 displays on input/output device 320 a threat scenario list screen 1700 and a threat scenario detail screen 1800, which will be described later. When the analysis result transmission request is transmitted from the client device 110 to the analyst output unit 125 of the threat scenario analysis device 120 by operating the input/output device 320 by the analyst who confirmed the analysis result (S416), The analyst's output unit 125 transmits the analysis result to the client's output unit 112 (S417).

The client output unit 112 displays the analysis results (threat scenario list screen 1700 and threat scenario detail screen 1800 described later) received from the analyst output unit 125 on the input/output device 220 (S418).

Next, the details of the threat scenario analysis processing S400 shown in FIG. 4 will be described together with a specific example. In the following, the system to be analyzed operates to maintain the water temperature of the water tank within a predetermined range by feedback-controlling the thermostat by the control device (hereinafter referred to as "thermostat system"). An example will be described. A thermostat system includes a water tank, a sensor, and a heater. The thermostat system starts heating when the water temperature measured by the sensor reaches 24°C, and stops heating when the water temperature reaches 26°C. Operate to keep below 26°C above. In this example, it is assumed that the threats to the thermostat system are "water temperature reaching 23°C" and "water temperature reaching 27°C", and threat scenarios leading to these threats are searched.

An example of an event list 500 is shown in FIG. The illustrated event list 500 includes one or more event information. Each event information has an event name 510, a list of state transition rules, a precondition 540, and occurrence necessity 550 as fields.

The system state (before event) 520 and the system state (after event) 530 both store one or more conditional expressions representing the state of the system, which are combined with the "AND" or "OR" operator. . In addition, in the figure, the case where there is one conditional expression (for example, "water temperature = 23°C") is exemplified.

In the following description, a set of system state (before event) 520 and system state (after event) 530 is referred to as a "state transition rule". One state transition rule is that when the event occurs when the system state is specified as the system state (before the event) 520, the system state is specified as the system state (after the event) 530 after the event occurs. It means to change into something else.

In the event list 500, a plurality of state transition rules can be assigned to one event. This makes it possible to express state transition patterns such as "a state transition that differs from the original specification occurs" when an event occurs "too early" or "too late". When 123 searches for a threat scenario in S411 of FIG. 4, it can search for a state transition pattern that "a state transition different from the original specification occurs."

In the figure, for example, the event information whose event name 510 is "temperature rise" has the system state (before the event) 520 as "water temperature = 23°C" and the system state (after the event) 530 as "water temperature = 24°C". contains state transition rules that are This means that if the event "temperature rise" occurs while the value of the system parameter "water temperature" is "23℃", the value of the parameter "water temperature" after the event will change to "24℃". means.

Further, for example, in the state transition rule of one piece of event information in the event list 500, the system state (before event) 520 and the system state (after event) 530 are "output=3 kW" and "output=4 kW", respectively. Consider a state transition rule and a state transition rule of "output=4 kW" and "output=5 kW". In this case, if the event is given with a power of 3 kW, the power will change to 4 kW, and if the event is given with a power of 4 kW, the power will change to 5 kW. In this way, it is also possible to express that different state transitions occur depending on the time when an event occurs.

Among the fields shown in the figure, a precondition 540 includes a condition (one or more individual preconditions (hereinafter referred to as "individual preconditions") specifying when an event occurs, either "AND" or combined with the "OR" operator) is stored.

In this example, the requester input/output PG 215 of the requester device 110 and the threat scenario analysis PG 315 of the threat scenario analysis device 120 have, as individual preconditions, "(numerical value) seconds after the previous (event name) After", "while (conditional expression)", "(number) seconds after becoming (conditional expression)", "(number) seconds after (event name)", etc. and specific values assigned to the placeholders (event name), (numerical value), (conditional expression), and (event name) in the above fields shall be used as individual preconditions in the preconditions 540. do.

Of the fields shown in the figure, the occurrence necessity 550 contains "True", which indicates that the event will always occur once if the precondition is met, or an event that occurs only when the precondition is met. Either "False" is stored to indicate that the event is not required to occur, although it may be possible. Occurrence need 550 is used in generating threat scenarios. Hereinafter, an event whose occurrence necessity 550 is "True" is referred to as an "inevitable event", and an event whose occurrence necessity is "False" is referred to as an "incidental event".

FIG. 6 shows an example of initial state information 600. As shown in FIG. The initial state information 600 is tabular data having parameter names 610 and values 620 as fields. The initial state information 600 is the initial state (hereinafter referred to as the "initial state") of the system to be analyzed (hereinafter referred to as the "analyzed system") when performing the threat scenario search in S411 of FIG. ). As will be described later, when the threat scenario search unit 123 searches for a threat scenario in S411 of FIG.
Search for state transition patterns starting from the initial state.

An example of threat information 700 is shown in FIG. The threat information is tabular data having threat name 710 and threat status 720 as fields. The threat state 720 stores one or more conditional expressions combined with an "AND" or "OR" operator. The threat scenario search unit 123 determines that "a threat has occurred" when the system state matches any of the threat states 720 in the threat scenario search in S411 of FIG. That is, the threat scenario search unit 123 searches for a state transition pattern leading to one of the threat states 720 in the threat scenario search in S411 of FIG.

FIG. 8 shows an example of threat scenario data 800 generated by the threat scenario searching unit 123. As shown in FIG. Threat scenario data 800 is data describing the content of a threat scenario, and is generated for each searched threat scenario. As shown in the figure, the threat scenario data 800 includes a threat scenario No. 810 field, state transition data 820, threat occurrence data 830, and event occurrence data 840. FIG.

Of these, threat scenario No. 810 stores a number that uniquely identifies the threat scenario. The illustrated threat scenario data 800 is data of a threat scenario whose threat scenario No. 810 is "13".

The state transition data 820 is data representing the state transition of the analysis target system in the threat scenario. The state transition data 820 is tabular data having a state number 821, a parameter name 822, and a value 823 as fields. State No. 821 stores identification information of the state of the system to be analyzed (in this example, it is a numerical value, and the state changes in ascending order of the numerical value). Records having the same state No. 821 in the state transition data 820 represent one state as a whole. For example, in the case of FIG. 8, the two records whose state No. 821 is "0" collectively represent the initial state of "water temperature=25° C. AND heating state=heating stopped". In addition, the two records whose state No. 821 is "1" represent states to be transitioned to after the initial state, and collectively represent the state "water temperature=24° C. AND heating state=heating stopped".

The threat occurrence data 830 is data representing a state corresponding to the threat state in the threat scenario, and is tabular data having state No. 831 and threat name 832 as fields. In the example of the figure, state No.5 "water temperature = 27°C AND heating state = heating" and state No.6 "water temperature = 27°C AND
Since "heating state=heating stopped" corresponds to the threat state with the threat name "overheating" defined in the threat information 700, a record corresponding to the threat occurrence data 830 is stored.

The event occurrence data 840 is time-series data representing events that occur in the threat scenario. data in tabular form.

Of these, event identification information is stored in event No. 841 . In this example, the event No. 841 stores numerical values given in order of event occurrence (in order of occurrence time 845).
An event whose event No. 841 is “n” causes a transition from the state where the state No. 821 in the state transition data 820 is “n” to the state where the state No. 821 is “n+1”.

The status 843 contains information indicating the type of the event (in this example, "as per specification", "
too early", "too late", or "excessive") is stored.

Specified time to occur 844 stores a single time or range of times. The time 844 that should occur by design stores a single time or a range of times depending on the preconditions 540 of the event in the event list 500 .

Occurrence time 845 stores the time when the event occurs in the threat scenario. In this example, the time of occurrence 845 stores the elapsed time from the start of the threat scenario.

An example of threat scenario classification data 900 is shown in FIG. The threat scenario classification data 900 manages the results of classification (grouping) of the threat scenarios (threat scenario data 800) generated by the threat scenario searching unit 123. FIG. Threat scenario classification data 900 is tabular data having threat scenario classification No. 910, threat scenario No. list 920, representative threat scenario No. 930, and description 940 as fields.

Threat scenario classification No. 910 stores a number that uniquely identifies a group of threat scenario classification destinations (hereinafter referred to as "threat scenario classification").

The threat scenario No. list 920 stores the threat scenario No. 810 of the threat scenario (threat scenario data 800) classified into the relevant threat scenario classification.

In the representative threat scenario No. 930, the threat scenario No. of the threat scenario (threat scenario data 800) displayed as a representative example when displaying the analysis results (S415, S418) in FIG. 810 is stored.

Description 940 stores information describing the threat scenario classification.

FIG. 10 is an example of a screen (hereinafter referred to as "event list input screen 1000") displayed on the input/output device 220 by the requester input reception unit 111 when system information is input (S401) in FIG. . The requester inputs the event list 500 via the event list input screen 1000. FIG.

As shown in the figure, the event list input screen 1000 includes an event name field 1010, a system state (before the event) input field 1020, a system state (after the event) input field 1030, and a It has an event list table 1001 with an occurrence condition field 1040 . One piece of event information is entered as one row of the event list table 1001 .

The requester inputs a character string representing the name of each event in the event name field 1010 by operating the input/output device 220 . When the requester operates the event addition button 1011 (by left-clicking with a mouse or the like), the requester input reception unit 111 adds one row to the event list table 1001 . When the requester operates each line of the event name field 1010 (right-clicking with a mouse, etc.), the requester input reception unit 111 displays a context menu. When the requester selects the option "delete event" from the context menu, the corresponding row of the event list table 1001 is deleted.

The requester operates the input/output device 220 to change the system state (
Pre-event) and system state (post-event) are entered in system state (pre-event) input field 1020 and system state (post-event) input field 1030, respectively. When the requester operates the state transition addition buttons 1021 to 1024 (by left-clicking with a mouse, etc.), the requester input reception unit 111 fills the relevant positions with the system state (before event) input field 1020 and the system state (after event). Add one row of input fields 1030 .

When the requester operates (eg, right-clicks with a mouse) each line of the system state (before event) input field 1020 or the system state (after event) input field 1030, requester input reception unit 111 displays a context menu. The requester's selection of the context menu option "delete event" causes the corresponding System State (Pre-Event) Entry Field 1020 and System State (Post-Event) Entry Field 1030 rows to be deleted.

The requester inputs the occurrence condition in the occurrence condition field 1040 by operating the input/output device 220 . Specifically, the requester enters individual preconditions in individual precondition input fields 1051-1056. When the requester operates (left-clicks with the mouse) any of the individual precondition input fields 1051 to 1056, the requester input reception unit 111 displays the items in the individual precondition template as a pull-down menu. When the requester selects one of the items by operating (left-clicking with a mouse, etc.), the item is reflected in the operated individual precondition input field. At this time, the placeholder portion in the item is displayed as a selectable object, and the requester can input a value by operating (left-clicking with a mouse, etc.) the placeholder portion.

For example, if the requester selects "After (numerical value) seconds after the previous (event name)" from the template in the individual precondition input field 1051, click "(event name)" to select "Temperature rise ”, by operating (left-clicking with a mouse, etc.) and entering “10”, the individual precondition “10 seconds after the previous temperature rise” can be entered.

Also, when the requester operates the AND/OR input fields 1061 to 1062 (by left-clicking with a mouse, etc.), the requester input reception unit 111 displays "AND" and "OR" as a pull-down menu. When the requester operates one of them (left-clicking with a mouse, etc.), the selected item is reflected in the relevant AND/OR input field.

When the requester operates the occurrence necessity information input fields 1071 to 1074 (by left-clicking with a mouse, etc.), the requester input reception unit 111 displays "may occur" and "always occurs" as a pull-down menu. . When the requester operates one of them (left-clicking with a mouse, etc.), the selected item is reflected in the occurrence necessity information input column.

When the requester operates the condition addition buttons 1081 and 1082 (by left-clicking with a mouse, etc.), the requester input receiving unit 111 adds a set of an AND/OR input field and an individual precondition input field to the corresponding positions. .

When the requester operates the initial state input screen transition button 1090 (by left-clicking with a mouse or the like), the requester input reception unit 111 displays the initial state input screen 1100, which will be described later.

FIG. 11 is an example of a screen (hereinafter referred to as “initial state input screen 1100”) displayed on input/output device 220 by requester input reception unit 111 when system information is input (S401) in FIG. . The requester enters the initial state information 600 via the initial state input screen 1100 .

As shown in the figure, initial state input screen 1100 has initial state table 1101 having parameter name field 1110 and initial value field 1120 .

The requester operates the input/output device 220 to input the parameter name and the value that the parameter takes in the initial state into the parameter name field 1110 and the initial value field 1120, respectively. In the figure, the initial state is set such that the value of the parameter "water temperature" is "25°C" and the value of the parameter "overheating state" is "heating stopped".

When the requester operates the parameter addition button 1111 (by left-clicking with a mouse or the like), the requester input reception unit 111 adds one row to the initial state table 1101 . When the requester operates the return button 1130 (by left-clicking with a mouse, etc.), the requester input reception unit 111 displays the event list input screen 1000 . When the requester operates the threat information input screen transition button 1140 (by left-clicking with a mouse or the like), the requester input reception unit 111 displays the threat information input screen 1200 described later.

FIG. 12 is an example of a screen (hereinafter referred to as "threat information input screen 1200") displayed on the input/output device 220 by the client input reception unit 111 when the threat information is input (S402) in FIG. . The requester enters the threat information 700 via the threat information input screen 1200. FIG.

As shown in the figure, the threat information input screen 1200 has a threat table 1201 having a threat name field 1210 and a threat status field 1220. FIG. The requester inputs a threat name into the threat name field 1210 by operating the input/output device 220, and the corresponding threat state is obtained by combining one or more conditional expressions with "AND" or "OR". in the corresponding row of the threat status field 1220 as .

When the requester operates the add threat button 1211 (by left-clicking with a mouse or the like), the requester input reception unit 111 adds one row to the threat table 1201 . When the requester operates the return button 1230 (by left-clicking with a mouse, etc.), the requester input reception unit 111 displays the initial state input screen 1100 .
When the requester operates the analysis request button 1240 (by left-clicking with a mouse, etc.), the requester input reception unit 111 transmits the input information to the analyst input reception unit 121 (S404 in FIG. 4).

FIG. 13 is a flowchart for explaining the details of the process performed by the input check unit 122 in S409 of FIG. 4 (hereinafter referred to as "input check process S409"). The input check processing S409 will be described below with reference to FIG.

First, in step S4091, the input checking unit 122 determines whether or not there is an error in the format of the corrected input information received by the input receiving unit 121 for analyst. The types of errors in the format are not necessarily limited. character string is entered), duplicate event names or threat names exist, and so on.

In process S4092, the input checking unit 122 determines whether or not there is a conflicting state transition rule in the event list 500 included in the corrected input information received from the input receiving unit 121 for analyst. Here, two state transition rules contradict each other means that there is a system state that simultaneously applies to both system states (before the event) 520 and that the system states (after the event) 530 are different (after the event) state is not uniquely determined). For example, for a certain event, the system state (before the event) 520 and the system state (after the event) 530 are "water temperature = 23°C" and "water temperature = 24°C", and "water temperature = 23°C" and "water temperature = 25°C", respectively. ℃” exists. In this case, the value of the parameter "water temperature" is "23
The two state transitions are inconsistent because the value of the parameter "water temperature" after the event occurs in the state of "temperature" is not uniquely determined.

In process S4093, the input checking unit 122 determines whether or not the initial state information 600 included in the corrected input information received from the analyst input receiving unit 121 is sufficient. For example, among the parameter names described in the system state (before event) 520 and system state (after event) 530 in the event list 500, the occurrence condition 540, and the threat state 720 in the threat information 700, the initial state information 600 If there is any parameter name 610 that is not described as the parameter name 610, the input check unit 122 determines that the initial state information 600 is not sufficient.

If there is no problem in the results of processes S4091 to S4093, that is, if there is no error in the input format, no conflicting state transition rules exist, and the initial state information is sufficient, the input check unit 122 corrects as process S410. The completed input information is sent to the threat scenario searching unit 123, and the process ends. On the other hand, if there is a problem as a result of processing S4091 to S4093, the input check unit 122 outputs an error message to the input/output device 330 as processing S419, and terminates the processing.

14 is generated internally in the storage device 312 when the threat scenario search process (hereinafter referred to as "threat scenario search process S411") is performed by the threat scenario search unit 123 in the process S411 of FIG. This is an example of data (hereinafter referred to as “state transition pattern data 1400”).

As shown in the figure, state transition pattern data 1400 includes state transition data 1410, event occurrence data 1420, scheduled event data 1430, and parameter condition data 1440. FIG. Of these fields, the state transition data 1410 and event occurrence data 1420 fields are the same as the state transition data 820 and event occurrence data 840 in the threat scenario data 800 illustrated in FIG. On the other hand, for the time 1424 that should occur according to the specification and the time 1425 that should occur, values expressed using parameters such as "t0+0.1" are stored.

The scheduled event data 1430 is tabular data having two fields of an event name 1431 and a time 1432 to occur according to specifications. The scheduled event data 1430 is an event that is determined to occur according to the specification when the analysis target system operates according to the state transition data 1410 and the event occurrence data 1420, that is, the event list 500 illustrated in FIG. It is a list of events for which the pre-condition 540 is confirmed to be satisfied and the need-to-occur 550 is "True".

The parameter condition data 1440 lists the conditions imposed on the parameters stored at the times 1424 and 1432 that should occur according to the specification of the event occurrence data 1420 and the time 1425 that should occur. Setting of the parameter condition data 1440 will be described later.

FIG. 15 is a flow chart for explaining the details of the process performed by the threat scenario search unit 123 in S411 of FIG. 4 (hereinafter referred to as "threat scenario search process S411"). The threat scenario search processing S411 will be described below with reference to FIG.

First, the threat scenario searching unit 123 secures a storage area for a queue for storing a string of state transition patterns (hereinafter referred to as a “state transition pattern queue”) in the storage device 312, and stores the state transitions representing the initial state. The pattern data 1403 is stored in the state transition pattern queue (S41101). Here, the state transition pattern data 1403 representing the initial state includes, for example, "0" in the state No. 1411, parameter name 610 and value 620 of the initial state information 600 in the parameter name 1412 and value 1413.
is the state transition pattern data 1400 in which the contents of the state transition data 1410 each having a stored record, the event occurrence data 1420, the scheduled event data 1430, and the parameter condition data 1440 are all blank.

The processing after S41102 is a loop processing that is repeatedly performed while the state transition pattern is stored in the state transition pattern queue. Threat scenarios are generated exhaustively by repeatedly executing this loop process. For example, the analyst may set a time limit in advance, and the above loop processing may be repeated until the execution time of the threat scenario analysis PG 315 reaches the set time limit.

In S41102, the threat scenario searching unit 123 first retrieves one piece of state transition pattern data 1400 stored in the state transition pattern queue.

Subsequently, the threat scenario searching unit 123, based on the extracted state transition pattern data 1400,
State transition pattern data 1400 (hereinafter referred to as "normal pattern data") in which the status 1423 of the event occurrence data 1420 is all "according to specification" is generated (S41103). Specifically, the threat scenario searching unit 123 deletes one of the scheduled occurrence event data 1430 and adds it to the end of the event occurrence data 1420, or adds an accidental event that satisfies the precondition 540 to the event occurrence data. A state transition pattern added to the end of 1420 is generated, "according to specification" is stored for status 1423 of any record, and time 1424 that should occur according to specification is stored in time 1425 of occurrence.

Along with the normal pattern data generation, the threat scenario searching unit 123 refers to the state transition rule of the event list 500 and updates the state transition data 1410 based on the event occurrence data 1420. FIG. The threat scenario searching unit 123 also refers to the preconditions 540 of the event list 500 and adds to the scheduled occurrence event data 1430 events for which the preconditions 540 have been confirmed to be satisfied. For example, if the precondition 540 of the event "heating stop" is "0.1 seconds after the water temperature reaches 26°C" and the parameter "water temperature" reaches "26°C" at time "t3", the event name 1431 is A record is added to the event occurrence data 1420 in which the time 1432 that should occur according to the specifications is set to "t3+0.1".

Subsequently, the threat scenario searching unit 123 determines whether or not there is an event with the status 1423 other than "according to specification" in the state transition pattern data 1400 extracted from the state transition pattern queue in S41102 (S41104). If there is no event whose status 1423 is other than "according to specification" (S41104: NO), the threat scenario search unit 123 determines that the event occurrence data 1420 has the status 1423 based on the state transition pattern data 1400 extracted in S41102. Generate state transition pattern data 1400 (hereinafter referred to as "abnormal pattern data") based on an event in which any one of "too early", "too late", and "excessive" is stored.

For example, the threat scenario search unit 123 changes the status 1423 of one event in the event occurrence data 1420 to "too early" and does not change the order of occurrence of the event (the order of occurrence is the same as when according to the specifications). ), or by changing the order of occurrence of the event to be earlier (become earlier than the order of occurrence according to the specifications) to generate abnormal pattern data. In addition, the threat scenario search unit 123 changes the status 1423 of one event included in the event occurrence data 1420 to "too late" and does not change the order of occurrence of the event (the order of occurrence is the same as when according to the specifications). ), or late (later than the order of occurrence when according to the specifications) to generate abnormal pattern data obtained by changing.

The threat scenario search unit 123 changes the time 1425 at which the selected event occurs in the abnormal pattern data generated by the above processing to a parameter such as "t4". Subsequently, the threat scenario searching unit 123 inserts one inevitable event in the event list 500 into an arbitrary position of the event occurrence data 1420 of the state transition pattern data 1400 extracted in S41102. to generate At this time, the status 1423 of the inserted event is represented by parameters such as "superfluous", the time 1424 that should occur according to the specification is "None", and the time 1425 to occur is "t4".

Subsequently, threat scenario search unit 123 refers to the state transition rule of event list 500 for the state transition pattern data generated by the above processing, and updates state transition data 1410 based on event occurrence data 1420 . At this time, the threat scenario searching unit 123 determines that the precondition 540 of any of the events whose status 1423 in the event occurrence data 1420 is "according to specification", "too early", or "too late" is If it is no longer satisfied, discard the state transition pattern data. In addition, the threat scenario searching unit 123 determines whether the precondition 540
is not included in the event occurrence data 1420, the state transition pattern data is discarded.

Next, threat scenario search unit 123 refers to precondition 540 of event list 500, and selects occurrence scheduled event data 1430 of state transition pattern data 1400 extracted in S41102 for events for which precondition 540 is confirmed to be satisfied. Add to

Regarding the state transition pattern data 1400 generated in S41103 and S41105, if the state with the same value 1413 in the state transition data 1410 exists two or more times, that is, if the state transition is looped, the subsequent state transition pattern data 1400 Duplicate state transition pattern data may be discarded in order to reduce the processing load.

Subsequently, the threat scenario searching unit 123 repeats the processing of S41106 to S41111 for each state transition pattern (normal pattern data, abnormal pattern data) generated in S41103 and S41105.

First, the threat scenario searching unit 123 determines the time 1424 that should occur according to the specifications and the time 1425 that should occur.
(S41106). At this time, as a condition imposed on the parameter, at least one of two types of conditions between the time 1425 to occur and a condition between the time 1424 to occur and the time 1425 to occur according to the specification is imposed. . As for the former, for example, if the times 1425 at which the events whose event numbers 1421 are n and n+1 occur are t_n and t_{n+1}, respectively, the condition t_n<t_{n+1} is imposed. As for the latter, for example, if the time 1424 that should occur according to the specifications of the event is t' and the time 1425 that should occur is t, if the status 1423 is "too early", t <t',"too late impose the condition t>t'. Also, if the time 1424 that should occur according to the specifications of the event is (t', t'') and the time 1425 that should occur is t, if the status 1423 is "too early", t <t',"too late imposes the condition t>t''. The threat scenario search unit 123 determines whether or not there is a parameter solution that satisfies the imposed conditions.

If no solution exists (S41106: NO), threat scenario searching section 123 discards the state transition pattern (S41107). On the other hand, if a solution exists (S41106: YES), the threat scenario searching unit 123 stores the necessary and sufficient condition that the set of parameters satisfies the condition as the parameter condition data 1440 (S41108).

In S41109, the threat scenario searching unit 123 refers to the state transition data 1410 and determines whether or not there is a system state corresponding to any of the threat states 720 of the threat information 700. If there is no system state corresponding to the threat state (S41109: NO), threat scenario searching section 123 adds the state transition pattern data to the state transition pattern queue (S41110).

On the other hand, if there is a system state corresponding to a threat state (S41109: YES), threat scenario searching section 123 stores (saves) the state transition pattern as a threat scenario (threat scenario data 800) (S41111). At this time, the threat scenario searching unit 123 stores the event occurrence data 840 in which the parameters that appear at the time 1424 and the time 1425 that should occur according to the specifications are replaced with numerical values that satisfy all the conditions described in the parameter condition data 1440. . Threat scenario searching unit 123 also stores state No. 1411 corresponding to the threat state and corresponding threat name 710 as threat occurrence data 830 .

FIG. 16 is a flowchart for explaining details of process 3 performed by the classification unit 124 in S413 of FIG. 4 (hereinafter referred to as "classification process S413"). The classification processing S413 will be described below with reference to FIG.

First, the classification unit 124 repeats the loop processing of S4131 to S4132 for any pair of the threat occurrence data 830 stored by the threat scenario search unit 123. FIG.

In S4131, the classification unit 124 determines whether or not the threat scenario pair satisfies the merge condition. Here, the merge condition refers to a condition under which two threat scenarios are classified in the same manner.
shall be pre-defined in As a merge condition, for example, "similarity of patterns that reach the threat state (for example, similarity based on commonality of causes (too late, too early, extra, etc.) and results (water temperature drop, overheating, etc.)) exceeds the threshold,", "In the event occurrence data 1420 of the two threat scenarios, the merge condition is met when only the order of occurrence of two consecutive events is changed", " If the order has been changed more than a threshold number of times, the merge condition is not satisfied." However, the method of setting the merge condition is not necessarily limited.

At S4132, the classification unit 124 updates the threat scenario classification data 900 according to the result of S4131. That is, threat scenario classification No. 910 of threat scenario classification data 900 and threat scenario classification No. 910 of threat scenario classification data 900 and threat Scenario number list 920 is updated.

After the loop processing, the classification unit 124 then selects a representative threat scenario for the classification destination (group) of each threat scenario, and stores it in representative threat scenario No. 930 (S4133). As a criterion for selecting a representative threat scenario, for example, ``select a threat scenario with the smallest number of events included in the event occurrence data 840 (that is, select a threat scenario that has a simple configuration and is easy to understand)'', etc. The selection criteria for representative threat scenarios are not necessarily limited.

Subsequently, the classification unit 124 generates contents to be stored in the description 940 of the threat scenario classification data 900 for each threat scenario classification (S4134). For example, based on the event name 842, the status 843, and the threat name 832, the classification unit 124 generates an explanation such as "the event 'heating start' is too late, resulting in the threat 'water temperature drop'". Note that the method of generating the description is not necessarily limited.

FIG. 17 is a diagram showing an example of a threat scenario list screen 1700. As shown in FIG. As shown in the figure, the threat scenario list screen 1700 includes a threat scenario classification explanation list 1710 and an analysis result send button 1720. FIG.

The threat scenario classification description list 1710 lists the contents of the descriptions 940 in the threat scenario classification data 900 . When the analyst operates the input/output device 320 to operate one row of the threat scenario classification description list 1710 (by left-clicking with a mouse, etc.), the analyst output unit 125 outputs the corresponding row of the threat scenario classification data 900. representative threat scenario No. 930, and generates and displays a screen (hereinafter referred to as "threat scenario detail screen 1800") describing the information of the representative threat scenario.

When the analyst operates the input/output device 320 and operates the analysis result transmission button 1720 (by left-clicking with a mouse, etc.), the analysis result transmission request in S416 of FIG. Analyst output unit 125 , upon receiving the analysis result transmission request, transmits the analysis result to client output unit 112 .

FIG. 18 is a diagram showing an example of a threat scenario detail screen 1800. As shown in FIG. The threat scenario detail screen 1800 includes a threat scenario description display 1810, system status displays 1821-1827, threat status displays 1831-1832, event displays 1841-1846, event detailed data displays 1851-1856, a return button 1860, and a similar scenario display button. Including 1870.

The threat scenario description display 1810 displays the description of the threat scenario selected in the threat scenario category description list 1710. FIG. In addition, information on representative threat scenarios of the threat scenario classification corresponding to the description is displayed as system status displays 1821-1827, threat status displays 1831-1832, event displays 1841-1846, and event detailed data displays 1851-1856. .

Analyst output unit 125 displays parameter names 822 and values 823 of state transition data 820 in ascending order of state No. 821 in tabular format as system state displays 1821 to 1827 . Analyst output unit 125
displays the corresponding threat name 832 as threat status displays 1831-1832 adjacent to the system status displays 1821-1827 corresponding to the status No. 831 of the threat occurrence data 830. FIG.

Analyst output unit 125 displays event names 842 of event occurrence data 840 in the order of event numbers 841 in tabular format as event displays 1841 to 1846 . The output unit for analyst 125 displays the status 843, the time 844 that should occur according to the specifications, and the time 845 that should occur among the event occurrence data 840 as event detailed data displays 1851 to 1856 in tabular form in ascending order of the event No. 841. indicate.

When the analyst operates the return button 1860 (by left-clicking with a mouse, etc.), the output unit for analyst 125 displays the threat scenario list screen 1700 . When the analyst operates the similar scenario display button 1870 (by left-clicking with a mouse or the like), the analyst output unit 125 displays threat scenarios of the same classification as the representative threat scenario side by side with the representative threat scenario. However, the operation of the analyst's output unit 125 when the analyst operates the similar scenario display button 1870 (left-clicking with a mouse, etc.) is not limited to this. You may display another screen to display.

According to the threat scenario analysis system 100 of the present embodiment described above, the case where the system to be analyzed does not operate according to the specifications is treated as a state transition pattern in which the time at which the event should occur differs from the time at which it should occur according to the specification of the event. can be expressed. Therefore, in addition to the threat scenario where the system to be analyzed operates according to specifications but a threat occurs, if the system to be analyzed does not operate according to specifications, for example, an event may occur earlier than the specifications of the system to be analyzed. It is possible to discover threat scenarios in which events occurred too late, too late, or too late compared to the specifications of the system under analysis.

In addition, the threat scenario analysis system 100 outputs information (information on a representative threat scenario for each classification destination) obtained by classifying a plurality of searched threat scenarios based on the similarity of their state transition patterns. So users can efficiently analyze threat scenarios.

In addition, the threat scenario analysis system 100 analyzes the state transition pattern of the threat scenario, information indicating the threat state, the event that occurred in the threat scenario, the time that should occur according to the specifications of each state of the pattern, and the occurrence of each state of the pattern. Since the threats are displayed in chronological order along with the time of occurrence, etc., the user can efficiently identify the process and cause leading to the threat.

Although one embodiment of the present invention has been described above, it goes without saying that the present invention is not limited to the above-described embodiment, and can be variously modified without departing from the scope of the invention. For example, the above embodiments have been described in detail in order to explain the present invention in an easy-to-understand manner, and are not necessarily limited to those having all the configurations described. Moreover, it is possible to add, delete, or replace some of the configurations of the above embodiments with other configurations.

A part or all of the above components, functional units, processing units, processing means, etc. may be realized by hardware, for example, by designing them with an integrated circuit. Moreover, each of the above configurations, functions, etc. may be realized by software by a processor interpreting and executing a program for realizing each function. Information such as programs, tables, and files that implement each function can be stored in recording devices such as memories, hard disks, SSDs (Solid State Drives), and recording media such as IC cards, SD cards, and DVDs.

The arrangement form of various functional units, various processing units, and various databases of the information processing apparatus described above is merely an example. The arrangement form of various functional units, various processing units, and various databases can be changed to an optimum arrangement form from the viewpoint of the performance, processing efficiency, communication efficiency, etc. of hardware and software provided in these devices.

The configuration of the database (schema, etc.) that stores the various data described above can be flexibly changed from the viewpoints of efficient use of resources, improvement of processing efficiency, improvement of access efficiency, improvement of search efficiency, and the like.

100 Threat Scenario Analysis System 110 Apparatus for Client 111 Input Receiving Unit for Client 112 Output Unit for Client 116 Storage Unit 120 Threat Scenario Analysis Device 121
Analyst input reception unit 122 input check unit 123 threat scenario search unit 124
classification unit 125 output unit for analyst 126 storage unit 215 input/output PG for requester 315 threat scenario analysis PG 500 event list 600 initial state information 800
Threat scenario data 900 Threat scenario classification data 1000 Event list input screen 1100 Initial state input screen 1200 Threat information input screen 1400 State transition pattern data 1700 Threat scenario list screen 1800 Threat scenario detail screen S400 Threat scenario analysis processing, S411 threat scenario search processing, S413 classification processing, S900 input check processing

Claims (15)

An information processing system that analyzes threat scenarios, which are patterns of state transitions that lead to threats that can occur in an analysis target system,
configured using an information processing device,
storing an event list, which is information including a list of events that can occur when the system to be analyzed operates according to specifications and the time at which each of the events should occur according to the specifications;
generating event occurrence data, which is data obtained by chronologically combining an event that occurs at a time that should occur according to the specifications and an event that occurs at a time that should not occur according to the specifications;
generating a plurality of patterns of state transitions of the system to be analyzed obtained by sequentially applying events of the event occurrence data to a preset initial state in the time series;
searching, as a threat scenario, for a pattern in which the state of the system to be analyzed reaches a preset threat state among the generated state transition patterns;
outputting information about the threat scenarios that have been explored;
Threat scenario analyzer. A threat scenario analysis device according to claim 1,
An event that occurs at a time that should not occur according to the specifications includes an event that occurs earlier than the time that should occur according to the specifications, an event that occurs later than the time that should occur according to the specifications, and an event that occurs at a time later than the time that should occur according to the specifications. is either an extra event that cannot occur if it works,
Threat scenario analyzer. A threat scenario analysis device according to claim 2,
The event that occurs at a time that should not occur according to the specifications is an event that occurs earlier in the order of occurrence than when operating according to the specification, or an event occurs later in the order of occurrence than when operating according to the specification.
Threat scenario analyzer. A threat scenario analysis device according to claim 1,
Among the generated state transition patterns, a condition imposed between the times when each of the events occurs, and a condition imposed between the times when each of the events should occur according to the specification and the time when the event occurs. Exclude from the search target those that do not satisfy at least one of
Threat scenario analyzer. A threat scenario analysis device according to claim 1,
outputting information obtained by classifying the searched threat scenarios based on the similarity of their state transition patterns;
Threat scenario analyzer. A threat scenario analysis device according to claim 5,
Selecting and outputting a representative threat scenario for each classification destination of the threat scenario;
Threat scenario analyzer. A threat scenario analysis device according to claim 6,
electing the threat scenario with the fewest number of occurrences of events to reach the threat state as the representative;
Threat scenario analyzer. A threat scenario analysis device according to claim 1,
displaying patterns of state transitions of the threat scenario in chronological order;
Threat scenario analyzer. A threat scenario analysis device according to claim 8,
The state transition pattern of the threat scenario is selected from the information indicating the threat state, the event that occurred in the threat scenario, the time that each state of the pattern should occur according to the specifications, and the time that each state of the pattern occurs. displayed in chronological order with at least one of
Threat scenario analyzer. A threat scenario analysis device according to claim 1,
communicatively connected to a requestor device operated by a requestor for threat scenario analysis;
obtaining information indicative of the initial state, information indicative of the threat state, and the event list from the client device;
Threat scenario analyzer. A threat scenario analysis device according to claim 10,
Searching for the threat scenario based on the information indicating the initial state, the information indicating the threat state, and the event list, and transmitting information about the searched threat scenario to the client device;
Threat scenario analyzer. An information processing method for analyzing a threat scenario, which is a pattern of state transitions leading to threats that can occur in an analysis target system,
The information processing device
a step of storing an event list, which is information including a list of events that can occur when the system to be analyzed operates according to specifications and the time at which each of the events should occur according to the specifications;
a step of generating event occurrence data, which is data obtained by chronologically combining an event that occurs at a time that should occur according to the specifications and an event that occurs at a time that should not occur according to the specifications;
a step of generating a plurality of patterns of state transition of the system to be analyzed, which are obtained by sequentially applying each event of the event occurrence data to a preset initial state in the time series;
a step of searching, as a threat scenario, for a pattern in which the state of the system to be analyzed reaches a preset threat state among the generated state transition patterns;
outputting information about the detected threat scenario;
A threat scenario analysis method that performs A threat scenario analysis method according to claim 12, comprising:
Among the state transition patterns generated by the information processing apparatus, a condition imposed between times when each of the events occurs, and a time when each of the events should occur according to the specification and a time when the event occurs. excluding from the search objects those that do not satisfy at least one of the conditions imposed between
Threat scenario analysis method. A threat scenario analysis method according to claim 12, comprising:
The information processing device further executes a step of outputting information obtained by classifying the searched threat scenarios based on the similarity of their state transition patterns.
Threat scenario analysis method. The threat scenario analysis method of claim 14, comprising:
The information processing device further executes a step of selecting and outputting a representative threat scenario for each classification destination of the threat scenario.
Threat scenario analysis method.

Images