JP2022191649A - Cybersecurity management device, cybersecurity management method and cybersecurity management system - Google Patents

Abstract

To determine priority of cyberattack in real time, on the basis of a state of the cyberattack evolving in real time, and to facilitate determination of optimal measures for minimizing damage of the cyberattack.SOLUTION: In a cybersecurity management system 200, a cybersecurity management device 250 includes: an information acquisition unit 252 which acquires attack evaluation information for evaluating cyberattack to an attack object being an object of the cyberattack; a parameter determination unit 254 which determines a time-dependent parameter which depends on time, and a non-time-dependent parameter which does not depend on the time, as an evaluation reference for evaluating the cyberattack, on the basis of the attack evaluation information; and a priority determination unit 256 which determines priority about the cyberattack, on the basis of the time-dependent parameter and the non-time-dependent parameter.SELECTED DRAWING: Figure 2

Description

The present disclosure relates to a cybersecurity management device, a cybersecurity management method, and a cybersecurity management system.

In recent years, cyberattacks continue to evolve year by year due to the discovery of new vulnerabilities and the emergence of new attack methods. Under these circumstances, the question of whether information systems are equipped with defense functions against cyberattacks and the extent of damage caused by cyberattacks has become an important matter of concern for society and organizations.

In order to suppress the damage of cyberattacks, there is known a method of first evaluating the severity of cyberattacks and implementing countermeasures according to the severity.

For example, US Patent Application Publication No. 2020/0007574 states, "The systems, methods, and software described herein provide enhanced functionality for performing security actions in a computing environment. In one example, a method of operating an advice system to recommend actions in a computing environment includes identifying security incidents in the computing environment, identifying asset criticality, and one or Obtaining enrichment information about the security incident from multiple internal or external sources, the method also includes identifying a severity of the security incident based on the enrichment information, one or more Determining a plurality of security actions is provided, and the method identifies an effect of the one or more security actions on operation of the computing environment based on the importance and severity; identifying a subset of one or more security actions for responding to a security incident.' technology is described.

U.S. Patent Application Publication No. 2020/0007574

Patent Document 1 describes means for determining security actions for responding to cyberattacks according to the importance of assets targeted by cyberattacks and the degree of severity based on the type of cyberattack. there is
However, with the method of Patent Document 1, security actions for responding to cyberattacks are static information that does not change over time, such as the importance of assets targeted for attack and the types of cyberattacks (hereafter referred to as "non- It is difficult to take countermeasures against cyberattacks based on the situation of cyberattacks evolving in real time. As a result, the execution of measures to suppress cyberattacks may be delayed, and the damage caused by cyberattacks may increase.

Therefore, the present disclosure minimizes the damage of cyberattacks by determining the priority of cyberattacks using not only non-time-dependent parameters but also time-dependent parameters that indicate the real-time progress of cyberattacks. The purpose is to provide a cyber security management tool that facilitates real-time judgment of the optimal countermeasures for

In order to solve the above problems, one of the typical cybersecurity management devices of the present disclosure includes an information acquisition unit that acquires attack evaluation information for evaluating cyberattacks against attack targets that are targets of cyberattacks. a parameter determination unit that determines a time-dependent parameter and a non-time-dependent parameter as evaluation criteria for evaluating the cyber attack based on the attack evaluation information; and the time-dependent parameter and , and a priority calculator that calculates a priority for the cyber attack based on the non-time dependent parameters.

According to the present disclosure, not only non-time-dependent parameters but also time-dependent parameters that indicate the real-time progress of cyber-attacks are used to determine the priority of cyber-attacks, thereby minimizing the damage caused by cyber-attacks. It is possible to provide a cyber security management tool that facilitates real-time determination of the optimal countermeasures for
Problems, configurations, and effects other than the above will be clarified by the description in the following modes for carrying out the invention.

FIG. 1 is a diagram illustrating a computer system for implementing embodiments of the present disclosure. FIG. 2 is a diagram illustrating an example configuration of a cybersecurity management system according to an embodiment of the present disclosure. FIG. 3 is a flow chart illustrating data flow in a cybersecurity management system according to an embodiment of the present disclosure. FIG. 4 is a diagram illustrating an example data configuration of an attack technique table according to the embodiment of the present disclosure. FIG. 5 is a diagram illustrating an example of calculation of time intervals between security events in cyberattacks. FIG. 6 is a diagram illustrating an example data configuration of an attack speed table according to the embodiment of the present disclosure. FIG. 7 is a diagram showing a specific example of an attack speed table according to the embodiment of the present disclosure. FIG. 8 is a diagram illustrating an example data configuration of an asset information table according to the embodiment of the present disclosure. FIG. 9 is a diagram illustrating an example data configuration of a priority evaluation table according to the embodiment of the present disclosure. FIG. 10 is a flowchart showing the flow of priority determination processing according to the embodiment of the present disclosure. FIG. 11 is a diagram showing an asset importance confirmation screen for confirming asset importance according to the embodiment of the present disclosure. FIG. 12 is a diagram showing an attack progress confirmation screen for confirming the degree of progress of a cyber attack according to the embodiment of the present disclosure. FIG. 13 is a diagram showing an attack speed confirmation screen for confirming the speed of cyberattacks according to the embodiment of the present disclosure. FIG. 14 is a diagram showing a priority confirmation screen for confirming the priority of cyberattacks according to the embodiment of the present disclosure.

As mentioned above, in recent years, cyberattacks continue to evolve year by year due to the discovery of new vulnerabilities and the emergence of new attack methods. Under these circumstances, the question of whether information systems are equipped with defense functions against cyberattacks and the extent of damage caused by cyberattacks has become an important matter of concern for society and organizations.
The cyberattack here means extracting data, falsifying data, destroying a system, etc., and may include indiscriminate attacks and targeted attacks aimed at specific assets.

Many of the conventional countermeasures against cyber-attacks are aimed at measures to prevent cyber-attacks and measures to limit damage after cyber-attacks are over. As a means of evaluating the severity of a cyberattack during a cyberattack, the above-mentioned Patent Document 1 exists. Severity ratings are based solely on non-time dependent parameters that do not change over time. For this reason, it is difficult to implement cyberattack countermeasures based on the situation of cyberattacks evolving in real time. be.

Therefore, the present disclosure determines the priority of cyberattacks using not only non-time-dependent parameters but also time-dependent parameters that indicate the real-time progression of cyberattacks. For example, in certain embodiments of the present disclosure, in addition to non-time-dependent parameters, such as an asset importance parameter that indicates the importance of the attack target, an attack progression parameter that indicates the degree of progress of a cyber attack, A time-dependent parameter, such as a security event velocity parameter that indicates velocity, may be used to determine cyber-attack priority. This priority determination may be made in real-time, for example, before the cyberattack ends.
This makes it possible to determine in real time the optimal measures to minimize damage from cyberattacks.

Hereinafter, embodiments of the present invention will be described with reference to the drawings. It should be noted that the present invention is not limited by this embodiment. Moreover, in the description of the drawings, the same parts are denoted by the same reference numerals.

First, referring to FIG. 1, a computer system 100 for implementing an embodiment of the present disclosure will be described. The mechanisms and apparatus of various embodiments disclosed herein may be applied to any suitable computing system. The major components of computer system 100 include one or more processors 102 , memory 104 , terminal interfaces 112 , storage interfaces 113 , I/O (input/output) device interfaces 114 , and network interfaces 115 . These components may be interconnected via memory bus 106 , I/O bus 108 , bus interface unit 109 and I/O bus interface unit 110 .

Computer system 100 may include one or more general purpose programmable central processing units (CPUs) 102A and 102B, collectively referred to as processors 102 . In some embodiments, computer system 100 may include multiple processors, and in other embodiments, computer system 100 may be a single CPU system. Each processor 102 executes instructions stored in memory 104 and may include an on-board cache.

In some embodiments, memory 104 may include random access semiconductor memory, storage devices, or storage media (either volatile or non-volatile) for storing data and programs. Memory 104 may store all or part of the programs, modules, and data structures that implement the functions described herein. For example, memory 104 may store cybersecurity management application 150 . In some embodiments, cybersecurity management application 150 may include instructions or descriptions that perform the functions described below on processor 102 .

In some embodiments, cybersecurity management application 150 may be implemented in semiconductor devices, chips, logic gates, circuits, circuit cards, and/or other physical hardware instead of or in addition to processor-based systems. It may be implemented in hardware via a device. In some embodiments, cybersecurity management application 150 may include data other than instructions or descriptions. In some embodiments, a camera, sensor, or other data input device (not shown) may be provided in direct communication with bus interface unit 109, processor 102, or other hardware of computer system 100. .

Computer system 100 may include bus interface unit 109 that provides communication between processor 102 , memory 104 , display system 124 , and I/O bus interface unit 110 . I/O bus interface unit 110 may be coupled to I/O bus 108 for transferring data to and from various I/O units. I/O bus interface unit 110 connects via I/O bus 108 a plurality of I/O interface units 112, 113, 114, also known as I/O processors (IOPs) or I/O adapters (IOAs); and 115.

Display system 124 may include a display controller, a display memory, or both. The display controller can provide video, audio, or both data to display device 126 . Computer system 100 may also include devices such as one or more sensors configured to collect data and provide such data to processor 102 .

For example, the computer system 100 may include a biometric sensor that collects heart rate data, stress level data, etc., an environmental sensor that collects humidity data, temperature data, pressure data, etc., and a motion sensor that collects acceleration data, motion data, etc. may include Other types of sensors can also be used. The display system 124 may be connected to a display device 126 such as a single display screen, television, tablet, or handheld device.

The I/O interface unit provides the ability to communicate with various storage or I/O devices. For example, the terminal interface unit 112 may be a user output device such as a video display, speaker television, or user input device such as a keyboard, mouse, keypad, touchpad, trackball, button, light pen, or other pointing device. Such user I/O devices 116 can be attached. Using the user interface, the user inputs input data and instructions to the user I/O device 116 and the computer system 100 by manipulating the user input devices, and receives output data from the computer system 100. good too. The user interface may be displayed on a display device, played by speakers, or printed via a printer, for example, via user I/O device 116 .

Storage interface 113 connects to one or more disk drives or direct access storage devices 117 (typically magnetic disk drive storage devices, but arrays of disk drives or other storage devices configured to appear as a single disk drive). ) can be attached. In some embodiments, storage device 117 may be implemented as any secondary storage device. The contents of memory 104 may be stored in storage device 117 and read from storage device 117 as needed. I/O device interface 114 may provide an interface to other I/O devices such as printers, fax machines, and the like. Network interface 115 may provide a communication pathway to allow computer system 100 and other devices to communicate with each other. This communication path may be, for example, network 130 .

In some embodiments, computer system 100 is a device that receives requests from other computer systems (clients) that do not have a direct user interface, such as multi-user mainframe computer systems, single-user systems, or server computers. There may be. In other embodiments, computer system 100 may be a desktop computer, handheld computer, laptop, tablet computer, pocket computer, phone, smart phone, or any other suitable electronic device.

Next, with reference to FIG. 2, the configuration of the cybersecurity management system according to the embodiment of the present disclosure will be described.

FIG. 2 is a diagram illustrating an example configuration of a cybersecurity management system 200 according to an embodiment of the present disclosure. As shown in FIG. 2, cybersecurity management system 200 includes security agency 210, client environment 220 including a plurality of client devices 221-223, communication network 230, and cybersecurity management device 250. As shown in FIG. Security authority 210 , client environment 220 and cybersecurity manager 250 are interconnected via communications network 230 . The communication network 230 here may include, for example, the Internet, LAN (Local Area Network), MAN (Metropolitan Area Network), WAN (Wide Area Network), and the like.

Security agency 210 is a third-party organization whose purpose is to promote cybersecurity. Security agency 210 may be a governmental or private organization that develops strategies to combat cyber-attacks and provides various information and tools to identify and mitigate cyber-attacks. For example, the security agency 210 may create and provide attack technique information for identifying attack techniques of cyberattacks.
As shown in FIG. 2, security authority 210 may include server device 212 . Server device 212 is a device for communicating information between security agency 210 , client environment 220 , and cybersecurity management device 250 via communication network 230 . For example, the security agency 210 may transmit attack technique information for specifying the attack technique of a cyber attack to the cyber security management device 250 via the communication network 230 .

Client environment 220 is a private network containing computing assets that are targeted by cyberattacks. As used herein, "attack target" means any device, network, or data subject to a cyberattack.
As shown in FIG. 2, client environment 220 includes a plurality of client devices 221-223 as computing assets. These client devices 221-223 are computing devices included in the private network of the client environment 220, and may include any computing device such as servers, personal computers, storage units, smart phones, and the like. Also, in the present disclosure, an example will be described in which some or all of the client devices 221 to 223 included in the client environment 220 are targeted for cyberattacks.
For convenience of explanation, the client environment 220 including three client devices is shown as an example, but the present disclosure is not limited to this, and the number of client devices and the network configuration of the client environment 220 are arbitrary.

The cybersecurity management device 250 is a device for determining the priority of cyberattacks (for example, cyberattacks against the client environment 220). As shown in FIG. 2, the cybersecurity management device 250 includes an information acquisition unit 252, a parameter determination unit 254, a priority determination unit 256, and a storage unit 258.

The information acquisition unit 252 is a functional unit that acquires attack evaluation information for evaluating cyberattacks against attack targets in the client environment 220 . For example, the information acquisition unit 252 acquires data log information indicating security events related to attack targets, attack method information for identifying attack methods of cyber attacks, attack target information related to attack targets, and network structures including attack targets. You may acquire the network structure information shown as attack evaluation information. As described below, this information may be obtained, for example, from the security agency 210 or from the attacked client environment 220 .

Based on the attack evaluation information acquired by the information acquisition unit 252, the parameter determination unit 254 determines time-dependent parameters and non-time-dependent parameters as evaluation criteria for evaluating cyberattacks. It is a functional part that Here, a time-dependent parameter means information that changes with time during the period in which a cyberattack is being carried out. On the other hand, time-independent parameters refer to information that does not change with time during the period in which the cyberattack is being carried out.

For example, the parameter determination unit 254 may determine an asset importance level parameter indicating the importance level of an attack target as a non-time-dependent parameter. The importance of an attack target according to embodiments of the present disclosure is determined according to the rank of the attack target in the network structure and does not change during an attack, so it is one of the time-independent parameters.
Further, the parameter determination unit 254 may determine a progress parameter indicating the degree of progress of a cyber attack or a speed parameter indicating the progress speed of a cyber attack as time-dependent parameters. The degree and speed of cyber-attack progress are time-dependent parameters, as they can fluctuate in real-time during an attack.

In addition, in this disclosure, the asset importance parameter indicating the importance of the attack target is a non-time-dependent parameter, and the progress parameter indicating the degree of progress of the cyber attack and the speed parameter indicating the progress speed of the cyber attack are time-dependent. Although the case of using parameters will be described as an example, the present disclosure is not limited to this, and the non-time-dependent parameters and time-dependent parameters are appropriately selected based on the configuration of the attack target, the nature of the cyberattack, etc. good too.

The priority determination unit 256 is a functional unit that calculates the priority regarding cyberattacks based on the time-dependent parameters determined by the parameter determination unit 254 and the non-time-dependent parameters. This priority is an indicator of the relative importance of cyberattacks. This priority may be expressed as one of three levels such as "high", "medium", and "low", for example, and expressed as a value selected from a numerical range such as "0 to 10". You may
In the present disclosure, for convenience of explanation, a case where the priority is expressed in three levels such as "high", "middle", and "low" will be described as an example.

The priority determination unit 256 uses the time-dependent parameters determined by the parameter determination unit 254, the non-time-dependent parameters, and a priority evaluation table 260, which will be described later, to determine a cyberattack. For example, the priority determination unit 256 can determine the priority regarding cyberattacks by comparing the speed parameter, progress parameter, and asset importance parameter to the priority evaluation table 260 .

The storage unit 258 is a storage unit for storing various information used by the cybersecurity management device 250 . The storage unit 258 may be any storage medium such as flash memory, hard disk drive, or the like.
As shown in FIG. 2, the storage unit 258 stores a priority evaluation table 260. FIG. This priority evaluation table 260 is a table that associates each non-time-dependent parameter and time-dependent parameter with a predetermined priority, and is used to determine the priority of a particular cyberattack. The priority evaluation table 260 may be created in advance and stored in the storage unit 258, for example.

The functional units of the cybersecurity management device 250 described above may be implemented as independent hardware, or may be implemented as software modules in the cybersecurity management application 150 shown in FIG. 1, for example.

According to the cybersecurity management system 200 described above, the priority of cyberattacks is determined using not only non-time-dependent parameters but also time-dependent parameters that indicate the real-time progress of cyberattacks. Real-time determination of the optimal countermeasures for minimizing damage can be facilitated.

Next, with reference to FIG. 3, data flow in the cybersecurity management system according to the embodiment of the present disclosure will be described.

FIG. 3 is a flow chart illustrating data flow 300 in cybersecurity management system 200 in accordance with an embodiment of the present disclosure. As shown in FIG. 3 , in cybersecurity management system 200 information is communicated between client environment 220 , cybersecurity management device 250 and security agency 210 .
It should be noted that the data flow 300 shown in FIG. 3 may occur during a cyberattack. This allows the priority to be determined dynamically as the cyberattack progresses in real time.

First, in step S<b>302 , the client environment 220 transmits attack target information, network structure information, and data log information to the cybersecurity management device 250 . The attack target information, network structure information, and data log information here may be sent from any of the client devices 221 , 222 , and 223 in the client environment 220 .
In some embodiments, client environment 220 may send attack surface information, network structure information, and data log information to cybersecurity manager 250 upon detection of a cyberattack. In some embodiments, cybersecurity manager 250 may also request network configuration information and datalog information from client environment 220 .

Attack target information is information that specifies computing assets such as devices, networks, or data that are affected by cyberattacks as attack targets in the client environment 220 . For example, this attack target information may designate some or all of the client devices 221, 222, and 223 as attack targets.

Network structure information is information indicating the network configuration of the client environment 220 . For example, this network structure information is information indicating each node (for example, computing devices such as client devices 221, 222, and 223) on the network of the client environment 220 and connection routes between the nodes (so-called network topology). good too. This network structure information may also include information indicating the role of each node on the network of client environment 220 . For example, in one embodiment, this network structure information indicates that the role of sensor devices in the network of client environment 220 is "raw data collection," "raw data preprocessing," "data aggregation," or "data analysis." You can show that

Data log information is information indicating security events related to targets of cyberattacks. For example, data log information may include the detection time of each security event, the computing assets affected, the type, severity, and the like.
A security event here is a process for achieving the purpose of a cyberattack, such as network intrusion, data collection, and system modification. Generally, one cyber-attack consists of one or more security events. For example, if the cyber attack is a DDoS attack, each data sent to cause server overload is detected as a different "security event" and recorded in the data log information.

Next, in step S<b>304 , the security agency 210 transmits attack technique information to the cybersecurity management device 250 . The attack method information here may be transmitted from the server device 212 of the security organization 210 .
In some embodiments, security agency 210 may send attack technique information to cybersecurity manager 250 in response to a request from cybersecurity manager 250 .

The attack method information here is information for specifying the attack method of the cyber attack. More specifically, this attack technique information indicates an attack technique that an attacker may use at each stage of a particular type of cyber-attack. As an example, this attack method information includes "Active Scanning, Gather Victim Host Information, Gather Victim Identity, Gather Victim Identity, Gather Victim Identity, Gather Victim Identity, Gather Victim Network Information" may be indicated. By using this attack method information and attack target data log information, a cyber attack method can be specified.

Next, in step S306, the information acquisition unit of the cybersecurity management device 250 receives the attack target information, network structure information, and data log information transmitted from the client environment 220, and also receives the attack technique transmitted from the security organization 210. receive information;
Here, a case in which various types of information are transmitted to the cybersecurity management device 250 is described as an example, but the present disclosure is not limited to this, and the cybersecurity management device 250 spontaneously transmits various types of information. may be obtained.

Next, in step S308, the parameter determination unit of the cybersecurity management device 250 creates each table used when determining the priority of cyberattacks based on the various information received in step S306. For example, here, the cyber security parameter determination unit includes an attack method table (see FIG. 4), an attack speed table (see FIG. 6), an asset information table (see FIG. 8), and a priority evaluation table (see FIG. 9). may be created.
The details of each table created here will be described later.

Next, in step S310, the parameter determination unit of the cybersecurity management device 250 uses time-dependent parameters and time-dependent Determine non-time-dependent parameters that do not For example, here, the cybersecurity parameter determination unit may determine an asset importance parameter indicating the importance of an attack target as a non-time-dependent parameter based on an asset information table. Further, the cybersecurity parameter determination unit may create a progress parameter indicating the degree of progress of the cyberattack as a time-dependent parameter based on the attack technique table. Further, the cybersecurity parameter determination unit may create a speed parameter indicating the progress speed of the cyberattack as a time-dependent parameter based on the attack speed table.

Next, in step S312, the priority determination unit of the cybersecurity management device 250 calculates the priority of cyberattacks based on the time-dependent parameters and non-time-dependent parameters determined in step S310. More specifically, the cybersecurity manager 250 may calculate the priority of cyberattacks by comparing the velocity parameter, the progress parameter, and the asset importance parameter to a priority rating table.

Next, in step S314, the priority determination unit of the cybersecurity management device 250 transmits priority information indicating the priority of the cyber attack calculated in step S312 to the client environment 220. FIG. This priority information may be sent in real-time, for example before the cyber-attack is finished. This makes it possible to determine and implement optimal cyberattack countermeasures as cyberattacks progress in real time.

Next, in step S316, when the information acquisition unit of the cybersecurity management device 250 receives additional information (for example, the latest data log information, updated attack target information, network structure information, or attack method information), this process returns to step S306 and additional information is processed in steps S308-S312.

According to the data flow described above, the cybersecurity management device 250 can acquire various types of information for determining the priority of cyberattacks. This allows the priority to be determined dynamically as the cyberattack progresses in real time.

Next, an attack technique table according to the embodiment of the present disclosure will be described with reference to FIG.

As described above, in the present disclosure, as one of the time-dependent parameters for determining the priority of cyberattacks, a progression parameter that indicates the degree of progress of a cyberattack (that is, how far the cyberattack has progressed at the present time) Use This progression parameter is determined based on the attack techniques used in security events in cyberattacks. Also, this attack method is identified based on the attack method table 400 created based on the attack method information obtained from the security agency and the data log information obtained from the client environment.
In principle, as cyberattacks progress, their objectives and attack methods change according to predictable patterns (network intrusions, data collection, system modifications), so the attack methods used in the most recent security events should be identified. By doing so, it is possible to estimate the degree of progress of the cyberattack at the present time.

FIG. 4 is a diagram illustrating an example of an attack technique table 400 according to an embodiment of the present disclosure. As described above, this attack technique table 400 is created based on the attack technique information obtained from the security agency. As shown in FIG. 4, the attack technique table 400 stores information on progression parameters 410 , attack technique objectives 412 , and attack technique 414 . Each attack technique 414 is classified according to purpose. For example, "Reconnaissance" and "Defense Evasion" are classified into the same category because they are attack techniques for the purpose of network intrusion.
Although FIG. 4 shows an example of the attack method table 400, the present disclosure is not limited to this, and the configuration of the attack method table 400 (purpose of attack method, information on attack method, etc.) may be changed as appropriate. may be

In general, the objectives of security events in cyberattacks change in order of network intrusion, data collection, and system modification. Therefore, since the attack technique whose purpose is network intrusion is carried out at the beginning of the cyberattack, that is, when the degree of progress of the cyberattack is low, it is associated with the progress parameter of "low". In addition, since the attack method whose objective is data collection is carried out in the middle stage of the cyberattack, that is, when the cyberattack is progressing moderately, it is associated with the progress parameter of "medium". In addition, the attack method whose purpose is to change the system is carried out at the end of the cyber attack, that is, when the cyber attack is progressing to a high degree, so it is associated with the progress parameter of "high".

The parameter determination unit of the cybersecurity management device uses the data log information acquired from the client environment and the attack method table 400 shown in FIG. 4 to identify the attack method of a specific security event in the cyber attack, Progression parameters associated with the technique can be determined. More specifically, the parameter determination unit identifies an attack method of a specific security event in data log information obtained from the client environment. The specific security event here can be any security event that has been detected, but in order to determine the current degree of progress of a cyberattack, the most recent security event should be used. Here, existing means may be used to identify the attack technique of the security event, and the present disclosure is not particularly limited.
After the attack technique of the security event is identified, the parameter determination unit refers to the attack technique table 400 to determine progression parameters associated with the identified attack technique. As an example, if the attack method of the security event is "Exfiltration", the parameter determination unit determines the progress parameter as "high" because the purpose of the cyber attack has progressed to the stage of system change, so the degree of progress is high. do.

As described above, by using the data log information obtained from the client environment and the attack method table 400 created based on the attack method information obtained from the security agency, the degree of progress of the cyber attack at the present time can be estimated. Determining progression parameters can be determined. By using this progress parameter, it becomes possible to determine the priority of cyberattacks by taking into account the current progress of cyberattacks, facilitating real-time determination of the optimal countermeasures for minimizing damage caused by cyberattacks.

Next, velocity parameters according to embodiments of the present disclosure will be described with reference to FIGS. 5-7.

As described above, in the present disclosure, as one of the time-dependent parameters for determining the priority of cyberattacks, a speed parameter indicating the progress speed of cyberattacks is used. This velocity parameter is determined based on the time interval between each security event detected in a cyberattack.
First, the parameter determination unit calculates the time interval between security events based on the detection time of each security event recorded in the data log information acquired from the client environment. Here, the parameter determination unit may calculate the time intervals between all security events recorded in the data log information, or may calculate the time intervals between security events within a specific period.

Next, the parameter determiner computes a weighted average of the time intervals between each security event in the cyberattack. By comparing the weighted average of the time intervals between security events calculated in this way to a pre-created attack speed table, a speed parameter indicating the progress speed of a cyber-attack can be determined.

FIG. 5 is a diagram illustrating an example of calculation of time intervals between security events in cyberattacks. FIG. 5 shows a timeline 500 of chronological security events in a particular cyber-attack. As shown in FIG. 5, this timeline 500 shows five security events: event 0, event 1, event 2, event 3, event 4 and event 5. FIG. As mentioned above, these security events are steps to achieve the objectives of a cyberattack (network intrusion, data collection, system modification, etc.). Each security event is performed by the same or different attack techniques.

First, the parameter determination unit defines an analysis target period ATW including the target security event. This analysis target period ATW may be defined as appropriate based on, for example, the time when a cyberattack is detected. For example, as shown in FIG. 5, the analysis target period ATW may be defined as a period including event 1 to event 5, excluding event 0. FIG.

Next, the parameter determination unit calculates the time interval (Time Between Incidents; TBI) of each security event in the analysis target period ATW. For example, the parameter determination unit determines the time interval TBI ₁₂ between event 1 and event 2, the time interval TBI ₂₃ between event 2 and event 3, the time interval TBI ₃₄ between event 3 and event 4, and the time interval TBI between event 4 and event 5. ₄₅ may be calculated.

After that, the parameter determination unit calculates the weighted mean WMTBI (Weighted Mean Time Between Incidents) of the time intervals between security events in cyberattacks using Equation 1 below.

Note that the weight w used to calculate the weighted average WMTBI of the time intervals between security events in cyberattacks may be determined by a so-called MCDM (Multiple-criteria decision analysis) algorithm, and is not particularly limited in the present disclosure.

FIG. 6 is a diagram illustrating an example of an attack speed table 600 according to an embodiment of the present disclosure. Attack velocity table 600 is a table for determining the velocity parameter of a cyberattack based on the weighted average WMTBI of the time intervals between security events in the cyberattack.

As shown in FIG. 6, in attack velocity table 600, three different ranges are defined by minimum and maximum values for the weighted average WMTBI of the time interval between security events in a cyberattack. Also, each range is associated with a different velocity parameter.
More specifically, the range from "0" to "ATW/3-MTBI" is associated with the "high" speed parameter. Also, the range from "ATW/3-MTBI" to "ATW/3+MTBI" is associated with the "medium" speed parameter. Also, the range from "ATW/3+MTBI" to "ATW" is associated with the "low" speed parameter. Here, a speed parameter of "high" means that the speed of cyberattacks is relatively fast, and a speed parameter of "low" means that it is relatively aggressive.
Here, “ATW” is the above-described analysis target period, and MTBI (Mean Time Between Incidents) is the average time interval between security events in cyberattacks. This MTBI is obtained by setting the weight w to 1 in Equation 1, for example.

By comparing the value of the weighted average WMTBI of the time interval between security events in the cyber attack calculated by Equation 1 with the range defined in the attack speed table 600 and determining which range it belongs to, the A speed parameter of the attack can be determined.

FIG. 7 is a diagram showing a specific example of an attack speed table 700 according to an embodiment of the present disclosure. As shown in FIG. 7, in attack velocity table 700, three different ranges are defined by minimum and maximum values for the weighted average WMTBI of the time interval between each security event in a cyberattack.
More specifically, the range of "0" to "24 hours" is associated with the "high" speed parameter. The range of "24 hours" to "48 hours" is associated with the "medium" speed parameter. The range of "48 hours" to "72 hours" is associated with the "low" speed parameter.
If the weighted average WMTBI value of the time interval between security events in a cyber attack calculated by Equation 1 is within the range of '0' to '24 hours', the speed parameter of the cyber attack is determined to be 'high'. . When the value of WMTBI is within the range of '24' to '48 hours', the speed parameter of the cyberattack is determined as 'medium'. If the value of WMTBI is within the range of '48' to '72 hours', the speed parameter of the cyberattack is determined to be 'low'.

As explained above, the time interval between security events is calculated based on the detection time of each security event recorded in the data log information obtained from the client environment, and the calculated time interval between security events is used in the attack speed table. By comparing with , it is possible to determine a speed parameter that indicates the progress speed of the cyberattack. By using this speed parameter, it becomes possible to determine the priority taking into consideration the speed at which cyberattacks are progressing, facilitating real-time determination of the optimal countermeasures for minimizing the damage of cyberattacks.

Next, an asset information table according to an embodiment of the present disclosure will be described with reference to FIG.

As described above, the present disclosure uses an asset importance parameter that indicates the importance of an attack target as one of the non-time-dependent parameters for determining the priority of cyberattacks. This asset importance parameter is determined based on the asset information table 800 created from the network structure information obtained from the client environment. FIG. 8 is a diagram illustrating an example of an asset information table 800 according to an embodiment of the present disclosure.

As described above, the asset information table 800 is created based on the network structure information acquired from the client environment, and as shown in FIG. , asset name 802 indicating the name of the computing asset, asset ID 804 indicating the identifier of the computing asset, IP address 806 indicating the IP address of the computing asset, MAC address 808 indicating the MAC address of the computing asset, It may also include gateway 810, which indicates a gateway address, and network class 812, which indicates a network class of the computing asset.

This network class 812 is information indicating the logical position of a particular computing asset in the network, and is determined based on the role of the computing asset, for example. In one embodiment, the network tier of computing assets may be divided into five levels as follows.
Level 0: Devices with physical interfaces such as sensors, relays, connectors, etc. Level 1: Devices for controlling Level 1 devices such as RTU (Remote Terminal Unit), PLC (Programmable Logic Controller), etc. Level 2: Devices for controlling level 2 devices, such as HMI (Human Machine Interface), Supervisory Control Unit, Communication Processor, Real Time Database, etc. Level 3: Devices such as web service servers, firewalls, application databases, etc. Devices for IT management, operations management, and system management Level 4: Devices for managing application business planning and logistics information, such as ICS (Integrated Computer Solutions) web clients and ICS business application clients

As a general rule, the higher the level of network hierarchy, the more important the computing asset is in the network. Therefore, in the present disclosure, the parameter determination unit can determine an importance parameter indicating the importance of the attack target based on the network class of the attack target computing asset.

More specifically, the parameter determination unit compares the attack target information acquired from the client environment with the asset information table 800 created based on the network structure information acquired from the client environment, and determines whether the target has been attacked. Determine the network class of a computing asset. After that, the parameter determination unit determines, based on a predetermined standard, that the network class of the computing asset targeted for attack is one of the three importance parameter levels of "high", "medium", and "low". Decide which one to go with.
As an example, in one embodiment, an attack target with a network class of level 1 has an asset importance parameter of "low", and an attack target with a network class of level 2 or 3 has an asset importance parameter of "medium", An attack target whose network rank is level 4 may be set as a "high" asset importance parameter. Here, an asset importance parameter of "low" means that the computing asset has relatively low importance in the network, and an asset importance parameter of "high" means that the computing asset has a relatively low importance in the network. It means that the importance in is relatively high.

As described above, by comparing the attack target information acquired from the client environment with the asset information table 800 created based on the network structure information acquired from the client environment, the network of computing assets targeted for attack can be determined. Depending on the rank, an importance parameter can be determined that indicates the importance of the network asset. By using this asset importance parameter, it is possible to determine the priority of the computing assets targeted for attack in consideration of their importance in the network, and to make real-time decisions on the optimal countermeasures to minimize the damage of cyberattacks. becomes easier.

Next, a priority evaluation table according to an embodiment of the present disclosure will be described with reference to FIG.

As described above, in the embodiment of the present disclosure, the cyberattack priority is determined based on the speed parameter, the progress parameter, the asset importance parameter, and the priority evaluation table 260 determined by the parameter determination unit described above. determined by This priority evaluation table 260 is a table that associates the speed parameter, progress parameter, and asset importance parameter with the priority of cyberattacks, and is used to determine the priority of a specific cyberattack. The priority evaluation table 260 may be created in advance based on, for example, the criteria of the administrator of the client environment, and stored in the storage unit of the cybersecurity management device.

FIG. 9 is a diagram showing an example of a priority evaluation table 260 according to an embodiment of the present disclosure. As shown in FIG. 9, priority rating table 260 stores progress parameter 262, speed parameter 264, asset importance parameter 266 and priority 268 information. More specifically, in the priority evaluation table 260, for each of the progress parameter 262, speed parameter 264, and asset importance parameter 266, the corresponding priority 268 degrees.
Although FIG. 9 shows an example of the priority evaluation table 260, the present disclosure is not limited to this. It may be changed as appropriate.

After the speed, progress and asset criticality parameters have all been determined for a particular cyberattack, the priority determination unit of the cybersecurity management device uses these parameters and the priority evaluation table 260 to: A priority of the cyber attack can be determined. More specifically, the priority determination unit identifies elements corresponding to the determined values of the speed parameter, the progress parameter, and the asset importance parameter in the priority evaluation table 260, and applies the values described in the identified elements to the cyber Determined as attack priority.
As an example, if it is determined that the progress parameter 262 is “medium”, the speed parameter 264 is “low”, and the asset importance parameter 266 is “high” for a particular cyber attack, the priority 268 of the cyber attack is “medium”. ” is determined.

Thus, by using the velocity parameter, the progress parameter, the asset importance parameter, and the priority evaluation table, the priority of the cyberattack can be determined not only by the non-time-dependent parameters, but also by the real-time progress of the cyberattack. is determined using a time-dependent parameter that indicates Using the velocity parameter, progress parameter, and asset criticality parameter, we can determine the current progress of the cyberattack, how fast the cyberattack is progressing, and the network criticality of the attacked computing assets. This makes it possible to make priority judgments that take account of cyberattacks, making it easier to make real-time judgments about the optimal measures to minimize damage from cyberattacks.

Next, a flow of priority determination processing according to the embodiment of the present disclosure will be described with reference to FIG. 10 .

FIG. 10 is a flow chart showing the flow of priority determination processing 1000 according to an embodiment of the present disclosure. The priority determination process 1000 is a process for determining the priority of cyberattacks, and is performed by each functional unit of the cybersecurity management apparatus shown in FIG. 2, for example.

First, in step S1004, the information acquisition unit of the cybersecurity management device (for example, the information acquisition unit 252 shown in FIG. 2) receives data log information. Here, the information acquisition unit
Datalog information may be obtained from the client environment described above. This datalog information is
Information indicating a security event related to a target of a cyberattack. For example, data log information may include the detection time of each security event, the computing device affected, type, severity, and the like.

Next, in step S1006, the parameter determination unit of the cybersecurity management device (for example, the parameter determination unit 254 shown in FIG. 2) analyzes the data log information received in step S1004 and detects security events corresponding to cyberattacks. do. As described above, a security event here is a process for achieving the purpose of a cyberattack. Generally, one cyber-attack consists of one or more security events. For example, if the cyber attack is a DDoS attack, each data sent to cause server overload is detected as a different "security event" and recorded in the data log information.

Next, in step S1008, the parameter determination unit uses the data log information obtained from the client environment and the attack method table created based on the attack method information 1005 obtained from the security agency to determine the current state of the cyber attack. A progress parameter is determined that indicates the degree of progress in .
Since the details of determining the progress parameter have been described with reference to FIG. 4, the description thereof will be omitted here.

Next, in step S1010, the parameter determination unit determines an importance parameter indicating the importance of the attack target based on the attack target information and the network structure information 1015 acquired from the client environment.
Since the details of determining the importance parameter have been described with reference to FIG. 8, the description thereof will be omitted here.

Next, in step S1012, the parameter determination unit calculates the time interval between security events based on the detection time of each security event recorded in the data log information acquired from the client environment in step S1004.
Since the details of calculating the time interval between security events have been described with reference to FIG. 5, the description thereof will be omitted here.

Next, in step S<b>1014 , the parameter determination unit determines a speed parameter indicating the speed of the cyberattack based on the time interval between security events calculated in step S<b>1012 and the attack speed table 600 .
Since the details of determining the speed parameter have already been described with reference to FIGS. 6 and 7, the description thereof will be omitted here.

Next, in step S1016, the priority determination unit of the cybersecurity management device (for example, the priority determination unit 256 shown in FIG. 2) determines the progress parameter determined in step S1008 and the asset importance parameter determined in step S1010. , the speed parameter determined in step S1014 and the priority evaluation table 260 created in advance are used to determine the priority of the cyberattack.
The details of determining the priority of a cyberattack using the progress parameter, the asset importance parameter, the speed parameter, and the priority evaluation table 260 have been described with reference to FIG. Description is omitted.

Next, in step S1018, the priority determination unit transmits priority information indicating the cyber attack priority calculated in step S1016 to the client environment. This priority information may be sent in real-time, for example before the cyber-attack is finished. This makes it possible to determine and implement optimal cyberattack countermeasures as cyberattacks progress in real time.

Next, in step S1020, if the information acquisition unit receives additional information (for example, the latest data log information, updated attack target information, network structure information, or attack method information), the process returns to step S1004, Additional information is processed in steps S1006-S1016.

According to the priority determination processing 1000 described above, the priority of a cyber attack is determined using not only non-time-dependent parameters but also time-dependent parameters that indicate the real-time progress of a cyber attack. It is possible to facilitate the determination of the optimum countermeasures for minimizing the damage.

Next, a user interface according to an embodiment of the present disclosure will be described with reference to FIGS. 11 to 14. FIG. Each of the screens shown in FIGS. 11-14 may be displayed on a display (not shown in FIG. 2) or the like connected to cybersecurity management device 250 or client environment 220 .

FIG. 11 is a diagram showing an asset importance confirmation screen 1100 for confirming asset importance according to an embodiment of the present disclosure. As shown in FIG. 11 , asset importance confirmation screen 1100 includes network configuration window 1110 , screen switching window 1120 , and data log information table 1130 .

Network configuration window 1110 displays the network configuration of the network (eg, client environment 220 shown in FIG. 2) that includes the computing assets targeted by the cyberattack. As noted above, in one embodiment, the network configuration of this network is displayed divided into network tiers of varying relative importance. As an example, the network configuration of this network may be divided into three classes of importance: "high", "medium", and "low". Assets that have been attacked may then be highlighted in the network configuration divided by importance. As a result, a user who browses the asset importance confirmation screen 1100 can easily confirm the importance of the attack target computing asset.

The screen switching window 1120 displays buttons for switching to the asset importance confirmation screen, attack speed confirmation screen, attack progress confirmation screen, and attack priority confirmation screen. The user can switch to a desired confirmation screen by pressing any button.

The data log information table 1130 displays the data log information acquired for the computing asset targeted by the cyber attack. For example, as shown in FIG. 11, this data log information table 1130 includes the detection time of each security event in a cyberattack, target device, type of data log, attack method, and target computing assets. may include information such as the importance of According to the data log information table 1130, the user can check the information about the ongoing cyber attack in real time.

FIG. 12 is a diagram showing an attack progress confirmation screen 1200 for confirming the degree of progress of a cyber attack according to an embodiment of the present disclosure. As shown in FIG. 12 , the attack progress confirmation screen 1200 includes an attack method information display window 1210 , a screen switching window 1120 and a data log information table 1130 .

Attack method information display window 1210 displays attack method information for specifying the attack method of a cyber attack. The attack method information displayed in this attack method information display window 1210 is information acquired from, for example, the above-described security agency (for example, the security agency 210 shown in FIG. 2), and is substantially similar to the attack method table 400 shown in FIG. may be similar information. As shown in FIG. 12, in the attack technique information display window 1210, the attack technique used in the ongoing cyberattack may be highlighted. As described above, these attack techniques are one of the indicators of the progress of cyberattacks. Therefore, the user viewing the attack progress confirmation screen 1200 can easily confirm the degree of progress of the cyber attack.

FIG. 13 is a diagram showing an attack speed confirmation screen 1300 for confirming the speed of cyberattacks according to an embodiment of the present disclosure. As shown in FIG. 13 , attack speed confirmation screen 1300 includes cyber attack speed window 1310 , screen switching window 1120 , and data log information table 1130 .

In the cyberattack speed window 1310, transition of time intervals of security events in cyberattacks is displayed in graph form. As described above, the time interval between security events in cyberattacks is one of the indicators of the progress speed of cyberattacks. In some embodiments, the graph displayed in the cyberattack velocity window 1310 may be divided into three tiers of cyberattack velocity: "high", "medium", and "low". These stages may be separated by color. In this way, the user viewing the attack speed confirmation screen 1300 can easily confirm the speed of the cyber attack.

FIG. 14 is a diagram showing a priority confirmation screen 1400 for confirming the priority of cyberattacks according to an embodiment of the present disclosure. As shown in FIG. 14, the priority confirmation screen 1400 includes a priority evaluation window 1410 showing a priority evaluation table, a screen switching window 1120, and a data log information table 1130. FIG.

A priority evaluation table is displayed in the priority evaluation window 1410 . This priority evaluation table is, for example, a table used to determine the priority of cyberattacks, as described above. As shown in FIG. 14, in an embodiment, the cyberattack evaluation result (that is, priority information indicating priority) may be reflected in a priority evaluation table. As a result, the user viewing the priority confirmation screen 1400 can confirm the priority determination results for each time-dependent parameter and non-time-dependent parameter.

According to the user interfaces shown in FIGS. 11 to 14 described above, the user can confirm in real time each of the time-dependent parameters and non-time-dependent parameters that characterize cyberattacks.

Aspects of the present invention may be embodied in any form such as an apparatus, method, system, or program. In one embodiment, the present invention may be implemented as a program that is installed in any computing environment from a storage medium of an external device, via a communication network, or via a portable storage medium.
In this case, one aspect of the present invention provides, as attack evaluation information for evaluating a cyberattack against an attack target that is a target of a cyberattack, data log information indicating a security event in the cyberattack, and an attack method of the cyberattack. acquiring attack method information for identifying the attack target, attack target information about the attack target, and network structure information indicating a network structure including the attack target; and based on the data log information, the security event calculating a time interval; determining, based on the security event time interval, a speed parameter indicating the progress speed of the cyber attack; and determining the attack method of the cyber attack, based on the attack method information. determining a progression parameter indicating the degree of progress of the cyber attack based on the determined attack technique; attack target information about the attack target; and a network structure indicating a network structure including the attack target. determining a network class in the network structure of the attack target based on the information; and determining an asset importance parameter indicating importance of the attack target based on the determined network class of the attack target. , a priority evaluation table that associates the speed of progress of the cyber attack, the degree of progress of the cyber attack, and the importance of the attack target with the priority of the cyber attack; the speed parameter, the progress parameter, and the asset importance; determining the priority of the cyberattack based on a degree parameter; and generating and outputting priority information indicating the determined priority before the cyberattack ends. It may also include a storage medium storing a computer program for causing.

Although the embodiments of the present invention have been described above, the present invention is not limited to the above-described embodiments, and various modifications are possible without departing from the gist of the present invention.

200 cyber security management system 210 security agency 212 server device 220 client environment 221, 222, 223 client device 230 communication network 250 cyber security management device 252 information acquisition unit 254 parameter determination unit 256 priority determination unit 258 storage unit 260 priority evaluation table

Claims (9)

A cybersecurity management device,
an information acquisition unit that acquires attack evaluation information for evaluating a cyberattack against an attack target that is the target of a cyberattack;
a parameter determination unit that determines, based on the attack evaluation information, a time-dependent parameter that depends on time and a non-time-dependent parameter that does not depend on time as evaluation criteria for evaluating the cyber attack;
a priority determination unit that determines the priority of the cyber attack based on the time-dependent parameter and the non-time-dependent parameter;
A cyber security management device comprising: The information acquisition unit
As the attack evaluation information,
data log information indicating security events in the cyberattack against the attack target;
Attack method information for identifying the attack method of the cyber attack;
attack target information about the attack target; network structure information indicating a network structure including the attack target;
The cybersecurity management device according to claim 1, characterized in that it acquires The parameter determination unit is
calculating a time interval for the security event based on the datalog information;
Based on the time interval of the security event, determine a speed parameter indicating the progress speed of the cyber attack as the time-dependent parameter;
The cyber security management device according to claim 2, characterized by: The parameter determination unit is
Based on the attack method information, determine the attack method of the cyber attack,
Determining a progress parameter indicating the degree of progress of the cyber attack as the time-dependent parameter based on the determined attack technique;
The cyber security management device according to claim 3, characterized in that: The parameter determination unit is
Determining a network class in the network structure of the attack target based on attack target information about the attack target and network structure information indicating a network structure including the attack target,
Determining an asset importance parameter indicating the importance of the attack target as the non-time-dependent parameter based on the determined network class of the attack target;
The cyber security management device according to claim 4, characterized in that: The cybersecurity management device,
further comprising a storage unit that stores a priority evaluation table that associates the progress speed of the cyber attack, the degree of progress of the cyber attack, and the importance of the attack target with the priority of the cyber attack,
The priority determination unit,
determining the priority of the cyber attack by comparing the velocity parameter, the progression parameter, and the asset importance parameter to the priority evaluation table;
The cyber security management device according to claim 5, characterized in that: The priority determination unit,
generating and outputting priority information indicating the priority of the cyber attack before the cyber attack ends;
The cyber security management device according to claim 1, characterized by: A cybersecurity management method comprising:
As attack evaluation information for evaluating a cyber attack against an attack target that is a target of a cyber attack, data log information indicating security events in the cyber attack, attack method information for specifying the attack method of the cyber attack, acquiring attack target information about the attack target and network structure information indicating a network structure including the attack target;
calculating a time interval between the security events based on the datalog information;
determining a velocity parameter indicative of a rate of progress of the cyber-attack based on the time interval of the security events;
a step of determining an attack method of the cyber attack based on the attack method information;
Determining a progress parameter indicating the degree of progress of the cyber attack based on the determined attack technique;
Determining a network class in a network structure of the attack target based on attack target information about the attack target and network structure information indicating a network structure including the attack target;
Determining an asset importance parameter indicating the importance of the attack target based on the determined network class of the attack target;
a priority evaluation table that associates the speed of progress of the cyber attack, the degree of progress of the cyber attack, and the importance of the attack target with the priority of the cyber attack; the speed parameter, the progress parameter, and the asset importance; determining the priority of the cyberattack based on a parameter;
a step of generating and outputting priority information indicating the determined priority before the cyber attack ends;
A cyber security management method comprising: A cyber security management system,
a security agency server device that provides information for countering cyber attacks;
a client device to be attacked by a cyber attack;
a cyber security manager for determining the priority of cyber attacks;
including
The cybersecurity management device,
Acquiring data log information indicating a security event in the cyber attack from the client device as attack evaluation information for evaluating the cyber attack against the target of the cyber attack,
Acquiring attack method information for identifying the attack method of the cyber attack from the security authority server device;
attack target information about the attack target, network structure information indicating a network structure including the attack target, and an information acquisition unit acquired from the client device;
calculating a time interval of the security event based on the data log information; determining a speed parameter indicative of a speed of progression of the cyber attack based on the time interval of the security event;
Determining an attack method of the cyber attack based on the attack method information, determining a progress parameter indicating the degree of progress of the cyber attack based on the determined attack method,
determining a network class in the network structure of the attack target based on attack target information about the attack target and network structure information indicating a network structure including the attack target; and based on the determined network class of the attack target , a parameter determination unit that determines an asset importance parameter indicating the importance of the attack target;
a priority evaluation table that associates the speed of progress of the cyber attack, the degree of progress of the cyber attack, and the importance of the attack target with the priority of the cyber attack; the speed parameter, the progress parameter, and the asset importance; determining the priority of the cyberattack based on the parameters;
a priority determination unit that generates priority information indicating the determined priority before the cyber attack ends and transmits the priority information to the client device;
A cyber security management system comprising:

Images