JP2023023000A - Apparatus and method for managing signature - Google Patents

Abstract

To appropriately carrying out security management using a signature while taking account of effects upon business.SOLUTION: An apparatus for managing a signature is allowed to acquire threat information, generate a candidate signature that is a candidate of a signature to be applied to security management at a scene where business is to be carried out, based on the threat information acquired, acquire business information that is information about business at the scene, determine an affection degree that is a value indicative of an effect degree on business if the candidate signature is applied to security management based on the business information, determine an applicability/non-applicability of the candidate signature to the security management based on the effect degree, and output information indicative of the applicability/non-applicability determined. The apparatus for managing a signature automatically generates a candidate signature based on object-of-signaturizing information that is information obtained by analyzing threat information.SELECTED DRAWING: Figure 2

Description

The present invention relates to a signature management device and a signature management method.

Patent Document 1 describes a system that analyzes communication packets and identifies device types and device names by signature matching, and a system that controls communication using a blacklist, such as a firewall, for the purpose of appropriately controlling application communication. A communication terminal device configured as a The communication terminal device acquires communication of the application, controls the communication of the application based on the first control condition, analyzes the communication acquired by the acquisition control unit, and determines whether the application is subject to communication control. generating a first control condition based on a normal communication range of an application subject to communication control, and transmitting at least part of first shared information including identification information of the application and the first control condition to another communication terminal; Send to device.

Patent Literature 2 describes an unauthorized communication inspection device configured for the purpose of accurately inspecting communication data generated in a network and reliably preventing unauthorized communication. The unauthorized communication inspection device obtains from the engineering station via the communication function unit, etc., an operation definition, which is an operation definition that should be followed by devices that communicate using the control network, and a controller setting program, and based on this operation definition , generate an inspection definition that defines normal communication data, inspect communication data acquired from the control network, permit only communication data defined by the inspection definition, and record the acquired communication data.

Non-Patent Document 1 describes a suspected common subgraph shared among known instances of a malware family (shared among multiple applications in terms of calling relationships between components and their semantic metadata (data flow properties, etc.)). It describes detecting malware by searching for (description of the functionality of a particular malware family) and determining if an application matches a semantic signature that characterizes a particular malware family.

In Non-Patent Document 2, by analyzing the structural similarity of traces of malicious HTTP traffic, we identify similarities between malware that may not be captured in the current situation, and thereby detect malware at the network level. A system for clustering and automatically generating high-quality signatures is described.

JP 2020-135655 A Japanese Unexamined Patent Application Publication No. 2016-201603

Yu Feng, Osbert Bastani, Ruben Martins, Isil Dillig, Saswat Anand: Automated Synthesis of Semantic Malware Signatures using Maximum Satisfiability, NDSS 2017, [online], 2021-7-14 Search, URL<https://www.ndss-symposium .org/ndss2017/ndss-2017-programme/automated-synthesis-semantic-malware-signatures-using-maximum-satisfiability/> Roberto Perdisci, Wenke Lee, and Nick Feamster: Behavioral clustering of HTTP-based malware and signature generation using malicious network traces, OSDI 2010, [online], 2021-7-14 search, URL<https://dl.acm.org /doi/abs/10.5555/1855711.1855737>

As described in patent documents and non-patent documents, as a mechanism for security management against malicious behavior (attacks) caused by malware and unauthorized access, signatures (characteristic data contained in information describing communication data) to detect security incidents and take countermeasures.

However, if signatures are used to mechanically detect malicious behavior and countermeasures are taken, it may have an excessive impact on on-site operations. For example, when a benign behavior is erroneously detected as a malignant behavior, taking countermeasures such as blocking communication unnecessarily affects on-site operations. Therefore, in security management using signatures, it is required to take appropriate measures while considering the impact on business. On the other hand, the evaluation of the impact of the measures to be taken on the business needs to be done carefully by a person who has sufficient knowledge of the business and the information processing system at the site. is high. It should be noted that none of the patent documents and non-patent documents mention consideration of the impact on business in security management using signatures.

SUMMARY OF THE INVENTION The present invention has been made in view of such a background, and provides a signature management apparatus and signature management method capable of appropriately performing security management using signatures while considering the impact on business. for the purpose.

One of the present inventions for achieving the above object is a signature management device, which is configured using an information processing device having a processor and a storage device, and includes a threat information acquisition unit for acquiring threat information; a candidate signature generation unit that generates a candidate signature that is a candidate for a signature applied to security management at a site where work is performed, a business information acquisition unit that acquires business information that is information related to the business, and the candidate a business impact evaluation unit that obtains, based on the business information, an impact, which is a value indicating the degree of impact on the business when the signature is applied to the security management, and the security management of the candidate signature based on the impact. and a signature information providing unit for outputting the determination result of whether or not to apply the signature.

In addition, the problems disclosed by the present application and their solutions will be clarified by the description of the mode for carrying out the invention and the drawings.

Advantageous Effects of Invention According to the present invention, security management using signatures can be appropriately performed while considering the impact on business.

1 is a diagram showing a schematic configuration of an information processing system shown as a first embodiment; FIG. FIG. 2 is a diagram showing main functions of the signature management device of the first embodiment; FIG. It is an example of a threat information acquisition destination management table in the first embodiment. It is an example of candidate signature information in the first embodiment. It is a configuration example of an information processing device used to realize a signature management device. 6 is a flowchart for explaining signature generation processing in the first embodiment; FIG. 10 is a flowchart for explaining the details of business impact degree evaluation processing; FIG. FIG. 10 is a flowchart for explaining the details of a signature application propriety determination process; FIG. 4 is a flowchart for explaining details of signature application processing; 9 is a flowchart for explaining signature information providing processing; It is an example of a signature information provision screen. FIG. 10 is a diagram showing main functions of a signature management device according to the second embodiment; FIG. It is an example of a threat information acquisition source management table in the second embodiment. It is an example of the threat information analysis result in 2nd Embodiment. FIG. 11 is a flowchart for explaining signature generation processing in the second embodiment; FIG. 10 is a flowchart for explaining the details of threat information analysis processing; FIG. 11 is a flowchart illustrating details of candidate signature generation processing; FIG.

Hereinafter, embodiments will be described with reference to the drawings. The following description and drawings are examples for explaining the present invention, and are appropriately omitted and simplified for clarity of explanation. The present invention can also be implemented in various other forms. Unless otherwise specified, each component may be singular or plural.

In the following description, the same or similar configurations may be denoted by the same reference numerals, and redundant description may be omitted. In the following description, the letter "S" attached before the reference sign means a processing step. In the following description, notations such as "first" and "second" are used to identify constituent elements, and do not necessarily limit the number or order. In the following description, various types of information may be described using expressions such as “table” and “information”, but the information may be expressed in a data structure other than these. In the following description, "application software" is abbreviated as "application".

[First embodiment]
FIG. 1 shows a schematic configuration of an information processing system 1 shown as the first embodiment. The information processing system 1 includes a plurality of information processing devices (computers) connected to an internal network 51, which is an internal communication network of an organization such as a company or government office. The information processing system 1 is also connected to a DMZ 53 (DMZ: DeMilitarized Zone), which is a communication network interposed between an external network 52 (including the Internet), which is a communication network outside the organization, and the internal network 51. It includes one or more information processing devices.

The internal network 51 and the DMZ 53 are wired or wireless communication networks, such as LANs (Local Area Networks) and WANs (Wide Area Networks). As shown in the figure, a large number of internal devices 2, intrusion detection/prevention devices 3, and signature management device 100 are connected to an internal network 51. FIG. A proxy server 4 is connected to the DMZ 53 .

Each of the internal devices 2 is an information processing device (computer). A device (application server, database server, etc.).

The signature management device 100 is an information processing device that uses signatures to perform on-site security management (detection and countermeasures against security incidents) of the internal network 51 and the like. The signature management device 100 acquires information including malware signatures (hereinafter referred to as "threat information") from an information acquisition source 6 such as a Web server on the Internet via an external network 52, and stores the acquired threat information. Based on this, candidate signatures (hereinafter referred to as “candidate signatures”) to be used for detecting security incidents (including detection of signs of security incidents; the same shall apply hereinafter) in the internal network 51 and DMZ 53 are generated. The signature management device 100 evaluates the degree of impact on the operations of the organization when the generated candidate signatures are applied to the above security management. The signature management device 100 determines whether or not to apply the candidate signature based on the degree of impact, and uses the candidate signature as a signature to be used for on-site security management according to the result of the determination. provide to

The intrusion detection/prevention system 3 (IDS: Intrusion Detection System, IPS: Intrusion prevention system) acquires and monitors communications in the internal network 51 by means of packet capture or the like, thereby detecting security incidents and detecting security incidents. Notify administrators of information related to security incidents, and take countermeasures against detected security incidents (interruption of communication, removal of malware, etc.). The intrusion detection/prevention device 3 uses signatures provided by the signature management device 100 to detect security incidents.

The proxy server 4 is, for example, a forward proxy that acts as a proxy for requests from the internal device 2 of the internal network 51 to the information processing device connected to the external network 52 , and a proxy server that forwards requests from the information processing device connected to the external network 52 to the internal network 51 . functions as a reverse proxy that substitutes requests to the internal device 2 of the . The proxy server 4 detects a security incident by monitoring communication performed via the DMZ 53, notifies the administrator of information about the detected security incident, and implements countermeasures against the detected security incident (blocking of communication, malware extermination, etc.). The proxy server 4 uses signatures provided by the signature management device 100 to detect security incidents.

FIG. 2 is a block diagram showing main functions of the signature management device 100. As shown in FIG. As shown in the figure, the signature management device 100 includes a storage unit 110, a threat information acquisition unit 120, a candidate signature generation unit 125, a business information acquisition unit 130, a business impact evaluation unit 135, a signature application appropriateness determination unit 140, and It has each function of the signature information providing unit 150 .

Among the functions described above, the storage unit 110 stores a threat information acquisition destination management table 111 , threat information 112 , candidate signature information 113 , and business information 114 .

Of these, the threat information acquisition source management table 111 manages information related to the information acquisition source 6 from which threat information is acquired. The contents of the threat information acquisition destination management table 111 are set by, for example, an administrator of the signature management device 100 via a user interface provided by the signature management device 100 . In this embodiment, the threat information acquisition source management table 111 manages information of information acquisition sources 6 (security vendors, etc.) that provide threat information including signatures themselves.

The threat information 112 manages threat information acquired by the threat information acquisition unit 120 from the information acquisition source 6, threat information registered by an administrator or the like via a user interface, and the like.

The candidate signature information 113 manages information about candidate signatures generated based on threat information.

The work information 114 manages information used to evaluate the degree of impact on the organization's work when the candidate signature is applied to security management at the site. The business information 114 is, for example,
They are information captured in the internal network 51 (hereinafter referred to as "communication log"), system logs and application logs managed in the internal device 2 (hereinafter referred to as "apparatus log").

Among the functions shown in FIG. 2, the threat information acquisition unit 120 accesses the information acquisition source 6 managed in the threat information acquisition source management table 111, acquires the threat information provided by the information acquisition source 6, and acquires The obtained threat information is managed as threat information 112 . The threat information acquisition unit 120 may receive threat information input from an administrator or the like via a user interface and manage the received threat information as the threat information 112 .

Candidate signature generator 125 generates candidate signatures based on threat information 112 and manages the generated candidate signatures as candidate signature information 113 . In the first embodiment, the threat information 112 contains the signature itself, and the candidate signature generation unit 125 generates the signature itself as the candidate signature.

The business information acquisition unit 130 acquires business information from the internal device 2 or the like, and manages the acquired business information as the business information 114 . Note that the business information acquisition unit 130 may receive input of business information from an administrator or the like via a user interface and manage the received business information as the business information 114 .

The business impact evaluation unit 135 obtains the impact of the candidate signature based on the business information 114 and reflects the obtained impact in the candidate signature information 113 . For example, the business impact evaluation unit 135 estimates the magnitude of the impact on the internal network 51 when countermeasures (interruption of communication, removal of malware, etc.) were taken in the past against the behavior of candidate signatures or signatures similar to candidate signatures. Calculated as impact. The business impact evaluation unit 135 evaluates the magnitude of the impact, for example, based on the history of the impact on business when candidate signatures are applied to on-site security management, which are obtained from communication logs and device logs, which are business information. Ask from Specific examples of the magnitude of the above-mentioned influence include the blocking rate of access from the internal device 2 to the Web server of the external network 52, the rate of decrease in the average communication speed of the internal network 51, the rate of decrease in response, and the number of applications that become unusable. There is a ratio to all applications that are operated in the field, and so on.

The signature applicability judging unit 140 judges whether the candidate signatures managed in the candidate signature information 113 are applicable to on-site security management, and reflects the judgment result in the candidate signature information 113 .

The signature application unit 145 determines (determines) whether or not to provide the candidate signature to the intrusion detection/prevention device 3 or the proxy server 4 according to the contents of the application yes/no 1135 of the candidate signature information 113. Send candidate signatures to intrusion detection/prevention device 3 or proxy server 4 .

The signature information providing unit 150 provides the content of the candidate signature information 113 to a user such as an administrator via a user interface.

<Data example>
FIG. 3A shows an example of the threat information acquisition source management table 111. As shown in FIG. The illustrated threat information acquisition source management table 111 includes a plurality of records (entries) having respective items (fields) of acquisition source ID 1111, name 1112, type 1113, location 1114, last acquisition date and time 1115, and acquisition frequency 1116. One of the records in the threat information acquisition source management table 111 corresponds to one of the information acquisition sources 6 .

Of the above items, the acquisition source ID 1111 stores the identifier of the information acquisition source 6 (hereinafter referred to as “acquisition source ID”; in this example, “0”, “1”, etc.).

The name 1112 stores the name of the information acquisition source 6 ("signature 1", "signature 2", etc. in this example).

The type 1113 stores information indicating the type of the information acquisition source 6 ("signature distribution site" in this example).

The location 1114 stores the location of the information acquisition source 6 (in this example, the URL (Uniform Resource Locator) of the information acquisition source 6).

The most recent date and time when the information was acquired from the information acquisition source 6 is stored in the last acquisition date and time 1115 . Note that the data format of the date and time is not necessarily limited, and any data format such as Unixtime in which the date and time can be determined can be used.

The acquisition frequency 1116 stores information indicating the frequency of acquiring threat information from the information acquisition source 6 (every 3 hours, 48 hours, etc.).

An example of candidate signature information 113 is shown in FIG. 3B. The candidate signature information 113 illustrated includes a plurality of records (entries) having respective items (fields) of signature ID 1131 , date and time of generation 1132 , signature 1133 , degree of impact 1134 , whether or not to apply 1135 , and application status 1136 . One of the records in candidate signature information 113 corresponds to one of the candidate signatures.

Among the above items, the signature ID 1131 stores identifiers of candidate signatures (hereinafter referred to as “signature IDs”).

The date and time of generation 1132 stores the date and time when the candidate signature was generated by the candidate signature generator 125 . Note that the data format of the date and time is not necessarily limited, and any data format such as Unixtime in which the date and time can be determined can be used.

The signature 1133 stores the content (entity) of the candidate signature (".*/mal/index.html", "rule.example.com", "example.com/sig", etc. in this example). . Note that the type and format of the signature are not necessarily limited as long as it can detect and block what contributes to an attack. Other examples of signatures include paths and registries accessed by malware, paths of files created/deleted by malware, and characteristics of binary strings of malware itself.

The impact level 1134 stores the impact level (eg, "0.1%", "40.0%", etc. in this example) evaluated by the business impact level evaluation unit 135 for the candidate signature. Note that the data format of the degree of influence is not necessarily limited.

In the applicability 1135, information indicating the result of determination by the signature applicability determining unit 140 as to whether or not the candidate signature is applicable to security management at the site is set. In this example, if the candidate signature is determined to be applicable (yes) by the signature application judging unit 140, "yes" is determined, and if the candidate signature should not be applied (no). otherwise, "no" is set. Note that when it is determined that the candidate signature should not be applied (not applicable), for example, the degree of impact when the candidate signature is applied to on-site security management is extremely large, and there is a high possibility of impeding normal operations.

The application status 1136 is set with information indicating whether or not the candidate signature is currently applied to on-site security management. In this example, "yes" is set if the candidate signature is currently applied to security management in the field, and "no" is set if it is not applied.

<Hardware configuration example>
FIG. 4 shows an example of the hardware configuration of an information processing device (computer) used to implement the signature management device 100. As shown in FIG.

The illustrated information processing apparatus 10 includes a processor 11 , a main storage device 12 (memory), an auxiliary storage device 13 (external storage device), an input device 14 , an output device 15 and a communication device 16 . These are communicably connected via a bus, a communication cable, or the like. Examples of the information processing device 10 include a personal computer, a server device, a smart phone, a tablet, a general-purpose machine (mainframe), and the like.

The information processing apparatus 10 uses virtual information processing resources, all or part of which are provided using virtualization technology, process space separation technology, etc., such as virtual servers provided by a cloud system. It may be realized by Further, all or part of the functions provided by the information processing apparatus 10 may be realized by services provided by the cloud system via an API (Application Programming Interface) or the like, for example.
Further, all or part of the functions provided by the information processing device 10 are realized using, for example, SaaS (Software as a Service), PaaS (Platform as a Service), IaaS (Infrastructure as a Service), etc. can be anything. The signature management device 100 may be realized as a function of the proxy server 4 or the intrusion detection/prevention device 3, for example.

The processor 11 is, for example, a CPU (Central Processing Unit), MPU (Micro Processing Unit), GPU (Graphics Processing Unit), FPGA (Field Programmable
Gate Array), ASIC (Application Specific Integrated Circuit), AI (Artificial Intelligence) chip, and the like.

The main storage device 12 is a device that stores programs and data, and is, for example, a ROM (Read
Only Memory), RAM (Random Access Memory), nonvolatile memory (NVRAM (Non Volatile RAM)), and the like. The functions realized by the constituent elements of the signature management device 100 are realized by the processor 11 reading and executing programs stored (stored) in the main storage device 12 .

The auxiliary storage device 13 is, for example, an SSD (Solid State Drive), a hard disk drive, an optical storage device (CD (Compact Disc), DVD (Digital Versatile Disc), etc.), a storage system, an IC card, an SD card, or an optical recording device. Examples include reading/writing devices for non-temporary recording media such as media, and non-temporary storage areas of cloud servers. Programs and data can be read into the auxiliary storage device 13 from another information processing device having a non-temporary recording medium or a non-temporary storage device via a recording medium reading device or communication device 16. . Programs and data stored (stored) in the auxiliary storage device 13 are read into the main storage device 12 at any time.

The input device 14 is an interface that accepts input of information from the outside, and includes, for example, a keyboard, mouse, touch panel, card reader, pen-input tablet, voice input device, and the like.

The output device 15 is an interface that outputs various types of information such as processing progress and processing results to the outside. The output device 15 is, for example, a display device (liquid crystal monitor, LCD (Liquid Crystal Display), graphic card, etc.) that visualizes the above various information, a device (audio output device (speaker, etc.)) that converts the above various information into sound. , a device (printing device, etc.) that converts the above various information into characters. For example, the information processing device 10 may be configured to input and output information with another device via the communication device 16 .

The input device 14 and the output device 15 constitute a user interface that realizes interactive processing (acceptance of information, provision of information, etc.) with the user.

The communication device 16 is a device that realizes communication with other devices. The communication device 16 is a wired or wireless communication interface that realizes communication with another device via the communication medium 5, and includes, for example, a NIC (Network Interface Card), a wireless communication module, a USB module, and the like. is.

For example, an operating system, a file system, a DBMS (DataBase Management System) (relational database, NoSQL, etc.), a KVS (Key-Value Store), etc. may be installed in the information processing apparatus 10 .

Next, processing performed by the signature management device 100 will be described.

<Signature generation processing>
FIG. 5A illustrates a process performed by the signature management device 100 to generate signatures (candidate signatures) based on threat information and apply them to on-site security management (hereinafter referred to as "signature generation process S500"). It is a flow chart. The signature management apparatus 100 executes the signature generation process S500, for example, when an execution instruction is received from a user such as an administrator via a user interface, or when a preset timing (periodic, etc.) arrives. Execute. The signature generation processing S500 will be described below with reference to FIG.

First, the threat information acquisition unit 120 of the signature management device 100 accesses the information acquisition source 6 with reference to the threat information acquisition source management table 111, and acquires one or more pieces of threat information (S511). The threat information acquisition unit 120 accesses the information acquisition source 6 at the timing specified by the content of the last acquisition date 1115 and the acquisition frequency 1116 of the threat information acquisition source management table 111 .

Subsequently, the candidate signature generation unit 125 determines whether or not the threat information acquired in S511 is new information (S512). Candidate signature generation unit 125 determines that the acquired threat information is new if, for example, the time stamp attached to the acquired threat information is later than the last update date and time of the threat information. For example, the candidate signature generation unit 125 accumulates and manages the threat information acquired each time, and if the acquired threat information is not included in the accumulated and managed threat information, the acquired threat information is Determined to be new. If the candidate signature generation unit 125 determines that the threat information acquired in S511 is new information (S512: YES), the process proceeds to S513. On the other hand, if the candidate signature generation unit 125 determines that the threat information acquired in S511 is not new information (S512: NO), the signature generation processing S500 ends.

In S<b>513 , the candidate signature generation unit 125 manages (stores) the threat information determined to be new in S<b>512 as the threat information 112 .

Subsequently, the candidate signature generation unit 125 generates candidate signatures based on the new threat information acquired in S511 (S514). In this embodiment, the candidate signature generator 125 generates the signature itself included in the new threat information as the candidate signature. Candidate signature generator 125 manages the generated candidate signatures as candidate signature information 113 .

Subsequently, the signature management apparatus 100 sequentially selects one or more candidate signatures based on the one or more pieces of new threat information acquired in S511, and executes loop processing from S515S to S515E.

First, the business impact evaluation unit 135 of the signature management device 100 obtains the impact of the candidate signature by comparing the candidate signature being selected with the business information, and reflects the obtained impact in the candidate signature information 113 (S520). ). The details of this process (hereinafter referred to as "business impact evaluation process S520") will be described later.

Subsequently, the signature applicability judgment unit 140 judges whether the candidate signatures managed in the candidate signature information 113 are applicable to security management at the site, and the judgment result is reflected in the application propriety 1135 of the candidate signature information 113. (S530). The details of this process (hereinafter referred to as "signature application propriety determination process S530") will be described later.

Subsequently, the signature applying unit 145 determines whether or not the content of the application whether or not to apply the selected candidate signature 1135 is "yes" (S516). If the content of whether to apply 1135 is "yes" (S516: yes), the process proceeds to S540. End the process.

In S<b>540 , the signature application unit 145 performs processing for transmitting the currently selected candidate signature to the intrusion detection/prevention device 3 and the proxy server 4 . The details of this process (hereinafter referred to as "signature application process S540") will be described later.

When the processing of S515S to S515E ends, the signature generation processing S500 ends.

FIG. 5B is a flowchart for explaining the details of the business impact level evaluation process S520 in FIG. 5A. The business impact degree evaluation processing S520 will be described below with reference to FIG.

First, the business impact evaluation unit 135 compares the candidate signature being selected with the business information, and obtains the impact of the candidate signature (S521).

Subsequently, the business impact evaluation unit 135 stores the determined impact in the candidate signature impact 1134 of the candidate signature information 113 (S522).

FIG. 5C is a flowchart for explaining the details of the signature application propriety determination process S530 in FIG. 5A. The signature application propriety determination processing S530 will be described below with reference to FIG.

First, the signature application advisability determination unit 140 determines whether the candidate signature being selected is applicable to security management at the site based on the contents stored in the impact level 1134 of the candidate signature information 113 (S531). For example, if the value stored in the degree of influence 1134 is equal to or less than a preset threshold, the signature application propriety determination unit 140 determines that the signature can be applied (yes), and if the value exceeds the threshold, the signature can be applied. It is determined that it should not be (non).

Note that the signature management apparatus 100 may provide a user interface for a user such as an administrator to set the threshold. By using this function, the user can easily set the threshold, and can easily adjust the threshold to a value suitable for the situation and needs of the site.

Subsequently, the signature application propriety determination unit 140 stores the result of the above determination in the application propriety 1135 of the candidate signature information 113 (S532).

FIG. 5D is a flowchart illustrating details of the signature application process S540 of FIG. 5A. It is assumed that the candidate signature application status 1136 of the candidate signature information 113 is prestored with "no" as a default value. The signature application processing S540 will be described below with reference to FIG.

As shown in the figure, the signature application unit 145 first transmits the candidate signature being selected to the intrusion detection/prevention device 3 and the proxy server 4 (S541).

Subsequently, the signature application unit 145 stores “yes” in the candidate signature application status 1136 of the candidate signature information 113 .

<Signature information provision processing>
The signature information providing unit 150 of the signature management apparatus 100 shown in FIG. 2 provides the content of the candidate signature information 113 set by the above processing to a user such as an administrator via a user interface.

FIG. 6 is a flowchart for explaining the processing (hereinafter referred to as "signature information providing processing S600") performed by the signature information providing unit 150 when providing signature information. The signature information provision processing S600 will be described below with reference to FIG.

The signature information providing unit 150 monitors in real time whether or not a request for providing signature information has been received from the user (S611). When the signature information provision unit 150 receives a signature information provision request from the user (S611: YES), the processing from S612 is performed.

At S<b>612 , the signature information providing unit 150 acquires the content of the candidate signature information 113 .

Subsequently, the signature information provision unit 150 generates a screen for displaying the acquired content (hereinafter referred to as “signature information provision screen 700”) based on the obtained content (S613), and the generated signature information provision screen 700 is displayed through the user interface (S614).

FIG. 7 shows an example of a signature information providing screen 700. As shown in FIG. The exemplary signature information providing screen 700 describes the contents of the candidate signature information 113 illustrated in FIG. 3B (signature ID, date and time of generation, signature, degree of influence, applicability, application status). By referring to the signature information provision screen 700, the user can see what kind of signature is currently being applied, and if a security incident is detected based on the applied signature and countermeasures are taken, what kind of impact will it have? You can easily see what happens. In addition, the user can use the signature information providing screen 700 to improve the efficiency of signature-related work. Note that the form of the signature information provision screen 700 is not necessarily limited to that shown in FIG. For example, the signature information providing screen 700 may further display other information about the signature.

As described above, the signature management device 100 of the present embodiment evaluates the degree of impact on organizational operations when candidate signatures are applied, and applies candidate signatures to on-site security management based on the degree of impact. judge right or wrong. Further, the signature management device 100 provides the candidate signatures to the intrusion detection/prevention device 3 and the proxy server 4 as signatures to be used for detecting security incidents on the internal network 51 according to the result of the determination. Therefore, for example, it is possible to prevent the unnecessary application of signatures that have a large impact on on-site operations to security management, and it is possible to appropriately perform security management using signatures while considering the impact on operations. can be done. In addition, since the signature management apparatus 100 automatically evaluates the degree of influence of candidate signatures on business and determines whether or not to apply them, it is possible to solve problems such as human load and individuality.

By the way, in the above examples, communication logs and business logs were shown as examples of business information to be compared with candidate signatures when determining the degree of impact. The business impact level evaluation unit 135 may obtain the impact level according to the content of the business information. For example, in evaluating the degree of impact of a candidate signature generated based on threat information targeting an IoT environment or a factory environment, the business impact evaluation unit 135 determines that the business environment specified from the business information is the IoT environment or the factory environment. If the business environment specified from the business information is a general office, the degree of influence is judged to be low. Further, the scale of the organization is stored as business information, and the business impact level evaluation unit 135 increases or decreases the level of impact according to the scale of the organization (for example, the greater the desire of the organization, the higher the level of impact). etc.).

In the above example, whether or not to apply a candidate signature is determined by comparing the degree of impact with a preset threshold. The business impact evaluation unit 135 adjusts the criteria for determining whether to apply the candidate signature according to the degree of threat corresponding to the candidate signature, such as determining that the candidate signature is applicable (yes) from the viewpoint of prioritizing safety You may do so.

Further, in the above example, the determination of whether or not to apply the candidate signature is mechanically performed by comparison with a preset threshold. In such cases, the signature applicability decision unit 140 accepts input from a user such as an analyst to decide whether or not to apply a candidate signature via a user interface, etc., and accepts it. Applicability of the candidate signature may be determined based on the content obtained. By doing so, even if mechanical judgment is difficult, it is possible to appropriately judge whether or not to apply the candidate signature, and it is possible to realize a security management mechanism that meets the situation and needs of the site. can.

[Second embodiment]
Although the signature management device 100 of the first embodiment acquires threat information including the signature itself from the information acquisition source 6 and generates the signature itself included in the threat information as a candidate signature, the signature management device 100 of the second embodiment 100 generates candidate signatures by analyzing threat information. Since the information processing system 1 and the signature management device 100 of the second embodiment have the same basic configuration, the following description focuses on the differences from the first embodiment.

FIG. 8 is a block diagram showing main functions of the signature management device 100 of the second embodiment. As shown in the figure, the signature management device 100 of the second embodiment further includes a threat information analysis unit 123 in addition to the components of the signature management device 100 of the first embodiment. Further, the candidate signature generator 125 of the signature management device 100 of the second embodiment further has functions different from those of the signature management device 100 of the first embodiment. Further, the storage unit 110 of the signature management device 100 of the second embodiment stores threat information analysis results 115 in addition to the information stored by the storage unit 110 of the signature management device 100 of the first embodiment.

FIG. 9A is an example of the threat information acquisition destination management table 111 stored in the storage unit 110 of the signature management apparatus 100 of the second embodiment. Each item of the threat information acquisition destination management table 111 illustrated as an example is common to the threat information acquisition destination management table 111 of the first embodiment. The illustrated threat information acquisition source management table 111 stores information acquisition sources 6 that provide threat information that does not necessarily include the signature itself. For example, a record with an acquisition source ID 1111 of “0” is a site that provides malware analysis results, and a record with an acquisition source ID 1111 of “1” is a site that provides CTI (Cyber Threat Intelligence). A record whose ID 1111 is "2" is a site that distributes an RSS feed.

The threat information analysis unit 123 provided in the signature management device 100 of the second embodiment analyzes the threat information 112 acquired from the information acquisition source 6 and stores the result in the threat information analysis result 115 .

FIG. 9B is an example of the threat information analysis result 115 stored in the storage unit 110 of the signature management device 100 of the second embodiment. As shown in the figure, the exemplary threat information analysis result 115 is composed of one or more records (entries) having threat information ID 1121, acquisition date and time 1122, type 1123, and signature target information 1124. . One of the records of the threat information analysis result 115 corresponds to one of the threat information analysis results.

Among the above items, the threat information ID 1121 stores an identifier assigned to each threat information analysis result (hereinafter referred to as “threat information analysis result ID”).

Acquisition date 1152 stores the acquisition date and time of the threat information that is the analysis source of the analysis result. Note that the data format of the date and time is not necessarily limited, and any data format such as Unixtime in which the date and time can be determined can be used.

The type 1153 stores the type of threat information that is the analysis source of the analysis result.

The signature target information 1154 stores signature target information (hereinafter referred to as “signature target information”) extracted by the threat information analysis unit 123 from the threat information that is the analysis source of the analysis result. be.

FIG. 10A shows processing performed by the signature management apparatus 100 of the second embodiment when analyzing threat information, generating candidate signatures based on the analysis results, and applying them to on-site security management (hereinafter referred to as “signature generation processing S1000 ”). Unlike the signature generation processing S500 of the first embodiment, the signature generation processing S1000 of the second embodiment includes threat information analysis processing S1020 and candidate signature generation processing S1030 instead of the signature generation processing S500 S513 and S514 of the first embodiment. are executed in order. Other processes of the signature generation processing S1000 of the second embodiment are the same as those of the signature generation processing S500 of the first embodiment, so description thereof will be omitted. The signature management apparatus 100 executes the signature generation process S1000, for example, when an execution instruction is received from an administrator or the like via a user interface, or when a preset timing (periodic, etc.) arrives. .

FIG. 10B is a flow chart explaining details of the threat information analysis processing S1020 of FIG. 10A. The threat information analysis processing S1020 will be described below with reference to FIG.

The loop processing of S1021S to S1021E shown in FIG. 10A is repeatedly executed for each piece of new threat information acquired in S1011 of FIG. 10A.

In the above loop processing, first, the threat information analysis unit 123 of the signature management device 100 extracts signature target information from the selected new threat information (S1022). For example, the threat information analysis unit 123 extracts the URL of the malicious site accessed by the malware, the registry operated by the malware, the file path accessed by the malware, the binary string of the malware, etc., as the signature target information. For example, when new threat information is described in a structured manner, the threat information analysis unit 123 mechanically extracts signature target information using a script or the like. In addition, for example, when new threat information is not structured like CTI, the threat information analysis unit 123 extracts signature target information from information such as URLs and registries using regular expressions. . The illustrated signature target information is only an example, and may be of other types.

Subsequently, the threat information analysis unit 123 stores the signature target information extracted in S1022 in the threat information analysis result 115 (S1023).

FIG. 10C is a flowchart illustrating details of the candidate signature generation process S1030 of FIG. 10A. The candidate signature generation processing S1030 will be described below with reference to FIG.

First, the candidate signature generator 125 acquires unprocessed threat information from the threat information analysis result 115 (S1031).

Subsequently, the candidate signature generation unit 125 clusters the threat information analysis results obtained in S1031 based on the similarity of each piece of signature target information (S1032). For example, the candidate signature generation unit 125 generates the similarity of the URL character string, the packet length of the response sentence, the character string of the file path of the access destination, and the character string of the registry name of the access destination, which are included in the signature target information. etc. are used as feature amounts to perform the above clustering. The clustering method is not necessarily limited, and for example, a machine learning mechanism may be used.

The subsequent loop processing from S1033S to S1033E is repeated by sequentially selecting the clusters clustered at S1032.

In the loop process described above, the candidate signature generation unit 125 first extracts a matching portion of the signature target information of each threat information analysis result belonging to the selected cluster (S1034). For example, the candidate signature generation unit 125 extracts the matching part of the URL character string, which is the signature target information.

Subsequently, the candidate signature generator 125 abstracts the extracted matching portion. For example, the candidate signature generation unit 125 performs the above abstraction in multiple stages using a hierarchical clustering method (S1035).

Subsequently, the candidate signature generation unit 125 stores the abstracted result as the candidate signature in the candidate signature information (S1036).

As described above, the signature management apparatus 100 of the second embodiment automatically generates candidate signatures based on threat information. can be done. Therefore, for example, the user can use the signature management device 100 to use the signature management device 100 based on threat information such as malware analysis results obtained in the malware analysis environment operated by the organization or threat information manually input in the organization. You can generate your own signature. In addition, since candidate signatures are automatically generated, the user can efficiently generate candidate signatures while solving the problems of implementation cost and individuality.

By the way, in the determination of whether or not to apply S1014 of the signature generation processing S1000 of FIG. If the unit 140 determines that it is not applicable (not applicable), the process returns to S1030, and the candidate signatures are regenerated by changing the clustering conditions and the combination of the information to be converted into signatures (changed the parameters), and regenerated. The loop processing of S1013S to S1013E may be re-executed for candidate signatures. By doing so, for example, the possibility of generating candidate signatures applicable to on-site security management increases, and the quality of security management can be improved while suppressing the impact on business.

1 information processing system 2 internal device 3 intrusion detection/prevention device 4 proxy server 6 information acquisition destination 51 internal network 52 external network 53 DMZ 100 signature management device 110 storage unit 111 threat information acquisition destination management table 112 threat information 113 candidate signature information 114 business information 115 threat information analysis result 120 threat information acquisition unit 123 threat information analysis unit 125 candidate signature generation unit 130 business information acquisition unit 135 business impact Evaluation unit 140 signature application appropriateness determination unit 145 signature application unit 150 signature information provision unit S500 signature generation processing S520 business impact evaluation processing S530 signature application appropriateness determination processing S540 signature application processing S600 signature information provision processing , 700 signature information provision screen, S1000 signature generation processing, S1020 threat information analysis processing, S1030 candidate signature generation processing

Claims (15)

configured using an information processing device having a processor and a storage device,
a threat information acquisition unit that acquires threat information;
a candidate signature generation unit that generates candidate signatures, which are candidates for signatures applied to security management at a site where business is performed, based on the threat information;
a business information acquisition unit that acquires business information that is information about the business;
a business impact evaluation unit that obtains, based on the business information, an impact, which is a value indicating the degree of impact on the business when the candidate signature is applied to the security management;
a signature application propriety determination unit that determines whether or not to apply the candidate signature to the security management based on the degree of impact;
a signature information providing unit that outputs the determination result of whether or not to apply;
A signature management device, comprising: The signature management device of claim 1, comprising:
The business information is log information acquired when the candidate signature is applied to security management,
Signature management device. A signature management device according to claim 2, wherein
The business impact evaluation unit determines whether the information processing device operated on site accesses another information processing device when the candidate signature acquired based on the log information is applied to the security management. Blockage rate, rate of decrease in average communication speed of the communication network at the site, percentage of applications used at the site whose response has decreased, and out of the applications used at the site, which have become unusable determining the degree of impact based on at least one of: proportion of applications;
Signature management device. The signature management device of claim 1, comprising:
The business information is at least one of the nature of the business, the nature of equipment used for the business, the environment in which the business is performed, and the size of the organization that performs the business.
Signature management device. The signature management device of claim 1, comprising:
storing information indicating the degree of threat to be detected by the candidate signature;
The signature application suitability determination unit adjusts the application suitability determination criteria according to the degree of threat.
Signature management device. The signature management device of claim 1, comprising:
the threat information includes the signature itself;
wherein the candidate signature generation unit generates the signature itself included in the threat information as the candidate signature;
Signature management device. The signature management device of claim 1, comprising:
Further comprising a threat information analysis unit that analyzes the threat information,
The candidate signature generation unit generates the candidate signatures based on signature target information, which is information obtained by analyzing the threat information.
Signature management device. A signature management device according to claim 7, comprising:
When the degree of influence obtained for the generated candidate signature exceeds a preset threshold value, the candidate signature generation unit generates the candidate signature by a method different from the generation method of the candidate signature, based on the signature target information. to regenerate the
Signature management device. A signature management device according to claim 7, comprising:
The candidate signature generation unit classifies a plurality of pieces of the signature target information obtained by analyzing the threat information into clusters, and abstracts a matching portion of the signature target information for each cluster. generating the obtained result as the candidate signature;
Signature management device. A signature management device according to claim 7, comprising:
The signature target information is at least one of information indicating the location of a malicious site accessed by malware, a registry operated by malware, a file path accessed by malware, and a binary string of malware.
Signature management device. The signature management device of claim 1, comprising:
The signature information providing unit generates and outputs a screen that describes the degree of influence obtained for the candidate signature;
Signature management device. A signature management device according to claim 11, comprising:
The signature information providing unit generates and outputs the screen further describing whether or not the candidate signature is applied or the application status of the candidate signature to the security management.
Signature management device. The signature management device of claim 1, comprising:
The signature application propriety determination unit
Determine whether the application is appropriate by comparing the degree of influence with a preset threshold,
Receiving an input to determine whether or not to apply the previous candidate signature via a user interface when the degree of influence is within a predetermined range from the threshold, and determining whether or not to apply the previous candidate signature based on the received content;
Signature management device. The signature management device of claim 1, comprising:
communicably connected to another information processing device that performs security management;
The signature information providing unit determines whether or not to provide the candidate signature to another information processing device used for the security management according to the determination result of whether or not to apply it.
Signature management device. An information processing device having a processor and a storage device,
obtaining threat information;
a step of generating candidate signatures, which are candidates for signatures to be applied to security management at the site where business is conducted, based on the threat information;
a step of acquiring business information that is information about the business;
obtaining, based on the business information, an impact level, which is a value indicating the degree of impact on the business when the candidate signature is applied to the security management;
determining whether to apply the candidate signature to the security management based on the degree of impact;
a step of outputting the determination result of whether or not to apply;
A signature management method that implements

Images