JP6047463B2 - Evaluation apparatus and method for evaluating security threats - Google Patents


Info

Publication number
JP6047463B2
Authority
JP
Japan
Prior art keywords
information
threat
subsystem
evaluation
step
Prior art date
Legal status
Active
Application number
JP2013170899A
Other languages
Japanese (ja)
Other versions
JP2015041167A (en)
Inventor
伸義 森田
信 萱島
英里子 安藤
Original Assignee
日立オートモティブシステムズ株式会社
Priority date
Filing date
Publication date
Application filed by 日立オートモティブシステムズ株式会社
Priority to JP2013170899A
Publication of JP2015041167A
Application granted
Publication of JP6047463B2
Application status: Active

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577Assessing vulnerabilities and evaluating computer system security

Description

  The present invention relates to an apparatus and a method that, when the designer of an in-vehicle network system defines the evaluation target model from information that can be entered objectively, such as a design document, define the data required for risk evaluation according to the tool's input instructions and automatically calculate the risk value of each threat without depending on the skill level of the analyst.

  As in the field of information systems, the design of an automobile's in-vehicle network and of the electronic control units connected to it must make it possible to confirm that appropriate security functions are correctly implemented.

  For example, in the field of information systems, ISO/IEC 15408, the international standard for the development, manufacture and operation of security products (hardware and software) and systems, is used to raise the assurance level of security implementations. ISO/IEC 15408 requires security requirements to be formulated on the basis of threat analysis, and a Security Target (ST) to be written in a predetermined format. The ST must identify the security threats assumed for the system or apparatus and show that technical or operational measures are taken against them. In such threat analysis it is important to implement security functions with neither excess nor deficiency; the extracted security threats must therefore be risk-assessed and measures taken against the high-risk ones.

  For example, as an apparatus for evaluating the risk of a threat, Japanese Patent Application Laid-Open No. 2009-230278 discloses one in which the tool developer quantifies in advance the magnitude of damage (to confidentiality, integrity and availability) for each threat; when assessing threat risk, the analyst quantifies the probability of occurrence of the threat, and the product of the "damage magnitude" and the "occurrence probability" of each threat extracted by the tool is calculated as that threat's risk value.

Patent Document 1: JP 2009-230278 A

  The technique of Patent Document 1 can determine the risk of each threat when the occurrence probability is known in advance, as for a system or apparatus that is already in operation. At design time, however, the probability that a threat occurs in the system or apparatus is not known. Quantifying it therefore requires security knowledge and experience, that is, a high level of skill on the part of the risk analyst.

  The present invention has been made in view of the above problem, and its object is to enable an analyst to identify high-risk threats without depending on the analyst's skill level.

  To achieve this object, one aspect of the present invention provides an evaluation apparatus for evaluating security threats to a system under evaluation. The evaluation apparatus includes an input unit that receives design information on a plurality of design items in the system; a storage unit that stores a plurality of evaluation items related to security threats in association with the design-item information received from the input unit; a display unit; and a control unit that extracts security threats in the system from the design-item information, calculates for each extracted threat a threat risk value indicating the magnitude of the security threat from the evaluation items associated with the design-item information, and displays the extracted threats and their threat risk values on the display unit.

  More preferably, the design-item information received by the input unit is information on the subsystem to be evaluated in the system, and the information on the subsystem comprises: information on the externally connected devices of the subsystem; the number of externally connected devices; the path type between the subsystem and each externally connected device; the number of authentications that occur when the subsystem communicates with each externally connected device; the type of participant who may cause a threat; and protected asset information on the assets to be protected.

  According to another aspect of the present invention, an evaluation method in an apparatus for evaluating security threats to a system under evaluation is provided. In the evaluation method, the apparatus receives design information on a plurality of design items in the system, associates a plurality of evaluation items on security threats with the received design-item information, extracts security threats in the system from the design-item information, calculates for each extracted threat a threat risk value indicating the magnitude of the security threat from the evaluation items associated with the design-item information, and displays the extracted threats and their threat risk values on the display unit.

  More preferably, the design-item information received by the apparatus is information on the subsystem to be evaluated in the system, and the information on the subsystem comprises: information on the externally connected devices of the subsystem; the number of externally connected devices; the route type between the subsystem and each externally connected device; the number of authentications that occur when the subsystem communicates with each externally connected device; the type of participant who may cause a security threat; and protected asset information on the assets to be protected.

  According to the present invention, threats can be extracted and their risk values calculated using information taken from the design document as input, and the risk value of each threat can be presented to the analyst. This makes it possible to evaluate threat risk without depending on the analyst's security knowledge and experience.

FIG. 1: Configuration of the threat risk evaluation support apparatus
FIG. 2: Table structure of the subsystem classification information in the risk evaluation independent information
FIG. 3: Table structure of the life cycle classification information in the risk evaluation independent information
FIG. 4: Table structure of the ASIL classification information in the risk evaluation independent information
FIG. 5: Table structure of the participant classification information in the risk evaluation independent information
FIG. 6: Table structure of the participant / life cycle / motive correspondence information in the risk evaluation independent information
FIG. 7: Table structure of the asset type / threat correspondence information in the risk evaluation independent information
FIG. 8: Table structure of the threat list information in the risk evaluation independent information
FIG. 9: Table structure of the threat risk value information in the risk evaluation independent information
FIG. 10: Table structure of the route classification information in the risk evaluation dependent information
FIG. 11: Table structure of the confidentiality impact information in the risk evaluation dependent information
FIG. 12: Table structure of the subsystem detailed information in the risk evaluation dependent information
FIG. 13: Table structure of the externally connected device information in the risk evaluation dependent information
FIG. 14: Table structure of the participant detailed information in the risk evaluation dependent information
FIG. 15: Table structure of the internally connected device information in the risk evaluation dependent information
FIG. 16: Table structure of the protected asset information in the risk evaluation dependent information
FIG. 17: Table structure of the risk value calculation method list information
FIG. 18: Table structure of the CVSS determination information in the risk evaluation determination information
FIG. 19: Overall processing sequence of threat risk evaluation
FIG. 20: Processing sequence during model definition
FIG. 21: Processing sequence when registering detailed information of a subsystem
FIG. 22: Processing sequence when extracting threat events
FIG. 23: Processing sequence during risk value calculation
FIG. 24: Processing sequence in CIA calculation
FIG. 25: Example screen for selecting a risk evaluation method during model definition
FIG. 26: Example screen for selecting and adding a subsystem
FIG. 27: Example screen for selecting the subsystem to edit
FIG. 28: Example screen for entering the number of externally connected devices during model definition
FIG. 29: Example screen for entering detailed information on an externally connected device during model definition
FIG. 30: Example screen for entering detailed information on a participant during model definition
FIG. 31: Example screen for entering the number of internally connected devices during model definition
FIG. 32: Example screen for entering detailed information on an internally connected device during model definition
FIG. 33: Example screen for entering the number of protected assets during model definition
FIG. 34: Example screen for entering detailed information on a protected asset during model definition
FIG. 35: Example screen for entering the ASIL information of a subsystem during model definition
FIG. 36: Example screen showing the defined subsystems during model definition
FIG. 37: Example screen showing that risk evaluation can be executed during model definition
FIG. 38: Example screen of threat risk evaluation results

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  In this embodiment, the threat risk evaluation support apparatus takes as input the data needed to calculate risk values with the Common Vulnerability Scoring System (CVSS), entered from design documents or other known information, and manages data held in advance in association with the data needed for CVSS-based risk value calculation. The apparatus and method described as examples can thereby extract the threats in the evaluation target and automatically calculate the risk value of each threat. The technical idea of the present invention is not limited to this example.

  FIG. 1 shows the configuration of a threat risk evaluation support apparatus 99 according to an embodiment of the present invention. The threat risk evaluation support apparatus 99 is connected to the input device 1 and the output device 2 via the input / output control unit 3, and the input / output control unit 3, the CPU 4, the memory 5 and the disk 6 are connected to each other via the bus 7. The input device 1 is, for example, a keyboard, a mouse or a scanner, and receives input from a user of the apparatus. The output device 2 is, for example, a display, and outputs the intermediate results and evaluation results of the apparatus.

  The input / output control unit 3 controls input and output in the threat risk evaluation support apparatus. The CPU 4 controls each piece of hardware in the apparatus and executes programs. The following are assumed to run as programs in the memory 5: a model definition support unit 51 that supports definition of the evaluation target model; a threat extraction unit 52 that extracts threats in the evaluation target; a threat risk value calculation unit 53 that calculates a risk value for each extracted threat; a countermeasure priority determination unit 54 that determines countermeasure priority from the threat risk values; a threat risk evaluation creation unit 55 that creates the threat risk evaluation result output to the output device 2; and a threat risk list sorting unit 56 that sorts the list of threat risk evaluation results in response to a request entered from the input device 1.

  The disk 6 is a non-volatile storage device such as a hard disk drive, and provides a risk evaluation independent information storage unit 61 for information that does not depend on the risk evaluation method, a risk evaluation dependent information storage unit 62 for information that depends on the risk evaluation method, and a risk evaluation determination information storage unit 63 for the determination information used by the risk evaluation method.

  The risk evaluation independent information storage unit 61 holds: subsystem classification information 611 indicating the classification of the subsystems in the in-vehicle system; life cycle classification information 612 indicating the life cycle classification of the automobile; ASIL classification information 613 indicating the classification of ASIL (Automotive Safety Integrity Level), the functional safety level for automotive devices and systems; participant classification information 614 indicating the classification of participants in the automobile; participant / life cycle / motive correspondence information 615 that associates participants, life cycles and motives; asset type / threat correspondence information 616 that associates asset types with the corresponding threats; threat list information 617 that holds threat types, threat contents, influence ranges and possible life cycles in order to derive threat events; and threat risk value information 618 that holds threats and their risk values.

  The risk evaluation dependent information storage unit 62 holds input tables matching the requirements of the risk value calculation method. For example, when CVSS is used, it holds: route classification information 6211 indicating the classification of the attack route to the attack target; confidentiality impact information 6212 indicating the degree of impact on the confidentiality of the evaluation target; subsystem detailed information 6213 holding detailed information on the subsystems of the evaluation target; externally connected device information 6214 indicating the externally connected devices connected to the evaluation target; participant detailed information 6215 indicating the participants who use each externally connected device; internally connected device information 6216 indicating the internally connected devices that communicate with the attack target; and protected asset information 6217 indicating the protected assets in the attack target.

  The risk evaluation determination information storage unit 63 holds risk value calculation method list information 631, a list of risk value calculation methods, and, for example, CVSS determination information 632, the determination information used for risk value calculation with that method.

  FIG. 2 shows an example of the table configuration of the subsystem classification information 611 held in the risk evaluation independent information storage unit 61, FIG. 3 that of the life cycle classification information 612, and FIG. 4 that of the ASIL classification information 613.

  When a subsystem in the evaluation target is selected, the model definition support unit 51 refers to the subsystem classification information 611, displays the subsystem names 6112 on the output device 2 as selection items, and adds any subsystem added via the input device 1 to the subsystem classification information 611. The S-ID 6111 is a unique value identifying the subsystem. The subsystem name 6112 is the name of the subsystem. The validity determination 6113 indicates whether the subsystem of the S-ID 6111 is included in the model; for example, "◯" may be set when it is included and "X" when it is not. Examples of in-vehicle systems and subsystems are a GW (gateway), an information system subsystem, an engine / drive system subsystem, a body system subsystem and a chassis system subsystem.

  When the protection period 62176 in the protected asset information 6217 is selected, the model definition support unit 51 refers to the life cycle classification information 612 for the protection period selection items. The L-ID 6121 is a unique value identifying the life cycle. The life cycle name 6122 is the name of a life cycle of the automobile.

  When the ASIL value of a subsystem is entered, the model definition support unit 51 refers to the ASIL classification information 613 and displays it on the output device 2 as selection items. The ASIL-ID 6131 is a unique value identifying the ASIL classification. The ASIL value 6132 is the ASIL value classification for the automobile.

  FIG. 5 shows an example of the table configuration of the participant classification information 614 held in the risk evaluation independent information storage unit 61, and FIG. 6 that of the participant / life cycle / motive correspondence information 615.

  When the participant classification in the participant detailed information 6215 is selected, the model definition support unit 51 refers to the participant classification information 614, displays it on the output device 2 as selection items, and registers the participant selected via the input device 1 in the participant classification 62152. The W-ID 6141 is a unique value identifying a participant.

  When participant detailed information is entered, the model definition support unit 51 refers to the life cycle type 6152 for the selection items of the participant and of the attack timing corresponding to that participant, and displays them on the output device 2; the threat extraction unit 52 extracts the motive corresponding to the participant from the motive 6153. The participant type 6151 is a unique value identifying a participant, and the participant name can be determined by referring to the W-ID 6141 in the participant classification information 614. The life cycle type 6152 is the life cycle associated with the participant indicated by the participant type 6151. The motive 6153 is the motive associated with that participant.

  FIG. 7 shows an example of the table configuration of the asset type / threat correspondence information 616 held in the risk evaluation independent information storage unit 61, FIG. 8 that of the threat list information 617, and FIG. 9 that of the threat risk value information 618.

  The threat extraction unit 52 refers to the asset type / threat correspondence information 616 and extracts the threats corresponding to the type of the protected asset. The asset type 6161 is the asset type of the protected asset. The threat 6162 is a threat that can occur against the asset type 6161. This table is an example; the asset types and threat items are not limited to it.

  The threat extraction unit 52 selects a threat 6162 from the asset type / threat correspondence information 616 and extracts the corresponding influence range and influence content from the threat list information 617. The threat 6171 is the list of threats. The influence range 6172 indicates whether the influence of the threat 6171 is confined to the attacked subsystem itself or also reaches its communication destination. The influence content 6173 is the effect when the threat 6171 occurs. The life cycle 6174 is the timing at which the threat 6171 can occur.

  The countermeasure priority determination unit 54 refers to the threat risk value information 618 and extracts the threats with high countermeasure priority. The T-ID 6181 is a unique value identifying a threat event. The threat event 6182 is a threat event extracted by the threat extraction unit 52. The risk value 6183 is the threat risk value of the threat event 6182. The S-ID 6184 is the S-ID of the subsystem that is the attack target in the threat event 6182; the subsystem name can be determined by referring to the subsystem classification information 611. The E-ID 6185 is the E-ID of the externally connected device that is the attack source in the threat event 6182; the device name can be determined by referring to the externally connected device information 6214. The P-ID 6186 is the P-ID of the protected asset at stake in the threat event 6182; the asset name can be determined by referring to the protected asset information 6217. The threat type 6187 is the threat type of the threat in the threat event 6182.

  FIG. 10 shows an example of the table configuration of the route classification information 6211 held in the risk evaluation dependent information storage unit 62, FIG. 11 that of the confidentiality impact information 6212, FIG. 12 that of the subsystem detailed information 6213, and FIG. 13 that of the externally connected device information 6214.

  When the route classification of an externally connected device is registered, the model definition support unit 51 refers to the route classification information 6211 and displays it on the output device 2 as selection items. The R-ID 62111 is a unique value identifying the route classification. The route 62112 indicates local, adjacent or network. For example, a device connected directly to the in-vehicle network is classified as local, a connection over short-range communication as adjacent, and a connection over long-distance communication such as the Internet or a mobile communication network as network. This route distinction is an example, and the present invention is not limited to it.

  When the degree of impact on confidentiality of a protected asset is registered, the model definition support unit 51 refers to the confidentiality impact information 6212 and displays it on the output device 2 as selection items. The C-ID 62121 is a unique value identifying the degree of impact on confidentiality. The degree of impact 62122 is the classification of the impact on confidentiality attributable to the protected asset; for example, according to the asset value, it may be classified as non-target, partial or full.

  The model definition support unit 51 stores detailed information on the subsystems of the automobile under evaluation in the subsystem detailed information 6213. The threat risk value calculation unit 53 uses the external connection count 62132 and the ASIL value 62135 stored in the subsystem detailed information 6213 when calculating the risk value; the risk value calculation method using them is described later. The S-ID 62131 is a unique value identifying a subsystem, and the subsystem name can be determined by referring to the subsystem classification information 611. The external connection count 62132 is the number of externally connected devices that can connect to the subsystem of the S-ID 62131. The internal connection count 62133 is the number of internally connected devices that communicate with that subsystem. The number of protected assets 62134 is the number of protected assets in that subsystem. The ASIL value 62135 is the ASIL value defined for that subsystem, and holds the ASIL-ID selected from the ASIL classification information 613.

  The model definition support unit 51 registers the externally connected device information 6214 according to the external connection count 62132 registered in the subsystem detailed information 6213. The threat risk value calculation unit 53 uses the route classification 62144 and the authentication count 62145 stored in the externally connected device information 6214 when calculating the risk value; the risk value calculation method using them is described later. The S-ID 62141 is a unique value identifying a subsystem, and the subsystem name can be determined by referring to the subsystem classification information 611. The E-ID 62142 is a unique value identifying an externally connected device of the subsystem of the S-ID 62141. The externally connected device name 62143 is the name of the device of the E-ID 62142. The route classification 62144 is the route classification of that device, and holds the R-ID 62111 selected from the route classification information 6211. The authentication count 62145 is the number of authentications that occur when the device of the E-ID 62142 communicates with the subsystem of the S-ID 62141. The number of participants is the number of participant types that communicate with the subsystem of the S-ID 62141 through the device of the E-ID 62142.

  FIG. 14 shows an example of the table configuration of the participant detailed information 6215 held in the risk evaluation dependent information storage unit 62, FIG. 15 that of the internally connected device information 6216, and FIG. 16 that of the protected asset information 6217.

  The model definition support unit 51 registers the participant detailed information 6215 according to the number of participants registered in the externally connected device information 6214. When extracting threats, the threat extraction unit 52 takes the externally connected device serving as the entry point, the corresponding participant and the attack timing from the participant detailed information 6215. The E-ID 62151 is a unique value identifying the externally connected device, and the device name can be determined by referring to the externally connected device information 6214. The participant classification 62152 is the participant who uses the device of the E-ID 62151, and the participant name can be determined by referring to the participant classification information 614. The attack timing 62153 is the timing at which the participant of the participant classification 62152 attacks using the device of the E-ID 62151 as the entry point, and the life cycle name can be determined by referring to the life cycle classification information 612.

  The model definition support unit 51 registers the internally connected device information 6216 according to the internal connection count 62133 registered in the subsystem detailed information 6213. The threat risk value calculation unit 53 uses the authentication count 62164 stored in the internally connected device information 6216 when calculating the risk value; the risk value calculation method using it is described later. The S-ID 62161 is a unique value identifying a subsystem, and the subsystem name can be determined by referring to the subsystem classification information 611. The I-ID 62162 is a unique value identifying the internally connected device. The internally connected device 62163 is the subsystem with which the subsystem of the S-ID 62161 communicates, and its name can be determined by referring to the subsystem classification information 611. The authentication count 62164 is the number of authentications required when the subsystem of the S-ID 62161 communicates with the internally connected device 62163.

  The model definition support unit 51 registers the protected asset information 6217 according to the number of protected assets 62134 registered in the subsystem detailed information 6213. The threat extraction unit 52 uses the protected asset name 62173, the asset type 62174 and the protection period 62176 stored in the protected asset information 6217 when extracting threats, and the threat risk value calculation unit 53 uses the confidentiality impact level 62175 and the data flow 62177 when calculating the risk value; the threat extraction method using the former and the risk value calculation method using the latter are described later. The S-ID 62171 is a unique value identifying a subsystem, and the subsystem name can be determined by referring to the subsystem classification information 611. The P-ID 62172 is a unique value identifying the protected asset. The protected asset name 62173 is the name of a protected asset in the subsystem of the S-ID 62171. The asset type 62174 is the asset type of the protected asset of the P-ID 62172. The confidentiality impact level 62175 is the confidentiality impact level of that asset, and holds the C-ID selected from the confidentiality impact information 6212. The protection period 62176 is the protection period of that asset, and the life cycle name can be determined by referring to the life cycle classification information 612. The data flow 62177 is the flow of that asset between subsystems, and the subsystem names can be determined by referring to the subsystem classification information 611.
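How the threat extraction unit 52 might join these tables into threat events, as an added example that is not the patent's own code. The sample rows are constructed for illustration; the rule that an event is kept only when the participant's attack timing (6215) lies within the asset's protection period (6217), the participant is present in that life cycle (615) and the threat can occur in it (617) is this example's reading of the description, not something the page states outright.

```python
from dataclasses import dataclass
from itertools import count

# Constructed stand-ins for the risk-evaluation-independent tables.
# 616 asset type / threat correspondence: asset type -> possible threats
ASSET_TYPE_THREAT = {
    "data": ["eavesdropping", "tampering"],
    "function": ["unauthorized execution", "denial of service"],
}
# 617 threat list: threat -> (influence range, influence content, life cycles)
THREAT_LIST = {
    "eavesdropping": ("self", "leakage of the asset", {"use", "maintenance"}),
    "tampering": ("communication destination", "corruption of the asset",
                  {"use", "maintenance"}),
    "unauthorized execution": ("communication destination",
                               "unintended operation", {"use"}),
    "denial of service": ("self", "loss of function", {"use", "maintenance"}),
}
# 615 participant / life cycle / motive correspondence
PARTICIPANT_LIFECYCLE_MOTIVE = {
    "owner": ({"use"}, {"tuning"}),
    "mechanic": ({"maintenance"}, {"mischief"}),
    "third party": ({"use", "maintenance", "disposal"}, {"theft", "mischief"}),
}


@dataclass(frozen=True)
class ExternalDevice:             # one row of 6214
    s_id: str
    e_id: str
    name: str


@dataclass(frozen=True)
class ParticipantDetail:          # one row of 6215
    e_id: str
    participant: str
    attack_timing: str            # life cycle name from 612


@dataclass(frozen=True)
class ProtectedAsset:             # one row of 6217
    s_id: str
    p_id: str
    name: str
    asset_type: str
    protection_period: frozenset  # life cycle names from 612


@dataclass(frozen=True)
class ThreatEvent:                # one row of 618, before a risk value is assigned
    t_id: str
    s_id: str
    e_id: str
    p_id: str
    participant: str
    motive: str
    life_cycle: str
    threat: str
    influence_range: str
    influence_content: str


def extract_threat_events(devices, participants, assets):
    """Join entry point, participant/timing, asset and threat tables.

    Assumed rule: keep an event only when the attack timing lies in the
    asset's protection period, the participant exists in that life cycle
    (615) and the threat can occur in it (617).
    """
    by_device = {}
    for p in participants:
        by_device.setdefault(p.e_id, []).append(p)
    ids = count(1)
    events = []
    for dev in devices:
        for part in by_device.get(dev.e_id, []):
            cycles, motives = PARTICIPANT_LIFECYCLE_MOTIVE[part.participant]
            if part.attack_timing not in cycles:
                continue
            for asset in assets:
                if asset.s_id != dev.s_id or part.attack_timing not in asset.protection_period:
                    continue
                for threat in ASSET_TYPE_THREAT[asset.asset_type]:
                    rng, content, when = THREAT_LIST[threat]
                    if part.attack_timing not in when:
                        continue
                    for motive in sorted(motives):   # sorted for a stable T-ID order
                        events.append(ThreatEvent(
                            f"T{next(ids):03d}", dev.s_id, dev.e_id, asset.p_id,
                            part.participant, motive, part.attack_timing,
                            threat, rng, content))
    return events


def sample_events():
    """Extraction over a constructed model of one subsystem S01 (a gateway)."""
    devices = [ExternalDevice("S01", "E01", "diagnostic tool"),
               ExternalDevice("S01", "E02", "smartphone")]
    participants = [ParticipantDetail("E01", "mechanic", "maintenance"),
                    ParticipantDetail("E01", "third party", "use"),
                    ParticipantDetail("E02", "owner", "use")]
    assets = [ProtectedAsset("S01", "P01", "vehicle identification data", "data",
                             frozenset({"use", "maintenance"})),
              ProtectedAsset("S01", "P02", "door lock control", "function",
                             frozenset({"use"}))]
    return extract_threat_events(devices, participants, assets)
```

Calling `sample_events()` yields 14 events for the constructed model: the mechanic reaches only the data asset during maintenance, the third party reaches both assets during use with two motives each, and the owner reaches both assets with one motive. Each event carries the S-ID, E-ID and P-ID that the threat risk value information 618 records, so it can be handed straight to a risk value calculation.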

  FIG. 17 shows an example of a table configuration of risk value calculation method list information 631 held in the risk evaluation determination information storage unit 63, and FIG. 18 shows a table configuration of CVSS determination information 632.

  The model definition support unit 51 refers to the risk value calculation method list information 631, displays the determination methods as selection items on the output device 2, and changes the input items of the model definition according to the selection made with the input device 1. The method name 6311 is the name of the method for calculating the risk value. The reference information 6312 is the specific determination information to be referred to for the method name 6311.

  The threat risk value calculation unit 53 refers to the CVSS determination information 632 and calculates a threat risk value. The parameters 6321 are the six items necessary for obtaining the CVSS base value. The section 6322 indicates the range to be referred to for each parameter 6321. The determination value 6323 is the value assigned to each section 6322 of a parameter 6321.

  FIG. 19 shows an overall outline processing flow in this embodiment from model definition to threat event extraction, threat risk value calculation, countermeasure priority determination, and threat risk value list output.

  In step 511, the model definition support unit 51 displays a risk evaluation method selection screen on the output device 2. When a risk evaluation method is selected using the input device 1, the process proceeds to step 512; otherwise, the process waits in step 511.

  In step 512, the model definition support unit 51 displays the input items corresponding to the method name 6311 of the risk value calculation method list information 631 selected in step 511 and, based on the information stored in advance in the risk evaluation independent information storage unit 61 and the risk evaluation dependent information storage unit 62, stores the information input via the input device 1 in the subsystem detailed information 6213, externally connected device information 6214, participant detailed information 6215, internal device connection information 6216, and protected asset information 6217, thereby defining the model to be evaluated.

  In step 521, the threat extraction unit 52 extracts threats based on the information stored in advance in the risk evaluation independent information storage unit 61 and the risk evaluation dependent information storage unit 62, together with the information stored in the subsystem detailed information 6213, externally connected device information 6214, participant detailed information 6215, internal device connection information 6216, and protected asset information 6217, and registers them in the threat event 6182 of the threat risk value information 618.

  In step 531, the threat risk value calculation unit 53 acquires each threat extracted in step 521 from the threat event 6182, calculates the risk value of each threat based on the information stored in step 512 in the subsystem detailed information 6213, externally connected device information 6214, participant detailed information 6215, internal device connection information 6216, and protected asset information 6217, and registers it in the risk value 6183.

  In step 541, the countermeasure priority determination unit 54 calculates a priority based on the risk value 6183 and registers it in the threat risk value information 618. For example, the threat risk value information 618 may be arranged in order from the threat events having a high risk value to rank the priorities, or another method may be used. The countermeasure priority determination unit 54 does not execute the countermeasure priority determination process when no threat event is extracted in step 521.

  In step 551, the threat risk evaluation creating unit 55 acquires the threats and risk values prioritized in step 541 from the threat risk value information 618 and displays them on the output device 2. For example, they may be displayed on the output device 2 in descending order of priority. Alternatively, they may be output as a CSV file. Note that the threat risk evaluation creation unit 54 does not execute the threat risk evaluation result output process if no threat event was extracted in step 521.

  Through the above steps, the threat risk evaluation support apparatus can present a threat risk with a high countermeasure priority to the analyst.

  FIG. 20 shows an outline process flow of the model definition process when CVSS is selected as an example of the risk determination method in step 512.

  In step 5121, the model definition support unit 51 displays a subsystem addition / deletion screen.

  In step 5122, the model definition support unit 51 proceeds to step 5123 if addition or deletion of a subsystem was selected in step 5121, and proceeds to step 5124 if addition or deletion of a subsystem was not selected.

  In step 5123, the model definition support unit 51 adds the S-ID 6111 and the subsystem name 6112 to the subsystem classification information 611 based on the subsystem selected or added in step 5122, and sets the validity determination 6113 to valid.

  In step 5124, the model definition support unit 51 displays a parameter information registration screen for the subsystem on the output device 2.

  In step 5125, if a subsystem for which parameter information is to be registered was selected in step 5124 using the input device 2, the model definition support unit 51 proceeds to step 5125 and stores the information input via the input device 1 in the subsystem detailed information 6213, externally connected device information 6214, participant detailed information 6215, internal device connection information 6216, and protected asset information 6217. On the other hand, if no subsystem for which parameter information is to be registered was selected in step 5124 using the input device 2, the model definition support unit 51 waits in step 5125.

  In step 5126, the model definition support unit 51 ends this process when the parameter information registration processing of all subsystems is completed, and proceeds to step 5125 when there is a subsystem for which parameter information registration processing has not been completed.

  Through the above steps, the model definition support unit 51 can define a model to be evaluated.

  FIG. 21 shows an outline processing flow of parameter information registration for the subsystem in step 5125.

  In step 51251, the model definition support unit 51 registers the number of externally connected devices for the subsystem input using the input device 1 as the externally connected number 62132 of the subsystem detailed information 6213.

  In step 51252, the model definition support unit 51 registers, using the input device 1, the externally connected device name 62143, route classification 62144, authentication count 62145, and number of participant types 62145 as the detailed information of each externally connected device, according to the number of externally connected devices input in step 51251. Here, for the route classification 62144, selection items may be displayed on the output device 1 based on the route classification information 6211 and selected using the input device 1.

  In step 51253, the model definition support unit 51 registers, using the input device 1, the participant category 62152 and the attack timing 62153 as the detailed information of the participants related to the externally connected device, according to the number of participant types input in step 51252. For the participant category 62152, selection items may be displayed on the output device 2 based on the participant category information 614 and selected using the input device 1. For the attack timing 62153, the life cycles corresponding to the life cycle type 6152 of the participant type 6151 may be displayed on the output device 2 as selection items based on the participant / life cycle / motivation correspondence information 615 and selected using the input device 1.

  In step 51254, the model definition support unit 51 uses the input device 1 to register the number of internal connection devices with which the subsystem communicates in the internal connection number 62133 of the subsystem detailed information 6213.

  In step 51255, the model definition support unit 51 registers, using the input device 1, the internal connection device 62163 and the authentication count 62164 as the detailed information of each internal connection device, according to the number of internal connection devices input in step 51254. Here, for the internal connection device 62163, selection items may be displayed on the output device 2 based on the subsystem classification information 611 and selected using the input device 1.

  In step 51256, the model definition support unit 51 uses the input device 1 to register the number of protected assets in the subsystem in the number of protected assets 62134 in the subsystem detailed information 6213.

  In step 51257, the model definition support unit 51 registers, using the input device 1, the protected asset name 62173, asset type 62174, confidentiality impact level 62175, protection period 62176, and data flow 62177 as the detailed information of each protected asset, according to the number of protected assets input in step 51256. For the asset type 62174, selection items may be displayed on the output device 2 based on the asset type 6161 of the asset type / threat correspondence information 616 and selected using the input device 1. For the confidentiality impact level 62175, selection items may be displayed on the output device 2 based on the confidentiality impact level information 6212 and selected using the input device 1. For the protection period 62176, selection items may be displayed on the output device 2 based on the life cycle classification information 612 and selected using the input device 1. For the data flow 62177, selection items may be displayed on the output device 2 based on the subsystem classification information 611 and selected using the input device 1.

  In step 51258, the model definition support unit 51 registers the ASIL value defined in the subsystem in the ASIL value 62135 using the input device 1. Here, the ASIL value 62135 may be selected using the input device 1 by displaying a selection item on the output device 2 based on the ASIL division information 613.

  In step 51259, the model definition support unit 51 displays an activation screen indicating the subsystem for which parameter registration has been completed in the processing from step 51251 to step 51258.

  Through the above steps, parameter information for the subsystem selected in step 5125 can be registered.

  FIG. 22 shows an outline processing flow of threat event extraction in the evaluation target in the above step 521.

  In step 52101, the threat extraction unit 52 acquires the subsystem name 6122 from the subsystem classification information 611.

  In step 52102, the threat extraction unit 52 proceeds to step 52103 when a subsystem name of the subsystem classification information 611 exists in step 52101, and ends this processing when no subsystem name of the subsystem classification information 611 exists.

  In step 52103, the threat extraction unit 52 acquires an unselected subsystem name 6122 from the subsystem classification information 611 as the attack target in the evaluation target. For example, the threat extraction unit 52 may obtain the total number of subsystem names 6122, hold that total and a counter in memory, increment the counter each time a subsystem name 6122 is selected, and acquire the subsystem names 6122 in order, so that an unselected subsystem name 6122 is obtained.

  In step 52104, the threat extraction unit 52 acquires, as an externally connected device corresponding to the subsystem acquired in step 52103, an unselected externally connected device name 62143 whose S-ID 62141 in the externally connected device information 6214 corresponds to the S-ID 6111 of the subsystem classification information 611. For example, the threat extraction unit 52 may obtain the total number of externally connected device names 62143 corresponding to the subsystem acquired in step 52103, hold that total and a counter in memory, increment the counter each time an externally connected device name 62143 is selected, and acquire the externally connected device names 62143 in order, so that an unselected externally connected device name 62143 is obtained.

  In step 52105, the threat extraction unit 52 acquires, as a participant related to the externally connected device acquired in step 52104, the participant name 6142 from the participant category information 614 by referring to an unselected participant category 62152 whose E-ID 62151 in the participant detailed information 6215 corresponds to the E-ID 62141 of the externally connected device information 6214. For example, the threat extraction unit 52 may obtain the total number of participant names 6142 corresponding to the externally connected device acquired in step 52104, hold that total and a counter in memory, increment the counter each time a participant name 6142 is selected, and acquire the participant names 6142 in order, so that an unselected participant name 6142 is obtained.

  In step 52106, the threat extraction unit 52 acquires, as the attack timing of the participant acquired in step 52105, the life cycle name 6122 of the life cycle classification information 612 by referring to an unselected attack timing 62153 based on the participant category 62152 of the participant detailed information 6215. For example, the threat extraction unit 52 may obtain the total number of attack timings 62153 corresponding to the participant acquired in step 52105, hold that total and a counter in memory, increment the counter each time an attack timing 62153 is selected, and acquire the attack timings 62153 in order, so that an unselected attack timing 62153 is obtained.

  In step 52107, the threat extraction unit 52 acquires, as the motive of the participant acquired in step 52105, an unselected motivation 6153 by referring to the participant category 6151 of the participant / life cycle / motivation correspondence information 615 based on the participant category 62152 of the participant detailed information 6215. For example, the threat extraction unit 52 may obtain the total number of motivations 6153 corresponding to the participant acquired in step 52105, hold that total and a counter in memory, increment the counter each time a motivation 6153 is selected, and acquire the motivations 6153 in order, so that an unselected motivation 6153 is obtained.

  In step 52108, the threat extraction unit 52 acquires, as a protected asset corresponding to the subsystem acquired in step 52103, an unselected protected asset name 62173 whose S-ID 62171 in the protected asset information 6217 corresponds to the S-ID 6111 of the subsystem classification information 611. For example, the threat extraction unit 52 may obtain the total number of protected asset names 62173 corresponding to the subsystem acquired in step 52103, hold that total and a counter in memory, increment the counter each time a protected asset name 62173 is selected, and acquire the protected asset names 62173 in order, so that an unselected protected asset name 62173 is obtained.

  In step 52109, the threat extraction unit 52 acquires, as a threat corresponding to the protected asset acquired in step 52108, an unselected threat 6162 whose asset type 6161 in the asset type / threat correspondence information 616 corresponds to the asset type 62174 of the protected asset name 62173. For example, the threat extraction unit 52 may obtain the total number of threats 6162 corresponding to the protected asset acquired in step 52108, hold that total and a counter in memory, increment the counter each time a threat 6162 is selected, and acquire the threats 6162 in order, so that an unselected threat 6162 is obtained.

  In step 52110, the threat extraction unit 52 acquires, as the influence content corresponding to the threat acquired in step 52109, the influence content 6173 corresponding to the threat 6171 in the threat list information 617. For example, the threat extraction unit 52 may obtain the total number of influence contents 6173 corresponding to the threat acquired in step 52109, hold that total and a counter in memory, increment the counter each time an influence content 6173 is selected, and acquire the influence contents 6173 in order, so that an unselected influence content 6173 is obtained.

  In step 52111, the threat extraction unit 52 proceeds to step 52112 when the attack timing acquired in step 52106 exists in the life cycle 6174 corresponding to the influence content acquired in step 52110, and proceeds to step 52113 when the attack timing acquired in step 52106 does not exist in that life cycle 6174.

  In step 52112, the threat extraction unit 52 registers the attack target, externally connected device, participant, attack timing, motive, protected asset, threat, and influence content acquired in steps 52103 to 52110 in the threat event 6182. For example, a sentence of the form “For the ‘attack target’, the ‘participant’ performs the ‘threat’ on the ‘protected asset’ via the ‘external device’ with the ‘motivation’ at the ‘attack timing’” may be created and registered in the threat event 6182. Further, the threat extraction unit 52 registers the S-ID identifying the attack target, the E-ID identifying the external device, and the P-ID identifying the protected asset in the S-ID 6184, E-ID 6185, and P-ID 6186.

  In step 52113, the threat extraction unit 52 compares the total number of influence contents 6173 held in memory in step 52110 with the counter value. If they are equal, the threat extraction unit 52 deletes the counter value and proceeds to step 52114; if they are not equal, it proceeds to step 52110.

  In step 52114, the threat extraction unit 52 compares the counter value with the total number of threats 6162 held in the memory in step 52109. If the counter value is equal to the total number of threats 6162, the threat extraction unit 52 deletes the counter value and proceeds to Step 52115. If the total number of threats 6162 and the counter value are not equal, the threat extraction unit 52 proceeds to Step 52109.

  In step 52115, the threat extraction unit 52 compares the counter value with the total number of protected asset names 62173 held in memory in step 52108. If they are equal, the threat extraction unit 52 deletes the counter value and proceeds to step 52116; if they are not equal, it proceeds to step 52108.

  In step 52116, the threat extraction unit 52 compares the counter value with the total number of motivation 6153 held in the memory in step 52107. If the total number of motives 6153 is equal to the counter value, the threat extraction unit 52 deletes the counter value, and the process proceeds to step 52117. If the total number of motives 6153 and the counter value are not equal, the process proceeds to step 52107.

  In step 52117, the threat extraction unit 52 compares the counter value with the total number of attack timings 62153 held in the memory in step 52106. If the counter value is equal to the total number of attack timings 62153, the threat extraction unit 52 deletes the counter value and proceeds to step 52118. If the total number of attack timings 62153 and the counter value are not equal, the threat extraction unit 52 proceeds to step 52106.

  In step 52118, the threat extraction unit 52 compares the counter value with the total number of participant names 6142 held in memory in step 52105. If they are equal, the threat extraction unit 52 deletes the counter value and proceeds to step 52119; if they are not equal, it proceeds to step 52105.

  In step 52119, the threat extraction unit 52 compares the counter value with the total number of externally connected device names 62143 held in memory in step 52104. If they are equal, the threat extraction unit 52 deletes the counter value and proceeds to step 52120; if they are not equal, it proceeds to step 52104.

  In step 52120, the threat extraction unit 52 compares the counter value with the total number of subsystem names 6122 held in memory in step 52103. If they are equal, the threat extraction unit 52 deletes the counter value and ends this processing; if they are not equal, it proceeds to step 52103.

  Through the above steps, threat events in the evaluation target can be extracted in step 521.
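The enumeration of steps 52103 to 52120, as an added Python example that is not the patent's own code. The per-level counters the patent keeps in memory (steps 52113 to 52120) become nested loops; the life cycle check of step 52111 is the single `continue`. The three lookup tables play the roles of the correspondence information 615, 616 and 617, and the model, table contents and the sentence template are all constructed sample data.

```python
# Added example (not the patent's own code): the nested enumeration of steps
# 52103 to 52120, written as Python loops instead of per-level counters.
# All tables and the model below are constructed sample data.

# Role of participant / life cycle / motivation correspondence information 615:
# participant category -> motivations.
PARTICIPANT_MOTIVATIONS = {
    "owner": ["curiosity"],
    "mechanic": ["profit"],
}

# Role of asset type / threat correspondence information 616: asset type -> threats.
ASSET_TYPE_THREATS = {
    "key": ["reference", "tampering"],
    "log": ["deletion"],
}

# Role of threat list information 617: threat -> [(influence content,
# life cycles in which that influence can occur)].
THREAT_INFLUENCES = {
    "reference": [("information leak", {"use", "maintenance"})],
    "tampering": [("spoofed control command", {"use"})],
    "deletion": [("loss of evidence", {"maintenance", "disposal"})],
}

# The evaluation-target model as produced by step 512 (constructed sample).
MODEL = [
    {
        "sid": 1, "name": "telematics unit",
        "external_devices": [
            {"eid": 1, "name": "smartphone",
             "participants": [
                 {"category": "owner", "attack_timings": ["use"]},
                 {"category": "mechanic", "attack_timings": ["maintenance", "disposal"]},
             ]},
        ],
        "protected_assets": [
            {"pid": 1, "name": "session key", "asset_type": "key"},
            {"pid": 2, "name": "diagnostic log", "asset_type": "log"},
        ],
    },
]


def extract_threat_events(model):
    """Enumerate attack target x external device x participant x attack timing x
    motivation x protected asset x threat x influence content, keeping only the
    combinations whose attack timing lies in the influence content's life cycle
    (the check of step 52111)."""
    events = []
    for sub in model:
        for dev in sub["external_devices"]:
            for part in dev["participants"]:
                for timing in part["attack_timings"]:
                    for motive in PARTICIPANT_MOTIVATIONS.get(part["category"], []):
                        for asset in sub["protected_assets"]:
                            for threat in ASSET_TYPE_THREATS.get(asset["asset_type"], []):
                                for influence, lifecycles in THREAT_INFLUENCES.get(threat, []):
                                    if timing not in lifecycles:
                                        continue  # step 52111: timing outside the life cycle
                                    events.append({
                                        "sid": sub["sid"], "eid": dev["eid"], "pid": asset["pid"],
                                        "threat_type": threat, "attack_timing": timing,
                                        "sentence": (
                                            f'For the "{sub["name"]}", the "{part["category"]}" '
                                            f'performs "{threat}" on the "{asset["name"]}" via the '
                                            f'"{dev["name"]}" with motive "{motive}" at "{timing}", '
                                            f'causing "{influence}".'
                                        ),
                                    })
    return events


if __name__ == "__main__":
    for event in extract_threat_events(MODEL):
        print(event["sentence"])
```

With the sample data the owner at "use" yields reference and tampering events on the session key but no deletion event on the log, since "use" is outside that influence's life cycle; the mechanic at "disposal" yields only the log deletion. That filtering is what keeps the enumeration from producing one event per raw combination.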

  FIG. 23 shows an outline processing flow for calculating the risk value of the threat event extracted in step 531.

  In step 5310, the threat risk value calculation unit 53 acquires the S-ID 6184, E-ID 6185, P-ID 6186, and threat type 6187 of a threat event whose risk value has not been calculated from the threat events 6182 extracted in step 521.

  In step 5311, the threat risk value calculation unit 53 proceeds to step 5312 if the S-ID 6184, E-ID 6185, P-ID 6186, and threat type 6187 of a threat event were obtained from the threat event 6182 in step 5310, and ends this processing if no S-ID 6184, E-ID 6185, P-ID 6186, and threat type 6187 of a threat event remain in the threat event 6182.

  In step 5312, the threat risk value calculation unit 53 acquires the route classification 62144 corresponding to the E-ID 6185 acquired in step 5310, refers to the section 6322 in AV of the parameter 6321 of the CVSS determination information 632, and acquires the determination value 6323.

  In step 5313, the threat risk value calculation unit 53 compares the number of external connections 62132 of the S-ID 6184 acquired in step 5310 with the total number of externally connected devices in the evaluation target to calculate the attack complexity. For example, if the total number of externally connected devices is “n”, let “Y1 = n / 3” and “Y2 = 2Y1”; the complexity is set to “high” if the external connection number 62132 is smaller than Y1, to “medium” if it is Y1 or more and smaller than Y2, and to “low” if it is Y2 or more, and the determination value 6323 is acquired by referring to the section 6322 in AC of the parameter 6321 of the CVSS determination information 632.

  In step 5314, the threat risk value calculation unit 53 obtains the minimum value from the authentication count 62145 corresponding to the E-ID 6185 acquired in step 5312 and the authentication count 62164 of the internal connection device 62163 corresponding to the S-ID 6184 acquired in step 5310. With the total number of authentications as “m”, the result is “unnecessary” when m is 0, “single” when m is 1, and “multiple” when m is 2 or more, and the determination value 6323 is acquired by referring to the section 6322 in Au of the parameter 6321 of the CVSS determination information 632.

  In step 5315, the threat risk value calculation unit 53 changes the calculation method of “C: influence on confidentiality”, “I: influence on integrity”, and “A: influence on availability” according to the threat type 6187 acquired in step 5310, and acquires the determination value 6323.

  In step 5316, the threat risk value calculation unit 53 substitutes the determination value 6323 acquired in steps 5312 to 5315 in the CVSS basic value calculation formula, and registers the calculation result as the risk value 6183.

  In step 5317, the threat risk value calculation unit 53 ends this processing if the risk values 6183 of all threat events 6182 have been calculated in steps 5310 to 5316, and proceeds to step 5310 if the risk value 6183 of some threat event 6182 has not yet been calculated.

  Through the above steps, the risk value of the threat event extracted in step 531 can be calculated.

  FIG. 24 shows an outline processing flow for calculating “C: influence on confidentiality”, “I: influence on integrity”, and “A: influence on availability” in step 5315 according to the threat type 6187.

  In step 531501, the threat risk value calculation unit 53 proceeds to step 531502 if the threat type 6187 acquired in step 5310 is “reference”, to step 531505 if the threat type 6187 is “tampered”, “deleted”, or “executed”, and to step 531509 if the threat type 6187 is “communication interruption”.

  In step 531502, the threat risk value calculation unit 53 sets the degree of influence on integrity and the degree of influence on availability to “0”.

  In step 531503, the threat risk value calculation unit 53 acquires the degree of influence 62175 on the confidentiality of the P-ID 6186 acquired in step 5310.

  In step 531504, the threat risk value calculation unit 53 refers to the section 6322 in C of the parameter 6321 of the CVSS determination information 632 based on the confidentiality impact level 62175 acquired in step 531504, and acquires the determination value 6323.

  In step 531505, the threat risk value calculation unit 53 sets the degree of influence on confidentiality to “0”.

  In step 531506, the threat risk value calculation unit 53 acquires the S-ID 62131 stored as the data flow 62177 of the P-ID 6186 acquired in step 5310.

  In step 531507, the threat risk value calculation unit 53 acquires the highest ASIL value 62135 from the S-ID 62131 acquired in step 531507.

  In step 531508, the threat risk value calculation unit 53 refers to the sections 6322 in I and A of the parameter 6321 of the CVSS determination information 632 based on the highest ASIL value 62135 acquired in step 531507, and acquires the respective determination values 6323.

  In step 531509, the threat risk value calculation unit 53 sets the influence degree to the confidentiality and the influence degree to the integrity to “0”.

  In step 531510, the threat risk value calculation unit 53 acquires the corresponding ASIL value 62135 based on the S-ID 6184 acquired in step 5310.

  In step 531511, the threat risk value calculation unit 53 refers to the section 6322 in the parameter 6321 of the CVSS determination information 632 based on the ASIL value 62135 acquired in step 531510, and acquires the determination value 6323.

  Through the above steps, “C: impact on confidentiality”, “I: impact on integrity”, and “A: impact on availability” can be calculated in step 5315 according to the threat type 6187.
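The risk value calculation of steps 5310 to 5317, the threat-type branch of FIG. 24, and the priority ordering of step 541, as one added worked example in Python that is not the patent's own code. The determination table of FIG. 18 is not reproduced on this page, so the public CVSS v2 base metric values and the CVSS v2 base score equation are used. The following are assumptions of this example, not statements of the patent: the mappings from route classification, confidentiality impact level and ASIL onto CVSS metric classes; the reading of step 5314 as the external device's authentication count plus the smallest authentication count among the subsystem's internal connections; and the sample model and events.

```python
# Added example (not the patent's own code): risk value per threat event via
# the CVSS v2 base score, following steps 5312 to 5316 and FIG. 24.
ASIL_ORDER = ["QM", "A", "B", "C", "D"]  # ascending safety integrity

# Public CVSS v2 base metric values (the patent's FIG. 18 table is not on this page).
AV = {"local": 0.395, "adjacent": 0.646, "network": 1.0}
AC = {"high": 0.35, "medium": 0.61, "low": 0.71}
AU = {"multiple": 0.45, "single": 0.56, "none": 0.704}
CIA = {"none": 0.0, "partial": 0.275, "complete": 0.660}

# Assumed mappings from the model's classifications onto CVSS metric classes.
ROUTE_TO_AV = {"wired": "local", "short-range wireless": "adjacent", "internet": "network"}
CONF_LEVEL_TO_CIA = {"none": "none", "low": "partial", "high": "complete"}
ASIL_TO_CIA = {"QM": "none", "A": "partial", "B": "partial", "C": "complete", "D": "complete"}


def attack_complexity(external_count, total_external):
    """Step 5313: Y1 = n/3, Y2 = 2*Y1; fewer external connections means a harder attack."""
    y1 = total_external / 3
    y2 = 2 * y1
    if external_count < y1:
        return "high"
    if external_count < y2:
        return "medium"
    return "low"


def authentication_class(external_auth, internal_auths):
    """Step 5314 (assumed reading): m = external authentications + weakest internal path."""
    m = external_auth + (min(internal_auths) if internal_auths else 0)
    if m == 0:
        return "none"
    return "single" if m == 1 else "multiple"


def impact_classes(threat_type, asset, subsystem, subsystems_by_sid):
    """FIG. 24: C/I/A classes chosen by threat type."""
    if threat_type == "reference":                       # steps 531502-531504
        return CONF_LEVEL_TO_CIA[asset["confidentiality"]], "none", "none"
    if threat_type in ("tampering", "deletion", "execution"):  # steps 531505-531508
        highest = max((subsystems_by_sid[s]["asil"] for s in asset["data_flow"]),
                      key=ASIL_ORDER.index)
        return "none", ASIL_TO_CIA[highest], ASIL_TO_CIA[highest]
    if threat_type == "communication interruption":      # steps 531509-531511
        return "none", "none", ASIL_TO_CIA[subsystem["asil"]]
    raise ValueError(f"unknown threat type: {threat_type}")


def cvss2_base_score(av, ac, au, c, i, a):
    """Step 5316: the CVSS v2 base score equation, rounded to one decimal."""
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)


def risk_value(event, model):
    """Steps 5312 to 5316 for one threat event (S-ID, E-ID, P-ID, threat type)."""
    subsystems_by_sid = {s["sid"]: s for s in model}
    sub = subsystems_by_sid[event["sid"]]
    dev = next(d for d in sub["external_devices"] if d["eid"] == event["eid"])
    asset = next(p for p in sub["protected_assets"] if p["pid"] == event["pid"])
    total_external = sum(len(s["external_devices"]) for s in model)
    av = ROUTE_TO_AV[dev["route"]]
    ac = attack_complexity(len(sub["external_devices"]), total_external)
    au = authentication_class(dev["auth_count"], [c["auth_count"] for c in sub["internal_connections"]])
    c, i, a = impact_classes(event["threat_type"], asset, sub, subsystems_by_sid)
    return cvss2_base_score(av, ac, au, c, i, a)


def prioritize(events, model):
    """Step 541: attach risk values and order threat events from highest risk down."""
    scored = [dict(e, risk_value=risk_value(e, model)) for e in events]
    return sorted(scored, key=lambda e: e["risk_value"], reverse=True)


# Constructed sample model and threat events (not from the patent).
MODEL = [
    {"sid": 1, "asil": "B",
     "external_devices": [{"eid": 1, "route": "internet", "auth_count": 1}],
     "internal_connections": [{"target_sid": 2, "auth_count": 0}, {"target_sid": 3, "auth_count": 2}],
     "protected_assets": [{"pid": 1, "confidentiality": "high", "data_flow": [2, 3]},
                          {"pid": 2, "confidentiality": "none", "data_flow": [1]}]},
    {"sid": 2, "asil": "D", "external_devices": [{"eid": 2, "route": "wired", "auth_count": 0}],
     "internal_connections": [], "protected_assets": []},
    {"sid": 3, "asil": "QM", "external_devices": [{"eid": 3, "route": "short-range wireless", "auth_count": 0}],
     "internal_connections": [], "protected_assets": []},
]
EVENTS = [
    {"sid": 1, "eid": 1, "pid": 1, "threat_type": "reference"},
    {"sid": 1, "eid": 1, "pid": 1, "threat_type": "tampering"},
    {"sid": 1, "eid": 1, "pid": 2, "threat_type": "communication interruption"},
    {"sid": 1, "eid": 1, "pid": 2, "threat_type": "reference"},  # no confidentiality impact
]

if __name__ == "__main__":
    for e in prioritize(EVENTS, MODEL):
        print(e["risk_value"], e["threat_type"])
```

Two details worth noticing when running it: the tampering event scores highest because its data flow reaches an ASIL D subsystem, so I and A are both "complete" even though the attacked subsystem itself is only ASIL B; and a reference threat on an asset whose confidentiality impact is "none" scores 0.0, because the CVSS impact term is zero and the f(Impact) factor zeroes the whole base score, which is why such events sort last in step 541.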

  FIG. 25 shows an example of the risk evaluation method selection screen displayed in step 511, FIG. 26 an example of the subsystem change screen displayed in step 5121, and FIG. 27 an example of the subsystem parameter information registration screen displayed in step 5124.

  In FIG. 25, the model definition support unit 51 selects a risk evaluation method to be used (step 511). For example, the risk evaluation method 51002 may be selected in a pull-down format based on the method name 6311 of the risk value calculation method list information 631. After the selection is completed, a next button 51001 is pressed to shift to the screen in FIG.

  In FIG. 26, the model definition support unit 51 selects or adds a subsystem to be evaluated (step 5121). For example, the subsystem selection item 51004 may be selected in a radio box format based on the subsystem name 6112 of the subsystem classification information 611. When the column addition button 51005 is pressed, the model definition support unit 51 inputs the subsystem using the input device 1 and registers it in the subsystem classification information 611. When the return button 51003 is pressed, the screen of FIG. 25 is displayed. When the next button 51006 is pressed, the screen of FIG. 27 is displayed.

  In FIG. 27, the model definition support unit 51 displays the subsystems selected or added in step 5121 on the output device 2 in a deactivated state, and a subsystem for inputting detailed parameter information is selected (step 5124). For example, the information system subsystem object 51007 may be pressed as a subsystem to display the screen of FIG. 28 in a pop-up format. When the return button 51006 is pressed, the screen returns to the screen of FIG.

  FIG. 28 shows an example of the externally connected device number registration screen displayed in step 51251, FIG. 29 an example of the externally connected device detailed information registration screen displayed in step 51252, and FIG. 30 an example of the participant detailed information registration screen displayed in step 5163.

  In FIG. 28, the model definition support unit 51 registers the number of externally connected devices (step 51251). For example, addition or subtraction may be performed using a selection button like the number of externally connected devices 51,090, or direct input may be performed using the input device 1. When the return button 51008 is pressed, the pop-up screen is closed and the screen returns to the screen of FIG. 27. When the next button 51010 is pressed, the screen of FIG. 29 is displayed.

  In FIG. 29, the model definition support unit 51 inputs detailed information of the externally connected device (step 51252). For example, the name 51012 may be directly input using the input device 1, and the route segment 51013 may be selected in a pull-down format based on the route 62112 of the route segment information 6211. The authentication count 51014 and the number of participant types 51015 may be added or subtracted using a selection button.

  When the next button 51017 is pressed, the screen of FIG. 30 is displayed if all the external connection devices 51016 to be input have been input. If not all of the external connection devices 51016 to be input have been input, the cursor is moved to an externally connected device 51016 that has not yet been input, and a screen for inputting the input items 51012 through 51015 is displayed in the same manner as described above.

  When the return button 51011 is pressed, the screen of FIG. is displayed if no external connection device 51016 to be input has been input yet, or if there is only one external connection device 51016 to be input. When there are a plurality of external connection devices 51016 to be input and at least one has been input, the cursor is moved from the external connection device 51016 at which it is currently positioned to the previous external connection device 51016, and a screen for inputting the input item 51019 and the input item 51020 is displayed in the same manner as described above.

  In FIG. 30, the model definition support unit 51 inputs detailed information on each participant (step 51253). For example, the participant name 51019 may be selected from a pull-down list of the participant names 6142 belonging to the participant category 62152 of the externally connected device, and the attack timing 51020 may be selected with radio buttons from the attack timings 62153 of that participant category 62152. When the next button 51022 is pressed and all participants 51021 to be entered have been entered, the screen of FIG. 31 is displayed; otherwise the cursor moves to the next participant 51021 not yet entered, and a screen for entering input items 51019 and 51020 is displayed in the same manner as above. When the return button 51018 is pressed and no participant 51021 has been entered yet, or there is only one participant 51021 to enter, the screen of FIG. 29 is displayed; when there are a plurality of participants 51021 to enter and at least one has been entered, the cursor moves from the participant 51021 on which it is currently positioned to the previous one, and a screen for entering input items 51019 and 51020 is displayed in the same manner as above.

  FIG. 31 shows an example of the internally connected device number registration screen displayed in step 51254, and FIG. 32 shows an example of the internally connected device detailed information registration screen displayed in step 51255.

  In FIG. 31, the model definition support unit 51 registers the number of internally connected devices (step 51254). For example, the number of internally connected devices 51024 may be incremented or decremented with a selection button. When the return button 51023 is pressed, the screen returns to the screen of FIG. 30; when the next button 51025 is pressed, the screen of FIG. 32 is displayed.

  In FIG. 32, the model definition support unit 51 inputs detailed information on each internally connected device (step 51255). For example, the name 51027 may be selected from a pull-down list populated from the subsystem names 6112 of the subsystem classification information 611, and the authentication count 51028 may be incremented or decremented with a selection button. When the next button 51030 is pressed and all internally connected devices 51029 to be entered have been entered, the screen of FIG. 33 is displayed; otherwise the cursor moves to the next internally connected device 51029 not yet entered, and a screen for entering input items 51027 and 51028 is displayed in the same manner as above. When the return button 51026 is pressed and no internally connected device 51029 has been entered yet, or there is only one internally connected device 51029 to enter, the screen of FIG. 31 is displayed; when there are a plurality of internally connected devices 51029 to enter and at least one has been entered, the cursor moves from the internally connected device 51029 on which it is currently positioned to the previous one, and a screen for entering input items 51027 and 51028 is displayed in the same manner as above.

  FIG. 33 shows an example of the protected asset number registration screen displayed in step 51256, FIG. 34 shows an example of the protected asset detailed information registration screen displayed in step 51257, and FIG. 35 shows an example of the ASIL information registration screen displayed in step 51258.

  In FIG. 33, the model definition support unit 51 registers the number of protected assets (step 51256). For example, the number of protected assets 51032 may be added or subtracted using a selection button. When the return button 51031 is pressed, the screen returns to the screen of FIG. 32, and when the next button 51033 is pressed, the screen of FIG. 34 is displayed.

  In FIG. 34, the model definition support unit 51 inputs detailed information on each protected asset (step 51257). For example, the asset name 51035 may be entered directly with the input device 1; the asset type 51036 may be selected from a pull-down list populated from the asset types 6161 of the asset type / threat correspondence information 616; the influence degree (confidentiality) 51037 may be selected from a pull-down list populated from the influence degrees 62122 of the influence degree information 6212 on confidentiality; the attack timing 51038 may be selected with check boxes populated from the life cycle names 6122 of the life cycle classification information 612; and the data flow 51039 may be selected from a pull-down list populated from the subsystem names 6112 of the subsystem classification information 611. Pressing the column addition button 51040 adds another data flow 51039 input item. When the next button 51042 is pressed and all protected assets 51041 to be entered have been entered, the screen of FIG. 35 is displayed; otherwise the cursor moves to the next protected asset 51041 not yet entered, and a screen for entering input items 51035 through 51040 is displayed in the same manner as above. When the return button 51034 is pressed and no protected asset 51041 has been entered yet, or there is only one protected asset 51041 to enter, the screen of FIG. 33 is displayed; when there are a plurality of protected assets 51041 to enter and at least one has been entered, the cursor moves from the protected asset 51041 on which it is currently positioned to the previous one, and a screen for entering input items 51035 through 51040 is displayed in the same manner as above.

  In FIG. 35, the model definition support unit 51 inputs the ASIL value (step 51258). For example, it may be selected from a pull-down list populated from the ASIL values 6132 of the ASIL classification information 613. When the return button 51043 is pressed, the screen returns to the screen of FIG. 34; when the completion button 51045 is pressed, the pop-up screen is closed.

  FIG. 36 shows an example of the registered subsystem activation screen displayed in step 51259, and FIG. 37 shows an example of the threat risk evaluation execution screen displayed in step 521. FIGS. 36 and 37 are obtained by updating the display contents of FIG. 27 based on steps 5125 to 5126.

  In FIG. 36, the model definition support unit 51 adds a route line 51046 and an externally connected device object 51047 to the subsystem object 51048 selected at step 5125 based on the parameters input at step 51251 to step 51258. At the same time, the subsystem object 51048 is activated and displayed (step 51259).

  In FIG. 37, the threat extraction unit 52 displays a screen for executing threat event extraction and threat risk value calculation as a threat risk evaluation (step 521). Here, if the risk evaluation button 51049 is pressed, the processing from step 521 to step 541 is executed.

  FIG. 38 shows an example of the threat risk evaluation result screen displayed in step 551 above.

  In FIG. 38, the threat extraction unit 52 displays on the screen the threat events, risk values and priorities resulting from the threat risk evaluation of steps 511 to 541 (step 551). For example, the threats and risk values of the threat risk value information 618, prioritized in step 541, may be displayed in table format as the threat risk evaluation result 51051. The display item 51050 may be selected from a pull-down list containing the entire evaluation target and the subsystem names 6112 of the subsystem classification information 611, so that either the threat risk evaluation result for the entire evaluation target or the result for each individual subsystem is displayed.

  As described above, this threat risk evaluation support device automatically extracts the threats in the evaluation target and automatically calculates the risk value of each threat, without depending on the security knowledge and experience of the analyst, and can present the risk value of each threat to the analyst.

  Although this embodiment is described for an in-vehicle network, the threat risk evaluation support device is not limited to this and can also be applied to threat risk evaluation of control systems and information systems.

Reference numerals: 1 input device; 2 output device; 3 input/output control unit; 4 CPU; 5 memory; 6 disk; 7 bus

Claims (10)

  1. An evaluation device for evaluating a security threat to a system to be evaluated, comprising:
    an input unit to which design information is input, the design information being information on a plurality of design items in the system and being information on a subsystem to be evaluated in the system;
    a storage unit that stores, in association with a plurality of evaluation items related to security threats, information on the subsystem input from the input unit, the information on the subsystem including externally connected device number information indicating the number of externally connected devices of the subsystem, path type information on the path between the subsystem and the externally connected devices, and authentication count information on the number of authentications performed when the subsystem and the externally connected devices communicate, wherein the storage unit associates the externally connected device number information with identification information of the subsystem, associates the path type information with the identification information of the subsystem and identification information of the externally connected device, and associates the authentication count information with the identification information of the subsystem and identification information of an internally connected device; and
    a control unit that retrieves from the storage unit the externally connected device number information, path type information and authentication count information corresponding to the subsystem identification information, externally connected device identification information and internally connected device identification information acquired by the evaluation device, extracts a security threat in the system based on the retrieved externally connected device number information, path type information and authentication count information, calculates, based on the evaluation items associated with the information on the plurality of design items, a threat risk value indicating the magnitude of the security threat for the extracted threat, and causes a display unit to display the extracted threat in the system and the threat risk value for the threat.
  2. The evaluation device according to claim 1, wherein
    the control unit displays information on a plurality of types of evaluation methods for evaluating security threats on the display unit, and determines the information on the design items displayed on the display unit according to the type of evaluation method input to the input unit.
  3. The evaluation device according to claim 1, wherein
    CVSS (Common Vulnerability Scoring System) is used as the technique for evaluating the security threat.
  4. The evaluation device according to claim 1, wherein
    the information on the subsystem further includes participant type information on participants that may cause a security threat, and protected asset information on protected assets.
  5. The evaluation device according to claim 4, wherein
    the storage unit stores first correspondence information in which the participant type information is associated with motive information on a motive for causing a security threat, second correspondence information in which the protected asset information is associated with threat type information on a threat type, and third correspondence information in which the threat type information, threat influence range information indicating a threat influence range and threat content information indicating a threat content are associated with each other, and
    the control unit extracts a threat in the subsystem based on the first correspondence information, the second correspondence information, the third correspondence information and the design information input from the input unit.
  6. An evaluation method in a device for evaluating a security threat to a system to be evaluated, the method comprising, by the device:
    accepting design information, the design information being information on a plurality of design items in the system and being information on a subsystem to be evaluated in the system;
    storing in a storage unit of the device, in association with a plurality of evaluation items related to security threats, information on the subsystem including the accepted externally connected device number information indicating the number of externally connected devices of the subsystem, path type information on the path between the subsystem and the externally connected devices, and authentication count information on the number of authentications performed when the subsystem and the externally connected devices communicate, the externally connected device number information being associated with identification information of the subsystem, the path type information being associated with the identification information of the subsystem and identification information of the externally connected device, and the authentication count information being associated with the identification information of the subsystem and identification information of an internally connected device;
    retrieving from the storage unit the externally connected device number information, path type information and authentication count information corresponding to the subsystem identification information, externally connected device identification information and internally connected device identification information acquired by the device, and extracting a security threat in the system based on the retrieved externally connected device number information, path type information and authentication count information;
    calculating, based on the evaluation items associated with the information on the plurality of design items, a threat risk value indicating the magnitude of the security threat for the extracted threat; and
    displaying the extracted threat in the system and the threat risk value for the threat on a display unit.
  7. The evaluation method according to claim 6, wherein
    the device displays information on a plurality of types of evaluation methods for evaluating security threats on the display unit, accepts evaluation method information indicating an evaluation method, and
    determines the information on the design items displayed on the display unit according to the type of evaluation method indicated by the accepted evaluation method information.
  8. The evaluation method according to claim 6, wherein
    CVSS (Common Vulnerability Scoring System) is used as the technique for evaluating the security threat.
  9. The evaluation method according to claim 6, wherein
    the information on the subsystem further includes participant type information on participants that may cause a security threat, and protected asset information on protected assets.
  10. The evaluation method according to claim 9, wherein
    the device stores first correspondence information in which the participant type information is associated with motive information on a motive for causing a security threat, second correspondence information in which the protected asset information is associated with threat type information on a threat type, and third correspondence information in which the threat type information, threat influence range information indicating a threat influence range and threat content information indicating a threat content are associated with each other, and
    extracts a threat in the subsystem based on the first correspondence information, the second correspondence information, the third correspondence information and the design information input from the input unit.
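
As an added worked example (not code from the patent, its applicant, or any product), the following Python script models the threat risk evaluation described for FIGS. 27 to 38 and specified in claims 1, 3, 5 and 10: the design information registered per subsystem (externally connected devices with route segment, authentication count and participants with attack timing; protected assets with asset type and attack timing), the three correspondence tables of claims 5 and 10, extraction of threat events, calculation of a risk value per threat, and prioritization for display as in FIG. 38. The contents of the correspondence tables, the mapping of route segment and authentication count onto the CVSS v2 access-vector and authentication metrics, the fixed Low access complexity, the unused ASIL field and the sample telematics subsystem are all assumptions of this example; the page says only that CVSS is used and does not disclose which version or which metric mapping. The CVSS v2 base-score equation and weights are those of the published specification.

```python
"""Toy threat extraction and risk scoring in the shape of JP6047463B2.

Added example, not the patent's or Hitachi Automotive Systems' code. Table
contents, the CVSS v2 metric mapping and the sample subsystem are assumed.
"""
from dataclasses import dataclass

# First correspondence information: participant type -> motive (contents assumed)
PARTICIPANT_MOTIVE = {"owner": "tuning", "third_party": "theft", "mechanic": "mischief"}

# Second correspondence information: asset type -> threat types (contents assumed)
ASSET_THREAT = {
    "key": ["disclosure", "tampering"],
    "firmware": ["tampering", "denial_of_service"],
}

# Third correspondence information: threat type -> (influence range, threat content,
# CVSS v2 confidentiality/integrity/availability impact) (contents assumed)
THREAT_CONTENT = {
    "disclosure": ("subsystem", "asset is read out over the route", ("P", "N", "N")),
    "tampering": ("vehicle", "asset is rewritten over the route", ("N", "C", "N")),
    "denial_of_service": ("subsystem", "subsystem stops responding", ("N", "N", "C")),
}

# CVSS v2 base metric weights, as published in the CVSS v2 specification
AV = {"L": 0.395, "A": 0.646, "N": 1.0}   # access vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}    # access complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}   # authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}  # impact

# Assumed mapping of the route segment (item 51013) onto the CVSS access vector
ROUTE_TO_AV = {"wireless": "N", "wired_external": "A", "internal_bus": "L"}


@dataclass
class ExternalDevice:
    name: str
    route: str          # route segment 51013
    auth_count: int     # authentication count 51014
    participants: list  # (participant type 51019, attack timing 51020) pairs


@dataclass
class ProtectedAsset:
    name: str
    asset_type: str     # asset type 51036
    attack_timing: set  # life-cycle names checked in attack timing 51038


@dataclass
class Subsystem:
    name: str
    external_devices: list
    assets: list
    asil: str           # ASIL value of FIG. 35, carried for display only


def cvss2_base(av, ac, au, c, i, a):
    """CVSS v2 base score rounded to one decimal, per the v2 equation."""
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def auth_metric(auth_count):
    """Assumed mapping of the authentication count onto the CVSS v2 Au metric."""
    return "N" if auth_count == 0 else "S" if auth_count == 1 else "M"


def extract_threats(sub):
    """Enumerate and rank threat events for one subsystem.

    One event per (device, participant, asset, threat type) whose participant
    attack timing falls inside the asset's attack timing. Access complexity is
    fixed at Low because the page registers no parameter for it.
    """
    threats = []
    for dev in sub.external_devices:
        for ptype, timing in dev.participants:
            for asset in sub.assets:
                if timing not in asset.attack_timing:
                    continue  # participant cannot reach this asset at that life-cycle stage
                for ttype in ASSET_THREAT[asset.asset_type]:
                    scope, content, (c, i, a) = THREAT_CONTENT[ttype]
                    risk = cvss2_base(ROUTE_TO_AV[dev.route], "L",
                                      auth_metric(dev.auth_count), c, i, a)
                    threats.append({
                        "subsystem": sub.name, "device": dev.name, "participant": ptype,
                        "motive": PARTICIPANT_MOTIVE[ptype], "asset": asset.name,
                        "threat_type": ttype, "scope": scope, "content": content, "risk": risk,
                    })
    threats.sort(key=lambda t: t["risk"], reverse=True)  # highest risk first
    for rank, t in enumerate(threats, start=1):
        t["priority"] = rank
    return threats


def sample_subsystem():
    """Constructed sample: a telematics ECU paired with an unauthenticated smartphone."""
    phone = ExternalDevice("smartphone", "wireless", 0, [("third_party", "operation")])
    key = ProtectedAsset("vehicle key", "key", {"operation", "maintenance"})
    fw = ProtectedAsset("ECU firmware", "firmware", {"maintenance"})
    return Subsystem("telematics ECU", [phone], [key, fw], "ASIL B")


if __name__ == "__main__":  # table as on the result screen of FIG. 38
    for t in extract_threats(sample_subsystem()):
        print(f'{t["priority"]:>2} {t["risk"]:>4} {t["asset"]:<14} {t["threat_type"]:<18} {t["content"]}')
```

Running the script lists two threat events for the sample: tampering with the vehicle key (7.8) ranked first and disclosure of the key (5.0) second; the firmware threats are filtered out because the third party's attack timing (operation) is not among the firmware's registered attack timings. Adding one authentication on the smartphone route (auth_count 1) lowers the disclosure score to 4.0, which is the kind of design-parameter sensitivity the evaluation items are meant to expose.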

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2013170899A JP6047463B2 (en) 2013-08-21 2013-08-21 Evaluation apparatus and method for evaluating security threats

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2013170899A JP6047463B2 (en) 2013-08-21 2013-08-21 Evaluation apparatus and method for evaluating security threats
PCT/JP2014/070298 WO2015025694A1 (en) 2013-08-21 2014-08-01 Scoring device and method for scoring security threat

Publications (2)

Publication Number Publication Date
JP2015041167A JP2015041167A (en) 2015-03-02
JP6047463B2 true JP6047463B2 (en) 2016-12-21

Family

ID=52483475

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2013170899A Active JP6047463B2 (en) 2013-08-21 2013-08-21 Evaluation apparatus and method for evaluating security threats

Country Status (2)

Country Link
JP (1) JP6047463B2 (en)
WO (1) WO2015025694A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP3338424A1 (en) * 2015-08-21 2018-06-27 Renesas Electronics Europe Limited Design support system
EP3151114A1 (en) 2015-09-29 2017-04-05 Panasonic Intellectual Property Management Co., Ltd. Software development system in system development based on model-based method
US10268824B2 (en) 2016-03-01 2019-04-23 Wipro Limited Method and system for identifying test cases for penetration testing of an application

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4084914B2 (en) * 1999-09-29 2008-04-30 株式会社日立製作所 Security evaluation method and apparatus, security measure creation support method and apparatus
JP2002352062A (en) * 2001-05-24 2002-12-06 Hitachi Ltd Security evaluation device
JP4663484B2 (en) * 2005-04-25 2011-04-06 株式会社日立製作所 System security design / evaluation support tool, system security design support tool, system security design / evaluation support program, and system security design support program
JP2009015570A (en) * 2007-07-04 2009-01-22 Nippon Telegr & Teleph Corp <Ntt> System and method for distributing vulnerability information
JP5413010B2 (en) * 2009-07-17 2014-02-12 日本電気株式会社 Analysis apparatus, analysis method, and program
US9141805B2 (en) * 2011-09-16 2015-09-22 Rapid7 LLC Methods and systems for improved risk scoring of vulnerabilities

Also Published As

Publication number Publication date
WO2015025694A1 (en) 2015-02-26
JP2015041167A (en) 2015-03-02


Legal Events

Date Code Title
2016-04-15 A621 Written request for application examination
2016-04-15 A521 Written amendment (JAPANESE INTERMEDIATE CODE: A523)
2016-08-09 A131 Notification of reasons for refusal
2016-10-05 A521 Written amendment (JAPANESE INTERMEDIATE CODE: A523)
TRDD Decision of grant or rejection written
2016-10-25 A01 Written decision to grant a patent or to grant a registration (utility model)
2016-11-21 A61 First payment of annual fees (during grant procedure)
R150 Certificate of patent or registration of utility model (Ref document number: 6047463; country of ref document: JP)