JP6294847B2 - Log management control system and log management control method - Google Patents

Description

  The present invention relates to a log management control system and a log management control method, and more specifically, effective log collection can be efficiently performed according to the status of the corresponding system in monitoring related to risks derived from vulnerabilities. It relates to the technology.

  In the information society, a wide variety of software exists and is used. On the other hand, it is inevitable that such software contains software vulnerabilities due to program defects or specification problems. For this reason, it is difficult to avoid all risks from targeted attacks using such vulnerabilities in advance. In particular, in recent years, about 5,000 software vulnerabilities are discovered and disclosed annually, and the amount of attacks by malicious attackers using such vulnerabilities tends to increase significantly immediately after the information disclosure of the vulnerabilities. It has been reported.

  Therefore, the system administrator who operates the information system needs to efficiently implement countermeasures for the vast amount of vulnerability information discovered and disclosed as described above. Generally, in vulnerability countermeasures, information on the target system and vulnerability information are acquired, the relationship between the two information and the risks posed by the vulnerability information are evaluated, and effective countermeasures are based on this. Measures are planned and measures are actually applied.

  Here, as a countermeasure against vulnerability, a fundamental countermeasure is taken by partially or completely updating a program that directly corrects a problem of software. Such a program update may affect the operation of an application installed in the system. For this reason, a regression test or the like is necessary, and it has been difficult to take fundamental measures quickly in a system that is always in operation.

  Therefore, for example, log monitoring must be performed for an attack using the vulnerability targeted for countermeasure until the fundamental vulnerability countermeasure is completed. On the other hand, it is difficult and inefficient to directly monitor a large amount of logs generated in the target device due to restrictions on the log transfer amount and storage capacity in the monitoring system. For this reason, a technique has been proposed in which a summary log is generated according to log similarity and the presence or absence of a result, and only a summary log with a large amount of information is stored and transferred (see Patent Document 1).

JP 2010-39878 A

  According to the prior art, it is possible to reduce the computing resource load for monitoring by transferring and storing a summary log in which logs are aggregated. However, the original purpose of log monitoring is to monitor attacks using system vulnerabilities, and when performing log aggregation that depends on similarity and the amount of information as in the prior art, the amount of information necessary for attack monitoring cannot be secured. There is a fear.

  Therefore, an object of the present invention is to provide a technique that enables effective log collection in monitoring related to a risk derived from vulnerability depending on the situation of the corresponding system.

  The log management control system of the present invention that solves the above-mentioned problems is held in the database, a storage device that holds a database that correlates each piece of information about the devices, networks, and vulnerabilities related to the devices that constitute the managed system. Based on each piece of information on the device, the network, and the vulnerability, risk assessment is performed by a predetermined algorithm for the influence relationship of the vulnerability according to the arrangement of each device in the network, and the height of the risk is equal to or higher than a predetermined standard An arithmetic device that instructs the device to collect logs is provided.

  Also, the log management control method of the present invention is an information processing system comprising a device that configures a management target system, a network, and a storage device that holds a database that associates vulnerability information related to the device with each other. Based on the information on the device, the network, and the vulnerability held in the above, a risk evaluation is performed by a predetermined algorithm for the influence relationship of the vulnerability according to the arrangement of each device in the network, and the height of the risk is predetermined. It is characterized in that log collection is instructed to a device exceeding the standard.

  According to the present invention, it is possible to efficiently execute log collection that is effective in monitoring related to a risk derived from vulnerability depending on the situation of the corresponding system.

It is a figure which shows the example of a network structure containing the log management control system in this embodiment. It is a figure which shows the function structural example of the management object apparatus in this embodiment. It is a figure which shows the function structural example of the information collection server in this embodiment. It is a figure showing an example of functional composition of a security knowledge public organization server in this embodiment. It is a figure which shows the function structural example of the client in this embodiment. It is a figure which shows the function structural example of the risk evaluation server in this embodiment. It is a figure which shows the function structural example of the log collection management server in this embodiment. It is a figure which shows the hardware structural example of the computer apparatus which comprises the log management control system in this embodiment. It is a figure which shows the data table list stored in the database in this embodiment. It is a figure which shows the example of the user information table in this embodiment. It is a figure which shows the example of the network information table in this embodiment. It is a figure which shows the example of the apparatus information table in this embodiment. It is a figure which shows the example of the vulnerability information table in this embodiment. It is a figure which shows the example of the collection setting of the log collection management setting information table in this embodiment. It is a figure which shows the example of the analysis rule setting of the log collection management setting information table in this embodiment. It is a flowchart which shows the procedure example 1 of the log management control method in this embodiment. It is a flowchart which shows the procedure example 2 of the log management control method in this embodiment. It is a flowchart which shows the procedure example 3 of the log management control method in this embodiment. It is a flowchart which shows the procedure example 4 of the log management control method in this embodiment. It is a figure which shows the example 1 of a screen in this embodiment. It is a flowchart which shows the example 2 of a screen in this embodiment. It is a flowchart which shows the example 5 of a procedure of the log management control method in this embodiment. It is an example of the setting table of the collection log by the vulnerability classification in this embodiment. It is an example of the setting table of the collection log for every product in this embodiment. It is an example of the setting table regarding the collection level of each log in this embodiment. It is a figure which shows the example 3 of a screen in this embodiment. It is a figure which shows the example 4 of a screen in this embodiment. It is a figure which shows the example 6 of a procedure of the log management control method in this embodiment.

--- System configuration ---

  Embodiments of the present invention will be described below in detail with reference to the drawings. FIG. 1 is a network configuration diagram including a log management control system 10 of the present embodiment. The log management control system 10 shown in FIG. 1 is a computer system that evaluates vulnerability risk based on the system configuration and topology in addition to the technical characteristics of each vulnerability and performs log management control based on the evaluation result. is there. As a result, it becomes a system that can efficiently execute log collection effective in monitoring related to the risk derived from the vulnerability according to the situation of the corresponding system.

  A network 102 including the log management control system 10 of this embodiment illustrated in FIG. 1 includes an information collection server 103, a security knowledge public organization server 104, a database, in addition to a management target device 101 constituting a risk evaluation target system. A server 105, a client 106, a risk evaluation server 107, and a log collection management server 108 are connected. Among these devices, at least the risk evaluation server 107 and the log collection management server 108 constitute the log management control system 10. Among these, at least the risk evaluation server 107 can access the database server 105. Of course, the log management control system 10 may include a device other than the risk evaluation server 107 and the log collection management server as appropriate.

  Of the devices connected to the network 102 described above, the management target device 101 is a device that constitutes a system that is managed as a risk evaluation target by the system administrator, that is, the management target system 20. FIG. 1 illustrates a plurality of management target devices 101_1 to 101_n. In this embodiment, what is monitored by log collection and management is a risk posed by the vulnerability possessed by the managed device 101.

  Further, the information collection server 103 connected to the network 102 described above is information related to the management target system 20, that is, the management target device 101 (system information, identification information of each management target device 101, information related to the network to which the management target device 101 belongs. And the like, and the security information (at least vulnerability information related to the management target device 101 described above) disclosed by the security knowledge disclosure organization server 104 on the Internet 102_2.

  On the other hand, the security knowledge publishing organization server 104 is a server device of a predetermined organization that publishes security knowledge on the Internet 102_2. As an example of an operating organization of the security knowledge public organization server 104, a company that provides various security countermeasure services such as computer virus detection and countermeasures, an OS (Operating System) provider, and the like can be assumed. Such an operating organization publishes vulnerability information related to information security obtained with respect to a specific information processing apparatus, OS, or software by the security knowledge disclosure organization server 104.

Note that the management target device 101, the information collection server 103, and the log collection management server 108 are connected via a network 102_1. Further, the information collection server 103 and the security knowledge publishing organization server 104 are connected via the Internet 102_2.

  The database server 105 is a server device that stores the above-described system information and security knowledge collected by the information collection server 103, and is connected to at least the risk assessment server 107 via the network 102_3. Alternatively, the stored information in the database server 105 may be stored in the external storage device 704 (see FIG. 7) of the risk evaluation server 107. In that case, the database server 105 may be omitted.

  The client 106 connected to the network 102 is a general computer terminal that is directly operated by a system administrator. The client 106 is a device that is a main output destination of the processing result by the risk evaluation server 107, that is, the risk evaluation result and the log management control content of the present embodiment.

  Further, the risk evaluation server 107 constituting the log management control system 10 evaluated the vulnerability of the managed system 20 based on the information on the database server 105 and the request of the system administrator received through the client 106. It is a server apparatus which performs each procedure corresponding to the log management control method of this embodiment above. The risk evaluation server 107 may be configured to include the functions and configurations of the information collection server 103 described above.

  The log collection management server 108 is a server device that constitutes the log management control system 10 together with the risk evaluation server 107 described above. The log collection management server 108 collects log information generated by the management target system 20, that is, the management target device 101 described above. It is a device to manage. The risk evaluation server 107 is a device for adding / changing parameters for log collection and log monitoring based on the result processed by the risk evaluation server 107 and a request from the system administrator received via the client 106. .

In the present embodiment, the networks 102_1, 102_2, and 102_3 are illustrated as different networks, but may be the same network. Moreover, the component which attached | subjected the code | symbol in the network structure of FIG. 1 may be plurality according to embodiment.
--- Functional structure ---

  Next, functions provided in the log management control system 10 of this embodiment will be described. As described above, the functions described below can be said to be functions that are implemented by executing the programs included in the risk evaluation server 107 and the log collection management server 108 that constitute the log management control system 10, for example. Here, not only the risk evaluation server 107 but also the functions implemented by each device in the above-described network configuration including the log management control system 10 executing an appropriate program provided in the memory or the external storage device, for example. Each will be explained.

  FIG. 2 is a diagram illustrating a functional configuration example of the management target device 101 according to the present embodiment. A management target device 101 illustrated in FIG. 2 includes a transmission / reception unit 201 and a control unit 202. Among these, the transmission / reception unit 201 is a processing unit that transmits / receives information to / from the information collection server 103 and the log collection management server 108 via the network 102_1.

On the other hand, the control unit 202 includes a system information output unit 203 and a log information output unit 205. Among these, the system information output unit 203 collects system information including information such as device ID, device name, product ID (product ID), network segment ID, and relay device to be used, which is identification information of the management target device 101, and transmits / receives it. It is a processing unit that transmits to the information collection server 103 via the unit 201. For collecting system information in the system information output unit 203, a standard function of the OS installed in the management target device 101 may be used, but other methods may be adopted, and the form is not limited.

  In addition, the log information output unit 205 accesses the local log storage unit 204 generated and recorded by the management target device 101, extracts log information of a specified condition from the log collection management server 108, and transmits / receives this It is a processing unit that transmits to the log collection management server 108 via the unit 201.

  FIG. 3 is a diagram illustrating a functional configuration example of the information collection server 103 according to the present embodiment. The information collection server 103 illustrated in FIG. 3 includes a transmission / reception unit 301 and a control unit 302. Among these, the transmission / reception unit 301 is a processing unit that transmits and receives information via the networks 102_1, 102_2, and 102_3.

  On the other hand, the control unit 302 includes a system information collection unit 303 and a security knowledge collection unit 304. Among these, the system information collection unit 303 receives the above-described system information from the management target device 101 via the transmission / reception unit 301 and stores it in the database server 105. Further, the security knowledge collecting unit 304 receives the security knowledge from the security knowledge public institution server 104 via the transmission / reception unit 301 and stores it in the database server 105.

  FIG. 4 is a diagram illustrating a functional configuration example of the security knowledge publishing organization server 104 according to the present embodiment. The security knowledge publishing organization server 104 illustrated in FIG. 4 includes a transmission / reception unit 401 and a control unit 402. Among these, the transmission / reception unit 401 is a processing unit that transmits / receives information to / from the information collection server 103 via the network 102_2.

  On the other hand, the control unit 402 includes a security knowledge output unit 403. The security knowledge output unit 403 transmits the security knowledge held in the security knowledge storage unit 404 to the information collection server 103 via the transmission / reception unit 401 described above. The method of collecting and managing the security knowledge in the security knowledge publishing organization server 104 differs depending on the specifications of the security knowledge publishing organization server 104 and the operating company of the security knowledge publishing organization server 104, and is not particularly limited here.

  FIG. 5 is a diagram illustrating a functional configuration example of the client 106 according to the present embodiment. The client 106 illustrated in FIG. 5 includes a transmission / reception unit 501, an input / output unit 502, and a control unit 503. Among these, the transmission / reception unit 501 is a processing unit that transmits and receives information via the network 102_3. The input / output unit 502 is a processing unit that controls input from a user such as a system administrator via an interface device such as a keyboard and controls output processing for the user via an interface device such as a monitor.

  The control unit 503 includes a screen display processing unit 504, a screen display request unit 505, a vulnerability risk display request unit 506, a log management cooperation display request unit 507, a log display request unit 508, and a log analysis display request unit 509. It is composed of

  Among these, the screen display processing unit 504 is a processing unit that performs screen display for the user via the above-described input / output unit 502, and includes a screen display request unit 505, a vulnerability risk display request unit 506, and a log management linkage display. The screen acquired by the request unit 507, the log display request unit 508, and the log analysis display request unit 509 is displayed.

  In addition, the screen display request unit 505 requests the risk evaluation server 107 for the initial screen data to be presented to the user when connected from the client 106 via the transmission / reception unit 501 and receives the corresponding data. Part.

  Also, the vulnerability risk display request unit 506 and the log management cooperation display request unit 507 send the vulnerability risk evaluation result performed by the risk evaluation server 107 and the display request regarding the log management cooperation processing via the transmission / reception unit 501. A processing unit that transmits to the risk evaluation server 107 and receives screen data of a processing result obtained from the risk evaluation server 107.

  Also, the log display request unit 508 and the log analysis display request unit 509 accept a request regarding the log collection management server 108 from the user via the input / output unit 502 described above, and receive the request via the transmission / reception unit 501. The processing unit transmits the data to 108 and receives the screen data obtained from the log collection management server 107.

  FIG. 6 is a diagram illustrating a functional configuration example of the risk evaluation server 107 of the present embodiment. The risk evaluation server 107 illustrated in FIG. 6 includes a transmission / reception unit 601 and a control unit 602. Among these, the transmission / reception unit 601 is a processing unit that transmits and receives information via the network 102_3.

  On the other hand, the control unit 602 includes an initial screen display processing unit 603, a vulnerability risk display processing unit 604, a log management cooperation display processing unit 605, a risk value calculation processing unit 607, and a log management cooperation processing unit 608.

  Among these, the screen display processing unit 603 receives a screen display request from the client 106 via the transmission / reception unit 601, and transmits screen data necessary for screen display to, for example, the database server 105 (in this case, the database server 105 is a client). 106 is stored in advance on the screen data of each display screen in 106, and returns this.

  Further, the vulnerability risk display processing unit 604 receives a vulnerability risk display request from the client 106 via the transmission / reception unit 601, and obtains screen data of the vulnerability risk evaluation result obtained by using the risk value calculation processing unit 607. This is a processing unit that sends a reply.

  Further, the log management cooperation display processing unit 605 receives the log management cooperation display request from the client 106 via the transmission / reception unit 601, and obtains the screen data of the log cooperation processing result obtained by using the log management cooperation processing unit 608. Is a processing unit that sends back.

  In addition, the risk value calculation processing unit 607 determines the network configuration of the management target system 20 based on the information on the database server 105 (information collected from the management target device 101 and information collected from the security knowledge publishing organization server 104). It is a processing unit that calculates a risk value that takes into account. Here, the following is known as a technique for calculating the risk value.

  ・ M. Schiffman et al .: "CVSS: A Common Vulnerability Scoring System", National Infrastructure Advisory Council (NIAC), 2004

  ・ O. Sheyner et al .: “Tools for Generating and Analyzing Attack Graphs”, Lecture Notes in Computer Science Volume 3188, 2004, pp 344-371

  ・ Sugimoto et al .: Risk assessment system based on dynamic modeling, CSS2014, pp.100-107

  It is assumed that the risk value of each vulnerability inherent in the managed system 20 is obtained based on these methods, but the risk value calculation method is not limited to these in the present embodiment.

  Further, the log management cooperation processing unit 608 performs log collection setting and monitoring setting according to the risk value based on information on the database server 105 (information for log collection setting and monitoring setting of each device 101). It is a processing part which performs the process for this.

  Details of processing by each functional unit in the above-described risk evaluation server 107 will be described later based on a flowchart.

FIG. 7 is a diagram illustrating a functional configuration example of the log collection management server 108 according to the present embodiment. The log collection management server 108 illustrated in FIG. 7 includes a transmission / reception unit 701, a control unit 702, and a storage unit 703. Among these, the transmission / reception unit 701 is a processing unit that transmits and receives information via the network 102.

  On the other hand, the control unit 702 includes a log collection processing unit 705, a log collection setting processing unit 706, a log display processing unit 707, a log analysis processing unit 708, a log analysis setting processing unit 709, and a log analysis display processing unit 710. Yes.

  Among these, the log display processing unit 707 and the log analysis display processing unit 710 receive a log display and log analysis display request from the client 106 via the transmission / reception unit 701, and are necessary for displaying the log screen and the log analysis screen. This is a processing unit that acquires and processes data from, for example, the storage unit 704, and returns the data.

  The log collection processing unit 705 is a processing unit that collects log information from the management target device 101 based on information in the setting information storage unit 711 of the storage unit 704, and stores and manages the log information in the log storage unit 712. At this time, the log collection processing unit 705 standardizes and records and manages the format of description items common to each log such as date and time in preparation for the later analysis processing.

  In addition, the log analysis processing unit 708 is a processing unit that performs log analysis based on the information in the setting information storage unit 711 described above, generates monitoring information corresponding to the setting, and stores this in the log storage unit 712. is there.

In addition, the log collection setting processing 706 and the log analysis setting processing unit 709 update the information in the setting information storage unit 711 to the settings specified by the user request from the client 106, and update the information in the database server 105 in synchronization. Is a processing unit. The information in the setting information storage unit 711 described above is the same as the information in the log collection management setting information table 905 in the database server 105 described later.
--- Hardware configuration ---

  Next, the hardware configuration of the devices that constitute the log management control system 10 of this embodiment will be described. FIG. 8 is a diagram illustrating a hardware configuration example of the computer apparatus 801 constituting the log management control system 10 of the present embodiment.

The computer device 801 illustrated in the figure includes a CPU 802, a memory 803 configured by a volatile storage element such as a RAM, an external storage device 804 configured by an appropriate nonvolatile storage element such as an SSD (Solid State Drive) or a hard disk drive, A transmission / reception device 805 such as a network interface card (NIC), an output device 806 such as a display, and an input device 807 such as a keyboard are included. Of these, the output device 806 and the input device 807 may not include any of the management target device 101, the security knowledge disclosure institution server 104, the information collection server 103, the risk evaluation server 107, and the log collection management server 108.

2 to 7, the control units 202, 302, 402, 503, 602, and 702 of each device load the CPU 802 to load the appropriate program stored in the external storage device 804 and execute it. To be implemented. In addition, the transmission / reception units 201, 301, 401, 501, 601, and 701 of each device illustrated in FIGS. 2 to 7 are implemented by the transmission / reception device 805. Further, the input / output unit 502 in the client 106 illustrated in FIG. 5 is implemented by an output device 806 and an input device 807. The storage units 404 and 704 of the nuclear device illustrated in FIGS. 4 and 7 are implemented by the external storage device 804.
--- Data structure example ---

  Next, a configuration example of data mainly used by the risk evaluation server 107 among the devices constituting the log management control system 10 of the present embodiment will be described. The data used in the risk assessment server 107 of the log management control system 10 includes at least system administrator user information, network information of the management target system 20, device information, vulnerability information disclosed as security knowledge, and This is setting information of the log collection management server 108.

  FIG. 9 is a diagram showing a list of data tables stored on the database server 105 of the present embodiment. The database server 105 illustrated in FIG. 9 stores a user information table 901, a network information table 902, a device information table 903, a vulnerability information table 904, and a log collection management setting information table 905. Each table is associated with each other by a predetermined ID included in each record.

  A configuration example of the user information table 901 among the tables included in the database server 105 is shown in FIG. A user information table 901 illustrated in FIG. 10 includes records having user IDs 1001, user information 1002, and a system list 1003 as data items. Among these, the user ID 1001 is an ID uniquely assigned to a user such as a system administrator in the log management control system 10. The user information 1002 is information such as the name and contact information of the user corresponding to the user ID 1001 described above. The system list 1003 is a list of systems managed by the user corresponding to the user ID 1001, that is, a set of IDs and system names of the management target systems 20. In this embodiment, since it is assumed that a plurality of system administrators manage a plurality of systems, the user information table 901 is held in the database server 105. However, only a single system is evaluated for risk. If the situation is a target, the user information table 901 may not be held in the database server 105. This user information table 901 is generated in advance by an administrator of the log management control system 10 and stored in the database server 105.

  Next, a configuration example of the network information table 902 will be described with reference to FIG. The network information table 902 illustrated in FIG. 11 includes records having network segment IDs 1101, system IDs 1102, and reachable segment ID lists 1103 as data items. Among these, the network segment ID 1101 is an ID uniquely assigned to the network segment including the management target system 20. The system ID 1102 is an ID of the management target system 20 to which the above-described network segment ID 1101 is related. The reachable segment ID list 1003 is an ID list of adjacent segments that can reach the message from the network segment indicated by the network segment ID 1101.

  For example, when a message arrives at a network segment whose network segment ID 1101 is “222” from a network segment whose network segment ID 1101 is “111”, the reachable segment ID list 1103 of the record whose network segment ID 1101 is “111” The segment ID 1001 “222” is stored.

  Such a network information table 902 is generated in advance by an administrator of the log management control system 10 and stored in the database server 105.

  Next, a configuration example of the device information table 903 will be described with reference to FIG. The device information table 903 illustrated in FIG. 12 includes a device ID 1201, a device name 1202, a product ID 1103, a network segment ID list 1204, and a relay device ID collected by the information collection server 103 and stored in the table. It has a record with the map 1205 as a data item. In addition, the log collection management server 108 has a record having the management ID for the management target device 101 as a data item with an alias 1206.

  Among these, the device ID 1201 is an ID uniquely assigned to the above-described management target device 101 on which the information collection server 103 has collected information. The device name 1202 is a machine name given to the management target device 101 corresponding to the device ID 1201 described above. The product ID 1203 is a product ID that configures the management target device 101 corresponding to the device ID 1201. The network segment ID list 1204 is an ID list of network segments to which the management target device 101 corresponding to the device ID 1201 belongs. The relay device ID map 1205 is a list of device IDs indicating the transmission source and destination management target device 101 of the communication relayed by the management target device 101 in the system configuration. For example, when communication from “device A”, which is a management target device, passes through “device C”, “device A” is set to KEY in the record related to “device C” in the device information table 903. Store “device B” as an associative array with VALUE. Also, the alias 1206 stores a management ID that identifies the management target device in the log collection management server 108. Assume that the correspondence with the device ID 1201 is identified by IP address information, MAC address, or the like.

  Next, a configuration example of the vulnerability information table 904 will be described with reference to FIG. The vulnerability information table 904 illustrated in FIG. 13 includes a vulnerability ID 1301, a device ID 1302, a vulnerability attack probability 1303, a device impact probability 1304, and the information collected by the information collection server 103 from the security knowledge disclosure authority server 104. It has a record with vulnerability items 1305, vulnerability target software 1306, vulnerability threat content 1307, planned countermeasure date 1308, and countermeasure status 1309 as data items.

  Among these, the vulnerability ID 1301 is an ID uniquely assigned to the vulnerability. The vulnerability ID 1301 includes a common vulnerability identifier (CVE: Common Vulnerabilities and Exposures) numbered by MITRE and used internationally, and a JVN number (JVN: Japan Vulnerability Notes) used in Japan. ), Or a vulnerability ID uniquely assigned by the vendor.

The device ID 1302 is an ID of the management target device 101 having a vulnerability corresponding to the vulnerability ID 1301 described above. The target product 1306 is information specifying a product ID such as software constituting the device 101 corresponding to the device ID 1302 and a product matching the vulnerability ID 1301 described above. In addition, vulnerability attack probability 1303
Is an occurrence probability or score of an attack that hits the vulnerability alone corresponding to the vulnerability ID 1301, and is a score based on the technical characteristics of the vulnerability. The device influence probability 1304 is a probability that the attack on the vulnerability corresponding to the vulnerability ID 1301 described above affects the device to be managed 101 (device indicated by the device ID 1302), and technical characteristics of the vulnerability. It is a score based on. The vulnerability type 1305 is a vulnerability type (clustered class) corresponding to the vulnerability ID 1301 described above. In general, the security knowledge publishing organization server 104 is based on a standard security standard such as CVSS (Common Vulnerability Scoring System), and it is easy to attack each software vulnerability from the viewpoint of technical characteristics and the impact on equipment. Security information is disclosed by assigning a score such as degree and a vulnerability type CWE (Common Weekness Enumeration). Therefore, the information collection server 103 described above can acquire the same score and type from the security knowledge public institution server 104 as the vulnerability attack probability 1303, the device influence probability 1304, and the vulnerability type 1305 described above.

  Further, in the present embodiment, the planned countermeasure date 1308 and the countermeasure status 1309 indicate information on the planned countermeasure date and implementation status of the vulnerability by the system administrator. It is assumed that these pieces of information are updated by the system administrator.

  Next, a configuration example of the log collection management setting information table 905 will be described with reference to FIGS. First, the first log collection management setting information table 905_1 illustrated in FIG. 14 stores collection log ID 1401, device ID 1402, device name 1403, product ID 1404, which stores information related to the log collection setting of the log collection management server 108 described above. It has a record with a log file name 1405 and a collection level 1406 as data items.

Among these, the collection log ID 1401 is an ID that uniquely identifies a plurality of local logs (stored in the local log storage unit 204) generated by the management target device 101 for each file. Further, the device ID 1402, the device name 1403, the product ID 1404, and the log file name 1405 are attribute information for specifying the collection log ID 1401. The collection level 1406 is a data item for setting the amount of information transferred from the local log 204 of the management target device 101 specified by the device ID 1402 to the log collection management server 108. This collection level 1406 includes binary forms of “0: not collect” and “A: collect all”, and a product I for generating a log.
It is assumed that an arbitrary form such as an arbitrary level form for each D1404 can be set. For example, for an access log such as a Web server, “0: Do not collect”, “1: Collect only access success”, “2: Collect only access failure”, “A: Collect all”, etc. A collection level is defined and held.

  Subsequently, the second log collection management setting information table 905_2 illustrated in FIG. 15 stores the analysis log ID 1501, the analysis rule 1502, and the post-matching process 1503 that store information related to the analysis settings of the log collection management server 108 described above. Has a data item as a data item.

Among these, the analysis ID 1501 is an ID that uniquely specifies an analysis rule for a log collected and managed by the log collection management server 108. In this embodiment, the analysis rule is specified by the ID 1401 of the collection log used for analysis, and a plurality of sets of matching conditions for the specified collection log are defined by logical expressions. However, the present invention is not limited to this notation method. Absent. A process when a match is output in the logical expression of the analysis rule 1502 is defined in a process 1503 after the match. For example, in this embodiment, it is assumed that the table is inserted into a monitoring table record defined by the system administrator.
--- Example flow of information collection and registration ---

  Hereinafter, an actual procedure of the log management control method according to the present embodiment will be described with reference to the drawings. Various operations corresponding to the log management control method described below are realized by a program that is read and executed by, for example, the risk evaluation server 107 constituting the log management control system 10 in a memory or the like. And this program is comprised from the code | cord | chord for performing the various operation | movement demonstrated below.

  In the following description, not only the processing executed by the risk evaluation server 107 but also processing executed by other devices will be described as appropriate.

  FIG. 16 is a flowchart showing a processing procedure example 1 of the log management control method according to the present embodiment. Specifically, FIG. 16 is a flowchart showing a system information collection processing procedure example. Here, first, a process of generating each table of the database server 105, that is, a process of acquiring system information and security information of the management target device 101 by the information collection server 103 and storing in the database server 105 will be described.

  Such processing needs to be executed in advance before (at least immediately before) the risk evaluation server 107 performs risk evaluation processing caused by the vulnerability of the management target device 101. Further, the above-described system information (information obtained from the management target device 101) and security knowledge (information obtained from the security knowledge public organization server 104) can be added or updated at any time by the management target device 101 or the security knowledge public organization server 104. In the log management control system 10 of this embodiment (the management target device 101, the information collection server 103, the risk evaluation server 107, or the log collection management server 108) included in or cooperating with this embodiment, It is preferable that each information acquisition process is executed as a background process.

  In this case, first, the management target device 101 activates the system information output unit 203 by the scheduler function included in the standard function of its own OS, for example, when a predetermined time comes (1601).

  Next, the system information output unit 203 in the management target device 101 acquires the system information of the management target device 101 and transmits it to the information collection server 103 (1602). The system information acquired by the system information output unit 203 is information corresponding to items (eg, device ID, device name, network segment ID, etc.) included in each record in the device information table 903 and the network information table 902.

  On the other hand, the information collection server 103 that has received the system information from the management target device 101 transmits a request for new addition or update of data to the database server 105 (1603). Upon receiving this request, the database server 105 searches the device information table 903 using, for example, the device ID as a key in the system information included in the request, and generates a new record if there is no record related to the device ID. Set the value of the corresponding item in the system information included in the request. If a record related to the corresponding device ID already exists in the device information table 903, the data is updated with the value of the corresponding item in the system information included in the request in the corresponding record. Such processing is also executed for the network information table 902 in the same manner.

The above processing, step 1601 to step 1603, is executed for each managed device 101, and is repeated by the number of managed devices 101. In this embodiment, a client server configuration is adopted between the management target device 101 and the information collection server 103, and the above-described system information acquisition process is automated to improve the efficiency of operation. However, system information of the management target device 101 may be described in a data file format by a system administrator who uses the client 106 and the like, and may be input to the information collection server 103. Thus, by inputting the system information by the system administrator, there is an advantage that the managed device 101 can be operated without an agent. In this embodiment, the system information is periodically transmitted. However, the system information may be transmitted at a timing when a change in the system information is detected or when a system configuration is updated.

  A series of processes in which the information collection server 103 collects security information from the security knowledge public authority server 104 and stores it in the database server 105 will be described following the description of the collection and storage of system information described above.

  FIG. 17 is a flowchart showing a procedure for collecting security information in the log management control method according to the present embodiment, and specifically shows a flow example of security knowledge acquisition processing performed by the information collection server 103 as background processing. FIG.

  In this case, first, the information collection server 103 activates the security knowledge collection unit 304 in response to the arrival of a predetermined time by the scheduler function provided in the OS or the like of the information collection server 103 (1701), and the security knowledge collection unit 304 Then, a security knowledge request is transmitted to the security knowledge public organization server 104 (1702).

  On the other hand, the security knowledge publishing institution server 104 that has received the above-described security knowledge request causes the security knowledge output unit 403 to transfer the security knowledge data held in the security knowledge storage unit 404 of its own storage device to the information collection server 103. A reply is made (1703). Here, the security knowledge returned from the security knowledge publishing organization server 104 to the information collection server 103 is information corresponding to a record item in the vulnerability information table 904.

  The information collection server 103 that has received the above-mentioned security knowledge data transmits a request for security knowledge, that is, a new addition or update of security information, to the database server 105 (1704). On the other hand, upon receiving this request, the database server 105 searches the vulnerability information table 904 using, for example, the device ID or the vulnerability ID as a key in the security information included in the request. A record is generated, and the value of the corresponding item in the security information included in the above request is set. If a record related to the device ID or the like already exists in the vulnerability information table 904, data update is performed with the value of the corresponding item in the security information included in the request in the corresponding record.

  In the present embodiment, the above-described security information acquisition process is automated between the security knowledge publishing organization server 104 and the information collection server 103 to improve operation efficiency. However, the method of exchanging information between the security knowledge public institution server 104 and the information collection server 103 is based on the specifications of the security knowledge public institution server 104.

  Further, a flow showing an example of a log information collection processing procedure of the log management control method according to the present embodiment will be described (FIG. 18). Here, acquisition of log information of the management target device 101 by the log collection management server 108 will be described. In addition, since log information is generated as needed, the management target device 101, the information collection server 103, the risk evaluation server 107, or the log collection management server included in or cooperating with the log management control system 10 (this embodiment). In 108), it is preferable that the log information acquisition process is executed as a background process.

  In this case, first, the management target device 101 activates the log information output unit 205, for example, when a predetermined time comes by using the scheduler function included in the standard function of its own OS (1801).

  Next, the log information output unit 205 in the managed device 101 transfers the local log list generated by the managed device 101 to the log collection management server 108 and logs the log settings collected by the log collection management server 108. A request is made to the collection management server 108 (1802). As a result, the management target device 101 obtains setting information regarding the log to be transferred to the log collection management server 108. Subsequently, the log information output unit 205 extracts and acquires the local log information of the management target device 101 to be transferred according to the setting information described above, and transmits this to the log collection management server 108 (1803).

  On the other hand, the log collection management server 108 that has received the log information from the managed device 101 described above stores the received log information in the storage device, searches the log analysis setting, performs log analysis, and obtains the log information Confirms whether or not the predetermined condition is met, and if it matches, the defined process is executed. Here, it is assumed that the log collection setting and the log analysis setting are set by the system administrator in the processing described later.

  The above processing, steps 1801 to 1803 are executed for each managed device 101 and are repeated by the number of managed devices 101. In this embodiment, a client server configuration is adopted between the management target device 101 and the log collection management server 108, and the above-described log information acquisition process is automated to improve operation efficiency. In this embodiment, the log information is periodically transmitted. However, the log information is transmitted at the timing of some event detected by the OS or other software of the managed device 101 (for example, malware detection). You may do it.

  Next, screen display processing for the client 106 by the risk assessment server 107 when the client 106 is connected to the risk assessment server 107 by the operation of the system administrator will be described with reference to the drawings. FIG. 19 is a flowchart showing an example of a screen display processing procedure of the log management control method according to this embodiment.

  In this case, first, the client 106 that has received an instruction from the system administrator via the input / output unit 502 transmits a request to the risk assessment server 107 using the screen display request unit 505 (1901). This connection request includes at least the user ID 1001.

  On the other hand, the screen display processing unit 603 of the risk evaluation server 107 requests and acquires screen display data to be output to the client 106, for example, from the database server 105 (1902). Furthermore, the screen display processing unit 603 of the risk evaluation server 107 requests the log collection management server 108 to acquire necessary log information, for example, according to the request of the client 106 received in Step 1901 ( 1903). In this case, for example, template data of a predetermined screen corresponding to each procedure of the risk evaluation method of the present embodiment is stored in advance in the external storage device 804 of the risk evaluation server 107. The screen template data corresponding to the corresponding procedure is read from the external storage device 804 in response to the request from the server, and the data obtained in response to the request to the database server 105 and the log collection management server is set and output. Shall.

The data acquired by the risk assessment server 107 from the database server 105 and the log collection management server 108 in step 1902 and step 1903 described above, that is, the data set in the screen template data is, for example, the user ID 100 included in the request described above.
Data obtained from each of the user information table 901 and the device information table 903 using 1 as a key. The data includes user information 1002 associated with the user ID 1001, a system list 1003, a device ID 1201, a device name 1202, a network segment ID 1204 associated with the system ID included in the system list 1003, and the like.

  In this embodiment, an example in which the user ID 1001 is included in the request from the client 106 is shown. However, in addition to this, processing such as general user authentication for the request (for example, a combination of ID and password) The user ID 1001 may be specified through the authentication process or the like. The processing mode such as user authentication is not limited.

  As described above, the screen display processing unit 603 of the risk assessment server 107 collects and manages logs according to the data obtained from each of the user information table 901 and the device information table 903 of the database server 105 and the request content from the client 106. Information obtained from the server 108 is set in template data of a predetermined screen to generate screen data, which is returned to the client 106 (1904). FIG. 20 shows an example of a screen 2001 displayed on the input / output unit 502 of the client 106 as a result of the processing of step 1904.

  A screen 2001 illustrated in FIG. 20 includes a user information area 2002 that displays each information of a user ID and a user name, a system list display area 2003 that displays information of a system list, and a system device selected in the system list. The system includes a system information display area 2004 for displaying a list and a configuration, and a log cooperation button 2005.

  Among these, the system list display area 2003 displays an ID for identifying the system, a system name, and a representative risk value for each system. In the example of FIG. 20, the attack reachability to the most important protection target device registered by the system administrator is displayed as the representative risk value. However, this risk value calculation method is not limited in the present embodiment as described above. A system information display area 2004 displays system component device IDs and device names, an attack reachability to each device, and an attack reachability path diagram at this time. Although details will be described later, when the log link button 2005 is pressed, a log link display screen is requested for a system and a device whose check boxes 2010 and 2011 are checked at that time.

  An example of the log cooperation display screen 2101 of this embodiment is illustrated in FIG. In the screen 2101 illustrated in FIG. 21, a user information area 2101 that displays each information of the user ID and the user name inherited from the screen 2001, and a log allowable amount information display area that displays the log allowable amount of the log collection management server 108. 2103, an area 2104 for displaying collected log information related to the system specified in the check box 2010 in the system list list 2003 on the screen 2001, and a vulnerability related to the equipment specified in the device list check box 2011 in the system information area 2004 on the screen 2001. The area 2105 for displaying the property is included.

Of these, the allowable log information 2103 is “80 MBPS” (80 Me) in the example of FIG.
gaByte Per Sec. ) Etc., and the maximum allowable average generated log amount per unit time (allowable value of the total collected log amount per unit time), and the log amount generated per unit time by the log collection specified and set by the log management control system 10 The relationship with the estimated value (in the figure, 0.001 MBPS) is illustrated. It is assumed that the value of the maximum allowable average generated log amount described above is calculated in advance based on, for example, the log storage capacity in the log collection management server 108, the log storage period, and the estimated generation amount of each log. .

As an example, if the log storage capacity at a certain point in the log collection management server 108 is 642 terabytes and the retention period of each log is three months, the amount of log data that can be stored for three months from the corresponding point Is a total of 642 terabytes. In this case, the maximum allowable average generated log amount per unit time is 642 tera / (3 month × 31 days * 24 hour * 60 min. *
60 sec.) ≈80 MBPS. In addition, based on the log generation history (log storage management server 108 holds in the storage device) generated in each product of each device in the past, the average log generation amount per unit time in the managed system 20 A value may be calculated and used as an estimated value of the log amount generated per unit time.

  In addition, in the collected log information display area 2104 regarding the designated system such as “XX company personnel management system”, logs generated by each device constituting the corresponding system locally (that is, within each corresponding device) are listed 2110. Listed. In the example of FIG. 21, the corresponding devices are listed and displayed in the order that the devices are specified in the device list check box in the system information area 2004 on the screen 2001 from the device reachable on the network.

  In addition, the collection log list 2110 in this display example includes, for each collection log ID, a device ID for collecting the log, a software ID that uniquely indicates a product that generates the log, a level of information amount for transferring the log, and a unit time Log volume, and log retention period. When the log collection optimization button 2105 is pressed for the collected log information 2104, the log collection setting optimization process is started. Details of this processing will be described later.

  Further, the vulnerability information display area 2105 for each device includes a vulnerability list 2111 included in each device. The vulnerability list 2111 includes a vulnerability ID that uniquely identifies the vulnerability, a possibility (probability) that the vulnerability can be used in an attack, a type of the vulnerability, and a planned countermeasure date for the vulnerability. And an analysis log ID for monitoring the vulnerability. In the example of FIG. 21, the records of the respective vulnerabilities are displayed in descending order of the attack availability value. Further, in accordance with the designation in the check box 2112 of the vulnerability list 2111, the summary of the vulnerability, the target product, the content of the threat, and the like are displayed as detailed information on the designated vulnerability. These contents assume that the client 106 obtains the relevant data from the vulnerability information table 904 via the risk assessment server 107 and displays it.

  Of the items in the vulnerability list 2111, the scheduled countermeasure date is assumed to be the regular maintenance date of the corresponding system by default. This regular maintenance date is input in advance by the system administrator. The analysis log ID is an ID that designates a log analysis rule to be added to monitor the corresponding vulnerability attack. Here, if an analysis log rule has already been registered, the corresponding analysis log ID 2113 is displayed, and if it has not been registered, an add button 2114 is displayed. It is assumed that the client 106 calls a log analysis setting / confirmation screen (FIG. 27: described later) in response to the user clicking the analysis ID 2113 or the add button 2114. The log analysis setting will be described later.

--- Generation flow of log collection settings when registering system information ---

  Next, a generation flow of log collection setting information for the risk evaluation result when the system information of the management target system 20 including the management target devices 101_1 to 101_n is registered in the log management control system 10 of the present embodiment will be described. FIG. 22 is a flowchart showing a processing procedure example 5 of the log management control method according to this embodiment.

In this case, for example, the risk evaluation server 107 receives an information registration request regarding the new management target system 20 from the client 106, and configures the management target system 20 based on each piece of information included in the request and predetermined information thereof. Information obtained from the management target device 101 is generated and registered in the network information table 902 and the device information table 903 of the database server 105 (2201).

  Here, the information registered in the database server 105 includes various attribute information such as the name, ID, and network segment to which the management target system 20 belongs, obtained from the client 106, and the management target devices 101_1 to 101_n constituting the management target system 20. The system information output unit 203 includes the system information (device ID, device name, product ID, network segment, relay device ID map, alias), etc., of each device 101 that the risk evaluation server 107 or client 106 requested and acquired. . In addition, about the system ID, the risk evaluation server 107 may be numbered according to a predetermined rule regarding the corresponding management target system 20.

  Next, the risk evaluation server 107 stores the information stored in the network information table 902 and the device information table 903, and the public security knowledge public institution server, for which information registration of the corresponding managed system 20 has been started by the system administrator in step 2201 described above. Based on the vulnerability information held and accumulated in 104, information of the vulnerability information table 904 is generated, and the attack availability in the vulnerability of each managed device 101 is calculated and stored as a risk value ( 2202).

  The probability that a certain attack source makes an attack using the vulnerabilities of each managed device 101 connected to the network (to each managed device 101), that is, the attack availability calculation method described above is based on the database server 105. Information of the management target device 101 held in the device information table 903, network segment and reachable segment ID list information held in the network information table 902, vulnerability attack probability 1303 held in the vulnerability information table 904, device Based on the information such as the impact probability 1304 and the vulnerability type 1305, a risk evaluation is performed by using a predetermined algorithm (the existing one may be applied) for the influence relationship of the vulnerability according to the arrangement of each managed device 101 in the network. Assume what you want to do.

  The processing result in step 2202 is displayed on the log cooperation screen 2101 illustrated in FIG. When the log collection optimization button 2105 is pressed on the log linkage screen 2101, the subsequent processing is started.

  Next, the risk evaluation server 107 calculates the above-described maximum allowable average generated log amount per unit time by the above-described method or the like, or obtains it from the client 106 and stores it (2203).

  Subsequently, the risk evaluation server 107 uses the information on the managed device 101 described above (held in the work storage area in the memory or the like after the start of the flow, the same applies hereinafter) of the attack availability value calculated in step 2202. Sort in ascending order (in order of high possibility), and also sort vulnerability information for each managed device 101 in ascending order of attack availability (2204). For example, each list 2110 in the screen 2101 in FIG. The display position of each record in 2111 is also updated according to the sort result.

  Next, among the vulnerabilities obtained in step 2204 described above, the risk evaluation server 107 has not been set with information in the predetermined table. For example, for the vulnerabilities with the highest attack availability, Setting information related to log collection is added to the predetermined table (2205).

  An example of the predetermined table 2300 is shown in FIG. The risk evaluation server 107 uses the type ID as a key for vulnerabilities to be registered, and explains the relevant vulnerabilities, necessary monitoring contents, log files including logs necessary for relevant monitoring, and relevant vulnerability monitoring. A record in which each information of a necessary level (information amount level) defining a necessary log amount is associated is generated and registered. Among these, the description, the monitoring content, the log file, and the necessary level information are obtained by the user operating the client 106 and inputting them.

  Subsequently, the risk evaluation server 107 performs an estimate calculation of the log amount generated in the product of the managed device 101 including the vulnerability for which the information setting for the table 2300 is added in the above step 2205 (2206). . Here, estimation calculation using the table 2400 illustrated in FIG. 24 is assumed. This table 2400 includes a standard log EPS (Event Per Sec.) For each product ID, a product name, a log file that is a storage destination of an occurrence log, a log level (a value that increases according to a log collection amount), and A standard BPE (Byte Per Event) or other standard log amount per unit time is an aggregate of records. Note that both the above-described table 2300 and table 2400 are held in the external storage device by the risk evaluation server 107.

In this case, the risk assessment server 107 in the step 2206 firstly selects the vulnerability type “CWE78” and the target product “Tomcat” regarding the vulnerability “VUL14013” specified by the user on the screen 2101 in FIG. Based on the vulnerability type “CWE78”, the corresponding log file “access_log” and each information of the necessary level “2” are specified in the table 2300. Further, the risk evaluation server 107 searches the table 2400 regarding the log file “access_log” of the target product “Tomcat” and its necessary level “2”, and sets “2.5” as the standard log EPS and “500” as the standard BPE. Get each value. The risk evaluation server 107 multiplies the standard log EPS “2.5” obtained here by the standard BPE “500” to calculate an estimated BPS “1250” that is an estimated value of the log amount.

  In addition, about such log amount, it is assumed easily that generated amount varies for every system and every device. Therefore, a statistical value such as an average log generation amount per unit time or a maximum log generation amount per unit time may be calculated for each log of each managed device 101 and reflected in this estimation.

  Next, the risk evaluation server 107 uses the estimated log amount calculated in the above step 2206 as the estimated log amount related to other vulnerabilities that have already been calculated (of course, this step 2205 is related to the corresponding managed system 20). If it is the first time, the estimated log amount calculated for other vulnerabilities is zero), and the total value is the maximum allowable average occurrence log per unit time obtained in step 2203 above. It is determined whether the amount is exceeded (2207). At this time, the risk evaluation server 107 also determines whether or not the vulnerability to be determined this time is the last vulnerability in the vulnerability information sorted in step 2204 described above.

  As described above, if the estimated value of the log amount calculated this time is “1250” BPS and the estimated value of the log amount of another vulnerability already obtained is “400” BPS, the risk evaluation server 107 The total “1650” BPS is compared with the “80M” BPS which is the maximum allowable average generated log amount per unit time described above, and the total value “1650” BPS is the maximum allowable average generated log amount “per unit time“ It is determined that 80M "BPS is not exceeded.

As a result of the above determination, when the total value of the estimated log amount exceeds the maximum allowable average generated log amount per unit time, or when the vulnerability to be determined this time is the last vulnerability (2207) : Yes), the risk assessment server 107 advances the process to Step 2208. In other cases (2207: No), the risk evaluation server 107 returns the process to the above-described step 2205 and sequentially repeats steps 2205 to 2207 for the unprocessed information on the above-described sorted vulnerabilities.

  On the other hand, the risk evaluation server 107 in step 2208 transmits and displays the log collection setting information added to the table 2300 in steps 2205 to 2207 described above to the client 106, and the client 106 views the setting information. Upon receiving the confirmation instruction from the system administrator, the log collection management server 108 is notified of the corresponding setting information and reflected in the storage information of the setting information storage unit 711 (2208).

  An example of the screen displayed on the client 106 in step 2208 is shown in FIG. The log collection setting / confirmation screen 2601 shown in FIG. 26 includes a message area 2602 for displaying a predetermined message 2610 regarding the result of the processing flow, a display area 2603 for the added collection log setting information list 2611, and an added collection log. Button 2604 for receiving an instruction to execute processing for reflecting the setting information of the log to the log collection management server 108, the level (information amount level) in the setting information list 2611 is changed according to the user instruction, and the above-described log amount estimation is reexecuted The button 2605 is used to receive an instruction to perform.

Here, the setting information list 2611 described above includes, for each collection log, the name of the device that generates the log, the product ID, the log collection level (information amount level), and the estimated BPS (Byte Per).
Sec. ), The log retention period. When the user clicks on the “collection level” column, the risk evaluation server 107 that receives this refers to the log level related to the corresponding log file of the corresponding product in the table 2400 and displays a list of collection levels corresponding to this log level. A pull-down display is displayed on the client 106. The user can select a change to any collection level from this list. The risk evaluation server 107 that has received such a change in the collection level setting activates the above-described button 2605 and executes a re-estimation calculation of the log amount in response to pressing of the button 2605.

  When the risk evaluation server 107 notifies the log collection management server 108 of the data in the table 2300 and sets the contents of the log collection by executing the above step 2208, the contents of the table 2500 shown in FIG. Notification and setting shall be made. A table 2500 illustrated in FIG. 25 is a table that stores rules relating to the log level for each log file of each product. The table 2500 has a structure in which each information of a log file name, a log level, and a log content for each log level is stored for each product that generates a log. For example, in the case of a web server access log, the log level contents are defined for each HTTP status code as follows.

  Log level 1: HTTP status code 2xx code only (if successful)

  Log level 2: In addition to log level 1, 4xx and 5xx codes (in case of failure)

Log level 3: In addition to log level 1, 3xx code (in case of Redirect)
Log level A: All (ALL)

  The log collection management server 108 receives the processing of step 2208 described above, and executes log collection from each managed device 101 with contents based on the vulnerability of the product.

  Note that the analysis rule setting may be received from the user and processed for the log set as described above. An example of a screen 2701 in this case is shown in FIG. This screen 2701 includes a list display area 2702 for displaying a collection log selected according to the level of risk based on the vulnerability, an area 2703 for accepting the setting of the above analysis rule, and the analysis rule to the log collection management server 108. The button 2704 receives an instruction to execute the process to be reflected. In addition, this screen 2701 is displayed in response to a click operation on a predetermined interface in the vulnerability list display area 2105 of the log linkage screen 2101, for example.

  Here, the analysis rule setting area 2703 is a check box 2710 for specifying an ID of a collection log to be dealt with by setting an analysis rule, and a field 2711 for setting a condition such as including a specific character string as an analysis rule for the corresponding collection log. It is assumed that a field 2712 for setting a process to be executed when the corresponding collection log matches the condition described in the field 2711 is assumed.

  Further, as a process set in the field 2712, an interface capable of selecting a process of generating an intermediate log in addition to a process of registering alert information in a predetermined table is provided. In this example, we assume that the intermediate log generated here can be set as a collection log by assigning a collection log ID and making it possible to set analysis / monitoring rules under more complicated conditions. Yes. As a result, monitoring rules can be managed on a vulnerability basis, and unnecessary monitoring rule settings and collection log settings can be canceled when countermeasures are completed depending on the status of vulnerability countermeasures. Also, by setting the collected logs in order of the probability of attack, the log capacity to be collected can be optimized in the order of higher threats. As a result, effective and efficient log management control can be realized.

---- Log collection flow when new vulnerability information is disclosed ---

  Next, update processing of log collection settings when vulnerability information is newly disclosed from the security knowledge disclosure organization server 104 will be described with reference to the drawings. FIG. 28 is a flowchart showing a processing procedure example 6 of the log management control method according to this embodiment.

  In this case, the information collection server 103 accesses the security knowledge publishing organization server 104 and collects newly disclosed vulnerability information (same as step 1701 in FIG. 17) by a scheduler call in its own OS or the like ( 2801), this is transmitted to the risk assessment server 107.

  Next, the risk evaluation server 107 determines the vulnerability of each device based on the new vulnerability information obtained from the information collection server 103 and each information of the network information table 902 and the device information table 903 of the database server 105. The attack availability in FIG. 22 is calculated again as a risk value in the same manner as in step 2202 in FIG. 22, and a record including information on a predetermined item (information included in the vulnerability information table 904) including the information on the attack availability is included. It is generated and stored in the vulnerability information table 904 of the database server 105 (2802).

  Subsequently, the risk evaluation server 107 calculates the maximum allowable average generated log amount per unit time in the same manner as Step 2203 in FIG. 22 or obtains it from the client 106 and stores it in a memory or the like (2803).

Next, the risk evaluation server 107 sorts the information of the above-described managed devices 101 in ascending order of the attack availability values calculated in Step 2802 (in descending order of probability), and further, for each managed device 101. Vulnerability information is also sorted in ascending order of attack availability (2804).

  Next, the risk evaluation server 107 searches the log collection management setting information table 905 of the database server 105 to determine whether log collection has already been performed on the product having the new vulnerability collected in step 2801 (2805). ).

  As a result of this determination, if log collection has been performed on the product corresponding to the vulnerability (2805: No), the risk assessment server 107 is the vulnerability with the next highest attack potential after sorting in step 2804. Is identified (28051), and step 2805 is executed again for this vulnerability. On the other hand, as a result of the above determination, if log collection is not performed for the product corresponding to the vulnerability (2805: Yes), the risk evaluation server 107 advances the process to step 2806.

  Thereafter, the risk evaluation server 107 executes steps 2806 to 2808 in the same manner as steps 2205 to 2207 in FIG. 22, and transmits the log collection setting information updated in the above steps to the client 106. After receiving the confirmation instruction of the system administrator who has browsed the setting information with the client 106, the setting information is notified to the log collection management server 108 and reflected in the storage information of the setting information storage unit 711.

  Although the best mode for carrying out the present invention has been specifically described above, the present invention is not limited to this, and various modifications can be made without departing from the scope of the invention.

  According to this embodiment, log collection that is effective in monitoring related to a risk derived from vulnerability can be efficiently executed according to the status of the corresponding system.

  At least the following will be clarified by the description of the present specification. That is, in the log management control system of the present embodiment, the computing device performs risk assessment by a predetermined algorithm for the influence relationship of vulnerability according to the arrangement of each device in the network, and performs vulnerability assessment for each device. Identify the possibility of exploitation that can be used for attacks from a given attack source, and in the log collection instructions, collect logs for devices with a high degree of attack availability that are higher than a predetermined rank among devices It is good also as instructing.

  According to this, it is possible to set log collection with the product for a predetermined number of devices ranked in view of the possibility of exploitation of vulnerability regarding the necessity of log collection. As a result, effective log collection for monitoring risks related to vulnerabilities can be performed efficiently according to the status of the system.

  In the log management control system according to the present embodiment, the storage device further stores a table that defines a relationship between the type of vulnerability and the information amount level of log collection. In the evaluation, risk assessment using a predetermined algorithm is performed for the impact relationship of vulnerabilities according to the arrangement of each device in the network, and the vulnerability of each device is identified as the possibility of exploitation used for attacks from a predetermined attack source. In the log collection instruction, the information amount level of log collection corresponding to the type of vulnerability in the corresponding device is specified in the table in descending order of the possibility of using the attack, and each of the information based on the specified information amount level Identifies devices that have a high attack exploitability higher than a predetermined rank among devices with the restriction that the total amount of logs collected from devices does not exceed a predetermined allowable value. May be is an indication of the log collection for the equipment.

According to this, it is possible to specify a predetermined number of devices ranked in view of the possibility of exploitation of vulnerability in terms of the log amount, and set log collection. Eventually, effective log collection can be performed more efficiently depending on the status of the system in question regarding the risks related to vulnerabilities.

  In the log management control system according to the present embodiment, the storage device further stores a table that defines a relationship between the type of vulnerability and the information amount level of log collection. In the evaluation, risk assessment using a predetermined algorithm is performed for the impact relationship of vulnerabilities according to the arrangement of each device in the network, and the vulnerability of each device is identified as the possibility of exploitation used for attacks from a predetermined attack source. In the log collection instruction, the information collection level of log collection according to the type of vulnerability in the corresponding device is specified in the table in the descending order of the possibility of using the attack, and according to the specified information volume level The total log generation amount per unit time on each device does not exceed the maximum log generation amount that can be collected per unit time according to the storage capacity of the log storage destination. About, the attack availability of height to identify more devices specified rank among the devices may be is an indication of the logging to the specified device.

  According to this, it is possible to specify a predetermined number of devices ranked from the viewpoint of the possibility of exploitation of vulnerability in terms of the log generation amount per unit time, and set log collection. Eventually, effective log collection can be performed more efficiently depending on the status of the system in question regarding the risks related to vulnerabilities.

  Further, in the log management control system of the present embodiment, the arithmetic device accepts the setting of vulnerability monitoring content, which is a log generation condition related to vulnerability, by the input device and stores it in the storage device, and in response to the log collection instruction, An instruction may be given including the vulnerability monitoring content related to the vulnerability of the corresponding device.

  According to this, for example, it is possible to receive a designation from a user who has knowledge about the configuration or situation peculiar to the managed system, and to set log collection that matches this. Eventually, effective log collection can be performed more efficiently depending on the status of the system in question regarding the risks related to vulnerabilities.

  Further, in the log management control system according to the present embodiment, when the computing device acquires new vulnerability information from the predetermined device for the predetermined device holding the vulnerability information in the database, the vulnerability The information is further stored in the database in association with the predetermined device, and the risk assessment by the predetermined algorithm is re-executed with respect to the influence relationship of the vulnerability according to the arrangement of each device in the network, including the new vulnerability. Execute and identify the attack availability that the vulnerability of each device is used for an attack from a predetermined attack source, and when instructing the log collection, the attack availability is higher than a predetermined rank between devices If a device based on the possibility of exploitation of the new vulnerability is included as a device, the device may instruct the corresponding device to collect a new log. There.

  According to this, when new vulnerability information is disclosed from a server on the Internet that discloses vulnerability information, it becomes possible to set log collection that is necessary again. Eventually, effective log collection can be performed more efficiently depending on the status of the system in question regarding the risks related to vulnerabilities.

Further, in the log management control method of the present embodiment, the information processing system performs risk assessment by a predetermined algorithm for the influence relationship of the vulnerability according to the arrangement of each device in the network at the time of the risk assessment. Specify the attack availability that the vulnerability is used for an attack from a predetermined attack source, and when the log collection instruction is issued, log the high attack availability level to devices with a predetermined rank or higher among the devices. Collection may be instructed.

  In the log management control method of the present embodiment, the information processing system further stores a table defining a relationship between the type of vulnerability and the information amount level of log collection in the storage device. , Perform a risk assessment by a predetermined algorithm for the influence relationship of the vulnerability according to the arrangement of each device in the network, identify the attack availability that the vulnerability of each device is used for an attack from a predetermined attack source, When instructing log collection, the information amount level of log collection corresponding to the type of vulnerability in the corresponding device is specified in the table in descending order of the possibility of using the attack, and from each device based on the specified information amount level With the constraint that the total amount of collected logs does not exceed a predetermined allowable value, a device with a high degree of attack availability is specified among the devices, and the specified It may be used to indicate the log collection to the device.

  In the log management control method of the present embodiment, the information processing system further stores a table defining a relationship between the type of vulnerability and the information amount level of log collection in the storage device. , Perform a risk assessment by a predetermined algorithm for the influence relationship of the vulnerability according to the arrangement of each device in the network, identify the attack availability that the vulnerability of each device is used for an attack from a predetermined attack source, When instructing log collection, the information amount level of log collection corresponding to the type of vulnerability in the corresponding device is specified in the table in descending order of the possibility of using the attack, and each device corresponding to the specified information amount level The total log generation amount per unit time in the system does not exceed the maximum log generation amount that can be collected per unit time according to the storage capacity of the log storage destination. In the attack availability of height to identify more devices specified rank among the devices, it may instruct the logging to the specified device.

  Further, in the log management control method of the present embodiment, the information processing system accepts the setting of vulnerability monitoring content, which is a log generation condition related to vulnerability, by the input device and stores it in the storage device, and in response to the log collection instruction In addition, it may be instructed including the vulnerability monitoring content related to the vulnerability in the corresponding device.

  Further, in the log management control method according to the present embodiment, when the information processing system acquires new vulnerability information from a predetermined device for a predetermined device holding vulnerability information in the database, the corresponding vulnerability The risk information is further stored in the database in association with the predetermined device, and the risk evaluation by the predetermined algorithm is performed on the influence relationship of the vulnerability according to the arrangement of each device in the network, including the new vulnerability. Re-execute, specify the vulnerability of each device that can be used for the attack from a predetermined attack source, and when the log collection instruction is given, When the above devices include those based on the possibility of exploitation of the new vulnerability, the device may be instructed to collect a new log.

DESCRIPTION OF SYMBOLS 10 Log management control system 20 Management target system 101 Management target apparatus 102 Network 103 Information collection server 104 Security knowledge public organization server 105 Database server 106 Client 107 Risk evaluation server 108 Log collection management server 802 CPU (computing device)
803 Memory 804 External storage device 805 Transmission / reception device 806 Output device 807 Input device 901 User information table 902 Network information table 903 Device information table 904 Vulnerability information table 905 Log collection management setting information table

Claims (12)

A storage device that holds a database that correlates each piece of vulnerability information related to devices, networks, and the devices constituting the managed system;
Based on the information on the device, the network, and the vulnerability held in the database, risk assessment by a predetermined algorithm is performed for the influence relationship of the vulnerability according to the arrangement of each device in the network, and the level of the risk An arithmetic device for instructing log collection to a device having a predetermined standard or higher,
A log management control system comprising: The arithmetic unit is
In performing the risk assessment, risk assessment is performed by a predetermined algorithm for the influence relationship of vulnerabilities according to the arrangement of each device in the network, and the vulnerability of each device can be used for an attack from a predetermined attack source. Identify,
When instructing the log collection, the high possibility of attack use is to instruct the log collection to a device having a predetermined rank or higher among the devices.
The log management control system according to claim 1. The storage device
It further stores a table that defines the relationship between the type of vulnerability and the information level of log collection.
The arithmetic unit is
In performing the risk assessment, risk assessment is performed by a predetermined algorithm for the influence relationship of vulnerabilities according to the arrangement of each device in the network, and the vulnerability of each device can be used for an attack from a predetermined attack source. Identify,
In the log collection instruction, the information amount level of log collection corresponding to the type of vulnerability in the corresponding device is specified in the table in descending order of the possibility of using the attack, and each device based on the specified information amount level The total collected log amount from the above is not restricted to exceed a predetermined allowable value, and a device with a high possibility of exploitation is specified among devices with a predetermined rank or higher, and the specified device is instructed to collect logs Is,
The log management control system according to claim 1. The storage device
It further stores a table that defines the relationship between the type of vulnerability and the information level of log collection.
The arithmetic unit is
In performing the risk assessment, risk assessment is performed by a predetermined algorithm for the influence relationship of vulnerabilities according to the arrangement of each device in the network, and the vulnerability of each device can be used for an attack from a predetermined attack source. Identify,
When instructing the log collection, the information amount level of log collection corresponding to the type of vulnerability in the corresponding device is specified in the table in descending order of the possibility of using the attack, and each of the information according to the specified information amount level is specified. Due to the constraint that the total log generation amount per unit time in the device does not exceed the maximum log generation amount that can be collected per unit time according to the storage capacity of the log storage destination, the high possibility of attack use is high. Identify devices with a predetermined order or higher and instruct the specified devices to collect logs.
The log management control system according to claim 1. The arithmetic unit is
The setting of vulnerability monitoring content that is a log generation condition related to vulnerability is received by the input device and stored in the storage device,
Instructing the log collection, including the vulnerability monitoring content related to the vulnerability in the corresponding device,
The log management control system according to claim 1. The arithmetic unit is
When new vulnerability information is acquired from a predetermined device for a predetermined device holding vulnerability information in the database, the vulnerability information is further stored in the database in association with the predetermined device,
Re-execute the risk assessment based on a predetermined algorithm for the influence relationship of vulnerabilities according to the placement of each device in the network, including the new vulnerability, and use the vulnerabilities of each device for attacks from a predetermined attack source Identify the potential for exploitation
In the case of the log collection instruction, when the high possibility of attack use includes devices based on the attack availability of the new vulnerability as a device having a predetermined rank or higher among devices, Instructing a new log collection,
The log management control system according to claim 1. An information processing system including a storage device that holds a database that associates each piece of vulnerability information related to a device, a network, and the device constituting the managed system,
Based on the information on the device, the network, and the vulnerability held in the database, risk assessment by a predetermined algorithm is performed for the influence relationship of the vulnerability according to the arrangement of each device in the network, and the level of the risk Instructs log collection to devices that exceed the specified criteria.
A log management control method characterized by that. The information processing system is
In performing the risk assessment, risk assessment is performed by a predetermined algorithm for the influence relationship of vulnerabilities according to the arrangement of each device in the network, and the vulnerability of each device can be used for an attack from a predetermined attack source. Identify,
When instructing the log collection, instruct the log collection to a device having a high possibility of attack use that is higher than a predetermined rank among the devices.
The log management control method according to claim 7. The information processing system is
In the storage device, further stores a table that defines the relationship between the type of vulnerability and the information amount level of log collection,
In performing the risk assessment, risk assessment is performed by a predetermined algorithm for the influence relationship of vulnerabilities according to the arrangement of each device in the network, and the vulnerability of each device can be used for an attack from a predetermined attack source. Identify,
In the log collection instruction, the information amount level of log collection corresponding to the type of vulnerability in the corresponding device is specified in the table in descending order of the possibility of using the attack, and each device based on the specified information amount level With the restriction that the total collected log amount from the limit does not exceed a predetermined allowable value, the device having a high attack availability is determined to be higher than a predetermined rank among the devices, and the log collection is instructed to the specified device.
The log management control method according to claim 7. The information processing system is
In the storage device, further stores a table that defines the relationship between the type of vulnerability and the information amount level of log collection,
In performing the risk assessment, risk assessment is performed by a predetermined algorithm for the influence relationship of vulnerabilities according to the arrangement of each device in the network, and the vulnerability of each device can be used for an attack from a predetermined attack source. Identify,
When instructing the log collection, the information amount level of log collection corresponding to the type of vulnerability in the corresponding device is specified in the table in descending order of the possibility of using the attack, and each of the information according to the specified information amount level is specified. Due to the constraint that the total log generation amount per unit time in the device does not exceed the maximum log generation amount that can be collected per unit time according to the storage capacity of the log storage destination, the high possibility of attack use is high. Identify devices that are higher than the specified order, and instruct the specified devices to collect logs.
The log management control method according to claim 7. The information processing system is
The setting of vulnerability monitoring content that is a log generation condition related to vulnerability is received by the input device and stored in the storage device,
Instructing the log collection, including the vulnerability monitoring content related to the vulnerability of the corresponding device,
The log management control method according to claim 7. The information processing system is
When new vulnerability information is acquired from a predetermined device for a predetermined device holding vulnerability information in the database, the vulnerability information is further stored in the database in association with the predetermined device,
Re-execute the risk assessment based on a predetermined algorithm for the influence relationship of vulnerabilities according to the placement of each device in the network, including the new vulnerability, and use the vulnerabilities of each device for attacks from a predetermined attack source Identify the potential for exploitation
In the case of the log collection instruction, when the high possibility of attack use includes devices based on the attack availability of the new vulnerability as a device having a predetermined rank or higher among devices, Instruct new log collection,
The log management control method according to claim 7.