JP6312578B2 - Risk assessment system and risk assessment method - Google Patents

Description

  The present invention relates to a risk evaluation system and a risk evaluation method. Specifically, in addition to technical characteristics of individual vulnerabilities, vulnerability risk is evaluated based on the system configuration and topology, and the actual system situation This technology relates to a technology that enables highly effective risk assessment corresponding to.

  In the information society, a wide variety of software exists and is used. On the other hand, it is unavoidable that such software contains software vulnerabilities due to program defects or specification problems, and it is also difficult to avoid all risks from targeted attacks using the vulnerabilities in advance. In particular, in recent years, about 5,000 software vulnerabilities are discovered and released annually, and the amount of attacks by malicious attackers using such vulnerabilities has increased significantly immediately after the vulnerability information was released. It is reported that there is a tendency to.

  Therefore, the system administrator who operates the information system needs to efficiently implement countermeasures for the vast amount of vulnerability information discovered and disclosed as described above. In general, in vulnerability countermeasures, information on the target system and vulnerability information are obtained, and the relationship between the two information and the risks posed by the vulnerability information are evaluated. Measures are planned and applied in practice.

  However, since a lot of vulnerability information that is irrelevant to individual systems is also disclosed, it is difficult for the system administrator to always collect vulnerability information about the target system without omission. In addition, the risk that the vulnerability poses to the system depends on the system configuration. Where system knowledge is required along with security knowledge, if the system administrator does not have such advanced security knowledge, the risk posed by the vulnerability is appropriately evaluated. It is difficult.

  Therefore, there is a need for a technique for collecting and managing system information and vulnerability information, correctly associating the information, and evaluating the risk that the vulnerability poses to the system. As a conventional technique for managing and evaluating such system vulnerabilities, for example, a plurality of keywords indicating vulnerability characteristics are stored in the product DB and the vulnerability keyword DB, and the keyword extraction unit performs vulnerability related From the vulnerability information collected by the information collection unit, keywords that match the keywords stored in the product DB and the vulnerability keyword DB are extracted, and the priority determination unit determines the keyword extraction result according to the contents of the priority determination DB. An information processing apparatus (see Patent Document 1) in which the priority of vulnerability information is determined based on the output result of the priority determination result has been proposed. In this technology, the risk assessment is made more efficient by risk assessment based on product information and vulnerability information.

JP 2007-058514 A

  In the conventional technology, by associating vulnerability information with product information, the information related to the managed system is selected from the vast amount of vulnerability information, and the technical characteristics of the vulnerability indicated by the vulnerability information Based on the above, it is possible to evaluate the risks posed by the vulnerability in the system.

  However, in an actual system, there are cases where countermeasures are not necessary because technically high-risk vulnerabilities are protected from the network boundary. For example, when comparing a device that is easily accessible to a certain vulnerability from the outside with a device that has the same vulnerability but is protected deep in the network, Measures should be prioritized against vulnerabilities. Therefore, in vulnerability risk assessment, it is desirable to conduct assessment based on not only product information and vulnerability information, but also system configuration and topology.

  Accordingly, an object of the present invention is to enable vulnerability assessment based on the system configuration and topology in addition to the technical characteristics of each vulnerability and enable highly effective risk assessment corresponding to the actual system situation. Is to provide.

The risk assessment system of the present invention that solves the above problems includes a device that constitutes a risk assessment target system, a network, and a storage device that holds a database that associates each vulnerability information related to the device, the device, The network and each vulnerability information are applied to a predetermined algorithm based on graph theory, and the devices constituting the target system and the vulnerabilities possessed by the devices are used as nodes, and the network system indicates the target system Based on the network configuration, by connecting arcs between the devices and the vulnerabilities, an acyclic directed graph that prescribes the influence relationship of the vulnerabilities according to the arrangement of each device on the network , a risk evaluation model created as said a directed acyclic graph, the Bayesian network inference Arugori It is applied to beam, to assess the risk of weaknesses in the target system brings, characterized in that and a calculation unit for outputting the evaluation result to a predetermined device.

Further, the risk evaluation method of the present invention includes an information processing apparatus including a device that configures a risk evaluation target system, a network, and a storage device that holds a database that associates vulnerability information related to the device with each other. Applying each information of the device, the network, and the vulnerability to a predetermined algorithm based on graph theory, the device constituting the target system and the vulnerability possessed by the device are nodes, and the network information indicates the Based on the network configuration of the target system, an acyclic directed graph that specifies the influence relationship of the vulnerability according to the arrangement of each device on the network by connecting the device and the vulnerability with an arc , create a risk assessment model, the directed acyclic graph, the Bayesian network inference Al It is applied to rhythm, and assess the risk of weaknesses in the target system results, and outputs the evaluation result to a predetermined apparatus, characterized in that.

  According to the present invention, it is possible to evaluate vulnerability risk based on the system configuration and topology in addition to the technical characteristics of each vulnerability and perform highly effective risk evaluation corresponding to the actual system situation.

It is a figure which shows the network structural example containing the risk evaluation system in this embodiment. It is a figure which shows the function structural example of the management object apparatus in this embodiment. It is a figure which shows the function structural example of the information collection server in this embodiment. It is a figure showing an example of functional composition of a security knowledge public organization server in this embodiment. It is a figure which shows the function structural example of the client in this embodiment. It is a figure which shows the function structural example of the risk evaluation server in this embodiment. It is a figure which shows the hardware structural example of the computer apparatus which comprises the risk evaluation system in this embodiment. It is a figure which shows the data table list stored in the database in this embodiment. It is a figure which shows the example of the user information table in this embodiment. It is a figure which shows the example of the network information table in this embodiment. It is a figure which shows the example of the apparatus information table in this embodiment. It is a figure which shows the example of the vulnerability information table in this embodiment. It is a figure which shows the example of the virtual patch information table in this embodiment. It is a flowchart which shows the procedure example 1 of the risk evaluation method in this embodiment. It is a flowchart which shows the procedure example 2 of the risk evaluation method in this embodiment. It is a flowchart which shows the procedure example 3 of the risk evaluation method in this embodiment. It is a figure which shows the example 1 of a screen in this embodiment. It is a flowchart which shows the procedure example 4 of the risk evaluation method in this embodiment. It is a flowchart which shows the procedure example 5 of the risk evaluation method in this embodiment. It is a flowchart which shows the procedure example 6 of the risk evaluation method in this embodiment. It is a flowchart which shows the procedure example 7 of the risk evaluation method in this embodiment. It is a flowchart which shows the procedure example 8 of the risk evaluation method in this embodiment. It is a figure which shows the example of the acyclic directed graph in this embodiment. It is a figure which shows the example of the conditional probability table | surface in this embodiment. It is a figure which shows the example 2 of a screen in this embodiment. It is a flowchart which shows the procedure example 9 of the risk evaluation method in this embodiment. It is a flowchart which shows the procedure example 10 of the risk evaluation method in this embodiment. It is a figure which shows the example 3 of a screen in this embodiment.

--- System configuration ---

  Embodiments of the present invention will be described below in detail with reference to the drawings. FIG. 1 is a network configuration diagram including a risk evaluation system 10 of the present embodiment. The risk assessment system 10 shown in FIG. 1 evaluates vulnerability risks based on the system configuration and topology in addition to the technical characteristics of each vulnerability, and enables highly effective risk assessment corresponding to actual system conditions. Computer system.

  A network 102 including the risk evaluation system 10 of this embodiment illustrated in FIG. 1 includes a management target device 101, an information collection server 103, a security knowledge public institution server 104, a database 105, and a client that constitute a risk evaluation target system. 106 and a risk assessment server 107 are connected. Among these devices, the risk evaluation system 10 is composed of at least a risk evaluation server 107, and the risk evaluation server 107 can access the database 105. Of course, the risk evaluation system 10 may include devices other than the risk evaluation server 107 as appropriate.

  Among the devices connected to the network 102 described above, the management target device 101 is a system managed by the system administrator as a risk evaluation target, that is, a device constituting the target system, and illustrates a plurality of management target devices 101_1 to 101_n. ing. In this embodiment, what is to be evaluated is a risk caused by the vulnerability possessed by the managed device 101.

Further, the information collection server 103 is a security assessment target system, that is, information related to the management target device 101 (system information; identification information of each management target device 101, information related to a network to which it belongs), and security on the Internet 102_2. This is a device that collects security information (at least vulnerability information related to the management target device 101) disclosed by the knowledge publishing organization server 104. On the other hand, the security knowledge publishing organization server 104 is a server device of a predetermined organization that publishes security knowledge on the Internet 102_2. As an example of an operating organization of the security knowledge public organization server 104, a company that provides various security countermeasure services such as computer virus detection and countermeasures, an OS (Operating System) provider, and the like can be assumed. Such an operating organization publishes vulnerability information related to information security obtained with respect to a specific information processing apparatus, OS, or software by the security knowledge disclosure organization server 104.

  Note that the management target device 101 and the information collection server 103 are connected via the network 102_1, and the information collection server 103 and the security knowledge disclosure organization server 104 are connected via the Internet 102_2.

  The database 105 is a storage device that stores the system information and security knowledge collected by the information collection server 103, and is connected to the risk assessment server 107 via the network 102_3. Alternatively, the database 105 may be preferably stored in the external storage device 704 (see FIG. 7) of the risk evaluation server 107.

  The client 106 is a general computer terminal that is directly operated by the system administrator, and is a device that is a main output destination of the processing result by the risk evaluation server 107, that is, the risk evaluation result.

  The risk assessment server 107 is a server device that executes each procedure corresponding to the risk assessment method of the present embodiment based on information on the database 105 and a request from the system administrator received via the client 106. . The risk evaluation server 107 may be configured to include the functions and configurations of the information collection server 103 described above.

In the present embodiment, the networks 102_1, 102_2, and 102_3 are illustrated as different networks, but may be the same network. Moreover, the component which attached | subjected the code | symbol in the network structure of FIG. 1 may be plurality according to embodiment.
--- Functional structure ---

  Then, the function with which the risk evaluation system 10 of this embodiment is provided is demonstrated. Here, not only the risk evaluation server 107 but also, for example, each device in the above-described network configuration including the risk evaluation system 10 is implemented by executing an appropriate program provided in the memory 703 or the external storage device 704. Each will be described.

  FIG. 2 is a diagram illustrating a functional configuration example of the management target device 101 according to the present embodiment. A management target device 101 illustrated in FIG. 2 includes a transmission / reception unit 201 and a control unit 202. Among these, the transmission / reception unit 201 is a processing unit that transmits / receives information to / from the information collection server 103 via the network 102_1.

  On the other hand, the control unit 202 includes a system information output unit 203. The system information output unit 203 collects system information including information such as ID, device name, product ID, network segment, and relay device to be used, which is identification information of the management target device 101, and sends information via the transmission / reception unit 201. It is a processing unit that transmits to the collection server 103. For collecting system information in the system information output unit 203, a standard function of the OS installed in the management target device 101 may be used, but other methods may be adopted and the form is not limited.

FIG. 3 is a diagram illustrating a functional configuration example of the information collection server 103 according to the present embodiment. The information collection server 103 illustrated in FIG. 3 includes a transmission / reception unit 301 and a control unit 302. Among these, the transmission / reception unit 301 is a processing unit that transmits and receives information via the networks 102_1, 102_2, and 102_3.

  On the other hand, the control unit 302 includes a system information collection unit 303 and a security knowledge collection unit 304. Among these, the system information collection unit 303 receives the above-described system information from the management target device 101 via the transmission / reception unit 301 and stores it in the database 105. Further, the security knowledge collecting unit 304 receives the security knowledge from the security knowledge public institution server 104 via the transmission / reception unit 301 and stores it in the database 105.

  FIG. 4 is a diagram illustrating a functional configuration example of the security knowledge publishing organization server 104 according to the present embodiment. The security knowledge publishing organization server 104 illustrated in FIG. 4 includes a transmission / reception unit 401 and a control unit 402. Among these, the transmission / reception unit 401 is a processing unit that transmits / receives information to / from the information collection server 103 via the network 102_2.

  On the other hand, the control unit 402 includes a security knowledge output unit 403. The security knowledge output unit 403 transmits security knowledge to the information collection server 103 via the transmission / reception unit 401 described above. The method of collecting and managing the security knowledge in the security knowledge publishing organization server 104 differs depending on the specifications of the security knowledge publishing organization server 104 and the operating company of the security knowledge publishing organization server 104, and is not particularly limited here.

  FIG. 5 is a diagram illustrating a functional configuration example of the client 106 according to the present embodiment. The client 106 illustrated in FIG. 5 includes a transmission / reception unit 501, an input / output unit 502, and a control unit 503. Among these, the transmission / reception unit 501 is a processing unit that transmits and receives information via the network 102_3. The input / output unit 502 is a processing unit that controls input from a user such as a system administrator via an interface device such as a keyboard and controls output processing for the user via an interface device such as a monitor.

  The control unit 503 includes a screen display processing unit 504, an initial screen display request unit 505, an attack source designation processing unit 506, a vulnerability risk display request unit 507, a virtual patch designation processing unit 508, and a virtual patch effect display request. Part 509. Among these, the screen display processing unit 504 is a processing unit that performs screen display for the user via the above-described input / output unit 502, and includes an initial screen display request unit 505, a vulnerability risk display request unit 507, and a virtual patch. The screen acquired by the effect display request unit 509 is displayed.

  Further, the initial screen display request unit 505 requests the initial screen data to be presented to the user at the time of connection from the client 106 to the risk assessment server 107 via the transmission / reception unit 501, and receives the corresponding data. It is a processing unit.

  The attack source designation processing unit 506 also designates a device that is a security attack source, such as a device outside the company or a device that is suspected of being infected with malware, via the input / output unit 502 described above. It is a processing unit that receives from a user and transmits it from the transmission / reception unit 501 to the risk evaluation server 107.

  Further, the vulnerability risk display request unit 507 transmits a display request regarding the evaluation result of the vulnerability risk made by the risk evaluation server 107 to the risk evaluation server 107 via the transmission / reception unit 501, and the risk evaluation server 107 It is a processing unit that receives screen data of the obtained vulnerability risk evaluation result.

  The virtual patch designation processing unit 508 is a processing unit that accepts a virtual patch designation input to be verified for the countermeasure effect when applied to the vulnerability via the input / output unit 502 described above. Further, the virtual patch effect display request unit 509 transmits a display request regarding the effect verification result of the virtual patch performed by the risk evaluation server 107 to the risk evaluation server 107 via the transmission / reception unit 501, and obtains the request from the risk evaluation server 107. It is a processing unit that receives the screen data of the effect verification result of the virtual patch.

  FIG. 6 is a diagram illustrating a functional configuration example of the risk evaluation server 107 of the present embodiment. The risk evaluation server 107 illustrated in FIG. 6 includes a transmission / reception unit 601 and a control unit 602. Among these, the transmission / reception unit 601 is a processing unit that transmits and receives information via the network 102_3.

  On the other hand, the control unit 602 includes an initial screen display processing unit 603, a vulnerability risk display processing unit 604, a virtual patch effect display processing unit 605, a risk evaluation model construction processing unit 606, a conditional probability table setting processing unit 607, and a risk value. The calculation processing unit 608 is configured.

  Among these, the initial screen display processing unit 603 receives an initial screen display request from the client 106 via the transmission / reception unit 601, and stores screen data necessary for displaying the initial screen, for example, the database 105 (in this case, the database 105 is , The screen data of each display screen in the client 106 is obtained in advance, and this is returned.

  Further, the vulnerability risk display processing unit 604 receives a vulnerability risk display request from the client 106 via the transmission / reception unit 601, and receives a risk evaluation model construction processing unit 606, a conditional probability table setting processing unit 607, and a risk value calculation. It is a processing unit that returns screen data of vulnerability risk evaluation results obtained by using the processing unit 608.

  Further, the virtual patch effect display processing unit 605 receives a virtual patch effect display request from the client 106 via the transmission / reception unit 601, and receives a risk evaluation model construction processing unit 606, a conditional probability table setting processing unit 607, and a risk value. This is a processing unit that returns the screen data of the virtual patch effect verification result obtained by using the calculation processing unit 608.

  Further, the risk evaluation model construction processing unit 606 is a model for evaluating the risk caused by the vulnerability based on the information on the database 105 and the attack source (device) designation specified by the user input from the client 106. That is, it is a processing unit that builds a risk assessment model.

  The conditional probability table setting processing unit 607 is a processing unit that sets each probability value (see FIG. 24) for performing risk evaluation based on the risk evaluation model constructed by the risk assessment model construction processing unit 606 described above. is there.

  The risk value calculation processing unit 608 is a processing unit that calculates a risk value based on the risk evaluation model constructed by the above-described risk evaluation model construction processing unit 606.

Details of processing by each functional unit in the risk evaluation server 107 described above will be described later based on a flowchart.
--- Hardware configuration ---

Subsequently, the hardware configuration of the devices constituting the risk evaluation system 10 of the present embodiment will be described. FIG. 7 is a diagram illustrating a hardware configuration example of the computer device 701 constituting the risk evaluation system 10 of the present embodiment.

  The computer device 701 illustrated in the figure includes a CPU 702, a memory 703 configured by volatile storage elements such as a RAM, an external storage device 704 configured by appropriate nonvolatile storage elements such as an SSD (Solid State Drive) and a hard disk drive, A transmission / reception device 705 such as a network interface card (NIC), an output device 706 such as a display, and an input device 707 such as a keyboard are included. Of these, the output device 706 and the input device 707 may not include any of the management target device 101, the security knowledge disclosure institution server 104, the information collection server 103, and the risk evaluation server 107.

The control units 202, 302, 402, 503, and 602 of each device illustrated in FIGS. 2 to 6 are implemented by the CPU 702 loading and executing an appropriate program stored in the external storage device 704 described above into the memory 703. Is done. In addition, the transmission / reception units 201, 301, 401, 501, and 601 of each device illustrated in FIGS. 2 to 6 are implemented by the transmission / reception device 705. Further, the input / output unit 502 in the client 106 illustrated in FIG. 5 is implemented by an output device 706 and an input device 707.
--- Data structure ---

  Next, a configuration example of the data that is used by the device that configures the risk evaluation system 10 of the present embodiment, that is, the risk evaluation server 107 will be described. Data used in the risk evaluation system 10 is at least system administrator user information, network information of managed systems, device information, vulnerability information published as security knowledge, and virtual patch information.

  FIG. 8 is a diagram showing a list of data tables stored on the database 105 of the present embodiment. The database 105 illustrated in FIG. 8 stores a user information table 801, a network information table 802, a device information table 803, a vulnerability information table 804, and a virtual patch information table 805. Each table is associated with each other by a predetermined ID included in each record.

  Of the tables included in the database 105, an example of the configuration of the user information table 801 is shown in FIG. A user information table 801 illustrated in FIG. 9 includes records having user IDs 901, user information 902, and a system list 903 as data items. Among these, the user ID is an ID uniquely assigned to a user such as a system administrator in the risk evaluation system 10. The user information 902 is information such as the name and contact information of the user corresponding to the user ID 901 described above. The system list 903 is a list of a set of IDs and system names of systems managed by a user corresponding to the user ID 901, that is, a system that can be a risk evaluation target. In this embodiment, since it is assumed that a plurality of system administrators manage a plurality of systems, such a user information table 801 is held in the database 105. However, only a single system is evaluated for risk. This user information table 801 does not need to be stored in the database 105 in a target situation. This user information table 801 is generated in advance by an administrator of the risk evaluation system 10 and stored in the database 105.

Next, a configuration example of the network information table 802 will be described with reference to FIG. The network information table 802 illustrated in FIG. 10 includes records having network segment IDs 1001, system IDs 1002, and reachable segment ID lists 1003 as data items. Among these, the network segment ID 1001 is an ID uniquely assigned to the network segment included in the processing target by the risk evaluation system 10. The system ID 1002 is an ID of a system related to the network segment ID 1001 described above. The reachable segment ID list 1003 is an ID list of adjacent segments that can reach the message from the network segment indicated by the network segment ID 1001. For example, when a message arrives at a network segment whose network segment ID 1001 is “222” from a network segment whose network segment ID 1001 is “111”, the reachable segment ID list 1003 of the record whose network segment ID 1001 is “111” The segment ID 1001 “222” is stored. This network information table 802 is generated in advance by an administrator of the risk evaluation system 10 and stored in the database 105.

  Next, a configuration example of the device information table 803 will be described with reference to FIG. The device information table 803 illustrated in FIG. 11 includes a device ID 1101, a device name 1102, a product ID 1103, a network segment ID list 1104, and a relay device ID map 1105 collected by the information collection server 103 and stored in the table. It has a record as a data item.

  Among these, the device ID 1101 is an ID uniquely assigned to the above-described management target device 101 that the information collection server 103 has collected information. The device name 1102 is a machine name given to the management target device 101 corresponding to the device ID 1101 described above. The product ID 1103 is a product ID that configures the management target device 101 corresponding to the device ID 1101. The network segment ID list 1104 is an ID list of network segments to which the management target device 101 corresponding to the device ID 1101 belongs. The relay device ID map 1105 is a list of device IDs indicating the transmission source and destination management target devices 101 of the communication relayed by the management target device 101 in the system configuration. For example, when communication from “device A”, which is a management target device, passes through “device C”, “device A” is set to “KEY” in the record related to “device C” in the device information table 803. Store “device B” as an associative array with VALUE.

  Next, a configuration example of the vulnerability information table 804 will be described with reference to FIG. The vulnerability information table 804 illustrated in FIG. 12 includes a vulnerability ID 1201, a device ID 1202, a vulnerability attack probability 1203, and a device collected by the information collection server 103 from the security knowledge disclosure institution server 104 and stored in the table. It has a record with the influence probability 1204 as a data item.

  Among these, the vulnerability ID 1201 is an ID uniquely assigned to the vulnerability. The vulnerability ID 1201 includes a common vulnerability identifier (CVE: Common Vulnerabilities and Exposures) numbered by MITRE and used internationally, and a JVN number (JVN: Japan Vulnerability Notes) used in Japan. ), Or a vulnerability ID uniquely assigned by the vendor.

The device ID 1202 is an ID of the management target device 101 having a vulnerability corresponding to the vulnerability ID 1201 described above. The vulnerability attack probability 1203 is an occurrence probability or score of an attack that hits a vulnerability alone corresponding to the above-described vulnerability ID 1201, and is a score based on the technical characteristics of the vulnerability. The device influence probability 1204 is a probability that the attack on the vulnerability corresponding to the vulnerability ID 1201 described above affects the corresponding managed device 101 (device indicated by the device ID 1202), and technical characteristics of the vulnerability. It is a score based on. Generally, in the security knowledge public organization server 104, CVSS (Common
Based on standard security standards such as Vulnerability Scoring System, security scores are released for individual software vulnerabilities by assigning scores such as ease of attack and impact on equipment from the viewpoint of technical characteristics. The information collection server 103 described above can acquire the same score as the vulnerability attack probability 1203 and the device influence probability 1204 described above.

  Next, a configuration example of the virtual patch information table 805 will be described with reference to FIG. Here, the virtual patch is one of typical countermeasures for software vulnerability, and is a means for blocking an attack using the vulnerability by a security product such as IPS (Intrusion Prevention System). In general, the best way to resolve software vulnerabilities is to eliminate the software vulnerabilities themselves by applying legitimate patches to the software. Not just applicable situations. Therefore, there are many cases where a virtual patch is used that can be quickly taken and does not adversely affect the target system.

  The virtual patch information table 805 illustrated in FIG. 13 includes records having virtual patch IDs 1301, vulnerability ID lists 1302, and product IDs 1303 as data items. Among these, the virtual patch ID 1301 is an ID uniquely assigned to the virtual patch. The vulnerability ID list 1302 is an ID list of vulnerabilities that can block a virtual patch corresponding to the virtual patch ID 1301 described above. The product ID 1303 is a product ID corresponding to the virtual patch ID 1301 described above. In general, a vendor who develops a product releases a virtual patch and vulnerability information that can be protected by the virtual patch on the security knowledge release organization server 104. Such information is stored in the virtual patch information table 805 described above. It will be stored as information.

In this embodiment, the user information table 801, the network information table 802, the device information table 803, the vulnerability information table 804, and the virtual patch information table 805 are constructed on the database 105, but this is merely an example. Thus, a predetermined storage unit may be arranged in the external storage device 704 of the risk evaluation server 107 and arranged on the storage unit. Further, any one of the above-described tables 801 to 805 may be combined to form one table. Alternatively, any of the above-described tables 801 to 805 may be a further segmented table.
--- Example flow of information collection and registration ---

  Hereinafter, the actual procedure of the risk evaluation method in the present embodiment will be described with reference to the drawings. Various operations corresponding to the risk evaluation method described below are realized by a program that configures the risk evaluation system 10 and is read and executed by the risk evaluation server 107 in a memory or the like, for example. And this program is comprised from the code | cord | chord for performing the various operation | movement demonstrated below. In the following description, not only the processing executed by the risk evaluation server 107 but also processing executed by other devices will be described as appropriate.

FIG. 14 is a flowchart showing a processing procedure example 1 of the risk evaluation method in the present embodiment. Here, first, a process of generating the database 105, that is, a process of acquiring system information and security information of the management target device 101 by the information collection server 103 and storing in the database 105 will be described. Such processing needs to be executed in advance before (at least immediately before) the risk evaluation server 107 performs risk evaluation processing caused by the vulnerability of the management target device 101. Further, the above-described system information (information obtained from the management target device 101) and security knowledge (information obtained from the security knowledge public organization server 104) can be added or updated at any time by the management target device 101 or the security knowledge public organization server 104. Since the update has been made, the risk evaluation system 10 (the management target device 101, the information collection server 103, or the risk evaluation server 107) included in or cooperating with the risk evaluation system 10 of the present embodiment performs the acquisition process of these pieces of information. It is preferable to execute it as a background process.

  In this case, first, the managed device 101 activates the system information output unit 203 according to the arrival of a predetermined time, for example, by the scheduler function included in the standard function of its own OS (1401).

  Next, the system information output unit 203 in the management target device 101 acquires the system information of the management target device 101 and transmits it to the information collection server 103 (1402). The system information acquired by the system information output unit 203 is information corresponding to items (eg, device ID, device name, network segment ID, etc.) included in each record in the device information table 803 and the network information table 802.

  On the other hand, the information collection server 103 that has received the system information from the management target device 101 transmits a new data addition or update request to the database 105 (1403). Upon receiving this request, the database 105 searches the device information table 803 by using, for example, the device ID as a key in the system information included in the request, and generates a new record if there is no record related to the device ID. Set the value of the corresponding item in the system information included. If a record related to the corresponding device ID already exists in the device information table 803, data is updated with the value of the corresponding item in the system information included in the request in the corresponding record. It is assumed that such processing is similarly performed on the network information table 802.

  The above processing, step 1401 to step 1403 is executed for each managed device 101 and is repeated by the number of managed devices 101. In this embodiment, a client server configuration is adopted between the management target device 101 and the information collection server 103, and the above-described system information acquisition process is automated to improve the efficiency of operation. However, system information of the management target device 101 may be described in a data file format by a system administrator who uses the client 106 and the like, and may be input to the information collection server 103. Thus, by inputting the system information by the system administrator, there is an advantage that the managed device 101 can be operated without an agent. In this embodiment, the system information is periodically transmitted. However, a change in the system information may be detected, and the system information may be transmitted at a timing when the system information changes.

  A series of processes in which the information collection server 103 collects security information from the security knowledge disclosure authority server 104 and stores it in the database 105 will be described following the description of the collection and storage of system information described above.

  FIG. 15 is a flowchart showing a procedure example 2 of the risk evaluation method in the present embodiment. Specifically, FIG. 15 is a flowchart showing an example of a security knowledge acquisition process performed by the information collection server 103 as a background process.

  In this case, first, the information collection server 103 uses the scheduler function provided in the OS of the information collection server 103 itself, for example, in the same manner as the function in the management target device 101 described above, to set the security knowledge collection unit 304 according to the arrival of a predetermined time. The security knowledge collecting unit 304 transmits a security knowledge request to the security knowledge public institution server 104 (1501).

On the other hand, the security knowledge publishing organization server 104 that has received the above-mentioned security knowledge request returns the security knowledge data held in its own storage device to the information collection server 103 by the security knowledge output unit 403 (1502). ). Here, the security knowledge returned from the security knowledge public institution server 104 to the information collection server 103 is information corresponding to the item of the record in the vulnerability information table 804 and the virtual patch information table 805.

  The information collection server 103 that has received the security knowledge data transmits a request for security knowledge, that is, new addition or update of security information, to the database 105 (1503). Upon receiving this request, the database 105 searches the vulnerability information table 804 using, for example, the device ID or the vulnerability ID as a key in the security information included in the request, and if there is no record related to the device ID, a new record is created. Generate and set the value of the corresponding item in the security information included in the above request. If a record relating to the device ID or the like already exists in the vulnerability information table 804, data update is performed with the value of the corresponding item in the security information included in the request in the corresponding record. It is assumed that such processing is similarly executed for the virtual patch information table 805.

  In the present embodiment, the above-described security information acquisition process is automated between the security knowledge publishing organization server 104 and the information collection server 103 to improve operation efficiency. However, the method of exchanging information between the security knowledge public institution server 104 and the information collection server 103 is based on the specifications of the security knowledge public institution server 104.

---- Initial screen display processing flow example ---

  Next, processing for displaying an initial screen when the system administrator connects to the risk assessment server 107 via the client 160 will be described with reference to the drawings. FIG. 16 is a flowchart showing a processing procedure example 3 of the risk evaluation method in the present embodiment, and more specifically, a flowchart showing an example of the initial screen display processing.

  In this case, first, the client 106 that has received an instruction from the system administrator via the input / output unit 502 transmits a connection request to the risk assessment server 107 using the initial screen display request unit 505 (1601). This connection request includes at least the user ID 901.

  On the other hand, the initial screen display processing unit 603 of the risk assessment server 107 requests and acquires the display data of the initial screen to be output to the client 106, for example, from the database 105 (1602). In this case, for example, template data of a predetermined screen corresponding to each procedure of the risk evaluation method of the present embodiment is stored in advance in the external storage device 704 of the risk evaluation server 107. The screen template data corresponding to the corresponding procedure is read from the external storage device 704 in response to a request from, and data obtained in response to the request to the database 105 is set and output.

The data acquired by the risk assessment server 107 from the database 105 in step 1602 described above, that is, the data set in the screen template data, for example, the user information table 801 and the device information table using the user ID 901 included in the connection request as a key. Data obtained from each of 803. The data includes user information 902 associated with the user ID 901, a system list 903, a device ID 1101 associated with the system ID included in the system list 903, a device name 1102, a network segment ID 1104, and the like. In the present embodiment, an example in which the user ID 901 is included in the connection request from the client 106 is shown. However, other processes such as general user authentication for the connection request (eg, ID and password) The user ID 901 may be specified through the authentication process or the like. The processing mode such as user authentication is not limited.

  As described above, the initial screen display processing unit 603 of the risk assessment server 107 sets the data obtained from each of the user information table 801 and the device information table 803 of the database 105 in the template data of the initial screen, and stores the screen data. It is generated and returned to the client 106 (1603). That is, FIG. 17 shows an example of the initial screen 1701 displayed on the input / output unit 502 of the client 106 as a result of the processing of 1603. The initial screen 1701 illustrated in FIG. 17 includes a user information area 1702 for displaying user ID and user name information, a system list display area 1703 for displaying system list information, and a risk evaluation button 1705. It has become.

  Among these, the system list display area 1703 is a list (more preferably, a list of related device IDs and device names (derived from the device information table 803) for the systems checked in the check box 17031 among the system lists displayed in the region. Includes a related device information list display area 1704 for displaying (including a network segment ID in this list). The list displayed in the related device information list display area 1704 includes an attack source designation box 17041 to be checked when the system administrator designates a device regarded as an attack source.

  Although details will be described later, when the risk evaluation button 1705 is pressed, regarding a system in which the check box 17031 is checked at that time, a device in which the attack source designation box 17041 is checked is set as the attack source. Risk assessment will begin.

--- Flow example of risk assessment process (main flow) ---

  Next, vulnerability risk evaluation processing executed by the risk evaluation server 107 when the risk evaluation button 1705 is pressed on the initial screen 1701 described above will be described with reference to the drawings. FIG. 18 is a flowchart showing a processing procedure example 4 of the risk evaluation method in the present embodiment, and is a diagram showing a main flow example of the risk evaluation process.

  Here, first, the client 106 receives information on the risk evaluation target system and the attack source device specified by the system administrator via the input / output unit 502 (1801). In the present embodiment, check boxes 17031 and 17041 on the initial screen 1701 of FIG. 17 are exemplified as an interface for the client 106 to receive designation of the target system and attack source from the system administrator. Devices that can be designated as attack sources by the check box 17041 by the system administrator include the managed device 101 or unmanaged devices belonging to the network segment to which the managed device 101 belongs. In the example of the initial screen 1701 in FIG. 17, not the managed device 101 but an external device (unmanaged device) is selected as the attack source.

Subsequently, the client 106 transmits a vulnerability risk display request to the risk evaluation server 107 (1802). This transmission process is executed with, for example, a click on the risk evaluation button 1705 on the initial screen 1701 as a trigger. The vulnerability risk display request transmitted here includes the system ID of the system to be checked in the check box 17031 of the initial screen 1701 and the device ID specified as the attack source in the check box 17041. Alternatively, the system ID of the system to be checked in the check box 17031, the predetermined identifier representing the unmanaged external device designated as the attack source in the check box 17041, and the network segment ID to which the external device belongs (example) : Included in the list of related device information list display area 1704).

  Upon receiving the vulnerability risk display request, the risk evaluation server 107 uses the information indicated by the request as a key, the network information table 802 on the database 105, the device information table 803, the vulnerability information table 804, and the virtual patch information. The corresponding information in the table 805 is acquired (1803). In the present embodiment, it is assumed that the risk evaluation server 107 collects information necessary for the vulnerability risk display process in the above-described step 1803 and expands it on the memory. However, the vulnerability risk display process It is also possible to access the database 105 each time information is required in each of these processes and acquire only the necessary information.

  Next, the risk evaluation model construction processing unit 606 of the risk assessment server 107 executes risk assessment model construction processing (1804) based on the information obtained in step 1803 described above. In the risk evaluation model construction process according to the present embodiment, since vulnerability risk evaluation is performed based on the system configuration to be evaluated and the network topology, the relationship between the devices (external devices and managed devices 101) and each of the vulnerabilities. A non-circular directed graph representing the sex is generated as a risk evaluation model by an algorithm based on a corresponding predetermined graph theory. This algorithm is realized by a program corresponding to the flows shown in FIGS. 19 to 22 described later, and the corresponding program is held by the risk evaluation model construction processing unit 606 of the risk evaluation server 107.

  The above acyclic directed graph corresponds to a graph in which an arbitrary object is a node and the nodes are connected by a unidirectional arrow called an arc. In such an acyclic directed graph, there is a relationship between a parent node and a child node between the above nodes, and it is not allowed to connect an arc from a child node to an ancestor node including the parent. In general, the absence of an arc connection relationship from a child node to a parent node is referred to as “no loop”.

  In the present embodiment, a graph model is constructed in which each device constituting the evaluation target system and each vulnerability possessed by the device are nodes. In addition, the relationship between the device having the vulnerability and the vulnerability is connected as an arc. In addition, when there is a vulnerability on the device to which the attack message arrives from the device via the network, the connection is made as an arc. By connecting the nodes in the above two cases, a graph model representing the relationship between the vulnerability and the device, that is, a risk evaluation model is constructed.

  By building a risk evaluation model as a directed acyclic graph in this way, it becomes possible to quantitatively evaluate vulnerability risk using a probabilistic inference method called a Bayesian network. Bayesian Network (Bayesian Network), which will be described in detail later, visualizes phenomena in the form of network diagrams and probabilities by causing multiple causes and results to affect each other by combining multiple causes and results. This is an inference technique that statistically processes a stack of causes and results that have occurred in the past, and predicts a cause that leads to a predetermined result or a result that occurs from a certain cause with probability. The risk evaluation server 107 of the present embodiment is assumed to hold an inference program corresponding to this Bayesian network in the memory 703 or the external storage device 704 in advance and can be executed as necessary.

--- Example of risk assessment model construction process ---

Here, a flow example of the above-described risk evaluation model construction process (1804) will be described with reference to FIG. For the sake of explanation, the risk evaluation model construction process (1804) exemplified in FIG.
The non-circular directed graph 2300 generated in (1) is referred to as needed.

  First, the risk evaluation model construction processing unit 606 in the risk evaluation server 107 arranges the attack source device designated by the system administrator on the initial screen 1701 as a node (1901). The same applies to the subsequent processing, but the arrangement of nodes and arcs in the risk evaluation model corresponds to the nodes and arcs in a predetermined drawing plane by the drawing program for the acyclic directed graph provided in advance in the risk evaluation server 107. This is realized by the process of arranging the drawn elements (for example, icons, line segments, etc.). As a result of the execution of step 1901, only the attack source device node 2301 is arranged in the risk evaluation model of FIG. 23, that is, the acyclic directed graph 2300.

  Next, the risk evaluation model construction processing unit 606 of the risk evaluation server 107 selects a device belonging to a plurality of networks and a node corresponding to the vulnerability among the devices indicated by the information obtained in step 1803 described above. Processing to be added in the acyclic directed graph 2300 is executed (1902). In addition, the risk evaluation model construction processing unit 606 of the risk evaluation server 107 assigns a device belonging to a single network and a node corresponding to the vulnerability among the devices indicated by the information obtained in the above step 1803 to the above-described nodes. Processing to be added in the acyclic directed graph 2300 is executed (1903).

  Step 1902 described above will be described with reference to FIGS. 20 and 21, and step 1903 will be described with reference to FIG. Thus, the reason why different processes are executed depending on whether the number of networks to which a device belongs is singular or plural is to make the construction of the acyclic directed graph 2300 more efficient.

  First, processing for arranging devices belonging to a plurality of networks and nodes corresponding to the vulnerabilities will be described. In this processing, the attack source device is classified as level 0 which means the highest node in the parent-child relationship between nodes, and other devices are set to the size of the number of hops until the attack arrives from the attack source. The level is divided accordingly, and the corresponding node is added in the acyclic directed graph 2300 described above. In a vulnerability attack, when a device cannot be attacked directly from the attack source, there is a step attack that attacks and controls another device, and hops the number of devices that relay the attack during this step attack. Call it a number. In addition, as described above, a restriction condition for connecting an arc only from a higher-level device to a lower-level device is set between level-divided devices. Therefore, also in step 1902, the acyclic directed graph 2300 is constructed so as to satisfy this constraint condition.

  Therefore, first, the risk evaluation model construction processing unit 606 of the risk evaluation server 107 refers to the network segment ID list 1104 of the device information table 803 obtained from the database 105 in the above-described step 1803, and identifies devices belonging to a plurality of networks. A set is constructed (2001).

  Next, the risk evaluation model construction processing unit 606 of the risk evaluation server 107 sets the device as the above-mentioned attack source as the device set “E0” of level 0, and all the devices “e” belonging to the device set “E0”. On the other hand, the following steps 2003 to 2006 are executed.

  Among these, in step 2003, the risk evaluation model construction processing unit 606 determines the device “e” from the network segment ID list 1104 of the device information table 803 and the reachable segment ID list 1003 of the network information table 802 obtained in step 1803. Of the network to which the message belongs and the network from which the message arrives, other than the upper network is added to the level 1 network set “N1”. Since there is no level 0 network, all are added at level 1.

  Next, in step 2004, the risk evaluation model construction processing unit 606 determines that a device belonging to the subset “N′1” of the level 1 network from the network segment ID list 1104 is a subset “E ′” of the level 1 device. Add to 1 ". Similarly, when adding to “E′1”, devices that already exist in the higher-level device set are excluded.

  In step 2005, the risk evaluation model construction processing unit 606 performs connection processing from the device “e” to devices belonging to the device set “E′1” and their vulnerabilities (2005). Details of this step 2005 are shown in the flow of FIG.

  In the flow of FIG. 21, the risk evaluation model construction processing unit 606 first determines whether all devices “e ′” belonging to the device subset “E′1” have been arranged as nodes in the acyclic directed graph. (2101, 2102).

  When the result of the above determination is “allocated” (2102: Yes), the risk evaluation model construction processing unit 606 omits steps 2013 to 2105 in order to avoid the problem of overlapping and arranging the same device. The process proceeds to 2106. On the other hand, when the result of the above determination is “not placed” (2102: No), the risk evaluation model construction processing unit 606 places the device “e ′” as a node in the acyclic directed graph (2103). In the example of the acyclic directed graph 2300 in FIG. 23, a device node 2302 is arranged.

  Next, the risk evaluation model construction processing unit 606 obtains all the vulnerabilities “ve” possessed by the device “e ′” from the device ID 1202 of the vulnerability information table 804 already obtained in step 1803 described above. Are arranged in the acyclic directed graph (2104). In the example of the acyclic directed graph 2300 in FIG. 23, a vulnerability node 2303 is arranged.

  Next, the risk evaluation model construction processing unit 606 connects the arc from the node of the vulnerability “ve” to the node of the device “e ′” (2105). In the example of the acyclic directed graph 2300 in FIG. 23, an arc 2304 connects between the vulnerability node 2303 and the device node 2302.

  Next, the risk evaluation model construction processing unit 606 connects an arc from the node of the device “e” to the node of the vulnerability “ve” (2106). In the example of the acyclic directed graph 2300 in FIG. 23, an arc 2305 connects the attack source device node 2301 and the vulnerability node 2303.

  Returning to the description of the flow of FIG. After the end of step 2005, the device subset “E′1” and the network subset “N′1” are added to the device set “E1” and the network set “N1”, respectively (2006).

  As described above, by executing steps 2002 to 2006 for the level 0 device, the relationship of the device from the level 0 device to the level 1 is added to the acyclic directed graph 2300. Through the series of processing up to this point, a level 0 region 2310 and a level 1 region 2311 are constructed in the directed acyclic graph 2300 as a risk evaluation model illustrated in FIG. In the present embodiment, steps 2002 to 2006 are executed for the level 1 device, and the level 2 area 2311 is constructed. In this way, the steps 2002 to 2006 are repeatedly executed on the lower level devices sequentially from the upper level device, thereby constructing an acyclic directed graph as a risk evaluation model. The risk evaluation model construction processing unit 606 repeatedly executes such an iterative process until all devices belonging to all networks and a plurality of networks are added.

  Here, the details of step 1903 in the flow of FIG. 19, that is, the process of adding a device belonging to a single network and its vulnerable node to the acyclic directed graph will be described. FIG. 22 is a flowchart showing a processing procedure example 8 of the risk evaluation method in the present embodiment.

  In this case, the risk evaluation model construction processing unit 606 classifies the devices indicated by the information obtained in the above-described step 1803 into sets “Em” (plural) and “Es” (single) according to the number of networks to which each device belongs. Then, the following steps 2201 to 2206 are executed for all devices “e” belonging to a single network.

  First, the risk evaluation model construction processing unit 606 arranges the device “e” as a node in the acyclic directed graph (2202). In the example of the acyclic directed graph 2300 in FIG. 23, a device node 2306 is arranged.

  Next, the risk evaluation model construction processing unit 606 makes all vulnerabilities “ve” possessed by the device “e” corresponding to the device ID 1202 of the vulnerability information table 804 already obtained in the above step 1803 vulnerable. The node is arranged in a non-circular directed graph as a node (2203). In the example of the acyclic directed graph 2300 in FIG. 23, a vulnerability node 2307 is arranged.

  Next, the risk evaluation model construction processing unit 606 connects the arc from the node of the vulnerability “ve” to the node of the device “e” (2204). In the example of the acyclic directed graph 2300 of FIG. 23, an arc 2308 connects between the vulnerability node 2307 and the device node 2306.

  Next, the risk evaluation model construction processing unit 606 constructs a set “E ′” of devices that belong to the same network as the device “e” and belong to a plurality of networks (2205). Further, the risk evaluation model construction processing unit 606 connects the arc from the node of the device included in the device set “E ′” to the node of the vulnerability “ve” (2206). In the example of the acyclic directed graph 2300 in FIG. 23, an arc 2309 connects between the device node 2302 and the vulnerability node 2307.

  In this way, the acyclic directed graph 2300 illustrated in FIG. 23, that is, the risk evaluation model is generated. Unlike the present embodiment, in the construction of a conventional evaluation model in which an inference method such as a Bayesian network is applied, it is common to have the system administrator input the above-described arc connection relationship and manually construct the model. there were. On the other hand, in this embodiment, the attack source device is the highest node, and other devices are leveled according to the number of hops until the attack arrives from the attack source device, and the upper level device to the lower level device. By introducing the constraint condition for connecting the arc only to the point, it is possible to automatically build a risk evaluation model in the process of risk evaluation model construction processing (1804).

  Returning to the description of the flow of FIG. Here, first, the probability that each vulnerability is attacked and the probability that each device is infringed are calculated from the distribution state of the entire vulnerability, without being limited to specific vulnerabilities in the acyclic directed graph.

After the risk evaluation model construction process (1804) is completed as described above, the conditional probability table setting processing unit 607 of the risk evaluation server 107 sets a conditional probability table for each node in the acyclic directed graph 2300. (1805). This conditional probability table is a table that defines the states that the target node can take and describes the probability that the state of the target node will occur as a conditional probability for all combinations of the states that the parent node of the target node takes. That is. The conditional probability is the probability that another event will occur under the condition that a certain event occurs. In this embodiment, two states are defined as states that can be taken by each node: a state that is not infringed by an attack and a state that is not invaded.

  An example of the conditional probability table described above is shown in FIG. The conditional probability table 2501 illustrated in FIG. 24 is an example of the conditional probability table of the vulnerability node 2307 in the directed acyclic graph 2300 in FIG. Since the vulnerability node 2307 in FIG. 23 has two parent nodes (device A and device B), the conditional probability table 2501 in FIG. Conditional probabilities are set for multiplication, that is, four ways. In the conditional probability table 2501 of FIG. 24, if any of the parent nodes is compromised, it is assumed that a similar attack can be made against the vulnerable node 2307 from either parent node. The value of the vulnerability attack probability 1203 in the vulnerability information table 804 (FIG. 12) based only on the technical characteristics is set as the conditional probability 2502. On the other hand, if none of the parent nodes is infringed, it is assumed that an attack on the vulnerable node 2307 is impossible, and the conditional probability 2503 is “0”. In this conditional probability table setting process (1805), since the conditional probability table of the attack source node is defined as the attack source, the infringed state is set to “1”.

  Next, the risk value calculation processing unit 608 executes probability inference using a Bayesian network inference program, and calculates the probability that each vulnerability is attacked and the probability that each device is infringed (1806). A Bayesian network is a technique for calculating a peripheral probability (a general probability without a precondition) of a state taken by each node from an acyclic directed graph and a conditional probability table. In addition, as a method of probability inference in a Bayesian network, a generally known method is adopted, and there is no limitation. In probability inference using a Bayesian network, as a result, the peripheral probabilities of all nodes constituting the acyclic directed graph are obtained.

  Subsequently, the risk value calculation process 608 limits the specific vulnerability in the acyclic directed graph, and calculates the probability that the vulnerability will cause the device to be affected. Therefore, the conditional probability table setting processing unit 607 sets different conditional probability tables for all vulnerabilities one by one in the acyclic directed graph. In order to perform the probability inference similar to the above, the conditional probability table setting processing (1807) by the conditional probability table setting processing unit 607 and the risk value calculation (1808) by the risk value calculation processing unit 608 are repeatedly executed.

  Among these, in the conditional probability table setting process (1807), the conditional probability table setting processing unit 607 corrects the result of the conditional probability table setting process (1805). In this case, the conditional probability table of the attack source node is reset so that the infringed state becomes “0”, and only the conditional probability table of the target vulnerability has the peripheral probability of the risk value calculation (1806). Update to match the results. In the risk value calculation (1808), the risk value calculation processing unit 608 calculates a risk value in the same manner as the risk value calculation (1806). By this risk value calculation (1808), it is possible to calculate the infringement probability for each device limited to only attacks through the targeted vulnerability.

FIG. 25 shows an example of the vulnerability display screen 2501 displayed to the user by the client 106 as a result of the processing of FIG. In the vulnerability risk display screen 2501 illustrated in FIG. 25, the display forms such as the user ID and the user information are the same as the initial screen 1701. On the other hand, the vulnerability risk display processing unit 604 of the risk evaluation server 107 displays the risk evaluation model constructed in the above-described risk assessment model construction processing (1804) in an area 12502 on the screen 2501. Further, the vulnerability risk display processing unit 604 lists and displays the probability that each device is infringed calculated in the above risk value calculation (1806) in association with the device ID 1101 as the degree of risk 2503 on the screen 2501. To do. In addition, vulnerability risk display processing unit 6
04, the probability that each vulnerability is attacked, calculated by the risk value calculation (1806) described above, is made reachability 2504, and is listed and displayed in association with the vulnerability ID 1201 on the screen 2501.

  Further, the vulnerability risk display processing unit 604 calculates the total infringement probability for each device limited to only the attack through the specific vulnerability calculated in the above-described risk value calculation (1808). , The degree of influence 2505 is listed in association with the vulnerability ID 1201 and displayed. In addition, the vulnerability risk display processing unit 604 uses the vulnerability ID list 1302 of the virtual patch information table 805 to provide virtual patch information effective for dealing with the vulnerability on the vulnerability risk display screen 2501. The virtual patch ID related to the vulnerability is displayed in the area 2506. The check box 25061 and the countermeasure effect button 2507 in the area 2506 will be described later.

  As described above, it is possible to calculate risk values based on the system configuration and network topology of the devices that constitute the evaluation target system by building the relationship between the vulnerability and the device as a directed acyclic graph. . In addition, the risk evaluation server 107 displays the above-described vulnerability risk display screen 2501 on the client 106, so that the system operation administrator who browses the information displays information on the degree of risk 2503, for example. It is possible to quickly grasp and easily determine the priority of the vulnerability to be countermeasured from the size of the reachability 2504 and the influence degree 2505. As a result, it is possible to efficiently take measures against vulnerability.

---- Display processing example of effects related to virtual patch application ---

  Next, processing for verifying and displaying the effect of applying a virtual patch to the vulnerability included in the above-described risk evaluation model will be described with reference to the drawings. In general, virtual patches can block messages that attack attacks on vulnerabilities, but attacks can be performed without going through devices with virtual patches installed, such as using other vulnerabilities as a stepping stone. Is not an effective measure. Legitimate patches for vulnerabilities provide countermeasures that completely eliminate vulnerabilities, but whether countermeasures using virtual patches are effective depends on the system configuration and topology. It is necessary to assist the system operator in planning countermeasures by evaluating the effect of virtual patches. Therefore, the risk evaluation server 107 according to the present embodiment recreates a risk evaluation model for evaluating the system state after applying the virtual patch based on the virtual patch information table 805, and the risk evaluation model to which the virtual patch is not applied and the virtual The effect of the virtual patch is evaluated by calculating the difference between each risk evaluation result and the risk evaluation model to which the patch has been applied.

  FIG. 26 is a flowchart showing a processing procedure example 9 of the risk evaluation method in the present embodiment. In this flow, in response to an operation by the system administrator, the client 106 checks the virtual patch to be applied regarding a certain vulnerability on the above-described vulnerability risk display screen 2501 and checks the countermeasure effect button 2507. Is clicked (2601).

  In the example of FIG. 25, an example in which one virtual patch is designated by the system administrator is shown, but a plurality of virtual patches may be selected. In that case, the risk evaluation server 107 may evaluate the effect of combining the virtual patches. The virtual patches that can be specified as the verification target of the effect are only virtual patches that have an effect on the vulnerability possessed by the management target device 101 described above.

Subsequently, the client 106 transmits the above-described virtual patch effect display request to the risk evaluation server 107 (2602). This virtual patch effect display request includes the virtual patch ID 1301 specified by the system administrator on the client 106 as an effect verification target.

  On the other hand, the virtual patch effect display processing unit 605 of the risk evaluation server 107 that has received this request acquires all the tables on the database 105 in a lump and expands them in the memory, as in the above-described table reference processing (1803). (2603).

  Subsequently, the virtual patch effect display processing unit 605 executes a risk evaluation model construction process (2604). This risk evaluation model construction process (2604) is similar to the risk evaluation model construction process (1804) illustrated in FIG. However, a risk assessment model is added that adds the vulnerability blocking effect of virtual patches. For this reason, in the processing (1902) for adding devices belonging to a plurality of networks and their vulnerabilities, the contents of the processing for connecting the devices and their vulnerabilities (FIG. 20: 2005) are different. Here, the connection process (2005) in the process flow illustrated in FIG. 26 is referred to as a connection process (2005_2), and only the connection process (2005_2) will be described. Description of other processing is omitted.

  Here, an example of connection processing (2005_2) in the processing flow is shown in the flow of FIG. In the connection process 2005_1 already described, the number of hops for the device subset “E′i + 1” is counted only based on the network configuration, but here, the number of hops from the attack source increases due to the effect of the virtual patch. In order to exclude a device, first, all devices “e ′” belonging to the device subset “E′i + 1” have only a vulnerability that the device “e ′” can prevent with a designated virtual patch. It is determined that the attack from the device “e” to the device “e ′” is blocked by the designated virtual patch (2701, 2702).

  As a result of the above determination, when either of the two conditions is not satisfied (2702: No), the virtual patch effect display processing unit 605 executes Steps 2703 to 2707. Since Steps 2703 to 2708 have the same processing contents as Steps 2102 to 2706 exemplified in the flow of FIG. 21, description thereof is omitted here. On the other hand, when the above two conditions are satisfied as a result of the above determination (2702: Yes), the patch effect display processing unit 605 excludes the device “e ′” from the device subset “E′i + 1”, and The process returns to the routine of step 2701. In this way, a risk evaluation model is constructed based on the relationship between the devices and their vulnerabilities in the system state after applying the virtual patch. By using the risk evaluation model after applying this virtual patch, the effect of the virtual patch can be verified.

  Now, the description returns to the flowchart of FIG. After building the risk evaluation model based on the system state after applying the virtual patch as described above, the risk evaluation server 107 executes conditional probability table setting processing (2605) to risk value calculation (2608). The conditional probability table setting process (2605) to risk value calculation (2608) are the same processes as the conditional probability table setting process (1805) to risk value calculation (1808) in FIG. Description is omitted.

Next, the virtual patch effect display processing unit 605 of the risk evaluation server 107 calculates the risk 2503, the reachability 2504 calculated by the risk evaluation model when the virtual patch is not applied, which has already been obtained in the flow of FIG. And each value of the degree of influence 2505 are compared with each value of the degree of risk, the reachability, and the degree of influence calculated by the risk evaluation model at the time of applying the virtual patch in the above-described steps 2606 and 2608, and the respective differences are obtained. Calculate (2609). The larger the difference value obtained by this calculation, the greater the effect of the corresponding virtual patch. In the present embodiment, the difference value described above corresponds to the effect of the virtual patch. However, the ratio between the values before and after the application of the virtual patch may correspond to the effect of the virtual patch. Alternatively, the difference calculation is not executed, and each value before and after the virtual patch application is acquired as a comparison target.
6 may be displayed in parallel.

  FIG. 28 shows an example of the vulnerability display screen 2801 when the difference information obtained by the calculation in step 2609 is displayed on the client 106. In the vulnerability display screen 2801, the display form such as the user ID and the user information is the same as the initial screen 1701 illustrated in FIG. On the other hand, the virtual patch effect display processing unit 605 generates and displays a table 28021 in the area 2802 for each difference value of the risk, reachability, and influence obtained by the difference calculation process (2609). The table 28021 in the area 2802 is configured to display information related to one virtual patch “PAT303”, but may be configured to display information related to a plurality of virtual patches. In addition, the risk level 2803, the impact level 2804, and the reachability level 2805 include both values calculated by the risk evaluation model when the virtual patch is not applied and results calculated by the risk evaluation model when the virtual patch is applied. , Displayed in parallel via arrows, and the state of the value changed by applying the virtual patch is clearly shown to the user.

  As described above, a risk evaluation model based on the system state after applying the virtual patch is constructed, and the results of the virtual patch are verified by comparing the risk evaluation results before and after applying the virtual patch, and the results are managed by the system. Can be clearly presented to the person.

  In addition, this invention is not limited to an above-described Example, Various modifications are included. For example, the above-described embodiments have been described in detail for easy understanding of the present invention, and are not necessarily limited to those having all the configurations described. Further, a part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. Further, it is possible to add, delete, and replace other configurations for a part of the configuration of each embodiment.

  Each of the above-described configurations, functions, processing units, processing means, and the like may be realized by hardware by designing a part or all of them with, for example, an integrated circuit. Each of the above-described configurations, functions, and the like may be realized by software by interpreting and executing a program that realizes each function by the processor. Information such as programs, tables, and files for realizing each function can be stored in a memory, a recording device such as a hard disk or SSD (Solid State Drive), or a recording medium such as an IC card, SD card, or DVD.

  Further, the control lines and information lines indicate what is considered necessary for the explanation, and not all the control lines and information lines on the product are necessarily shown. Actually, it may be considered that almost all the components are connected to each other.

  According to this embodiment, the system administrator who operates the system and the engineer (SE) who developed the business system understand the causal relationship between information security vulnerabilities and risk in the system that is subject to risk assessment. It can be displayed easily. In addition, it is possible to perform risk assessment based on the device and network configuration of the target system, and display the results of the assessment with more accurate prioritization of countermeasures (eg, applying virtual patches). Can help people easily determine the necessity and importance of countermeasures. In addition, by calculating the countermeasure effect by the virtual patch and clearly indicating it to the system administrator, it is possible to easily determine the effectiveness of the countermeasure by the virtual patch.

  Accordingly, it is possible to evaluate the vulnerability risk based on the system configuration and topology in addition to the technical characteristics of each vulnerability, and to perform highly effective risk evaluation corresponding to the actual system situation. In addition, according to the present invention, it is possible to efficiently deal with security incidents.

  At least the following will be clarified by the description of the present specification. That is, in the risk evaluation system of the present embodiment, the arithmetic device applies each piece of information on the device, the network, and the vulnerability to a predetermined algorithm based on graph theory, and arranges each device on the network. Create a directed acyclic graph that defines the impact relationship of vulnerabilities according to the risk assessment model, and apply the acyclic directed graph to a Bayesian network inference algorithm to evaluate the risk posed by the vulnerability of the target system Then, the evaluation result may be output to a predetermined device.

  According to this, for example, an acyclic directed graph that prescribes the influence propagation of vulnerability according to device arrangement in a network including a large number of devices without contradiction is used as a risk evaluation model, and this is evaluated based on the concept of Bayesian network. This makes it possible to perform highly effective risk assessment corresponding to the actual system situation.

  Further, in the risk evaluation system of the present embodiment, when the computing device creates the acyclic directed graph, the devices that constitute the target system and the vulnerabilities possessed by the devices are nodes, and the network information indicates Based on the network configuration of the target system, an acyclic directed graph may be created by connecting the device and the vulnerability with an arc.

  According to this, a directed acyclic graph as a risk evaluation model can be created more efficiently, and as a result, a highly effective risk evaluation corresponding to a more actual system situation can be made efficient.

  Further, in the risk evaluation system of the present embodiment, when the arithmetic device creates the acyclic directed graph, the predetermined device as the attack source is set as the highest node, and the predetermined device as the attack source attacks the other devices. Each device is divided into levels according to the number of hops to reach, and the acyclic directed graph is created based on the constraint that connects arcs only from the upper level device to the lower level device. Good.

  According to this, for example, an acyclic directed graph that prescribes the effect propagation of vulnerability according to device arrangement in a network including a large number of devices more efficiently and consistently is created, and this is based on the concept of Bayesian network. By performing the evaluation, it becomes possible to perform a highly effective risk evaluation corresponding to a more actual system situation.

  Further, in the risk evaluation system of the present embodiment, the arithmetic device applies the risk evaluation model to a predetermined inference algorithm corresponding to the risk evaluation model, and the device is regarded as a risk caused by vulnerability in the target system. The probability that each of the vulnerabilities will be infringed, the probability that each of the vulnerabilities will be attacked, and the probability that each of the vulnerabilities will affect the device are calculated, and the calculated results are output to a predetermined device. It may be a thing.

  According to this, by outputting the information of each probability described above as a risk evaluation result, the risk evaluation result is presented to the user in a form that is more specifically understandable, and the judgment accuracy and efficiency of the risk evaluation for the user are presented. Will improve.

Further, in the risk evaluation system of the present embodiment, the storage device further holds a database that stores information on virtual patches that deal with the vulnerability in association with the vulnerability information, and the arithmetic device includes: Based on the virtual patch information, a virtual patch application risk evaluation model is created when a virtual patch is applied to a predetermined vulnerability, and the virtual patch application risk evaluation model is applied to the inference algorithm. , Evaluate the risk posed by the vulnerability in the target system, identify the difference in the evaluation result between the risk evaluation model and the risk evaluation model at the time of applying the virtual patch, and store the difference in the evaluation result in a predetermined device The output process may be further executed.

  According to this, it is possible to clearly present to the user the difference between the risk evaluation results before and after the virtual patch application, and it becomes easy for the corresponding user to determine the effectiveness of the virtual patch application.

  Further, in the risk evaluation method of the present embodiment, the information processing apparatus applies each piece of information on the device, the network, and the vulnerability to a predetermined algorithm based on graph theory, so that each device on the network Create a non-circular directed graph that defines the impact relationship of vulnerabilities according to the placement as the risk assessment model, and apply the acyclic digraph to the Bayesian network inference algorithm to determine the risk posed by the vulnerability of the target system It is good also as evaluating and outputting the said evaluation result to a predetermined apparatus.

  Further, in the risk evaluation method of the present embodiment, when the information processing apparatus creates the acyclic directed graph, the network information indicates that the devices constituting the target system and the vulnerabilities possessed by the devices are nodes. Based on the network configuration of the target system, an acyclic directed graph may be created by connecting the device and the vulnerability with an arc.

  Further, in the risk evaluation method of the present embodiment, when the information processing apparatus creates the acyclic directed graph, a predetermined device serving as an attack source is set as the highest node, and the predetermined device serving as the attack source is transferred to each other device. Each device may be divided into levels according to the number of hops until the attack arrives, and the acyclic directed graph may be created based on a constraint condition in which an arc is connected only from a higher level device to a lower level device.

  Further, in the risk evaluation method of the present embodiment, the information processing apparatus applies the risk evaluation model to a predetermined inference algorithm corresponding to the risk evaluation model, and the risk caused by the vulnerability in the target system, Calculate the probability that each device will be infringed, the probability that each of the vulnerabilities will be attacked, and the probability that each of the vulnerabilities will affect the device, and output the calculated results to a predetermined device You may do it.

  Further, in the risk evaluation method of the present embodiment, the information processing apparatus further holds a database that stores information on virtual patches that deal with the vulnerability in association with vulnerability information in the storage device, Based on the virtual patch information, a virtual patch application risk evaluation model is created when a virtual patch is applied to a predetermined vulnerability, and the virtual patch application risk evaluation model is applied to the inference algorithm. , Evaluate the risk posed by the vulnerability in the target system, identify the difference in the evaluation result between the risk evaluation model and the risk evaluation model at the time of applying the virtual patch, and store the difference in the evaluation result in a predetermined device The output process may be further executed.

DESCRIPTION OF SYMBOLS 10 Risk evaluation system 101 Managed apparatus 102 Network 103 Information collection server 104 Security knowledge public organization server 105 Database 106 Client 107 Risk evaluation server (Minimum configuration of risk evaluation system)
702 CPU (arithmetic unit)
703 Memory 704 External storage device 705 Transmission / reception device 706 Output device 707 Input device 801 User information table 802 Network information table 803 Device information table 804 Vulnerability information table 805 Virtual patch information table 2300 Acyclic directed graph 2301 Attack source node 2302 Device node 2303 Vulnerability Sex node

Claims (6)

A storage device that holds a database that correlates each piece of information about the devices, networks, and vulnerabilities related to the devices constituting the target system for risk assessment;
By applying each piece of information on the device, the network, and the vulnerability to a predetermined algorithm based on graph theory, the device constituting the target system and the vulnerability possessed by the device are used as nodes, and the network information indicates Based on the network configuration of the target system, an acyclic directed graph that defines the influence relationship of the vulnerability according to the arrangement of each device on the network by connecting the device and the vulnerability with an arc. , created as risk assessment model, the directed acyclic graph, by applying the inference algorithm of Bayesian network to evaluate the risk of weaknesses in the target system brings an arithmetic unit for outputting the evaluation result to a predetermined device,
A risk assessment system characterized by comprising: The arithmetic unit is:
When creating the acyclic directed graph, the predetermined device as the attack source is the highest node, and each device is leveled according to the number of hops until the attack reaches the other devices from the predetermined device of the attack source, Based on the constraint condition that connects the arc only from the upper level equipment to the lower level equipment, the acyclic directed graph is created.
The risk evaluation system according to claim 1, wherein: The arithmetic unit is:
The risk evaluation model is applied to a predetermined inference algorithm corresponding to the risk evaluation model, and as a risk caused by the vulnerability in the target system, the probability that each of the devices is infringed and each of the vulnerabilities are attacked And the probability that each of the vulnerabilities affects the device, respectively, and outputs the calculated result to a predetermined device.
The risk evaluation system according to claim 1, wherein: An information processing apparatus comprising a storage device that holds a database that correlates each piece of vulnerability information related to a device, a network, and the device constituting a target system for risk assessment,
By applying each piece of information on the device, the network, and the vulnerability to a predetermined algorithm based on graph theory, the device constituting the target system and the vulnerability possessed by the device are used as nodes, and the network information indicates Based on the network configuration of the target system, an acyclic directed graph that defines the influence relationship of the vulnerability according to the arrangement of each device on the network by connecting the device and the vulnerability with an arc. , created as risk assessment model, the directed acyclic graph, by applying the inference algorithm of Bayesian network to evaluate the risk of weaknesses in the target system results, and outputs the evaluation result to a predetermined device,
Risk assessment method characterized by this. The information processing apparatus is
When creating the acyclic directed graph, the predetermined device as the attack source is the highest node, and each device is leveled according to the number of hops until the attack reaches the other devices from the predetermined device of the attack source, Creating the acyclic directed graph based on a constraint that connects arcs only from higher level equipment to lower level equipment;
The risk evaluation method according to claim 4, wherein: The information processing apparatus is
The risk evaluation model is applied to a predetermined inference algorithm corresponding to the risk evaluation model, and as a risk caused by the vulnerability in the target system, the probability that each of the devices is infringed and each of the vulnerabilities are attacked And the probability that each of the vulnerabilities affects the device, respectively, and outputs the calculated result to a predetermined device.
The risk evaluation method according to claim 4, wherein: