JP6384465B2 - Threat analysis device, threat analysis method, and threat analysis program - Google Patents

Description

  The present invention relates to a threat analysis device that analyzes security threats in components such as a server, a terminal, and a communication path that constitute a system.

  In order to design the security of the system, it is first necessary to clarify the security measures implemented in the system. Therefore, it is necessary to perform security threat analysis on the system to be developed (hereinafter referred to as the analysis target system) and clarify the security threats in the components such as servers, terminals, and communication paths that constitute the analysis target system. .

  Possible threats to the system include unauthorized access to the server and wiretapping on the communication path. As for conventional threat analysis related to remote unauthorized access to a server, for example, Patent Document 1 discloses a security threat analysis support system. In the conventional threat analysis of Patent Document 1, an analyst manually specifies a threat to a component called a server. Specifically, when extracting a threat to a component, other components that can access the component, that is, components such as servers and terminals, and unauthorized An analyst manually specifies a communication path that can connect various terminals and devices.

JP 2008-234409 A

  In the conventional threat analysis, the analyst manually identifies the source of the threat, so it is difficult to exhaustively identify the source of the threat, and there is a possibility that leakage may occur in identifying the threat to be identified. . In particular, in a large-scale system, since it is confirmed visually from the configuration diagram of the analysis target system, it takes a lot of work to identify the sender, and there is a risk of leaks in identifying the components that are the source of the threat. It was. Therefore, all threats that should be considered in the analysis target system cannot be extracted, and there is a possibility that the necessary security measures will not be implemented in the end.

  The present invention has been made to solve the above-described problems, and in threat analysis of a system to be analyzed, regarding a threat of unauthorized access from a remote location, a component (hereinafter also referred to as a component) that is a source of the threat. It is an object of the present invention to provide a threat analysis device that can extract a threat without omission by automatically extracting a communication channel without omission.

And configuration elements of the analyzed system of threat analysis, the a-specific seed components, analyte information storage that the component stores configuration list associating the destination channel indicating a communication path connecting And an access source that extracts, as an access source, a component that can be accessed by the connection destination communication path with respect to the component of the configuration list based on a threat assumed in the analysis target system and the configuration list The access source extraction unit includes a transmission determination unit that determines whether or not a component that is not a communication channel is handled as a communication channel, and the component that the transmission determination unit determines to handle as a communication channel transmitted through that to extract accessible the access source.

Also, threat analysis method of the present invention, associates the configuration elements of the analyzed system of threat analysis, and another kind of the component, and a destination communication channel indicating a communication path in which the components are connected an analysis target information storage step of storing the configuration list, before Symbol analyzed based threats envisioned in the target system to said configuration list, accessible by the destination channel to the components of the configuration list An access source extraction step for extracting a component as an access source, and the access source extraction step includes a transmission determination step for determining whether or not a component that is not a communication channel is handled as a communication channel. The access source that can be accessed through a component determined to be treated as a path is extracted .

  According to the present invention, since a communication path that is indirectly connected is searched using a search list, all access sources are efficiently searched from the communication path to which the components of the analysis target system are directly connected. Can be extracted. In particular, in the case of a large-scale analysis target system, there is an effect that an access source can be efficiently extracted without making a mistake that may occur due to manual work.

1 is a diagram illustrating a configuration example of a threat analysis device according to Embodiment 1. FIG. 2 is a diagram illustrating an example of a hardware configuration of a threat analysis device 1. FIG. 1 is a diagram illustrating a configuration example of an analysis target system that performs threat analysis using a threat analysis device 1 according to Embodiment 1. FIG. 3 is a flowchart showing a flow of threat analysis processing in the first embodiment. It is a figure which shows an example of the structure list with respect to the analysis object system of FIG. It is a figure which shows an example of the threat database. 6 is a diagram illustrating an example of a threat analysis result by a threat extraction unit 5 according to Embodiment 1. FIG. 6 is a flowchart (part 1) illustrating a flow of access source extraction processing according to the first embodiment; 6 is a flowchart (part 2) illustrating a flow of access source extraction processing according to the first embodiment; 9 is a flowchart (part 3) illustrating a flow of access source extraction processing according to the first embodiment; It is a figure which shows the example of 1 structure of the threat analyzer which concerns on Embodiment 2. FIG. FIG. 20 is a diagram showing an example of a configuration list in the second embodiment. 10 is a flowchart showing a flow of access source extraction processing in the second embodiment. FIG. 10 is a diagram illustrating a configuration example of a threat analysis apparatus according to a third embodiment. FIG. 11 is a diagram illustrating a configuration example of an analysis target system that performs threat analysis using the threat analysis device 1 according to the third embodiment. FIG. 20 is a diagram showing an example of a configuration list in the third embodiment. FIG. 10 is a diagram showing an example of a characteristic table in the third embodiment. 10 is a flowchart showing a flow of access source extraction processing in the third embodiment.

Embodiment 1 FIG.
FIG. 1 is a diagram illustrating a configuration example of a threat analysis apparatus according to the first embodiment.
The configuration of the threat analysis device will be described below with reference to FIG.

  In FIG. 1, the threat analysis device 1 includes an input / output unit 2, a common information storage unit 3, an analysis target information storage unit 4, a threat extraction unit 5, and a control unit 6.

  The input / output unit 2 is a man-machine interface with an analyst. The input / output unit 2 includes a configuration list input unit 7 for inputting components and types of servers and terminals constituting the analysis target system by the analyst, and a threat selection unit for selecting the threat of the analysis target system by the analyst. 8 is provided.

  The common information storage unit 3 stores common information necessary for performing threat analysis. The common information storage unit 3 stores a threat database 9 in which a plurality of threat templates are stored as an example of common information. Details of the threat database 9 will be described later.

  The analysis target information storage unit 4 stores information unique to the analysis target system. Specifically, the analysis target information storage unit 4 stores the configuration list 10 input by the analyst from the configuration list input unit 7 and the analysis result 11 obtained using the threat analysis device 1. The analysis target information storage unit 4 is an example of an analysis target information storage unit.

  The threat extraction unit 5 extracts the threat of the analysis target system from the configuration list 10 and the threat database 9. The threat extraction unit 5 according to this embodiment includes an access source extraction unit 12 that extracts an access source to each component described in the configuration list 10 from the configuration list 10. Further, the access source extraction unit 12 determines whether or not to treat a component that is not a communication channel such as a terminal or a device as a communication channel when extracting the access source in the process of extracting the access source described later. The unit 13 is provided. The access source extraction unit 12 is an example of an access source extraction unit.

  The control unit 6 controls the overall operation of the input / output unit 2, the common information storage unit 3, the analysis target information storage unit 4, and the threat extraction unit 5 included in the threat analysis device 1.

  The threat analysis apparatus 1 as described above can be configured by a stand-alone PC, a client server system, or a Web system including a Web terminal and a Web server.

Next, the hardware configuration of the threat analysis device 1 will be described.
FIG. 2 is a diagram illustrating an example of a hardware configuration of the threat analysis device 1.

  The threat analysis device 1 is a computer, and each component of the threat analysis device 1 can be realized by a program. As a hardware configuration of the threat analysis device 1, an arithmetic device 14, an external storage device 15, a main storage device 16, a communication device 17, and an input / output device 18 are connected to a bus.

  The arithmetic device 14 is a processor such as a CPU (Central Processing Unit) that executes a program. The external storage device 15 is, for example, a ROM (Read Only Memory), a flash memory, a hard disk device, or the like. The main storage device 16 is, for example, a RAM (Random Access Memory). The communication device 17 is an electronic circuit that executes data communication processing, and is, for example, a communication board. The input / output device 18 is a device that processes input / output data for the threat analysis device 1, and is, for example, a mouse, a keyboard, a display device, or the like.

  The program is normally stored in the external storage device 15, and is loaded into the arithmetic device 14 and executed in order while being loaded in the main storage device 16. This program is a program that realizes the functions described as the input / output unit 2, the common information storage unit 3, the analysis target information storage unit 4, the threat extraction unit 5, and the control unit 6 that constitute the threat analysis device 1. .

  Furthermore, an operating system (OS) is also stored in the external storage device 15, at least a part of the OS is loaded into the main storage device 16, and the arithmetic device 14 executes the above program while executing the OS. .

  In addition, information and data stored in the common information storage unit 3 and the analysis target information storage unit 4, information, data, signal values, and variable values indicating processing results of the input / output unit 2 and the threat extraction unit 5 are stored in the main storage device. 16 is stored as a file.

  2 is merely an example of the hardware configuration of the threat analysis device 1, and the hardware configuration of the threat analysis device 1 is not limited to the configuration illustrated in FIG. May be.

Next, the operation of the threat analysis device 1 according to the first embodiment will be described.
FIG. 3 is a diagram illustrating a configuration example of an analysis target system that performs threat analysis using the threat analysis apparatus 1 according to the first embodiment.

  In FIG. 3, the analysis target system includes a subsystem 1 (19), a subsystem 2 (20), and a subsystem 3 (21). The subsystem 1 (19) and the subsystem 2 (20) are connected to the internal network 22. The subsystem 1 (19) and the subsystem 3 (21) are connected by an external network 23. The subsystem 1 (19) includes a server X, a server Y, and a terminal Z inside, and is connected by a network 24 within the subsystem 1. The subsystem 2 (20) has a server α, a terminal β, and a device γ inside, and is connected by a network 25 in the subsystem 2. The device γ is assumed to be a communication device such as a network switch, and the server and terminal in the subsystem 1 (19) and the server and terminal in the subsystem 2 can communicate with the device γ.

Next, the flow of threat analysis processing in the first embodiment will be described.
FIG. 4 is a flowchart showing a threat analysis process according to the first embodiment.

  First, in step S <b> 100, the analyst uses the configuration list input unit 7 to input the components constituting the analysis target system, their types, and the like.

FIG. 5 is a diagram showing an example of a configuration list for the analysis target system of FIG.
In the first embodiment, the configuration list 10 includes a component name, a component type such as a component or a communication channel, a transparency flag, and a connection destination communication channel indicating a communication channel to which each component is directly connected. Here, the transparency flag is a flag that means that a component having a type of component passes through this component and can access other components, so that it is handled as a communication path at the time of access source extraction. In this case, “1” is treated as a communication path, and “0” means treated as a normal component.

  For example, since the server X is a server, the type is component, the transparency flag is “0”, and the directly connected communication path is the network within the subsystem 1. The device γ is “component” and the transparency flag is “1” because it can access other components through this device. The directly connected communication path is the network in the subsystem 2 and the internal network. .

  In the present embodiment, the above information is described in the configuration list 10, but information indicating the location of each component or whether or not to extract a threat may be added separately. In the present embodiment, the analyst inputs the communication path of the connection destination. However, the communication path extracted by the threat analysis device 1 in the form of a list from the components and the types input by the analyst. It may be an input form that is displayed and selected by the analyst. Alternatively, the communication path and the constituent elements extracted by the threat analysis device 1 may be displayed in a table format, and the analyzer may selectively input the connection destination communication path on the table. With such an input form, it is possible to reduce the description mistake of the analyst.

  Next, in step S101, the threat extraction unit 5 uses the configuration list 10 input by the analyst and the threat database 9 of the common information storage unit 3, and is assumed by the access source to the component and the analysis target system. For each component. The threat database 9 is an example of a threat storage unit.

FIG. 6 is a diagram illustrating an example of the threat database 9.
In FIG. 6, the threat database 9 includes an ID that is an identifier of a threat, a threat, and a threat target that is a type of component that is the target of the threat. During the description of the threat, the content of [] is extracted as a threat specific to the analysis target system by the access source extraction unit 12 specifying an accessible component or communication path according to the analysis target system. The processing of the access source extraction unit 12 will be described later.

  Finally, in step S102, the threat extraction unit 5 records the threat analysis result in the analysis target information storage unit 4 after the threat is extracted by the above processing, and ends the threat analysis.

FIG. 7 is a diagram illustrating an example of a threat analysis result by the threat extraction unit 5 according to the first embodiment.
In the threat of the server X in FIG. 7, during the description of the threat in the threat database 9, the [component] part in the threat with ID 1 is replaced with the server Y, the terminal Z, etc. [Path] is replaced with the network in the subsystem 1 and extracted as a threat unique to the analysis target system. An eavesdropping threat without [] is described as it is.

Next, processing of the access source extraction unit 12 will be described with reference to FIGS.
FIG. 8 is a flowchart (part 1) illustrating the flow of access source extraction processing according to the first embodiment.
FIG. 9 is a flowchart (part 2) illustrating the flow of access source extraction processing according to the first embodiment.
FIG. 10 is a flowchart (part 3) illustrating the flow of the access source extraction process according to the first embodiment.
8 to 10 are processes for extracting the access source for one component having the type of component in the configuration list 10 shown in FIG. As described above, the objects to be extracted as the access sources are components and other components of the communication path.

  First, in step S200, the access source extraction unit 12 refers to the configuration list 10 and stores all connection destination communication paths of the target component in the search list. Here, the search list is a list that stores connection destination communication paths to be searched for by the access source extraction unit 12. For example, in FIG. 5, which is the configuration list 10 of the analysis target system shown in FIG. 3, when the target component is the server X, the network in the subsystem 1 is stored in the search list.

  Next, in step S201, the access source extraction unit 12 sets one communication path in the search list as a search communication path. In the case of the server X in FIG. 5, since the network within the subsystem 1 is stored in the search list, the network within the subsystem 1 is set as the search communication path.

  Next, in step S <b> 202, the access source extraction unit 12 selects one component in order to search for all the components described in the configuration list 10.

  Next, in step S203, the access source extraction unit 12 determines whether the search communication path is included in the connection destination communication path of the selected component.

  If the search communication path is not included in the connection destination communication path of the selected component, the process proceeds to No, and it is determined in step S212 whether all the components have been searched.

  When the search communication path is included in the connection destination communication path of the selected component, the process proceeds to a Yes branch. In step S204, the type of the selected component is a component or a communication path. Or other than these. In this determination, since the type in the configuration list 10 shown in FIG. 5 is a component or a communication path, it is not determined as a type other than these. For example, when there is a type of medium for storing a backup, It is determined that it is not a component or communication path.

  Next, when the type of the component selected by the determination in S204 is a component, in step S205, the access source extraction unit 12 determines whether or not the selected component has been extracted as the access source. If the selected component is not yet extracted as an access source, the process proceeds to a branch of No, and in step S206, the access source extraction unit 12 determines that the selected component can access the target component. The selected component is identified as the access source.

  Next, in step S207, the transparency determining unit 13 determines whether to treat the component extracted as the access source as a communication path, using the transparency flag in the configuration list 10 of FIG.

  If the transparency flag is “0”, the process proceeds to step S212, and all components are processed in the same manner as in the case where the type is not a component or communication path in the process of S204, or in the case of the component extracted in the process of S206. Determine if you have searched.

  If the transparency flag is “1”, the process advances to step S208 to determine whether the connection destination communication path of the component extracted as the access source is in the search list.

  When the connection destination communication path is not in the search list, the process proceeds to step S209, and the connection destination communication path of the component extracted as the access source is added to the search list. Thereafter, the process proceeds to step S212, and it is determined whether or not all the constituent elements have been searched in the same manner as in the search list.

  Next, when the type of the component selected in the process of S204 is a communication channel, the process proceeds to step S210, and it is determined whether or not the communication channel of the selected component is in the search list.

  If the communication path of the selected component is not in the search list, the process proceeds to step S211 to add the selected component to the search list. Thereafter, the process proceeds to step S212, and it is determined whether or not all the constituent elements have been searched in the same manner as in the search list.

  The above processing will be specifically described for the case where the access source of the server X in FIG. 5 is extracted.

  First, when selecting one component in S202, since the server X is the same component, it is removed from the selection target. The server Y, which is the next component, proceeds to step S205 because the type is a component. Next, since the server Y is not extracted as the access source in S205, the server Y is specified as the access source in S206. Next, in step S207, since the transparency flag of the server Y is “0” from the configuration list 10 of FIG. 5, the process proceeds to S212.

  Next, since the access source extraction unit 12 has not searched for all the components yet, the access source extraction unit 12 selects the next component in the process of S202. The next component is the terminal Z, and the access source extraction unit 12 performs the above-described processing in step S203. Since the connection destination communication path includes the network in the subsystem 1 that is the search communication path, the terminal Z Extracted as access source.

  The network within subsystem 1, which is the next component, is the same as the search communication path, and is not selected in S202. In step S203, the server α is not extracted as an access source because the connection destination communication path does not include the network in the subsystem 1 that is the search communication path.

  The access source extraction unit 12 repeats the above-described processing, and when an external network is selected as a component in the processing of S202, the network within subsystem 1 that is a search communication channel is used as the connection destination communication channel of the external network. Therefore, the process proceeds to Yes branch in the process of S203. Next, in S204, since the type of the external network that is the selected component is a communication path, in S210, it is determined whether or not there is an external network in the search list. In step S211, the external network is added to the search list. Similarly, the internal network is added to the search list.

  In the above processing, since all the constituent elements have been searched for one search communication path, the process proceeds to Yes in the processing of S212.

  Next, in step S212, the access source extraction unit 12 determines whether all communication paths stored in the search list have been searched.

  When all the communication paths stored in the search list have not been searched, the access source extraction unit 12 proceeds to step S201 and sets the next communication path as the search communication path.

  When all the communication paths stored in the search list have been searched, the access source extraction unit 12 proceeds to step S214 and sets the communication path stored in the search list as the access source.

  With the above processing, the extraction of components and communication paths as access sources is completed for one component whose type is a component.

  Further, when the access source of the server X in FIG. 5 is extracted, since the external network 23 and the internal network 22 remain as unsearched communication paths in S213, the access source extraction unit 12 performs the same process again from S201. To do.

  When the search communication path is the external network 23, since the subsystem 3 is the only component connected to the external network 23, the subsystem 3 (21) is extracted as the access source in S206.

  When the search communication path is the internal network 22, since the component connected to the internal network 22 is the device γ, the device γ is extracted as an access source in S206.

  Next, in the determination processing of S207, since the transmission flag of the device γ is “1”, the process proceeds to S208, and the network 2 in the subsystem 2 that is the connection destination communication path of the device γ is not in the search list. The intra-subsystem 2 network 25 is added to the search list.

  Next, in S201, the intra-subsystem 2 network 25 is set as the search communication path, and the server α and the terminal β that include the intra-subsystem 2 network 25 in the connection destination communication path are extracted as access sources.

  By performing the processing as described above, the server Y, the terminal Z, the subsystem 3 (21), the device γ, the server α, and the terminal β are extracted as components that are access sources of the server X. In addition, as the access source communication path, the subsystem 1 internal network 24, the external network 23, the internal network 22, and the subsystem 2 internal network 25 stored in the search list are extracted.

  In the first embodiment, the threat analysis apparatus 1 focused on extracting the threat of the analysis target system has been described. However, after extracting the threat, the risk is derived from the possibility and the influence of each threat. You may make it do. The existing method of deriving the risk is possible.

  Further, a protected asset such as an entity causing the threat or information targeted by the threat may be added to the content of the threat.

  Furthermore, in the first embodiment, the transmission determining unit 13 determines using the transmission flag. However, since it is only necessary to be able to determine the presence / absence of transmission, for example, the presence / absence of transmission may be distinguished based on the component type. .

  In the first embodiment, processing is performed using the configuration list 10 input by the analyst. However, a user interface that enables input of the system configuration diagram may be used, or a specific language, for example, An interface capable of inputting the configuration list 10 described in XML may be used.

  As described above, in the invention of the first embodiment, since a communication path that is indirectly connected is searched using a search list, a communication path in which components of the analysis target system are directly connected is used. , All access sources can be extracted efficiently. In particular, in the case of a large-scale analysis target system, there is an effect that an access source can be efficiently extracted without making a mistake that may occur due to manual work.

  Further, threats can be extracted not only in an analysis target system in which only components are connected to one communication path, but also in an analysis target system including a configuration in which a communication path and a communication path are connected. Therefore, threats can be extracted even in analysis target systems including security measures such as firewalls. Since the transmission determining unit 13 can determine access to other components that have passed through the component, it can be applied to various types of analysis target systems including network devices such as firewalls and switches, and gateways realized by computers. Can extract threats.

  In addition, since all access sources can be extracted from the communication path to which the component is directly connected, the analyst does not need to consider the communication path that is indirectly connected, and it is easy to create a configuration list As a result, errors of the analyst can be reduced.

Embodiment 2. FIG.
In the first embodiment described above, the access source whose type exceeds the component of the component is extracted using the transparent flag when the access source is extracted. Embodiment 2 shows an embodiment in which threat analysis is performed on an analysis target system including a component having control of the communication direction.

FIG. 11 is a diagram illustrating a configuration example of the threat analysis apparatus according to the second embodiment.
In FIG. 11, the access source extraction unit 12 includes a direction determination unit 26. Since the configuration other than the direction determination unit 26 is the same as the configuration of the first embodiment, the description thereof is omitted.

Next, the operation of the threat analysis device 1 according to the second embodiment will be described.
The configuration of the analysis target system that performs threat analysis using the threat analysis device 1 according to the second embodiment is the same as that shown in FIG. However, it is assumed that the device γ permits communication from the internal network 22 to the network 2 in the subsystem 2 but does not permit communication from the network 25 in the subsystem 2 to the internal network 22.

Next, the threat analysis processing flow in the second embodiment will be described.
The threat analysis processing flow using the threat analysis device 1 according to the second embodiment is basically the same as that shown in FIG. Hereinafter, the flow of threat analysis processing will be described focusing on differences from the first embodiment.

  In S100 of FIG. 4, the analyst uses the configuration list input unit 7 to input the components constituting the analysis target system, their types, and the like.

FIG. 12 is a diagram illustrating an example of a configuration list according to the second embodiment.
In the second embodiment, the configuration list includes a component name, a component type such as a component and a communication channel, a transparency flag, a connection destination communication channel indicating a communication channel to which each component is directly connected, and a connection destination communication channel. It consists of a direction flag meaning a possible communication direction.

  The direction flag in the second embodiment is set to “1” when the transparent flag is set for the component of “1” and communication is permitted in the connection destination communication path as the communication source, and when not permitted. Is “0”. In FIG. 12, the connection destination communication path of the device γ whose transparency flag is “1” is the network 25 in the subsystem 2 and the internal network 22. As described above, the device γ is set to permit communication from the internal network 22 to the network 2 in the subsystem 2 but not to allow communication from the network 25 in the subsystem 2 to the internal network 22. The direction flag of the internal network 22 that is the communication source of the permitted communication is set to “1”, and the intra-subsystem 2 network 25 that is the communication source of the communication that is not permitted is set to “0”.

Next, the process of the access source extraction unit 12 in the second embodiment will be described with reference to FIG.
FIG. 13 is a flowchart illustrating a flow of access source extraction processing according to the second embodiment.
FIG. 13 shows a part of the process of extracting the access source for one constituent element whose type is a component in the configuration list shown in FIG. The processing flow not described in FIG. 13 is the same as the processing flow in FIGS. That is, the processing flow of FIG. 13 starts the access source extraction process in FIG. 8, sets one communication path in the search list as a search communication path in step S201, and connects the components selected in step S202. In step S203, it is determined whether or not the search communication path is included in the previous communication path. If the result of determination is that the search communication path is included, the process B branches.

  First, when the type of the component selected in S202 is a component, in step S305, the access source extraction unit 12 determines whether the selected component has been extracted as an access source. If the selected component is not yet extracted as an access source, the process proceeds to a branch of No, and in step S306, the access source extraction unit 12 determines that the selected component can access the target component. The selected component is identified as the access source.

  Next, in step S307, the transparency determining unit 13 determines whether to treat the component extracted as the access source as a communication path, using the transparency flag in the configuration list 10 in FIG.

  If the transparency flag is “0”, the process proceeds to step S212, and all the components are the same as in the case where the type is not a component or communication path in the process of step S204, or in the case of the component extracted in the process of step S206. Determine if the element has been searched.

  When the transparency flag is “1”, the process proceeds to step S308, and the direction determination unit 26 determines whether communication is possible using the direction flag of the connection destination communication path other than the search communication path in the configuration list of FIG.

  If the direction flag is “0”, the process proceeds to step S212, and all components are processed in the same manner as in the case where the type is not a component or a communication path in step S204, or in the case of components extracted in step S206. Determine if you have searched.

  If the direction flag is “1”, the process advances to step S309 to determine whether the connection destination communication path of the component extracted as the access source is in the search list.

  When the connection destination communication path is not in the search list, the process proceeds to step S310, and the connection destination communication path of the component extracted as the access source is added to the search list. Thereafter, the process proceeds to step S212, and it is determined whether or not all the constituent elements have been searched in the same manner as in the search list.

The above process will be specifically described for the case where the access source to the server X is extracted.
For example, in step S306, in the process of extracting the access source to the server X, if the search communication path is the internal network 22, the device γ is specified as the access source as a component connected to the internal network 22. Here, the device γ is connected to the internal network 22 and the network 2 in the subsystem 2.

  Next, in step S307, the transmission determining unit 13 determines that the device γ is handled as a communication path because the transmission flag of the device γ is “1”, and the process proceeds to step S308.

  Next, in step S308, the direction determination unit 26 determines that communication is not possible because the direction flag of the intra-subsystem 2 network 25 that is a connection destination communication path other than the internal network 22 is “0”, and thus determines that communication is not possible (step S212). In step S204, it is determined whether or not all types of components have been searched, as in the case where the type is not a component or a communication path in the processing of S204, or in the case of the components extracted in the processing of S206.

  In the process of extracting the access source to the server α, if the search communication path is the intra-subsystem 2 network 25, the device γ is a component connected to the intra-subsystem 2 network 25 in step S306. Identified as the access source.

  Next, in step S307, the transmission determining unit 13 determines that the device γ is handled as a communication path because the transmission flag of the device γ is “1”, and the process proceeds to step S308.

  Next, in step S308, the direction determination unit 26 determines that communication is possible because the direction flag of the internal network 22 that is a connection destination communication path other than the network 25 in the subsystem 2 is “1”, and step S309 is performed. In the above, it is determined whether or not the internal network 22 is in the search list. If there is no internal network 22, the internal network 22 is added to the search list.

  By performing the processing as described above, the server Y, the terminal Z, the subsystem 3 (21), and the device γ are extracted as the access source of the server X, and the network 24 in the subsystem 1 is used as the communication path. The external network 23 and the internal network 22 are extracted. Further, as the access source of the server α, the component is extracted from the terminal β, the device γ, the server X, the server Y, the terminal Z, and the subsystem 3 (21), and the communication path is the network 25 in the subsystem 2, The network 22, the intra-subsystem 1 network 24, and the external network 23 are extracted.

  In the second embodiment, the threat analysis apparatus 1 focused on extracting the threat of the analysis target system has been described. However, after extracting the threat, the risk is derived from the possibility and the influence of each threat. You may make it do. The existing method of deriving the risk is possible.

  Further, a protected asset such as an entity causing the threat or information targeted by the threat may be added to the content of the threat.

  Furthermore, in the second embodiment, the transmission determination unit 13 determines using the transmission flag. However, since it is only necessary to be able to determine the presence / absence of transmission, for example, the presence / absence of transmission may be distinguished based on the component type. .

  In the second embodiment, the direction flag is set for the component whose transparency flag is “1”, but the direction flag is set for all the connection destination communication paths of the component whose type is the component. You may make it do.

  In the second embodiment, processing is performed using the configuration list 10 input by the analyst. However, a user interface that enables input of the system configuration diagram may be used, or a specific language, for example, An interface capable of inputting the configuration list 10 described in XML may be used.

  As described above, according to the invention of the second embodiment, in addition to the effects described in the first embodiment, accessible communication is determined by the direction determination unit 26, so that a firewall, a data diode, etc. In the embodiment reflecting the possible communication according to the above, an effect that a threat can be extracted is obtained. Therefore, only threats that have not been countermeasures are extracted, and threats that have been countermeasures by security countermeasures are not extracted, so that threat analysis can be performed efficiently.

Embodiment 3 FIG.
In the second embodiment described above, an embodiment related to two-way communication is shown. Next, in the third embodiment, a firewall 3 having a DMZ (demilitized zone) is provided. An embodiment in which threat analysis is performed on an analysis target system including a component having direction communication control will be described.

FIG. 14 is a diagram illustrating a configuration example of the threat analysis apparatus according to the third embodiment.
In FIG. 14, the access source extraction unit 12 includes a second direction determination unit 27. Since the configuration other than the second direction determination unit 27 is the same as that of the first embodiment, the description thereof is omitted.

Next, the operation of the threat analysis device 1 according to the third embodiment will be described.
FIG. 15 is a diagram illustrating a configuration example of an analysis target system that performs threat analysis using the threat analysis device 1 according to the third embodiment.

  In FIG. 15, the analysis target system includes a subsystem 1 (19) and a subsystem 2 (20) connected via an external network. The subsystem 1 (19) includes a server X, a server Y, a terminal Z, and a device W inside. The server Y and the terminal Z are connected to the device W via the internal network 1 (28), and the server X is connected to the device W via the internal network 2 (29). The device W is connected to the subsystem 2 (20) via the internal network 3 (30) and the external network (23). The device W is assumed to be a communication device such as a firewall, communication from the internal network 1 (28) to the internal network 2 (29) and the internal network 3 (30) is permitted, and the internal network 2 (29) to the internal network. 1 (28) and communication to internal network 3 (30) are not permitted, communication from internal network 3 to (30) internal network 1 (28) is not permitted, and communication to internal network 2 (29) is permitted Suppose that it is set.

Next, the threat analysis process flow in the third embodiment will be described.
The threat analysis processing flow using the threat analysis device 1 according to the third embodiment is basically the same as that shown in FIG. Hereinafter, the flow of threat analysis processing will be described focusing on differences from the first embodiment.

  In S100 of FIG. 4, the analyst uses the configuration list input unit 7 to input the configuration list and the characteristic table.

FIG. 16 is a diagram illustrating an example of a configuration list according to the third embodiment.
FIG. 17 is a diagram illustrating an example of a characteristic table according to the third embodiment.
The configuration list of the third embodiment includes a component name, a component type such as a component and a communication channel, a transparency flag, and a connection destination communication channel indicating a communication channel to which each component is directly connected. The same as in the first embodiment. The characteristic table of FIG. 17 means possible communication directions for the connection destination communication path in the component whose transparency flag is “1”. The characteristic table in the third embodiment is “1” when communication from the communication source to the communication destination in the connection destination communication path is permitted, and “0” when the communication is not permitted. In FIG. 15, the connection destination communication path of the device W whose transparency flag is “1” is the internal network 1, the internal network 2, and the internal network 3. The characteristic table of the device W set as described above is as shown in FIG.

Next, the process of the access source extraction unit 12 in the third embodiment will be described with reference to FIG.
FIG. 18 is a flowchart showing the flow of access source extraction processing in the third embodiment.
FIG. 18 shows a part of the process of extracting the access source for one constituent element whose type is a component in the configuration list shown in FIG. The processing flow not described in FIG. 18 is the same as the processing flow in FIGS. That is, the processing flow of FIG. 18 starts the access source extraction process in FIG. 8, sets one communication path in the search list as a search communication path in step S201, and connects the components selected in step S202. In step S203, it is determined whether or not the search communication path is included in the previous communication path. If the result of determination is that the search communication path is included, the process B branches.

  First, in step S404, the access source extraction unit 12 determines the type of the component selected in S202. If the type is component, in step S405, the access source extraction unit 12 determines whether the selected component has been extracted as the access source. If the selected component has not yet been extracted as an access source, the process proceeds to a branch of No, and in step S406, the access source extraction unit 12 determines that the selected component can access the target component. The selected component is identified as the access source.

  Next, in step S407, the transparency determination unit 13 determines whether to treat the component extracted as the access source as a communication path, using the transparency flag in the configuration list 10 in FIG.

  If the transparency flag is “0”, the process proceeds to step S212, and all components are processed in the same manner as in the case where the type is not a component or communication path in the process of S204, or in the case of the component extracted in the process of S206. Determine if you have searched.

  When the transparency flag is “1”, the process proceeds to step S408, and in the characteristic table of FIG. 17, the second direction determination unit 27 has a communication source that is “1” with the search communication path as the communication destination in the characteristic table. No, that is, whether or not communication with a connection destination communication path other than the search communication path is possible.

  If the communication source with the search communication path as the communication destination is “1” in the characteristic table, the process proceeds to step S212 due to the branch of Yes. If the type is not a component or communication path in the process of step S204, As in the case of the components already extracted in the process, it is determined whether all the components have been searched.

  If the communication source with the search communication path as the communication destination is “1” in the characteristic table, the process proceeds to No branch. In step S409, the access source extraction unit 12 determines whether the connection destination communication path is in the search list. Determine whether or not.

  If the connection destination communication path is not in the search list, the process proceeds to step S410, and the connection destination communication path of the component extracted as the access source is added to the search list. Thereafter, the process proceeds to step S212, and it is determined whether or not all the constituent elements have been searched in the same manner as in the search list.

The above process will be specifically described for the case where the access source to the server X is extracted.
For example, in step S406, when the search communication path is the internal network 2 in the process of extracting the access source to the server X, the device W is selected as a component connected to the internal network 2, and the device W accesses Identified as original.

  Next, in step S407, since the transmission flag of the device W is “1”, the transmission determination unit 13 determines that the device W is handled as a communication path, and the process proceeds to step S408.

  Next, in step S408, in the characteristic table of FIG. 17, the communication paths whose communication destination is the internal network 2 and “1” are the internal network 1 and the internal network 3. Therefore, in step S409, the access source extraction unit 12 determines whether or not these communication paths are in the search list, and if not, proceeds to the No branch, and adds to the search list in step S410.

  In the process of extracting the access source to the server Y, if the search communication path is the internal network 1, the device W is selected as a component connected to the internal network 1, and the device W is selected in step S406. Identified as the access source. Since the transmission flag is “1”, the device W proceeds to step S408 based on the determination in step S407.

  Next, in step S408, the access source extraction unit 12 refers to the characteristic table in FIG. 17 and determines whether the communication destination is the internal network 1 and the communication path “1” is in the characteristic table. Here, in the characteristic table of FIG. 17, the communication destination is the internal network 1 and there is no communication path “1”. Therefore, it is not added to the search list, and the process proceeds to step S212 due to the branch of Yes. In the case where the type is not a component or a communication path in the process of S204, or in the case of the component extracted in the process of S206, Determine whether all components have been searched.

  By performing the processing as described above, the server Y, the terminal Z, the subsystem 2 (20), and the device W are extracted as the access source of the server X, and the internal network 1 (28), The internal network 2 (29), the internal network 3 (30), and the external network 23 are extracted. Further, the terminal Z and the device W are extracted as the access source of the server Y, and only the internal network 1 (28) is extracted as the communication path.

  In the third embodiment, the threat analysis apparatus 1 focused on extracting the threat of the analysis target system has been described. However, after extracting the threat, the risk is derived from the possibility and the influence of each threat. You may make it do. The existing method of deriving the risk is possible.

  Further, a protected asset such as an entity causing the threat or information targeted by the threat may be added to the content of the threat.

  Furthermore, in the third embodiment, the transmission determination unit 13 determines using the transmission flag. However, since it is only necessary to be able to determine the presence / absence of transmission, for example, the presence / absence of transmission may be distinguished based on the component type. .

  In the third embodiment, processing is performed using the configuration list 10 input by the analyst. However, a user interface that enables input of the system configuration diagram may be used, or a specific language, for example, An interface capable of inputting the configuration list 10 described in XML may be used.

  As described above, according to the invention of the third embodiment, in addition to the effects described in the first embodiment, accessible communication is determined by the second direction determination unit 27, so that DMZ (demilitized) There is an effect that threat analysis can be performed on an analysis target system including a component having communication control in three directions such as a firewall provided with a zone). Therefore, only threats that have not been countermeasures are extracted, and threats that have been countermeasures by security countermeasures are not extracted, so that threat analysis can be performed efficiently.

DESCRIPTION OF SYMBOLS 1 Threat analyzer 2 Input / output part 3 Common information storage part 4 Analysis object information storage part 5 Threat extraction part 6 Control part 7 Configuration list input part 8 Threat selection part 9 Threat database 10 Configuration list , 11 Analysis result, 12 Access source extraction unit, 13 Transmission determination unit, 14 Arithmetic device, 15 External storage device, 16 Main storage device, 17 Communication device, 18 Input / output device, 19 Subsystem 1, 20 Subsystem 2, 21 Subsystem 3, 22 Internal network, 23 External network, 24 Subsystem 1 internal network, 25 Subsystem 2 internal network, 26 Direction determination unit, 27 Second direction determination unit, 28 Internal network 1, 29 Internal network 2, 30 Internal network 3.

Claims (5)

And configuration elements of the analyzed system of threat analysis, the a-specific seed components, analyte information storage that the component stores configuration list associating the destination channel indicating a communication path connecting And
An access source extraction unit that extracts, as an access source, a component that can be accessed by the connection destination communication path with respect to the component of the configuration list based on a threat assumed in the analysis target system and the configuration list; With
The access source extraction unit
A transmission determining unit that determines whether or not a component that is not a communication path is handled as a communication path,
A threat analysis apparatus that extracts an access source that is accessible through a component that the transmission determination unit determines to handle as a communication path . The access source extraction unit
A direction determining unit that determines a direction in which the component that the transmission determining unit determines to handle as a communication path can communicate;
The direction determining unit threat analyzer according to claim 1 for extracting accessible the access source by communicable way communication was determined. The access source extraction unit
A second direction determination unit that determines whether communication from the communication source to the communication destination in the connection destination communication path is permitted;
It said second direction determining unit threat analyzer according to claim 1 for extracting accessible the access source by communicable way communication was determined. And configuration elements of the analyzed system of threat analysis, the a-specific seed components, analyte information storage that the component stores configuration list associating the destination channel indicating a communication path connecting Steps,
Based on the threat the configuration list that is assumed in the previous SL analyte system, access source extracting accessible component by the destination channel as an access source to the components of the configuration list And
The access source extraction step includes:
A transmission determination step for determining whether to treat a component that is not a communication path as a communication path;
A threat analysis method for extracting the access source accessible through a component determined to be handled as a communication path . Computer
Threat storage means for storing a threat assumed in an analysis target system of threat analysis in association with a type of a component of the analysis target system;
Analysis target information storage means for storing a configuration list in which the component of the analysis target system, the type of the component, and a connection destination communication path indicating a communication path to which the component is connected are stored;
Based on the threat and the configuration list, function as an access source extraction unit that extracts, as an access source, a component that can be accessed by the connection destination communication path with respect to the component of the configuration list ;
The access source extraction means includes
Having a transmission determining means for determining whether to treat a component that is not a communication path as a communication path;
It said transmission determining means because the threat analysis program to extract treated as transmitted through the determined components accessible the access source as the communication path.

Images