JP6531601B2 - Diagnostic program, diagnostic method and diagnostic device - Google Patents

Description

  The present invention relates to a diagnostic program, a diagnostic method and a diagnostic device.

  Vulnerabilities may exist in Operating System (OS), middleware, application programs, and the like that operate in the information processing apparatus. In order to investigate the vulnerability, for example, a technique of transmitting a diagnostic packet along a signature to the information processing apparatus and performing a diagnosis of the vulnerability based on a response from the information processing apparatus is used.

  As a related technology, there is proposed a technology for instructing a security diagnosis agent to perform security diagnosis and analyzing security diagnostic data received from the agent (for example, see Patent Document 1).

JP 2012-48556 A

  When the frequency of vulnerability diagnosis for the information processing device to be diagnosed becomes low, the time during which the vulnerability diagnosis is not performed becomes long, so the vulnerability diagnosis for the vulnerability information added during this time becomes the information processing device It is not done against. It is not preferable from the viewpoint of security that vulnerability assessment is not performed for an information processing apparatus for a long time.

  On the other hand, when the frequency of vulnerability diagnosis on the information processing apparatus to be diagnosed becomes high, the diagnostic load on the information processing apparatus becomes high. In addition, since the vulnerability diagnosis is performed by the communication using the diagnosis packet, the network load also increases.

  In one aspect, the present invention aims to reduce the load of vulnerability diagnosis on an information processing apparatus.

  In one aspect, the diagnosis program stores, in the storage unit, device information acquired from the information processing apparatus to be diagnosed when the vulnerability diagnosis based on the first diagnosis rule is executed in the computer, When performing new vulnerability diagnosis based on a second diagnostic rule different from the first diagnostic rule after execution of the information processing apparatus, the information processing apparatus to be diagnosed based on the device information stored in the storage unit Perform vulnerability assessments on and about.

  According to one aspect, the load of vulnerability diagnosis on the information processing apparatus can be reduced.

It is a figure which shows an example of a diagnostic device and a diagnostic target terminal. It is a figure which shows an example of the database in the 1st example of a vulnerability diagnosis. It is a figure for demonstrating the 1st example of vulnerability diagnosis. It is a figure which shows an example of the database in the 1st example of a vulnerability diagnosis, and a list | wrist. It is a figure which shows an example of the database in the 2nd example of a vulnerability diagnosis. It is a figure for demonstrating the 2nd example of vulnerability diagnosis. It is a figure which shows an example of the database in the 2nd example of a vulnerability diagnosis, and a list | wrist. It is a figure which shows an example of the database in the 3rd example of a vulnerability diagnosis. It is a flowchart (the 1) showing an example of processing of an embodiment. It is a flowchart (the 2) which shows an example of the process of embodiment. It is a flowchart (the 3) which shows an example of the process of embodiment. It is a figure showing an example of the hardware constitutions of a diagnostic device.

<Example of Diagnostic Device of Embodiment>
Hereinafter, embodiments will be described with reference to the drawings. FIG. 1 shows an example of a diagnostic device 1 and a terminal 2 to be diagnosed according to the embodiment. The diagnostic device 1 is a computer that diagnoses the vulnerability of the terminal 2 to be diagnosed. The diagnosis target terminal 2 is an example of an information processing apparatus.

  The OS is executed in the diagnosis target terminal 2, and the middleware operates on the OS. Also, on the middleware, one or more application programs (hereinafter referred to as applications) operate. In the embodiment, it is assumed that a plurality of applications are operating on the middleware.

  The OS, middleware, and applications are programs executed by a central processing unit (CPU). Each of these programs may have vulnerabilities.

  From the viewpoint of security, it is not preferable that a program having vulnerability operate on the terminal 2 to be diagnosed. The diagnostic device 1 diagnoses whether each of the programs operating in the diagnosis target terminal 2 has a vulnerability or whether a vulnerability may exist.

  Hereinafter, the above diagnosis performed by the diagnosis device 1 on the diagnosis target terminal 2 is referred to as vulnerability diagnosis. The diagnostic device 1 performs vulnerability diagnosis on each of the OS, middleware, and applications.

  Next, each part of the diagnostic device 1 will be described. The diagnosis device 1 includes a processing unit 11, a communication unit 12, a screen unit 13, a scan information DB 14, a vulnerability information DB 15, and a list storage unit 16. DB is an abbreviation of database. The scan information DB 14 is an example of a storage unit.

  The processing unit 11 includes an acquisition unit 21, an estimation unit 22, a diagnosis unit 23, a list processing unit 24, and an expiration date management unit 25.

  The acquisition unit 21 acquires various types of information (hereinafter referred to as device information) for performing vulnerability diagnosis from the diagnosis target terminal 2. The device information acquired by the acquisition unit 21 is stored in the scan information DB 14 as scan information.

  The acquisition unit 21 acquires device information from the diagnosis target terminal 2 or the scan information DB 14. When the acquisition unit 21 acquires device information from the diagnostic target terminal 2, communication occurs between the diagnostic device 1 and the diagnostic target terminal 2.

  That is, in this case, device information is obtained online. Hereinafter, acquisition of device information from the diagnosis target terminal 2 by the acquisition unit 21 is referred to as network scan.

  The acquisition unit 21 may also acquire device information from the scan information DB 14. The device information acquired by the acquisition unit 21 from the scan information DB 14 is referred to as scan information. When the acquisition unit 21 acquires scan information from the scan information DB 14, communication does not occur between the diagnostic device 1 and the terminal 2 to be diagnosed.

  That is, in this case, device information (scan information) is acquired off-line. Hereinafter, acquisition of scan information from the scan information DB 14 by the acquisition unit 21 is referred to as cache scan.

  The estimation unit 22 estimates the type of OS and middleware operating on the diagnosis target terminal 2 based on the device information (scan information). In the embodiment, the device information includes information on the OS, middleware, and application operating on the diagnosis target terminal 2.

  In the embodiment, the information on the OS includes, for example, the fingerprint of the OS, banner information (information indicating the name of the OS, etc.), etc. The information on the middleware includes, for example, an open port, fingerprint, banner information, etc. Shall be included. However, the information on the OS and the information on the middleware are not limited to the above example.

  The estimation unit 22 estimates the type of OS and middleware operating on the diagnosis target terminal 2 based on these pieces of information. For example, the estimation unit 22 estimates the type and version of the OS and middleware as the type.

  The diagnosis unit 23 diagnoses the vulnerability of the terminal 2 to be diagnosed. The diagnosis unit 23 collates the estimated OS type and middleware type, the information on whether the application is operating, and the vulnerability information stored in the vulnerability information DB 15, and the vulnerability of the terminal 2 to be diagnosed. Make a sex diagnosis.

  The list processing unit 24 performs processing such as recording and updating on a list indicating the result of vulnerability diagnosis by the diagnosis unit 23. In the embodiment, the list processing unit 24 performs processing such as recording and updating on the two lists of the vulnerability detection list and the vulnerability possibility list.

  The vulnerability detection list is a list showing the vulnerabilities detected from the diagnosis target terminal 2 as a result of the vulnerability diagnosis by the diagnosis unit 23. The vulnerability detection list is an example of a first list.

  The vulnerability possibility list is a list showing the vulnerabilities that may be present in the diagnosis target terminal 2 as a result of the vulnerability diagnosis by the diagnosis unit 23. The vulnerability possibility list is an example of the second list.

  The expiration date management unit 25 manages the expiration date of the scan information stored in the scan information DB 14. A predetermined expiration date is set in the scan information, and the expiration date management unit 25 invalidates the scan information whose expiration date has been exceeded.

  The communication unit 12 communicates with the diagnosis target terminal 2. The screen unit 13 displays predetermined information. The scan information DB 14 stores the device information acquired by the acquisition unit 21 as scan information. Scan information is stored in the scan information DB 14 each time the acquisition unit 21 acquires device information.

  The vulnerability information DB 15 stores vulnerability information. Vulnerability information is information on vulnerabilities existing in the OS, middleware, applications, and the like. Every time new vulnerability information is detected, vulnerability information is stored in the vulnerability information DB 15.

  For example, when a device (not shown) performing collection of vulnerability information detects new vulnerability information, the diagnostic device 1 may acquire newly detected vulnerability information from the device. The acquired new vulnerability information is stored in the vulnerability information DB 15.

<Example of individual request and individual reaction>
Next, individual requirements and individual reactions will be described. The individual request is a request including information on instructions for causing the application to execute. The individual request is transmitted to the diagnosis target terminal 2.

  When the application corresponding to the individual request is effectively operating in the diagnosis target terminal 2, the application transmits information indicating that the application based on the individual request is executed to the diagnosis device 1.

  When the application corresponding to the individual request is not operating effectively at the terminal 2 to be diagnosed, the application transmits information indicating that the application based on the individual request has not been executed to the diagnostic device 1.

  Information indicating whether an application based on an individual request has been executed is an individual response. The individual reaction is transmitted from the terminal 2 to be diagnosed to the diagnostic device 1 as a response. The individual request may be a request to execute a predetermined function other than the application.

  For example, the instruction "GET / usage / index.cgi HTTP / 1.1" is an example of an individual request. Of these instructions, "index.cgi" indicates an application. When the application is operating effectively at the terminal 2 to be diagnosed, an instruction of individual request is executed.

  For example, when an application corresponding to the above individual request in the diagnostic target terminal 2 is operating effectively, the application outputs an execution result of “HTTP / 1.1 200 OK”. Individual responses include the results of this run. The individual reaction indicates that the application corresponding to the individual request at the terminal 2 to be diagnosed is operating effectively.

  For example, when the application corresponding to the above-mentioned individual request in the diagnostic target terminal 2 is not operating effectively, the application outputs an execution result of “HTTP / 1.1 404 NOT FOUND”. Individual responses include the results of this run. The individual reaction indicates that the application corresponding to the individual request at the terminal 2 to be diagnosed is not operating effectively.

  Therefore, the diagnostic device 1 can recognize whether the application corresponding to the individual request is effectively operating on the diagnosis target terminal 2 based on the individual reaction.

<First example of vulnerability diagnosis>
Next, a first example of vulnerability diagnosis will be described. FIG. 2 shows an example of the scan information DB 14 and the vulnerability information DB 15 in “2015/02/26”. The scan information stored in the scan information DB 14 will be described.

  Among the scan information, "Target IP" indicates the Internet Protocol (IP) address of the terminal. In the example of FIG. 2, scan information of two terminals having IP addresses “10.y.y.y” and “10.z.z.z” is stored in the scan information DB 14.

  "Time to Live" indicates the expiration date of the scan information. The scan information that has exceeded the expiration date is invalidated by the expiration date management unit 25. The invalidated scan information may be deleted from the scan information DB 14 or may be overwritten.

  The above expiration date may be set to any period. Although the embodiment describes an example in which the expiration date is set to one month, the expiration date may be one week or two months.

  "OS Fingerprint" shows the fingerprint of OS. "OS Barner" indicates banner information of the OS. "Mid port No." indicates the open port number of middleware. "Mid Fingerprint" indicates a fingerprint of middleware. "Mid Barner" indicates middleware banner information.

  The individual reaction is the individual reaction described above. In the example of FIG. 2, the individual reaction 1 showing the reaction to the individual demand 1, the individual reaction 2 showing the reaction to the individual demand 2, and the individual reaction 3 showing the reaction to the individual demand 3 are stored in the scan information DB.

  Next, vulnerability information stored in the vulnerability information DB 15 will be described. In the case of the example of FIG. 2, four pieces of vulnerability information of vulnerability 1 to vulnerability 4 are stored in the vulnerability information DB 15. Vulnerability information includes items of level and condition.

  The level indicates the vulnerability level of vulnerability information. In FIG. 2, the vulnerability level shows the example which is three steps of "high", "medium", and "low". There may be four or more levels of vulnerability levels, or two levels.

  The condition is a condition for specifying a vulnerable OS type. The condition may further include one or both of a condition specifying a middleware type and a condition of an individual response to an individual request.

  Among the conditions of the vulnerability information, “individual request = individual reaction” is assumed to indicate that the individual reaction indicates that the application corresponding to the individual request is operating effectively.

  For example, in the example of FIG. 2, the vulnerability information of vulnerability 1 indicates that the high-level vulnerability exists in the environment where the OS type is “OS 1” and the middleware type is “Mid 1”. .

  The vulnerability information of vulnerability 2 has an OS type of “OS 2” and a reaction to individual request 1 is an individual reaction 1 (an environment in which an application corresponding to individual request 1 is effectively operating): Indicates that a vulnerability with level "medium" exists.

  For example, vulnerability 3 is a low-level vulnerability in an environment where an application with an OS type of “OS 3”, a middleware type of “Mid 2”, and a response to individual request 3 of 3 is operating. Indicates that it exists.

  In the example of FIG. 2, at the time of “2015/02/26”, the scan information DB 14 stores scan information of the two terminals 2, and the vulnerability information DB 15 stores four vulnerability information. There is.

  Hereinafter, a case where the diagnostic device 1 sets the terminal having the IP address “10.x.x.x” as the diagnosis target terminal 2 as the target of vulnerability diagnosis will be described. The acquisition unit 21 confirms whether or not scan information of the diagnosis target terminal 2 (IP address is “10.x.x.x”) is stored in the scan information DB 14.

  In the case of the example of FIG. 2, the scan information (device information) of the diagnosis target terminal 2 is not stored in the scan information DB 14. In this case, the acquisition unit 21 controls the communication unit 12 to perform a network scan.

  The communication unit 12 transmits a request for acquiring device information to the diagnosis target terminal 2. FIG. 3 is a diagram for explaining a first example of vulnerability diagnosis. In FIG. 3, the network scan is denoted as "NW scan". The acquisition unit 21 performs a network scan on the diagnosis target terminal 2.

  As described above, the IP address of the diagnosis target terminal 2 is “10.x.x.x”. It is assumed that the OS type operating on the diagnosis target terminal 2 is “OS1” and the middleware type is “Mid1”.

  In addition, the acquisition unit 21 includes the individual request included in each piece of vulnerability information stored in the vulnerability information DB 15 in the request for network scan. In the example of FIG. 2, the acquisition unit 21 includes the individual request 1 and the individual request 3 in the network scan request.

  For example, it is assumed that the individual request 1 is the information of the command “GET / usage / index.cgi HTTP / 1.1” described above. When the application corresponding to the individual request 1 is effectively operating in the diagnosis target terminal 2, the individual reaction 1 is, for example, information “HTTP / 1.1 200 OK”.

  On the other hand, when the application corresponding to the individual request 1 does not operate effectively in the terminal 2 to be diagnosed, the individual reaction 1 is, for example, information “HTTP / 1.1 404 NOT FOUND”.

  The device information includes information on the OS (fingerprint, banner information, etc.), information on middleware (open port, fingerprint, banner information, etc.) and information on individual reactions.

  The diagnostic target terminal 2 transmits the above-described device information to the diagnostic device 1 as a response. Thus, the acquisition unit 21 acquires device information. The acquisition unit 21 stores the acquired device information in the scan information DB 14.

  FIG. 4 shows an example in which the device information (scan information) of the diagnosis target terminal 2 whose IP address is “10.x.x.x” is added to the scan information DB 14.

  In the example of FIG. 4, the individual response 1 “aaaaaaa” indicates that the application corresponding to the individual request 1 is operating effectively. Similarly, "ccccccc" which is individual reaction 3 indicates that the application corresponding to individual request 3 is operating effectively.

  The acquisition unit 21 acquires scan information of the diagnosis target terminal 2 from the scan information DB 14. Since this acquisition is acquisition of scan information from the scan information DB 14, it is a cache scan.

  The estimation unit 22 estimates the OS type and the middleware type based on the scan information acquired by the acquisition unit 21.

  The diagnosis unit 23 collates all the vulnerability information stored in the vulnerability information DB 15 with the estimated OS type, the estimated middleware type, and the individual reaction to diagnose the vulnerability of the terminal 2 to be diagnosed. Do.

  When there is vulnerability information in which the estimated OS type, the estimated middleware type, and the individual reaction all match the conditions of the vulnerability information stored in the vulnerability information DB 15, the diagnosis unit 23 determines that the diagnostic target terminal 2 Detect that the vulnerability information vulnerability exists.

  Further, the diagnostic unit 23 is vulnerable to the diagnosis target terminal 2 when the estimated OS type and the middleware type match among the conditions of the above-mentioned vulnerability information and the individual information is insufficient for the scan information. Detect what may be present.

  If it is detected that a vulnerability exists in the diagnosis target terminal 2, the list processing unit 24 adds information indicating that the vulnerability is detected to the vulnerability detection list. If it is detected that there is a possibility that a vulnerability exists in the terminal 2 to be diagnosed, the list processing unit 24 adds information indicating the possibility of the presence of the vulnerability to the possibility of vulnerability list.

  When a network scan is performed and the acquired device information is stored in the scan information DB 14, the diagnosis unit 23 diagnoses a vulnerability based on the vulnerability information stored in the vulnerability information DB 15 at that time. Do.

  The vulnerability information in this case is an example of a first diagnosis rule. Also, the vulnerability diagnosis to be performed is an example of the vulnerability diagnosis based on the first diagnosis rule.

  The request for performing the network scan includes all the individual requests stored in the vulnerability information DB 15. Therefore, the device information acquired from the diagnosis target terminal 2 includes the individual reaction corresponding to each individual request.

  Therefore, the scan information DB 14 stores all the individual reactions to be subjected to the vulnerability diagnosis for the terminal 2 to be diagnosed, so that the scan information does not run short of individual reactions. That is, when the network scan is performed, the diagnosis unit 23 does not detect the vulnerability as the possibility.

  For this reason, as shown in the example of FIG. 4, the possible vulnerability list does not record possible vulnerability information. On the other hand, the vulnerability 1 for which the diagnostic unit 23 has detected the vulnerability is added by the list processing unit 24 to the vulnerability detection list.

<Second example of vulnerability diagnosis>
Next, a second example of vulnerability diagnosis will be described. FIG. 5 shows an example of the scan information DB 14 and the vulnerability information DB 15 at the time of “2015/02/27”. Among the scan information stored in the scan information DB 14, the scan information of the terminals with IP addresses "10. yyy" and "10. zzz" exceeds the expiration date "2015/02/26" .

  Therefore, the expiration date management unit 25 invalidates these scan information. The invalidated scan information is shaded. In addition, at the time of "2015/02/27", vulnerability information 5 of vulnerability 5 and vulnerability 6 is added to the vulnerability information database 15.

  FIG. 6 is a diagram for describing a second example of vulnerability diagnosis. The acquisition unit 21 checks whether the scan information DB 14 stores valid scan information of the diagnosis target terminal 2 (IP address is “10.x.x.x”).

  As of "2015/02/27", valid scan information of the diagnosis target terminal 2 whose IP address is "10.x.x.x" is stored. In this case, the diagnosis unit 23 diagnoses the vulnerability of the terminal 2 to be diagnosed based on the valid scan information stored in the scan information DB 14.

  The vulnerability diagnosis of the second example is performed after the vulnerability diagnosis of the first example described above is performed. Further, in the second example of the vulnerability diagnosis, vulnerability information of the vulnerability 5 and the vulnerability 6 is added to the vulnerability information DB 15 as compared to the first example of the vulnerability diagnosis.

  Therefore, in the second example of vulnerability diagnosis, vulnerability diagnosis is performed based on vulnerability information different from the first example of vulnerability diagnosis. Each piece of vulnerability information stored in the vulnerability information DB 15 in the second example of vulnerability diagnosis is an example of a second diagnosis rule.

  In the second example of the vulnerability diagnosis, the acquisition unit 21 performs a cache scan without performing a network scan, and acquires scan information of the diagnosis target terminal 2 from the scan information DB 14.

  The estimation unit 22 estimates the OS type and the middleware type based on the acquired scan information. The diagnosis unit 23 performs vulnerability diagnosis by collating the estimated OS type, the estimated middleware type, and the individual reaction with each piece of vulnerability information stored in the vulnerability information DB 15.

  The diagnosis unit 23 determines whether the individual response of the condition stored in the vulnerability information DB 15 is insufficient for the scan information of the terminal 2 to be diagnosed stored in the scan information DB 14.

  In the example of FIG. 5, “individual request 5 = individual reaction 5” is added to vulnerability information DB 15 as the condition of vulnerability 5, and “individual request 6 = individual reaction 6” as the condition of vulnerability 6 Has been added. Therefore, the individual reaction 5 and the individual reaction 6 are insufficient in the scan information of the terminal 2 to be diagnosed.

  The diagnosis unit 23 determines whether the vulnerability level of the vulnerability information corresponding to the missing individual reaction is equal to or higher than a predetermined level (the vulnerability level is “high”). The vulnerability level of vulnerability 5 is "medium" and the vulnerability level of vulnerability 6 is "high".

  Among the individual reactions lacking in the scan information of the terminal 2 to be diagnosed, the acquiring unit 21 performs a network scan individually only for the individual reactions 6 whose vulnerability level is “high”. This individual network scan is referred to as an individual network scan.

  In this case, in order to perform an individual network scan, the acquisition unit 21 transmits a request of the individual request 6 to the diagnosis target terminal 2. The diagnostic target terminal 2 transmits the individual reaction 6 to the diagnostic device 1 in response to the request of the individual request 6.

  The individual reaction 6 may indicate that the application corresponding to the individual request 6 is operating effectively at the diagnosis target terminal 2 or may indicate that the application is not operating effectively.

  In the example of FIG. 6, “dddddd” indicates that the application corresponding to the individual request 6 is effectively operating on the diagnosis target terminal 2. After acquiring the individual reaction 6, the acquisition unit 21 adds the individual reaction 6 to the scan information of the diagnosis target terminal 2 stored in the scan information DB 14.

  The acquisition unit 21 acquires scan information of the diagnosis target terminal 2 illustrated in the example of FIG. 7 from the scan information DB 14. This acquisition is a cache scan.

  Among the vulnerability information stored in the vulnerability information DB 15, the diagnosis unit 23 detects vulnerability information that matches the estimated OS type and middleware type and has an individual response corresponding to an individual request.

  In the case of the example of FIG. 7, each condition of vulnerability 6 matches the estimated OS type, middleware type, and individual reaction of the diagnosis target terminal 2. In this case, the diagnostic unit 23 detects the presence of the vulnerability 6 in the terminal 2 to be diagnosed. The list processing unit 24 adds the vulnerability 6 to the vulnerability detection list.

  On the other hand, vulnerability level of vulnerability 5 is "medium", not "high". In this case, the acquisition unit 21 does not perform the individual network scan for the individual request 5 of the vulnerability 5. Therefore, the individual reaction 5 is not included in the scan information of the diagnosis target terminal 2 stored in the scan information DB 14.

  In this case, among the conditions of the vulnerability 5, the estimated OS type and middleware type of the terminal 2 to be diagnosed match, but the individual information 5 is insufficient in the scan information. Therefore, the diagnosis unit 23 detects that the terminal 2 to be diagnosed has a possibility of the presence of the vulnerability 5. The list processing unit 24 adds the vulnerability 5 to the vulnerability possibility list.

  In the case of the second example of the vulnerability diagnosis, the diagnostic device 1 performs, with respect to the terminal 2 to be diagnosed, an individual network scan in which only individual reactions corresponding to individual requests lacking in scan information are acquired. On the other hand, in the case of a network scan, the diagnostic device 1 acquires device information from the diagnosis target terminal 2.

  The device information includes information on the OS, information on the middleware, and individual responses to individual requests for a plurality of applications. Therefore, the individual network scan has a lower load on the diagnosis target terminal 2 and the network than the network scan.

  For this reason, it is possible to perform vulnerability diagnosis of the diagnosis target terminal 2 at a high frequency while suppressing an increase in load on the diagnosis target terminal 2 and the network. Therefore, efficient vulnerability diagnosis is realized.

  In the second example of vulnerability diagnosis, when there is a shortage of information for performing vulnerability diagnosis using scan information stored in the scan information DB 14, an individual network scan is performed, and the shortage is Get information

  For example, in the example of FIG. 7, when the vulnerability level of the vulnerability 6 is “medium”, the acquiring unit 21 does not perform the individual network scan. In this case, communication does not occur between the diagnostic device 1 and the terminal 2 to be diagnosed, and a load for diagnosing the vulnerability of the terminal 2 to be diagnosed and the network does not occur.

  That is, the diagnostic device 1 can perform vulnerability diagnosis of the diagnosis target terminal 2 off-line. Therefore, even if the vulnerability diagnosis is performed frequently, the load on the terminal 2 to be diagnosed and the network will not be high.

  However, when the vulnerability level is “high”, it is preferable that the diagnostic device 1 quickly acquire the latest information of the terminal 2 to be diagnosed. Thus, in this case, an individual network scan is performed.

  In addition, it is possible to suppress the load with respect to the diagnostic target terminal 2 by preparing a system for reproducing the diagnostic target terminal 2 and performing the vulnerability diagnosis on the system. However, in this case, it is necessary to prepare a system similar to the terminal 2 to be diagnosed, which will increase the hardware resources in the future.

  Moreover, it is difficult to prepare a system for reproducing the terminal 2 to be diagnosed, and a difference occurs between the system and the terminal 2 to be diagnosed, and the difference reduces the diagnostic accuracy of the vulnerability diagnosis. Therefore, it is preferable that vulnerability diagnosis be performed on the actual terminal 2 to be diagnosed.

<Third Example of Vulnerability Diagnosis>
FIG. 8 shows an example of the scan information DB 14 and the vulnerability information DB 15 in the third example of vulnerability diagnosis. The scan information DB 14 and the vulnerability information DB 15 illustrated in the example of FIG. 8 indicate information at the time of “2015/03/27”.

  At the time of “2015/03/27”, the scan information of the diagnosis target terminal 2 (IP address “10.x.x.x”) stored in the scan information DB 14 exceeds the expiration date. The expiration date management unit 25 invalidates the above scan information of the scan information DB 14.

  The acquisition unit 21 confirms whether valid scan information of the diagnosis target terminal 2 is stored in the scan information DB 14 or not. Since valid scan information of the diagnosis target terminal 2 is not stored in the scan information DB 14, the acquiring unit 21 performs a network scan on the diagnosis target terminal 2.

  When a network scan is performed, the diagnostic device 1 acquires, from the terminal 2 to be diagnosed, individual responses to all individual requests to be subjected to vulnerability diagnosis. Therefore, since all the individual reactions are stored in the scan information DB 14, the diagnostic unit 23 does not determine that the individual reactions are insufficient for the scan information.

  Therefore, the list processing unit 24 adds the same vulnerability information as the estimated OS type and middleware type of the terminal 2 to be diagnosed to the vulnerability detection list regardless of the vulnerability level. On the other hand, the list processing unit 24 does not record the vulnerability information in the vulnerability possibility list because it is not determined that there is no individual response in the scan information.

<An example of a flowchart showing the flow of processing of the embodiment>
Next, an example of processing of the embodiment will be described with reference to a flowchart. The acquisition unit 21 confirms whether valid scan information of the diagnosis target terminal 2 is stored in the scan information DB 14 (step S1).

  When valid scan information of the diagnosis target terminal 2 is not stored in the scan information DB 14 (NO in step S2), the acquiring unit 21 performs a network can (step S3). Thus, the acquisition unit 21 acquires device information from the diagnosis target terminal 2.

  The acquisition unit 21 stores the acquired device information as scan information in the scan information DB 14 (step S4). In the case of YES at step S2, the processes at steps S3 and S4 are not performed. That is, when valid scan information of the terminal 2 to be diagnosed is stored in the scan information DB 14, no network scan is performed.

  The acquisition unit 21 executes a cache scan for acquiring scan information of the diagnosis target terminal 2 from the scan information DB 14 (step S5). The estimation unit 22 estimates the OS type and the middleware type of the terminal 2 to be diagnosed based on the acquired scan information (step S6).

  The diagnosis unit 23 collates the estimated OS type, the estimated middleware type, and the individual reaction with the conditions of the respective vulnerability information stored in the vulnerability information DB 15 (step S7). Then, the process proceeds to "A". The processes after “A” will be described with reference to the example of FIG.

  Among the conditions of each vulnerability information stored in the vulnerability information DB 15, the diagnosis unit 23 determines whether or not there is vulnerability information in which the OS type and the middleware type match and the individual reaction is insufficient. (Step S8).

  If the OS type and the middleware type match, and there is vulnerability information lacking an individual response (YES in step S8), the diagnostic unit 23 determines whether the vulnerability level of the vulnerability information is "high" or not. It is determined (step S9).

  If the vulnerability level of the vulnerability information to be determined is “high” (YES in step S10), the acquiring unit 21 performs an individual network scan for acquiring an individual request corresponding to the lacking individual reaction ( Step S10).

  The acquisition unit 21 acquires, from the diagnosis target terminal 2, information of an individual reaction corresponding to an individual request. Then, the acquisition unit 21 stores the acquired information of the individual reaction in the scan information DB 14 (step S11). At this time, the acquisition unit 21 adds the information of the acquired individual reaction to the scan information of the terminal 2 to be diagnosed among the scan information stored in the scan information DB 14.

  In the case of NO in step S8 and in the case of NO in step S9, the processes of step S10 and step S11 are not performed. In this case, the acquisition unit 21 does not perform an individual network scan on the diagnosis target terminal 2.

  The diagnosis unit 23 diagnoses the vulnerability of the diagnosis target device 2 based on each vulnerability information stored in the vulnerability information DB 15 and the OS type, middleware type and individual reaction of the diagnosis target terminal 2 (step S12).

  The diagnosis unit 23 determines whether or not there is vulnerability information that matches all the conditions of the OS type, middleware type, and individual reaction of the terminal 2 to be diagnosed among the vulnerability information stored in the vulnerability information DB 15. judge.

  If there is the above-mentioned vulnerability information, the list processing unit 24 records the vulnerability information in the vulnerability detection list stored in the list storage unit 16 (step S13).

  Among the conditions of each vulnerability information stored in the vulnerability information DB 15, the diagnosis unit 23 matches the OS type and the middleware type of the terminal 2 to be diagnosed, and the vulnerability information for which the individual response is insufficient for the scan information Determine if there is.

  If there is the above-mentioned vulnerability information, the list processing unit 24 records the vulnerability information in the vulnerability possibility list stored in the list storage unit 16 (step S14).

  The processing unit 11 presents the vulnerability detection list and the vulnerability possibility list stored in the list storage unit 16 (step S15). For example, the processing unit 11 may perform presentation by displaying the vulnerability detection list and the vulnerability list on the screen unit 13.

  Further, the processing unit 11 may perform fixed time by printing the vulnerability detection list and the vulnerability list on, for example, a printer or the like. Thereby, for example, it is presented to the operator (for example, maintenance staff) who operates the diagnosis apparatus 1 that not only the vulnerability is detected in the diagnosis target terminal 2 but also that there is a possibility of the vulnerability. You can also

  Next, an example of the process of the expiration date management unit 25 will be described with reference to the flowchart of FIG. The expiration date management unit 25 searches the scan information stored in the scan information DB 14 for scan information whose expiration date has been exceeded (step S21).

  As a result of the search, when the scan information whose expiration date is exceeded is found (YES in step S22), the expiration date management unit 25 invalidates the scan information whose expiration date is over (step S23). As a result of the search, when the scan information whose expiration date is exceeded is not found (NO in step S22), the process of step S23 is not performed.

<Example of hardware configuration of diagnostic device>
Next, an example of the hardware configuration of the diagnostic device 1 will be described with reference to the example of FIG. As shown in the example of FIG. 12, the processor 111, the RAM 112, the ROM 113, the auxiliary storage device 114, the medium connection unit 115, the communication interface 116, and the input / output interface 117 are connected to the bus 100. In FIG. 12, the interface is shown abbreviated as "IF".

  The processor 111 is an arbitrary processing circuit. The processor 111 executes the program developed in the RAM 112. As a program to be executed, a diagnostic program for performing the process of the embodiment may be applied. The ROM 113 is a non-volatile storage device that stores a program developed in the RAM 112.

  The auxiliary storage device 114 is a storage device for storing various information, and for example, a hard disk drive or a semiconductor memory may be applied to the auxiliary storage device 114. The medium connection unit 115 is provided to be connectable to the portable recording medium 119.

  As the portable recording medium 119, a portable memory or an optical disc (for example, a Compact Disc (CD), a Digital Versatile Disc (DVD), or the like) may be applied. A program for performing the process of the embodiment may be recorded on the portable recording medium 119.

  The input / output interface 117 is an interface connected to an external device. As an external device, for example, a display 117A, a printer 117B, etc. may be applied.

  The processing unit 11 of the diagnostic device 1 may be realized by the processor 111 executing the provided diagnostic program. The communication interface 116 may be applied to the communication unit 12.

  The display 117 </ b> A may be applied to the screen unit 13. The RAM 112, the auxiliary storage device 114, and the like may be applied to the scan information DB 14, the vulnerability information DB, and the list storage unit 16.

  The RAM 112, the ROM 113, the auxiliary storage device 114, and the portable recording medium 119 are all examples of a computer-readable tangible storage medium. These tangible storage media are not temporary media such as signal carriers.

<Others>
The present embodiment is not limited to the embodiment described above, and various configurations or embodiments can be taken without departing from the scope of the present embodiment.

Reference Signs List 1 diagnostic device 2 terminal to be diagnosed 11 processing unit 12 communication unit 13 screen unit 14 scan information DB
15 Vulnerability Information DB
16 list storage unit 21 processing unit 22 estimation unit 23 diagnosis unit 24 list processing unit 25 expiration date management unit 111 processor 112 RAM
113 ROM

Claims (8)

On the computer
Storing device information acquired from the information processing apparatus to be diagnosed when vulnerability diagnosis based on the first diagnosis rule is executed, in the storage unit;
In the case where a new vulnerability diagnosis is performed based on a second diagnosis rule different from the first diagnosis rule after the execution of the vulnerability diagnosis, the diagnosis target is generated based on the device information stored in the storage unit. Perform vulnerability diagnosis on the information processing apparatus;
A diagnostic program characterized by performing processing. Furthermore, on the computer,
When the valid device information is not stored in the storage unit, vulnerability diagnosis based on the first diagnostic rule is performed on the information processing device, and the valid device information is stored in the storage unit. Execute vulnerability diagnosis based on the second diagnosis rule,
The diagnostic program according to claim 1, wherein the processing is executed. Furthermore, on the computer,
The device information is invalidated after a predetermined time has elapsed since the device information is stored in the storage unit.
The diagnostic program according to claim 1 or 2, wherein the processing is executed. Furthermore, on the computer,
When performing a new vulnerability diagnosis based on the second diagnosis rule, if the information used for the vulnerability diagnosis is insufficient, only the insufficient information is acquired from the information processing apparatus.
The diagnostic program according to any one of claims 1 to 3, wherein the processing is executed. Furthermore, on the computer,
The vulnerability information detected to be present in the information processing apparatus is recorded in a first list based on the result of performing a new vulnerability diagnosis based on the second diagnosis rule,
The vulnerability information detected to be possibly present in the information processing apparatus is recorded in a second list based on the result of performing a new vulnerability diagnosis based on the second diagnosis rule.
Presenting the first list and the second list,
The diagnostic program according to any one of claims 1 to 4, wherein the processing is executed. On the computer
As a result of performing new vulnerability diagnosis based on the second diagnosis rule, vulnerability information satisfying all the conditions of the device information and having a vulnerability level equal to or higher than a predetermined level is recorded in the first list;
As a result of performing a new vulnerability diagnosis based on the second diagnosis rule, a part of the condition of the device information is insufficient, or the vulnerability information of which the vulnerability level is less than the predetermined level is Record in the list of
The diagnostic program according to claim 5, wherein the processing is executed. The computer is
Storing device information acquired from the information processing apparatus to be diagnosed when vulnerability diagnosis based on the first diagnosis rule is executed, in the storage unit;
In the case where a new vulnerability diagnosis is performed based on a second diagnosis rule different from the first diagnosis rule after the execution of the vulnerability diagnosis, the diagnosis target is generated based on the device information stored in the storage unit. Perform vulnerability diagnosis on the information processing apparatus;
A diagnostic method comprising performing a process. A storage unit configured to store device information acquired from an information processing device to be diagnosed when vulnerability diagnosis based on the first diagnosis rule is executed;
In the case where a new vulnerability diagnosis is performed based on a second diagnosis rule different from the first diagnosis rule after the execution of the vulnerability diagnosis, the diagnosis target is generated based on the device information stored in the storage unit. A diagnosis unit that performs vulnerability diagnosis on the information processing apparatus;
A diagnostic device comprising:

Images