JP6552136B1 - Exercise display program for cyber attacks - Google Patents

Abstract

[PROBLEMS] To easily grasp the status of cyber attacks. When a specific information processing apparatus that has been attacked is detected from among a plurality of information processing apparatuses, a program according to an embodiment includes a first display area that displays a timeline and that corresponds to the specific information processing apparatus. One timeline is newly displayed, and the computer is caused to execute a process of displaying a first symbol indicating that an attack has occurred on the first timeline. In addition, when the program detects that an attack has been made from a specific information processing device to another information processing device, the program displays a second symbol indicating that the attack has been made on the first timeline, and In response to the detection of the other information processing apparatus received, a second timeline corresponding to the other information processing apparatus is newly displayed at a position adjacent to the first timeline, and is displayed on the second timeline. Causes the computer to execute a process of displaying a first symbol indicating that an attack has occurred. [Selection] Figure 1

Description

  Embodiments described herein relate generally to a program.

  Conventionally, exercises for cyber attacks are performed using a simulated exercise system that serves as an exercise ground. In this exercise system, a virus that actually performs a cyber attack, for example, by infecting with a virus, is injected into the information processing apparatus. Then, the exercise target person operates the terminal device to practice dealing with the cyber attack by the virus injected into the information processing apparatus.

International Publication No. 2015/029195

  However, in the above-mentioned prior art, there is a problem that it is difficult to grasp the situation of the cyber attack at the time of the exercise. For example, from the display screen of the terminal device operated by the exercise subject, the operation content of the exercise subject can be grasped, but the cyber attack such as which information processing device in the exercise system is being attacked It is difficult to grasp the situation.

  Another object of the present invention is to provide a program capable of easily grasping the situation of cyber attack.

  In the first proposal, a program causes a computer to execute a process of monitoring an exercise for a cyber attack that defines a cyber attack and a countermeasure schedule as a scenario using a system including a plurality of information processing apparatuses. In addition, when the program detects a specific information processing apparatus that has been subjected to a cyber attack among a plurality of information processing apparatuses, a first timeline corresponding to the specific information processing apparatus is displayed in a first display area that displays a timeline. Causes the computer to execute a process of newly displaying. Furthermore, the program causes the computer to execute processing of displaying a first symbol indicating that a cyber attack has been received on the first timeline. In addition, when the program detects that a cyber attack has been made on another information processing apparatus from a specific information processing apparatus, the program displays a second symbol indicating that the cyber attack has been made on the first timeline. Let the computer run. Further, the program newly displays a second timeline corresponding to the other information processing apparatus at a position adjacent to the first timeline in response to detection of the other information processing apparatus that has received a cyber attack. Let the computer run. Furthermore, the program causes the computer to execute processing of displaying a first symbol indicating that a cyber attack has been received on a second timeline.

  According to one embodiment of the present invention, it is possible to easily grasp the status of a cyber attack.

FIG. 1 is a block diagram showing the configuration of a training system according to the embodiment. FIG. 2 is an explanatory diagram for explaining the exercise system according to the embodiment. FIG. 3 is an explanatory diagram for explaining an attack scenario. FIG. 4 is an explanatory view for explaining a planned response scenario. FIG. 5 is an explanatory diagram for explaining the attack history in the log. FIG. 6 is an explanatory diagram for explaining the operation history in the log. FIG. 7 is a block diagram illustrating a functional configuration of the exercise system according to the embodiment. FIG. 8 is a flowchart illustrating an operation example of the exercise system according to the embodiment. FIG. 9 is an explanatory diagram illustrating a display screen. FIG. 10 is a flowchart illustrating display processing of the training status. FIG. 11 is an explanatory diagram for explaining a timeline display area. FIG. 12 is an explanatory diagram illustrating a display screen. FIG. 13 is an explanatory diagram illustrating a display screen. FIG. 14 is an explanatory diagram illustrating a display screen. FIG. 15 is an explanatory diagram illustrating a display screen. FIG. 16 is an explanatory diagram illustrating a display screen. FIG. 17 is a block diagram illustrating an example of a hardware configuration of the management device, the information processing device, and the terminal device according to the embodiment.

  Hereinafter, a program according to an embodiment will be described with reference to the drawings. In the embodiment, configurations having the same functions are denoted by the same reference numerals, and redundant description is omitted. Note that the programs described in the following embodiments are merely examples, and do not limit the embodiments. In addition, each of the following embodiments may be appropriately combined within the scope of no contradiction.

  FIG. 1 is a block diagram illustrating a configuration of an exercise system 100 according to the embodiment. As shown in FIG. 1, the exercise system 100 includes a management device 1, information processing devices 2A, 2B, 2C,..., Terminal devices 3A, 3B, and a surveillance camera 4.

  The management device 1, the information processing devices 2A, 2B, 2C,... And the terminal devices 3A, 3B,... Are communicably connected to each other via a communication network N such as a LAN (Local Area Network). Further, the monitoring camera 4 is connected to the management device 1 through communication such as USB (Universal Serial Bus), for example. The management apparatus 1 and the other devices (the information processing apparatuses 2A, 2B, 2C,... And the terminal apparatuses 3A, 3B,...) Are separate communications configured separately from the communication network N by VLAN (Virtual LAN) or the like. You may connect via a network. Further, the connection between the management apparatus 1 and the monitoring camera 4 may be via the communication network N, and is not limited to the connection form in the illustrated example.

  For example, a computer such as a PC (personal computer), a workstation, and a server can be applied to the management device 1, the information processing devices 2A, 2B, 2C,... And the terminal devices 3A, 3B,. Further, a digital camera such as a web camera can be applied to the monitoring camera 4.

  The management device 1 manages cyber attacks on the information processing devices 2A, 2B, 2C... And the terminal devices 3A, 3B. The information processing devices 2A, 2B, 2C,... Are server devices that provide various services to the terminal devices 3A, 3B, etc., such as file servers, mail servers, web servers, and the like. In the information processing apparatuses 2A, 2B, 2C,..., A cyber attack is performed under the management of the management apparatus 1.

  In the terminal devices 3A, 3B,..., Cyber attacks are performed under the management of the management device 1 as in the information processing devices 2A, 2B, 2C,. The terminal devices 3A, 3B,... Are terminals used by the exercise target person who exercises the cyber attacks on the information processing devices 2A, 2B, 2C,... And the terminal devices 3A, 3B,.

  In this embodiment, in the exercise system 100, the configuration in which the information processing devices 2A, 2B, 2C,... And the terminal devices 3A, 3B,. This practice site is appropriately prepared in imitation of an actually operated system or the like, and is not limited to the configuration exemplified in the present embodiment.

  The number of the information processing devices 2A, 2B, 2C,... May be one or more, and the number is not limited. Similarly, the number of terminal devices 3A, 3B,... May be one or more, and the number is not limited. The information processing devices 2A, 2B, 2C,... Are referred to as the information processing device 2 unless otherwise specified. Similarly, the terminal devices 3A, 3B,... Will be referred to as the terminal device 3 unless otherwise specified.

  The monitoring camera 4 is a digital camera for monitoring the state of the exercise, and outputs a captured image (moving image) to the management device 1. The monitoring camera 4 is installed in the vicinity of the terminal devices 3A, 3B,. In the management device 1, by displaying the image captured by the monitoring camera 4 on a display or the like, it is possible to easily confirm the state of the exercise, for example, the state or behavior of the person being the subject of the exercise.

  FIG. 2 is an explanatory diagram for explaining the exercise system according to the embodiment. Specifically, FIG. 2 is a diagram illustrating a case where a cyber attack AT is performed in the information processing apparatus 2B. The terminal devices 3A, 3B,... Are not shown, but the terminal devices 3A, 3B,... Are similar to the information processing devices 2A, 2B, 2C. As illustrated in FIG. 2, the management apparatus 1 includes a scenario management unit 101, a cyber attack control unit 102, and a display unit 11.

  The scenario management unit 101 manages the attack scenario 141 and the countermeasure scheduled scenario 142. The attack scenario 141 is data in which a scenario of the entire cyber attack of the information processing devices 2A, 2B, 2C... And the terminal devices 3A, 3B. The coping scenario 142 is data in which the operation content (coping operation) assumed for each cyber attack of the attack scenario 141 is described.

  FIG. 3 is an explanatory diagram for explaining the attack scenario 141. As shown in FIG. As shown in FIG. 3, the attack scenario 141 sequentially describes cyber attacks in the exercise system 100 after the exercise starts. Specifically, the attack scenario 141 includes, for each cyber attack numbered “No.”, “attack type”, “start time”, “end time”, “attack source”, “attack destination”, and Parameters such as “Supplemental parameters” are described.

  The “attack type” indicates the type of cyber attack such as “portable storage medium intrusion”, “direct diffusion”, “stealthization”, “traffic transmission”, “file tampering” and the like. The “start time” and “end time” indicate the time to start a cyber attack and the time to end a cyber attack after the start of the exercise. For example, by shortening the time interval of the “start time” in each cyber attack, the attack speed of continuous cyber attacks, that is, cyber attacks will be increased. Conversely, increasing the time between “start times” in each cyber attack slows down the speed of sporadic cyber attacks, that is, cyber attacks.

  For “attack source” and “attack destination”, information indicating attack routes such as the device that is the source of cyber attack and the device that is the attack destination (for example, host name or network address such as “device A” or “device B”) Is shown. The “supplementary parameter” indicates a value that supplements the content of the cyber attack. Specifically, the "supplementary parameter" indicates the value of the cyber attack magnitude. For example, the size of the cyber attack indicates the size of the resource occupied by the cyber attack, and may be the processing load condition in the cyber attack. As an example, if the size of a cyber attack is large and more resources are occupied compared to normal processing, it is considered as "high load". Conversely, if the size of the cyber attack is small and resource occupancy is small compared to normal processing, "low load" is used.

  FIG. 4 is an explanatory diagram for explaining the planned response scenario 142. As shown in FIG. As shown in FIG. 4, the action schedule scenario 142 describes operation contents such as “scheduled action apparatus”, “scheduled action type”, and “action category” for each cyber attack in the attack scenario 141.

  “Countermeasure device” describes a device on which a countermeasure operation is scheduled to be performed against a cyber attack. The “planned action type” describes the type of operation for the cyber attack such as “error detection”, “network disconnection”, “process stop”, “file recovery” and the like. For example, "abnormality detection" indicates the execution of a predetermined survey command. Also, "network disconnection" indicates the execution of a command to stop the network function. Also, “process stop” indicates the stop of the process of performing a cyber attack by a kill command. Also, "file recovery" indicates recovery of a tampered file by a recovery command.

  The "action category" indicates the category (type) of action to be taken by the person subject to the exercise, and includes, for example, "survey", "initial action", "action for cause", "restoration" and the like.

  Returning to FIG. 2, the cyber attack control unit 102 reads the attack scenario 141 managed by the scenario management unit 101, and executes the cyber attack described in the attack scenario 141 in each of the information processing apparatuses 2A, 2B, 2C,. Send cyber commands to control cyber attacks. Specifically, the cyber attack control unit 102 identifies the cyber attack whose start time is the time after the start of the exercise, based on the “start time” parameter of the attack scenario 141. Next, the cyber attack control unit 102 reads out the identified cyber attack parameters from the attack scenario 141. Next, the cyber attack control unit 102 transmits a command for executing a cyber attack according to the read parameter to the device specified by the parameter of “attack source”.

  The information processing apparatus 2 starts a process of executing a cyber attack in accordance with an instruction (parameter) from the cyber attack control unit 102 by processing of a resident program (for example, a daemon or the like) according to a cyber attack exercise. The process activated in the information processing apparatus 2 is an entity of a virus that implements various cyber attacks. In the information processing apparatus 2, a process corresponding to parameters such as “attack type”, “attack destination” and “supplementary parameter” is activated to perform cyber attack such as data tampering or denial of service attack (Denial of Service attack). Do. Specifically, in response to an instruction from the cyber attack control unit 102 based on the attack scenario 141, an internal cyber attack AT such as data tampering is performed in the information processing device 2B.

  Further, each of the information processing apparatuses 2A, 2B, 2C,... Records backup data 221A, 221B, 221C,... And logs (parts) 222A, 222B, 222C,. The backup data 221A, 221B, 221C,... Are referred to as backup data 221 unless otherwise specified. Similarly, the logs (parts) 222A, 222B, 222C,... Are also referred to as the log (parts) 222 unless otherwise specified.

  The backup data 221 is data for restoring the state of the information processing apparatus 2 to the time when the exercise is started. Each of the information processing apparatuses 2A, 2B, 2C,... Records data such as a file and various statuses stored at the start of the exercise as backup data 221A, 221B, 221C,.

  A log (part) 222 is an operation history of a cyber attack attack and an operation history of a user such as a person who is the subject of the exercise and the like. Each of the information processing devices 2A, 2B, 2C,... Monitors its own process and records the extracted attack history and operation history as logs (parts) 222A, 222B, 222C,.

  As for the operation history, not all the operation histories but the operation history corresponding to the coping operation described in the coping scenario 142, that is, the coping action against the cyber attack of the attack scenario 141 may be recorded. For example, the information processing apparatus 2 receives the scheduled handling scenario 142 from the management apparatus 1, and extracts the operation content received from the user corresponding to the “scheduled handling type” of the scheduled handling scenario 142. For example, when the “planned action type” is “network disconnection”, the execution of the command for stopping the network function is extracted as the action action from the operation content received from the user. Then, the information processing apparatus 2 logs the content of the extracted coping action (for example, “network disconnection”), the type corresponding to the content (for example, “initial coping”), the coping apparatus and the coping time as an operation history log (part) 222 To record. Specifically, an operation history is recorded in which the content of the coping behavior is “coping behavior”, the type corresponding to the content is “coping category”, the coping device is “coping device”, and the coping time is “coping time”.

  The management apparatus 1 collects logs (parts) 222A, 222B, 222C,... Recorded by each of the information processing apparatuses 2A, 2B, 2C,. The management device 1 displays the exercise situation in the exercise system 100 on the display unit 11 based on the acquired log (whole) 143. Thereby, the user (for example, exercise supervisor) of the management apparatus 1 can grasp the exercise status.

  FIG. 5 is an explanatory diagram for explaining the attack history in the log. As shown in FIG. 5, each of the information processing apparatuses 2A, 2B, and 2C records an attack history corresponding to the cyber attack of the attack scenario 141 as logs (parts) 222A, 222B, and 222C. The information processing devices 2A, 2B, and 2C are respectively referred to as “device A”, “device B”, and “device C”.

  For example, the attack history of the logs (parts) 222A, 222B, and 222C includes “attack type”, “start time”, “end time”, “attack destination”, “supplement parameter”, “attack” for each cyber attack. "Result", "Start time (Result)" and "End time (Result)" are recorded. “Attack type”, “start time”, “end time”, “attack destination”, and “supplement parameter” are parameters corresponding to the attack scenario 141. The “attack result” is a parameter indicating failure / success of the attack. The “start time (result)” and the “end time (result)” are parameters indicating the actual start and end times of the cyber attack.

  FIG. 6 is an explanatory diagram for explaining the operation history in the log. As illustrated in FIG. 6, each of the information processing apparatuses 2A, 2B, and 2C records an operation history indicating a response operation for a cyber attack in the attack scenario 141 as logs (parts) 222A, 222B, and 222C. For example, coping behavior corresponding to the coping operation of the coping scenario 142 is recorded in the operation history of the logs (parts) 222A, 222B, 222C. Specifically, action plans such as “attack type”, “start time”, “end time”, “attack source”, “attack destination”, “supplementary parameter”, “action plan type”, “action category”, etc. The parameter corresponding to 142 is recorded. In the operation history, a “coping device” indicating a coping device actually dealt with, a “coping action” indicating the actual operation content, and a “coping time” indicating the operation time are recorded. The management apparatus 1 collects these logs (parts) 222A, 222B, and 222C from the information processing apparatuses 2A, 2B, and 2C and aggregates them to obtain a log (whole) 143.

  FIG. 7 is a block diagram illustrating the functional configuration of the exercise system 100 according to the embodiment. As illustrated in FIG. 7, the management device 1 includes a control unit 10, a display unit 11, an operation unit 12, a communication unit 13, and a storage unit 14.

  The control unit 10 has an internal memory for storing various programs and control data, and executes various processes by these. In one embodiment, the control unit 10 is implemented as a central processing unit, so-called CPU (Central Processing Unit). In addition, the control part 10 does not necessarily need to be mounted as a central processing unit, and may be mounted as a MPU (Micro Processing Unit). The control unit 10 can also be realized by hard wired logic such as an application specific integrated circuit (ASIC) or a field programmable gate array (FPGA).

  The display unit 11 is a display device such as an LCD (Liquid Crystal Display), and performs display under the control of the control unit 10. The operation unit 12 is an input device such as a keyboard, a mouse, and a touch panel, receives an operation from a user (for example, a monitor of an exercise), and outputs the operation to the control unit 10. The communication unit 13 is an interface that performs communication with other devices (for example, the information processing device 2 and the terminal device 3) and the monitoring camera 4 connected via the communication network N under the control of the control unit 10. .

  The storage unit 14 is a storage device that stores various programs executed by the control unit 10 and data used for the various programs. In one embodiment, the storage unit 14 is implemented as a main storage in the device. For example, various storage devices such as a random access memory (RAM) or a flash memory can be adopted as the storage unit 14. The storage unit 14 can also be implemented as an auxiliary storage device. In this case, a hard disk drive (HDD), an optical disk, a solid state drive (SSD), or the like can be employed. For example, the storage unit 14 stores an attack scenario 141, a countermeasure scheduled scenario 142, a log (whole) 143, and network information 144.

  The network information 144 indicates the address and connection path of each node (for example, the management device 1, the information processing device 2, the terminal device 3, and the network device such as a router or a switch) connected to the communication network N in the exercise system 100. Information. The management device 1 can display, for example, a network configuration diagram of the information processing devices 2A, 2B, 2C,..., The terminal devices 3A, 3B, and the communication network N by referring to the network information 144.

  The information processing device 2 and the terminal device 3 have a communication unit 20, a control unit 21 and a storage unit 22. The communication unit 20 is an interface that communicates with another device (for example, the management device 1) connected via the communication network N under the control of the control unit 21.

  The control unit 21 executes various processes according to various programs and control data. In one embodiment, the control unit 21 is implemented as a central processing unit, a so-called CPU. For example, the control unit 21 executes execution of a cyber attack, recording of the backup data 221 and the log (portion) 222, and the like by the processing of the above-mentioned resident program.

  The storage unit 22 is a storage device that stores various programs executed by the control unit 21 and data used for the various programs. As one embodiment, the storage unit 22 is implemented as a main storage device in the apparatus. For example, various storage devices such as a RAM and a flash memory can be adopted as the storage unit 22. The storage unit 22 can also be implemented as an auxiliary storage device. In this case, an HDD, an optical disk, an SSD, or the like can be employed. For example, the storage unit 22 stores backup data 221 and a log (part) 222.

  The control unit 10 implements the functions of the scenario management unit 101, the cyber attack control unit 102, the log collection unit 103, and the display control unit 104 by executing a program.

  The scenario management unit 101 manages the attack scenario 141 and the countermeasure scheduled scenario 142. The attack scenario 141 is data in which a scenario of the entire cyber attack of the information processing devices 2A, 2B, 2C... And the terminal devices 3A, 3B. The coping scenario 142 is data in which the operation content (coping operation) assumed for each cyber attack of the attack scenario 141 is described.

  Based on the attack scenario 141, the cyber attack control unit 102 transmits a command instructing execution of the cyber attack described in the attack scenario 141 to each of the information processing apparatuses 2A, 2B, 2C,. To do.

  The log collection unit 103 collects the recorded log (portion) 222 via the communication unit 13 from the devices related to the exercises such as the information processing device 2 and the terminal device 3. Specifically, the log collection unit 103 transmits a command for requesting the log 222 to each node described in the network information 144 via the communication unit 13. Each device such as the information processing device 2 and the terminal device 3 reads the log (portion) 222 from the storage unit 22 according to the command requesting the log (portion) 222 from the management device 1 and transmits the log (portion) 222 to the management device 1. The log collecting unit 103 merges the logs (parts) 222 transmitted from the devices such as the information processing device 2 and the terminal device 3 and stores the log (whole) 143 of the entire exercise system 100 in the storage unit 14.

  The display control unit 104 performs display control on the display screen of the display unit 11. For example, the display control unit 104 displays graphics such as icons, buttons, and symbols in a GUI (Graphical User Interface) on the display screen of the display unit 11. The display control unit 104 receives an operation instruction from the operation unit 12 in the GUI displayed on the display unit 11, and displays the processing result corresponding to the operation on the display screen.

  As an example, the display control unit 104 causes the display unit 11 to display a display screen for creating the attack scenario 141 and the countermeasure scenario 142. The scenario management unit 101 receives an operation instruction from the operation unit 12 on the display screen displayed on the display unit 11 and creates an attack scenario 141 and a countermeasure planned scenario 142. Next, the scenario management unit 101 registers the created attack scenario 141 and the countermeasure planned scenario 142 in the storage unit 14. The log collection unit 103 also reads the log (whole) 143 and the network information 144 from the storage unit 14 and displays the training status of the exercise system 100 on the display screen of the display unit 11 (details will be described later).

  FIG. 8 is a flowchart illustrating an operation example of the exercise system 100 according to the embodiment. As shown in FIG. 8, the management apparatus 1 creates an attack scenario 141 and a countermeasure scheduled scenario 142 under the control of the display control unit 104. Next, the scenario management unit 101 creates the attack scenario 141 and the countermeasure planned scenario 142 based on the operation instruction from the storage unit 14 (S1). Next, the scenario management unit 101 registers the created attack scenario 141 and countermeasure scenario 142 in the storage unit 14 (S2).

  In S <b> 1, the content of the countermeasure operation for each cyber attack in the attack scenario 141 is set as a parameter of the countermeasure scheduled scenario 142. For example, with regard to “traffic transmission” of the attack scenario 141 illustrated in FIG. 3, as shown in FIG. 4, the contents of three types of countermeasure operations are set in the countermeasure planned scenario 142 as parameters.

  When the exercise is started based on the operation instruction of the exercise start, etc., the scenario management unit 101 of the management device 1 starts the exercise by starting the exercise by the information network 2 and the like by broadcasting to the communication network N via the communication unit 13. The terminal device 3 is notified (S3). When an operation history corresponding to the handling operation described in the handling schedule scenario 142 is recorded as a log (part) 222, the handling schedule scenario 142 is transferred to the information processing device 2 and the terminal device 3 at the start of the exercise in S3. Notice.

  The information processing device 2 and the control unit 21 of the terminal device 3 that have received the notification of the exercise start start recording of the log (part) 222 (S4).

  After starting the exercise, the log collection unit 103 of the management device 1 starts collection of the logs (parts) 222 recorded in the information processing device 2 and the terminal device 3 (S5). Collection of this log (part) 222 is performed at a predetermined cycle (for example, every one second). As a result, the log (entire) 143 of the entire exercise system 100 is sequentially recorded in the storage unit 14.

  Next, the control unit 10 of the management device 1 determines the presence / absence of backup creation based on the presence / absence of the instruction input for creating the backup data of the exercise in the operation unit 12 (S6).

  When creating the exercise backup (S6: YES), the control unit 10 notifies the information processing apparatus 2 and the terminal device 3 of the exercise backup creation via the communication unit 13 (S7). Further, when the exercise backup is not created (S6: NO), the control unit 10 skips the process of S7.

  The control unit 21 of the information processing device 2 and the terminal device 3 determines whether to create a backup of the exercise from the management device 1 (S8). When there is a notification to create a backup of the exercise (S8: YES), the control unit 21 of the information processing device 2 and the terminal device 3 collects data such as files stored by itself and various statuses to generate backup data 221 (S9). Next, the control unit 21 stores the generated backup data 221 as data to be restored to the time of exercise start, for example, with a time stamp indicating the time of exercise start, etc., in the storage unit 22.

  Next, the cyber attack control unit 102 determines whether or not a cyber attack has started based on the attack scenario 141 (S10). Specifically, the cyber attack control unit 102 determines, among the cyber attacks of the registered attack scenario 141, the presence or absence of a cyber attack that has become the start time after the start of the exercise.

  If there is a cyber attack that has become the start time, and it is determined that the cyber attack has started (S10: YES), the cyber attack control unit 102 executes the cyber attack that has become the start time from the attack scenario 141 to the information processing device 2 and the terminal Notification is made to the attack source device in the device 3 (S11). Specifically, the cyber attack control unit 102 reads out the parameters of the cyber attack that has become the start time from the attack scenario 141, and notifies the device of "attack source" of a notification for executing the cyber attack according to the read out parameter. Send. The control unit 21 of the information processing device 2 and the terminal device 3 determines whether or not a cyber attack is performed from the management device 1 (S12). If there is a cyber attack execution notification (S12: YES), the attack source device in the information processing device 2 and the terminal device 3 executes a cyber attack based on the notification in S11 (S13).

  If there is no cyber attack that has reached the start time and there is no cyber attack start (S10: NO), the cyber attack control unit 102 skips the process of S11.

  Next, the display control unit 104 of the management device 1 performs display processing to display the exercise situation in the exercise system 100 on the display screen of the display unit 11 (S14).

  FIG. 9 is an explanatory diagram for explaining the display screen G. FIG. As shown in FIG. 9, the display screen G for displaying the exercise situation is a screen configuration having an entire display area G1, a scenario situation display area G2, and a player situation display area G3.

  The entire display area G1 is an area for displaying the entire configuration. The display control unit 104 displays, for example, a network configuration diagram in the entire display area G1 based on the network information 144. Specifically, the symbols G12A, G12B, G12C, G13A, G13B, and G1N corresponding to the information processing devices 2A, 2B, 2C, and the terminal devices 3A, 3B, and the communication network N are displayed in the entire display area G1. indicate. Note that the overall configuration displayed in the overall display area G1 is not limited to the network configuration diagram in the illustrated example. For example, the display control unit 104 may display the information of each of the configured nodes in the entire display area G1 in a table format for each row.

  The scenario status display area G2 is an area for displaying the progress of the scenario concerning the exercise, and has a scenario display area G21 and a timeline display area G22. The scenario display area G21 is an area for displaying a list of cyber attacks in the attack scenario 141 in time series. The display control unit 104 displays the attack event of the cyber attack described in the attack scenario 141 as NO. It reads out in order and displays it on the scenario display area G21 in tabular form.

  The timeline display area G22 is an area showing various events in a line, with a predetermined axial direction (horizontal axis in the illustrated example) as a time axis. The display control unit 104 performs a display process described later based on the log (entire) 143 of the entire exercise system 100, thereby displaying the cyber attack performed at the time of the exercise in a line.

  The player situation display area G3 is an area for displaying the situation of the exercise subject. The display control unit 104 displays the operation screens G33A to G33E acquired from the terminal device 3 (3A, 3B...) Used by the exercise subject and the camera image G31 acquired from the monitoring camera 4 in the player status display area G3. .

  Specifically, the control unit 10 refers to the network information 144 and specifies the terminal device 3 (3A, 3B,...) Used by the person to be trained by the host name or the like. Next, the control unit 10 requests data transmission of the operation screen to each of the specified terminal devices 3 and acquires display data of the operation screen. The display control unit 104 displays the operation screens G33A to G33E together with the host name and the like in the player status display area G3 based on the display data sequentially acquired from each terminal device 3 used by the exercise subject. The display control unit 104 also displays image data (for example, moving image data) acquired from the monitoring camera 4 via the communication unit 13 as a camera image G31 in the player status display area G3.

  After the display control unit 104 displays the display screen G described above, the display control unit 104 performs display processing to display the exercise status based on the log (entire) 143 of the entire exercise system 100, thereby displaying the display content of the display screen G as the current. Update to the one that matches your practice situation.

  FIG. 10 is a flowchart illustrating the display process of the practice situation. As shown in FIG. 10, when the process is started, the display control unit 104 refers to the attack history of the log (entire) 143, and whether the attack result is successful at this point and there is a device that has received a cyber attack It is determined whether or not (S101). For example, in the attack history illustrated in FIG. 5, the cyber attack of “No. 1” was successful at “00:15:00” after the start of the exercise, and is determined to be a cyber attack against “device A” itself. The

  When there is a device subjected to a cyber attack (S101: YES), the display control unit 104 displays a timeline corresponding to the device subjected to the cyber attack and a symbol indicating that the cyber attack has been received in the scenario status display area G2. It is displayed (S102). If there is no device that has received a cyber attack (S101: NO), the display control unit 104 skips the processing of S102 and S103.

  FIG. 11 is an explanatory diagram for explaining the timeline display area G22. As shown in FIG. 11, in the timeline display area G22, timelines G201 to G205 starting from an attack intrusion symbol G210 indicating that an attack has occurred are displayed for each device that has received a cyber attack. The timelines G201 to G205 are continuously displayed until the countermeasure against the cyber attack is made, and are lines extending along the time axis. The current time symbol G220 is a symbol indicating the current time on the time axis.

  When a cyber attack is performed on another device using the device subjected to the cyber attack as a foothold, an attack spread source symbol G211 is displayed on the timeline (G201, G204) of the attack source device. In addition, for the attack target device that has received a cyber attack, a timeline (G202 to G205) starting from the attack / invasion symbol G210 is displayed. In the timelines G201 to G205, the attack countermeasure symbol G212 is displayed when the countermeasure against the cyber attack is made by the countermeasure operation, and the extension along the time axis is stopped.

  In S102, a timeline is displayed at a location corresponding to the current time symbol G220 in the timeline display area G22, starting from the attack / invasion symbol G210. For example, when the device at the time of “10:00” receives a cyber attack, the display control unit 104 displays the attack / invasion symbol G210 at the time of “10:00”. Then, the display control unit 104 displays a timeline G201 starting from the attack intrusion symbol G210. By confirming the display content of the scenario status display area G2, the user can easily grasp the presence / absence of the device which has been subjected to the cyber attack and the current state thereof.

  Next, the display control unit 104 refers to the network information 144 based on the value of “attack destination” in the attack history of the log (overall) 143, and identifies a device that has received a cyber attack in the entire configuration. Next, the display control unit 104 displays the symbol of the device identified as the device subjected to the cyber attack in the entire display area G1 separately from the symbols of other devices (S103).

  FIG. 12 is an explanatory diagram illustrating the display screen G. As shown in FIG. 12, the display control unit 104 includes an attack target symbol G101 as a symbol G13A of a device subjected to a cyber attack among symbols (G1N, G12A to G12C... G13A, B...) In the entire display area G1. Is displayed. The display control unit 104 also displays an unhandled symbol G102 indicating that the cyber attack has not been dealt with in the vicinity of the symbol G13A. This allows the user to easily check the device under cyber attack, including the non-attack against cyber attack.

  The display form of the attack target symbol G101 and the untreated symbol G102 is not particularly limited to the illustrated example, and may be a display form such as a blinking display as long as it can be distinguished from other devices. .

  Next, the display control unit 104 refers to the attack history of the log (whole) 143, and in a cyber attack where the attack result is successful at present, from a specific device (attack source) to another device (attack destination) It is determined whether or not there is a cyber attack (S104). Specifically, the display control unit 104 selects one of the logs (parts) 222A, 222B, 222C,... Recorded by each of the information processing apparatuses 2A, 2B, 2C,. Whether "attack source" in the cyber attack is identified by the correspondence or "attack destination" is specified from "attack destination" in the log (total) 143, and "attack source" and "attack destination" match? Determine whether or not.

  For example, in the attack history illustrated in FIG. 5, the “No. 2” cyber attack is successful at “00:30:00” after the start of the exercise. The “No. 2” cyber attack is that of the log (portion) 222A of the information processing apparatus 2A (“apparatus A”), so the attack source is “apparatus A”. Therefore, based on the attack target values (“devices B, C, D”) in the “No. 2” cyber attack, it is a cyber attack from “device A” to “devices B, C, D” It is determined.

  If there is a cyber attack from a specific device (attack source) to another device (attack destination) (S104: YES), the display control unit 104 places the timeline display area G22 at a position adjacent to the attack source timeline. The timeline corresponding to the attack target device and the attack intrusion symbol are displayed. Further, the display control unit 104 displays an attack spread source symbol G211 indicating that a cyber attack on another device has been performed on the attack source timeline (S105). If there is no cyber attack from the attack source to the attack destination (S104: NO), the display control unit 104 skips the processing of S105 to S106.

  For example, in the example of FIG. 11, at the time of "13:00", a cyber attack on another device whose attack source is the device corresponding to the timeline G201 is executed. Therefore, the attack spread source symbol G211 indicating the implementation of the cyber attack is displayed on the timeline G204 at "13:00". In addition, immediately below the timeline G204, a timeline G205 starting from the attack entry symbol G210 is displayed. Thus, the user can easily grasp the progress of the cyber attack from the attack source to the attack destination.

  Next, the display control unit 104 refers to the network information 144 for the attack source device and the attack destination device, and identifies the corresponding device in the overall configuration. Next, the display control unit 104 displays the attack source device and the attack destination device separately from other devices in the entire display area G1 (S106).

  FIG. 13 is an explanatory diagram for explaining the display screen G. FIG. As shown in FIG. 13, the display control unit 104, among symbols (G1N, G12A to G12C..., G13A, B...) In the entire display area G1, the attack source device symbol G13A and the attack destination device symbol. The attack target symbol G101 is displayed on G12C. Further, the display control unit 104 displays an attack symbol G103 indicating a cyber attack from the attack source to the attack destination. Note that the attack target symbol G101 may be displayed differently from the attack source to the attack destination, such as, for example, blinking the attack destination and not blinking the attack source. As a result, the user can easily confirm the attack source and the attack destination apparatus with respect to the cyber attack that is performed from the attack source to the attack destination.

  Next, the display control unit 104 displays, for each attack event, the total number of attack targets and the total number of attacked devices in the scenario display area G21 displaying a list of cyber attacks in tabular form for each attack event. (S107).

  Specifically, the display control unit 104 selects No. 1 in the attack scenario 141. The attack event contents ("attack type", "start time", "attack source", "attack destination") are acquired for each attack event described in order. Next, the display control unit 104 sets the total number of “attack destinations” as the total number of attack targets in the attack event. Next, the display control unit 104 extracts an attack history that matches the content of the attack event (“attack type”, “start time”, “attack source”, “attack destination”) from the log (whole) 143. Next, in the extracted attack history, if the attack result is successful, the display control unit 104 sets the total number of “attack destinations” as the total number of devices subjected to the attack.

  Next, the display control unit 104 displays the obtained total number of attack targets and the total number of attacked devices in an item column such as “attack progress” of an attack event. For example, “attack progress” with (total number of attack target) as the denominator, (total number of attacked device) as numerator, (total number of attacked device) / (total attack target), etc. Is displayed in the item column. The user can easily grasp the total number of attack targets scheduled for the attack event and the total number of devices actually attacked by confirming the “attack progress” for each attack event.

  For example, for the second “direct diffusion” attack event in the attack scenario 141 illustrated in FIG. 3, the “attack destination” is “devices B, C, and D”, so the total number of attack targets is “3”. " In addition, among the logs (entire) 143 illustrated in FIG. 5, the attack type “direct type diffusion”, the start time “00:30:00”, the attack source “device A” and the attack source “apparatus A” as matching the attack event. The attack history of the attack destination “apparatus B, C, D” is extracted. In this attack history, since the attack result is successful, “3”, which is the total number of attack destinations “devices B, C, D”, is the total number of devices attacked. Therefore, "3/3" is displayed in the "attack progress" item field.

  Next, the display control unit 104 determines, based on the planned response scenario 142, whether there is a device currently scheduled to perform the response operation (a device scheduled to be processed) (S108). Specifically, the display control unit 104 specifies a scenario in which the current time satisfies a start time to an end time in the countermeasure schedule scenario 142, and determines whether or not there is a “scheduled apparatus” in the identified scenario. For example, if the current time after the exercise is "00:30:00", the first and second scenarios among the to-be-planned scenario 142 illustrated in FIG. 4 are identified, and "to-be-planned device" Device X "is determined as the device to be supported.

  If there is a device scheduled to be supported (S108: YES), the display control unit 104 refers to the network information 144 based on the value of the device scheduled to be handled in the scenario scheduled to be processed 142, and takes measures in the overall configuration. Identify the device. Next, the display control unit 104 displays the planned handling symbol on the device scheduled to be handled in the entire display area G1 (S109). Next, the display control unit 104 displays a measure-to-measure symbol on the operation screen of the measure-to-measure device in the player status display area G3, and displays the screen of the measure-to-measure device (S110). When there is no device to be supported (S108: NO), the display control unit 104 skips the processes of S109 and S110.

  FIG. 14 is an explanatory diagram for explaining the display screen G. As shown in FIG. 14, the display control unit 104 displays the handling schedule symbol G104 on the symbol G13B of the apparatus to be handled among the symbols (G1N, G12A to G12C..., G13A, B...) In the entire display area G1. To do. This allows the user to easily confirm the device that is scheduled to deal with the cyber attack. In addition, the display control unit 104 displays the handling schedule symbol G301 on the operation screen G33E of the apparatus to be handled among the operation screens G33A to G33E in the player status display area G3. As a result, the user can easily confirm the operation screen G33E of the device scheduled to cope with the cyber attack.

  Next, the display control unit 104 determines whether or not there is a countermeasure (coping operation) for the current cyber attack based on the operation history of the log (whole) 143 (S111). For example, when all the operation histories are collected as the log (whole) 143, the display control unit 104 extracts one whose “action time” in the operation history of the log (whole) 143 is more than the current time. . Next, the display control unit 104 determines the presence or absence of the extracted operation history that corresponds to the countermeasure planned scenario 142, that is, the presence or absence of the countermeasure against the cyber attack. Note that when each device records not all operation histories but countermeasures against cyber attacks, the display control unit 104 indicates that the “response time” in the operation history of the log (whole) 143 is past the current time. Determine the presence or absence of things.

  If there is no coping operation (S111: NO), the display control unit 104 does not display the coping operation, so the display control unit 104 skips the processing of S112 to S116 and returns the display processing.

  If there is a coping operation (S111: YES), the display control unit 104 determines whether the coping destination is the attack destination based on the values of “attack destination” and “coping device” in the operation history of the log (whole) 143. It is determined whether or not (S112).

  For example, the operation history of the log (partial) 222A in the log (entire) 143 illustrated in FIG. 6 is the countermeasure device “device E” with respect to the attack destination “device E”, and therefore the countermeasure destination is the attack destination. It is determined that there is. Further, with regard to the operation history of the log (portion) 222B in the log (entire) 143 illustrated in FIG. 6, the countermeasure destination is “device B” with respect to the attack destination “device E”, so the countermeasure destination is not the attack destination It is determined to be a thing.

  When the destination is the attack destination (S112: YES), the display control unit 104 refers to the network information 144 based on the value of the "target device" of the operation history, and the destination (= attack) in the overall configuration. Identify the first device. Next, the display control unit 104 displays a measure symbol indicating measure against the attack destination on the measure target device in the entire display area G1 (S113).

  Further, when the measure destination is not the attack destination (S112: NO), the display control unit 104 refers to the network information 144 based on the value of the “measure device” of the operation history, and measures the measure destination (≠ Identify the attacking device. Next, the display control unit 104 displays a coping symbol indicating coping with the other on the device of the coping destination in the entire display area G1 (S114).

  Subsequent to S113 and S114, the display control unit 104 sets the type of countermeasure based on the value of “handling category” (“investigation”, “initial countermeasure”, “cause countermeasure”, “recovery”, etc.) of the operation history. The corresponding action type icon is displayed on the operation source device (S115).

  15 and 16 are explanatory diagrams for explaining the display screen G. Specifically, FIG. 15 is a diagram for explaining the display when the countermeasure destination is an attack destination (a countermeasure destination = attack destination). FIG. 16 is a diagram for explaining the display when the countermeasure destination is not the attack destination (challenge destination—attack destination).

  When the response destination is the attack destination, as shown in FIG. 15, the direct response to the attack destination is indicated by a straight line for the response destination device (symbol G13A) in the entire display area G1. A symbol G105A is displayed. If the response destination is not the attack destination, as shown in FIG. 16, the response symbol G105B having a display form different from the response symbol G105A is displayed for the response destination device (symbol G1N) in the entire display area G1. Is displayed. Thus, the user can easily recognize direct countermeasures against the attack destination and indirect countermeasures such as disconnection of a network device in the middle, not direct countermeasures against the attack destination.

  Further, the display control unit 104 displays an action type icon G106 corresponding to the action type (for example, “cause action”) to the operation source device (G13B). As a result, the user can easily recognize the type of action currently taken.

  Next, the display control unit 104 displays, in the timeline display area G22, a symbol indicating that the handling has been completed on the timeline of the device for which the handling has been performed by S111: YES (S116), and returns the display processing. For example, when “12:00” is dealt with for the device of the timeline G202 in the timeline display region G22 illustrated in FIG. 11, the display control unit 104 displays the attack countermeasure symbol G212 on the timeline G202. , The extension of the timeline G202 along the time axis after “12:00” is stopped. Thereby, the user can easily recognize from the display of the timeline display area G22 whether or not the cyber attack has been dealt with.

  Returning to FIG. 8, the processing after S14 will be described. Subsequent to S14, the control unit 10 of the management device 1 determines whether or not to repeat the exercise based on the presence or absence of an instruction input to perform the exercise again on the operation unit 12 (S15).

  When redoing an exercise (S15: YES), the control unit 10 notifies the information processing device 2 and the terminal device 3 of redoing the exercise via the communication unit 13 (S16). If the exercise is not redone (S15: NO), the control unit 10 skips the process of S16.

  The control unit 21 of the information processing device 2 and the terminal device 3 determines the presence or absence of a notification from the management device 1 to repeat the exercise (S17). When there is a notification to redo the exercise (S17: YES), the control unit 21 of the information processing device 2 and the terminal device 3 reads the backup data 221 at the start of the exercise from the storage unit 22, and the state at the time of creating the backup data (file And various statuses) (S18), and the process returns to S8. When there is no notification of reworking the exercise (S17: NO), the control unit 21 of the information processing device 2 and the terminal device 3 advances the process to S20.

  As described above, in the exercise system 100, when the management apparatus 1 instructs to redo the exercise, the information processing device 2 and the terminal device 3 restore the state at the start of the exercise using the backup data 221 at the start of the exercise. Can be easily realized.

  Next, the control unit 10 of the management device 1 determines whether or not the exercise has ended based on whether the current time has reached the end time in the attack scenario 141 (S19). If it is not the end (S19: NO), the control unit 10 returns the process to S6 and continues the exercise. When it is end (S19: YES), the control unit 10 notifies the information processing device 2 and the terminal device 3 of the end and ends the exercise.

  The control unit 21 of the information processing device 2 and the terminal device 3 determines the presence or absence of the end of the exercise based on the presence or absence of the notification of the end from the management device 1 (S20). When it is not the end (S20: NO), the control unit 21 returns the process to S11 and continues the exercise. When it is the end (S20: YES), the control unit 21 ends the exercise.

  As described above, in the exercise system 100, when the management apparatus 1 detects a specific information processing apparatus (the information processing apparatus 2 or the terminal apparatus 3) that has been subjected to a cyber attack (S101: YES), the timeline display area G22 (second A timeline corresponding to a specific information processing apparatus is newly displayed in the display area 1). In addition, the management device 1 displays an attack intrusion symbol G210 (first symbol) indicating that the cyber attack has been received on the timeline. Further, when the management device 1 detects that a cyber attack has been made on another information processing device from a specific information processing device (S104: YES), the attack spreading source symbol indicating that the cyber attack has been made on the timeline G211 (second symbol) is displayed. In addition, the management device 1 adjoins the timeline corresponding to the information processing device subjected to the cyber attack to the timeline corresponding to the information processing device that is the attack source in response to detection of another information processing device subjected to the cyber attack. A new display will be displayed. Further, the management device 1 displays an attack intrusion symbol G210 indicating that an attack has been received on a timeline corresponding to the information processing device which has received a cyber attack. Therefore, the user can easily recognize the situation of the cyber attack from the display in the timeline display area G22.

  In the exercise system 100, the management apparatus 1 displays the configuration of a system including a plurality of information processing apparatuses in the entire display area G1. In addition, the management apparatus 1 identifies an information processing apparatus that is scheduled to perform a countermeasure operation based on the countermeasure schedule scenario 142 when any of the plurality of information processing apparatuses is cyber-attacked. In addition, the management apparatus 1 displays the countermeasure schedule symbol G104 on the information processing apparatus specified in the system configuration of the entire display area G1, and displays the information processing apparatus scheduled to perform the countermeasure operation so that it can be distinguished from other information processing apparatuses. To do. Therefore, the user can easily recognize the information processing apparatus which is scheduled to perform the countermeasure operation against the cyber attack.

  Further, in the exercise system 100, the management apparatus 1 determines whether the information processing apparatus to be dealt with by the coping operation is the information processing apparatus to be attacked or another information processing apparatus (S112). Further, the management device 1 sets the display indicating that the coping to the coping destination information processing device is in progress to a different display form (coping symbol G105A or coping symbol G105B) according to the determination result. Therefore, the user can easily recognize whether the information processing apparatus of the countermeasure destination by the countermeasure operation is the information processing apparatus of the attack destination or another information processing apparatus.

  Further, in the exercise system 100, the management apparatus 1 selects an information processing apparatus for which a countermeasure operation is to be performed based on a countermeasure scenario 142 for an attack event when any of a plurality of information processing apparatuses is cyber-attacked. Identify. Further, the management device 1 arranges and displays operation screens (operation screens G33A to G33E) of a plurality of information processing devices in the player status display area G3. In addition, the management device 1 displays the handling schedule symbol G301 on the operation screen of the identified information processing device in the player status display area G3, and displays the operation screen of the information processing device on which the handling operation is scheduled to be performed on another information processing device. It is displayed so that it can be distinguished from the operation screen. Therefore, the user can easily recognize the operation screen of the information processing apparatus for which the coping operation is to be performed.

  Further, in the exercise system 100, the information processing device 2 and the terminal device 3 store the backup data 221 at an arbitrary timing of the exercise. In addition, when an instruction to return to the state before the start of the exercise is issued after the start of the exercise (S17: YES), the information processing device 2 and the terminal device 3 are restored to the state before the start of the exercise using the backup data 221 To do. Therefore, in the exercise system 100, it is possible to easily realize the display of the exercise situation in the middle of the exercise by reworking the exercise.

  It should be noted that each component of each illustrated apparatus does not necessarily have to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to that shown in the figure, and all or a part thereof may be functionally or physically distributed or arbitrarily distributed in arbitrary units according to various loads or usage conditions. It can be integrated and configured.

  For example, the backup processing (S6 to S9, S15 to S18) after the exercise starts and the exercise status display processing (S4 to S5, S10 to S14) may be performed separately. Also, part of the exercise status display processing (S101 to S116) may be performed separately. For example, processing concerning display of scenario status display area G2 (S101 to S104, S116 etc.), processing concerning display of whole display area G1 (S108 to S110 etc), processing concerning display of player status display area G3 (S108 to S108) S111 etc.) may be carried out separately.

  Various processing functions performed by the management device 1, the information processing device 2, and the terminal device 3 are all or some of the functions performed on the CPU (or a microcomputer such as an MPU or MCU (Micro Controller Unit)). You may make it perform. In addition, various processing functions may be executed in whole or in any part on a program that is analyzed and executed by a CPU (or a microcomputer such as an MPU or MCU) or hardware based on wired logic. Good.

  Various processes described in the above embodiments can be realized by executing a prepared program on a computer. Therefore, in the following, an example of a computer (hardware) that executes a program having the same function as in the above embodiment will be described. FIG. 17 is a block diagram illustrating an example of a hardware configuration of the management device 1, the information processing device 2, and the terminal device 3 according to the embodiment. In the illustrated example, the configuration of the management device 1 is illustrated as an example, but the configurations of the information processing device 2 and the terminal device 3 are also the same.

  As illustrated in FIG. 17, the management device 1 includes a CPU 501 that executes various arithmetic processes, an input device 502 that receives data input, a monitor 503, and a speaker 504. In addition, the management apparatus 1 includes a medium reading device 505 that reads a program and the like from a storage medium, an interface device 506 for connecting to various devices, and a communication device 507 for communication connection with an external device by wire or wireless. . The management device 1 also includes a RAM 508 that temporarily stores various types of information and a hard disk device 509. Each unit (501 to 509) in the management apparatus 1 is connected to the bus 510.

  The hard disk device 509 stores a program 511 for executing various processes by the control unit 10 described in the above embodiment. The hard disk device 509 stores various data 512 (attack scenario 141, countermeasure scenario 142, log (whole) 143, network information 144, etc.) referred to by the program 511. The input device 502 receives, for example, an input of operation information from the operator of the management device 1. The monitor 503 displays, for example, various screens operated by the operator. For example, a printing device is connected to the interface device 506. The communication device 507 is connected to a communication network such as a LAN (Local Area Network) and exchanges various information with an external device via the communication network N.

  The CPU 501 reads out the program 511 stored in the hard disk device 509, develops it in the RAM 508, and executes it to perform various processes. The program 511 may not be stored in the hard disk device 509. For example, the management apparatus 1 may read and execute the program 511 stored in a storage medium that can be read by the management apparatus 1. The storage medium that can be read by the management apparatus 1 is, for example, a portable storage medium such as a CD-ROM, a DVD disk, or a USB (Universal Serial Bus) memory, a semiconductor memory such as a flash memory, a hard disk drive, or the like. Alternatively, the program may be stored in a device connected to a public line, the Internet, a LAN, or the like, and the management device 1 may read and execute the program from these.

DESCRIPTION OF SYMBOLS 1 ... Management apparatus 2, 2A, 2B, 2C ... Information processing apparatus 3, 3A, 3B ... Terminal device 4 ... Monitoring camera 10, 21 ... Control part 11 ... Display part 12 ... Operation part 13, 20 ... Communication part 14, 22 ... storage unit 100 ... exercise system 101 ... scenario management unit 102 ... cyber attack control unit 103 ... log collection unit 104 ... display control unit 141 ... attack scenario 142 ... planned action scenario 143 ... log (whole)
144 ... Network information 221, 221A, 221B, 221C ... Backup data 222, 222A, 222B, 222C ... Log (part)
501 ... CPU
511: Program 512 ... Various data AT ... Cyber attack G ... Display screen G1 ... Whole display area G2 ... Scenario situation display area G3 ... Player situation display area G1N, G12A to G12C, G13A, G13B ... Symbol G21 ... Scenario display area G22 ... Timeline display area G31 ... Camera images G33A to G33E ... Operation screen G101 ... Attack target display G102 ... Unhandled display G103 ... Attack display G104, G301 ... Schedule symbols G105A, G105B ... Measured display G106 ... Action type icons G201-G205 ... Timeline symbol G210 ... Attack intrusion symbol G211 ... Attack diffusion source symbol G212 ... Attack countermeasure symbol G220 ... Current time symbol N ... Communication network

Claims (10)

In a program that uses a system that includes multiple information processing devices to monitor exercises against cyber attacks that define attacks and countermeasures as scenarios,
When a specific information processing apparatus which has been attacked is detected among the plurality of information processing apparatuses, a first timeline corresponding to the specific information processing apparatus is newly displayed in a first display area for displaying a timeline. And displaying a first symbol on the first timeline to indicate that an attack has been received,
When it is detected that an attack on another information processing apparatus is made from the specific information processing apparatus, a second symbol indicating that the attack is made is displayed on the first timeline, and the attack is received In response to detection of another information processing apparatus, a second timeline corresponding to the other information processing apparatus is newly displayed at a position adjacent to the first timeline, and on the second timeline. A program causing a computer to execute a process of displaying the first symbol indicating that the attack has been made. When it is detected that a response to the attack has been taken, the computer is caused to execute processing for displaying a third symbol indicating that the response has been taken on the first timeline and / or the second timeline. The program according to claim 1. In the second display area for displaying the attack event, for each attack event, the computer is caused to execute processing for displaying the total number of information processing devices targeted by the attack event and the total number of information processing devices subjected to the attack. The program according to claim 1 or 2, characterized in that In a program that uses a system that includes multiple information processing devices to monitor exercises against cyber attacks that define attacks and countermeasures as scenarios,
Displaying a configuration of a system including the plurality of information processing apparatuses;
When one of the plurality of information processing devices is attacked in response to a specific attack event included in an attack scenario, the action for the specific attack event stored in association with the specific attack event Identify an information processing apparatus for which a coping operation is to be performed based on the scheduled scenario,
In the system configuration, a program for causing a computer to execute a process of displaying an information processing apparatus scheduled to perform the coping operation so as to be distinguishable from other information processing apparatuses. 5. The program according to claim 4, wherein the computer executes a process of displaying the information processing apparatus attacked in response to the specific attack event so as to be distinguishable from other information processing apparatuses. Among the information processing devices attacked in response to the specific attack event, the computer is caused to execute processing for displaying the information processing device attacked in an distinguishable manner from the information processing device not attacked. The program according to claim 5, wherein In a program that uses a system that includes multiple information processing devices to monitor exercises against cyber attacks that define attacks and countermeasures as scenarios,
Displaying a configuration of a system including the plurality of information processing apparatuses;
When a first information processing apparatus among the plurality of information processing apparatuses is attacked in response to a specific attack event included in an attack scenario and a coping operation using the second information processing apparatus is performed, the coping operation It is determined whether the information processing apparatus to which the system is to be addressed is the first information processing apparatus or another information processing apparatus,
A program characterized by causing a computer to execute processing for changing the display indicating that the second information processing apparatus is in the middle of performing measures to the information processing apparatus of the handling destination according to the determination result. The second information processing apparatus causes the computer to execute processing for displaying an icon indicating the type of handling of the information processing apparatus to which the second information processing apparatus copes with the second information processing apparatus. Item 7. The program according to Item 7. In a program that uses a system that includes multiple information processing devices to monitor exercises against cyber attacks that define attacks and countermeasures as scenarios,
Operation screens of a plurality of predetermined information processing devices among the plurality of information processing devices are arranged and displayed;
When any of the plurality of information processing devices is attacked in response to a specific attack event included in an attack scenario, a countermeasure schedule for the specific attack event stored in association with the specific attack event Based on the scenario, identify an information processing apparatus for which a coping operation is to be performed,
Among the predetermined plurality of information processing apparatuses displayed side by side, the operation screen of the information processing apparatus scheduled to perform the specified coping operation is displayed distinguishably from the operation screens of other information processing apparatuses. A program characterized by having it run. In a program that uses a system that includes multiple information processing devices to monitor exercises against cyber attacks that define attacks and countermeasures as scenarios,
Based on the attack scenario, the timing before the start of the attack event is detected,
Store the backup data of the system at the detected timing,
When an instruction to return to the state before the start of the attack event of the attack scenario is made after the start of the attack event, the system is restored to the state before the start of the attack event using the backup data,
A program causing a computer to execute a process of generating the attack event after restoration.

Images