JP6889673B2 - Security Countermeasure Planning Equipment and Methods - Google Patents

Description

The present invention relates to a security countermeasure planning device and a method. For example, even if an alarm indicating that a cyber attack has occurred from the outside is detected while the user is working on some business on a terminal connected to the network, the user's business by the terminal is unique. It relates to a security countermeasure planning device and a method for formulating a security countermeasure that can deal with a cyber attack while continuing business without stopping.

In recent years, cyber attacks targeting private companies, defense-related companies, and public institutions have become apparent, increasing the risk of damaging the interests and security of individuals, companies, and the nation. In addition, attack methods are becoming more sophisticated, and targeted attacks that use advanced malware to infiltrate the networks of specific government offices, companies, and organizations to steal confidential information or destroy systems are security measures. It is a big threat. Immediate action needs to be applied to minimize the damage caused by these threats.

As one of such countermeasures, for example, there is a technique described in Japanese Patent Application Laid-Open No. 2005-70218 (Patent Document 1). In this document 1, "a policy management device that automatically updates the policy of the firewall by using the unauthorized access detection function of the network type intrusion detection system is provided, and the prevention of unauthorized access is automatically executed by the administrator. It reduces the load and makes it feasible by using commercially available products. " That is, an unauthorized access prevention system that automatically updates the policy of the firewall by using the unauthorized access detection function of the network-type intrusion detection system and automatically executes the prevention of unauthorized access is disclosed.

Japanese Unexamined Patent Publication No. 2005-71218

According to the technique of Patent Document 1, it is possible to quickly perform from the detection of a cyber attack to the implementation of countermeasures. However, in Patent Document 1, since no consideration is given to the user's business, for example, by taking security measures such as blocking the communication destination of malware, communication related to the user's business is transmitted to the generated policy. If it is included, the communication may be blocked, which may adversely affect the user's business.
The present invention has been made in view of the above circumstances, and an object of the present invention is to provide a technique for devising a security countermeasure that does not adversely affect a user's business.

In order to solve the above problem, one of the typical security countermeasure planning devices and methods of the present invention is to keep the communication used by the user in business as a white list for each terminal and detect a cyber attack. In addition, a countermeasure is devised for each terminal, and if the devised countermeasure exists in the white list of the terminal, a new countermeasure with a more limited scope of countermeasure is formulated.

According to the present invention, it is possible to devise a security countermeasure that does not adversely affect the user's business by the terminal.
Issues, configurations and effects other than those described above will be clarified by the description of the following embodiments.

The figure which shows the configuration example of the security measure planning apparatus which concerns on embodiment of this invention. The figure which shows an example of the white list which concerns on embodiment of this invention. The figure which shows an example of the terminal activity log which concerns on embodiment of this invention. The figure which shows an example of the coping measure template which concerns on embodiment of this invention. The flowchart which shows the series of processing which concerns on embodiment of this invention. The flowchart which shows the diffusion activity determination processing which concerns on embodiment of this invention. The explanatory view of the diffusion activity determination processing which concerns on embodiment of this invention. The flowchart which shows the coping terminal determination process which concerns on embodiment of this invention. The flowchart which shows the coping measure planning process which concerns on embodiment of this invention.

In order to respond to malware threats, security measures such as blocking malware communication destinations are effective as described above. However, the application of easy security measures such as blocking the communication destination of malware may adversely affect the user's business. For this reason, it is necessary to carefully examine the planning of security countermeasures, and there is a problem that it takes time.
Therefore, in the present embodiment, in order to correct the above problem, information on communication used by the user in business is stored in advance as a white list for each terminal, and a countermeasure (communication direction) devised at the time of cyber attack detection is performed. When "Out" and "In") are included in the white list, a new countermeasure that limits the scope of countermeasures is devised.
For example, the information including the IP address, communication method, port, protocol, and size related to the communication of the terminal in the white list, and the communication direction of the coping terminal, for example, "IP address" 10.0.0.1 "" If the first countermeasure of level "1" that "blocks communication to the port" TCP / 445 "with Out" exists in the white list, the communication range is better than the first countermeasure of the level "1". Countermeasures for level "2" that "IP address" 10.0.0.1 "blocks protocol" SMVv2 "to port" TCP / 445 "in communication direction" Out "" with limited (range of action) Make a plan.
This makes it possible to formulate security measures that do not affect the user's business.
In the embodiment, the security countermeasure planning device is provided with each program that realizes the white list generation processing function, the terminal activity acquisition processing function, the diffusion activity judgment processing function, the countermeasure terminal judgment processing function, and the countermeasure planning processing function. It is a thing. Hereinafter, the embodiment will be described with reference to the drawings.
In the following examples, a table will be described as a means for storing each information, but each information may be represented by a data structure other than the table. Further, each program is executed by a processor, for example, an MP (microprocessor), a CPU, a microcontroller, or the like, and performs a predetermined process.

FIG. 1 is a diagram showing a configuration example of a security countermeasure planning device according to an embodiment of the present invention.
The security countermeasure planning device 101 is connected to the terminal 117 and the security appliance 118 via the network 116.

The terminal 117 is a terminal used by a user for business, and includes a plurality of terminals, for example, a terminal A117a, a terminal B117b, and a terminal C117c, which are an information processing device having an information processing and communication processing function and a business. It consists of a server and so on.
Although not shown, the terminal 117 has existing antivirus software and security countermeasure functions such as HIDS (Host-based IDS).

The security appliance 118 is connected to the Internet 119 and is composed of services, hardware, software, and the like that take security measures on the network.
Examples of the security appliance 118 include FW (FireWall), IDS (Intrusion Detection System), IPS (Intrusion Prevention System), WAF (Web Application Firewall), UTM (Unified Term), and the like.

The security countermeasure planning device 101 has, for example, a CPU (Central Processing Unit) 103, a main memory 104 for storing each program required for the CPU 103 to execute processing, and a capacity for storing a large amount of data and information. A storage device 105 such as a hard disk or flash memory, an IF (interface) 102 for communicating with other devices (terminal 117, security appliance 118), and an input / output device for input / output such as a keyboard and a display. It is composed of a computer including 106 and a communication path 107 connecting each of these devices.
The communication path 107 is, for example, an information transmission medium such as a bus or a cable.

The CPU 103 generates the white list 113 for each terminal 117 by executing the white list generation program 108 stored in the main memory 104, and executes the terminal activity acquisition program 109 to generate the terminal activity for each terminal 117. By generating the log 114 and executing the spread activity determination program 110, the server attack for each terminal 117, for example, the diffusion activity used for spreading malware is determined, and the coping terminal determination program 111 is executed. As a result, the terminal 117 to which the security countermeasure is applied is determined, and the countermeasure planning program 112 is executed to formulate a countermeasure for each terminal 117 that does not adversely affect the user's business.

The white list generation program 108 constitutes a white list generation unit that generates a white list, and the terminal activity acquisition program 109 constitutes a terminal activity acquisition unit that acquires a terminal activity log 114 indicating the activity status of the terminal 117, and spreads the information. The activity determination program 110 constitutes a spread activity determination unit that determines the spread activity of malware, and the coping terminal determination program 111 is a terminal 117 that is or may be infected with malware due to the spread activity. The countermeasure terminal determination unit is configured to determine as a countermeasure terminal (preventive countermeasure terminal / preventive countermeasure terminal), and the countermeasure planning program 112 constitutes a countermeasure planning unit that formulates countermeasures against malware for the countermeasure terminal. ..

The white list 113 is generated for each terminal 117, for example, from the terminal activity log 114 of each terminal.
The terminal activity log 114 acquires a packet of communication performed by the terminal 117, constructs communication information from the packet, and generates it.
The countermeasure is planned using, for example, the countermeasure template 115 prepared in advance.
The spreading activity represents a set of communications performed by malware to spread the infection to other terminals.

The storage device 105 has information on a white list 113 that defines the communication used by the user of the terminal 117 in business, a terminal activity log 114 that records the communication of the terminal 117, and a countermeasure template 115 that indicates a rule for formulating a countermeasure. It has each storage unit for storing (data).
Each of the above programs and information (data) may be stored in the main memory 104 or the storage device 105 in advance, or may be installed (loaded) from the input / output device 106 when necessary. Alternatively, it may be installed (loaded) from another device via IF102.

FIG. 2 is a diagram showing an example of the white list 113.
As shown in the figure, the white list 113 includes an area for storing information of ID 201, IP address 202, communication direction 203, port 204, protocol 205, and size 206. “Out” and “In” in the communication direction 203 represent one of the countermeasures.

ID 201 represents information (1, 2, etc.) that uniquely identifies the white list 113, and IP address 202 is the IP (Internet Protocol) address (10.0) of the terminal (handling terminal) 117 that is the target of the white list 113. The communication direction 203 represents the direction of communication that is the target of the white list 113 drafted by the countermeasure planning program 112, and the port 204 is the port that is the target of the white list 113 (port 204, etc.). UDP / 53, TCP / 80, etc.), the protocol 205 represents the protocol (DNS, HTTP1.1, etc.) that is the target of the white list 113, and the size 206 is the packet size of the communication that is the target of the white list 113. Represents (82-88, 54-822, etc.).

In addition, "Out" or "In" is stored in the communication direction 203. “Out” indicates that the white list 113 targets the communication transmitted by the terminal 117 (source) having the IP address 202 (10.0.0.1, 10.0.0.2). “In” is a terminal 117 having an IP address 202 (10.0.0.3, 10.0.0.254, 10.0.0.0100, 10.0.0.101) in the white list 113. Indicates that (destination) is intended for the communication received.
When the target protocol of the white list 113 is unknown, "-" is stored in the protocol 205.

The size 206 stores, for example, the minimum packet size and the maximum packet size of the communication to be the target of the white list 113.
If the packet size of the communication targeted by the white list 113 is unknown, "-" is stored in the size 206.

In FIG. 2, for example, the ID 201 is "1", the IP address 202 is "10.0.0.1", the communication direction 203 is "Out", the port 204 is "UDP / 53", and the protocol 205 is "DNS". When the size 206 is the white list 113 of "82-88", the terminal with the IP address "10.0.0.1" uses "DNS (Port 53 of User Datagram Protocol)" and "DNS (DNS). A "Domain Name System) query" is transmitted, indicating that the packets included in the communication are "82 bytes to 88 bytes".

The ID 201 is "5", the IP address 202 is "10.0.0.3", the communication direction 203 is "In", the port 204 is "TCP / 445", the protocol 205 is "SMBv2", and the size 206 is "". In the case of the white list 113 of "54-200", the terminal whose IP address is "10.0.0.3" uses "Port 445 of TCP (Transmission Control Protocol)" and "SMB (Server Message Block)". It means that the communication of "v2 (version2)" is received and the packet included in the communication is "54 to 200 bytes".

As described above, the white list 113 defines the communication used by the user of the terminal 117 for business, and is used in the security countermeasure planning device 101 for each terminal 117 based on the information related to the communication for each terminal 117. Generate a white list of.
The information in the white list 113 may be input or updated by the administrator of the security countermeasure planning device 101 as necessary, and the white list generation program 108 executed by the CPU 103 is stored in the terminal activity log 114. It may be generated using the stored terminal activity.
The specific processing of the white list generation program 108 will be described later.
Further, the white list 113 is used when the countermeasure planning program 112 executed by the CPU 103 plans a countermeasure.
The specific processing of the countermeasure planning program 112 will be described later with reference to FIG.

FIG. 3 is a diagram showing an example of the terminal activity log 114.
The terminal activity log 114 shows the terminal activity of the terminal 117, and stores ID 301, date and time 302, source 303, destination 304, port 305, protocol 306, and size 307, respectively, as shown in the figure. It is composed including an area.

ID301 represents information (1, 2, etc.) that uniquely identifies the terminal activity log 114, and date and time 302 is the date and time when terminal communication (terminal activity) occurred (2017/1/1 00: 00: 00, 2017 / 1/100: 00: 03, etc.), the source 303 represents the terminal of the communication source (10.0.0.1, 10.0.0.2, etc.), and the destination 304 is. Represents the terminal of the communication destination (10.0.0.254, 10.0.0.0100, etc.), port 305 represents the communication destination port (UDP / 53, TCP / 80, etc.), and the protocol. Reference numeral 306 represents a communication protocol (DNS, HTTP1.1, etc.), and size 307 represents the size of packets included in the communication (82-88, 54-822, etc.).
If the communication protocol is unknown, "-" is stored in the protocol 306. Further, the size 307 stores, for example, the minimum size and the maximum size of the information (packet) included in the communication.

In FIG. 3, for example, the ID 301 is “1”, the date and time 302 is “2017/1/1 00: 00: 00”, the source 303 is “10.0.0.1”, and the destination 304 is “10.0”. In the case of terminal activity log 114 with "0.254", port 305 "UDP / 53", protocol 306 "DNS", and size 307 "82-88", the date and time "2017/1/1 00:00: From the terminal 117 (source) whose IP address is "10.0.0.1" to "00", the "UDP / 53" of the terminal 117 (destination) whose IP address is "10.0.0.254" It indicates that "DNS" communication has occurred to the "port" and "82 bytes to 88 bytes" of communication has been used for the "DNS" communication.
Each piece of information in the terminal activity log 114 is generated by the terminal activity acquisition program 109 executed by the CPU 103.
The specific processing of the terminal activity acquisition program 109 will be described later.

The terminal activity log 114 is used when the spreading activity determination program 110 executed by the CPU 103 determines the spreading activity of malware and when the coping terminal determination program 111 executed by the CPU 103 determines the coping terminal. To.
The specific processing of the diffusion activity determination program 110 will be described later with reference to FIG. 6, and the specific processing of the coping terminal determination program 111 will be described with reference to FIG.

FIG. 4 is a diagram showing an example of the countermeasure template 115.
As shown in the figure, the countermeasure template 115 includes an area for storing each information of the ID 401, the communication direction 402, the level 403, and the planning template 404.

ID 401 represents information that uniquely identifies the countermeasure template 115, communication direction 402 represents the direction in which the countermeasure is applied, level 403 represents the level of the countermeasure, and planning template 404 represents the countermeasure. Represents the template used when doing so.
When the communication direction 402 is "Out", it means that the communication transmitted by the terminal 117 is blocked, and when the communication direction 402 is "In", it means that the communication received by the terminal 117 is blocked.
For example, when any one of the terminals 117 is already infected with malware, a countermeasure for the communication direction "Out" is devised so that the other terminals are not infected and the number of infected terminals does not increase.
In addition, when the terminal 117 is not yet infected with malware, a countermeasure for the communication direction "In" is devised in order to prevent the terminal from being infected with malware.
Further, the level 403 is a value defined by the size of the communication range (countermeasure range) affected by the countermeasure. The smaller the level value, the wider the coping range, and the larger the level value, the narrower the coping range.

The planning template 404 represents which attribute included in the spreading activity (for example, source, destination, port, protocol, size, etc. in FIG. 3) is used to plan the countermeasure.
For example, if the countermeasure of the planning template 404 is "block the port", it means that the communication using the port included in the spreading activity is blocked, and the countermeasure of the planning template 404 is "block the port and the protocol". If there is, it means that the port included in the spreading activity and the communication using the protocol are blocked.
If the countermeasure of the planning template 404 is "block the port, protocol, and size", it means that the communication using the port, protocol, and size included in the spreading activity is blocked, and the countermeasure of the planning template 404 is If "blocks port, protocol, size, and terminal", it means that the port, protocol, size, and communication using the terminal included in the spreading activity are blocked.
Then, for example, in the case of the countermeasure template 115 in which the ID 401 is "1", the communication direction 402 is "Out", the level 403 is "1", and the planning template 404 is "block the port", the terminal 117 is engaged in spreading activity. Indicates that a countermeasure for blocking communication transmitted to the included port (UDP / 53) is devised.

The information of the countermeasure template 115 may be input or updated by the administrator as needed.
The countermeasure template 115 is used when the countermeasure planning program 112 executed by the CPU 103 plans a countermeasure.
The specific processing of the countermeasure planning program 112 will be described later with reference to FIG.

Next, a process in which the white list generation program 108 generates the white list 113 from the terminal activity log 114 will be described.

When the administrator activates the security countermeasure planning device 101, the white list generation program 108 generates the white list 113 using the terminal activity log 114 for a specific period instructed by the administrator.
At this time, in order to prevent malware communication from being mixed in the white list 113, the administrator shall indicate the period during which the malware has not invaded the organization.

Further, the white list generation program 108 acquires the terminal activity log 114 performed in a specific period from the terminal activity log 114, and has a white list whose communication direction 203 regarding the source 303 is "Out" and a communication direction regarding the destination 304. 203 generates a white list of "In" (see FIG. 2).

The processing of the white list generation program 108 will be described below using a specific example.
Here, for example, the terminal activity log 114 illustrated in FIG. 3 is stored, and the period used by the administrator for white list generation is "2017/1/1 00: 00: 00-2017 / 1/1 00: 00: It is assumed that "00:02" is instructed.

Then, the white list generation program 108 acquires the terminal activity log 114 that matches the period used for white list generation from the terminal activity log 114.
At this time, the terminal activity log 114 with ID 301 of "1" matches the period specified by the administrator.
That is, in the white list generation program 108, the ID 301 is "1", the date and time 302 is "2017/1/1 00:00", the source 303 is "10.0.0.1", and the destination 304 is "10.0.0.1". White list 113 is generated from the terminal activity log 114 of "10.0.0.254", port 305 is "UDP / 53", protocol 306 is "DNS", and size 307 is "82-88".

At this time, information 1131 with IP202 of "10.0.0.1", communication direction 203 of "Out", port 204 of "UDP / 53", protocol 205 of "DNS", and size 206 of "82-88". (White list with ID 201 of "1" in FIG. 2), IP202 is "10.0.0.254", communication direction 203 is "In", port 204 is "UDP / 53", protocol 205 Is generated as a white list containing information 1132 having a size of "DNS" and a size of 206 of "82-88" (a white list having ID 201 of "6" in FIG. 2).

Next, a process in which the terminal activity acquisition program 109 generates the terminal activity log 114 will be described.

The terminal activity acquisition program 109 acquires the communication (packet) performed by the terminal 117 via the IF201.
Specifically, it is assumed that the communication packet performed by the terminal 117 is acquired by mirroring the ports of the switches and routers existing in the network 116.

The terminal activity program 109 constructs communication information from acquired communication packets and records it in the terminal activity log storage unit 114 as a terminal activity log (see FIG. 3).
If the protocol cannot be determined, "-" is recorded in the protocol 306.

Hereinafter, a specific example of the processing procedure will be described.
For example, from the terminal 117 with the IP address "10.0.0.1" to the UDP / UDP of the terminal 117 with the IP address "10.0.0.254" on the date and time of "2017/1/1 00: 00: 00". When a DNS packet (packet size 82) is transmitted to port 53 and there is a DNS packet response (packet size 88) from the terminal 117 with the IP address "10.0.0.254", the terminal activity acquisition program 109 , Date and time 302 is "2017/1/1 00:00", Source 303 is "10.0.0.1", Destination 304 is "10.0.0.254", Port 305 is "UDP" / 53 ”, protocol 306 is“ DNS ”, size 307 is“ 82-88 ”, and a terminal activity log (terminal activity log with ID 301 of“ 1 ”in FIG. 3) is recorded.

Next, a process in which the spreading activity determination program 110 determines the spreading activity of malware, the coping terminal determination program 111 determines the terminal to be dealt with, and the coping measure planning program 112 devises a coping measure will be described.

FIG. 5 is a flowchart showing a series of processing flows from diffusion activity determination to countermeasure planning.

The operation based on the flowchart of FIG. 5 is as follows.
Step 5011:
When the security appliance 118 detects an attack from a foreign enemy, the diffusion activity determination program 110 receives a detection alert indicating that fact via the IF 102.

Step 502:
When the diffusion activity determination program 110 receives the detection alert in step 501, the diffusion activity determination program 110 determines the diffusion activity and activates the coping terminal determination program 111.
The details of the diffusion activity determination process will be described later with reference to FIG.

Step 503:
The coping terminal determination program 111 determines the coping terminal and activates the coping countermeasure planning program 112.
The details of the coping terminal determination process will be described later with reference to FIG.

Step 504:
The countermeasure planning program 112 plans a countermeasure and ends the process.
The details of the countermeasure planning process will be described later with reference to FIG.

Next, an example of the malware spreading activity determination process (step 502) performed by the spreading activity determination program 110 after receiving the detection alert of the security appliance 118 will be described.

FIG. 6 is a flowchart showing the flow of the process (step 502) of determining the spread activity of malware performed by the spread activity determination program 110.

The operation based on the flowchart of FIG. 6 is as follows.
Step 601:
The diffusion activity determination program 110 determines the terminal activity that occurred between a certain point in time (threshold time before) and the alert generation as the diffusion activity in the alert target terminal. That is, the terminal 117 that is the target of the detection alert is marked as the investigation target terminal, the investigation target terminal is the source or the investigation target terminal from the terminal activity log 114, going back to the threshold second (for example, 3600 seconds) before the detection alert occurrence date and time. The terminal activity log included in the destination is judged as spreading activity.

Step 602:
The diffusion activity determination program 110 determines the terminal activity generated during the alert generation from a certain point (threshold time before) as the diffusion activity for all the terminals during the diffusion activity. That is, among the terminals 117 included in the source or destination of the spreading activity determined in step 601, the terminal 117 that is not marked as the survey target terminal is marked as the survey target terminal, and the threshold second (from the detection alert occurrence date and time) For example, going back to 3600 seconds), the terminal activity log in which the surveyed terminal is included in the source or destination is determined as the spreading activity from the terminal activity log 114.
Hereinafter, the determination of the diffusion activity is repeated until all the destinations of the diffusion activity or the terminals 117 included in the transmission destination are marked, and the process is completed.

FIG. 7 is a diagram for explaining the flow of processing from step 601 to step 602, and shows the relationship between the terminal activities (702a to 702g) of a plurality of terminals 117 (terminals A117a to E117e) and the occurrence of alert 701. It is a time chart schematically shown.

It is assumed that the alert 701 is generated at the terminal A117a and the terminal activities 702a to 702g represented by the arrow 702 are performed before the alert 701 is generated.
Here, for example, the terminal activity 702a indicates that communication from the terminal A117a to the terminal B117b is occurring, and the terminal activity 702f indicates that communication is occurring from the terminal A117a to the terminal D117d. The activities 702d and 702g indicate that communication from the terminal B117b to the terminal A117a is occurring.
For the sake of simplicity, the ports, protocols, and sizes used for terminal activities are omitted.

When the diffusion activity determination program 110 determines from the terminal activity log 114 the terminal activity log included in the source or destination as the diffusion activity in step S601, the terminal A117a is marked as the investigation target terminal. , Terminal activity 702d, terminal activity 702f, terminal activity 702g are determined as diffusion activity.

In step 602 of FIG. 6, when the terminal activity determination program 110 determines the terminal activity log included in the source or destination as the diffusion activity, the diffusion activity determination program 110 determines the diffusion activity 702d, 702f, 702g in step 601. Therefore, the terminal B117b and the terminal D117d are marked as the investigation target terminals, and subsequently, the diffusion activity 702e is determined as a new diffusion activity from the terminals B117b and the terminal D117d marked as the investigation target terminals. Further, from the newly determined diffusion activity 702e, the terminal C117c is marked as the investigation target terminal.

At this time, since the terminal C117c does not perform the terminal activity in the period from the detection alert occurrence date and time to the threshold second (for example, 3600 seconds) before, the process ends.

Next, the coping terminal determination process (step 503) performed by the coping terminal determination program 111 will be described.
FIG. 8 is a flowchart showing the flow of the processing (step 503) for determining the coping terminal, which is performed by the coping terminal determination program 111.

The operation based on the flowchart of FIG. 8 is as follows.
Step 801:
The coping terminal determination program 111 determines a terminal included in the spreading activity as a preventive coping terminal. That is, the terminal 117 included in the source or destination of the diffusion activity determined in step 502 is determined as the preventive action terminal.

Step 802:
The coping terminal determination program 111 determines whether or not the communication destination of the spreading activity is equal to or greater than the threshold value. That is, the number of terminals 117 included in the transmission destination of the diffusion activity determined in step 502 is calculated, and when the number of terminals is a threshold value, for example, 3 or more (Yes), the process proceeds to step 803 and the number of terminals is a threshold value. If it is smaller (No), the process ends.

Step 803:
The coping terminal determination program 111 determines all terminals 117 as preventive coping terminals.

The flow of processing from step 801 to step 802 described above will be described in more detail with reference to FIG.

The coping terminal determination program 111 determines the terminal 117 included in the source or destination of the diffusion activity determined in step 502 of FIG. 5 as the prevention coping terminal in step 801 of FIG. At this time, from the diffusion activity 702d and 702g of the terminal B117a, the diffusion activity 702e of the terminal A117a, and the diffusion activity 702e of the terminal D117d, the terminal A117a, the terminal B117b, the terminal C117c, and the terminal D117d are determined as preventive countermeasure terminals.

The coping terminal determination program 111 calculates the number of terminals 117 (terminal A, terminal C, terminal D) included in the transmission destination of the diffusion activity determined in step 502 as described above, and the number of terminals is a threshold value, for example. If it is 3 or more, the process proceeds to step 803, and if the number of terminals is smaller than the threshold value, the process ends. At this time, the number of terminals 117 (terminal A117a, terminal C117c, terminal d117d) included in the transmission destination of the spreading activity is Since it is 3, the process proceeds to step 803.

The coping terminal determination program 111 determines all terminals 117 as preventive coping terminals (step 803).
At this time, the terminal A117a, the terminal B117b, the terminal C117c, the terminal D117d, and the terminal E117e are determined as preventive countermeasure terminals.

Here, the preventive countermeasure terminal means that it is determined that the terminal is already infected with malware or may already be infected with malware, and in the planning of countermeasures described later, it is further infected. In order to prevent the number of terminals from increasing, devise countermeasures for the communication direction "Out".
Further, in the preventive countermeasure terminal, in order to prevent the terminal from being infected with malware, a countermeasure for the communication direction "In" is planned in the planning of the countermeasure to be described later.

In step 803, all terminals 117 are determined as preventive countermeasure terminals, but terminals that have already been determined to be preventive countermeasure terminals may be excluded from the targets of preventive countermeasure terminals.
The presence or absence of preventive measures terminals is determined by the number of terminals included in the destinations of diffusion activities. This is a measure to take proactive measures (prevention) against malware that spreads quickly, such as worm-type malware.

Next, the countermeasure planning process (step 504) performed by the countermeasure planning program 112 will be described.

FIG. 9 is a flowchart showing a flow of a process (step 504) for planning a countermeasure, which is performed by the countermeasure planning program 112.

The operation based on the flowchart of FIG. 9 is as follows.
Step 901:
The countermeasure planning program 112 includes the preventive countermeasure terminal determined in step 503 (see terminal A117a, terminal C117c, terminal d117d in FIG. 7) and the diffusion activity determined in step 502 (diffusion activity 702d, 702e, 702f in FIG. 7). , 702g), the prevention countermeasure terminals for which countermeasures have not yet been devised and their diffusion activities are extracted, and the combinations of all prevention countermeasure terminals and all diffusion activities are described in steps 902 to 908 below. Repeat the process up to.

Step 902:
The countermeasure planning program 112 sets the level “i” to 1.

Step 903:
The countermeasure planning program 112 plans countermeasures for the communication direction “Out” and the level “i” for the diffusion activity extracted in step 901 by utilizing the countermeasure template 115.
Here, for example, when the communication direction 402 is "Out" and the planning template 404 is a countermeasure template of "blocking the port", the countermeasure to be planned is transmitted by the preventive countermeasure terminal extracted in step 901, step 901. Develop a countermeasure to block communication to port 305 used by the diffusion activity extracted in.

Step 904:
The countermeasure planning program 112 compares the white list 113 corresponding to the preventive countermeasure terminal extracted in step 901 with the countermeasure for the terminal 117 planned in step 903. Then, if the proposed countermeasure exists in the white list 113 (Yes), the process proceeds to step 905, and if it does not exist (No), the process proceeds to step 906.

Step 905:
The countermeasure planning program 112 determines whether or not all levels of countermeasures have been tried. Then, as a result of the determination, if all levels of countermeasures have been devised (Yes), the process proceeds to step 907, and if there are countermeasures of levels that have not yet been devised (No), the process proceeds to step 908.

Step 906:
The countermeasure planning program 112 notifies the administrator of the countermeasures planned in step 904.
If the countermeasure devised in step 904 is the same as the countermeasure already notified, the notification to the administrator may be omitted.

Step 907:
The countermeasure planning program 112 notifies the administrator that the countermeasure cannot be planned in the preventive countermeasure terminal extracted in step 901 and the spreading activity.

Step 908:
The countermeasure planning program 112 adds 1 to i and returns to step 903.

Step 909:
The countermeasure planning program 112 extracts the preventive countermeasure terminal determined in step 503, the preventive countermeasure terminal determined in step 502, the preventive countermeasure terminal for which no countermeasure has been planned, and the diffusion activity, and all the preventive measures are taken. The following processes from step 910 to step 916 are repeated for the combination of the coping terminal and all the spreading activities.

Step 910:
The countermeasure planning program 112 sets i to 1.

Step 911:
The countermeasure planning program 112 plans countermeasures for the communication direction “In” and the level “i” by utilizing the countermeasure template 115 for the diffusion activity extracted in step 909.
Here, for example, when the communication direction 402 is "In" and the planning template 404 is a countermeasure template of "blocking the port", the countermeasure to be planned is received by the preventive countermeasure terminal extracted in step 909, step 909. Develop a countermeasure to block communication to port 305 used by the diffusion activity extracted in.

Step 912:
The countermeasure planning program 112 compares the white list 113 corresponding to the preventive countermeasure terminal extracted in step 909 with the countermeasure planned in step 911. Then, as a result of comparison, if the communication matching the proposed countermeasure exists in the white list 113 (Yes), the process proceeds to step 913, and if it does not exist (No), the process proceeds to step 914. move on.

Step 913:
The countermeasure planning program 112 determines whether or not the countermeasures of all levels (levels 1 to 4) have been tried. Then, as a result of the determination, if the countermeasures for all levels have been devised (Yes), the process proceeds to step 915, and if there are countermeasures for the levels that have not yet been devised (No), the process proceeds to step 916.

Step 914:
The countermeasure planning program 112 notifies the administrator of the countermeasures planned in step 912.
If the countermeasures devised in step 912 are the same as the countermeasures already notified, the notification to the administrator may be omitted.

Step 915:
The countermeasure planning program 112 notifies the administrator that the countermeasure cannot be planned in the preventive countermeasure terminal extracted in step 909 and the spreading activity.

Step 916:
The countermeasure planning program 112 adds 1 to i and returns to step 911.

Next, the flow of processing from step 901 to step 916 will be described with reference to a specific example.
For example, in the diffusion activity determination (step 502), the terminal activities of the terminal activity log 114 with ID 301 of "6", "7", and "8" shown in FIG. 3 are determined as diffusion activity, and the coping terminal is determined. In the determination (step 503), it is assumed that the terminal A117a and the terminal B117b are determined as the preventive countermeasure terminal, and the terminal C117c is determined as the preventive countermeasure terminal.

Here, for the sake of simplicity, it is assumed that only the above-mentioned terminal activity is determined as the diffusion activity, and only the above-mentioned terminal is determined as the prevention coping terminal and the prevention coping terminal. Further, the IP address of the terminal A117a is set to "10.0.0.1", the IP address of the terminal B117b is set to "10.0.0.2", and the IP address of the terminal C117c is set to "10.0.0.3". To do. It should be noted that the white list 113 shown in FIG. 2 and the countermeasure template 115 shown in FIG. 4 are used to formulate countermeasures.

The countermeasure planning program 112 extracts the preventive countermeasure terminal determined in step 503, the preventive countermeasure terminal determined in step 502, the preventive countermeasure terminal for which no countermeasure has been planned, and the diffusion activity, and all the prevention measures are taken. The processes from step 902 to step 908 are repeated for the combination of the coping terminal and all the spreading activities (step 901). Here, it is assumed that the terminal A117a is extracted as the preventive countermeasure terminal for which no countermeasure has been devised, and the diffusion activity with ID 301 of "6" is extracted as the diffusion activity.

The countermeasure planning program 112 sets i to 1 (step 902). At this time, the value of i is 1.

The countermeasure planning program 112 plans countermeasures for the communication direction “Out” and the level “i” for the diffusion activity extracted in step 901 by utilizing the countermeasure template 115 (step 903). At this time, the countermeasure to be devised is "to block the communication to the TCP / 445 number transmitted by the terminal A117a".

The countermeasure planning program 112 compares the white list 113 corresponding to the preventive countermeasure terminal extracted in step 901 with the countermeasure planned in step 903, and the proposed countermeasure exists in the white list 113. In that case, the process proceeds to step 905, and if it does not exist, the process proceeds to step 906 (step 904). At this time, since the proposed countermeasure "blocking the communication sent by the terminal A117a to the TCP / 445 address" exists in the white list of the ID 201 "3" of the white list 113, the process proceeds to step 905.

The countermeasure planning program 112 proceeds to step 907 if countermeasures for all levels (levels 1 to 4) have been formulated, and proceeds to step 908 if there is a countermeasure for a level that has not yet been formulated. (Step 905). At this time, since there is a countermeasure at a level that has not yet been planned, the process proceeds to step 908.

The countermeasure planning program 112 adds 1 to i and returns to step 903 (step 908). At this time, the value of i is 2.

The countermeasure planning program 112 plans countermeasures for the communication direction “Out” and the level “i” for the diffusion activity extracted in step 901 by utilizing the countermeasure template 115 (step 903). At this time, the countermeasure to be devised is "block the SMBv1 protocol communication sent by the terminal A117a to the TCP / 445 number".

The countermeasure planning program 112 compares the white list 113 corresponding to the preventive countermeasure terminal extracted in step 901 with the countermeasure planned in step 903, and the proposed countermeasure exists in the white list 113. In that case, the process proceeds to step 905, and if it does not exist, the process proceeds to step 906 (step 904). At this time, since the proposed countermeasure "blocking SMBv1 communication transmitted by the terminal A117a to TCP / 445" does not exist in the white list 113, the process proceeds to step 906.

The countermeasure planning program 112 notifies the administrator of the countermeasures planned in step 904 (step 906). At this time, the administrator is notified of the proposed countermeasure "blocking the SMBv1 communication sent by the terminal A117a to the TCP / 445 number".

The countermeasure planning program 112 extracts the preventive countermeasure terminal determined in step 503, the preventive countermeasure terminal determined in step 502, the preventive countermeasure terminal for which no countermeasure has been planned, and the diffusion activity, and all the prevention measures are taken. The processes from step 902 to step 908 are repeated for the combination of the coping terminal and all the spreading activities (step 901).
Here, it is assumed that the terminal A117a is extracted as the preventive countermeasure terminal for which no countermeasure has been devised, and the diffusion activity with ID 301 of "7" is extracted as the diffusion activity. At this time, since the same countermeasure as the spreading activity with ID 301 of "6" is devised from the spreading activity with ID 301 of "7", the description thereof will be omitted.

The countermeasure planning program 112 extracts the preventive countermeasure terminal determined in step 503, the preventive countermeasure terminal determined in step 502, the preventive countermeasure terminal for which no countermeasure has been planned, and the diffusion activity, and all the prevention measures are taken. The processes from step 902 to step 908 are repeated for the combination of the coping terminal and all the spreading activities (step 901).
Here, it is assumed that the terminal A117a is extracted as the preventive countermeasure terminal for which no countermeasure has been devised, and the diffusion activity with ID 301 of "8" is extracted as the diffusion activity.

The countermeasure planning program 112 sets i to 1 (step 902). At this time, the value of i is 1.

The countermeasure planning program 112 plans countermeasures for the communication direction “Out” and the level “i” for the diffusion activity extracted in step 901 by utilizing the countermeasure template 115 (step 903). At this time, the countermeasure to be devised is "to block the communication sent by the terminal A117a to the TCP / 22 address".

The countermeasure planning program 112 compares the white list 113 corresponding to the preventive countermeasure terminal extracted in step 901 with the countermeasure planned in step 903, and the proposed countermeasure exists in the white list 113. In that case, the process proceeds to step 905, and if it does not exist, the process proceeds to step 906 (step 904). At this time, since the proposed countermeasure "blocking the communication sent by the terminal A117a to the TCP / 22 address" does not exist in the white list 113, the process proceeds to step 906.

The countermeasure planning program 112 notifies the administrator of the countermeasures planned in step 904 (step 906).
At this time, the administrator is notified of the proposed countermeasure "blocking the communication sent by the terminal A117a to the TCP / 22 address".

The countermeasure planning program 112 extracts the preventive countermeasure terminal determined in step 503, the preventive countermeasure terminal determined in step 502, the preventive countermeasure terminal for which no countermeasure has been planned, and the diffusion activity, and all the prevention measures are taken. The processes from step 902 to step 908 are repeated for the combination of the coping terminal and all the spreading activities (step 901).
Here, it is assumed that the terminal B117b is extracted as the preventive countermeasure terminal for which no countermeasure has been devised, and the diffusion activity with ID 301 of "6" is extracted as the diffusion activity.

The countermeasure planning program 112 sets i to 1 (step 902). At this time, the value of i is 1.

The countermeasure planning program 112 plans countermeasures for the communication direction “Out” and the level “i” for the diffusion activity extracted in step 901 by utilizing the countermeasure template 115 (step 903).
At this time, the countermeasure to be devised is "to block the communication sent by the terminal B117b to the TCP / 445 address".

The countermeasure planning program 112 compares the white list 113 corresponding to the preventive countermeasure terminal extracted in step 901 with the countermeasure planned in step 903, and the proposed countermeasure exists in the white list 113. In that case, the process proceeds to step 905, and if it does not exist, the process proceeds to step 906 (step 904).
At this time, the proposed countermeasure "blocking the communication sent by the terminal B117b to the TCP / 445th address" exists in the white list of the ID 201 "4" of the white list 113, and therefore proceeds to step 905.

The countermeasure planning program 112 proceeds to step 907 if all levels of countermeasures have been drafted, and proceeds to step 908 if there are countermeasures at a level that has not yet been drafted (step 905).
At this time, since there is a countermeasure at a level that has not yet been planned, the process proceeds to step 908.

The countermeasure planning program 112 adds 1 to i and returns to step 903 (step 908). At this time, the value of i is 2.
The countermeasure planning program 112 plans countermeasures for the communication direction “Out” and the level “i” for the diffusion activity extracted in step 901 by utilizing the countermeasure template 115 (step 903).
At this time, the countermeasure to be devised is "block the SMBv1 protocol communication sent by the terminal B117b to the TCP / 445 number".

The countermeasure planning program 112 compares the white list 113 corresponding to the preventive countermeasure terminal extracted in step 901 with the countermeasure planned in step 903, and the communication matching the planned countermeasure is displayed in the white list 113. If it exists, the process proceeds to step 905, and if it does not exist, the process proceeds to step 906 (step 904).
At this time, the proposed countermeasure "blocking the SMBv1 protocol communication transmitted by the terminal B117b to the TCP / 445 number" exists in the white list of ID 201 "4" of the white list 113, and therefore proceeds to step 905. ..

The countermeasure planning program 112 proceeds to step 907 if all levels of countermeasures have been drafted, and proceeds to step 908 if there are countermeasures at a level that has not yet been drafted (step 905).
At this time, since there is a countermeasure at a level that has not yet been planned, the process proceeds to step 908.

The countermeasure planning program 112 adds 1 to i and returns to step 903 ”(step 908). At this time, the value of i is 3.

The countermeasure planning program 112 plans countermeasures for the communication direction “Out” and the level “i” for the diffusion activity extracted in step 901 by utilizing the countermeasure template 115 (step 903).
At this time, the proposed countermeasure is "block the SMBv1 protocol communication (packet size 54-88) transmitted by the terminal B117b to TCP / 445".

The countermeasure planning program 112 compares the white list 113 corresponding to the preventive countermeasure terminal extracted in step 901 with the countermeasure planned in step 903, and the communication matching the planned countermeasure is displayed in the white list 113. If it exists, the process proceeds to step 905, and if it does not exist, the process proceeds to step 906 (step 904).
At this time, the proposed countermeasure "blocking the SMBv1 protocol communication (packet size 54-88) transmitted by the terminal B117b to TCP / 445" matches the white list of ID 201 "4" of the white list 113. To do so, the process proceeds to step 905.

The countermeasure planning program 112 proceeds to step 907 if all levels of countermeasures have been drafted, and proceeds to step 908 if there are countermeasures at a level that has not yet been drafted (step 905).
At this time, since all levels of countermeasures have been devised, the process proceeds to step 907.

The countermeasure planning program 112 notifies the administrator that the countermeasure cannot be planned in the preventive countermeasure terminal extracted in step 901 and the spreading activity (step 907).
At this time, at the terminal B117b, the administrator is notified that the ID 301 has not been able to formulate a countermeasure against the diffusion activity of "6".

The countermeasure planning program 112 extracts the preventive countermeasure terminal determined in step 503, the preventive countermeasure terminal determined in step 502, the preventive countermeasure terminal for which no countermeasure has been planned, and the diffusion activity, and all the prevention measures are taken. The processes from step 902 to step 908 are repeated for the combination of the coping terminal and all the spreading activities (step 901).
Here, it is assumed that the terminal B117b is extracted as the preventive countermeasure terminal for which no countermeasure has been devised, and the diffusion activity with ID 301 of "7" is extracted as the diffusion activity. At this time, since it is not possible to formulate a countermeasure from the diffusion activity with ID 301 of "7" as in the diffusion activity with ID 301 of "6", the description thereof will be omitted.

The countermeasure planning program 112 extracts the preventive countermeasure terminal determined in step 503, the preventive countermeasure terminal determined in step 502, the preventive countermeasure terminal for which no countermeasure has been planned, and the diffusion activity, and all the prevention measures are taken. The processes from step 902 to step 908 are repeated for the combination of the coping terminal and all the spreading activities (step 901).
Here, it is assumed that the terminal B117b is extracted as the preventive countermeasure terminal for which no countermeasure has been devised, and the diffusion activity with ID 301 of "8" is extracted as the diffusion activity. At this time, although the explanation is omitted, the countermeasure "blocking the communication sent by the terminal B117b to the TCP / 22 number" is devised from the spreading activity of the ID 301 "8", and the administrator is notified. To.

The above is the result of planning the countermeasures in the preventive countermeasure terminal. Next, the planning of countermeasures in the preventive countermeasure terminal will be described.

The countermeasure planning program 112 extracts the preventive countermeasure terminal determined in step 503, the preventive countermeasure terminal determined in step 502, the preventive countermeasure terminal for which no countermeasure has been planned, and the diffusion activity, and all the preventive measures are taken. The processes from step 910 to step 916 are repeated for the combination of the coping terminal and all the spreading activities (step 909).
Here, it is assumed that the terminal C117c is extracted as a preventive countermeasure terminal for which no countermeasure has been devised, and the diffusion activity with ID 301 of "6" is extracted as the diffusion activity.

The countermeasure planning program 112 sets i to 1 (step 910). At this time, the value of i is 1.

The countermeasure planning program 112 plans countermeasures for the communication direction “In” and the level “i” for the diffusion activity extracted in step 909 by utilizing the countermeasure template 115 (step 911).
At this time, the countermeasure to be devised is "to block the communication received by the terminal C117c to the TCP / 445 address".

The countermeasure planning program 112 compares the white list 113 corresponding to the preventive countermeasure terminal extracted in step 909 with the countermeasure planned in step 911, and the prepared countermeasure exists in the white list 113. In that case, the process proceeds to step 913, and if it does not exist, the process proceeds to step 914 (step 912).
At this time, since the proposed countermeasure "blocking the communication received by the terminal C117c to the TCP / 445 address" exists in the white list of ID 201 "5" of the white list 113, the process proceeds to step 913.

The countermeasure planning program 112 proceeds to step 915 if all levels of countermeasures have been drafted, and returns to step 916 if there are countermeasures at a level that has not yet been drafted (step 913).
At this time, since there is a countermeasure at a level that has not yet been planned, the process proceeds to step 916.

The countermeasure planning program 112 adds 1 to i and proceeds to step 911 (step 916). At this time, the value of i is 2.

The countermeasure planning program 112 plans countermeasures for the communication direction “In” and the level “i” for the diffusion activity extracted in step 909 by utilizing the countermeasure template 115 (step 911). At this time, the countermeasure to be devised is "block the SMBv1 protocol communication received by the terminal C117c to the TCP / 445 number".

The countermeasure planning program 112 compares the white list 113 corresponding to the preventive countermeasure terminal extracted in step 909 with the countermeasure planned in step 911, and the prepared countermeasure exists in the white list 113. In that case, the process proceeds to step 913, and if it does not exist, the process proceeds to step 914 (step 912).
At this time, since the proposed countermeasure "blocking the SMBv1 protocol communication received by the terminal C117c to the TCP / 445 number" does not exist in the white list 113, the process proceeds to step 914.

The countermeasure planning program 112 notifies the administrator of the countermeasures planned in step 912 (step 914). At this time, the administrator is notified of the proposed countermeasure "block the SMBv1 protocol communication received by the terminal C117c to the TCP / 445 number".

The countermeasure planning program 112 extracts the preventive countermeasure terminal determined in step 503, the preventive countermeasure terminal determined in step 502, the preventive countermeasure terminal for which no countermeasure has been planned, and the diffusion activity, and all the preventive measures are taken. The processes from step 910 to step 916 are repeated for the combination of the coping terminal and all the spreading activities (step 909).
Here, it is assumed that the terminal C117c is extracted as the preventive countermeasure terminal for which no countermeasure has been devised, and the diffusion activity with ID 301 of "7" is extracted as the diffusion activity. At this time, since the same countermeasure as the spreading activity with ID 301 of "6" is devised from the spreading activity with ID 301 of "7", the description thereof will be omitted.

The countermeasure planning program 112 extracts the preventive countermeasure terminal determined in step 503, the preventive countermeasure terminal determined in step 502, the preventive countermeasure terminal for which no countermeasure has been planned, and the diffusion activity, and all the preventive measures are taken. The processes from step 910 to step 916 are repeated for the combination of the coping terminal and all the spreading activities (step 909).
Here, it is assumed that the terminal C117c is extracted as a preventive countermeasure terminal for which no countermeasure has been devised, and the diffusion activity with ID 301 of "8" is extracted as the diffusion activity. At this time, although the explanation is omitted, the countermeasure "block the communication to TCP / 22 received by the terminal C117c" is devised from the spreading activity of ID301 "8", and the administrator is notified. To.

As described above, in this embodiment, the communication used for business is stored as a white list in advance, and when the countermeasures planned at the time of cyber attack detection are included in the white list, the countermeasure range is limited. By formulating new countermeasures, it is possible to formulate security countermeasures that do not affect business operations.

In addition, you may change a part of this Example and carry out as follows. The preventive action terminal may be determined from the alert detection information. For example, when worm-type malware is detected, all terminals are determined to be preventive countermeasure terminals regardless of the number of terminals included in the spreading activity. This makes it possible to take proactive measures (prevention).

In addition, the proposed countermeasures may be automatically applied. For example, the administrator is notified of the proposed countermeasures, and at the same time, the countermeasures are automatically applied to each terminal. This makes it possible to apply countermeasures promptly.

In addition, network-level countermeasures may be added to the planning template 404 of the countermeasure template 115. For example, a countermeasure for applying a patch to the terminal 117, a countermeasure for updating the signature of the antivirus software to the latest version, a countermeasure for changing the terminal settings, a countermeasure for stopping a specific program, and the like may be used. This makes it possible to devise new countermeasures even when network-level countermeasures cannot be applied.

Further, instead of the countermeasure template 115, a countermeasure corresponding to the detection alert detected by the security appliance may be obtained from the security vendor and used for countermeasure planning. This makes it possible to automatically determine whether or not the countermeasures provided by the security vendor affect the business and notify the administrator.
Further, the white list generation program 108 may be executed periodically. This makes it possible to create a white list 113 that follows changes in the terminal configuration and business.

Further, the size 206 of the white list 113 may store the size of the packet used for communication. This makes it possible to formulate countermeasures with a more limited scope of countermeasures.

Further, the present invention is not limited to the above-described embodiment as it is, and at the implementation stage, the components can be modified and embodied within a range that does not deviate from the gist thereof. In addition, various inventions can be formed by an appropriate combination of the plurality of components disclosed in the above-described embodiment. For example, some components may be removed from all the components shown in the embodiments. In addition, components across different embodiments may be combined as appropriate.

101 ... Security countermeasure planning device, 108 ... White list generation program, 109 ... Terminal activity acquisition program, 110 ... Spread activity judgment program, 111 ... Countermeasure terminal judgment program, 112 ... Countermeasure planning program, 113 ... White list, 114 ... Terminal activity log, 115 ... Countermeasure template, 117 ... Terminal, 118 ... Security appliance

Claims (15)

In a security countermeasure planning device that has a function to formulate security countermeasures against cyber attacks on terminals connected to the network
A white list storage unit that holds information related to communication used by the user in business as a white list for each terminal.
When a cyber attack on the terminal is detected
The security countermeasures for each terminal are formulated, and when the drafted security countermeasures are present in the white list of the terminal, the countermeasure range affected by communication is limited from the security countermeasures. A security countermeasure planning device, which is characterized by having a countermeasure planning department, which formulates various security countermeasures. The security countermeasure planning device according to claim 1.
Further provided with a diffusion activity determination unit that determines the communication used in the cyber attack as a diffusion activity when the cyber attack is detected.
The countermeasure planning unit is a security countermeasure planning device characterized in that the security countermeasure is planned for each diffusion activity. The security countermeasure planning device according to claim 2.
A coping terminal determination unit that determines the terminal to which the security countermeasure is applied as a coping terminal based on the spreading activity is further provided.
The countermeasure planning unit is a security countermeasure planning device characterized in that the security countermeasure is planned for each countermeasure terminal. The security countermeasure planning device according to claim 3.
The countermeasure planning unit is a security countermeasure planning device characterized in that it formulates preventive countermeasures for blocking communication transmitted by the terminal and preventive countermeasures for blocking communication received by the terminal. The security countermeasure planning device according to claim 4.
The address terminal determining unit, the diffusion of the terminal included in the source or destination of the activity, the security countermeasure planning system, characterized in that said terminal for applying said anti countermeasure. The security countermeasure planning device according to claim 4.
The countermeasure terminal determination unit is a security countermeasure planning device characterized in that it determines the terminal to which the preventive countermeasure is applied based on the number of the terminals included in the diffusion activity. The security countermeasure planning device according to claim 1.
A terminal activity acquisition unit that acquires a terminal activity log indicating the activity status of the terminal,
A white list generator that generates the white list based on the terminal activity log,
A spreading activity determination unit that determines the spreading activity of malware on the terminal that has been attacked by the cyber attack.
A coping terminal determination unit that determines the terminal that is or may be infected with the malware by the spreading activity as a coping terminal.
With
The countermeasure planning unit devises a countermeasure against the malware for the countermeasure terminal.
A security countermeasure planning device characterized by this. The security countermeasure planning device according to claim 7.
Includes an ID that uniquely identifies the white list, the IP address, communication direction, port, protocol, and packet size of the communication of the coping terminal that is the target of the white list.
The communication direction is the security countermeasure of "Out" in which the white list targets the communication transmitted by the IP address, or "In" in which the white list targets the communication received by the IP address. Including
The terminal activity log is
An ID that uniquely identifies the terminal activity log,
Includes the date and time when the terminal activity log occurred, the source of the communication, the destination of the communication, the destination port of the communication, the protocol of the communication, and the size of the packet included in the communication.
The security countermeasure is
Includes an ID that uniquely identifies the security countermeasure template, the communication direction to which the countermeasure is applied, the level of the countermeasure, and a planning template used when planning the countermeasure.
A security countermeasure planning device characterized by this. In the security countermeasure planning method that has the function of formulating security countermeasures against cyber attacks on terminals connected to the network
For each terminal, information related to communication used by the user in business is retained as a white list.
When a cyber attack on the terminal is detected
The security countermeasures for each terminal are formulated, and when the drafted security countermeasures are present in the white list of the terminal, the countermeasure range affected by communication is limited from the security countermeasures. Develop security measures,
A security countermeasure planning method that is characterized by this. The security countermeasure planning method according to claim 9.
When the cyber attack is detected, the communication used in the cyber attack is determined as a spreading activity, and the communication is determined as a spreading activity.
A security countermeasure planning method, characterized in that the security countermeasure is formulated for each diffusion activity. The security countermeasure planning method according to claim 10.
Based on the spreading activity, the terminal to which the security countermeasure is applied is determined as a countermeasure terminal, and the terminal is determined.
A security countermeasure planning method, characterized in that the security countermeasure is formulated for each countermeasure terminal. The security countermeasure planning method according to claim 11.
A security countermeasure planning method, which comprises planning a preventive measure for blocking communication transmitted by the terminal and a preventive measure for blocking communication received by the terminal. The security countermeasure planning method according to claim 12.
Security countermeasure planning method characterized by the terminal included in the source or destination of the proliferation activities, and the terminal for applying the anti-countermeasure. The security countermeasure planning method according to claim 12.
A security countermeasure planning method, characterized in that the terminal to which the preventive countermeasure is applied is determined based on the number of the terminals included in the diffusion activity. The security countermeasure planning method according to claim 9.
A step of acquiring a terminal activity log indicating the activity status of the terminal,
Steps to generate the white list based on the terminal activity log,
Steps to determine malware spreading activity on the terminal that has been attacked by the cyber attack,
A step of determining a terminal that is or may be infected with the malware by the spreading activity as a coping terminal.
With
To formulate the security countermeasure for the countermeasure terminal.
A security countermeasure planning method characterized by this.

Images