JP6978662B2 - Output program, information processing device, and output method - Google Patents

Description

The present invention relates to an output program, an information processing apparatus, and an output how.

In recent years, the damage caused by targeted attacks has become more serious. For example, an attacker sends an email with a harmful file attached to the victim's computer. Since the body of the e-mail looks like a normal business or request, the attacked person may easily open the harmful file attached to the e-mail. When an attacker opens a malicious file, the attacker's computer is directed to a malicious website and infected with malware. A computer infected with malware, for example, leaks information on the computer to the outside.

As described above, in targeted attacks, since the attack proceeds by a method of disguising a legitimate operation or communication, it takes a long time for the malware infection damage to be discovered, and the spread of the infection damage becomes serious. Therefore, when malware infection damage is detected, the risk of spreading infection damage can be suppressed by quickly grasping the range of infection damage and performing infection removal work on computers within that range. ..

As a method of grasping the range of infection damage, for example, logs of other computers or network devices that have been accessed by the attacked person's computer now or in the past are collected, and the range of infection damage is based on the analysis result of the log. There is a way to narrow down. However, when the amount of logs is huge, it takes a long time to analyze, and logs of server devices that handle confidential company information and personal information may not be easily provided. For example, it is often difficult to collect file server logs even if there is evidence that the victim's computer is accessing the files in the shared folder on the file server.

A virus detection system has been proposed that detects viruses such as malware and spreading activities caused by targeted attacks with high accuracy and at an early stage. In this virus detection system, the work of monitoring the communication between the terminal devices and the activity of each terminal device and collecting the communication and activity information in the diffusion activity detection device is carried out. Further, this diffusion activity detection device determines whether or not communication and activity are suspicious based on the first policy, and determines whether or not the terminal device is suspicious based on the second policy. Further, this spreading activity detecting device expresses the relationship between suspicious terminal devices in a graph, and detects the spreading activity of the virus based on the graph.

However, in the above-mentioned proposed technology, learning is carried out using the communication and activity performed in normal work and the suspicious communication and activity as templates, and the criterion for determining whether or not the subject is suspicious based on the learning result (1. The mechanism for constructing the second policy) is adopted.

Japanese Unexamined Patent Publication No. 2016-66282

If the file server log cannot be obtained for administrative reasons, or if the attacked person is using cloud storage and cannot obtain the log from the access destination server device, quickly narrow down the scope of infection damage. Is difficult. If it is possible to grasp the damage range of attacks that disguise the communication and activities of terminal devices performed in normal business without using logs such as file servers, the risk of spreading infection damage can be reduced. Therefore, first of all, it is one of the problems to be able to grasp the risk of malware infection in each terminal device without using the log of the file server or the like.

According to one aspect, an object of the present invention is to provide output program that can provide useful information to refine the terminal device at risk for malware, the information processing apparatus, and an output how.

According to one aspect, based on a plurality of terminal devices properties information satisfies the stored information with the same name information or the same criteria and information accessible storage device updates, updates of the plurality of terminal devices The property information is received from the terminal device that executed the process, and based on the received property information, the execution history of the terminal device is generated and stored in the storage unit, and a notification indicating the risk of malware infection of the first terminal device is shown. Is acquired , a second having a history of access to any information held by the first terminal device among the plurality of terminal devices based on the execution history of the plurality of terminal devices stored in the storage unit. The terminal device is specified , and the risk level of malware infection of the second terminal device is evaluated based on the execution content in the specified second terminal device and the risk level information for associating the risk level of malware infection with the execution content. , An output program that outputs the evaluation result and causes the computer to execute the process is provided.

It can provide useful information for narrowing down terminals that are at risk of malware infection.

It is a figure which showed an example of the information processing apparatus which concerns on 1st Embodiment. It is a figure which showed an example of the information processing system which concerns on 2nd Embodiment. It is a figure for demonstrating the spread of malware infection. It is a block diagram which showed an example of the hardware which can realize the function of the information processing apparatus which concerns on 2nd Embodiment. It is a block diagram which showed an example of the function which the information processing apparatus which concerns on 2nd Embodiment has. It is the first figure which showed an example of the state determination table which concerns on 2nd Embodiment. It is the 2nd figure which showed an example of the state determination table which concerns on 2nd Embodiment. It is a figure which showed an example of the determination result table which concerns on 2nd Embodiment. It is a figure which showed an example of the property update history included in the log information which concerns on 2nd Embodiment. It is a figure which showed an example of the file list of the same name included in the log information which concerns on 2nd Embodiment. It is a figure which showed an example of the APP access log among the file access logs included in the log information which concerns on 2nd Embodiment. It is a figure which showed an example of the RF property log among the file access logs included in the log information which concerns on 2nd Embodiment. It is a figure which showed an example of the LF property log among the file access logs included in the log information which concerns on 2nd Embodiment. It is a figure which showed an example of the alert history among the event log included in the log information which concerns on 2nd Embodiment. It is a figure which showed an example of the access history among the event log included in the log information which concerns on 2nd Embodiment. It is a figure which showed an example (for PC # 1) of the analysis log included in the log information which concerns on 2nd Embodiment. It is a figure which showed an example (for PC # 2) of the analysis log included in the log information which concerns on 2nd Embodiment. It is a figure for demonstrating the accumulation of the APP access log which concerns on 2nd Embodiment. It is a figure for demonstrating the accumulation of RF property log which concerns on 2nd Embodiment. It is a figure for demonstrating the output of the analysis result (malware infection risk) which concerns on 2nd Embodiment. It is a sequence diagram for demonstrating the operation of the information processing system which concerns on 2nd Embodiment. It is a flow chart which showed the flow of the process which concerns on the accumulation of the APP access log which concerns on 2nd Embodiment. It is a flow chart which showed the flow of the process which concerns on the accumulation of RF property log which concerns on 2nd Embodiment. It is a flow chart which showed the flow of the process which concerns on the accumulation of the LF property log which concerns on 2nd Embodiment. It is a flow chart which showed the flow of the generation process of the analysis log which concerns on 2nd Embodiment. It is a 1st flow chart which showed the flow of the determination process which concerns on 2nd Embodiment. It is a 2nd flow chart which showed the flow of the determination process which concerns on 2nd Embodiment. It is a figure for demonstrating the flow of the determination process and the update process of the determination result table which concerns on 2nd Embodiment. It is a figure which showed an example of the non-tracking rule table which concerns on one modification of 2nd Embodiment. It is a figure which showed an example of the non-tracking machine table which concerns on one modification of 2nd Embodiment. It is a flow diagram which showed the flow of the addition processing of the PC to the target list which concerns on one modification of 2nd Embodiment.

An embodiment of the present invention will be described below with reference to the accompanying drawings. In the present specification and the drawings, elements having substantially the same function may be designated by the same reference numerals to omit duplicate description.

<1. First Embodiment>
The first embodiment will be described with reference to FIG. The first embodiment relates to a mechanism for evaluating the degree of infection risk (risk level) in each terminal device using information that can be easily collected from the terminal device, and outputting the evaluation result. FIG. 1 is a diagram showing an example of an information processing apparatus according to the first embodiment. The information processing device 10 shown in FIG. 1 is an example of the information processing device according to the first embodiment.

As shown in FIG. 1, the information processing apparatus 10 has a storage unit 11 and a calculation unit 12.
The storage unit 11 is a volatile storage device such as a RAM (Random Access Memory) or a non-volatile storage device such as an HDD (Hard Disk Drive) or a flash memory. The arithmetic unit 12 is a processor such as a CPU (Central Processing Unit) or a DSP (Digital Signal Processor). However, the arithmetic unit 12 may be an electronic circuit such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array). The arithmetic unit 12 executes a program stored in a memory such as the storage unit 11, for example.

The information processing device 10 communicates with the terminal devices 21, 22, 23, and the storage device 30 via the network NW. The network NW is, for example, a wired and / or wireless communication network such as a LAN (Local Area Network) or WAN (Wide Area Network), or a WLAN (Wireless LAN) or a mobile phone line.

The terminal devices 21, 22 and 23 are, for example, PCs (Personal Computers), server devices, communication devices (radio base stations, radio relay stations, mobile terminals, routers) and the like.
The storage device 30 is, for example, a storage device such as NAS (Network Attached Storage), a file server, or cloud storage. The storage device 30 is equipped with, for example, a recording medium such as an HDD or SSD (Solid State Drive), or a RAID (Redundant Arrays of Inexpensive Disks) device in which a plurality of recording media are connected for redundancy. The storage device 30 is a storage area that is permitted to be accessed by the terminal devices 21, 22, and 23. In the example of FIG. 1, the information A possessed by the terminal device 21 is stored in the storage device 30. Further, the terminal device 21 is an example of the first terminal device.

The storage unit 11 stores the execution history 11a of the processing by the terminal devices 21, 22, and 23. The execution history 11a includes information about events (operations and processes) executed in the past by the terminal devices 21, 22, and 23.

The execution history 11a of FIG. 1 includes information on the time when the event was executed, the content of the event, the target of the event, and the terminal device that executed the event. The information included in the execution history 11a can be obtained, for example, from the logs of the terminal devices 21, 22, and 23, or from the property of the information in the storage device 30. Note that this property is information that can be easily collected from the terminal devices 21, 22, and 23.

In the example of FIG. 1, the execution history 11a is associated with the time “10:05”, the event “creation”, the target “A @ SV”, and the terminal device “21”. The SV represents the storage device 30. "A @ SV" represents information A in the storage device 30. These information indicate that the terminal device 21 created the information A in the storage device 30 at 10:05. In addition, "22 (via 23)" in the column of the terminal device indicates that the event by the terminal device 22 was executed by the remote operation by the terminal device 23.

The storage unit 11 may further store the risk information 11b regarding the risk of malware infection. The risk information 11b exemplified in FIG. 1 is information that associates the risk of malware infection (magnitude of infection risk) with the execution content.

The risk level information 11b associates, for example, a combination of retention / non-retention of the relevant information, a logon type (local / remote), and the number of failed logon failures with the risk level. The above-mentioned relevant information is information having the same name as the information held by the terminal device at risk of infection or information satisfying the same criteria. As a criterion, for example, whether attributes such as file size and modification date and time are the same can be applied. The attribute can be acquired by referring to, for example, a property given to the information.

The infection risk of the terminal device depends on, for example, a malware detection product (antivirus software installed in the terminal devices 21, 22, 23, and the storage device 30, or an infection detection device (not shown; hardware) on the network NW). Can be detected.

The terminal device that is remotely logged on is likely to be a stepping stone for an attack. Terminal devices with a high number of logon failures are likely to be attacked. In addition, the terminal device holding the relevant information is highly likely to be infected with malware through access to the information held by the terminal device at risk of infection. The risk information 11b illustrated in FIG. 1 is set in consideration of these factors. The risk information 11b shown in FIG. 1 is an example, and the items of the execution contents and the setting of the risk may be modified.

When the calculation unit 12 acquires the notification 12a indicating the malware infection risk of the terminal device 21, the calculation unit 12 executes a process involving access to any information A possessed by the terminal device 21 among the terminal devices 21, 22, and 23. The terminal device 22 is specified based on the execution history 11a (12b). The terminal device 22 is an example of the second terminal device.

Further, the arithmetic unit 12 evaluates the risk of malware infection in the terminal device 22 based on the execution content in the specified terminal device 22, and outputs the evaluation result (12c).
In the example of FIG. 1, the risk level of the terminal device 22 is evaluated as “medium” based on the risk level information 11b, and the information of the risk level “medium” is output as the evaluation result. For example, the arithmetic unit 12 is a display device (not shown) connected to the information processing device 10 or a display device (not shown) of a management terminal (not shown) connected to the information processing device 10 via the network NW. ) Displays the evaluation result.

As described above, by outputting the evaluation result regarding the infection risk using the information that can be easily collected from the terminal devices 21, 22, and 23, useful information for grasping the range of infection spread is provided. .. In addition, by indicating the degree of infection risk for each terminal device, it is possible to appropriately select a location where communication interruption or access restriction is to be implemented, which contributes to prevention of infection spread.

The first embodiment has been described above.
<2. 2nd Embodiment>
Next, the second embodiment will be described. The second embodiment relates to a mechanism for evaluating the degree (risk level) of infection risk in each PC using information that can be easily collected from the PC and outputting the evaluation result.

[2-1. system]
The information processing system according to the second embodiment will be described with reference to FIG. FIG. 2 is a diagram showing an example of an information processing system according to the second embodiment. The information processing system (System) 100 illustrated in FIG. 2 is an example of the information processing system according to the second embodiment.

As shown in FIG. 2, the information processing system 100 includes an information processing device 101, PC 102, 103, an FSV (File Server) 201, and a storage device (Storage) 202. The information processing apparatus 101, PC 102, 103, and FSV 201 are connected via a network NW. The network NW is, for example, a LAN or WAN, or a communication line network such as a WLAN or a mobile phone line.

The storage device 202 is, for example, a recording medium such as an HDD or SSD, or a RAID device that is made redundant by combining a plurality of recording media. The storage device 202 is connected to the FSV 201. A storage area such as an LV (Logical Volume) is set in the storage device 202. Further, in the storage area of the storage device 202, for example, a shared folder (Share) 202a that is permitted to be accessed by the PCs 102 and 103 is set.

In the example of FIG. 2, the number of PCs is two, but three or more PCs can be connected to the network NW. Further, in the following description, for convenience of explanation, PC 102 may be referred to as PC # 1 and PC 103 may be referred to as PC # 2. Further, the notation PC # k (k = 3, 4, ...) May mean a PC (not shown) connected to the network NW. Further, the function of the information processing apparatus 101 described later can be mounted on the PCs 102 and 103.

Hereinafter, the description will be given by taking the information processing system 100 shown in FIG. 2 as an example.
As described above, the shared folder 202a is set in the storage device 202, and access by the PCs 102 and 103 is permitted. In this case, if the PC 102 is infected with malware and the file (shared file 202b) on the shared folder 202a owned by the PC 102 is rewritten as a harmful file, there is a risk that the infection spreads to other PCs by accessing the shared folder 202a. Occurs.

For example, as shown in FIG. 3, when a malware infection occurs in PC # 1, the shared file 202b may be rewritten as a harmful file by the malware. FIG. 3 is a diagram for explaining the spread of malware infection. When PC # 2 uses the shared file 202b rewritten as a harmful file, PC # 2 can be infected with malware. Similarly, if PC # 2 rewrites another file in the shared folder 202a, there is a risk that the infection spreads to other PCs connected to the network NW.

In the information processing system 100, each PC performs logon / log-off monitoring, logon account monitoring, local file system monitoring, handle operation monitoring, and the like, and uses information that can be collected by each PC to be used as an information processing device. 101 assesses the risk of infection. In the information processing system 100, it is assumed that the log of the FSV 201 is not provided to the information processing device 101. However, information such as the properties of the shared file 202b that can be referred to by each PC without special authority can be used by the information processing apparatus 101.

The information processing system 100 has been described above.
[2-2. hardware]
Here, the hardware of the information processing apparatus 101 will be described with reference to FIG. FIG. 4 is a block diagram showing an example of hardware capable of realizing the functions of the information processing apparatus according to the second embodiment.

The function of the information processing apparatus 101 can be realized by using, for example, the hardware resources shown in FIG. That is, the function of the information processing apparatus 101 is realized by controlling the hardware shown in FIG. 4 by using a computer program.

As shown in FIG. 4, the hardware mainly includes a CPU 902, a ROM (Read Only Memory) 904, a RAM 906, a host bus 908, and a bridge 910. Further, the hardware includes an external bus 912, an interface 914, an input unit 916, an output unit 918, a storage unit 920, a drive 922, a connection port 924, and a communication unit 926.

The CPU 902 functions as, for example, an arithmetic processing device or a control device, and controls all or a part of the operation of each component based on various programs recorded in the ROM 904, the RAM 906, the storage unit 920, or the removable recording medium 928. .. The ROM 904 is an example of a storage device that stores programs read into the CPU 902, data used for calculations, and the like. The RAM 906 temporarily or permanently stores, for example, a program read into the CPU 902 and various parameters that change when the program is executed.

These elements are interconnected, for example, via a host bus 908 capable of high speed data transmission. On the other hand, the host bus 908 is connected to the external bus 912, which has a relatively low data transmission speed, via, for example, the bridge 910. Further, as the input unit 916, for example, a mouse, a keyboard, a touch panel, a touch pad, a button, a switch, a lever, and the like are used. Further, as the input unit 916, a remote controller capable of transmitting a control signal using infrared rays or other radio waves may be used.

As the output unit 918, for example, a display device such as a CRT (Cathode Ray Tube), an LCD (Liquid Crystal Display), a PDP (Plasma Display Panel), or an ELD (Electro-Luminescence Display) is used. Further, as the output unit 918, an audio output device such as a speaker or headphones, a printer, or the like may be used. That is, the output unit 918 is a device capable of visually or audibly outputting information.

The storage unit 920 is a device for storing various types of data. As the storage unit 920, for example, a magnetic storage device such as an HDD is used. Further, as the storage unit 920, a semiconductor storage device such as an SSD or a RAM disk, an optical storage device, an optical magnetic storage device, or the like may be used.

The drive 922 is a device that reads out the information recorded on the removable recording medium 928, which is a removable recording medium, or writes the information on the removable recording medium 928. As the removable recording medium 928, for example, a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is used.

The connection port 924 is a port for connecting an external connection device 930 such as a USB (Universal Serial Bus) port, an IEEE1394 port, a SCSI (Small Computer System Interface), a RS-232C port, or an optical audio terminal. As the externally connected device 930, for example, a printer or the like is used.

The communication unit 926 is a communication device for connecting to the network 932. The communication unit 926 includes, for example, a communication circuit for wired or wireless LAN, a communication circuit for WUSB (Wireless USB), a communication circuit or router for optical communication, a communication circuit or router for ADSL (Asymmetric Digital Subscriber Line), and the like. A communication circuit for a mobile phone network or the like can be used. The network 932 connected to the communication unit 926 is a network connected by wire or wirelessly, and includes, for example, the Internet, a LAN, a broadcasting network, a satellite communication line, and the like.

The hardware of the information processing apparatus 101 has been described above.
The functions of PC 102, 103, and FSV 201 can also be realized by using the hardware shown in FIG. Therefore, detailed description of the hardware of PC102, 103, and FSV201 will be omitted.

[2-3. Information processing device]
The function of the information processing apparatus 101 will be described with reference to FIG. FIG. 5 is a block diagram showing an example of the functions of the information processing apparatus according to the second embodiment.

As shown in FIG. 5, the information processing apparatus 101 includes a storage unit 111, an alert monitoring unit 112, a history collection unit 113, a risk evaluation unit 114, and a display control unit 115.
The functions of the alert monitoring unit 112, the history collection unit 113, the risk assessment unit 114, and the display control unit 115 can be realized by using the CPU 902 or the like described above. The function of the storage unit 111 can be realized by using the RAM 906, the storage unit 920, or the like described above.

The storage unit 111 stores the state determination table (TBL) 111a, the determination result table (TBL) 111b, and the log information 111c. The state determination table 111a is a table in which conditions that serve as determination criteria for determining the state of each PC regarding the infection risk are registered. The determination result table 111b is a table in which the determination result of each PC based on the state determination table 111a is recorded.

The log information 111c is information about logs acquired from the storage device 202, each PC, and the like. The log information 111c includes a property update history L1, a file list L2 having the same name, a file access log L3, an event log L4, and an analysis log L5.

The property update history L1 is a history of file properties (file size, update date and time, etc.) related to the file in the shared folder 202a. The file list L2 with the same name is information about the PC holding the file with the same name as the file in the shared folder 202a. In addition, the same reference file list that describes the information of the file having the same attribute information and the like included in the property of the file may be used. The file name is an example of attribute information. In addition to the file properties, the same standard file list that describes the information of files with the same standard may be used based on the attribute information of the file that can be easily acquired by each PC.

The file access log L3 includes the APP access log L3a, the RF property log L3b, and the LF property log L3c. The APP access log L3a is an access log to a file accumulated by the application software of each PC.

The RF property log L3b is a log of file properties related to the files in the shared folder 202a accumulated by each PC. The LF property log L3c is a log of file properties related to local files accumulated by each PC.

The event log L4 includes an alert history L4a and an access history L4b. The alert history L4a is a log accumulating the contents of alerts output from the malware detection product. The malware detection product is, for example, anti-virus software installed in each PC or FSV201, or an infection detection device (communication device, network monitoring device, etc.) on the network NW. The access history L4b is a history of access (logon, logoff, access attempt, etc.) to each PC or shared folder 202a.

The analysis log L5 is information that integrates the file access log L3, the event log L4, and the like. The analysis log L5 is used when evaluating the infection risk of each PC.
Hereinafter, the state determination table 111a, the determination result table 111b, and the log information 111c will be further described. Here, for convenience of explanation, the contents of the log information 111c are described separately from L1 to L5, but modifications such as excluding duplicate contents are possible. Further, the log information 111c may be organized in a format that can be easily searched and edited by using RDBMS (Relational Database Management System) or the like.

(Status judgment table / judgment result table)
The state determination table 111a will be further described with reference to FIGS. 6 and 7. FIG. 6 is a first diagram showing an example of a state determination table according to the second embodiment. FIG. 7 is a second diagram showing an example of a state determination table according to the second embodiment.

As shown in FIG. 6, the state determination table 111a is provided with an information source item (top row) and a condition item (second row from the top). The information source "L4a" means that information matched to the corresponding condition can be obtained from the alert history L4a. Further, the information source "L4b" means that the information matched with the corresponding condition can be obtained from the access history L4b.

Further, the information source "L3a" means that the information matched with the corresponding condition can be obtained from the APP access log L3a. Further, the information source "L3b" means that the information matched with the corresponding condition can be obtained from the RF property log L3b. Further, the information source "L4b, L3a" means that the information collated with the corresponding condition can be obtained from the access history L4b and the APP access log L3a.

The condition "FILE" of the information source "L4a" means the detection of a suspicious file on the target PC. For example, when an alert containing the existence of a suspicious file is output from a malware detection product, it corresponds to the condition "FILE" of the information source "L4a". The condition "operation" means the detection of a suspicious operation on the target PC.

For example, when an alert indicating that a suspicious operation is detected is output from a malware detection product, it corresponds to the condition "operation". The condition "communication" means the detection of suspicious communication on the target PC. For example, when an alert indicating that suspicious communication has been detected is output from a malware detection product, the condition "communication" is satisfied.

The condition "logon" of the information source "L4b" means that the target PC is logged on within the target period. The target period is set to, for example, a predetermined period (for example, 2 hours) before the time when malware infection is detected on a certain PC. Whether or not the target PC is logged on within the target period corresponds to the condition "logon" if there is a record indicating the logon of the target PC in the access history L4b corresponding to the target period.

The condition "FILE" of the information source "L3a" means that it can be determined from the APP access log L3a that the target PC holds a suspicious file (a program used for an attack, etc.). The condition "FILE" of the information source "L3b" means that it can be determined from the RF property log L3b that the target PC holds a file having the same name as the suspicious file in the shared folder 202a. In addition, in the determination regarding the condition "FILE" of the information source "L3b", a modification using the file list L2 having the same name may be adopted.

The condition "remote" of the information source "L4b" means that it is determined from the access history L4b that the target PC is remotely logged on. The condition "access" of the information source "L3a" means that it is determined from the APP access log L3a that the target PC has accessed the suspicious shared file 202b in the shared folder 202a.

For example, referring to the above condition "logon" and condition "remote", whether or not the target PC was remotely logged on during a predetermined period (target period) before the time when malware infection was detected on a certain PC. I understand. Operations and processes that cause malware infection are likely to be performed via remote operations by malicious parties. Therefore, it is preferable to include the target PC that is remotely logged on during the target period as the target of the investigation for investigating whether or not the operation or process that causes the malware infection is executed. For this reason, as described above, the above target period is set based on the time of malware infection.

The condition "failure" of the information source "L4b, L3a" is that the target PC fails to access or log on to another PC or FSV201 a predetermined number of times (for example, 5 times) or more from the access history L4b and the APP access log L3a. It means that it is judged.

The number in the leftmost column of the state determination table 111a is an item number. LvX, Lv0, Lv1, Lv2, and Lv3 on the right side of the item number indicate the status of another PC (access source) accessing the target PC or another PC (access destination) accessed by the target PC. Represents. On the other hand, Lv0, Lv1, Lv2, and Lv3 in the rightmost column of the state determination table 111a represent the degree of risk (degree of infection risk) in the target PC.

Lv3 represents a case where a suspicious operation or communication and a suspicious file are confirmed (a state of high risk). Lv2 represents a case (state during risk) in which suspicious operation or communication is confirmed. Lv1 represents a case where a suspicious file is confirmed (a state of low risk). Lv0 represents a case where suspicious operation, suspicious communication, and suspicious file are not confirmed (risk minimum state). LvX represents a case where the infection risk has not been determined (risk undetermined state).

In the state determination table 111a, "◯" means that the condition is satisfied, and "x" means that the condition is not applicable. In addition, "-" means that it does not matter whether the condition is met or not. The relationship between the combination of specific conditions and the degree of danger is as shown in the state determination table 111a shown in FIGS. 6 and 7.

However, the conditions illustrated in FIGS. 6 and 7 are examples, and conditions may be added or some conditions may be added depending on the types of alerts that can be acquired and the contents of conditions that can be realistically determined. It may be omitted. Such deformation is also possible.

The determination result based on the above-mentioned state determination table 111a is recorded in the determination result table 111b shown in FIG. FIG. 8 is a diagram showing an example of a determination result table according to the second embodiment. Information on the state of the target PC and information on the state of the access source or access destination PC (access PC) of the target PC are recorded in the determination result table 111b. The method of recording information in the determination result table 111b will be described later.

(Log information)
Next, the log information 111c will be further described with reference to FIGS. 9 to 15.
First, refer to FIG. FIG. 9 is a diagram showing an example of the property update history included in the log information according to the second embodiment.

The property update history L1 is a history of properties related to a file (target file) in the shared folder 202a. Properties include, for example, information such as modification date / time, access date / time, creation date / time, file size, setting change contents, file owner, attributes (read permission, etc.). For example, if the property of the target file is acquired and added to the property update history L1 each time the property of the target file is updated, the property update history L1 as shown in FIG. 9 can be obtained.

Next, refer to FIG. FIG. 10 is a diagram showing an example of a file list having the same name included in the log information according to the second embodiment.
The file list L2 with the same name is information about a local file (file with the same name) having the same name as the file (target file) in the shared folder 202a. In the example of FIG. 10, in the file list L2 with the same name, the name (PC name) of the PC holding the file with the same name, the update date / time, size, hash value, owner, creation date / time, and location (local folder of the PC) of the file with the same name are displayed. is described. The hash value is a value obtained by inputting a file having the same name into the hash function. The identity of the files can be easily determined by comparing the hash values.

Next, refer to FIG. FIG. 11 is a diagram showing an example of an APP access log among the file access logs included in the log information according to the second embodiment.
The APP access log L3a is a set of logs output by the application software of each PC. In the example of FIG. 11, the APP access log L3a contains the date and time when the log occurred, the event that caused the log, the path to the target file of the event, the owner of the target file, the PC name, the user name, and the information source. is described.

The information source described in the APP access log L3a is information indicating which application software log is used. By referring to the APP access log L3a, it can be determined whether or not the application software has accessed the file in the shared folder 202a.

Next, refer to FIG. FIG. 12 is a diagram showing an example of an RF property log among the file access logs included in the log information according to the second embodiment.
The RF property log L3b is a set of logs obtained from the property (shared file property) of the file in the shared folder 202a. In the example of FIG. 12, in the RF property log L3b, the date and time when the log occurred, the event that caused the log, the path to the target file of the event, the size of the target file, the content of the setting change, the owner of the target file, And the information source (shared file property) is described.

Next, refer to FIG. FIG. 13 is a diagram showing an example of the LF property log among the file access logs included in the log information according to the second embodiment.
The LF property log L3c is a set of logs obtained from the property (file property) of the file in the local folder of each PC. In the example of FIG. 13, in the LF property log L3c, the date and time when the log occurred, the event that caused the log, the path to the target file of the event, the size of the target file, the owner of the target file, the PC name, and the user name. , And the information source (file property) are described.

Next, refer to FIG. FIG. 14 is a diagram showing an example of an alert history among the event logs included in the log information according to the second embodiment. As shown in FIG. 14, the alert history L4a includes the date and time when the alert occurred, the event that caused the alert, the path to the event target file (“−” in the case of an event without a target file), and the PC. The name and information source (malware detection product) are described.

Next, refer to FIG. FIG. 15 is a diagram showing an example of an access history among the event logs included in the log information according to the second embodiment. As shown in FIG. 15, the access history L4b contains the date and time when the event (logon, log-off, or access attempt) occurred, the content of the event, and the path to the target file of the event (in the case of an event without a target file, "-". ”), The PC name, the user name, and the form of logon are described.

The form of logon indicates whether it is a local logon that directly logs on to a PC or a remote logon that is performed via another PC. Further, in the case of remote logon, the information of the PC used for logon is described in the access history L4b. For example, "via PC # 3" in the logon column means a form of logon in which a user logs on remotely via PC # 3.

(Collecting log information and generating logs for analysis)
Of the log information 111c, the analysis log L5 is obtained by integrating the above file access log L3 and event log L4. FIG. 16 is a diagram showing an example (for PC # 1) of the analysis log included in the log information according to the second embodiment. FIG. 17 is a diagram showing an example (for PC # 2) of the analysis log included in the log information according to the second embodiment.

The analysis log L5 is generated for each target PC. For example, when the various logs shown in FIGS. 11 to 15 are integrated for PC # 1, the analysis log L5 as shown in FIG. 16 can be obtained. As shown in FIG. 16, in the analysis log L5, the date and time when the event occurred, the content of the event, the path to the target file of the event (“-” if there is no target file), the PC name, the user name, and the logon. Form and source of information are included.

For example, the information regarding the event "logon" is obtained from the access history L4b included in the event log L4. Information about the event "file creation" targeting "C: \ exp.docx" (local file) can be obtained from the LF property log L3c. Information about the event "file creation" targeting "\\ FSV \ exp.docx" (shared file) can be obtained from the RF property log L3b.

As described above, the analysis log L5 for PC # 1 can be obtained by extracting the information about PC # 1 from the file access log L3 and the event log L4 and arranging them in the order of the oldest occurrence date and time. Similarly, by extracting information about PC # 2 from the file access log L3 and the event log L4 and arranging them in chronological order from the oldest occurrence date and time, the analysis log L5 for PC # 2 as shown in FIG. 17 can be obtained.

(Log accumulation, risk judgment, output of judgment result)
See FIG. 5 again.
The alert monitoring unit 112 monitors the alert output by the malware detection product. When an alert is output from the malware detection product, the alert monitoring unit 112 stores the content of the alert as an alert history L4a in the storage unit 111. The alert monitoring unit 112 may acquire an alert notified to each PC from each PC and store the content of the acquired alert in the storage unit 111 as an alert history L4a.

The history collection unit 113 collects the log by the application software of each PC, the property log of the local file accumulated in each PC, and the shared file property log. Then, the history collection unit 113 stores the collected logs in the storage unit 111 as the APP access log L3a, the RF property log L3b, and the LF property log L3c.

The accumulation of the APP access log L3a is carried out, for example, by the procedure as shown in FIG. FIG. 18 is a diagram for explaining the accumulation of the APP access log according to the second embodiment.
In the example of FIG. 18, the application software installed on the PC # 1 is accessing the file (shared file) in the shared folder 202a. At this time, the application software stores information such as the occurrence date and time described in the APP access log L3a in the PC # 1. The information stored in the PC # 1 in this way is collected by the history collecting unit 113 and stored in the storage unit 111 as the APP access log L3a. The same applies to other PCs.

Further, the accumulation of the RF property log L3b is carried out, for example, by the procedure as shown in FIG. FIG. 19 is a diagram for explaining the accumulation of RF property logs according to the second embodiment.

In the example of FIG. 19, PC # 1 monitors the update of the shared file property, and PC # 1 acquires the information of the shared file property at the update timings t1, t2, and t3. At this time, PC # 1 accumulates information such as the date and time of occurrence described in the RF property log L3b. The information stored in the PC # 1 in this way is collected by the history collecting unit 113 and stored in the storage unit 111 as the RF property log L3b. The same applies to other PCs.

The risk assessment unit 114 determines the degree of danger of each PC based on the state determination table 111a. For example, when the malware infection of PC # 2 is notified, the risk assessment unit 114 integrates the file access log L3 and the event log L4 whose occurrence date and time is before the notification to generate the analysis log L5 of each PC. The risk level of each PC is determined based on the state determination table 111a. The display control unit 115 outputs the determination result by the risk evaluation unit 114.

For example, the display control unit 115 outputs information as shown in FIG. 20 to the display screen 203. FIG. 20 is a diagram for explaining the output of the analysis result (malware infection risk) according to the second embodiment.

In the example of FIG. 20, the connection relationship of FSV, PC # 1, ..., # 6 is shown on the display screen 203, and the degree of risk (magnitude of malware infection risk) depends on the color of FSV, PC # 1, ..., # 6. Is expressed. By adopting such expressions, it becomes easy to take measures promptly and appropriately, such as narrowing down the infection range, estimating the infection route, and identifying the cutting route.

The function of the information processing apparatus 101 has been described above.
[2-4. Processing flow]
Hereinafter, the flow of processing executed in the information processing system 100 will be described, and the functions of the information processing apparatus 101 and each PC will be supplemented.

In the following, for convenience of explanation, the description will proceed with an example of a situation in which the information processing system 100 includes PC 102, 103, ..., 105. Further, PC 102, 103, ..., 105 may be referred to as PC # 1, PC # 2, ..., PC # 4, respectively.

Further, when the functions of PC 102, 103, ..., 105 are realized by using the hardware of FIG. 4, the process described below can be executed by using CPU 902 or the like. When accumulating logs, PC 102, 103, ..., 105 use RAM 906, a storage unit 920, a removable recording medium 928, or an external storage connected via a communication unit 926 or a connection port 924 to store logs. Use.

(Sequence: Information processing system)
First, with reference to FIG. 21, the overall flow of processing executed by the information processing system 100 will be described. FIG. 21 is a sequence diagram for explaining the operation of the information processing system according to the second embodiment.

(S101) The information processing apparatus 101 monitors the alert output from the malware detection product by the alert monitoring unit 112. When an alert is output from the malware detection product, the alert monitoring unit 112 stores the content of the output alert in the storage unit 111 as the alert history L4a of the event log L4.

(S102, S103, S104) As shown in FIG. 18, the PC 102 monitors the access to the shared folder 202a by the application software and accumulates the access log of the application software. Like the PC 102, the PC 103, ..., 105 also accumulate the access log of the application software. The access log of the application software accumulated by the PCs 102, 103, ..., 105 is used as the APP access log L3a (see FIG. 11).

Further, as shown in FIG. 19, the PC 102 monitors the shared file property of the file in the shared folder 202a, and acquires the information of the shared file property at the timing when the shared file property is updated. The shared file property monitored by the PC 102 may be only the shared file property of the file owned by the PC 102.

The PC 102 stores the acquired shared file property information as a shared file property log. Like PC 102, PC 103, ..., 105 also accumulate shared file property logs. The shared file property log accumulated by PC 102, 103, ..., 105 is used as the RF property log L3b (see FIG. 12).

Further, the PC 102 monitors the file property of the local file and accumulates the file property information as a file property log at the timing when the file property is updated. Like PC102, PC103, ..., 105 also accumulate file property logs. The file property log accumulated by PC 102, 103, ..., 105 is used as the LF property log L3c (see FIG. 13).

(S105, S106) The information processing apparatus 101 receives, for example, a notification (infection notification) from the malware detection product that the PC 103 (PC # 2) is suspected of being infected with malware by the alert monitoring unit 112. In this case, the information processing apparatus 101 generates the determination result table 111b (see FIG. 8) in the initial state by the risk assessment unit 114, and uses the information of the starting point PC (PC # 2 in this example) as the determination result table. Described in 111b. In the initial state, only the value is described in the "name" column and the "log" column of the target PC.

For example, the risk assessment unit 114 describes FSV, PC # 1, PC # 2, ..., PC # 4 in the "name" column of the target PC, and "none", PC # 1 in the "log" column of the FSV. , PC # 2, ..., Generates a determination result table 111b in which "Yes" is described in the "Log" column of PC # 4.

Further, the risk assessment unit 114 describes the state (Lv3) of PC # 2, which is the target of the infection notification, in the corresponding column of the determination result table 111b (the "state" column corresponding to the name "PC # 2" of the target PC). do. Further, the risk assessment unit 114 describes "[starting point]" in the "name" column and "LvX" in the "status" column of the access PC corresponding to the name "PC # 2" of the target PC.

Although PC # 2, which is the target of the infection notification, is set as the starting point here, another PC may be set as the starting point.
(S107) The information processing apparatus 101 sends a log information transmission request to PCs 102, 103, ..., 105 (target PCs in which the "log" column of the determination result table 111b is "yes") by the history collection unit 113. .. For example, the history collection unit 113 notifies the PCs 102, 103, ..., 105 of the time when the malware infection of PC # 2 is detected or the time when the infection notification is received (starting time), and the predetermined period before that time ( For example, it requests transmission of log information regarding an event that occurred in 2 hours).

(S108) PCs 102, 103, ..., 105 receive a log information transmission request from the information processing device 101, and transmit the log information to the information processing device 101 in response to the transmission request.
For example, the PCs 102, 103, ..., 105 transmit log information including the access log of the application software, the shared file property log, and the file property log of the local file accumulated in each to the information processing apparatus 101. When the information processing apparatus 101 has notified the starting point time, the PCs 102, 103, ..., 105 may extract log information whose event occurrence date and time is before the starting point time and transmit it to the information processing apparatus 101.

(S109) The information processing apparatus 101 generates the APP access log L3a, the RF property log L3b, and the LF property log L3c from the log information received from the PC 102, 103, ..., 105 by the risk assessment unit 114. Further, the risk assessment unit 114 has an analysis log L5 corresponding to each of the PC 102, 103, ..., 105 based on the APP access log L3a, the RF property log L3b, and the LF property log L3c (see FIGS. 16 and 17). To create.

(S110) The information processing apparatus 101 collates the analysis log L5 with the state determination table 111a by the risk assessment unit 114, and sequentially determines the states of the PC 102, PC 104, ..., 105.

For example, the risk assessment unit 114 refers to the analysis log L5 for PC # 2 and identifies a PC or FSV that has evidence of access by the starting point PC 103 (PC # 2). Then, the risk assessment unit 114 determines the state of the specified PC or FSV, and describes the determination result in the determination result table 111b.

Further, the risk assessment unit 114 identifies an undetermined PC or FSV that is an access destination or an access source of the determined PC or FSV, and describes the determination result regarding the state of the identified PC or FSV in the determination result table 111b. .. In such a procedure, the risk assessment unit 114 sequentially determines the states of the PC and the FSV.

(S111) The information processing apparatus 101 outputs the states of the PC and the FSV based on the state determination table 111a by the display control unit 115. For example, as shown in FIG. 20, the display control unit 115 displays the connection relationship between the PC and the FSV on the display screen 203, and colors the display object representing each PC and the FSV according to the state. When the processing of S111 is completed, the series of processing shown in FIG. 21 is completed.

(Accumulation of APP access log: PC)
Here, with reference to FIG. 22, the flow of the process (corresponding to a part of S102) for accumulating the access log (log corresponding to the APP access log L3a) of the application software will be further described. FIG. 22 is a flow chart showing a flow of processing related to the accumulation of the APP access log according to the second embodiment. Here, the processing by the PC 102 (PC # 1) will be described as an example, but the same applies to the PC 103, ..., 105.

(S121) PC102 refers to the access log of the installed application software.
Some application software has a function of recording a history (access log) such as a file path, an access date and time, and an access content of a recently accessed file, for example.

For example, widely used presentation software records "recently used presentations" as its own access log. In addition, this access log is saved as a shortcut file. Therefore, the file path information can be obtained from the link destination of the saved shortcut file, and the access date and time information can be obtained from the update date and time of the shortcut file.

(S122) The PC 102 determines whether or not the access log of the application software has been updated. If the access log has been updated, the process proceeds to S123. On the other hand, if the access log is not updated, the process proceeds to S124.

(S123) The PC 102 extracts information related to file access (for example, the above file path, access date and time, access content) from the access log referred to in S121, and holds it as an access log used as the APP access log L3a.

(S124) The PC 102 determines whether or not to end the accumulation of the access log. For example, when the power of the PC 102 is turned off, the application software is terminated, or the user explicitly terminates the operation, the PC 102 determines that the accumulation of the access log is terminated. When the accumulation of the access log is terminated, the series of processes shown in FIG. 22 is terminated. On the other hand, if the accumulation of the access log is not completed, the process proceeds to S121.

(Accumulation of RF property log: PC)
Next, with reference to FIG. 23, the flow of processing (corresponding to a part of S102) related to the accumulation of the shared file property log (log corresponding to the RF property log L3b) will be further described. FIG. 23 is a flow chart showing a flow of processing related to the accumulation of RF property logs according to the second embodiment. Here, the processing by the PC 102 (PC # 1) will be described as an example, but the same applies to the PC 103, ..., 105.

(S131) The PC 102 refers to the property (shared file property) of the file in the shared folder 202a that has been accessed in the past. The reference timing of the shared file property is set to, for example, "every 5 minutes" or "every day at midnight".

(S132) The PC 102 determines whether or not there is a target file (file corresponding to the referenced shared file property). If there is a target file, the process proceeds to S133. On the other hand, if there is no target file, the process proceeds to S135.

(S133) The PC 102 determines whether or not the shared file property of the target file has been updated. If the shared file property has been updated, the process proceeds to S134. On the other hand, if the shared file property is not updated, the process proceeds to S135.

(S134) The PC 102 acquires information (file creation date / time, path, size, owner, etc.) from the referenced shared file property, and holds it as a shared file property log used as the RF property log L3b.

(S135) The PC 102 determines whether or not to end the accumulation of the shared file property log. For example, when the power of the PC 102 is cut off, the communication between the PC 102 and the FSV 201 is cut off, or the user explicitly terminates the operation, the PC 102 determines that the storage of the shared file property log is terminated. When the accumulation of the shared file property log is terminated, the series of processes shown in FIG. 23 is terminated. On the other hand, if the accumulation of the shared file property log is not completed, the process proceeds to S131.

(Accumulation of LF property log: PC)
Next, with reference to FIG. 24, the flow of processing (corresponding to a part of S102) related to the accumulation of the file property log (log corresponding to the LF property log L3c) will be further described. FIG. 24 is a flow chart showing a flow of processing related to the accumulation of the LF property log according to the second embodiment. Here, the processing by the PC 102 (PC # 1) will be described as an example, but the same applies to the PC 103, ..., 105.

(S141) The PC 102 monitors an operation on a local file having the same name as the file in the shared folder 202a.
For example, when the file in the shared folder 202a is copied to the PC 102, an operation in which a file having the same name as the file in the shared folder 202a is created in the PC 102 or an operation in which the local file having the same name is overwritten is detected. Further, when the file in the local folder overwrites the file having the same name in the shared folder 202a, the operation of reading the file in the local folder is detected.

(S142) The PC 102 determines whether or not the target operation (operation on a local file having the same name as the file in the shared folder 202a) is detected. When the target operation is detected, the process proceeds to S143. On the other hand, if the target operation is not detected, the process proceeds to S145. The monitoring of the target operation may be performed at a preset timing, or may be continuously performed during the period when the power of the PC 102 is turned on.

(S143, S144) The PC 102 creates a file list having the same name that describes information about a local file having the same name, and information on the target operation is stored in the file list having the same name (in the file list L2 having the same name illustrated in FIG. 10 to PC # 1). Add to (corresponds to the corresponding record). Further, the PC 102 holds the contents of the operation for the local file having the same name as the file property log used as the LF property log L3c.

(S145) The PC 102 determines whether or not to end the accumulation of the file property log. For example, when the power of the PC 102 is cut off, the communication between the PC 102 and the FSV 201 is cut off, or the user explicitly terminates the operation, the PC 102 determines that the accumulation of the file property log is terminated. When the accumulation of the file property log is terminated, the series of processes shown in FIG. 24 is terminated. On the other hand, if the accumulation of the file property log is not completed, the process proceeds to S141.

When using the same standard file list for attribute information other than the name, in the above processing, the same standard file is processed in the same way as the file with the same name.
(Generation of analysis log: Information processing device)
Next, with reference to FIG. 25, the flow of the process (corresponding to S109) related to the generation of the analysis log L5 will be further described. FIG. 25 is a flow chart showing the flow of the analysis log generation process according to the second embodiment. It is assumed that the APP access log L3a, the RF property log L3b, and the LF property log L3c are stored in the storage unit 111.

(S151) The risk assessment unit 114 selects an unselected PC as a target PC.
(S152, S153, S154) The risk assessment unit 114 acquires the occurrence date / time, event, path, and PC name from the record corresponding to the target PC in the APP access log L3a (see FIG. 11). Further, the risk assessment unit 114 acquires the occurrence date / time, event, path, PC name, user name, and logon status from the record corresponding to the target PC in the RF property log L3b (see FIG. 12). Further, the risk assessment unit 114 acquires the occurrence date / time, event, path, and PC name from the record corresponding to the target PC in the LF property log L3c (see FIG. 13).

(S155, S156) The risk assessment unit 114 acquires the occurrence date / time, event, path, and PC name from the record corresponding to the target PC in the alert history L4a (see FIG. 14). Further, the risk assessment unit 114 acquires the occurrence date / time, the event, the PC name, the user name, and the logon status from the record corresponding to the target PC in the access history L4b (see FIG. 15).

(S157, S158) The risk assessment unit 114 arranges the information acquired in S152 to S154 in chronological order and records it in the storage unit 111 as an analysis log L5 (see FIGS. 16 and 17) for the target PC. When the target PC has been selected (when there is no unselected PC as the target PC), the series of processes shown in FIG. 25 ends. On the other hand, if there is an unselected PC as the target PC, the process proceeds to S151.

(Determination process)
Next, the flow of the determination process (corresponding to S110) will be further described with reference to FIGS. 26 and 27. FIG. 26 is a first flow chart showing the flow of the determination process according to the second embodiment. FIG. 27 is a second flow chart showing the flow of the determination process according to the second embodiment. It is assumed that the analysis log L5 for each PC is stored in the storage unit 111.

(S161) The risk assessment unit 114 sets a period to be analyzed. For example, the risk assessment unit 114 sets a predetermined period (for example, 2 hours) before the time when the malware infection is detected by the malware detection product or the time when the infection notification is received as the analysis target period. However, the risk assessment unit 114 may include a certain period after the infection notification in the period to be analyzed.

(S162, S163) The risk assessment unit 114 generates the determination result table 111b, and sets the information of the PC as the starting point in the determination result table 111b. In the example of FIG. 21, the initial state of the determination result table 111b is set at the timing of S106, but as shown in FIG. 26, the initial state may be set at the timing of S110. Further, the risk assessment unit 114 generates a target list for registering the PC or FSV (target device) to be the target of the determination process, and registers the starting PC in the target list.

(S164) The risk assessment unit 114 determines whether or not the target list is empty. When the target list is empty, the series of processes shown in FIGS. 26 and 27 ends. On the other hand, if the target list is not empty, the process proceeds to S165.

(S165, S166) The risk assessment unit 114 selects one target device from the target list. Further, the risk assessment unit 114 determines whether or not the selected target device is an FSV. If the target device is an FSV, the process proceeds to S167. On the other hand, if the target device is not an FSV (if it is a PC), the process proceeds to S170.

(S167) The risk assessment unit 114 detects an alert for FSV with reference to the alert history L4a. Further, the risk assessment unit 114 refers to the analysis log L5 of each PC and detects a PC (access PC) whose access destination or access source is the FSV.

(S168) The risk assessment unit 114 refers to the state determination table 111a (see FIGS. 6 and 7) and identifies the state of the access PC and the state corresponding to the alert. Further, the risk assessment unit 114 records the specified state in the determination result table 111b.

(S169) The risk assessment unit 114 detects a PC (undetermined PC) whose state is LvX from the access PCs detected in S167. In addition, the risk assessment unit 114 adds the detected PC to the target list and deletes the FSV from the target list. When the processing of S169 is completed, the processing proceeds to S172.

(S170) The risk assessment unit 114 refers to the state determination table 111a and identifies the state corresponding to the analysis log L5 of the target device (PC). Further, the risk assessment unit 114 records the specified state in the determination result table 111b.

(S171) The risk assessment unit 114 refers to the analysis log L5 of each PC and detects a PC or FSV (access PC) whose access destination or access source is the target device (PC). Further, the risk assessment unit 114 detects a PC or FSV (PC or FSV which has not been determined) whose state is LvX among the detected access PCs. Then, the risk assessment unit 114 adds the detected PC or FSV to the target list, and deletes the target device (PC) from the target list.

(S172) The risk assessment unit 114 records the name of the target device and the state of the target device in the “access PC” column of the determination result table 111b in which the PC or FSV added to the target list is the target PC. When the processing of S172 is completed, the processing proceeds to S164.

By executing the processes shown in FIGS. 26 and 27, for example, the determination result table 111b as shown in FIG. 8 can be obtained.
Here, with reference to FIG. 28, the transition of the determination result table 111b in the process of the determination process described above will be described. FIG. 28 is a diagram for explaining the flow of the determination process and the update process of the determination result table according to the second embodiment. In the example of FIG. 28, it is assumed that the information processing system 100 includes four PCs # 1, # 2, # 3, and # 4.

FIG. 28A is an example showing the initial state of the determination result table 111b.
The risk assessment unit 114 describes FSV, PC # 1, # 2, # 3, and # 4 in the "name" column of the target PC in the determination result table 111b. Further, considering that log information such as an access log cannot be obtained from the FSV, the risk assessment unit 114 describes "None" in the "log" column corresponding to the FSV. On the other hand, since log information can be obtained from PCs # 1, # 2, # 3, and # 4, the risk assessment unit 114 has "Yes" in the "log" column corresponding to PCs # 1, # 2, # 3, and # 4. ".

For example, when a notification of malware infection targeting PC # 2 is received, the risk assessment unit 114 determines that the infection risk of PC # 2 is the maximum, and determines that the “state” of the target PC corresponding to PC # 2. Describe "Lv3" in the column. In addition, the risk assessment unit 114 determines a PC as a starting point when carrying out an investigation of the infection range. For example, the risk assessment unit 114 uses the PC (PC # 2 in this example), which is the target of the infection notification, as the starting point of the investigation. The starting point PC may be set to a PC other than the PC targeted for the infection notification.

When PC # 2 is the starting point, the risk assessment unit 114 describes [starting point] in the "name" column and "LvX" in the "status" column of the access PC corresponding to PC # 2.
Here, as information for identifying the starting PC, predetermined information is described in the "name" column and the "status" column of the access PC corresponding to the starting PC, but the starting PC is used. The representation of information about the starting point may be modified, such as by using a flag to identify it. According to the above description, the determination result table 111b in the initial state is generated. At this time, the display control unit 115 may display the state corresponding to the determination result table 111b in the initial state on the display screen 203.

FIG. 28B is an example showing the progress of infection investigation on the access destination of the starting point PC # 2 or the access source PC or FSV.
In the example of FIG. 28, there is an access of PC # 2 to the FSV and an access to PC # 2 by PC # 4. That is, PC # 2 is an access PC for FSV and PC # 4. In this case, the risk assessment unit 114 describes "PC # 2" in the "name" column and "Lv3" (state of PC # 2) in the "status" column of the access PC corresponding to the FSV. Similarly, the risk assessment unit 114 describes "PC # 2" in the "name" column and "Lv3" in the "status" column of the access PC corresponding to PC # 4.

Further, the risk assessment unit 114 collates the status of the alert history L4a and PC # 2 (FSV access PC) relating to the FSV which is the access PC of the PC # 2 with the status determination table 111a, and determines the status of the FSV. In the example of FIG. 28, the state of FSV corresponds to "Lv3". In this case, the risk assessment unit 114 describes "Lv3" in the "state" column of the target PC corresponding to the FSV.

Further, the risk assessment unit 114 collates the analysis log L5 relating to PC # 4, which is the access PC of PC # 2, with the state determination table 111a, and determines the state of PC # 4. In the example of FIG. 28, the state of PC # 4 corresponds to “Lv1”. In this case, the risk assessment unit 114 describes "Lv1" in the "state" column of the target PC corresponding to PC # 4.

The display control unit 115 may display the state of each PC on the display screen 203 based on the determination result table 111b corresponding to the state (B) in the middle of the infection investigation. For example, the display control unit 115 connects the accessible PCs and the PCs with the FSV by a line, and expresses the state of each PC that has been determined by the risk assessment unit 114 by a color or the like.

FIG. 28C is an example showing a situation in which an infection investigation is executed by sequentially selecting a PC for which a determination result is obtained and an FSV access PC.
In the state (B) of FIG. 28, the infection investigation of PC # 2, # 4, and FSV is completed. In this case, the risk assessment unit 114 refers to, for example, the analysis log L5 of PC # 1 and # 3, and identifies a PC (access PC) having access to any of PC # 2, # 4, and FSV. .. In the example of FIG. 28, there is access of PC # 1 to the FSV. In this case, the risk assessment unit 114 describes "FSV" in the "name" column and "Lv3" (FSV status) in the "status" column of the access PC corresponding to PC # 1 in the determination result table 111b. ..

Further, the risk assessment unit 114 collates the analysis log L5 of the PC # 1 with the state determination table 111a to determine the state of the PC # 1. In the example of FIG. 28, the state of PC # 1 is determined to be "Lv2". In this case, the risk assessment unit 114 describes "Lv2" in the "state" column of the target PC corresponding to PC # 1.

Further, the risk assessment unit 114 searches for the access PC of PC # 3 with reference to the analysis log L5 of PC # 3. In the example of FIG. 28, PC # 1 is the access PC of PC # 3. In this case, the risk assessment unit 114 has "PC # 1" in the "name" column and "Lv2" (state of PC # 1) in the "status" column of the access PC corresponding to PC # 3 in the determination result table 111b. ). Further, the risk assessment unit 114 collates the analysis log L5 of the PC # 3 with the state determination table 111a to determine the state of the PC # 3, and determines the determination result (“Lv2” in this example) of the target PC. Describe in the "Status" column.

By the above processing, the infection investigation is completed, and the determination result table 111b in which the state of each PC is described is obtained. The display control unit 115 displays the status of each PC and the presence / absence of access between PCs or between PCs and FSVs on the display screen 203 based on the determination result table 111b. By applying the above method, even if log information cannot be obtained from the FSV, it is possible to sequentially determine the states of the accessed PC and the FSV in order from the starting PC. As a result, it becomes easier to grasp the range of infection, which contributes to the suppression of the spread of infection.

[2-5. Modification example]
Here, a modified example of the second embodiment will be described with reference to FIGS. 29 to 31. FIG. 29 is a diagram showing an example of a non-tracking rule table according to a modification of the second embodiment. FIG. 30 is a diagram showing an example of a non-tracking machine table according to a modification of the second embodiment. FIG. 31 is a flow chart showing the flow of the process of adding the PC to the target list according to the modified example of the second embodiment.

So far, we have explained how to proceed with infection investigation while sequentially tracking PCs and FSVs that are accessed starting from a specific PC. By applying this method, it is possible to investigate the extent of infection without omission. On the other hand, when the information processing system 100 includes a large number of PCs and FSVs, the investigation time may become long. Therefore, in this modification, we propose a method (high-speed method) to shorten the investigation time by proceeding with the investigation targeting PCs and FSVs with high infection risk and excluding some PCs and FSVs from the tracking targets.

In adopting the speed-up method, a non-tracking rule table 111d as shown in FIG. 29 and a non-tracking machine table 111e as shown in FIG. 30 are introduced. The non-tracking rule table 111d and the non-tracking machine table 111e are stored in the storage unit 111.

As shown in FIG. 29, the non-tracking rule table 111d associates a non-tracking network address with a forced tracking condition. Non-tracking network addresses are the range of network addresses that are excluded from the tracking of infection investigations. The compulsory follow-up condition is a condition to be compulsorily included in the follow-up target of the infection investigation. The non-tracking network address and forced tracking conditions are set in advance by an administrator or the like.

For example, the part "Lv1, Lv3" in the "status" column means that a PC or FSV whose status is Lv1 or Lv3 is included in the tracking target of the infection investigation even if it corresponds to a non-tracking network address. In addition, even if the part with "PC # 1 and PC # 2" in the "PC name" column corresponds to a non-tracking network address, PC # 1 and PC # 2 are included in the tracking target of the infection investigation. means.

On the other hand, as shown in FIG. 30, the non-tracking machine table 111e has items of tracking interrupted PC, access PC / FSV, and network address. The non-tracking machine table 111e is a table for storing information on the PC or FSV when the tracking of the infection investigation is interrupted based on the non-tracking rule table 111d.

In the "tracking interrupted PC" column, information (PC name, etc.) of the PC or FSV corresponding to the non-tracking rule table 111d is described. In the "access PC / FSV" column, information on the PC or FSV that is the access source or access destination of the tracking interrupted PC is described. In the "network address" column, the non-tracking network address that is the condition for the suspension of tracking is described.

When the above speed-up method is applied, among the determination processes shown in FIGS. 26 and 27, the addition process to the target list executed in S171 is modified as shown in FIG. 31. Further, a process in which the network address is acquired in advance from each PC and the FSV by the history collecting unit 113 and stored in the storage unit 111 is added. Hereinafter, the processing of FIG. 31 will be described.

(S181) The risk assessment unit 114 refers to the analysis log L5 of each PC and detects a PC or FSV (access PC) whose access destination or access source is the target device (PC). Further, the risk assessment unit 114 detects a PC or FSV (PC or FSV which has not been determined) whose state is LvX among the detected access PCs.

(S182) The risk assessment unit 114 collates the detected network address of the PC or FSV with the non-tracking network address of the non-tracking rule table 111d, and determines whether or not the PC or FSV belongs to the non-tracking network address. To judge. If the PC or FSV belongs to a non-tracking network address, the process proceeds to S184. On the other hand, if the PC or FSV does not belong to the non-tracking network address, the process proceeds to S183.

(S183) The risk assessment unit 114 adds the detected PC or FSV to the target list, and deletes the target device (PC) from the target list. When the process of S183 is completed, the series of processes shown in FIG. 31 is completed.

(S184) The risk assessment unit 114 records the detected PC or FSV information in the non-tracking machine table 111e. At this time, the risk assessment unit 114 describes the name of the detected PC or FSV in the "tracking interruption PC" column, and describes the access PC name of the detected PC or FSV in the "access PC / FSV" column. The display control unit 115 outputs the information of the non-tracking machine table 111e to the display screen 203. When the process of S184 is completed, the series of processes shown in FIG. 31 is completed.

The second embodiment has been described above.
By applying the technology of the second embodiment, even in a situation where the FSV log information cannot be collected, the access to the FSV can be specified by using the update history of the file property and the log information held by each PC, and the system can be used. Contributes to the understanding of infection damage by the administrator. In addition, it is possible to follow up the infection damage along the accelerator route based on the access status to the FSV and each PC, and to grasp the range of infection spreading via the FSV and the PC. In addition, by outputting the access status and the status of each PC in a display method that makes it easy to grasp the status, the system administrator can easily grasp the status.

10 Information processing device 11 Storage unit 11a Execution history 11b Danger level information 12 Calculation unit 12a Notification 12b Processing 12c Output 21, 22, 23 Terminal device 30 Storage device A Target information NW network

Claims (5)

Based on the plurality of terminal devices properties information satisfies the stored information with the same name information or the information same standard as the accessible storage device updates the update processing of the plural terminal devices The information of the property is received from the executed terminal device, and the execution history of the terminal device is generated and stored in the storage unit based on the received information of the property.
When the notification indicating the malware infection risk of the first terminal device is acquired, the first terminal device among the plurality of terminal devices is based on the execution history of the plurality of terminal devices stored in the storage unit. Identify a second terminal that has a history of access to any of the information it holds .
The risk level of malware infection in the second terminal device is evaluated and evaluated based on the specified execution content in the second terminal device and the risk level information for associating the risk level of malware infection with the execution content. Output the result,
An output program characterized by having a computer perform processing. The output program is
Among the plurality of terminal devices, information having the same name as any of the above information or information satisfying the same criteria as any of the above information is possessed, and the same name is included in the target period including the update time of any of the above information. The terminal device in which the information of the above or the information satisfying the same criteria is copied to the storage device is specified as the second terminal device.
The output program according to claim 1, wherein the processing is executed by a computer. As the execution content, the risk information includes whether or not the plurality of terminal devices have a history of access to the information in the accessible storage device, whether or not the access involves remote logon, and the access. Or, including whether or not the number of failures of the remote logon is equal to or greater than the threshold value.
The execution content is specified based on the log information obtained from the plurality of terminal devices.
The output program according to claim 1 or 2. The plurality of terminal devices information of the same name that is stored in a storage device accessible information Homata based on the updated property information which satisfy the same criteria and the information, the updating of the plural terminal devices Information on the property is received from the terminal device that executed the process, and based on the received information on the property, the execution history of the terminal device is generated and stored in the storage unit.
When the notification indicating the malware infection risk of the first terminal device is acquired, the first terminal device among the plurality of terminal devices is based on the execution history of the plurality of terminal devices stored in the storage unit. There the second terminal device having a history of access to any information held Ru JP Teisu, have a computing unit,
The calculation unit has the risk level of malware infection in the second terminal device based on the specified execution content in the second terminal device and the risk level information for associating the risk level of malware infection with the execution content. Is evaluated and the evaluation result is output.
An information processing device characterized by this. The computer
The plurality of terminal devices information of the same name that is stored in a storage device accessible information Homata based on the updated property information which satisfy the same criteria and the information, the updating of the plural terminal devices Information on the property is received from the terminal device that executed the process, and based on the received information on the property, the execution history of the terminal device is generated and stored in the storage unit.
When the notification indicating the malware infection risk of the first terminal device is acquired, the first terminal device among the plurality of terminal devices is based on the execution history of the plurality of terminal devices stored in the storage unit. Identify a second terminal that has a history of access to any of the information it holds .
The risk level of malware infection in the second terminal device is evaluated and evaluated based on the specified execution content in the second terminal device and the risk level information for associating the risk level of malware infection with the execution content. Output the result,
An output method characterized by performing processing.

Images