JP7167585B2 - FAILURE DETECTION DEVICE, FAILURE DETECTION METHOD AND FAILURE DETECTION PROGRAM - Google Patents

Description

The present invention relates to a failure detection device, failure detection method, and failure detection program.

2. Description of the Related Art Conventionally, various devices that can be connected to a network have been known, and recently, smart devices, for example, devices called IoT (Internet Of Things), have become popular. With the spread of network-connectable devices, multiple devices are connecting to the network, but devices have vulnerabilities that lead to unintended third-party access and control of the device. Sometimes. In other words, devices with vulnerabilities may allow unintended connections and processes to be performed. Therefore, there is a demand for removing vulnerabilities from devices, and it is desired to manage multiple devices connected to a network. For example, in order to reduce the management of multiple devices, access the device via a router to acquire the settings, identify network vulnerabilities by matching the acquired settings with known vulnerability information, and repair them. A system for executing an action for performing is disclosed (see, for example, Patent Document 1).

JP 2017-174378 A

By the way, since a plurality of devices connectable to a network are accessed by individually determined different means of access, such as communication protocols, the load of device management increases according to the type of means of access to the devices.
When managing failures in a plurality of devices with different communication protocols, the present invention reduces the load of device management compared to an apparatus that acquires the settings of each of a plurality of devices using a common communication protocol and manages failures in the devices. It is an object of the present invention to provide a failure detection device, a failure detection method, and a failure detection program capable of suppressing the increase.

A failure detection apparatus according to a first aspect of the present disclosure includes a recording unit that records, as a communication record, each communication protocol used in communication with each of a plurality of devices connected to a network; , based on the communication protocol recorded in the communication record and information associated with the communication protocol indicating vulnerability related to communication of the device in the communication protocol, and a fault detection unit that detects each of the predicted faults.

A second aspect of the present disclosure is the failure detection device according to the first aspect , wherein when the failure detection unit detects the failure, a failure presence process corresponding to the detection of the failure is performed, and An execution unit that, when the fault is not detected, executes fault-no-processing corresponding to the fault not being detected.

A third aspect of the present disclosure is the failure detection device according to the second aspect , wherein the failure-present process is a process of informing the user of the presence of the failure, and the failure-free process notifies the user of This is the process of reporting the absence of the obstacle.

A fourth aspect of the present disclosure is the failure detection device according to any one of the first to third aspects , wherein the failure is vulnerability related to communication of the device.

A fifth aspect of the present disclosure is the fault detection device according to the fourth aspect , wherein the vulnerability is detected using information associated with the communication protocol and indicating vulnerability in the communication protocol.

A sixth aspect of the present disclosure is the failure detection device according to the fifth aspect , wherein the information indicating vulnerability is information indicating vulnerability of a management protocol used in a communication protocol.

A seventh aspect of the present disclosure is the fault detection device according to any one of the first to sixth aspects , wherein the plurality of devices are internal connection devices connected to a predetermined internal network, and predetermined An externally connected device connected to an external network is included , and the failure detection unit detects a failure expected to occur in the communication protocol for the externally connected device.

In a failure detection method according to an eighth aspect of the present disclosure , a computer records, as a communication record, each communication protocol used in communication with each of a plurality of devices connected to a network, and in each of the plurality of devices On the other hand, what happens in the communication protocol based on the communication protocol recorded in the communication record and information associated with the communication protocol indicating vulnerability related to communication of the device in the communication protocol is a fault detection method that detects each of the predicted faults.

A fault detection program according to a ninth aspect of the present disclosure records, in a computer , each communication protocol used in communication with each of a plurality of devices connected to a network as a communication record, and in each of the plurality of devices, On the other hand, what happens in the communication protocol based on the communication protocol recorded in the communication record and information associated with the communication protocol indicating vulnerability related to communication of the device in the communication protocol is a fault detection program that executes processing for detecting each of the predicted faults.

According to the first aspect, the eighth aspect, and the ninth aspect , when managing failures in a plurality of devices with different communication protocols, the device failures are managed by acquiring the settings of each of the plurality of devices with a common communication protocol. It has the effect of being able to suppress an increase in device management load compared to a device.
According to the second aspect and the third aspect , there is an effect that it is possible to assist execution of appropriate processing corresponding to the failure detection result, compared to the case where only failure detection processing is performed.
According to the fourth aspect and the fifth aspect , there is an effect that the load of device management can be further suppressed by targeting vulnerabilities related to communication, compared to the case of uniformly detecting failures. .
According to the sixth aspect , it is possible to improve the detection accuracy of fault detection as compared with the case where the management protocol is not targeted.
According to the seventh aspect , there is an effect that a failure can be detected according to the network to which the device is connected compared to the case of detecting a failure in a common network environment.

1 is a block diagram showing an example of the configuration of a network system according to a first embodiment; FIG. 4 is a flow chart showing an example of the flow of processing of a control program according to the first embodiment; FIG. 4 is an image diagram showing an example of a communication record according to the first embodiment; FIG. It is an image figure which shows an example of the vulnerability list|wrist which concerns on 1st Embodiment. FIG. 4 is an image diagram showing an example of a management protocol correspondence list according to the first embodiment; FIG. 4 is an image diagram showing an example of a management protocol vulnerability list according to the first embodiment; 9 is a flow chart showing an example of the flow of processing of a control program according to the second embodiment; FIG. 11 is an image diagram showing an example of a failure list in which definition information in which a failure level is set for each item indicating vulnerability is listed according to the third embodiment; FIG. 11 is a flow chart showing an example of the flow of processing of a control program according to the third embodiment; FIG.

An example of a failure detection device according to an embodiment will be described below in detail with reference to the drawings.
This embodiment applies a failure detection device that manages a plurality of devices capable of network communication and detects failures expected to occur in the devices to a multifunction machine having multiple functions such as image reading and printing. Description of an Example In the following description, constituent elements and processes having the same actions and functions are given the same reference numerals throughout the drawings, and redundant description may be omitted as appropriate.

(First embodiment)
FIG. 1 shows an example of the configuration of a network system 1 according to the first embodiment.
A network system 1 includes a multi-function device 30 connected to an external network 2 such as the Internet and an internal network 3 such as an intranet constructed with Ethernet (registered trademark) or the like that functions within a site. The network system 1 also includes a plurality of devices 40 each connected to the internal network 3 .

Note that FIG. 1 shows, as an example of the plurality of devices 40, a case in which N devices 40 from device 40-1 to device 40-N are included. In the following description, when each of the N devices 40 is distinguished and described, one of the symbols (-1) to (-N) will be assigned. When it is not necessary to distinguish between them, they will be collectively referred to as the device 40 for explanation.

The multi-function device 30 has document-related functions including a copy function for copying a document, a scanning function for reading (scanning) a document as an image and converting it into data, and a print function for printing electronic data of an input document. there is In order to realize this document-related function, the multi-function device 30 has a scanner 37 for scanning documents and a printer 38 for printing various data. The multi-function device 30 also includes an external communication interface (I/F) 34, which is a functional unit that communicates with the external network 2, and an internal communication interface (I/F) 35, which is a functional unit that communicates with the internal network 3. there is In addition, although the details will be described later, the multi-function device 30 has a gateway function for collecting and managing data from the N devices 40, and a failure detection function for detecting failures expected to occur in the devices 40. is doing.

Specifically, as shown in FIG. 1, the multi-function device 30 includes a computer as an execution device that executes processing for realizing various functions.
The MFP 30 has a computer main body 32 . The computer main body 32 includes a CPU 32A, a RAM 32B, a ROM 32C, an auxiliary storage device 32D such as a hard disk drive (HDD), and an input/output interface (I/O) 32E. The CPU 32A, RAM 32B, ROM 32C, auxiliary storage device 32D, and input/output I/O 32E are connected via a bus 32F so as to exchange data and commands with each other. Also, an external communication I/F 34, an internal communication I/F 35, an operation display section 36 such as a display and a keyboard, a scanner 37, and a printer 38 are connected to the I/O 32E.

The auxiliary storage device 32D stores a control program 32G for causing the multi-function device 30 to function as a failure detection device. The CPU 32A reads out the control program 32G from the auxiliary storage device 32D, develops it in the RAM 32B, and executes processing. As a result, the multi-function device 30 that has executed the control program 32G operates as a failure detection device. The auxiliary storage device 32D also stores a table 32H that stores information related to communication protocol vulnerabilities in order to allow the multifunction device 30 to function as a failure detection device and support failure detection of the device 40. . The control program 32G and table 32H may be provided by a recording medium such as a CD-ROM.

In this embodiment, failure means a state of a device that directly or indirectly causes an unintended operation of a device included in the network system 1, and a state of a device that may directly or indirectly cause an unintended operation. state. An unintended operation is an operation that deviates from the predetermined operation of the device. An example of this failure is a vulnerability that allows a device to be controlled by access by a third party that indirectly causes unintended behavior. Vulnerable devices will have the potential for unintended connections and operations to be performed. This vulnerability can be detected by vulnerability scanning, such as a security diagnostic process. Other examples of faults include conditions that directly cause unintended actions, autonomous execution of unintended controls by the device itself, and conditions that cause the device to stop controlling. In this case, it can be detected by including it in a vulnerability scan such as security diagnosis processing. In addition, faults include a state in which execution of specific software causes hardware to behave unintendedly, and a state in which execution of specific software causes unintended behaviors in self or other software.

The control program 32</b>G includes a gateway process that implements a gateway function that collects and manages data from the communication from the device 40 in the multifunction machine 30 . The CPU 32A reads out the gateway process included in the control program 32G from the auxiliary storage device 32D, develops it in the RAM 32B, and executes processing, so that the multi-function device 30 operates as a gateway that collects and manages data through communication from the device 40. do. By executing this gateway function, a record of communication of the device 40 (communication record 50 shown in FIG. 3) is recorded in the auxiliary storage device 32D.

The auxiliary storage device 32D also stores a document-related function program 32J for realizing document-related functions in the multifunction machine 30. FIG. The CPU 32A reads the document-related function program 32J from the auxiliary storage device 32D, develops it in the RAM 32B, and executes processing. As a result, the MFP 30 that has executed the document-related function program 32J operates so as to be able to execute document-related functions including a copy function, a scan function, and a print function.

On the other hand, devices 40 (device 40-1 to device 40-N) are connected to the internal network 3 . The device 40 is, for example, a device including an IoT device, each having a unique function.
The device 40 includes a CPU 41, a RAM 42, a ROM 43, a communication section 44 that is a functional section that communicates with the internal network 3, and a unique functional section 45 that executes processing unique to the device. The CPU 41, RAM 42, ROM 43, communication section 44, and unique function section 45 are connected via a bus 46 so as to exchange data and commands with each other. The ROM 43 stores a unique function program (not shown) for realizing a unique function in the device 40 . The CPU 41 reads out a unique function program (not shown) from the ROM 43, develops it in the RAM 42, and executes processing. As a result, the device 40 operates as a device that implements unique functions.

Each device 40 communicates with the internal network 3 using a separate communication protocol. As the individual communication protocols, for example, connection-oriented TCP (Transmission Control Protocol), IP (Internet Protocol), and connectionless-oriented UDP (User Datagram Protocol) are known as standard protocols. Also, NFC (Near Field Communication) and Wi-Fi (Wireless Fidelity) are known as protocols used for wireless communication. Also, as short-range wireless communication protocols, Bluetooth, which is roughly classified into Bluetooth classic, BLE (Bluetooth Low Energy), and power-saving ZigBee (registered trademark), are known. Furthermore, SMB (Server Message Block) and CIFS (Common Internet File System) are known as protocols used for file sharing and the like.

Although the device 40 communicating with the internal network 3 is described in the first embodiment, the device 40 is not limited to being provided with communication with the internal network 3 . For example, it may be applied to a device that communicates with the MFP 30 via the external network 2 .

The multi-function device 30 is an example of a failure detection device in technology disclosed herein. The operation display unit 36 is an example of a notification unit in technology disclosed herein.

Next, in the network system 1 according to the first embodiment, the device 40 is managed by the multi-function device 30 operating as a failure detection device, and the processing related to communication protocol vulnerability will be described.
Here, it is assumed that a communication record (communication record) of the device 40 is recorded in the auxiliary storage device 32D by execution of processing by the gateway process.
In addition, in the present embodiment, the vulnerability of a communication protocol is taken as an example of a failure, and the case of detecting a failure, that is, detecting the vulnerability of a communication protocol will be described.

FIG. 2 shows an example of the processing flow of the control program 32G executed by the multi-function device 30 as fault detection processing of the device 40. As shown in FIG. The control program 32G is executed by the CPU 32A when the MFP 30 is powered on.

First, in step S100, the communication record of the device 40 is acquired by reading the communication record 50 recorded in the auxiliary storage device 32D.

FIG. 3 shows an example of the communication record 50 recorded in the auxiliary storage device 32D.
As shown in FIG. 3, the communication record of the device 40 includes a time-series number indicating the order of communication (indicated as "No." A destination address is associated with information indicating a communication protocol for communication in the device 40 and recorded as a record. For example, in the first communication record (No. 1), the device 40 of the communication destination address (IP address of 172.27.55.xxx) (any one device 40 from device 40-1 to device 40-N) indicates that communication was performed using a communication protocol (TCP).

Next, in step S102 of FIG. 2, a communication protocol vulnerability list is acquired by reading the communication protocol vulnerability list 52 stored in the table 32H of the auxiliary storage device 32D.

FIG. 4 shows an example of the communication protocol vulnerability list 52 .
As shown in FIG. 4, in the communication protocol vulnerability list 52, each record number (denoted as "No." in FIG. 4) corresponds to information indicating a communication protocol and information indicating vulnerability in the communication protocol. recorded with. For example, the first record number (No. 1) indicates that the communication protocol (UDP) may have vulnerability (UDP vulnerability). Also, the second record number (No. 2) indicates that the communication protocol (TCP) includes the possibility of having two vulnerabilities (TCP vulnerability and HTTP vulnerability).

Next, in step S104 of FIG. 2, communication protocol vulnerabilities are identified using the communication record 50 acquired in step S100 and the communication protocol vulnerability list 52 acquired in step S102. That is, the vulnerability of the communication protocol that may include vulnerability in the communication protocol of the device 40 that has communicated is identified. Specifically, for each record recorded in the communication record 50, information indicating vulnerability corresponding to the communication protocol is specified.

For example, the first communication record (No. 1) in the communication record 50 communicates with the device 40 with the communication destination address (IP address of 172.27.55.xxx) using the communication protocol (TCP). Assuming that this device 40 is the device 40-1, the vulnerability list 52 indicates that the communication protocol (TCP) includes the possibility of having two vulnerabilities (TCP vulnerability and HTTP vulnerability). Therefore, it can be estimated that the device 40-1 may contain TCP vulnerability and HTTP vulnerability. Therefore, in step S104, vulnerabilities that the device 40 may contain can be identified.

In this way, by identifying the vulnerabilities that the device 40 may contain, a vulnerability scan that detects vulnerabilities, in this case a TCP vulnerability and an HTTP vulnerability scan for the device 40-1, is performed. is effective and makes it easier to identify protocols to be scanned for vulnerabilities.

Next, extending from the vulnerability identification of the general communication protocol (step S104), a process of identifying the vulnerability of the management protocol is executed. First, in step S106, a list related to the vulnerability of the management protocol is obtained from the table 32H of the auxiliary storage device 32D.

As an example of a list related to vulnerabilities of management protocols, FIG. 5 shows a correspondence list 54 of management protocols in communication protocols, and FIG. 6 shows a vulnerability list 56 of management protocols.

As shown in FIG. 5, the management protocol correspondence list 54 is a record in which information indicating a communication protocol and information indicating a management protocol are associated with an item number (denoted as "No." in FIG. 5). recorded as For example, the first record (No. 1) indicates that two management protocols (RDP (remote desktop) and telnet (Teletype network)) correspond to the communication protocol (UDP). there is

Further, as shown in FIG. 6, the management protocol vulnerability list 56 includes information indicating the management protocol and vulnerability in the management protocol in the record number (denoted as "No." in FIG. 6). is recorded in association with the information shown. For example, the first record number (No. 1) indicates that the management protocol (RDP) may have a vulnerability (RDP vulnerability).

Next, in step S108 of FIG. 2, vulnerabilities in the management protocol are identified using the management protocol vulnerability list 56 acquired in step S106. That is, the vulnerability of the communication protocol of the management protocol predetermined for management that may include vulnerability in the communication protocol of the device 40 that has communicated is identified. Specifically, for each record recorded in the communication record 50, a management protocol corresponding to the communication protocol is acquired (FIG. 5), and information indicating vulnerability corresponding to the management protocol is specified (FIG. 6). ).

For example, in the first communication record (No. 1) in the communication record 50 (FIG. 3), the device 40 that communicated is assumed to be device 40-1. The device 40-1 can confirm that it is communicating with the "TCP" communication protocol, and if the communication protocol is "TCP", it selects "RDP" and " telnet" is used as the management protocol. Then, from the management protocol vulnerability list 56, the management protocol of "RDP" has the management protocol vulnerability of "RDP vulnerability", and the management protocol of "telnet" has the management protocol vulnerability of "telnet vulnerability". It can be confirmed that the possibility is included. Therefore, it can be presumed that the device 40-1 may include RDP vulnerability and telnet vulnerability in the management protocol. Accordingly, in step S108, vulnerabilities in management protocols that the device 40 may contain can be identified.

By identifying the vulnerability of the management protocol that the device 40 may contain in this way, when performing a vulnerability scan for detecting the vulnerability of the device 40, the vulnerability scan of the management protocol can be performed. It is possible to extend it to

Note that the device 40 is not limited to communicating using the management protocol. If it is not necessary to identify the vulnerability of the management protocol, the processing of steps S106 and S108 can be omitted. In this case, for example, the presence or absence of processing for the management protocol is set and stored in advance, and the processing (steps S106 and S108) is executed or not executed according to the presence or absence of processing for the management protocol set and stored in advance. may be determined.

Next, in step S110, it is determined whether or not to execute a vulnerability scan. If the determination is affirmative, the process proceeds to step S112, and if the determination is negative, the process proceeds to step S118. In this step S110, the device 40 that may have at least the communication protocol vulnerability, that is, the device 40 that communicated with the communication protocol that has the vulnerability of the communication protocol identified in step S104 is set as the target device 40, Decide whether to run a vulnerability scan. It should be noted that all the devices 40 that have performed communication recorded in the communication record 50 may be specified as the target device 40 .

Here, for the vulnerability scan, it is possible to determine whether or not to execute the vulnerability scan based on the scan conditions. A first example of the scan condition is the user's designation of whether or not to execute the scan. For example, the CPU 32A displays on the operation display unit 36 to be able to specify whether or not to execute a vulnerability scan, detects an operation by the user on the operation display unit 36, and uses information indicating whether or not to execute the detected vulnerability scan. can determine whether to run a vulnerability scan. As a result, it is possible to preferentially execute whether or not to execute the vulnerability scan intentionally designated by the user.

A second example of the scan condition includes setting information indicating whether or not to execute a vulnerability scan. For example, information indicating whether or not to execute a vulnerability scan is stored in the RAM 32B or the auxiliary storage device 32D as scan conditions. As described above, the CPU 32A displays the scan conditions on the operation display unit 36 so that whether or not to execute the vulnerability scan can be specified, detects the user's operation on the operation display unit 36, and uses the detected information as the scan conditions. It may be stored in the auxiliary storage device 32D. Note that the scan conditions may be obtained from an external device. Therefore, in step S110, for example, by reading out the scan conditions stored in the auxiliary storage device 32D, it is possible to determine whether or not to execute the vulnerability scan. As a result, it is possible to execute processing according to whether or not a preset vulnerability scan is to be executed.

If the scan conditions result in an affirmative determination in step S110, then in step S112 vulnerability scan for the protocol vulnerability of the target device is executed, and then the process proceeds to step S114. Vulnerability scanning is the process of detecting the presence or absence of vulnerabilities in communication protocols. In this embodiment, security diagnosis processing is executed as vulnerability scanning. This security diagnosis process is a process of diagnosing whether or not the device 40 has a vulnerability that may allow unintended connection and processing to be executed. It should be noted that the security diagnosis processing can use well-known processing, so detailed description thereof will be omitted.

In step S114, if a vulnerability is detected in step S112, an affirmative determination is made, and in step S116, processing for dealing with the presence of vulnerability is executed, and then this processing routine ends. On the other hand, if a negative determination is made in step S114, this processing routine is terminated after executing processing for dealing with no vulnerability in step S117.

In step S116, as an example of vulnerability handling processing, it is notified that the target device has vulnerability and vulnerability suppression processing. This allows the user to confirm that the target device has the vulnerability. Notification that a target device has a vulnerability includes information indicating a warning such as inviting access by an unintended third party to control the device. The user can also confirm the vulnerability mitigation process that mitigates communication protocol vulnerabilities for target devices that have vulnerabilities. Notification of the vulnerability suppression process for the target device includes advice information indicating information prompting communication protocol version upgrade, information prompting switching to a different communication protocol, and the like.
Note that the notification that the target device has a vulnerability and the notification of the vulnerability suppression process may be stored in a readable manner, for example, in the auxiliary storage device 32D.

In step S117, information indicating that the target device has no vulnerability is notified as an example of processing for dealing with no vulnerability. This allows the user to confirm that the target device is free of vulnerabilities. Note that the process of step S117 may be omitted.

On the other hand, if the scan conditions result in a negative determination in step S110, in step S118, it is notified that the target device 40 may have communication protocol vulnerability, and this processing routine ends. If the determination in step S110 is negative, the target device 40 is still vulnerable. It is preferable to report information indicating a warning that there is a possibility that the device will be controlled by the access.

It is preferable to exclude the device 40 in which the vulnerability of the communication protocol is detected from the management target of the multi-function device 30 . For example, it is preferable to prohibit the gateway function for connecting to the external network 2 in the MFP 30 in order to avoid failures caused by communication protocol vulnerabilities.

As described above, according to the first embodiment, communication protocol vulnerabilities are identified from the communication records of a plurality of devices 40, and whether or not the devices 40 may have communication protocol vulnerabilities, and whether the devices 40 Detects the presence or absence of communication protocol vulnerabilities. By notifying the result, the user can confirm the possibility that the communication protocol of the device 40 has vulnerability and the vulnerability of the communication protocol. Therefore, when managing failures in a plurality of devices with different communication protocols, the burden of device management can be suppressed, and an increase in the device management load can be suppressed.

Note that the processing of steps S104 and S106 is an example of processing executed by the protocol detection unit. The processing of steps S112 and S114 is an example of processing executed by the failure detection unit in technology disclosed herein.

(Second embodiment)
Next, a second embodiment will be described. The second embodiment applies the disclosed technology to the processing of suppressing vulnerability. Since the second embodiment has substantially the same configuration as the first embodiment, the same parts are denoted by the same reference numerals and detailed description thereof is omitted.

FIG. 7 shows part of the processing flow of the control program 32G according to the second embodiment. In the second embodiment, the processing routine shown in FIG. 7 may be executed in place of the processing from step S114 to step S117 of the processing routine shown in FIG. You can run it by The second embodiment will explain a case where the processing routine shown in FIG. 7 is executed after the processing of steps S116 and S117 shown in FIG.

After executing the reporting process corresponding to the presence or absence of vulnerability in the communication protocol (steps S112 to S117 shown in FIG. 2), the CPU 32A executes the vulnerability suppression process for the device having the vulnerability in the communication protocol in step S120. Determine whether or not

Here, whether or not the vulnerability prevention process can be executed can be determined based on the following determination conditions. A first example of the determination condition is designation by the user as to whether or not execution is possible. For example, the CPU 32A displays on the operation display unit 36 the possibility of executing the vulnerability prevention process so that it can be specified, detects the user's operation on the operation display unit 36, and detects information indicating whether the detected vulnerability prevention process can be executed. can be used to determine whether or not to execute the vulnerability prevention process. As a result, it is possible to preferentially execute whether or not to execute the vulnerability prevention process intentionally designated by the user.

A second example of the determination condition is the setting of information indicating whether or not the vulnerability prevention process is to be executed. For example, information indicating whether or not the vulnerability prevention process can be executed is stored in the auxiliary storage device 32D as a determination condition. As for the determination conditions, the CPU 32A displays on the operation display unit 36 such that whether or not to execute the vulnerability prevention process can be specified as described above, detects the user's operation on the operation display unit 36, and uses the detected information as the determination conditions. It may be stored in the auxiliary storage device 32D. Note that the determination condition may be obtained from an external device. Therefore, in step S120, for example, by reading out the determination conditions stored in the auxiliary storage device 32D, it is possible to determine whether or not the vulnerability prevention process can be executed.

In the next step S122, using the determination result of step S120, it is determined whether or not to execute the vulnerability suppression process. If the determination is affirmative, the process proceeds to step S124. do.

If a negative determination is made in step S122, the target device 40 is in a vulnerable state, so in step S126, a warning such as notification of information that may lead to unintended access to control the device 40 remains. is performed again, this processing routine is terminated.

On the other hand, if an affirmative determination is made in step S122, this processing routine ends after the vulnerability prevention processing is executed for the target device 40. FIG.

An example of the vulnerability prevention process executed on the target device 40 is a correction process for correcting the detected vulnerability of the communication protocol when the vulnerability of the communication protocol is detected.

A first example of corrective processing is password change processing. The password change process is, for example, a process of forcibly changing the password. Passwords that are easy to guess are vulnerable. Therefore, if an easy-to-guess password is used, the password is forcibly changed according to predetermined password change conditions such as increasing the number of encrypted digits and converting to a password that is irreversibly difficult to guess. The new password may be managed by the multi-function device 30 and notified to the user.

A forced password change may not be desired by the user. In this case, both the old and new passwords are managed by the multi-function device 30, and when the user instructs to restore the old password, the process of restoring the old password may be executed.
Also, in order to increase the security of the changed password, it is preferable to execute the process of forcibly changing the password only when the new password data can be safely stored in a physically remote location. Specifically, the password is forcibly changed only when a new password is printed in the secret area only when the multifunction machine 30 is provided with a secret area such as a print cabinet with a confidentiality key. .

A second example of corrective processing includes changing the vulnerability prevention processing according to the communication protocol. For example, when a communication protocol vulnerability is detected, the action in the detected communication protocol is switched.
Specifically, when "telnet" is detected as a vulnerable communication protocol, an action of switching to a new strong password is performed. On the other hand, if "ssh" is detected as the communication protocol, it will take action to switch to a new and strong RSA certificate.

As described above, according to the second embodiment, when a vulnerability in the communication protocol is detected, processing for suppressing the vulnerability is further performed. Vulnerability suppression processing can be executed.

(Third Embodiment)
Next, a third embodiment will be described. 3rd Embodiment specifies the vulnerability of a communication protocol step by step. Since the third embodiment has substantially the same configuration as the first and second embodiments, the same parts are denoted by the same reference numerals and detailed descriptions thereof are omitted.

In the third embodiment, as an example of stepwise identification of communication protocol vulnerabilities, a case of changing the degree of communication protocol vulnerability according to the location to which the device 40 belongs as indicated by the network segment is disclosed. technology is applied.

In the third embodiment, in addition to the device 40 communicating with the internal network 3, the device communicating with the external network 2 is the external device 40EX, and the multifunction machine 30 also collects and manages data from the external device 40EX. explain.

Further, in the third embodiment, it is assumed that a failure level is set in advance for each item indicating vulnerability of communication protocols.

FIG. 8 shows an example of a failure list 58 listing definition information in which a failure level is set for each item indicating vulnerability according to the third embodiment.

As shown in FIG. 8, the failure list 58 includes, for information indicating communication protocols, information indicating vulnerable items such as software numbers having vulnerabilities, information indicating a plurality of categories of vulnerabilities, and information indicating a plurality of vulnerabilities. and information indicating the degree of failure derived using the value indicated by the category. The example shown in FIG. 8 shows a case where the communication destination responds as a category of vulnerability. Specifically, an example is shown for the first vulnerable item (TCP-1) when the communication protocol is "TCP". Vulnerability item (TCP-1) has the value "D1-1" when the communication destination is internal network 3, and the value "D1-2" when the communication destination is external network 2. It shows that a function f for deriving the degree of failure S using the value is defined. The degree of failure S may be the same value for the internal network and the external network. In that case, it can be identified only by a threshold value for vulnerability determination, which will be described later.

It should be noted that the failure list 58 is set with a larger value as the degree of risk of a failure predicted to occur in the device 40 increases. For example, the degree of failure S is set to D1-1<D1-2 when the vulnerability of the device 40 of the external network 2 is greater than that of the device 40 of the internal network 3, which is indicated in the vulnerability item.

Further, the failure list 58 can use identification numbers assigned to software vulnerabilities, such as CVE (Common Vulnerabilities and Exposures) numbers. In addition, the fault list 58 can use criteria and values for evaluating the severity of vulnerabilities defined in the common vulnerability system CVSS (Common Vulnerability Scoring System).

FIG. 9 shows part of the processing flow of the control program 32G according to the third embodiment. In the third embodiment, instead of the processing of step S104 shown in FIG. 2, a processing routine shown in FIG. 9 is executed.

After acquiring the communication record 50 and the communication protocol vulnerability list 52 (steps S100 and S102 in FIG. 2), the CPU 32A proceeds to step S130 and sets device conditions for each device 40 . A device condition is information indicating a category of vulnerability that can be set from the communication record 50 . Here, the communication protocol and communication destination address (IP address) of the device 40 are obtained from the communication record 50, and information indicating whether the communication protocol and access point is the external network 2 or the internal network 3 is set as the device condition of the device 40. set. Specifically, in the communication record 50, the device 40 of the first communication record (No. 1) uses the communication destination address (IP address of 172.27.55. ) is set as the device condition.

In the next step S132, first, the fault list 58 is obtained by reading it from the auxiliary storage device 32D. Next, using the obtained fault list 58 and the device conditions set in step S130, a threshold for vulnerability determination is set for each device 40. FIG.

For example, if an initial value is set in advance as a standard, the threshold for vulnerability determination is set so that the device 40 of the external network 2 is smaller than the device 40 of the internal network 3 . In other words, the threshold is set so that the vulnerability of the device 40 on the external network 2 is determined more strictly than the device 40 on the internal network 3 . In this case, the threshold value may be set so that the failure list 58 includes all the failure degrees S of the vulnerable items included in the communication protocol communicated by the device 40. A threshold may be set so that

In the next step S134, a failure item with a failure degree S exceeding the threshold set in step S132 is specified as vulnerability of the communication protocol.

As described above, in the third embodiment, the threshold is set according to the device conditions using the definition information in which the degree of failure is set for each item indicating vulnerability. It can detect communication protocol vulnerabilities.

In the above description, the communication destination indicating the position of the device 40 is used as the information indicating the category of vulnerability, but the information indicating the category of vulnerability is not limited to this. For example, information indicating whether the communication is wired or wireless may be used as the communication mode. For example, if the communication record 50 includes information indicating that the IP address of a predetermined access point for wireless communication is passed, it is possible to specify that the communication is wireless communication.

Although each embodiment has been described above, the technical scope of the disclosed technology is not limited to the scope described in the above embodiments. Various changes or improvements can be made to the above-described embodiments without departing from the scope of the invention, and forms with such changes or improvements are also included in the technical scope of the technology disclosed herein.

Further, in the above-described embodiment, a case has been described in which the processing is implemented by a software configuration using a flowchart, but the present invention is not limited to this, and may be implemented by a hardware configuration.

1 Network system 2 External network 3 Internal network 30 MFP 32 Computer main unit 32D Auxiliary storage device 32G Control program 32H Table 36 Operation display unit 37 Scanner 38 Printer 40 Device 50 Communication record 52 Vulnerability list 54 Countermeasure list 56 Vulnerability list 58 Failure list

Claims (7)

a recording unit that records, as a communication record, each communication protocol used in communication with each of a plurality of devices connected to a network;
for each of the plurality of devices, based on the communication protocol recorded in the communication record and information indicating vulnerability associated with communication of the device in the communication protocol associated with the communication protocol; , a fault detector that detects each of the faults expected to occur in the communication protocol;
Fault detection device with When the failure detection unit detects the failure, a failure presence process corresponding to the detection of the failure is executed, and when the failure is not detected, the failure to detect the failure is performed. 2. The fault detection device according to claim 1, further comprising an execution unit for executing fault-free processing. 3. The failure detection apparatus according to claim 2, wherein the failure presence process is a process of informing a user of the presence of the failure, and the no-failure process is a process of notifying the user of the absence of the failure. . The information indicating vulnerability is information indicating vulnerability of a management protocol used in a communication protocol.
The failure detection device according to claim 1 . The plurality of devices includes an internal connection device that connects to a predetermined internal network and an external connection device that connects to a predetermined external network ,
The failure detection apparatus according to any one of claims 1 to 4 , wherein the failure detection unit detects a failure expected to occur in the communication protocol with respect to the externally connected device. the computer
Record each communication protocol used in communication with each of a plurality of devices connected to the network as a communication record,
for each of the plurality of devices, based on the communication protocol recorded in the communication record and information indicating vulnerability associated with communication of the device in the communication protocol associated with the communication protocol; , a fault detection method for detecting each of the faults expected to occur in said communication protocol. to the computer ,
Record each communication protocol used in communication with each of a plurality of devices connected to the network as a communication record,
for each of the plurality of devices, based on the communication protocol recorded in the communication record and information indicating vulnerability associated with communication of the device in the communication protocol associated with the communication protocol; , detecting each of the faults expected to occur in said communication protocol
A fault detection program that causes an action to take place.

Images