WO2015029464A1 - Simulation device, information generation device, simulation method, simulation program, environment provision system, environment provision method, and program - Google Patents

Publication number
WO2015029464A1
Authority
WO
WIPO (PCT)
Prior art keywords
simulation
environment
training
procedure
information
Application number
PCT/JP2014/054417
Other languages
French (fr)
Japanese (ja)
Inventor
大 宮内
修一郎 益田
薫 鶴
Original Assignee
三菱電機株式会社
Application filed by 三菱電機株式会社 filed Critical 三菱電機株式会社
Publication of WO2015029464A1 publication Critical patent/WO2015029464A1/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/28 Error detection; Error correction; Monitoring by checking the correct order of processing

Definitions

  • the present invention relates to a simulation device, an information generation device, a simulation method, and a simulation program.
  • the present invention relates to an information generation apparatus that generates a simulation procedure for simulating an operation performed in the operation system using an operation history of the operation system to be simulated, a simulation apparatus including the information generation apparatus, a simulation method, and a simulation program.
  • As a reproduction method for automatically simulating or reproducing the operation of a computer, there is a method of reproducing an operation record for purposes such as regression testing (for example, see Patent Document 1).
  • In this reproduction method, the operation content of an actual user (tester) is first explicitly recorded as an operation history using a dedicated operation history recording device. Next, the recorded operation history is read, and the operation of the user (tester) is reproduced by a dedicated operation reproduction device incorporated in the test environment or the like. According to this reproduction method, repeated operation by the user (tester) in the test environment becomes unnecessary, and the efficiency of the test can be improved.
  • As a system simulation method for simulating the operation of a system, there is a method of simulating a response to an input to the system for the purpose of operation training (see, for example, Patent Document 2).
  • This system simulation method simulates the response of the system according to the operation of the operator (trainer) without preparing an actual system when performing system operation training. According to this system simulation method, it is possible to perform operation training and the like without an actual system.
  • Patent Document 1 is a method for reproducing an operation record recorded by a dedicated operation history recording device, and the operation content must be explicitly recorded.
  • Because the operation details must be recorded explicitly, processing in the production environment is recorded, and the added load on the system during production operation may affect normal operation.
  • Because the operation contents must be explicitly recorded, only operations in the time period during which the recording was acquired can be reproduced, and a variety of operation patterns cannot be prepared.
  • Because operation can be reproduced only in an environment configured equivalently to the production environment, the objective of preparing a training environment of a desired difficulty cannot be achieved, and there is the problem that a change in scale cannot be accommodated flexibly.
  • Patent Document 2 is a method of simulating only a response to an input, and does not reproduce the processing of the system, so that there is a problem that the operation of the entire system cannot be simulated.
  • The present invention has been made to solve the above-described problems, and an object thereof is to provide a simulation device that can simulate the overall operation tendency of a production environment without affecting the production environment.
  • An extraction unit that extracts a plurality of operation histories as extraction operation histories from operation history information, in which a plurality of operation histories are accumulated, based on an extraction condition that is a condition for extracting operation histories from the operation history information; a procedure generation unit that, based on the extraction operation history extracted by the extraction unit, generates a simulation procedure indicating a procedure of the operation to be simulated by a processing device; and an execution unit that executes the simulation procedure generated by the procedure generation unit using a processing device.
  • With an extraction unit that extracts a plurality of operation histories from the operation history information of the operation system as an extraction operation history, a generation unit that generates, based on the extracted extraction operation history, a simulation procedure indicating the procedure of the operation to be simulated, and an execution unit that executes the generated simulation procedure, the overall operation tendency of the operation system can be simulated without affecting the operation system.
  • FIG. 1 is an overall configuration diagram of a production environment system 10 and a simulation system 11 according to Embodiment 1.
  • FIG. 2 is a block configuration diagram of a simulation device 111 according to Embodiment 1.
  • FIG. 3 is a diagram illustrating an example of a configuration of simulation data 1112 according to Embodiment 1.
  • FIG. 4 is a diagram illustrating an example of a hardware configuration of a simulation apparatus 111 according to Embodiment 1.
  • FIG. 5 is an overall configuration diagram of a production environment system 10 and a simulation system 11 according to Embodiment 1, and is a diagram for explaining the operation of each unit of the simulation device 111.
  • FIG. 6 is a diagram showing an example of an access log 1022 according to Embodiment 1 and an example of an extraction log 122 extracted by an extraction unit 121.
  • FIG. 6 is a flowchart showing an operation of a simulated environment generation process by a procedure generation unit 123 and a file generation unit 124 according to the first embodiment.
  • 6 is a flowchart showing an operation of a simulated environment generation process by a procedure generation unit 123 and a file generation unit 124 according to the first embodiment.
  • FIG. 4 is an overall configuration diagram of a production environment system 10 and a simulation system 11 according to a third embodiment. It is a diagram showing an example of the configuration of simulation data 6112 according to Embodiment 3.
  • FIG. 6 is a block configuration diagram of a simulation device 111 according to a third embodiment.
  • FIG. 10 is an overall configuration diagram of a production environment system 10 and a simulation system 11 according to a third embodiment, and is a diagram for explaining the operation of each unit of a simulation apparatus 111.
  • 10 is a flowchart showing an operation of a simulated environment generation process by a procedure generation unit 123 and a file generation unit 124 according to the third embodiment. It is an overall configuration diagram of the environment provision system 200 according to Embodiment 5.
  • FIG. 20 is a diagram illustrating an example of a configuration of a normal business scenario 2311 according to the fifth embodiment. It is a figure explaining the reproduction
  • FIG. 16 is a flowchart showing a flow of an environment providing method (environment providing process) of the environment providing system 200 according to the fifth embodiment.
  • FIG. 1 is an overall configuration diagram of a production environment system 10 and a simulation system 11 according to the present embodiment. The outline of the configuration and functions of the production environment system 10 and the simulation system 11 according to the present embodiment will be described with reference to FIG.
  • the production environment system 10 is an example of an operation system that stores operation history information (access log 1022) in which an operation history indicating an operation history is accumulated in a storage device of the file server 102.
  • the simulation system 11 is a training environment system that simulates the operation trend of the production environment system 10 and provides a training environment for operation training.
  • the production environment system 10 includes a terminal group 101 composed of a plurality of terminals and a file server 102.
  • the file server 102 is an example of a storage device of an operation system that stores a file group 1021 composed of a plurality of files and an access log 1022.
  • the access log 1022 is a general log that the file server 102 outputs for auditing or failure analysis.
  • the access log 1022 stores a plurality of log records (log entries) that are operation histories.
  • the access log 1022 is an example of operation history information in which a log record (operation history) indicating a history of access from the terminal group 101 to the file group 1021 is accumulated. Access from the terminal group 101 to the file group 1021 is an example of an operation performed in the production environment system 10.
  • terminals included in the terminal group 101 may be simply referred to as terminals.
  • files included in the file group 1021 may be simply referred to as files.
  • the terminal accesses the file group 1021 stored in the file server 102 via the network 103.
  • the simulation system 11 simulates an operation tendency of access from the terminal group 101 to the file group 1021 performed in the production environment system 10.
  • the simulation system 11 includes a simulation device 111 and a simulation file server 112.
  • the simulation device 111 includes a simulation terminal group 1111 composed of a plurality of simulation terminals and simulation data 1112.
  • the simulation file server 112 is an example of a storage device that stores a simulation file group 1121 including a plurality of simulation files.
  • Based on the access log 1022 of the production environment system 10, the simulation apparatus 111 generates simulation data 1112, which is a simulation procedure indicating the procedure to be simulated. At this time, the simulation apparatus 111 generates the simulation data 1112 so that the number of terminals or the number of users simulated in the simulation system 11 differs from that in the production environment system 10, in order to adjust the difficulty level of the training environment.
  • the simulation data 1112 is a simulation procedure indicating a procedure for accessing the simulation file group 1121 from the simulation terminal group 1111. For example, an access time, an access type, and the like are set.
  • the simulation apparatus 111 generates an initial file configuration of the simulation file group 1121 necessary for simulating the operation according to the simulation data 1112 and stores the initial file configuration in the simulation file server 112.
  • the simulation device 111 may be configured not to store the generated initial file configuration of the simulation file group 1121 in the simulation file server 112.
  • the simulation device 111 may be configured to store the initial file configuration of the generated simulation file group 1121 in, for example, a storage device included therein. In this case, the simulation file server 112 becomes unnecessary.
  • Because the simulation apparatus 111 simulates the operation of the production environment system 10, it is assumed to have the same configuration as the production environment system 10 as far as possible.
  • Preferably, a simulation file server 112 having the same specifications as the file server 102 is used and stores the initial file configuration of the simulation file group 1121.
  • the simulation file group 1121 may be stored in a storage device such as a hard disk or flash memory inside the simulation apparatus 111 in order to adjust the training environment.
  • the simulation apparatus 111 performs simulation according to the simulation procedure of the simulation data 1112 using the simulation terminal group 1111 and the initial file configuration of the simulation file group 1121.
  • FIG. 2 is a block configuration diagram of the simulation apparatus 111 according to the present embodiment. A block configuration of the simulation apparatus 111 according to the present embodiment will be described with reference to FIG.
  • the simulation apparatus 111 includes an information generation unit 1110 and an execution unit 125.
  • the information generation unit 1110 includes an extraction unit 121 and a simulated environment generation unit 128.
  • the simulated environment generation unit 128 includes a procedure generation unit 123 and a file generation unit 124.
  • the simulation apparatus 111 stores the extraction condition 126, the extraction log 122, and simulation data 1112 in a storage device.
  • the simulation file group 1121 may be stored in the simulation file server 112 as illustrated in FIG. 2, or may be stored in a storage device inside the simulation apparatus 111.
  • the extraction condition 126 is a condition for extracting a log record (operation history) from the access log 1022. As described above, since the simulation system 11 provides a training environment for operation training, the difficulty level of the training environment can be flexibly adjusted.
  • the extraction condition 126 is for adjusting the training environment. For example, an operator name, a terminal ID, a terminal address, and the like of a log record (operation history) extracted from the access log 1022 are designated. The operator's name, terminal ID, terminal address, etc. are examples of identifiers set in advance as the extraction condition 126.
  • the extraction condition 126 can be appropriately set by a system administrator or the like.
  • the information generation unit 1110 is an example of an information generation apparatus that generates information used for simulating an operation performed in the production environment system 10.
  • the simulation data 1112, the initial file configuration of the simulation file group 1121, and the like are examples of information used for simulating operations generated by the information generation unit 1110 (information generation device).
  • the extraction unit 121 extracts a plurality of log records from the access log 1022 as the extraction log 122 based on the extraction condition 126.
  • the extraction log is an example of an extraction operation history.
  • Based on the extraction log 122 extracted by the extraction unit 121, the procedure generation unit 123 generates simulation data 1112 indicating the procedure of the operation to be simulated by the processing device.
  • the simulation data 1112 is an example of a simulation procedure.
  • The simulation environment generation unit 128 generates the simulation data 1112, which is the procedure of the simulated operation, and a simulation file group 1121 that includes a simulation file 1121a on which the operation is performed.
  • the procedure generation unit 123 eliminates inconsistencies between log records that occur when a plurality of log records included in the extraction log 122 are simulated.
  • the procedure generation unit 123 corrects at least one of the plurality of log records so that the inconsistency is eliminated, and sets the extracted log 122 in which at least one log record is corrected as simulation data 1112.
  • Based on the simulation data 1112, the file generation unit 124 generates a simulation file 1121a that is an operation target included in the simulation data 1112.
  • the simulation file group 1121 includes at least one simulation file 1121a.
  • the procedure generation unit 123 and the file generation unit 124 may be configured as separate functional blocks, or may be configured as one simulated environment generation unit 128 to realize the function.
  • the execution unit 125 executes the simulation procedure of the simulation data 1112 for the simulation file group 1121 generated by the file generation unit 124.
  • the file generation unit 124 needs to configure the simulated file group 1121 with a necessary initial file configuration in accordance with the processing content of the simulation data 1112 before the execution of the simulation by the execution unit 125 is started. That is, it is necessary that a directory structure and files necessary for the processing contents to be implemented in the simulation exist.
  • The simulation terminal group 1111 is configured on the simulation apparatus 111. However, the necessary number of terminals may actually be prepared, and the operation tendency may be simulated using simulation data 1112 prepared for each terminal.
  • the function of the simulation system 11 does not depend on the configurations of the simulation device 111, the simulation terminal group 1111, the simulation file server 112, and the like.
  • FIG. 3 is a diagram showing an example of the configuration of the simulation data 1112 according to the present embodiment.
  • the simulation data 1112 stores a plurality of log records that are a plurality of operations.
  • A log record stores information such as an access time 21 indicating the access interval necessary for the operation of the simulated terminal group 1111, an access user 22 accessing the simulated file group 1121, an access type 23 such as WRITE and READ, and an access file 24 indicating the file to be operated on.
  • the access time 21 is set to the time from the start of simulation.
  • the access time 21 “8” of the second record means that the operation of the record NO2 is executed 8 seconds after the simulation is started.
  • An identifier for identifying an operator is set for the access user 22.
  • the identifier for identifying the operator is, for example, a user name.
  • the MAC address of the terminal may be used.
  • An operation type such as “WRITE”, “READ”, or “DELETE” is set.
  • For the access file 24, the file name and path name of the simulation file 1121a to be accessed are set.
  • the simulation data 1112 is set with information necessary for performing the simulation.
  • FIG. 4 is a diagram illustrating an example of a hardware configuration of the simulation apparatus 111 according to the present embodiment. A hardware configuration example of the simulation apparatus 111 will be described with reference to FIG.
  • the simulation device 111 is a computer, and each element of the simulation device 111 can be realized by a program.
  • an arithmetic device 901, an external storage device 902, a main storage device 903, a communication device 904, and an input / output device 905 are connected to the bus.
  • the arithmetic device 901 is a CPU (Central Processing Unit) that executes a program.
  • the external storage device 902 is, for example, a ROM (Read Only Memory), a flash memory, or a hard disk device.
  • the main storage device 903 is a RAM (Random Access Memory).
  • the communication device 904 is, for example, a communication board or the like, and is connected to a LAN (Local Area Network) or the like.
  • The communication device 904 is not limited to a LAN and may be connected to an IP-VPN (Internet Protocol Virtual Private Network), a wide-area LAN, an ATM (Asynchronous Transfer Mode) network, a WAN (Wide Area Network), or the Internet.
  • the input/output device 905 is, for example, a mouse, a keyboard, a display device, or the like. Instead of the mouse, a touch panel, touch pad, trackball, pen tablet, or other pointing device may be used.
  • the display device may be an LCD (Liquid Crystal Display), a CRT (Cathode Ray Tube), or another display device.
  • the program is normally stored in the external storage device 902, and is loaded into the main storage device 903 and sequentially read into the arithmetic device 901 and executed.
  • the program is a program that realizes a function described as “unit” shown in the block configuration diagram.
  • An operating system (OS) is also stored in the external storage device 902. At least a part of the OS is loaded into the main storage device 903, and the arithmetic device 901, while executing the OS, executes the program that realizes the functions of the “~ unit” elements shown in the block configuration diagram.
  • An application program is also stored in the external storage device 902, and is sequentially executed by the arithmetic device 901 while being loaded in the main storage device 903. Information such as a “~ table” is also stored in the external storage device 902.
  • Information, data, signal values, and variable values indicating the results of the processing are stored in the main storage device 903 as files.
  • data received by the simulation device 111 is stored in the main storage device 903.
  • the encryption key / decryption key, random number value, and parameter may be stored in the main storage device 903 as a file.
  • FIG. 4 is merely an example of the hardware configuration of the simulation apparatus 111, and the hardware configuration of the simulation apparatus 111 is not limited to the configuration illustrated in FIG. .
  • FIG. 5 is an overall configuration diagram of the production environment system 10 and the simulation system 11 according to the present embodiment, and is a diagram for explaining the operation of each unit of the simulation apparatus 111.
  • the operation of each part of the simulation apparatus 111 will be described with reference to FIGS.
  • Each part of the simulation device 111 shown in FIG. 2 implements a simulation method by the simulation device 111 by executing processing in cooperation with hardware resources such as a processing device, a storage device, and an input / output device included in the simulation device 111.
  • the function of the simulation device 111 is realized by reading a simulation program stored in the main storage device of the simulation device 111 and executing it by the processing device.
  • the extraction unit 121 executes an extraction process 121a.
  • the extraction unit 121 extracts a log record from the access log 1022 based on the extraction condition 126 and sets it as the extraction log 122.
  • the extraction process 121a reduces the number of users simulated by the simulation system 11 from the number of users of the production environment system 10.
  • the extraction log 122 is a target user excerpt log in which only the log records related to necessary users are extracted from the access log 1022 by the extraction unit 121.
  • the procedure generation unit 123 executes a procedure generation process 123a.
  • the procedure generator 123 generates simulation data 1112 from the extracted log 122 that narrows down the users.
  • the file generation unit 124 executes a file generation process 124a.
  • the file generation unit 124 generates an initial file configuration of the simulated file group 1121 from the extraction log 122.
  • the execution unit 125 executes a simulation execution process 125a.
  • the execution unit 125 executes access to the simulation file group 1121 from the simulation terminal group 1111 according to the simulation procedure indicated by the simulation data 1112.
  • FIG. 6 is a diagram illustrating an example of the access log 1022 according to the present embodiment and an example of the extraction log 122 extracted from the access log 1022 by the extraction unit 121.
  • the access log 1022 stores log records 10221 to 10224 which are operation histories.
  • a log record is also called a log entry.
  • the extraction log 122 is extracted by the extraction process 121a of the extraction unit 121.
  • The extraction log 122 stores log records 1221 to 1223 that are operations to be simulated. Because the extraction process 121a narrows down the target log records, simulating the extraction log 122 as it is may cause an inconsistency in which the simulation runs in a state where necessary data is missing.
  • the extraction unit 121 extracts the extraction log 122 based on the extraction condition “user A, user B, user D” included in the log record to be extracted.
  • the log record 10223 related to the user C is removed from the access log 1022 by the extraction process 121a of the extraction unit 121.
  • In the access log 1022, “User C creates file 1” (log record 10223) is followed by “User D reads file 1” (log record 10224). In the extraction log 122, “create file 1” no longer exists, so there is an inconsistency: the file to be read by user D does not exist. That is, the operation of the log record 1223 is an operation that cannot be executed without the operation of the log record 10223.
  • the procedure generation unit 123 corrects the extraction log 122 so as to eliminate the inconsistency as described above, and generates simulation data 1112.
  • the simulated environment generation process includes a procedure generation process 123a by the procedure generation unit 123 and a file generation process 124a by the file generation unit 124.
  • Although the procedure generation unit 123 and the file generation unit 124 have been described as separate blocks, they may, for example, be configured as one simulated environment generation unit 128.
  • Here, the access type 23 of the access log 1022 is described as having three types: “READ (read)”, “WRITE (write)”, and “DELETE (erase)”.
  • the simulation environment generation unit 128 provisionally creates an empty initial file configuration in the simulation file server 112 as a simulation file group 1121 by the processing device.
  • the simulation environment generation unit 128 temporarily creates simulation data 1112 by the processing device without changing the contents of the extraction log 122. Thereafter, the simulated environment generation unit 128 accesses (operates) the provisionally created simulation file group 1121 according to the temporarily created simulation data 1112. At this time, for example, if there is no file to be read in the work area and there is no file to be read in the initial file structure, the simulated environment generation unit 128 performs processing such as adding a file to the initial file structure.
  • the simulated environment generation unit 128 copies the simulated file group 1121, which is an initial file configuration, to the work area of the simulated device 111 by the processing device.
  • the simulated file group 1121 copied to the work area is referred to as a working simulated file group 11211.
  • the simulation environment generation unit 128 sets the analysis position of the simulation data 1112 to the first line by the processing device.
  • the simulation environment generation unit 128 analyzes one line of the analysis log that is the analysis position of the simulation data 1112 by the processing device.
  • the simulated environment generation unit 128 determines the access type 23 of the analysis log by the processing device. In S106, if the access type 23 is READ, the simulated environment generation unit 128 proceeds to S107. In S107, the simulation environment generation unit 128 determines whether there is a file to be read in the work simulation file group 11211 by the processing device. If there is a file to be read (YES in S107), the process proceeds to S108. If there is no file to be read (NO in S107), the process proceeds to S113.
  • the simulated environment generation unit 128 proceeds to S110.
  • the simulated environment generation unit 128 creates a file to be written in the working simulated file group 11211. If there is already a file to be written, nothing is done.
  • the simulated environment generation unit 128 proceeds to S108 after S110.
  • the simulated environment generation unit 128 proceeds to S111 if the access type 23 is DELETE.
  • the simulated environment generation unit 128 determines, by the processing device, whether there is a file to be deleted in the working simulated file group 11211. If there is a file to be deleted (YES in S111), the process proceeds to S112. In S112, the simulation environment generation unit 128 deletes the file to be deleted from the work simulation file group 11211 by the processing device. If there is no file to be deleted (NO in S111), the process proceeds to S113.
  • the simulation environment generation unit 128 determines, by the processing device, whether the file to be accessed exists in the simulation file group 1121 of the simulation file server 112. If it is determined in S107 that there is no file to be read, the file to be read is treated as the file to be accessed. If it is determined in S107 that there is no file to be deleted, the file to be deleted is treated as the file to be accessed.
  • the process proceeds to S115.
  • the simulation environment generation unit 128 adds, by the processing device, the file to be accessed to the simulation file group 1121 of the simulation file server 112, returns to S103, and repeats the processing.
  • the process proceeds to S114.
  • The presence of the file to be accessed in the simulated file group 1121 of the simulated file server 112 means that the above inconsistency has occurred. For this reason, the corresponding line of the simulation data 1112 is changed to WRITE here to eliminate the inconsistency.
  • the simulation environment generation unit 128 changes the access type 23 of the corresponding line (analysis log line) of the simulation data 1112 to WRITE, returns to S104, and repeats the processing.
  • the simulation environment generation unit 128 determines whether the simulation data 1112 has been analyzed to the last line by the processing device. If it has not been analyzed to the end (NO in S108), the process proceeds to S109. In S109, the simulation environment generation unit 128 advances the analysis position of the simulation data 1112 by one line, and repeats the processing from S105. When the analysis is performed up to the last line (YES in S108), the simulated environment generation unit 128 ends the simulated environment generation process.
  • the procedure generation unit 123 and the file generation unit 124 have been described as one simulated environment generation unit 128, but the procedure generation unit 123 and the file generation unit 124 may be separate processes.
  • The procedure generation unit 123 first provisionally creates the simulated file group 1121 as an initial file configuration in the work area and completes the analysis of all lines of the simulation data 1112.
  • The file generation unit 124 may then generate the simulation file group 1121 as the initial file configuration in the simulation file server 112, based on the simulation file group 1121 created as the initial file configuration in the work area.
  • the process may be executed in any order and configuration as long as the difficulty of the training environment is adjusted based on the access log 1022 and the inconsistency that occurs when the operation is simulated can be resolved.
  • the simulation apparatus 111 and the information generation apparatus generate the simulation data 1112 by changing, for example, the number of users for the access log 1022 of the file server 102 of the production environment system 10.
  • the simulation data 1112 and the initial file structure of the simulation file group 1121 for the simulation system 11 are generated while resolving the inconsistency in which data necessary for the simulation is missing. For this reason, it is possible to simulate the operational tendency of the production environment in a training environment having a configuration according to the target difficulty level, without affecting the production environment system 10 or placing a load on it.
  • the present invention can be applied to any system in which communication is performed between a plurality of clients and a server, such as a file server, a mail server, a Web server, an authentication server, or a DB server.
  • Embodiment 2. In the present embodiment, differences from the first embodiment will be mainly described. Components having the same functions as those described in Embodiment 1 may be denoted by the same reference numerals and description thereof may be omitted.
  • information names such as user names and file names appearing in the access log 1022 of the production environment system 10 are changed (anonymized) to names different from those of the production environment system 10. Further, the file name of the simulation file 1121a included in the simulation file group 1121 is changed (anonymized) to a name different from the file name of the file included in the file group 1021 of the production environment system 10.
  • the procedure generation unit 123 anonymizes the information name included in the log entry (operation history) of the access log 1022 by the processing device, and generates simulation data 1112 based on the access log 1022 in which the information name is anonymized.
  • the procedure generation unit 123 may anonymize information names such as user names and file names that are confidential information.
  • the file generation unit 124 anonymizes the file name of the simulation file 1121a by the processing device, and generates the simulation file group 1121.
  • the file generation unit 124 may anonymize when the file name is confidential information.
  • to prevent leakage of confidential information in the production environment, the simulation apparatus 111 and the information generation unit 1110 (information generation apparatus) according to the present embodiment anonymize the confidential information of the production environment included in the log used to generate simulation data and setting values, and then generate the data and setting values for simulating the operation tendency. Because names that include such confidential information are changed (anonymized) at the stage of retrieving the access log 1022 from the production environment system 10, the confidential information of the production environment system 10 is prevented from leaking to the simulation system 11, and the security of the production environment system 10 can be ensured.
  • Embodiment 3. In the present embodiment, differences from the first and second embodiments will be mainly described. Components having the same functions as those described in the first and second embodiments are denoted by the same reference numerals and description thereof may be omitted.
  • FIG. 9 is an overall configuration diagram of the production environment system 10 and the simulation system 11 according to the present embodiment.
  • FIG. 9 is a configuration diagram when the simulation apparatus 111 is applied to a general mail server.
  • the production environment system 10 includes a DNS (Domain Name System) server 602 and a mail server 603 in addition to the terminal group 101 and the network described in the first embodiment.
  • the DNS server 602 includes a DNS record 6021.
  • the DNS server 602 is a server that performs name resolution between a domain name and an IP address by associating the domain name with an IP address.
  • the DNS record 6021 stores associations between domain names and IP addresses.
  • the mail server 603 includes a transmission / reception log 6022.
  • the transmission / reception log 6022 is an example of operation history information in which a history of mail transmission / reception, which is an operation from the terminal group 101, is accumulated.
  • the simulation system 11 simulates an operation tendency of mail transmission / reception from the terminal group 101 via the network 103 and the mail server 603 in the production environment system 10.
  • the simulation system 11 includes a simulation DNS server 612 and a simulation mail server 613 in addition to the simulation apparatus 111 and the simulation network 113 described in the first embodiment.
  • the simulation apparatus 111 includes simulation data 6112 and an external mail server 6111 in addition to the simulation terminal group 1111 described in the first embodiment.
  • the simulation DNS server 612 includes a simulation DNS record 6121.
  • the simulation DNS record 6121 stores correspondence information between the domain name of the mail and the IP address.
  • the simulation system 11 generates simulation data 1112 indicating a mail transmission / reception procedure as a simulation procedure based on the transmission / reception log 6022.
  • the operation tendency of the terminal group 101 of the production environment system 10 is simulated by the simulation terminal group 1111 of the simulation system 11 in accordance with the contents of the simulation data 1112.
  • the simulated terminal group 1111 transmits / receives mail to / from the external mail server 6111 via the simulation network 113 and the simulation mail server 613.
  • the simulated terminal group 1111 transmits and receives mail within the simulated system 11.
  • an external mail server 6111 is prepared inside the simulation apparatus 111 in order to simulate mail transmission / reception with the outside of the system.
  • the simulation DNS server 612 is set so that the mail is transmitted to the external mail server 6111.
  • transmission from the external mail server 6111 to the simulation mail server 613 simulates reception of mail from the outside.
  • FIG. 10 is a diagram showing an example of the configuration of simulation data 6112 according to the present embodiment.
  • the simulation system 11 simulates mail transmission / reception based on the simulation data 6112 and the simulation DNS record 6121.
  • simulation data 6112 in which a transmission time 71, a transmission source address 72, a destination address 73, and the like are recorded, and a simulation DNS record 6121 for the simulation DNS server 612, used to simulate mail transmission to an external environment, need to be prepared.
  • the simulation data 6112 stores a transmission time 71 indicating the mail transmission interval necessary for the operation of the external mail server 6111 and the simulated terminal group 1111, a transmission source address 72 that is the transmission source of the mail, a destination address 73 that is the transmission destination of the mail, and similar information. Thus, the simulation data 6112 stores data necessary for simulation.
  • in the simulation DNS record 6121 of the simulation DNS server 612, correspondence information between domain names and IP addresses is set so that name resolution for mail addressed to the external environment and transmitted from the simulated terminal group 1111 resolves to the external mail server 6111.
  • the external mail server 6111 and the simulated terminal group 1111 are configured on the simulated device 111, but the configuration is not limited thereto. For example, there is no problem even if the necessary number of servers and terminals are actually prepared, and the simulation of the operation tendency is performed using the simulation data 6112 prepared for each server and each terminal. Realization of the simulation method by the simulation apparatus 111 according to the present embodiment does not depend on the configuration of the simulation system 11 or the simulation apparatus 111 itself.
  • FIG. 11 is a block configuration diagram of the simulation apparatus 111 according to the present embodiment.
  • FIG. 12 is an overall configuration diagram of the production environment system 10 and the simulation system 11 according to the present embodiment, and is a diagram for explaining the operation of each unit of the simulation apparatus 111.
  • the information generation unit 1110 generates simulation data 6112 and simulation DNS record 6121 based on the transmission / reception log 6022.
  • a transmission / reception log 6022 of the mail server 603 is a general log output by the mail server 603 for auditing, failure analysis, or the like.
  • the extraction unit 121 extracts a log record from the transmission / reception log 6022 based on the extraction condition 126 (extraction process 121a). Then, the simulation environment generation unit 128 generates simulation data 6112 and simulation DNS record 6121 (procedure generation process 123a (simulation data generation process), file generation process 124a (simulation DNS record generation process)).
  • the simulation data 6112 is an example of an operation procedure (email transmission / reception procedure).
  • the simulation DNS record 6121 is an example of a simulation file that is a file used for simulation.
  • the procedure generation process 123a (simulation data 6112 generation process) by the procedure generation unit 123 and the file generation process 124a (simulation DNS record generation process) by the file generation unit 124 are different processes.
  • the procedure generation unit 123 and the file generation unit 124 may be configured as one simulated environment generation unit 128 and may be one simulated environment generation process. That is, the simulation environment generation unit 128 outputs the setting values of the simulation data 6112 and the simulation DNS record 6121 from the transmission / reception log 6022.
  • the transmission / reception log 6022 contains two log entries, one for transmission and one for reception, for a single mail transmission. However, when the operation tendency of mail transmission / reception is simulated by the simulation system 11, it is generally the mail transmission operation that is simulated, so the users are narrowed down by the source address.
  • the target user excerpt log 622 operates in a state where necessary data is missing due to the effect of narrowing down the target transmission users in the extraction process 121a. For example, there is a possibility that a user excluded as a sender exists as a receiver. If this transmission itself is simply excluded to cope with this, the number of transmissions to be simulated decreases.
  • FIG. 13 is a flowchart showing the operation of the simulated environment generation process performed by the procedure generation unit 123 and the file generation unit 124 according to the present embodiment.
  • in the simulated environment generation process S200 (simulation data and simulation DNS record generation process), the extraction log 122 extracted from the transmission / reception log 6022 is analyzed line by line, and the setting values of the simulation data 6112 and the simulation DNS record 6121 are generated.
  • the simulation environment generation unit 128 sets empty simulation data 6112 by the processing device, and sets the analysis log that is the analysis position of the extraction log 122 as the first line.
  • the simulated environment generation unit 128 analyzes the analysis log of the extraction log 122 by the processing device.
  • In step S203, the simulated environment generation unit 128 determines whether the analysis log transmission source is within the production environment system 10 using the processing device. When the transmission source is within the production environment system 10 (YES in S203), the simulated environment generation unit 128 proceeds to S204. If the transmission source is not within the production environment system 10 (NO in S203), the simulated environment generation unit 128 proceeds to S209. In S209, the simulated environment generation unit 128 adds to the simulation DNS record 6121, by the processing device, an association between the domain name of the transmission source and the IP address (hereinafter referred to as name resolution) so that the mail of the analysis log becomes a mail transmitted from the external mail server 6111, and the process proceeds to S204.
  • the simulated environment generation unit 128 determines whether the destination of the analysis log is within the production environment system 10 using the processing device. If the destination is not within the production environment system 10 (NO in S204), the simulated environment generation unit 128 proceeds to S210. In S210, the simulated environment generation unit 128 adds to the simulation DNS record 6121 an association between the destination domain name and the IP address (name resolution) so that the destination of the analysis log is the external mail server 6111, and the process proceeds to S207.
  • In step S205, the simulated environment generation unit 128 determines whether the destination is an address excluded by the extraction unit 121 by the processing device. The simulated environment generation unit 128 determines whether the destination is an excluded address by referring to the extraction condition 126, for example.
  • the process proceeds to S207. If the destination is an excluded address (YES in S205), the process proceeds to S206. In S206, the simulated environment generation unit 128 changes the destination address of the analysis log to an address of the internal environment that is not excluded by the processing device. As described above, when the destination of the extraction log 122 is an address of the internal environment and is the same as a transmission source address excluded in the extraction processing 121a, the destination is changed to an address that is not excluded, which ensures consistency.
  • the simulation environment generation unit 128 adds the analysis log to the simulation data 6112 by the processing device.
  • the simulated environment generation unit 128 determines whether the extraction log 122 has been analyzed up to the last line by the processing device. If it has not been analyzed to the end (NO in S208), the process proceeds to S211. In S211, the simulated environment generation unit 128 advances the analysis position of the extraction log 122 by one line, and repeats the processing from S202. When the analysis is performed up to the last line (YES in S208), the simulated environment generation unit 128 ends the simulated environment generation process (S212).
  • the number of transmission users is changed with respect to the transmission / reception log 6031 of the mail server 603 of the production environment system 10, and the simulation data 6112 and the simulation DNS record 6121 are generated while coping with the inconsistency, arising at that time, in which data is missing. Accordingly, it is possible to simulate the operation tendency of the production environment in a training environment having a configuration according to the target difficulty level, without affecting the production environment system 10 or placing a load on it.
  • Embodiment 4. In the present embodiment, differences from the third embodiment will be mainly described. Components having the same functions as those described in the third embodiment are denoted by the same reference numerals, and description thereof may be omitted.
  • the information name of the source address and destination address appearing in the transmission / reception log 6022 of the production environment system 10 is changed (anonymized) to a name different from that of the production environment system 10.
  • the simulated environment generation unit 128 (the procedure generation unit 123 and the file generation unit 124) anonymizes, by the processing device, the information names of the transmission source address and the destination address included in the mail transmission / reception history of the transmission / reception log 6022, and generates the simulation data 6112 and the simulation DNS record 6121 based on the transmission / reception log 6022 in which the information names are anonymized.
  • the simulated environment generation unit 128 may anonymize information names such as a transmission source address and a destination address that are confidential information.
  • the simulation system 11, the simulation device 111, and the information generation unit 1110 (information generation device) change the names of confidential information and the like at the stage of extracting the transmission / reception log 6022 from the production environment system 10. Since anonymization is performed, it is possible to prevent the confidential information of the production environment system 10 from leaking to the simulation system 11 and to secure the security of the production environment system 10.
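The S200 flow of Embodiment 3 (S201 to S212), combined with the address anonymization of Embodiment 4, can be sketched as follows. This is an added example, not code from the patent: the log layout, the domains, the HMAC-based renaming and the rule for choosing a replacement destination in S206 are assumptions, and all sample data is constructed.

```python
import hashlib
import hmac

INTERNAL_DOMAIN = "corp.example"           # constructed: mail domain of production environment system 10
SIM_INTERNAL_DOMAIN = "internal.sim.test"  # assumption: internal domain used inside simulation system 11
EXTERNAL_MAIL_SERVER_IP = "192.0.2.25"     # constructed: address of external mail server 6111
PSEUDONYM_KEY = b"placeholder-key"         # assumption: secret that never leaves the production side

# Constructed extraction log 122: (transmission time 71, source address 72, destination address 73)
EXTRACTED_LOG = [
    ("09:00:05", "alice@corp.example", "bob@corp.example"),
    ("09:00:40", "alice@corp.example", "carol@corp.example"),  # carol was excluded as a sender
    ("09:01:10", "sales@partner.example", "alice@corp.example"),
    ("09:02:00", "bob@corp.example", "info@vendor.example"),
]
EXCLUDED_SENDERS = {"carol@corp.example"}  # constructed: senders dropped by extraction condition 126


def domain_of(address):
    return address.rsplit("@", 1)[1].lower()


def is_internal(address):
    return domain_of(address) == INTERNAL_DOMAIN


def pseudonym(value, prefix):
    """Keyed, deterministic rename: equal inputs give equal names, and names
    cannot be recomputed from guessed inputs without the key."""
    digest = hmac.new(PSEUDONYM_KEY, value.lower().encode("utf-8"), hashlib.sha256)
    return prefix + digest.hexdigest()[:8]


def anonymize(address):
    """Rename an address but keep the internal/external split the flow relies on."""
    local = address.rsplit("@", 1)[0]
    if is_internal(address):
        return f"{pseudonym(local, 'u')}@{SIM_INTERNAL_DOMAIN}"
    return f"{pseudonym(local, 'u')}@{pseudonym(domain_of(address), 'd')}.ext.test"


def generate_environment(extracted_log, excluded, anonymize_names=True):
    """Return (simulation data 6112, simulation DNS record 6121) for one extraction log."""
    rename = anonymize if anonymize_names else (lambda address: address)
    # Internal senders that survived extraction; candidates for the S206 replacement.
    retained = sorted({src for _, src, _ in extracted_log
                       if is_internal(src) and src not in excluded})
    simulation_data, dns_records = [], {}          # S201: start with empty outputs
    replaced = 0
    for sent_at, source, dest in extracted_log:    # S202 / S211: one log line at a time
        if not is_internal(source):                # S203 NO -> S209
            dns_records[domain_of(rename(source))] = EXTERNAL_MAIL_SERVER_IP
        if not is_internal(dest):                  # S204 NO -> S210
            dns_records[domain_of(rename(dest))] = EXTERNAL_MAIL_SERVER_IP
        elif dest in excluded:                     # S205 YES -> S206
            # Assumption: rotate through retained users, avoiding mail to oneself.
            candidates = [a for a in retained if a != source] or retained
            if not candidates:
                raise ValueError("no retained internal address to use as destination")
            dest = candidates[replaced % len(candidates)]
            replaced += 1
        # S207: decisions above used the real names; only renamed values are emitted.
        simulation_data.append((sent_at, rename(source), rename(dest)))
    return simulation_data, dns_records            # S208 YES -> S212


if __name__ == "__main__":
    data, dns = generate_environment(EXTRACTED_LOG, EXCLUDED_SENDERS)
    for row in data:
        print(row)
    print(dns)
```

The internal/external and exclusion decisions are made on the original names before renaming, so the anonymized output keeps the same transmission count and routing as the extraction log.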
  • the configurations of the “information generation unit”, “simulated environment generation unit”, “execution unit”, “extraction unit”, “procedure generation unit”, and “file generation unit” are not limited to those described in the first to fourth embodiments.
  • the “procedure generation unit” and the “file generation unit” may be realized by one functional block, and the “simulated environment generation unit” and the “extraction unit” may be realized by one functional block.
  • the simulation apparatus 111 may be configured by any other combination of these functional blocks.
  • Embodiment 5. In the present embodiment, differences from Embodiments 1 to 4 will be mainly described. In the present embodiment, the same components as those described in the first to fourth embodiments are denoted by the same reference numerals, and the description thereof is omitted.
  • the simulation system 11 that generates reproduction data from log data (see FIGS. 1, 5, 9, etc.)
  • the simulation system 11 is aimed at, for example, SOC (Security Operation Center) training.
  • the simulation system 11 anonymizes log data from the access log 1022 and the transmission / reception log 6022 of the production environment system 10 and retrieves the log data.
  • the simulation system 11 narrows down the scale of the user to be simulated in order to adjust the difficulty level, generates simulation data 1112 and 6112 as reproduction data so that no contradiction occurs during reproduction, and executes simulation.
  • it is possible to reproduce the operation tendency of the production environment system 10 in environments of different scales while ensuring security.
  • An SOC training environment may be established for the purpose of training personnel to respond to cyber attacks. In this case, after the operational tendency of the production environment system 10 is simulated, it is necessary to record and play back a cyber attack operation performed manually (by an instructor). Furthermore, it is necessary to enable cyber attack detection training using log monitoring software.
  • This SOC training environment can be realized as follows by combining the simulation system 11 described in Embodiments 1 to 4 and a method for storing and reproducing operation records for the purpose of regression testing.
  • an attack operation record at the time of a cyber attack is stored in advance.
  • the attack operation record at the time of the cyber attack is reproduced to realize the training environment.
  • the log monitoring software stores a log when the training environment is realized as a training log. Using the training log saved by the log monitoring software, the trainer conducts cyber attack detection training.
  • the training effect for the trainer is weak. This is because the IP address of the attack terminal used for the attack and the account name, IP address, and so on of the virus-infected terminal are the same every time, so the training environment is identical each time.
  • an environment providing system 200 that can create a different training environment each time during training such as SOC training, and can return to the training environment saved at a certain point in time will be described.
  • FIG. 14 is an overall configuration diagram of an environment providing system 200 (environment providing apparatus) according to the present embodiment.
  • a plurality of components having various functions are further added to the components of the simulation system 11 described in the first to fourth embodiments.
  • the environment providing system 200 includes a pseudo Internet environment system 210, a virtual enterprise environment system 220, and a test management environment system 230.
  • the pseudo Internet environment system 210 includes an attack terminal 212 and a server group 213.
  • the server group 213 includes, for example, a Web server 2131 and a DNS server 2132. Further, an attack operation record 2312 described later is stored in the storage device provided in the pseudo Internet environment system 210.
  • the virtual enterprise environment system 220 includes a simulated terminal group 1111, a business system 223, and a log monitoring environment system 224.
  • the simulated terminal group 1111 is an example of a training device used for cyber attack detection training.
  • the test management environment system 230 includes a training management device 231.
  • the training management device 231 of the test management environment system 230 includes a request acquisition unit 2316, a training execution unit 2315, and a training environment change unit 2313.
  • the storage device of the training management device 231 stores a normal business scenario 2311, an attack operation record 2312, and training environment information 2314.
  • the normal business scenario 2311 is the simulation data 1112 (see FIG. 2) and the simulation data 6112 (see FIG. 11) described in the first to fourth embodiments.
  • the normal business scenario 2311 (simulation data 1112 and 6112) is generated by the information generation unit 1110 (see FIGS. 2 and 11) as described in the first to fourth embodiments.
  • the information generation unit 1110 is not shown, but the test management environment system 230 includes the information generation unit 1110.
  • the information generation unit 1110 stores the generated normal business scenario 2311 (simulation data 1112 and 6112) in the storage device of the training management device 231.
  • the normal business scenario 2311 is an example of a simulation procedure.
  • the attack operation record 2312 stores at least one operation record at the time of a cyber attack.
  • the attack operation record 2312 is an example of an attack procedure.
  • the training environment information 2314 stores past training environments.
  • the training environment information 2314 is an example of an environment information storage unit that stores information indicating the training environment generated by the training environment change unit 2313 (environment setting unit).
  • an administrator (for example, an instructor)
  • the request acquisition unit 2316 acquires this environment setting request.
  • the environment setting request includes information related to selection of the normal business scenario 2311 and information related to selection of the attack operation record 2312.
  • the environment setting request includes a designation of whether, for the training environment used when conducting the training, a new training environment is created, the current training environment is kept, or a past training environment is used.
  • Information specifying generation of a new training environment is called a generation instruction.
  • a training environment in which attack detection has failed in the past may be specified, or a past date and time may be specified, and a training environment corresponding to the date and time may be specified.
  • the training execution unit 2315 transmits the normal business scenario 2311 selected by the environment setting request to the virtual enterprise environment system 220.
  • the training execution unit 2315 causes the simulated terminal group 1111 (training apparatus) to perform simulation of the normal business of the production environment system 10 according to the normal business scenario 2311 (simulation procedure).
  • the training execution unit 2315 is an example of a simulation execution unit.
  • the training execution unit 2315 transmits the selected attack operation record 2312 to the pseudo Internet environment system 210.
  • the attack terminal 212 of the simulated Internet environment system 210 performs a cyber attack on the simulated terminal group 1111 that is performing the simulation according to the attack operation record 2312 (attack procedure).
  • the attack terminal 212 is an example of an attack execution unit.
  • the training environment changing unit 2313 newly sets a training environment when a new training environment is selected. When a training environment is newly set, the training environment change unit 2313 stores the set training environment in the training environment information 2314.
  • the training environment changing unit 2313 is an example of an environment setting unit that sets the training environment of the simulated terminal group 1111 based on the environment setting request.
  • the training environment changing unit 2313 determines whether or not a generation instruction for instructing generation of a training environment is included in the environment setting request. When it is determined that the generation instruction is included, the training environment change unit 2313 generates a training environment for the simulated terminal group 1111. The training environment changing unit 2313 sets the generated training environment in the virtual enterprise environment system 220 and the pseudo Internet environment system 210. In this manner, the training environment changing unit 2313 sets the training environment of the training device according to the generation instruction included in the environment setting request.
  • when the training environment changing unit 2313 determines that the generation instruction is not included in the environment setting request, it determines whether or not the environment setting request includes a setting instruction that instructs setting the training environment information 2314 stored in the storage device in the virtual enterprise environment system 220 and the pseudo Internet environment system 210. When it is determined that the setting instruction is included, the training environment changing unit 2313 acquires the training environment information 2314 based on the setting instruction, and sets the training environment indicated by the acquired training environment information in the virtual enterprise environment system 220 and the pseudo Internet environment system 210. Thus, the training environment changing unit 2313 sets the training environment of the training device according to the setting instruction included in the environment setting request.
  • the simulated terminal group 1111 of the virtual enterprise environment system 220 is assumed to have a scale of, for example, hundreds to thousands.
  • the simulated terminal group 1111 includes a plurality of terminals 1131.
  • An infected terminal 1131x exists among the plurality of terminals 1131.
  • the business system 223 of the virtual enterprise environment system 220 includes a simulation file server 112, a simulation DNS server 612, a Web server 2201, and the like.
  • the simulation file server 112 includes the simulation file group 1121.
  • the simulation DNS server 612 includes a simulation DNS record 6121.
  • the Web server 2201 includes a log 2202 in which, for example, a URL (Uniform Resource Locator) is recorded.
  • the log monitoring environment system 224 of the virtual enterprise environment system 220 includes a trainee terminal 2241 and a log collection monitoring unit 2242.
  • the log collection monitoring unit 2242 stores a training environment log realized by the attack operation record 2312 and the normal business scenario 2311 as a training log 2243.
  • the trainer uses the trainer terminal 2241 to monitor the output by the log collection monitoring unit 2242 such as the training log 2243 and perform training for detecting a cyber attack.
  • the log collection monitoring unit 2242 is an example of a log acquisition unit that acquires operation logs from the simulated terminal group 1111 during execution of simulation by the simulated terminal group 1111 (training apparatus) and during execution of a cyber attack by the attack terminal 212 (attack execution unit).
  • FIG. 15 is a diagram illustrating an example of the configuration of the normal business scenario 2311 according to the present embodiment.
  • the normal business scenario 2311 stores a plurality of log records that are operations of a plurality of normal business operations. For each record of the normal business scenario 2311, a record number, a reproduction interval, an account to be used, an operation type, and auxiliary information for reproduction are set.
  • Each terminal 1131 can simulate the operational tendency of the production environment system 10 by playing back only the records corresponding to the account previously assigned to the terminal 1131.
  • FIG. 16 is a diagram for explaining a normal business reproduction method by terminal 1131 according to the present embodiment.
  • the training execution unit 2315 gives the normal business scenario 2311 to each terminal 1131 of the simulated terminal group 1111 of the virtual enterprise environment system 220 in order to simulate the operation tendency of the production environment system 10 during the production operation, and the normal business scenario 2311 is reproduced.
  • the terminal 1131 includes a scenario execution unit 1131a and account information 1131b.
  • the account information 1131b stores the account information of the terminal itself.
  • the scenario execution unit 1131a acquires the normal business scenario 2311 and also acquires account information 1131b. Based on the account information 1131b, the scenario execution unit 1131a executes a record of the normal business scenario 2311 corresponding to the account of the own terminal in the normal business scenario 2311.
  • in the first record, the reproduction time interval is set to 10 seconds, the account to be used is SP63251, the operation type is file server access, and the auxiliary information for reproduction is set to file path 1. Therefore, the scenario execution unit 1131a of the terminal 1131 corresponding to the account SP63251 executes simulation of normal work based on the information set in the first record.
  • FIG. 17 is a diagram for explaining a reproduction method of a cyber attack by the attack terminal 212 and the infected terminal 1131x according to the present embodiment.
  • The training execution unit 2315 gives the attack operation record 2312 to the attack terminal 212 of the pseudo Internet environment system 210 and the infected terminal 1131x of the virtual enterprise environment system 220 in order to reproduce the cyber attack.
  • The attack operation record 2312 includes an attack operation record (infection operation) 2312a and an attack operation record (cyber attack) 2312b.
  • The attack operation record (infection operation) 2312a is information on an infection operation for infecting the terminal 1131 with a virus.
  • The training execution unit 2315 transmits the attack operation record (infection operation) 2312a to the terminal 1131 (infected terminal 1131x).
  • The attack operation record (cyber attack) 2312b is information relating to a cyber attack operation (file leakage, etc.) performed after the terminal 1131 is infected with a virus, becomes the infected terminal 1131x, and remote control becomes possible.
  • The training execution unit 2315 transmits the attack operation record (cyber attack) 2312b to the attack terminal 212.
  • As the infection operation, for example, the infection operations shown in S112a, S112b, and S112x are recorded.
  • The infected terminal 1131x reproduces the infection operation selected by the administrator from among them.
  • The infected terminal 1131x is infected with a virus by an operation of executing the mail attachment file.
  • In S112b, the infected terminal 1131x is infected with a virus by an operation of downloading and executing software with a virus from an external site.
  • The infected terminal 1131x is infected with a virus by an operation of executing software without omission of update.
  • The attack terminal 212 can be remotely operated.
  • The attack terminal 212 includes a remote operation unit 2121.
  • The remote operation unit 2121 reproduces a cyber attack on the virtual enterprise environment system 220 via the infected terminal 1131x.
  • FIG. 18 is a diagram showing an example of the configuration of the training environment information 2314 according to the present embodiment.
  • In the training environment information 2314, a plurality of training environments are set.
  • The training environment number indicating the training environment, the implementation date and time when the training environment was implemented, the IP address of the attacking terminal 212, and the account and IP address of the infected terminal 1131x are set.
  • Information that defines the training environment may be set.
  • Either an account or an IP address may be set. In this way, the training environment information 2314 is associated with the generation date and time when the training environment is generated.
  • The hardware configuration of the training management device 231, the attack terminal 212, the terminal 1131, and the infected terminal 1131x will be described.
  • The hardware configuration of the training management device 231, the attack terminal 212, the terminal 1131, and the infected terminal 1131x is the same as the hardware configuration of the simulated terminal group 1111 described in FIG.
  • In each of the training management device 231, the attack terminal 212, the terminal 1131, the infected terminal 1131x, and the log monitoring environment system 224, the functions described as “unit” can be realized by each device executing a program.
  • The program is normally stored in the external storage device 902, and is loaded into the main storage device 903 and sequentially read into the arithmetic device 901 and executed.
  • The program is a program that realizes the function described as “unit” shown in the block configuration diagram.
  • An operating system (OS) is also stored in the external storage device 902. At least a part of the OS is loaded into the main storage device 903, and the arithmetic device 901, while executing the OS, executes the program that realizes the function of each “unit” shown in the block configuration diagram.
  • Information such as “normal business scenario”, “attack operation record”, “training environment information”, “training log”, and “account information” is also stored in the external storage device 902.
  • FIG. 19 is a flowchart showing a flow of an environment providing method (environment providing process) of the environment providing system 200 according to the present embodiment.
  • <Request acquisition process (process): S10>
  • The training management device 231 acquires an environment setting request by the request acquisition unit (request acquisition step (process)).
  • An administrator such as an instructor or a training trainer inputs an environment setting request to the request acquisition unit to select a normal business scenario 2311 and an attack operation record 2312 as the background of the training environment, and also selects the training environment information 2314.
  • The request acquisition unit 2316 displays, on the display device, a scenario selection screen that allows the administrator to select the normal business scenario 2311 and the attack operation record 2312.
  • The request acquisition unit 2316 causes the administrator to select the normal business scenario 2311 and the attack operation record 2312 using the scenario selection screen.
  • The request acquisition unit 2316 displays a training environment selection screen for selecting whether to set a new training environment, the current training environment, or a saved training environment as the training environment. On the displayed training environment selection screen, the administrator selects whether to set a new training environment, the current training environment, or a saved training environment.
  • Setting a new training environment means that a new training environment is generated by the training environment changing unit 2313 and the generated training environment is set.
  • The administrator can specify the conditions of the newly created training environment from the training environment selection screen.
  • Setting the current training environment means that the training is performed in the current training environment.
  • Setting the saved training environment means setting a training environment that the training environment changing unit 2313 recorded in the training environment information 2314 in the past.
  • The administrator can specify a past date and time as the specified date and time on the training environment selection screen.
  • The training environment changing unit 2313 acquires the training environment information 2314 corresponding to the specified date and time specified in S11, and sets the acquired training environment information 2314.
  • The training environment information 2314 is associated with the generation date and time when the training environment is generated.
  • The training environment changing unit 2313 acquires an environment setting request including a specified date and time, and acquires the training environment information 2314 corresponding to the specified date and time included in the environment setting request.
  • The training environment changing unit 2313 changes the IP address of the attack terminal within the specified range.
  • The training environment changing unit 2313 exchanges accounts and IP addresses between the infected terminal 1131x and an arbitrary terminal 1131.
  • The training environment changing unit 2313 changes the account used by each terminal 1131.
  • The training environment changing unit 2313 updates the DNS data regarding the terminal 1131 whose account has been changed. The DNS data is updated by re-registering the simulation DNS record 6121 of the simulation DNS server 612.
  • The infected terminal 1131x can be switched without installing an application necessary for infection in all the terminals 1131.
  • The environment providing process (process) for providing the training environment is completed.
  • The training execution unit 2315 transmits the selected normal business scenario 2311 to the simulated terminal group 1111 and distributes the selected attack operation record 2312 to the infected terminal 1131x and the attack terminal 212.
  • The simulated terminal group 1111 and the attacking terminal 212 start simulation of normal business based on the normal business scenario 2311 and start simulation of the cyber attack based on the attack operation record 2312.
  • Training is performed by the trainee.
  • The training environment changing unit 2313 determines, by the processing device, whether or not the current training environment has been saved in the training environment information 2314. If it is determined in S20 that the current training environment has been saved in the training environment information 2314 (not required in S20), the process ends. If it is determined in S20 that the current training environment is not stored in the training environment information 2314 (required in S20), the process proceeds to S21. In S21, the training environment changing unit 2313 stores the current training environment in the training environment information 2314, and ends the process.
  • The training environment, such as the attacker terminal IP and the account and IP of the infected terminal, can be changed.
  • With the environment provision system 200, it is possible to restore a training environment that has been implemented in the past and train in it. Therefore, the effect of training can be enhanced.
  • The training environment can be changed before the start of training (by selecting a new training environment, the current training environment, or a previously implemented training environment), and the training environment can be saved for reuse after training.
  • Each of the virtual enterprise environment system 220, the pseudo Internet environment system 210, and the test management environment system 230 described in the fifth embodiment may be a single device. Alternatively, each may be composed of a plurality of devices connected to a network rather than a single device.
  • The virtual enterprise environment system 220, the pseudo Internet environment system 210, and the test management environment system 230 may be configured in any manner as long as the functions described above can be realized.
  • Although the first to fifth embodiments of the present invention have been described above, two or more of these embodiments may be implemented in combination. Alternatively, one of these embodiments may be partially implemented. Alternatively, two or more of these embodiments may be partially combined. In addition, the present invention is not limited to these embodiments, and various changes are possible as needed.
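The per-account replay of the normal business scenario 2311 and the change, save and restore of the training environment information 2314 described above can be sketched as follows; this is an added example, not code from the patent. The `host` field, the reading of the reproduction interval as a clock shared by all terminals, the exact-match lookup by date and time, and every sample value other than account SP63251 and its first record are assumptions.

```python
from dataclasses import dataclass, replace
from datetime import datetime
import ipaddress
import random


@dataclass(frozen=True)
class ScenarioRecord:
    number: int
    interval_s: int  # reproduction interval before this record
    account: str     # account to be used
    op_type: str     # operation type
    aux: str         # auxiliary information for reproduction


@dataclass(frozen=True)
class Terminal:
    host: str        # fixed machine name (hypothetical field)
    account: str
    ip: str


@dataclass(frozen=True)
class TrainingEnvironment:
    number: int
    created: datetime   # date and time the environment was generated
    attack_ip: str
    infected_host: str  # the one machine prepared for the infection operation
    terminals: tuple

    def terminal(self, host):
        return next(t for t in self.terminals if t.host == host)


def schedule_for(scenario, account):
    """Return [(start offset in seconds, record)] for one terminal's account.

    Assumption: intervals accumulate over the whole scenario, so terminals
    that each replay only their own records still keep the global order.
    """
    clock, plan = 0, []
    for rec in sorted(scenario, key=lambda r: r.number):
        clock += rec.interval_s
        if rec.account == account:
            plan.append((clock, rec))
    return plan


def change_environment(env, swap_host, attack_range, now, rng):
    """New environment: swap account/IP with swap_host, move the attack IP."""
    if swap_host == env.infected_host:
        raise ValueError("swap target must be a different terminal")
    infected, other = env.terminal(env.infected_host), env.terminal(swap_host)
    swapped = {
        infected.host: replace(infected, account=other.account, ip=other.ip),
        other.host: replace(other, account=infected.account, ip=infected.ip),
    }
    terminals = tuple(swapped.get(t.host, t) for t in env.terminals)
    candidates = [str(ip) for ip in ipaddress.ip_network(attack_range).hosts()
                  if str(ip) != env.attack_ip]
    if not candidates:
        raise ValueError("no alternative attack IP in the specified range")
    return replace(env, number=env.number + 1, created=now,
                   attack_ip=rng.choice(candidates), terminals=terminals)


class EnvironmentStore:
    """Training environment information keyed by generation date and time."""
    def __init__(self):
        self._by_created = {}

    def save_if_needed(self, env):
        """Save only when this environment is not stored yet (S20/S21)."""
        if env.created in self._by_created:
            return False
        self._by_created[env.created] = env
        return True

    def restore(self, specified):
        return self._by_created[specified]


# Constructed sample data; only account SP63251 and record 1 follow the page.
SCENARIO = [
    ScenarioRecord(1, 10, "SP63251", "file server access", "file path 1"),
    ScenarioRecord(2, 5, "SP00002", "file server access", "file path 2"),
    ScenarioRecord(3, 20, "SP63251", "file server access", "file path 3"),
]
ENV1 = TrainingEnvironment(
    1, datetime(2014, 2, 24, 9, 0), "198.51.100.1", "pc-01",
    (Terminal("pc-01", "SP63251", "192.0.2.11"),
     Terminal("pc-02", "SP00002", "192.0.2.12"),
     Terminal("pc-03", "SP00003", "192.0.2.13")))

if __name__ == "__main__":
    env2 = change_environment(ENV1, "pc-02", "198.51.100.0/29",
                              datetime(2014, 2, 25, 9, 0), random.Random(7))
    print(env2.terminal("pc-01"), schedule_for(SCENARIO, "SP00002"))
```

Because each terminal selects its records by account, the machine prepared for infection replays a different user's normal business after the swap, which is why no other terminal needs the infection application installed.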

Abstract

The purpose of the present invention is to provide a simulation device that makes it possible to simulate an operation trend of a production environment without affecting the production environment. A simulation device (111) that simulates an operation that is carried out in a production environment system comprising an access log (1022) in which a plurality of operation histories that indicate the history of operations are stored is provided with: an extraction unit (121) that extracts a plurality of operation histories as an extracted log (122) from the access log (1022) on the basis of an extraction condition (126) that is a condition for extracting an operation history from the access log (1022); a sequence generation unit (123) that uses a processing device to generate simulation data (1112) that indicates the sequence of operations to be simulated on the basis of the extracted log (122) that is extracted by the extraction unit (121); and an execution unit (125) that uses the processing device to run the simulation data (1112) that is generated by the sequence generation unit (123).

Description

Simulation device, information generation device, simulation method, simulation program, environment providing system, environment providing method, and program
The present invention relates to a simulation device, an information generation device, a simulation method, and a simulation program. In particular, it relates to an information generation device that uses the operation history held by an operation system to be simulated to generate a simulation procedure for simulating operations performed in that operation system, and to a simulation device, a simulation method, and a simulation program that include the information generation device.
Conventionally, reproduction methods that automatically simulate or reproduce the operation of a computer include a method of replaying operation records for purposes such as regression testing (see, for example, Patent Document 1). In this reproduction method, the operations of an actual user (tester) are first explicitly recorded as an operation history using a dedicated operation history recording device. Next, the recorded operation history is read, and the user's (tester's) operations are reproduced by a dedicated operation reproduction device incorporated in the test environment or the like. With this reproduction method, the user (tester) no longer has to repeat operations in the test environment, and testing becomes more efficient.
In addition, system simulation methods that simulate the operation of a system include a method of simulating responses to inputs to the system for purposes such as operation training (see, for example, Patent Document 2). When system operation training is performed, this system simulation method simulates the system's responses to the operations of the operator (trainee) without preparing the actual system. With this system simulation method, operation training and the like can be performed even without the actual system.
JP 2008-117093 A
JP-A-10-207580
When building a training environment for practicing the detection of unforeseen situations that arise in a system due to failures, cyber attacks, and the like, the normal operation tendency of the system during production operation must be simulated in the training environment. In this case, simulation of the operation of the system as a whole is required, not only simulation of a single user's operations.
In addition, in order to adjust the difficulty level of training, the operation tendency must be simulated in a training environment whose scale differs from that of the actual environment. In other words, what is needed is not a faithful reproduction of the operation of the system in production but a simulation that reproduces tendencies such as processing content, processing frequency, and access frequency.
Patent Document 1 is a method of replaying operation records recorded by a dedicated operation history recording device, and the operation content must be explicitly recorded. When the operation content must be explicitly recorded, the processing of the production environment has to be recorded, which may affect normal operation, for example by increasing the load on the system in production. In addition, when the operation content must be explicitly recorded, only the operation during the time period in which the record was taken can be reproduced, and a variety of operation patterns cannot be prepared.
Moreover, in Patent Document 1 the operation can be reproduced only in an environment configured equivalently to the production environment, so the goal of preparing a training environment of a desired difficulty cannot be achieved, and changes in scale cannot be accommodated flexibly.
Patent Document 2 is a method of simulating only the response to an input and does not reproduce the processing of the system, so the operation of the system as a whole cannot be simulated.
The present invention has been made to solve the problems described above, and its object is to provide a simulation device that makes it possible to simulate the overall operation tendency of a production environment without affecting the production environment.
The following are provided as characterizing features: an extraction unit that extracts a plurality of operation histories as an extracted operation history from operation history information, in which a plurality of operation histories each indicating the history of an operation are accumulated, based on an extraction condition that is a condition for extracting operation histories from the operation history information;
a procedure generation unit that uses a processing device to generate, based on the extracted operation history extracted by the extraction unit, a simulation procedure indicating the procedure of the operations to be simulated; and
an execution unit that uses a processing device to execute the simulation procedure generated by the procedure generation unit.
According to one aspect of the simulation device according to the present invention, the device includes an extraction unit that extracts a plurality of operation histories as an extracted operation history from the operation history information of the operation system based on an extraction condition, a procedure generation unit that generates a simulation procedure indicating the procedure of the operations to be simulated based on the extracted operation history, and an execution unit that executes the generated simulation procedure. The operation tendency of the entire operation system can therefore be simulated without affecting the operation system.
Overall configuration diagram of the production environment system 10 and the simulation system 11 according to Embodiment 1.
Block configuration diagram of the simulation device 111 according to Embodiment 1.
Diagram showing an example of the configuration of the simulation data 1112 according to Embodiment 1.
Diagram showing an example of the hardware configuration of the simulation device 111 according to Embodiment 1.
Overall configuration diagram of the production environment system 10 and the simulation system 11 according to Embodiment 1, for explaining the operation of each unit of the simulation device 111.
Diagram showing an example of the access log 1022 according to Embodiment 1 and an example of the extraction log 122 extracted by the extraction unit 121.
Flowchart showing the operation of the simulated environment generation process by the procedure generation unit 123 and the file generation unit 124 according to Embodiment 1.
Flowchart showing the operation of the simulated environment generation process by the procedure generation unit 123 and the file generation unit 124 according to Embodiment 1.
Overall configuration diagram of the production environment system 10 and the simulation system 11 according to Embodiment 3.
Diagram showing an example of the configuration of the simulation data 6112 according to Embodiment 3.
Block configuration diagram of the simulation device 111 according to Embodiment 3.
Overall configuration diagram of the production environment system 10 and the simulation system 11 according to Embodiment 3, for explaining the operation of each unit of the simulation device 111.
Flowchart showing the operation of the simulated environment generation process by the procedure generation unit 123 and the file generation unit 124 according to Embodiment 3.
Overall configuration diagram of the environment providing system 200 according to Embodiment 5.
Diagram showing an example of the configuration of the normal business scenario 2311 according to Embodiment 5.
Diagram explaining the method by which the terminal 1131 reproduces normal business according to Embodiment 5.
Diagram explaining the method by which the attack terminal 212 and the infected terminal 1131x reproduce a cyber attack according to Embodiment 5.
Diagram showing an example of the configuration of the training environment information 2314 according to Embodiment 5.
Flowchart showing the flow of the environment providing method (environment providing process) of the environment providing system 200 according to Embodiment 5.
Embodiment 1.
FIG. 1 is an overall configuration diagram of the production environment system 10 and the simulation system 11 according to the present embodiment.
The outline of the configuration and functions of the production environment system 10 and the simulation system 11 according to the present embodiment will be described with reference to FIG. 1.
The production environment system 10 is an example of an operation system that stores, in the storage device of the file server 102, operation history information (access log 1022) in which operation histories indicating the history of operations are accumulated.
The simulation system 11 is a training environment system that simulates the operation trend of the production environment system 10 and provides a training environment for operation training.
The production environment system 10 includes a terminal group 101 composed of a plurality of terminals, and a file server 102.
The file server 102 is an example of a storage device of the operation system and stores a file group 1021 composed of a plurality of files and an access log 1022.
The access log 1022 is a general log that the file server 102 outputs for purposes such as auditing or failure analysis. A plurality of log records (log entries), which are operation histories, are accumulated in the access log 1022.
The access log 1022 is an example of operation history information in which log records (operation histories) indicating the history of access from the terminal group 101 to the file group 1021 are accumulated. Access from the terminal group 101 to the file group 1021 is an example of an operation performed in the production environment system 10.
Hereinafter, a terminal included in the terminal group 101 may be referred to simply as a terminal, and a file included in the file group 1021 may be referred to simply as a file.
A terminal accesses the file group 1021 stored in the file server 102 via the network 103.
The simulation system 11 simulates the operation tendency of access from the terminal group 101 to the file group 1021 performed in the production environment system 10.
The simulation system 11 includes a simulation device 111 and a simulation file server 112.
The simulation device 111 includes a simulated terminal group 1111 composed of a plurality of simulated terminals, and simulation data 1112.
The simulation file server 112 is an example of a storage device that stores a simulated file group 1121 composed of a plurality of simulated files.
Based on the access log 1022 of the production environment system 10, the simulation device 111 generates simulation data 1112, which is a simulation procedure indicating the procedure of the simulation. In doing so, to adjust the difficulty level of the training environment, the simulation device 111 generates the simulation data 1112 so that the number of terminals or users simulated in the simulation system 11 differs from that of the production environment system 10.
The simulation data 1112 is a simulation procedure indicating the procedure of access from the simulated terminal group 1111 to the simulated file group 1121; for example, an access time and an access type are set in it.
The simulation device 111 generates the initial file configuration of the simulated file group 1121 that is needed to simulate operations according to the simulation data 1112, and stores it in the simulation file server 112. The simulation device 111 does not have to store the generated initial file configuration of the simulated file group 1121 in the simulation file server 112. For example, the simulation device 111 may store the generated initial file configuration of the simulated file group 1121 in a storage device that it contains. In this case, the simulation file server 112 is unnecessary.
However, because the simulation device 111 simulates the operation of the production environment system 10, it should have a configuration as similar as possible to that of the production environment system 10. For example, when the terminal group 101 in the production environment system 10 accesses the file group 1021 stored in the file server 102, it is preferable on the simulation system 11 side to store the initial file configuration of the simulated file group 1121 in a simulation file server 112 having specifications comparable to those of the file server 102. Alternatively, in order to adjust the training environment, the simulated file group 1121 may be stored in a storage device inside the simulation device 111, such as a hard disk or flash memory.
The simulation device 111 executes the simulation according to the simulation procedure of the simulation data 1112, using the simulated terminal group 1111 and the initial file configuration of the simulated file group 1121.
FIG. 2 is a block configuration diagram of the simulation device 111 according to the present embodiment. The block configuration of the simulation device 111 according to the present embodiment will be described with reference to FIG. 2.
As shown in FIG. 2, the simulation device 111 includes an information generation unit 1110 and an execution unit 125. The information generation unit 1110 includes an extraction unit 121 and a simulated environment generation unit 128. The simulated environment generation unit 128 includes a procedure generation unit 123 and a file generation unit 124.
In addition, the simulation device 111 stores the extraction condition 126, the extraction log 122, and the simulation data 1112 in a storage device. The simulated file group 1121 may be stored in the simulation file server 112 as shown in FIG. 2, or in a storage device inside the simulation device 111.
The extraction condition 126 is a condition for extracting log records (operation histories) from the access log 1022. As described above, the simulation system 11 provides a training environment for operation training, so the difficulty level of the training environment can be adjusted flexibly. The extraction condition 126 is used to adjust the training environment and specifies, for example, the operator name, terminal ID, or terminal address of the log records (operation histories) to be extracted from the access log 1022. The operator name, terminal ID, terminal address, and the like are examples of identifiers set in advance as the extraction condition 126.
The extraction condition 126 can be set as appropriate by a system administrator or the like.
The information generation unit 1110 is an example of an information generation device that generates information used to simulate operations performed in the production environment system 10. The simulation data 1112, the initial file configuration of the simulation file group 1121, and the like are examples of the information for simulating operations that the information generation unit 1110 (information generation device) generates.
Based on the extraction condition 126, the extraction unit 121 extracts a plurality of log records from the access log 1022 as the extraction log 122. The extraction log is an example of an extracted operation history.
Based on the extraction log 122 extracted by the extraction unit 121, the procedure generation unit 123 uses the processing device to generate the simulation data 1112, which indicates the procedure of the operations to be simulated. The simulation data 1112 is an example of a simulation procedure.
Based on the extraction log 122 extracted by the extraction unit 121, the simulated environment generation unit 128 generates the simulation data 1112, which is the procedure of the simulated operations, and the simulation file group 1121, which consists of the simulation files 1121a on which the operations are performed.
The procedure generation unit 123 resolves inconsistencies between log records that arise when the plurality of log records included in the extraction log 122 are simulated. The procedure generation unit 123 corrects at least one of the plurality of log records so that the inconsistency is resolved, and uses the extraction log 122 in which at least one log record has been corrected as the simulation data 1112.
Based on the simulation data 1112, the file generation unit 124 generates the simulation files 1121a that are the targets of the operations included in the simulation data 1112. The simulation file group 1121 consists of at least one simulation file 1121a.
The procedure generation unit 123 and the file generation unit 124 may be configured as separate functional blocks, or may be configured as a single simulated environment generation unit 128 that provides both functions.
The execution unit 125 executes the simulation procedure of the simulation data 1112 on the simulation file group 1121 generated by the file generation unit 124.
Before the execution unit 125 starts the simulation, the file generation unit 124 needs to set up the simulation file group 1121 with the initial file configuration required by the processing content of the simulation data 1112. That is, the directory structure and files needed by the processing carried out in the simulation must already exist.
In this embodiment, the simulated terminal group 1111 is configured on the simulation apparatus 111; however, the required number of real terminals may instead be prepared, and the operation tendency may be simulated using simulation data 1112 prepared for each terminal. The functions of the simulation system 11 do not depend on the configuration of the simulation apparatus 111, the simulated terminal group 1111, the simulation file server 112, and so on.
FIG. 3 is a diagram showing an example of the configuration of the simulation data 1112 according to the present embodiment.
The simulation data 1112 holds a plurality of log records, each representing one operation.
A log record stores information such as an access time 21, which indicates, for example, the access interval needed for operating the simulated terminal group 1111; an access user 22, who accesses the simulation file group 1121; an access type 23, such as WRITE or READ; and an access file 24, which indicates the file to be operated on.
The access time 21 is set to the time elapsed since the start of the simulation. For example, an access time 21 of “8” in the second record means that the operation of record No. 2 is executed 8 seconds after the start of the simulation.
The access user 22 is set to an identifier that identifies the operator. The identifier that identifies the operator is, for example, the user's name. It may also be, for example, the MAC address of the terminal.
The access type 23 is set to the type of operation, such as “WRITE”, “READ”, or “DELETE”.
The access file 24 is set to the file name and path name of the simulation file 1121a to be accessed.
As described above, the simulation data 1112 contains the information needed to carry out the simulation.
FIG. 4 is a diagram illustrating an example of the hardware configuration of the simulation apparatus 111 according to the present embodiment.
A hardware configuration example of the simulation apparatus 111 is described with reference to FIG. 4.
The simulation apparatus 111 is a computer, and each element of the simulation apparatus 111 can be implemented by a program.
In the hardware configuration of the simulation apparatus 111, an arithmetic device 901, an external storage device 902, a main storage device 903, a communication device 904, and an input/output device 905 are connected to a bus.
The arithmetic device 901 is a CPU (Central Processing Unit) that executes programs.
The external storage device 902 is, for example, a ROM (Read Only Memory), a flash memory, or a hard disk device.
The main storage device 903 is a RAM (Random Access Memory).
The communication device 904 is, for example, a communication board, and is connected to a LAN (Local Area Network) or the like. The communication device 904 is not limited to a LAN; it may be connected to a WAN (Wide Area Network) such as an IP-VPN (Internet Protocol Virtual Private Network), a wide-area LAN, or an ATM (Asynchronous Transfer Mode) network, or to the Internet. LANs, WANs, and the Internet are examples of networks.
The input/output device 905 is, for example, a mouse, a keyboard, a display device, or the like. Instead of the mouse, a touch panel, touch pad, trackball, pen tablet, or other pointing device may be used. The display device may be an LCD (Liquid Crystal Display), a CRT (Cathode Ray Tube), or another display device.
The programs are normally stored in the external storage device 902; once loaded into the main storage device 903, they are sequentially read into the arithmetic device 901 and executed.
The programs implement the functions described as “... unit” in the block configuration diagram.
Furthermore, an operating system (OS) is also stored in the external storage device 902. At least a part of the OS is loaded into the main storage device 903, and the arithmetic device 901, while executing the OS, executes the programs that implement the functions of the “... unit” elements shown in the block configuration diagram.
Application programs are also stored in the external storage device 902 and, once loaded into the main storage device 903, are sequentially executed by the arithmetic device 901.
Information such as “... table” is also stored in the external storage device 902.
In the description of the present embodiment, information, data, signal values, and variable values indicating the results of the processing described as “judgment of ...”, “determination of ...”, “extraction of ...”, “detection of ...”, “setting of ...”, “registration of ...”, “selection of ...”, “generation of ...”, “input of ...”, “output of ...”, and so on are stored as files in the main storage device 903.
Data received by the simulation apparatus 111 is also stored in the main storage device 903.
Encryption keys, decryption keys, random number values, and parameters may also be stored as files in the main storage device 903.
Note that the configuration of FIG. 4 is merely one example of the hardware configuration of the simulation apparatus 111; the hardware configuration of the simulation apparatus 111 is not limited to the configuration shown in FIG. 4 and may be another configuration.
FIG. 5 is an overall configuration diagram of the production environment system 10 and the simulation system 11 according to the present embodiment, and is used to explain the operation of each unit of the simulation apparatus 111.
The operation of each unit of the simulation apparatus 111 is described with reference to FIGS. 2 and 5. Each unit of the simulation apparatus 111 shown in FIG. 2 executes processing in cooperation with hardware resources of the simulation apparatus 111, such as the processing device, the storage devices, and the input/output device, and thereby implements the simulation method of the simulation apparatus 111. For example, the functions of the simulation apparatus 111 are implemented when a simulation program stored in the main storage device of the simulation apparatus 111 is read out and executed by the processing device.
The extraction unit 121 executes an extraction process 121a.
In the extraction process 121a, the extraction unit 121 extracts log records from the access log 1022 based on the extraction condition 126 and stores them as the extraction log 122. To adjust the difficulty level of the training environment, the extraction process 121a, for example, makes the number of users simulated by the simulation system 11 smaller than the number of users of the production environment system 10. The extraction log 122 is a target-user excerpt log in which the extraction unit 121 has excerpted from the access log 1022 only the log records relating to the required users.
The procedure generation unit 123 executes a procedure generation process 123a.
In the procedure generation process 123a, the procedure generation unit 123 generates the simulation data 1112 from the extraction log 122, in which the users have been narrowed down.
The file generation unit 124 executes a file generation process 124a.
In the file generation process 124a, the file generation unit 124 generates the initial file configuration of the simulation file group 1121 from the extraction log 122.
The execution unit 125 executes a simulation execution process 125a.
In the simulation execution process 125a, the execution unit 125 performs accesses from the simulated terminal group 1111 to the simulation file group 1121 in accordance with the simulation procedure indicated by the simulation data 1112.
FIG. 6 is a diagram illustrating an example of the access log 1022 according to the present embodiment and an example of the extraction log 122 extracted from the access log 1022 by the extraction unit 121.
As shown in FIG. 6, the access log 1022 stores log records 10221 to 10224, which are operation histories. A log record is also called a log entry. The extraction log 122 is produced by the extraction process 121a of the extraction unit 121. The extraction log 122 stores log records 1221 to 1223, which are the operations to be simulated.
Because the extraction process 121a narrows down the target users, simulating the extraction log 122 as it is may cause an inconsistency in which the simulation runs with necessary data missing.
As illustrated in FIG. 6, assume that the extraction unit 121 extracts the extraction log 122 based on the extraction condition that the users included in the extracted log records are “user A, user B, user D”.
The extraction process 121a of the extraction unit 121 removes the log record 10223 relating to user C from the access log 1022. In the access log 1022, “user C creates file 1” (log record 10223) and then “user D reads file 1” (log record 10224); in the extraction log 122, however, “user C creates file 1” is absent, so an inconsistency arises in which the file that user D reads does not exist.
In other words, the operation of log record 1223 cannot be executed without the operation of log record 10223.
The procedure generation unit 123 corrects the extraction log 122 so as to resolve such inconsistencies, and generates the simulation data 1112.
FIGS. 7 and 8 are flowcharts showing an example of the operation of the simulated environment generation process performed by the procedure generation unit 123 and the file generation unit 124 according to the present embodiment. The simulated environment generation process (S100) consists of the procedure generation process 123a of the procedure generation unit 123 and the file generation process 124a of the file generation unit 124.
Although the procedure generation unit 123 and the file generation unit 124 have been described as separate blocks, they may, for example, be configured as a single simulated environment generation unit 128. Here, the process is described as the operation of a single simulated environment generation unit 128.
In the following description of the simulated environment generation process, the access type 23 of the access log 1022 is assumed to take three values: “READ”, “WRITE”, and “DELETE”.
In S101, the simulated environment generation unit 128 uses the processing device to provisionally create an empty initial file configuration as the simulation file group 1121 on the simulation file server 112.
In S102, the simulated environment generation unit 128 uses the processing device to provisionally create the simulation data 1112 without changing the contents of the extraction log 122.
From then on, the simulated environment generation unit 128 accesses (operates on) the provisionally created simulation file group 1121 in accordance with the provisionally created simulation data 1112. In doing so, for example, if the file to be READ is not in the work area and is also not in the initial file configuration, the simulated environment generation unit 128 performs processing such as adding the file to the initial file configuration.
In S103, the simulated environment generation unit 128 uses the processing device to copy the simulation file group 1121, which is the initial file configuration, to the work area of the simulation apparatus 111. The simulation file group 1121 copied to the work area is referred to as the working simulation file group 11211.
In S104, the simulated environment generation unit 128 uses the processing device to set the analysis position in the simulation data 1112 to the first line.
In S105, the simulated environment generation unit 128 uses the processing device to analyze one line of the simulation data 1112, namely the line at the analysis position (the analysis log).
In S106, the simulated environment generation unit 128 uses the processing device to determine the access type 23 of the analysis log.
If the access type 23 is READ in S106, the simulated environment generation unit 128 proceeds to S107.
In S107, the simulated environment generation unit 128 uses the processing device to determine whether the file to be READ exists in the working simulation file group 11211. If the file to be READ exists (YES in S107), the process proceeds to S108. If it does not exist (NO in S107), the process proceeds to S113.
If the access type 23 is WRITE in S106, the simulated environment generation unit 128 proceeds to S110.
In S110, the simulated environment generation unit 128 creates the file to be written in the working simulation file group 11211. If the file to be written already exists, nothing is done. After S110, the simulated environment generation unit 128 proceeds to S108.
If the access type 23 is DELETE in S106, the simulated environment generation unit 128 proceeds to S111.
In S111, the simulated environment generation unit 128 uses the processing device to determine whether the file to be DELETEd exists in the working simulation file group 11211. If the file to be DELETEd exists (YES in S111), the process proceeds to S112.
In S112, the simulated environment generation unit 128 uses the processing device to delete that file from the working simulation file group 11211.
If the file to be DELETEd does not exist (NO in S111), the process proceeds to S113.
In S113, the simulated environment generation unit 128 uses the processing device to determine whether the file to be accessed exists in the simulation file group 1121 of the simulation file server 112. If it was determined in S107 that the file to be READ does not exist, that file is treated as the file to be accessed. If it was determined in S107 that the file to be DELETEd does not exist, that file is treated as the file to be accessed.
If the simulated environment generation unit 128 determines that the file to be accessed does not exist (NO in S113), the process proceeds to S115.
In S115, the simulated environment generation unit 128 uses the processing device to add the file to be accessed to the simulation file group 1121 of the simulation file server 112, returns to S103, and repeats the processing.
If the simulated environment generation unit 128 determines that the file to be accessed exists (YES in S113), the process proceeds to S114. The fact that the file to be accessed exists in the simulation file group 1121 of the simulation file server 112 means that an inconsistency like the one described above has occurred. Therefore, the corresponding line of the simulation data 1112 is changed to WRITE here to resolve the inconsistency.
In S114, the simulated environment generation unit 128 changes the access type 23 of the corresponding line of the simulation data 1112 (the line of the analysis log) to WRITE, returns to S104, and repeats the processing.
In S108, the simulated environment generation unit 128 uses the processing device to determine whether the simulation data 1112 has been analyzed up to the last line.
If it has not yet been analyzed to the end (NO in S108), the process proceeds to S109.
In S109, the simulated environment generation unit 128 advances the analysis position in the simulation data 1112 by one line and repeats the processing from S105.
If the last line has been analyzed (YES in S108), the simulated environment generation unit 128 ends the simulated environment generation process.
This concludes the description of the simulated environment generation process performed by the simulated environment generation unit 128.
Here, the procedure generation unit 123 and the file generation unit 124 have been described as a single simulated environment generation unit 128, but they may be separate processes. For example, the procedure generation unit 123 first provisionally creates the simulation file group 1121 as an initial file configuration in the work area and completes the analysis of all lines of the simulation data 1112. After the processing of the procedure generation unit 123 has finished, the file generation unit 124 may generate the simulation file group 1121 as the initial file configuration on the simulation file server 112, based on the simulation file group 1121 created as the initial file configuration in the work area.
As long as the difficulty level of the training environment can be adjusted based on the access log 1022 and the inconsistencies that arise when simulating the operations can be resolved, the processing may be executed in any order and configuration.
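The S101 to S115 flow above, as an added Python sketch (not code from the patent): it filters a constructed access log by user, then replays the result until every READ and DELETE finds its file. The record layout, names and sample log are assumptions, and the working copy is reset on every restart, including after S114, which the text describes as returning to S104.

```python
from typing import List, NamedTuple, Set, Tuple

OPS = {"READ", "WRITE", "DELETE"}


class Record(NamedTuple):
    access_time: int   # seconds since the start of the simulation (access time 21)
    user: str          # access user 22
    op: str            # access type 23
    path: str          # access file 24


def extract(access_log: List[Record], users: Set[str]) -> List[Record]:
    """Extraction process 121a: keep only the records of the selected users."""
    return [r for r in access_log if r.user in users]


def generate_environment(extraction_log: List[Record]) -> Tuple[List[Record], Set[str]]:
    """Return (simulation data, initial file set) that replay without missing files."""
    for rec in extraction_log:
        if rec.op not in OPS:
            raise ValueError(f"unsupported access type: {rec.op!r}")
    initial: Set[str] = set()                 # S101: empty initial file configuration
    procedure = list(extraction_log)          # S102: provisional copy, unchanged
    # Each restart either adds one file or turns one record into a WRITE,
    # so the loop terminates after a bounded number of passes.
    while True:
        working = set(initial)                # S103: copy initial files to the work area
        restart = False
        for i, rec in enumerate(procedure):   # S104, S105, S109: walk the records in order
            if rec.op == "WRITE":             # S110: create the file if it is absent
                working.add(rec.path)
            elif rec.path in working:         # S107 / S111: the target exists
                if rec.op == "DELETE":
                    working.discard(rec.path)  # S112
            elif rec.path not in initial:     # S113 NO -> S115: seed the initial file set
                initial.add(rec.path)
                restart = True
            else:                             # S113 YES -> S114: rewrite the record as WRITE
                procedure[i] = rec._replace(op="WRITE")
                restart = True
            if restart:
                break
        if not restart:                       # S108 YES: every record replayed cleanly
            return procedure, initial


def replay(procedure: List[Record], initial: Set[str]) -> List[Record]:
    """Run the procedure against a copy of the initial files; return the failing records."""
    files, failures = set(initial), []
    for rec in procedure:
        if rec.op == "WRITE":
            files.add(rec.path)
        elif rec.path not in files:
            failures.append(rec)
        elif rec.op == "DELETE":
            files.discard(rec.path)
    return failures


# Constructed sample access log (not taken from the patent figures).
ACCESS_LOG = [
    Record(0, "userA", "WRITE", "/share/a.txt"),
    Record(3, "userC", "WRITE", "/share/file1"),
    Record(8, "userD", "READ", "/share/file1"),
    Record(12, "userB", "DELETE", "/share/file1"),
    Record(15, "userD", "READ", "/share/file1"),
    Record(20, "userC", "WRITE", "/share/c.txt"),
    Record(25, "userA", "DELETE", "/share/c.txt"),
]
SELECTED_USERS = {"userA", "userB", "userD"}  # extraction condition: user C is dropped

if __name__ == "__main__":
    extracted = extract(ACCESS_LOG, SELECTED_USERS)
    print("failures before repair:", len(replay(extracted, set())))
    procedure, initial = generate_environment(extracted)
    print("initial files:", sorted(initial))
    for rec in procedure:
        print(rec)
    print("failures after repair:", len(replay(procedure, initial)))
```

In the sample, dropping user C leaves two files that nobody creates, so both are seeded into the initial file set, and the second READ of `/share/file1` (after user B deleted it) is the one record rewritten to WRITE.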
As described above, the simulation apparatus 111 and the information generation device according to the present embodiment generate the simulation data 1112 from the access log 1022 of the file server 102 of the production environment system 10 after changing, for example, the number of users. In doing so, they also handle inconsistencies in which data needed during the simulation is missing, and generate the simulation data 1112 and the initial file configuration of the simulation file group 1121 for the simulation system 11. It is therefore possible to simulate the operation tendency of the production environment in a training environment configured for the intended difficulty level, without placing load on or otherwise affecting the production environment system 10.
The aim is to generate, without affecting the production environment, simulation data for simulating the operation tendency of the production environment in a training environment, and to make that simulation possible even in a training environment whose configuration differs from the production environment. The approach is applicable to systems in which communication takes place between multiple clients and servers, such as file servers, mail servers, Web servers, authentication servers, and DB servers.
Embodiment 2.
In the present embodiment, mainly the differences from Embodiment 1 are described.
Components having the same functions as those described in Embodiment 1 are denoted by the same reference numerals, and their description may be omitted.
In this embodiment, information names such as user names and file names that appear in the access log 1022 of the production environment system 10 are changed (anonymized) to names different from those in the production environment system 10. In addition, the file names of the simulation files 1121a included in the simulation file group 1121 are changed (anonymized) to names different from the file names of the files included in the file group 1021 of the production environment system 10.
The procedure generation unit 123 uses the processing device to anonymize the information names included in the log entries (operation history) of the access log 1022, and generates the simulation data 1112 based on the access log 1022 in which the information names have been anonymized. The procedure generation unit 123 may perform the anonymization when an information name such as a user name or file name is confidential information.
The file generation unit 124 uses the processing device to anonymize the file names of the simulation files 1121a and generates the simulation file group 1121. The file generation unit 124 may perform the anonymization when a file name is confidential information.
As described above, to prevent leakage of confidential information and the like from the production environment, the simulation apparatus 111 and the information generation unit 1110 (information generation device) according to the present embodiment anonymize the confidential production-environment information contained in the logs used to generate the simulation data and setting values, and then generate the data and setting values for simulating the operation tendency.
By changing (anonymizing) names that contain such confidential information at the stage where the access log 1022 is taken out of the production environment system 10, the confidential information of the production environment system 10 can be prevented from leaking to the simulation system 11, and the security of the production environment system 10 can be ensured.
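One way to anonymize names at log export so that the replay stays consistent, as an added Python sketch (not code from the patent). The page only says names are changed to different names; the keyed HMAC-SHA-256 pseudonyms, the key, the tuple layout and the sample records are assumptions.

```python
import hashlib
import hmac
import posixpath
from typing import List, Tuple

LogRecord = Tuple[int, str, str, str]  # (access time, user, access type, path)


def pseudonym(key: bytes, kind: str, name: str, length: int = 10) -> str:
    """Deterministic keyed pseudonym: the same name always maps to the same label,
    so a WRITE and a later READ of one file still refer to one file after export."""
    mac = hmac.new(key, f"{kind}:{name}".encode("utf-8"), hashlib.sha256)
    return f"{kind}_{mac.hexdigest()[:length]}"


def anonymize_path(key: bytes, path: str) -> str:
    """Replace every path component but keep the directory depth and the extension,
    so the training environment keeps the shape of the production file tree."""
    parts = path.split("/")
    out = []
    for i, part in enumerate(parts):
        if part == "":                      # leading or trailing slash
            out.append(part)
            continue
        is_last = i == len(parts) - 1
        stem, ext = posixpath.splitext(part) if is_last else (part, "")
        out.append(pseudonym(key, "file" if is_last else "dir", stem) + ext)
    return "/".join(out)


def anonymize_log(key: bytes, records: List[LogRecord]) -> List[LogRecord]:
    """Anonymize user names and file paths; times and access types are left as they are."""
    return [
        (t, pseudonym(key, "user", user), op, anonymize_path(key, path))
        for t, user, op, path in records
    ]


# Constructed sample data. The key stays on the production side; only the
# anonymized records are handed to the simulation system.
DEMO_KEY = b"constructed-demo-key"
SAMPLE_LOG: List[LogRecord] = [
    (3, "tanaka", "WRITE", "/hr/salary/2014_review.xlsx"),
    (8, "suzuki", "READ", "/hr/salary/2014_review.xlsx"),
    (9, "tanaka", "READ", "/hr/notes.txt"),
]

if __name__ == "__main__":
    for rec in anonymize_log(DEMO_KEY, SAMPLE_LOG):
        print(rec)
```

Keeping the extension is a deliberate choice in this sketch; drop it when the file type itself is confidential.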
Embodiment 3.
In the present embodiment, mainly the differences from Embodiments 1 and 2 are described.
Components having the same functions as those described in Embodiments 1 and 2 are denoted by the same reference numerals, and their description may be omitted.
FIG. 9 is an overall configuration diagram of the production environment system 10 and the simulation system 11 according to the present embodiment. FIG. 9 shows the configuration when the simulation apparatus 111 is applied to a general mail server.
As shown in FIG. 9, the production environment system 10 includes a DNS (Domain Name System) server 602 and a mail server 603 in addition to the terminal group 101 and the network described in Embodiment 1.
The DNS server 602 holds a DNS record 6021. The DNS server 602 is a server that performs name resolution between domain names and IP addresses by associating each domain name with an IP address. The DNS record 6021 stores the associations between domain names and IP addresses.
The mail server 603 holds a transmission/reception log 6022. The transmission/reception log 6022 is an example of operation history information in which the history of mail transmission and reception, which are operations from the terminal group 101, is accumulated.
The simulation system 11 simulates the operation tendency of mail transmission and reception from the terminal group 101 via the network 103 and the mail server 603 in the production environment system 10.
The simulation system 11 includes a simulation DNS server 612 and a simulation mail server 613 in addition to the simulation apparatus 111 and the simulation network 113 described in the first embodiment.
The simulation apparatus 111 includes simulation data 6112 and an external mail server 6111 in addition to the simulated terminal group 1111 described in the first embodiment.
The simulation DNS server 612 holds a simulation DNS record 6121. The simulation DNS record 6121 stores the associations between mail domain names and IP addresses.
Based on the transmission/reception log 6022, the simulation system 11 generates simulation data 1112 that describes the mail transmission/reception procedure, which is the simulation procedure. In accordance with the contents of the simulation data 1112, the simulation system 11 simulates the operation tendency of the terminal group 101 of the production environment system 10 using the simulated terminal group 1111 of the simulation system 11. The simulated terminal group 1111 exchanges mail with the external mail server 6111 via the simulation network 113 and the simulation mail server 613. The simulated terminal group 1111 also exchanges mail within the simulation system 11.
At this time, in order to adjust, for example, the difficulty level of the training environment, the number of terminals and the number of users simulated by the simulation system 11 are configured differently from those of the production environment system 10.
In addition, in the simulation system 11 according to the present embodiment, the external mail server 6111 is provided inside the simulation apparatus 111 in order to simulate mail exchange with the outside of the system. For mail sent from the simulated terminal group 1111 to the outside, the simulation DNS server 612 is configured so that the mail is delivered to the external mail server 6111. Reception of mail from the outside is simulated by sending mail from the external mail server 6111 to the simulation mail server 613.
FIG. 10 is a diagram showing an example of the configuration of the simulation data 6112 according to the present embodiment.
The simulation system 11 simulates mail transmission and reception based on the simulation data 6112 and the simulation DNS record 6121.
The simulation system 11 needs to prepare the simulation data 6112, in which a transmission time 71, a source address 72, a destination address 73, and the like are recorded, and the simulation DNS record 6121 for the simulation DNS server 612, which is used to simulate mail transmission to the external environment.
The simulation data 6112 stores information such as the transmission time 71, which indicates, for example, the mail transmission interval required for the operation of the external mail server 6111 and the simulated terminal group 1111; the source address 72, which is the sender of the mail; and the destination address 73, which is the recipient of the mail. In this way, the simulation data 6112 stores the data required for the simulation.
In the simulation DNS record 6121 of the simulation DNS server 612, associations between domain names and IP addresses are set so that name resolution for mail addressed to the external environment and sent from the simulated terminal group 1111 resolves to the external mail server 6111.
In the present embodiment, the external mail server 6111 and the simulated terminal group 1111 are configured on the simulation apparatus 111, but the configuration is not limited to this. For example, the required number of servers and terminals may actually be prepared, and the operation tendency may be simulated using simulation data 6112 prepared for each server and each terminal. The realization of the simulation method by the simulation apparatus 111 according to the present embodiment does not depend on the configuration of the simulation system 11 or of the simulation apparatus 111 itself.
FIG. 11 is a block configuration diagram of the simulation apparatus 111 according to the present embodiment. FIG. 12 is an overall configuration diagram of the production environment system 10 and the simulation system 11 according to the present embodiment, and is a diagram for explaining the operation of each unit of the simulation apparatus 111.
As shown in FIGS. 11 and 12, the information generation unit 1110 generates the simulation data 6112 and the simulation DNS record 6121 based on the transmission/reception log 6022. The transmission/reception log 6022 of the mail server 603 is an ordinary log that the mail server 603 outputs for purposes such as auditing and failure analysis.
As in the first embodiment, the extraction unit 121 extracts log records from the transmission/reception log 6022 based on the extraction condition 126 (extraction process 121a). The simulated environment generation unit 128 then generates the simulation data 6112 and the simulation DNS record 6121 (procedure generation process 123a (simulation data generation process) and file generation process 124a (simulation DNS record generation process)).
The simulation data 6112 is an example of an operation procedure (mail transmission/reception procedure). The simulation DNS record 6121 is an example of a simulation file, which is a file used for the simulation.
As described in the first embodiment, the procedure generation process 123a (generation of the simulation data 6112) by the procedure generation unit 123 and the file generation process 124a (generation of the simulation DNS record) by the file generation unit 124 may be separate processes, or the procedure generation unit 123 and the file generation unit 124 may be configured as a single simulated environment generation unit 128 that performs a single simulated environment generation process. That is, the simulated environment generation unit 128 outputs the setting values of the simulation data 6112 and the simulation DNS record 6121 from the transmission/reception log 6022.
First, in order to make the number of users simulated by the simulation system 11 smaller than in the production environment system 10, only the logs relating to the required users are extracted from the transmission/reception log 6031 by the extraction process 121ab of the extraction unit 121.
When mail is sent from a user in the production environment system 10 to a user in the production environment system 10, the transmission/reception log 6022 contains two log entries, one for transmission and one for reception, for a single mail transmission. However, when the simulation system 11 simulates the operation tendency of mail transmission and reception, it is generally the mail transmission operation that is simulated, so users are narrowed down by source address.
Because the extraction process 121a narrows down the target sending users, the target user excerpt log 622 may contain an inconsistency in which operation proceeds with required data missing. For example, a user excluded as a sender may still appear as a recipient. If such a transmission were simply removed to deal with this, the number of transmissions to be simulated would decrease.
FIG. 13 is a flowchart showing the operation of the simulated environment generation process performed by the procedure generation unit 123 and the file generation unit 124 according to the present embodiment.
In the simulated environment generation process S200 (simulation data and simulation DNS record generation process), the extraction log 122, in which users have been extracted from the transmission/reception log 6022, is analyzed line by line, and the setting values of the simulation data 6112 and the simulation DNS record 6121 are generated.
In S201, the simulated environment generation unit 128 uses the processing device to set empty simulation data 6112 and to set the analysis log, which is the analysis position in the extraction log 122, to the first line.
In S202, the simulated environment generation unit 128 uses the processing device to analyze the analysis log of the extraction log 122.
In S203, the simulated environment generation unit 128 uses the processing device to determine whether the source of the analysis log is within the production environment system 10.
If the source is within the production environment system 10 (YES in S203), the simulated environment generation unit 128 proceeds to S204.
If the source is not within the production environment system 10 (NO in S203), the simulated environment generation unit 128 proceeds to S209.
In S209, the simulated environment generation unit 128 uses the processing device to add, to the simulation DNS record 6121, an association between the source domain name and an IP address (hereinafter referred to as name resolution) so that the mail of the analysis log becomes mail sent from the external mail server 6111, and then proceeds to S204.
In S204, the simulated environment generation unit 128 uses the processing device to determine whether the destination of the analysis log is within the production environment system 10.
If the destination is not within the production environment system 10 (NO in S204), the simulated environment generation unit 128 proceeds to S210.
In S210, the simulated environment generation unit 128 uses the processing device to add, to the simulation DNS record 6121, an association between the destination domain name and an IP address (hereinafter referred to as name resolution) so that the destination of the analysis log becomes the external mail server 6111, and then proceeds to S207.
If the destination is within the production environment system 10 (YES in S204), the simulated environment generation unit 128 proceeds to S205.
In S205, the simulated environment generation unit 128 uses the processing device to determine whether the destination is an address excluded by the extraction unit 121. The simulated environment generation unit 128 determines whether the destination is an excluded address by, for example, referring to the extraction condition 126.
If the destination is not an excluded address (NO in S205), the process proceeds to S207.
If the destination is an excluded address (YES in S205), the process proceeds to S206.
In S206, the simulated environment generation unit 128 uses the processing device to change the destination address of the analysis log to an address of the internal environment that has not been excluded. In this way, when the destination in the extraction log 122 is an address of the internal environment and that destination is the same as a source address excluded in the extraction process 121a, the destination is changed to an address that has not been excluded, which ensures consistency.
In S207, the simulated environment generation unit 128 uses the processing device to add the analysis log to the simulation data 6112.
In S208, the simulated environment generation unit 128 uses the processing device to determine whether the extraction log 122 has been analyzed up to the last line.
If it has not yet been analyzed to the end (NO in S208), the process proceeds to S211.
In S211, the simulated environment generation unit 128 advances the analysis position in the extraction log 122 by one line and repeats the processing from S202.
If the log has been analyzed up to the last line (YES in S208), the simulated environment generation unit 128 ends the simulated environment generation process (S212).
As described above, the simulation system 11 and the simulation apparatus 111 according to the present embodiment change the number of sending users with respect to the transmission/reception log 6031 of the mail server 603 of the production environment system 10, and generate the simulation data 6112 and the simulation DNS record 6121 while dealing with the data inconsistencies that arise from that change. This makes it possible to simulate the operation tendency of the production environment in a training environment configured according to the intended difficulty level, without placing load on or otherwise affecting the production environment system 10.
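The flow S201 to S212 can be followed in code. The sketch below is an added example, not code from the patent: the log line format, the internal domain `corp.example`, the address `192.0.2.25` for the external mail server 6111, and the round-robin choice of substitute recipient in S206 are all assumptions, and the sample log is constructed.

```python
"""Simulated environment generation (S200) over a constructed mail log."""
import re
from dataclasses import dataclass, replace
from itertools import cycle

INTERNAL_DOMAIN = "corp.example"        # assumption: mail domain of production system 10
EXTERNAL_MAIL_SERVER_IP = "192.0.2.25"  # assumption: address of external mail server 6111

# Constructed sample log; the line format is hypothetical, not taken from the patent.
SAMPLE_LOG = """\
09:00:05 from=<alice@corp.example> to=<bob@corp.example>
09:01:10 from=<alice@corp.example> to=<carol@corp.example>
09:02:30 from=<carol@corp.example> to=<alice@corp.example>
09:03:00 from=<news@vendor.example> to=<carol@corp.example>
09:04:45 from=<bob@corp.example> to=<sales@partner.example>
09:05:00 from=<alice@corp.example> to=<dave@corp.example>
this line is malformed and is skipped
"""
LINE_RE = re.compile(r"^(\S+) from=<([^<>\s@]+@[^<>\s@]+)> to=<([^<>\s@]+@[^<>\s@]+)>$")


@dataclass(frozen=True)
class MailRecord:
    sent_at: str    # transmission time 71
    sender: str     # source address 72
    recipient: str  # destination address 73


def domain_of(address):
    return address.rsplit("@", 1)[1]


def is_internal(address):
    return domain_of(address) == INTERNAL_DOMAIN


def parse_log(text):
    """Parse log lines into records, lower-casing addresses and skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(MailRecord(m.group(1), m.group(2).lower(), m.group(3).lower()))
    return records


def extract(records, kept_users):
    """Extraction process 121a: drop mail sent by internal users that are not kept."""
    return [r for r in records if not is_internal(r.sender) or r.sender in kept_users]


def pick_substitute(pool, pool_size, sender):
    """Next kept internal address, avoiding the sender itself when possible."""
    candidate = next(pool)
    for _ in range(pool_size - 1):
        if candidate != sender:
            break
        candidate = next(pool)
    return candidate


def generate_simulated_environment(extracted, kept_users):
    """Return (simulation data 6112, simulation DNS record 6121) following S201-S212."""
    if not kept_users:
        raise ValueError("at least one internal user must be kept")
    simulation_data, dns_record = [], {}                    # S201
    pool = cycle(sorted(kept_users))
    for rec in extracted:                                   # S202, S208, S211
        if not is_internal(rec.sender):                     # S203: NO
            dns_record[domain_of(rec.sender)] = EXTERNAL_MAIL_SERVER_IP     # S209
        if not is_internal(rec.recipient):                  # S204: NO
            dns_record[domain_of(rec.recipient)] = EXTERNAL_MAIL_SERVER_IP  # S210
        elif rec.recipient not in kept_users:               # S205: YES
            new_rcpt = pick_substitute(pool, len(kept_users), rec.sender)
            rec = replace(rec, recipient=new_rcpt)          # S206
        simulation_data.append(rec)                         # S207
    return simulation_data, dns_record                      # S212


def run_sample():
    kept = {"alice@corp.example", "bob@corp.example"}
    return generate_simulated_environment(extract(parse_log(SAMPLE_LOG), kept), kept)


if __name__ == "__main__":
    data, dns = run_sample()
    for rec in data:
        print(rec.sent_at, rec.sender, "->", rec.recipient)
    print(dns)
```

Rewriting the recipient in S206 instead of dropping the record keeps the number of simulated transmissions equal to the number of extracted records, which is the point the description makes about not reducing the transmission count.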
Embodiment 4.
In the present embodiment, mainly the differences from the third embodiment will be described.
Components having the same functions as those described in the third embodiment are denoted by the same reference numerals, and their description may be omitted.
In the present embodiment, the information names of the source addresses and destination addresses that appear in the transmission/reception log 6022 of the production environment system 10 are changed (anonymized) to names different from those of the production environment system 10.
The simulated environment generation unit 128 (the procedure generation unit 123 and the file generation unit 124) uses the processing device to anonymize the information names of the source addresses and destination addresses contained in the mail transmission/reception history of the transmission/reception log 6022, and generates the simulation data 6112 and the simulation DNS record 6121 based on the transmission/reception log 6022 whose information names have been anonymized. The simulated environment generation unit 128 may perform the anonymization when information names such as the source address and destination address are confidential information.
As described above, the simulation system 11, the simulation apparatus 111, and the information generation unit 1110 (information generation apparatus) according to the present embodiment change (anonymize) names such as confidential information at the stage of retrieving the transmission/reception log 6022 from the production environment system 10. This prevents the confidential information of the production environment system 10 from leaking to the simulation system 11 and ensures the security of the production environment system 10.
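One way to perform the renaming at export time, shown as an added example that is not part of the patent: the description only says that names are changed, so the keyed HMAC-SHA-256 pseudonyms, the domains `corp.example` and `training.invalid`, and the record layout are assumptions, and the sample records are constructed. A key that never leaves the production side keeps the mapping consistent across the log while preventing the simulation side from confirming a guessed address by hashing it.

```python
"""Keyed pseudonymization of mail addresses before a log leaves production."""
import hashlib
import hmac

INTERNAL_DOMAIN = "corp.example"      # assumption: real internal domain (confidential)
TRAINING_DOMAIN = "training.invalid"  # assumption: fixed internal domain of the simulation

# Constructed sample records: (transmission time, source address, destination address).
SAMPLE_RECORDS = [
    ("09:00:05", "alice@corp.example", "bob@corp.example"),
    ("09:03:00", "news@vendor.example", "alice@corp.example"),
    ("09:04:45", "bob@corp.example", "sales@vendor.example"),
]


def _tag(key, kind, value):
    """Keyed pseudonym, separated by kind so a user tag never equals a domain tag.

    16 hex characters (64 bits) keep accidental collisions negligible for a mail log.
    """
    msg = f"{kind}:{value}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def anonymize_address(address, key):
    """Replace one address with a pseudonym that preserves internal/external status."""
    local, _, domain = address.strip().lower().rpartition("@")
    if not local or not domain:
        raise ValueError("not a mail address")
    if domain == INTERNAL_DOMAIN:
        # Internal users stay recognisably internal, so checks such as S203/S204
        # can be applied to the anonymized log with TRAINING_DOMAIN as the internal domain.
        new_domain = TRAINING_DOMAIN
    else:
        # All users of one external domain keep sharing one (renamed) domain,
        # so a single simulation DNS entry still covers them.
        new_domain = f"ext-{_tag(key, 'domain', domain)}.invalid"
    return f"user-{_tag(key, 'user', local + '@' + domain)}@{new_domain}"


def anonymize_log(records, key):
    """Anonymize source and destination of every record; times are left unchanged."""
    return [(t, anonymize_address(s, key), anonymize_address(d, key)) for t, s, d in records]


if __name__ == "__main__":
    export_key = b"\x01" * 32  # constructed key; a real key is random and stays in production
    for row in anonymize_log(SAMPLE_RECORDS, export_key):
        print(row)
```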
The configurations of the "information generation unit", "simulated environment generation unit", "execution unit", "extraction unit", "procedure generation unit", and "file generation unit" described in the first to fourth embodiments are not limited to those described. For example, the "procedure generation unit" and the "file generation unit" may be realized as one functional block, and the "simulated environment generation unit" and the "extraction unit" may be realized as one functional block. Alternatively, the simulation apparatus 111 may be configured with any other combination of these functional blocks.
Although embodiments of the present invention have been described above, two or more of these embodiments may be implemented in combination. Alternatively, one of these embodiments may be partially implemented. Alternatively, two or more of these embodiments may be partially combined and implemented. The present invention is not limited to these embodiments, and various modifications are possible as necessary.
Embodiment 5.
In the present embodiment, mainly the differences from the first to fourth embodiments will be described.
In the present embodiment, components that are the same as those described in the first to fourth embodiments are denoted by the same reference numerals, and their description is omitted.
As described above, the first to fourth embodiments described the simulation system 11 (see FIGS. 1, 5, 9, and others), which generates reproduction data from log data as a method of simulating and reproducing the operation tendency of the production environment system 10. The simulation system 11 is intended, for example, for SOC (Security Operation Center) training.
As described in the fourth embodiment, the simulation system 11 anonymizes the log data and then retrieves it from the access log 1022 and the transmission/reception log 6022 of the production environment system 10. To adjust the difficulty level, the simulation system 11 then narrows down the scale of the users to be simulated, generates the simulation data 1112 and 6112 as reproduction data in such a way that no contradiction arises during reproduction, and executes the simulation. Thus, the simulation system 11 according to the fourth embodiment can reproduce the operation tendency of the production environment system 10 in an environment of a different scale while security is ensured.
An SOC training environment may be built for the purpose of training personnel to respond to cyber attacks. In this case, after the operation tendency of the production environment system 10 has been simulated, cyber attack operations need to be recorded and replayed manually (by an instructor). In addition, it must be possible to carry out cyber attack detection training using log monitoring software or the like.
This SOC training environment can be realized as follows by combining the simulation system 11 described in the first to fourth embodiments with a method that stores and replays operation records for the purpose of regression testing.
First, attack operation records from a cyber attack are stored in advance. Then, while the simulation of the operation tendency of the production environment system 10 is executed, the attack operation records are replayed to realize the training environment. The log monitoring software stores the logs produced while the training environment is realized as training logs. Using the training logs stored by the log monitoring software, the trainee practices detecting cyber attacks.
However, merely reproducing the simulation of the operation tendency of the production environment system 10 and the simulation of the cyber attack has little training effect on the trainee. This is because the IP address of the attack terminal used for the attack and the account name, IP address, and so on of the terminal infected by the virus are the same every time, so the training environment is the same every time.
On the other hand, in cases such as when detection of a cyber attack failed in a past training session, it may be desirable to train again in the same training environment.
The present embodiment describes an environment providing system 200 that can create a different training environment each time training such as SOC training is carried out, and that can also return to a training environment saved at a certain point in time.
FIG. 14 is an overall configuration diagram of the environment providing system 200 (environment providing apparatus) according to the present embodiment.
In the environment providing system 200 according to the present embodiment, a plurality of components having various functions are added to the components of the simulation system 11 described in the first to fourth embodiments.
The environment providing system 200 includes a pseudo Internet environment system 210, a virtual enterprise environment system 220, and a test management environment system 230.
The pseudo Internet environment system 210 includes an attack terminal 212 and a server group 213. The server group 213 includes, for example, a Web server 2131 and a DNS server 2132. The storage device of the pseudo Internet environment system 210 stores an attack operation record 2312, which is described later.
The virtual enterprise environment system 220 includes the simulated terminal group 1111, a business system 223, and a log monitoring environment system 224. The simulated terminal group 1111 is an example of a training apparatus used for cyber attack detection training.
The test management environment system 230 includes a training management device 231.
The training management device 231 of the test management environment system 230 includes a request acquisition unit 2316, a training execution unit 2315, and a training environment changing unit 2313. The storage device of the training management device 231 stores a normal business scenario 2311, the attack operation record 2312, and training environment information 2314.
The normal business scenario 2311 is the simulation data 1112 (see FIG. 2) and the simulation data 6112 (see FIG. 11) described in the first to fourth embodiments. The normal business scenario 2311 (simulation data 1112 and 6112) is generated by the information generation unit 1110 (see FIGS. 2 and 11), as described in the first to fourth embodiments. Although the information generation unit 1110 is not shown in FIG. 14, the test management environment system 230 is assumed to include the information generation unit 1110. The information generation unit 1110 stores the generated normal business scenario 2311 (simulation data 1112 and 6112) in the storage device of the training management device 231.
The normal business scenario 2311 is an example of a simulation procedure.
The attack operation record 2312 stores at least one operation record from a cyber attack. The attack operation record 2312 is an example of an attack procedure.
The training environment information 2314 stores past training environments. The training environment information 2314 is an example of an environment information storage unit that stores information indicating the training environments generated by the training environment changing unit 2313 (environment setting unit).
When training is carried out using the environment providing system 200 according to the present embodiment, an administrator (for example, an instructor) first inputs an environment setting request, which requests the setting of the training environment of the training apparatus used for attack detection training.
The request acquisition unit 2316 acquires this environment setting request.
The environment setting request includes information on the selection of the normal business scenario 2311 and information on the selection of the attack operation record 2312.
Furthermore, the environment setting request includes a designation of whether the training environment for the training is to be newly generated, kept as the current training environment, or set to one of the past training environments. Information designating the generation of a new training environment is referred to as a generation instruction. As a past training environment, for example, a training environment in which attack detection failed in the past may be designated, or a past date and time may be specified so that the training environment corresponding to that date and time is designated.
The training execution unit 2315 transmits the normal business scenario 2311 selected by the environment setting request to the virtual enterprise environment system 220. The training execution unit 2315 causes the simulated terminal group 1111 (training apparatus) to execute a simulation of the normal business of the production environment system 10 in accordance with the normal business scenario 2311 (simulation procedure). The training execution unit 2315 is an example of a simulation execution unit.
The training execution unit 2315 also transmits the selected attack operation record 2312 to the pseudo Internet environment system 210. The attack terminal 212 of the pseudo Internet environment system 210 executes a cyber attack on the simulated terminal group 1111, which is executing the simulation, in accordance with the attack operation record 2312 (attack procedure). The attack terminal 212 is an example of an attack execution unit.
 訓練環境変更部2313は、新たな訓練環境が選択された場合に、新たに訓練環境を設定する。訓練環境変更部2313は、新たに訓練環境を設定した場合に、設定した訓練環境を訓練環境情報2314に記憶する。
 訓練環境変更部2313は、環境設定要求に基づいて、模擬端末群1111の訓練環境を設定する環境設定部の一例である。
The training environment changing unit 2313 newly sets a training environment when a new training environment is selected. When a training environment is newly set, the training environment change unit 2313 stores the set training environment in the training environment information 2314.
The training environment changing unit 2313 is an example of an environment setting unit that sets the training environment of the simulated terminal group 1111 based on the environment setting request.
 訓練環境変更部2313は、環境設定要求に訓練環境の生成を指示する生成指示が含まれているか否かを判定する。訓練環境変更部2313は、生成指示が含まれていると判定した場合、模擬端末群1111の訓練環境を生成する。訓練環境変更部2313は、生成した訓練環境を、仮想企業環境システム220及び擬似インターネット環境システム210に設定する。このように、訓練環境変更部2313は、環境設定要求に含まれる生成指示にしたがって、訓練装置の訓練環境を設定する。 The training environment changing unit 2313 determines whether or not a generation instruction for instructing generation of a training environment is included in the environment setting request. When it is determined that the generation instruction is included, the training environment change unit 2313 generates a training environment for the simulated terminal group 1111. The training environment changing unit 2313 sets the generated training environment in the virtual enterprise environment system 220 and the pseudo Internet environment system 210. In this manner, the training environment changing unit 2313 sets the training environment of the training device according to the generation instruction included in the environment setting request.
 また、訓練環境変更部2313は、環境設定要求に生成指示が含まれていないと判定した場合、記憶装置に記憶されている訓練環境情報2314を仮想企業環境システム220及び擬似インターネット環境システム210に設定することを指示する設定指示が、環境設定要求に含まれているか否かを判定する。訓練環境変更部2313は、設定指示が含まれていると判定した場合、設定指示に基づいて訓練環境情報2314を取得し、取得した訓練環境情報が示す訓練環境を仮想企業環境システム220及び擬似インターネット環境システム210に設定する。このように、訓練環境変更部2313は、環境設定要求に含まれる設定指示にしたがって、訓練装置の訓練環境を設定する。 When the training environment changing unit 2313 determines that the generation instruction is not included in the environment setting request, the training environment changing unit 2313 sets the training environment information 2314 stored in the storage device in the virtual enterprise environment system 220 and the pseudo Internet environment system 210. It is determined whether or not a setting instruction for instructing is included in the environment setting request. When it is determined that the setting instruction is included, the training environment changing unit 2313 acquires the training environment information 2314 based on the setting instruction, and the training environment information indicated by the acquired training environment information is the virtual enterprise environment system 220 and the pseudo Internet. Set in environment system 210. Thus, the training environment changing unit 2313 sets the training environment of the training device according to the setting instruction included in the environment setting request.
The simulated terminal group 1111 of the virtual enterprise environment system 220 is assumed to have a scale of, for example, several hundred to several thousand terminals. The simulated terminal group 1111 includes a plurality of terminals 1131. An infected terminal 1131x exists among the plurality of terminals 1131.
The business system 223 of the virtual enterprise environment system 220 includes the simulation file server 112 and the simulation DNS server 612. It also includes a Web server 2201 and the like. As described in the first to fourth embodiments, the simulation file server 112 includes the simulated file group 1121. The simulation DNS server 612 includes the simulation DNS record 6121. The Web server 2201 includes a log 2202 in which, for example, URLs (Uniform Resource Locators) are recorded.
The log monitoring environment system 224 of the virtual enterprise environment system 220 includes a trainee terminal 2241 and a log collection monitoring unit 2242.
The log collection monitoring unit 2242 stores the log of the training environment realized by the attack operation record 2312 and the normal business scenario 2311 as a training log 2243. The trainee uses the trainee terminal 2241 to monitor the output of the log collection monitoring unit 2242, such as the training log 2243, and carries out training in detecting a cyber attack.
The log collection monitoring unit 2242 is an example of a log acquisition unit that acquires operation logs from the simulated terminal group 1111 while the simulated terminal group 1111 (training apparatus) is executing the simulation and the attack terminal 212 (attack execution unit) is executing the cyber attack.
FIG. 15 is a diagram illustrating an example of the configuration of the normal business scenario 2311 according to the present embodiment.
The normal business scenario 2311 accumulates a plurality of log records, each of which is an operation of normal business.
Each record of the normal business scenario 2311 contains a record number, a reproduction interval, the account to be used, an operation type, and auxiliary information for reproduction. Each terminal 1131 reproduces only the records that correspond to the account assigned to that terminal 1131 in advance, which makes it possible to simulate the operational tendency of the production environment system 10.
FIG. 16 is a diagram for explaining the method by which the terminal 1131 reproduces normal business according to the present embodiment.
To simulate the operational tendency of the production environment system 10 during production operation, the training execution unit 2315 gives the normal business scenario 2311 to each terminal 1131 of the simulated terminal group 1111 of the virtual enterprise environment system 220 and has that normal business scenario 2311 reproduced.
As illustrated in FIG. 16, the terminal 1131 includes a scenario execution unit 1131a and account information 1131b. The account information 1131b stores the account information of the terminal itself.
The scenario execution unit 1131a acquires the normal business scenario 2311 and also acquires the account information 1131b. Based on the account information 1131b, the scenario execution unit 1131a executes those records of the normal business scenario 2311 that correspond to the account of its own terminal.
For example, in the first record of the normal business scenario 2311, the reproduction time interval is set to 10 seconds, the account to be used is SP63251, the operation type is file server access, and the auxiliary information for reproduction is file path 1. The scenario execution unit 1131a of the terminal 1131 corresponding to the account SP63251 therefore executes the simulation of normal business based on the information set in the first record.
FIG. 17 is a diagram for explaining the method by which the attack terminal 212 and the infected terminal 1131x reproduce a cyber attack according to the present embodiment.
To reproduce the cyber attack, the training execution unit 2315 gives the attack operation record 2312 to the attack terminal 212 of the pseudo Internet environment system 210 and the infected terminal 1131x of the virtual enterprise environment system 220.
The attack operation record 2312 includes an attack operation record (infection operation) 2312a and an attack operation record (cyber attack) 2312b.
The attack operation record (infection operation) 2312a is information on an infection operation that infects the terminal 1131 with a virus.
The training execution unit 2315 transmits the attack operation record (infection operation) 2312a to the terminal 1131 (infected terminal 1131x).
The attack operation record (cyber attack) 2312b is information on the cyber attack operations (file leakage and the like) performed after the terminal 1131 has been infected with a virus, has become the infected terminal 1131x, and can be remotely operated.
The training execution unit 2315 transmits the attack operation record (cyber attack) 2312b to the attack terminal 212.
As shown in S111 of FIG. 17, in order to reproduce the act of being infected with a virus on the infected terminal 1131x, the application used at the time of infection needs to be installed on the infected terminal 1131x.
In the attack operation record (infection operation) 2312a, for example, infection operations such as those shown in S112a, S112b, and S112x are recorded. The infected terminal 1131x reproduces the infection operation selected from among them by the administrator. In S112a, the infected terminal 1131x is infected with a virus by an operation of executing a mail attachment file. In S112b, the infected terminal 1131x is infected with a virus by an operation of downloading software containing a virus from an external site and executing it. In S112x, the infected terminal 1131x is infected with a virus by an operation of executing software that has been left without updates applied.
In S113, once the infected terminal 1131x has been infected with the virus, remote operation by the attack terminal 212 becomes possible.
The attack terminal 212 includes a remote operation unit 2121. Based on the attack operation record (cyber attack) 2312b, the remote operation unit 2121 reproduces a cyber attack on the virtual enterprise environment system 220 via the infected terminal 1131x.
In the environment providing system 200 according to the present embodiment, in addition to the reproduction of the attack operation record 2312 and the reproduction of the normal business scenario 2311 described above, the training environment needs to be switched as appropriate at the time of training.
FIG. 18 is a diagram showing an example of the configuration of the training environment information 2314 according to the present embodiment.
A plurality of training environments are set in the training environment information 2314. The training environment information 2314 contains a training environment number indicating the training environment, the date and time at which the training environment was used, the IP address of the attack terminal 212, and the account and IP address of the infected terminal 1131x. Other information that defines the training environment may also be set. Only one of the account and the IP address may be set in the training environment information 2314.
In this way, the training environment information 2314 is associated with the generation date and time at which the training environment was generated.
Here, the hardware configuration of the training management device 231, the attack terminal 212, the terminal 1131, and the infected terminal 1131x will be described. The hardware configuration of the training management device 231, the attack terminal 212, the terminal 1131, and the infected terminal 1131x is, for example, the same as the hardware configuration of the simulated terminal group 1111 described with reference to FIG. 4.
In each of the training management device 231, the attack terminal 212, the terminal 1131, the infected terminal 1131x, and the log monitoring environment system 224, the functions described as "... unit" can be realized by each device executing a program.
The program is normally stored in the external storage device 902 and, once loaded into the main storage device 903, is sequentially read into the arithmetic device 901 and executed.
As described above, the program is a program that realizes the functions described as "... unit" in the block configuration diagrams.
Further, an operating system (OS) is also stored in the external storage device 902. At least a part of the OS is loaded into the main storage device 903, and the arithmetic device 901, while executing the OS, executes the program that realizes the functions of the "... unit" elements shown in the block configuration diagrams.
Information such as the "normal business scenario", "attack operation record", "training environment information", "training log", and "account information" is also stored in the external storage device 902.
FIG. 19 is a flowchart showing the flow of the environment providing method (environment providing process) of the environment providing system 200 according to the present embodiment.
<Request acquisition step (process): S10>
In S10, the training management device 231 acquires an environment setting request by means of the request acquisition unit (request acquisition step (process)). An administrator, such as an instructor or a trainee who performs the training, inputs the environment setting request to the request acquisition unit, thereby selecting the normal business scenario 2311 and the attack operation record 2312 that form the background of the training environment and also selecting the training environment information 2314.
For example, the request acquisition unit 2316 displays on the display device a scenario selection screen that lets the administrator select the normal business scenario 2311 and the attack operation record 2312. Through the scenario selection screen, the request acquisition unit 2316 has the administrator select the normal business scenario 2311 and the attack operation record 2312. The request acquisition unit 2316 also displays on the display device a training environment selection screen for selecting whether to set a new training environment, the current training environment, or a saved training environment. On the displayed training environment selection screen, the administrator selects whether to set a new training environment, the current training environment, or a saved training environment.
Setting a new training environment means that the training environment changing unit 2313 generates a new training environment and the generated training environment is set. The administrator can specify the conditions of the newly generated training environment from the training environment selection screen.
Setting the current training environment means that the training is carried out in the training environment as it currently stands.
Setting a saved training environment means setting a training environment that the training environment changing unit 2313 recorded in the training environment information 2314 in the past. The administrator can specify a past date and time as the specified date and time on the training environment selection screen.
If setting a saved training environment is selected in S11, the process proceeds to S12.
If setting the current training environment is selected in S11, the process proceeds to S17 without doing anything.
If setting a new training environment is selected in S11, the process proceeds to S13.
<Environment setting step (process): S12 to S16>
In S12, the training environment changing unit 2313 acquires the training environment information 2314 corresponding to the specified date and time given in S11 and sets the acquired training environment information 2314. For example, the training environment information 2314 is associated with the generation date and time at which the training environment was generated. The training environment changing unit 2313 acquires an environment setting request that includes a specified date and time and, based on that specified date and time, acquires the training environment information 2314 corresponding to it.
In S13, the training environment changing unit 2313 changes the IP address of the attack terminal within a specified range.
In S14, the training environment changing unit 2313 swaps the account and IP address between the infected terminal 1131x and an arbitrary terminal 1131.
In S15, the training environment changing unit 2313 changes the account used by each terminal 1131.
In S16, the training environment changing unit 2313 updates the DNS data for the terminals 1131 whose accounts have been changed. The DNS data is updated by re-registering the simulation DNS record 6121 of the simulation DNS server 612.
Swapping the account and IP address of the infected terminal 1131x with those of an arbitrary terminal 1131, as in S14, makes it possible to switch the infected terminal 1131x without installing the application needed for infection on all the terminals 1131.
The processing of S11 to S16 completes the environment providing process (step) that provides the training environment.
<Simulation execution step (process), attack execution step (process): S17 to S18>
In S17, the training execution unit 2315 transmits the selected normal business scenario 2311 to the simulated terminal group 1111 and distributes the selected attack operation record 2312 to the infected terminal 1131x and the attack terminal 212.
In S18, the simulated terminal group 1111 and the attack terminal 212 start the simulation of normal business based on the normal business scenario 2311 and start the simulation of the cyber attack based on the attack operation record 2312.
In S19, the trainee carries out the training.
In S20, the training environment changing unit 2313 determines, by a processing device, whether the current training environment has already been saved in the training environment information 2314.
If it is determined in S20 that the current training environment has already been saved in the training environment information 2314 ("not required" in S20), the process ends.
If it is determined in S20 that the current training environment has not been saved in the training environment information 2314 ("required" in S20), the process proceeds to S21.
In S21, the training environment changing unit 2313 saves the current training environment in the training environment information 2314 and ends the process.
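The environment-setting branch of FIG. 19 (S11 to S16) and the post-training save (S20, S21), sketched in Python as an added example; it is not code from the patent. The `CyberRange`, `EnvStore` and `set_environment` names, the request keys, the DNS naming scheme, the rotation used for S15 and the "latest at or before" date lookup for S12 are assumptions, and the sample hosts, accounts and addresses are constructed.

```python
import ipaddress
import random
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class EnvRecord:
    """One row of training environment information 2314 (fields as in FIG. 18)."""
    number: int
    created: datetime
    attacker_ip: str
    infected_account: str
    infected_ip: str


class CyberRange:
    """Assumed stand-in for the simulated terminals and the simulation DNS server."""

    def __init__(self, identities, infected_host, attacker_ip):
        self.identity = dict(identities)    # host id -> (account, IP address)
        self.infected_host = infected_host  # only host with the infection-time application
        self.attacker_ip = attacker_ip
        self.reregister_dns()

    def reregister_dns(self):
        # S16: re-register the simulation DNS records (naming scheme is an assumption)
        self.dns = {f"{acct.lower()}.corp.example": ip
                    for acct, ip in self.identity.values()}

    def snapshot(self, number, now):
        account, ip = self.identity[self.infected_host]
        return EnvRecord(number, now, self.attacker_ip, account, ip)


class EnvStore:
    def __init__(self):
        self.records = []

    def find(self, when):
        # S12 lookup: "corresponding to the specified date and time" is read here
        # as the latest environment generated at or before it (an assumption)
        older = [r for r in self.records if r.created <= when]
        if not older:
            raise LookupError("no saved training environment for that date")
        return max(older, key=lambda r: r.created)

    def save_if_new(self, rec):
        # S20/S21: save after training unless this environment is already stored
        key = (rec.attacker_ip, rec.infected_account, rec.infected_ip)
        if any((r.attacker_ip, r.infected_account, r.infected_ip) == key
               for r in self.records):
            return False
        self.records.append(rec)
        return True


def generate_new(cr, attacker_net, rng):
    others = sorted(h for h in cr.identity if h != cr.infected_host)
    if len(others) < 2:
        raise ValueError("need at least two non-infected terminals")
    # S13: move the attack terminal to another address inside the specified range
    pool = [str(h) for h in ipaddress.ip_network(attacker_net).hosts()
            if str(h) != cr.attacker_ip]
    cr.attacker_ip = rng.choice(pool)
    # S14: swap account and IP between the infected host and an arbitrary terminal,
    # so the infected identity moves without installing the application elsewhere
    peer = rng.choice(others)
    cr.identity[cr.infected_host], cr.identity[peer] = (
        cr.identity[peer], cr.identity[cr.infected_host])
    # S15: change the accounts of the other terminals (assumed: rotate, IPs stay)
    accounts = [cr.identity[h][0] for h in others]
    shift = rng.randrange(1, len(others))
    for i, host in enumerate(others):
        cr.identity[host] = (accounts[(i + shift) % len(others)], cr.identity[host][1])
    cr.reregister_dns()  # S16


def apply_saved(cr, rec):
    # S12: put the recorded attacker IP and infected identity back in place,
    # handing the infected host's current account/IP to whoever held the old ones
    cr.attacker_ip = rec.attacker_ip
    cur_acct, cur_ip = cr.identity[cr.infected_host]
    for host, (acct, ip) in list(cr.identity.items()):
        if host != cr.infected_host:
            cr.identity[host] = (cur_acct if acct == rec.infected_account else acct,
                                 cur_ip if ip == rec.infected_ip else ip)
    cr.identity[cr.infected_host] = (rec.infected_account, rec.infected_ip)
    cr.reregister_dns()


def set_environment(cr, store, request, rng, now):
    """S11 branch on the environment setting request; returns the environment in force."""
    if request["mode"] == "saved":    # setting instruction with a specified date
        rec = store.find(request["when"])
        apply_saved(cr, rec)
        return rec
    if request["mode"] == "new":      # generation instruction
        generate_new(cr, request["attacker_net"], rng)
    elif request["mode"] != "current":
        raise ValueError("unknown mode")
    return cr.snapshot(len(store.records) + 1, now)


def build_sample():
    # Constructed sample: four terminals; only "pc-03" has the infection-time application
    ids = {"pc-01": ("SP63251", "192.0.2.11"), "pc-02": ("SP63252", "192.0.2.12"),
           "pc-03": ("SP63253", "192.0.2.13"), "pc-04": ("SP63254", "192.0.2.14")}
    return CyberRange(ids, "pc-03", "198.51.100.1"), EnvStore()


if __name__ == "__main__":
    cr, store = build_sample()
    rng = random.Random()
    store.save_if_new(set_environment(cr, store, {"mode": "current"}, rng, datetime(2014, 2, 1)))
    print(set_environment(cr, store, {"mode": "new", "attacker_net": "198.51.100.0/28"},
                          rng, datetime(2014, 2, 8)))
```

After a "new" request the trainee sees a different attacker address and a different infected account and IP in the training log, while the host that actually carries the infection-time application never changes.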
As described above, with the environment providing system 200 according to the present embodiment, when an SOC training environment is constructed, for example, the training environment, such as the IP address of the attacker terminal and the account and IP address of the infected terminal, can be changed for each training session. The environment providing system 200 also makes it possible to restore a training environment used in the past and train in it. The effect of the training can therefore be enhanced.
In addition, the training environment can be changed before the training starts (by selecting a new training environment, the current training environment, or a training environment used in the past), and the training environment can be saved after the training for later reuse.
Each of the virtual enterprise environment system 220, the pseudo Internet environment system 210, and the test management environment system 230 described in the fifth embodiment may be a single device. Alternatively, each need not be a single device and may consist of a plurality of devices connected to a network. The virtual enterprise environment system 220, the pseudo Internet environment system 210, and the test management environment system 230 may each be configured in any manner as long as the functions described above can be realized.
Although the first to fifth embodiments of the present invention have been described above, two or more of these embodiments may be implemented in combination. Alternatively, one of these embodiments may be partially implemented. Alternatively, two or more of these embodiments may be partially combined. The present invention is not limited to these embodiments, and various changes can be made as necessary.
10 production environment system, 11 simulation system, 21 access time, 22 access user, 23 access type, 24 access file, 101 terminal group, 102 file server, 103 network, 111 simulation apparatus, 112 simulation file server, 113 simulation network, 121 extraction unit, 121a extraction process, 122 extraction log, 123 procedure generation unit, 123a procedure generation process, 124 file generation unit, 124a file generation process, 125 execution unit, 126 extraction condition, 128 simulated environment generation unit, 200 environment providing system, 210 pseudo Internet environment system, 212 attack terminal, 213 server group, 220 virtual enterprise environment system, 223 business system, 224 log monitoring environment system, 230 test management environment system, 231 training management device, 602 DNS server, 603 mail server, 612 simulation DNS server, 613 simulation mail server, 901 arithmetic device, 902 external storage device, 903 main storage device, 904 communication device, 905 input/output device, 1021 file group, 1022 access log, 1110 information generation unit, 1111 simulated terminal group, 1112 simulation data, 1121 simulated file group, 1121a simulated file, 1131 terminal, 1131a scenario execution unit, 1131b account information, 1131x infected terminal, 2121 remote operation unit, 2131 Web server, 2132 DNS server, 2201 Web server, 2241 trainee terminal, 2242 log collection monitoring unit, 2243 training log, 2311 normal business scenario, 2312 attack operation record, 2312a attack operation record (infection operation), 2312b attack operation record (cyber attack), 2313 training environment changing unit, 2314 training environment information, 2315 training execution unit, 2316 request acquisition unit, 6021 DNS record, 6022 transmission/reception log, 6111 external mail server, 6112 simulation data, 6121 simulation DNS record.

Claims (20)

  1.  A simulation apparatus comprising:
      an extraction unit that extracts a plurality of operation histories, as an extraction operation history, from operation history information in which a plurality of operation histories each indicating a history of an operation are accumulated, based on an extraction condition that is a condition for extracting operation histories from the operation history information;
      a procedure generation unit that generates, by a processing device, a simulation procedure indicating a procedure of operations to be simulated, based on the extraction operation history extracted by the extraction unit; and
      an execution unit that executes, by a processing device, the simulation procedure generated by the procedure generation unit.
  2.  The simulation apparatus according to claim 1, wherein
      the procedure generation unit corrects at least one of the plurality of operation histories included in the extraction operation history so as to eliminate an inconsistency between operation histories that arises when the plurality of operation histories are simulated, and uses the extraction operation history in which the at least one operation history has been corrected as the simulation procedure.
  3.  前記操作履歴情報には、ファイルに対する操作の履歴が前記操作履歴として複数蓄積され、
     前記模擬装置は、さらに、
     前記模擬手順に基づいて、前記模擬手順の示す操作の対象となる模擬ファイルを生成するファイル生成部を備え、
     前記実行部は、
     前記ファイル生成部により生成された前記模擬ファイルに対して、前記模擬手順を実行することを特徴とする請求項1または2に記載の模擬装置。
    In the operation history information, a plurality of operation histories for files are accumulated as the operation history,
    The simulation apparatus further includes:
    Based on the simulation procedure, a file generation unit that generates a simulation file that is an operation target indicated by the simulation procedure,
    The execution unit is
    The simulation apparatus according to claim 1, wherein the simulation procedure is executed on the simulation file generated by the file generation unit.
  4.  前記手順生成部は、
     前記抽出操作履歴の前記操作履歴に含まれる情報名を処理装置により匿名化し、前記情報名が匿名化された前記抽出操作履歴に基づいて、前記模擬手順を生成することを特徴とする請求項1~3のいずれかに記載の模擬装置。
    The procedure generator is
    The information procedure included in the operation history of the extraction operation history is anonymized by a processing device, and the simulation procedure is generated based on the extraction operation history in which the information name is anonymized. 4. The simulator according to any one of items 3 to 3.
  5.  前記ファイル生成部は、
     前記模擬ファイルのファイル名を処理装置により匿名化することを特徴とする請求項3に記載の模擬装置。
    The file generator
    The simulation apparatus according to claim 3, wherein a file name of the simulation file is anonymized by a processing apparatus.
  6.  The simulation apparatus according to any one of claims 1 to 5, wherein
    the operation history includes an identifier that identifies the operator who performed the operation, and
    the extraction unit uses a preset identifier as the extraction condition and extracts operation histories that include the identifier from the operation history information.
  7.  The simulation apparatus according to claim 4, wherein the information name is confidential information.
  8.  The simulation apparatus according to claim 5, wherein the file name is confidential information.
  9.  The simulation apparatus according to claim 1 or 2, wherein
    a plurality of histories of mail communication performed via a mail server are accumulated in the operation history information as the operation histories,
    the simulation apparatus further comprises a communication source server and a communication destination server that perform, based on the simulation procedure, the mail communication indicated by the simulation procedure, and
    the execution unit executes the simulation procedure using the communication source server and the communication destination server.
  10.  An information generation apparatus comprising:
    an extraction unit that extracts, based on an extraction condition that is a condition for extracting operation histories from operation history information in which a plurality of operation histories each indicating a history of an operation are accumulated, a plurality of operation histories from the operation history information as an extraction operation history; and
    a procedure generation unit that generates, by a processing device and based on the extraction operation history extracted by the extraction unit, a simulation procedure indicating the procedure of the operations to be simulated, as information used for simulating the operations,
    wherein the procedure generation unit corrects at least one of the plurality of operation histories so as to eliminate an inconsistency between operation histories that arises when the plurality of operation histories included in the extraction operation history are simulated, and uses the extraction operation history in which the at least one operation history has been corrected as the simulation procedure.
  11.  The information generation apparatus according to claim 10, wherein
    a plurality of histories of operations on files are accumulated in the operation history information as the operation histories, and
    the information generation apparatus further comprises a file generation unit that generates, by a processing device and based on the simulation procedure, a simulation file that is the target of the operation indicated by the simulation procedure, as information used for simulating the operation.
  12.  A simulation method comprising:
    extracting, based on an extraction condition that is a condition for extracting operation histories from operation history information in which a plurality of operation histories each indicating a history of an operation are accumulated, a plurality of operation histories from the operation history information as an extraction operation history;
    generating, by a processing device and based on the extracted extraction operation history, a simulation procedure indicating the procedure of the operations to be simulated; and
    executing the generated simulation procedure by a processing device.
  13.  A simulation program that causes a computer to execute:
    an extraction process of extracting, based on an extraction condition that is a condition for extracting operation histories from operation history information in which a plurality of operation histories each indicating a history of an operation are accumulated, a plurality of operation histories from the operation history information as an extraction operation history;
    a procedure generation process of generating, by a processing device and based on the extraction operation history extracted by the extraction process, a simulation procedure indicating the procedure of the operations to be simulated; and
    an execution process of executing, by a processing device, the simulation procedure generated by the procedure generation process.
  14.  An environment providing system comprising:
    an environment setting unit that sets, in a training device used for attack detection training, a training environment of the training device based on an environment setting request that requests setting of the training environment of the training device;
    a simulation execution unit that causes the training device to execute simulation in accordance with a simulation procedure; and
    an attack execution unit that executes, in accordance with an attack procedure, a cyber attack on the training device that is executing the simulation.
  15.  The environment providing system according to claim 14, wherein
    the environment setting unit determines whether the environment setting request includes a generation instruction that instructs generation of a training environment of the training device and, when it determines that the generation instruction is included, generates the training environment of the training device and sets the generated training environment in the training device, and
    the environment providing system further comprises an environment information storage unit that stores environment information indicating the training environment generated by the environment setting unit.
  16.  The environment providing system according to claim 15, wherein
    the environment setting unit, when it determines that the generation instruction is not included in the environment setting request, determines whether the environment setting request includes a setting instruction that instructs setting, in the training device, of the training environment indicated by the environment information stored in the environment information storage unit and, when it determines that the setting instruction is included, acquires the environment information from the environment information storage unit based on the setting instruction and sets the training environment indicated by the acquired environment information in the training device.
  17.  The environment providing system according to claim 16, wherein
    the environment information storage unit stores the environment information in association with the generation date and time at which the training environment of the training device was generated, and
    the environment setting unit acquires the environment setting request including a specified date and time, and selects the environment information from the environment information storage unit based on the specified date and time included in the environment setting request.
  18.  The environment providing system according to any one of claims 14 to 17, further comprising a log acquisition unit that acquires an operation log from the training device while the simulation execution unit is executing the simulation and the attack execution unit is executing the attack.
  19.  An environment providing method, wherein
    an environment setting unit sets, in a training device used for attack detection training, a training environment of the training device based on an environment setting request that requests setting of the training environment of the training device,
    a simulation execution unit causes the training device to execute simulation in accordance with a simulation procedure, and
    an attack execution unit executes, in accordance with an attack procedure, a cyber attack on the training device that is executing the simulation.
  20.  A program for causing execution of:
    an environment setting process of setting, in a training device used for attack detection training, a training environment of the training device based on an environment setting request that requests setting of the training environment of the training device;
    a simulation execution process of causing the training device to execute simulation in accordance with a simulation procedure; and
    an attack execution process of executing, in accordance with an attack procedure, a cyber attack on the training device that is executing the simulation.
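
As an added illustration of the file-based claims (extraction by operator identifier, anonymization of file names, inconsistency correction, and execution on generated simulation files), the sketch below is example code written for this page, not code from the patent or the applicant. The log format, the function names, the salt, and the definition of an inconsistency (an operation on a file that does not exist at that point of the extracted subset, corrected by inserting a create step) are all assumptions.

```python
import hashlib
import os
import tempfile

# Constructed operation history: (time, operator id, operation, file name).
HISTORY = [
    ("09:00", "u001", "create", "merger_plan.docx"),
    ("09:05", "u002", "create", "payroll.xlsx"),
    ("09:10", "u001", "write", "merger_plan.docx"),
    ("09:20", "u001", "read", "payroll.xlsx"),  # file was created by u002
    ("09:30", "u002", "delete", "payroll.xlsx"),
    ("09:40", "u001", "delete", "merger_plan.docx"),
]

def extract(history, operator_id):
    """Extraction condition: keep only the entries of one operator."""
    return [entry for entry in history if entry[1] == operator_id]

def anonymize(name, salt="training-salt"):
    """Map a confidential file name to a stable pseudonym, keeping the extension.
    The salt is a placeholder; a real deployment would keep it secret."""
    ext = os.path.splitext(name)[1]
    digest = hashlib.sha256((salt + name).encode()).hexdigest()[:8]
    return f"file_{digest}{ext}"

def generate_procedure(extracted):
    """Anonymize names and correct inconsistencies (assumed definition:
    an operation on a file that does not yet exist in the extracted subset)."""
    procedure, existing = [], set()
    for time, _operator, op, name in extracted:
        alias = anonymize(name)
        if op == "create" and alias in existing:
            continue  # a duplicate create would fail on replay
        if op != "create" and alias not in existing:
            procedure.append((time, "create", alias))  # inserted correction
        existing.add(alias)
        if op == "delete":
            existing.discard(alias)
        procedure.append((time, op, alias))
    return procedure

def execute(procedure, root):
    """Replay the procedure on simulation files under root; return leftover files."""
    for _time, op, alias in procedure:
        path = os.path.join(root, alias)
        if op == "create":
            open(path, "x").close()
        elif op == "write":
            with open(path, "a") as fh:
                fh.write("simulated content\n")
        elif op == "read":
            with open(path) as fh:
                fh.read()
        elif op == "delete":
            os.remove(path)
    return sorted(os.listdir(root))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        steps = generate_procedure(extract(HISTORY, "u001"))
        print(steps, execute(steps, tmp))
```

Replaying the extracted entries without the correction step fails at the 09:20 read, because the file it targets was created by an operator outside the extraction condition.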
PCT/JP2014/054417 2013-08-29 2014-02-25 Simulation device, information generation device, simulation method, simulation program, environment provision system, environment provision method, and program WO2015029464A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
PCT/JP2013/073200 WO2015029195A1 (en) 2013-08-29 2013-08-29 Simulation device, information generation device, simulation method, and simulation program
JPPCT/JP2013/073200 2013-08-29

Publications (1)

Publication Number Publication Date
WO2015029464A1 (en) 2015-03-05

Family

ID=52585811

Family Applications (2)

Application Number Title Priority Date Filing Date
PCT/JP2013/073200 WO2015029195A1 (en) 2013-08-29 2013-08-29 Simulation device, information generation device, simulation method, and simulation program
PCT/JP2014/054417 WO2015029464A1 (en) 2013-08-29 2014-02-25 Simulation device, information generation device, simulation method, simulation program, environment provision system, environment provision method, and program

Country Status (1)

Country Link
WO (2) WO2015029195A1 (en)

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6088804A (en) * 1998-01-12 2000-07-11 Motorola, Inc. Adaptive system and method for responding to computer network security attacks
JP2002229945A (en) * 2001-01-30 2002-08-16 Yokogawa Electric Corp Vulnerability examination system for computer system
JP2003108521A (en) * 2001-09-29 2003-04-11 Toshiba Corp Fragility evaluating program, method and system
US20130014264A1 (en) * 2005-01-27 2013-01-10 Scott Cruickshanks Kennedy Systems and Methods For Implementing and Scoring Computer Network Defense Exercises
JP2008117093A (en) * 2006-11-02 2008-05-22 Hitachi Ltd User operation recording/reproducing method and device
JP2012008853A (en) * 2010-06-25 2012-01-12 Hitachi Ltd Operation reproduction method of web application and system
JP2012190345A (en) * 2011-03-11 2012-10-04 Nec Corp Automatic log information collecting device and automatic log information collecting method

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2017126041A1 (en) * 2016-01-20 2017-07-27 三菱電機株式会社 Training device, training method, and training program
JPWO2017126041A1 (en) * 2016-01-20 2018-03-15 三菱電機株式会社 Training apparatus, training method, and training program
JP6420879B1 (en) * 2017-07-12 2018-11-07 韓國電子通信研究院Electronics and Telecommunications Research Institute Augmented reality-based cyber crisis response training providing apparatus and method
JP2019020702A (en) * 2017-07-12 2019-02-07 韓國電子通信研究院Electronics and Telecommunications Research Institute Cyber crisis corresponding training provision device and method for extension reality basis
US10417115B1 (en) 2018-04-27 2019-09-17 Amdocs Development Limited System, method, and computer program for performing production driven testing
CN109948275A (en) * 2019-03-28 2019-06-28 湘潭大学 A kind of crawler belt grouser structure optimization calculation method based on CFD-DEM coupling Simulation
JP2021093595A (en) * 2019-12-09 2021-06-17 富士通株式会社 Malware inspection support program, malware inspection support method and communication device
JP7446142B2 (en) 2020-03-31 2024-03-08 三菱電機株式会社 Cyber security audit system
WO2022003868A1 (en) * 2020-07-01 2022-01-06 日本電気株式会社 Log generation system, log generation method and computer readable medium
JPWO2022003868A1 (en) * 2020-07-01 2022-01-06
JP7421196B2 (en) 2020-07-01 2024-01-24 日本電気株式会社 Log generation system, log generation method, and log generation program

Also Published As

Publication number Publication date
WO2015029195A1 (en) 2015-03-05

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 14840954

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 EP: PCT application non-entry in European phase

Ref document number: 14840954

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP