WO2015072041A1

WO2015072041A1 - Security-measure training system and security-measure training method

Info

Publication number: WO2015072041A1
Application number: PCT/JP2013/081075
Authority: WO
Inventors: 信隆川口; 谷川　嘉伸
Original assignee: 株式会社日立製作所
Priority date: 2013-11-18
Filing date: 2013-11-18
Publication date: 2015-05-21

Abstract

The present invention relates to security-measure training in an enterprise network. A security-measure training system for executing computer security-measure training comprises: a scenario execution unit which, in accordance with a prescribed training scenario, sends a training e-mail containing a training program to a terminal which is the subject of the training; an observation unit which observes the behavior of the terminal with respect to the training e-mail containing the training program that has penetrated into the terminal on the basis of information indicating vulnerabilities; an analysis unit which determines, on the basis of the observation results, the terminal into which the training program has penetrated; a determination unit which determines an action to be taken with regard to the terminal into which the training program has penetrated; an execution unit which executes the determined action with respect to the terminal; and a feedback unit which feeds back to the terminal and to each unit the results of the training executed on the basis of the training scenario.

Description

Security countermeasure training system, security countermeasure training method

The present invention relates to security countermeasure training in an enterprise network.

In recent years, malicious malicious programs (malware) such as computer viruses, spyware, and bot programs that cause threats such as information leakage and unauthorized access are increasing. Furthermore, targeted attacks that use malware to persistently attack specific organizations are becoming a social problem.

As a result, organizations such as corporations and government offices need to be trained to prevent damage in advance, assuming that they are targets of cyber attacks such as targeted attacks. Patent Document 1 describes a system that automatically generates a training scenario for a cyber attack. Patent Document 2 describes a system that automatically generates a countermeasure manual for coping with an attack.

US2008 / 0183520A1 JP 2002-328894 A

However, Patent Document 1 does not have a function of feeding back a training result to a training target person or a security countermeasure device as a training target and making an improvement. In addition, Patent Document 2 has a function for an evacuee to revise a manual, but is performed by a human hand and is not automated.

In the present invention, training that simulates a cyber attack is performed in an enterprise network, and the training result is fed back to a training subject and a security countermeasure device, thereby improving the network security level.

In order to solve the above-described problems and achieve the object, a security countermeasure training system according to the present invention is a security countermeasure training system that executes training of a security countermeasure for a computer, and is a training target according to a predetermined training scenario. A scenario execution unit that transmits a training e-mail including a training program to the terminal; an observation unit that observes the behavior of the terminal with respect to the training e-mail including the training program that has entered the terminal based on information indicating vulnerability; and An analysis unit that identifies a terminal that has intruded into the training program based on the observation result; a determination unit that determines a treatment for the terminal that has intruded into the training program; and the determined treatment to the terminal An execution unit that executes the training, and a training result that is executed based on the training scenario. A feedback unit for feeding back the serial each unit, configured as a security measure training system comprising: a.

The present invention can also be grasped as a security countermeasure training method executed in the security countermeasure training system.

According to the present invention, in the enterprise network, it is possible to improve the security level of the network by performing security countermeasure training for general terminals and security countermeasure devices and feedback based on the training result.

It is a figure showing an outline of a training system. It is a figure which shows the phase and communication of a training system. It is a figure which shows the structure of scenario DB. It is a figure which shows the structure of observation setting DB. It is a figure which shows the structure of analysis setting DB. It is a figure which shows the structure of decision setting DB. It is a figure which shows the structure of execution setting DB. It is a figure which shows the structure of scan terminal DB. It is a figure which shows the structure of malware terminal DB. It is a figure which shows the structure of training DB. It is a figure which shows the flowchart of a process of a scenario execution part. It is a figure which shows the flowchart of a process of pseudo malware. It is a figure which shows the flowchart of a process of a general terminal training part. It is a figure which shows the flowchart of a process of an observation part. It is a figure which shows the flowchart of a process of an analysis part. It is a figure which shows the flowchart of a process of an observation part (modification example). It is a figure which shows the flowchart of the process of an analysis part (modification). It is a figure which shows the flowchart of a process of a determination part. It is a figure which shows the flowchart of a process of an execution part. It is a figure which shows the flowchart of the process of a determination part (modification). It is a figure which shows the flowchart of the process of an execution part (modification). It is a figure which shows the flowchart of a process of an observation training part. It is a figure which shows the flowchart of a process of an analysis training part. It is a figure which shows the flowchart of a process of a decision training part. It is a figure which shows the flowchart of a process of an execution training part. It is a figure which shows the flowchart of a process of a receiving part. It is a figure which shows the flowchart of a process of a feedback part.

Hereinafter, embodiments of the present invention will be described based on examples shown in the drawings. In this embodiment, the scenario execution device distributes the targeted attack mail to a general terminal in the organization network according to the scenario. Malware is attached to targeted attack emails. The general terminal is equipped with a function for monitoring the user's behavior in advance, and monitors whether the user has contacted the administrator to receive a suspicious email or whether an attached file has been opened. When the attached file is executed, malware starts and spreads throughout the organization network. The observation device installed in the organization network detects a terminal that performs suspicious communication, and the analysis device detects the presence of malware. The determination device determines a communication blocking range for suppressing malware, and the execution device blocks communication by any means. The training feedback device changes the frequency of security education for users based on the notification rate, attachment open rate, malware infection rate, time spent on malware extinction, and the parameters and behavior of each security countermeasure device. Make improvements. By repeating the training until the scenario training goal is met, the security of the organizational network can be improved.

(System configuration)
FIG. 1 is a diagram showing an outline of a training system configuration for carrying out the present invention. As elements constituting this system, communication network 100, scenario execution device 200, switch 300, switch 400, general terminal 500, general terminal 600, observation device 700, analysis device 800, determination device 900, execution device 1000, training feedback device There is 1100.
There are 600.

The communication network 100 may be a public network such as a WAN (World Area Network), a LAN (Local Area Network), a mobile phone, or a PHS. Communication between each device and the switch is performed via the communication network 100.

The scenario execution device 200 is a device for performing security training. The scenario execution device is a PC or server having a general configuration, and a general operating system and application are operating. The scenario execution device includes a scenario execution unit 210 and a scenario DB 220. The scenario execution unit 210 performs training such as transmission of targeted attack mail according to the contents of the scenario DB 220. In the scenario DB 220, training implementation contents and achievement targets are registered. The flow of the scenario execution unit 210 and the configuration of the scenario DB 220 will be described in detail later.

The switch 300 is a switch that functions in the layer 2 of the TCP / IP architecture, and connects the general terminal 500 and the communication network 100. By inputting a command to the switch 300, communication of the general terminal 500 can be cut off.

The switch 400 is a switch that functions in the layer 2 of the TCP / IP architecture, and connects the general terminal 600 and the communication network 100. By inputting a command to the switch 300, the communication of the general terminal 600 can be cut off.

The general terminal 500 is a terminal connected to the switch 300, and is a PC or server having a general configuration, and a general operating system and application are operating. A plurality of similar terminals such as a general terminal 501, a general terminal 502,..., A general terminal 599 are connected to the switch 300. The general terminal 500 includes a general terminal training unit 510, a pseudo vulnerability unit 520, and a mailer 530. The general terminal training unit 510 observes the behavior of the user during training and transmits it to the training feedback device 1100. In addition, user training is performed in response to feedback from the training feedback device 1100. The pseudo-vulnerability section 520 stores information indicating vulnerabilities including, for example, security holes and bugs, which are artificially created for training, and the pseudo-malware attached to the targeted attack email is infected. Used to enlarge. Mailer 530 is used to receive targeted attack mail. Details of the general terminal training unit 510 will be described later.

The general terminal 600 is a terminal connected to the switch 400, is a PC or server having a general configuration, and a general operating system and application are operating. The switch 400 is connected to a plurality of similar terminals such as a general terminal 601, a general terminal 602,. The general terminal 600 includes a general terminal training unit 610, a pseudo vulnerability unit 620, and a mailer 630, and is equivalent to the general terminal training unit 510, the pseudo vulnerability unit 520, and the mailer 530. Here, it is assumed that the general terminal 500 and the general terminal 600 are terminals that exist in different departments of the organization.

The observation apparatus 700 is a PC or server having a general configuration, and a general operating system and application are operating. The observation apparatus 700 includes an observation unit 710, an observation training unit 720, an observation setting DB 730, and a scan terminal DB 740. The observation unit 710 finds a terminal that performs an address scan (an act of indiscriminately trying to connect to another terminal by automatically generating an IP address from a random number). A terminal that has performed more than a certain number of address scans is regarded as an address scanner (a terminal that is malicious and may be intentionally performing address scans), and reports terminal information to the analyzer 840.

The observation training unit 720 changes the observation setting DB 730 according to the feedback from the training feedback device 1100. The observation setting DB 730 stores setting parameters used in the observation apparatus 700. The scan terminal DB 740 stores information on terminals that have performed address scanning. The flow of the observation unit 710 and the observation training unit 720 and the configuration of the observation setting DB 730 and the scan terminal DB 740 will be described in detail later.

The analysis apparatus 800 is a PC or server having a general configuration, and a general operating system and application are operating. The analysis device 800 includes an analysis unit 810, an analysis training unit 820, an analysis setting DB 830, and a malware terminal DB 840. The analysis unit 810 detects malware based on information obtained from the observation device 700. The analysis training unit 820 changes the analysis setting DB 830 according to feedback from the training feedback device 1100. The analysis setting DB 830 stores setting parameters used in the analysis device 800. The malware terminal DB 840 stores address scanner information. The flow of the analysis unit 810 and the analysis training unit 820 and the configuration of the analysis setting DB 830 and the malware terminal DB 840 will be described in detail later.

The determination apparatus 900 is a PC or server having a general configuration, and a general operating system and application are operating. The determination apparatus 900 includes a determination unit 910, a determination training unit 920, and a determination setting DB 930. The determination unit 910 determines a network range to be disconnected in order to suppress malware infection, and notifies the execution apparatus 1000. The decision training unit 920 changes the decision setting DB 930 in accordance with the feedback from the training feedback device 1100. The determination setting DB 930 stores determination patterns that the determination unit 910 can take. The flow of the determination unit 910 and the determination training unit 820 and the configuration of the determination setting DB 930 will be described in detail later.

The execution device 1000 is a PC or server having a general configuration, and a general operating system and application are operating. The execution apparatus 1000 includes an execution unit 1010, an execution training unit 1020, and an execution setting DB 1030. The execution unit 1010 disconnects the network according to the notification from the determination apparatus 900. The execution training unit 1020 changes the execution setting DB 1030 in accordance with feedback from the training feedback device 1100. The execution setting DB 1030 stores cutting methods that the execution unit 1010 can take. The flow of the execution unit 1010 and the execution training unit 1020 and the configuration of the execution setting DB 1030 will be described in detail later. Note that the observation apparatus 700, the analysis apparatus 800, the determination apparatus 900, and the execution apparatus 1000 may be physically realized on one apparatus.

The training feedback device 1100 is a PC or server having a general configuration, and a general operating system and application are operating. The training feedback device 1100 includes a receiving unit 1110, a feedback unit 1120, and a training DB 1130. The receiving unit 1110 receives various messages from other devices. The feedback unit 1120 determines feedback content based on the training result and notifies each device. The training DB 1130 includes training results and feedback contents. The flow of the receiving unit 1110 and the feedback unit 1120 and the configuration of the training DB 1130 will be described later.

Fig. 2 shows the two phases taken by the training system and the communication between the devices. The training system has a training phase and a feedback phase. During training, the training phase and the feedback phase are repeated. As a result, the security level of general terminals and security countermeasure devices is gradually improved. First, the contents of communication exchanged during the training phase will be described.

The training scenario C1 includes training content and achievement targets, and is transmitted from the scenario execution device 100 to the training feedback device 1100. The target type mail C2 is transmitted from the scenario execution device 100 to the general terminal 500 and the general terminal 600 during the training of the target type attack. A record of how the user handled the target mail C2 is transmitted from the general terminals 50 and 600 to the training feedback device 1100 as a user behavior record C3. When the general terminals 500 and 600 are infected with malware, the malware infection record C4 is transmitted to the training feedback device 1100. The pseudo malware C5 spreads infection between the general terminals 500 and 600 while performing address scanning.

The observation apparatus 700 transmits the address scanner information C6 including the IP address of the address scanner to the analysis apparatus 800. The analysis apparatus 800 transmits malware terminal information C7 including the IP address of the malware terminal and the like to the determination apparatus 900. The determination apparatus 900 transmits a disconnection command C8 including information on the network disconnection range to the execution apparatus 1000.

The execution apparatus 1000 transmits a disconnection request mail C9-1 or a disconnection request short message C9-2 in which a request to disconnect the terminal from the network is written to the general terminal 500 and the general terminal 600 according to the setting of the execution setting DB 1030. Then, a disconnect command C9-3 for disconnecting the terminal from the network is transmitted to the

switches

300 and 400. During one training phase, messages C2 to C9-3 are sent repeatedly.

For example, every time the infection spreads, the pseudo malware C5 is transmitted. The address scanner information C6 is transmitted every time a new address scanner is discovered. Next, communication contents exchanged in the feedback phase will be described. All communication takes place from the training feedback device 1100.

General terminal feedback C10 is a message indicating the frequency of security education for general users, and is transmitted to the general terminals 500 and 600. The observation device feedback C11 is a message regarding the threshold setting change of the observation device 700. The analyzer feedback C12 is a message related to the threshold setting change of the analyzer 800.

The determination device feedback C13 is a message regarding a change in the behavior pattern of the determination device 900. The execution device feedback C14 is a message related to a change in the behavior pattern of the execution device 1000. The training result C15 is a message indicating the degree of achievement of training, and is transmitted to the scenario execution device 100.
(Various tables)
FIG. 3 shows the scenario DB 220 in the scenario execution device 200. Each record manages training contents and training targets. The scenario ID 221 is used to uniquely identify each record in the scenario DB 220. The training content 222 indicates specific training content. The training target 223 indicates a target that the training should satisfy.

In the example of FIG. 3, the training content 222 of the record with the scenario ID 221 “scenario 1” is “send a targeted attack email including pseudo malware to all users”. Further, the training target 223 is “malware infection rate of 10 minutes or less, rate of user executing attached file: 5% or less, notification rate to administrator: 50% or more”. The malware infection rate means the proportion of general terminals that are finally infected with malware.

Here, in order to simply lower the malware infection rate below the target, the sensitivity of the observation device 700 or the analysis device 800 may be made extremely high (the threshold value may be set to a very low value). In this case, however, a large amount of false detection occurs. For this reason, the sensitivity of the observation apparatus 700 and the analysis apparatus 800 is lowered, and the sensitivity is adjusted through training. On the other hand, as a reverse method, the sensitivity of the observation apparatus 700 or the analysis apparatus 800 is initially made extremely low (threshold is set very high), and the sensitivity is increased through training (the threshold is lowered). It may be taken.

The percentage of users who executed the attached file means the percentage of users who actually executed the attached file among the users who received the targeted attack mail. The notification rate to the administrator means the proportion of users who have reported to the network administrator among the users who have received the targeted attack mail.

4A to 4D show an observation setting DB 730 of the observation apparatus 700, an analysis setting DB 830 of the analysis apparatus 800, a determination setting DB 930 of the determination apparatus 900, and an execution setting DB 1030 of the execution apparatus 1000.
FIG. 4A shows the observation setting DB 730 of the observation apparatus 700. Each record indicates a setting parameter and its value. A parameter 731 indicates a parameter name. A value 732 indicates a parameter value corresponding to the parameter 731. In the example of FIG. 4A, the value 732 of the record whose parameter 731 is “observation threshold” is “30”. This means that a terminal whose observed address scan count exceeds 30 is recognized as an address scanner.

FIG. 4B shows the analysis setting DB 830 of the analyzer 800. Each record indicates a setting parameter and its value. A parameter 831 indicates a parameter name.
A value 832 indicates a parameter value corresponding to the parameter 831. In the example of FIG. 4B, the value 832 of the record whose parameter 831 is “analysis threshold” is “6”. This means that when the number of address scanners is 6 or more, it is determined that malware has occurred.

FIG. 4C shows the determination setting DB 930 of the determination device 900. Each record indicates a strategy for stopping the spread of malware infection and whether or not the strategy is selected. A strategy 931 indicates a strategy such as what policy is used to disconnect the malware-infected terminal from the network. A selection 932 indicates which strategy 931 is selected. The determination unit 910 sets the strategy 931 selected in the selection 932 as the disconnection range from the network. In the example of FIG. 4C, the strategy 931 has a record of “disconnecting the disconnected PC”, a record of “disconnecting the network of the infected PC”, and three types of records “disconnecting the network of the same department as the infected PC”. Is registered. Since the selection 932 of the record whose strategy 931 is “disconnect infected PC” is selected as “◯”, the determination unit 910 determines this strategy 931.

FIG. 4D shows the execution setting DB 1030 of the execution apparatus 1000. Each record indicates how to execute the strategy determined by the determination unit 930. The execution method 1031 shows how the malware-infected terminal is disconnected from the network. The selection 1032 indicates which execution method 1031 is selected. The execution unit 1010 executes the execution method 1031 selected in the selection 1032. In the example of FIG. 4D, three types of records are registered: a record whose execution method 1031 is “Distribute disconnect request mail”, a record “Distribute disconnect request short message”, and “Distribute disconnect command”. ing. Since the selection 1032 of the record whose execution method 1031 is “Distribute disconnect command” is selected as “◯”, the execution unit 1010 executes this execution method 1031. Since the disconnection request short message is directly displayed on the display of the general terminals 500 and 600, it is assumed that the user can be noticed earlier than the disconnection request mail.

5A and 5B show the scan terminal DB 740 of the observation apparatus 700 and the malware terminal DB 840 of the analysis apparatus 800. FIG. 5A shows the scan terminal DB 740 of the observation apparatus 700. The scan terminal DB 740 holds the number of address scans of each terminal observed by the observation unit 710. A scan terminal 741 indicates a terminal that has performed a scan, and a scan number 742 indicates the number of times. In the example of FIG. 5A, five records are recorded. The scan number 742 of the record whose scan terminal 741 is “terminal 503” is “32”, the scan number 742 of the record whose scan terminal 741 is “terminal 501” is “30”, and the record whose scan terminal 741 is “terminal 505” The scan number 742 is “50”, the scan number 742 of the record whose scan terminal 741 is “terminal 504” is “32”, and the scan number 742 of the record whose scan terminal 741 is “terminal 506” is “34”. ing. The number of scans 742 of the record whose scan terminal 741 is “terminal 509” is “32”.

FIG. 5B shows the malware terminal DB 840 of the analysis device 800. A record of the address scanner 841 is recorded in the malware terminal DB 840. In FIG. 5B, “terminal 503”, “terminal 501”, “terminal 505”, “terminal 504”, “terminal 506”, and “terminal 509” are recorded.

FIG. 6 shows the training DB 1130 of the training feedback device 1100. In the training DB 1130, information regarding the training result and feedback based on the training result is recorded. The number of exercises 1131 indicates the number of exercises. The training result 1132 shows each training result, and includes an infection rate 1134, an attached file open rate 1135, and a notification rate 1136. The infection rate 1134 indicates the ratio of terminals infected with pseudo malware among the general terminals 500 and 600. The attached file open rate 1135 indicates the proportion of users who executed the attached file among the users who received the targeted attack mail. The report rate 1136 indicates the ratio of users who have reported to the management department among the users who have received the targeted attack mail.

The feedback 1133 indicates the feedback content in each training, and includes an observation threshold change 1137, an analysis threshold change 1138, a strategy change 1139, an execution method change 1140, and a user education frequency change 1141. The observation threshold change 1137 indicates the degree to which the observation threshold in the observation setting DB 730 is changed. The analysis threshold change 1138 indicates the degree to which the analysis threshold of the analysis setting DB 830 is changed. The strategy change 1139 indicates a change in the selection of the strategy 931 in the decision setting DB 930. An execution method change 1140 indicates a change in the execution method 1031 of the execution setting DB 1030. The user education frequency 1141 indicates the frequency with which security education is performed on the general terminals 500 and 600 for the user.

In the example shown in FIG. 6, a total of three training records are recorded. In the record in which the number of exercises 1131 is “first”, the infection rate 1134 is “25%”, the attached file open rate 1135 is “20%”, and the notification rate 1136 is “20%”. As feedback, the observation threshold change 1137 is “−15”, the analysis threshold change 1138 is “−3”, the strategy change 1139 is “disconnect the network of the infected PC”, and the execution method 1140 is “Distribute disconnect request short message” “User education frequency change 1141 is“ once a week ”.

Similarly, in the record in which the number of exercises 1131 is “second”, the infection rate 1134 is “20%”, the attached file open rate 1135 is “10%”, and the notification rate 1136 is “40%”. As feedback, the observation threshold change 1137 is “−5”, the analysis threshold change 1138 is “−1”, the strategy change 1139 is “disconnect the network of the same department as the infected PC”, and the execution method 1140 is “command to switch "Send" user education frequency change 1142 becomes "once every two weeks". Similarly, in the record in which the number of exercises 1131 is “third”, the infection rate 1134 is “10%”, the attached file open rate 1135 is “5%”, and the notification rate 1136 is “50%”. In this case, since the training target 223 of the record in the scenario DB 220 where scenario ID 221 = scenario 1 is achieved, no feedback is performed. A specific feedback determination method will be described later.

FIG. 7 is a flowchart showing processing in the scenario execution unit 210 of the scenario execution apparatus 200.
In process S2001, the scenario execution unit 210 of the scenario execution apparatus 200 accepts selection of a scenario used for training from the scenario DB 220. The item to be selected may be an item at the beginning of the scenario DB 220, an item selected at random, or may be designated by a training practitioner. The selected scenario is transmitted to the training feedback device 1100 as a training scenario C1.

In process S2002, the scenario execution unit 210 executes the training content 222 of the selected scenario. In the example of FIG. 3, a mail with pseudo malware attached is transmitted to the user using the general terminals 500 and 600 as the target mail C2. In process S2003, the scenario execution unit 210 receives the training result C15 from the training feedback device 1100.

In process S2004, the scenario execution unit 210 completes the training when it is confirmed from the training result C15 that the training target 223 has been achieved. When the training target 223 is not achieved, the process waits for a certain period (for example, several days, weeks, months) in the process S2005. Then, it transfers to process S2002 and implements retraining.

FIG. 8 is a flowchart showing pseudo malware processing.

In the process S2101, the pseudo-malware activated from the attached mail performs an address scan on the communication network 100. In the process S2102, the pseudo malware finds the general terminal 500 or 600 as an infection target as a result of the address scan.

In process S2103, the pseudo-malware that has found the target of infection enters the general terminal 500 or 600 using information indicating the vulnerability stored in the pseudo-vulnerability unit 520 (or the pseudo-vulnerability unit 620). The pseudo-malware that has succeeded in the intrusion executes the process S2101 again to expand the infection.

FIG. 9 is a flowchart showing processing of the general

terminal training units

510 and 610 of the general terminals 500 and 600.

In process S2201, the general

terminal training units

510 and 610 observe how the user handles the target mail C1 received from the scenario execution device 100. Specifically, whether to notify the administrator or execute the attached file is observed.

In process S2202, the observed user behavior is transmitted to the training feedback device 1100 as a user behavior record C3. In process S2203, when it is confirmed that the pseudo malware is infected, the process proceeds to process S2204. In process S2204, the pseudo malware infection is transmitted to the training feedback apparatus 1100 as the malware infection record C4.

In process S2205, general terminal feedback C15 is received from the training feedback device 1110. In process S2206, user education is performed according to the frequency described in the general terminal feedback C15. For example, educational materials that raise security awareness are automatically executed at regular intervals.

10A and 10B are flowcharts showing processing of the observation unit 710 of the observation device 700 and the analysis unit 810 of the analysis device 800. FIG. 10A shows processing of the observation unit 710 of the observation apparatus 700.

In process S2301, the observation unit 710 observes an IP packet flowing through the communication network 100 and finds a scan packet. For example, an IP packet addressed to an IP address not assigned to any terminal is a scan packet. In the process S2302, the observation unit 710 registers the terminal that transmits the scan packet found in the process S2301 in the scan terminal DB 741, and sets 1 to the scan number 742. When the transmission terminal is already registered as the scan terminal 741, the scan number 742 is incremented by "+1".

In process S2303, the observation unit 710 checks whether there is a terminal whose scan count 742 exceeds the parameter 731 = the observation threshold value 732, and if there is, in step S2304, determines that the terminal is an address scanner. The address scanner information C6 is transmitted to the analyzer 800. In the examples of FIGS. 4A and 5A, the terminals 503, 501, 505, 504, 506, and 509 are all determined as address scanners because the number of scans 742 exceeds 30, which is the observation threshold value. Will be sent.

In this embodiment, the observation unit 710 automatically sends the address scanner information C6 to the analyzer 800 when it is confirmed that there is a terminal whose scan number 742 exceeds the parameter 731 = the observation threshold value 732. For example, as shown in FIG. 10C, the observation unit 710 displays a terminal exceeding the number of terminals and the threshold on a display device (not shown) of the observation device 700, and the operator confirms the contents. After that, the address scanner information C6 may be transmitted again, and the address scanner information C6 may be transmitted when the observation unit 710 receives the instruction. In this case, since the operator confirms the address scanner information C6, the terminal serving as the address scanner can be specified at this stage. Further, the address scanner information C6 can be reliably transmitted to the terminal serving as the address scanner.

FIG. 10B shows processing of the analysis unit 810 of the analysis apparatus 800.

In process S2401, the analysis unit 810 receives the address scanner information C6 from the observation device 700. In process S2402, the analysis unit 810 registers the received address scanner in the malware terminal DB 840.

In process S2403, the analysis unit 810 checks whether or not the number of registered address scanners exceeds the parameter 831 = analysis threshold value 832, and if so, in step S2404, determines the malware terminal information C7 in the determination device 900. Send to. The malware terminal information C7 includes identifiers (for example, IP addresses) of all address scanners. In the example of FIGS. 4B and 5B, the number of scanners registered in the malware terminal DB 840 is 6 or more which is the analysis threshold value, and thus the malware terminal information C7 is transmitted.

In this embodiment, the analysis unit 810 automatically transmits the malware terminal information C7 to the determination device 900 when it is confirmed that the number of registered address scanners exceeds the parameter 831 = the analysis threshold value 832. However, for example, as shown in FIG. 10D, the analysis unit 810 displays a terminal exceeding the number of terminals and the threshold value on a display device (not shown) of the analysis device 800, and the operator confirms the contents. Then, the malware terminal information C7 may be transmitted again, and the malware terminal information C7 may be transmitted by the analysis unit 810 receiving the instruction. In this case, since the operator confirms the malware terminal information C7, the terminal that is the malware terminal at this stage can be specified. Further, the malware terminal information C7 can be reliably transmitted to the terminal serving as the address scanner.

FIGS. 11A and 11B are flowcharts illustrating processing of the determination unit 910 of the determination device 900 and the execution unit 1010 of the execution device 1000. FIG.

FIG. 11A is a flowchart showing processing of the determination unit 910 of the determination apparatus 900. In process S2501, the determination unit 910 receives malware terminal information C7 from the analysis device 800. In process S2502, the determination unit 910 determines the cutting range based on the determination setting DB 930.

In process S2503, the determination unit 910 transmits a cutting command C8 according to the cutting range determined in process S2502. The disconnection command C8 describes a general terminal or network to be disconnected. In the example of FIGS. 5B and 4C, a disconnection instruction C8 is transmitted, which indicates that “terminals 503, 501, 505, 504, 506, and 509 are disconnected from the network”.

In the present embodiment, the determination unit 910 automatically transmits the disconnection command C8 according to the determined cutting range. For example, as illustrated in FIG. 11C, the determination unit 910 determines the determined cutting range. The range is displayed on a display device (not shown) of the determination device 900, and after the operator confirms the contents, the transmission command for the cutting command C8 is given again, and the determination unit 910 transmits the cutting command C8 by receiving the command. May be. In this case, since the operator confirms the cutting range, the cutting range can be specified at this stage. In addition, the disconnection command can be reliably transmitted to the target terminal.

FIG. 11B is a flowchart showing processing of the execution unit 1010 of the execution apparatus 1000.

In process S2601, the execution unit 1010 receives a disconnection command C8 from the determination device 900. In process S2602, the execution unit 1010 determines a cutting execution method based on the execution setting DB 1030.

In process S2603, the execution unit 1010 actually executes the cutting process according to the execution method determined in process S2602. In the example of FIGS. 5B, 4C, and 4D, the disconnection request mail C9-1 is transmitted to the terminals 503, 501, 505, 504, 506, and 509.

In the present embodiment, the execution unit 1010 automatically performs the disconnection according to the determined execution method. However, for example, as illustrated in FIG. 11D, the execution unit 1010 displays a confirmation screen before performing the disconnection. May be displayed on a display device (not shown) of the execution apparatus 1000, and after the operator confirms the contents, a cutting execution instruction is given again, and the execution unit 1010 receives the instruction to execute the cutting. In this case, since the operator confirms the disconnection before executing the disconnection, the disconnection to the target terminal can be surely performed.

FIG. 12 shows a flowchart of processing of the observation training unit 720 of the observation device 700, the analysis training unit 820 of the analysis device 800, the determination training unit 920 of the determination device 900, and the execution training unit 1020 of the execution device 1000.

FIG. 12A is a flowchart showing processing of the observation training unit 720 of the observation apparatus 700.

In process S2701, the observation training unit 720 receives the observation device feedback C11 from the training feedback device 1100. In process S2702, the observation training unit 720 changes the observation threshold according to the received observation device feedback C11. A specific modification will be described with reference to FIG.

FIG. 12B is a flowchart showing the processing of the analysis training unit 820 of the analyzer 800.

In process S2801, the analysis training unit 820 receives the analysis device feedback C12 from the training feedback device 1100. In process S2802, the analysis training unit 820 changes the analysis threshold according to the received analyzer feedback C12. A specific modification will be described with reference to FIG.

FIG. 12C is a flowchart showing the processing of the decision training unit 920 of the decision device 900.

In process S2901, the decision training unit 920 receives the decision device feedback C13 from the training feedback device 1100. In the process S2902, the decision training unit 920 changes the strategy 931 indicated by the selection 932 in the decision setting DB 930 according to the received analyzer feedback C12. A specific modification will be described with reference to FIG.

FIG. 12D is a flowchart showing processing of the execution training unit 1020 of the execution apparatus 1000.

In process S3001, the execution training unit 1020 receives the execution device feedback C14 from the training feedback device 1100. In process S3002, the execution training unit 1020 changes the execution method 1031 indicated by the selection 1032 in the execution setting DB 1030 in accordance with the received execution device feedback C12. A specific modification will be described with reference to FIG.

FIG. 13 is a flowchart showing the processing of the receiving unit 1110 of the training feedback device 1100.

In process S3101, the receiving unit 1110 receives the training scenario C1 from the scenario execution device 100 and stores it. Training scenario C1 is used to determine whether training has achieved a training goal. In process S3102, the receiving unit 1110 receives the user behavior record C3 and the malware infection record C4. The infection rate 1134, attached file open rate 1136, and notification rate 1137 in the training DB 1130 are updated according to the reception result.

In process S3203, if the receiving unit 1110 does not receive the malware infection record C4 for a certain time (for example, 10 minutes), it determines that the spread of malware infection has stopped. In process S3204, the receiving unit 1110 activates the feedback unit 1120 and passes the training scenario C1. When the process of the feedback unit 1120 ends, the process returns to the process S3101 again and waits for the reception of the training scenario C1.

FIG. 14 is a flowchart showing the processing of the feedback unit 1120 of the training feedback device 1100.

In process S3201, the feedback unit 1120 compares the training result 1132 with the achievement target of the training scenario C1, and evaluates the result of the training. As a result, if the training has achieved the goal, the process proceeds to process S3214.

When the training has not achieved the target, the feedback unit 1120 determines whether or not this training is the first training in the process S3202, and in the case of the first training, the feedback unit 1120 proceeds to the processing S3202 for the second and subsequent trainings. In the case of training, the process proceeds to process S3207.

Processes S3203 to 3206 are feedback processes for the first training. In process S3203, the feedback unit 1120 determines whether the attached file open rate 1136 or the notification rate 1136 is lower than the achievement target. If low, the process proceeds to process S3204, and if higher, the process proceeds to process S3205. To do. In the process S3204, the feedback unit 1120 records the default user education frequency registered in the feedback unit 1120 in the user education frequency change 1141 in advance.

In process S3205, the feedback unit 1120 determines whether or not the infection rate 1134 is higher than the achievement target. If it is higher, the process proceeds to process S3206, and if lower, the process proceeds to process S3210. In process S3206, the feedback unit 1120 records the default observation threshold change and analysis threshold change registered in advance in the feedback unit 1120 in the observation threshold change 1137 and the analysis threshold change 1138.

Processes S3207 to 3209 are feedback processes for the second and subsequent training. In these processes, the feedback unit 1120 affects the influence of the n-1th feedback on the nth training (the difference between the nth training and the n-1th training, that is, the difference between the current training and the previous training). ) To obtain the feedback necessary to achieve the goal during the n + 1 training.

In processing S3207, the feedback unit 1120 changes the nth observation threshold value = n-1th observation threshold value change / (nth infection rate−n-1th infection rate) × (nth infection rate−target infection rate). Obtained and recorded in the observation threshold change 1137.

In process S3208, the feedback unit 1120 changes the nth analysis threshold value = n-1th analysis threshold value change / (nth infection rate−n-1th infection rate) × (nth infection rate−target infection rate). Obtained and recorded in analysis threshold change 1138.

In process S3209, the feedback unit 1120 changes the nth user education frequency change = n-1th education frequency change × (n-1th attached file open rate−nth attached file open rate + nth notification rate−n−1. Second report rate) / (nth attached file open rate−target attached file open rate + target report rate−nth report rate) is obtained and recorded in the user education frequency change 1141.

Process S3210 to process S3214 are feedback processes for all training that does not achieve the goal. In process S3210, the feedback unit 1120 determines whether or not the infection rate is higher than the target. If the infection rate is higher, the process proceeds to process S3211; otherwise, the process proceeds to process S3213.

In process S3211, the feedback unit 1120 determines a feedback process for setting the cutting range wider than the current state in the strategy of the determination apparatus 900, and records it in the strategy method 1139. In the process S3212, the feedback unit 1120 determines a feedback process for performing an execution method stronger than the current execution method in the execution method of the execution apparatus 1000, and records it in the execution method change 1141.

In the process S3213, the feedback unit 1120 changes the items described in the observation threshold change 1137, the analysis value threshold change 1138, the strategy change 1139, the execution method change 1140, and the user education frequency change 1141 to the observation device feedback C11 and the analysis device feedback. C12, determination device feedback C13, execution device feedback C14, and general terminal feedback C10. In the process S3214, the feedback unit 1120 transmits a training result C15 indicating whether or not the training has achieved the training target to the scenario execution apparatus 100.

The processing of the feedback unit 1120 will be described using the training DB 1130 in FIG. 6 as an example.

In the first training, the infection rate was 1134 = 30%, the attached file open rate was 1135 = 20%, and the notification rate was 1136 = 20%. For this reason, the default user education frequency change 1141 = “once a week” is selected by the process S3204. Also, by the process S3206, the observation threshold value change 1137 and the analysis threshold value change 1138, which are default values “−15” and “−3”, are selected. Also, by the process S3211, the strategy change 1139 selects “disconnect network of infected terminal”, which is wider than the current “disconnect only infected terminal”. Similarly, in process S3212, execution method change 1140 selects “Distribute disconnect request short message”, which is a one-step stronger execution method than the current “Distribute disconnect request mail”. The selected feedback is transmitted to each security countermeasure device in S3213.

In the second training, the infection rate was 1134 = 15%, the attached file open rate was 1135 = 10%, and the notification rate was 1136 = 40%. For this reason, the default user education frequency change 1141 = “once every two weeks = 1 × (20−10 + 40−20) ÷ (10−5 + 50−40)” is selected by the processing S3209. In addition, the observation threshold change 1137 is set to “−5 = −15 / (30−15) × (15−10)” by the process S3207. Also, by the process S3208, “−1 = −3 / (30−15) × (15−10)” is selected as the analysis threshold value change 1138. Also, by the process S3211, the strategy change 1139 selects “disconnect the network of the same department as the infected terminal”, which is wider than the current “disconnect only infected terminal”. Similarly, in step S3212, execution method change 1140 selects “send disconnect command”, which is an execution method that is one step stronger than the current “deliver disconnect request mail”. The selected feedback is transmitted to each security countermeasure device in S3213.

In the third training, since the training target has been achieved, the process S3213 is not executed and no feedback is transmitted.

As described above, the security countermeasure training system in the present embodiment includes a scenario execution device that executes various training scenarios, a general terminal that is a training target, an observation device that is a security countermeasure device, an analysis device, a determination device, an execution device, and It consists of a training feedback device that evaluates the training results and gives feedback to the general terminal and the security countermeasure device. The observation device, analysis device, decision device, and execution device cooperate to detect and suppress malware that has spread throughout the network. Based on the training result, the feedback device instructs the general terminal about the frequency of user education, and adjusts the parameters of each security countermeasure device and changes the behavior pattern. By repeatedly executing the training by this system, it is possible to realize that the general terminal and the security countermeasure device satisfy the goal of the training scenario.

DESCRIPTION OF SYMBOLS 100 ... Communication network, 200 ... Scenario execution apparatus, 300 ... Switch, 400 ... Switch, 500 ... General terminal, 600 ... General terminal, 700 ... Observation apparatus, 800 * ..Analysis device, 900... Decision device, 1000... Execution device, 1100.

Claims

A security countermeasure training system for executing training of computer security countermeasures,
A scenario execution unit that transmits a training email including a training program to a terminal to be trained according to a predetermined training scenario;
An observation unit for observing the behavior of the terminal with respect to a training email including the training program that has entered the terminal based on information indicating vulnerability;
An analysis unit that identifies a terminal invaded by the training program based on the observation result;
A determination unit for determining a treatment for a terminal invaded by the training program;
An execution unit that executes the determined action on the terminal;
A feedback unit that feeds back a training result executed based on the training scenario to the terminal and the units;
A security countermeasure training system characterized by comprising:
Each unit repeatedly executes the training program until the training goal defined by the predetermined training scenario is achieved,
The feedback unit feeds back the training result until a training goal defined by the predetermined training scenario is achieved.
The security countermeasure training system according to claim 1, wherein:
The feedback unit feeds back the current training result based on the training result fed back last time.
The security countermeasure training system according to claim 1, wherein:
The training program is malware, the analysis unit identifies a terminal infected with malware based on the result of the observation, and the determination unit determines a countermeasure for suppressing malware infection as the treatment. ,
The security countermeasure training system according to claim 1, wherein:
The observation unit observes the number of address scans and the number of address scanners by the training program,
The feedback unit changes a threshold value of the number of address scans and a threshold value of the number of address scanners observed by the observation unit in the feedback.
The security countermeasure training system according to claim 1, wherein:
The observation unit observes the number of address scans and the number of address scanners by the training program,
The feedback unit changes the execution method of the treatment in the feedback.
The security countermeasure training system according to claim 1, wherein:
A security countermeasure training method for executing computer security countermeasure training,
A scenario execution step of sending a training email including a training program to a terminal to be trained according to a predetermined training scenario;
An observation step of observing the behavior of the terminal with respect to a training email including the training program that has entered the terminal based on information indicating vulnerability;
An analysis step of identifying a terminal invaded by the training program based on the observation result;
A determining step for determining a treatment for a terminal that has been infiltrated into the training program;
An execution step of performing the determined action on the terminal;
A feedback step of feeding back a training result executed based on the training scenario to the terminal and the units;
A security countermeasure training method characterized by including:
Each step repeatedly executes the training program until a training goal defined by the predetermined training scenario is achieved;
The feedback step feeds back the training result until the training goal defined by the predetermined training scenario is achieved;
The security countermeasure training method according to claim 7, wherein:
The feedback step feeds back the current training result based on the training result fed back last time.
The security countermeasure training method according to claim 7, wherein:
The training program is malware, and the analysis step specifies a terminal infected with the malware based on the result of the observation, and the determination step determines a measure for suppressing malware infection as the treatment. ,
The security countermeasure training method according to claim 7, wherein:
The observation step observes the number of address scans and the number of address scanners by the training program,
The feedback step changes a threshold value for the number of address scans and a threshold value for the number of address scanners observed by the observation unit in the feedback.
The security countermeasure training method according to claim 7, wherein:
The observation step observes the number of address scans and the number of address scanners by the training program,
The feedback step changes the execution method of the treatment in the feedback.
The security countermeasure training method according to claim 7, wherein: