WO2016111079A1 - Log collection system and log collection method - Google Patents

Log collection system and log collection method

Info

Publication number
WO2016111079A1
Authority
WO
WIPO (PCT)
Prior art keywords
log
dummy
communication packet
management server
information processing
Prior art date
Application number
PCT/JP2015/081204
Other languages
English (en)
Japanese (ja)
Inventor
博隆 吉田
信 萱島
大和田 徹
宏樹 内山
Original Assignee
株式会社日立製作所
Application filed by 株式会社日立製作所
Publication of WO2016111079A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3226 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using a predetermined code, e.g. password, passphrase or PIN
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0894 Escrow, recovery or storing of secret information, e.g. secret key escrow or cryptographic key storage

Definitions

  • The present invention relates to a log collection system and a log collection method, and specifically to a technique that enables secure log collection while appropriately avoiding an increase in load on a control device and a network.
  • Control systems that support social infrastructure such as railways, electricity, water and gas operate predetermined mechanisms such as valves and actuators based on sensor measurement information and the like, and are required to perform control operations such as maintaining pressures and temperatures set in advance. This series of control processes is performed by a control device including a control controller in the control system.
  • Control systems have been built on closed networks using dedicated OSs and protocols, so, unlike information systems that were opened up and networked at an early stage, they were not considered susceptible to security threats such as virus attacks; it was thought that no damage would occur even if they were exposed or attacked.
  • One threat to a control device is that another device connected to the Ethernet (registered trademark) intentionally transmits a large number of packets to the communication driver of the control device, thereby distorting the communication cycle and the operation timing of application tasks.
  • As a countermeasure against such a threat, the operation state and security state of the control controller can be monitored and the various logs obtained by this monitoring provided to the user as audit data. To realize this countermeasure, the control device needs to generate logs that record events related to its operating state and security state.
  • However, a control device is subject to the restriction that a large part of its computing resources (CPU or memory) is occupied by control work under operating conditions in which short-cycle control processing is executed frequently, so it has been difficult to execute log generation and log accumulation together. It is therefore necessary for the control device to only generate and transmit logs, and for the log management server to accumulate and analyze them.
  • The communication path is, for example, a control LAN.
  • A log acquisition system (see Patent Document 1) has been proposed that includes a log collection terminal, which stores a common key shared with a log acquisition terminal in a hardware security module and encrypts and stores the collected log data using that common key, and a log acquisition terminal, which likewise stores the common key in a hardware security module, obtains the encrypted log data from the log collection terminal and decrypts it using the common key. According to this prior art, the communication log can be encrypted and protected, leakage of log data through unauthorized acquisition of the encryption key can be prevented, and falsification of the log information can be prevented so that correct log information can be referenced.
  • An object of the present invention is therefore to provide a technique that enables secure log collection while appropriately avoiding an increase in load on a control device and a network.
  • To that end, the log collection system of the present invention includes an information processing apparatus that determines, based on a predetermined rule, whether to transmit a genuine or a dummy log and transmits a communication packet including the determined log to a log management server, and a log management server that receives the communication packet from the information processing apparatus, verifies, based on the predetermined rule shared with the information processing apparatus, whether the log included in the communication packet is a genuine log or a dummy log, and collects the genuine log.
  • In the log collection method of the present invention, the information processing apparatus determines, based on a predetermined rule, whether to transmit a genuine or a dummy log, and transmits a communication packet including the determined log to the log management server.
  • The log management server receives the communication packet from the information processing apparatus, verifies, based on the predetermined rule shared with the information processing apparatus, whether the log included in the communication packet is an authentic log or a dummy log, and collects the genuine log.
  • In this way, secure log collection is possible while appropriately avoiding an increase in load on the control device and the network.
  • Encryption processing for each communication packet is not required; instead, low-load and secure processing is achieved by using a log authentication table prepared in advance, at a timing when a load is unlikely to be placed on the control device and the network.
  • FIG. 1 is a diagram illustrating a configuration example of a log collection system 100 according to the present embodiment.
  • The log collection system 100 illustrated in FIG. 1 is a computer system that enables secure log collection while appropriately avoiding an increase in load on a control device and a network.
  • The log collection system 100 includes control devices 110 and 130 that generate and transmit communication packets including logs in infrastructure facilities and the like, a log management server 140 that receives the communication packets including logs from the control devices 110 and 130 and collects the logs, and a network 190 that connects the control devices 110 and 130 to the log management server 140.
  • FIG. 1 illustrates a configuration in which two control devices 110 and 130 can communicate with the log management server 140 via the network 190, but the number of control devices is not limited to this; the number shown in FIG. 1 is only an example. When it is not particularly necessary to distinguish between them, the following description refers to the control device 110.
  • The control device 110 in the log collection system 100 operates a predetermined mechanism such as a valve or an actuator based on measurement information from a sensor installed in an infrastructure facility or the like, and a preset pressure.
  • The control device 130 has the same configuration.
  • Each unit mentioned above is a function implemented by executing a program with which the control device 110 is provided. The same applies to the log management server 140.
  • The communication unit 111 transmits the communication packet generated by the communication packet generation unit 112 to the log management server 140 via the network 190. The communication packet generation unit 112 generates a communication packet that selectively includes a genuine or a dummy log together with an index (data for verification), based on the log authentication table 900. The log transmission control unit 113 controls, based on the log authentication table 900 (the predetermined rule), whether a communication packet including an authentic log or one including a dummy log is transmitted. The authentic log storage unit 115 stores the (authentic) logs generated by the control device 110 from the sensor measurement information described above (e.g. temperature and pressure of a predetermined part). The log authentication table storage unit 116 stores the log authentication table 900 (described later with reference to FIG. 7), which is provided by the log management server 140 and shared with it.
  • The log management server 140 is a server device that communicates with the control device 110 and the like via the network 190, as described above, to share the log authentication table 900 and to execute log collection processing. It comprises an encryption / decryption processing unit 141, a log authentication table generation unit 142, a communication packet verification unit 143, a log analysis unit 148, a log storage unit 144, a key information storage unit 145, a log authentication table storage unit 146, and a communication unit 147.
  • The communication unit 147 described above receives the communication packets described above from the control device 110 and the like via the network 190.
  • The encryption / decryption processing unit 141 performs cryptographic processing such as generating random numbers with a random number generation function and decrypting data with a secret key or the like.
  • The log authentication table generation unit 142 generates dummy logs using the log analysis result output by the log analysis unit 148 (for example, the log analysis result obtained from the control device 110 during trial operation of the log collection system), and then generates the log authentication table 900.
  • The communication packet verification unit 143 verifies, using the index and the log authentication table 900, whether the log included in a communication packet received from the control device 110 is genuine or dummy.
  • The log analysis unit 148 analyzes the logs included in the communication packets received from the control device 110.
  • The log storage unit 144 stores the log data that the communication packet verification unit 143 has verified from the communication packets received from the control device 110 and determined to be genuine logs.
  • The key information storage unit 145 stores the key information used as input by the encryption / decryption processing unit 141.
  • The log authentication table storage unit 146 stores the log authentication table 900 that the communication packet verification unit 143 uses as input to verify logs.
  • The computer illustrated in FIG. 2 includes a storage device 11, a CPU 13, an input / output device 14, and a communication device 15.
  • The storage device 11 is composed of an appropriate non-volatile storage element or the like and holds various data, including a program 12 that implements the functions required of the log management server 140 or the control device 110, and the log authentication table 900.
  • The CPU 13 is an arithmetic unit that executes the program 12 held in the storage device 11 to perform overall control of the computer itself and to perform various determinations, calculations, and control processes.
  • The input / output device 14 is assumed to be provided in the control device 110 but not in the log management server 140.
  • The input / output device 14 is responsible for processing the measurement signals sent from sensors installed in the control target and acquired through the communication device 15, and for outputting signals through the communication device 15 to a predetermined mechanism such as an actuator.
  • The communication device 15 is responsible for communication processing with other devices; a network interface card, a wireless communication unit, or the like can be assumed.
  • In the log management server 140, the communication device 15 is connected to the network 190 and communicates with the control device 110. In the control device 110, the communication device 15 communicates with the sensors and actuators described above using a predetermined communication protocol, and also communicates with the log management server 140.
  • FIG. 3 is a sequence diagram showing an overall outline of the log collection method according to the first embodiment.
  • An overall outline of the log collection processing of the control device 110 and the log management server 140 is described with reference to the sequence diagram of FIG. 3.
  • The log authentication table 900 described above is used to determine whether a log included in a communication packet is an authentic log or a dummy log. Although details are described later (FIG. 7), this log authentication table 900 stores indexes that designate the transmission order of communication packets including logs, and as the data corresponding to each index stores either a dummy log or a constant value indicating that the log received with that index is a genuine log.
  • The processing of the control device 110 and the log management server 140 is divided into a log authentication table concealment sharing processing phase and a log collection phase, and each phase is processed as follows.
  • --- Log authentication table concealment sharing processing (S201) ---
  • During trial operation, the log management server 140 executes the log authentication table concealment sharing processing between itself and the control device 110, so that the log authentication table 900 is shared confidentially in advance.
  • Trial operation is a state in which the normal operation of the control device 110 (operation unrelated to the log collection operation of the present invention) is not performed, or is not performed in a production environment, and the log collection system 100 of the present embodiment is operated experimentally. It is the timing at which the log authentication table 900 is generated and shared, in other words the timing at which the influence on the control device 110 is minimized.
  • In the log authentication table concealment sharing process (S201) described above, the control device 110 generates a communication packet including a log and transmits it to the log management server 140 (S313).
  • The log management server 140 receives this communication packet from the control device 110 (S411) and generates dummy logs based on the log included in it (S413). Next, the log management server 140 performs random number generation processing (S414), generates the log authentication table 900 including indexes, and transmits the log authentication table 900 to the control device 110 (S416).
  • The control device 110 receives the log authentication table 900 from the log management server 140 (S314) and stores it in the log authentication table storage unit 116. Details of the log authentication table concealment sharing process are described later with reference to FIG.
  • After the log authentication table concealment sharing process has been executed, during normal operation the control device 110 refers to the log authentication table 900 (S502), determines in the log transmission control process (S318) whether an authentic or a dummy log is to be included in the communication packet, and then executes the log transmission process (S202).
  • The log management server 140 refers to the log authentication table 900 (S603) and executes a verification process (S318) that verifies, based on the index included in the communication packet received from the control device 110, whether the corresponding log is genuine or dummy, and then executes a log collection process (S203) that stores the genuine log in the log storage unit 144. Details of the log transmission process (S202) and the log collection process (S203) are described later with reference to FIGS.
  • --- Log authentication table concealment sharing process ---
  • FIG. 4 is a flowchart showing processing procedure example 1 of the log collection method in the first embodiment. Specifically, it is the detailed flow of the log authentication table concealment sharing process (FIG. 3: S201) performed in the log collection system at the time of a trial run.
  • The log generation unit 117 of the control device 110 generates a log from values relating to the operation state, security state, etc. of the control device itself, obtained with an existing function provided in advance (e.g. a system monitoring function of the OS), and stores it in the authentic log storage unit 115 (S311).
  • The communication packet generation unit 112 of the control device 110 sets, in a predetermined packet according to the communication protocol, the data acquired from a control application that operates on the control device itself (e.g. an application that controls infrastructure equipment or the like, which is the original task of the control device; for example data such as control results), the authentic log generated by the log generation unit 117 described above, and the information corresponding to "authentic" that the log transmission control unit 113 outputs in response to transmission of the authentic log, thereby generating a communication packet (S312).
  • The communication unit 111 transmits the communication packet generated by the communication packet generation unit 112 to the log management server 140 via the network 190 (S313).
  • The communication unit 147 of the log management server 140 receives the communication packet from the control device 110, acquires the authentic log from it, and stores the log in the log storage unit 144 (S411).
  • The log analysis unit 148 of the log management server 140 creates a log analysis result by analyzing the authentic logs stored in the log storage unit 144 using a predetermined algorithm (S412). The log analysis result is shown in detail in FIG. 5.
  • The log analysis result 700 illustrated in FIG. 5 indicates, for example, the distribution range of the values of device state A, device state B, security state C and security state D contained in each of the plural genuine logs; this is the range that the log analysis unit 148 has identified as the "possible values". The example of the log analysis result in FIG. 5 shows the four log items above, but the present invention is not limited to this.
  • Device state A 700-1 and device state B 700-2 are information indicating the operation state of the equipment in which the control device 110 is installed.
  • The state of such equipment is generally monitored from multiple viewpoints, such as temperature and pressure.
  • Security state C 700-3 and security state D 700-4 are information indicating the security state of the equipment in which the control device 110 is installed.
  • The security state of equipment is likewise generally monitored from a plurality of viewpoints.
  • The encryption / decryption processing unit 141 of the log management server 140 performs predetermined cryptographic processing with the key information stored in the key information storage unit 145 as the input of a predetermined function, and generates a random number sequence (S414).
  • The log authentication table generation unit 142 of the log management server 140 generates indexes and the log authentication table 900 associated with them, and stores the log authentication table 900 in the log authentication table storage unit 146 (S415). More specifically, the log authentication table generation unit 142 generates, for example, an index group that is the sequence 1 to n (n is an integer with 0 < n), determines the indexes in that group corresponding to the values of predetermined digits of the random number sequence obtained in step S414 as the indexes corresponding to the authentic log, and determines the other indexes as the indexes corresponding to dummy logs.
  • Next, for each log item indicated by the log analysis result obtained in step S412, the log authentication table generation unit 142 generates a dummy log by setting a dummy value that falls within the range the log item can take (e.g. a random number obtained from a random number generation function within that range), generates a record associating this dummy log with one of the indexes corresponding to dummy logs, and stores it in the log authentication table 900.
  • For an index corresponding to the authentic log, a record in which, for example, the value of each log item is set to "0" is generated and stored in the log authentication table 900. In this way the log authentication table 900 is generated.
  • A specific example of the dummy log is shown in FIG. 6, and a specific example of the log authentication table 900 in FIG. 7.
  • The dummy log column 800 illustrated in FIG. 6 shows dummy log 801, dummy log 802 and dummy log 803. In each of them, device state A 700-1, device state B 700-2, security state C 700-3 and security state D 700-4 are set to values selected at random from the range of possible values.
  • For example, since the range of values that device state A 700-1 can take is "0 to 10" according to the log analysis result 700, the fields corresponding to device state A 700-1 in dummy log 801, dummy log 802 and dummy log 803 are "5", "8" and "2", respectively. The same applies to the other log items.
  • In the log authentication table 900 illustrated in FIG. 7, the indexes with the values "2", "5" and "11", derived from the random number sequence generated by the encryption / decryption processing unit 141 in step S414, correspond to the authentic log, and the other indexes "1", "3", "4" and "6" to "10" correspond to dummy logs.
  • For the indexes corresponding to dummy logs, the data of dummy log 801, dummy log 802 and dummy log 803 generated by the dummy log generation unit 149 is set as the "value"; for the indexes corresponding to the authentic log, a constant value such as (0, 0, 0, 0) is set.
  • The log authentication table may be regenerated. From the viewpoint of the security of the cryptographic random numbers, the number of log authentication table generations may be determined so that the total number of indexes across all generated log authentication tables is larger than the period of the cryptographic random numbers derived from the security required by the system. For example, if a log authentication table with random number period p and D indexes is generated s times, s is a number satisfying p < D × s.
  • the communication unit 147 of the log management server 140 transmits the log authentication table 900 stored in the log authentication table storage unit 146 to the control device 110 via the network 190 (S416).
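The table generation of steps S412 to S415 (authentic indexes picked from a keyed random digit sequence, dummy values drawn inside the observed ranges, a constant for authentic indexes) as an added Python example; this is not code from the patent or from Hitachi. The value ranges, the HMAC-SHA256 digit stream standing in for the predetermined function of S414, the key, and the helper names are assumptions.

```python
import hashlib
import hmac
import random

# Constructed log analysis result 700 (the shape of FIG. 5): for each log item,
# the range of values seen in the authentic logs collected during the trial run.
LOG_ANALYSIS_RESULT = {
    "device_state_A": (0, 10),
    "device_state_B": (50, 70),
    "security_state_C": (10, 30),
    "security_state_D": (80, 100),
}

# Constant stored under the indexes that correspond to the authentic log (FIG. 7).
AUTHENTIC_CONSTANT = (0, 0, 0, 0)


def keyed_digit_stream(key: bytes):
    """Step S414: an endless stream of random digits derived from the stored key.
    The page only says a predetermined cryptographic function of the key
    information; HMAC-SHA256 over a counter is the assumption used here."""
    counter = 0
    while True:
        mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        for byte in mac:
            yield byte % 10
        counter += 1


def authentic_indexes(key: bytes, n: int, count: int) -> set:
    """Step S415: read the digit stream in groups as wide as n; each group whose
    value lies in 1..n names an index that will carry the authentic log.
    Stops once `count` distinct indexes have been found."""
    if not 0 < count <= n:
        raise ValueError("count must be between 1 and n")
    width = len(str(n))
    stream = keyed_digit_stream(key)
    chosen = set()
    while len(chosen) < count:
        value = int("".join(str(next(stream)) for _ in range(width)))
        if 1 <= value <= n:
            chosen.add(value)
    return chosen


def generate_log_authentication_table(key: bytes, n: int, authentic_count: int,
                                      analysis=LOG_ANALYSIS_RESULT) -> dict:
    """Build table 900 as {index: (log_type, value)} for indexes 1..n.
    Dummy values are drawn inside each item's observed range so that a dummy
    log cannot be told from a real one by its value range; authentic indexes
    hold the constant instead of a log."""
    authentic = authentic_indexes(key, n, authentic_count)
    rng = random.Random(key)  # seeded from the key so the table is reproducible
    table = {}
    for index in range(1, n + 1):
        if index in authentic:
            table[index] = ("authentic", AUTHENTIC_CONSTANT)
        else:
            dummy = tuple(rng.randint(lo, hi) for lo, hi in analysis.values())
            table[index] = ("dummy", dummy)
    return table


def dummy_logs_in_range(table: dict, analysis=LOG_ANALYSIS_RESULT) -> bool:
    """Check worth running before the table is shared: every dummy log must
    stay inside the ranges of the log analysis result."""
    ranges = list(analysis.values())
    return all(
        all(lo <= v <= hi for v, (lo, hi) in zip(value, ranges))
        for log_type, value in table.values() if log_type == "dummy"
    )


def generations_needed(p: int, d: int) -> int:
    """Smallest s with p < d * s: the page's condition that the total number of
    indexes over all generated tables (d per table) exceeds the random number
    period p."""
    return p // d + 1
```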
  • FIG. 8 is a flowchart showing processing procedure example 2 of the log collection method according to the first embodiment. Specifically, the flowchart shows the log transmission process (S202) in the control device 110.
  • --- Log transmission process (S202) ---
  • The log transmission control unit 113 of the control device 110 refers to the value of a variable k (initial value 1) held in a storage area secured in, for example, the storage device 11, and obtains it as the index to be set in the communication packet to be transmitted (S501). After this index acquisition, the log transmission control unit 113 increments the value of the variable k.
  • The log transmission control unit 113 then refers to the log authentication table 900 stored in the log authentication table storage unit 116 and acquires the data corresponding to the index obtained in step S501 (S502). The acquired data is the "value" and the "log type" of that index in the log authentication table 900.
  • The log transmission control unit 113 determines whether the "log type" obtained in step S502 is "authentic", that is, whether the index corresponds to the authentic log (S503). If the index corresponds to the genuine log (S503: YES), the log transmission control unit 113 acquires the authentic log from the authentic log storage unit 115 (S504). If the index does not correspond to the genuine log (S503: NO), the log transmission control unit 113 acquires the "value" obtained in step S502, that is, the dummy log (S505).
  • The communication packet generation unit 112 of the control device 110 generates a communication packet by adding, to the data acquired from the control application running on the control device itself (described with reference to FIG. 4), the data acquired by the log transmission control unit 113 in step S504 or S505 (the authentic log or the dummy log) together with the corresponding index obtained in step S501 (S506).
  • A specific example of the communication packet generated by the communication packet generation unit 112 is shown in FIG.
  • A communication packet 1000 illustrated in FIG. 9 consists of a header (for example, the storage destination of information such as the packet transmission source, the transmission destination IP address and the protocol type), a control data storage area (the storage destination of the data obtained from the control application), an index (the value of the index obtained in step S501), and a log storage area (the genuine or dummy log obtained in step S504 or S505).
  • Among the communication packets 1000, communication packet 1001 is a packet whose index obtained in step S501 corresponds to the genuine log, that is, the genuine log "7, 60, 20, 90" obtained from the authentic log storage unit 115 in step S504 is set in its log storage area.
  • Communication packet 1002 is a packet whose index obtained in step S501 is "3", that is, one corresponding to a dummy log; the dummy log obtained from the log authentication table 900 in step S505, for example dummy log 802 (see FIG. 6) "8, 52, 15, 90", is set in its log storage area.
  • The communication unit 111 of the control device 110 transmits the communication packet generated by the communication packet generation unit 112 in step S506 to the log management server 140 via the network 190 (S507), and the flow ends.
  • --- Log collection performed by the log management server ---
  • Details of the log collection processing (FIG. 3: S203) executed by the log management server 140 are described with reference to FIG.
  • The communication unit 147 of the log management server 140 receives the communication packet transmitted from the control device 110 via the network 190 (S601) and acquires the log included in the communication packet (S610). The communication unit 147 also acquires the index from the communication packet received in step S601 (S602).
  • The communication packet verification unit 143 of the log management server 140 refers to the log authentication table 900 stored in the log authentication table storage unit 146 using the index obtained in step S602 as a key (S603), and verifies whether the log obtained in step S610 is a genuine log or a dummy log based on whether the "log type" in the record for that index is "authentic" or "dummy" (S604).
  • If step S604 determines that the log is an authentic log (S605: YES), the communication packet verification unit 143 stores the log acquired in step S610 in the log storage unit 144 as an authentic log (S607).
  • If step S604 determines that the log is not an authentic log, that is, it is a dummy log (S605: NO), the communication packet verification unit 143 discards the log acquired in step S610 (S608) and the process returns to step S601. The series of processing shown in this flow continues while the log management server 140 is operating.
  • Second Embodiment In the first embodiment described above, by including the index of the log authentication table 900 in the communication packet, the transmission order of the communication packet is synchronized between the control device 110 and the log management server 140, and it corresponds to the authentic log or the dummy log. It was possible to verify whether to do.
  • an index is not set for the communication packet, and the transmission order of the communication packet is synchronized by using information shared by the control device 110 and the log management server 140, for example, time information.
  • information shared by the control device 110 and the log management server 140 for example, time information.
  • the configuration of the log collection system 100 (the log management server 140 and the control device 110), the hardware configuration of the computer, the overall outline, and the log authentication table concealment sharing process are the same as in the first embodiment. is there. Therefore, in the second embodiment, processing that is a difference from the first embodiment will be described.
  • Control device log transmission. Here, the log transmission processing in the control device 110 of the second embodiment will be described with reference to FIG. In this case, the log transmission control unit 113 of the control device 110 acquires the current time value, for example from the clock function provided in the OS of the control device 110, as the time information of the communication packet to be transmitted next (S1501).
  • the log transmission control unit 113 inputs the time information acquired in step S1501 into, for example, a function f(t) of the time information t, and acquires the output value of the function f(t) as an index (S1502).
  • This function f(t) is shared in advance between the control device 110 and the log management server 140 in the same way as the log authentication table 900. For example, for a time included in a time zone between certain times t1 and t2, an index “1” is output, and for a time included in a different time zone, an index “2” is output.
  • the log transmission control unit 113 refers to the log authentication table stored in the log authentication table storage unit 116 using the index value calculated in step S1502 as a key, and acquires the data (value and log type) corresponding to that index (S1503).
  • the log transmission control unit 113 determines whether the corresponding index corresponds to the authentic log based on whether the “log type” of the data obtained here is “authentic” or “dummy” (S1504).
  • When the index calculated in step S1502 corresponds to the authentic log (S1504: YES), the log transmission control unit 113 acquires the authentic log from the authentic log storage unit 115 (S1505). On the other hand, if the corresponding index does not correspond to the authentic log (S1504: NO), the log transmission control unit 113 acquires the “value” obtained in step S1503, that is, the dummy log (S1506).
  • the communication packet generation unit 112 of the control device 110 adds the data acquired by the log transmission control unit 113 in step S1505 or S1506 (the authentic log or the dummy log) to the data acquired from the control application running on the control device itself (described with reference to FIG. 4), and generates a communication packet (S1507).
  • a specific example of the communication packet generated by the communication packet generator 112 is shown in FIG.
  • a communication packet 2000 illustrated in FIG. 12 includes a header (for example, the storage destination of information such as the packet transmission source, the transmission destination IP address, and the protocol type), a control data storage area (the storage destination of data obtained from the control application), and a log storage area (the authentic or dummy log obtained in step S1505 or S1506 described above).
  • the communication packet 2001 is a communication packet including an authentic log, in which the authentic log “7, 60, 20, 90” obtained from the authentic log storage unit 115 in step S1505 is set in the log storage area.
  • the communication packet 2002 among the communication packets 2000 is a communication packet including a dummy log, in which the dummy log obtained from the log authentication table 900 in step S1506, for example dummy log 802 (see FIG. 6) “8, 52, 15, 90”, is set in the log storage area.
  • the communication unit 111 of the control device 110 transmits the communication packet generated by the communication packet generation unit 112 in step S1507 described above to the log management server 140 via the network 190 (S1508), and the flow ends.
  • Log collection processing in the log management server ---
  • log collection processing executed by the log management server 140 in the second embodiment will be described with reference to FIG.
  • the communication unit 147 of the log management server 140 receives the communication packet transmitted from the control device 110 via the network 190 (S1601).
  • the communication packet verification unit 143 of the log management server 140 acquires the value of the transmission time from the communication packet received in step S1601, or acquires the current time value from the clock function provided in the OS of the log management server 140 (S1602). Further, the communication packet verification unit 143 acquires the log from the received communication packet (S1603).
  • the communication packet verification unit 143 inputs the time information acquired in the above-described step S1602 to the above-described function f (t), and acquires the output value of this function f (t) as an index (S1604).
  • the communication packet verification unit 143 refers to the log authentication table stored in the log authentication table storage unit 146 using the index calculated in step S1604 as a key (S1605), and verifies whether the log obtained in step S1603 is an authentic log or a dummy log based on whether the value of the “log type” is “dummy” or “authentic” (S1607).
  • When it is determined in step S1607 that the corresponding log is an authentic log (S1607: YES), the communication packet verification unit 143 stores the log acquired in step S1603 in the log storage unit 144 as an authentic log (S1610).
  • FIG. 14 is a diagram illustrating a configuration example of the log collection system 100 according to the third embodiment.
  • the log collection system 100 illustrated in FIG. 14 has no difference in the configuration of the log management server 140 as compared to the system configuration in FIG.
  • the control device 110 further includes a cryptographic processing unit 2118 and a key information storage unit 2114.
  • the communication packet generation unit 112 performs encryption processing on some or all of the payload or the header of the communication packet, using as input parameters of an encryption algorithm the encryption key information and initial vector stored in the key information storage unit 2114 and a mask described below.
  • the mask data that specifies the area of the communication packet on which encryption processing is performed is called a mask, and the mask is stored in the key information storage unit 2114.
  • the area of the communication packet on which the above-described encryption processing is performed is, for example, the index storage area, and the encryption processing is applied for the purpose of concealing the index of the communication packet.
  • the communication unit 111 transmits the communication packet subjected to the encryption process to the log management server 140 via the network 190.
  • Control device log transmission --- The control device 110 according to the third embodiment executes a log transmission process that is partially different from the log transmission process (S202) according to the first embodiment. This log transmission process will be described with reference to FIG. Note that the processing in steps S501 to S503 described in the first embodiment is the same in the third embodiment, and its description is omitted.
  • the encryption processing unit 2118 described above executes, on at least the index among the header, the control data storage area, the index, and the log storage area constituting the communication packet, cryptographic processing such as encryption processing or MAC generation processing based on the encryption key in the key information storage unit 2114 (S2506).
  • the communication packet generation unit 112 adds the data acquired by the log transmission control unit 113 in step S504 or S505 (the authentic log or the dummy log) and at least the index encrypted in step S2506 to the data acquired from the control application running on the control device itself (already described with reference to FIG. 4), and generates a communication packet (S506).
  • the communication unit 111 transmits the communication packet generated by the communication packet generation unit 112 in step S506 described above to the log management server 140 via the network 190 (S507), and the flow ends.
  • Log collection performed by the log management server ---
  • the log management server 140 according to the third embodiment executes a log collection process that is partially different from the log collection process (S203) according to the first embodiment.
  • the communication unit 147 of the log management server 140 receives the communication packet transmitted from the control device 110 via the network 190 (S601), and the encryption / decryption processing unit 141 that received the communication packet executes decryption processing or MAC verification processing on the value (index) of the area encrypted in step S2506, using the decryption key stored in the key information storage unit 2114 (S2610).
  • the object of decryption here is all or part of the header, the control data storage area, the index, and the log storage area constituting the communication packet, but at least the index must be included.
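As an added worked example (not code from the patent or from the applicant), the following Python script simulates the exchange described in the second and third embodiments above together with the log authentication table sharing they rely on: the log management server generates a table whose indexes are marked authentic or dummy by a random number and attaches a generated dummy log to each dummy index; the control device derives the index for the current time slot from a shared function f(t), looks it up, appends either its real log or the table's dummy log to the control data, and (as in the third embodiment) protects the index field with a MAC; the server verifies the MAC, checks the index against its own f(t), and keeps only logs whose index is marked authentic. HMAC-SHA256 as the MAC, the slot-based shape of f(t), the dummy-generation rule (per-field mean plus small noise), and every sample value are assumptions of this example; the page specifies none of them.

```python
import hashlib
import hmac
import random

# Everything below is a constructed illustration; none of the sample values,
# key material or algorithm choices come from the patent text.
AUTHENTIC = "authentic"
DUMMY = "dummy"


def make_dummy_log(observed_logs, rng):
    """Derive a plausible dummy from analysis of real logs: per-field mean plus
    small noise (an assumed rule; the page only says 'a predetermined algorithm')."""
    columns = zip(*observed_logs)
    return tuple(int(sum(col) / len(col)) + rng.randint(-5, 5) for col in columns)


def generate_log_auth_table(n_indexes, observed_logs, seed=0):
    """Log management server: each index is marked authentic or dummy by a random
    number; dummy indexes carry a generated dummy log as their 'value'."""
    rng = random.Random(seed)
    table = {}
    for idx in range(n_indexes):
        if rng.random() < 0.5:
            table[idx] = {"log_type": DUMMY, "value": make_dummy_log(observed_logs, rng)}
        else:
            table[idx] = {"log_type": AUTHENTIC, "value": None}
    return table


def f_time_to_index(t, t_start, slot_seconds, n_indexes):
    """Shared f(t) of the second embodiment: a time inside the k-th slot
    [t_start + k*slot, t_start + (k+1)*slot) maps to index k, wrapping at the table size."""
    return ((t - t_start) // slot_seconds) % n_indexes


def index_mac(key, idx):
    """Third embodiment: MAC over the index field (HMAC-SHA256 assumed here)."""
    return hmac.new(key, idx.to_bytes(4, "big"), hashlib.sha256).hexdigest()


def controller_build_packet(table, idx, control_data, authentic_log, key):
    """Control device: pick the authentic log or the table's dummy log for idx,
    then append it to the control data together with the protected index."""
    record = table[idx]
    log = authentic_log if record["log_type"] == AUTHENTIC else record["value"]
    return {
        "header": {"src": "controller-1", "dst": "log-server"},
        "control_data": control_data,
        "index": idx,
        "index_mac": index_mac(key, idx),
        "log": log,
    }


def server_verify_packet(table, packet, expected_idx, key, log_store):
    """Log management server: verify the index MAC, confirm the index agrees
    with f(t) for this slot, then store authentic logs and discard dummies."""
    if not hmac.compare_digest(packet["index_mac"], index_mac(key, packet["index"])):
        return "rejected: index MAC mismatch"
    if packet["index"] != expected_idx:
        return "rejected: index out of sync with f(t)"
    if table[packet["index"]]["log_type"] == AUTHENTIC:
        log_store.append(packet["log"])
        return "stored"
    return "discarded dummy"


def run_exchange(n_packets=6, seed=1):
    """Drive both sides over consecutive time slots, then replay the last packet
    with its index altered in transit. Returns (table, decisions, stored logs)."""
    observed = [(7, 60, 20, 90), (9, 58, 18, 91), (6, 61, 22, 89)]  # constructed history
    n_indexes, key = 8, b"constructed-shared-key"
    table = generate_log_auth_table(n_indexes, observed, seed=seed)
    t_start, slot = 1_000_000, 10
    log_store, decisions = [], []
    for k in range(n_packets):
        t = t_start + k * slot + 3  # some instant inside slot k
        idx = f_time_to_index(t, t_start, slot, n_indexes)
        pkt = controller_build_packet(table, idx, {"temp": 20 + k}, (7, 60, 20, 90 + k), key)
        decisions.append(server_verify_packet(table, pkt, idx, key, log_store))
    pkt["index"] = (pkt["index"] + 1) % n_indexes  # index modified in transit, without the key
    decisions.append(server_verify_packet(table, pkt, idx, key, log_store))
    return table, decisions, log_store


if __name__ == "__main__":
    table, decisions, stored = run_exchange()
    for k, d in enumerate(decisions):
        print(f"packet {k}: {d}")
    print("stored authentic logs:", stored)
```

The server checks the MAC before it touches the table, so a packet whose index field was altered in transit is rejected without revealing whether that index was authentic or dummy; the f(t) comparison then catches packets that are merely out of step with the shared time slot. Dummy packets are indistinguishable on the wire from authentic ones, which is the property the table sharing is meant to provide.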
  • By designing the configuration of a communication packet that includes a log at the time of system design, and by performing the pre-processing for log data authentication (generation and setting of authentication data) in advance, pressure on network bandwidth due to an increase in communication packets during system operation is prevented, and each control device can perform protection processing of log communication packets using cryptographic technology with low resources.
  • the original purpose of log collection is for the controller to notify the server of its normal state or abnormal state by transmitting the log to the management server. According to the present invention, this object can be achieved even in a situation where a tampering attack exists between the server and the controller.
  • a packet configuration that stores the log in an empty area of the communication packet eliminates the need to separately process a communication packet for log collection, so an increase in the amount of communication packets, and the resulting pressure on network bandwidth, can be avoided.
  • the log authentication table used when verifying whether the log included in the communication packet is an authentic log or a dummy log is generated and distributed at a timing that does not place a load on the original operation of the control device, for example, during system test operation.
  • efficient processing based on the index of the log authentication table is executed instead of conventional encryption / decryption processing, and the processing load during system test operation and during normal operation can be appropriately controlled.
  • the communication packet including the authentic log or dummy log is transmitted and received based on the index of the log authentication table shared between the control device and the log management server.
  • the information processing apparatus, in the process of transmitting the communication packet to the log management server, includes in the communication packet verification data for verifying the authenticity of the log based on the predetermined rule.
  • the log management server, in the process of verifying whether the log included in the communication packet received from the information processing apparatus is a genuine log or a dummy log, may verify the verification data included in the communication packet based on the predetermined rule shared with the information processing apparatus, and thereby verify whether the log included in the communication packet is an authentic log or a dummy log.
  • the information processing apparatus holds, as the predetermined rule, a log authentication table including at least a plurality of indexes each corresponding to a genuine or dummy log in a storage device, and in the process of transmitting the communication packet to the log management server, selects an index in the log authentication table with a predetermined algorithm, determines based on the selected index whether a genuine or a dummy log is to be transmitted, and transmits to the log management server a communication packet including the determined log and the selection index that is the verification data.
  • the log management server holds the log authentication table in a storage device and, before verifying whether the log included in the communication packet is genuine or dummy, checks the selection index included in the communication packet received from the information processing device against the log authentication table shared with the information processing device, determines whether the selection index corresponds to a genuine log or a dummy log, and may thereby verify whether the log included in the communication packet is a genuine log or a dummy log.
  • the log management server performs processing for generating the log authentication table using a predetermined algorithm, holding the log authentication table in a storage device, and transmitting the log authentication table to the information processing device.
  • the information processing apparatus may receive the log authentication table from the log management server and hold the log authentication table in a storage device.
  • the log management server, when generating the log authentication table, generates an index corresponding to either a genuine or a dummy log based on a random number, and may generate the log authentication table by associating and storing a dummy log generated by a predetermined algorithm with each index corresponding to a dummy log.
  • the log management server may generate the dummy log by applying analysis result data, obtained by analyzing the logs obtained from the information processing apparatus, to a predetermined algorithm when generating the dummy log.
  • the log management server executes the generation of the log authentication table at a predetermined timing at which the influence on the normal operation of the information processing apparatus is a predetermined level or less, and the number of log authentication table generations may be determined so that the sum of the numbers of indexes of all generated log authentication tables is larger than the cycle of cryptographic random numbers derived from the required security.
  • the information processing apparatus, in the process of transmitting the communication packet to the log management server, generates, if the selected index corresponds to a genuine log, a communication packet including the authentic log stored in the storage device, predetermined data acquired from a control application that operates according to the original purpose of the information processing apparatus, and the corresponding index; if the selection index corresponds to a dummy log, it may generate a communication packet including the dummy log held in the log authentication table for that index, predetermined data acquired from the control application, and the corresponding index.
  • the information processing apparatus, when transmitting the communication packet to the log management server, includes in the communication packet verification data for verifying the authenticity of the log based on the predetermined rule, and the log management server, in the process of verifying whether the log included in the communication packet received from the information processing apparatus is a genuine log or a dummy log, may verify the verification data based on the predetermined rule shared with the corresponding information processing apparatus, and thereby verify whether the log included in the communication packet is an authentic log or a dummy log.
  • the information processing apparatus holds, as the predetermined rule, a log authentication table including at least a plurality of indexes corresponding to authentic or dummy logs in a storage device, and in the process of transmitting the communication packet to the log management server, selects an index in the log authentication table with a predetermined algorithm, determines based on the selected index whether an authentic or a dummy log is to be transmitted, and transmits to the log management server a communication packet including the determined log and the selection index that is the verification data; the log management server holds the log authentication table in a storage device, and may collate the selection index included in the communication packet received from the information processing apparatus against the log authentication table shared with the information processing apparatus, determine whether the selected index corresponds to a genuine or a dummy log, and verify whether the log included in the communication packet is a genuine or a dummy log.
  • the log management server generates the log authentication table using a predetermined algorithm, holds the log authentication table in a storage device, and transmits the log authentication table to the information processing device. Further, the information processing apparatus may receive the log authentication table from the log management server and hold it in a storage device.
  • the log management server, when generating the log authentication table, generates an index corresponding to either a genuine or a dummy log based on a random number, and may generate the log authentication table by associating and storing a dummy log generated by a predetermined algorithm with each index corresponding to a dummy log.
  • the log management server may generate the dummy log by applying analysis result data, obtained by analyzing the logs obtained from the information processing apparatus, to a predetermined algorithm when generating the dummy log.
  • the log management server generates the log authentication table at a predetermined timing at which the influence on the normal operation of the information processing apparatus is a predetermined level or less, and the number of log authentication table generations may be determined such that the sum of the numbers of indexes of all generated log authentication tables is larger than the cycle of cryptographic random numbers derived from the security required of the system.
  • the information processing apparatus, when transmitting the communication packet to the log management server, generates, if the selected index corresponds to the authentic log, a communication packet including the authentic log stored in the storage device, predetermined data acquired from a control application that operates according to the original purpose of the information processing apparatus, and the corresponding index; if the selection index corresponds to a dummy log, it may generate a communication packet including the dummy log held in the log authentication table for that index, predetermined data acquired from the control application, and the corresponding index.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Selective Calling Equipment (AREA)
  • Telephonic Communication Services (AREA)
  • Debugging And Monitoring (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The problem addressed by the present invention is to enable the secure collection of logs while appropriately avoiding an increase in load on a control device and on a network. The solution according to the invention is a log collection system (100) comprising an information processing device (110) for executing a process of determining, on the basis of a predetermined rule, whether an authentic log or a dummy log is to be transmitted, and of transmitting a communication packet including the determined log to a log management server (140), the log management server (140) being intended to execute a process of receiving the communication packet from the information processing device (110), verifying whether the log included in the communication packet is an authentic log or a dummy log on the basis of the predetermined rule shared with the information processing device (110), and collecting the authentic log.
PCT/JP2015/081204 2015-01-07 2015-11-05 Système de collecte de journal et procédé de collecte de journal WO2016111079A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2015-001339 2015-01-07
JP2015001339A JP6356075B2 (ja) 2015-01-07 2015-01-07 ログ収集システムおよびログ収集方法

Publications (1)

Publication Number Publication Date
WO2016111079A1 true WO2016111079A1 (fr) 2016-07-14

Family

ID=56355781

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2015/081204 WO2016111079A1 (fr) 2015-01-07 2015-11-05 Système de collecte de journal et procédé de collecte de journal

Country Status (2)

Country Link
JP (1) JP6356075B2 (fr)
WO (1) WO2016111079A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6278485B2 (ja) * 2016-08-18 2018-02-14 株式会社大一商会 遊技機
CN107608868B (zh) * 2017-09-08 2021-10-22 联想(北京)有限公司 日志收集方法、基板管理控制器bmc及磁盘控制器

Citations (3)

Publication number Priority date Publication date Assignee Title
JPH10301492A (ja) * 1997-04-23 1998-11-13 Sony Corp 暗号化装置および方法、復号装置および方法、並びに情報処理装置および方法
WO2008117471A1 (fr) * 2007-03-27 2008-10-02 Fujitsu Limited Programme d'audit, système d'audit et méthode d'audit
JP2013037554A (ja) * 2011-08-09 2013-02-21 Mega Chips Corp メモリシステム、セキュリティメモリおよび情報保護方法

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
JP4913493B2 (ja) * 2006-07-21 2012-04-11 株式会社野村総合研究所 情報漏洩防止方法
JP5423308B2 (ja) * 2009-10-20 2014-02-19 富士通株式会社 通信端末装置、通信処理方法及びプログラム

Non-Patent Citations (1)

Title
KEISUKE HAKUTA ET AL.: "Towards Realization of Applying Encryption Communication Functions to Controllers used in Industrial Control Systems", JOURNAL OF THE SOCIETY OF INSTRUMENT AND CONTROL ENGINEERS, vol. 53, no. 10, 10 October 2014 (2014-10-10), pages 936 - 942 *

Also Published As

Publication number Publication date
JP2016126638A (ja) 2016-07-11
JP6356075B2 (ja) 2018-07-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15876952; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15876952; Country of ref document: EP; Kind code of ref document: A1)