WO2016199582A1 - Cyberattack countermeasure range prioritizing system, and cyberattack countermeasure range prioritizing method - Google Patents


Info

Publication number
WO2016199582A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
countermeasure
countermeasure range
malware
range
Application number
PCT/JP2016/065539
Other languages
French (fr)
Japanese (ja)
Inventor
直樹 下間
林 直樹
倫宏 重本
哲郎 鬼頭
仲小路 博史
淳弥 楠美
Original Assignee
株式会社日立システムズ
Application filed by 株式会社日立システムズ
Publication of WO2016199582A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • The present invention relates to a system for prioritizing the scope of countermeasures when a malware infection is confirmed in an organization such as a company.
  • When a malware infection is detected, the security administrator must investigate, starting from the infected device, whether any other device in the company is infected, and must take measures such as isolating the infected device from the network and adding entries to the proxy blacklist (these investigations and measures are collectively referred to as countermeasures).
  • Patent Document 1 (“Virus Damage Range Prediction System”) is a prior technology for reducing the labor required to specify the range of countermeasures against malware infection.
  • The system of Patent Document 1 stores the operation log of each client terminal every day. When an infection of a client is detected, it identifies from the operation log the files operated by that client and identifies the other clients that have accessed those files, thereby identifying the range of possible infection across the entire network system and raising the priority of countermeasures for that range. Investigating from the high-priority range first reduces the effort required to identify the infection range.
  • There are several malware infection methods, such as infection by file operations, infection by e-mail, and infection by browsing websites.
  • Since the technique described in Patent Document 1 specifies the countermeasure range based only on the file operation log, it cannot cope with malware that spreads by means other than file operations.
  • The present invention has been made in view of the above, and its purpose is to provide a cyber attack countermeasure range prioritizing system and a cyber attack countermeasure range prioritizing method capable of efficiently performing countermeasures against various kinds of malware, including malware that spreads by file operations.
  • The cyber attack countermeasure range prioritizing system is a system that, for an organization composed of a plurality of constituent elements, prioritizes the countermeasure range for a constituent element infected with malware. It acquires characteristic information indicating the characteristics of the malware that infected the constituent element; it calculates, from relation information stored in a storage unit (indicating the relations between constituent elements) and from the characteristic information, the distance between each constituent element and the infected constituent element; and it includes a countermeasure range prioritizing section that determines the priority of the countermeasure range from the calculated distance and from policy information that associates the distance with a prioritization policy indicating the countermeasure range.
  • The present invention can also be understood as a cyber attack countermeasure range prioritization method performed by the cyber attack countermeasure range prioritization system.
  • 1 is an overall configuration diagram of the system. The remaining figures show an example of a system configuration diagram, an example structure of the attribute information DB, an example structure of the mail exchange relation information table of the relation information DB, an example structure of the SNS exchange relation information table of the relation information DB, an example structure of the exchange relation information table between business departments of the relation information DB, an example structure of the countermeasure range prioritization policy DB, an example structure of the operation characteristic information DB, and an example structure of the countermeasure log.
  • The cyber attack countermeasure range prioritization system 101 includes, as components, a relation information DB (database) 102, a countermeasure range prioritization policy DB 103, an attribute information DB 104, an operation characteristic information DB 105, a countermeasure range history information DB 106, a relation information creation/update function 107, and a countermeasure range prioritizing function 108.
  • When a malware infection is confirmed on a client terminal 109 of a certain organization, the cyber attack countermeasure range prioritization system 101 acquires the configuration information of the infected client terminal 109 (such as the owner information and IP information of the terminal).
  • The cyber attack countermeasure range prioritization system 101 also acquires the communication logs generated in the organization's daily business processing from the mail server 111, the network device 112, and so on. The relation information creation/update function 107 generates information on the relationships between the client terminals 109 using the attribute information DB 104 and the relation information DB 102, and stores it in the relation information DB 102. The contents of this process are described below.
  • The cyber attack countermeasure range prioritization system 101 then calculates the prioritization of the countermeasure range for the malware infection using the configuration information of the infected client terminal, the operation characteristic information of the malware, and the relationship information between the client terminals 109 in the organization, and outputs the resulting list information to the countermeasure execution function 113. Based on the acquired list information, the countermeasure implementation function 113 transmits countermeasure instructions (such as sending an alert mail to client terminals having a high possibility of infection, in addition to the infected client terminal 109) to the terminal 114.
  • The system can be realized by a normal computer system as shown in FIG. Specifically, it includes a CPU 201, a memory 202, a storage device 203, an input device 204, an output device 205, a communication control device 206, and a bus 207 that connects these components to each other.
  • the CPU 201 executes various programs stored in the storage device 203 and expanded in the memory 202.
  • The input device 204 is, for example, a keyboard or a mouse.
  • the output device 205 is, for example, a display.
  • the communication control device 206 is, for example, a wireless network interface or a network interface card. These are connected to each other by a bus 207.
  • Each of the following functions is realized by a general information processing apparatus such as a server or a PC (personal computer), by executing a program installed in the system that operates as the relation information creating/updating unit, the countermeasure range prioritizing unit, and the countermeasure implementing unit.
  • The attribute information DB 104 and the countermeasure range prioritizing policy DB 103 are stored in advance as input information for each company.
  • The attribute information uniquely identifies each constituent element of the system. If the constituent element is a person, it comprises the employee ID, name, department, position, e-mail address, and so on; for a departmental organization it comprises the department name, business division, location information, and so on.
  • The countermeasure range prioritization policy information determines, when a constituent element infected with malware is detected in the organization's network system, which range is regarded as the possible infection range and what priority is assigned to the countermeasures for it.
  • The relationship information DB 102 holds information on the relationships between the constituent elements of the organization, derived from log information recording the history of processing and operations performed in the organization's daily business.
  • For example, if the constituent elements are employees of the organization and the log information is an e-mail transmission/reception log, the relationship is the e-mail exchange relationship between employees. If the constituent element is an employee and the log information is a message transmission/reception log of an SNS, the relationship is the SNS exchange relationship between employees.
  • The relationship information may be held at the e-mail exchange layer, the SNS layer, or the packet communication layer between constituent elements.
  • The constituent elements may be business departments, computer terminals, information systems composed of a plurality of terminals, network segments, and the like.
  • The relationship information DB 102 can take a plurality of table structures depending on the relationships between the constituent elements; for example, a table that holds the mail exchange relationship between constituent elements, and a table that holds the SNS exchange relationship between employees.
  • The operation characteristic information DB 105 and the countermeasure history information DB 106 are not held as input information unique to the organization, but as information acquired when implementing malware infection countermeasures in the organization or obtained from outside the organization.
  • The malware operating characteristic information includes malware characteristic information and information on operating environment conditions.
  • The countermeasure history information includes what countermeasures were taken against which malware in past countermeasure cases, and policy information for future countermeasures.
  • The attribute information DB 3301 holds the individual information of all employees belonging to the company targeted by the system of this embodiment. Specifically, it consists of an employee ID 3302, an e-mail address 3303, a name 3304, an office name 3305, a department name 3306, a department classification 3307, a position 3308, an owned terminal IP address 3309, an OS 3310, a browser 3312, Word 3313, and a last login date 3314.
  • the employee ID 3302 holds information for uniquely identifying each employee in the company.
  • the e-mail address 3303 holds e-mail address information individually assigned to each employee.
  • the name 3304 holds information on the name of the employee.
  • the establishment name 3305 holds information on the establishment name to which the employee belongs.
  • the department category 3307 holds business category information of the department to which the employee belongs.
  • the position 3308 holds information on the position of the employee.
  • The owned terminal IP address 3309 holds the IP address of the terminal owned by the employee.
  • the OS 3310 holds information on the OS of the terminal owned by the employee.
  • the browser 3311 holds information on a browser used on the terminal owned by the employee.
  • Word 3313 is an example of an application installed on the terminal owned by the employee; it holds the name and version information of the application.
  • the last login date and time 3314 holds information on the last date and time when the employee logged in from the owned terminal.
  • For example, the employee with employee ID 3302 “001” and name 3304 “Hanako” has the mail address 3303 “Hanako@aaa.com”. Because the business establishment name 3305 is “AAA” and the job title 308 is “business establishment manager”, the department name 306 is “-(not applicable)” and the department category 307 is also “-(not applicable)”. She owns one terminal: the owned terminal IP address 308 is “10.0.0.1”, the OS 310 is “Win7”, the browser 311 is “IE9”, among the installed applications Word 312 is “Office 2013”, and the last login date and time 313 at the owned terminal is “2015/01/01”.
  • The individual employee information stored in the attribute information DB 301 is not limited to the above and may include the location information of the department, network segment information, age information, and the like.
  • The above describes the attribute information DB 104 when the constituent element is an employee; its structure changes when the constituent element is a department or an information system.
  • The mail exchange relation information table 401 shown in FIG. 4A holds information on the relationships between each employee of the organization and the other employees and persons outside the company with whom that employee exchanges mail in daily operations.
  • The mail exchange relation information table 401 includes an employee ID 402 and related person information 403.
  • The employee ID 402 holds information that uniquely identifies each employee of the company.
  • The related person information 403 holds, for each person with whom the employee exchanges e-mail in daily work, the employee ID of that person if the person is an employee, or the e-mail address of that person if the person is an outside person.
  • The criterion for holding a person in the related person information 403 may be, for example, that e-mails have been sent to or received from that person more than a certain number of times, or that an e-mail has been sent from the employee to that person.
  • For example, for the employee ID 412 “002”, the related person information 413 shows that the related persons in the exchange relationship are the two employees with employee IDs “001” and “030” and an outside person whose mail address is “Taro@abc.com”.
  • Likewise, for the business unit 422 “AAA/CC” (the CC unit of the AAA business unit), the related business unit information 423 shows that it is related to the business unit “AAA/BB” (the BB department of the AAA division).
  • The operation characteristic information DB 601 holds information on malware detected in the organization or information on malware provided from outside the organization.
  • The operation characteristic information DB 601 includes a malware ID 602, a hash value 603, an SNS 604, an e-mail 605, an OS 606, a browser 607, a Word 608, a time expression 609, and the like.
  • The information held in the operation characteristic information DB 601 may be the scan result of anti-virus software or the result of surface analysis of the malware.
  • The malware ID 602 holds information for uniquely identifying a certain malware.
  • The hash value 603 holds the hash value of the malware.
  • The SNS 604 and the mail 605 hold information indicating whether or not the malware is of a type whose infection spreads via SNS or mail. That is, the infection type of the malware is determined by whether or not the infection spreads through exchanges between constituent elements. In FIG. 6, Yes is set when infection spreads via SNS or mail, and No is set when it does not.
  • The OS 606, the browser 607, and the Word 608 hold information indicating in which versions of the OS or application of each item the malware operates.
  • The time expression 609 holds information on whether or not the malware is of a type that operates at a specific date and time, together with that date and time information.
  • The countermeasure range prioritizing policy DB 501 holds policy information for prioritizing the range to be treated first when a constituent element infected with malware (infected component) is detected in the organization.
  • The countermeasure range prioritization policy DB 501 includes countermeasure range classification elements 502 (a distance 503 from the infected component in the mail exchange relationship, a position 504, and a relationship 505 between the last login date and the malware operation date), a countermeasure range prioritization policy 506, and the like.
  • The countermeasure range classification elements 502 hold each classification element that serves as an axis for classifying the constituent elements of the organization when a constituent element infected with malware is detected.
  • Here the constituent elements are assumed to be employees of the organization.
  • The distance 503 from the infected component (in the mail exchange relationship), one of the countermeasure range classification elements 502, is calculated by starting from the infected component in the mail exchange relationship information table 401 of the relation information DB 102 and tracing the related-party constituent elements in the related person information 403; it is the number of constituent elements on the shortest chain through which the target constituent element is reached.
  • In the present embodiment the constituent element is a “terminal”, and each table in the relationship information DB 102 is defined so that, when calculating the distance, the number of other constituent elements between the infected component and the target component in the “mail exchange relationship” is treated as the distance. In each table, when the target component cannot be reached from the infected component through other components, the distance between them is “∞ (infinite)”. This definition of distance is one example in the present embodiment and is not limiting.
  • The position 504 holds the position of the owner of the terminal that is the constituent element.
  • The relationship 505 between the last login date and the malware operation date and time holds the result of a time-series comparison between the last date and time the employee (the constituent element) logged in to the owned terminal and the malware operation date and time described in the operation characteristic information DB 601.
  • The countermeasure range prioritization policy 506 holds the countermeasure priority assigned to the constituent element. In this embodiment, the priority is higher the closer the distance from the infected component and lower the farther the distance; when the distance is “∞ (infinity)”, the priority is “0”. However, even when the distance is long, the priority changes depending on the other countermeasure range classification elements. The countermeasure range prioritization policy DB 501 is applied when prioritizing all the constituent elements in the organization. This setting of priorities is an example and is not limiting.
  • The countermeasure range prioritization policy DB 501 is read as follows. For example, in the row where the distance 503 from the infected component (in the mail exchange relationship) in the countermeasure range classification elements 502 is “0”, the position 504 of the component is “business establishment manager”, and the relationship 505 between the last login date and the malware operation date and time is “malware operation date and time ⁇ last login date and time”, “3” is assigned as the countermeasure priority for the component.
  • The countermeasure history information DB 701 holds malware characteristic information, information on the infection range, future countermeasure policy information, and the like.
  • The malware characteristic information 702 holds malware characteristic information including a malware hash value 703 and a file name 704.
  • The past countermeasure history information / future countermeasure policy 705 holds information on which range of malware infection was confirmed in the past, which range of constituent elements will be assigned countermeasure priority in the future, and the like.
  • The system of this embodiment prioritizes the range of malware infection countermeasures in the target organization.
  • The relationship information DB creation/update process shown in FIG. 8A and the countermeasure range prioritization process shown in FIG. 8B operate independently.
  • In the relationship information DB creation/update process, the network communication logs of the mail server 111, the network device 112, and so on are acquired, and the relationship information DB is created or updated.
  • In the countermeasure range prioritization process, when an infected component is detected in the organization, information on the infected component is acquired, and priorities are assigned to the countermeasure range of the malware infection in the organization based on the information in the attribute information DB 104, the relationship information DB 102, the countermeasure range prioritization policy DB 103, the operation characteristic information DB 105, and the countermeasure history information DB 106.
  • The two processes are described below.
  • First, log information generated daily in the organization's business (network system log information such as mail transmission/reception logs and other network communication logs, or log information such as file system access logs) is acquired (step 801).
  • Based on the acquired log information, it is determined which type of relation information DB 102 is to be created or updated (step 802).
  • The creation/update process is performed on the determined relationship information DB 102 (step 803), which ends the overview flow of the relationship information DB creation/update. The details of this process are described later.
  • Information on the constituent element on which the malware infection was detected (for example, the IP address of the owned terminal if the constituent element is the terminal owner) is received (step 811).
  • Based on the acquired constituent element information, the countermeasure range in the organization is prioritized (step 812). The details of this process are described later.
  • The countermeasure range obtained in step 812 (for example, a list of IP addresses of terminals to be investigated, in order of priority) is passed as input information to the countermeasure implementation function, which is separate from the system of this embodiment.
  • This completes the overview flow of the countermeasure range prioritization.
  • The relation information DB creation/update process determines, from the mail transmission/reception log acquired from the mail server 111 operated in a certain organization, whether or not the persons of the transmission source and the transmission destination are employees, or the process which stores
  • The transmission destination mail address is extracted from the acquired mail reception log (step 901), and, using the transmission destination mail address as a key, the attribute information DB 102 of the organization is searched to see whether the corresponding employee exists (step 902).
  • If, as a result of the search in step 902, the corresponding employee does not exist in the organization, the related information DB creation/update process of this detailed flow is terminated. If the corresponding employee exists in the organization, the process proceeds to step 904 (step 903).
  • The sender mail address is extracted from the acquired mail reception log, and the attribute information DB 102 of the organization is searched for the corresponding employee using the sender mail address as a key (step 904).
  • If, as a result of step 904, the corresponding employee does not exist in the organization, the process proceeds to step 906. If the corresponding employee exists in the organization, the process proceeds to step 908 (step 905).
  • If, in step 905, no employee has the sender e-mail address, the person of the sender e-mail address is a person outside the company. The employee ID of the employee having the transmission destination e-mail address is identified from the attribute information DB 301, and the related party information of the row of the relationship information DB 401 corresponding to that employee ID is searched for the transmission source e-mail address (step 906).
  • If, in step 906, the source e-mail address exists, the employee having the destination e-mail address and the outside person having the source e-mail address are already in a related-party relationship. In that case it is determined that the unique information (for example, the mail address) of the person having the transmission source mail address is already stored in the related person information 403, no addition is necessary, and the process ends. If the sender e-mail address does not exist, the process proceeds to step 908 (step 907).
  • If, in step 905, the person having the sender e-mail address is determined to be an employee of the organization, the employee ID of that employee is identified from the attribute information DB 301, and the relation information of the row of the relationship information DB 403 corresponding to the employee ID of the destination employee is searched for the identified employee ID of the sender employee (step 909).
  • If, in step 909, the employee ID of the transmission source employee exists, the transmission destination employee and the transmission source employee are already related parties. In that case it is determined that the unique information (for example, the employee ID) of the transmission source employee is already stored in the related person information 403, no addition is necessary, and the process ends. If the employee ID of the source employee does not exist, the process proceeds to step 910 (step 910).
  • At this processing step it is determined that the transmission destination employee and the transmission source employee are related parties, and the employee ID of the transmission source employee is added to the related party information 403 (step 911).
  • The above is the detailed flow of the related information DB creation/update process.
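  • As an added illustration (not code from the patent or from 株式会社日立システムズ), the following Python builds the mail exchange relation information table from a mail reception log following steps 901 to 911: the recipient is resolved to an employee ID (steps 901 to 903), the sender is resolved to an employee ID or kept as an outside address (steps 904 to 906), and an entry is added to the recipient's related person information only if it is not already there (steps 907 to 911). The attribute DB, the log entries, and the `min_messages` threshold (the "more than a certain number of times" criterion the text mentions as one option) are constructed for this example.

```python
from collections import defaultdict

# Constructed attribute information DB (FIG. 3 style), keyed by employee ID.
# Only the columns this flow needs are included.
ATTRIBUTE_DB = {
    "001": {"mail": "Hanako@aaa.com", "position": "business establishment manager"},
    "002": {"mail": "jiro@aaa.com", "position": "general"},
    "030": {"mail": "saburo@aaa.com", "position": "general"},
}

# Constructed mail reception log: (sender address, recipient address) per message.
MAIL_LOG = [
    ("Hanako@aaa.com", "jiro@aaa.com"),    # employee -> employee
    ("saburo@aaa.com", "jiro@aaa.com"),    # employee -> employee
    ("Taro@abc.com", "jiro@aaa.com"),      # outside person -> employee
    ("Taro@abc.com", "jiro@aaa.com"),      # repeat: must not create a second entry (step 907)
    ("jiro@aaa.com", "someone@zzz.com"),   # recipient is not an employee: skipped (step 903)
    ("Hanako@aaa.com", "jiro@aaa.com"),    # repeat: must not create a second entry (step 910)
]


def employee_id_for(address, attribute_db):
    """Steps 902/904: look up the employee whose e-mail address matches.

    Addresses are compared case-insensitively; that is an assumption of this
    example, not something the patent text specifies.
    """
    wanted = address.casefold()
    for emp_id, attrs in attribute_db.items():
        if attrs["mail"].casefold() == wanted:
            return emp_id
    return None


def build_mail_relation_table(mail_log, attribute_db, min_messages=1):
    """Return {recipient employee ID: set of related person info 403}.

    A related entry is the sender's employee ID when the sender is an employee,
    otherwise the sender's e-mail address.  An entry is written once it has been
    seen at least `min_messages` times (the threshold criterion from the text);
    the default of 1 reproduces the plain step 901-911 flow.
    """
    relation = defaultdict(set)
    seen = defaultdict(int)
    for sender, recipient in mail_log:
        recipient_id = employee_id_for(recipient, attribute_db)   # steps 901-902
        if recipient_id is None:                                   # step 903
            continue
        sender_id = employee_id_for(sender, attribute_db)          # steps 904-905
        related_key = sender_id if sender_id is not None else sender
        seen[(recipient_id, related_key)] += 1
        # Sets make the "already stored, no addition needed" checks of
        # steps 907 and 910 implicit.
        if seen[(recipient_id, related_key)] >= min_messages:
            relation[recipient_id].add(related_key)                # steps 906/911
    return dict(relation)


if __name__ == "__main__":
    for emp_id, related in sorted(build_mail_relation_table(MAIL_LOG, ATTRIBUTE_DB).items()):
        print(emp_id, sorted(related))
```

Run as written, the table reproduces the worked row from FIG. 4A: employee “002” is related to employees “001” and “030” and to the outside address “Taro@abc.com”. Raising `min_messages` to 2 drops “030”, who sent only one message.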
  • The countermeasure range prioritization function 108 acquires the operation characteristic information of the malware whose infection was detected from the operation characteristic DB 105 (step 1001). Next, based on the acquired operation characteristic information, the relevant relation information tables are selected (step 1002). For example, when the detected malware is malware ID “001”, which is a type that spreads via “SNS” and “mail”, the mail exchange relation information table shown in FIG. and the SNS exchange relation information table shown in FIG. 4B are selected.
  • The distance between each constituent element stored in the selected relation information table and the infected constituent element is calculated (step 1003).
  • For example, if the constituent element is employee ID “001” and the infected constituent element is employee ID “003”, the distance between them is “1”.
  • Information on the constituent element is searched for in the attribute information DB 104, and the corresponding attribute information (for example, the job title) is acquired (step 1004).
  • The corresponding policy information is acquired from the countermeasure range prioritizing policy information DB 103 (step 1005).
  • Using the acquired policy information, a priority is assigned to the constituent element (step 1006). For example, if the constituent element is at distance “1” from the infected constituent element and its title is “office manager”, the priority shown in FIG. is acquired and assigned to the constituent element.
  • If, after step 1006, the prioritization process has been completed for all constituent elements, the process proceeds to step 1008; if not, it proceeds to step 1007 (step 1007).
  • If, in step 1007, the prioritization process has not been completed for all constituent elements, a constituent element that has not yet been prioritized is selected, and the process returns to step 1003 for that constituent element (step 1008).
  • If, in step 1007, the prioritization process has been completed for all constituent elements, the countermeasure history DB 106 is searched for a case similar to the operation characteristics of the malware. If a similar case is found, the process proceeds to step 1009; if not, it proceeds to step 1012 (step 1009). Criteria for judging a case similar include a similar malware file name and the same output file.
  • The countermeasure history information is acquired from the corresponding past countermeasure history information / future countermeasure policy information 705 (step 1010). For example, if the malware with a similar file name is “ABC.exe” and infection was confirmed on a constituent element whose mail exchange relationship distance is “10”, the countermeasure history information assigning priority “3” to constituent elements meeting that condition is acquired.
  • From the acquired countermeasure history information, it is determined which concept the distance is based on, and the relevant relation information table is selected (step 1011). In the above example, it is determined that the distance is based on the concept of “mail” exchange.
  • The corresponding constituent elements are selected from the acquired countermeasure history information, the corresponding priority is assigned to the selected constituent elements, and the process proceeds to step 1013 (step 1012). For example, when the countermeasure history information above is acquired, priority “3” is assigned to constituent elements whose e-mail exchange relationship distance is “10”.
  • In steps 1008 to 1011, it is determined whether or not there is malware similar to the malware for which the priority of the countermeasure range has been determined, and when similar malware is found, the priority of the countermeasure range set for that malware is assigned.
  • The above is the detailed flow of the prioritization of the countermeasure scope when a cyber attack is detected on a certain constituent element of the organization. This reduces the effort of determining, starting from the infected constituent element, which constituent elements of the organization should be treated first.
  • Example 2 will be described.
  • the countermeasure range prioritization policy DB 1101 of FIG. 11 is used, which is an extension of the configuration of the countermeasure range prioritization policy DB 501 used in the first embodiment.
  • The countermeasure range prioritization policy DB 1101 consists of a countermeasure range classification element 1102, a distance 1103 from the infected component (in the e-mail exchange relationship), a position 1104, a countermeasure range prioritization policy 1105 comprising a component priority 1106 and a prioritized extended policy 1107 (with a priority 1108 and a target range 1109), and the like.
  • Since the countermeasure range prioritization policy DB 1101 is basically the same as the countermeasure range prioritization policy DB 501, only the items added to the configuration of the policy DB 501, namely the prioritized extended policy 1107, the priority 1108 and the target range 1109, are described below.
  • Whereas the countermeasure range prioritization policy DB 501 holds policy information on the priority assigned to the components corresponding to the classification elements of the countermeasure range classification element 502, the countermeasure range prioritization policy DB 1101 additionally holds information on a target range, defined from the component, to which a priority is assigned, and on that priority.
  • For example, from the component priority 1106 it can be seen that the priority assigned to the component is "4", and from the priority 1108 and target range 1109 of the prioritized extended policy 1107 it can be seen that priority "3" is assigned to all components up to distance 3 from that component.
  • Since the position is higher than "department manager" and the countermeasure range (the components that can be affected by the infection, that is, the surrounding components that form the component's sphere of influence) should be wider, the priority of the position "business manager" is larger than the priority of the position "department manager".
  • In this example the concept of distance in the target range 1109 is the distance 1103 from the infected component (in the e-mail exchange relationship) of the countermeasure range classification element 1102, but it does not necessarily have to match this. Further, when the priorities that can be assigned to a component overlap as a result of applying the prioritized extended policy 1107, the higher priority is applied in this embodiment, although the policy for the final priority is not limited to this.
  • The processing from step 1001 to step 1007 of the first embodiment is the same, and the result of completing the prioritization process for all components in step 1006 is acquired (step 1202).
  • An arbitrary component that has not yet been prioritized according to the prioritized extended policy 1107 is selected from the countermeasure range prioritization policy DB 1101 (step 1202).
  • The prioritized extended policy information corresponding to the selected component is acquired (step 1203).
  • The components corresponding to the target range of the acquired prioritized extended policy are extracted (step 1204).
  • The priority of the acquired prioritized extended policy is assigned to the extracted components (step 1205).
  • It is determined whether the prioritization process has been completed for all components; if completed the process proceeds to step 1207, and if not it proceeds to step 1202 (step 1206).
  • When, in step 1206, the prioritization process is completed for all components, the subsequent processing from step 1008 to step 1011 is performed as in the first embodiment (step 1207).
  • The above is the detail of the countermeasure range prioritization process in the second embodiment. As a result, even in the case where a component other than the infected component is hypothetically infected and countermeasures should be taken preferentially for that component and its surrounding components, the trouble of determining that their countermeasure priority should be raised can be reduced.

Abstract

The present invention makes it possible for countermeasures against various types of malware, including malware introduced by file manipulation, to be deployed efficiently. This cyberattack countermeasure range prioritizing system is formed from a plurality of constituent elements, prioritizes a range over which countermeasures against constituent elements infected by malware are to be deployed, and is provided with a countermeasure range prioritizing portion which: acquires characteristic information indicating characteristics of the malware with which constituent elements have been infected; calculates, on the basis of relationship information which indicates relationships between constituent elements and is stored in a storage portion, and also on the basis of the characteristic information, the distance between the constituent elements of a malware infection type indicated in the characteristic information, and the infected constituent elements; and defines countermeasure range priority levels on the basis of policy information associating the calculated distance with a prioritization policy indicating the countermeasure range.

Description

Cyber attack countermeasure range prioritization system, cyber attack countermeasure range prioritization method
 The present invention relates to a system for prioritizing the countermeasure range when countermeasures against a malware infection are taken after a malware infection has been confirmed within an organization such as a company.
 In recent years, cyber attacks targeting companies, such as attack e-mails with suspicious file attachments (suspicious e-mails), have been increasing. Security administrators deal daily with a huge number of suspicious e-mails and suspicious sample reports, and are kept busy detecting, analyzing and responding to suspicious e-mails (identifying targets suspected of malware infection, identifying the infection range, and issuing alerts).
 When a malware infection is discovered, the security administrator must, starting from the infected terminal, investigate whether there are other infected terminals in the company and take actions such as isolating the infected terminals from the network and adding entries to the proxy blacklist (these investigations and actions are collectively called countermeasures).
 However, to carry out the above countermeasures across a large company with many employees, the number of terminals to investigate and the number of file access logs and network logs become enormous, and the work is laborious.
 Patent Document 1 ("Virus Damage Range Prediction System") is a technology related to reducing the effort required to identify the countermeasure range for a malware infection. Patent Document 1 stores the operation log of each client terminal daily; when an infection of a client is detected, the files operated by that client are identified from the operation log, and other clients that accessed those files are identified, thereby identifying the range within the entire network system that may be infected and raising the countermeasure priority for it. By investigating from the high-priority range first, the effort required to identify the infection range is reduced.
JP 2009-176137 A
 Malware infection methods include, besides infection through file operations as dealt with in Patent Document 1, various other types such as infection by e-mail and infection through browsing websites. However, the technology of Patent Document 1 does nothing beyond identifying the countermeasure range from file operation logs, so it cannot deal with malware other than that spread by file operations.
 The present invention was made in view of the above, and its object is to provide a cyber attack countermeasure range prioritization system and a cyber attack countermeasure range prioritization method capable of efficiently taking countermeasures against various kinds of malware, including malware spread by file operations.
 In order to solve the above problems and achieve the object, the cyber attack countermeasure range prioritization system according to the present invention is configured as a cyber attack countermeasure range prioritization system that is composed of a plurality of components and prioritizes the countermeasure range for a component infected with malware, and that comprises a countermeasure range prioritizing unit which acquires characteristic information indicating the characteristics of the malware that infected the component; calculates, based on relationship information indicating the relationships between the components stored in a storage unit and on the characteristic information, the distance between the components and the infected component for the infection type of the malware indicated in the characteristic information; and determines the priority of the countermeasure range based on policy information that associates the calculated distance with a prioritization policy indicating the countermeasure range.
 The present invention can also be understood as a cyber attack countermeasure range prioritization method performed by the above cyber attack countermeasure range prioritization system.
 According to the present invention, countermeasures against various kinds of malware, including malware spread by file operations, can be taken efficiently.
FIG. 1 is an overall configuration diagram of the system.
An example of the system configuration diagram.
An example of the configuration of the attribute information DB.
An example of the configuration of the e-mail exchange relationship information table of the relationship information DB.
An example of the configuration of the SNS social relationship information table of the relationship information DB.
An example of the configuration of the inter-department relationship information table of the relationship information DB.
An example of the configuration of the countermeasure range prioritization policy DB.
An example of the configuration of the operation characteristic information DB.
An example of the configuration of the countermeasure history information DB.
An example of the overall flow of relationship information DB creation/update.
An example of the overall flow of countermeasure range prioritization.
An example of the detailed flow of relationship information DB creation/update.
An example of the detailed flow of countermeasure range prioritization.
An example of the configuration of the countermeasure range prioritization policy DB for Example 2.
An example of the detailed flow of countermeasure range prioritization for Example 2.
 Hereinafter, embodiments of the present invention will be described based on the examples shown in the drawings. The embodiments are not limited to the following.
 First, the overall configuration of a cyber attack countermeasure range prioritization system to which the present invention is applied will be described with reference to FIG. 1. The cyber attack countermeasure range prioritization system 101 has, as components, a relationship information DB (database) 102, a countermeasure range prioritization policy DB 103, an attribute information DB 104, an operation characteristic information DB 105, a countermeasure range history information DB 106, a relationship information creation/update function 107, and a countermeasure range prioritization function 108.
 When a malware infection is confirmed on a client terminal 109 of a certain organization, the cyber attack countermeasure range prioritization system 101 acquires the configuration information of the infected client terminal 109 (owner information, the terminal's IP information, and so on).
 The result of analyzing, with the malware analysis function 110, the behavior and operation characteristics of the malware that ran on the client terminal 109 is stored in the operation characteristic information DB 105. The cyber attack countermeasure range prioritization system 101 also acquires the communication logs generated by the mail server 111, network devices 112 and the like in the organization's daily business; the relationship information creation/update function 107 generates information on the relationships between the organization's client terminals 109 using the attribute information DB 104 and the relationship information DB 102, and stores it in the relationship information DB 102. The content of this processing is described below.
 When a malware infection is confirmed on a client terminal 109 of the organization, the cyber attack countermeasure range prioritization system 101 uses the configuration information of the infected client terminal, the operation characteristic information of the malware, and the relationship information between the client terminals 109 of the organization to compute the prioritization of the malware infection countermeasure range, and outputs the resulting list information to the countermeasure implementation function 113. Based on the acquired list information, the countermeasure implementation function 113 sends countermeasure actions (for example, sending an alert e-mail not only to the infected client terminal 109 but also to client terminals with a high likelihood of infection) to the security staff terminal 114.
 The system can be realized by an ordinary computer system such as that shown in FIG. 2. Specifically, it consists of a CPU 201, a memory 202, a storage device 203, an input device 204, an output device 205, a communication control device 206, and a bus 207 connecting them to one another. The CPU 201 executes the various programs stored in the storage device 203 and loaded into the memory 202. The input device 204 is, for example, a keyboard or mouse, and the output device 205 is, for example, a display. The communication control device 206 is, for example, a wireless network interface or a network interface card. These are connected to one another by the bus 207. Each of the functions described below (the relationship information creation/update function 107, the countermeasure range prioritization function 108, and the countermeasure implementation function 113) is in practice realized by executing programs, installed on a general information processing device such as a server or PC (personal computer), that operate as a relationship information creation/update unit, a countermeasure range prioritization unit, and a countermeasure implementation unit.
 In this system, the attribute information DB 104 and the countermeasure range prioritization policy DB 103 are held in advance as input information for each company. Attribute information is information for uniquely identifying each component of the system: if the component is a person, it includes the employee ID, name, department and position, and e-mail address; if the component is a department, it includes the department name, business category and location.
 Countermeasure range prioritization policy information defines, when a malware-infected component is detected in the organization's network system, which range is set as the range of possible infection and what value is set as the countermeasure priority.
 The relationship information DB 102 holds information on the relationships between the organization's components, derived from log information showing the history of the processing and actions carried out in the organization's daily business. If the components are employees and the log information is an e-mail send/receive log, the relationship information is the e-mail exchange relationship between employees; if the components are employees and the log information is a message send/receive log on an SNS, it is the social relationship between employees, and so on.
 The relationship information may be at the layer of e-mail exchange, at the SNS layer, or at the layer of packet communication between components. Besides employees, the components may be business departments, computer terminals, information systems composed of multiple terminals, network segments, and so on. The relationship information DB 102 may also take several table structures depending on the kind of relationship between components, for example a table structure holding the e-mail exchange relationships between components and a table structure holding the social relationships between employees on the SNS.
 The operation characteristic information DB 105 and the countermeasure history information DB 106 are held not as input information specific to the organization but as information acquired when malware infection countermeasures were carried out in the organization, or as information obtained from outside the organization. Malware operation characteristic information includes the malware's characteristic information and information on the conditions of its operating environment. Countermeasure history information includes, for past malware countermeasure cases, which malware was handled and how far countermeasures were applied, as well as policy information for future countermeasures.
 The contents of each DB are described below. First, the configuration of the attribute information DB 104 is shown using FIG. 3. The attribute information DB 3301 holds the individual information of all employees belonging to the company targeted by the system of this embodiment. Specifically, the attribute information DB 3301 consists of an employee ID 3302, an e-mail address 3303, a name 3304, an office name 3305, a department name 3306, a department category 3307, a position 3308, an owned terminal IP address 3309, an OS 3310, a browser 3312, a Word 3313, and a last login date/time 3314.
 The employee ID 3302 holds information uniquely identifying each employee in the company. The e-mail address 3303 holds the e-mail address individually assigned to each employee. The name 3304 holds the employee's name. The office name 3305 holds the name of the office to which the employee belongs. The department category 3307 holds the business category of the department to which the employee belongs. The position 3308 holds the employee's position. The owned terminal IP address 3309 holds the IP address of the terminal the employee owns. The OS 3310 holds the OS of the employee's terminal. The browser 3311 holds the browser used on the employee's terminal. Word 3313 is an example of an application installed on the employee's terminal, and holds the application's name and version information. The last login date/time 3314 holds the date and time at which the employee last logged in from the owned terminal.
 For example, the employee with employee ID 3302 "001" and name 3304 "Hanako" has the e-mail address 3303 "Hanako@aaa.com". The office name 3305 she belongs to is "AAA", and since her position 308 is "office manager", her department name 306 is "-(not applicable)" and likewise her department category 307 is "-(not applicable)". She owns one terminal, whose owned terminal IP address 308 is "10.0.0.1", OS 310 is "Win7" and browser 311 is "IE9"; of the installed applications, the Word 312 version is "Office2013", and the last login date/time 313 on the owned terminal is "2015/01/01".
 The individual employee information held in the attribute information DB 301 is not limited to the above and may include the location of the department, network segment information, age, and so on. This example has described the attribute information DB 104 for the case where the components are employees; when the components are departments or information systems, the structure of the attribute information DB 104 changes accordingly.
 Next, the configuration of the relationship information DB 102 is shown using the tables 401, 411 and 421 of FIGS. 4(a) to 4(c).
 First, the e-mail exchange relationship information table 401 shown in FIG. 4(a) is described. For each employee of the organization, the e-mail exchange relationship information table 401 holds information on the other employees and outside persons with whom that employee exchanges e-mail in daily business.
 Specifically, the e-mail exchange relationship information table 401 consists of an employee ID 402 and related person information 403. The employee ID 402 holds information uniquely identifying each employee of the company. The related person information 403 holds, for each person with whom the employee exchanges e-mail in daily business, the employee ID if the person is an employee, or the e-mail address if the person is outside the company. Criteria for recording a person in the related person information 403 as related to the employee include whether at least a certain number of e-mails have been exchanged, or whether the employee has ever sent that person an e-mail.
 For example, for the employee whose employee ID 402 is "002", the related person information 403 shows that the persons with whom this employee exchanges e-mail are the two employees with employee IDs 402 "023" and "030" and an outside person with the e-mail address "Jiro@abc.com".
 The same holds for the SNS social relationship information table 411 shown in FIG. 4(b) and the inter-department relationship information table 421 shown in FIG. 4(c): for example, for the employee whose employee ID 412 is "002", the related person information 413 shows that the persons with whom this employee has an SNS relationship are the two employees with employee IDs 412 "001" and "030" and an outside person with the e-mail address "Taro@abc.com". For the relationships between business departments, for example, the related business department information 423 shows that the business department related to the business department name 422 "AAA/CC" (the CC department of the AAA office) is the business department named "AAA/BB" (the BB department of the AAA division).
 Next, the configuration of the malware operation characteristic information DB 601 is shown using FIG. 6. The operation characteristic information DB 601 holds information on malware detected in the organization, or information on malware provided from outside the organization.
 Specifically, the operation characteristic information DB 601 consists of a malware ID 602, a hash value 603, an SNS 604, a mail 605, an OS 606, a browser 607, a Word 608, a time-triggered 609, and the like. The information held in the operation characteristic information DB 601 may additionally include the results of anti-virus software scans or the results of surface analysis of the malware.
 The malware ID 602 holds information uniquely identifying a piece of malware. The hash value 603 holds the malware's hash value. The SNS 604 and the mail 605 hold information on whether the malware is of a type whose infection spreads via SNS or e-mail; that is, the malware's infection type is defined by whether the infection spreads through exchanges between components. In FIG. 6, Yes is set when the infection spreads via SNS or e-mail, and No when it does not.
 The OS 606, the browser 607 and the Word 608 hold information on whether the malware is of a type that runs only under particular versions of that OS or application, and which versions. The time-triggered 609 holds information on whether the malware is of a type that activates at a specific date and time, together with that date and time.
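As an added example, not code from the patent or from Hitachi Systems, the following Python block shows how an operation characteristic record of the kind held in DB 601 can be used before the distance calculation: the SNS and mail flags select the relationship tables over which the distance is computed, and the OS, browser, Word and time-trigger fields are compared with each employee's attribute information to record whether the employee's terminal is one the malware can run on and, for time-triggered malware, whether the terminal has been used since the trigger date. The records, field names, version strings, table names and helper functions are all constructed for this example; how these facts feed into the priority (for instance through policy element 505) is left to the policy table.

```python
from datetime import datetime

# Constructed operation characteristic records in the style of DB 601 (columns 602-609).
# Version lists give the versions the malware is known to run on; an empty list means
# "any version". "timed" is the activation date/time of time-triggered malware, else None.
MALWARE = {
    "M001": {"hash": "<placeholder-hash>", "sns": False, "mail": True,
             "os": ["Win7"], "browser": ["IE9"], "word": ["Office2013"],
             "timed": "2015/01/15 09:00"},
    "M002": {"hash": "<placeholder-hash>", "sns": True, "mail": True,
             "os": [], "browser": [], "word": [], "timed": None},
}

# Constructed attribute rows in the style of DB 3301 (OS, browser, Word, last login).
EMPLOYEES = {
    "001": {"os": "Win7",  "browser": "IE9",  "word": "Office2013", "last_login": "2015/01/01"},
    "002": {"os": "Win10", "browser": "Edge", "word": "Office2016", "last_login": "2015/02/01"},
    "003": {"os": "Win7",  "browser": "IE9",  "word": "Office2013", "last_login": "2015/02/01"},
}

# Infection-type flag -> relationship table over which the distance is computed
# (hypothetical table names standing in for tables 401 and 411).
RELATION_TABLES = {"mail": "mail_exchange_401", "sns": "sns_exchange_411"}


def relation_tables_for(malware):
    """Relationship tables selected by the malware's infection type flags."""
    return [table for flag, table in RELATION_TABLES.items() if malware[flag]]


def environment_matches(malware, employee):
    """True when every version condition the malware has is met by the terminal."""
    for field in ("os", "browser", "word"):
        allowed = malware[field]
        if allowed and employee[field] not in allowed:
            return False
    return True


def used_since_trigger(malware, employee):
    """For time-triggered malware, whether the terminal was logged into at or after
    the trigger date/time; None for malware that is not time-triggered."""
    if malware["timed"] is None:
        return None
    trigger = datetime.strptime(malware["timed"], "%Y/%m/%d %H:%M")
    last_login = datetime.strptime(employee["last_login"], "%Y/%m/%d")
    return last_login >= trigger


def screen_components(malware, employees):
    """Per-employee facts that a prioritization policy can key on."""
    return {
        emp_id: {
            "environment": environment_matches(malware, emp),
            "used_since_trigger": used_since_trigger(malware, emp),
        }
        for emp_id, emp in employees.items()
    }


if __name__ == "__main__":
    for mal_id, mal in MALWARE.items():
        print(mal_id, relation_tables_for(mal), screen_components(mal, EMPLOYEES))
```

For the constructed record M001, employee "002" is excluded by the environment check (Win10 is not a version the malware runs on), while "001" matches the environment but has not logged in since the trigger date; M002 has no version or timing conditions, so every terminal matches and both relationship tables are selected.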
 次に、図5を用いて対策範囲優先度付けポリシーDB108の構成を示す。対策範囲優先度付けポリシーDB501は、当該組織においてマルウェアに感染した構成要素(感染構成要素)を検知した際、優先的に対策すべき範囲の優先度付けのポリシー情報を保持する。 Next, the configuration of the countermeasure range prioritization policy DB 108 will be described with reference to FIG. The countermeasure range prioritizing policy DB 501 holds policy information for prioritizing a range to be preferentially countermeasured when a component infected with malware (infected component) is detected in the organization.
 具体的には、対策範囲優先度付けポリシーDB501は、対策範囲分類要素502、(メールのやり取り関係での)感染構成要素からの距離503、職位504、最終ログイン日時とマルウェア動作日時との関係505、対策範囲優先度付けポリシー506などからなる。 Specifically, the countermeasure range prioritization policy DB 501 includes a countermeasure range classification element 502, a distance 503 from an infection component (in a mail exchange relationship), a position 504, a relationship between a last login date and a malware operation date 505. The countermeasure range prioritization policy 506 and the like.
 対策範囲分類要素502は、当該組織でマルウェア感染した構成要素を検知した際に、当該組織の構成要素を分類する軸となる、各分類要素の情報を保持する。以下では、構成要素を当該組織の社員を指すものとして説明する。 The countermeasure range classification element 502 holds information on each classification element that is an axis for classifying the constituent elements of the organization when the constituent elements infected with malware in the organization are detected. In the following description, the components are assumed to refer to employees of the organization.
 前記対策範囲分類要素502の一つである、(メールのやり取り関係での)感染構成要素からの距離503は、前記関係情報DB102でのメールのやり取り関係情報テーブル401において、感染構成要素を基点として関係者情報403の関係者の構成要素をたどったとき、最短でいくつの構成要素を介して当該構成要素にたどり着くかを計算した数を保持する。 The distance 503 from the infection component (in the mail exchange relationship), which is one of the countermeasure range classification elements 502, is based on the infection component in the mail exchange relationship information table 401 in the relation information DB 102. When the constituent elements of the related party in the related party information 403 are traced, the calculated number of the constituent elements is reached through the shortest number of constituent elements.
 ここでは、構成要素が「端末」であり、距離を計算する際に「メールのやり取り関係」での感染構成要素と当該構成要素間にある、その他構成要素の数を距離として扱っているが、関係情報DB102の各テーブルで、定義されるものであるとする。また、前記各テーブルにおいて、感染構成要素から当該構成要素へその他構成要素をたどってもたどり着けない場合、感染構成要素と当該構成要素との距離は「∞(無限大)」であるとする。前記距離の定義は、本実施例での一つの例であって、この限りではない。 Here, the component is “terminal”, and when calculating the distance, the number of other components between the infected component and the component in the “mail exchange relationship” is treated as the distance. It is assumed that each table in the relationship information DB 102 is defined. Further, in each table, when other components cannot be reached from the infected component to the component, the distance between the infected component and the component is “∞ (infinite)”. The definition of the distance is one example in the present embodiment, and is not limited to this.
 職位504は、当該構成要素である、端末の所有者の職位情報を保持する。最終ログイン日時とマルウェア動作日時との関係505は、当該構成要素である社員が所有端末にログインした最終日時と、前記動作特性情報DB601で説明したマルウェアの動作日時情報と時系列で比較したときの関係情報を保持する。対策範囲優先度付けポリシー506は、当該構成要素に対して割り当てる、対策の優先度情報を保持する。本実施例では、優先度は感染構成要素からの前記距離が近いほど高い値となり、距離が遠くなるほど低い値となる。距離が「∞(無限大)」の場合には、優先度は「0」となる。ただし、距離が遠い場合でも、前記対策範囲分類要素のほかの要素の情報により、優先度の高さも変化する。さらに、本対策範囲優先度付けポリシーDB501は当該組織における全ての構成要素に対して優先度付けを行う際に適用する。なお、上記優先度の設定は一例であって、この限りではない。 The position 504 holds the position information of the owner of the terminal, which is the component. The relationship 505 between the last login date and the malware operation date and time is a time series comparison between the last date and time when the employee as the component logged in to the owned terminal and the operation date and time information of the malware described in the operation characteristic information DB 601. Holds relationship information. The countermeasure range prioritization policy 506 holds countermeasure priority information assigned to the component. In this embodiment, the priority is higher as the distance from the infection component is closer, and is lower as the distance is longer. When the distance is “∞ (infinity)”, the priority is “0”. However, even when the distance is long, the priority level changes depending on the information of other elements of the countermeasure range classification element. Further, the countermeasure range prioritization policy DB 501 is applied when prioritizing all the components in the organization. The setting of the priority is an example and is not limited to this.
 たとえば、ある組織において事業所長の端末でマルウェア感染を検知したとき、端末の所有者を構成要素として捉えることができる。また、本事例でのマルウェアの動作日時は「2014/12/1」で、当該事業所長の端末への最終ログイン日時は「2014/12/31」であるとする。このとき、当該対策範囲優先度付けポリシーDB501は以下のように見ることができる。すなわち、当該構成要素が感染構成要素であるため、対策範囲分類要素502における(メールのやり取り関係での)感染構成要素からの距離503は「0」であり、当該構成要素の職位504は「事業所長」、最終ログイン日時とマルウェア動作日時との関係は「マルウェア動作日時≦最終ログイン日時」の行が該当する。このとき、当該構成要素に対する対策の優先度は、対策優先度付けポリシー506から、「3」が割り当てられることが分かる。 For example, when a malware infection is detected on a terminal of a business establishment in a certain organization, the owner of the terminal can be regarded as a component. In addition, it is assumed that the operation date / time of malware in this example is “2014/12/1”, and the last login date / time to the terminal of the office manager is “2014/12/31”. At this time, the countermeasure range prioritization policy DB 501 can be viewed as follows. That is, since the component is an infection component, the distance 503 from the infection component (in the mail exchange relationship) in the countermeasure range classification element 502 is “0”, and the position 504 of the component is “business The line of “malware operation date and time ≦ last login date and time” corresponds to the relationship between the “manager”, the last login date and the malware operation date and time. At this time, it is understood from the countermeasure prioritization policy 506 that “3” is assigned as the priority of the countermeasure for the component.
 次に、図7を用いて対策履歴情報DB106の構成を示す。対策履歴情報DB701は、マルウェアの特徴情報や感染範囲に関する情報、今後の対策ポリシー情報などを保持する。具体的には、対策履歴情報DB701は、ハッシュ値703、ファイル名704などを有するマルウェアの特徴情報702と、過去の対策履歴情報⇒今後の対策ポリシー情報705などからなる。マルウェアの特徴情報702は、マルウェアのハッシュ値703やファイル名704をはじめとする、マルウェアの特徴情報を保持する。また、過去の対策履歴情報⇒今後の対策ポリシー705は、過去にどの範囲でマルウェア感染が確認されたかという情報や、今後どの範囲の構成要素に対して対策の優先度を割り当てるかの情報などを保持する。 Next, the configuration of the countermeasure history information DB 106 will be described with reference to FIG. The countermeasure history information DB 701 holds malware characteristic information, information on the infection range, future countermeasure policy information, and the like. Specifically, the countermeasure history information DB 701 includes malware characteristic information 702 having a hash value 703, a file name 704, and the like, past countermeasure history information = future countermeasure policy information 705, and the like. The malware characteristic information 702 holds malware characteristic information including a malware hash value 703 and a file name 704. In addition, past countermeasure history information⇒future countermeasure policy 705 includes information on which range of malware infection has been confirmed in the past, information on which range of components will be assigned countermeasure priority in the future, and the like. Hold.
 以上の各DBを基に、本実施形態のシステムは対象とする組織におけるマルウェア感染対策範囲の優先度付けを行う。 Based on each of the above DBs, the system of this embodiment prioritizes the range of malware infection countermeasures in the target organization.
In the following, the overall processing of the cyber-attack countermeasure range prioritization system 101 to which the present invention is applied is outlined according to the overall processing flows shown in FIGS. 8(a) and 8(b). In the system of this embodiment, the relationship information DB creation/update process shown in FIG. 8(a) and the countermeasure range prioritization process shown in FIG. 8(b) operate independently of each other.
The relationship information DB creation/update process acquires network communication logs and the like from the mail server 111, the network devices 112 and so on, and creates or updates the relationship information DB. The countermeasure range prioritization process, when an infected component is detected in the organization, acquires the information on that infected component and prioritizes the range of malware infection countermeasures in the organization based on the information in the attribute information DB 104, the relationship information DB 102, the countermeasure range prioritization policy DB 103, the operating-characteristic information DB 105 and the countermeasure history information DB 106. Each of these two processes is described below.
First, the processing flow of relationship information DB creation/update by the relationship information creation/update function 107 is outlined with reference to FIG. 8(a).
In the overall flow of relationship information DB creation/update, log information generated daily in the organization's business (network and system log information such as mail transmission/reception logs and other network communication logs, or log information such as file system access logs) is first acquired (step 801).
Next, based on the acquired log information, it is determined which type of relationship information DB 102 is to be created or updated (step 802).
Then the creation/update process is performed on the relationship information DB 102 so determined (step 803), which ends the overall flow of relationship information DB creation/update. The details of this process are described later.
Next, the processing flow of the countermeasure range prioritization process by the countermeasure range prioritization function 108 is outlined with reference to FIG. 8(b).
In the overall flow of countermeasure range prioritization, information on the component at which a malware infection was detected (for example, if the component is a terminal owner, the IP address of the owned terminal) is first received (step 811).
Next, based on the acquired component information, the countermeasure range in the organization is prioritized (step 812). The details of this process are described later.
Next, the countermeasure range obtained in step 812 (for example, a list of IP addresses of terminals to be investigated with raised priority) is sent as input to a countermeasure implementation function separate from the system of this embodiment (step 813), which ends the overall flow of countermeasure range prioritization.
The above outlines the overall processing of the relationship information DB creation/update process and the countermeasure range prioritization process in the system of this embodiment.
Next, the details of the relationship information DB creation/update process of step 802 are described according to the processing flow shown in FIG. 9. In this embodiment, mail transmission/reception logs from the mail server 111 are described as an example of the acquired log information.
The detailed flow of relationship information DB creation/update describes the process of determining, from the mail transmission/reception logs acquired from the mail server 111 operated in an organization, whether the sender and the recipient are each employees, and storing in the relationship information DB 102 the degree of relationship between employees, or between an employee and a person outside the company. In this processing flow, the mail reception log of the mail server 111 is acquired.
First, the recipient mail address is extracted from the acquired mail reception log (step 901), and the attribute information DB 102 of the organization is searched, using the recipient mail address as the key, for whether a corresponding employee exists (step 902).
If, as a result of the search (step 902), no corresponding employee exists in the organization, the relationship information DB creation/update process of this detailed flow ends. If a corresponding employee exists in the organization, processing proceeds to step 904 (step 903).
Next, the sender mail address is extracted from the acquired mail reception log, and the attribute information DB 102 of the organization is searched, using the sender mail address as the key, for whether a corresponding employee exists (step 904).
If, as a result of the search (step 904), no corresponding employee exists in the organization, processing proceeds to step 906. If a corresponding employee exists in the organization, processing proceeds to step 908 (step 905).
If, as a result of the determination (step 905), no employee with the sender mail address exists in the organization, the person with the sender mail address is known to be a person outside the company. The employee ID of the employee with the recipient mail address is then identified from the attribute information DB 301, and the relationship information DB 401 is searched for whether the sender mail address is stored in the related-party information of the row for the identified employee ID (step 906).
If, as a result of the search in step 906, the sender mail address exists, the employee with the recipient mail address and the outside person with the sender mail address are known to already be related parties. In that case the unique information (for example, the mail address) of the person with the sender mail address is already stored in the related-party information 403, it is determined that no addition is needed, and the process ends. If the sender mail address does not exist, processing proceeds to step 908 (step 907).
In this processing step, it is determined that the employee with the recipient mail address and the outside person with the sender mail address became related parties at the time of this step, and the sender mail address is appended to the related-party information 403 (step 908).
Next, the processing from step 908 onward is described.
If, as a result of the search in step 905, the person with the sender mail address is determined to be an employee of the organization, that employee's ID is identified from the attribute information DB 301, and the relationship information DB 403 is searched for whether the identified employee ID of the sender employee is stored in the relationship information of the row for the recipient employee's ID (step 909).
If, as a result of the search in step 909, the sender employee's ID exists, the recipient employee and the sender employee are known to already be related parties. In that case the unique information (for example, the employee ID) of the sender employee is already stored in the related-party information 403, it is determined that no addition is needed, and the process ends. If the sender employee's ID does not exist, processing proceeds to step 910 (step 910).
In this processing step, it is determined that the recipient employee and the sender employee became related parties at the time of this step, and the sender employee's ID is appended to the related-party information 403 (step 911). This completes the details of the relationship information DB creation/update process.
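The following Python sketch of the step 901 to 911 flow is an added example, not code from the patent or its applicant. It runs the update over a constructed mail reception log: the log line format, the attribute DB entries and every address are invented for the example. As in the flow above, a relationship is recorded only on the recipient employee's row, an outside person is recorded by mail address and an employee by employee ID, and a party already present is not appended again.

```python
import re

# Constructed attribute DB (employee ID -> mail address); not the patent's FIG. 3 data.
ATTRIBUTE_DB = {
    "001": "yamada@example.co.jp",
    "002": "suzuki@example.co.jp",
    "003": "sato@example.co.jp",
}

# Constructed mail reception log; the line format is invented for this example.
MAIL_LOG = """\
2014-12-01T09:12:03 from=<suzuki@example.co.jp> to=<yamada@example.co.jp> status=accepted
2014-12-01T09:15:44 from=<vendor@partner.example> to=<yamada@example.co.jp> status=accepted
2014-12-01T09:20:10 from=<spam@outside.example> to=<nobody@example.co.jp> status=rejected
2014-12-01T09:31:27 from=<suzuki@example.co.jp> to=<yamada@example.co.jp> status=accepted
2014-12-01T10:02:55 from=<yamada@example.co.jp> to=<sato@example.co.jp> status=accepted
"""
LOG_RE = re.compile(r"from=<(?P<src>[^>]+)> to=<(?P<dst>[^>]+)>")


def employee_id_for(address):
    """Steps 902/904: look the address up in the attribute DB; None means an outside person."""
    for emp_id, mail in ATTRIBUTE_DB.items():
        if mail.lower() == address.lower():
            return emp_id
    return None


def update_relation_db(relation_db, log_line):
    """Steps 901 to 911 for one received-mail log line. Returns True when a party was added."""
    match = LOG_RE.search(log_line)
    if not match:
        return False
    dst_id = employee_id_for(match["dst"])
    if dst_id is None:          # step 903: recipient is not an employee, nothing to record
        return False
    src_id = employee_id_for(match["src"])
    # Outside people are recorded by address (step 908), employees by ID (step 911).
    related = src_id if src_id is not None else match["src"].lower()
    parties = relation_db.setdefault(dst_id, [])  # related-party information 403 row
    if related in parties:      # steps 907/910: already a related party, no append
        return False
    parties.append(related)
    return True


def build_relation_db(log_text):
    """Run the update over a whole log; returns {employee ID: [related parties]}."""
    relation_db = {}
    for line in log_text.splitlines():
        update_relation_db(relation_db, line)
    return relation_db
```

Running `build_relation_db(MAIL_LOG)` records the outside vendor on employee 001's row alongside employee 002, skips the line addressed to a non-employee, ignores the repeated mail from 002, and records 001 on 003's row; the sender's own row is never touched, so the resulting relation is directed exactly as the reception-log flow defines it.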
Next, the details of the countermeasure range prioritization process of step 812 are described according to the processing flow shown in FIG. 10. Embodiment 1 is described first.
The countermeasure range prioritization function 108 acquires, from the operating-characteristic DB 105, the operating-characteristic information of the malware whose infection was detected (step 1001). Next, based on the acquired operating-characteristic information, the applicable relationship information tables are selected (step 1002). For example, if the detected malware has malware ID "001", it is of a type that infects via "SNS" and "mail", so the mail exchange relationship information table shown in FIG. 4(a) and the SNS contact relationship information table shown in FIG. 4(b) are selected.
Next, the distance between the component in question and the infected component stored in the applicable relationship information table is computed (step 1003). For example, in the mail exchange relationship information table shown in FIG. 4(a), if the component in question is employee ID "001" and the infected component is employee ID "003", the distance between them is "1".
Next, the attribute information DB 104 is searched for the information on the component in question, and the applicable attribute information (for example, the position) is acquired (step 1004).
Next, based on the distance from the infected component and the acquired attribute information (for example, the position), the applicable policy information is acquired from the countermeasure range prioritization policy information DB 103 (step 1005), and a priority is assigned to the component based on the acquired policy information (step 1006). For example, if the component is at distance "1" from the infected component and its position is "office manager", then, as shown in FIG. 5, the countermeasure range prioritization policy value "3" is acquired and assigned to the component.
As a result of step 1006, if prioritization of all components is complete, processing proceeds to step 1008; otherwise it proceeds to step 1007 (step 1007).
If, as a result of step 1007, prioritization of all components is not complete, a component not yet prioritized is selected and processing proceeds to step 10003 for that component (step 1008).
If, as a result of step 1007, prioritization of all components is complete, the countermeasure history DB 106 is searched for cases similar to the operating characteristics of this malware; if a similar case is found, processing proceeds to step 1009, and if none is found, to step 1012 (step 1009). Cases may be judged similar, for example, when the malware file names are similar or when the output files are the same.
If, as a result of step 1009, a case similar to the operating characteristics of this malware is found, countermeasure history information is acquired from the corresponding "past countermeasure history information ⇒ future countermeasure policy information" 705 (step 1010). For example, if the malware with the similar file name is "ABC.exe" and an infection was confirmed in a component at mail exchange distance "10", the acquired countermeasure history information states that components meeting this condition are in future to be assigned priority "3".
Next, from the acquired countermeasure history information, the concept under which the distance is defined is determined and the applicable relationship information table is selected (step 1011). In the example above, the distance is determined to be in the concept of "mail" exchange.
Next, the applicable components are selected from the acquired countermeasure history information, the applicable priority is assigned to the selected components, and processing proceeds to step 1013 (step 1012). For example, when the countermeasure history information above is acquired, priority "3" is assigned to the components at mail exchange distance "10".
In other words, in steps 1008 to 1011 it is determined whether there is malware similar to the malware for which the countermeasure range priority was determined, and if so, the countermeasure range priority determined for that malware is assigned to the components infected by the similar malware.
Finally, the list of components to which priorities were assigned in the steps above is output (step 1013).
The above details the countermeasure range prioritization process when a cyber attack is detected at a component of the organization. This reduces the effort of judging, starting from the infected component, which range of the organization's components should be addressed first.
Thus, because this system can prioritize the components of the system that require countermeasures, implementing countermeasures from the high-priority range onward allows efficient countermeasures (infection investigation and handling of the infected components) against malware of the type that spreads infection over the network.
 次に、実施例2について説明する。本実施例では、実施例1で用いた対策範囲優先度付けポリシーDB501の構成を拡張した、図11の対策範囲優先度付けポリシーDB1101を利用する。 Next, Example 2 will be described. In the present embodiment, the countermeasure range prioritization policy DB 1101 of FIG. 11 is used, which is an extension of the configuration of the countermeasure range prioritization policy DB 501 used in the first embodiment.
 具体的には、対策範囲優先度付けポリシーDB1101は、対策範囲分類要素1102、(メールでのやり取り関係での)感染構成要素からの距離1103、職位1104、対策範囲優先度付けポリシー1105、当該構成要素の優先度1106、優先度付け拡張ポリシー1107、優先度1108、対象範囲1109などからなる。 Specifically, the countermeasure range prioritization policy DB 1101 includes a countermeasure range classification element 1102, a distance 1103 from an infection component (in a mail exchange relationship), a position 1104, a countermeasure range prioritization policy 1105, and the configuration It includes an element priority 1106, a prioritized extended policy 1107, a priority 1108, a target range 1109, and the like.
 本構成での対策範囲優先度付けポリシーDB1101の見方は基本的に、前記対策範囲優先度付けポリシーDB501と同様であるため、以下では、前記対策範囲優先度付けポリシーDB501の構成に追加した、優先度付け拡張ポリシー1107と優先度1108、対象範囲1109について説明する。具体的には、前記対策範囲優先度付けポリシーDB501が、対策範囲分類要素502の各分類要素に該当する構成要素に対して割り当てる優先度のポリシー情報を保持していたのに対し、対策範囲優先度付けポリシーDB1101は当該構成要素からさらに、優先度を割り当てる対象範囲の情報とその優先度の情報を保持するものである。 Since the view of the countermeasure range prioritization policy DB 1101 in this configuration is basically the same as the countermeasure range prioritization policy DB 501, the priority added to the configuration of the countermeasure range prioritization policy DB 501 will be described below. The rating extension policy 1107, the priority 1108, and the target range 1109 will be described. Specifically, the countermeasure range prioritization policy DB 501 holds policy information on the priority assigned to the constituent elements corresponding to the classification elements of the countermeasure range classification element 502, whereas the countermeasure range priority The rating policy DB 1101 further holds information on a target range to which priority is assigned and information on the priority from the constituent elements.
 たとえば、(メールのやり取り関係での)感染構成要素からの距離1103が「2」の構成要素に対し、当該構成要素の職位1104が「事業部長」であれば、当該構成要素へ割り当てる優先度は当該構成要素の優先度1106から「4」であることが分かり、さらに、優先度付け拡張ポリシー1107の優先度1108、対象範囲1109の情報から、「当該構成要素からの距離3までの構成要素」すべてに対し、優先度「3」を割り当てることが分かる。図11では、上記職位が「事業部長」であれば、職位「部課長」よりも地位が高く、対策範囲とすべき構成要素(感染によって影響を与えうる構成要素。すなわち当該構成要素を中心としたときに周辺の構成要素から構成される当該構成要素のすそのの範囲。)までの距離の値も大きくなると考えられるため、職位「部課長」の優先度よりも職位「事業部長」の優先度のほうが大きくなっている。 For example, if the distance 1103 from the infected component (in the mail exchange relationship) is “2” and the position 1104 of the component is “business manager”, the priority assigned to the component is From the priority 1106 of the constituent element, it can be seen that it is “4”, and from the information of the priority 1108 and the target range 1109 of the prioritized extended policy 1107, “the constituent element up to the distance 3 from the constituent element” It can be seen that priority “3” is assigned to all. In FIG. 11, if the above-mentioned position is “business manager”, the position is higher than the position “department manager” and should be the countermeasure range (components that can be affected by infection. The range of the component's skirt composed of the surrounding components.) The priority of the position “business manager” is given priority over the priority of the position “department manager”. The degree is larger.
 Here, the notion of distance used in the target range 1109 is, in this example, the distance 1103 from the infected component (in terms of the mail exchange relationship) among the elements of the countermeasure range classification element 1102, but it need not necessarily coincide with that distance. Furthermore, when applying the extended prioritization policy 1107 produces overlapping priorities that could be assigned to the same component, the present embodiment applies the higher priority; the final policy for applying priorities is, however, not limited to this.
 The processing of the second embodiment is described below. In the second embodiment, the processing from step 1001 to step 1007 of the first embodiment is first carried out unchanged, and the result of the prioritization processing in step 1006 having been completed for all components is acquired (step 1202).
 Next, from among all the acquired components, an arbitrary component that has not yet undergone prioritization processing according to the extended prioritization policy 1107 from the countermeasure range prioritization policy DB 1101 is selected (step 1202).
 Next, the extended prioritization policy information applicable to the selected component is acquired (step 1203).
 Next, the components that fall within the target range of the acquired extended prioritization policy are extracted (step 1204).
 Next, the priority of the acquired extended prioritization policy is assigned to the extracted components (step 1205).
 Next, it is determined whether prioritization processing has been completed for all components; if it has, the process proceeds to step 1207, and if it has not, the process returns to step 1202 (step 1206).
 When, as a result of step 1206, prioritization processing has been completed for all components, the subsequent processing from step 1008 through step 1011 is carried out in the same manner as in the first embodiment (step 1207).
 Finally, list information of the components to which priorities were assigned in the above steps is output (step 1208).
 The above is the detail of the countermeasure range prioritization processing in the second embodiment. With this processing, even in the case where a component other than the infected component is hypothetically infected, and that component together with the components around it should be treated preferentially, the effort of judging that the countermeasure priority should be raised is reduced.
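The two-stage procedure described above (the distance-based prioritization of the first embodiment, followed by the extended prioritization policy of steps 1202 to 1208) can be illustrated with the following Python example. It is an added example and not code from the patent or its applicant; the component names, the relationship edges per infection type, the organizational attributes and both policy tables are constructed for illustration, and the rule that the higher priority wins where assignments overlap follows the text above. The example uses the same hop distance for the target range of the extended policy as for the first-stage distance, which the text notes is a choice rather than a requirement.

```python
from collections import deque

# Constructed sample data (not from the patent): relationship information (102)
# keyed by the malware infection type, i.e. the kind of exchange along which
# the malware spreads. Edges are undirected component pairs.
RELATIONS = {
    "mail":  [("pc-a", "pc-b"), ("pc-b", "pc-c"), ("pc-c", "pc-d"),
              ("pc-b", "srv-fs"), ("srv-fs", "pc-e")],
    "share": [("pc-a", "srv-fs"), ("srv-fs", "pc-e"), ("pc-d", "pc-e")],
}

# Constructed organizational attribute information (104).
ATTRIBUTES = {
    "pc-a": {"dept": "sales"}, "pc-b": {"dept": "sales"},
    "pc-c": {"dept": "hr"},    "pc-d": {"dept": "hr"},
    "srv-fs": {"dept": "it", "role": "file-server"}, "pc-e": {"dept": "it"},
}

# Constructed countermeasure range prioritization policy (103): maximum hop
# distance from the infected component -> priority (larger = more urgent).
# Components farther than the last entry fall outside the countermeasure range (0).
DISTANCE_POLICY = [(0, 3), (1, 2), (2, 1)]

# Constructed extended prioritization policy (1107): components whose attributes
# match get a target range (hops around them) and the priority applied to it.
EXTENDED_POLICY = [
    {"match": {"role": "file-server"}, "range": 1, "priority": 2},
]


def build_adjacency(edges):
    """Undirected adjacency map from a list of component pairs."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def hop_distances(adj, source):
    """Breadth-first hop distance from source; unreachable components get no entry."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


def distance_to_priority(distance, policy):
    """Look up the first policy row whose maximum distance covers this distance."""
    for max_hops, prio in policy:
        if distance <= max_hops:
            return prio
    return 0


def prioritize(infected, infection_type, relations, attributes,
               distance_policy, extended_policy):
    """Return [(component, priority)] sorted most urgent first."""
    adj = build_adjacency(relations[infection_type])
    dist = hop_distances(adj, infected)

    # First embodiment: distance from the infected component -> priority.
    priorities = {
        comp: distance_to_priority(dist[comp], distance_policy) if comp in dist else 0
        for comp in attributes
    }

    # Second embodiment: for every component already inside the countermeasure
    # range whose attributes match an extended policy, assign that policy's
    # priority to the components within its target range. On overlap the
    # higher priority is kept, as the embodiment describes.
    for comp, attrs in attributes.items():
        if priorities[comp] == 0:
            continue
        for rule in extended_policy:
            if all(attrs.get(k) == v for k, v in rule["match"].items()):
                for target, d in hop_distances(adj, comp).items():
                    if d <= rule["range"]:
                        priorities[target] = max(priorities[target], rule["priority"])

    return sorted(priorities.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for comp, prio in prioritize("pc-a", "mail", RELATIONS, ATTRIBUTES,
                                 DISTANCE_POLICY, EXTENDED_POLICY):
        print(f"{comp:8s} priority {prio}")
```

With pc-a infected by mail-borne malware, the file server sits two hops away and receives priority 1 from the distance policy alone; the extended policy then raises it and its mail neighbors (pc-b and the otherwise out-of-range pc-e) to priority 2, while pc-b keeps the priority 2 it already had. Running the same code with the "share" infection type walks a different relationship graph, so pc-b and pc-c are unreachable and stay outside the countermeasure range.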
101: Cyber attack countermeasure range prioritization system
102: Relationship information DB
103: Countermeasure range prioritization policy DB
104: Attribute information DB
105: Operation characteristic information DB
106: Countermeasure history information DB
107: Relationship information creation / update function
108: Countermeasure range prioritization function

Claims (12)

  1.  A cyber attack countermeasure range prioritization system that is composed of a plurality of components and prioritizes a countermeasure range for a component infected with malware, the system comprising:
     a countermeasure range prioritization unit that acquires characteristic information indicating characteristics of the malware that infected the component, calculates, based on relationship information indicating relationships among the components stored in a storage unit and on the characteristic information, a distance between each component and the infected component for the infection type of the malware indicated by the characteristic information, and determines a priority of the countermeasure range based on the calculated distance and on policy information associating the distance with a prioritization policy indicating the countermeasure range.
  2.  The cyber attack countermeasure range prioritization system according to claim 1,
     wherein the countermeasure range prioritization unit determines the priority of the countermeasure range based on attribute information indicating organizational attributes of the components stored in the storage unit, the calculated distance, and the policy information.
  3.  The cyber attack countermeasure range prioritization system according to claim 1, further comprising:
     a relationship information generation unit that generates the relationship information based on history information of exchanges performed among the components.
  4.  The cyber attack countermeasure range prioritization system according to claim 2,
     wherein the countermeasure range prioritization unit determines the priority of the countermeasure range based on the infection type of the malware, which is defined according to whether infection spreads through exchanges between the components, the attribute information, the calculated distance, and the policy information.
  5.  The cyber attack countermeasure range prioritization system according to claim 1,
     wherein the storage unit stores a past countermeasure history for the infected component, and
     the countermeasure range prioritization unit determines whether the past countermeasure history contains malware similar to the malware for which the priority of the countermeasure range was determined and, when it determines that such similar malware exists, assigns the priority of the countermeasure range determined for the malware to the component infected by the similar malware.
  6.  The cyber attack countermeasure range prioritization system according to claim 2,
     wherein the countermeasure range prioritization unit determines the priority of the countermeasure range for components surrounding the component for which the priority of the countermeasure range was determined, based on an extended prioritization policy indicating the countermeasure range defined according to the attribute information and on the distance.
  7.  A cyber attack countermeasure range prioritization method for a system composed of a plurality of components, which prioritizes a countermeasure range for a component infected with malware, the method comprising:
     an acquisition step of acquiring characteristic information indicating characteristics of the malware that infected the component;
     a calculation step of calculating, based on relationship information indicating relationships among the components stored in a storage unit and on the characteristic information, a distance between each component and the infected component for the infection type of the malware indicated by the characteristic information; and
     a countermeasure range prioritization step of determining a priority of the countermeasure range based on the calculated distance and on policy information associating the distance with a prioritization policy indicating the countermeasure range.
  8.  The cyber attack countermeasure range prioritization method according to claim 7,
     wherein in the countermeasure range prioritization step, the priority of the countermeasure range is determined based on attribute information indicating organizational attributes of the components stored in the storage unit, the calculated distance, and the policy information.
  9.  The cyber attack countermeasure range prioritization method according to claim 7, further comprising:
     a relationship information generation step of generating the relationship information based on history information of exchanges performed among the components.
  10.  The cyber attack countermeasure range prioritization method according to claim 8,
     wherein in the countermeasure range prioritization step, the priority of the countermeasure range is determined based on the infection type of the malware, which is defined according to whether infection spreads through exchanges between the components, the attribute information, the calculated distance, and the policy information.
  11.  The cyber attack countermeasure range prioritization method according to claim 7,
     wherein in the countermeasure range prioritization step, it is determined whether the past countermeasure history for the infected component stored in the storage unit contains malware similar to the malware for which the priority of the countermeasure range was determined and, when it is determined that such similar malware exists, the priority of the countermeasure range determined for the malware is assigned to the component infected by the similar malware.
  12.  The cyber attack countermeasure range prioritization method according to claim 8,
     wherein in the countermeasure range prioritization step, the priority of the countermeasure range for components surrounding the component for which the priority of the countermeasure range was determined is determined based on an extended prioritization policy indicating the countermeasure range defined according to the attribute information and on the distance.
PCT/JP2016/065539 2015-06-10 2016-05-26 Cyberattack countermeasure range prioritizing system, and cyberattack countermeasure range prioritizing method WO2016199582A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2015-117066 2015-06-10
JP2015117066A JP6490502B2 (en) 2015-06-10 2015-06-10 Cyber attack countermeasure range prioritization system, cyber attack countermeasure range prioritization method

Publications (1)

Publication Number Publication Date
WO2016199582A1 true WO2016199582A1 (en) 2016-12-15

Family

ID=57503445

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2016/065539 WO2016199582A1 (en) 2015-06-10 2016-05-26 Cyberattack countermeasure range prioritizing system, and cyberattack countermeasure range prioritizing method

Country Status (2)

Country Link
JP (1) JP6490502B2 (en)
WO (1) WO2016199582A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10938839B2 (en) 2018-08-31 2021-03-02 Sophos Limited Threat detection with business impact scoring

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004178033A (en) * 2002-11-25 2004-06-24 Hitachi Ltd Security management support method and program in distributed system
JP2006252277A (en) * 2005-03-11 2006-09-21 Nec Corp Detection method for area infected with computer virus, and network system
JP2008140300A (en) * 2006-12-05 2008-06-19 Hitachi Ltd Storage system, virus infection diffusion preventing method, and virus removal supporting method

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP4705961B2 (en) * 2008-01-25 2011-06-22 Sky株式会社 Virus damage range prediction system
US8316453B2 (en) * 2008-06-27 2012-11-20 Bank Of America Corporation Dynamic community generator
JP2010267128A (en) * 2009-05-15 2010-11-25 Ntt Docomo Inc Analysis system, analysis device, detection method, analysis method and program
JP2011101172A (en) * 2009-11-05 2011-05-19 Nec Corp Worm infection source specification system, specification method and specification program, agent, and manager computer

Also Published As

Publication number Publication date
JP6490502B2 (en) 2019-03-27
JP2017004233A (en) 2017-01-05

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16807289

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16807289

Country of ref document: EP

Kind code of ref document: A1