WO2018088383A1 - Security rule evaluation device and security rule evaluation system - Google Patents



Publication number
WO2018088383A1
Authority
WO
WIPO (PCT)
Prior art keywords
security
information
threat
security rule
rule
Application number
PCT/JP2017/040045
Other languages
French (fr)
Japanese (ja)
Inventor
佑介 西
敏彦 萩原
Original Assignee
株式会社日立システムズ

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • the present invention relates to a security rule evaluation device and a security rule evaluation system.
  • The present invention claims the priority of Japanese Patent Application No. 2016-217845 filed on November 8, 2016, and for the designated countries where incorporation by reference of documents is permitted, the contents described in that application are incorporated into this application by reference.
  • Patent Document 1: JP 2010-266966 A
  • Patent Document 1 describes a security countermeasure evaluation method that collects the log information and asset management information gathered by the computer system for each group, statistically processes them for each specific group, and includes an evaluation step that performs a relative evaluation of the information security of each group within the groups, thereby obtaining an index of how much security countermeasure each organization is taking.
  • The technology described in Patent Document 1 is limited to evaluating security rules; it does not consider the maintenance load of security rules that accompanies changes in the environment.
  • An object of the present invention is to provide a technique capable of assisting the examination of changes in security rules accompanying changes in the environment.
  • A security rule evaluation apparatus according to the present invention includes a threat information management unit that specifies importance information on information security threats and compatibility characteristic information indicating the compatibility between a threat and the information processing system to be protected; a security rule evaluation unit that calculates, for each security rule of the information processing system, the priority of updating that security rule using at least the importance information and the compatibility characteristic information; and a priority rule presenting unit that presents the security rules to be updated in the order of the priorities calculated by the security rule evaluation unit.
  • FIG. 1 is a diagram showing the configuration of the security rule evaluation system according to the first embodiment of the present invention. FIG. 2 is a diagram showing the data structure stored in the If rule table. FIG. 3 is a diagram showing the data structure stored in the If/Then rule correspondence table.
  • the data analysis infrastructure performs correlation analysis on log information that can be acquired from various IT resources including network devices such as switches and proxies, server devices, and storage.
  • Security systems that detect unknown attacks and malware-infected terminals, and that perform the necessary control according to the analysis result (for example, the IT resource control infrastructure shutting down a port of the network device), are becoming widespread.
  • Such a security system often uses an If rule for detecting an unknown attack or a malware-infected terminal by correlation analysis of a large number of logs, and a Then rule that defines a control to be performed when the If rule is satisfied.
  • These security rules are set by the security administrator for each target system (that is, for each tenant, each department, each user, etc.) protected by the security system.
  • Patent Document 1 uses, as the security level standard, information obtained by collecting and statistically processing information on the security measures of other systems different from the system to be evaluated.
  • However, the security threats that should be emphasized may differ between those other systems and the system whose security level is to be evaluated.
  • Therefore, when evaluating the priority of a system's security rules, the present invention uses the security information of other systems as the security level standard in order to follow general security threat trends, and sets a high priority for the security rules concerning the threats that each system should emphasize, so that the security rules that need to be updated can be selected and updated quickly.
  • The effect is that, by using general security information as the security level standard, the priority of the security rules related to the security threats that each system should emphasize can be raised while reflecting the trend of threat information, so that the security rules that need to be updated in order to maintain a high security level can be selected and updated quickly.
  • FIG. 1 is a diagram showing a configuration of a security rule evaluation system according to the first embodiment of the present invention.
  • The security rule evaluation system includes computer systems 1A and 1B provided at an information security company that provides threat information, a security system 4 communicably connected to the computer systems 1A and 1B via the network 3, and a server device 6, a network device 7, a storage 8, and a security countermeasure product 9 that are communicably connected to the security system 4 via the network 5.
  • the computer systems 1A and 1B will be referred to as computer systems 1 unless otherwise distinguished.
  • IT: Information Technology
  • The computer system 1 is an information system that includes a server device (physical computer hardware) installed, for example, at an information security company that provides information security countermeasure products and information security countermeasure information, at an information security organization that collects and publishes information on information security, or at a specific company that has its own system for collecting and analyzing information security information.
  • information security companies, information security organizations, and information systems that collect and analyze information related to information security are referred to as information security vendors unless otherwise distinguished.
  • Computer systems 1A and 1B store and hold security threat information 2A and 2B, respectively.
  • When the security threat information 2A and 2B are not particularly distinguished, they are referred to as security threat information 2.
  • the computer system 1 is connected to the security system 4 through the network 3.
  • The security threat information 2 is sent to the security system 4, and in particular to the security rule evaluation apparatus 100, either regularly at a predetermined frequency (for example, once every four hours) or at a predetermined timing (for example, when a threat that must be dealt with urgently occurs).
  • Security threat information 2 includes information related to cyber attacks.
  • For example, it includes cyber attack information that conforms to a standard for describing cyber attacks such as STIX (Structured Threat Information Expression), cyber attack information in the form provided by information security companies and information security organizations, or countermeasure information.
  • STIX: Structured Threat Information Expression
  • the network 3 is, for example, a public network such as the Internet, a LAN (Local Area Network), or a WAN (Wide Area Network), and connects the computer system 1 and the security system 4 in a communicable manner.
  • the computer system 1 transmits the security threat information 2 to the security system 4, particularly the security rule evaluation device 100, using the network 3.
  • the security system 4 includes a security rule evaluation device 100, a data analysis device 200, and an IT resource control device 300. Details will be described later.
  • the network 5 is, for example, a public network such as the Internet or an in-house network such as a LAN, and connects the security system 4 and IT equipment.
  • the security system 4 collects a cyber attack detection log of the security countermeasure product 9 using the network 5, and transmits an IT device control instruction via the network 5 as a result of the log analysis.
  • the server device 6 is, for example, a server computer that is physical computer hardware.
  • the network device 7 is, for example, a switch, a router, a proxy, or a firewall.
  • the storage 8 is, for example, a storage device or a database control device that holds data and can perform data input / output communication with other devices via the network 5.
  • The security countermeasure product 9 is, for example, an IPS (Intrusion Prevention System), an IDS (Intrusion Detection System), or a UTM (Unified Threat Management) that detects a cyber attack.
  • the security rule evaluation device 100 is, for example, a server computer that is physical computer hardware.
  • the security rule evaluation device 100 is communicably connected to the computer system 1, the data analysis device 200, and the IT resource control device 300.
  • The security rule evaluation device 100 can receive the security threat information 2A transmitted from the computer system 1A and the security threat information 2B transmitted from the computer system 1B.
  • the security rule evaluation device 100 can receive information related to the If rule table 210 and the If / Then rule correspondence table 220 from the data analysis device 200.
  • The security rule evaluation device 100 can receive information related to the Then rule table 310 from the IT resource control device 300. Other details of the security rule evaluation apparatus 100 will be described later.
  • the data analysis device 200 is, for example, a server computer that is physical computer hardware.
  • The data analysis device 200 is communicably connected to the security rule evaluation device 100, the IT resource control device 300, and the IT devices, and can transmit the If rule table 210 and the If/Then rule correspondence table 220 to the security rule evaluation device 100.
  • The data analysis apparatus 200 acquires and analyzes logs from the IT devices, and when a log matches an If rule stored in the If rule table 210, it determines the corresponding Then rule from the If/Then rule correspondence table 220 and transmits to the IT resource control device 300 an instruction to execute that Then rule stored in the Then rule table 310.
  • FIG. 2 is a diagram showing a data structure stored in the If rule table.
  • If rule table 210 stores system identifier 210A, If rule name 210B, and rule content 210C in association with each other.
  • the system identifier 210A is information for identifying an information system to be protected as a target to which the If rule is applied.
  • the If rule name 210B is a name of a rule that is a condition for detecting a threat to the information system to be protected.
  • the rule content 210C is information for specifying detailed attributes of a rule serving as a character string condition for detecting a threat to the information system to be protected.
  • For example, the rule content 210C includes, as data, information specifying the range of data over which the condition is verified, information specifying the physical device, a log pattern left by the threat, and a condition specification such as a communication destination IP (Internet Protocol) address.
  • IP: Internet Protocol
  • The If rule table 210 may describe the rule contents using an analysis language (not shown) prepared by the data analysis apparatus 200, or using an arbitrary language or tool prepared by the security administrator.
  • FIG. 3 is a diagram showing a data structure stored in the If / Then rule correspondence table.
  • the If / Then rule correspondence table 220 stores a system identifier 220A, an If rule name 220B, and a Then rule name 220C in association with each other.
  • the system identifier 220A is information for identifying an information system to be protected as a target to which the If rule is applied.
  • the If rule name 220B is a name of a rule that is a condition for detecting a threat to the information system to be protected.
  • The Then rule name 220C is information for identifying a Then rule that defines the information processing to be performed when a threat to the information system to be protected is detected.
  • Such an If / Then rule correspondence table 220 is, for example, a technique for defining a Then rule to be executed when an If rule is met.
  • the IT resource control device 300 is, for example, a server computer that is physical computer hardware.
  • The IT resource control device 300 is communicably connected to the security rule evaluation device 100, the data analysis device 200, and the IT devices, and can transmit the Then rule table 310 to the security rule evaluation device 100. When the IT resource control device 300 receives from the data analysis device 200 an instruction to execute a Then rule stored in the Then rule table 310, it searches the Then rule table 310 for that Then rule, reads it, and controls the IT equipment according to it.
  • FIG. 4 is a diagram showing a data structure stored in the Then rule table.
  • The Then rule table 310 stores, for example, a system identifier 310A, a Then rule name 310B, and a rule content 310C in association with each other for each Then rule to be executed when an If rule is met.
  • the system identifier 310A is information for identifying an information system to be protected as a target to which the Then rule is applied.
  • The Then rule name 310B is the name of an information processing rule that is executed when a threat to the information system to be protected is detected.
  • the rule content 310C is information for specifying a predetermined command, an executable file to be executed, a script, a remote machine control command, or the like.
  • The Then rule table 310 is, for example, a technique for defining a Then rule to be executed when an If rule is met.
  • For example, the rule content of Then rule A for the information system “X” is “vmcontrol.pl -operation poweroff --vmname XXX”, which means “power off the VM (virtual machine) whose name is XXX”. Note that in the Then rule table 310, rule contents may be described using a control language prepared by the IT resource control apparatus 300, or using an arbitrary language or tool prepared by the security administrator.
  • The security system 4 includes the security rule evaluation device 100, the data analysis device 200, and the IT resource control device 300 as separate and independent devices. Needless to say, the functions of these devices may instead be implemented in one server computer, which is a piece of physical computer hardware.
  • FIG. 5 is a diagram showing the configuration of the security rule evaluation apparatus.
  • the security rule evaluation device 100 includes, for example, an input unit 110, an output unit 120, a calculation unit 130, a communication unit 140, and a storage unit 150.
  • the input unit 110 receives user input information input from a device such as a keyboard or a mouse, and sends it to the calculation unit 130.
  • the output unit 120 causes a device such as a display to output output information that is a calculation result of the calculation unit 130 in response to an input from the user.
  • the calculation unit 130 includes a threat information management unit 131, a security rule evaluation unit 132, and a priority rule presentation unit 133.
  • The threat information management unit 131 acquires security threat information from the computer system 1, sets master categories using it, and calculates the importance for each threat category. More specifically, the threat information management unit 131 determines the importance of a threat according to the update frequency of the information provided by a security vendor about that threat, classifies the threats described in the information provided by a plurality of security vendors into master categories common to those vendors, and calculates the importance for each master category by adding together the per-vendor importance levels for that master category. Further, the threat information management unit 131 identifies the threat adaptation characteristic information for each threat using the detection results of attacks received by the information processing system to be protected. In other words, the threat information management unit 131 specifies information on the importance of threats in information security and information on the compatibility characteristics between the threat and the information processing system to be protected.
  • The security rule evaluation unit 132 calculates the adaptability characteristics of the information system to be protected with respect to each threat, and calculates the priority of updating each security rule using the importance and a predetermined weight. In addition, the security rule evaluation unit 132 can specify the range of security rules related to a changed configuration in the information system and calculate their priority. The security rule evaluation unit 132 assigns a higher priority to a security rule the higher the importance and the higher the matching characteristic of the corresponding threat.
  • the security rule evaluation unit 132 acquires attack detection information for each information system from the security countermeasure product 9 via the network 5 and stores it in the attack detection information table 155. Also, the security rule evaluation unit 132 uses the attack detection information table 155 to calculate the adaptation characteristics for each information security vendor for each information system from the attack detection information, and stores them in the threat information compatibility characteristics table 156. Also, the security rule evaluation unit 132 classifies the attack detection information using the attack detection information table 155, calculates the number of attacks for each threat category, and stores the number of attacks in the attack detection number table 158.
  • The security rule evaluation unit 132 stores, for example, the weight for each category of each information security vendor set by the security administrator in the weighting table 159. Further, the security rule evaluation unit 132 acquires the If rule table 210 from the data analysis device 200 and the Then rule table 310 from the IT resource control device 300, classifies each rule into one of the categories defined in the threat category table 152, and stores the result in the security rule evaluation table 160. The security rule evaluation unit 132 then calculates the priority of each security rule using the threat category evaluation table 154, the threat information compatibility characteristic table 156, and the weighting table 159, and stores the priority in the security rule evaluation table 160.
  • the priority rule presenting unit 133 presents a rule that prioritizes updating among security rules. Specifically, the priority rule presenting unit 133 displays the security rules having the highest update priority as a result of the evaluation by the security rule evaluation unit 132 in order of priority.
  • the communication unit 140 is configured by a device such as a NIC (Network Interface Card), and is connected to other devices.
  • NIC: Network Interface Card
  • The storage unit 150 is a storage device such as a flash memory or an HDD (Hard Disk Drive), and stores, for example, an operating system (OS), a threat information table 151, a threat category table 152, a similar category table 153, a threat category evaluation table 154, an attack detection information table 155, a threat information compatibility characteristic table 156, a threat information update count table 157, an attack detection count table 158, a weighting table 159, and a security rule evaluation table 160.
  • OS: operating system
  • FIG. 6 is a diagram showing a data structure stored in the threat information table.
  • the threat information table 151 includes a security vendor identifier 151A, a type 151B, an item 151C, and a value 151D.
  • the security vendor identifier 151A is information for identifying the information security vendor.
  • the type 151B is information indicating a predetermined threat type classified by the information security vendor, such as ransomware, virus, or spyware.
  • the item 151C is information indicating an item for further classifying the threat of the type specified by the type 151B. For example, there are various types of ransomware, such as those that perform communication and those that access a file, and those that perform communication are identified by the detailed items of the communication destination IP.
  • the item 151C indicates such a detailed item.
  • the value 151D is information that identifies the value of a threat that has the item identified by the item 151C.
  • FIG. 7 is a diagram showing a data structure stored in the threat category table.
  • In order to store the categories extracted from the threat information, the threat category table 152 stores the category name used by each security vendor and a master category that unifies those category names across the security vendors in association with each other.
  • the category of information security vendor A, the category of information security vendor B, and the master category 152C that unifies them are stored in the threat category table 152 in association with each other.
  • For example, information security vendor A sets, within the ransomware type, a category having a communication destination IP item, while information security vendor B provides a malware classification and sets a category that includes a DstIP item. When these are classified as substantially similar threats, a category of type Ransomware having a communication destination IP item is stored as the master category that unifies them.
  • The threat category table 152 shown in FIG. 7 may store categories at the granularity of a standard such as STIX, or at a granularity uniquely defined by a security vendor or security administrator. Further, categories may be extracted and stored, for example, using a dictionary system that collects synonyms of threat category names (hereinafter referred to as a category similar dictionary), or may be extracted and stored by an arbitrary method chosen by the security administrator.
  • FIG. 8 is a diagram showing a data structure stored in the similar category table (similar category dictionary).
  • The master expression 153A stores the expression used to express similar expressions in a unified manner.
  • the first expression 153B stores an expression having the same meaning as the master expression 153A.
  • the second expression 153C is an expression used for a category by another information security vendor and has the same meaning as the master expression 153A.
  • For example, the categories “Ransomware Dst IP” and “Ransomware (malware) communication destination IP” are synonymous and are collectively expressed as “Ransomware communication destination IP”.
  • That the first expression 153B and the second expression 153C are synonymous can be determined using a known technique (for example, Japanese Patent Application Laid-Open No. 2012-48291).
  • the expression of the master expression 153A may be arbitrarily extracted from a part of expressions such as the first expression 153B and the second expression 153C, or may be arbitrarily determined by a security administrator.
  • FIG. 9 is a diagram showing a data structure stored in the threat category evaluation table 154.
  • the threat category evaluation table 154 stores the degree of importance for each information security vendor.
  • The threat category evaluation table 154 stores a security vendor identifier 154A, a master category 154B, and an importance 154C.
  • the security vendor identifier 154A is information that identifies the information security vendor.
  • The master category 154B is information specifying the master category to which the threat information provided by the information security vendor is assigned.
  • the importance 154C is information on the importance based on the update frequency of the threat information for each information security vendor calculated by the threat information management unit 131.
  • For example, the information security vendor “A” provides threat information classified into the master categories “Ransomware communication destination IP”, “Virus code”, “Ransomware file access”, and “Spyware file access”, and the importance levels calculated for them by the threat information management unit 131 are “7.2”, “3.2”, “3.0”, and “4.2”, respectively.
  • FIG. 10 is a diagram showing a data structure stored in the attack detection information table.
  • the attack detection information table 155 stores the result of acquiring attack detection information for each information system from the security countermeasure product 9 via the network 5.
  • the attack detection information table 155 stores a system identifier 155A, a time 155B, a security product 155C, a category 155D, a detection value 155E, and an occurrence location 155F.
  • the system identifier 155A is an identifier that identifies the information system in which the attack is detected.
  • Time 155B is the time when the attack was detected.
  • the security product 155C is information that identifies the security countermeasure product that detected the attack.
  • the category 155D is information for specifying a master category including the detected attack type and items.
  • the detection value 155E is information for specifying the value of the detected attack item.
  • the occurrence location 155F is information that identifies a location where an attack is detected, that is, an IT
  • For example, it is shown that at “22:51:23 on June 30, 2016” the security countermeasure product “A” detected the “destination IP” address “1.2.3.4” from “server a”.
  • The attack detection information table 155 may store other information related to the details of attacks, information described in the alert log of the security countermeasure product, or information uniquely defined by the security administrator. Further, as illustrated, the attack detection information table 155 may store information on attacks detected and received by the real system, or information on attacks detected by a decoy system such as a honeypot that simulates the real system.
  • FIG. 11 is a diagram showing a data structure stored in the threat information compatibility characteristic table.
  • the threat information compatibility characteristic table 156 stores adaptation characteristics indicating how much the information system is actually associated with threats, for example, for threat information provided by an information security vendor.
  • a security vendor identifier 156A is information that identifies the information security vendor.
  • the system identifier 156B is information that identifies an information system.
  • the category 156C is information that identifies the category of threat information provided by the information security vendor.
  • The conformance characteristic 156D is an index value identifying the degree to which the information system identified by the system identifier 156B matches the threat information that belongs to the category identified by the category 156C and is provided by the information security vendor identified by the security vendor identifier 156A. The calculation of the conformance characteristic will be described later.
  • For example, it is shown that the conformance characteristic of the information system “X” with respect to the threat information in the category “Ransomware communication destination IP” of the information security vendor “A” is “10”.
  • FIG. 12 is a diagram showing a data structure stored in the threat information update count table.
  • The threat information update count table 157 includes a security vendor identifier 157A, a category 157B, and daily update counts “2016/6/30” 157C, “2016/6/29” 157D, “2016/6/28” 157E, “2016/6/27” 157F, and “2016/6/26” 157G.
  • The security vendor identifier 157A stores information identifying the information security vendor from which the security rule evaluation device 100 acquired the threat information.
  • the category 157B stores a predetermined threat category determined by the information security vendor identified by the security vendor identifier 157A.
  • In this example the update count is accumulated every day; however, it may be accumulated at intervals arbitrarily determined by the security administrator (for example, every 3 hours or every week).
  • For example, the threat information on “Ransomware communication destination IP” from the information security vendor “A” was updated 10 times on June 30, 2016, 5 times on June 29, 2016, 2 times on June 28, 2016, 6 times on June 27, 2016, and 20 times on June 26, 2016.
  • FIG. 13 is a diagram showing a data structure stored in the attack detection count table.
  • the attack detection count table 158 includes a system identifier 158A, a security vendor identifier 158B, a master category 158C, and an attack detection count 158D.
  • the system identifier 158A is information for specifying an information system.
  • the security vendor identifier 158B is information that identifies the information security vendor.
  • The master category 158C is information identifying the master category to which the threat information provided by the information security vendor is assigned.
  • The attack detection count 158D is the number of times the information system identified by the system identifier 158A has detected an attack from the threats that belong to the category identified by the master category 158C and are provided by the information security vendor identified by the security vendor identifier 158B. For example, it is shown that the information system “X” has detected attacks classified into the “Ransomware communication destination IP” category of the information security vendor “A” “30” times.
  • As the attack detection count, the number of all attacks detected from the time when the information system specified by the system identifier 158A started operating until the time when the count is calculated is stored.
  • However, the present invention is not limited to this, and the number of attacks detected in an arbitrary time interval determined by the security administrator, such as the last hour or the previous 24 hours, may be stored instead.
  • FIG. 14 is a diagram showing a data structure stored in the weighting table.
  • the weighting table 159 stores weighting applied to each threat master category provided by the information security vendor.
  • the weighting table 159 includes a security vendor identifier 159A, a master category 159B, and a weight 159C.
  • the security vendor identifier 159A is information that identifies the information security vendor.
• the master category 159B is information that identifies the master category to which threat information provided by the information security vendor has been assigned. The greater the value stored in the weight 159C, the higher the priority given to measures against threats in that master category from that information security vendor.
• the example shown in FIG. 14 indicates that the "Ransomware communication destination IP" category of the information security vendor "A" has a weight of "8". Note that the weights in the weighting table 159 may be set by the security administrator at any time.
  • FIG. 15 is a diagram showing a data structure stored in the security rule evaluation table.
  • the security rule evaluation table 160 stores the priority of the If rule set for each information system.
  • the security rule evaluation table 160 includes a system identifier 160A, an If rule name 160B, a master category 160C, and a priority 160D.
  • the system identifier 160A is information for specifying an information system.
• the If rule name 160B is information specifying the name of an If rule managed for the information system specified by the system identifier 160A.
• the master category 160C is information that identifies the category of threat information, unified across information security vendors, to which the If rule belongs.
• the priority 160D is the degree of priority for updating the If rule specified by the If rule name 160B.
  • FIG. 16 is a diagram showing a hardware configuration of the security rule evaluation apparatus.
• the security rule evaluation device 100 includes a communication device 101 such as a NIC (Network Interface Card), a main storage device 102 such as a memory, an input device 103 such as a keyboard and a mouse, an arithmetic device 104 such as a CPU (Central Processing Unit), an external storage device 105 such as a hard disk or an SSD (Solid State Drive), a display device 106 such as a display or a printer, and a bus 107 connecting them.
  • the communication device 101 is a wired communication device that performs wired communication via a network cable, or a wireless communication device that performs wireless communication via an antenna.
  • the communication device 101 communicates with other devices connected to the network.
  • the main storage device 102 is a memory such as a RAM (Random Access Memory).
• the input device 103 is a device that receives input information, such as a pointing device (a keyboard and a mouse), a touch panel, or a microphone serving as a voice input device.
  • the external storage device 105 is a non-volatile storage device that can store digital information, such as a so-called hard disk, SSD, or flash memory.
• the display device 106 is a device that produces output information, such as a display, a printer, or a speaker serving as an audio output device.
  • the above-described threat information management unit 131, security rule evaluation unit 132, and priority rule presentation unit 133 are realized by a program that causes the arithmetic device 104 to perform processing.
  • This program is stored in the main storage device 102 or the external storage device 105, loaded onto the main storage device 102 for execution, and executed by the arithmetic device 104.
  • various tables stored in the storage unit 150 are realized by the main storage device 102 and the external storage device 105.
  • the communication unit 140 that is communicably connected to the Internet or a LAN is realized by the communication device 101. Further, the input unit 110 is realized by the input device 103, and the output unit 120 is realized by the display device 106.
  • the above is the hardware configuration example of the security rule evaluation device 100 in the present embodiment.
  • the configuration is not limited to this, and other hardware may be used.
  • a device that receives input / output via the Internet may be used.
• the security rule evaluation device 100 has known elements such as an OS (Operating System), middleware, and applications, and in particular is provided with an existing processing function for displaying a GUI screen on an input / output device such as a display.
  • FIG. 17 is a diagram showing an operation flow of the master category setting process.
• the master category setting process is a procedure in which the security rule evaluation apparatus 100 refers to the security threat information 2 acquired from the information security vendor, extracts the categories, and sets the master category.
  • the threat information management unit 131 refers to the threat information acquired from the information security vendor from the threat information table 151 (step S111).
  • the threat information management unit 131 extracts a category of threat information for each vendor (step S112). Specifically, the threat information management unit 131 refers to the type 151B and the item 151C in the threat information table 151, and extracts a category for each vendor.
• the threat information management unit 131 stores the extracted categories in the security vendor A category 152A and the security vendor B category 152B of the threat category table 152.
  • the granularity of the category may be determined and extracted using a classification such as the type or item of threat information acquired from an information security vendor, or may be determined and extracted using a classification defined by a standard such as STIX.
  • the security administrator may arbitrarily determine and extract it. For category extraction, for example, a category similarity dictionary may be used, or an arbitrary method by a security administrator may be used.
• the threat information management unit 131 sets a master category based on the similarity of the threat categories of each vendor (step S113). Specifically, the threat information management unit 131 associates the per-vendor threat information categories extracted in step S112 with one another and sets a master category name so that they can be treated under the same name. As a result, the master category is stored in the master category 152C of the threat category table 152. Note that the association of categories across information security vendors and the setting of the master category may follow a standard such as STIX, or may be carried out in any way chosen by the security administrator.
• for example, the threat information management unit 131 searches the similar category table 153, which serves as the similarity dictionary, for each per-vendor category expression extracted in step S112. If a corresponding expression exists, the master expression 153A for that expression is read and stored in the master category 152C. If the per-vendor category expression extracted in step S112 is not found by the search, that is, if there is no similar category, the threat information management unit 131 stores the per-vendor category expression as it is in the master category 152C.
  • the above is the operation flow of the master category setting process.
  • threat information categorized from different viewpoints for each information security vendor can be classified by a unified category.
• the master category setting process shown in FIG. 17 may be executed every time threat information is acquired from an information security vendor, or at an arbitrary time or time interval predetermined by the security administrator.
  • FIG. 18 is a diagram showing an operational flow of threat category-specific importance calculation processing.
  • the threat category importance calculation processing is a procedure in which the security rule evaluation apparatus 100 calculates importance for each threat category using threat information acquired from an information security vendor.
  • the threat information management unit 131 refers to the threat information acquired from the information security vendor from the threat information table 151 (step S121).
  • the threat information management unit 131 calculates the number of updates of threat information using the referenced threat information (step S122). Specifically, the threat information management unit 131 calculates the number of updates of threat information for each category for each information security vendor and stores it in the threat information update count table 157.
• the threat information management unit 131 calculates the importance (step S123). Specifically, the threat information management unit 131 calculates the importance for each category of each information security vendor using the update counts of the threat information calculated in step S122, and stores the result in the importance 154C of the threat category evaluation table 154.
• the threat information management unit 131 can calculate the importance by giving a larger weight to the update counts of the most recent threat information.
• one method is a weighted moving average. For example, when the number of updates for day m is R_m and the weight is n, the importance I, which is a weighted moving average, can be calculated by the following equation (1).
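As an added example (not code from the patent), the following Python computes the importance of one threat category from the daily update counts in the threat information update count table 157 using a linearly weighted moving average: the newest day gets weight n, the oldest day in the window weight 1, and the weighted sum is divided by the sum of the weights. The linear weighting is an assumption, since equation (1) itself is not reproduced in this text; the vendor "A" counts are the ones quoted above, the vendor "B" row is a constructed sample.

```python
from typing import Dict, Sequence, Tuple

# Constructed extract of the threat information update count table 157:
# (vendor, category) -> update counts, newest day first (2016/6/30 ... 2016/6/26).
# The vendor "A" ransomware row is the one quoted in the description; the
# vendor "B" row is a made-up sample value.
UPDATE_COUNTS: Dict[Tuple[str, str], Sequence[int]] = {
    ("A", "Ransomware communication destination IP"): [10, 5, 2, 6, 20],
    ("B", "Ransomware communication destination IP"): [3, 3, 4, 3, 3],
}


def weighted_moving_average(counts: Sequence[int], n: int) -> float:
    """Importance I over the most recent n days of update counts.

    counts[0] is today's count (R_1), counts[1] yesterday's (R_2), and so on.
    Day k (1-based) receives weight n - k + 1, so today weighs n and the oldest
    day in the window weighs 1.  The weighted sum is divided by the sum of the
    weights so that I stays on the same scale as the raw counts.  Linear
    weights are an assumption for this example, not the patent's equation (1).
    """
    if n <= 0:
        raise ValueError("window size n must be positive")
    window = list(counts[:n])
    if not window:
        return 0.0
    # If fewer than n days of history exist, weight only the days that exist.
    weights = [len(window) - k for k in range(len(window))]  # n, n-1, ..., 1
    return sum(w * r for w, r in zip(weights, window)) / sum(weights)


def simple_average(counts: Sequence[int], n: int) -> float:
    """Unweighted mean over the same window, for comparison."""
    window = list(counts[:n])
    return sum(window) / len(window) if window else 0.0


def importance_by_category(
    table: Dict[Tuple[str, str], Sequence[int]], n: int
) -> Dict[Tuple[str, str], float]:
    """Step S123: importance for every (vendor, category) row, i.e. the values
    stored in the importance 154C of the threat category evaluation table 154."""
    return {key: weighted_moving_average(counts, n) for key, counts in table.items()}


if __name__ == "__main__":
    row = UPDATE_COUNTS[("A", "Ransomware communication destination IP")]
    # The spike of 20 updates five days ago is discounted relative to the 10
    # updates today, so the weighted value ends up below the plain average.
    print("weighted (n=5):", weighted_moving_average(row, 5))  # 7.2
    print("plain average  :", simple_average(row, 5))          # 8.6
    print(importance_by_category(UPDATE_COUNTS, 5))
```

The comparison with the plain average is the point of the weighting: a category whose updates are tailing off scores lower than one being updated today, even when its total over the window is larger.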
  • the above is the operation flow of threat category importance calculation processing.
• with the threat category importance calculation process, it is possible to calculate an index value, called the importance, that is high for threat information that has been updated frequently in the recent past.
  • the weighted moving average is used to calculate the importance.
  • the importance may be calculated using an expression arbitrarily set by the security administrator such as using an average.
  • the importance level may be a value provided by the information security vendor as the importance level in the threat information.
  • the importance may be a value set in advance by the security administrator using an arbitrary method.
  • the procedure shown in FIG. 18 may be executed every time the master category setting process shown in FIG. 17 is executed, or may be executed every time threat information is acquired from an information security vendor. Alternatively, it may be executed at an arbitrary time or time interval predetermined by the security administrator.
• FIG. 19 is a diagram showing an operation flow of the conformance characteristic calculation process.
• the conformance characteristic calculation process is a procedure in which the threat information management unit 131 calculates, for each threat category, a conformance characteristic indicating the relevance of that category to the information system to be protected, using the threat information acquired from the information security vendor.
• the threat information management unit 131 refers to a log related to the detected attacks (step S211). Specifically, the threat information management unit 131 collects and refers to the log information regarding detected attacks using the attack detection information table 155.
• the threat information management unit 131 calculates the number of attack detections for each category (step S212). Specifically, the threat information management unit 131 calculates, for each information system and each information security vendor, the number of attack detections for each category using the referenced attack detection information, and stores the number in the attack detection count 158D of the attack detection count table 158.
• the threat information management unit 131 calculates the conformance characteristic for each category (step S213). Specifically, the threat information management unit 131 calculates, for each information system and each information security vendor, the conformance characteristic for each category using the number of attack detections calculated in step S212, and stores the result in the conformance characteristic 156D of the threat information conformance characteristic table 156.
• the threat information management unit 131 can calculate the conformance characteristic as the ratio of the number of attacks detected for each category of each security vendor to the total number of attacks detected for the information system.
• the conformance characteristic is as follows.
• the above is the operation flow of the conformance characteristic calculation process.
• with the conformance characteristic calculation process, it is possible to calculate an index value, called the conformance characteristic, for each category of threat information, based on the attacks actually received by the information system to be protected.
• in the above, the ratio of the number of attack detections is used to calculate the conformance characteristic, but the present invention is not limited to this.
• the threat information management unit 131 may calculate the ratio using a weighted moving average that weights the number of most recently detected attacks more heavily, or may calculate it using a method arbitrarily determined by the security administrator.
• the conformance characteristic need not be calculated from the number of attacks actually detected; it may instead be calculated using information on attacks detected by a decoy system that simulates the real system, such as a honeypot.
• the conformance characteristic may also be a value set by the security administrator by an arbitrary method using other information.
• the conformance characteristic calculation process may be executed every time the master category setting process is executed, every time an attack is detected, or at an arbitrary time or time interval predetermined by the security administrator.
• the threat information management unit 131 reads the If rule table 210 held by the data analysis apparatus 200, analyzes each If rule, performs a character string search using the per-vendor category names and the master category names stored in the threat category table 152, and determines the master category corresponding to the matched character string as the category of that If rule.
• the threat information management unit 131 may perform the character string search using category names obtained by referring to the threat category table 152; for example, it may search using a category synonym dictionary, or the security administrator may check the rule contents and determine the category manually. This categorization of If rules may be executed each time a security rule is added, each time the master category setting process is executed, or at an arbitrary time or time interval predetermined by the security administrator.
  • FIG. 20 is a diagram showing an operation flow of security rule priority calculation processing.
• the security rule priority calculation process is a procedure in which the security rule evaluation device 100 calculates, for each If rule, a priority for considering its update, using the importance of the threat information obtained from outside, the conformance characteristic indicating the relationship with the information system to be protected, and the weight of the information security vendor.
  • the threat information management unit 131 determines whether or not there is a change in the importance level, the matching characteristic, or the weight value (step S231). Specifically, the threat information management unit 131 uses the importance 154C stored in the threat category evaluation table 154, the matching characteristic 156D stored in the threat information matching characteristic table 156, or the weight 159C stored in the weighting table 159. It is determined whether the value of has been updated. When there is no change in any of the importance level, the adaptation characteristic, and the weight value (in the case of “No” in step S231), the threat information management unit 131 returns the control to step S231.
• when any of them has changed ("Yes" in step S231), the security rule evaluation unit 132 calculates the priority of the security rules (If rules and Then rules) (step S232). Specifically, the security rule evaluation unit 132 calculates, for each information system, the priority of each category to which its security rules belong, using the values of the importance 154C stored in the threat category evaluation table 154, the conformance characteristic 156D stored in the threat information conformance characteristic table 156, and the weight 159C stored in the weighting table 159, and stores the result in the priority 160D of the security rule evaluation table 160.
• the security rule evaluation unit 132 calculates the priority of a category by taking, for each information security vendor, the product of the importance, the conformance characteristic, and the weight for that category, and summing the products over all information security vendors. For example, if the number of information security vendors is m, and for each category the importance is Ic, the conformance characteristic is Fc, and the weight is Wc, the priority Pc is obtained by the following equation (2).
  • the above is the operation flow of the security rule priority calculation process.
• with the security rule priority calculation process, the priority of a security rule can be calculated using the importance, which reflects the external environment through the threat information from information security vendors, the conformance characteristic, which reflects characteristics specific to the information system to be protected, and the weighting, which takes into account trends among information security vendors.
• for example, the priority of the category "spyware file access" for the information system "X" is the sum of the product of the importance, conformance characteristic, and weight of "spyware file access" of the information security vendor "A" for the information system "X" and the same product for the information security vendor "B": (4.2 × 13 × 2) + (8.3 × 7 × 8) = 574.
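As an added example (not the patent's own code), the following Python carries the conformance characteristic of step S213 and the priority of step S232 through on constructed tables. The attack detection counts, importances and weights are made up except where quoted above (the 30 ransomware detections on system "X", the spyware importances 4.2 and 8.3 with weights 2 and 8, and the ransomware weight 8 for vendor "A"); the counts are chosen so that the spyware rows come out at 13 and 7 per cent of system "X"'s detections, the conformance values used in the worked example. Expressing the ratio in per cent is an assumption chosen to match the magnitude of those values.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed attack detection count table 158: (system, vendor, master category, count).
ATTACK_COUNTS: List[Tuple[str, str, str, int]] = [
    ("X", "A", "Ransomware communication destination IP", 30),
    ("X", "B", "Ransomware communication destination IP", 50),
    ("X", "A", "Spyware file access", 13),
    ("X", "B", "Spyware file access", 7),
]

# Constructed importance 154C values: (vendor, category) -> importance.
IMPORTANCE: Dict[Tuple[str, str], float] = {
    ("A", "Spyware file access"): 4.2,
    ("B", "Spyware file access"): 8.3,
    ("A", "Ransomware communication destination IP"): 7.2,
    ("B", "Ransomware communication destination IP"): 3.2,
}

# Constructed weighting table 159: (vendor, category) -> weight 159C.
WEIGHT: Dict[Tuple[str, str], float] = {
    ("A", "Spyware file access"): 2,
    ("B", "Spyware file access"): 8,
    ("A", "Ransomware communication destination IP"): 8,
    ("B", "Ransomware communication destination IP"): 5,
}


def conformance(table) -> Dict[Tuple[str, str, str], float]:
    """Step S213: conformance characteristic 156D as the percentage of all
    attacks detected on a system that fall in a given (vendor, master category)."""
    totals = defaultdict(int)
    for system, _, _, count in table:
        totals[system] += count
    return {
        (system, vendor, category): (100.0 * count / totals[system] if totals[system] else 0.0)
        for system, vendor, category, count in table
    }


def priority(system, category, importance, conformance_table, weight) -> float:
    """Step S232: Pc = sum over vendors of Ic * Fc * Wc for one system and category.
    A vendor that lacks any of the three values contributes nothing."""
    total = 0.0
    for (s, vendor, c), fc in conformance_table.items():
        if s != system or c != category:
            continue
        ic = importance.get((vendor, category))
        wc = weight.get((vendor, category))
        if ic is None or wc is None:
            continue
        total += ic * fc * wc
    return total


def rank_rules(system, if_rules, importance, conformance_table, weight):
    """Fill the security rule evaluation table 160 for one system and return its
    rows (If rule name, master category, priority 160D) in descending priority,
    the order in which the priority rule presentation unit 133 lists them."""
    rows = [(name, cat, priority(system, cat, importance, conformance_table, weight))
            for name, cat in if_rules]
    return sorted(rows, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    fc = conformance(ATTACK_COUNTS)
    print(priority("X", "Spyware file access", IMPORTANCE, fc, WEIGHT))  # 574.0
    # Constructed If rule names for system "X" with the master category each belongs to.
    print(rank_rules("X", [("If rule A", "Spyware file access"),
                           ("If rule B", "Ransomware communication destination IP")],
                     IMPORTANCE, fc, WEIGHT))
```

Note that a vendor missing from any one of the three tables silently drops out of the sum; in a production implementation that gap should be surfaced, since an unmapped master category (see the master category setting process) would otherwise quietly lower a rule's priority.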
• step S232 may also be performed by any other method determined by the security administrator. Further, the security rule priority calculation process may be executed at an arbitrary time or time interval predetermined by the security administrator. Further, the security rule evaluation unit 132 may raise the priority of an If rule or Then rule whose type, item, and value exactly match those of an actual attack, because updating a rule that exactly matches the actually attacked value should be given the highest priority.
• the security rule evaluation unit 132 may also calculate priorities only for the security rules related to the configuration of the information system to be protected. In this case, following execution of the system change influence rule extraction process described later, the security rule evaluation unit 132 receives the extracted security rule information and performs the security rule priority calculation process only for those rules.
  • FIG. 21 is a diagram showing an operation flow of system change influence rule extraction processing.
  • the system change influence rule extraction process is a procedure in which the security rule evaluation unit 132 extracts a security rule that can be affected by a change in the information system to be protected.
  • the security rule evaluation unit 132 determines whether there is an information system configuration change or threat information update (step S311). For example, the security rule evaluation unit 132 inquires of the configuration management system of the information system to be protected whether there is change information, and inquires of the computer system 1 of the information security vendor whether the threat information is updated. As a result, if there is no information system configuration change or threat information update ("No" in step S311), the security rule evaluation unit 132 returns control to step S311.
• when there is such a change or update ("Yes" in step S311), the security rule evaluation unit 132 extracts the security rules that may need to be updated (step S312). Specifically, the security rule evaluation unit 132 refers to the If rule table 210 included in the data analysis device 200 and the Then rule table 310 included in the IT resource control device 300, and extracts the If rules and Then rules related to the information system configuration change or threat information update.
• for example, the security rule evaluation unit 132 performs a character string search to determine whether a value associated with the information system configuration change is included in the contents of an If rule, and if the character string is included, extracts it as a related If rule.
• for example, for the information system "X", the security rule evaluation unit 132 performs a character string search for "server 1" and "server 2" over the If rules in the If rule table 210, and extracts "If rule E", which includes "server 1", as a security rule that may need to be updated.
• similarly, the security rule evaluation unit 132 performs a character string search on the rule content 310C of the Then rule table 310 and extracts matching Then rules as related security rules.
  • the above is the operation flow of the system change impact rule extraction process.
• with the system change influence rule extraction process, it is possible to extract all the security rules within the range of influence of a change in the environment, such as a configuration change of the information system to be protected.
• the security rule evaluation unit 132 may also refer to the If / Then rule correspondence table 220 for the If rule or Then rule extracted in step S312, and extract the corresponding Then rule or If rule as a security rule to be updated.
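As an added example (not the patent's own code), the following Python performs the extraction of step S312 over constructed If rule table 210 and Then rule table 310 rows, restricted to the changed information system, and then expands the result one hop through a constructed If / Then rule correspondence table 220. Only "If rule E" containing "server 1" for system "X" is quoted above; the other rows and the correspondence pairs are made up. The example also shows the caveat a practitioner would want: the plain substring search described in the text makes "server 1" match "server 10", so a whole-word mode is provided as well.

```python
import re
from typing import Iterable, List, Set, Tuple

# Constructed If rule table 210 and Then rule table 310 rows:
# (rule name, system identifier, rule content).
IF_RULES: List[Tuple[str, str, str]] = [
    ("If rule D", "X", "if src_ip in ransomware_c2_list then alert"),
    ("If rule E", "X", "if dst_host == 'server 1' and dst_port == 445 then alert"),
    ("If rule F", "Y", "if dst_host == 'server 2' then alert"),    # another system
    ("If rule G", "X", "if dst_host == 'server 10' then alert"),   # 'server 1' is only a prefix
]
THEN_RULES: List[Tuple[str, str, str]] = [
    ("Then rule 1", "X", "isolate server 1 from its network segment"),
    ("Then rule 2", "X", "block src_ip at the perimeter firewall"),
]
# Constructed If / Then rule correspondence table 220: (If rule name, Then rule name).
IF_THEN: List[Tuple[str, str]] = [("If rule D", "Then rule 2"), ("If rule E", "Then rule 2")]


def mentions(content: str, term: str, whole_word: bool) -> bool:
    """Character string search for one changed component name in a rule body.
    With whole_word=False this is the plain substring search of step S312;
    with whole_word=True the term may not be embedded in a longer token, so
    'server 1' no longer matches 'server 10'."""
    if not whole_word:
        return term in content
    return re.search(r"(?<!\w)" + re.escape(term) + r"(?!\w)", content) is not None


def extract_affected_rules(system: str, changed: Iterable[str], if_rules, then_rules,
                           correspondence, whole_word: bool = True) -> Set[str]:
    """Steps S311-S312 plus the correspondence-table expansion: return the names
    of every If rule and Then rule of `system` that mentions a changed component,
    together with the rules paired with them in table 220 (one hop, both
    directions, so a Then rule found directly also pulls in its If rules)."""
    changed = list(changed)
    direct: Set[str] = set()
    for name, sys_id, content in list(if_rules) + list(then_rules):
        if sys_id == system and any(mentions(content, term, whole_word) for term in changed):
            direct.add(name)
    expanded = set(direct)
    for if_name, then_name in correspondence:
        if if_name in direct:
            expanded.add(then_name)
        if then_name in direct:
            expanded.add(if_name)
    return expanded


if __name__ == "__main__":
    change = ["server 1", "server 2"]
    print(sorted(extract_affected_rules("X", change, IF_RULES, THEN_RULES, IF_THEN)))
    print(sorted(extract_affected_rules("X", change, IF_RULES, THEN_RULES, IF_THEN, whole_word=False)))
```

"If rule F" is not returned for system "X" even though it mentions "server 2", because it belongs to system "Y"; the substring mode additionally returns "If rule G", which is the false positive the whole-word mode avoids.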
• the security administrator can use the security rule evaluation device 100 to narrow down the security rules extracted in step S312 and confirm their priorities.
  • the priority rule presenting unit 133 displays, for example, the management screen 400 shown in FIG.
  • FIG. 22 is a diagram showing an output screen example of the security rule priority calculation process.
• the management screen 400 has a security rule display area 410 in which the security rules extracted in step S312 that may need to be updated are displayed in order of priority.
• the management screen 400 displays Then rules and If rules in the same manner, without distinguishing between them.
• the present invention is not limited to this; the priority of the If rule corresponding to a Then rule (preferably the highest such priority) may be displayed as the priority of the Then rule by referring to the If / Then rule correspondence table 220.
• the management screen 400 may display, for example, the security rules that the security administrator selected from the security rule evaluation table 160 among those extracted in step S312, or may display the security rules extracted in step S312 in order of priority.
• instead of a single security administrator updating all the security rules of the information system to be protected, security administrators may be assigned per information system.
• each security administrator registers the information systems that he / she manages in the security rule evaluation apparatus 100 in advance, and the security rule evaluation unit 132 executes the security rule priority calculation process and the system change influence rule extraction process only for the information systems registered to the logged-in security administrator. In this way, even when the information system becomes large, the work can easily be divided.
  • each of the above-described configurations, functions, processing units, and the like may be realized by hardware by designing a part or all of them with, for example, an integrated circuit.
  • control lines and information lines indicate what is considered necessary for the explanation, and not all the control lines and information lines on the product are necessarily shown. Actually, it may be considered that almost all the components are connected to each other.
  • each of the above-described configurations, functions, processing units, and the like may be realized in a distributed system by executing a part or all of them by, for example, another device and performing integrated processing via a network.

Abstract

The purpose of the present invention is to provide a technology which assists with considering a change in a security rule in connection with a change in environment. Provided is a security rule evaluation device, comprising: a threat information management unit which identifies information of the seriousness of an information security threat and pertinence characteristic information which indicates a pertinence characteristic between the threat and an information processing system subject to protection; a security rule evaluation unit which, using at least the seriousness information and the pertinence characteristic information, computes for each security rule of the information processing system a priority for updating the security rule; and a priority rule presentation unit which presents the security rules which are subject to updating, in order by the priority according to the security rule evaluation unit.

Description

Security rule evaluation device and security rule evaluation system
The present invention relates to a security rule evaluation device and a security rule evaluation system. The present invention claims the priority of Japanese Patent Application No. 2016-217845 filed on November 8, 2016, and for the designated countries where incorporation by reference of documents is permitted, the contents described in that application are incorporated into this application by reference.
As background art in this technical field, there is JP 2010-266966 A (Patent Document 1). This publication describes a security countermeasure evaluation method in which a computer collects log information and asset management information from the computer systems of each organization, statistically processes the collected log information and asset management information for each specific group, and includes an evaluation step of performing a relative evaluation of the information security of each organization within the group, thereby obtaining an index of the extent of the security countermeasures each organization has taken.
Patent Document 1: JP 2010-266966 A
The technique described in Patent Document 1 stops at evaluating security rules; no measure is considered for the maintenance load of security rules that accompanies changes in the environment.
An object of the present invention is to provide a technique that can assist in examining changes to security rules accompanying changes in the environment.
The present application includes a plurality of means for solving at least part of the above problems, one example of which is as follows. A security rule evaluation device according to one aspect of the present invention includes: a threat information management unit that identifies importance information of an information security threat and conformance characteristic information indicating a conformance characteristic between the threat and an information processing system to be protected; a security rule evaluation unit that calculates, for each security rule of the information processing system, a priority for updating the security rule using at least the importance information and the conformance characteristic information; and a priority rule presentation unit that presents the security rules to be updated in the order of the priorities calculated by the security rule evaluation unit.
According to the present invention, examination of changes to security rules accompanying changes in the environment can be assisted. Problems, configurations, and effects other than those described above will be made clear by the following description of the embodiment.
• FIG. 1 is a diagram showing the configuration of the security rule evaluation system according to the first embodiment of the present invention.
• FIG. 2 is a diagram showing a data structure stored in the If rule table.
• FIG. 3 is a diagram showing a data structure stored in the If / Then rule correspondence table.
• FIG. 4 is a diagram showing a data structure stored in the Then rule table.
• FIG. 5 is a diagram showing the configuration of the security rule evaluation device.
• FIG. 6 is a diagram showing a data structure stored in the threat information table.
• FIG. 7 is a diagram showing a data structure stored in the threat category table.
• FIG. 8 is a diagram showing a data structure stored in the similar category table.
• FIG. 9 is a diagram showing a data structure stored in the threat category evaluation table.
• FIG. 10 is a diagram showing a data structure stored in the attack detection information table.
• FIG. 11 is a diagram showing a data structure stored in the threat information conformance characteristic table.
• FIG. 12 is a diagram showing a data structure stored in the threat information update count table.
• FIG. 13 is a diagram showing a data structure stored in the attack detection count table.
• FIG. 14 is a diagram showing a data structure stored in the weighting table.
• FIG. 15 is a diagram showing a data structure stored in the security rule evaluation table.
• FIG. 16 is a diagram showing the hardware configuration of the security rule evaluation device.
• FIG. 17 is a diagram showing the operation flow of the master category setting process.
• FIG. 18 is a diagram showing the operation flow of the threat category importance calculation process.
• FIG. 19 is a diagram showing the operation flow of the conformance characteristic calculation process.
• FIG. 20 is a diagram showing the operation flow of the security rule priority calculation process.
• FIG. 21 is a diagram showing the operation flow of the system change influence rule extraction process.
• FIG. 22 is a diagram showing an example of the output screen of the security rule priority calculation process.
Hereinafter, one embodiment of the present invention is described with reference to the drawings. In all drawings used to describe the embodiment, the same members are, in principle, denoted by the same reference symbols, and repeated description of them is omitted. In the following embodiment, the constituent elements (including element steps and the like) are, needless to say, not necessarily indispensable, except where explicitly stated or clearly considered essential in principle. Likewise, the expressions "consisting of A", "composed of A", "having A", and "including A" do not exclude other elements, except where it is explicitly stated that only that element is meant. Similarly, when the shapes, positional relationships, and the like of constituent elements are referred to in the following embodiment, shapes that substantially approximate or resemble them are included, except where explicitly stated or clearly considered otherwise in principle.
In general, security systems are known that aim to limit the damage of cyber attacks by malware such as viruses, spyware, ransomware, and adware, either by preventing the attack or by detecting the attacked terminal and isolating it from the network.
Until now, security systems have typically placed a security countermeasure product between the Internet and the system, for example, and the technique of responding to cyber attacks by executing, on a rule-based engine, the monitoring technology pre-implemented in each product, the analysis rules for the information obtained by monitoring, and the control rules applied according to the analysis results has become widespread. However, as attack modes change, with the evolution of attack methods and unauthorized operations by people inside the system, specific security countermeasure products alone can no longer cover every attack mode, and preventing cyber attacks has become difficult.
Therefore, in recent years, security systems have become more widespread in which, in addition to the log information obtained from security countermeasure products, a data analysis platform performs correlation analysis on log information obtainable from various IT resources, including network devices such as switches and proxies, server devices, and storage, and an IT resource control platform performs the necessary control according to the analysis results, such as shutting down a port of a network device, thereby detecting unknown attacks and malware-infected terminals.
Such security systems often use If rules, which detect unknown attacks and malware-infected terminals by correlation analysis of many logs, and Then rules, which define the control to be performed when an If rule is satisfied. These security rules are set by a security administrator for each system protected by the security system (that is, for each tenant, department, user, and so on).
Such security rules need to be updated quickly to respond to frequent configuration changes in the protected system and to new security threats (cyber attacks). On the other hand, because multiple security administrators each set a large number of security rules for each system, it is difficult to grasp the content of the security rules for all protected systems. As a result, the time needed to select the security rules that require updating, make appropriate modifications, and apply the update becomes enormous. A technique is therefore needed that quickly identifies the security rules to be updated and assists the decision to update.
The technique described in Patent Document 1 above collects and statistically processes information on the security measures of other systems, different from the system under evaluation, and uses the result as the security level standard. However, the security threats to be emphasized may differ between those other systems and the system whose security level is to be evaluated.
Suppose, for example, that the system of a company with many employees emphasizes defense against targeted attack e-mails aimed at particular organizations or individuals. Suppose also that a system operating a website open to the public, such as a homepage, emphasizes defense against DDoS (Distributed Denial of Service) attacks, which temporarily send a large volume of traffic to make the website unavailable. If the company's system is used as the security level standard for the security rules of such a website system, the countermeasure priority of security rules concerning targeted attack e-mails, which the website system does not emphasize, rises, while the countermeasure priority of security rules concerning DDoS attacks, which it does emphasize, falls.
In other words, when the Web system's security rules are updated, the security rules concerning targeted attack e-mails, which have the higher priority, are updated first, and it takes time before the security rules concerning DDoS attacks are updated; during that time the security level against cyber attacks declines. Thus, using other systems as the security level standard lowers the priority of the security threats that should be emphasized, and as a result the necessary security rule updates may take time.
Therefore, when evaluating the priority of a system's security rules, the present invention uses the security information of other systems as the security level standard in order to follow general security threat trends, while setting a high priority for the security rules concerning the threats that each system should emphasize, so that the security rules that need updating can be selected and updated quickly.
The effect is that, by using general security information as the security level standard, the trend of threat information is reflected while the priority of security rules concerning the security threats each system should emphasize is raised, so that the security rules that must be updated to keep each system's security level high can be selected and updated quickly.
FIG. 1 is a diagram showing the configuration of a security rule evaluation system according to the first embodiment of the present invention.
In the present embodiment, the security evaluation system involving the security rule evaluation device 100 includes a computer system 1A (and 1B) held by an information security company or the like that provides threat information, a security system 4 communicably connected to the computer system 1A via a network 3, and a server device 6, a network device 7, storage 8, and a security countermeasure product 9 communicably connected to the security system 4 via a network 5. Hereinafter, the computer systems 1A and 1B are referred to as the computer system 1 when they need not be distinguished. Likewise, the server device 6, the network device 7, the storage 8, and the security countermeasure product 9 are referred to as IT (Information Technology) devices when they need not be distinguished. The IT devices in FIG. 1 are merely an example; they are not limited to these types, and various other kinds of electronic devices may be connected.
The computer system 1 is an information system including a server device, which is physical computer hardware, installed in, for example, an information security company that provides information security countermeasure products and information, an information security organization that collects and publishes information on information security, or a system owned by a particular company that independently collects and analyzes information on information security. Hereinafter, information security companies, information security organizations, and information systems that collect and analyze information on information security are referred to as information security vendors when they need not be distinguished.
The computer systems 1A and 1B store and hold security threat information 2A and 2B, respectively. Hereinafter, the security threat information 2A and 2B is referred to as security threat information 2 when it need not be distinguished. The computer system 1 is connected to the security system 4 through the network 3 and, for example, transmits the security threat information 2 to the security system 4, in particular to the security rule evaluation device 100, periodically (at a predetermined frequency, for example about once every four hours) or at a predetermined timing (promptly, when a threat requiring urgent response arises).
The security threat information 2 includes information on cyber attacks. For example, it includes cyber attack information conforming to a standard for describing cyber attacks such as STIX (Structured Threat Information eXpression), or cyber attack information and countermeasure information in formats provided independently by information security companies and information security organizations.
The network 3 is, for example, a public network such as the Internet, a LAN (Local Area Network), or a WAN (Wide Area Network), and communicably connects the computer system 1 and the security system 4. For example, the computer system 1 uses the network 3 to transmit the security threat information 2 to the security system 4, in particular to the security rule evaluation device 100.
The security system 4 includes a security rule evaluation device 100, a data analysis device 200, and an IT resource control device 300. Details are described later.
The network 5 is, for example, a public network such as the Internet or an in-house network such as a LAN, and connects the security system 4 and the IT devices. For example, the security system 4 uses the network 5 to collect the cyber attack detection logs of the security countermeasure product 9 and, as a result of analyzing the logs, transmits control instructions to the IT devices via the network 5.
The server device 6 is, for example, a server computer, that is, physical computer hardware. The network device 7 is, for example, a switch, router, proxy, or firewall. The storage 8 is, for example, a storage device that holds data and can exchange data with other devices via the network 5, or a database control device. The security countermeasure product 9 is, for example, an IPS (Intrusion Prevention System), IDS (Intrusion Detection System), or UTM (Unified Threat Management) that detects cyber attacks.
The security rule evaluation device 100 is, for example, a server computer, that is, physical computer hardware. The security rule evaluation device 100 is communicably connected to the computer system 1, the data analysis device 200, and the IT resource control device 300, and can receive security threat information 2A from the computer system 1A and security threat information 2B from the computer system 1B. The security rule evaluation device 100 can also receive information on the If rule table 210 and the If/Then rule correspondence table 220 from the data analysis device 200, and information on the Then rule table 310 from the IT resource control device 300. Other details of the security rule evaluation device 100 are described later.
The data analysis device 200 is, for example, a server computer, that is, physical computer hardware. The data analysis device 200 is communicably connected to the security rule evaluation device 100, the IT resource control device 300, and the IT devices, and can transmit the If rule table 210 and the If/Then rule correspondence table 220 to the security rule evaluation device 100. The data analysis device 200 also acquires and analyzes logs from the IT devices and, when a log matches an If rule stored in the If rule table 210, transmits to the IT resource control device 300 an instruction to execute the Then rule stored in the Then rule table 310, following the correspondence in the If/Then rule correspondence table 220.
FIG. 2 is a diagram showing the data structure stored in the If rule table. The If rule table 210 stores a system identifier 210A, an If rule name 210B, and rule content 210C in association with each other. The system identifier 210A is information identifying the protected information system to which the If rule applies. The If rule name 210B is the name of a rule whose conditions detect a threat to the protected information system. The rule content 210C is information specifying the detailed attributes of the rule, expressed as string conditions for detecting a threat to the protected information system. For example, the rule content 210C contains, as text data, information determining the range of data against which the condition is checked, information identifying physical devices, and condition specifications such as the log pattern a threat leaves or the IP (Internet Protocol) address of a communication destination. Such an If rule table 210 is used, for example, in the technique of detecting cyber attacks by correlation analysis of IT device logs. That is, the security rules of the present embodiment can be said to store the conditions under which an attack by a threat is detected in the information processing system.
In the example shown in FIG. 2, "If rule A" for the information system "X" is "data=“事業部B” machine=“VM1” threat=“スパイウェア” ファイルアクセス=“/userA”". This means "from the logs of VM1 in Division B (事業部B), extract the logs judged to be spyware (スパイウェア) whose accessed file (ファイルアクセス) is /userA".
The rule content of the If rule table 210 may be written in an analysis language (not shown) provided by the data analysis device 200, or in any language or tool prepared by the security administrator.
FIG. 3 is a diagram showing the data structure stored in the If/Then rule correspondence table. The If/Then rule correspondence table 220 stores a system identifier 220A, an If rule name 220B, and a Then rule name 220C in association with each other. The system identifier 220A is information identifying the protected information system to which the If rule applies. The If rule name 220B is the name of a rule whose conditions detect a threat to the protected information system. The Then rule name 220C is information identifying the Then rule that defines the information processing to be carried out as a countermeasure when a threat to the protected information system is detected. Such an If/Then rule correspondence table 220 is, for example, the technique of defining the Then rule to be executed when an If rule is matched.
The IT resource control device 300 is, for example, a server computer, that is, physical computer hardware. The IT resource control device 300 is communicably connected to the security rule evaluation device 100, the data analysis device 200, and the IT devices, and can transmit the Then rule table 310 to the security rule evaluation device 100. When the IT resource control device 300 receives from the data analysis device 200 an instruction to execute a Then rule stored in the Then rule table 310, it searches the Then rule table 310 for that Then rule, reads it out, and uses it to control the IT devices.
FIG. 4 is a diagram showing the data structure stored in the Then rule table. The Then rule table 310 stores, for each Then rule to be executed when an If rule is matched, a system identifier 310A, a Then rule name 310B, and rule content 310C in association with each other. The system identifier 310A is information identifying the protected information system to which the Then rule applies. The Then rule name 310B is the name of the information processing rule executed when a threat to the protected information system is detected. The rule content 310C is information specifying a predetermined command, an executable file to be run, a script, a control command for a remote machine, or the like. Such a Then rule table 310 is, for example, the technique of defining the rule to be executed when an If rule is matched.
In the example shown in FIG. 4, "Then rule A" for the information system "X" is "vmcontrol.pl -operation poweroff --vmname XXX", which specifically means "power off the VM (virtual machine) named XXX". The rule content of the Then rule table 310 may be written in a control language provided by the IT resource control device 300, or in any language or tool prepared by the security administrator.
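As an added example (not the patent's code), the following Python models the three tables of FIGS. 2 to 4 and replays the step performed by the data analysis device 200: it parses the rule content 210C of If rule A into key/value conditions, applies them to constructed log records, and resolves the Then rule to hand to the IT resource control device 300 through the correspondence table 220. The condition syntax, the log record fields, and the `system` tag on each log are assumptions; the Then rule command is returned, never executed.

```python
import re
from dataclasses import dataclass

# Accept the full-width quotes of the page's example (“ ”) as well as ASCII ones.
_COND_RE = re.compile(r'(\S+?)=[“"]([^”"]*)[”"]')


@dataclass(frozen=True)
class IfRule:          # one row of If rule table 210
    system_id: str     # 210A: protected information system
    name: str          # 210B
    content: str       # 210C: key=“value” conditions, as in FIG. 2


@dataclass(frozen=True)
class ThenRule:        # one row of Then rule table 310
    system_id: str     # 310A
    name: str          # 310B
    content: str       # 310C: command handed to IT resource control device 300


def parse_conditions(content):
    """Split rule content 210C into {key: required value} (condition syntax is assumed)."""
    conds = dict(_COND_RE.findall(content))
    if not conds:
        raise ValueError("no key=“value” conditions in: " + content)
    return conds


def log_matches(conds, log):
    """A log record satisfies an If rule when every condition holds; missing keys never match."""
    return all(log.get(key) == value for key, value in conds.items())


def evaluate(if_rules, correspondence, then_rules, logs):
    """Replay data analysis device 200: for every log that matches an If rule of its own
    system, resolve the Then rule through correspondence table 220 and return
    (system, If rule name, Then rule name, Then rule content, log). Nothing is executed."""
    then_by_key = {(t.system_id, t.name): t for t in then_rules}
    then_name_of = {(sys_id, if_name): then_name for sys_id, if_name, then_name in correspondence}
    actions = []
    for rule in if_rules:
        conds = parse_conditions(rule.content)
        for log in logs:
            # 'system' is an assumed tag saying which protected system emitted the log
            if log.get("system") != rule.system_id or not log_matches(conds, log):
                continue
            then_name = then_name_of.get((rule.system_id, rule.name))
            then_rule = then_by_key.get((rule.system_id, then_name))
            if then_rule is None:        # If rule without a Then rule: detect only
                continue
            actions.append((rule.system_id, rule.name, then_rule.name, then_rule.content, log))
    return actions


# Constructed sample tables: the FIG. 2 and FIG. 4 rows from the text plus one extra rule.
IF_RULES = [
    IfRule("X", "If rule A", "data=“事業部B” machine=“VM1” threat=“スパイウェア” ファイルアクセス=“/userA”"),
    IfRule("X", "If rule B", 'threat="ransomware" dst_ip="1.2.3.4"'),   # ASCII quotes, no Then rule mapped
]
CORRESPONDENCE = [("X", "If rule A", "Then rule A")]                    # If/Then rule correspondence table 220
THEN_RULES = [ThenRule("X", "Then rule A", "vmcontrol.pl -operation poweroff --vmname XXX")]
LOGS = [   # constructed log records; only the first satisfies every condition of If rule A
    {"system": "X", "data": "事業部B", "machine": "VM1", "threat": "スパイウェア", "ファイルアクセス": "/userA"},
    {"system": "X", "data": "事業部B", "machine": "VM1", "threat": "スパイウェア", "ファイルアクセス": "/userB"},
    {"system": "X", "data": "事業部B", "machine": "VM2", "threat": "スパイウェア", "ファイルアクセス": "/userA"},
    {"system": "Y", "data": "事業部B", "machine": "VM1", "threat": "スパイウェア", "ファイルアクセス": "/userA"},
    {"system": "X", "threat": "ransomware", "dst_ip": "1.2.3.4"},
]


def run_example():
    return evaluate(IF_RULES, CORRESPONDENCE, THEN_RULES, LOGS)


if __name__ == "__main__":
    for system, if_name, then_name, command, log in run_example():
        print(f"[{system}] {if_name} matched {log} -> {then_name}: {command}")
```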
As described above, in the present embodiment the security system 4 includes the security rule evaluation device 100, the data analysis device 200, and the IT resource control device 300 as separate, independent devices, but it goes without saying that the functions of these devices may be implemented on a single server computer, that is, a single piece of physical computer hardware.
FIG. 5 is a diagram showing the configuration of the security rule evaluation device. The security rule evaluation device 100 includes, for example, an input unit 110, an output unit 120, a calculation unit 130, a communication unit 140, and a storage unit 150.
The input unit 110 accepts user input entered through a device such as a keyboard or mouse and sends it to the calculation unit 130.
The output unit 120 causes a device such as a display to output the output information that results from the calculation unit 130 processing the user's input.
The calculation unit 130 includes a threat information management unit 131, a security rule evaluation unit 132, and a priority rule presentation unit 133.
The threat information management unit 131 acquires security threat information from the computer system 1, uses it to set master categories, and calculates the importance for each threat category. More specifically, the threat information management unit 131 determines the importance of a threat according to the update frequency of the information that security vendors provide about that threat; when information provided by multiple security vendors is used, it classifies the threats into master categories common across the security vendors and determines the importance by summing the values across the security vendors for each master category, thereby calculating the importance per threat category. The threat information management unit 131 also determines, for each threat, the adaptation characteristic information of that threat, using the record of attacks actually detected against the protected information processing system. In other words, the threat information management unit 131 determines information on the importance of information security threats and adaptation characteristic information relating the threats to the protected information processing system.
The security rule evaluation unit 132 calculates the adaptation characteristics of the protected information system with respect to the threats and, using the importance and a predetermined weighting, calculates the update priority of the security rules. The security rule evaluation unit 132 can also identify the range of security rules that relate to a changed part of the information system's configuration and calculate the priority of those rules. The security rule evaluation unit 132 calculates a higher priority for a security rule the higher its importance and the higher its adaptation characteristic.
The security rule evaluation unit 132 acquires attack detection information for each information system from the security countermeasure product 9 via the network 5 and stores it in the attack detection information table 155. Using the attack detection information table 155, the security rule evaluation unit 132 calculates from the attack detection information, for each information system, the adaptation characteristic of each information security vendor's category and stores it in the threat information adaptation characteristic table 156. Also using the attack detection information table 155, the security rule evaluation unit 132 classifies the attack detection information, calculates the number of attacks for each threat category, and stores it in the attack detection count table 158.
Furthermore, the security rule evaluation unit 132 stores in the weighting table 159 a weight per category for each information security vendor, set for example by the security administrator. The security rule evaluation unit 132 also acquires the If rule table 210 from the data analysis device 200 and the Then rule table 310 from the IT resource control device 300, classifies each rule into one of the categories defined in the threat category table 152, and stores the result in the security rule evaluation table 160. Using the threat category evaluation table 154, the threat information adaptation characteristic table 156, and the weighting table 159, the security rule evaluation unit 132 calculates the priority of each security rule and stores it in the security rule evaluation table 160.
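As an added example (not the patent's code) of the calculation described in the preceding paragraphs, the following Python builds the threat category evaluation table 154 and the adaptation characteristic table 156 from constructed update counts, a vendor-to-master category mapping, detection counts, and weights, then ranks the rules the way the priority rule presentation unit 133 would display them. The concrete formulas (weighted update counts summed over vendors for importance, share of a system's own detections for adaptation, importance times (1 + adaptation) for priority) are assumptions, since the page states only that higher importance and higher adaptation give higher priority.

```python
from collections import defaultdict

# Constructed sample tables (not the patent's figures). Vendor categories keep each
# vendor's own naming; the master category (threat category table 152 / similar
# category table 153) unifies them across vendors.
MASTER_OF = {            # (vendor, vendor category) -> master category
    ("A", "ransomware"): "ransomware",
    ("B", "cryptolocker"): "ransomware",   # vendor B's name for the same threat
    ("A", "virus"): "virus",
    ("B", "ddos"): "DDoS",
}
UPDATE_COUNTS = {        # threat information update count table 157
    ("A", "ransomware"): 4, ("A", "virus"): 1,
    ("B", "cryptolocker"): 2, ("B", "ddos"): 3,
}
WEIGHTS = {              # weighting table 159: administrator-set weight per vendor and category
    ("B", "cryptolocker"): 0.5,   # vendor B's ransomware feed counts half; others default to 1.0
}
DETECTIONS = {           # attack detection count table 158: (system, master category) -> count
    ("X", "ransomware"): 1, ("X", "virus"): 1,      # X: a company with many employees
    ("Y", "DDoS"): 9, ("Y", "ransomware"): 1,        # Y: a public web site
}
RULES = [                # security rule evaluation table 160: each rule classified into a master category
    ("X", "If rule A", "ransomware"), ("X", "If rule B", "DDoS"), ("X", "Then rule A", "virus"),
    ("Y", "If rule C", "DDoS"), ("Y", "If rule D", "ransomware"),
]


def category_importance(update_counts, master_of, weights):
    """Threat category evaluation table 154: weighted update counts summed over vendors
    per master category (the general threat trend, shared by every protected system)."""
    importance = defaultdict(float)
    for key, count in update_counts.items():
        importance[master_of[key]] += weights.get(key, 1.0) * count
    return dict(importance)


def adaptation(detections):
    """Adaptation characteristic table 156 (assumed definition): the share of a system's
    detected attacks that fell into each category, so it is specific to that system."""
    totals = defaultdict(int)
    for (system, _category), count in detections.items():
        totals[system] += count
    return {(s, c): n / totals[s] for (s, c), n in detections.items() if totals[s]}


def rule_priorities(rules, importance, adapt):
    """Assumed priority = importance * (1 + adaptation): the trend alone ranks a rule for a
    category the system has never seen, and the system's own history lifts it further.
    Returns (system, rule name, priority) sorted highest first, as unit 133 would show."""
    scored = []
    for system, name, category in rules:
        pri = importance.get(category, 0.0) * (1.0 + adapt.get((system, category), 0.0))
        scored.append((system, name, round(pri, 4)))
    return sorted(scored, key=lambda row: row[2], reverse=True)


def prioritized_rules():
    return rule_priorities(RULES, category_importance(UPDATE_COUNTS, MASTER_OF, WEIGHTS),
                           adaptation(DETECTIONS))


if __name__ == "__main__":
    for system, name, pri in prioritized_rules():
        print(f"{system:>2} {name:<12} {pri:6.2f}")
```

With these numbers ransomware leads the general trend, yet the web site Y's DDoS rule outranks its own ransomware rule because of Y's detection history, while company X's DDoS rule keeps the trend value alone.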
The priority rule presentation unit 133 presents the security rules whose update should be prioritized. Specifically, the priority rule presentation unit 133 displays the security rules that the security rule evaluation unit 132 evaluated as having a high update priority, in order of priority.
The communication unit 140 is composed of a device such as a NIC (Network Interface Card) and connects to other devices.
The storage unit 150 is a storage device such as a flash memory or an HDD (Hard Disk Drive), and stores an operating system (OS), a threat information table 151, a threat category table 152, a similar category table 153, a threat category evaluation table 154, an attack detection information table 155, a threat information adaptation characteristic table 156, a threat information update count table 157, an attack detection count table 158, a weighting table 159, and a security rule evaluation table 160.
FIG. 6 shows the data structure stored in the threat information table. The threat information table 151 contains a security vendor identifier 151A, a type 151B, an item 151C and a value 151D.
The security vendor identifier 151A identifies the information security vendor. The type 151B indicates a predetermined threat type as classified by the information security vendor, such as ransomware, virus or spyware. The item 151C indicates an item that further subdivides threats of the type identified by the type 151B. For example, ransomware comes in many varieties, such as those that communicate and those that access files; those that communicate are identified by a detailed item such as the communication destination IP. The item 151C denotes such a detailed item. The value 151D identifies the value that a threat takes for the item identified by the item 151C.
In the example of FIG. 6, information security vendor "A" states that "communication whose destination IP address is 1.2.3.4 is a cyber attack classified as ransomware" and that "code containing the string 'function hoge' is a cyber attack classified as a virus". FIG. 6 may additionally hold other detailed threat information, information that follows a standard such as STIX, or threat information defined independently by a security vendor or security administrator.
FIG. 7 shows the data structure stored in the threat category table. To hold the categories extracted from the threat information, the threat category table 152 stores each security vendor's category names together with a master category that unifies the category names across security vendors. Specifically, the threat category table 152 stores the category of information security vendor A, the category of information security vendor B and the master category 152C that unifies them, associated with one another.
For example, suppose information security vendor A defines a category of type ransomware with a communication-destination-IP item, while information security vendor B defines a category of type malware (Ransomware) with a DstIP item, and these in substance classify the same threat. Then a master category of type Ransomware with a communication-destination-IP item is stored in association with both, unifying them.
The threat category table 152 shown in FIG. 7 may store categories at the granularity of a standard such as STIX, or at a granularity defined independently by a security vendor or security administrator. Categories may also be extracted and stored using a dictionary system that groups synonyms for threat category names (hereinafter, the category similarity dictionary), or by any method chosen by the security administrator.
FIG. 8 shows the data structure stored in the similar category table (category similarity dictionary). The similar category table 153 stores a master expression 153A, a first expression 153B and a second expression 153C in association with one another. The master expression 153A holds the expression used to represent similar expressions in a unified way. The first expression 153B holds an expression synonymous with the master expression 153A. The second expression 153C holds an expression used in another information security vendor's category that is synonymous with the master expression 153A. For example, the categories "Malware (Ransomware) Dst IP" and "Ransomware (malware) communication destination IP" are synonymous and are uniformly expressed as "Ransomware communication destination IP".
Whether the first expression 153B and the second expression 153C are synonymous can be defined, for example, using a known technique (such as Japanese Patent Application Laid-Open No. 2012-48291). The master expression 153A may be taken arbitrarily from part of the expressions such as the first expression 153B or the second expression 153C, or may be chosen freely by the security administrator.
FIG. 9 shows the data structure stored in the threat category evaluation table 154. The threat category evaluation table 154 stores a per-category importance for each information security vendor. Specifically, it stores a security vendor identifier 154A, a master category 154B and an importance 154C. The security vendor identifier 154A identifies the information security vendor. The master category 154B identifies the master category to which the threat information provided by that information security vendor has been assigned. The importance 154C, described in detail later, is the importance that the threat information management unit 131 calculates for each information security vendor from the update frequency of its threat information.
In the example of FIG. 9, information security vendor "A" provides threat information classified into the master categories "Ransomware communication destination IP", "Virus code", "Ransomware file access" and "Spyware file access", and the importance values calculated by the threat information management unit 131 for these are "7.2", "3.2", "3.0" and "4.2" respectively.
FIG. 10 shows the data structure stored in the attack detection information table. The attack detection information table 155 stores the attack detection information obtained per information system from the security countermeasure products 9 via the network 5. It stores a system identifier 155A, a time 155B, a security product 155C, a category 155D, a detection value 155E and an occurrence location 155F. The system identifier 155A identifies the information system in which the attack was detected. The time 155B is the time at which the attack was detected. The security product 155C identifies the security countermeasure product that detected the attack. The category 155D identifies the master category, comprising the type and item of the detected attack. The detection value 155E identifies the value of the item of the detected attack. The occurrence location 155F identifies where the attack was detected, that is, the IT device that was attacked.
In the example of FIG. 10, in information system "X", security countermeasure product "A" detected, at 22:51:23 on June 30, 2016, "Ransomware" communication from "server a" whose "communication destination IP" address was "1.2.3.4".
The attack detection information table 155 may also store other detailed information about attacks, information recorded in the alert logs of security countermeasure products, or information defined independently by the security administrator. As illustrated, the attack detection information table 155 may store information on attacks received and detected by a real system, or on attacks detected by a decoy system that imitates the real system, such as a honeypot.
FIG. 11 shows the data structure stored in the threat information conformance characteristic table. The threat information conformance characteristic table 156 stores a conformance characteristic indicating how strongly an information system is actually related to the threat information provided by, for example, an information security vendor. It stores a security vendor identifier 156A, a system identifier 156B, a category 156C and a conformance characteristic 156D. The security vendor identifier 156A identifies the information security vendor. The system identifier 156B identifies the information system. The category 156C identifies the category of the threat information provided by the information security vendor. The conformance characteristic 156D is an index value giving the degree to which the information system identified by the system identifier 156B conforms to the threat information belonging to the category identified by the category 156C, as provided by the information security vendor identified by the security vendor identifier 156A. The calculation of the conformance characteristic is described later.
In the example of FIG. 11, information system "X" has a conformance characteristic of "10" with respect to the threat information in information security vendor "A"'s category "Ransomware communication destination IP".
FIG. 12 shows the data structure stored in the threat information update count table. The threat information update count table 157 contains a security vendor identifier 157A, a category 157B, "2016/6/30" 157C, "2016/6/29" 157D, "2016/6/28" 157E, "2016/6/27" 157F and "2016/6/26" 157G.
The security vendor identifier 157A holds information identifying the information security vendor from which the security rule evaluation device 100 acquires threat information. The category 157B holds a predetermined threat category defined by the information security vendor identified by the security vendor identifier 157A.
"2016/6/30" 157C holds the number of threat information updates on June 30, 2016. "2016/6/29" 157D holds the number of updates on June 29, 2016. "2016/6/28" 157E holds the number of updates on June 28, 2016. "2016/6/27" 157F holds the number of updates on June 27, 2016. "2016/6/26" 157G holds the number of updates on June 26, 2016. In the example of FIG. 12 the update counts are accumulated per day, but they may instead be accumulated at any interval set by the security administrator (for example, every 3 hours or every week).
In the example of FIG. 12, the threat information on "Ransomware communication destination IP" from information security vendor "A" was updated 10 times on June 30, 2016, 5 times on June 29, 2016, 2 times on June 28, 2016, 6 times on June 27, 2016 and 20 times on June 26, 2016.
FIG. 13 shows the data structure stored in the attack detection count table. The attack detection count table 158 contains a system identifier 158A, a security vendor identifier 158B, a master category 158C and an attack detection count 158D.
The system identifier 158A identifies the information system. The security vendor identifier 158B identifies the information security vendor. The master category 158C identifies the master category to which the threat information provided by the information security vendor has been assigned. The attack detection count 158D is the number of times the information system identified by the system identifier 158A has detected an attack from threats belonging to the category identified by the master category 158C, as provided by the information security vendor identified by the security vendor identifier 158B. For example, information system "X" is shown to have detected attacks classified into information security vendor "A"'s "Ransomware communication destination IP" category "30" times.
The attack detection count stores the number of all attacks detected from the time the information system identified by the system identifier 158A started operating until the time the count is calculated. This is not limiting, however; the number of attacks detected in any time interval set by the security administrator, such as the most recent hour or the previous 24 hours, may be stored instead.
FIG. 14 shows the data structure stored in the weighting table. The weighting table 159 stores the weight applied to each master category of threats provided by an information security vendor. It contains a security vendor identifier 159A, a master category 159B and a weight 159C. The security vendor identifier 159A identifies the information security vendor. The master category 159B identifies the master category to which the threat information provided by the information security vendor has been assigned. The larger the value stored in the weight 159C, the higher the priority given to countermeasures against threats in that master category provided by the information security vendor.
In the example of FIG. 14, information security vendor "A"'s "Ransomware communication destination IP" category has a weight of "8". The weights in the weighting table 159 may be decided by any method and at any time chosen by the security administrator.
FIG. 15 shows the data structure stored in the security rule evaluation table. The security rule evaluation table 160 stores the priority of the If rules set for each information system. It contains a system identifier 160A, an If rule name 160B, a master category 160C and a priority 160D. The system identifier 160A identifies the information system. The If rule name 160B identifies the name of an If rule managed by the information system identified by the system identifier 160A. The master category 160C identifies the threat information category unified across information security vendors. The priority 160D is the degree to which updating of the If rule identified by the If rule name 160B is prioritised.
In the example of FIG. 15, If rule "A" of information system "X" is classified into the category "Spyware file access" and has a priority of "490".
FIG. 16 shows the hardware configuration of the security rule evaluation device. The security rule evaluation device 100 comprises a communication device 101 such as a NIC (Network Interface Card), a main storage device 102 such as memory, an input device 103 such as a keyboard or mouse, an arithmetic device 104 such as a CPU (Central Processing Unit), an external storage device 105 such as a hard disk or SSD (Solid State Drive), a display device 106 such as a display or printer, and a bus 107 connecting them.
The communication device 101 is a wired communication device that communicates over a network cable or a wireless communication device that communicates via an antenna. The communication device 101 communicates with other devices connected to the network.
The main storage device 102 is memory such as RAM (Random Access Memory).
The input device 103 is a device that accepts input information and includes a keyboard, a pointing device such as a mouse, a touch panel, or a microphone serving as a voice input device.
The external storage device 105 is a non-volatile storage device capable of storing digital information, such as a hard disk, SSD or flash memory.
The display device 106 is a device that produces output information and includes a display, a printer, or a speaker serving as an audio output device.
The threat information management unit 131, security rule evaluation unit 132 and priority rule presenting unit 133 described above are realised by a program that causes the arithmetic device 104 to perform their processing. This program is stored in the main storage device 102 or the external storage device 105, loaded into the main storage device 102 for execution, and executed by the arithmetic device 104.
The various tables stored in the storage unit 150 are realised by the main storage device 102 and the external storage device 105.
The communication unit 140, which connects communicably to the Internet, a LAN or the like, is realised by the communication device 101. The input unit 110 is realised by the input device 103, and the output unit 120 by the display device 106.
The above is an example hardware configuration of the security rule evaluation device 100 in this embodiment. It is not limited to this, however, and other hardware may be used; for example, the device may accept input and output via the Internet.
Although not shown, the security rule evaluation device 100 has known elements such as an OS (Operating System), middleware and applications, and in particular existing processing functions for displaying a GUI screen on an input/output device such as a display.
[Description of Operation] Next, the operation of the security rule evaluation device 100 in this embodiment is described.
FIG. 17 shows the operation flow of the master category setting process. The master category setting process is the procedure by which the security rule evaluation device 100 refers to the security threat information 2 acquired from information security vendors, extracts categories and sets master categories.
First, the threat information management unit 131 refers to the threat information acquired from the information security vendors in the threat information table 151 (step S111).
The threat information management unit 131 then extracts the threat information categories for each vendor (step S112). Specifically, it refers to the type 151B and item 151C in the threat information table 151, extracts the categories for each vendor, and stores them in security vendor A's category 152A and security vendor B's category 152B of the threat category table 152. The granularity of the categories may be determined from a classification such as the type and item of the threat information acquired from the information security vendor, from a classification defined by a standard such as STIX, or as chosen by the security administrator. Categories may be extracted, for example, using the category similarity dictionary, or by any method chosen by the security administrator.
The threat information management unit 131 then sets master categories based on the similarity of the threat categories across vendors (step S113). Specifically, it associates the per-vendor threat information categories extracted in step S112 with one another and sets a master category name so that they are treated as a single name. As a result, the master category is stored in the master category 152C of FIG. 7. The association of categories across information security vendors and the setting of master categories may follow a standard such as STIX or be carried out as the security administrator sees fit.
When the category similarity dictionary is used, the threat information management unit 131 searches the similar category table 153, which is the similarity dictionary, for the expression of each vendor's category extracted in step S112; if a matching expression exists, it reads the master expression 153A for that expression and stores it in the master category 152C. If the expression of a vendor's category extracted in step S112 is not found by the search, that is, if there is no similar category, the threat information management unit 131 stores the vendor's category expression unchanged as the master category 152C.
The above is the operation flow of the master category setting process. It allows threat information that each information security vendor has categorised from its own viewpoint to be divided according to a unified set of categories.
The master category setting process shown in FIG. 17 may be executed each time threat information is acquired from an information security vendor, or at any time or interval set in advance by the security administrator.
FIG. 18 shows the operation flow of the per-threat-category importance calculation process. In this process, the security rule evaluation device 100 calculates an importance for each threat category using the threat information acquired from the information security vendors.
First, the threat information management unit 131 refers to the threat information acquired from the information security vendors in the threat information table 151 (step S121).
The threat information management unit 131 then calculates the number of threat information updates from the referenced threat information (step S122). Specifically, for each information security vendor it calculates the number of updates per category and stores it in the threat information update count table 157.
The threat information management unit 131 then calculates the importance (step S123). Specifically, using the update counts calculated in step S122, it calculates a per-category importance for each information security vendor and stores the result in the importance 154C of the threat category evaluation table 154.
In this process, the threat information management unit 131 can calculate the importance by giving greater weight to the most recent update counts. One way to do this is a weighted moving average. For example, letting R_m be the number of updates on day m and n the weight, the importance I as a weighted moving average can be calculated by formula (1) below.
Formula (1) [image not reproduced]
For the example of FIG. 12, with weight n = 5 and the update counts for the five days from June 26, 2016 to June 30, 2016, the importance of information security vendor "A"'s "Ransomware communication destination IP" is calculated as follows.
[calculation image not reproduced; the resulting importance, 7.2, is the value shown for this category in FIG. 9]
 以上が、脅威カテゴリ別重要度算出処理の動作フローである。脅威カテゴリ別重要度算出処理によれば、近日の更新度合の高い脅威情報について、重要度という指標値を算出することができるようになる。 The above is the operation flow of threat category importance calculation processing. According to the threat category-specific importance calculation processing, it is possible to calculate an index value called importance for threat information with a high update rate in the near future.
 Note that although step S123 in FIG. 18 uses a weighted moving average to calculate the importance, the importance may instead be calculated with any formula chosen by the security administrator, such as a simple moving average that does not weight by update date, or an exponential moving average that gives greater weight to more recently updated threat information. The importance also need not be calculated per category from the update counts of the security vendors' threat information; it may be a value that the information security vendor supplies as an importance level within the threat information, or a value that the security administrator has set in advance by any method. The procedure shown in FIG. 18 may be executed each time the master category setting process shown in FIG. 17 is executed, each time threat information is acquired from an information security vendor, or at any time or time interval predetermined by the security administrator.
 FIG. 19 is a diagram showing the operation flow of the adaptation characteristic calculation process. In this process, the threat information management unit 131 uses the threat information acquired from the information security vendors to calculate, for each threat category, an adaptation characteristic that indicates the relevance of that category to the information system to be protected.
 First, the threat information management unit 131 refers to the logs of detected attacks (step S211). Specifically, the threat information management unit 131 uses the attack detection information table 155 to collect and refer to log information about the detected attacks.
 The threat information management unit 131 then calculates the number of attack detections for each category (step S212). Specifically, using the referenced attack detection information, the threat information management unit 131 calculates, for each information system, the number of attack detections for each category of each information security vendor, and stores the counts in the attack detection count 158D of the attack detection count table 158.
 The threat information management unit 131 then calculates the adaptation characteristic for each category (step S213). Specifically, using the attack detection counts calculated in step S212, the threat information management unit 131 calculates, for each information system, the adaptation characteristic of each category of each information security vendor, and stores the result in the adaptation characteristic 156D of the threat information adaptation characteristic table 156.
 In this process, the threat information management unit 131 can calculate the adaptation characteristic as the ratio of the number of attack detections for each category of each security vendor to the total number of attack detections for that information system. Using the example of the attack detection count table 158 in FIG. 13, the adaptation characteristics are as follows.
[Adaptation characteristic calculation for the example of FIG. 13: image not reproduced in this extraction]
 The above is the operation flow of the adaptation characteristic calculation process. This process makes it possible to compute an index value, the adaptation characteristic, for each threat information category based on the attacks actually experienced by the information system to be protected.
 Note that although step S213 uses the ratio of attack detection counts to calculate the adaptation characteristic, the calculation is not limited to this. For example, the threat information management unit 131 may calculate the ratio with a weighted moving average that gives greater weight to the most recent attack detection counts, or may use a calculation method chosen by the security administrator. The adaptation characteristic also need not be calculated from detections of attacks actually received; it may be calculated from information on attacks detected by a decoy system that imitates the real system, such as a honeypot. Furthermore, the adaptation characteristic may be calculated from a value that the security administrator has set by any method using other information.
 The adaptation characteristic calculation process may be executed each time the master category setting process is executed, each time an attack is detected, or at any time or time interval predetermined by the security administrator.
 Here, the process of classifying each If rule into a master category is described. The threat information management unit 131 reads the If rule table 210 held by the data analysis device 200, parses each If rule, performs a string search using the per-vendor category names and the master category names stored in the threat category table 152, and determines the master category corresponding to the matched strings as the category of that If rule.
 For example, in determining the category of "If rule A" of information system "X" in the If rule table 210 of FIG. 2, the threat information management unit 131 reads the rule content 210C of "If rule A", namely "data="Business Division B" machine="VM1" threat="spyware" file access="/userA"", and, referring to the threat category table 152, searches whether the string contains both "ransomware" and "communication IP"; if not, whether it contains both "ransomware" and "file access"; and if not, searches in the same way with the remaining category names. As a result, "If rule A" of information system "X" matches the string search for "spyware" and "file access", so it is classified into the master category "Spyware file access".
 The master category of an If rule may be determined, as above, by the threat information management unit 131 performing a string search with the category names obtained from the threat category table 152; alternatively, the threat information management unit 131 may perform the string search using a thesaurus of category synonyms, or the security administrator may inspect the rule content and decide the category. This classification may be executed each time a security rule is added, each time the master category setting process is executed, or at any time or time interval predetermined by the security administrator.
 FIG. 20 is a diagram showing the operation flow of the security rule priority calculation process. In this process, the threat information management unit 131 uses the importance of the externally obtained threat information, the adaptation characteristic indicating relevance to the information system to be protected, and the weighting of each information security vendor to calculate a priority for considering updates to the If rules.
 First, the threat information management unit 131 determines whether any importance, adaptation characteristic, or weight value has changed (step S231). Specifically, the threat information management unit 131 determines whether the importance 154C stored in the threat category evaluation table 154, the adaptation characteristic 156D stored in the threat information adaptation characteristic table 156, or the weight 159C stored in the weighting table 159 has been updated. If none of the importance, adaptation characteristic, or weight values has changed ("No" in step S231), the threat information management unit 131 returns control to step S231.
 If any importance, adaptation characteristic, or weight value has changed ("Yes" in step S231), the security rule evaluation unit 132 calculates the priority of the security rules (If rules and Then rules) (step S232). Specifically, using the importance 154C stored in the threat category evaluation table 154, the adaptation characteristic 156D stored in the threat information adaptation characteristic table 156, and the weight 159C stored in the weighting table 159, the security rule evaluation unit 132 calculates the priority of each category to which the security rules of each information system belong, and stores the result in the priority 160D of the security rule evaluation table 160.
 Concretely, the security rule evaluation unit 132 calculates the priority of a category by computing, for that category and each security vendor, the product of the importance, the adaptation characteristic, and the weight, and summing these products over all information security vendors. For example, if the number of information security vendors is m, and for a category the importance is Ic, the adaptation characteristic is Fc, and the weight is Wc, the priority Pc is obtained by the following equation (2).
[Equation (2): image not reproduced in this extraction]
 The above is the operation flow of the security rule priority calculation process. This process makes it possible to calculate the priority of a security rule from three inputs: the importance derived from the information security vendors' threat information, which reflects the external environment; the adaptation characteristic, which reflects characteristics specific to the information system to be protected; and the weighting, which accounts for tendencies among the information security vendors and the like.
 In the example of this embodiment, the priority of the category "Spyware file access" for information system "X" is the product of the importance, adaptation characteristic, and weight of "Spyware file access" of information security vendor "A" for information system "X", plus the corresponding product for information security vendor "B": (4.2 × 13 × 2) + (8.3 × 7 × 8) = 490.
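As an added example that is not part of the patent, the three scores of FIG. 18 to FIG. 20 computed on constructed tables. The images of equations (1) and (2) are not reproduced on this page, so the linear-weight form of the moving average below is an assumption; the sample update counts, detection counts, importances and vendor weights are likewise constructed.

```python
# Added example (not the patent's own code): importance (step S123),
# adaptation characteristic (step S213) and priority (step S232) on
# constructed sample tables.
from collections import defaultdict


def importance(update_counts, n):
    """Importance I as a weighted moving average of the last n daily update
    counts R_m (oldest first). Assumed weights, since equation (1) is not
    reproduced: the newest day gets weight n, the oldest weight 1, and the
    sum is normalised by the sum of the weights."""
    window = update_counts[-n:]
    weights = list(range(1, len(window) + 1))  # 1 .. n, newest day last
    return sum(w * r for w, r in zip(weights, window)) / sum(weights)


def adaptation_characteristics(detections):
    """Adaptation characteristic F: for each information system, the share of
    that system's attack detections that fell on each (vendor, category).
    `detections` maps (system, vendor, category) -> count, as in table 158."""
    totals = defaultdict(int)
    for (system, _vendor, _category), count in detections.items():
        totals[system] += count
    return {
        key: (count / totals[key[0]] if totals[key[0]] else 0.0)
        for key, count in detections.items()
    }


def priorities(importance_table, adaptation, weights):
    """Priority Pc per (system, category): the sum over vendors of
    importance x adaptation characteristic x vendor weight (equation (2)).
    importance_table maps (vendor, category) -> I, adaptation maps
    (system, vendor, category) -> F, weights maps vendor -> W."""
    result = defaultdict(float)
    for (system, vendor, category), f in adaptation.items():
        i = importance_table.get((vendor, category), 0.0)
        result[(system, category)] += i * f * weights.get(vendor, 0.0)
    return dict(result)


# Constructed sample data (not taken from the patent's figures).
UPDATES_A_RANSOMWARE_IP = [0, 1, 2, 3, 1, 4, 5]  # R_m per day, oldest first
IMPORTANCE = {
    ("A", "spyware file access"): 4.2,
    ("B", "spyware file access"): 8.3,
    ("A", "ransomware destination IP"): importance(UPDATES_A_RANSOMWARE_IP, 5),
}
DETECTIONS = {  # attack detection count table 158, constructed
    ("X", "A", "spyware file access"): 13,
    ("X", "A", "ransomware destination IP"): 7,
    ("X", "B", "spyware file access"): 5,
}
WEIGHTS = {"A": 2, "B": 8}  # weighting table 159, constructed


def example_priorities():
    """Priorities for the constructed tables above."""
    return priorities(IMPORTANCE, adaptation_characteristics(DETECTIONS), WEIGHTS)


if __name__ == "__main__":
    for key, p in sorted(example_priorities().items(), key=lambda kv: -kv[1]):
        print(key, round(p, 3))
```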
 Note that the priority calculation in step S232 may be performed by any other method determined by the security administrator. The security rule priority calculation process may also be executed at any time or time interval predetermined by the security administrator. Furthermore, for each If rule or Then rule, the security rule evaluation unit 132 may raise the priority when the type, item, and value of an attack actually received match the rule exactly, because a rule that exactly matches the values of an actual attack should be updated with the highest priority.
 The security rule evaluation unit 132 may also calculate priorities only for the security rules related to a configuration of the information system to be protected that has changed. In that case, following execution of the system change impact rule extraction process described below, the security rule evaluation unit 132 receives the information on the extracted security rules and performs the security rule priority calculation process only for those rules.
 FIG. 21 is a diagram showing the operation flow of the system change impact rule extraction process. In this process, the security rule evaluation unit 132 extracts the security rules that may be affected by a change to the information system to be protected.
 First, the security rule evaluation unit 132 determines whether there is a configuration change to the information system or an update to the threat information (step S311). For example, the security rule evaluation unit 132 queries the configuration management system of the information system to be protected for change information, and queries the information security vendor's computer system 1 for threat information updates. If there is neither a configuration change nor a threat information update ("No" in step S311), the security rule evaluation unit 132 returns control to step S311.
 If there is a configuration change or a threat information update ("Yes" in step S311), the security rule evaluation unit 132 extracts the security rules that may need to be updated (step S312). Specifically, the security rule evaluation unit 132 refers to the If rule table 210 held by the data analysis device 200 and the Then rule table 310 held by the IT resource control device 300, and extracts the If rules and Then rules related to the configuration change or the threat information update.
 More specifically, the security rule evaluation unit 132 performs a string search to determine whether a value associated with the configuration change is contained in the content of an If rule, and if so, extracts that If rule as related. For example, when the "machine name" of information system "X" is changed from "server 1" to "server 2", the security rule evaluation unit 132 searches the If rules and Then rules for information system "X" in the If rule table 210 for the strings "server 1" and "server 2", and extracts "If rule E", which contains "server 1", as a security rule that may need to be updated. For Then rules, the security rule evaluation unit 132 searches the rule content 310C of the Then rule table 310 and extracts the matching rules as related security rules.
 The above is the operation flow of the system change impact rule extraction process. This process makes it possible to extract, without omission, the security rules within the scope of impact of an environment-driven change such as a configuration change to the information system to be protected.
 Note that for the If rules or Then rules extracted in step S312, the security rule evaluation unit 132 may also refer to the If/Then rule correspondence table 220, look up the corresponding Then rules or If rules, and extract them too as security rules that may need to be updated.
 The security administrator then uses the security rule evaluation device 100 to narrow the view to the security rules extracted in step S312 and check their priorities. To display the priorities, the priority rule presenting unit 133 displays, for example, the management screen 400 shown in FIG. 22.
 FIG. 22 is a diagram showing an example output screen of the security rule priority calculation process. The management screen 400 includes, for example, a security rule display area 410 that lists the security rules that may need to be updated in order of priority. In the security rule display area 410, for example, the security rules extracted in step S312 as possibly needing an update are displayed in descending order of priority. The management screen 400 displays Then rules and If rules alike, without distinction. This is not limiting, however: by referring to the If/Then rule correspondence table 220, the priority of the If rule corresponding to a Then rule (preferably the highest such priority) may be displayed as the priority of that Then rule.
 In the case of FIG. 22, for example, among the security rules that may need to be updated for information system "X", "If rule O" in the "Spyware file access" category is shown with priority "1510", ranked first. "Then rule C" corresponds to If rule B in the If/Then rule correspondence table 220, so the priority of If rule B is taken as the priority of Then rule C, giving it priority "944.8" and rank 2.
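The string-search steps described above (If rule classification, the system change impact extraction of FIG. 21, and the Then-rule priority lookup through the correspondence table shown on FIG. 22), as an added example that is not the patent's own code. The master categories, rule contents (in the key="value" layout quoted for "If rule A"), correspondence entries and category priorities are constructed for illustration.

```python
# Added example (not the patent's own code): string-search classification,
# impact extraction after a configuration change, and priority lookup for
# Then rules, on constructed rule tables.

# Master categories in search order; a rule belongs to the first category
# whose keywords all occur in its content (the order quoted in the text).
MASTER_CATEGORIES = {
    "ransomware communication IP": ("ransomware", "communication IP"),
    "ransomware file access": ("ransomware", "file access"),
    "spyware file access": ("spyware", "file access"),
}

# (system, rule name) -> rule content 210C / 310C, all constructed.
IF_RULES = {
    ("X", "If rule A"): 'data="Business Division B" machine="VM1" '
                        'threat="spyware" file access="/userA"',
    ("X", "If rule B"): 'machine="server 1" threat="ransomware" '
                        'communication IP="203.0.113.10"',
    ("X", "If rule E"): 'machine="server 1" threat="ransomware" '
                        'file access="/share"',
}
THEN_RULES = {
    ("X", "Then rule C"): 'action="isolate host" machine="server 1"',
}
# If/Then rule correspondence table 220: Then rule -> If rules that fire it.
CORRESPONDENCE = {
    ("X", "Then rule C"): [("X", "If rule B")],
}
# Priority 160D per (system, master category), as step S232 would produce.
CATEGORY_PRIORITY = {
    ("X", "spyware file access"): 1510.0,
    ("X", "ransomware communication IP"): 944.8,
    ("X", "ransomware file access"): 300.0,
}


def classify(content, categories=MASTER_CATEGORIES):
    """Master category of an If rule: the first category whose keywords all
    appear in the rule content (case-insensitive substring search)."""
    text = content.lower()
    for name, keywords in categories.items():
        if all(k.lower() in text for k in keywords):
            return name
    return None  # no match: left to the administrator, as the text allows


def affected_rules(system, old_value, new_value, if_rules=IF_RULES,
                   then_rules=THEN_RULES, correspondence=CORRESPONDENCE):
    """Step S312: rules of `system` whose content mentions the old or new
    value of a changed configuration item, plus their If/Then counterparts
    from correspondence table 220."""
    needles = (old_value, new_value)
    hits = set()
    for table in (if_rules, then_rules):
        for key, content in table.items():
            if key[0] == system and any(n in content for n in needles):
                hits.add(key)
    for then_key, if_keys in correspondence.items():
        if then_key in hits:
            hits.update(if_keys)
        elif any(k in hits for k in if_keys):
            hits.add(then_key)
    return hits


def rule_priority(key, if_rules=IF_RULES, correspondence=CORRESPONDENCE,
                  category_priority=CATEGORY_PRIORITY):
    """Priority as shown on screen 400: an If rule takes its category's
    priority; a Then rule takes the highest priority of its If rules."""
    if key in if_rules:
        category = classify(if_rules[key])
        return category_priority.get((key[0], category), 0.0)
    linked = correspondence.get(key, [])
    return max((rule_priority(k, if_rules, correspondence, category_priority)
                for k in linked), default=0.0)


def ranked(keys):
    """Rules in descending priority order, as in display area 410."""
    return sorted(keys, key=lambda k: (-rule_priority(k), k[1]))


if __name__ == "__main__":
    for key in ranked(affected_rules("X", "server 1", "server 2")):
        print(key[1], rule_priority(key))
```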
 The management screen 400 may, for example, display the security rules extracted in step S312 that the security administrator selects from the security rule evaluation table 160, or the security rules extracted in step S312 may be displayed on the screen directly in order of priority.
 The security rule evaluation system according to the embodiment has been described in detail above, but the present invention is not limited to this embodiment, and it goes without saying that various modifications are possible without departing from its gist. For example, instead of one security system administrator updating all the security rules of the information systems to be protected, a security administrator may be assigned to each information system. In that case, each security administrator registers the information systems they manage with the security rule evaluation device 100 in advance, and in the security rule priority calculation process and the system change impact rule extraction process the security rule evaluation unit 132 restricts processing to the information systems registered for the logged-in security administrator. In this way, the work can easily be divided even when the information systems grow large.
 The above embodiment has been described in detail to explain the present invention clearly, and the invention is not necessarily limited to one having all of the configurations described.
 Each of the above configurations, functions, processing units, and the like may be realized partly or wholly in hardware, for example by designing them as integrated circuits. The control lines and information lines shown are those considered necessary for the explanation; not all control lines and information lines of a product are necessarily shown. In practice, almost all components may be considered to be interconnected.
 Each of the above configurations, functions, processing units, and the like may also be realized partly or wholly as a distributed system, for example by executing them on separate devices and integrating the processing over a network.
 The technical elements of the above embodiment may be applied on their own, or divided into several parts such as program components and hardware components.
 The present invention has been described above with a focus on the embodiment.
1A, 1B: computer system; 2A, 2B: security threat information; 3: network; 4: security system; 5: network; 6: server device; 7: network equipment; 8: storage; 9: security countermeasure product; 100: security rule evaluation device; 200: data analysis device; 210: If rule table; 220: If/Then rule correspondence table; 300: IT resource control device; 310: Then rule table

Claims (8)

  1.  A security rule evaluation device comprising:
     a threat information management unit that identifies importance information on an information security threat and adaptation characteristic information indicating an adaptation characteristic between the threat and an information processing system to be protected;
     a security rule evaluation unit that calculates, for each security rule of the information processing system, a priority for updating that security rule using at least the importance information and the adaptation characteristic information; and
     a priority rule presenting unit that presents the security rules to be updated in the order of the priorities calculated by the security rule evaluation unit.
  2.  The security rule evaluation device according to claim 1, wherein
     the security rule evaluation unit calculates a higher priority for the security rule the higher the importance and the higher the adaptation characteristic.
  3.  The security rule evaluation device according to claim 1, wherein
     the threat information management unit identifies the adaptation characteristic information of the threat, for each threat, using a detection record of attacks received by the information processing system to be protected.
  4.  The security rule evaluation device according to claim 1, wherein
     the threat information management unit identifies the importance of the threat according to the update frequency of information on the threat provided by one or more security vendors.
  5.  The security rule evaluation device according to claim 1, wherein
     the threat information management unit identifies the importance of the threat according to the update frequency of information on the threat provided by a security vendor, and, when the provided information of a plurality of the security vendors is used, classifies the threats into categories common to the security vendors and identifies the priority by summing across the security vendors for each category.
  6.  The security rule evaluation device according to claim 1, wherein
     the security rule includes a condition for detecting, in the information processing system, an attack from the threat.
  7.  The security rule evaluation device according to claim 1, wherein
     the security rule evaluation unit calculates the priority for the security rules related to a configuration of the information processing system that has changed.
  8.  A security rule evaluation system comprising a security rule evaluation device and an information processing apparatus to be protected that is communicably connected to the security rule evaluation device, wherein
     the security rule evaluation device comprises:
     a threat information management unit that identifies importance information on an information security threat and adaptation characteristic information indicating an adaptation characteristic between the threat and the information processing apparatus to be protected;
     a security rule evaluation unit that calculates, for each security rule of the information processing apparatus to be protected, a priority for updating that security rule using at least the importance information and the adaptation characteristic information; and
     a priority rule presenting unit that presents the security rules to be updated in the order of the priorities calculated by the security rule evaluation unit,
     the information processing apparatus to be protected transmits a detection record of the attacks it has received to the security rule evaluation device, and
     the threat information management unit identifies the adaptation characteristic information of the threat, for each threat, using the detection record.
PCT/JP2017/040045 2016-11-08 2017-11-07 Security rule evaluation device and security rule evaluation system WO2018088383A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2016217845A JP2018077607A (en) 2016-11-08 2016-11-08 Security rule evaluation device and security rule evaluation system
JP2016-217845 2016-11-08

Publications (1)

Publication Number Publication Date
WO2018088383A1 true WO2018088383A1 (en) 2018-05-17

Family

ID=62110317

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2017/040045 WO2018088383A1 (en) 2016-11-08 2017-11-07 Security rule evaluation device and security rule evaluation system

Country Status (2)

Country Link
JP (1) JP2018077607A (en)
WO (1) WO2018088383A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI774081B (en) * 2020-10-12 2022-08-11 瑞昱半導體股份有限公司 Multi-tasking chip

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7149888B2 (en) 2018-10-17 2022-10-07 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Information processing device, information processing method and program
WO2020079896A1 (en) 2018-10-17 2020-04-23 パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Information processing device, information processing method, and program
JPWO2022219787A1 (en) * 2021-04-15 2022-10-20
WO2022219786A1 (en) * 2021-04-15 2022-10-20 日本電信電話株式会社 Labeling device, labeling method, and program
WO2023233711A1 (en) * 2022-05-30 2023-12-07 パナソニックIpマネジメント株式会社 Information processing method, abnormality determination method, and information processing device

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2008004498A1 (en) * 2006-07-06 2008-01-10 Nec Corporation Security risk management system, device, method, and program
JP2013025429A (en) * 2011-07-19 2013-02-04 Mitsubishi Electric Corp Security evaluation apparatus, security evaluation method of security evaluation apparatus, security evaluation program

Also Published As

Publication number Publication date
JP2018077607A (en) 2018-05-17

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 17868957

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 17868957

Country of ref document: EP

Kind code of ref document: A1