WO2019026310A1 - Information processing device, information processing method and information processing program - Google Patents
Information processing device, information processing method and information processing program
- Publication number
- WO2019026310A1 (application PCT/JP2017/043869)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- attack
- detected
- past
- activity
- activities
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- G—PHYSICS
  - G06—COMPUTING OR CALCULATING; COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
          - G06F21/55—Detecting local intrusion or implementing counter-measures
            - G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
            - G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
              - G06F21/568—Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
          - G06F2221/034—Test or assess a computer or a system
Definitions
- the present invention relates to a technology for detecting an attack activity on an information system.
- Patent Literatures 1 to 3 disclose techniques related to the present invention.
- In Patent Document 1, a feature value is calculated from the destination or variable values of a URL (Uniform Resource Locator) transmitted by a server, and the URL is compared for similarity against the signatures held by the monitoring device. This makes it possible to detect attack communication whose URL destination or variable values do not exactly match a signature held by the monitoring device, and thus to detect an unknown attack on a terminal or server.
- However, the purpose of the signature similarity function of Patent Document 1 is to add new attack patterns.
- Patent Document 2 focuses on the fact that computer resource information, typified by the CPU (Central Processing Unit) usage rate, often fluctuates as a result of a security violation. It calculates a feature value from the current CPU usage rate and past CPU usage rates, and when the calculated value matches a rule describing a condition on the resource information, the state is judged to be abnormal. This makes it possible to deal with security breaches on computer systems without analyzing large amounts of varied log information.
- Patent Documents 1 to 3 cannot solve these problems.
- The main object of the present invention is to solve the above-mentioned problems. Specifically, the main purpose is to ensure that an appropriate response is taken for a detected attack activity.
- An information processing apparatus according to the present invention comprises: a selection unit that, when an attack activity is detected using a detection rule, analyzes the situation when the current attack activity (the detected attack activity) was detected, the situation when each of a plurality of past attack activities (attack activities detected in the past using the detection rule) was detected, and the situation presupposed by the detection rule, and that selects, based on the analysis result, an arbitrary number of attack activities from among the plurality of past attack activities; and a response procedure presentation unit that presents the response procedure that was carried out for the attack activity selected by the selection unit.
- In the present invention, the situation when the current attack activity was detected, the situation when each of a plurality of past attack activities was detected, and the situation presupposed by the detection rule are analyzed. A past attack activity suitable for the current attack activity is then selected from the plurality of past attack activities, and the response taken for the selected past attack activity is presented. Thus, according to the present invention, the analyst can take an appropriate response to the detected attack activity.
- FIG. 1 shows an example of a network configuration according to the first embodiment.
- FIG. 2 is a diagram showing an example of the functional configuration of an attack activity analysis support device according to the first embodiment.
- FIG. 3 is a flowchart showing the flow of processing of the attack activity analysis support device according to the first embodiment.
- FIG. 4 shows an example of an analysis history table according to the first embodiment.
- FIG. 5 shows an example of a device management table according to the first embodiment.
- FIG. 6 shows an example of a similarity history comparison table according to the first embodiment.
- FIG. 7 shows an example of selected analysis histories according to the first embodiment.
- FIG. 8 is a diagram showing an example of the presentation to the operator according to the first embodiment.
- FIG. 9 shows an example of a detection log according to the first embodiment.
- FIG. 10 is a diagram showing an example of the hardware configuration of the attack activity analysis support device according to the first embodiment.
- FIG. 1 shows an example of a network configuration according to the present embodiment.
- The firewall 11 separates the external network 16 from the internal network 18.
- The firewall 11 is connected to the external network 16, the DMZ (DeMilitarized Zone) network 17 and the internal network 18.
- The firewall 11 and the DMZ network 17 serve to prevent attacks from the external network 16 against the internal network 18.
- the DMZ network 17 includes an intrusion detection device 12, a proxy server 13 and a plurality of monitoring targets 14.
- the intrusion detection device 12 is connected to the firewall 11.
- The intrusion detection device 12 inspects, using detection rules, the communication between the external network 16 and the DMZ network 17 and the communication between the external network 16 and the internal network 18 that passes through the firewall 11. When it detects an attack activity from the external network 16, the intrusion detection device 12 generates a detection log indicating the situation at the time the attack activity was detected.
- The proxy server 13 is connected to the firewall 11.
- The proxy server 13 relays communication from the monitoring targets 15 in the internal network 18 to the external network 16, and communication from the external network 16 to the monitoring targets 15.
- the monitoring target 14 is connected to the firewall 11.
- the monitoring target 14 includes a mail server, a web server, and the like.
- the internal network 18 includes a plurality of monitoring targets 15 and an attack activity analysis support device 01.
- the monitoring target 15 is connected to the firewall 11.
- the monitoring targets 15 include personal terminals, file servers, AD (Active Directory) servers, and the like.
- The attack activity analysis support device 01 is connected to the internal network 18 and monitors the monitoring targets 14 connected to the DMZ network 17 and the monitoring targets 15 connected to the internal network 18.
- The attack activity analysis support device 01 stores analysis histories, each indicating the situation and the response taken when an attack activity against the monitoring target 14 or the monitoring target 15 was detected. Details of the analysis history are described later.
- When a new attack activity occurs, the attack activity analysis support device 01 uses the display device 10 to show the operator the analysis histories of past attack activities similar to it.
- An attack activity is any activity that generates an information security threat.
- the attack activities include various unauthorized accesses, attacks called “... Attacks”, preliminary operations of these attacks, and the like.
- the attack activity analysis support device 01 corresponds to an information processing device.
- the operation performed by the attack activity analysis support apparatus 01 corresponds to an information processing method.
- FIG. 2 shows an example of the functional configuration of the attack activity analysis support apparatus 01
- FIG. 10 shows an example of the hardware configuration of the attack activity analysis support apparatus 01.
- the attack activity analysis support device 01 is a computer.
- As shown in FIG. 10, the attack activity analysis support device 01 includes, as hardware, a processor 101, a storage device 102, a network interface 103, a display interface 104 and an input interface 105. Further, as shown in FIG. 2, it has, as its functional configuration, a warning information collection unit 02, a monitoring information collection unit 03, an analysis information calculation unit 04, a warning importance degree estimation unit 05, a warning information storage unit 06, a monitoring information storage unit 07 and an analysis history storage unit 08.
- the storage device 102 stores programs for realizing the functions of the warning information collection unit 02, the monitoring information collection unit 03, the analysis information calculation unit 04, and the warning importance degree estimation unit 05.
- FIG. 10 schematically shows a state where the processor 101 is executing a program for realizing the functions of the warning information collection unit 02, the monitoring information collection unit 03, the analysis information calculation unit 04, and the warning importance degree estimation unit 05.
- Programs for realizing the functions of the warning information collection unit 02, the monitoring information collection unit 03, the analysis information calculation unit 04, and the warning importance degree estimation unit 05 correspond to an information processing program.
- the warning information storage unit 06, the monitoring information storage unit 07, and the analysis history storage unit 08 are realized by the storage device 102.
- the network interface 103 is an interface with a communication cable of the internal network 18.
- the display interface 104 is an interface with the display device 10.
- the input interface 105 is an interface with the input device 09.
- the warning information collection unit 02 collects detection logs from the intrusion detection device 12 via the network interface 103. Further, the warning information collection unit 02 stores the collected detection log in the warning information storage unit 06.
- the monitoring information collection unit 03 collects proxy logs from the proxy server 13 via the network interface 103.
- the monitoring information collection unit 03 stores the collected proxy log in the monitoring information storage unit 07.
- The analysis information calculation unit 04 analyzes the situation when the current attack activity, which is the detected attack activity, was detected, the situation when each of a plurality of past attack activities, which are attack activities detected in the past using the detection rule, was detected, and the situation presupposed by the detection rule.
- the situation when each of a plurality of past attack activities is detected is described in the analysis history stored in the analysis history storage unit 08. Further, information indicating a situation on which the detection rule is premised is stored, for example, in the storage device 102.
- The analysis information calculation unit 04 analyzes the similarity between the situation when the current attack activity was detected and the situation when each of the plurality of past attack activities was detected.
- The analysis information calculation unit 04 also analyzes the similarity between the situation when each of the plurality of past attack activities was detected and the situation presupposed by the detection rule. For example, it analyzes the similarity between the time at which the current attack activity was detected and the time zone in which each past attack activity was detected, and the similarity between the communication amount when the current attack activity was detected and the communication amount when each past attack activity was detected. It further analyzes the similarity between the time zone in which each past attack activity was detected and the time zone presupposed by the detection rule.
- It likewise analyzes the similarity between the communication amount when each past attack activity was detected and the communication amount presupposed by the detection rule, and the similarity between the type of target device of each past attack activity and the type of target device presupposed by the detection rule. Based on these analysis results, the analysis information calculation unit 04 selects an arbitrary number of attack activities from among the plurality of past attack activities. The analysis information calculation unit 04 corresponds to the selection unit, and the process it performs corresponds to the selection process.
- The warning importance degree estimation unit 05 presents to the operator, through the display device 10, the response taken for the attack activity selected by the analysis information calculation unit 04.
- When two or more attack activities are selected, the warning importance degree estimation unit 05 determines the order among them.
- For example, it determines the order among the selected two or more attack activities based on the importance of the response taken for each of them.
- The warning importance degree estimation unit 05 then presents the responses taken for the two or more selected attack activities in the determined order.
- The warning importance degree estimation unit 05 corresponds to the response procedure presentation unit, and the process it performs corresponds to the response procedure presentation process.
- the warning information storage unit 06 stores a detection log.
- the monitoring information storage unit 07 stores proxy logs.
- the analysis history storage unit 08 stores an analysis history.
- FIG. 4 shows an example of the analysis history table 203 generated by the analysis information calculation unit 04.
- the analysis history table 203 includes a plurality of analysis histories which are results of analysis of past attack activities.
- Each record in FIG. 4 is an analysis history.
- Each analysis history includes an analysis history number, a warning name, an occurrence time zone, a countermeasure, and analysis information.
- the analysis history number is a serial number automatically set by the analysis information calculation unit 04.
- the response measures are designated by the operator of the attack activity analysis support apparatus 01.
- the warning name and the occurrence time zone are generated from the detection log transmitted from the intrusion detection device 12.
- The intrusion detection device 12 analyzes communication from the external network 16 to the internal network 18 using a detection rule. When an attack activity is detected, it identifies the type of the attack activity based on the detection rule; for example, it identifies whether the detected attack is a DoS attack, a port scan or a file transmission. It then records the identified attack type in the detection log as the warning name, together with the date and time at which the attack activity was detected. The values of the analysis information are also generated from the detection log.
- The intrusion detection device 12 identifies the communication destination of the attack activity from the destination IP address of the communication data used for the attack activity and records the type of the identified communication destination in the detection log. Alternatively, it may record only the destination IP address of that communication data in the detection log.
- In that case, the analysis information calculation unit 04 determines the type of communication destination from the destination IP address in the detection log. More specifically, it determines the type using the device management table 204 illustrated in FIG. 5.
- The device management table 204 in FIG. 5 lists the IP addresses of the devices that constitute the monitoring target 14 and the monitoring target 15, together with the application of each device for each IP address.
- The analysis information calculation unit 04 looks up the destination IP address indicated by the detection log in the device management table 204 to determine the type of communication destination.
- The intrusion detection device 12 also records in the detection log the traffic of the DMZ network 17 or the internal network 18 at the time the attack activity was detected.
- The intrusion detection device 12 need not determine the type of communication destination or the communication amount; that is, it does not have to include either of them in the detection log.
- In that case, the analysis information calculation unit 04 generates the analysis information from the proxy log. That is, the proxy server 13 may identify the type of communication destination and the communication amount at the time the attack activity was detected and record them in the proxy log.
- FIG. 6 shows an example of the similarity history comparison table 205.
- The similarity history comparison table 205 consists of an analysis history number, the conditions assumed by the detection rule, and the conditions at the time of detection of the past attack activity.
- The analysis history number is the analysis history number of FIG. 4.
- The "conditions assumed by the detection rule" are the conditions that were assumed when the detection rule was generated. FIG. 6 shows the situation assumed by a detection rule for detecting DoS attacks.
- The "conditions assumed by the detection rule" are, for example, a time zone, a communication amount and a target device. In the example of FIG. 6, the detection rule for detecting DoS attacks was generated on the assumptions that the time zone in which a DoS attack occurs is "10:00-12:00", that the traffic volume during a DoS attack is 5000 accesses/min, and that the target device of a DoS attack is a Web server.
- The "conditions at the time of detection of the past attack activity" show the situation of a past attack activity judged to be a DoS attack, that is, a past attack activity detected by applying the detection rule for detecting DoS attacks.
- The "conditions at the time of detection of the past attack activity" are, for example, a time zone, a traffic amount and a target device.
- In the example of FIG. 6, the time zone in which the DoS attack of analysis history number 1 was detected is "10:00-12:00", and the traffic volume when that DoS attack was detected is 5500 accesses/min.
- The device targeted by that attack is a Web server.
- The similarity history comparison table 205 is used to compare, for each past attack activity, the situation assumed by the detection rule with the situation when that attack activity was detected.
- Although FIG. 6 shows the similarity history comparison table 205 for DoS attacks, a similarity history comparison table 205 also exists for each other kind of attack activity (port scan, file transmission, etc.).
- FIG. 9 shows an example of the detection log 301 transmitted from the intrusion detection device 12 to the attack activity analysis support device 01 when the intrusion detection device 12 newly detects an attack activity.
- the detection log 301 includes a warning name, date and time of occurrence, and analysis information.
- The meanings of the warning name, the date and time of occurrence and the analysis information are the same as in FIG. 4.
- However, the warning name, occurrence date and time and analysis information shown in FIG. 4 are attributes of past attack activities detected in the past, whereas those shown in FIG. 9 are attributes of the newly detected current attack activity.
- Although FIG. 9 shows an example in which the values of the analysis information are also transmitted from the intrusion detection device 12 as part of the detection log 301, as described above, the values of the analysis information may instead be transmitted from the proxy server 13 as a proxy log.
- FIG. 3 is a flowchart showing an operation example of the attack activity analysis support device 01.
- If the analysis history table 203 shown in FIG. 4 is not yet stored in the analysis history storage unit 08, the analysis information calculation unit 04 generates the analysis history table 203 as an initial setting (step S001). The analysis information calculation unit 04 also generates the device management table 204 of the monitoring target 14 and the monitoring target 15 if necessary.
- the warning information collection unit 02 periodically receives a detection log from the intrusion detection device 12, and stores the received detection log in the warning information storage unit 06 (step S002).
- The intrusion detection device 12 transmits a detection log periodically even when no attack activity has been detected. In that case it transmits a detection log that differs from the one sent when an attack activity is detected; for example, a detection log in which the warning name column of FIG. 9 is blank.
- The warning information collection unit 02 determines whether the received detection log notifies the detection of an attack activity (step S003), for example by checking whether a value is set in the warning name column of the received detection log.
- If the received detection log notifies the detection of an attack activity, the process proceeds to step S004. Otherwise, the process returns to step S002.
- Here it is assumed that the warning information collection unit 02 has received the detection log 301 shown in FIG. 9, that is, that the intrusion detection device 12 has detected a DoS attack.
- step S003 is YES, that is, when the attack activity is detected in the intrusion detection device 12, the warning information collection unit 02 outputs the detection log received from the intrusion detection device 12 to the analysis information calculation unit 04.
- the analysis information calculation unit 04 acquires, from the analysis history storage unit 08, the analysis history table 203 corresponding to the warning name indicated in the detection log acquired from the warning information collection unit 02 (step S004). Specifically, the analysis information calculation unit 04 acquires the analysis history table 203 of FIG. 4 corresponding to the DoS attack which is the warning name of the detection log 301 of FIG. 9.
- Next, the analysis information calculation unit 04 extracts from the analysis history table 203 the analysis histories whose communication destination is the same as the communication destination shown in the detection log (step S005).
- the analysis information calculation unit 04 extracts the analysis history of analysis history numbers 1, 3, 4, 5, and 10 whose communication destination is the Web server.
- the analysis information calculation unit 04 analyzes the similarity of the analysis history extracted in step S005 (step S006).
- The similarity history comparison table 205 is used for the similarity analysis. Specifically, the analysis information calculation unit 04 calculates the similarity between the time at which the current attack activity shown in the detection log was detected and the time zone shown in the "occurrence time zone" of the "conditions at the time of detection of the past attack activity" for analysis history numbers 1, 3, 4, 5 and 10. It also calculates the similarity between the communication amount when the current attack activity shown in the detection log was detected and the "communication amount" of the "conditions at the time of detection of the past attack activity" for those analysis histories.
- Further, the analysis information calculation unit 04 calculates the similarity between the time zone shown in the "occurrence time zone" of the "conditions at the time of detection of the past attack activity" and the time zone shown in the "occurrence time zone" of the "conditions assumed by the detection rule" for analysis history numbers 1, 3, 4, 5 and 10. It likewise calculates the similarity between the "communication amount" of the "conditions at the time of detection of the past attack activity" and the "communication amount" of the "conditions assumed by the detection rule" for those analysis histories.
- The analysis information calculation unit 04 also calculates the similarity between the device type shown in the "target" of the "conditions at the time of detection of the past attack activity" and the device type shown in the "target" of the "conditions assumed by the detection rule" for analysis history numbers 1, 3, 4, 5 and 10.
- In the detection log 301 of FIG. 9, the occurrence time is "10:18" and the communication amount is "5500 accesses/minute". Therefore, analysis history numbers 1, 3 and 4 have high similarity to the current attack activity. Furthermore, in the "conditions assumed by the detection rule" in FIG. 6, the occurrence time zone is "10:00-12:00", the "communication amount" is "5000" and the "target" is "Web". For this reason, high similarity in relation to the detection rule is also given to analysis history numbers 1, 3 and 4. In the present embodiment, the method of calculating the similarity itself does not matter.
- As a result, in this example, the analysis information calculation unit 04 selects the analysis histories of analysis history numbers 1, 3 and 4, which have high similarity, as the histories suitable for analysis of the newly generated detection log. It then outputs the analysis histories (the corresponding records in FIG. 4) of analysis history numbers 1, 3 and 4 to the warning importance degree estimation unit 05.
- The warning importance degree estimation unit 05 acquires the analysis histories from the analysis information calculation unit 04 and presents them to the operator via the display device 10 in accordance with the importance of each acquired analysis history (step S007).
- Specifically, the warning importance degree estimation unit 05 determines the importance of each analysis history, determines the order among the plurality of analysis histories in order of importance, and presents the plurality of analysis histories to the operator via the display device 10 according to the determined order.
- The importance of an analysis history is determined as follows.
- The warning importance degree estimation unit 05 reorders the analysis histories so that those whose "response action" item indicates that a response was necessary come first.
- Among those, analysis histories whose "response action" contents include "report to customer" are ranked higher.
- FIG. 7 shows the order of the analysis history notified to the warning importance degree estimation unit 05.
- the analysis information calculation unit 04 notifies the warning importance degree estimation unit 05 in the order of analysis history numbers 1, 3, and 4.
- FIG. 8 shows the order of the analysis history after the order is changed by the warning importance degree estimation unit 05.
- The warning importance degree estimation unit 05 presents the plurality of analysis histories to the operator in the order shown in FIG. 8. The operator can consider the response to the newly detected current attack activity with reference to the "response action" column of the analysis histories presented by the warning importance degree estimation unit 05. After the operator decides the response to the newly detected current attack activity, the analysis information calculation unit 04 adds a new record, consisting of the contents of the detection log 301 of FIG. 9 and the response taken by the operator, to the analysis history table 203.
- As described above, in the present embodiment, the situation when the current attack activity was detected, the situation when each of a plurality of past attack activities was detected, and the situation presupposed by the detection rule are analyzed. A past attack activity suitable for the current attack activity is then selected from the plurality of past attack activities, and the response taken for the selected past attack activity is presented. Therefore, according to the present embodiment, even an inexperienced analyst (operator) can take an appropriate response to the current attack activity.
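The selection and ranking described above, both in the functional description of the analysis information calculation unit 04 and the warning importance degree estimation unit 05 and in steps S003 to S007 of the flowchart, as an added worked example in Python. This is not the patent's code. The detection log field names, the sample rows of tables 203, 204 and 205, the similarity formula (the mean of the five comparisons the page lists) and the threshold of 0.8 are all assumptions of this example; the patent itself states that the similarity calculation method does not matter.

```python
"""Added example, not the patent's code: a compact model of steps S003-S007 of the
attack activity analysis support device 01. Field names, sample tables, scoring
formula and threshold are assumptions of this example."""
from dataclasses import dataclass
from datetime import time
from typing import Dict, List, Optional, Tuple

# Device management table 204 (FIG. 5): destination IP -> device type. Constructed sample.
DEVICE_MANAGEMENT_TABLE: Dict[str, str] = {
    "192.0.2.10": "Web",
    "192.0.2.20": "Mail",
    "198.51.100.5": "AD",
}


@dataclass(frozen=True)
class AnalysisHistory:
    """One record of analysis history table 203 (FIG. 4) with its table-205 columns."""
    number: int
    time_zone: Tuple[time, time]   # "occurrence time zone" of the past detection
    traffic: float                 # accesses/min when the past attack was detected
    target: str                    # device type targeted
    response_required: bool        # "necessity of the countermeasure" item
    response: str                  # "response action" column


@dataclass(frozen=True)
class RuleCondition:
    """'Conditions assumed by the detection rule' column of table 205 (FIG. 6)."""
    time_zone: Tuple[time, time]
    traffic: float
    target: str


# Constructed rows for the DoS warning, chosen so that, as on the page, rows 1, 3, 4, 5
# and 10 target the Web server and only rows 1, 3 and 4 are highly similar.
DOS_RULE = RuleCondition((time(10, 0), time(12, 0)), 5000.0, "Web")
DOS_HISTORY: List[AnalysisHistory] = [
    AnalysisHistory(1, (time(10, 0), time(12, 0)), 5500.0, "Web", True, "report to customer; block source"),
    AnalysisHistory(2, (time(2, 0), time(4, 0)), 800.0, "Mail", False, "monitor"),
    AnalysisHistory(3, (time(10, 0), time(11, 0)), 5200.0, "Web", True, "rate-limit at proxy"),
    AnalysisHistory(4, (time(9, 30), time(12, 0)), 6000.0, "Web", True, "report to customer"),
    AnalysisHistory(5, (time(20, 0), time(22, 0)), 1200.0, "Web", False, "no action"),
    AnalysisHistory(10, (time(11, 0), time(13, 0)), 900.0, "Web", False, "monitor"),
]


def is_attack_notification(log: dict) -> bool:
    """Step S003: a blank warning name is the periodic 'nothing detected' log."""
    return bool(log.get("warning_name", "").strip())


def resolve_target_type(log: dict) -> Optional[str]:
    """Use the IDS-supplied type if present, else look the destination IP up in table 204."""
    return log.get("target_type") or DEVICE_MANAGEMENT_TABLE.get(log.get("dst_ip", ""))


def _minutes(t: time) -> int:
    return t.hour * 60 + t.minute


def _zone_overlap(inner: Tuple[time, time], outer: Tuple[time, time]) -> float:
    """Fraction of `inner` that lies inside `outer` (1.0 = fully covered)."""
    s1, e1 = map(_minutes, inner)
    s2, e2 = map(_minutes, outer)
    overlap = max(0, min(e1, e2) - max(s1, s2))
    return overlap / (e1 - s1) if e1 > s1 else 0.0


def _ratio_score(a: float, b: float) -> float:
    """1.0 for equal volumes, falling linearly with the relative difference."""
    return 1.0 - abs(a - b) / max(a, b) if max(a, b) > 0 else 1.0


def similarity(log: dict, hist: AnalysisHistory, rule: RuleCondition) -> float:
    """Step S006: mean of the five comparisons the page lists (current vs past, past vs rule)."""
    now = _minutes(log["occurred_at"])
    parts = [
        1.0 if _minutes(hist.time_zone[0]) <= now <= _minutes(hist.time_zone[1]) else 0.0,
        _ratio_score(log["traffic"], hist.traffic),
        _zone_overlap(hist.time_zone, rule.time_zone),
        _ratio_score(hist.traffic, rule.traffic),
        1.0 if hist.target == rule.target else 0.0,
    ]
    return sum(parts) / len(parts)


def select_histories(log: dict, table: List[AnalysisHistory], rule: RuleCondition,
                     threshold: float = 0.8) -> List[AnalysisHistory]:
    """Steps S005-S006: keep rows with the same target type, then those above the threshold."""
    target = resolve_target_type(log)
    candidates = [h for h in table if h.target == target]           # S005
    scored = [(similarity(log, h, rule), h) for h in candidates]    # S006
    scored.sort(key=lambda sh: -sh[0])
    return [h for score, h in scored if score >= threshold]


def presentation_order(selected: List[AnalysisHistory]) -> List[AnalysisHistory]:
    """Step S007: rows needing a response first, 'report to customer' rows ahead of the rest."""
    return sorted(selected, key=lambda h: (not h.response_required, "report to customer" not in h.response))


def support_analysis(log: dict, table: List[AnalysisHistory] = DOS_HISTORY,
                     rule: RuleCondition = DOS_RULE) -> List[int]:
    """Whole S003-S007 path; returns analysis history numbers in the order shown to the operator."""
    if not is_attack_notification(log):
        return []
    return [h.number for h in presentation_order(select_histories(log, table, rule))]


# Constructed detection log 301 (FIG. 9): DoS at 10:18 against the Web server, 5500 accesses/min,
# and a constructed periodic log with a blank warning name.
CURRENT_LOG = {"warning_name": "DoS", "occurred_at": time(10, 18), "dst_ip": "192.0.2.10", "traffic": 5500.0}
HEARTBEAT_LOG = {"warning_name": "", "occurred_at": time(10, 20), "dst_ip": "", "traffic": 0.0}

if __name__ == "__main__":
    print(support_analysis(CURRENT_LOG))    # [1, 4, 3]
    print(support_analysis(HEARTBEAT_LOG))  # []
```

The constructed rows reproduce the page's outcome: rows 1, 3, 4, 5 and 10 survive the step S005 filter on the Web server, rows 1, 3 and 4 clear the threshold, and the step S007 reordering moves the two "report to customer" rows ahead of row 3, giving [1, 4, 3]. One caveat the page does not spell out: when no row clears the threshold the list is empty, and the operator should read that as "no precedent", not as "no action required".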
- the processor 101 illustrated in FIG. 10 is an IC (Integrated Circuit) that performs processing.
- the processor 101 is a CPU, a DSP (Digital Signal Processor), or the like.
- the storage device 102 illustrated in FIG. 3 is a random access memory (RAM), a read only memory (ROM), a flash memory, a hard disk drive (HDD), or the like.
- a network interface 103 illustrated in FIG. 3 is an electronic circuit that executes data communication processing.
- the network interface 103 is, for example, a communication chip or a NIC (Network Interface Card).
- the storage device 102 also stores an OS (Operating System). Then, at least a part of the OS is executed by the processor 101.
- the processor 101 executes a program that implements the functions of the warning information collection unit 02, the monitoring information collection unit 03, the analysis information calculation unit 04, and the warning importance degree estimation unit 05 while executing at least a part of the OS.
- As the processor 101 executes the OS, task management, memory management, file management, communication control and the like are performed. Further, at least one of the information, data, signal values, and variable values indicating the results of processing of the warning information collection unit 02, the monitoring information collection unit 03, the analysis information calculation unit 04, and the warning importance degree estimation unit 05 is stored in the storage device 102.
- the programs for realizing the functions of the warning information collection unit 02, the monitoring information collection unit 03, the analysis information calculation unit 04, and the warning importance degree estimation unit 05 may be stored in a portable storage medium such as a magnetic disk, a flexible disk, an optical disk, a compact disc, a Blu-ray (registered trademark) disc, or a DVD.
- the “unit” of the warning information collection unit 02, the monitoring information collection unit 03, the analysis information calculation unit 04, and the warning importance degree estimation unit 05 may be read as “circuit”, “step”, “procedure”, or “process”.
- the attack activity analysis support device 01 may be realized by a processing circuit.
- the processing circuit is, for example, a logic integrated circuit (IC), a gate array (GA), an application specific integrated circuit (ASIC), or a field-programmable gate array (FPGA).
- the warning information collection unit 02, the monitoring information collection unit 03, the analysis information calculation unit 04, and the warning importance degree estimation unit 05 are each realized as part of a processing circuit.
- in this specification, “processing circuit” is also used as the superordinate concept of the processor, the memory, the combination of the processor and the memory, and the processing circuit described above. That is, the processor, the memory, the combination of the processor and the memory, and the processing circuit are each specific examples of the “processing circuit”.
- 01 attack activity analysis support device, 02 warning information collection unit, 03 monitoring information collection unit, 04 analysis information calculation unit, 05 warning importance degree estimation unit, 06 warning information storage unit, 07 monitoring information storage unit, 08 analysis history storage unit, 09 input device, 10 display device, 11 firewall, 12 intrusion detection device, 13 proxy server, 14 monitored object, 15 monitored object, 16 external network, 17 DMZ network, 18 internal network, 101 processor, 102 storage device, 103 network interface, 104 display interface, 105 input interface.
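The embodiment above describes selecting, from the analysis history table, the past attack activities whose detection situation best matches the current detection, presenting them to the operator in that order, and then recording the operator's decision as a new history record. The following is an added example written for this page, not code from the patent or its applicant: the record fields, the situation attributes (`segment`, `asset`, `direction`, `business_hours`), the per-rule premises and the scoring weights are all constructed assumptions, since the patent does not specify how the situations are compared.

```python
"""Added example (not the patent's own code): ranks past analysis-history
records by how well their detection situation matches the current detection,
then appends the operator's chosen response as a new record.

All record fields, situation attributes, rule premises and weights are
constructed assumptions for illustration; the patent leaves them unspecified.
"""
from dataclasses import dataclass


@dataclass
class AnalysisHistory:
    number: int            # analysis history number
    rule: str              # detection rule that fired
    situation: dict        # constructed attributes of the detection situation
    response_action: str   # response action the operator took at the time


@dataclass
class Detection:
    rule: str
    situation: dict


# Constructed stand-in for the analysis history table (table 203 in the
# patent): past attack activities and the response actions taken for them.
HISTORY_TABLE = [
    AnalysisHistory(1, "outbound-c2-beacon",
                    {"segment": "internal", "asset": "workstation",
                     "direction": "outbound", "business_hours": False},
                    "isolate host; collect memory image"),
    AnalysisHistory(3, "outbound-c2-beacon",
                    {"segment": "dmz", "asset": "proxy",
                     "direction": "outbound", "business_hours": True},
                    "block destination at firewall; review proxy logs"),
    AnalysisHistory(4, "port-scan",
                    {"segment": "internal", "asset": "workstation",
                     "direction": "lateral", "business_hours": False},
                    "quarantine host; check for credential theft"),
]

# Constructed: the situation each detection rule presupposes.
RULE_PREMISES = {
    "outbound-c2-beacon": {"direction": "outbound"},
    "port-scan": {"direction": "lateral"},
}

# Constructed weights: where and what was hit matter more than when.
WEIGHTS = {"segment": 2, "asset": 2, "direction": 1, "business_hours": 1}


def similarity(current: Detection, past: AnalysisHistory) -> int:
    """Score how closely a past record's detection situation matches the current one.

    A matching detection rule counts most, each matching situation attribute
    adds its weight, and a past record whose situation contradicts the premise
    of the current rule is penalised so it sinks in the ranking.
    """
    score = 5 if past.rule == current.rule else 0
    for key, weight in WEIGHTS.items():
        if key in current.situation and current.situation[key] == past.situation.get(key):
            score += weight
    for key, value in RULE_PREMISES.get(current.rule, {}).items():
        if past.situation.get(key) != value:
            score -= 3
    return score


def rank_history(current: Detection, table: list) -> list:
    """Return the history records from most to least relevant to the current
    detection; ties keep the original analysis-history order."""
    return sorted(table, key=lambda h: -similarity(current, h))


def record_decision(table: list, current: Detection, action: str) -> AnalysisHistory:
    """After the operator decides, append the current detection and the action
    taken as a new record so that later detections can be matched against it."""
    new = AnalysisHistory(max(h.number for h in table) + 1,
                          current.rule, dict(current.situation), action)
    table.append(new)
    return new


if __name__ == "__main__":
    # Constructed current detection: a beacon alert raised on the DMZ proxy.
    current = Detection("outbound-c2-beacon",
                        {"segment": "dmz", "asset": "proxy",
                         "direction": "outbound", "business_hours": True})
    for h in rank_history(current, HISTORY_TABLE):
        print(h.number, similarity(current, h), h.response_action)
    record_decision(HISTORY_TABLE, current, "block destination; review proxy logs")
```

With the constructed input, the records are presented as 3, 1, 4 rather than the stored order 1, 3, 4: the DMZ proxy beacon from history 3 outranks the internal workstation beacon, and the port scan, whose situation contradicts the beacon rule's premise, falls to the bottom. The negative score for a contradicted premise is the part worth keeping in a real implementation: a record that shares incidental attributes (same segment, same asset) but was raised under an incompatible rule should not be offered as a precedent.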
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- Virology (AREA)
- General Health & Medical Sciences (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201780093404.1A CN110959158A (zh) | 2017-08-02 | 2017-12-06 | 信息处理装置、信息处理方法和信息处理程序 |
| EP17920534.9A EP3657371A1 (en) | 2017-08-02 | 2017-12-06 | Information processing device, information processing method, and information processing program |
| US16/634,832 US20210117538A1 (en) | 2017-08-02 | 2017-12-06 | Information processing apparatus, information processing method, and computer readable medium |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| JP2017150179A JP6656211B2 (ja) | 2017-08-02 | 2017-08-02 | 情報処理装置、情報処理方法及び情報処理プログラム |
| JP2017-150179 | 2017-08-02 | | |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2019026310A1 true WO2019026310A1 (ja) | 2019-02-07 |
Family
ID=65232423
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/JP2017/043869 Ceased WO2019026310A1 (ja) | 2017-08-02 | 2017-12-06 | 情報処理装置、情報処理方法及び情報処理プログラム |
Country Status (5)
| Country | Link |
|---|---|
| US (1) | US20210117538A1 |
| EP (1) | EP3657371A1 |
| JP (1) | JP6656211B2 |
| CN (1) | CN110959158A |
| WO (1) | WO2019026310A1 |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2021019636A1 (ja) * | 2019-07-29 | 2021-02-04 | オムロン株式会社 | セキュリティ装置、インシデント対応処理方法、プログラム、及び記憶媒体 |
Families Citing this family (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US11736497B1 (en) * | 2018-03-19 | 2023-08-22 | Bedrock Automation Platforms Inc. | Cyber security platform and method |
| JP7276347B2 (ja) * | 2018-09-26 | 2023-05-18 | 日本電気株式会社 | 情報処理装置、制御方法、及びプログラム |
| JP7186637B2 (ja) * | 2019-02-21 | 2022-12-09 | 三菱電機株式会社 | 検知ルール群調整装置および検知ルール群調整プログラム |
| JP7287484B2 (ja) * | 2019-10-28 | 2023-06-06 | 日本電気株式会社 | 情報処理装置、表示方法、及びプログラム |
| CN112003824B (zh) * | 2020-07-20 | 2023-04-18 | 中国银联股份有限公司 | 攻击检测方法、装置及计算机可读存储介质 |
| US11811520B2 (en) * | 2020-12-10 | 2023-11-07 | International Business Machines Corporation | Making security recommendations |
| JP7574668B2 (ja) * | 2021-01-27 | 2024-10-29 | セイコーエプソン株式会社 | 電子機器及び電子機器の制御方法 |
| JPWO2023112382A1 * | 2021-12-15 | 2023-06-22 | | |
| US20240114001A1 (en) * | 2022-10-03 | 2024-04-04 | Bank Of America Corporation | System and method for server monitoring and problem resolution for electronic mail messages |
| JP7824211B2 (ja) * | 2022-12-28 | 2026-03-04 | 株式会社オービック | 異常検知支援装置、異常検知支援方法、及び異常検知支援プログラム |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP4661512B2 (ja) | 2004-11-05 | 2011-03-30 | 株式会社日立製作所 | 遠隔メンテナンスシステム,モニタリングセンター計算機及びメンテナンス指示方法 |
| JP2011076161A (ja) * | 2009-09-29 | 2011-04-14 | Nomura Research Institute Ltd | インシデント管理システム |
| JP2013011949A (ja) | 2011-06-28 | 2013-01-17 | Nippon Telegr & Teleph Corp <Ntt> | 特徴情報抽出装置、特徴情報抽出方法および特徴情報抽出プログラム |
| WO2016147403A1 (ja) * | 2015-03-19 | 2016-09-22 | 三菱電機株式会社 | 情報処理装置及び情報処理方法及び情報処理プログラム |
| JP2016184358A (ja) | 2015-03-26 | 2016-10-20 | 株式会社日立システムズ | データ分析システム |
Family Cites Families (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8655823B1 (en) * | 2011-03-23 | 2014-02-18 | Emc Corporation | Event management system based on machine logic |
| US9043903B2 (en) * | 2012-06-08 | 2015-05-26 | Crowdstrike, Inc. | Kernel-level security agent |
| JP5972401B2 (ja) * | 2013-01-21 | 2016-08-17 | 三菱電機株式会社 | 攻撃分析システム及び連携装置及び攻撃分析連携方法及びプログラム |
| US9276945B2 (en) * | 2014-04-07 | 2016-03-01 | Intuit Inc. | Method and system for providing security aware applications |
2017
- 2017-08-02 JP JP2017150179A patent/JP6656211B2/ja active Active
- 2017-12-06 US US16/634,832 patent/US20210117538A1/en not_active Abandoned
- 2017-12-06 EP EP17920534.9A patent/EP3657371A1/en not_active Withdrawn
- 2017-12-06 WO PCT/JP2017/043869 patent/WO2019026310A1/ja not_active Ceased
- 2017-12-06 CN CN201780093404.1A patent/CN110959158A/zh not_active Withdrawn
Non-Patent Citations (1)
| Title |
|---|
| See also references of EP3657371A4 * |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2021019636A1 (ja) * | 2019-07-29 | 2021-02-04 | オムロン株式会社 | セキュリティ装置、インシデント対応処理方法、プログラム、及び記憶媒体 |
| JPWO2021019636A1 * | 2019-07-29 | 2021-02-04 | | |
| JP7318710B2 (ja) | 2019-07-29 | 2023-08-01 | オムロン株式会社 | セキュリティ装置、インシデント対応処理方法、プログラム、及び記憶媒体 |
Also Published As
| Publication number | Publication date |
|---|---|
| JP6656211B2 (ja) | 2020-03-04 |
| CN110959158A (zh) | 2020-04-03 |
| JP2019028891A (ja) | 2019-02-21 |
| EP3657371A4 (en) | 2020-05-27 |
| US20210117538A1 (en) | 2021-04-22 |
| EP3657371A1 (en) | 2020-05-27 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP6656211B2 (ja) | | 情報処理装置、情報処理方法及び情報処理プログラム |
| US12166786B1 (en) | | Malware detection verification and enhancement by coordinating endpoint and malware detection systems |
| US11936666B1 (en) | | Risk analyzer for ascertaining a risk of harm to a network and generating alerts regarding the ascertained risk |
| JP5972401B2 (ja) | | 攻撃分析システム及び連携装置及び攻撃分析連携方法及びプログラム |
| US10728264B2 (en) | | Characterizing behavior anomaly analysis performance based on threat intelligence |
| US9444834B2 (en) | | Method and system for detecting behavior of remotely intruding into computer |
| EP4275347B1 (en) | | Systems, devices, and methods for observing and/or securing data access to a computer network |
| CN103701795A (zh) | | 拒绝服务攻击的攻击源的识别方法和装置 |
| EP4091084B1 (en) | | Endpoint security using an action prediction model |
| JP6717206B2 (ja) | | マルウェア対策装置、マルウェア対策システム、マルウェア対策方法、及び、マルウェア対策プログラム |
| US20150222648A1 (en) | | Apparatus for analyzing the attack feature dna and method thereof |
| JP2009223375A (ja) | | 悪性Webサイト判定装置、悪性Webサイト判定システム、それらの方法、プログラム |
| US12062098B2 (en) | | Systems and methods for detecting and mitigating cyber security threats |
| EP3353983B1 (en) | | Method and system with a passive web application firewall |
| JP2018169643A (ja) | | セキュリティ運用システム、セキュリティ運用管理装置およびセキュリティ運用方法 |
| US20170200011A1 (en) | | System and Method for Tracing Data Access and Detecting Abnormality in the Same |
| WO2020195230A1 (ja) | | 分析システム、方法およびプログラム |
| US11503060B2 (en) | | Information processing apparatus, information processing system, security assessment method, and security assessment program |
| US20250045385A1 (en) | | System and method for terminating ransomware based on detection of anomalous data |
| KR102366846B1 (ko) | | 데이터유출 탐지 보안 시스템 및 방법 |
| CN111147497B (zh) | | 一种基于知识不对等的入侵检测方法、装置以及设备 |
| JP7424395B2 (ja) | | 分析システム、方法およびプログラム |
| JP5386015B1 (ja) | | バグ検出装置およびバグ検出方法 |
| JP5731586B2 (ja) | | ツールバーを介した二重アンチフィッシング方法及びアンチフィッシングサーバ |
| JP7405162B2 (ja) | | 分析システム、方法およびプログラム |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17920534; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | ENP | Entry into the national phase | Ref document number: 2017920534; Country of ref document: EP; Effective date: 20200219 |