WO2019146346A1 - Security system, security operation method, and general incident management device - Google Patents

Security system, security operation method, and general incident management device

Info

Publication number
WO2019146346A1
Authority
WO
WIPO (PCT)
Prior art keywords
incident
management device
response processing
execution
response
Prior art date
Application number
PCT/JP2018/047563
Other languages
English (en)
Japanese (ja)
Inventor
中村 修
砂原 秀樹
賢郎 近藤
康広 藤井
哲郎 鬼頭
翔太 藤井
倫宏 重本
Original Assignee
株式会社日立製作所
学校法人慶應義塾
Priority date
Filing date
Publication date
Application filed by 株式会社日立製作所, 学校法人慶應義塾
Publication of WO2019146346A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Definitions

  • The present invention relates to technology for controlling the execution of incident response processing (a response) when an incident occurs.
  • An incident management device in charge of security is installed in the system.
  • A manager of the incident management device or the like controls the execution of the processing corresponding to the incident that has occurred (incident response processing: alert, analysis, judgment, response, etc.).
  • When dealing with an incident, the administrator arranges for and acquires the log data and the like of the device where the incident occurred, which are necessary for the analysis processing, from another system that manages such log data. The acquired log data and the like are then transmitted to a system that performs the analysis process, the analysis is executed, and various processes by the administrator, such as dealing with the incident, take place based on the analysis result.
  • A security system for preventing unauthorized intrusion into a network system is known (see, for example, Patent Document 1).
  • The present invention has been made in view of the above-described circumstances, and an object thereof is to provide technology capable of quickly executing an incident response process when an incident occurs.
  • A security system comprises one or more incident management devices that manage security in a predetermined management target system, a general incident management device that manages the one or more incident management devices, and at least one response processing apparatus capable of executing an incident response process, which is a process corresponding to an incident. When the incident management apparatus detects the occurrence of an incident, it notifies the general incident management device of the occurrence.
  • When the general incident management device receives the notification of the occurrence of the incident from the incident management device, it transmits a request to execute the incident handling process corresponding to the incident to the response processing device.
  • The response processing apparatus includes a processing execution unit that executes the incident response process.
  • FIG. 1 is an overall configuration diagram of a security system according to an embodiment.
  • FIG. 2 is a block diagram of a general incident management device according to an embodiment.
  • FIG. 3 is a diagram illustrating an execution procedure of the incident response process according to an embodiment.
  • FIG. 4 is a diagram showing an example of process request information according to an embodiment.
  • FIG. 5 is a block diagram of an address management table according to an embodiment.
  • FIG. 6 is a configuration diagram of an information disclosure contract management table according to an embodiment.
  • FIG. 7 is a configuration diagram of a capability list table according to an embodiment.
  • FIG. 8 is a flowchart of an incident occurrence process according to an embodiment.
  • FIG. 9 is a detailed flowchart of step S308 in the incident occurrence processing according to an embodiment.
  • FIG. 10 is a detailed flowchart of step S311 in incident occurrence processing according to an embodiment.
  • FIG. 11 is a flowchart of an incident occurrence process according to a modification.
  • Information may be described using the expression "AAA table", but the information may be expressed by any data structure. That is, the "AAA table" can be called "AAA information" to indicate that the information does not depend on the data structure.
  • Processing may be described with a "program" as the subject, but the program is executed by an arithmetic unit (a processor, for example a CPU (Central Processing Unit)) to perform the predetermined processing.
  • The subject of the processing may therefore be the arithmetic unit (or a processor, an apparatus or system having the processor, or the like), using a storage unit (for example, memory) and/or an interface device (for example, a communication port) as appropriate.
  • the arithmetic unit may also include a dedicated hardware circuit that performs part or all of the processing.
  • the program may be installed on a device such as a computer from a program source.
  • the program source may be, for example, a program distribution server or a computer readable storage medium.
  • two or more programs may be realized as one program, or one program may be realized as two or more programs.
  • FIG. 1 is an overall configuration diagram of a security system according to an embodiment.
  • the security system 1 includes a plurality of field systems 10 (10A, 10B, 10X).
  • the field systems 10A, 10B and 10X are connected via the network 40.
  • the network 40 is a communication path such as a LAN (Local Area Network) or a WAN (Wide Area Network).
  • the on-site system 10A (on-site system A) includes a firewall 100, a general incident management apparatus 101, a server 102, a security information event management (SIEM) 103, and a terminal 104.
  • the firewall 100 is disposed at the leading end of the network 40 of the on-site system A, and controls whether the communication from the network 40 to the inside of the on-site system 10A and the communication from the inside of the on-site system 10A to the network 40 are possible.
  • the terminal 104 executes various processes based on the user's instruction.
  • the server 102 provides the terminal 104 with various functions.
  • the server 102 also stores, for example, a log of communication by each terminal 104 and a log of processing.
  • The SIEM 103 acquires a log or the like from the server 102 and analyzes it to detect the occurrence of a security incident (also simply referred to as an incident), and outputs an alert indicating the occurrence of the incident to the general incident management apparatus 101.
  • When the general incident management device 101 receives an alert from the field system 10A to which it belongs, or receives an alert from the incident management device 105 of another field system 10, it controls the execution of the processing to be performed in response to the incident corresponding to the alert (incident response processing).
  • the field systems 10B and 10X each include a firewall 100, a server 102, a security information event management (SIEM) 103, a terminal 104, and an incident management apparatus 105 as an example of an incident processing apparatus.
  • When the incident management device 105 receives an alert from the SIEM 103 of the on-site system 10 to which it belongs, it notifies the general incident management device 101 of the type of the alert and of the procedure (execution contents) for executing the incident handling process corresponding to the incident indicated by the alert. Note that the incident management device 105 may itself execute those parts of the incident handling process that it is able to execute, and may notify the general incident management device 101 only of the execution procedure of the processing that it cannot execute itself.
  • FIG. 2 is a block diagram of a general incident management device according to an embodiment.
  • the general incident management device 101 is configured of, for example, a PC (Personal Computer) or a server device, and includes an arithmetic device 200, a memory 201, and a storage device 202.
  • the memory 201 is an example of a capability information storage unit, an information disclosure information storage unit, and an access information storage unit.
  • the arithmetic device 200 includes, for example, one or more processors (CPUs (Central Processing Units)), and executes various processes in accordance with a program stored in the memory 201.
  • the storage device 202 is, for example, a hard disk or a flash memory, and stores a program executed by the computing device 200 and data used by the computing device 200.
  • the memory 201 is, for example, a RAM (RANDOM ACCESS MEMORY), and stores a program executed by the arithmetic device 200 and necessary information.
  • The memory 201 stores a situation analysis program 211, a response determination program 212, a response subject determination program 213, an authentication authorization program 214, a response execution program 215, an address management table 216, an information disclosure contract management table 217, and a capability list table 218.
  • the situation analysis program 211 configures a functional unit by being executed by the computing device 200, and determines whether the received alert is a false alarm.
  • the response determination program 212 configures a functional unit (an example of a process determination unit) by being executed by the arithmetic device 200, and determines an incident handling process (response) to be performed on an incident indicated by an alert.
  • The response subject determination program 213 configures a functional unit (an execution device determination unit, an example of an execution availability confirmation unit) by being executed by the computing device 200, and determines the device that executes the incident response processing (in the present embodiment, for example, an incident management device 105).
  • The authentication approval program 214 configures a functional unit (an example of a process execution request unit, a transmission control unit, and a result display control unit) by being executed by the arithmetic device 200, and transmits an execution request for the incident handling process to the determined device.
  • The response execution program 215 configures a functional unit (an example of a processing execution unit) by being executed by the arithmetic device 200, and executes at least one of the incident response processes.
  • the incident management device 105 includes an arithmetic device 200, a memory 201, and a storage device 202.
  • the memory 201 may store the response execution program 215.
  • The response execution program 215 of the incident management device 105 constitutes a functional unit (an example of a notification unit and an execution result transmission unit) when executed by the computing device 200, and has a function of notifying the general incident management device 101 of the type of the alert and of the procedure for executing the incident response process corresponding to the incident indicated by the alert.
  • FIG. 3 is a diagram illustrating an execution procedure of the incident response process according to an embodiment.
  • FIG. 3 shows the execution procedure of the incident response process when, for example, virus infection of a terminal 104, inflow of illegal packets at the firewall 100, outflow of illegal packets at the firewall 100, and occurrence of a DoS attack are assumed as incidents. For any one incident, a part of these execution procedures is selected and executed.
  • Examples of incident response processing in the initial response of the first stage include alert content confirmation, log analysis, and PCAP (Packet Capture) analysis.
  • the incident response process in the second stage policy determination includes, for example, service suspension range determination and participant gathering.
  • Examples of incident response processing in the third stage primary handling include evidence collection and service suspension.
  • Incident response processing in the fourth stage of detailed analysis includes, for example, analysis of intrusion methods, malware analysis, forensics, business impact analysis, and countermeasure planning. Examples of the incident response process in the fifth stage of the root countermeasure are restoration and updating.
  • the incident response process in the sixth stage report includes, for example, report creation and reporting inside and outside the company.
  • FIG. 4 is a diagram showing an example of process request information according to an embodiment.
  • the processing request information is information transmitted from the general incident management apparatus 101 to the incident management apparatus 105 determined as an apparatus for executing the incident handling process.
  • the request processing information stores the incident handling processing name to be requested.
  • the first request processing information indicates an example in the case of requesting analysis of an intrusion signature as the incident response processing.
  • FIG. 5 is a block diagram of an address management table according to an embodiment.
  • The address management table 216 stores an entry for each incident management device in the field systems under management.
  • the entry of the address management table 216 includes fields of an entry number 2161, an organization name 2162, and an address 2163 of an incident management apparatus.
  • the entry number 2161 stores the number of the entry.
  • the organization name 2162 stores the name (organization name) of the organization that is the entity that manages the field system 10 including the incident management device 105 corresponding to the entry.
  • the address 2163 of the incident management device stores the address (for example, an IP address) of the incident management device 105 corresponding to the entry.
  • FIG. 6 is a configuration diagram of an information disclosure contract management table according to an embodiment.
  • The organization names of the information disclosure sources are arranged along the vertical axis and the organization names of the information disclosure destinations along the horizontal axis; the cell at each intersection stores the content of the contract regarding information disclosure between that disclosure source and that disclosure destination. For example, in the case of disclosure from company A to company B, the table indicates that partial disclosure with personal information deleted is permitted by contract, and in the case of disclosure from company A to organization 1, it indicates that the contract permits only suspicious files to be disclosed.
  • FIG. 7 is a configuration diagram of a capability list table according to an embodiment.
  • The capability list table 218 manages, for each organization, the incident response processes (security operations) that can be executed in the system managed by that organization, and stores one entry per organization.
  • the entry of the capability list table 218 includes an entry number 2181, an organization name 2182, and an executable security operation 2183.
  • the entry number 2181 stores the number of the entry.
  • the organization name 2182 stores the name of the organization (organization name) corresponding to the entry.
  • Executable security operations 2183 store the security operations executable in the field system 10 (strictly, the incident management device 105) of the organization corresponding to the entry.
  • FIG. 8 is a flowchart of an incident occurrence process according to an embodiment.
  • When the SIEM 103 detects the occurrence of an incident in the on-site system 10, it transmits an alert indicating the occurrence of the incident to the incident management device 105 in that on-site system 10.
  • the incident management apparatus 105 receives this alert (step S300)
  • the incident management apparatus 105 that has received the alert executes an incident handling process that can be executed by itself corresponding to the initial handling (step S301).
  • the incident management device 105 determines whether the alert indicating the occurrence of the incident has been eliminated or not, that is, whether or not the incident has been resolved by the executed initial response incident response process (step S302). As a result, when the incident is resolved (step S302: YES), there is no need to execute any further processing, and the incident management device 105 ends the incident occurrence processing.
  • If the incident has not been resolved (step S302: NO), the response execution program 215 of the incident management device 105 transmits incident information to the general incident management device 101 (step S304); the incident information includes the type of the alert and the content of the incident response process, corresponding to the incident indicated by the alert, that has not yet been executed.
  • The situation analysis program 211 (precisely, the computing device 200 executing the situation analysis program 211) of the general incident management device 101 analyzes the situation based on the received incident information (step S304).
  • In the situation analysis it may be analyzed whether the alert is a false alarm. Note that the situation analysis program 211 may immediately end the process when the alert is determined to be a false alarm.
  • the response determination program 212 of the general incident management device 101 determines the execution procedure (execution content) of the incident handling process (response) to be executed, based on the type of alert of the received incident information (step S308).
  • The response subject determination program 213 of the general incident management device 101 transmits a notification (offer notification) to recruit incident management devices 105 that can actually execute the determined incident response process (step S309).
  • The response subject determination program 213 refers to the capability list table 218 and identifies one or more organizations having an incident management device functionally capable of executing the determined incident response process.
  • The response subject determination program 213 then refers to the information disclosure contract management table 217 and confirms, for each identified organization, whether there is an information disclosure contract between that organization and the organization that owns the on-site system to which the incident management apparatus 105 that reported the incident belongs, under which the information necessary for the determined incident response process can be passed; it selects the organizations for which such a contract exists.
  • The response subject determination program 213 refers to the address management table 216 and acquires the addresses of the incident management apparatuses 105 of the one or more selected organizations.
  • The response subject determination program 213 transmits, to all the acquired addresses, a solicitation notification asking whether execution of the determined incident response process is possible.
  • The response subject determination program 213 performs the same procedure as described above for each incident response process to be executed.
  • If the incident management apparatus 105 that has received the solicitation notification can execute the incident handling process, it transmits a response to that effect to the general incident management apparatus 101.
  • The response subject determination program 213 determines the incident management apparatus 105 that made the response to be the incident management apparatus 105 that executes the incident response process, and notifies the authentication approval program 214 accordingly.
  • The authentication approval program 214 that has received the notification transmits a request to execute the incident handling process to the determined incident management device 105 (step S310). Note that if it is determined that different incident management apparatuses 105 are to execute a plurality of incident response processes, each incident management apparatus 105 is sent a request to execute the incident response process assigned to it.
  • The authentication approval program 214 also arranges for the execution request destination to be able to acquire the information it needs. Specifically, when there is information necessary for the requested incident response process, the authentication approval program 214 may instruct the device or the like storing that information to transmit it to the incident management device 105 of the execution request destination and notify that destination that the information is being sent, or it may instruct the incident management apparatus 105 of the execution request destination to obtain the information from the device or the like storing it.
  • the response execution program 215 of the incident management device 105 that has received the execution request executes the incident handling process based on the execution request (step S311).
  • the response execution program 215 transmits the execution result of the incident handling process to the general incident management device 101 (step S312).
  • the processing results of all the incident handling processes determined to be executed are collected.
  • The authentication approval program 214 of the general incident management apparatus 101 causes each execution result to be displayed on a display device (not shown).
  • Next, the details of step S308 of the incident occurrence process will be described.
  • FIG. 9 is a detailed flowchart of step S308 in the incident occurrence processing according to an embodiment.
  • The response determination program 212 of the general incident management device 101 instructs the incident management device 105 of the on-site system involved in the incident to collect evidence information about the incident, based on the type of the alert in the received incident information (step S3081).
  • The response determination program 212 of the general incident management device 101 then performs, according to the type of alert included in the incident information, at least one of a necessity determination for analysis of the intrusion method (S3082), a necessity determination for analysis of malware (S3083), a necessity determination for forensics (S3084), and a necessity determination for analysis of the business impact (S3085), and thereafter, based on the results of steps S3082 to S3085, performs a necessity determination for planning the implementation method of countermeasures (S3086). Each process determined to be necessary by these steps is an incident response process that needs to be performed.
  • Next, the details of step S311 of the incident occurrence process will be described.
  • FIG. 10 is a detailed flowchart of step S311 in incident occurrence processing according to an embodiment.
  • The response execution program 215 of the incident management apparatus 105 executes whichever of the analysis of the intrusion method (step S3111), the analysis of the malware (step S3112), the forensics (step S3113), and the analysis of the business impact (step S3114) were received in the execution request, and thereafter executes the planning of the implementation method of countermeasures (step S3115). As a result, the incident response processes for which the execution request was received are executed.
  • In the security system 1, when an incident occurs and an alert is raised in a certain on-site system 10, the incident management device 105 of that on-site system 10 notifies the general incident management apparatus 101, and the necessary incident response processing can be distributed to other incident management apparatuses 105. Thereby, the necessary incident response processing can be performed promptly and appropriately. Further, since the log data and the like necessary for the incident handling process can be acquired by the incident management device 105 that executes the process without passing through the general incident management device 101, the load on the general incident management device 101 can be reduced.
  • the security system according to the modification differs from the security system according to the above-described embodiment in part of the functions and part of the processing when an incident occurs.
  • FIG. 11 is a flowchart of an incident occurrence process according to a modification.
  • After step S311, the response execution program 215 of the incident management apparatus 105 that has executed the incident handling process determines whether another system (such as another field system) involved in the incident has been detected by the analysis processes or the like included in the incident handling process (step S313). If no other system involved in the incident is detected (step S313: NO), the response execution program 215 advances the process to step S312.
  • If another system involved in the incident is detected (step S313: YES), the response execution program 215 (specifically, the computing device 200 that executes the response execution program 215: an example of a related system detection unit and an access information transmission unit) acquires the organization name of the detected system, the address of the device (the incident management device 105 in the present embodiment) that executes the incident response processing for that system, and capability information indicating the incident response processes that this incident management device 105 is able to execute (step S314), transmits the acquired organization name, address, and capability information to the general incident management apparatus 101 (step S315), and advances the process to step S312.
  • The response determination program 212 (specifically, the arithmetic apparatus 200 that executes the response determination program 212: an example of an access information addition registration unit) of the general incident management apparatus 101 adds a new entry including the organization name and the address to the address management table 216, and adds an entry including the organization name and the capability information to the capability list table 218. Furthermore, the response determination program 212 adds the acquired organization name to the disclosure sources and the disclosure destinations of the information disclosure contract management table, and sets an information disclosure contract at each intersection of this organization and the other organizations.
  • The information disclosure contract set at this point may have the minimum contract content. Subsequently, when an information disclosure contract is concluded, the content in the table may be changed according to the concluded contract.
  • In this way, a device capable of executing the incident handling process of a newly detected system can be selected as a candidate for executing incident handling processes in later processing, so that a broader range of incident response processing can be handled.
  • In the above embodiment, the incident management apparatus 105 and the general incident management apparatus 101 are configured to be able to execute the incident handling process, but an apparatus that executes the incident handling process (a response processing apparatus) may, for example, be provided separately from the incident management device 105 and the general incident management device 101.
  • In the above embodiment, execution of the incident handling process is solicited, and the execution request is sent to the incident management device 105 that responded to the solicitation; however, an incident management apparatus 105 may also be requested to execute the incident handling process without such a solicitation.
  • In the above embodiment, when determining the request destination of the incident handling process, it is determined whether or not there is an information disclosure contract under which the information necessary for the incident handling process can be passed. The present invention is not limited to this: where only organizations for which information disclosure poses no problem are targeted by the security system, it is not necessary to execute the process of determining whether an information disclosure contract exists, and the information disclosure contract management table needed for that process need not be provided.
  • a part or all of the processing performed by the arithmetic device 200 may be performed by a dedicated hardware circuit.
  • the program in the above embodiment may be installed from a program source.
  • the program source may be a program distribution server or storage medium (eg, portable non-transitory storage medium).
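The selection procedure of steps S309 and S310 (capability list table 218, information disclosure contract management table 217, address management table 216, then solicitation) and the registration of a newly detected organization at step S315 are shown below as an added example; this is not code from the patent or its assignees, and all organization names, addresses, process names, required-information classes and contract contents are constructed sample values. The example models a contract as the set of information classes the source may disclose to the destination, and a process as needing a set of information classes, so that the "contract capable of passing the necessary information" check becomes a subset test.

```python
"""Added example (not from the patent): candidate selection for an incident
response process, modelled on the three tables named in the description.
All organization names, addresses, process names and contract contents
below are constructed sample values."""
from dataclasses import dataclass, field

# Information each incident response process needs from the affected site
# (constructed; the patent only says "information necessary for the process").
REQUIRED_INFO = {
    "intrusion_method_analysis": {"log", "pcap"},
    "malware_analysis": {"suspicious_file"},
    "forensics": {"log", "disk_image"},
}

# Minimum contract content used when a newly detected organization is
# registered (the modification in the description): nothing is disclosable yet.
MINIMUM_CONTRACT = frozenset()


@dataclass
class GeneralIncidentManager:
    # address management table 216: organization -> address of its device
    addresses: dict = field(default_factory=dict)
    # capability list table 218: organization -> executable security operations
    capabilities: dict = field(default_factory=dict)
    # information disclosure contract table 217: (source, destination) ->
    # information classes the source may disclose to the destination
    contracts: dict = field(default_factory=dict)

    def register_organization(self, org, address, operations):
        """Handling of step S315: add entries for an organization reported by an
        incident management device, with minimum contracts to every other org."""
        self.addresses[org] = address
        self.capabilities[org] = set(operations)
        for other in self.addresses:
            if other != org:
                self.contracts.setdefault((other, org), MINIMUM_CONTRACT)
                self.contracts.setdefault((org, other), MINIMUM_CONTRACT)

    def candidates(self, process, source_org):
        """Step S309: organizations able to execute `process` whose contract
        with the affected organization covers the information it needs."""
        needed = REQUIRED_INFO.get(process, set())
        result = []
        for org, ops in self.capabilities.items():
            if process not in ops:
                continue  # not functionally capable (table 218)
            allowed = self.contracts.get((source_org, org), MINIMUM_CONTRACT)
            if not needed <= allowed:
                continue  # contract does not permit passing the needed data (table 217)
            result.append((org, self.addresses[org]))  # address from table 216
        return result

    def solicit(self, process, source_org, responders):
        """Send the solicitation to every candidate address; `responders` is the
        set of organizations whose device answers that it can execute (simulated).
        The returned devices are the execution request destinations (step S310)."""
        return [(org, addr) for org, addr in self.candidates(process, source_org)
                if org in responders]


def build_sample_manager():
    """Constructed sample mirroring the FIG. 6 example: company A may give
    company B partial disclosure (logs and captures with personal data removed)
    and may give organization 1 only suspicious files."""
    m = GeneralIncidentManager()
    m.register_organization("Company A", "192.0.2.1", ["alert_confirmation"])
    m.register_organization("Company B", "192.0.2.10",
                            ["intrusion_method_analysis", "malware_analysis"])
    m.register_organization("Organization 1", "192.0.2.20",
                            ["malware_analysis", "forensics"])
    m.register_organization("Company C", "192.0.2.30", ["forensics"])
    m.contracts[("Company A", "Company B")] = {"log", "pcap"}
    m.contracts[("Company A", "Organization 1")] = {"suspicious_file"}
    return m


if __name__ == "__main__":
    mgr = build_sample_manager()
    for proc in REQUIRED_INFO:
        print(proc, "->", mgr.candidates(proc, "Company A"))
    # A newly detected organization starts with the minimum contract and is
    # only selectable once a contract covering the needed information is set.
    mgr.register_organization("Company D", "192.0.2.40", ["forensics"])
    print("forensics before contract ->", mgr.candidates("forensics", "Company A"))
    mgr.contracts[("Company A", "Company D")] = {"log", "disk_image"}
    print("forensics after contract ->", mgr.candidates("forensics", "Company A"))
```

Note that company C is never selected for forensics even though it is functionally capable, because no contract with company A exists; that is the intended effect of the contract check, and the variant in the description that drops the check would return company C as well.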

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention enables rapid execution of incident response processing when an incident has occurred. A security system 1 comprises: at least one incident management device 105 that manages security and is capable of executing incident response processing; and a global incident management device 101. The incident management device 105 comprises a notification unit that notifies the global incident management device 101 of the occurrence of an incident when the occurrence of an incident has been detected. The global incident management device 101 comprises a processing execution request unit that, upon receiving the incident occurrence notification from the incident management device 105, sends a request to execute the incident response processing corresponding to the incident to another incident management device 105. The other incident management device 105 comprises a processing execution unit that executes the incident response processing.
PCT/JP2018/047563 2018-01-29 2018-12-25 Security system, security operation method, and global incident management device WO2019146346A1 (fr)
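The flow the abstract describes (detection on one device, notification to the global manager, an execution request forwarded to another device), together with the information disclosure contract check mentioned in the description, as an added Python simulation that is not part of the patent; the device names, the response playbook and the contract table are constructed assumptions.

```python
# Added example, not from the patent: simulates device 105 -> device 101 ->
# other device 105 routing of incident response processing, gated by an
# information disclosure contract table (all names/values constructed).
from dataclasses import dataclass, field


@dataclass
class Incident:
    incident_id: str
    kind: str          # constructed vocabulary, e.g. "malware_c2"
    source_org: str    # organization whose device detected it


@dataclass
class IncidentManagementDevice:
    """Per-organization device (device 105 in the abstract)."""
    org: str
    capabilities: set                       # response kinds it can execute
    executed: list = field(default_factory=list)

    def notify(self, global_mgr, incident):
        """Notification unit: report the incident to device 101."""
        return global_mgr.on_incident(incident)

    def execute_response(self, incident, response):
        """Processing execution unit: run the requested response."""
        self.executed.append((incident.incident_id, response))
        return True


class GlobalIncidentManagementDevice:
    """Device 101: picks the response and requests other devices to run it."""
    # Assumed playbook mapping incident kind -> response processing.
    PLAYBOOK = {"malware_c2": "block_c2_domain",
                "credential_theft": "reset_credentials"}

    def __init__(self, devices, disclosure_contracts, require_contract=True):
        self.devices = devices
        self.contracts = set(disclosure_contracts)   # frozenset({orgA, orgB})
        self.require_contract = require_contract     # False: contract check omitted

    def _may_share(self, src, dst):
        return not self.require_contract or frozenset((src, dst)) in self.contracts

    def on_incident(self, incident):
        """Processing execution request unit; returns orgs that executed."""
        response = self.PLAYBOOK.get(incident.kind)
        if response is None:
            return []
        executed_by = []
        for dev in self.devices:
            if dev.org == incident.source_org or response not in dev.capabilities:
                continue
            if not self._may_share(incident.source_org, dev.org):
                continue   # no disclosure contract: incident details stay local
            if dev.execute_response(incident, response):
                executed_by.append(dev.org)
        return executed_by
```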

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018012789A JP7012958B2 (ja) 2018-01-29 2018-01-29 Security system, security operation method, and global incident management device
JP2018-012789 2018-01-29

Publications (1)

Publication Number Publication Date
WO2019146346A1 true WO2019146346A1 (fr) 2019-08-01

Family

ID=67395849

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/047563 WO2019146346A1 (fr) 2018-01-29 2018-12-25 Security system, security operation method, and global incident management device

Country Status (2)

Country Link
JP (1) JP7012958B2 (fr)
WO (1) WO2019146346A1 (fr)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002251374A (ja) * 2000-12-20 2002-09-06 Fujitsu Ltd Information management system, information management method, program for causing a computer to execute the method, and computer-readable recording medium recording the program

Also Published As

Publication number Publication date
JP2019133258A (ja) 2019-08-08
JP7012958B2 (ja) 2022-01-31

Similar Documents

Publication Publication Date Title
US11936666B1 (en) Risk analyzer for ascertaining a risk of harm to a network and generating alerts regarding the ascertained risk
US11240262B1 (en) Malware detection verification and enhancement by coordinating endpoint and malware detection systems
EP3127301B1 (fr) Using trust profiles for network intrusion detection
US8375120B2 (en) Domain name system security network
US7941854B2 (en) Method and system for responding to a computer intrusion
US20100251369A1 (en) Method and system for preventing data leakage from a computer facility
US10142343B2 (en) Unauthorized access detecting system and unauthorized access detecting method
KR20180097527A (ko) Dual memory introspection for securing multiple network endpoints
US20180302430A1 (en) SYSTEM AND METHOD FOR DETECTING CREATION OF MALICIOUS new USER ACCOUNTS BY AN ATTACKER
US8458789B1 (en) System, method and computer program product for identifying unwanted code associated with network communications
JP2006119754A (ja) Network-type virus activity detection program, processing method, and system
JP7204247B2 (ja) Threat response automation method
US9350754B2 (en) Mitigating a cyber-security attack by changing a network address of a system under attack
US11310278B2 (en) Breached website detection and notification
US10291644B1 (en) System and method for prioritizing endpoints and detecting potential routes to high value assets
US20230007013A1 (en) Visualization tool for real-time network risk assessment
US20080184368A1 (en) Preventing False Positive Detections in an Intrusion Detection System
US20140033272A1 (en) Evaluating a security stack in response to a request to access a service
US11693961B2 (en) Analysis of historical network traffic to identify network vulnerabilities
JP2006040196A (ja) Software monitoring system and monitoring method
WO2019146346A1 (fr) Security system, security operation method, and global incident management device
US20200389435A1 (en) Auditing smart bits
WO2015178002A1 (fr) Information processing device, information processing system, and communication history analysis method
WO2020255185A1 (fr) Attack graph processing device, method, and program
KR20100067383A (ko) Server security system and server security method

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18901826

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18901826

Country of ref document: EP

Kind code of ref document: A1