WO2019225232A1 - Monitoring device, monitoring system, and monitoring method - Google Patents


Info

Publication number
WO2019225232A1
Authority
WO
WIPO (PCT)
Prior art keywords
monitoring
detection data
incident
unauthorized
result
Application number
PCT/JP2019/016416
Other languages
French (fr)
Japanese (ja)
Inventor
熊谷 洋子
宏樹 内山
訓 大久保
Original Assignee
株式会社日立製作所

Classifications

    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F11/00 Error detection; Error correction; Monitoring › G06F11/30 Monitoring
    • G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING › G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems › G06F21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS › G08 SIGNALLING › G08B SIGNALLING OR CALLING SYSTEMS; ORDER TELEGRAPHS; ALARM SYSTEMS › G08B25/00 Alarm systems in which the location of the alarm condition is signalled to a central station, e.g. fire or police telegraphic systems
    • G PHYSICS › G08 SIGNALLING › G08B SIGNALLING OR CALLING SYSTEMS; ORDER TELEGRAPHS; ALARM SYSTEMS › G08B25/00 Alarm systems in which the location of the alarm condition is signalled to a central station › G08B25/01 … characterised by the transmission medium › G08B25/04 … using a single signalling line, e.g. in a closed loop

Definitions

  • The present invention relates to a monitoring device, a monitoring system, and a monitoring method that make use of physical security.
  • Because a control system requires higher real-time performance than an information system, installing software on devices and terminals or changing their log output settings may affect existing operations. Log collection also increases the network load, which may likewise affect existing business. For these reasons, it is often difficult for a control system to collect logs from each device or terminal.
  • Patent Literature 1 describes a monitoring device that detects that a terminal device is infected with malware by using entry/exit information to detect the contradiction that the user's terminal behaves suspiciously in a situation where the user cannot be operating it.
  • In that technique, malware infection can be detected by combining entry/exit information acquired from the entry/exit management system with the network information transmitted and received by the terminal device. That is, malware infection can be detected without collecting log information from terminal devices.
  • The technique of Patent Document 1 cannot be used as it is. Moreover, although it can detect behavior after malware infection, it is difficult for it to detect the stage before infection (the intrusion phase). For this reason, in an environment where a large number of operators handle the device, cyber attacks need to be detected at an early stage (in the intrusion phase) without collecting device and terminal logs.
  • The present invention has been made in view of the above circumstances, and an object thereof is to detect an incident on a monitoring target device without collecting a log of the operations performed on that device.
  • To this end, a monitoring apparatus detects an incident on the monitoring target device based on the analysis result of communication information transmitted from the monitoring target device and of image information obtained by photographing the monitoring target device.
  • According to the present invention, an incident on a monitoring target device can be detected without collecting a log of the operations performed on the monitoring target device.
  • FIG. 1 is a block diagram showing a functional configuration of the monitoring system according to the first embodiment.
  • FIG. 2 is a block diagram showing a hardware configuration of the monitoring apparatus of FIG.
  • FIG. 3 is a block diagram showing a hardware configuration of the unauthorized communication preventing apparatus of FIG.
  • FIG. 4 is a diagram showing a processing flow of extracting physical detection data in the monitoring system of FIG.
  • FIG. 5 is a diagram illustrating a configuration example of monitoring information generated by the monitoring camera of FIG.
  • FIG. 6 is a diagram showing detection rules used for extracting the physical detection data of FIG.
  • FIG. 7 is a diagram showing a processing flow for detecting and handling a security incident in the monitoring system of FIG.
  • FIG. 8 is a diagram illustrating a configuration example of cyber detection data generated by each of the unauthorized communication prevention device and the unauthorized connection prevention device of FIG. 1 and physical detection data generated by the video analysis device.
  • FIG. 9 is a flowchart showing processing of the integrated analysis unit of the monitoring apparatus of FIG.
  • FIG. 10 is a diagram showing a display example of the incident status confirmation screen of the monitoring apparatus of FIG.
  • FIG. 11 is a diagram illustrating a processing flow of extracting physical detection data in the monitoring system according to the second embodiment.
  • FIG. 12 is a diagram illustrating a processing flow of security incident detection and response in the monitoring system according to the second embodiment.
  • FIG. 1 is a block diagram illustrating a functional configuration of the monitoring system according to the first embodiment.
  • The monitoring system includes control devices 10 1 to 10 n (n is a positive integer), an unauthorized communication preventing device 20, an unauthorized connection preventing device 30, a monitoring device 40, a monitoring camera 50, and a video analysis device 60.
  • The control device 10 1, the unauthorized communication preventing device 20, the unauthorized connection preventing device 30, the monitoring device 40, the monitoring camera 50, and the video analysis device 60 are connected through a network 70.
  • the control device 10 n is connected to the unauthorized communication prevention device 20.
  • a plurality of unauthorized communication prevention devices 20 and unauthorized connection prevention devices 30 may exist for each network.
  • a plurality of monitoring cameras 50 and video analysis devices 60 may exist.
  • the monitoring camera 50 may be provided for each monitoring target device.
  • the monitoring target device is a device or a terminal that is a detection target of a security incident.
  • Each of the control devices 10 1 to 10 n controls the control system while communicating between the control devices 10 1 to 10 n in a control system used in social infrastructure such as electric power, railway, water supply, gas, and automobiles.
  • Each of the control devices 10 1 to 10 n includes control processing units 101 1 to 101 n that perform control processing, and communication units 102 1 to 102 n that communicate with the network 70, the unauthorized communication prevention device 20, and the like.
  • the unauthorized communication prevention device 20 detects an attack based on communication information transmitted from the monitored device. Attacks can include steps of intrusion, search, expansion, and purpose execution.
  • The unauthorized communication preventing apparatus 20 includes a filtering unit 201 that filters the communication packets input to the apparatus, a detection data generation unit 202 that generates cyber detection data (an alert) when the filtering unit 201 detects unauthorized communication, a policy update unit 203 that updates the filtering policy, and a second communication unit 206 that communicates with the control device 10 n.
  • the filtering policy can define communication contents to be filtered.
  • the cyber detection data is a result of detecting an attack based on communication information transmitted from the monitored device.
  • the unauthorized communication preventing apparatus 20 may have three or more communication units.
  • The unauthorized connection prevention device 30 detects unauthorized connection of the monitored device and generates cyber detection data based on the unauthorized connection detection result.
  • The unauthorized connection prevention device 30 includes an unauthorized connection detection unit 301 that detects that an unauthorized device is connected to the network 70, a detection data generation unit 302 that generates cyber detection data (an alert) when the unauthorized connection detection unit 301 detects an unauthorized connection, a list update unit 303 that updates the legitimate device list referred to by the unauthorized connection detection unit 301, a communication unit 304 that communicates with the network 70, and a legitimate device list storage unit 305 that stores the legitimate device list. For example, the MAC addresses permitted to connect to the network 70 can be registered in the legitimate device list.
  • the monitoring camera 50 generates a monitoring image of the monitoring target device.
  • the monitoring location of the monitoring target device by the monitoring camera 50 can be, for example, an input / output interface portion such as a display screen, a connector and a port of the monitoring target device.
  • the monitoring camera 50 includes a photographing unit 501 that performs photographing processing of a monitoring target, and a communication unit 502 that communicates with the network 70.
  • the video analysis device 60 analyzes image information obtained by photographing the monitoring target device. At this time, the video analysis device 60 can generate physical detection data based on the image information of the monitoring target device. The physical detection data is a result of detecting an attack based on the image information of the monitoring target device.
  • The video analysis device 60 includes a video collection unit 601 that collects the video data captured by the monitoring camera 50, a detection data generation unit 602 that detects unauthorized connection or unauthorized operation from the collected video data, a video storage unit 603 that stores the video data collected by the video collection unit 601, a detection rule storage unit 604 that stores the detection rules referred to by the detection data generation unit 602, and a communication unit 605 that communicates with the monitoring camera 50 and the monitoring device 40.
  • the monitoring device 40 detects an incident of the monitoring target device based on the communication information transmitted from the monitoring target device and the analysis result of the image information obtained by photographing the monitoring target device. At this time, the monitoring device 40 can monitor the incident of the monitoring target device based on the cyber detection data that is the first detection data and the physical detection data that is the second detection data.
  • the monitoring device 40 may collect cyber detection data and physical detection data from the outside, or may generate physical detection data based on image information obtained by photographing the monitoring target device.
  • the monitoring device 40 receives the action information for the interface of the monitoring target device generated based on the image information, and based on the detection rule related to the action information, as a result of detecting an unauthorized connection or an unauthorized operation for the interface, Detection data may be generated.
  • This action information is information related to the operation of the interface of the monitoring target device.
  • The monitoring device 40 includes a detection data collection unit 401 that collects the cyber detection data generated by the unauthorized communication prevention device 20 or the unauthorized connection prevention device 30 and the physical detection data generated by the video analysis device 60.
  • It further includes an integrated analysis unit 402 that detects an incident on the monitored device using the collected cyber detection data and physical detection data, analyzes the cause of the incident, and formulates a recommended measure.
  • It further includes a countermeasure execution unit 403 that, based on the analysis result of the integrated analysis unit 402, requests the unauthorized communication prevention device 20 or the unauthorized connection prevention device 30 to disconnect the device or the network, and a communication unit 404 that communicates with the network 70.
  • It further includes a detection data storage unit 405 that stores the cyber detection data and physical detection data collected by the detection data collection unit 401, and a countermeasure pattern storage unit 406 that stores the list of countermeasures referred to by the integrated analysis unit 402 when planning recommended measures.
  • It further includes an analysis result storage unit 407 that stores the recommended countermeasures for an incident and the importance level of the incident output by the integrated analysis unit 402.
  • It further includes an input/output unit 408 for inputting the result of the user's decision as to whether or not to implement a recommended measure.
  • the importance may be a priority for implementing the recommended measure.
  • Because the monitoring device 40 monitors incidents on the monitoring target device based on the cyber detection data and the physical detection data, security incidents can be detected without collecting a log of the operations performed on the monitoring target device.
  • The unauthorized communication preventing device 20, the unauthorized connection preventing device 30, the monitoring apparatus 40, the monitoring camera 50, and the video analysis apparatus 60 can be introduced into the existing control system provided with the control devices 10 1 to 10 n without affecting the existing work performed in the control system. For this reason, security incidents can be detected early in control systems used in social infrastructure such as electric power, railways, water supply, gas, and automobiles, and appropriate primary measures can be taken before the incident spreads widely.
  • The security of these control systems can thereby be improved.
  • the security incident is an incident related to the security of the monitored device such as infection by malware or the like and unauthorized access from the outside.
  • FIG. 2 is a block diagram showing a hardware configuration of the monitoring apparatus of FIG.
  • the monitoring device 40 includes a communication device 11, an input / output device 12, a storage device 13, a CPU 14, and a memory 15.
  • the communication device 11, the input / output device 12, the storage device 13, the CPU 14, and the memory 15 are connected via an internal communication line 16 such as a bus.
  • the CPU 14 is hardware that controls operation of the entire monitoring device 40.
  • the memory 15 can be composed of, for example, a semiconductor memory such as SRAM or DRAM.
  • the memory 15 can store a program being executed by the CPU 14, or can be provided with a work area for the CPU 14 to execute the program.
  • the storage device 13 is a storage device having a large storage capacity, for example, a hard disk device or an SSD (Solid State Drive).
  • the storage device 13 can hold execution files of various programs and data used for executing the programs.
  • the storage device 13 can store a monitoring program 13A.
  • the monitoring program 13A may be software that can be installed in the monitoring device 40, or may be incorporated in the monitoring device 40 as firmware.
  • the monitoring program 13A may be introduced when necessary via another storage medium or communication medium (a network or a carrier wave propagating through the network).
  • the communication device 11 is hardware having a function of controlling communication with the outside.
  • the communication device 11 is connected to the network 70.
  • the network 70 may be a WAN (Wide Area Network) such as the Internet, a LAN (Local Area Network) such as WiFi, or a mixture of WAN and LAN.
  • the input / output device 12 is a user interface that receives operations from the user and provides the user with various information such as processing progress and processing results.
  • The input / output device 12 is, for example, a keyboard, a mouse, a touch panel, a card reader, a voice input device, a screen display device (liquid crystal monitor, organic EL display, graphics card, etc.), a voice output device (speaker, etc.), a printing device, or the like.
  • The CPU 14 reads the monitoring program 13A into the memory 15 and executes it, thereby detecting an incident on the monitored device based on the cyber detection data and the physical detection data, planning a countermeasure for the incident, and calculating the importance of the incident.
  • the monitoring program 13A can realize the functions of the detection data collection unit 401, the integrated analysis unit 402, and the countermeasure execution unit 403 in FIG.
  • the execution of the monitoring program 13A may be shared by a plurality of processors and computers.
  • the CPU 14 may instruct the cloud computer or the like to execute all or part of the monitoring program 13A via the network 70 and receive the execution result.
  • control devices 10 1 to 10 n , the unauthorized connection prevention device 30, the monitoring device 40, the monitoring camera 50, and the video analysis device 60 in FIG. 1 can also include hardware similar to that in FIG.
  • the CPUs of the control devices 10 1 to 10 n can realize the control processing of the control system by executing the control program.
  • the CPU of the unauthorized connection prevention device 30 can detect unauthorized connection of the monitored device by executing the unauthorized connection prevention program, and can generate cyber detection data based on the unauthorized connection detection result.
  • the CPU of the monitoring camera 50 can generate a monitoring image of the monitoring target device by executing a shooting program.
  • the CPU of the video analysis device 60 can analyze image information obtained by photographing the monitoring target device by executing a video analysis program.
  • FIG. 3 is a block diagram showing a hardware configuration of the unauthorized communication preventing apparatus of FIG. As shown in FIG. 3, the unauthorized communication prevention device 20 includes a first communication device 21 1, a second communication device 21 2, a storage device 22, an output device 23, a CPU 24, and a memory 25.
  • The first communication device 21 1, the second communication device 21 2, the storage device 22, the output device 23, the CPU 24, and the memory 25 are connected via an internal communication line 26 such as a bus.
  • the storage device 22 can store an unauthorized communication prevention program 22A.
  • the first communication device 21 1 is connected to the network 70, the second communication device 21 2 is connected to the control device 10 n.
  • the unauthorized communication prevention device 20 may have three or more communication devices.
  • the unauthorized communication prevention program 22A can realize the functions of the filtering unit 201, the detection data generation unit 202, and the policy update unit 203 of FIG.
  • the execution of the unauthorized communication prevention program 22A may be shared by a plurality of processors and computers.
  • the CPU 24 may instruct the cloud computer or the like to execute all or part of the unauthorized communication prevention program 22A via the network 70 and receive the execution result.
  • Next, a processing flow in the attack detection system for the control system of the present embodiment will be described.
  • The program stored in each storage device of the control devices 10 1 to 10 n, the unauthorized communication prevention device 20, the unauthorized connection prevention device 30, the monitoring device 40, the monitoring camera 50, and the video analysis device 60 is loaded into the respective memory and executed by the respective CPU, and the processing below is carried out by the processing units realized on the devices constituting the attack detection system for the control system.
  • FIG. 4 is a diagram showing a processing flow of extracting physical detection data in the monitoring system of FIG.
  • the monitoring camera 50 monitors (photographs) the interface portion of the control devices 10 1 to 10 n that are the devices to be monitored (S401).
  • the interface include a connector portion for various devices such as USB of each device, a LAN connector portion for network connection, a monitor screen for displaying operation results, and the like.
  • the monitoring camera 50 generates monitoring information A901 including an image obtained by photographing the monitoring target device and sends it to the video analysis device 60 (S402).
  • FIG. 5 is a diagram illustrating a configuration example of monitoring information generated by the monitoring camera of FIG.
  • monitoring information A901 includes date and time A902 taken by the monitoring camera 50, position information A903 of the shooting target, and video information A904.
  • the video analysis device 60 analyzes the video of the monitoring target device and extracts action information for the interface (S403).
  • the video analysis device 60 determines whether or not the action information extracted from the monitoring information A901 matches the detection rule held in the detection rule storage unit 604 (S404). If the action information matches the detection rule (YES in S404), physical detection data A1011 is generated based on the action information and transmitted to the monitoring device 40 (S405). When the physical detection data A1011 is transmitted from the video analysis device 60, the monitoring device 40 receives the physical detection data A1011 (S406). On the other hand, when the action information does not match the detection rule (NO in S404), the video analysis device 60 executes the next video analysis process.
  • FIG. 6 is a diagram showing detection rules used for extracting the physical detection data of FIG.
  • the video analysis device 60 refers to the detection rule in S404 of FIG.
  • the detection rules include two types of rules, a black list 501 and a white list 511.
  • a black list 501 describes a list of actions that are not permitted, and a white list 511 describes a list of actions that are permitted.
  • the black list 501 includes a major classification 502, a minor classification 503, terminal information 504, and a determination rule 505.
  • the white list 511 includes a major classification 512, a minor classification 513, terminal information 514, and a determination rule 515.
  • the major classifications 502 and 512 can describe whether the action to the monitoring target device is connection or operation.
  • the minor classifications 503 and 513 can describe the connection destination on the monitoring target device or the error contents of the monitoring target device.
  • the terminal information 504 and 514 can describe a part (position information) where the action is executed.
  • the determination rule 505 can describe specific contents of actions that are not permitted. For example, as an example of unauthorized connection of an interface of a monitoring target device, a case where a USB memory is inserted into a USB connector can be cited. As an example of the unauthorized operation of the interface of the monitoring target device, there can be mentioned a case where the authentication error screen at the time of login is displayed three times in succession.
  • the determination rule 515 can describe specific contents of permitted actions. For example, as an example where the interface of the monitoring target device is not unauthorized connection, a case where a device with an approved seal is inserted can be cited.
  • FIG. 7 is a diagram showing a processing flow for detecting and handling a security incident in the monitoring system of FIG.
  • When the video analysis apparatus 60 detects an abnormality according to the flow shown in FIG. 4 (S601), it transmits physical detection data A1011 to the monitoring apparatus 40 (S602).
  • When the unauthorized connection prevention device 30 detects an abnormality based on communication information transmitted from the control devices 10 1 to 10 n that are the monitoring target devices (S603), it transmits the detected abnormality content to the monitoring device 40 as cyber detection data A1012 (S604). At this time, the unauthorized connection prevention device 30 receives the MAC addresses transmitted from the control devices 10 1 to 10 n. If the MAC address received from a monitoring target device does not match any MAC address permitted to connect to the network 70, an unauthorized connection of that monitoring target device can be recognized.
  • When the unauthorized communication prevention device 20 detects an abnormality based on the communication information transmitted from the control devices 10 1 to 10 n that are the monitoring target devices (S605), it transmits the detected abnormality content to the monitoring device 40 as cyber detection data A1013 (S606). At this time, the unauthorized communication prevention device 20 receives the communication information transmitted from the control devices 10 1 to 10 n. If the communication information received from a monitoring target device matches the filtering policy, an unauthorized operation of that monitoring target device can be recognized.
  • FIG. 8 is a diagram illustrating a configuration example of cyber detection data generated by each of the unauthorized communication prevention device and the unauthorized connection prevention device of FIG. 1 and physical detection data generated by the video analysis device.
  • the detection data A1001 includes an alert occurrence date and time A1002, an alert item A1003, and alert related information A1004.
  • the alert item A1003 can describe the type of the detection data A1001.
  • the type of the detection data A1001 can indicate, for example, whether the detection data A1001 is physical detection data or cyber detection data.
  • the alert-related information A1004 can describe the location and content of unauthorized connection or unauthorized operation.
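The detection-rule check of S404 (FIG. 6) producing physical detection data in the FIG. 8 layout, as an added example that is not part of the patent and not Hitachi's code. It assumes constructed rule tables built from the two black-list examples (USB memory in a USB connector, three consecutive login authentication errors) and the white-list example (device with an approved seal) the page gives, and keeps a per-terminal streak so the "three times in succession" rule can be evaluated.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Action:
    """Action information extracted from a frame (S403). Field names follow
    FIG. 6; timestamp is the photographing date/time A902 of the frame."""
    timestamp: str
    major: str                          # major classification: "connection" or "operation"
    minor: str                          # minor classification: connection destination / error content
    terminal: str                       # terminal information: part of the device where it happened
    attributes: frozenset = frozenset() # extra visual cues, e.g. "approved_seal" (constructed)


@dataclass(frozen=True)
class Rule:
    major: str
    minor: str
    terminal: str
    description: str
    repeat: int = 1                     # consecutive occurrences needed to match
    requires: frozenset = frozenset()   # attributes that must be visible for the rule to apply


# Constructed rule tables modelled on determination rule 505 (black list 501)
# and determination rule 515 (white list 511).
BLACK_LIST = (
    Rule("connection", "usb_memory", "usb_connector",
         "USB memory inserted into USB connector"),
    Rule("operation", "auth_error_screen", "monitor_screen",
         "login authentication error screen shown three times in succession",
         repeat=3),
)
WHITE_LIST = (
    Rule("connection", "usb_memory", "usb_connector",
         "device with approved seal inserted",
         requires=frozenset({"approved_seal"})),
)


def _matches(rule, action):
    return (rule.major == action.major and rule.minor == action.minor
            and rule.terminal == action.terminal
            and rule.requires <= action.attributes)


class VideoRuleMatcher:
    """Stateful equivalent of S404: the streak counter makes rules with
    repeat > 1 (e.g. three consecutive login failures) decidable."""

    def __init__(self, black_list=BLACK_LIST, white_list=WHITE_LIST):
        self.black_list = black_list
        self.white_list = white_list
        self._last = {}                  # terminal -> (major, minor) of previous action
        self._streak = defaultdict(int)  # terminal -> consecutive count of that action

    def _update_streak(self, action):
        key = (action.major, action.minor)
        if self._last.get(action.terminal) == key:
            self._streak[action.terminal] += 1
        else:
            self._streak[action.terminal] = 1  # a different action breaks the run
        self._last[action.terminal] = key
        return self._streak[action.terminal]

    def check(self, action):
        """Return physical detection data (FIG. 8 layout) or None (NO in S404)."""
        streak = self._update_streak(action)
        # Permitted actions (white list 511) never produce an alert.
        if any(_matches(r, action) for r in self.white_list):
            return None
        for rule in self.black_list:
            if _matches(rule, action) and streak >= rule.repeat:
                self._streak[action.terminal] = 0  # restart the count after alerting
                return {
                    "alert_date_time": action.timestamp,   # A1002
                    "alert_item": "physical",              # A1003
                    "alert_related_info": {                # A1004: location and content
                        "location": action.terminal,
                        "content": rule.description,
                    },
                }
        return None


def analyze_stream(actions, matcher=None):
    """Run S404/S405 over a sequence of actions; returns the alerts to send (S405)."""
    matcher = matcher or VideoRuleMatcher()
    return [d for d in (matcher.check(a) for a in actions) if d is not None]
```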
  • When the monitoring device 40 receives any of the physical detection data A1011 and the cyber detection data A1012 and A1013, it analyzes that information in an integrated manner (S607). Then the monitoring device 40 presents the importance of the attack detected as a result of the analysis, a recommended countermeasure method, and the like to the monitoring person (S608).
  • The monitoring person decides whether or not to execute the recommended countermeasure based on the content presented by the monitoring device 40 (S609).
  • When execution is approved, the monitoring device 40 sends a countermeasure command to the device that implements the recommended countermeasure (the unauthorized communication prevention device 20 or the unauthorized connection prevention device 30) (S610).
  • The device that receives the countermeasure command executes a measure such as device disconnection or network shutdown. For example, when the unauthorized connection preventing device 30 receives a handling command from the monitoring device 40, it disconnects the monitoring target device (S611).
  • FIG. 9 is a flowchart showing processing of the integrated analysis unit of the monitoring apparatus of FIG.
  • When the integrated analysis unit 402 starts the integrated analysis process (S701), it acquires the detection data from the detection data storage unit 405 (S702) and determines whether the detection data relates to an attempted attack or to a successful attack (S703).
  • An attempted attack is defined as a case in which an attacker tried to intrude into or attack the control system but the attempt was stopped by the security function of a device. For example, information on an authentication failure at login to a terminal, an alert indicating that the unauthorized communication prevention device 20 judged a communication to be unauthorized and did not deliver it to its destination, and an alert indicating that the unauthorized connection prevention device 30 judged a device to be an unauthorized terminal and did not connect it to the network are detection data concerning an attempted attack.
  • A successful attack is defined as a case in which the attacker's intrusion into or attack on the control system succeeded. For example, information indicating that an unauthorized USB token was connected to a device, or that an unauthorized command was executed (without error), is detection data concerning a successful attack.
  • If the detection data relates to a successful attack (S703), a measure for disconnecting or blocking the device related to the detection data is selected from the countermeasure pattern storage unit 406 as the recommended measure (S704).
  • Here, the recommended measure is to disconnect the device related to the detection data from the network 70, or to block the communication related to that device.
  • Next, it is determined whether the detection data being analyzed is physical detection data or cyber detection data (S705). If it is physical detection data ("physical" in S705), an unauthorized person is present at the site of the control system, so even if the attack can be prevented by a security device or function, there is a risk of an immediate attack by another method. Therefore the importance level of the incident is set to "high" (S706).
  • If the detection data being analyzed is cyber detection data ("Cyber" in S705), the attack can be prevented by a security device or security function, and it can be assumed that attacking by another means would take a certain amount of time. Therefore the importance level of the incident is set to "medium" (S707).
  • a measure for strengthening monitoring is selected from the measure pattern storage unit 406 as a recommended measure for the device related to the detected data (S708).
  • a recommended measure is to collect not only the detection data collected from each device but also a more detailed log, and check whether a log related to cyber attacks is output on the screen of the device in the field. To do.
  • the detection data to be analyzed is a type of physical detection data or cyber detection data (S709). If the detection data is physical detection data (“physical” in S709), this means that there is an unauthorized person at the site of the control system, and even if the current situation is an attempted attack, an attack is immediately made by another method. There is a risk. Therefore, the importance level of the incident is set to “medium” (S710).
  • the detection data to be analyzed is cyber detection data (“Cyber” in S709)
  • cyber detection data (“Cyber” in S709)
  • the attack can be prevented by a security device or security function, use another means. It can be assumed that it takes a certain amount of time to attack. For this reason, the importance level of the incident is set to “low” (S711).
  • the recommended countermeasure information acquired in S704 or S708 and the importance information determined in S706, S707, S710, and S711 are stored in the analysis result storage unit 407 (S509), and the integrated analysis process is terminated (S510). ).
  • FIG. 10 is a diagram showing a display example of the incident status confirmation screen of the monitoring apparatus of FIG.
  • the incident status confirmation screen A801 includes a system configuration screen A802, an incident analysis result screen A803, and a physical detection data detail screen A804.
  • the system configuration screen A802 shows the configuration of the control system to be monitored.
  • the control devices A to D on the system configuration screen A802 are the control devices 10 1 to 10 n in FIG.
  • when the monitoring device 40 detects an incident involving the control devices A and B, the control devices A and B can be highlighted.
  • the incident analysis result screen A803 displays an incident ID A805 identifying the incident, an importance A806 indicating the importance of the incident identified by the incident ID A805, a recommended measure A807 indicating the measure recommended as a primary action to minimize the impact of the incident, an infection location A808 indicating the location where infection is suspected in the incident, details A809 giving detailed information on the infection location, and reference information A810 giving further detailed information.
  • the physical detection data detail screen A804 displays, as reference information A810, the image that is the basis of the physical detection data when physical detection data is included.
  • this image is acquired by making an inquiry to the video analysis device 60 based on the date and position information.
  • the display content of the incident status confirmation screen A801 is not limited to the above, and it is sufficient that at least the above elements are included. Further, the display order of the components on the incident status confirmation screen A801 is not limited to the above.
  • the video analysis device 60 extracts action information for the interface from the monitoring information A901, generates physical detection data A1011 based on the action information, and transmits the physical detection data A1011 to the monitoring device 40.
  • the video analysis device 60 may transmit the action information extracted from the monitoring information A901 to the monitoring device 40, and the monitoring device 40 may generate the physical detection data A1011 based on the action information.
  • FIG. 11 is a diagram illustrating a processing flow of extracting physical detection data in the monitoring system according to the second embodiment.
  • the monitoring device 40 can be provided with a detection rule storage unit that stores the detection rule referred to in S1106. This detection rule can be configured similarly to the content of FIG.
  • the monitoring camera 50 monitors (photographs) the interface portions of the monitoring target devices such as the control devices 10 1 to 10 n (S1101). Next, the monitoring camera 50 generates monitoring information A901 including the images obtained by photographing the monitoring target device, and sends the monitoring information A901 to the video analysis device 60 (S1102).
  • the video analysis device 60 analyzes the video of the monitoring target device and extracts action information for the interface (S1103). The video analysis device 60 then transmits the action information to the monitoring device 40 (S1104).
  • the monitoring device 40 determines whether or not the action information extracted from the monitoring information A901 matches a detection rule held in the detection rule storage unit (S1106). If the action information matches a detection rule (YES in S1106), physical detection data A1011 is generated based on the action information (S1107). If the action information does not match any detection rule (NO in S1107), the monitoring device 40 proceeds to analyze the next action information.
  • FIG. 12 is a diagram illustrating a processing flow of security incident detection and response in the monitoring system according to the second embodiment.
  • when the video analysis device 60 detects action information for the interface (S1201), it transmits the action information to the monitoring device 40 (S1202).
  • when the monitoring device 40 detects an abnormality by matching the action information against the detection rules, it generates physical detection data (S1203).
  • the subsequent processing contents of S1204 to S1212 are the same as S603 to S611 of FIG.
  • incidents can thus be detected early, in the intrusion phase, without collecting logs from the devices and terminals.
  • the present invention is not limited to the above embodiment, and various modifications
  • even when a detection device other than the unauthorized communication prevention device 20 or the unauthorized connection prevention device 30 is connected, when a single device includes the functions of both the unauthorized communication prevention device 20 and the unauthorized connection prevention device 30, or when the control devices 10 1 to 10 n, the monitoring device 40, the unauthorized communication prevention device 20 and the unauthorized connection prevention device 30 do not themselves include the communication function for the network 70 and communicate with the network 70 via another device, there is no essential change in the processing performed by the system as a whole.
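The importance and measure selection of S704 to S711 described above, as an added worked example that is not code from the patent: each detection record is classified as an attempted or successful attack, the recommended measure and importance level are chosen by the same branches as the flow, and the results are ordered as the incident analysis result screen would list them. The record fields, the `blocked` flag and the sample records are assumptions constructed for this example.

```python
from dataclasses import dataclass
from enum import Enum


class DataType(Enum):
    CYBER = "cyber"          # from device 20 / 30 (network-side evidence)
    PHYSICAL = "physical"    # from the video analysis device 60 (on-site evidence)


class AttackStage(Enum):
    ATTEMPTED = "attempted"      # a security function stopped the action
    SUCCESSFUL = "successful"    # the action was carried out


@dataclass(frozen=True)
class DetectionData:
    """One record as collected by the detection data collection unit 401.

    Field names are assumptions for this example; the patent describes the
    information a record carries, not a schema."""
    incident_id: str
    device: str            # monitored device the record relates to
    data_type: DataType
    description: str
    blocked: bool          # True if a security device/function prevented the action


@dataclass(frozen=True)
class AnalysisResult:
    """What the integrated analysis unit 402 stores in the analysis result storage 407."""
    incident_id: str
    device: str
    stage: AttackStage
    measure: str           # recommended primary measure
    importance: str        # "high", "medium" or "low"
    step: str              # flow step that fixed the importance, for traceability


IMPORTANCE_RANK = {"high": 0, "medium": 1, "low": 2}


def classify_stage(data: DetectionData) -> AttackStage:
    """An attack that a security function stopped counts only as attempted."""
    return AttackStage.ATTEMPTED if data.blocked else AttackStage.SUCCESSFUL


def analyze(data: DetectionData) -> AnalysisResult:
    """S704-S711: select the recommended measure and the importance level."""
    stage = classify_stage(data)
    physical = data.data_type is DataType.PHYSICAL
    if stage is AttackStage.SUCCESSFUL:
        # S704: isolate the device (disconnect from network 70 / block its traffic)
        measure = "isolate"
        # S705: physical evidence means an intruder is on site -> high (S706);
        # cyber-only evidence leaves time to react -> medium (S707)
        importance, step = ("high", "S706") if physical else ("medium", "S707")
    else:
        # S708: strengthen monitoring (more detailed logs, check the device
        # screen in the field) instead of disconnecting
        measure = "strengthen_monitoring"
        # S709: intruder on site but attack not yet successful -> medium (S710);
        # cyber-only attempt -> low (S711)
        importance, step = ("medium", "S710") if physical else ("low", "S711")
    return AnalysisResult(data.incident_id, data.device, stage, measure, importance, step)


def analyze_all(records) -> list:
    """Analyze every record and order the results as the incident analysis
    result screen (A803) would show them: highest importance first."""
    results = [analyze(r) for r in records]
    return sorted(results, key=lambda r: (IMPORTANCE_RANK[r.importance], r.incident_id))


# Constructed sample detection data, following the examples given in the text.
SAMPLE = [
    DetectionData("INC-001", "control device A", DataType.CYBER,
                  "login authentication failure", blocked=True),
    DetectionData("INC-002", "control device B", DataType.PHYSICAL,
                  "unauthorized USB token connected to the device", blocked=False),
    DetectionData("INC-003", "control device C", DataType.CYBER,
                  "device 30 refused the network connection of an unknown terminal", blocked=True),
    DetectionData("INC-004", "control device D", DataType.CYBER,
                  "unauthorized command executed without error", blocked=False),
    DetectionData("INC-005", "control device A", DataType.PHYSICAL,
                  "person seen handling the device's console port", blocked=True),
]

if __name__ == "__main__":
    for r in analyze_all(SAMPLE):
        print(f"{r.incident_id} {r.device:<16} {r.stage.value:<10} "
              f"{r.importance:<6} {r.measure} ({r.step})")
```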

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Emergency Management (AREA)
  • Business, Economics & Management (AREA)
  • Computer Hardware Design (AREA)
  • Quality & Reliability (AREA)
  • Alarm Systems (AREA)
  • Debugging And Monitoring (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The purpose of the present invention is to detect an incident of a monitoring target apparatus without collecting logs of the operations performed on the monitoring target apparatus. A detection data collection unit 401 collects cyber detection data generated in an unauthorized communication prevention device 20 or an unauthorized connection prevention device 30 and physical detection data generated in a video analysis device 60. An integrated analysis unit 402 uses the collected cyber detection data and physical detection data to analyze the cause and plan recommended measures. A measure execution unit 403 requests the unauthorized communication prevention device 20 or the unauthorized connection prevention device 30 to disconnect the apparatus or the network on the basis of the analysis result of the integrated analysis unit 402.

Description

Monitoring device, monitoring system, and monitoring method
The present invention relates to a monitoring device, a monitoring system, and a monitoring method that make use of physical security.
In recent years, cyber attacks on control systems used in social infrastructure such as electric power, railways, water supply and gas, and in automobiles, have been increasing, and it has become necessary to respond to security incidents such as malware infection and unauthorized access from outside. For this reason, security devices for responding to security incidents are introduced into control systems so that cyber attacks can be detected and blocked and, when an attack is detected, measures such as isolating the infected device can be taken.
In responding to security incidents, the key points are to detect them early and to take appropriate primary measures before the impact spreads widely. Since a cyber attack usually proceeds through the stages of intrusion, reconnaissance, expansion, and objective execution, achieving early detection requires detecting events in the intrusion phase, the earliest stage. Events in the intrusion phase include unauthorized login to a device, connection of an unauthorized device such as a USB token, and connection of an unauthorized terminal to the network. One conceivable way to detect these is to use security software installed on the devices and terminals, or the functions of the device OS (Operating System), and to collect and check their logs.
However, because control systems demand a higher degree of real-time processing than information systems, installing software on devices and terminals or changing their log output settings may affect existing operations. Log collection also increases the network load, which may likewise affect existing operations. For these reasons, collecting logs from each device and terminal is often difficult in control systems.
It is therefore necessary to detect security incidents from sources other than device and terminal logs, and one conceivable approach is to make use of physical security equipment such as entry/exit management and surveillance cameras. Patent Literature 1 describes a monitoring device that detects that a terminal device is infected with malware by using the entry/exit status and detecting the contradiction that a user's terminal device behaves suspiciously in a situation in which the user cannot be operating it.
Japanese Patent Laid-Open No. 2015-55960
The technique of Patent Literature 1 can detect malware infection by using both the entry/exit information obtained from the entry/exit management system and the network information sent and received by the terminal device. That is, malware infection can be detected without collecting log information from the terminal device.
However, in a control system a specific user is not assigned to a specific device, so the technique of Patent Literature 1 cannot be applied as it is. Moreover, although the technique of Patent Literature 1 can detect behaviour after malware infection, detection at the stage leading up to infection (the intrusion phase) is difficult. There is therefore a need to detect cyber attacks early (in the intrusion phase), without collecting device and terminal logs, in an environment in which many operators handle the devices.
The present invention has been made in view of the above circumstances, and its object is to detect an incident of a monitoring target device without collecting logs of the operations performed on the monitoring target device.
To achieve the above object, a monitoring device according to a first aspect detects an incident of a monitoring target device based on communication information transmitted from the monitoring target device and on the analysis result of image information obtained by photographing the monitoring target device.
According to the present invention, an incident of a monitoring target device can be detected without collecting logs of the operations performed on the monitoring target device.
FIG. 1 is a block diagram showing the functional configuration of the monitoring system according to the first embodiment.
FIG. 2 is a block diagram showing the hardware configuration of the monitoring device of FIG. 1.
FIG. 3 is a block diagram showing the hardware configuration of the unauthorized communication prevention device of FIG. 1.
FIG. 4 is a diagram showing the processing flow of extracting physical detection data in the monitoring system of FIG. 1.
FIG. 5 is a diagram showing a configuration example of the monitoring information generated by the monitoring camera of FIG. 1.
FIG. 6 is a diagram showing the detection rules used for extracting the physical detection data of FIG. 4.
FIG. 7 is a diagram showing the processing flow of detecting and handling a security incident in the monitoring system of FIG. 1.
FIG. 8 is a diagram showing a configuration example of the cyber detection data generated by each of the unauthorized communication prevention device and the unauthorized connection prevention device of FIG. 1, and of the physical detection data generated by the video analysis device.
FIG. 9 is a flowchart showing the processing of the integrated analysis unit of the monitoring device of FIG. 1.
FIG. 10 is a diagram showing a display example of the incident status confirmation screen of the monitoring device of FIG. 1.
FIG. 11 is a diagram showing the processing flow of extracting physical detection data in the monitoring system according to the second embodiment.
FIG. 12 is a diagram showing the processing flow of detecting and handling a security incident in the monitoring system according to the second embodiment.
Embodiments will be described with reference to the drawings. The embodiments described below do not limit the invention according to the claims, and not all of the elements and combinations described in the embodiments are necessarily essential to the solution of the invention.
FIG. 1 is a block diagram showing the functional configuration of the monitoring system according to the first embodiment.
In FIG. 1, the monitoring system includes control devices 10 1 to 10 n (n is a positive integer), an unauthorized communication prevention device 20, an unauthorized connection prevention device 30, a monitoring device 40, a monitoring camera 50, and a video analysis device 60. The control device 10 1, the unauthorized communication prevention device 20, the unauthorized connection prevention device 30, the monitoring device 40, the monitoring camera 50, and the video analysis device 60 are connected via a network 70. The control device 10 n is connected to the unauthorized communication prevention device 20.
Here, there may be a plurality of unauthorized communication prevention devices 20 and unauthorized connection prevention devices 30, one set per network. There may also be a plurality of monitoring cameras 50 and video analysis devices 60. A monitoring camera 50 may be provided for each monitoring target device. A monitoring target device is a device or terminal that is the target of security incident detection.
Each of the control devices 10 1 to 10 n controls a control system used in social infrastructure such as electric power, railways, water supply and gas, or in automobiles, while communicating among the control devices 10 1 to 10 n. Each of the control devices 10 1 to 10 n includes a control processing unit 101 1 to 101 n that performs control processing and a communication unit 102 1 to 102 n that communicates with the network 70, the unauthorized communication prevention device 20, and the like.
The unauthorized communication prevention device 20 detects attacks based on the communication information transmitted from the monitoring target devices. An attack can include the stages of intrusion, reconnaissance, expansion, and objective execution. The unauthorized communication prevention device 20 includes a filtering unit 201 that filters the communication packets input to the unauthorized communication prevention device 20, a detection data generation unit 202 that generates cyber detection data (an alert) when the filtering unit 201 detects unauthorized communication, a policy update unit 203 that updates the filtering policy referred to by the filtering unit 201, a first communication unit 204 that communicates with the network 70, a filtering policy storage unit 205 that stores the filtering policy referred to by the filtering unit 201, and a second communication unit 206 that communicates with the control device 10 n. The filtering policy can define the communication content to be filtered. Cyber detection data is the result of detecting an attack based on the communication information transmitted from a monitoring target device. The unauthorized communication prevention device 20 may have three or more communication units.
The unauthorized connection prevention device 30 detects unauthorized connection of a monitoring target device and generates cyber detection data based on the detection result. The unauthorized connection prevention device 30 includes an unauthorized connection detection unit 301 that detects that an unauthorized device has been connected to the network 70, a detection data generation unit 302 that generates cyber detection data (an alert) when the unauthorized connection detection unit 301 detects an unauthorized connection, a list update unit 303 that updates the legitimate device list referred to by the unauthorized connection detection unit 301, a communication unit 304 that communicates with the network 70, and a legitimate device list storage unit 305 that stores the legitimate device list referred to by the unauthorized connection detection unit 301. The legitimate device list can register, for example, the MAC addresses permitted to connect to the network 70.
The monitoring camera 50 generates monitoring images of a monitoring target device. The parts of the monitoring target device monitored by the monitoring camera 50 can be, for example, its input/output interface portions such as its display screen, connectors, and ports. The monitoring camera 50 includes a photographing unit 501 that photographs the monitoring target and a communication unit 502 that communicates with the network 70.
The video analysis device 60 analyzes the image information obtained by photographing a monitoring target device. In doing so, the video analysis device 60 can generate physical detection data based on the image information of the monitoring target device. Physical detection data is the result of detecting an attack based on the image information of the monitoring target device. The video analysis device 60 includes a video collection unit 601 that collects the video data captured by the monitoring camera 50, a detection data generation unit 602 that detects unauthorized connections and unauthorized operations from the collected video data, a video storage unit 603 that stores the video data collected by the video collection unit 601, a detection rule storage unit 604 that stores the detection rules referred to by the detection data generation unit 602, and a communication unit 605 that communicates with the monitoring camera 50 and the monitoring device 40.
The monitoring device 40 detects an incident of a monitoring target device based on the communication information transmitted from the monitoring target device and on the analysis result of the image information obtained by photographing the monitoring target device. In doing so, the monitoring device 40 can monitor incidents of the monitoring target device based on cyber detection data, which is first detection data, and physical detection data, which is second detection data. Here, the monitoring device 40 may collect the cyber detection data and the physical detection data from outside, or it may itself generate the physical detection data based on the image information obtained by photographing the monitoring target device. For example, the monitoring device 40 may receive action information for the interface of the monitoring target device, generated from the image information, and generate physical detection data as the result of detecting an unauthorized connection or unauthorized operation on that interface based on a detection rule for the action information. The action information is information about operations on the interface of the monitoring target device.
The monitoring device 40 includes a detection data collection unit 401 that collects the cyber detection data generated by the unauthorized communication prevention device 20 or the unauthorized connection prevention device 30 and the physical detection data generated by the video analysis device 60; an integrated analysis unit 402 that uses the collected cyber detection data and physical detection data to detect incidents of the monitoring target devices, analyze their causes, and plan recommended measures; a measure execution unit 403 that, based on the analysis results of the integrated analysis unit 402, requests the unauthorized communication prevention device 20 or the unauthorized connection prevention device 30 to disconnect a device or the network; a communication unit 404 that communicates with the network 70; a detection data storage unit 405 that stores the cyber detection data and physical detection data collected by the detection data collection unit 401; a measure pattern storage unit 406 that stores the list of measures referred to when the integrated analysis unit 402 plans recommended measures; an analysis result storage unit 407 that stores the recommended measures for incidents and the importance levels of incidents output as results of the analysis by the integrated analysis unit 402; and an input/output unit 408 that displays the analysis results of the integrated analysis unit 402 and receives the user's decision on whether or not to implement a recommended measure. The importance level may be the priority with which the recommended measure is to be implemented.
Here, by monitoring incidents of the monitoring target devices based on the cyber detection data and the physical detection data, the monitoring device 40 can detect security incidents of the monitoring target devices without collecting logs of the operations performed on them. Moreover, the unauthorized communication prevention device 20, the unauthorized connection prevention device 30, the monitoring device 40, the monitoring camera 50, and the video analysis device 60 can be introduced into an existing control system equipped with the control devices 10 1 to 10 n without affecting the existing operations carried out by that control system. Consequently, in control systems used in social infrastructure such as electric power, railways, water supply and gas, or in automobiles, security incidents can be detected early and appropriate primary measures taken before the impact spreads widely, improving the security of these control systems. A security incident is an incident concerning the security of a monitoring target device, such as infection by malware or unauthorized access from outside.
 図2は、図1の監視装置のハードウェア構成を示すブロック図である。
 図2において、監視装置40は、通信装置11と、入出力装置12と、記憶装置13と、CPU14と、メモリ15とを備える。通信装置11と、入出力装置12と、記憶装置13と、CPU14と、メモリ15は、バスなどの内部通信線16を介して接続されている。
FIG. 2 is a block diagram showing a hardware configuration of the monitoring apparatus of FIG.
In FIG. 2, the monitoring device 40 includes a communication device 11, an input / output device 12, a storage device 13, a CPU 14, and a memory 15. The communication device 11, the input / output device 12, the storage device 13, the CPU 14, and the memory 15 are connected via an internal communication line 16 such as a bus.
The CPU 14 is the hardware that controls the operation of the monitoring device 40 as a whole. The memory 15 can be composed of semiconductor memory such as SRAM or DRAM; it can hold the program the CPU 14 is executing and provide a work area for executing it.
The storage device 13 is a storage device with a large capacity, for example a hard disk drive or an SSD (Solid State Drive). It can hold the executable files of various programs and the data used when executing them, and can store a monitoring program 13A. The monitoring program 13A may be software that can be installed on the monitoring device 40, or it may be built into the monitoring device 40 as firmware. It may also be introduced when needed via another storage medium or a communication medium (a network, or a carrier wave propagating over a network).
The communication device 11 is hardware that controls communication with the outside. It is connected to the network 70. The network 70 may be a WAN (Wide Area Network) such as the Internet, a LAN (Local Area Network) such as WiFi, or a mixture of WAN and LAN.
The input/output device 12 is a user interface that accepts operations from the user and presents the user with information such as processing progress and results. Examples are a keyboard, a mouse, a touch panel, a card reader, a voice input device, a screen display device (liquid crystal monitor, organic EL display, graphics card, etc.), an audio output device (speaker, etc.) and a printer.
The CPU 14 reads the monitoring program 13A into the memory 15 and executes it; in doing so it detects incidents on the monitored devices from the cyber detection data and the physical detection data, plans countermeasures for each incident, and calculates the severity of the incident.
The monitoring program 13A thereby realizes the functions of the detection data collection unit 401, the integrated analysis unit 402 and the countermeasure execution unit 403 of FIG. 1. Execution of the monitoring program 13A may be divided among multiple processors or computers. Alternatively, the CPU 14 may instruct a cloud computer or the like, via the network 70, to execute all or part of the monitoring program 13A and receive the execution result.
The control devices 10₁ to 10ₙ, the unauthorized connection prevention device 30, the monitoring device 40, the monitoring camera 50 and the video analysis device 60 of FIG. 1 can also have hardware similar to that of FIG. 2. The CPU of each control device 10₁ to 10ₙ executes a control program to realize the control processing of the control system. The CPU of the unauthorized connection prevention device 30 executes an unauthorized connection prevention program to detect unauthorized connections of monitored devices and to generate cyber detection data from the detection result. The CPU of the monitoring camera 50 executes a capture program to generate monitoring images of the monitored devices. The CPU of the video analysis device 60 executes a video analysis program to analyze the image information captured of the monitored devices.
FIG. 3 is a block diagram showing the hardware configuration of the unauthorized communication prevention device of FIG. 1.
In FIG. 3, the unauthorized communication prevention device 20 comprises a first communication device 21₁, a second communication device 21₂, a storage device 22, an input/output device 23, a CPU 24 and a memory 25, connected to one another via an internal communication line 26 such as a bus. The storage device 22 can store an unauthorized communication prevention program 22A. The first communication device 21₁ is connected to the network 70 and the second communication device 21₂ to the control device 10ₙ. The unauthorized communication prevention device 20 may have three or more communication devices.
The CPU 24 reads the unauthorized communication prevention program 22A into the memory 25 and executes it, so that attacks can be detected from the communication information sent by the monitored devices.
The unauthorized communication prevention program 22A thereby realizes the functions of the filtering unit 201, the detection data generation unit 202 and the policy update unit 203 of FIG. 1. Its execution may be divided among multiple processors or computers. Alternatively, the CPU 24 may instruct a cloud computer or the like, via the network 70, to execute all or part of the unauthorized communication prevention program 22A and receive the execution result.
The processing flow of the attack detection system for control systems of this embodiment is described below. Each step is performed by a processing unit embodied on one of the devices making up the system, when the program stored in the storage device of the control devices 10₁ to 10ₙ, the unauthorized communication prevention device 20, the unauthorized connection prevention device 30, the monitoring device 40, the monitoring camera 50 or the video analysis device 60 is loaded into memory and executed by that device's CPU.
FIG. 4 is a diagram showing the processing flow for extracting physical detection data in the monitoring system of FIG. 1.
In FIG. 4, the monitoring camera 50 monitors (films) the interface portions of the control devices 10₁ to 10ₙ, which are the monitored devices (S401). The interfaces include, for example, each device's connectors for USB and other peripherals, its LAN connector for network connection, and the monitor screen on which operation results are displayed.
The monitoring camera 50 then generates monitoring information A901 containing the captured image of the monitored device and sends it to the video analysis device 60 (S402).
FIG. 5 is a diagram showing an example configuration of the monitoring information generated by the monitoring camera of FIG. 1.
In FIG. 5, the monitoring information A901 contains the date and time A902 at which the monitoring camera 50 captured the image, the position information A903 of the captured target, and the video information A904.
Next, in FIG. 4, when the video analysis device 60 receives the monitoring information A901 from the monitoring camera 50, it analyzes the video of the monitored device and extracts action information for the interface (S403).
The video analysis device 60 then determines whether the action information extracted from the monitoring information A901 matches a detection rule held in the detection rule storage unit 604 (S404). If it matches (YES in S404), physical detection data A1011 is generated from the action information and sent to the monitoring device 40 (S405), and the monitoring device 40 receives it (S406). If it does not match (NO in S404), the video analysis device 60 proceeds to the next video analysis.
FIG. 6 is a diagram showing the detection rules used to extract the physical detection data of FIG. 4.
In FIG. 6, the video analysis device 60 refers to the detection rules in S404 of FIG. 4. The detection rules are of two kinds: a blacklist 501 and a whitelist 511. The blacklist 501 lists actions that are not permitted and the whitelist 511 lists actions that are permitted. The blacklist 501 has a major classification 502, a minor classification 503, terminal information 504 and a determination rule 505; the whitelist 511 has a major classification 512, a minor classification 513, terminal information 514 and a determination rule 515.
The major classification 502, 512 can state whether the action on the monitored device is a connection or an operation. The minor classification 503, 513 can state the connection destination on the monitored device or the content of an error on the monitored device. The terminal information 504, 514 can state the part (position information) at which the action was performed.
The determination rule 505 can state the specific content of a disallowed action. An example of an unauthorized connection to a monitored device's interface is a USB memory stick being plugged into a USB connector; an example of an unauthorized operation of the interface is the login authentication error screen being displayed three times in a row.
The determination rule 515 can state the specific content of a permitted action. An example of a connection that is not unauthorized is a device bearing an approval seal being plugged in.
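As an added example (not code from the patent or from Hitachi), the following Python sketches how a detection rule storage unit 604 of the FIG. 6 shape can be applied to action information in S404 to produce physical detection data in the FIG. 8 layout. The action schema, the field names and the sample action stream are assumptions; the two blacklist entries and the whitelist entry are the ones the text gives, with the "three consecutive authentication errors" rule implemented statefully per terminal.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Action:
    """Action information extracted from one monitoring frame (FIG. 4, S403).
    The field layout is an assumption; the patent fixes no schema."""
    timestamp: str
    major: str                      # "connection" | "operation"    (502 / 512)
    minor: str                      # e.g. "USB", "LAN", "auth_error" (503 / 513)
    terminal: str                   # part / position where it happened (504 / 514)
    attrs: Dict[str, str] = field(default_factory=dict)   # e.g. {"seal": "approved"}


@dataclass(frozen=True)
class Rule:
    major: str
    minor: str
    terminal: Optional[str]         # None = any terminal
    outcome: str                    # "attempted" | "completed" (FIG. 9 definitions)
    predicate: Callable[["RuleEngine", Action], bool]     # determination rule (505 / 515)
    description: str


class RuleEngine:
    def __init__(self, blacklist: List[Rule], whitelist: List[Rule]):
        self.blacklist = blacklist
        self.whitelist = whitelist
        self.error_streak: Dict[str, int] = defaultdict(int)   # per-terminal state

    @staticmethod
    def _fields_match(rule: Rule, action: Action) -> bool:
        return (rule.major == action.major and rule.minor == action.minor
                and rule.terminal in (None, action.terminal))

    def evaluate(self, action: Action) -> Optional[dict]:
        """Return physical detection data (FIG. 8 layout) or None (NO in S404)."""
        # Stateful part of the "3 consecutive auth errors" rule: any other
        # operation on the same screen breaks the streak.
        if action.major == "operation":
            if action.minor == "auth_error":
                self.error_streak[action.terminal] += 1
            else:
                self.error_streak[action.terminal] = 0
        # Whitelist (511) is consulted first: a permitted action never becomes an alert.
        for rule in self.whitelist:
            if self._fields_match(rule, action) and rule.predicate(self, action):
                return None
        for rule in self.blacklist:
            if self._fields_match(rule, action) and rule.predicate(self, action):
                return {
                    "alert_time": action.timestamp,                               # A1002
                    "alert_item": {"kind": "physical", "outcome": rule.outcome},  # A1003
                    "alert_info": {"terminal": action.terminal,                   # A1004
                                   "content": rule.description},
                }
        return None


def three_auth_errors(engine: RuleEngine, action: Action) -> bool:
    if engine.error_streak[action.terminal] >= 3:
        engine.error_streak[action.terminal] = 0    # report once per three failures
        return True
    return False


def build_engine() -> RuleEngine:
    blacklist = [
        Rule("connection", "USB", None, "completed", lambda e, a: True,
             "USB memory inserted into USB connector"),
        Rule("operation", "auth_error", None, "attempted", three_auth_errors,
             "login authentication error screen shown 3 times in a row"),
    ]
    whitelist = [
        Rule("connection", "USB", None, "completed",
             lambda e, a: a.attrs.get("seal") == "approved",
             "device with approval seal inserted"),
    ]
    return RuleEngine(blacklist, whitelist)


# Constructed sample action stream (not real camera output).
SAMPLE_ACTIONS = [
    Action("2019-04-17T09:00:00", "connection", "USB", "ctrl-A/USB1", {"seal": "approved"}),
    Action("2019-04-17T09:01:10", "connection", "USB", "ctrl-B/USB1"),
    Action("2019-04-17T09:02:00", "operation", "auth_error", "ctrl-C/screen"),
    Action("2019-04-17T09:02:05", "operation", "auth_error", "ctrl-C/screen"),
    Action("2019-04-17T09:02:09", "operation", "auth_error", "ctrl-C/screen"),
    Action("2019-04-17T09:03:00", "operation", "login_ok", "ctrl-C/screen"),
]


def run_sample() -> List[dict]:
    engine = build_engine()
    return [d for d in (engine.evaluate(a) for a in SAMPLE_ACTIONS) if d is not None]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Checking the whitelist before the blacklist is what makes the approval-seal exception work; the reverse order would alert on every USB insertion. The consecutive-error counter is reset by any other operation on the same screen, so three failures spread across successful logins do not fire.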
FIG. 7 is a diagram showing the processing flow for detecting and responding to a security incident in the monitoring system of FIG. 1.
In FIG. 7, when the video analysis device 60 detects an anomaly according to the flow of FIG. 4 (S601), it sends physical detection data A1011 to the monitoring device 40 (S602).
When the unauthorized connection prevention device 30 detects an anomaly from the communication information sent by the control devices 10₁ to 10ₙ, which are the monitored devices (S603), it sends the detected anomaly to the monitoring device 40 as cyber detection data A1012 (S604). Here the unauthorized connection prevention device 30 receives the MAC address sent by a control device 10₁ to 10ₙ, and if that MAC address does not match a MAC address permitted to connect to the network 70, it recognizes an unauthorized connection by that monitored device.
When the unauthorized communication prevention device 20 detects an anomaly from the communication information sent by the control devices 10₁ to 10ₙ (S605), it sends the detected anomaly to the monitoring device 40 as cyber detection data A1013 (S606). Here the unauthorized communication prevention device 20 receives the communication information sent by a control device 10₁ to 10ₙ, and if that communication information matches the filtering policy, it recognizes an unauthorized operation of that monitored device.
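An added example, not the patent's own code, of the two cyber-side checks described for S603 and S605: a legitimate-device MAC list for the unauthorized connection prevention device 30 and a first-match filtering policy for the unauthorized communication prevention device 20, each emitting detection data in the FIG. 8 layout. The policy rule format, the addresses, the MACs and the sample frames are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Legitimate device list (305) of the unauthorized connection prevention device 30.
# All addresses below are constructed sample values.
LEGITIMATE_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
ENGINEERING_STATION = "192.168.10.10/32"
CONTROL_NET = "192.168.10.0/24"
CORPORATE_NET = "10.0.0.0/8"


@dataclass(frozen=True)
class Frame:
    """Communication information from a monitored device (constructed layout)."""
    timestamp: str
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" | "udp"
    dst_port: int


@dataclass(frozen=True)
class FilterRule:
    """One entry of the filtering policy (207); the first matching entry wins."""
    src_net: str
    dst_net: str
    proto: Optional[str]        # None = any
    dst_port: Optional[int]     # None = any
    action: str                 # "allow" | "deny"
    reason: str

    def matches(self, f: Frame) -> bool:
        return (ipaddress.ip_address(f.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(f.dst_ip) in ipaddress.ip_network(self.dst_net)
                and self.proto in (None, f.proto)
                and self.dst_port in (None, f.dst_port))


# Sample policy: only the engineering station may speak Modbus/TCP (port 502)
# inside the control network, and the control network must not reach the corporate LAN.
FILTER_POLICY: List[FilterRule] = [
    FilterRule(ENGINEERING_STATION, CONTROL_NET, "tcp", 502, "allow", "engineering station Modbus/TCP"),
    FilterRule(CONTROL_NET, CONTROL_NET, "tcp", 502, "deny", "Modbus/TCP from non-engineering host"),
    FilterRule(CONTROL_NET, CORPORATE_NET, None, None, "deny", "control network -> corporate LAN"),
]


def _detection(f: Frame, content: str) -> dict:
    """Detection data in the FIG. 8 layout. Both checks block the traffic they
    report, so under the FIG. 9 definitions the outcome is 'attempted'."""
    return {"alert_time": f.timestamp,                                   # A1002
            "alert_item": {"kind": "cyber", "outcome": "attempted"},      # A1003
            "alert_info": {"src_mac": f.src_mac, "src_ip": f.src_ip,      # A1004
                           "dst": f"{f.dst_ip}:{f.dst_port}/{f.proto}",
                           "content": content}}


def check_connection(f: Frame) -> Optional[dict]:
    """Unauthorized connection prevention device 30 (S603): unknown MAC -> A1012."""
    if f.src_mac.lower() not in LEGITIMATE_MACS:
        return _detection(f, "MAC address not in legitimate device list")
    return None


def check_communication(f: Frame) -> Optional[dict]:
    """Unauthorized communication prevention device 20 (S605): policy deny -> A1013."""
    for rule in FILTER_POLICY:
        if rule.matches(f):
            if rule.action == "deny":
                return _detection(f, "blocked by filtering policy: " + rule.reason)
            return None          # explicit allow
    return None                  # no matching entry: allowed


SAMPLE_FRAMES = [  # constructed traffic, not captured data
    Frame("2019-04-17T10:00:00", "00:11:22:33:44:01", "192.168.10.10", "192.168.10.21", "tcp", 502),
    Frame("2019-04-17T10:00:05", "de:ad:be:ef:00:01", "192.168.10.77", "192.168.10.21", "tcp", 502),
    Frame("2019-04-17T10:00:09", "00:11:22:33:44:02", "192.168.10.21", "10.1.2.3", "tcp", 443),
    Frame("2019-04-17T10:00:12", "00:11:22:33:44:02", "192.168.10.21", "192.168.10.22", "udp", 20000),
]


def run_sample() -> List[dict]:
    alerts = []
    for f in SAMPLE_FRAMES:
        for source, check in (("device30", check_connection), ("device20", check_communication)):
            d = check(f)
            if d is not None:
                d["source"] = source
                alerts.append(d)
    return alerts


if __name__ == "__main__":
    for a in run_sample():
        print(a["source"], a["alert_info"]["content"])
```

A forged source MAC passes check_connection unchanged, so on its own it is a weak signal; in this design its value comes from being correlated with the physical detection data in the monitoring device 40 rather than from the check itself.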
FIG. 8 is a diagram showing an example configuration of the cyber detection data generated by the unauthorized communication prevention device and the unauthorized connection prevention device of FIG. 1, and of the physical detection data generated by the video analysis device.
In FIG. 8, the detection data A1001 contains the alert occurrence date and time A1002, the alert item A1003 and the alert-related information A1004. The alert item A1003 can state the type of the detection data A1001: for example, whether it concerns an attempted or a completed attack, and whether it is physical detection data or cyber detection data. The alert-related information A1004 can state the location and content of the unauthorized connection or unauthorized operation.
In FIG. 7, when the monitoring device 40 receives any of the physical detection data A1011 and the cyber detection data A1012, A1013, it analyzes this information in an integrated manner (S607), and presents the operator with the severity of the attack detected as a result of that analysis, the recommended countermeasures, and so on (S608).
The operator decides, based on what the monitoring device 40 presents, whether to execute the recommended countermeasure (S609). When the operator inputs that it should be executed, the monitoring device 40 sends a response command to the device that implements the countermeasure (the unauthorized communication prevention device 20 or the unauthorized connection prevention device 30) (S610), and the device receiving the command carries out the response, such as disconnecting the device or blocking the network. For example, when the unauthorized connection prevention device 30 receives a response command from the monitoring device 40, it disconnects the monitored device (S611).
FIG. 9 is a flowchart showing the processing of the integrated analysis unit of the monitoring device of FIG. 1.
In FIG. 9, when the integrated analysis unit 402 starts integrated analysis (S701), it obtains detection data from the detection data storage unit 405 (S702) and determines whether that detection data concerns an attempted attack or a completed attack (S703).
An attempted attack is defined as processing in which an attacker tried to intrude into or attack the control system but was stopped by a security function of one of the devices. Examples of detection data on attempted attacks are information on authentication failures when logging in to a terminal, an alert indicating that the unauthorized communication prevention device 20 judged a communication to be unauthorized so that its content did not reach its destination, and an alert indicating that the unauthorized connection prevention device 30 judged a terminal to be unauthorized so that it was not connected to the network.
A completed attack is defined as processing in which an attacker carried out an intrusion or attack on the control system and it succeeded. Examples of detection data on completed attacks are information indicating that an unauthorized USB token was connected to a device, and information indicating that an unauthorized command was executed (without error).
If the detection data under analysis is "completed" ("completed" in S703), an intrusion or infection has already taken place and the risk that its impact spreads is high. The recommended countermeasure is therefore to isolate the device concerned, selected from the countermeasure pattern storage unit 406 (S704): for example, disconnecting the device concerned from the network 70, or blocking communication involving it.
Next, it is determined whether the detection data under analysis is physical detection data or cyber detection data (S705). If it is physical detection data ("physical" in S705), an unauthorized person is present at the site of the control system, and even if the attack was stopped by a security device or function there is a risk of an immediate follow-up attack by some other method. The incident severity is therefore set to "high" (S706).
If it is cyber detection data ("cyber" in S705), the attack is most likely being made remotely, and if it was stopped by a security device or function, a certain amount of time can be expected to pass before an attack by another means. The incident severity is therefore set to "medium" (S707).
If, on the other hand, the detection data under analysis is "attempted" ("attempted" in S703), an attack has occurred but no intrusion or infection has resulted. The recommended countermeasure for the device concerned is therefore to strengthen monitoring, selected from the countermeasure pattern storage unit 406 (S708): for example, collecting more detailed logs in addition to the detection data collected from each device, or checking the screens of the devices on site for log output related to a cyber attack.
Next, it is determined whether the detection data under analysis is physical detection data or cyber detection data (S709). If it is physical detection data ("physical" in S709), an unauthorized person is present at the site of the control system, and even though the attack was only attempted, there is a risk of an immediate follow-up attack by some other method. The incident severity is therefore set to "medium" (S710).
If it is cyber detection data ("cyber" in S709), the attack is most likely being made remotely, and if it was stopped by a security device or function, a certain amount of time can be expected to pass before an attack by another means. The incident severity is therefore set to "low" (S711).
Finally, the recommended countermeasure obtained in S704 or S708 and the severity determined in S706, S707, S710 or S711 are stored in the analysis result storage unit 407 (S509), and integrated analysis ends (S510).
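As an added example that is not part of the patent, the following Python applies the FIG. 9 decision matrix (S703 to S711) to detection records in the FIG. 8 layout, orders them for presentation (S608) and turns an operator-approved "isolate" countermeasure into a response command (S609 to S611). The pattern names, the command vocabulary, the routing of physical incidents to device 30 and cyber incidents to device 20, and the sample records are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Severity matrix of FIG. 9 (S706, S707, S710, S711), keyed by (outcome, kind).
SEVERITY: Dict[Tuple[str, str], str] = {
    ("completed", "physical"): "high",
    ("completed", "cyber"): "medium",
    ("attempted", "physical"): "medium",
    ("attempted", "cyber"): "low",
}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

# Countermeasure pattern storage unit 406 (S704 / S708). Pattern names are assumptions.
COUNTERMEASURES = {
    "completed": ("isolate", "disconnect the device from network 70 or block its traffic"),
    "attempted": ("enhance_monitoring",
                  "collect detailed logs and check the device screen for attack-related output"),
}


@dataclass
class AnalysisResult:
    """One row of the analysis result storage unit 407 / screen A803."""
    incident_id: str        # A805
    severity: str           # A806
    pattern: str
    recommended: str        # A807
    location: str           # A808
    detail: str             # A809
    kind: str


def analyze(detection: dict, incident_id: str) -> AnalysisResult:
    """Integrated analysis unit 402: FIG. 9 applied to one FIG. 8 record."""
    outcome = detection["alert_item"]["outcome"]     # S703
    kind = detection["alert_item"]["kind"]           # S705 / S709
    if (outcome, kind) not in SEVERITY:
        raise ValueError(f"malformed alert item: {detection['alert_item']}")
    pattern, description = COUNTERMEASURES[outcome]
    info = detection["alert_info"]
    return AnalysisResult(incident_id, SEVERITY[(outcome, kind)], pattern, description,
                          info.get("terminal") or info.get("src_ip", "unknown"),
                          info["content"], kind)


def present(results: List[AnalysisResult]) -> List[AnalysisResult]:
    """S608: order for the incident analysis result screen, most severe first."""
    return sorted(results, key=lambda r: SEVERITY_ORDER[r.severity])


def response_command(result: AnalysisResult, operator_approved: bool) -> Optional[dict]:
    """Countermeasure execution unit 403 (S609-S611). Only the 'isolate' pattern
    produces a command, and only after the operator confirms it. Sending physical
    incidents to device 30 and cyber incidents to device 20 is an assumption."""
    if not operator_approved or result.pattern != "isolate":
        return None
    target_device = ("unauthorized_connection_prevention_device_30" if result.kind == "physical"
                     else "unauthorized_communication_prevention_device_20")
    return {"to": target_device, "command": "disconnect",
            "target": result.location, "incident_id": result.incident_id}


def _record(outcome: str, kind: str, content: str, **info) -> dict:
    return {"alert_time": "2019-04-17T09:02:09",
            "alert_item": {"kind": kind, "outcome": outcome},
            "alert_info": dict(content=content, **info)}


SAMPLE_DETECTIONS = [   # constructed, one per cell of the FIG. 9 matrix
    _record("attempted", "cyber", "blocked by filtering policy", src_ip="192.168.10.21"),
    _record("completed", "physical", "USB memory inserted into USB connector", terminal="ctrl-B/USB1"),
    _record("attempted", "physical", "auth error screen shown 3 times", terminal="ctrl-C/screen"),
    _record("completed", "cyber", "unauthorized command executed without error", src_ip="192.168.10.77"),
]


def run_sample() -> List[AnalysisResult]:
    results = [analyze(d, f"INC-{i:03d}") for i, d in enumerate(SAMPLE_DETECTIONS, 1)]
    return present(results)


if __name__ == "__main__":
    for r in run_sample():
        print(r.incident_id, r.severity, r.pattern, r.location)
        print("  ->", response_command(r, operator_approved=True))
```

The operator gate in response_command keeps the automatic part of the system limited to classification and recommendation, as in S609; a record whose alert item does not fit the matrix is rejected rather than silently given the lowest severity.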
FIG. 10 is a diagram showing an example display of the incident status confirmation screen of the monitoring device of FIG. 1.
In FIG. 10, the incident status confirmation screen A801 comprises a system configuration screen A802, an incident analysis result screen A803 and a physical detection data detail screen A804. The system configuration screen A802 shows the configuration of the monitored control system; its control devices A to D are the control devices 10₁ to 10ₙ of FIG. 1. When the monitoring device 40 detects an incident on control devices A and B, it can highlight control devices A and B. The incident analysis result screen A803 displays an incident ID A805 identifying the incident, a severity A806 showing the severity of the incident identified by A805, a recommended countermeasure A807 showing the first response recommended to minimize the incident's impact, an infection location A808 showing where infection is suspected in the incident, details A809 giving detailed information on that location, and reference information A810 giving further details.
When physical detection data is included, the physical detection data detail screen A804 displays, as reference information A810, the image on which the physical detection data was based. This image is obtained by querying the video analysis device 60 with the date, time and position information when the link in the reference information A810 item is clicked.
The content displayed on the incident status confirmation screen A801 is not limited to the above; it suffices that at least the above elements are included. Nor is the display order of the components of the incident status confirmation screen A801 limited to the above.
In the first embodiment described above, the video analysis device 60 extracts action information for the interface from the monitoring information A901, generates physical detection data A1011 from it, and sends that to the monitoring device 40. Alternatively, the video analysis device 60 may send the action information extracted from the monitoring information A901 to the monitoring device 40, and the monitoring device 40 may generate the physical detection data A1011 from that action information.
FIG. 11 is a diagram showing the processing flow for extracting physical detection data in the monitoring system according to the second embodiment. The monitoring device 40 can be provided with a detection rule storage unit holding the detection rules referred to in S1106; these rules can be configured in the same way as those of FIG. 6.
In FIG. 11, the monitoring camera 50 monitors (films) the interface portions of the control devices 10₁ to 10ₙ, which are the monitored devices (S1101). It then generates monitoring information A901 containing the captured image of the monitored device and sends it to the video analysis device 60 (S1102).
When the video analysis device 60 receives the monitoring information A901 from the monitoring camera 50, it analyzes the video of the monitored device, extracts action information for the interface (S1103), and sends that action information to the monitoring device 40 (S1104).
When the monitoring device 40 receives the action information for the interface (S1105), it determines whether the action information extracted from the monitoring information A901 matches a detection rule held in its detection rule storage unit (S1106). If it matches (YES in S1106), physical detection data A1011 is generated from the action information (S1107). If it does not match (NO in S1106), the monitoring device 40 proceeds to the next action information analysis.
Performing the action information analysis on the monitoring device 40 removes the need to perform it on the video analysis device 60, which reduces the load on the video analysis device 60.
FIG. 12 is a diagram showing the processing flow for detecting and responding to a security incident in the monitoring system according to the second embodiment.
In FIG. 12, when the video analysis device 60 detects action information for the interface (S1201), it sends the action information to the monitoring device 40 (S1202). When the monitoring device 40 detects an anomaly by matching the action information against the detection rules, it generates physical detection data (S1203). The subsequent steps S1204 to S1212 are the same as S603 to S611 of FIG. 7.
As described above, according to the embodiments described above, in a control system in which many operators handle the control devices 10₁ to 10ₙ, attacks on those devices and terminals can be detected early, in the intrusion phase, without collecting logs from the devices and terminals themselves.
The present invention is not limited to the above embodiments, and various modifications are possible within the scope of its gist. For example, action information and physical detection data may be generated by a physical security device other than the monitoring camera 50; detection devices other than the unauthorized communication prevention device 20 and the unauthorized connection prevention device 30 may be connected; the functions of the unauthorized communication prevention device 20 and the unauthorized connection prevention device 30 may be included in the monitoring device 40; or the control devices 10₁ to 10ₙ, the monitoring device 40, the unauthorized communication prevention device 20 and the unauthorized connection prevention device 30 may lack a communication function for the network 70 and communicate with it via another device. In these cases too, there is no essential change in the processing performed by the system as a whole.
10₁ to 10ₙ ... control device, 11 ... communication device, 12 ... input/output device, 13 ... storage device, 14 ... CPU, 15 ... memory, 16 ... internal signal line, 101₁ to 101ₙ ... control processing unit, 102₁ to 102ₙ ... communication unit, 20 ... unauthorized communication prevention device, 21₁ ... first communication device, 21₂ ... second communication device, 22 ... storage device, 23 ... input/output device, 24 ... CPU, 25 ... memory, 26 ... internal signal line, 201 ... filtering unit, 202 ... detection data generation unit, 203 ... communication log collection unit, 204 ... policy update unit, 205 ... mode management unit, 206 ... first communication unit, 207 ... filtering policy storage unit, 208 ... communication log storage unit, 209 ... second communication unit, 30 ... unauthorized connection prevention device, 301 ... unauthorized connection detection unit, 302 ... detection data generation unit, 303 ... list update unit, 304 ... communication unit, 305 ... legitimate device list storage unit, 40 ... monitoring device, 401 ... detection data collection unit, 402 ... integrated analysis unit, 403 ... countermeasure execution unit, 404 ... communication unit, 405 ... detection data storage unit, 406 ... countermeasure pattern storage unit, 407 ... analysis result storage unit, 408 ... input/output unit, 50 ... monitoring camera, 501 ... imaging unit, 502 ... communication unit, 60 ... video analysis device, 601 ... video collection unit, 602 ... detection data generation unit, 603 ... video storage unit, 604 ... detection rule storage unit, 605 ... communication unit, 70 ... network

Claims (15)

  1.  A monitoring device that detects an incident of a monitored device based on communication information transmitted from the monitored device and on the analysis result of image information obtained by capturing images of the monitored device.
  2.  The monitoring device according to claim 1, which monitors incidents of the monitored device based on first detection data, which is the result of detecting an attack based on the communication information, and second detection data, which is the result of detecting an attack based on the image information.
  3.  The monitoring device according to claim 2, comprising:
     a detection data collection unit that collects the first detection data and the second detection data; and
     an integrated analysis unit that detects an incident of the monitored device based on the first detection data and the second detection data.
  4.  The monitoring device according to claim 2, which receives action information for an interface of the monitored device, generated based on the image information, and generates the second detection data as the result of detecting an unauthorized connection to or unauthorized operation of the interface based on a detection rule concerning the action information.
  5.  The monitoring device according to claim 1, which, based on the detection result of an incident of the monitored device, plans countermeasures against the incident of the monitored device and calculates the importance of the incident.
  6.  The monitoring device according to claim 2, which determines whether the detection data to be analyzed indicates an attempted attack, that is, processing in which the attack was tried but not achieved, or a completed attack, that is, processing in which the attack was tried and succeeded, and switches the recommended countermeasure according to the result of the determination.
  7.  The monitoring device according to claim 2, which determines whether the detection data to be analyzed is the second detection data or the first detection data, and decides the importance of the incident according to the result of the determination.
  8.  The monitoring device according to claim 5, which displays, as the incident analysis result, the importance of the incident, the recommended countermeasure and the image on which the second detection data is based on a screen together with a configuration diagram of the system that includes the monitored device, enabling selection of a countermeasure against the incident.
  9.  The monitoring device according to claim 4, wherein the detection rule comprises at least one of a blacklist, which is a list of actions that are not permitted, and a whitelist, which is a list of actions that are permitted, and
     an unauthorized connection to or unauthorized operation of the interface is detected when the action information corresponds to an action registered in the blacklist or does not correspond to an action registered in the whitelist.
  10.  A monitoring system comprising:
     an unauthorized communication prevention device that detects attacks based on communication information transmitted from a monitored device;
     a video analysis device that analyzes image information obtained by capturing images of the monitored device; and
     a monitoring device that monitors incidents of the monitored device based on first detection data, which is the result of detecting an attack based on the communication information, and second detection data, which is the result of detecting an attack based on the image information.
  11.  The monitoring system according to claim 10, further comprising an unauthorized connection prevention device that detects an unauthorized connection of the monitored device and generates the first detection data based on the detection result of the unauthorized connection.
  12.  The monitoring system according to claim 10, wherein the monitoring device collects the first detection data from the unauthorized communication prevention device and the second detection data from the video analysis device.
  13.  The monitoring system according to claim 10, wherein the monitoring device receives, from the video analysis device, action information for an interface of the monitored device generated based on the image information, and generates the second detection data, which is the result of detecting an unauthorized connection to or unauthorized operation of the interface, based on a detection rule concerning the action information.
  14.  A monitoring method using a CPU that executes a monitoring program,
     wherein, by executing the monitoring program, the CPU monitors incidents of a monitored device based on first detection data, which is the result of detecting an attack based on communication information transmitted from the monitored device, and second detection data, which is the result of detecting an attack based on image information obtained by capturing images of the monitored device.
  15.  The monitoring method according to claim 14, wherein, by executing the monitoring program, the CPU plans countermeasures against the incident of the monitored device and calculates the importance of the incident based on the detection result of the incident of the monitored device.
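As an added illustration, not code from the patent or from its assignee, the following Python sketch shows the integrated analysis the claims describe: a blacklist/whitelist detection rule over video-derived action information (claims 4 and 9), attempted versus completed attack deciding the recommended countermeasure (claim 6), and the data source deciding the importance (claim 7). The action names, the numeric importance scale, the countermeasure strings and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed detection rule for action information (claim 9):
# a blacklist of forbidden actions and a whitelist of permitted ones.
BLACKLIST = {"insert_usb", "open_panel"}
WHITELIST = {"press_button", "view_display"}


@dataclass
class DetectionData:
    source: str   # "network" = first detection data, "video" = second detection data
    device: str   # monitored device, e.g. "controller_1" (constructed name)
    action: str   # observed action or network event
    outcome: str  # "blocked" = attempted attack, "allowed" = completed attack


def is_unauthorized_action(action: str) -> bool:
    """Claim 9: unauthorized if blacklisted, or if absent from the whitelist."""
    return action in BLACKLIST or action not in WHITELIST


def detection_from_action(device: str, action: str, outcome: str) -> Optional[DetectionData]:
    """Claim 4: turn video-derived action information into second detection data."""
    if is_unauthorized_action(action):
        return DetectionData("video", device, action, outcome)
    return None  # permitted action: no detection data is generated


def analyze(d: DetectionData) -> dict:
    """Attempted vs. completed selects the countermeasure (claim 6);
    the data source selects the importance (claim 7). Scale is assumed."""
    completed = d.outcome == "allowed"
    if d.source == "video":  # physical access to the device itself
        importance = 3 if completed else 2
        countermeasure = "isolate device and dispatch staff" if completed else "alert operator"
    else:  # network-side detection from the prevention devices
        importance = 2 if completed else 1
        countermeasure = "update filtering policy" if completed else "log and monitor"
    return {"device": d.device, "attack": "completed" if completed else "attempted",
            "importance": importance, "countermeasure": countermeasure}


def integrated_analysis(network_data: List[DetectionData],
                        action_info: List[Tuple[str, str, str]]) -> List[dict]:
    """Integrated analysis unit (claim 3): merge both detection data streams."""
    results = [analyze(d) for d in network_data]
    for device, action, outcome in action_info:
        d = detection_from_action(device, action, outcome)
        if d is not None:
            results.append(analyze(d))
    return results


# Constructed sample input: one blocked network event, one permitted and one
# forbidden physical action observed by the video analysis device.
SAMPLE_NETWORK = [DetectionData("network", "controller_1", "unlisted_mac", "blocked")]
SAMPLE_ACTIONS = [("controller_1", "press_button", "allowed"),
                  ("controller_1", "insert_usb", "allowed")]
```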

PCT/JP2019/016416 2018-05-23 2019-04-17 Monitoring device, monitoring system, and monitoring method WO2019225232A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018098605A JP7134708B2 (en) 2018-05-23 2018-05-23 Monitoring device, monitoring system and monitoring method
JP2018-098605 2018-05-23

Publications (1)

Publication Number Publication Date
WO2019225232A1 true WO2019225232A1 (en) 2019-11-28

Family

ID=68616406

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/016416 WO2019225232A1 (en) 2018-05-23 2019-04-17 Monitoring device, monitoring system, and monitoring method

Country Status (2)

Country Link
JP (1) JP7134708B2 (en)
WO (1) WO2019225232A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20060059557A1 (en) * 2003-12-18 2006-03-16 Honeywell International Inc. Physical security management system
JP2011186823A (en) * 2010-03-09 2011-09-22 Nec Corp Virus-checking system, virus-checking device and program
WO2015033576A1 (en) * 2013-09-06 2015-03-12 日本電気株式会社 Security system, security method, and non-temporary computer-readable medium
JP2015055960A (en) * 2013-09-11 2015-03-23 三菱電機株式会社 Monitoring device, information processing system, monitoring method, and program

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP6827266B2 (en) 2016-01-15 2021-02-10 富士通株式会社 Detection program, detection method and detection device

Also Published As

Publication number Publication date
JP7134708B2 (en) 2022-09-12
JP2019204259A (en) 2019-11-28

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19807024; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19807024; Country of ref document: EP; Kind code of ref document: A1)