WO2020066785A1 - Analysis device, terminal device, analysis system, analysis method and program - Google Patents


Info

Publication number
WO2020066785A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
terminal device
notification
condition
unit
Application number
PCT/JP2019/036536
Other languages
French (fr)
Japanese (ja)
Inventor
康博 井原
康弘 長倉
阿部 正道
Original Assignee
株式会社ラック
Application filed by 株式会社ラック
Publication of WO2020066785A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • The present invention relates to an analysis device, a terminal device, an analysis system, an analysis method, and a program.
  • This application claims priority based on Japanese Patent Application No. 2018-180914, filed in Japan on September 26, 2018, the content of which is incorporated herein.
  • There is an analysis system in which an analysis device analyzes security logs for the organizations of a plurality of different customers.
  • In such a system, a rule for detecting the characteristics of a malicious log is created and used for the automatic analysis of security logs.
  • A rule common to a plurality of different customer organizations is often used.
  • Patent Document 1 discloses a web access monitoring method in a computer system having a centralized management server that manages client computers in a private network.
  • In that method, the central management server sets a monitoring rule including a warning condition and a processing mode at the time of warning for web access that is unnecessary or improper for business or education.
  • An object of the present invention is to provide an analysis device, a terminal device, an analysis system, an analysis method, and a program that can efficiently deal with a case where a false detection occurs in a specific organization among a plurality of different customer organizations.
  • One aspect of the present invention is an analysis device including: an acquisition unit that acquires target information related to a first terminal device; an analysis execution unit that determines whether the target information acquired by the acquisition unit satisfies a first condition; a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition; an information receiving unit that receives second information from the first terminal device with respect to the first information notified by the notification unit; and a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information is received from the first terminal device with respect to the first information. The notification suppression unit stops the notification of the first information according to the first condition for the first terminal device for a predetermined period, and resumes the notification of the first information according to the first condition after the predetermined period has elapsed.
  • Another aspect is an analysis device including the acquisition unit, analysis execution unit, notification unit, information receiving unit, and notification suppression unit described above, and further including a management unit that manages a status of notification of the first information based on the first condition. The status includes at least a status of being suppressed, and the first information can be searched using the status of the notification.
  • Another aspect is an analysis device including the units described above, wherein the notification suppression unit suppresses notification of the first information to the first terminal device based on a second condition specifying that the notification of the first information to the first terminal device is suppressed.
  • Another aspect is an analysis device including the units described above, wherein the target information is a log related to security.
  • In the analysis device according to one aspect, the first condition is a rule for detecting a problem, the first information is information on an alert corresponding to the problem, and the second information is information indicating that there is an error in the alert (that is, that the alert is a false detection).
  • The analysis device according to one aspect includes a changing unit that changes the first condition.
  • One aspect of the present invention is a terminal device having a detection device that detects target information related to the terminal device, using a log related to security as the target information, and transmits the target information to an analysis device. The terminal device includes: a notification reception control unit that receives a notification of first information related to security, notified from the analysis device when the analysis device determines that the target information satisfies a first condition; an instruction receiving unit that receives a predetermined instruction related to security for the first information received by the notification reception control unit; and an instruction transmission control unit that, when the instruction is received with respect to the first information, transmits to the analysis device second information instructing that notification of the first information related to security to the terminal device be suppressed.
  • In the terminal device according to one aspect, the first condition is a rule for detecting a problem, the first information is information on an alert corresponding to the problem, and the second information is information indicating that there is an error in the alert.
  • One aspect of the present invention is an analysis system including a first terminal device and an analysis device. The analysis device includes: an acquisition unit that acquires target information regarding the first terminal device; an analysis execution unit that determines whether the target information acquired by the acquisition unit satisfies a first condition; a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition; an information reception unit that receives second information from the first terminal device with respect to the first information notified by the notification unit; and a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information is received from the first terminal device with respect to the first information. The first terminal device includes: a notification reception control unit that receives the first information notified from the analysis device; an instruction reception unit that receives a predetermined instruction for the first information received by the notification reception control unit; and an instruction transmission control unit that transmits the second information to the analysis device when the instruction is received for the first information. The notification suppression unit stops the notification of the first information according to the first condition to the first terminal device for a predetermined period, and resumes it after the predetermined period has elapsed.
  • Another aspect is an analysis system in which the analysis device and the first terminal device include the units described above, and the analysis device further includes a management unit that manages a status of notification of the first information based on the first condition. The status includes at least a status of being suppressed, and the first information can be searched using the status of the notification.
  • Another aspect is an analysis system in which the analysis device and the first terminal device include the units described above, wherein the notification suppression unit suppresses notification of the first information to the first terminal device based on a second condition specifying that the notification of the first information to the first terminal device is to be suppressed.
  • Another aspect is an analysis system in which the analysis device and the first terminal device include the units described above, wherein the target information is a log related to security.
  • In the analysis system according to one aspect, the first condition is a rule for detecting a problem, the first information is information on an alert corresponding to the problem, and the second information is information indicating that there is an error in the alert.
  • In the analysis system according to one aspect, the analysis device includes a changing unit that changes the first condition.
  • One aspect of the present invention is an analysis method in an analysis system including a first terminal device and an analysis device. The analysis device acquires target information on the first terminal device, determines whether the acquired target information satisfies a first condition, and, when it is determined that the target information satisfies the first condition, notifies the first terminal device of first information. The first terminal device receives the notification of the first information from the analysis device and, when a predetermined instruction is received for the received first information, transmits second information to the analysis device. When the second information is received from the first terminal device, the analysis device suppresses the notification of the first information to the first terminal device. The analysis device stops the notification of the first information according to the first condition for the first terminal device for a predetermined period, and resumes the notification of the first information according to the first condition after the predetermined period has elapsed.
  • Another aspect is an analysis method with the acquisition, determination, notification, instruction, and suppression steps described above, in which the analysis device manages a status of notification of the first information according to the first condition; the status includes at least a status of being suppressed, and the first information can be searched using the status of the notification.
  • Another aspect is an analysis method with the steps described above, in which the analysis device suppresses the notification of the first information to the first terminal device based on a second condition specifying that the notification of the first information to the first terminal device is to be suppressed.
  • Another aspect is an analysis method with the steps described above, in which the target information is a log related to security.
  • In the analysis method according to one aspect, the first condition is a rule for detecting a problem, the first information is information on an alert corresponding to the problem, and the second information is information indicating that there is an error in the alert.
  • In the analysis method according to one aspect, the analysis device changes the first condition.
  • One aspect of the present invention is a program that causes a computer constituting an analysis device to realize: a function of acquiring target information regarding a first terminal device; a function of determining whether the acquired target information satisfies a first condition; a function of notifying the first terminal device of first information when it is determined that the target information satisfies the first condition; a function of receiving second information from the first terminal device with respect to the notified first information; and a function of suppressing notification of the first information to the first terminal device when the second information is received from the first terminal device for the first information. The function of suppressing the notification stops the notification of the first information under the first condition for the first terminal device for a predetermined period, and resumes the notification of the first information after the predetermined period has elapsed.
  • Another aspect is a program that causes the computer to realize the functions described above and a function of managing the status of notification of the first information according to the first condition, wherein the status includes at least a status of being suppressed, and the first information can be searched using the status of the notification.
  • Another aspect is a program that causes the computer to realize the functions described above, wherein the function of suppressing the notification suppresses the notification of the first information to the first terminal device based on a second condition specifying that the notification of the first information to the first terminal device is to be suppressed.
  • Another aspect is a program that causes the computer to realize the functions described above, wherein the target information is a log related to security.
  • In the program according to one aspect, the first condition is a rule for detecting a problem, the first information is information on an alert corresponding to the problem, and the second information is information indicating that there is an error in the alert.
  • The program according to one aspect further realizes a function of changing the first condition.
  • One aspect of the present invention is a program for a computer constituting a terminal device having a detection device that detects target information related to the terminal device, using a log related to security as the target information, and transmits the target information to an analysis device.
  • In this program, the first condition is a rule for detecting a problem, the first information is information on an alert corresponding to the problem, and the second information is information indicating that there is an error in the alert.
  • With the analysis device, the terminal device, the analysis system, the analysis method, and the program described above, it is possible to efficiently cope with a case where a false detection occurs in a specific organization among a plurality of different customer organizations.
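The suppression behaviour claimed above (a shared rule, per-terminal suppression for a predetermined period that then resumes, an explicit second condition, and a searchable notification status), as an added example that is not part of the patent or its applicant's code. The class, method, status and rule names (AnalysisDevice, report_false_detection, "reported", R-OUT-SSH) are this example's own choices, and the log entries are constructed.

```python
# Added example, not from the patent: a compact model of the claimed analysis device.
# A shared rule (the "first condition") is applied to security logs from several customer
# terminals. A terminal that reports an alert (the "first information") as a false detection
# (the "second information") has that rule suppressed for itself only, for a predetermined
# period, after which notification resumes. An explicit per-terminal list models the
# "second condition"; each alert carries a status (including "suppressed") for searching.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple

Log = Dict[str, object]
SuppressionKey = Tuple[str, str]  # (terminal_id, rule_id)

@dataclass
class Rule:
    """First condition: a rule that detects a problem in a security log."""
    rule_id: str
    matches: Callable[[Log], bool]

@dataclass
class Alert:
    """First information: an alert corresponding to a detected problem."""
    alert_id: int
    terminal_id: str
    rule_id: str
    raised_at: datetime
    status: str  # "notified", "suppressed" or "reported" (names chosen for this example)

@dataclass
class AnalysisDevice:
    rules: Dict[str, Rule]
    suppression_period: timedelta = timedelta(days=7)  # the "predetermined period"
    # After a false-detection report: key -> time at which notification by that rule resumes
    timed_suppression: Dict[SuppressionKey, datetime] = field(default_factory=dict)
    # Second condition: (terminal, rule) pairs explicitly configured as suppressed
    configured_suppression: Set[SuppressionKey] = field(default_factory=set)
    alerts: List[Alert] = field(default_factory=list)

    def _is_suppressed(self, key: SuppressionKey, now: datetime) -> bool:
        if key in self.configured_suppression:
            return True
        resume_at = self.timed_suppression.get(key)
        if resume_at is None:
            return False
        if now < resume_at:
            return True
        del self.timed_suppression[key]  # period elapsed: notification resumes
        return False

    def analyze(self, terminal_id: str, log: Log, now: datetime) -> List[Alert]:
        """Acquisition, analysis execution and notification for one log entry."""
        raised = []
        for rule in self.rules.values():
            if not rule.matches(log):
                continue
            suppressed = self._is_suppressed((terminal_id, rule.rule_id), now)
            alert = Alert(len(self.alerts) + 1, terminal_id, rule.rule_id, now,
                          "suppressed" if suppressed else "notified")
            self.alerts.append(alert)  # recorded either way, so it stays searchable
            raised.append(alert)
        return raised

    def report_false_detection(self, terminal_id: str, alert_id: int, now: datetime) -> datetime:
        """Second information: the alert is an error; suppress its rule for this terminal only."""
        alert = next(a for a in self.alerts
                     if a.alert_id == alert_id and a.terminal_id == terminal_id)
        alert.status = "reported"
        resume_at = now + self.suppression_period
        self.timed_suppression[(terminal_id, alert.rule_id)] = resume_at
        return resume_at

    def search(self, status: Optional[str] = None,
               terminal_id: Optional[str] = None) -> List[Alert]:
        """Management unit: alerts are searchable by notification status and terminal."""
        return [a for a in self.alerts
                if (status is None or a.status == status)
                and (terminal_id is None or a.terminal_id == terminal_id)]

def demo() -> Dict[str, object]:
    """Walk through the claimed sequence with constructed sample logs (not real traffic)."""
    outbound_ssh = Rule("R-OUT-SSH", lambda log: log.get("dir") == "out" and log.get("dst_port") == 22)
    device = AnalysisDevice(rules={outbound_ssh.rule_id: outbound_ssh})
    device.configured_suppression.add(("org-c", "R-OUT-SSH"))  # second condition for org-c
    t0 = datetime(2019, 9, 1, 9, 0)
    ssh = {"dir": "out", "dst_port": 22, "proto": "tcp"}  # constructed log entry
    first = device.analyze("org-a", ssh, t0)[0]
    first_status = first.status  # "notified", captured before the report changes it
    device.report_false_detection("org-a", first.alert_id, t0 + timedelta(hours=1))
    during = device.analyze("org-a", ssh, t0 + timedelta(hours=2))[0]  # suppressed for org-a
    other = device.analyze("org-b", ssh, t0 + timedelta(hours=2))[0]  # rule still active for org-b
    after = device.analyze("org-a", ssh, t0 + timedelta(days=8))[0]  # period elapsed: resumed
    configured = device.analyze("org-c", ssh, t0 + timedelta(days=8))[0]  # second condition
    return {
        "first": first_status, "during": during.status, "other_org": other.status,
        "after_period": after.status, "configured": configured.status,
        "https_alerts": len(device.analyze("org-a", {"dir": "out", "dst_port": 443}, t0)),
        "suppressed_total": len(device.search(status="suppressed")),
        "reported_total": len(device.search(status="reported")),
        "org_a_total": len(device.search(terminal_id="org-a")),
    }
```

Suppression is keyed on the (terminal, rule) pair, so the rule itself stays in force for every other customer organization, which is the point the claims make about handling a false detection in one organization without changing the common rule.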
  • FIG. 1 is a diagram illustrating a schematic configuration example of an analysis system according to an embodiment of the present invention.
  • A figure shows an example of the schematic configuration of the terminal unit according to one embodiment of the present invention.
  • A figure shows an example of the display contents of an alert list according to one embodiment of the present invention.
  • A figure shows an example of the display contents of alert details according to one embodiment of the present invention.
  • A figure shows an example of the display contents of an alert search according to one embodiment of the present invention.
  • A figure shows an example of a procedure of processing performed in the terminal unit according to one embodiment of the present invention.
  • Three further figures each illustrate an example of a procedure of a process performed in the analyzer according to the embodiment of the present invention.
  • A figure illustrates an example of a hardware configuration of an information processing apparatus according to an embodiment of the present invention.
  • FIG. 1 is a diagram illustrating a schematic configuration example of an analysis system 1 according to an embodiment of the present invention.
  • the configuration of the functional blocks illustrated in FIG. 1 is an example, and another configuration may be used.
  • the analysis system 1 includes an analysis unit 11, a plurality of terminals 21 to 23, and a network 31.
  • the terminals 21 to 23 and the analyzer 11 are communicably connected via a network 31.
  • each of the terminal units 21 to 23 is managed by a different management entity.
  • the management entity may be, for example, an organization such as a company or a school, or may be an individual.
  • When the management entity is an organization, a person belonging to the organization manages the terminal units 21 to 23.
  • When the management entity is an individual, that individual manages the terminal units 21 to 23.
  • a person who manages each of the terminal units 21 to 23 may be called a user.
  • two or more terminal units among the plurality of terminal units 21 to 23 may be managed by the same management entity.
  • the two or more terminal units may be a part of the plurality of terminal units 21 to 23, or may be all.
  • the number of the terminal units 21 to 23 may be any number equal to or more than one.
  • the configurations and operations of the plurality of terminals 21 to 23 are the same except that the management entities of the terminals 21 to 23 may be different.
  • one terminal unit 21 will be described as a representative. Note that a mode in which the configurations or operations of the terminal units 21 to 23 are different may be used.
  • the analysis unit 11 performs the same operation for each of the plurality of terminals 21 to 23 except that the management entity of each of the terminals 21 to 23 may be different. Note that the analysis unit 11 may be configured to perform different operations on each of the plurality of terminal units 21 to 23.
  • the analysis unit 11 is common to the plurality of terminals 21 to 23.
  • the analysis system 1 may include a plurality of analysis units 11.
  • In that case, the plurality of analysis units 11 share the handling of the plurality of terminal units 21 to 23 among themselves.
  • the analysis unit 11 may be regarded as, for example, an apparatus or a system.
  • the terminal unit 21 may be regarded as, for example, an apparatus or a system.
  • the network 31 may be any network.
  • the network 31 may be, for example, the Internet or a dedicated network.
  • The communication between the terminal units 21 to 23 and the analysis unit 11 may be, for example, wired communication, wireless communication, or a combination of wired and wireless communication.
  • the terminal unit 21 will be described as a representative.
  • the terminal unit 21 includes a log detection device 51 and a terminal device 52.
  • Although FIG. 1 shows a configuration in which each of the log detection device 51 and the terminal device 52 is connected to the network 31, the configuration is not limited to this.
  • the log detection device 51 detects information to be detected (also referred to as “target information” for convenience of description).
  • the target information is a predetermined log.
  • the log detection device 51 constantly monitors a predetermined target and detects a log of the target.
  • the log is a log related to security (security log), for example, a log targeted for communication via the network 31.
  • the log detection device 51 may be configured using, for example, a sensor that detects a predetermined log.
  • the log detection device 51 detects a log related to communication performed by the terminal device 52.
  • the log detection device 51 outputs the detected log.
  • the log detection device 51 transmits the detected log to the analysis unit 11.
  • the transmission of the log may be performed, for example, for each predetermined log unit.
  • the unit may be a unit for each predetermined period.
  • the predetermined period may be, for example, one day.
  • In the present embodiment, the log detection device 51 does not store the detected log.
  • Alternatively, the log detection device 51 may include a storage unit that stores the detected log.
  • the terminal device 52 is configured using, for example, an information processing device operated by a user.
  • the information processing device is, for example, a computer.
  • The computer may be, for example, a desktop computer, a notebook computer, a mobile phone, or a smartphone.
  • the terminal device 52 receives the e-mail transmitted from the analysis unit 11 via the network 31.
  • the terminal device 52 acquires the information of the Web page provided by the analysis unit 11.
  • the terminal device 52 transmits information to the analysis unit 11 via the network 31.
  • The terminal device 52 transmits to the analysis unit 11 information on a false detection (erroneous detection) in the analysis result produced by the analysis unit 11.
  • The analysis unit 11 includes an analysis device 41, a Web server device 42, and a mail server device 43.
  • Although a configuration is shown in which each of the analysis device 41, the Web server device 42, and the mail server device 43 is connected to the network 31, the configuration is not limited to this.
  • the analysis device 41 includes a storage unit 111, an acquisition unit 112, an analysis execution unit 113, a notification unit 114, an erroneous detection control unit 115, and a management unit 116.
  • the acquisition unit 112 includes a reception unit 131.
  • the management unit 116 includes a search processing unit 151.
  • the storage unit 111 stores various information.
  • the acquisition unit 112 receives, by the reception unit 131, the log transmitted from the log detection device 51 to the analysis unit 11 via the network 31, and thereby acquires the log. In the present embodiment, the acquisition unit 112 collects various logs in this way. The acquisition unit 112 outputs the received log to the analysis execution unit 113. In the present embodiment, the log detection device 51 transmits the log to the analysis device 41.
  • the log detection device 51 may compress the log information and transmit the compressed log information to the analysis device 41.
  • in that case, the analysis execution unit 113 decompresses the received information and obtains the original log information. Note that “decompression” may also be called “expansion” or the like.
  • the log detection device 51 may encrypt the information to be transmitted and transmit the encrypted information to the analysis device 41. In this case, in the analysis device 41, the analysis execution unit 113 decrypts the received information to obtain the original information.
  • the analysis execution unit 113 inputs the log output from the acquisition unit 112.
  • the analysis executing unit 113 analyzes the input log based on predetermined conditions (for convenience of explanation, also referred to as “analysis conditions”).
  • the analysis executing unit 113 outputs to the notifying unit 114 predetermined information on the result of analyzing the input log (also referred to as “analysis result information” for convenience of explanation).
  • the storage unit 111 stores information specifying analysis conditions.
  • the analysis execution unit 113 acquires an analysis condition based on the information.
  • Arbitrary conditions may be used as analysis conditions.
  • as the analysis condition, for example, a condition for determining whether or not there is a problem with the log to be analyzed may be used.
  • the problem may be, for example, a computer virus or another event.
  • as the analysis condition, for example, a condition that determines that there is a problem when one or more of the information identifying the transmission source included in the log, the information identifying the transmission destination included in the log, or other information included in the log matches predetermined information may be used.
  • a condition described in a blacklist in which a condition of a log to be determined as having a problem is listed may be used.
  • a condition under which it should be determined that there is a problem may be referred to as, for example, a “rule”.
  • the condition will be referred to as a “detection rule” for convenience of description.
  • the detection rule may be regarded as, for example, a condition for detecting a problem based on a log. That is, when it is determined that a situation corresponding to a certain detection rule has occurred for a certain log, it is determined that a problem associated with the detection rule has occurred.
  • One or more detection rules are created, and in the present embodiment, a plurality of different detection rules are created and used. In this case, each detection rule includes information for specifying a rule for determining whether or not the detection rule is applicable.
  • Each detection rule is associated with information that specifies a problem that has occurred when the detection rule is satisfied. It should be noted that information that specifies a problem that has occurred when a detection rule is satisfied may be considered to be included in the detection rule. Each problem is associated with the content of an alert to be notified when the problem occurs.
  • the detection rule, the problem, and the alert are associated with each other.
  • association information is stored in, for example, the storage unit 111 and managed by the management unit 116.
  • the problem and the content of the alert may be configured as, for example, common information. In other words, when a problem is presented in the content of the alert, the problem can also be notified by the content of the alert.
  • each detection rule is initially created as a detection rule common to all terminal devices 52.
  • one or more terminal devices 52 to which the detection rule is applied may be initially set for each detection rule. The contents of such a setting may be considered to be included in the detection rule.
  • as a detection rule, for example, for a received signal, it is determined that a problem of information communication from a suspicious source has occurred when the identification information of the transmission source device of the received signal matches predetermined identification information; and for a transmitted signal, it is determined that a problem of information transmission to a suspicious destination has occurred when the identification information of the transmission destination device of the transmitted signal matches predetermined identification information.
  • a “detection rule” or the like may be used.
  • an alert rule is associated with a detection rule.
  • the alert rule includes information for specifying the terminal device 52 for which alert notification is not performed. In the alert rule, for example, it is initially set that an alert is to be notified to all terminal devices 52 when the detection rule associated with the alert rule is satisfied.
  • an alert rule may be provided for each terminal device 52.
  • the alert rule for a terminal device 52 includes information specifying the detection rules for which that terminal device 52 is to be notified of an alert, or the detection rules for which it is not.
  • by combining the detection rule and the alert rule, for the terminal device 52, the case where a predetermined problem is detected and an alert is notified and the case where a predetermined problem is detected but the alert is not notified are identified.
  • as a mode in which the alert is not notified, for example, a mode in which the notification of the alert is stopped for a predetermined period may be included, or a mode in which the notification of the alert is permanently stopped may be included.
  • a rule in which a detection rule and an alert rule are integrated may be used.
  • when a certain detection rule is satisfied, the analysis execution unit 113 outputs the analysis result information to the notification unit 114 if an alert should be notified according to the alert rule corresponding to that detection rule, and does not output it if the notification should not be performed. In the present embodiment, whether or not to notify an alert is thus controlled by the analysis execution unit 113. As another example, a configuration may be used in which the analysis result information is output from the analysis execution unit 113 to the notification unit 114 and the notification unit 114 controls whether to notify an alert based on the contents of the alert rule.
  • the analysis execution unit 113 determines the type of each log.
  • the information of each log includes information specifying the type of the log.
  • a configuration may be used in which the sensor of the log detection device 51 transmits the alert information to the analysis device 41 together with the log detection result.
  • the analysis execution unit 113 determines, for example, whether or not the alert information attached to the log detection result is correct.
  • a condition for determining whether the information of the alert added to the log detection result is correct is used as the analysis condition.
  • the alert may include, for example, the name of the signature.
  • the detection rule may store, in association with each other, the condition for determining that the log has a problem and at least one of the name of the alert (also referred to as the “alert name” for convenience of description), the degree of importance, and the like.
  • the alert corresponds to, for example, a problem that occurs.
  • the alert name indicates the name of the alert.
  • the alert name is predetermined for each type of alert, for example. Information for identifying each type of the content of the alert may be added to each alert.
  • the importance indicates the importance of the alert.
  • the importance may be expressed at any stage. In the present embodiment, the importance is expressed in three stages.
  • when the analysis result information is input from the analysis execution unit 113, the notification unit 114 notifies the terminal device 52 of predetermined information based on the analysis result information.
  • as the predetermined information, information for notifying the terminal device 52 of the analysis result is used, and arbitrary information may be used.
  • an arbitrary method may be used as a method of notifying the information from the notification unit 114 to the terminal device 52.
  • when information to be notified to the terminal device 52 occurs, the notification unit 114 creates an e-mail addressed to the terminal device 52 and sends the created e-mail to the mail server device 43.
  • the notification unit 114 includes information of an access destination accessible from the terminal device 52 in the electronic mail.
  • the information may be, for example, a URL (Uniform Resource Locator).
  • the notifying unit 114 generates a Web page corresponding to the access destination information included in the e-mail, and transmits the generated Web page information to the Web server device 42.
  • the notification unit 114 includes information to be notified to the terminal device 52 in the Web page.
  • the mail server device 43 receives the electronic mail transmitted from the notification unit 114.
  • the mail server device 43 transmits the received electronic mail to the destination of the electronic mail.
  • an e-mail addressed to the terminal device 52 is transmitted from the mail server device 43 to the terminal device 52 via the network 31.
  • the Web server device 42 receives the Web page information transmitted from the notification unit 114.
  • the Web server device 42 provides the Web page in a viewable manner based on the received information.
  • in response to access from the terminal device 52, the Web server device 42 provides the Web page to the terminal device 52 in a viewable manner.
  • the erroneous detection control unit 115 performs control related to erroneous detection on the result of the analysis performed by the analysis execution unit 113. For example, the erroneous detection control unit 115 performs a process of receiving, for each alert, a notification of erroneous detection from the terminal device 52; a process of stopping, for the terminal device 52 that is the notification source, the notification of the alert by the detection rule corresponding to that alert; and a process of restarting the notification of the alert by that detection rule to the notification source. In the present embodiment, the erroneous detection control unit 115 controls the stop and restart of the alert notification by rewriting the content of the alert rule corresponding to the detection rule.
  • the management unit 116 performs various types of management on the terminal device 52.
  • the search processing unit 151 performs a process of searching for information.
  • the search processing unit 151 may perform a process of executing the search performed in the terminal device 52 instead of the terminal device 52, or a process of assisting the search performed in the terminal device 52.
  • the search processing unit 151 performs a search process using, for example, information stored in the storage unit 111.
  • the management unit 116 rewrites and changes the detection rules and the like stored in the storage unit 111, for example. Such rewriting may include, for example, new registration, overwriting, and erasing.
  • the information of the terminal device 52 is known to the analysis unit 11; for example, information on the terminal device 52 regarding the contract is set in the analysis unit 11.
  • the information may be stored in the storage unit 111, for example.
  • the information may include, for example, information specifying the terminal device 52.
  • the information may include an e-mail address of the terminal device 52.
  • the information of the terminal device 52 set with respect to the contract includes, for example, information specifying the range of analysis for which the service can be received, or information on the fee required for receiving the service (for convenience of explanation, also referred to as “charging information”).
  • the range of analysis that can receive the service may be set using, for example, one or more of the data amount, the number of times, the period, and the like.
  • the management unit 116 may store information for specifying the fee currently charged for the terminal device 52 in the storage unit 111 and manage the information. From the viewpoint of the management entity that provides the analysis service by the analysis unit 11, the management entity of the terminal device 52 with which the contract regarding the service is concluded is the customer.
  • the management entities of the plurality of terminal units 21 to 23 may be different customers.
  • FIG. 2 is a diagram illustrating a schematic configuration example of the terminal device 52 according to an embodiment of the present invention.
  • the configuration of the functional blocks shown in FIG. 2 is an example, and another configuration may be used.
  • the terminal device 52 includes an input unit 211, an output unit 212, an operation unit 213, a display unit 214, a communication unit 215, a storage unit 216, and a control unit 217.
  • the control unit 217 includes a notification reception control unit 231, an instruction transmission control unit 232, and a search control unit 233.
  • the input unit 211 inputs information output from an external device.
  • the output unit 212 outputs information to an external device.
  • the external device may be any device.
  • the external device may be, for example, a portable recording medium.
  • the external device may be, for example, a printing device.
  • the operation unit 213 inputs information corresponding to an operation performed by the user.
  • the operation unit 213 may include, for example, a keyboard or a mouse.
  • the display unit 214 has a screen and outputs information to the screen. Thereby, the information is displayed on the screen.
  • the communication unit 215 performs communication via the network 31.
  • the storage unit 216 stores various types of information.
  • the control unit 217 performs various controls in the terminal device 52.
  • the notification reception control unit 231 performs a process for receiving the content of the notification performed by the notification unit 114 of the analyzer 41.
  • the notification reception control unit 231 receives, by the communication unit 215, an electronic mail transmitted from the mail server device 43 to the terminal device 52 via the network 31. Further, the notification reception control unit 231 accesses the access destination Web page described in the received e-mail, and acquires information on the Web page provided by the Web server device 42. This access may be performed, for example, in response to an operation of the operation unit 213 performed by the user.
  • the notification reception control unit 231 displays the acquired information of the e-mail or the acquired information of the Web page on the screen of the display unit 214.
  • the contents of the notification of the log analysis result include, for example, information for notifying that a problem has occurred as a log analysis result. Such a notification is an alert (warning) notification.
  • the “problem” in the result of the analysis may be called, for example, “incident” or “abnormal”.
  • the instruction transmission control unit 232 transmits an instruction corresponding to the operation of the operation unit 213 performed by the user to the analysis device 41 via the communication unit 215.
  • the user can perform an operation for giving a predetermined instruction.
  • for example, an instruction for notifying that a case determined in the log analysis result to be a problem is a false detection (erroneous detection) is used.
  • the search control unit 233 performs various search processes on the contents of the notification of the analysis result.
  • the search control unit 233 may receive and present the result of the search process performed by the search processing unit 151 of the analysis device 41, for example. Further, the search control unit 233 may perform a search process, for example, with the assistance of the search processing unit 151 of the analyzer 41. Further, the search control unit 233 may perform a search process, for example, independently of the analysis device 41.
  • FIG. 3 is a diagram showing an example of the display content 2011 of the alert list according to the embodiment of the present invention.
  • the display content 2011 shows a list of alerts.
  • the display content 2011 is displayed on the screen of the display unit 214 in the terminal device 52.
  • the display content 2011 may be different for each terminal device 52, for example.
  • the list of alerts is a list of alerts performed in the past.
  • the display content 2011 is based on information provided from the analyzer 41 to the terminal device 52, for example.
  • the display content 2011 may be generated on the analysis device 41 side and provided from the analysis device 41 to the terminal device 52.
  • the display content 2011 may also be generated based on information stored in the storage unit 216 of the terminal device 52, after the information provided from the analysis device 41 to the terminal device 52 has been stored in the storage unit 216. Note that the display content 2011 may include other information.
  • the date and time, the alert name, the importance, and the status are displayed in association with each other.
  • the display color of the information may be switched according to one or more of the degree of importance or the situation.
  • the date and time indicates the date and time when the alert occurred.
  • “2018/1/2” indicates January 2, 2018, and so on.
  • the alert names include “suspicious transmission” and “suspicious reception”.
  • these alert names are examples for convenience of explanation, and arbitrary names may be used as the alert names.
  • the status represents the status in which the alert is being handled. In the present embodiment, statuses such as “not responded”, “under investigation”, “responded”, “pending”, “under handling”, and “suppressed” are used. Note that an arbitrary status may be used as the status.
  • “Not responded” indicates that the alert has not been handled yet.
  • “Under investigation” indicates that an investigation is being performed on the alert.
  • “Responded” indicates that the alert has been responded to. In other words, it indicates that the problem has been solved for the alert.
  • “Pending” indicates that the response to the alert is pending.
  • “Under handling” indicates that the alert is being handled.
  • “Suppressed” indicates that the notification of the alert is suppressed.
  • the state of “suppressed” is set in the analysis device 41. Such a setting is performed, for example, for an alert rule. Note that each word indicating the status of the alert may be expressed using any other word.
  • the date and time of the alert, the alert name, and the importance are determined by, for example, the analysis execution unit 113 of the analyzer 41, and the analysis result information including the information is output from the analysis execution unit 113 to the notification unit 114.
  • the notifying unit 114 includes the date and time of the alert, the alert name, and the importance in the content to be notified to the terminal device 52 based on the analysis result information.
  • the status of the alert is set, for example, in accordance with an operation of the operation unit 213 performed by the user on the terminal device 52.
  • the set status of the alert is notified from the terminal device 52 to the notification unit 114 of the analysis device 41, and is managed by the management unit 116.
  • the management unit 116 stores and manages information that associates an alert with a situation in the storage unit 111 based on information received from the terminal device 52 by the notification unit 114, for example.
  • FIG. 4 is a diagram showing an example of the display content 2111 of the alert details according to the embodiment of the present invention.
  • the display content 2111 indicates details of the alert.
  • the display content 2111 is displayed on the screen of the display unit 214 in the terminal device 52.
  • the display content 2111 may be different for each terminal device 52, for example.
  • the display content 2111 is based on information provided from the analyzer 41 to the terminal device 52, for example.
  • the display content 2111 may be generated on the side of the analyzer 41 and provided from the analyzer 41 to the terminal device 52.
  • the display content 2111 may also be generated using information stored in the storage unit 216 of the terminal device 52, after the information provided from the analysis device 41 to the terminal device 52 has been stored in the storage unit 216. Note that the display content 2111 may include other information.
  • for example, when one alert is designated by the user in the list of alerts, the details of the designated alert are shown.
  • a frame of the attribute area 2121, a frame of the correspondence status area 2122, and a frame of the content area 2123 are displayed on one screen.
  • the names, arrangements, and the like of these areas may be arbitrary.
  • the attribute area 2121 shows the attribute of one alert to be displayed.
  • the attribute area 2121 indicates the date and time, the alert name, the importance, and the status.
  • the display color of the information may be switched according to one or more of the degree of importance or the situation.
  • in the response status area 2122, information that allows an arbitrary response status to be selected from a plurality of response statuses is shown.
  • in the content area 2123, detailed information on the alert or on the log that generated the alert is shown.
  • the selectable response statuses include “not responded”, “under investigation”, “responded”, “pending”, “under handling”, “false detection”, and “out of target”.
  • a button that can be switched between a selected state and a non-selected state is displayed for each corresponding state.
  • the button is switched between a selected black state and a non-selected white state, for example, in response to an operation of the operation unit 213 performed by the user.
  • the button may be, for example, a radio button.
  • “false detection” is an item for receiving an instruction for notifying the analysis device 41 from the terminal device 52 that the displayed alert is a false detection.
  • “Out of target” is an item for receiving an instruction for notifying the analysis device 41 from the terminal device 52 that the displayed alert is not a detection target.
  • the status of “suppressed” is automatically set in the analysis device 41 for an alert for which “false detection” is selected. For this reason, in this embodiment, the user cannot select the state of “suppressed”.
  • a configuration in which the user can select the state of “suppressed” may be used.
  • the status of “suppressed” is automatically set in the analysis device 41 for an alert for which “out of target” is selected.
  • “false detection” and “out of target” are similar in some respects, but are provided as different things. It should be noted that “out of target” may not be provided.
  • the user operates the operation unit 213 to select a response status suitable for the displayed alert from among the response statuses that can be selected.
  • “not responded” is selected as the initial default in the response status area 2122, but another response status may be selected.
  • a decision button 2131 is also displayed in the response status area 2122. When the button 2131 is pressed by an operation of the operation unit 213 performed by the user, the instruction transmission control unit 232 transmits information specifying the selected response status from the terminal device 52 to the analysis device 41.
  • the terminal device 52 transmits, to the analyzer 41, information for specifying the alert and information for specifying the response status of the alert selected by the user.
  • the notification unit 114 receives the information transmitted from the terminal device 52, and the management unit 116 manages the received information.
  • the false detection control unit 115 stops notification of an alert by a detection rule that generates an alert related to the false detection for a certain period.
  • the certain period may be an arbitrary period, for example, one month.
  • such a stop of the notification of the alert is performed for the terminal device 52 for which “false detection” was selected by the user, and is not performed for the other terminal devices. That is, even for the same detection rule, the notification of the alert by that detection rule is stopped only for the terminal device 52 that reported the detection rule as a false detection.
  • “false detection” can be selected for each customer and each alert. For example, when a certain detection rule is erroneously detected only in a specific customer organization, it can be determined that only a specific customer organization is erroneously detected. In the organization of the specific customer, once “false detection” is selected for a certain alert, it is possible to prevent an alert based on the same detection rule from being notified for a certain period.
  • the suspension of the notification of the alert is temporarily performed.
  • the suspension of the notification of the alert may be permanently performed.
  • the detection rule for the terminal device 52 may be permanently invalidated.
  • the method of invalidating the detection rule may be arbitrary.
  • the management unit 116 may manage information indicating whether each detection rule is valid or invalid for each terminal device 52.
  • alert rule information is used as the information.
  • the erroneous detection control unit 115 stores, in the storage unit 111, information specifying whether the notification is valid or invalid for each terminal device 52 with respect to the notification of the alert according to the detection rule stored in the storage unit 111.
  • the information is included in the alert rule, and may be, for example, flag information.
  • the erroneous detection control unit 115 stores information specifying an invalid period of an alert that has been disabled and stopped for a certain period in an alert rule stored in the storage unit 111.
  • a state in which the notification of the alert is invalid is also referred to as a “suppressed” state.
  • the erroneous detection control unit 115 determines, based on the information stored in the storage unit 111, whether there is an alert notification that was invalidated and stopped for a certain period and whose period has elapsed. The erroneous detection control unit 115 performs such a determination at, for example, a fixed time interval. Then, when the erroneous detection control unit 115 determines that there is an alert notification whose invalid (suspension) period has elapsed, it re-enables the suspended alert notification, so that the notification of the alert is applied to the terminal device 52 again.
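  • The following is an added example, not code from the patent or from the applicant, that models the detection rule / alert rule split described above (a detection rule matching a blacklisted source or destination, an alert rule per terminal device that can stop notification temporarily or permanently, and the periodic check that re-enables a notification whose suspension period has elapsed). Everything in it is constructed for illustration: the dict shape of a log entry, the names `DetectionRule`, `AlertRule`, `AnalysisDevice`, the terminal identifiers T21/T22, the documentation-range IP addresses, and the 30-day default period (the text says "for example, one month").

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Three-stage importance as in the text (constructed numeric encoding).
HIGH, MEDIUM, LOW = 3, 2, 1


@dataclass(frozen=True)
class DetectionRule:
    """A detection rule: a matching condition plus the alert it produces (constructed model)."""
    rule_id: str
    alert_name: str
    importance: int
    direction: str        # "recv" checks the source, "send" checks the destination
    blacklist: frozenset  # suspicious source / destination identifiers (constructed)

    def matches(self, log: dict) -> bool:
        if log["direction"] != self.direction:
            return False
        key = "src" if self.direction == "recv" else "dst"
        return log[key] in self.blacklist


@dataclass
class AlertRule:
    """Per-terminal notification control for one detection rule.

    Initial state (no suppression, not permanent) notifies the terminal; a datetime
    is the temporary 'suppressed' state; permanent=True is 'out of target'.
    """
    suppressed_until: Optional[datetime] = None
    permanent: bool = False

    def active(self, now: datetime) -> bool:
        if self.permanent:
            return False
        return self.suppressed_until is None or now >= self.suppressed_until


class AnalysisDevice:
    """Models the analysis execution unit plus the false-detection control unit."""

    def __init__(self, rules):
        self.rules = {r.rule_id: r for r in rules}
        self.alert_rules = {}   # (terminal, rule_id) -> AlertRule
        self.notified = []      # (terminal, alert_name, importance, timestamp)

    def _alert_rule(self, terminal: str, rule_id: str) -> AlertRule:
        return self.alert_rules.setdefault((terminal, rule_id), AlertRule())

    def analyze(self, log: dict, now: datetime) -> None:
        """Apply every detection rule; hand the result on only where the alert rule allows."""
        for rule in self.rules.values():
            if rule.matches(log) and self._alert_rule(log["terminal"], rule.rule_id).active(now):
                self.notified.append((log["terminal"], rule.alert_name, rule.importance, now))

    def report_false_detection(self, terminal, rule_id, now, period=timedelta(days=30)):
        """'false detection' from one terminal stops this rule's alerts for that terminal only."""
        self._alert_rule(terminal, rule_id).suppressed_until = now + period

    def report_out_of_target(self, terminal, rule_id) -> None:
        """'out of target' disables the rule for that terminal permanently."""
        self._alert_rule(terminal, rule_id).permanent = True

    def sweep(self, now: datetime) -> list:
        """Periodic check: clear temporary suppressions whose period has elapsed."""
        reenabled = []
        for (terminal, rule_id), ar in self.alert_rules.items():
            if not ar.permanent and ar.suppressed_until is not None and now >= ar.suppressed_until:
                ar.suppressed_until = None
                reenabled.append((terminal, rule_id))
        return reenabled


def run_scenario():
    """Two terminals see the same suspicious source; only T21 reports a false detection."""
    rules = [
        DetectionRule("R1", "suspicious reception", HIGH, "recv", frozenset({"198.51.100.7"})),
        DetectionRule("R2", "suspicious transmission", MEDIUM, "send", frozenset({"203.0.113.9"})),
    ]
    dev = AnalysisDevice(rules)
    t0 = datetime(2018, 1, 2, 9, 0)
    # Constructed log entries (documentation-range addresses, not real indicators).
    recv_t21 = {"terminal": "T21", "direction": "recv", "src": "198.51.100.7", "dst": "10.0.0.5"}
    recv_t22 = dict(recv_t21, terminal="T22")
    dev.analyze(recv_t21, t0)
    dev.analyze(recv_t22, t0)
    dev.report_false_detection("T21", "R1", t0)          # suppress R1 for T21 for 30 days
    dev.analyze(recv_t21, t0 + timedelta(days=1))         # suppressed for T21
    dev.analyze(recv_t22, t0 + timedelta(days=1))         # still notified for T22
    expired_early = dev.sweep(t0 + timedelta(days=10))    # nothing has elapsed yet
    expired_late = dev.sweep(t0 + timedelta(days=31))     # T21/R1 is re-enabled
    dev.analyze(recv_t21, t0 + timedelta(days=31))        # notified again
    return dev.notified, expired_early, expired_late


def out_of_target_scenario():
    """'out of target' never re-enables, however often the sweep runs."""
    rule = DetectionRule("R1", "suspicious reception", HIGH, "recv", frozenset({"198.51.100.7"}))
    dev = AnalysisDevice([rule])
    dev.report_out_of_target("T21", "R1")
    dev.analyze({"terminal": "T21", "direction": "recv", "src": "198.51.100.7", "dst": "10.0.0.5"},
                datetime(2030, 1, 1))
    return dev.notified, dev.sweep(datetime(2040, 1, 1))
```

  • The point to check in a real deployment is the one the text relies on: suppression is keyed by (terminal, detection rule), never by detection rule alone, so one customer's false-detection report cannot silence the same rule for another customer, and a temporary suppression carries an expiry that the sweep clears so a rule does not stay dark by accident.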
  • the detection rule applied when the notification of the alert corresponding to the detection rule for which the false detection is pointed out is restarted, for example, the same detection rule as before the notification of the alert is stopped is used.
  • as the detection rule applied when the notification of the alert corresponding to the detection rule for which the false detection was pointed out is restarted, a detection rule modified so as to improve on the detection rule used before the notification was stopped may be used. Such a change of the detection rule may be performed manually on the analysis device 41 side based on the judgment of a human such as an analyst, may be performed by an AI (Artificial Intelligence) such as machine learning, or may be performed automatically in the analysis device 41 based on a predetermined change rule.
  • the erroneous detection control unit 115 may notify a predetermined person of the fact. Such notification may be performed by any method, and for example, one or more methods of screen display, audio output, printing on paper, transmission of e-mail, and the like may be used.
  • the analysis device 41 or another device may be provided with a function unit (in this embodiment, also referred to as a “rule processing unit” for convenience of description) that performs processing related to the change of detection rules. For example, the rule processing unit combines a large amount of data on detection rules determined to be false detections and the analyst's changes to those rules with the customer information, and obtains a learning result using AI. The rule processing unit may then use that learning result to perform detection rule change processing automatically, similar to what an analyst would do. For example, an analyst may check a detection rule changed by the AI, or the rule processing unit may use the AI to check a detection rule newly created or changed by the analyst.
  • when the analysis device 41 correctly detects an attack on the terminal device 52 based on the detection rule, but the tool targeted by the attack is not used in the customer environment such as the terminal device 52, the analysis device 41 may automatically determine “false detection” for the generated alert.
  • the customer environment includes not only the terminal device 52 but also devices other than the terminal device 52, such as a server device.
  • when the analysis device 41 correctly detects an attack on the terminal device 52 based on the detection rule, but the tool targeted by the attack is not used in the customer environment such as the terminal device 52, and an alert is issued, the terminal device 52 may be notified that the selection of “false detection” is recommended, together with the reason for recommending it.
  • the user looks at the content of such a notification and determines whether or not to select “false detection”.
  • “Out of target” covers the case where the analysis device 41 correctly detects an attack based on the detection rule, but the tool targeted by the attack is not used in the customer environment such as the terminal device 52. For example, when no SQL server is used in the customer environment, an SQL injection attack may still occur and an SQL injection alert may be sent from the log detection device 51 to the analysis device 41.
  • When “out of target” is selected, the erroneous detection control unit 115 stops notification of alerts by the detection rule that generated the alert selected as out of target.
  • a stop of the notification of the alert is performed for the terminal device 52 for which “out of target” is selected, and is not performed for the other terminal devices. That is, even for the same detection rule, the notification of the alert is stopped for the terminal device 52 for which the notification of the alert by the detection rule is not a target.
  • the erroneous detection control unit 115 may store, in the storage unit 111, information for specifying whether or not the detection rule stored in the storage unit 111 is not a target for each terminal device 52.
  • As such information, for example, information on an alert rule may be used.
  • Also for “out of target”, the analyzer 41 may, for example, automatically determine the selection of “out of target” for a generated alert.
  • Alternatively, the analysis device 41 may notify the terminal device 52 that “out of target” is recommended, together with the reason for recommending “out of target”. In this case, in the terminal device 52, the user looks at the content of such a notification and decides whether or not to select “out of target”.
  • When the analysis device 41 correctly detects an attack based on the detection rule but the tool targeted by the attack is not used in the customer environment such as the terminal device 52, and the user at the terminal device 52 has selected “false detection”, the analyzer 41 may, for example, automatically confirm the selection of “out of target” for the generated alert.
  • For this purpose, the management unit 116 stores, in the storage unit 111, information specifying whether the tool is used in each terminal device 52 and manages that information. Then, for the terminal device 52 in which the alert occurred, the analysis device 41 determines, based on the information specifying whether the tool is used and on the detection rule that caused the alert, whether the “false detection” designated by the user should be changed to “out of target”, and makes the change in a predetermined case.
  • As another example, a configuration may be used in which, when the analysis device 41 or a person such as an analyst determines that a certain alert has been designated as “false detection” by the user of the terminal device 52 but may fall under “out of target”, the analysis device 41 confirms with the user whether or not to change “false detection” to “out of target”, and then makes the change once the user gives permission.
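  • The following is an added example, not code from the patent or from the applicant, showing how the tool-usage information kept by the management unit can drive the “out of target” recommendation and the re-check of a user's “false detection” choice described above. The rule names, tool names, and the per-terminal inventory are all constructed for illustration; the guard that refuses to recommend anything when no inventory is registered for a terminal is a design choice added here, so that missing asset data is never mistaken for “tool not used”.

```python
"""Recommending "out of target" from customer tool-usage information.

Added example (not the patent's own code). An alert can be a correct
detection yet irrelevant because the attacked tool does not exist in the
customer environment, e.g. an SQL injection alert where no SQL server runs.
"""
from typing import Dict, Optional, Set, Tuple

# Assumed metadata: detection rule -> tool/product the attack targets.
# Rule identifiers and tool names are hypothetical.
RULE_TARGET_TOOL: Dict[str, str] = {
    "rule-sqli-01": "sql-server",
    "rule-struts-rce": "apache-struts",
    "rule-ssh-brute": "ssh",
}

# Constructed per-terminal inventory, standing in for the information the
# management unit stores in storage unit 111 about tools in use.
TOOLS_IN_USE: Dict[str, Set[str]] = {
    "customer-A": {"ssh", "nginx"},
    "customer-B": {"sql-server", "ssh"},
}


def recommend_status(terminal_id: str, rule_id: str) -> Optional[Tuple[str, str]]:
    """Return ("out of target", reason) when the rule's target tool is known
    to be absent from the terminal's environment, otherwise None."""
    tool = RULE_TARGET_TOOL.get(rule_id)
    if tool is None:
        return None  # rule carries no tool metadata: leave the decision to the user
    inventory = TOOLS_IN_USE.get(terminal_id)
    if inventory is None:
        return None  # no inventory registered: never assume a tool is absent
    if tool in inventory:
        return None  # targeted tool is present, so the alert is relevant
    reason = (f"detection rule {rule_id} targets '{tool}', which is not "
              f"registered as in use for {terminal_id}")
    return ("out of target", reason)


def reconcile_user_selection(terminal_id: str, rule_id: str, user_status: str) -> dict:
    """The user chose a status; if it was "false detection" but the inventory
    says "out of target" fits better, propose the change and ask the user to
    confirm it rather than applying it silently."""
    rec = recommend_status(terminal_id, rule_id)
    if user_status == "false detection" and rec is not None:
        return {"apply": rec[0], "confirm_with_user": True, "reason": rec[1]}
    return {"apply": user_status, "confirm_with_user": False, "reason": None}
```

  • Usage: `recommend_status("customer-A", "rule-sqli-01")` yields an “out of target” recommendation with its reason, while the same rule for customer-B (which runs an SQL server) yields none.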
  • In the present embodiment, both “false detection” and “out of target” are provided, and both stop notification of alerts by a detection rule.
  • The difference between “false detection” and “out of target” may lie only in the period during which notification of the alert is stopped.
  • For example, the suspension period of alert notification due to “false detection” may be a finite value (for example, one month), whereas the suspension period of alert notification due to “out of target” may be permanent.
  • In the present embodiment, alert information for a log in the “suppressed” status is also displayed, but as another example a mode in which alert information in the “suppressed” status is not displayed may be used.
  • FIG. 5 is a diagram illustrating an example of the display content 2211 of the alert search according to the embodiment of the present invention.
  • the display content 2211 is the content of a screen for searching for an alert.
  • the display content 2211 is displayed on the screen of the display unit 214 in the terminal device 52.
  • the display content 2211 may differ for each terminal device 52, for example.
  • the display content 2211 is based on information provided from the analyzer 41 to the terminal device 52, for example.
  • the display content 2211 may be generated on the analysis device 41 side and provided from the analysis device 41 to the terminal device 52.
  • As another example, the display content 2211 may be generated based on the information stored in the storage unit 216 of the terminal device 52, after the information provided from the analysis device 41 to the terminal device 52 has been stored in the storage unit 216. Note that the display content 2211 may include other information.
  • the date and time range is specified at the start and end times.
  • the start time and the end time are each specified by, for example, a date.
  • a range from “April 1, 2018 to May 1, 2018” is specified.
  • the importance is designated in three levels, from highest to lowest: high, medium, and low.
  • a plurality of different degrees of importance may be specified.
  • the type of sensor is specified using the name of an individual sensor or the like.
  • a plurality of different sensors may be specified.
  • the response status is specified from among a plurality of items. Two or more different items may be specified. In the example of FIG. 5, the response status includes “not responded”, “under investigation”, “responded”, “pending”, “under response”, “false detection”, “suppression”, and “not applicable”.
  • search conditions are set on the alert search screen according to the operation of the operation unit 213 performed by the user.
  • the display content 2211 also displays a search button 2221.
  • the search control unit 233 performs overall control for alert search.
  • the analysis device 41 receives the information that specifies the search condition transmitted from the terminal device 52.
  • the management unit 116 refers to the alert information stored in the storage unit 111 based on the search condition specified by the received information, and uses the search processing unit 151 to search for alerts that match the search condition. Then, the management unit 116 generates information indicating the result of the search by the search processing unit 151, and notifies the terminal device 52 of that information through the notification unit 114.
  • the management unit 116 may use the search processing unit 151 to determine the “suppressed” status or the “out of target” status by referring to the contents of the alert rule.
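  • The following is an added example, not code from the patent or from the applicant, of the alert search described for FIG. 5: a date range, a set of importance levels, a set of sensors, and a set of response statuses, each optional, applied to one terminal's alerts. The “suppressed” and “out of target” statuses are not stored on the alert but looked up from an alert-rule table, mirroring the management unit referring to the alert rule contents. The alert records, rule table, sensor names and importance labels are constructed; the inclusive treatment of the end date is an assumption.

```python
"""Alert search by condition. Added example, not the patent's own code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass(frozen=True)
class Alert:
    alert_id: str
    terminal_id: str
    rule_id: str
    occurred: datetime
    importance: str        # "high", "medium" or "low"
    sensor: str
    response_status: str   # status last selected by the user


# Constructed alert rules: (terminal, rule) -> suppression status.
ALERT_RULES = {
    ("customer-A", "rule-sqli-01"): "suppressed",
    ("customer-A", "rule-ftp-02"): "out of target",
}

# Constructed alerts for one terminal device (identifiers are hypothetical).
ALERTS = [
    Alert("a-1", "customer-A", "rule-sqli-01", datetime(2018, 4, 3, 9, 0), "high", "ids-1", "not responded"),
    Alert("a-2", "customer-A", "rule-ssh-03", datetime(2018, 4, 10, 12, 0), "medium", "fw-1", "under investigation"),
    Alert("a-3", "customer-A", "rule-ftp-02", datetime(2018, 4, 20, 8, 0), "low", "ids-1", "not responded"),
    Alert("a-4", "customer-A", "rule-ssh-03", datetime(2018, 5, 2, 0, 0), "high", "fw-1", "responded"),
]


def effective_status(alert: Alert) -> str:
    """Status shown in search results: a 'suppressed' or 'out of target'
    entry in the alert rules takes precedence over the user's response status."""
    return ALERT_RULES.get((alert.terminal_id, alert.rule_id), alert.response_status)


def search_alerts(alerts: List[Alert], terminal_id: str,
                  start: Optional[str] = None, end: Optional[str] = None,
                  importance: Optional[Set[str]] = None,
                  sensors: Optional[Set[str]] = None,
                  statuses: Optional[Set[str]] = None) -> List[Alert]:
    """Return the terminal's alerts matching every specified condition.
    start/end are ISO dates (YYYY-MM-DD), both inclusive; an unspecified
    condition matches everything."""
    start_dt = datetime.fromisoformat(start) if start else None
    end_dt = datetime.fromisoformat(end) + timedelta(days=1) if end else None  # whole end day
    result = []
    for a in alerts:
        if a.terminal_id != terminal_id:
            continue  # a terminal only ever sees its own alerts
        if start_dt and a.occurred < start_dt:
            continue
        if end_dt and a.occurred >= end_dt:
            continue
        if importance and a.importance not in importance:
            continue
        if sensors and a.sensor not in sensors:
            continue
        if statuses and effective_status(a) not in statuses:
            continue
        result.append(a)
    return sorted(result, key=lambda a: a.occurred)


def search_ids(**conditions) -> List[str]:
    """Convenience wrapper returning only alert identifiers."""
    return [a.alert_id for a in search_alerts(ALERTS, **conditions)]
```

  • Searching “not responded” returns nothing here even though two alerts carry that user status, because the alert rules have turned them into “suppressed” and “out of target”; that is the effect of letting the alert rule decide the displayed status.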
  • the terminal device 52 and the analysis device 41 may execute processing on demand. For example, in response to a request issued from the terminal device 52, a process for satisfying the request may be executed by the analyzer 41.
  • a dedicated tool (also referred to as a “dedicated tool” for convenience of description) may be used in the terminal device 52. That is, some or all of the functions of the terminal device 52 may be configured using the dedicated tool.
  • the dedicated tool may be, for example, software such as a program.
  • one or more functions of the notification reception control unit 231, the instruction transmission control unit 232, and the search control unit 233 may be configured as functions of a dedicated tool.
  • the dedicated tool may be distributed, for example, for a fee or free of charge by a management entity of the analysis unit 11 or the like.
  • The dedicated tool is, for example, installed in the terminal device 52 and performs its functions there.
  • FIG. 6 is a diagram illustrating an example of a procedure of a process performed in the terminal device 52 according to an embodiment of the present invention.
  • In this process, the terminal device 52 receives the notification of the alert, and the response status is selected.
  • Step S1 In the terminal device 52, the notification reception control unit 231 receives the notification of the alert transmitted from the analysis device 41. Then, the process proceeds to the process in step S2.
  • Step S2 In the terminal device 52, the notification reception control unit 231 displays the received notification of the alert.
  • For example, the display content 2011 of the alert list is displayed on the terminal device 52, and the display content 2111 of the alert details is displayed in response to a user operation. Then, the process proceeds to the process in step S3.
  • Step S3 In the terminal device 52, the instruction transmission control unit 232 determines whether or not the user has performed an operation of selecting a response status. In the example of FIG. 4, the operation is pressing the determination button 2131 while a response status is specified. When the instruction transmission control unit 232 determines that the user has performed the operation of selecting a response status (step S3: YES), the process proceeds to step S4. On the other hand, when the instruction transmission control unit 232 determines that the user has not performed the operation of selecting a response status (step S3: NO), the processing of this flow ends.
  • Step S4 In the terminal device 52, the instruction transmission control unit 232 transmits, to the analysis device 41, information that specifies an instruction to select a response status accepted by an operation performed by the user. Then, the processing of this flow ends.
  • FIG. 7 is a diagram illustrating an example of a procedure of a process performed in the analyzer 41 according to an embodiment of the present invention.
  • the analysis device 41 analyzes the log.
  • Step S21 In the analyzing device 41, the acquiring unit 112 receives and acquires the log transmitted from the log detecting device 51 by the receiving unit 131. In the present embodiment, such a log is always received. Then, the process proceeds to the process in step S22.
  • Step S22 In the analyzer 41, the analysis executing unit 113 analyzes the received log based on the analysis conditions. The analysis executing unit 113 determines, for example, a log that meets a predetermined detection rule as a log having a problem. Then, the process proceeds to the process in step S23.
  • Step S23 In the analysis device 41, the notification unit 114 notifies the terminal device 52 of information on the result of the analysis performed by the analysis execution unit 113. Then, the processing of this flow ends.
  • an alert requiring notification is notified from the notification unit 114 to the terminal device 52, and an alert not requiring notification is not notified from the notification unit 114 to the terminal device 52.
  • FIG. 8 is a diagram illustrating an example of a procedure of a process performed in the analyzer 41 according to the embodiment of the present invention.
  • the analysis device 41 performs a process related to selection of “false detection”.
  • the process related to the selection of “out of target” may be the same as the process related to the selection of “false detection”.
  • Step S41 In the analysis device 41, the management unit 116 receives a notification that “false detection” has been selected for the alert in the terminal device 52. Then, the process proceeds to the process of step S42.
  • Step S42 In the analysis device 41, the erroneous detection control unit 115 stops notification of alerts by the detection rule that generated the alert for which “false detection” was selected, for the notification source, that is, the terminal device 52 in which “false detection” was selected. In this example, it is assumed that a suspension period for the alert is set. Then, the process proceeds to step S43. In the present embodiment, for example, among detection rules common to many terminal devices 52, notification of alerts by the detection rule is stopped only for the terminal device 52 for which “false detection” was selected.
  • Step S43 In the analyzer 41, the erroneous detection control unit 115 determines whether or not the suspension period has elapsed with respect to the notification of the suspended alert. As a result, in the analyzer 41, when the erroneous detection control unit 115 determines that the suspension period has elapsed with respect to the notification of the alert during suspension (step S43: YES), the processing proceeds to step S44. On the other hand, in the analyzer 41, when the erroneous detection control unit 115 determines that the suspension period has not elapsed for the notification of the suspended alert (step S43: NO), the processing of step S43 is repeated.
  • Step S44 In the analyzer 41, when the erroneous detection control unit 115 determines that the suspension period has elapsed for the notification of the suspended alert, the erroneous detection control unit 115 restarts the notification of the alert for the corresponding terminal device 52. Then, the processing of this flow ends.
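  • The following is an added example, not code from the patent or from the applicant, that implements the behaviour of steps S41 to S44 together with the “false detection” versus “out of target” distinction described earlier: a suspension is keyed by terminal device and detection rule, so other terminals sharing the same rule keep receiving alerts; “false detection” expires after a finite period and notification restarts on its own, while “out of target” is permanent. The 30-day period stands in for the “for example, one month” in the text and is an assumption, as are the terminal and rule identifiers and the `at_day` helper.

```python
"""Per-terminal, per-rule alert notification suppression with a suspension
period. Added example, not the patent's own code."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed finite suspension for "false detection" (the text says "for example, one month").
FALSE_DETECTION_PERIOD = timedelta(days=30)
BASE = datetime(2018, 4, 1)  # constructed reference time for the demo


def at_day(n: int) -> datetime:
    """BASE plus n days; keeps the demo free of repeated datetime arithmetic."""
    return BASE + timedelta(days=n)


@dataclass
class Suppression:
    status: str                # "false detection" or "out of target"
    started: datetime
    until: Optional[datetime]  # None means permanent


class NotificationSuppressor:
    """Plays the role of the erroneous detection control unit and of the
    alert rules it keeps in storage: (terminal, rule) -> Suppression."""

    def __init__(self) -> None:
        self._table: Dict[Tuple[str, str], Suppression] = {}

    def select_status(self, terminal_id: str, rule_id: str, status: str, now: datetime) -> None:
        """Steps S41/S42: the terminal selected a status for an alert."""
        if status == "false detection":
            until: Optional[datetime] = now + FALSE_DETECTION_PERIOD
        elif status == "out of target":
            until = None
        else:
            raise ValueError(f"unknown status: {status!r}")
        self._table[(terminal_id, rule_id)] = Suppression(status, now, until)

    def notification_status(self, terminal_id: str, rule_id: str, now: datetime) -> str:
        """Return 'active', 'suppressed' or 'out of target'. Steps S43/S44:
        an expired suspension is removed and notification restarts."""
        sup = self._table.get((terminal_id, rule_id))
        if sup is None:
            return "active"
        if sup.until is not None and now >= sup.until:
            del self._table[(terminal_id, rule_id)]
            return "active"
        return "suppressed" if sup.status == "false detection" else "out of target"

    def should_notify(self, terminal_id: str, rule_id: str, now: datetime) -> bool:
        return self.notification_status(terminal_id, rule_id, now) == "active"

    def filter_for_notification(self, alerts: List[dict], now: datetime) -> List[dict]:
        """Step S23: only alerts still requiring notification reach the terminal."""
        return [a for a in alerts if self.should_notify(a["terminal_id"], a["rule_id"], now)]


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: two terminals share one detection rule."""
    s = NotificationSuppressor()
    s.select_status("customer-A", "rule-sqli-01", "false detection", at_day(0))
    s.select_status("customer-A", "rule-ftp-02", "out of target", at_day(0))
    pending = [
        {"terminal_id": "customer-A", "rule_id": "rule-sqli-01"},
        {"terminal_id": "customer-B", "rule_id": "rule-sqli-01"},
        {"terminal_id": "customer-A", "rule_id": "rule-ftp-02"},
    ]
    key = lambda a: a["terminal_id"] + "/" + a["rule_id"]
    return {
        "day1": [key(a) for a in s.filter_for_notification(pending, at_day(1))],
        "day30": [key(a) for a in s.filter_for_notification(pending, at_day(30))],
    }
```

  • On day 1 only customer-B is notified for the shared rule; on day 30 the finite suspension for customer-A has elapsed and its SQL injection alerts resume, while the “out of target” rule stays silent indefinitely.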
  • FIG. 9 is a diagram illustrating an example of a procedure of a process performed in the analyzer 41 according to an embodiment of the present invention.
  • the analysis device 41 performs a process related to the change of the detection rule.
  • the management unit 116 can change the detection rule stored in the storage unit 111 in accordance with an instruction from an analyst or the like in the analyzer 41.
  • a configuration in which the change of the detection rule stored in the storage unit 111 of the analysis device 41 is performed by access from a device different from the analysis device 41 may be used.
  • Step S61 In the analysis device 41, the management unit 116 determines whether or not an instruction to change the corresponding detection rule has been received for an alert for which a notification of “false detection” has been received from the terminal device 52. The instruction may be, for example, an instruction given to the analyzer 41 by a person such as an analyst, or an instruction given automatically by a device such as the analyzer 41. When the management unit 116 determines that the instruction to change the detection rule has been received (step S61: YES), the process proceeds to step S62. On the other hand, when the management unit 116 determines that the instruction to change the detection rule has not been received (step S61: NO), the processing of this flow ends.
  • Step S62 In the analyzer 41, the management unit 116 changes the corresponding detection rule according to the received instruction. Then, the processing of this flow ends.
  • The detection rule that generated an alert marked “false detection” in a certain terminal device 52 may be changed in common for a plurality of terminal devices including that terminal device 52 and other terminal devices.
  • the plurality of terminal devices may be, for example, all terminal devices to which the detection rule before the change is applied, or may be some terminal devices.
  • the detection rule for generating an alert indicating “false detection” in a certain terminal device 52 may be changed only for the terminal device 52.
  • the alert and the detection rule correspond one-to-one.
  • the description has been made assuming that the detection rule, the alert, and the alert rule correspond one-to-one.
  • the correspondence between the detection rule and the valid / invalid status of the notification is specified.
  • the correspondence between the alert and the valid / invalid status of the notification is specified.
  • the correspondence between the detection rule, the alert, and the alert rule is managed, so that the enabled/disabled status of notification of the alert corresponding to a detection rule can be managed.
  • a plurality of different detection rules may be associated with one alert.
  • the analysis system 1 manages information that specifies the correspondence between the alert and the situation.
  • Each alert is identified based on, for example, identification information given to each alert.
  • In this case, when “false detection” is selected for a certain alert, notification of the alert may be set to “suppressed” for the detection rule that generated the alert at that time.
  • For example, even if there are a plurality of detection rules that generate that alert, only the detection rule that generated the alert at that time may be set to the “suppressed” state. Note that “out of target” may be handled in the same way as “false detection”.
  • FIG. 10 is a diagram illustrating an example of a hardware configuration of an information processing device 4001 according to an embodiment of the present invention.
  • An information processing device 4001 having a hardware configuration as shown in FIG. 10 may be used as the terminal device 52 or the analysis device 41 in the present embodiment.
  • In the information processing apparatus 4001, the processor 4011, the operation unit 4012, the display unit 4013, the storage device 4014, the memory 4015, the input/output interface 4016, the network interface 4017, and the like are connected by a bus 4021.
  • the processor 4011 is configured from a CPU (Central Processing Unit) and the like, and executes a program to execute processing specified by the program.
  • the operation unit 4012 includes one or more input devices such as a keyboard and a mouse, and receives an operation performed by a user (person).
  • the display unit 4013 has a screen, and outputs information on the screen.
  • the storage device 4014 is a non-volatile storage unit, and is configured from, for example, a hard disk, and stores information.
  • the memory 4015 is a volatile storage unit and is configured from a RAM (Random Access Memory) or the like, and temporarily stores information.
  • RAM: Random Access Memory
  • DRAM: Dynamic Random Access Memory
  • the storage device 4014 or the memory 4015 may store, for example, information of a program executed by the processor 4011.
  • the input / output interface 4016 is an interface connected to an external recording medium or the like.
  • the network interface 4017 is an interface for connecting to an external network.
  • the information processing device 4001 may include one processor as the processor 4011, or may include two or more processors.
  • the information processing apparatus 4001 may include a plurality of CPUs, execute the respective processes by the respective CPUs, and realize the entire process in cooperation with the plurality of CPUs.
  • the user of the terminal device 52 can prevent erroneous detection from being continued by a simple operation.
  • the designer of the detection rule can obtain feedback information on false detection given by the user. Then, the designer of the detection rule can review the detection rule, for example, while the notification of the alert is suppressed by the detection rule.
  • a detection rule designer may manually generate improved detection rules based on the fed back information.
  • the designer of the detection rule may generate the improved detection rule by the machine learning device by causing the machine learning device to perform the machine learning of the information fed back. Thereby, for example, erroneous detection is reduced.
  • a custom rule may be created for each customer.
  • a suppressed alert can be searched.
  • As described above, the following configuration is used in a system that monitors logs of customer devices for each of a plurality of customers. The system acquires a customer's log and determines whether or not the log satisfies a predetermined condition. When it determines that the customer's log satisfies the predetermined condition, the system transmits predetermined information to the customer. A predetermined instruction can be received from the customer with respect to that predetermined information. Then, when the predetermined instruction is received from the customer, the system invalidates notification of the predetermined information to that customer (a state of suppression). Note that the system may be called not only the analysis system 1 but also a monitoring system.
  • As described above, the analysis device 41 in the present embodiment includes: an acquisition unit (the function of the acquisition unit 112) that acquires target information (a log in the embodiment) relating to a first terminal device (the terminal device 52 in the embodiment); an analysis execution unit (the function of the analysis execution unit 113) that determines whether the target information acquired by the acquisition unit satisfies a first condition (a detection rule in the embodiment); a notification unit (the function of the notification unit 114) that notifies the first terminal device of first information (alert information in the embodiment) when the analysis execution unit determines that the target information satisfies the first condition; an information receiving unit that receives second information from the first terminal device with respect to the first information notified by the notification unit; and a notification suppression unit (the function of the erroneous detection control unit 115) that suppresses notification of the first information to the first terminal device when the second information is received for the first information.
  • In the present embodiment, the first condition is a rule for detecting a problem, the first information is information on an alert corresponding to the problem, and the second information is information instructing that the alert is a false detection.
  • The notification suppression unit stops notification of the first information based on the first condition for the first terminal device for a predetermined period, and restarts notification of the first information based on the first condition after the predetermined period has elapsed.
  • The first condition under which notification is restarted may be the same as before the stop, or may have been changed in the meantime.
  • the analyzer includes a change unit (in the present embodiment, the management unit 116) that changes the first condition.
  • The analyzer includes a management unit (the management unit 116 in the present embodiment) that manages the status of notification of the first information based on the first condition, and the first information can be searched using the status of the notification.
  • The notification suppression unit suppresses notification of the first information to the first terminal device based on a second condition (an alert rule in the present embodiment) that specifies that notification of the first information to the first terminal device is to be suppressed.
  • the target information is a log related to security.
  • The terminal device (the terminal device 52 in the present embodiment) includes: a notification reception control unit (the function of the notification reception control unit 231) that receives the notification of the first information sent from the analysis device when the analysis device determines that the target information relating to the terminal device satisfies the first condition; an instruction receiving unit (the function of the operation unit 213 and the function of the instruction transmission control unit 232) that receives a predetermined instruction for the first information received by the notification reception control unit (in the present embodiment, an instruction to select “false detection” or an instruction to select “out of target”); and an instruction transmission control unit (the function of the instruction transmission control unit 232) that, when the instruction is accepted, transmits to the analysis device the second information including the instruction to suppress notification of the first information to the terminal device.
  • the present invention may be embodied in various forms such as a device such as a terminal device or an analysis device, a system such as an analysis system, a method such as an analysis method, a program, and a recording medium on which the program is recorded.
  • the recording medium may be, for example, a temporary recording medium.
  • In the present embodiment, a log of a security sensor is used as the log to be analyzed.
  • FW: Firewall
  • NGFW: Next Generation Firewall
  • IPS: Intrusion Prevention System
  • IDS: Intrusion Detection System
  • UTM: Unified Threat Management, etc.
  • the device that detects logs may be an intrusion prevention system (IPS) device that prevents unauthorized intrusion in a computer network.
  • the device may detect a log that may be related to unauthorized activity.
  • the device that detects the log may be a device of a firewall (FW) that blocks communication that should not be passed.
  • the device may detect both logs that may be related to unauthorized activity and logs that are not related to unauthorized activity.
  • IPS: Intrusion Prevention System
  • FW: Firewall
  • Logs other than security sensor logs can also be used as the logs to be analyzed.
  • Other logs include, for example, an authentication log, an error log, a terminal scan log, a communication log, a program operation log, and an application operation log.
  • Examples of the authentication log include logs such as Active Directory, BIND (Berkeley Internet Name Domain), and DNS (Domain Name System).
  • the error log includes, for example, a log such as WinEvt.
  • Examples of the terminal scan log include logs such as antivirus and EDR (Endpoint Detection and Response).
  • Examples of the communication log include logs such as proxy, mail, file access, and database (DB) access logs.
  • Examples of the program operation log include a log such as a boot log and dmesg.
  • Examples of the application operation log include logs such as an event log and a unique log.
  • a log is used as an analysis target.
  • information other than a log can be used as an analysis target.
  • the information other than the log includes, for example, information on the setting of an operating system (OS).
  • OS: Operating System
  • Examples of the OS setting information include registry information.
  • a web browsing history, an operation history, or a log-in history may be used.
  • the log detection device may be provided, for example, outside the terminal device 52, or may be provided as a function inside the terminal device 52.
  • information of a plurality of different types of logs may be stored in a form mixed in chronological order. For example, information for identifying a sensor that has detected each log is added to each log. The logs can be distinguished based on the information. This makes it possible to extract information of a predetermined type of log from information in which information of a plurality of different types of logs is mixed.
  • the analysis of the logs by the analysis executing unit 113 may be performed, for example, for each type of log, or may be performed collectively for two or more types of logs.
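  • The following is an added example, not code from the patent or from the applicant, covering the flow of FIG. 7 (acquire log, analyze it against detection rules, produce alerts) together with the storage just described, where logs of several sensor types are mixed in chronological order and told apart by a sensor identifier on each record. The log lines, the `sensor=<type>-<n>` naming convention, the three detection rules and the failure threshold are all constructed for illustration; one rule is evaluated per record and one across a sequence of records, to show both per-type and collective analysis.

```python
"""Extracting one log type from a mixed store and running detection rules.
Added example, not the patent's own code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed mixed log, chronological, each record tagged with its sensor.
MIXED_LOG = [
    "2018-04-01T09:00:01 sensor=ids-1 src=203.0.113.7 dst=192.0.2.10 signature=sql-injection",
    "2018-04-01T09:00:02 sensor=fw-1 src=203.0.113.7 dst=192.0.2.10 action=deny port=23",
    "2018-04-01T09:00:05 sensor=auth-1 user=alice result=failure",
    "2018-04-01T09:00:06 sensor=auth-1 user=alice result=failure",
    "2018-04-01T09:00:07 sensor=auth-1 user=alice result=failure",
    "2018-04-01T09:00:09 sensor=fw-1 src=198.51.100.4 dst=192.0.2.10 action=allow port=443",
    "2018-04-01T09:00:11 sensor=auth-1 user=bob result=success",
]


@dataclass(frozen=True)
class Alert:
    rule_id: str
    sensor: str
    timestamp: str
    detail: str


def parse_line(line: str) -> Dict[str, str]:
    """Parse 'TIMESTAMP key=value ...' into a dict. The sensor field is the
    identifier added to each record so mixed logs can be told apart."""
    ts, *pairs = line.split()
    rec = {"timestamp": ts}
    for p in pairs:
        k, _, v = p.partition("=")
        rec[k] = v
    return rec


def sensor_type(rec: Dict[str, str]) -> str:
    """Assumed naming convention: sensor identifier is '<type>-<n>'."""
    return rec["sensor"].split("-", 1)[0]


def extract_logs(lines: List[str], wanted_type: str) -> List[Dict[str, str]]:
    """Pull one type of log, in original order, out of the mixed store."""
    return [r for r in map(parse_line, lines) if sensor_type(r) == wanted_type]


# Detection rules (constructed). Each takes the chronological records of one type.
def rule_sqli(recs: List[Dict[str, str]]) -> List[Alert]:
    return [Alert("rule-sqli-01", r["sensor"], r["timestamp"], f"{r['src']} -> {r['dst']}")
            for r in recs if r.get("signature") == "sql-injection"]


def rule_telnet_deny(recs: List[Dict[str, str]]) -> List[Alert]:
    return [Alert("rule-telnet-02", r["sensor"], r["timestamp"], f"denied telnet from {r['src']}")
            for r in recs if r.get("action") == "deny" and r.get("port") == "23"]


AUTH_FAILURE_THRESHOLD = 3  # assumed


def rule_auth_failures(recs: List[Dict[str, str]]) -> List[Alert]:
    """Collective rule: N consecutive failures for one user raise one alert."""
    streak: Dict[str, int] = defaultdict(int)
    alerts = []
    for r in recs:
        user = r["user"]
        if r.get("result") == "failure":
            streak[user] += 1
            if streak[user] == AUTH_FAILURE_THRESHOLD:
                alerts.append(Alert("rule-auth-03", r["sensor"], r["timestamp"],
                                    f"{AUTH_FAILURE_THRESHOLD} consecutive failed logins for {user}"))
        else:
            streak[user] = 0
    return alerts


DETECTION_RULES: Dict[str, List[Callable[[List[Dict[str, str]]], List[Alert]]]] = {
    "ids": [rule_sqli],
    "fw": [rule_telnet_deny],
    "auth": [rule_auth_failures],
}


def analyze(lines: List[str]) -> List[Alert]:
    """Step S22: run each type's rules over that type's records, then merge in time order."""
    alerts: List[Alert] = []
    for log_type, rules in DETECTION_RULES.items():
        recs = extract_logs(lines, log_type)
        for rule in rules:
            alerts.extend(rule(recs))
    return sorted(alerts, key=lambda a: a.timestamp)
```

  • `analyze(MIXED_LOG)` yields three alerts in time order; the authentication alert appears once, at the third failure, rather than once per failed line.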
  • a program for realizing the function of each device is recorded (stored) in a computer-readable recording medium (storage medium). Processing can be performed by causing a computer system to read and execute the program recorded on the recording medium.
  • the “computer system” may include an operating system or hardware such as a peripheral device.
  • The “computer-readable recording medium” includes a flexible disk, a magneto-optical disk, a writable nonvolatile memory such as a ROM (Read Only Memory) or a flash memory, a portable medium such as a DVD (Digital Versatile Disc), and a storage device such as a hard disk built into a computer system.
  • The “computer-readable recording medium” also includes media that hold the program for a certain period of time, such as a volatile memory (for example, DRAM) inside a computer system serving as a server or a client when the program is transmitted over a network such as the Internet or a communication line such as a telephone line. Further, the above program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium, or by a transmission wave in the transmission medium.
  • the “transmission medium” for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.
  • the above program may be a program for realizing a part of the functions described above. Further, the above program may be a program that can realize the above-described functions in combination with a program already recorded in the computer system, that is, a so-called difference file (difference program).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

This analysis device is provided with an acquisition unit which acquires target information relating to a first terminal device, an analysis execution unit which determines whether or not the aforementioned target information acquired by the acquisition unit satisfies a first condition, a notification unit which notifies the first terminal device of the first information if the target information was determined by the analysis execution unit to satisfy the first condition, an information receiving unit which receives second information from the first terminal device for the first information notified by the notification unit, and a notification suppression unit which, if the second information has been received from the first terminal device for the first information, suppresses the notification of first information to the first terminal device. For a prescribed period, the notification suppression unit stops notification, to the first terminal device of the first information, that is triggered by the first condition, and, after the aforementioned prescribed period has elapsed, restarts notification of the first information that is triggered by the first condition.

Description

Analysis device, terminal device, analysis system, analysis method, and program
The present invention relates to an analysis device, a terminal device, an analysis system, an analysis method, and a program.
This application claims priority based on Japanese Patent Application No. 2018-180914, filed in Japan on September 26, 2018, the contents of which are incorporated herein by reference.
For example, an analysis system is known in which an analysis device analyzes security logs for a plurality of different customer organizations.
In such an analysis system, rules that detect the characteristics of malicious logs are created and used as the rules for automatic analysis of security logs. Moreover, rules common to a plurality of different customer organizations are often used as such rules.
However, with such a common rule, an error in the determination made on the logs of a specific organization (also referred to as a “false detection” for convenience of description) can occur, for example, when the name of a non-malicious device in that organization happens to coincide with the name of a malicious server. That is, a false detection in which the non-malicious device is determined to be malicious can occur.
In such a case, for example, it may be necessary to create a custom rule for the specific organization in which false detection occurs.
Patent Document 1 discloses a web access monitoring method in a computer system that has a central management server for managing client computers within a local network (see Patent Document 1). In that web access monitoring method, the central management server sets monitoring rules that include warning conditions for web access that is unnecessary or improper for business or educational purposes, and the form of processing to be applied when a warning is issued.
Patent Document 1: International Publication No. 2007/069338
However, when a false detection occurs in a specific organization among a plurality of different customer organizations, handling it only by creating a custom rule, as has been done conventionally, is not always efficient.
In view of these circumstances, embodiments of the present invention provide an analysis device, a terminal device, an analysis system, an analysis method, and a program that can efficiently handle a false detection that occurs in a specific organization among a plurality of different customer organizations.
One aspect of the present invention is an analysis device comprising: an acquisition unit that acquires target information relating to a first terminal device; an analysis execution unit that determines whether or not the target information acquired by the acquisition unit satisfies a first condition; a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition; an information receiving unit that receives, from the first terminal device, second information in response to the first information notified by the notification unit; and a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information, wherein the notification suppression unit stops, for the first terminal device, notification of the first information based on the first condition for a predetermined period, and resumes notification of the first information based on the first condition after the predetermined period has elapsed.
One aspect of the present invention is an analysis device comprising: an acquisition unit that acquires target information relating to a first terminal device; an analysis execution unit that determines whether or not the target information acquired by the acquisition unit satisfies a first condition; a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition; an information receiving unit that receives, from the first terminal device, second information in response to the first information notified by the notification unit; a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information; and a management unit that manages the status of notification of the first information based on the first condition, wherein the status includes at least a status of being suppressed, and the first information can be searched using the notification status.
One aspect of the present invention is an analysis device comprising: an acquisition unit that acquires target information relating to a first terminal device; an analysis execution unit that determines whether or not the target information acquired by the acquisition unit satisfies a first condition; a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition; an information receiving unit that receives, from the first terminal device, second information in response to the first information notified by the notification unit; and a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information, wherein the notification suppression unit suppresses notification of the first information to the first terminal device based on a second condition that specifies that notification of the first information to the first terminal device is to be suppressed.
One aspect of the present invention is an analysis device comprising: an acquisition unit that acquires target information relating to a first terminal device; an analysis execution unit that determines whether or not the target information acquired by the acquisition unit satisfies a first condition; a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition; an information receiving unit that receives, from the first terminal device, second information in response to the first information notified by the notification unit; and a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information, wherein the target information is a log relating to security.
In the analysis device according to one aspect of the present invention, the first condition is a rule for detecting a problem, the first information is information on an alert corresponding to the problem, and the second information is information indicating that the alert is erroneous.
The analysis device according to one aspect of the present invention comprises a changing unit that changes the first condition.
One aspect of the present invention is a terminal device having a detection device that treats a log relating to security as target information, detects the target information relating to the terminal device, and transmits the target information to an analysis device, the terminal device comprising: a notification reception control unit that receives a notification of first information relating to the security, the notification being sent from the analysis device when the analysis device determines that the target information relating to the terminal device satisfies a first condition; an instruction receiving unit that receives a predetermined instruction relating to the security with respect to the first information received by the notification reception control unit; and an instruction transmission control unit that, when the instruction has been received with respect to the first information, transmits to the analysis device second information including an instruction to suppress notification of the first information relating to the security to the terminal device.
In the terminal device according to one aspect of the present invention, the first condition is a rule for detecting a problem, the first information is information on an alert corresponding to the problem, and the second information is information indicating that the alert is erroneous.
One aspect of the present invention is an analysis system comprising a first terminal device and an analysis device, wherein the analysis device comprises: an acquisition unit that acquires target information relating to the first terminal device; an analysis execution unit that determines whether or not the target information acquired by the acquisition unit satisfies a first condition; a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition; an information receiving unit that receives, from the first terminal device, second information in response to the first information notified by the notification unit; and a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information; the first terminal device comprises: a notification reception control unit that receives the notification of the first information sent from the analysis device; an instruction receiving unit that receives a predetermined instruction with respect to the first information received by the notification reception control unit; and an instruction transmission control unit that transmits the second information to the analysis device when the instruction has been received with respect to the first information; and the notification suppression unit stops, for the first terminal device, notification of the first information based on the first condition for a predetermined period, and resumes notification of the first information based on the first condition after the predetermined period has elapsed.
One aspect of the present invention is an analysis system comprising a first terminal device and an analysis device, wherein the analysis device comprises: an acquisition unit that acquires target information relating to the first terminal device; an analysis execution unit that determines whether or not the target information acquired by the acquisition unit satisfies a first condition; a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition; an information receiving unit that receives, from the first terminal device, second information in response to the first information notified by the notification unit; a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information; and a management unit that manages the status of notification of the first information based on the first condition; the first terminal device comprises: a notification reception control unit that receives the notification of the first information sent from the analysis device; an instruction receiving unit that receives a predetermined instruction with respect to the first information received by the notification reception control unit; and an instruction transmission control unit that transmits the second information to the analysis device when the instruction has been received with respect to the first information; the status includes at least a status of being suppressed; and the first information can be searched using the notification status.
One aspect of the present invention is an analysis system comprising a first terminal device and an analysis device, wherein the analysis device comprises: an acquisition unit that acquires target information relating to the first terminal device; an analysis execution unit that determines whether or not the target information acquired by the acquisition unit satisfies a first condition; a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition; an information receiving unit that receives, from the first terminal device, second information in response to the first information notified by the notification unit; and a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information; the first terminal device comprises: a notification reception control unit that receives the notification of the first information sent from the analysis device; an instruction receiving unit that receives a predetermined instruction with respect to the first information received by the notification reception control unit; and an instruction transmission control unit that transmits the second information to the analysis device when the instruction has been received with respect to the first information; and the notification suppression unit suppresses notification of the first information to the first terminal device based on a second condition that specifies that notification of the first information to the first terminal device is to be suppressed.
One aspect of the present invention is an analysis system comprising a first terminal device and an analysis device, wherein the analysis device comprises: an acquisition unit that acquires target information relating to the first terminal device; an analysis execution unit that determines whether or not the target information acquired by the acquisition unit satisfies a first condition; a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition; an information receiving unit that receives, from the first terminal device, second information in response to the first information notified by the notification unit; and a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information; the first terminal device comprises: a notification reception control unit that receives the notification of the first information sent from the analysis device; an instruction receiving unit that receives a predetermined instruction with respect to the first information received by the notification reception control unit; and an instruction transmission control unit that transmits the second information to the analysis device when the instruction has been received with respect to the first information; and the target information is a log relating to security.
In the analysis system according to one aspect of the present invention, the first condition is a rule for detecting a problem, the first information is information on an alert corresponding to the problem, and the second information is information indicating that the alert is erroneous.
In the analysis system according to one aspect of the present invention, the analysis device comprises a changing unit that changes the first condition.
One aspect of the present invention is an analysis method in an analysis system comprising a first terminal device and an analysis device, wherein the analysis device acquires target information relating to the first terminal device, determines whether or not the acquired target information satisfies a first condition, and notifies the first terminal device of first information when it determines that the target information satisfies the first condition; the first terminal device receives the notification of the first information sent from the analysis device and, when a predetermined instruction has been received with respect to the received first information, transmits second information to the analysis device; the analysis device suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device; and, as the suppression of the notification, the analysis device stops, for the first terminal device, notification of the first information based on the first condition for a predetermined period, and resumes notification of the first information based on the first condition after the predetermined period has elapsed.
One aspect of the present invention is an analysis method in an analysis system comprising a first terminal device and an analysis device, wherein the analysis device acquires target information relating to the first terminal device, determines whether or not the acquired target information satisfies a first condition, and notifies the first terminal device of first information when it determines that the target information satisfies the first condition; the first terminal device receives the notification of the first information sent from the analysis device and, when a predetermined instruction has been received with respect to the received first information, transmits second information to the analysis device; the analysis device suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device; the analysis device manages the status of notification of the first information based on the first condition; the status includes at least a status of being suppressed; and the first information can be searched using the notification status.
One aspect of the present invention is an analysis method in an analysis system comprising a first terminal device and an analysis device, wherein the analysis device acquires target information relating to the first terminal device, determines whether or not the acquired target information satisfies a first condition, and notifies the first terminal device of first information when it determines that the target information satisfies the first condition; the first terminal device receives the notification of the first information sent from the analysis device and, when a predetermined instruction has been received with respect to the received first information, transmits second information to the analysis device; the analysis device suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device; and, as the suppression of the notification, the analysis device suppresses notification of the first information to the first terminal device based on a second condition that specifies that notification of the first information to the first terminal device is to be suppressed.
One aspect of the present invention is an analysis method in an analysis system comprising a first terminal device and an analysis device, wherein the analysis device acquires target information relating to the first terminal device, determines whether or not the acquired target information satisfies a first condition, and notifies the first terminal device of first information when it determines that the target information satisfies the first condition; the first terminal device receives the notification of the first information sent from the analysis device and, when a predetermined instruction has been received with respect to the received first information, transmits second information to the analysis device; the analysis device suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device; and the target information is a log relating to security.
In the analysis method according to one aspect of the present invention, the first condition is a rule for detecting a problem, the first information is information on an alert corresponding to the problem, and the second information is information indicating that the alert is erroneous.
In the analysis method according to one aspect of the present invention, the analysis device changes the first condition.
One aspect of the present invention is a program for causing a computer constituting an analysis device to realize: a function of acquiring target information relating to a first terminal device; a function of determining whether or not the acquired target information satisfies a first condition; a function of notifying the first terminal device of first information when it is determined that the target information satisfies the first condition; a function of receiving, from the first terminal device, second information in response to the notified first information; and a function of suppressing notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information, wherein the function of suppressing the notification stops, for the first terminal device, notification of the first information based on the first condition for a predetermined period, and resumes notification of the first information based on the first condition after the predetermined period has elapsed.
One aspect of the present invention is a program for causing a computer constituting an analysis device to realize: a function of acquiring target information relating to a first terminal device; a function of determining whether or not the acquired target information satisfies a first condition; a function of notifying the first terminal device of first information when it is determined that the target information satisfies the first condition; a function of receiving, from the first terminal device, second information in response to the notified first information; a function of suppressing notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information; and a function of managing the status of notification of the first information based on the first condition, wherein the status includes at least a status of being suppressed, and the first information can be searched using the notification status.
One aspect of the present invention is a program for causing a computer constituting an analysis device to realize: a function of acquiring target information relating to a first terminal device; a function of determining whether or not the acquired target information satisfies a first condition; a function of notifying the first terminal device of first information when it is determined that the target information satisfies the first condition; a function of receiving, from the first terminal device, second information in response to the notified first information; and a function of suppressing notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information, wherein the function of suppressing the notification suppresses notification of the first information to the first terminal device based on a second condition that specifies that notification of the first information to the first terminal device is to be suppressed.
One aspect of the present invention is a program for causing a computer constituting an analysis device to realize: a function of acquiring target information relating to a first terminal device; a function of determining whether or not the acquired target information satisfies a first condition; a function of notifying the first terminal device of first information when it is determined that the target information satisfies the first condition; a function of receiving, from the first terminal device, second information in response to the notified first information; and a function of suppressing notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information, wherein the target information is a log relating to security.
In the program according to one aspect of the present invention, the first condition is a rule for detecting a problem, the first information is information on an alert corresponding to the problem, and the second information is information indicating that the alert is erroneous.
The program according to one aspect of the present invention further causes the computer to realize a function of changing the first condition.
One aspect of the present invention is a program for causing a computer constituting a terminal device, which has a detection device that treats a log relating to security as target information, detects the target information relating to the terminal device, and transmits the target information to an analysis device, to realize: a function of receiving a notification of first information relating to the security, the notification being sent from the analysis device when the analysis device determines that the target information relating to the terminal device satisfies a first condition; a function of receiving a predetermined instruction relating to the security with respect to the received first information; and a function of transmitting to the analysis device, when the instruction has been received with respect to the first information, second information including an instruction to suppress notification of the first information relating to the security to the terminal device.
In the program according to one aspect of the present invention, the first condition is a rule for detecting a problem, the first information is information on an alert corresponding to the problem, and the second information is information indicating that the alert is erroneous.
According to the analysis device, terminal device, analysis system, analysis method, and program described above, a false detection that occurs for a specific organization among a plurality of different customer organizations can be dealt with efficiently.
FIG. 1 is a diagram illustrating a schematic configuration example of an analysis system according to an embodiment of the present invention.
FIG. 2 is a diagram illustrating a schematic configuration example of a terminal device according to an embodiment of the present invention.
FIG. 3 is a diagram illustrating an example of the display contents of an alert list according to an embodiment of the present invention.
FIG. 4 is a diagram illustrating an example of the display contents of alert details according to an embodiment of the present invention.
FIG. 5 is a diagram illustrating an example of the display contents of an alert search according to an embodiment of the present invention.
FIG. 6 is a diagram illustrating an example of a procedure of processing performed in the terminal device according to an embodiment of the present invention.
FIG. 7 is a diagram illustrating an example of a procedure of processing performed in the analysis device according to an embodiment of the present invention.
FIG. 8 is a diagram illustrating an example of a procedure of processing performed in the analysis device according to an embodiment of the present invention.
FIG. 9 is a diagram illustrating an example of a procedure of processing performed in the analysis device according to an embodiment of the present invention.
FIG. 10 is a diagram illustrating an example of the hardware configuration of an information processing device according to an embodiment of the present invention.
An embodiment of the present invention will be described in detail with reference to the drawings.
[Analysis system]
FIG. 1 is a diagram illustrating a schematic configuration example of an analysis system 1 according to an embodiment of the present invention. The configuration of the functional blocks illustrated in FIG. 1 is one example, and other configurations may be used.
The analysis system 1 includes an analysis unit 11, a plurality of terminal units 21 to 23, and a network 31.
Each of the terminal units 21 to 23 and the analysis unit 11 are communicably connected via the network 31.
Here, each of the terminal units 21 to 23 is managed by a different management entity. The management entity may be, for example, an organization such as a company or a school, or may be an individual. When the management entity is an organization, a person belonging to that organization manages the terminal unit 21 to 23. When the management entity is an individual, the person corresponding to that individual manages the terminal unit 21 to 23. In the present embodiment, a person who manages one of the terminal units 21 to 23 may also be called a user.
Note that two or more of the plurality of terminal units 21 to 23 may be managed by the same management entity. The two or more terminal units may be some or all of the plurality of terminal units 21 to 23.
The number of terminal units 21 to 23 may be any number equal to or greater than one.
In the present embodiment, for convenience of explanation, the configurations and operations of the plurality of terminal units 21 to 23 are the same, except that the management entities of the respective terminal units 21 to 23 may differ. For this reason, one terminal unit 21 is described as a representative in the present embodiment.
Note that a mode in which the configurations or operations of the respective terminal units 21 to 23 differ may also be used.
In the present embodiment, the analysis unit 11 performs the same operation for each of the plurality of terminal units 21 to 23, except that the management entities of the respective terminal units 21 to 23 may differ.
Note that a configuration in which the analysis unit 11 performs different operations for each of the plurality of terminal units 21 to 23 may also be used.
In the present embodiment, the analysis unit 11 is shared by the plurality of terminal units 21 to 23. Note that the analysis system 1 may include a plurality of analysis units 11. In this case, the plurality of analysis units 11 divide the plurality of terminal units 21 to 23 among themselves and operate accordingly.
Here, the analysis unit 11 may be regarded as, for example, a device or a system. Likewise, the terminal unit 21 may be regarded as, for example, a device or a system.
The network 31 may be any network. The network 31 may be, for example, the Internet, or may be a dedicated network. The communication between each of the terminal units 21 to 23 and the analysis unit 11 may be, for example, wired communication, wireless communication, or a combination of wired and wireless communication.
[Overview of the terminal unit]
The terminal unit 21 is described as a representative.
The terminal unit 21 includes a log detection device 51 and a terminal device 52.
The example of FIG. 1 shows a configuration in which the log detection device 51 and the terminal device 52 are each connected to the network 31, but the configuration is not limited to this.
The log detection device 51 detects information that is the target of detection (also referred to as "target information" for convenience of explanation). In the present embodiment, the target information is a predetermined log. In the present embodiment, the log detection device 51 constantly monitors a predetermined target and detects the log of that target. In the present embodiment, the log is a log related to security (a security log), for example, a log of communication performed via the network 31.
The log detection device 51 may be configured using, for example, a sensor that detects a predetermined log. In the present embodiment, the log detection device 51 detects logs relating to communication performed by the terminal device 52. The log detection device 51 outputs the detected logs. In the present embodiment, the log detection device 51 transmits the detected logs to the analysis unit 11. The logs may be transmitted, for example, in predetermined batches. A batch may be the logs of a predetermined period, and the predetermined period may be, for example, one day.
Note that in the present embodiment the log detection device 51 does not store the detected logs. As another example, the log detection device 51 may include a storage unit that stores the detected logs.
The terminal device 52 is configured using, for example, an information processing device operated by a user. The information processing device is, for example, a computer. The computer may be, for example, a desktop computer, a notebook computer, the computer of a mobile phone, or the computer of a smartphone.
The terminal device 52 receives, via the network 31, e-mail transmitted from the analysis unit 11.
The terminal device 52 also acquires the information of Web pages provided by the analysis unit 11. The terminal device 52 also transmits information to the analysis unit 11 via the network 31. In the present embodiment, the terminal device 52 transmits to the analysis unit 11, for example, information on a false detection concerning the result of an analysis performed by the analysis unit 11.
[Overview of the analysis unit]
The analysis unit 11 includes an analysis device 41, a Web server device 42, and a mail server device 43.
The example of FIG. 1 shows a configuration in which the analysis device 41, the Web server device 42, and the mail server device 43 are each connected to the network 31, but the configuration is not limited to this.
The analysis device 41 includes a storage unit 111, an acquisition unit 112, an analysis execution unit 113, a notification unit 114, a false detection control unit 115, and a management unit 116.
The acquisition unit 112 includes a reception unit 131.
The management unit 116 includes a search processing unit 151.
An outline of the operations performed in the analysis device 41 is given below.
The storage unit 111 stores various kinds of information.
The acquisition unit 112 uses the reception unit 131 to receive the logs transmitted from the log detection device 51 to the analysis unit 11 via the network 31, and thereby acquires the received logs. In the present embodiment, the acquisition unit 112 collects a variety of logs by acquiring them in this way. The acquisition unit 112 outputs the received logs to the analysis execution unit 113. In the present embodiment, the log detection device 51 addresses the logs to the analysis device 41.
Here, the log detection device 51 may compress the log information and transmit the compressed log information to the analysis device 41. In this case, in the analysis device 41, the analysis execution unit 113 decompresses the received information to obtain the original log information. Note that "decompression" may also be called "expansion" or the like.
The log detection device 51 may also encrypt the information to be transmitted and transmit the encrypted information to the analysis device 41. In this case, in the analysis device 41, the analysis execution unit 113 decrypts the received information to obtain the original information.
The analysis execution unit 113 receives the logs output from the acquisition unit 112 as input. The analysis execution unit 113 analyzes the input logs on the basis of predetermined conditions (also referred to as "analysis conditions" for convenience of explanation). The analysis execution unit 113 outputs predetermined information on the result of analyzing the input logs (also referred to as "analysis result information" for convenience of explanation) to the notification unit 114.
In the present embodiment, the storage unit 111 stores information specifying the analysis conditions. The analysis execution unit 113 acquires the analysis conditions on the basis of that information.
Any condition may be used as an analysis condition.
As an analysis condition, for example, a condition for determining whether or not the log being analyzed indicates a problem may be used. The problem may be, for example, a computer virus, or may be some other event.
As an analysis condition, for example, the condition "if one or more of the information identifying the transmission source contained in the log, the information identifying the transmission destination contained in the log, or other information contained in the log matches predetermined information, determine that there is a problem" may be used. As an analysis condition, for example, the conditions described in a blacklist, that is, a list of the conditions under which a log should be determined to indicate a problem, may be used.
A condition under which a problem should be determined to exist may be called, for example, a "rule"; in the present embodiment it is called a "detection rule" for convenience of explanation. A detection rule may be regarded as, for example, a condition for detecting a problem on the basis of a log. That is, when it is determined for a certain log that a situation corresponding to a certain detection rule has occurred, it is determined that the problem associated with that detection rule has occurred. One or more detection rules are created; in the present embodiment, a plurality of different detection rules are created and used.
In this case, each detection rule contains information specifying the rule used to determine whether or not the detection rule applies. Each detection rule is also associated with information specifying the problem that is deemed to have occurred when the detection rule applies. Note that the information specifying the problem deemed to have occurred when a detection rule applies may also be regarded as part of that detection rule.
Each problem is further associated with the content of the alert to be notified when that problem occurs.
In this way, in the present embodiment, a detection rule, a problem, and an alert (the content of the alert) are associated with one another. In the present embodiment, such association information is stored, for example, in the storage unit 111 and managed by the management unit 116.
Note that the problem and the content of the alert may be configured, for example, as common information. That is, when the problem is presented in the content of the alert, the problem can also be notified by means of the alert content.
In the present embodiment, for convenience of explanation, a case is described in which each detection rule is initially created as a detection rule common to all terminal devices 52. As another example, one or more terminal devices 52 to which a detection rule applies may be initially set for each detection rule. The content of such a setting may also be regarded as part of the detection rule.
Specific examples of detection rules include "a detection rule under which, for a received signal, when the identification information of the transmission source device of the received signal matches predetermined identification information, the problem of communication from a suspicious transmission source is deemed to have occurred", and "a detection rule under which, for a transmitted signal, when the identification information of the transmission destination device of the transmitted signal matches predetermined identification information, the problem of communication to a suspicious transmission destination is deemed to have occurred".
Here, in the present embodiment, when a detection rule is satisfied, there are cases in which the alert corresponding to that detection rule is notified and cases in which it is not. In the present embodiment, for each detection rule, a rule specifying whether or not an alert is to be notified when that detection rule is satisfied (also referred to as an "alert rule" for convenience of explanation) is used.
In the present embodiment, an alert rule is associated with each detection rule. The alert rule contains information specifying the terminal devices 52 to which an alert is to be notified when the detection rule associated with the alert rule is satisfied, or information specifying the terminal devices 52 to which an alert is not to be notified when that detection rule is satisfied. In the alert rule, for example, it is initially set that an alert is to be notified to all terminal devices 52 when the detection rule associated with the alert rule is satisfied.
As another example, an alert rule may be provided for each terminal device 52. In this case, the alert rule of each terminal device 52 contains information specifying the detection rules for which an alert is to be notified to that terminal device 52, or information specifying the detection rules for which an alert is not to be notified to that terminal device 52.
Here, in the present embodiment, by combining detection rules and alert rules, a distinction is made for the terminal device 52 between, for example, the case in which a predetermined problem is detected and an alert is notified and the case in which a predetermined problem is detected but no alert is notified.
Modes in which an alert is not notified may include, for example, a mode in which notification of the alert is stopped for a predetermined period, or a mode in which notification of the alert is stopped permanently.
As another example, a rule in which the detection rule and the alert rule are integrated may be used.
In the present embodiment, when a certain detection rule is satisfied, the analysis execution unit 113 outputs the analysis result information to the notification unit 114 if, on the basis of the alert rule corresponding to that detection rule, an alert is to be notified, and does not output the analysis result information to the notification unit 114 if no alert is to be notified.
Note that although the present embodiment shows a case in which the analysis execution unit 113 controls whether or not an alert is notified, as another example, a configuration may be used in which the analysis execution unit 113 outputs the analysis result information to the notification unit 114 and the notification unit 114 controls, on the basis of the content of the alert rule, whether or not the alert is notified.
Note that when the logs to be analyzed may include a plurality of types of logs, for example, the analysis execution unit 113 determines the type of each log. In this case, the information of each log includes information specifying the type of that log.
Further, for example, a configuration may be used in which the sensor of the log detection device 51 transmits alert information to the analysis device 41 together with the log detection result.
In this case, in the analysis device 41, the analysis execution unit 113 determines, for example, whether or not the alert information attached to the log detection result is correct. In this case, for example, a condition for determining whether or not the alert information attached to the log detection result is correct is used as the analysis condition.
In general, the accuracy of alerts notified by the sensor of the log detection device 51 is often not high. Such an alert may include, for example, the name of a signature.
In the present embodiment, a detection rule may hold, in association with the condition for determining that a log indicates a problem, one or more of an alert name (also referred to simply as the "alert name" for convenience of explanation), a severity (importance), and the like. The alert corresponds, for example, to the problem that occurs.
The alert name represents the name of the alert. The alert name is, for example, predetermined for each type of alert.
Each alert may additionally carry information identifying the type of its content.
The severity represents the importance of the alert. The severity may be expressed in any number of levels. In the present embodiment, the severity is expressed in three levels.
When analysis result information is input from the analysis execution unit 113, the notification unit 114 notifies the terminal device 52 of predetermined information based on that analysis result information. The predetermined information is information for notifying the terminal device 52 about the analysis result, and any information may be used.
Here, any method may be used by the notification unit 114 to notify the terminal device 52 of the information.
In the present embodiment, when information to be notified to the terminal device 52 arises, the notification unit 114 creates an e-mail addressed to the terminal device 52 and transmits the created e-mail to the mail server device 43. In this case, the notification unit 114 includes in the e-mail information on an access destination that can be accessed from the terminal device 52. This information may be, for example, a URL (Uniform Resource Locator).
The notification unit 114 generates the Web page corresponding to the access destination information included in the e-mail and transmits the information of the generated Web page to the Web server device 42. The notification unit 114 includes in this Web page the information to be notified to the terminal device 52.
The mail server device 43 receives the e-mail transmitted from the notification unit 114. The mail server device 43 transmits the received e-mail to its destination. In the present embodiment, an e-mail addressed to the terminal device 52 is transmitted from the mail server device 43 to the terminal device 52 via the network 31.
The Web server device 42 receives the Web page information transmitted from the notification unit 114. On the basis of the received information, the Web server device 42 makes the Web page available for viewing. In the present embodiment, the Web server device 42 makes the Web page available for viewing by the terminal device 52 in response to access from the terminal device 52.
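The e-mail plus Web page notification path described above, carried through as an added example. This is illustration code, not the applicant's implementation; the host name, the URL layout, the token length and the message wording are assumptions, and the `WebServer` and `outbox` objects stand in for the Web server device 42 and the mail server device 43. The point it adds beyond the text is that the access destination placed in the e-mail is a random, unguessable token, so the alert page of one customer cannot be reached by guessing or enumerating the URLs issued to another.

```python
"""Added example: alert e-mail with a link to a per-alert Web page.

Illustration only (not the applicant's code). Host name, URL layout, token
length and message wording are assumptions made for this example.
"""
import secrets
from email.message import EmailMessage
from typing import Dict, List, Optional

ALERT_BASE_URL = "https://alerts.example.invalid/alert/"  # assumed access-destination prefix
SENDER = "soc@alerts.example.invalid"                      # assumed sender address


class WebServer:
    """Stand-in for the Web server device: pages are keyed by an unguessable token."""

    def __init__(self) -> None:
        self._pages: Dict[str, dict] = {}

    def publish(self, token: str, page: dict) -> None:
        self._pages[token] = page

    def get(self, token: str) -> Optional[dict]:
        # Unknown token: nothing is served, so other customers' alert pages
        # cannot be discovered by guessing or enumerating URLs.
        return self._pages.get(token)


class Notifier:
    """Stand-in for the notification unit; `outbox` stands in for the mail server device."""

    def __init__(self, web: WebServer, outbox: List[EmailMessage]) -> None:
        self.web = web
        self.outbox = outbox

    def notify(self, alert: dict, to_addr: str) -> str:
        # 128 random bits from the OS CSPRNG; the link is the only way to reach the page.
        token = secrets.token_urlsafe(16)
        self.web.publish(token, {
            "terminal": alert["terminal"],
            "alert_name": alert["alert_name"],
            "severity": alert["severity"],
            "detail": alert["detail"],
        })
        msg = EmailMessage()
        msg["From"] = SENDER
        msg["To"] = to_addr
        msg["Subject"] = f"[severity {alert['severity']}] {alert['alert_name']}"
        # Design choice for this example: the mail carries only the link, and the
        # alert detail lives on the page, since e-mail in transit is not confidential.
        msg.set_content(
            f"An alert was raised for terminal {alert['terminal']}.\n"
            f"Details: {ALERT_BASE_URL}{token}\n"
        )
        self.outbox.append(msg)
        return token


def link_from_mail(msg: EmailMessage) -> str:
    """What the terminal device does: pick the access destination out of the mail."""
    for line in msg.get_content().splitlines():
        if line.startswith("Details: "):
            return line[len("Details: "):]
    raise ValueError("no access destination in message")


def token_from_link(link: str) -> str:
    if not link.startswith(ALERT_BASE_URL):
        raise ValueError("unexpected access destination")
    return link[len(ALERT_BASE_URL):]


# Constructed sample alert, as the analysis execution unit might hand it over.
SAMPLE_ALERT = {
    "terminal": "T21",
    "alert_name": "Communication from suspicious source",
    "severity": 3,
    "detail": "recv from 203.0.113.9 to 10.0.0.5",
}


def demo() -> Optional[dict]:
    """Analysis side notifies; terminal side reads the mail and fetches the page."""
    web = WebServer()
    outbox: List[EmailMessage] = []
    Notifier(web, outbox).notify(SAMPLE_ALERT, "admin@customer21.invalid")
    link = link_from_mail(outbox[-1])       # terminal device 52 receives the mail
    return web.get(token_from_link(link))   # and accesses the Web page


if __name__ == "__main__":
    print(demo())
```

Because the token is the only key to the page, the Web server never has to trust anything in the request other than the token itself; a lookup with an unknown token returns nothing rather than an error that would confirm or deny that an alert exists.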
The false detection control unit 115 performs control related to false detections in the results of the analyses performed by the analysis execution unit 113.
The false detection control unit 115 performs, for example, the processing of receiving from the terminal device 52 a report that a given alert is a false detection; the processing of stopping, when such a report is received from the terminal device 52 for a given alert, notification to that reporting terminal device 52 of alerts produced by the detection rule corresponding to that alert; and the processing of resuming notification to that reporting terminal device 52 of alerts produced by that detection rule.
In the present embodiment, the false detection control unit 115 stops or resumes notification of the alert by rewriting the content of the alert rule corresponding to the detection rule.
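The detection rules, the alert rules associated with them, and the false detection control described above, carried through as one added example (illustration code, not the applicant's implementation). It assumes a rule format (a blacklist match on one field of a communication log), constructed sample logs for two terminals T21 and T22, and a status field on each recorded alert so that suppressed alerts remain searchable. The check it adds beyond the text is in `report_false_positive`: a terminal can only suppress a rule for itself, and only by referring to an alert that was actually notified to it, so a false-positive report from one customer never changes what other customers receive.

```python
"""Added example: detection rules, alert rules and per-terminal false-positive
suppression, modelled on the analysis device described above (not the
applicant's code). Rule contents, field names and identifiers are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample security logs as a sensor might forward them in one batch.
SAMPLE_LOGS = [
    {"terminal": "T21", "direction": "recv", "src": "203.0.113.9", "dst": "10.0.0.5"},
    {"terminal": "T21", "direction": "send", "src": "10.0.0.5", "dst": "198.51.100.7"},
    {"terminal": "T22", "direction": "recv", "src": "203.0.113.9", "dst": "10.0.1.8"},
    {"terminal": "T22", "direction": "send", "src": "10.0.1.8", "dst": "192.0.2.44"},
]


@dataclass
class DetectionRule:
    """Blacklist match on one log field; fires a named alert with a severity (1..3)."""
    rule_id: str
    direction: str        # "recv" or "send"
    field_name: str       # log field compared against the blacklist
    blacklist: Set[str]   # predetermined identification information
    alert_name: str
    severity: int

    def matches(self, log: dict) -> bool:
        return log["direction"] == self.direction and log[self.field_name] in self.blacklist


@dataclass
class AlertRule:
    """Per detection rule: the terminals that are currently NOT notified."""
    rule_id: str
    suppressed_terminals: Set[str] = field(default_factory=set)

    def should_notify(self, terminal: str) -> bool:
        return terminal not in self.suppressed_terminals


class Analyzer:
    def __init__(self, rules: List[DetectionRule]) -> None:
        self.rules = {r.rule_id: r for r in rules}
        # Initially every alert rule notifies all terminals (nothing suppressed).
        self.alert_rules: Dict[str, AlertRule] = {r.rule_id: AlertRule(r.rule_id) for r in rules}
        self.alerts: List[dict] = []      # alert records with a managed status
        self._next_id = 1

    def analyze(self, logs: List[dict]) -> List[dict]:
        """Apply every detection rule to every log; record each hit with its status."""
        produced = []
        for log in logs:
            for rule in self.rules.values():
                if not rule.matches(log):
                    continue
                terminal = log["terminal"]
                notify = self.alert_rules[rule.rule_id].should_notify(terminal)
                alert = {
                    "alert_id": f"A{self._next_id}",
                    "terminal": terminal,
                    "rule_id": rule.rule_id,
                    "alert_name": rule.alert_name,
                    "severity": rule.severity,
                    "status": "notified" if notify else "suppressed",
                }
                self._next_id += 1
                self.alerts.append(alert)
                produced.append(alert)
        return produced

    def report_false_positive(self, terminal: str, alert_id: str) -> AlertRule:
        """A terminal reports an alert it received as a false detection.

        Only the alert rule entry for (rule, reporting terminal) is rewritten,
        and only if that alert was notified to that terminal, so one customer
        cannot silence a rule for another customer.
        """
        match = [a for a in self.alerts if a["alert_id"] == alert_id]
        if not match or match[0]["terminal"] != terminal:
            raise ValueError(f"{alert_id} was not notified to {terminal}")
        alert_rule = self.alert_rules[match[0]["rule_id"]]
        alert_rule.suppressed_terminals.add(terminal)
        return alert_rule

    def resume_notification(self, terminal: str, rule_id: str) -> None:
        self.alert_rules[rule_id].suppressed_terminals.discard(terminal)

    def search(self, terminal: str, status: str) -> List[dict]:
        """Search a terminal's own alerts by managed status, e.g. 'suppressed'."""
        return [a for a in self.alerts if a["terminal"] == terminal and a["status"] == status]


RULES = [
    DetectionRule("R1", "recv", "src", {"203.0.113.9"}, "Communication from suspicious source", 3),
    DetectionRule("R2", "send", "dst", {"198.51.100.7"}, "Communication to suspicious destination", 2),
]


def notified(alerts: List[dict]) -> List[str]:
    return [a["alert_id"] for a in alerts if a["status"] == "notified"]


if __name__ == "__main__":
    analyzer = Analyzer(RULES)
    print("first pass notified:", notified(analyzer.analyze(SAMPLE_LOGS)))
    analyzer.report_false_positive("T21", "A1")   # T21 says its R1 alert is a false detection
    print("second pass notified:", notified(analyzer.analyze(SAMPLE_LOGS)))
    print("suppressed for T21:", [a["alert_id"] for a in analyzer.search("T21", "suppressed")])
```

The second pass over the same logs shows the rewritten alert rule in effect: the hit for T21 under R1 is recorded with status suppressed, where a search can still find it, while T22 keeps receiving the same alert. Calling `resume_notification("T21", "R1")` restores the initial behaviour.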
The management unit 116 performs various kinds of management concerning the terminal device 52.
In the management unit 116, for example, the search processing unit 151 performs processing for searching information. The search processing unit 151 may perform a search on behalf of the terminal device 52, or may perform processing that assists a search performed at the terminal device 52. The search processing unit 151 performs search processing using, for example, the information stored in the storage unit 111.
The management unit 116 also, for example, rewrites and changes the detection rules and the like stored in the storage unit 111. Such rewriting may include, for example, new registration, overwriting, and deletion.
The present embodiment describes a case in which the information of the terminal device 52 is known to the analysis unit 11.
In the present embodiment, when a contract for the analysis service is concluded between the management entity of the terminal device 52 and the management entity that provides the analysis service by means of the analysis unit 11, the information of the terminal device 52 relating to that contract is set in the analysis unit 11. This information may be stored, for example, in the storage unit 111. This information may include, for example, information identifying the terminal device 52, and may include the e-mail address of the terminal device 52.
Here, the information of the terminal device 52 set in relation to the contract may be, for example, information specifying the range of analysis for which the service can be received, or information on the fee required to receive the service (for convenience of explanation, also referred to as "charging information").
The range of analysis for which the service can be received may be set using, for example, one or more of the data amount, the number of times, the period, and the like.
The management unit 116 may store in the storage unit 111 and manage information specifying the fee currently charged for the terminal device 52.
From the viewpoint of the management entity that provides the analysis service by means of the analysis unit 11, the management entity of the terminal device 52 with which the contract regarding the service is concluded is a customer. The management entities of the plurality of terminal units 21 to 23 may each be different customers.
[Details of the terminal device]
FIG. 2 is a diagram showing a schematic configuration example of the terminal device 52 according to an embodiment of the present invention. The configuration of the functional blocks shown in FIG. 2 is an example, and other configurations may be used.
The terminal device 52 includes an input unit 211, an output unit 212, an operation unit 213, a display unit 214, a communication unit 215, a storage unit 216, and a control unit 217.
The control unit 217 includes a notification reception control unit 231, an instruction transmission control unit 232, and a search control unit 233.
The input unit 211 inputs information output from an external device.
The output unit 212 outputs information to an external device.
Here, the external device may be any device. The external device may be, for example, a portable recording medium. The external device may be, for example, a printing device.
The operation unit 213 inputs information corresponding to an operation performed by the user. The operation unit 213 may include, for example, a keyboard or a mouse.
The display unit 214 has a screen and outputs information to the screen. The information is thereby displayed on the screen.
The communication unit 215 performs communication via the network 31.
The storage unit 216 stores various types of information.
The control unit 217 performs various types of control in the terminal device 52.
The notification reception control unit 231 performs processing for receiving the content of the notification made by the notification unit 114 of the analysis device 41.
In the present embodiment, the notification reception control unit 231 receives, via the communication unit 215, an e-mail transmitted from the mail server device 43 to the terminal device 52 via the network 31. The notification reception control unit 231 also accesses the destination Web page described in the received e-mail and acquires the information of that Web page provided by the Web server device 42. This access may be performed, for example, in response to an operation of the operation unit 213 performed by the user.
The notification reception control unit 231 displays the acquired e-mail information or the acquired Web page information on the screen of the display unit 214.
The content of the notification of the log analysis result includes, for example, information notifying that a problem has been determined to have occurred as a result of the log analysis. Such a notification is an alert (warning) notification.
The "problem" in the analysis result may be called, for example, an "incident" or an "anomaly".
The instruction transmission control unit 232 transmits, via the communication unit 215, an instruction corresponding to the operation of the operation unit 213 performed by the user to the analysis device 41.
In the present embodiment, on the Web page displayed on the screen of the display unit 214, the user can perform an operation for giving a predetermined instruction.
In the present embodiment, such an instruction is an instruction notifying that a detection for which the log analysis result determined that a problem occurred is a false detection (false positive).
The search control unit 233 performs various search processes on the content of the notification of the analysis result.
The search control unit 233 may, for example, receive and present the result of search processing performed by the search processing unit 151 of the analysis device 41. The search control unit 233 may also perform search processing with the assistance of the search processing unit 151 of the analysis device 41. The search control unit 233 may also perform search processing independently of the analysis device 41.
[Alert list]
FIG. 3 is a diagram showing an example of the display content 2011 of an alert list according to an embodiment of the present invention.
The display content 2011 shows a list of alerts. The display content 2011 is displayed on the screen of the display unit 214 in the terminal device 52. The display content 2011 may differ, for example, for each terminal device 52. In the example of FIG. 3, the alert list is a list of alerts issued in the past.
The display content 2011 is based, for example, on information provided from the analysis device 41 to the terminal device 52.
As one example, the display content 2011 may be generated on the analysis device 41 side and provided from the analysis device 41 to the terminal device 52. As another example, the display content 2011 may be generated in the terminal device 52 on the basis of information stored in the storage unit 216, after the information provided from the analysis device 41 to the terminal device 52 has been stored in the storage unit 216. The display content 2011 may also include other information.
In the example of FIG. 3, the date and time, the alert name, the importance, and the status are displayed in association with each other. The display color of the information may be switched according to one or more of the importance, the status, and the like.
The date and time indicates the date and time when the alert occurred. In the example of FIG. 3, for example, "2018/1/2" indicates January 2, 2018, and likewise for the others.
In the example of FIG. 3, the alert names include "suspicious transmission" and "suspicious reception". These alert names are examples for convenience of explanation, and any names may be used as alert names.
In the example of FIG. 3, there are three levels of importance, from highest to lowest: high, medium, and low.
The status represents the state in which the alert is being handled. In the present embodiment, statuses such as "not handled", "under investigation", "handled", "pending", "being handled", and "suppressed" are used. Any statuses may be used.
"Not handled" indicates that the alert has not yet been handled.
"Under investigation" indicates that the alert is being investigated.
"Handled" indicates that handling of the alert has been completed, that is, that the problem concerning the alert has been resolved.
"Pending" indicates that handling of the alert has been put on hold.
"Being handled" indicates that the alert is currently being handled.
"Suppressed" indicates that notification of the alert is suppressed. In the present embodiment, when a false detection is pointed out for an alert in the terminal device 52, the "suppressed" status is set in the analysis device 41. Such a setting is made, for example, for the alert rule.
Each word indicating the status of an alert may be expressed using any other word.
Here, the date and time of the alert, the alert name, and the importance are determined, for example, by the analysis execution unit 113 of the analysis device 41, and analysis result information including this information is output from the analysis execution unit 113 to the notification unit 114. On the basis of the analysis result information, the notification unit 114 includes the date and time of the alert, the alert name, and the importance in the content notified to the terminal device 52.
The status of the alert is set, for example, in accordance with an operation of the operation unit 213 performed by the user in the terminal device 52. The set status of the alert is notified from the terminal device 52 to the notification unit 114 of the analysis device 41 and is managed by the management unit 116. The management unit 116 stores in the storage unit 111 and manages, for example, information associating alerts with statuses, on the basis of the information received from the terminal device 52 by the notification unit 114.
Here, the present embodiment shows a case in which information on alerts in the "suppressed" status is also displayed in the alert list, but as another example, a mode in which information on alerts in the "suppressed" status is not displayed may be used.
FIG. 4 is a diagram showing an example of the display content 2111 of alert details according to an embodiment of the present invention.
The display content 2111 shows the details of an alert. The display content 2111 is displayed on the screen of the display unit 214 in the terminal device 52. The display content 2111 may differ, for example, for each terminal device 52.
The display content 2111 is based, for example, on information provided from the analysis device 41 to the terminal device 52.
As one example, the display content 2111 may be generated on the analysis device 41 side and provided from the analysis device 41 to the terminal device 52. As another example, the display content 2111 may be generated in the terminal device 52 using information stored in the storage unit 216, after the information provided from the analysis device 41 to the terminal device 52 has been stored in the storage unit 216. The display content 2111 may also include other information.
The alert details are shown, for example, for the alert designated when the user designates one alert in the alert list.
In the example of FIG. 4, the frame of an attribute area 2121, the frame of a response status area 2122, and the frame of a content area 2123 are displayed on one screen. The names, arrangement, and the like of these areas may be arbitrary.
On the alert details screen, information about one alert is displayed.
The attribute area 2121 shows the attributes of the one alert being displayed. In the example of FIG. 4, the attribute area 2121 shows the date and time, the alert name, the importance, and the status. The display color of the information may be switched according to one or more of the importance, the status, and the like.
The response status area 2122 shows information that allows any response status to be selected from among a plurality of response statuses.
The content area 2123 shows detailed information about the alert or about the log that caused the alert.
In the example of FIG. 4, the selectable response statuses are "not handled", "under investigation", "handled", "pending", "being handled", "false detection", and "out of scope". For each response status, a button that can be switched between a selected state and an unselected state is displayed. The button is switched, for example in response to an operation of the operation unit 213 performed by the user, between a black state, which is the selected state, and a white state, which is the unselected state. The button may be, for example, a radio button.
Here, "not handled", "under investigation", "handled", "pending", and "being handled" are the same as described with reference to FIG. 3.
"False detection" is an item that accepts an instruction for notifying the analysis device 41 from the terminal device 52 that the displayed alert is a false detection.
"Out of scope" is an item that accepts an instruction for notifying the analysis device 41 from the terminal device 52 that the displayed alert is not a target of detection.
In the present embodiment, the "suppressed" status is automatically set in the analysis device 41 for an alert for which "false detection" is selected. For this reason, in the present embodiment, the user cannot select the "suppressed" status. As another example, a configuration in which the user can select the "suppressed" status in the terminal device 52 may be used.
Also, in the present embodiment, the "suppressed" status is automatically set in the analysis device 41 for an alert for which "out of scope" is selected.
In the present embodiment, "false detection" and "out of scope" are similar in some respects but are provided as separate items. "Out of scope" need not be provided.
In the display content 2111 shown in FIG. 4, the user operates the operation unit 213 to select, from among the selectable response statuses, the response status suited to the displayed alert.
In the present embodiment, "not handled" is selected as the initial default in the response status area 2122, but another response status may be selected.
A confirm button 2131 is also displayed in the response status area 2122. When the button 2131 is pressed on the basis of an operation of the operation unit 213 performed by the user, information specifying the selected response status is transmitted from the terminal device 52 to the analysis device 41 by the instruction transmission control unit 232.
In this case, the terminal device 52 transmits to the analysis device 41 information specifying the alert and information specifying the response status selected by the user for that alert.
In the analysis device 41, the notification unit 114 receives the information transmitted from the terminal device 52, and the management unit 116 manages the received information.
<Selection of "false detection">
In the analysis device 41, when the information received from the terminal device 52 indicates "false detection", the false detection control unit 115 stops, for a certain period, notification of alerts by the detection rule that generated the alert concerned in the false detection. The certain period may be any period, for example one month.
In the present embodiment, in the analysis device 41, such stopping of alert notification is performed for the terminal device 52 at which "false detection" was selected by the user, and is not performed for other terminal devices. That is, even for the same detection rule, notification of alerts by that detection rule is stopped only for the terminal device 52 for which the detection rule produces false detections.
In the present embodiment, "false detection" can be selected for each customer and for each alert. For example, when a certain detection rule produces false detections only in a specific customer's organization, it can be treated as a false detection only for that customer's organization. In that customer's organization, once "false detection" has been selected for an alert, alerts based on the same detection rule can be prevented from being notified for a certain period.
In the present embodiment, such stopping of alert notification is temporary, but as another example, such stopping may be permanent; that is, the detection rule may be permanently disabled for the terminal device 52 concerned. Any method may be used to disable a detection rule. For example, the management unit 116 may manage, for each terminal device 52, information indicating whether each detection rule is enabled or disabled. In the present embodiment, alert rule information, for example, is used as this information.
In the analysis device 41, the false detection control unit 115 stores in the storage unit 111, for each terminal device 52, information specifying whether notification of alerts by a detection rule stored in the storage unit 111 is enabled or disabled. In the present embodiment, this information is included in the alert rule and may be, for example, flag information. Also, in the analysis device 41, for an alert notification that is disabled and stopped for a certain period, the false detection control unit 115 stores information specifying that period in the alert rule stored in the storage unit 111.
In the present embodiment, the state in which notification of an alert is disabled is also called the "suppressed" state.
In the analysis device 41, the false detection control unit 115 determines, on the basis of the information stored in the storage unit 111, whether the period has elapsed for an alert notification that is disabled and stopped for a certain period. The false detection control unit 115 makes this determination, for example, at fixed time intervals.
Then, in the analysis device 41, when the false detection control unit 115 determines that there is an alert notification whose suspension period has elapsed, it re-enables that alert notification and applies it again to the terminal device 52 for which its application had been stopped.
Here, the detection rule applied when notification of alerts corresponding to a detection rule for which a false detection was pointed out is resumed is, for example, the same detection rule as before the alert notification was stopped.
As another example, the detection rule applied when notification is resumed may be a detection rule that has been changed so as to improve on the detection rule in effect before the alert notification was stopped. Such a change of the detection rule may, for example, be made manually on the analysis device 41 side based on the judgment of a person such as an analyst, may be made using AI (artificial intelligence) such as machine learning, or may be made automatically in the analysis device 41 based on predetermined change rules. For example, when "false detection" is selected in the terminal device 52, the false detection control unit 115 may notify a predetermined person of this. Such notification may be made by any method; for example, one or more of screen display, audio output, printing on paper, and sending an e-mail may be used.
When machine learning is used as the AI, techniques such as logistic regression, Bayesian filters, SVM (Support Vector Machine), and deep learning may be used, for example.
The analysis device 41 or another device may be provided with a functional unit that performs processing related to changing detection rules (in the present embodiment, also referred to as a "rule processing unit" for convenience of explanation).
For example, the rule processing unit obtains the result of training the AI on a large volume of acquired data consisting of detection rules determined to be false detections and the analysts' changes to those detection rules, combined with customer information. The rule processing unit may then use the result of this training to automatically perform detection rule changes similar to those an analyst would make.
For example, an analyst may check detection rules changed by the AI.
For example, the rule processing unit may use the AI to check detection rules newly created or changed by an analyst.
As an example of a false detection, there are cases where the analysis device 41 correctly detects an attack on the terminal device 52 based on a detection rule, but the tool targeted by the attack is not used in the customer environment, such as the terminal device 52. That is, an attack exploiting a vulnerability in a tool not used in the customer environment may arrive at the terminal device 52 in that customer environment. In this case, the analysis device 41 may, for example, automatically confirm the selection of "false detection" for the generated alert. Here, the customer environment includes the terminal device 52 and also devices other than the terminal device 52, such as server devices.
Alternatively, when the analysis device 41 correctly detects an attack on the terminal device 52 based on a detection rule but the tool targeted by the attack is not used in the customer environment, such as the terminal device 52, the analysis device 41 may, when notifying the terminal device 52 of the alert information, notify the terminal device 52 that selecting "false detection" is recommended and the reason for that recommendation. In this case, at the terminal device 52 the user looks at the content of the notification and decides whether or not to select "false detection".
An example of a case where the analysis device 41 correctly detects an attack based on a detection rule but the tool targeted by the attack is not used in the customer environment, such as the terminal device 52, is where no SQL server is used in the customer environment, an SQL injection attack is made, and an SQL injection alert is sent from the log detection device 51 to the analysis device 41.
<Selection of "out of scope">
In the analysis device 41, when the information received from the terminal device 52 indicates "out of scope", the false detection control unit 115 stops notification of alerts by the detection rule that generated the alert concerned.
In the present embodiment, in the analysis device 41, such stopping of alert notification is performed for the terminal device 52 at which "out of scope" was selected, and is not performed for other terminal devices. That is, even for the same detection rule, notification of alerts by that detection rule is stopped for the terminal device 52 for which that notification is out of scope.
In the analysis device 41, the false detection control unit 115 may store in the storage unit 111, for each terminal device 52, information specifying whether a detection rule stored in the storage unit 111 is out of scope. As this information, alert rule information may be used, for example.
When the analysis device 41 correctly detects an attack based on a detection rule but the tool targeted by the attack is not used in the customer environment, such as the terminal device 52, the analysis device 41 may, for example, automatically confirm the selection of "out of scope" for the generated alert.
Alternatively, when notifying the terminal device 52 of the alert information, the analysis device 41 may notify the terminal device 52 that "out of scope" is recommended and the reason for that recommendation. In this case, at the terminal device 52 the user looks at the content of the notification and decides whether or not to select "out of scope".
Further, when the analysis device 41 correctly detects an attack based on a detection rule but the tool targeted by that attack is not used in the customer environment such as the terminal device 52, and the user selects "false detection" at the terminal device 52, the analysis device 41 may, for example, automatically confirm the selection of "out of target" for the generated alert. In such a configuration, the management unit 116 of the analysis device 41 stores in the storage unit 111, and manages, information specifying whether or not the tool is used at the terminal device 52. Then, for the terminal device 52 at which the alert occurred, the analysis device 41 determines, based on the information specifying whether the tool is used and on the detection rule that generated the alert, whether or not to change the user's designation of "false detection" to "out of target", and makes the change in predetermined cases.
As another example, a configuration may be used in which, when the analysis device 41 or a person such as an analyst determines that an alert for which the user of the terminal device 52 designated "false detection" may actually fall under "out of target", the analysis device 41 asks the user to confirm whether or not to change "false detection" to "out of target", and then makes the change in accordance with the user's permission.
Note that in the present embodiment both "false detection" and "out of target" are provided; for example, both "false detection" and "out of target" may stop the notification of alerts by a detection rule. For example, they may differ only in the period for which alert notification is stopped. As an example, the suspension period of alert notification due to "false detection" may be a finite value (for example, one month), while the suspension period of alert notification due to "out of target" may be permanent.
Here, the present embodiment showed the case in which the alert details also display alert information for logs in the "suppressed" status; as another example, a mode in which the information of alerts in the "suppressed" status is not displayed may be used.
FIG. 5 is a diagram illustrating an example of the display content 2211 of an alert search according to an embodiment of the present invention.
The display content 2211 is the content of a screen for searching for alerts. The display content 2211 is displayed on the screen of the display unit 214 of the terminal device 52. The display content 2211 may differ for each terminal device 52, for example.
The display content 2211 is based on, for example, information provided from the analysis device 41 to the terminal device 52.
As an example, the display content 2211 may be generated on the analysis device 41 side and provided from the analysis device 41 to the terminal device 52. As another example, the display content 2211 may be generated in the terminal device 52 based on the information stored in the storage unit 216, after the information provided from the analysis device 41 to the terminal device 52 has been stored in the storage unit 216. Note that the display content 2211 may include other information.
In the example of FIG. 5, a date and time range, an importance range, a sensor type and a response status range can be selected as search conditions.
The date and time range is specified by a start time and an end time. The start time and the end time are each specified by, for example, a year, month and day. In the example of FIG. 5, the range "April 1, 2018 to May 1, 2018" is specified.
The importance is specified in three levels, from highest to lowest: high, medium and low. A plurality of different importance levels may be specified.
The sensor type is specified using, for example, the name of an individual sensor. A plurality of different sensors may be specified.
The response status is specified from among a plurality of items. Two or more different items may be specified. In the example of FIG. 5, the response status includes "not responded", "under investigation", "responded", "pending", "in progress", "false detection", "suppressed" and "out of target".
In the terminal device 52, the search conditions are set on the alert search screen in accordance with operations of the operation unit 213 performed by the user.
The display content 2211 also displays a search button 2221. When the button 2221 is pressed by an operation of the operation unit 213 performed by the user, information specifying the selected search conditions is transmitted from the terminal device 52 to the analysis device 41.
In the present embodiment, in the terminal device 52, the search control unit 233 performs overall control of the alert search.
The analysis device 41 receives the information specifying the search conditions transmitted from the terminal device 52. In the analysis device 41, the management unit 116 uses the search processing unit 151 to refer to the information on alerts stored in the storage unit 111, based on the search conditions specified by the received information, and searches for the alerts matching those search conditions. The management unit 116 then uses the search processing unit 151 to generate information indicating the search results, and the notification unit 114 notifies the terminal device 52 of that information. In the present embodiment, when searching for alerts, the management unit 116 may use the search processing unit 151 to determine the "suppressed" status, the "out of target" status and the like by referring to the contents of the alert rules.
[Communication between terminal device and analysis device]
In the present embodiment, in the log analysis service, the terminal device 52 and the analysis device 41 may execute processing on demand. For example, in response to a request issued by the terminal device 52, the analysis device 41 may execute processing to satisfy that request.
[Dedicated tool]
In the present embodiment, a dedicated tool (also referred to as the "dedicated tool" for convenience of description) may be used in the terminal device 52. That is, some or all of the functions of the terminal device 52 may be configured using the dedicated tool. The dedicated tool may be, for example, software such as a program.
For example, in the terminal device 52, one or more of the functions of the notification reception control unit 231, the instruction transmission control unit 232 and the search control unit 233 may be configured as functions of the dedicated tool. The dedicated tool may be distributed, for a fee or free of charge, by, for example, the entity that manages the analysis unit 11. The management tool is, for example, installed in the terminal device 52 and performs its functions there.
[Processing performed in the analysis system]
FIG. 6 is a diagram illustrating an example of a procedure of processing performed in the terminal device 52 according to an embodiment of the present invention.
In the example of FIG. 6, the terminal device 52 selects a response status when it receives an alert notification.
(Step S1)
In the terminal device 52, the notification reception control unit 231 receives the alert notification transmitted from the analysis device 41. The process then proceeds to step S2.
(Step S2)
In the terminal device 52, the notification reception control unit 231 displays the received alert notification. In this example, it is assumed that, after the display content 2011 of the alert list has been displayed on the terminal device 52, the display content 2111 of the alert details is displayed by a user operation. The process then proceeds to step S3.
(Step S3)
In the terminal device 52, the instruction transmission control unit 232 determines whether or not the user has performed an operation selecting a response status. In the example of FIG. 4, that operation is pressing the decision button 2131 with a response status specified.
As a result, when the instruction transmission control unit 232 of the terminal device 52 determines that the user has performed an operation selecting a response status (step S3: YES), the process proceeds to step S4.
On the other hand, when the instruction transmission control unit 232 of the terminal device 52 determines that the user has not performed an operation selecting a response status (step S3: NO), the processing of this flow ends.
(Step S4)
In the terminal device 52, the instruction transmission control unit 232 transmits to the analysis device 41 information specifying the response status selection instruction accepted through the operation performed by the user. The processing of this flow then ends.
FIG. 7 is a diagram illustrating an example of a procedure of processing performed in the analysis device 41 according to an embodiment of the present invention.
In the example of FIG. 7, the analysis device 41 analyzes logs.
(Step S21)
In the analysis device 41, the acquisition unit 112 receives, via the reception unit 131, the log transmitted from the log detection device 51 and acquires it. In the present embodiment, such logs are received continuously. The process then proceeds to step S22.
(Step S22)
In the analysis device 41, the analysis execution unit 113 analyzes the received log based on the analysis conditions. The analysis execution unit 113 determines, for example, that a log matching a predetermined detection rule is a log having a problem. The process then proceeds to step S23.
(Step S23)
In the analysis device 41, the notification unit 114 notifies the terminal device 52 of information on the result of the analysis performed by the analysis execution unit 113. The processing of this flow then ends.
Note that in the present embodiment, based on the alert rules, alerts that require notification are notified from the notification unit 114 to the terminal device 52, and alerts that do not require notification are not notified from the notification unit 114 to the terminal device 52.
FIG. 8 is a diagram illustrating an example of a procedure of processing performed in the analysis device 41 according to an embodiment of the present invention.
In the example of FIG. 8, the analysis device 41 performs processing related to the selection of "false detection". Note that in the present embodiment, the processing related to the selection of "out of target" may be similar to the processing related to the selection of "false detection".
(Step S41)
In the analysis device 41, the management unit 116 receives a notification that "false detection" has been selected for an alert at the terminal device 52. The process then proceeds to step S42.
(Step S42)
In the analysis device 41, the erroneous detection control unit 115 stops, for the notification source, that is, the terminal device 52 at which "false detection" was selected, the notification of alerts by the detection rule that generates the alert for which "false detection" was selected. In this example, it is assumed that a suspension period for that alert is set. The process then proceeds to step S43.
In the present embodiment, for example, for a detection rule common to many terminal devices 52, the notification of alerts by that detection rule is stopped only for the terminal device 52 at which "false detection" was selected.
(Step S43)
In the analysis device 41, the erroneous detection control unit 115 determines whether or not the suspension period has elapsed for the suspended alert notification.
As a result, when the erroneous detection control unit 115 of the analysis device 41 determines that the suspension period has elapsed for the suspended alert notification (step S43: YES), the process proceeds to step S44.
On the other hand, when the erroneous detection control unit 115 of the analysis device 41 determines that the suspension period has not yet elapsed for the suspended alert notification (step S43: NO), the processing of step S43 is repeated.
(Step S44)
In the analysis device 41, when the erroneous detection control unit 115 determines that the suspension period has elapsed for the suspended alert notification, it resumes the notification of that alert for the corresponding terminal device 52. The processing of this flow then ends.
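The following is an added example, not code from the patent, that models the flows of FIG. 7 and FIG. 8 as a small Python program: per-terminal alert rules keyed on (terminal, detection rule that fired), a finite suspension for "false detection" that is resumed once the period elapses, a permanent suspension for "out of target", the automatic promotion of "false detection" to "out of target" when the targeted tool is not in use at that terminal, and a search over suppressed alerts. All names (DetectionRule, AlertRule, Analyzer, the rule ids, terminal ids and log records) are assumed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple

PERMANENT = datetime.max  # models the permanent suspension of "out of target"


@dataclass(frozen=True)
class DetectionRule:
    """First condition: a predicate over a log record, plus the tool the detected
    attack targets (used for the "out of target" decision). Assumed structure."""
    rule_id: str
    target_tool: str
    matches: Callable[[dict], bool]


@dataclass
class AlertRule:
    """Second condition: notification state for one (terminal, detection rule)
    pair. suppressed_until is None while notification is enabled."""
    suppressed_until: Optional[datetime] = None

    def status(self, now: datetime) -> str:
        if self.suppressed_until is None:
            return "enabled"
        if self.suppressed_until == PERMANENT:
            return "out of target"
        if now >= self.suppressed_until:      # step S43: period has elapsed
            self.suppressed_until = None       # step S44: resume notification
            return "enabled"
        return "suppressed"


@dataclass
class Alert:
    alert_id: int
    terminal_id: str
    rule_id: str
    status: str   # "not responded", "suppressed", "false detection", "out of target"
    at: datetime


class Analyzer:
    FALSE_DETECTION_PERIOD = timedelta(days=30)  # the one-month example on the page

    def __init__(self, rules: List[DetectionRule], terminal_tools: Dict[str, Set[str]]):
        self.rules = {r.rule_id: r for r in rules}
        self.terminal_tools = terminal_tools      # tools in use, per terminal
        self.alert_rules: Dict[Tuple[str, str], AlertRule] = {}
        self.alerts: List[Alert] = []
        self.notified: List[int] = []             # ids of alerts actually sent

    def _alert_rule(self, terminal_id: str, rule_id: str) -> AlertRule:
        return self.alert_rules.setdefault((terminal_id, rule_id), AlertRule())

    def ingest(self, terminal_id: str, log: dict, now: datetime) -> List[Alert]:
        """Steps S21-S23: evaluate every rule; notify only when the alert rule
        for this terminal is enabled. Suppressed alerts are still recorded so
        that they remain searchable."""
        produced = []
        for rule in self.rules.values():
            if not rule.matches(log):
                continue
            enabled = self._alert_rule(terminal_id, rule.rule_id).status(now) == "enabled"
            alert = Alert(len(self.alerts) + 1, terminal_id, rule.rule_id,
                          "not responded" if enabled else "suppressed", now)
            self.alerts.append(alert)
            if enabled:
                self.notified.append(alert.alert_id)
            produced.append(alert)
        return produced

    def select_status(self, alert_id: int, selection: str, now: datetime) -> str:
        """Steps S41-S42: apply the terminal's selection to the alert rule of
        (this terminal, the one rule that fired); other terminals and other
        rules are untouched. A "false detection" on an attack whose target tool
        this terminal does not use is promoted to "out of target"."""
        alert = self.alerts[alert_id - 1]
        rule = self.rules[alert.rule_id]
        in_use = self.terminal_tools.get(alert.terminal_id, set())
        if selection == "false detection" and rule.target_tool not in in_use:
            selection = "out of target"
        ar = self._alert_rule(alert.terminal_id, alert.rule_id)
        if selection == "false detection":
            ar.suppressed_until = now + self.FALSE_DETECTION_PERIOD
        elif selection == "out of target":
            ar.suppressed_until = PERMANENT
        alert.status = selection
        return selection

    def search(self, terminal_id: str, statuses: Set[str]) -> List[Alert]:
        """Alert search (FIG. 5) restricted to one terminal and a status set."""
        return [a for a in self.alerts
                if a.terminal_id == terminal_id and a.status in statuses]


def demo() -> dict:
    """Constructed scenario exercising the flow; logs and ids are made up."""
    rules = [
        DetectionRule("R1", "struts", lambda log: log["path"].startswith("/struts/")),
        DetectionRule("R2", "wordpress",
                      lambda log: log["path"] == "/wp-login.php" and log["status"] == 401),
    ]
    az = Analyzer(rules, {"T1": {"wordpress"}, "T2": {"struts", "wordpress"}})
    t0 = datetime(2018, 4, 1)
    struts_log = {"path": "/struts/action", "status": 200}   # constructed
    wp_log = {"path": "/wp-login.php", "status": 401}        # constructed
    az.ingest("T1", struts_log, t0)                          # alert 1, notified
    az.ingest("T2", struts_log, t0)                          # alert 2, notified
    promoted = az.select_status(1, "false detection", t0)    # T1 lacks struts
    az.ingest("T1", struts_log, t0 + timedelta(days=1))      # alert 3, suppressed
    az.ingest("T2", struts_log, t0 + timedelta(days=1))      # alert 4, T2 unaffected
    az.ingest("T2", wp_log, t0)                              # alert 5, notified
    kept = az.select_status(5, "false detection", t0)        # one-month suspension
    az.ingest("T2", wp_log, t0 + timedelta(days=10))         # alert 6, suppressed
    az.ingest("T2", wp_log, t0 + timedelta(days=40))         # alert 7, resumed
    return {"promoted": promoted, "kept": kept, "notified": list(az.notified),
            "suppressed_T1": [a.alert_id for a in az.search("T1", {"suppressed"})],
            "suppressed_T2": [a.alert_id for a in az.search("T2", {"suppressed"})]}
```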
FIG. 9 is a diagram illustrating an example of a procedure of processing performed in the analysis device 41 according to an embodiment of the present invention.
In the example of FIG. 9, the analysis device 41 performs processing related to changing a detection rule.
The present embodiment shows a case in which, in the analysis device 41, the management unit 116 can change a detection rule stored in the storage unit 111 in accordance with an instruction from an analyst or the like. Note that as another example, a configuration may be used in which the detection rule stored in the storage unit 111 of the analysis device 41 is changed by access from a device other than the analysis device 41.
(Step S61)
In the analysis device 41, the management unit 116 determines whether or not it has received an instruction to change the detection rule corresponding to an alert for which a notification of the selection of "false detection" was received from the terminal device 52. In this example, the instruction may be, for example, an instruction given to the analysis device 41 by a person such as an analyst, or an instruction given automatically by a device such as the analysis device 41.
As a result, when the management unit 116 of the analysis device 41 determines that it has received an instruction to change the detection rule (step S61: YES), the process proceeds to step S62.
On the other hand, when the management unit 116 of the analysis device 41 determines that it has not received an instruction to change the detection rule (step S61: NO), the processing of this flow ends.
(Step S62)
In the analysis device 41, the management unit 116 changes the corresponding detection rule in accordance with the received instruction. The processing of this flow then ends.
Here, in the present embodiment, a detection rule that generates an alert for which "false detection" was indicated at a certain terminal device 52 may be changed in common for a plurality of terminal devices including that terminal device 52 and other terminal devices. The plurality of terminal devices may be, for example, all of the terminal devices to which the detection rule before the change was applied, or only some of them.
Note that as another example, a detection rule that generates an alert for which "false detection" was indicated at a certain terminal device 52 may be changed only for that terminal device 52.
[Alerts, detection rules and status]
The present embodiment was described assuming that alerts and detection rules correspond one-to-one, and that detection rules, alerts and alert rules correspond one-to-one-to-one. In this case, based on the correspondence between an alert and an alert rule and the correspondence between that alert and a detection rule, the correspondence between that detection rule and the enabled/disabled status of notification (the contents of the alert rule) is identified. Similarly, based on the correspondence between a detection rule and an alert rule and the correspondence between that detection rule and an alert, the correspondence between that alert and the enabled/disabled status of notification (the contents of the alert rule) is identified. In the analysis system 1 according to the present embodiment, the correspondence among detection rules, alerts and alert rules is managed, and thereby the enabled/disabled status of notification of the alert corresponding to each detection rule is managed.
As another example, a plurality of different detection rules may be associated with one alert. In this case, in order to manage the status selected for an alert, the analysis system 1 manages information specifying the correspondence between that alert and that status. Each alert is identified based on, for example, identification information attached to it. When "false detection" is selected for a certain alert, for example, the notification of alerts by the detection rule that generated that alert at that time may be placed in the "suppressed" state. That is, although there may be a plurality of detection rules that generate that alert, for example, only the one detection rule among them that generated the alert at that time may be placed in the "suppressed" state. Note that "out of target" may be handled in the same way as "false detection".
[Example of hardware configuration of information processing device]
FIG. 10 is a diagram illustrating an example of the hardware configuration of an information processing device 4001 according to an embodiment of the present invention.
An information processing device 4001 having the hardware configuration shown in FIG. 10 may be used as the terminal device 52, the analysis device 41 or the like in the present embodiment.
In the example of FIG. 10, the information processing device 4001 includes a processor 4011, an operation unit 4012, a display unit 4013, a storage device 4014, a memory 4015, an input/output interface 4016, a network interface 4017, and a bus 4021 connecting them.
The processor 4011 is composed of a CPU (Central Processing Unit) or the like, and executes a program to carry out the processing specified by that program.
The operation unit 4012 includes one or more input devices such as a keyboard and a mouse, and accepts operations performed by a user (person).
The display unit 4013 has a screen and displays information on that screen.
The storage device 4014 is a non-volatile storage unit composed of, for example, a hard disk, and stores information.
The memory 4015 is a volatile storage unit composed of RAM (Random Access Memory) or the like, and temporarily stores information. As the RAM, for example, DRAM (Dynamic Random Access Memory) may be used.
The storage device 4014 or the memory 4015 may store, for example, the information of a program executed by the processor 4011.
The input/output interface 4016 is an interface for connecting to an external recording medium or the like.
The network interface 4017 is an interface for connecting to an external network.
Here, the information processing device 4001 may include one processor or two or more processors as the processor 4011. As an example, the information processing device 4001 may include a plurality of CPUs, each CPU executing its respective processing, with the plurality of CPUs cooperating to realize the overall processing.
[Summary of the embodiment]
As described above, the analysis system 1 according to the present embodiment can efficiently handle the case where a false detection occurs in a specific organization among a plurality of different customer organizations. In the analysis system 1 according to the present embodiment, the user of the terminal device 52 can, by a simple operation, prevent the false detection from continuing.
For example, the designer of a detection rule can obtain feedback information on false detections given by users. The designer of the detection rule can then review that detection rule, for example, during the period in which alert notification by that detection rule is suppressed. For example, the designer of the detection rule may manually generate an improved detection rule based on the fed-back information. For example, the designer of the detection rule may have a machine learning device learn from the fed-back information so that the machine learning device generates an improved detection rule. Thereby, for example, false detections are reduced.
In the analysis system 1 according to the present embodiment, it is no longer necessarily required to create a custom rule for each customer. Note that in the analysis system 1 according to the present embodiment, a custom rule may still be created for each customer.
Further, in the analysis system 1 according to the present embodiment, suppressed alerts can be searched. Thereby, in the analysis system 1 according to the present embodiment, it is possible to grasp the number, frequency, trend and the like of cases in which unnecessary notifications were suppressed.
For example, from the number of suppressed alerts, the number of times unnecessary alert notifications were prevented can be confirmed.
For example, when there are no suppressed alerts at all, or when there are few, such as one or fewer per month, it can be confirmed that the attack traffic causing those alerts has decreased, or that "false detection" alerts have decreased owing to improvement of the detection rules or the like.
In the present embodiment, a system that monitors the logs of customer devices for each of a plurality of customers is configured as follows.
That is, the system acquires a customer's logs and determines whether or not the customer's logs satisfy a predetermined condition. When the system determines that the customer's logs satisfy the predetermined condition, it transmits predetermined information to the customer. The predetermined information is capable of accepting a predetermined instruction from the customer. Then, when the predetermined instruction is accepted from the customer, the system disables (places in the suppressed status) the notification of the predetermined information for that customer. Note that the system may be called not only the analysis system 1 but also a monitoring system or the like.
<Configuration example>
As one configuration example, an analysis device (in the present embodiment, the analysis device 41) includes: an acquisition unit (in the present embodiment, the function of the acquisition unit 112) that acquires target information (in the present embodiment, logs) relating to a first terminal device (in the present embodiment, the terminal device 52); an analysis execution unit (in the present embodiment, the function of the analysis execution unit 113) that determines whether or not the target information acquired by the acquisition unit satisfies a first condition (in the present embodiment, a detection rule); a notification unit (in the present embodiment, the function of the notification unit 114) that notifies the first terminal device of first information (in the present embodiment, alert information) when the analysis execution unit determines that the target information satisfies the first condition; an information reception unit (in the present embodiment, the function of the notification unit 114) that accepts, from the first terminal device, second information (in the present embodiment, "false detection" information or "out of target" information) in response to the first information notified by the notification unit; and a notification suppression unit (in the present embodiment, the function of the erroneous detection control unit 115) that suppresses the notification of the first information to the first terminal device when the second information is accepted from the first terminal device in response to the first information.
As one configuration example, in the analysis device, the first condition is a rule for detecting a problem, the first information is information on an alert corresponding to the problem, and the second information is information indicating that the alert is erroneous.
As one configuration example, in the analysis device, the notification suppression unit stops notification of the first information based on the first condition to the first terminal device for a predetermined period and, after the predetermined period has elapsed, resumes notification of the first information based on the first condition (which, in this embodiment, may be the same as before the stop or may have been changed).
As one configuration example, the analysis device includes a change unit (the management unit 116 in this embodiment) that changes the first condition.
As one configuration example, the analysis device includes a management unit (the management unit 116 in this embodiment) that manages the status of notification of the first information based on the first condition; the status includes at least a "suppressed" status, and the first information can be searched using the notification status.
As one configuration example, in the analysis device, the notification suppression unit suppresses notification of the first information to the first terminal device based on a second condition (an alert rule in this embodiment) that specifies that notification of the first information to the first terminal device is to be suppressed.
As one configuration example, in the analysis device, the target information is a security-related log.
As one configuration example, the terminal device (terminal device 52 in this embodiment) includes: a notification reception control unit (the function of the notification reception control unit 231) that receives a notification of first information sent from the analysis device when the analysis device determines that target information relating to the terminal device satisfies a first condition; an instruction reception unit (the function of the operation unit 213 and the function of the instruction transmission control unit 232) that accepts a predetermined instruction (in this embodiment, an instruction selecting "false detection" or an instruction selecting "out of scope") for the first information received by the notification reception control unit; and an instruction transmission control unit (the function of the instruction transmission control unit 232) that, when the instruction has been accepted for the first information, transmits to the analysis device second information including an instruction to suppress notification of the first information to the terminal device.
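The configuration examples above for the analysis device (acquisition, detection rule, notification, reception of "false detection" or "out of scope", suppression for a predetermined period with later resumption, and status-based search) and for the terminal device (reception, instruction acceptance, instruction transmission) can be modelled in a few classes. The following is an added example and not code from the patent or from the applicant; the class, function and field names, the feedback values, the 3600 s period and the sample log record are all assumptions chosen for illustration.

```python
"""Added example, not code from the patent: a minimal model of the analysis device
and the terminal device described in the configuration examples. All names,
the feedback values and the sample record are assumptions for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

FALSE_DETECTION = "false_detection"   # second information: the alert was wrong
OUT_OF_SCOPE = "out_of_scope"         # second information: the alert is not relevant


@dataclass
class DetectionRule:
    """First condition: a named predicate over one log record."""
    name: str
    matches: Callable[[dict], bool]


@dataclass
class Alert:
    """First information, with the notification status the management unit tracks."""
    alert_id: int
    rule: str
    terminal: str
    log: dict
    status: str = "notified"        # "notified" or "suppressed"


class AnalysisDevice:
    def __init__(self, rules: List[DetectionRule], suppress_period: int) -> None:
        self.rules: Dict[str, DetectionRule] = {r.name: r for r in rules}
        self.suppress_period = suppress_period          # seconds
        self.alerts: List[Alert] = []                   # management unit's record
        # Second condition (alert rule): (terminal, rule) -> time until which
        # notifications for that pair are suppressed.
        self.suppressed_until: Dict[Tuple[str, str], int] = {}
        self._next_id = 1

    def analyse(self, terminal: str, log: dict, now: int) -> List[Alert]:
        """Acquire one log, test every rule and record an alert per match.
        The alert is notified unless the (terminal, rule) pair is suppressed."""
        created = []
        for rule in self.rules.values():
            if not rule.matches(log):
                continue
            alert = Alert(self._next_id, rule.name, terminal, log)
            self._next_id += 1
            if now < self.suppressed_until.get((terminal, rule.name), 0):
                alert.status = "suppressed"   # kept for search, not notified
            self.alerts.append(alert)
            created.append(alert)
        return created

    def receive_feedback(self, alert_id: int, feedback: str, now: int) -> None:
        """Information reception unit: second information starts the quiet period.
        When the period ends, the rule (changed or not) notifies again."""
        if feedback not in (FALSE_DETECTION, OUT_OF_SCOPE):
            raise ValueError(f"unexpected feedback {feedback!r}")
        alert = next(a for a in self.alerts if a.alert_id == alert_id)
        self.suppressed_until[(alert.terminal, alert.rule)] = now + self.suppress_period

    def change_rule(self, rule: DetectionRule) -> None:
        """Change unit: replace the first condition registered under the same name."""
        self.rules[rule.name] = rule

    def search(self, status: str) -> List[Alert]:
        """Management unit: alerts are searchable by notification status."""
        return [a for a in self.alerts if a.status == status]


class TerminalDevice:
    """Terminal side: notification reception, instruction acceptance, instruction send."""
    def __init__(self, name: str, device: AnalysisDevice) -> None:
        self.name, self.device, self.inbox = name, device, []

    def receive(self, alerts: List[Alert]) -> None:
        self.inbox.extend(a for a in alerts if a.status == "notified")

    def select(self, alert_id: int, choice: str, now: int) -> None:
        """Operator selects 'false detection' or 'out of scope' for an alert."""
        self.device.receive_feedback(alert_id, choice, now)


def run_scenario() -> dict:
    """Constructed scenario: the same log three times around a 3600 s quiet period."""
    rule = DetectionRule("auth_failure_burst",
                         lambda log: log["event"] == "auth_fail" and log["count"] >= 5)
    device = AnalysisDevice([rule], suppress_period=3600)
    terminal = TerminalDevice("terminal-52", device)
    log = {"sensor": "ids", "event": "auth_fail", "count": 7}   # constructed record

    first = device.analyse(terminal.name, log, now=0)
    terminal.receive(first)
    terminal.select(first[0].alert_id, FALSE_DETECTION, now=10)   # operator feedback
    during = device.analyse(terminal.name, log, now=100)          # inside the period
    terminal.receive(during)
    after = device.analyse(terminal.name, log, now=3700)          # period elapsed
    terminal.receive(after)
    return {
        "statuses": [first[0].status, during[0].status, after[0].status],
        "delivered": len(terminal.inbox),
        "suppressed_found": len(device.search("suppressed")),
    }
```

Suppression is keyed on the (terminal, rule) pair rather than on the alert alone, so a "false detection" answer from one terminal does not silence the same rule for other terminals, and the suppressed alerts remain in the record so that the management unit can still find them by status.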
Note that the present invention may be embodied in various forms, such as a device (a terminal device or an analysis device), a system (an analysis system), a method (an analysis method), a program, or a recording medium on which the program is recorded. The recording medium may be, for example, a transitory recording medium.
[Log types]
In this embodiment, the case in which security sensor logs are used as the logs to be analyzed has been described. Security sensor logs include, for example, logs of a FW (FireWall), NGFW (New Generation FireWall), IPS (Intrusion Prevention System), IDS (Intrusion Detection System), UTM (Unified Threat Management), and WAF (Web Application FireWall).
As one example, the device that detects logs may be an intrusion prevention system (IPS) device that prevents unauthorized intrusion into a computer network. For example, such a device may detect logs that may be related to unauthorized activity.
As another example, the device that detects logs may be a firewall (FW) device that blocks communication that must not be allowed to pass. For example, such a device may detect both logs that may be related to unauthorized activity and logs that are unrelated to it.
In general, comparing an IPS with a firewall, a firewall also logs the traffic it has passed, so its data volume tends to become large, whereas an IPS can be said to have a higher density of logs that are potentially problematic.
Other logs can also be used as the logs to be analyzed. Examples include authentication logs, error logs, terminal scan logs, communication logs, program operation logs, and application operation logs.
Authentication logs include, for example, Active Directory, BIND (Berkeley Internet Name Domain), and DNS (Domain Name System) logs.
Error logs include, for example, WinEvt logs.
Terminal scan logs include antivirus and EDR (Endpoint Detection and Response) logs.
Communication logs include proxy, mail, file access, and database (DB) access logs.
Program operation logs include, for example, boot logs and dmesg logs. Application operation logs include, for example, event logs and application-specific logs.
In this embodiment, the case in which logs are used as the analysis target has been described, but information other than logs can also be used as the analysis target.
Information other than logs includes, for example, operating system (OS) configuration information.
OS configuration information includes, for example, registry information.
Web browsing history, operation history, or login history may also be used, for example.
In this embodiment, the case in which one log detection device 51 detects one type of log has been described, but a configuration in which two or more log detection devices are provided and detect two or more types of log may also be used.
The log detection device may be provided, for example, outside the terminal device 52, or as a function inside the terminal device 52.
For example, information from a plurality of different types of log may be stored mixed together in chronological order. Each log entry carries, for example, information identifying the sensor that detected it, and the entries can be distinguished on the basis of that information. This makes it possible to extract the information of a given log type from information in which a plurality of log types are mixed.
In the analysis device 41, the analysis of logs by the analysis execution unit 113 may be performed, for example, per log type, or collectively for two or more log types.
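The two paragraphs above describe a store in which several log types are interleaved by time, each entry tagged with its sensor, from which one type can be extracted and analyzed either on its own or together with other types. The following added example (not the patent's or the applicant's code) shows that flow over a constructed store; the line format, the sensor names and the two rules are assumptions made for the illustration.

```python
"""Added example, not the patent's own code: demultiplex a chronologically mixed
log store by sensor identifier, then run a per-type rule and a cross-type rule.
Line format, sensor names, field names and rule thresholds are constructed."""
from collections import defaultdict
from typing import Dict, List

# Constructed sample store: records from three sensors interleaved by time.
# Assumed format: "<epoch> <sensor> <key=value> ..."
MIXED_LOG = """\
1000 fw action=deny src=10.0.0.5 dst=10.0.0.9 dport=22
1001 ids sig=ssh_brute src=10.0.0.5 dst=10.0.0.9
1002 fw action=allow src=10.0.0.7 dst=10.0.0.9 dport=443
1003 auth result=fail user=alice src=10.0.0.5
1004 auth result=fail user=alice src=10.0.0.5
1005 fw action=deny src=10.0.0.5 dst=10.0.0.9 dport=23
1006 auth result=ok user=bob src=10.0.0.7
"""


def parse(store: str) -> List[dict]:
    """Turn each line into a record; the sensor field is what separates the types."""
    records = []
    for line in store.splitlines():
        ts, sensor, *fields = line.split()
        rec = {"ts": int(ts), "sensor": sensor}
        for f in fields:
            key, _, value = f.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def by_sensor(records: List[dict]) -> Dict[str, List[dict]]:
    """Extract each log type from the mixed store; time order within a type is kept."""
    groups: Dict[str, List[dict]] = defaultdict(list)
    for rec in records:
        groups[rec["sensor"]].append(rec)
    return dict(groups)


def fw_rule_denied_sources(fw_records: List[dict], threshold: int) -> List[str]:
    """Per-type rule over firewall logs only: sources denied at least `threshold` times."""
    counts: Dict[str, int] = defaultdict(int)
    for rec in fw_records:
        if rec.get("action") == "deny":
            counts[rec["src"]] += 1
    return sorted(src for src, n in counts.items() if n >= threshold)


def cross_rule_corroborated(groups: Dict[str, List[dict]]) -> List[str]:
    """Collective rule over two types: a source the IDS flagged that also
    produced failed authentications."""
    flagged = {r["src"] for r in groups.get("ids", [])}
    failed = {r["src"] for r in groups.get("auth", []) if r.get("result") == "fail"}
    return sorted(flagged & failed)


def analyse_store(store: str = MIXED_LOG) -> dict:
    """Run the demultiplexing, the per-type rule and the collective rule."""
    groups = by_sensor(parse(store))
    return {
        "types": sorted(groups),
        "counts": {sensor: len(recs) for sensor, recs in groups.items()},
        "fw_denied": fw_rule_denied_sources(groups.get("fw", []), threshold=2),
        "corroborated": cross_rule_corroborated(groups),
    }
```

The per-sensor counts make the earlier remark about log density concrete: the firewall group carries allowed as well as denied traffic, so it is the largest group, while the IDS group holds only the entries the sensor judged suspicious.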
As described above, processing can be performed by recording (storing) a program for realizing the functions of each device according to the embodiment (for example, the terminal device 52 and the analysis device 41) on a computer-readable recording medium (storage medium), and causing a computer system to read and execute the program recorded on the recording medium.
The "computer system" here may include an operating system and hardware such as peripheral devices.
A "computer-readable recording medium" means a portable medium such as a flexible disk, a magneto-optical disk, a ROM (Read Only Memory), a writable non-volatile memory such as flash memory, or a DVD (Digital Versatile Disc), or a storage device such as a hard disk built into a computer system.
A "computer-readable recording medium" further includes a medium that holds the program for a certain period of time, such as volatile memory (for example, DRAM) inside a computer system acting as a server or client when the program is transmitted via a network such as the Internet or a communication line such as a telephone line.
The program may also be transmitted from a computer system that stores it in a storage device or the like to another computer system via a transmission medium, or by a transmission wave in the transmission medium. Here, the "transmission medium" that transmits the program means a medium having the function of transmitting information, such as a network (communication network) such as the Internet or a communication line such as a telephone line.
The program may also be one that realizes part of the functions described above. Furthermore, the program may be one that realizes the functions described above in combination with a program already recorded in the computer system, that is, a so-called difference file (difference program).
Although the present invention has been described using an embodiment, the technical scope of the present invention is not limited to the above embodiment. It will be apparent to those skilled in the art that various modifications and alternative embodiments are possible without departing from the spirit and scope of the present invention.
DESCRIPTION OF SYMBOLS
1…analysis system
11…analysis unit
21~23…terminal units
31…network
41…analysis device
42…web server device
43…mail server device
51…log detection device
52…terminal device
111, 216…storage unit
112…acquisition unit
113…analysis execution unit
114…notification unit
115…false detection control unit
116…management unit
131…reception unit
151…search processing unit
211…input unit
212…output unit
213, 4012…operation unit
214, 4013…display unit
215…communication unit
217…control unit
231…notification reception control unit
232…instruction transmission control unit
233…search control unit
2011, 2111, 2211…display content
2121…attribute area
2122…response status area
2123…content area
2131, 2221…button
4001…information processing device
4011…processor
4014…storage device
4015…memory
4016…input/output interface
4017…network interface

Claims (28)

  1.  An analysis device comprising:
     an acquisition unit that acquires target information relating to a first terminal device;
     an analysis execution unit that determines whether the target information acquired by the acquisition unit satisfies a first condition;
     a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition;
     an information reception unit that receives second information from the first terminal device in response to the first information notified by the notification unit; and
     a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information,
     wherein the notification suppression unit stops notification of the first information based on the first condition to the first terminal device for a predetermined period and, after the predetermined period has elapsed, resumes notification of the first information based on the first condition.
  2.  An analysis device comprising:
     an acquisition unit that acquires target information relating to a first terminal device;
     an analysis execution unit that determines whether the target information acquired by the acquisition unit satisfies a first condition;
     a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition;
     an information reception unit that receives second information from the first terminal device in response to the first information notified by the notification unit;
     a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information; and
     a management unit that manages the status of notification of the first information based on the first condition,
     wherein the status includes at least a suppressed status, and
     the first information can be searched using the notification status.
  3.  An analysis device comprising:
     an acquisition unit that acquires target information relating to a first terminal device;
     an analysis execution unit that determines whether the target information acquired by the acquisition unit satisfies a first condition;
     a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition;
     an information reception unit that receives second information from the first terminal device in response to the first information notified by the notification unit; and
     a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information,
     wherein the notification suppression unit suppresses notification of the first information to the first terminal device based on a second condition that specifies that notification of the first information to the first terminal device is to be suppressed.
  4.  An analysis device comprising:
     an acquisition unit that acquires target information relating to a first terminal device;
     an analysis execution unit that determines whether the target information acquired by the acquisition unit satisfies a first condition;
     a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition;
     an information reception unit that receives second information from the first terminal device in response to the first information notified by the notification unit; and
     a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information,
     wherein the target information is a security-related log.
  5.  The analysis device according to any one of claims 1 to 4, wherein
     the first condition is a rule for detecting a problem,
     the first information is information on an alert corresponding to the problem, and
     the second information is information indicating that the alert is erroneous.
  6.  The analysis device according to any one of claims 1 to 5, further comprising
     a change unit that changes the first condition.
  7.  A terminal device comprising:
     a notification reception control unit that receives a notification of security-related first information sent from an analysis device when the analysis device determines that target information relating to the terminal device satisfies a first condition, the terminal device having a detection device that takes a security-related log as the target information, detects the target information relating to the terminal device, and transmits the target information to the analysis device;
     an instruction reception unit that accepts a predetermined security-related instruction for the first information received by the notification reception control unit; and
     an instruction transmission control unit that, when the instruction has been accepted for the first information, transmits to the analysis device second information including an instruction to suppress notification of the security-related first information to the terminal device.
  8.  The terminal device according to claim 7, wherein
     the first condition is a rule for detecting a problem,
     the first information is information on an alert corresponding to the problem, and
     the second information is information indicating that the alert is erroneous.
  9.  An analysis system comprising a first terminal device and an analysis device, wherein
     the analysis device comprises:
     an acquisition unit that acquires target information relating to the first terminal device;
     an analysis execution unit that determines whether the target information acquired by the acquisition unit satisfies a first condition;
     a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition;
     an information reception unit that receives second information from the first terminal device in response to the first information notified by the notification unit; and
     a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information,
     the first terminal device comprises:
     a notification reception control unit that receives the notification of the first information sent from the analysis device;
     an instruction reception unit that accepts a predetermined instruction for the first information received by the notification reception control unit; and
     an instruction transmission control unit that transmits the second information to the analysis device when the instruction has been accepted for the first information, and
     the notification suppression unit stops notification of the first information based on the first condition to the first terminal device for a predetermined period and, after the predetermined period has elapsed, resumes notification of the first information based on the first condition.
  10.  An analysis system comprising a first terminal device and an analysis device, wherein
     the analysis device comprises:
     an acquisition unit that acquires target information relating to the first terminal device;
     an analysis execution unit that determines whether the target information acquired by the acquisition unit satisfies a first condition;
     a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition;
     an information reception unit that receives second information from the first terminal device in response to the first information notified by the notification unit;
     a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information; and
     a management unit that manages the status of notification of the first information based on the first condition,
     the first terminal device comprises:
     a notification reception control unit that receives the notification of the first information sent from the analysis device;
     an instruction reception unit that accepts a predetermined instruction for the first information received by the notification reception control unit; and
     an instruction transmission control unit that transmits the second information to the analysis device when the instruction has been accepted for the first information,
     the status includes at least a suppressed status, and
     the first information can be searched using the notification status.
  11.  An analysis system comprising a first terminal device and an analysis device, wherein
     the analysis device comprises:
     an acquisition unit that acquires target information relating to the first terminal device;
     an analysis execution unit that determines whether the target information acquired by the acquisition unit satisfies a first condition;
     a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition;
     an information reception unit that receives second information from the first terminal device in response to the first information notified by the notification unit; and
     a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information,
     the first terminal device comprises:
     a notification reception control unit that receives the notification of the first information sent from the analysis device;
     an instruction reception unit that accepts a predetermined instruction for the first information received by the notification reception control unit; and
     an instruction transmission control unit that transmits the second information to the analysis device when the instruction has been accepted for the first information, and
     the notification suppression unit suppresses notification of the first information to the first terminal device based on a second condition that specifies that notification of the first information to the first terminal device is to be suppressed.
  12.  An analysis system comprising a first terminal device and an analysis device, wherein
     the analysis device comprises:
     an acquisition unit that acquires target information relating to the first terminal device;
     an analysis execution unit that determines whether the target information acquired by the acquisition unit satisfies a first condition;
     a notification unit that notifies the first terminal device of first information when the analysis execution unit determines that the target information satisfies the first condition;
     an information reception unit that receives second information from the first terminal device in response to the first information notified by the notification unit; and
     a notification suppression unit that suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device in response to the first information,
     the first terminal device comprises:
     a notification reception control unit that receives the notification of the first information sent from the analysis device;
     an instruction reception unit that accepts a predetermined instruction for the first information received by the notification reception control unit; and
     an instruction transmission control unit that transmits the second information to the analysis device when the instruction has been accepted for the first information, and
     the target information is a security-related log.
  13.  The analysis system according to any one of claims 9 to 12, wherein
     the first condition is a rule for detecting a problem,
     the first information is information on an alert corresponding to the problem, and
     the second information is information indicating that the alert is erroneous.
  14.  The analysis system according to any one of claims 9 to 13, wherein
     the analysis device comprises a change unit that changes the first condition.
  15.  An analysis method in an analysis system comprising a first terminal device and an analysis device, wherein
     the analysis device acquires target information relating to the first terminal device, determines whether the acquired target information satisfies a first condition, and notifies the first terminal device of first information when it determines that the target information satisfies the first condition,
     the first terminal device receives the notification of the first information sent from the analysis device and, when a predetermined instruction has been accepted for the received first information, transmits second information to the analysis device,
     the analysis device suppresses notification of the first information to the first terminal device when the second information has been received from the first terminal device, and
     as the suppression of the notification, the analysis device stops notification of the first information based on the first condition to the first terminal device for a predetermined period and, after the predetermined period has elapsed, resumes notification of the first information based on the first condition.
  16.  An analysis method in an analysis system comprising a first terminal device and an analysis device, wherein
     the analysis device acquires target information regarding the first terminal device, determines whether the acquired target information satisfies a first condition, and, when it determines that the target information satisfies the first condition, notifies the first terminal device of first information;
     the first terminal device receives the notification of the first information sent from the analysis device and, when a predetermined instruction is received for the received first information, transmits second information to the analysis device;
     the analysis device, when the second information is received from the first terminal device, suppresses notification of the first information to the first terminal device;
     the analysis device manages the status of notification of the first information under the first condition;
     the status includes at least a status of being suppressed; and
     the first information can be searched using the notification status.
     Analysis method.
  17.  An analysis method in an analysis system comprising a first terminal device and an analysis device, wherein
     the analysis device acquires target information regarding the first terminal device, determines whether the acquired target information satisfies a first condition, and, when it determines that the target information satisfies the first condition, notifies the first terminal device of first information;
     the first terminal device receives the notification of the first information sent from the analysis device and, when a predetermined instruction is received for the received first information, transmits second information to the analysis device;
     the analysis device, when the second information is received from the first terminal device, suppresses notification of the first information to the first terminal device; and
     the analysis device, as the suppression of the notification, suppresses notification of the first information to the first terminal device based on a second condition that specifies that notification of the first information to the first terminal device is to be suppressed.
     Analysis method.
  18.  An analysis method in an analysis system comprising a first terminal device and an analysis device, wherein
     the analysis device acquires target information regarding the first terminal device, determines whether the acquired target information satisfies a first condition, and, when it determines that the target information satisfies the first condition, notifies the first terminal device of first information;
     the first terminal device receives the notification of the first information sent from the analysis device and, when a predetermined instruction is received for the received first information, transmits second information to the analysis device;
     the analysis device, when the second information is received from the first terminal device, suppresses notification of the first information to the first terminal device; and
     the target information is a log related to security.
     Analysis method.
  19.  The first condition is a rule for detecting a problem,
     the first information is information of an alert corresponding to the problem, and
     the second information is information indicating that the alert is erroneous.
     The analysis method according to any one of claims 15 to 18.
  20.  The analysis device changes the first condition.
     The analysis method according to any one of claims 15 to 19.
  21.  A program for causing a computer constituting an analysis device to implement:
     a function of acquiring target information regarding a first terminal device;
     a function of determining whether the acquired target information satisfies a first condition;
     a function of notifying the first terminal device of first information when it is determined that the target information satisfies the first condition;
     a function of receiving second information from the first terminal device in response to the notified first information; and
     a function of suppressing notification of the first information to the first terminal device when the second information is received from the first terminal device for that first information,
     wherein the function of suppressing the notification stops notification of the first information under the first condition for the first terminal device for a predetermined period, and resumes notification of the first information under the first condition after the predetermined period has elapsed.
     Program.
  22.  A program for causing a computer constituting an analysis device to implement:
     a function of acquiring target information regarding a first terminal device;
     a function of determining whether the acquired target information satisfies a first condition;
     a function of notifying the first terminal device of first information when it is determined that the target information satisfies the first condition;
     a function of receiving second information from the first terminal device in response to the notified first information;
     a function of suppressing notification of the first information to the first terminal device when the second information is received from the first terminal device for that first information; and
     a function of managing the status of notification of the first information under the first condition,
     wherein the status includes at least a status of being suppressed, and
     the first information can be searched using the notification status.
     Program.
  23.  A program for causing a computer constituting an analysis device to implement:
     a function of acquiring target information regarding a first terminal device;
     a function of determining whether the acquired target information satisfies a first condition;
     a function of notifying the first terminal device of first information when it is determined that the target information satisfies the first condition;
     a function of receiving second information from the first terminal device in response to the notified first information; and
     a function of suppressing notification of the first information to the first terminal device when the second information is received from the first terminal device for that first information,
     wherein the function of suppressing the notification suppresses notification of the first information to the first terminal device based on a second condition that specifies that notification of the first information to the first terminal device is to be suppressed.
     Program.
  24.  A program for causing a computer constituting an analysis device to implement:
     a function of acquiring target information regarding a first terminal device;
     a function of determining whether the acquired target information satisfies a first condition;
     a function of notifying the first terminal device of first information when it is determined that the target information satisfies the first condition;
     a function of receiving second information from the first terminal device in response to the notified first information; and
     a function of suppressing notification of the first information to the first terminal device when the second information is received from the first terminal device for that first information,
     wherein the target information is a log related to security.
     Program.
  25.  The first condition is a rule for detecting a problem,
     the first information is information of an alert corresponding to the problem, and
     the second information is information indicating that the alert is erroneous.
     The program according to any one of claims 21 to 24.
  26.  The program further implements a function of changing the first condition.
     The program according to any one of claims 21 to 25.
  27.  A program for causing a computer constituting a terminal device to implement the functions below, the terminal device having a detection device that detects target information regarding the terminal device, the target information being a log related to security, and transmits the target information to an analysis device:
     a function of receiving a notification of security-related first information sent from the analysis device when the analysis device determines that the target information regarding the terminal device satisfies a first condition;
     a function of receiving a predetermined security-related instruction for the received first information; and
     a function of transmitting, to the analysis device, second information including an instruction to suppress notification of the security-related first information to the terminal device, when the instruction is received for the first information.
     Program.
  28.  The first condition is a rule for detecting a problem,
     the first information is information of an alert corresponding to the problem, and
     the second information is information indicating that the alert is erroneous.
     The program according to claim 27.
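The method claims above (claims 15 to 28) describe one control loop: the analysis device evaluates security logs from a terminal against a detection rule (the first condition), sends an alert (the first information), accepts a "this alert is wrong" message back from the terminal (the second information), and then suppresses that rule for that terminal, either for a fixed period after which notification resumes, or under an explicit suppression rule (the second condition), while keeping a searchable "suppressed" status and allowing the detection rule to be changed. The following is an added example implementing that loop in Python; it is not code from the patent or its assignee. The rule names `R1`/`R2`, the log field names, the one-hour suppression period and the sample log records are all constructed for illustration.

```python
# Added example (not from the patent): a minimal analysis device implementing the
# notify / feedback / suppress loop of claims 15 to 28 over constructed sample logs.
# Rule ids, log field names and the one-hour period are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional


@dataclass
class Rule:                        # "first condition": a rule that detects a problem
    rule_id: str
    matches: Callable[[dict], bool]


@dataclass
class Alert:                       # "first information": the alert for that problem
    alert_id: int
    rule_id: str
    terminal_id: str
    log: dict
    status: str = "notified"       # notification status: "notified" or "suppressed"


@dataclass
class Suppression:                 # per-terminal, per-rule suppression entry
    terminal_id: str
    rule_id: str
    until: Optional[datetime]      # None = open-ended operator rule ("second condition")


class AnalysisDevice:
    def __init__(self, rules: List[Rule], suppress_for: timedelta):
        self.rules: Dict[str, Rule] = {r.rule_id: r for r in rules}
        self.suppress_for = suppress_for
        self.alerts: List[Alert] = []
        self.suppressions: List[Suppression] = []
        self._next_id = 1

    def is_suppressed(self, terminal_id: str, rule_id: str, now: datetime) -> bool:
        # A timed entry expires on its own; an open-ended entry stays in force.
        return any(s.terminal_id == terminal_id and s.rule_id == rule_id
                   and (s.until is None or now < s.until)
                   for s in self.suppressions)

    def ingest(self, terminal_id: str, log: dict, now: datetime) -> List[Alert]:
        """Evaluate one log record against every rule; return the alerts actually sent.
        Suppressed alerts are still recorded with status "suppressed" so they stay searchable."""
        notified = []
        for rule in self.rules.values():
            if not rule.matches(log):
                continue
            alert = Alert(self._next_id, rule.rule_id, terminal_id, log)
            self._next_id += 1
            if self.is_suppressed(terminal_id, rule.rule_id, now):
                alert.status = "suppressed"
            else:
                notified.append(alert)
            self.alerts.append(alert)
        return notified

    def receive_feedback(self, alert_id: int, now: datetime) -> Suppression:
        """"Second information": the terminal reports the alert as wrong. Suppress only
        that rule for that terminal, for a fixed period, after which notification resumes."""
        alert = next(a for a in self.alerts if a.alert_id == alert_id)
        entry = Suppression(alert.terminal_id, alert.rule_id, now + self.suppress_for)
        self.suppressions.append(entry)
        return entry

    def add_suppression_condition(self, terminal_id: str, rule_id: str) -> None:
        """"Second condition": an explicit, open-ended suppression set by an operator."""
        self.suppressions.append(Suppression(terminal_id, rule_id, None))

    def search(self, status: str) -> List[Alert]:
        return [a for a in self.alerts if a.status == status]

    def change_rule(self, rule: Rule) -> None:   # "changing unit" for the first condition
        self.rules[rule.rule_id] = rule


# Constructed sample rules (assumed log fields: event, user, count).
def failed_login_rule(threshold: int) -> Rule:
    return Rule("R1", lambda log: log["event"] == "login_failed" and log["count"] >= threshold)

NEW_ADMIN_RULE = Rule("R2", lambda log: log["event"] == "new_local_admin")


def run_scenario() -> dict:
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    dev = AnalysisDevice([failed_login_rule(5), NEW_ADMIN_RULE], timedelta(hours=1))
    first = dev.ingest("T1", {"event": "login_failed", "user": "alice", "count": 6}, t0)
    dev.receive_feedback(first[0].alert_id, t0 + timedelta(minutes=1))            # alert 1 reported as wrong
    second = dev.ingest("T1", {"event": "login_failed", "user": "alice", "count": 7}, t0 + timedelta(minutes=10))
    third = dev.ingest("T1", {"event": "new_local_admin", "user": "svc"}, t0 + timedelta(minutes=10))  # R2 unaffected
    fourth = dev.ingest("T1", {"event": "login_failed", "user": "alice", "count": 6}, t0 + timedelta(hours=2))  # period elapsed
    dev.add_suppression_condition("T2", "R1")
    fifth = dev.ingest("T2", {"event": "login_failed", "user": "bob", "count": 9}, t0)
    dev.change_rule(failed_login_rule(10))                                         # raise the threshold
    sixth = dev.ingest("T1", {"event": "login_failed", "user": "alice", "count": 6}, t0 + timedelta(hours=3))
    return {
        "notified_per_step": [len(x) for x in (first, second, third, fourth, fifth, sixth)],
        "suppressed_ids": [a.alert_id for a in dev.search("suppressed")],
        "notified_ids": [a.alert_id for a in dev.search("notified")],
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running `run_scenario()` walks through the claimed behaviour: the first failed-login alert is sent, the terminal's feedback silences only rule R1 for terminal T1, the next R1 hit is recorded as suppressed but not sent, a different rule on the same terminal still fires, R1 resumes once the hour has passed, an operator-defined suppression silences R1 for T2 indefinitely, and changing R1's threshold stops it matching the count-6 record at all. One point a practitioner should add on top of the claims: the feedback message is a control input arriving from the monitored endpoint, so in a deployment it must be authenticated and attributed to a user, because a compromised terminal that can mark its own alerts as wrong would otherwise blind detection for that rule. The narrow per-terminal, per-rule scope, the expiry and the searchable "suppressed" status are what bound that damage.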
PCT/JP2019/036536 2018-09-26 2019-09-18 Analysis device, terminal device, analysis system, analysis method and program WO2020066785A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018-180914 2018-09-26
JP2018180914A JP6517416B1 (en) 2018-09-26 2018-09-26 Analyzer, terminal device, analysis system, analysis method and program

Publications (1)

Publication Number Publication Date
WO2020066785A1 true WO2020066785A1 (en) 2020-04-02

Family

ID=66625460

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/036536 WO2020066785A1 (en) 2018-09-26 2019-09-18 Analysis device, terminal device, analysis system, analysis method and program

Country Status (2)

Country Link
JP (1) JP6517416B1 (en)
WO (1) WO2020066785A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2021120773A (en) * 2020-01-30 2021-08-19 いすゞ自動車株式会社 Notification device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2016053771A (en) * 2014-09-03 2016-04-14 三菱電機株式会社 Notification system and notification method
WO2017058313A1 (en) * 2015-09-30 2017-04-06 Symantec Corporation Detection of security incidents with low confidence security events
US20180041530A1 (en) * 2015-04-30 2018-02-08 Iyuntian Co., Ltd. Method and system for detecting malicious web addresses

Also Published As

Publication number Publication date
JP2020052688A (en) 2020-04-02
JP6517416B1 (en) 2019-05-22

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 19864171; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 19864171; Country of ref document: EP; Kind code of ref document: A1