WO2020100570A1 - Estimation method, estimation device, and estimation program - Google Patents

Estimation method, estimation device, and estimation program

Info

Publication number
WO2020100570A1
Authority
WO
WIPO (PCT)
Prior art keywords
attack
estimation
probability
information
network
Prior art date
Application number
PCT/JP2019/042315
Other languages
French (fr)
Japanese (ja)
Inventor
恒子 倉
高橋 慧
晃司 岸
Original Assignee
日本電信電話株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電信電話株式会社
Publication of WO2020100570A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • the present invention relates to an estimation method, an estimation device, and an estimation program.
  • the management identifies the information that should be protected among the assets owned by the company, grasps the cyber security risks that may occur, and examines and implements a cyber security countermeasure policy from the viewpoint of risk reduction measures, avoidance measures, and transfer measures.
  • the Ministry of Economy, Trade and Industry has issued a guideline that a risk that is omitted from the examination by the management should be identified as a residual risk (see Non-Patent Document 1).
  • the manager installs antivirus software for protecting terminals and servers from computer viruses, or installs antivirus software between the company network and the Internet, as one of the methods for dealing with risks, so that measures such as preventing an external attack can be taken. By taking such measures, cyber security risk can be reduced.
  • the vulnerability of the device acquired in advance, the business impact of the device, and the relationship with other devices connected to the device are considered.
  • the priority order of the risks is determined, and therefore, when an attack is found, the management executes countermeasures against the attack according to that priority order.
  • in Patent Document 1, a method of making a more accurate assessment by combining both natural disaster forecasts and cyber forecasts has been proposed.
  • the attack may be further expanded depending on the characteristics of the attack and the virus. For example, when a terminal is attacked by an unknown virus, the virus definition file at that time does not include information on the unknown virus, so it cannot be detected by antivirus software. Also, such measures are not perfect, because there are attacks, such as intrusion of computer viruses using emails and internal crimes, that cannot be prevented by firewalls.
  • the aforementioned cyber risk insurance is limited to compensation for damages and compensation for costs. For this reason, even if a company has cyber risk insurance, it does not reduce the scope of damage from cyber attacks, nor does it have the function of stopping the decline of the company's brand. Likewise, the method described in Patent Document 1, like cyber risk insurance, neither reduces the damage range of a cyber attack nor has a function of stopping the deterioration of the company's brand.
  • the present invention has been made in view of the above, and its purpose is to provide an estimation method, an estimation device, and an estimation program capable of grasping the impact of an attack on the business at an early stage, at the time when an observation event likely to lead to a cyber incident occurs.
  • an estimation method of the present invention is an estimation method executed by an estimation device, and is characterized by including: an accepting step of accepting device information for identifying a device in a network and an observation event generated in the device; a first estimation step of acquiring attribute information of the first device corresponding to the device information accepted in the accepting step and estimating, based on the acquired attribute information and the observation event accepted in the accepting step, the risk that the device in the network is attacked; a second estimation step of estimating, based on the estimation result of the first estimation step, the degree of influence on the business related to the service provided by the network due to the attack on the device in the network; and a first output step of outputting the estimation result estimated in the second estimation step.
  • FIG. 1 is a block diagram showing a configuration example of a system including an estimation device according to an embodiment.
  • FIG. 2 is a diagram showing a configuration example of a network managed by the system according to the embodiment.
  • FIG. 3 is a diagram showing an example of the data structure of the device information table.
  • FIG. 4 is a diagram showing an example of the data structure of the segment connection information table.
  • FIG. 5 is a diagram showing an example of the data structure of the observation event information table.
  • FIG. 6 is a diagram showing an example of the data structure of the incident information table.
  • FIG. 7 is a diagram showing an example of the data structure of a relationship presentation table of the purpose of use and damage.
  • FIG. 8 is a diagram showing an example of the data structure of the attack type information table.
  • FIG. 9 is a diagram showing an example of the data structure of the countermeasure table.
  • FIG. 10 is a diagram showing an example of the data structure of an attack type information table for countermeasures.
  • FIG. 11 is a diagram showing an example of the data structure of the countermeasure status report table for incidents.
  • FIG. 12 is a diagram showing an example of the data structure of the business influence table regarding the service name.
  • FIG. 13 is a diagram showing an example of a screen displayed on the user terminal.
  • FIG. 14 is a diagram showing an example of damage probability calculation by the risk estimation unit for the network shown in FIG.
  • FIG. 15 is a diagram illustrating a method of calculating the attack transition probability.
  • FIG. 16 is a diagram illustrating a method of calculating the probability of occurrence of each damage depending on the type of attack.
  • FIG. 17 is a diagram showing an example of a screen displayed on the user terminal.
  • FIG. 18 is a diagram illustrating a correction process performed by the risk estimation unit.
  • FIG. 19 is a diagram showing an example of a screen displayed on the user terminal.
  • FIG. 20 is a diagram showing an example of a screen displayed on the user terminal.
  • FIG. 21 is a sequence diagram showing an example of the flow of the estimation process according to the embodiment.
  • FIG. 22 is a diagram illustrating a computer that executes the estimation program.
  • FIG. 1 is a block diagram showing a configuration example of a system including an estimation device 10 according to an embodiment.
  • the system includes, for example, an estimation device 10 and a user terminal 20 as shown in FIG.
  • the estimation device 10 and the user terminal 20 are connected via a connection line 30 such as the Internet.
  • the configuration shown in FIG. 1 is merely an example, and the specific configuration and the number of devices are not particularly limited. Also, a plurality of user terminals 20 may be provided.
  • although the system illustrated in FIG. 1 has a client-server configuration, it may instead have a stand-alone configuration.
  • the estimation device 10 is a server device that estimates the risk of an attack on a device in the observation target network, estimates the business impact on the service provided by the network based on that estimation result, and outputs the estimated impact to the user terminal 20. Specifically, the estimation device 10 receives, from the user terminal 20, a device ID for identifying a device in the network and an observation event that has occurred in the device. Alternatively, the estimation device 10 may register in advance incident information in which a set of a device ID and an observation event is associated with an incident ID, and receive an input of the incident ID from the user terminal 20 to designate the device ID and the observation event.
  • the estimation device 10 estimates the risk of a device in the network being attacked based on the attribute information of the device corresponding to the device ID and the observed event. Then, based on the estimation result regarding the risk, the estimation device 10 estimates the degree of influence on the business, regarding the service provided by the network, due to the attack on the device in the network. The estimation device 10 outputs the estimated degree of influence on the business to the user terminal 20. That is, from input information indicating what kind of observation event occurred on a certain device, the estimation device 10 estimates an attack on a device in the network, further estimates the degree of influence on the business caused by that attack, and outputs it to the user terminal 20.
  • the user terminal 20 is a device such as a PC (Personal Computer) or a smartphone, and is, for example, a device used by a user of an information system unit of a company that provides a network service.
  • the user terminal 20 notifies the estimation device 10 of input information indicating what kind of observation event has occurred with respect to a certain device, receives the degree of influence on the business regarding the service provided by the network, and displays the received content.
  • the user terminal 20 displays, as the degree of business impact, an estimated amount of money such as a decrease in sales due to a service stop due to an attack or compensation of information caused by damage such as information leakage due to an attack.
  • the estimation device 10 includes a communication processing unit 11, a storage unit 12, and a control unit 13.
  • the communication processing unit 11 controls communication regarding various types of information. For example, the communication processing unit 11 receives, from the user terminal 20, a device ID for identifying a device on the network and an observation event generated in the device as input information. In addition, the communication processing unit 11 transmits, to the user terminal 20, an estimation result regarding the degree of influence on the business due to the attack on the device in the network.
  • the storage unit 12 stores data and programs necessary for various processes performed by the control unit 13.
  • the storage unit 12 is a semiconductor memory device such as a RAM (Random Access Memory) or a flash memory (Flash Memory), or a storage device such as a hard disk or an optical disk.
  • the storage unit 12 includes a device information storage unit 121, an observation information storage unit 122, an incident information storage unit 123, an attribute information storage unit 124, a media trend evaluation information storage unit 125, a social media analysis information storage unit 126, and a company basic information storage unit 127.
  • FIG. 2 is a diagram showing a configuration example of a network managed by the system according to the embodiment.
  • the network to be managed, which consists of a DMZ (DeMilitarized Zone), an internal LAN (Local Area Network), and a business LAN, is connected to the Internet with a firewall in front.
  • various information is registered in the various tables stored in the storage unit 12 according to the network configuration shown in FIG.
  • the device information storage unit 121 stores information about each device that constitutes the network.
  • the device information storage unit 121 stores, for example, a device information table.
  • FIG. 3 is a diagram showing an example of the data structure of the device information table.
  • the device information table 121a describes a device ID, a device type, an attribute value of the device, a purpose of use, presence / absence of confidential information, the network segment to which the device belongs, OS information of the device, middleware, applications used, service information related to the device, and so on.
  • the device information storage unit 121 also stores a segment connection information table.
  • FIG. 4 is a diagram showing an example of the data structure of the segment connection information table. As shown in FIG. 2, the network managed by the system is divided into a plurality of network segments. Therefore, the segment connection information table 121b illustrated in FIG. 4 describes the number of hops from a certain segment to another segment in the network based on the network configuration diagram. The number of hops is the number of transfer devices and relay equipment through which a communication partner is reached on the communication network.
  • the observation information storage unit 122 stores observation event information that defines the observation events that may occur when a device having given attribute information is attacked. Specifically, the observation information storage unit 122 stores an observation event information table in which an observation event generated in the device is associated with the type of attack that the device is likely to receive and the probability of receiving that attack. Further, since a plurality of observation events can occur for a certain attack, the observation event information table defines a probability calculation method for determining one probability for the attack.
  • FIG. 5 is a diagram showing an example of the data structure of the observation event information table.
  • the observation event information table 122a has items of an ID, an attribute value of the device, an observation event that occurred in the device, an attack type that the device receives, the probability that the device receives this attack, and a probability calculation method.
  • for example, in the example of FIG. 5, the probability of receiving the attack is "80%", and the calculation method of the probability is "f (x1, x2, x3)".
  • the incident information storage unit 123 stores an incident information table.
  • the incident information table is a table for recording information at the time of occurrence of some unusual event.
  • FIG. 6 is a diagram showing an example of the data structure of the incident information table.
  • in the incident information table 123a, the incident ID is described in association with the date and time of the observation event, the observation event ID for identifying the observation event, the attack type, the determined attack probability, the device ID of the attack target device, and the registration / update date and time. Since more detailed information can be grasped as the analysis of the information related to the incident progresses, analysis results such as the attack type and the attack probability, together with the update date and time, are recorded in the incident information table 123a as the analysis proceeds. It is assumed that the device ID, the set of observation events, and the like are specified by the user terminal 20, and that the incident information management unit 133 (described later) assigns the incident ID and registers them.
  • the attribute information storage unit 124 stores attribute information defining various attributes of each device in the network.
  • the attribute information storage unit 124 stores a relationship presentation table between the purpose of use and damage.
  • FIG. 7 is a diagram showing an example of the data structure of a relationship presentation table of the purpose of use and damage.
  • the purpose of use is associated with specific contents of damage such as service stop, service tampering, and information leakage.
  • Each of these damages is assumed damage for the purpose of use in the device information table 121a (see FIG. 3) and has been identified in advance.
  • “1” is described for each damage if there is a relationship, and “0” is described if there is no relationship.
  • the attribute information storage unit 124 stores an attack type information table.
  • FIG. 8 is a diagram showing an example of the data structure of the attack type information table. As shown in FIG. 8, in the attack type information table 124b, the attack type ID, the attack target, and the probability of occurrence of each damage assumed in advance are described in association with each other. The probability that each damage occurs in the attack type information table 124b may be set in advance, or the probability may be constantly changed by reflecting the incident response result.
  • the attribute information storage unit 124 stores a countermeasure table.
  • FIG. 9 is a diagram showing an example of the data structure of the countermeasure table. As shown in FIG. 9, the countermeasure table 124c associates the attack ID with the countermeasure name against the cyber attack and the specific procedure.
  • the attribute information storage unit 124 stores an attack type information table for countermeasures.
  • FIG. 10 is a diagram showing an example of the data structure of an attack type information table for countermeasures. As shown in FIG. 10, in the attack type information table 124d for countermeasures, the countermeasure ID is associated with the occurrence probability of each damage for each attack.
  • in the attack type information table 124d for countermeasures, the probability of each damage caused by each attack is set for each countermeasure. For example, consider the case where "Countermeasure 1" with the countermeasure ID "1" shown in FIG. 10 is executed. In this case, among the damages caused by "attack 1", the probability of "damage 1" is "x11", the probability of "damage 2" is "x12", and the probability of "damage 3" is "x13". Among the damages caused by "attack 2", the probability of "damage 1" is "x21", the probability of "damage 2" is "x22", and the probability of "damage 3" is "x23".
  • the attribute information storage unit 124 also stores a countermeasure status report table for incidents.
  • FIG. 11 is a diagram showing an example of the data structure of the countermeasure status report table for incidents.
  • the countermeasure status report table 124e for an incident describes an incident ID, a registration date / time, an update date / time, the countermeasure ID of the countermeasure performed for this incident, and an ID indicating the attack type for the countermeasure.
  • the media trend evaluation information storage unit 125 stores the media trend and the result of processing the media trend in the external situation.
  • the media trend evaluation information storage unit 125 records, for example, news articles and news contents in association with publication dates and times.
  • the media trend evaluation information storage unit 125 also stores the ratio of positive news reports, neutral news reports, and negative news reports to the total after the case became public.
  • the social media analysis information storage unit 126 stores information about the reputation of SNS (Social Networking Service) such as Twitter among the external situations, and the result of processing the SNS information. For example, some tools for monitoring interactions on social media have a function of numerically notifying increase or decrease for each risk importance level.
  • the social media analysis information storage unit 126 may store the notified numerical value as an index of the degree of influence.
  • the company basic information storage unit 127 stores information that affects the business regarding each service.
  • the company basic information storage unit 127 stores, for example, a business influence table regarding a service name.
  • FIG. 12 is a diagram showing an example of the data structure of the business influence table regarding the service name.
  • Items that affect business include, for example, personal information, personal information compensation amount, confidential information, confidential information compensation amount, court cost, daily service sales, and impact on stock prices.
  • in the business impact table 127a related to the service name, the number of items, the amount of compensation, and the rate of decline estimated in advance are described for each item.
  • the control unit 13 has an internal memory for storing a program defining various processing procedures and the like and required data, and executes various processing by these.
  • the control unit 13 is an electronic circuit such as a CPU (Central Processing Unit) or MPU (Micro Processing Unit), or an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field Programmable Gate Array).
  • the control unit 13 includes a process reception unit 131, a system information management unit 132, an incident information management unit 133, a risk estimation unit 134, an external situation management unit 135, a business impact degree calculation unit 136, and an output unit 137.
  • the process reception unit 131 receives input information from the user terminal 20 via the communication processing unit 11. For example, the process reception unit 131 receives, from the user terminal 20, device information (a device ID) for identifying a device on the network and an observation event that occurred in the device. Further, when the damage probability information and the countermeasure information are displayed on the user terminal 20, the process reception unit 131 accepts, from the user terminal 20, countermeasure information indicating the countermeasure selected among the displayed countermeasures.
  • when the system information management unit 132 receives the device name and the event observation date and time from the process reception unit 131, it extracts the attribute value corresponding to the input device name (device ID) from the device information table 121a stored in the device information storage unit 121. Then, the system information management unit 132 extracts the observation events corresponding to the extracted attribute value from the observation event information table 122a stored in the observation information storage unit 122. The system information management unit 132 displays the extracted observation events on the screen of the user terminal 20 via the output unit 137 (described later) and the communication processing unit 11.
  • when the incident information management unit 133 receives the observed event from the process reception unit 131, it refers to the observation information storage unit 122 based on the attribute of the device extracted by the system information management unit 132 and the received observation event, and calculates the type of attack expected on the device and its occurrence probability. The incident information management unit 133 registers the attack type and the occurrence probability of the attack in the incident information storage unit 123 in association with information such as the date and time of occurrence, the observation event ID, and the device ID. In addition, when the incident information management unit 133 receives the countermeasure information selected on the user terminal from the process reception unit 131, it registers that information in the countermeasure status report table 124e for the incident in the attribute information storage unit 124.
  • the risk estimation unit 134 acquires, from the attribute information storage unit 124, the attribute information of the device (the first device) corresponding to the device ID received by the process reception unit 131, and estimates the risk of a device in the network being attacked based on the acquired attribute information and the observation event received by the process reception unit.
  • the risk estimation unit 134 obtains the attack transition probability from the first device to a device (the second device) to which the attack may transit, based on the segment connection information stored in the device information storage unit 121. Then, the risk estimation unit 134 estimates the probability that damage occurs, based on the content of the damage and the probability of occurrence of the damage depending on the type of attack, according to the intended use of each device, and on the attack transition probability to the second device. Note that the risk estimation unit 134 may weight the attack transition probability to the second device by the hop count.
  • the risk estimation unit 134 calculates the attack transition probability to the second device by multiplying the attack probability of the transition source device with a value based on the number of hops as a weight.
  • the risk estimation unit 134 outputs, via the output unit 137 and the communication processing unit 11, the probability of damage caused by an attack and the countermeasures against the attack acquired from the attribute information storage unit 124 to the user terminal 20.
  • the risk estimation unit 134 corrects the probability of damage caused by an attack using the correction value corresponding to the countermeasure acquired from the attribute information storage unit 124. Then, the risk estimation unit 134 outputs the corrected occurrence probability of damage due to the attack to the user terminal 20 via the output unit 137 and the communication processing unit 11.
  • the external situation management unit 135 acquires various external situations and registers them in the media trend evaluation information storage unit 125 and the social media analysis information storage unit 126.
  • the external situation management unit 135 also obtains a business impact index and outputs it to the business impact degree calculation unit 136.
  • examples of the business impact index include a numerical value showing the increase or decrease according to the importance of the risk, notified by a tool that monitors interactions on social media, and a degree of loss of corporate image extracted from the headlines and contents of news articles about the company, based on whether the articles are favorable, neutral, or malicious.
  • the business impact calculation unit 136 estimates the impact on the business of the service provided by the network due to the attack of the device in the network.
  • the business impact degree calculation unit 136 obtains a monetary amount related to the impact on the business due to the damage caused by the attack, regarding the service provided by the network, based on the various information that influences each service. Then, the business impact degree calculation unit 136 estimates the degree of impact on the business by using the obtained amount of money and the probability of occurrence of damage due to the attack. Specifically, the business impact degree calculation unit 136 sets the amount obtained by multiplying the obtained amount of money by the probability of occurrence of damage as the degree of impact on the business. Note that the business impact degree calculation unit 136 may also obtain the degree of impact on the business by multiplying the obtained amount by the probability of damage caused by the attack and by a business impact index based on the external situation as a weight.
  • the output unit 137 outputs the estimation result estimated by the business impact degree calculation unit 136 to the user terminal 20 via the communication processing unit 11.
  • the output unit 137 outputs the estimation result by the risk estimation unit 134 to the user terminal 20 via the communication processing unit 11.
  • FIG. 13 is a diagram showing an example of a screen displayed on the user terminal 20.
  • the user displays the screen M1 shown in FIG. 13, selects the device name (device ID) "server-S" on which the event was discovered, and enters the date and time "2018/8/21 10:34" at which the event was confirmed; the input content is then sent to the process reception unit 131.
  • the process reception unit 131 outputs these pieces of information to the system information management unit 132.
  • the system information management unit 132 extracts the attribute value “Web server” corresponding to the input device ID “server-S” from the device information table 121a (see FIG. 3) in the device information storage unit 121.
  • the system information management unit 132, based on the extracted attribute value "Web server", extracts from the observation event information table 122a (see FIG. 5) the observation events corresponding to observation event IDs "1" to "4": "server service suddenly stops", "NW is down or speed down", "server behavior is strange", and "DB server load increase", and displays them sequentially as "confirmed events" on the screen M1 (see FIG. 13) of the user terminal 20 (see region R1 in FIG. 13). In this case, for example, the user checks the check boxes of the confirmed events "server service suddenly stops" and "NW is down or speed down" on the screen M1 and selects the registration button. As a result, the user terminal 20 transmits to the estimation device 10 that the confirmed events "server service suddenly stopped" (observation event ID "1") and "NW down or speed down" (observation event ID "2") have occurred on "server-S".
  • the incident information management unit 133 upon receipt of this confirmation event, refers to the observation event information table 122a, acquires the probability of an attack on the confirmation event and the probability calculation method, and calculates the attack occurrence rate.
  • the incident information management unit 133 acquires a function defined for each attack type corresponding to an observation event from the observation event information table 122a.
  • This function is defined as a collection of multiple probabilities for each attack type. For example, in an unauthorized intrusion attack, the events that can be observed are the three with observation event ID "1", "server service suddenly stops", observation event ID "2", "NW is down or speed down", and observation event ID "3", "the behavior of the server is strange"; therefore the function "f (x1, x2, x3)" is defined with three parameters "x1" to "x3", one corresponding to each ID.
  • The incident information management unit 133 outputs the information registered in the incident information table 123a to the risk estimation unit 134. That is, it outputs the information that an “unauthorized intrusion” on “server-S” (incident ID “1”), the device on which the abnormality was observed this time, occurs with a probability of “80%”.
  • The risk estimation unit 134 divides the processing of this result into a first stage, a second stage and a third stage, and calculates the probability of occurrence of damage due to an attack on a device of the network.
  • FIG. 14 is a diagram showing an example of damage probability calculation by the risk estimation unit 134 for the network shown in FIG.
  • the risk estimation unit 134 executes the second stage calculation process.
  • the risk estimation unit 134 obtains the attack transition probability from the "server-S" (first device) where the event was observed to the second device to which the attack may transit.
  • Based on the device ID “server-S”, the risk estimation unit 134 uses the device information table 121a and the segment information connection table 122b of the device information storage unit 121 to obtain the segment to which “server-S” belongs. In this case, the risk estimation unit 134 acquires the segment “DMZ” of “server-S” from the device information table 121a, and acquires from the segment information connection table 122b the hop counts from “DMZ”: “1” (to “DMZ”), “3” (to “Internal LAN”) and “3” (to “Business LAN”).
  • Based on the acquired information, the risk estimation unit 134 extracts the devices to which the attack may have spread from “server-S”. For example, in the network of FIG. 2, the attack is likely to have spread to “server-T” in the DMZ, “server-U” and “server-Q” in the internal LAN, and “PC-A” in the business LAN.
  • Since the attack type on “server-S” with the highest probability, “80%”, is “unauthorized intrusion”, the risk estimation unit 134 assumes that the devices to which the attack may transition are also subject to “unauthorized intrusion”.
  • the risk estimation unit 134 can obtain the probability that an attack transits from the “server-S” to each device by using the hop count of the NW segment as a weight.
  • As an example of the weighting, (1/2)^(h−1) is selected.
  • Here “h” is the hop count described in the segment connection information table 121b (see FIG. 4).
  • FIG. 15 illustrates the method of calculating the attack transition probability. In this example, devices in the same NW segment are considered to have the same attack transition probability, and the probability decreases the more the NW segment differs, in other words, the logically farther away the device is. The probability of attack transition to each device is calculated on this basis.
  • When the hop count between event a and event b is s, the probability Pb of transition from event a to event b is the probability Pa of event a multiplied by (1/2)^(s−1).
  • The probability Pc of transition from event a to event c is the probability Pb multiplied by (1/2)^(t−1), where t is the hop count between events a and c.
  • In the second stage of FIG. 14, the risk estimation unit 134 gives “unauthorized intrusion on server-T” in the DMZ the same probability, “80%”, as “server-S”, since the hop count within the DMZ is “1” and the weight (1/2)^0 equals 1.
  • For the probability of “unauthorized intrusion on server-U” in the internal LAN in the second stage of FIG. 14, the hop count is “3”, so the risk estimation unit 134 multiplies the “80%” of “server-S” by (1/2)^2 to give “20%”.
  • In the second stage processing the risk estimation unit 134 thus estimates which device is subject to what type of attack and with what probability. Furthermore, since the risk estimation unit 134 weights the probability of an attack on each device by the hop count, the resulting probabilities appropriately reflect the connection status of each device.
  • the risk estimation unit 134 executes the calculation process of the third stage.
  • the risk estimation unit 134 estimates the probability of occurrence of damage assumed by the attack in the third stage.
  • In the third stage processing, the risk estimation unit 134 uses the damage occurrence rate for each damage content and attack type, which is assumed in advance according to the intended use of each device, together with the probability of attack transition to each device in the network obtained in the second stage.
  • The risk estimation unit 134 refers to the device information table 121a of the device information storage unit 121 and extracts, for each device to which the attack may transition from “server-S” as obtained in the second stage, the purpose of use of that device. Subsequently, as the processing of the next step, the risk estimation unit 134 refers to the relationship presentation table 124a (see FIG. 7) between purpose of use and damage in the attribute information storage unit 124, and extracts the damage contents corresponding to the purpose of use of each device.
  • The risk estimation unit 134 determines that when “server-S” suffers an unauthorized intrusion, “server-T” and “server-U” may also suffer an unauthorized intrusion (see the second stage of FIG. 14). Therefore, in the third stage, since the purpose of use of “server-T” and “server-U” is “service provision (application)” (see lines 2 and 3 in FIG. 3), the risk estimation unit 134 assumes, based on the relationship presentation table 124a (see FIG. 7) between purpose of use and damage, damages such as “service A stop”, “service A tampering” and “service A information leak”.
  • For “server-W”, whose purpose of use is “service provision (personal information, confidential information)” (fourth line in FIG. 3), the risk estimation unit 134 obtains “file server tampering” and “file server information leakage” (third line in FIG. 7) as the assumed damages.
  • For the damage contents obtained from the relationship presentation table 124a according to the purpose of use of each device, the risk estimation unit 134 takes the occurrence probability of each damage for the attack type, multiplies it by the attack transition probability to each device obtained in the second stage, and thereby calculates the probability of damage occurrence due to the attack as the probability of the third stage.
  • For example, the risk estimation unit 134 multiplies the probability “60%” of the damage “service stopped” for the attack type “unauthorized intrusion” (see the first line in FIG. 8) by the probability “80%” of “unauthorized intrusion on server-T” obtained in the second stage, giving “48%” (see FIG. 14, third stage, first row).
  • FIG. 16 illustrates the method of calculating the occurrence probability of each damage for a given attack type. As shown in FIG. 16, in this example the probability Pf of transition from event d or event e to event f is calculated from the probability Pd of event d and the probability Pe of event e using equation (1).
  • Applying to equation (1) the probability “50%” of the damage “service tampering” for the attack type “unauthorized intrusion” (see the second line of FIG. 8) together with the probabilities “80%” of “unauthorized intrusion on server-T” and “20%” of “unauthorized intrusion on server-U” obtained in the second stage, the risk estimation unit 134 calculates “46%” (see FIG. 14, third stage, second row).
  • By performing the calculation process of the third stage, the risk estimation unit 134 thus calculates the concrete contents of the damage caused by the assumed attack and the probability of occurrence of each damage.
  • the risk estimation unit 134 acquires, as countermeasure information, the procedure for the attack type “unauthorized intrusion” from the countermeasure table 124c of the attribute information storage unit 124. Then, the risk estimation unit 134 displays and outputs the estimated attack, the probability of damage caused by the attack, and the acquired countermeasure information for the attack on the user terminal 20.
  • FIG. 17 is a diagram showing an example of a screen displayed on the user terminal 20.
  • As shown in screen M2 of FIG. 17, the screen of the user terminal 20 displays the estimated attack and its probability, the devices to which the attack may transition together with their attack transition probabilities (see table L2), and the possible countermeasures against the attack (see region R2).
  • In this way, in response to a crisis such as a cyber incident, the estimation device 10 estimates the devices that may be attacked from input information such as the user's declaration, server logs and network monitoring tool logs. The estimation device 10 then derives the assumed damage specifically, from the connection state between the device and other devices in addition to information such as the information the device holds and the service it provides, and presents the damage situation to the user in a recognizable manner. Further, the estimation device 10 presents the user with countermeasures against the estimated attack.
  • The incident information management unit 133 registers the countermeasure against “unauthorized intrusion” (countermeasure ID “1”) selected by the user in the incident countermeasure status report table 124e of the attribute information storage unit 124, together with the registration date and time and the attack type ID (see the first line in FIG. 11).
  • The risk estimation unit 134 corrects the probability of occurrence of damage due to the attack using a correction value according to the countermeasure transmitted from the user terminal 20. This is because, once a countermeasure is taken against an attack, the probability that the damage caused by the attack occurs also changes. The correction processing by the risk estimation unit 134 is therefore described next.
  • the risk estimation unit 134 refers to the attack type information table 124d corresponding to the countermeasure in the attribute information storage unit 124, and extracts the probability of occurrence of damage corresponding to the selected countermeasure.
  • In the attack type information table 124d corresponding to the countermeasure, damage occurrence probabilities are registered for each attack type. In this example, the risk estimation unit 134 extracts the damage occurrence probabilities “x11” to “x3m” registered for “countermeasure 1”, countermeasure ID “1”.
  • FIG. 18 is a diagram illustrating a correction process by the risk estimation unit 134.
  • The risk estimation unit 134 takes the values extracted from the attack type information table 124d corresponding to the countermeasure plan (see table L2-1) and the occurrence probabilities of each damage calculated in the third stage (see table L3-1), computes their Hadamard (element-wise) product as shown in equations (2) and (3), and determines the obtained value (z in equation (2)) as the probability after the countermeasure is taken.
  • In table L3-1, the occurrence probabilities of each damage calculated in the third stage are associated with the attack types “1” to “3” and the damages “1” to “m” and shown as “y11” to “y3m”. These “y11” to “y3m” are the values actually calculated in the third stage processing, “48%”, “46%” and “62%” (see the third stage in FIG. 14).
  • By correcting the damage occurrence probability due to the attack according to the selected countermeasure, the risk estimation unit 134 can obtain the damage occurrence probability when that countermeasure is selected with high accuracy.
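The second-stage hop weighting, the third-stage damage calculation (including the combination of two transition sources that yields the 46% above) and the Hadamard-product correction after a countermeasure, worked through in Python as an added example; this is illustrative code, not code from the patent. The network, hop counts and percentages are those quoted in the description (FIG. 2 to FIG. 8 and FIG. 14). The table layout, the rule for combining several sources (inferred from the 50%, 80% and 20% figures giving 46%, since equation (1) itself is not reproduced on this page) and the countermeasure factors 0.5 and 0.25 are assumptions made for this example.

```python
"""Worked example of the second stage, third stage and countermeasure correction
performed by the risk estimation unit 134.  Added illustration, not patent code;
quoted values come from the description, everything else is assumed."""
from typing import Dict, List, Tuple

# Segment connection information: hop counts from the DMZ, as quoted for FIG. 4.
# Only the DMZ row is quoted on the page, so only that row is modelled here.
HOP_COUNT_FROM: Dict[str, Dict[str, int]] = {
    "DMZ": {"DMZ": 1, "Internal LAN": 3, "Business LAN": 3},
}

# Device information: device ID -> segment (subset of FIG. 2 / FIG. 3).
DEVICE_SEGMENT: Dict[str, str] = {
    "server-S": "DMZ",
    "server-T": "DMZ",
    "server-U": "Internal LAN",
    "server-Q": "Internal LAN",
    "PC-A": "Business LAN",
}

# Damage occurrence probability per attack type and damage (first two lines of FIG. 8).
DAMAGE_PROB: Dict[str, Dict[str, float]] = {
    "unauthorized intrusion": {"service stopped": 0.60, "service tampering": 0.50},
}


def transition_weight(hops: int) -> float:
    """Hop-count weight (1/2)^(h-1): a device in the same segment (h = 1) keeps the
    full probability, and each additional hop halves it."""
    if hops < 1:
        raise ValueError("hop count must be at least 1")
    return 0.5 ** (hops - 1)


def second_stage(first_device: str, p_attack: float) -> Dict[str, float]:
    """Attack transition probability from the first device to every other device."""
    src_segment = DEVICE_SEGMENT[first_device]
    result: Dict[str, float] = {}
    for device, segment in DEVICE_SEGMENT.items():
        if device == first_device:
            continue
        hops = HOP_COUNT_FROM[src_segment][segment]
        result[device] = p_attack * transition_weight(hops)
    return result


def third_stage(attack_type: str, damage: str, transition_probs: Dict[str, float],
                sources: List[str]) -> float:
    """Probability that `damage` occurs given the attack may reach it from any of
    `sources`.  With one source this is the plain product quoted in the text
    (60% x 80% = 48%).  With several sources the per-source products are combined
    as independent events, 1 - prod(1 - p_damage * p_src), which reproduces the
    46% the text obtains from FIG. 16 (assumed rule, inferred from those numbers)."""
    p_damage = DAMAGE_PROB[attack_type][damage]
    p_none = 1.0
    for src in sources:
        p_none *= 1.0 - p_damage * transition_probs[src]
    return 1.0 - p_none


def apply_countermeasure(y: List[List[float]], x: List[List[float]]) -> List[List[float]]:
    """Hadamard (element-wise) product z = x o y of the third-stage probabilities y
    and the per-countermeasure factors x; both are attack-type x damage matrices."""
    if len(x) != len(y) or any(len(a) != len(b) for a, b in zip(x, y)):
        raise ValueError("matrices must have the same shape")
    return [[xi * yi for xi, yi in zip(xr, yr)] for xr, yr in zip(x, y)]


def run_example() -> Tuple[Dict[str, float], float, float, List[List[float]]]:
    """Reproduce the quoted figures: 80% and 20% (second stage), 48% and 46% (third
    stage), then a corrected matrix for an assumed countermeasure."""
    trans = second_stage("server-S", 0.80)  # first-stage result: 80% on server-S
    p_stop = third_stage("unauthorized intrusion", "service stopped", trans, ["server-T"])
    p_tamper = third_stage("unauthorized intrusion", "service tampering", trans,
                           ["server-T", "server-U"])
    # Assumed correction factors x11, x12 for countermeasure ID "1" (1.0 = no effect).
    corrected = apply_countermeasure([[p_stop, p_tamper]], [[0.5, 0.25]])
    return trans, p_stop, p_tamper, corrected


if __name__ == "__main__":
    trans, p_stop, p_tamper, corrected = run_example()
    for device, p in trans.items():
        print(f"unauthorized intrusion on {device}: {p:.0%}")
    print(f"service stopped: {p_stop:.0%}, service tampering: {p_tamper:.0%}")
    print("after countermeasure 1:", [f"{z:.0%}" for z in corrected[0]])
```

Because the weight only depends on the hop count between segments, every device in the internal LAN and the business LAN receives the same 20% here; the page's own example makes the same simplification, and a finer model would need per-device connection data the tables do not carry.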
  • the risk estimating unit 134 causes the user terminal 20 to display and output the damage occurrence probability due to the corrected attack as the damage occurrence probability when the countermeasure is selected.
  • FIG. 19 is a diagram showing an example of a screen displayed on the user terminal 20.
  • As shown in screen M3 of FIG. 19, the estimated damage occurrence rate is displayed in table format on the user terminal 20 (see table L3).
  • the user can refer to the table L3 on the screen M3 to actually confirm the usefulness of the measure selected by the user, and then determine whether to execute the selected measure.
  • the risk estimation unit 134 outputs the probability of each damage after implementation of the measures to the business impact degree calculation unit 136. Further, the external situation management unit 135 calculates a business impact index and outputs it to the business impact degree calculation unit 136.
  • The external situation management unit 135 extracts the numbers of favourable, neutral and negative articles from the headlines and contents of articles about the company obtained via a service such as news article clipping, and uses them as an indicator of the degree of impact. These articles are stored in the media trend evaluation information storage unit 125. For example, one of the three factors that determine reputational risk is the gap between reputation and reality. In this case, the external situation management unit 135 classifies the news articles into three categories, positive, neutral and negative, obtains the ratio of these articles to the total after the incident became public as the business impact index, and thereby obtains the degree of damage to the corporate image (business impact). For example, the business impact index is defined as shown in equation (4).
  • The external situation management unit 135 has been described for the case where the business impact index is obtained from news articles, but a reputation index may be obtained in the same way from social media. Further, the method by which the external situation management unit 135 obtains the business impact index is merely an example, and other indicators can be incorporated.
  • the business impact calculation unit 136 estimates the impact on the business of the service provided by the network due to the attack.
  • the business impact degree calculation unit 136 extracts the item regarding the impact on the business from the business impact table 127a regarding the service name of the company basic information storage unit 127, and calculates the impact degree on the service regarding the business.
  • The business impact degree calculation unit 136 extracts from the business impact table 127a for the service name the items needed to calculate the degree of impact on the business. For example, it extracts the number of personal information items “e” (in units of 10,000 items), the compensation amount per personal information item “f” (in units of 100 yen), the number of confidential information items “g” (in units of 100 items), the compensation amount per confidential information item “h” (in units of 10,000 yen), the court costs “i” (in millions of yen), the daily service sales “j” (in billions of yen), the impact on the stock price “k” (in %), and so on. Then the business impact degree calculation unit 136 calculates the personal information compensation amount, the confidential information compensation amount, the influence on sales and the stock price drop amount using equations (5) to (8).
  • The business impact degree calculation unit 136 multiplies each of the amounts of money related to the business impact calculated with equations (5) to (8) by the corrected damage occurrence probability obtained by the risk estimation unit 134, and thereby calculates the various amounts of money related to the business impact of the attack after the countermeasure is taken.
  • the business impact calculation unit 136 may further multiply the calculation result by the business impact index output from the external situation management unit 135 as a weight.
  • the external situation management unit 135 can calculate the influence more suited to the social situation by multiplying the influence on the sales with the business influence index as a weight.
  • the business impact degree calculation unit 136 causes the user terminal 20 to display and output various estimated amounts of money regarding the impact on the business of the calculated attack.
  • FIG. 20 is a diagram showing an example of a screen displayed on the user terminal 20.
  • The impact on the business of the “unauthorized intrusion” attack is displayed in table format on the user terminal 20 (see table L4).
  • the user can refer to the table L4 on the screen M4 to confirm the degree of influence on the business by the measure selected by the user in a concrete and multi-faceted manner.
  • The business impact degree calculation unit 136 also displays on the user terminal 20 the results of equations (5) to (8) as they are, without multiplying by the corrected damage occurrence probability from the risk estimation unit 134, that is, the result when the countermeasure against “unauthorized intrusion” is not executed. By confirming this result on the screen of the user terminal 20, the user can see the degree of business impact when the countermeasure against “unauthorized intrusion” is not executed.
  • In this way, when the user observes an event indicating that an attack is occurring, the estimation device 10 specifically indicates the degree of impact on the business both when countermeasures are taken against the damage predicted from the attack and when they are not.
  • FIG. 21 is a sequence diagram showing an example of the flow of the estimation process according to the embodiment.
  • the process receiving unit 131 accepts the input information and outputs the information to the system information management unit 132 (step S3).
  • the system information management unit 132 extracts the attribute value corresponding to the input device ID from the device information table 121a (see FIG. 3) in the device information storage unit 121 (step S4).
  • the system information management unit 132 extracts the observation event from the observation event information table 122a (see FIG. 5) of the observation information storage unit 122 based on the extracted attribute value (step S5).
  • the system information management unit 132 transmits an observation event display instruction to the screen of the user terminal 20 via the output unit 137 and the communication processing unit 11 (not shown) (steps S6 and S7).
  • the confirmation event is displayed on the screen of the user terminal 20 (step S8).
  • the process reception unit 131 receives the registered event (step S9) and outputs it to the incident information management unit 133 (step S10).
  • the incident information management unit 133 refers to the observation event information table 122a, acquires the probability of an attack on the confirmation event and the probability calculation method (step S11), and calculates the attack occurrence rate (step S12).
  • The incident information management unit 133 registers, in the incident information table 123a of the incident information storage unit 123, the type of attack on the first device on which the event was observed and the occurrence rate of that attack (step S13), and outputs the attack type and attack occurrence rate for the first device to the risk estimation unit 134 (step S14).
  • the risk estimation unit 134 divides this result into the second stage and the third stage, and calculates the probability of occurrence of damage due to an attack on the network device.
  • The risk estimation unit 134 extracts the second devices to which the attack may transition (spread) from the first device, based on the segment connection information in the device information table 121a and the segment information connection table 122b of the device information storage unit 121 (step S15).
  • the risk estimation unit 134 acquires the hop count of the first device from the device information storage unit 121 (step S16).
  • the risk estimation unit 134 calculates the probability of an attack transitioning from the first device to the second device, using the hop count of the NW segment as a weight as shown in FIGS. 14 and 15 (step S17).
  • the risk estimation unit 134 executes the calculation process of the third stage.
  • the risk estimation unit 134 refers to the device information table 121a of the device information storage unit 121 and extracts the usage purpose of the second device for each device (step S18).
  • The risk estimation unit 134 refers to the relationship presentation table 124a (see FIG. 7) between purpose of use and damage and to the attack type information table 124b (see FIG. 8) in the attribute information storage unit 124, and extracts the damage contents according to the purpose of use of each device and the occurrence probability information of each damage for each attack type (step S19).
  • The risk estimation unit 134 calculates, for each device to which the attack is assumed to transition, the contents of the damage caused by the attack and the probability of occurrence of each damage (step S20). Specifically, the risk estimation unit 134 multiplies the occurrence probability of each damage for the attack type extracted in step S19 by the attack transition probability to each device obtained in the second stage, and uses the result as the probability of damage occurrence due to the attack in the third stage.
  • the risk estimation unit 134 acquires, as countermeasure information, a procedure for an attack on the first device from the countermeasure table 124c of the attribute information storage unit 124 (step S21).
  • Via the output unit 137 and the communication processing unit 11, the risk estimation unit 134 causes the user terminal 20 to display the estimated attack, information indicating the probability of damage caused by the attack, and the acquired countermeasure information for the attack (steps S22 and S23).
  • the screen of the user terminal 20 displays the estimated attack, the information indicating the probability of damage caused by the attack, and the acquired countermeasure information for the attack (step S24).
  • the process reception unit 131 receives the selected event (step S25) and outputs it to the incident information management unit 133 (step S26).
  • the incident information management unit 133 registers the selected countermeasure in the incident countermeasure status report table 124e of the attribute information storage unit 124 (step S27) and outputs the selected countermeasure to the risk estimation unit 134.
  • the risk estimation unit 134 refers to the attack type information table 124d corresponding to the countermeasure in the attribute information storage unit 124, and extracts the probability of occurrence of damage corresponding to the selected countermeasure (step S28). Then, the risk estimation unit 134 uses the extracted probability of occurrence of damage corresponding to the selected countermeasure plan as a correction value as described with reference to FIG. 18, and calculates the probability after the countermeasure is implemented (step S29). As a result, the risk estimation unit 134 corrects the damage occurrence probability due to the attack using the correction value according to the selected countermeasure.
  • the risk estimating unit 134 displays and outputs the probability of occurrence of damage due to the corrected attack on the user terminal 20 as the probability of occurrence of each damage after taking countermeasures (steps S30 and S31). As a result, the probability of damage occurring after the countermeasure selected by the user is executed is displayed on the screen of the user terminal 20 (step S32).
  • the risk estimation unit 134 outputs the probability of each damage after the countermeasure is implemented to the business impact degree calculation unit 136 (step S33).
  • the external situation management unit 135 calculates the business impact index and outputs it to the business impact degree calculation unit 136 (step S35).
  • the business impact degree calculation unit 136 extracts the enterprise basic information including the item regarding the impact on the business from the business impact table 127a regarding the service name of the enterprise basic information storage unit 127 (step S34).
  • the business impact calculation unit 136 calculates the impact of the service on the business based on the probability of each damage after the countermeasures are taken and the business impact index (step S36).
  • The business impact degree calculation unit 136 calculates the personal information compensation amount, the confidential information compensation amount, the impact on sales, the stock price drop amount and the degree of business impact on the service by using, for example, equations (5) to (8).
  • the business impact calculation unit 136 causes the user terminal 20 to display and output various estimated amounts of money regarding the impact of the calculated attack on the business (steps S37 and S38). As a result, the effect of the attack on the business is displayed on the user terminal 20 depending on whether or not the countermeasure selected by the user is executed (step S39). Further, the business impact degree calculation unit 136 registers the calculated impact degree of the attack on the business related to the service in the company basic information storage unit 127 (step S40), and ends the process.
  • As described above, the estimation device 10 receives, as input from the user terminal 20, device information identifying a device in the network and an observation event that has occurred on that device. The estimation device 10 then acquires the attribute information of the first device corresponding to the received device information, and estimates the risk of the devices in the network being attacked based on the acquired attribute information and the received observation event. Based on the risk estimation result, the estimation device 10 estimates the impact on the business of the service provided by the network due to the attack on the devices in the network, and outputs the calculated business impact, for example, to the user terminal 20.
  • In this way, in response to a crisis such as a cyber incident, the estimation device 10 estimates the risk of the devices in the network being attacked and then presents the degree of impact of the attack on the business to the user in a recognizable manner.
  • Since the impact of the predicted damage on the business is presented at the time the damage is predicted, the user can appropriately grasp the damage in real-world terms. That is, according to the present embodiment, the user can grasp the business impact of an attack at an early stage, when an observation event that is likely to lead to a cyber incident occurs. The user can therefore respond effectively to the cyber attack while taking the business impact into account.
  • Each constituent element of each illustrated device is functionally conceptual and need not be physically configured as illustrated. That is, the specific form of distribution and integration of each device is not limited to that shown in the figures; all or part of each device may be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions. Further, each processing function performed by each device may be implemented entirely or in part by a CPU and a program analysed and executed by the CPU, or realized as hardware by wired logic.
  • FIG. 22 is a diagram showing a computer that executes the estimation program.
  • the computer 1000 has, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. However, these units are connected by a bus 1080.
  • the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012, as illustrated in FIG.
  • the ROM 1011 stores, for example, a boot program such as BIOS (Basic Input Output System).
  • the hard disk drive interface 1030 is connected to the hard disk drive 1090, as illustrated in FIG.
  • the disk drive interface 1040 is connected to the disk drive 1100, as illustrated in FIG.
  • a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100.
  • the serial port interface 1050 is connected to, for example, a mouse 1051 and a keyboard 1052, as illustrated in FIG.
  • the video adapter 1060 is connected to, for example, the display 1061 as illustrated in FIG.
  • the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the above estimation program is stored in, for example, the hard disk drive 1090 as a program module in which a command executed by the computer 1000 is described.
  • the various data described in the above embodiments are stored as program data in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 or the hard disk drive 1090 into the RAM 1012 as necessary, and executes various processing procedures.
  • The program module 1093 and the program data 1094 related to the estimation program are not limited to being stored in the hard disk drive 1090; they may be stored, for example, in a removable storage medium and read by the CPU 1020 via the disk drive or the like. Alternatively, the program module 1093 and the program data 1094 related to the estimation program may be stored in another computer connected via a network (LAN, WAN (Wide Area Network), etc.) and read by the CPU 1020 via the network interface 1070.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

This estimation device (10) receives, as inputs from a terminal, apparatus information for identifying an apparatus in a network and an observation event generated in the apparatus. The estimation device (10) acquires attribute information about a first apparatus, which corresponds to the received apparatus information, and estimates the risk of the attack to be received by the apparatus in the network on the basis of the received observation event. The estimation device (10) estimates, on the basis of the estimation result, a degree of influence which is exerted on a business pertaining to a service provided by the network and is caused by the attack received by the apparatus in the network, and outputs the estimation result.

Description

Estimation method, estimation device, and estimation program
 The present invention relates to an estimation method, an estimation device, and an estimation program.
 Nowadays, with all kinds of information and services digitized, management must recognize the value and role, in corporate strategy, of the systems used as information infrastructure and of important information such as trade secrets, and must clarify its policy for dealing with the risks posed by cyber attacks. Management identifies, among the assets the company holds, the information that must be protected, grasps the cyber security risks that may arise, examines a cyber security countermeasure policy from the viewpoints of risk reduction, avoidance and transfer, and implements it. In addition, the Ministry of Economy, Trade and Industry has issued guidelines stating that risks omitted from management's examination should be identified as residual risks (see Non-Patent Document 1).
As one way of responding to risk, management can take measures such as installing antivirus software to protect terminals and servers from computer viruses, or placing antivirus software between the in-house network and the Internet to defend against attacks from outside. Such measures make it possible to reduce cyber security risk.
When a cyber attack does occur, the company suffers damage such as service outages and information leaks, and further incurs compensation to third parties, response costs and lost profits; there are also services that reduce these costs through cyber risk insurance.
There is also a method of judging risk on the basis of the information on the devices that make up the IT system and on security information, taking into account the vulnerabilities of each device obtained in advance, the impact the device has on the business, and its relationships with the other devices connected to it. Because this method fixes an order of priority among the risks, when an attack is found management responds to the attack in that order of priority.
Furthermore, in recent years a method has been proposed for making a more accurate assessment by combining natural disaster forecasts with cyber forecasts (see Patent Document 1).
JP 2017-117067 A
Although some companies respond to crises such as cyber incidents by carrying out security measures in line with policies they have set themselves, attacks evolve daily and a complete defence is difficult. Moreover, many organizations, small and medium-sized enterprises in particular, cannot allocate a budget or specialist staff to security measures, and it is a fact that information leaks and incidents occur almost every day.
When a terminal within a company is hit by a cyber attack, the attack may spread further depending on the characteristics of the attack and of the virus. For example, when a terminal is attacked by an unknown virus, the virus definition file current at that time contains no information about the unknown virus, so antivirus software cannot detect it. There are also attacks that a firewall cannot fully prevent, such as computer viruses that enter via e-mail and attacks by insiders, so these defences are not watertight.
In addition, the impact on the business is growing: a company that is slow to disclose the damage caused by a cyber attack is criticized for its mishandling by outside media such as the press, the situation gets further out of hand when it flares up on Twitter and other online services, sales fall as a result of this chain of events, or the supervising ministry issues guidance about the delayed response, so that the brand is weakened and the products the company may handle are restricted.
The cyber risk insurance mentioned above, moreover, covers only liability for damages and the costs incurred in responding. For this reason, even a company that has taken out cyber risk insurance gains nothing that narrows the scope of damage from a cyber attack, nor anything that halts the decline of its brand. Like cyber risk insurance, the method described in Patent Document 1 neither narrows the scope of damage from a cyber attack nor halts the decline of the company's brand.
The present invention has been made in view of the above, and its object is to provide an estimation method, an estimation device and an estimation program capable of grasping the impact of an attack on the business at an early stage, at the moment an observation event likely to lead to a cyber incident occurs.
In order to solve the above problems and achieve the object, the estimation method of the present invention is an estimation method executed by an estimation device and comprises: a reception step of receiving, as input from a terminal, device information identifying a device in a network and an observation event that has occurred in that device; a first estimation step of acquiring attribute information of a first device corresponding to the device information received in the reception step and estimating, on the basis of the acquired attribute information and the observation event received in the reception step, the risk that a device in the network will be attacked; a second estimation step of estimating, on the basis of the estimation result of the first estimation step, the degree of impact on the business pertaining to a service provided by the network that is caused by a device in the network being attacked; and a first output step of outputting the estimation result estimated in the second estimation step.
According to the present invention, the impact of an attack on the business can be grasped at an early stage, at the moment an observation event likely to lead to a cyber incident occurs.
FIG. 1 is a block diagram showing a configuration example of a system including an estimation device according to the embodiment.
FIG. 2 is a diagram showing a configuration example of a network managed by the system in the embodiment.
FIG. 3 is a diagram showing an example of the data structure of the device information table.
FIG. 4 is a diagram showing an example of the data structure of the segment connection information table.
FIG. 5 is a diagram showing an example of the data structure of the observation event information table.
FIG. 6 is a diagram showing an example of the data structure of the incident information table.
FIG. 7 is a diagram showing an example of the data structure of the table presenting the relationship between purpose of use and damage.
FIG. 8 is a diagram showing an example of the data structure of the attack type information table.
FIG. 9 is a diagram showing an example of the data structure of the countermeasure table.
FIG. 10 is a diagram showing an example of the data structure of the attack type information table for countermeasure plans.
FIG. 11 is a diagram showing an example of the data structure of the countermeasure status report table for incidents.
FIG. 12 is a diagram showing an example of the data structure of the business impact table for service names.
FIG. 13 is a diagram showing an example of a screen displayed on the user terminal.
FIG. 14 is a diagram showing an example of the damage probability calculation performed by the risk estimation unit for the network shown in FIG. 2.
FIG. 15 is a diagram explaining a method of calculating the attack transition probability.
FIG. 16 is a diagram explaining a method of calculating the occurrence probability of each kind of damage according to the type of attack.
FIG. 17 is a diagram showing an example of a screen displayed on the user terminal.
FIG. 18 is a diagram explaining the correction process performed by the risk estimation unit.
FIG. 19 is a diagram showing an example of a screen displayed on the user terminal.
FIG. 20 is a diagram showing an example of a screen displayed on the user terminal.
FIG. 21 is a sequence diagram showing an example of the flow of the estimation process according to the embodiment.
FIG. 22 is a diagram showing a computer that executes the estimation program.
Embodiments of the estimation method, estimation device and estimation program according to the present application are described in detail below with reference to the drawings. The estimation method, estimation device and estimation program according to the present application are not limited by these embodiments. In the description of the drawings, the same parts are denoted by the same reference numerals.
[Embodiment]
In the following embodiment, the configuration of the estimation device according to the first embodiment and the flow of its processing are described in order, and finally the effects of the embodiment are described.
[Configuration of the estimation device]
First, a configuration example of a system including the estimation device according to the embodiment is described with reference to FIG. 1. FIG. 1 is a block diagram showing a configuration example of a system including an estimation device 10 according to the embodiment. As shown in FIG. 1, the system has, for example, an estimation device 10 and a user terminal 20. The estimation device 10 and the user terminal 20 are connected via a connection line 30 such as the Internet. The configuration shown in FIG. 1 is merely an example; the specific configuration and the number of each device are not particularly limited, and there may be a plurality of user terminals 20. Although the system illustrated in FIG. 1 has a client-server configuration, it may instead be a stand-alone configuration.
The estimation device 10 is a server device that estimates the risk that a device in the network under observation will be attacked, estimates, on the basis of that estimation result, the degree of impact on the business pertaining to the service provided by the network, and outputs the result to the user terminal 20. Specifically, the estimation device 10 receives as input from the user terminal 20 a device ID identifying a device in the network and an observation event that has occurred in that device. The estimation device 10 may also register in advance incident information that associates an incident ID with a pair of device ID and observation event, so that a device ID and observation event can be designated by receiving an incident ID as input from the user terminal 20.
The estimation device 10 then estimates the risk that a device in the network will be attacked, on the basis of the attribute information of the device corresponding to the device ID and the observation event. Next, on the basis of the risk estimation result, the estimation device 10 estimates the degree of impact on the business pertaining to the service provided by the network that results from a device in the network being attacked, and outputs the estimated degree of business impact to the user terminal 20. In other words, starting from input stating which observation event occurred on which device, the estimation device 10 estimates the attack on the devices in the network and, beyond that, the degree of business impact the attack causes, and outputs it to the user terminal 20.
The user terminal 20 is a device such as a PC (Personal Computer) or a smartphone, for example one used by a member of the information systems department of a company that provides a network service. The user terminal 20 notifies the estimation device 10 of input stating which observation event occurred on which device, receives the degree of impact on the business pertaining to the service provided by the network, and displays what it received. For example, as the degree of business impact, the user terminal 20 displays estimated amounts such as the fall in sales caused by a service outage due to the attack and the compensation payable for information that suffered damage such as leakage due to the attack.
Next, the configuration of the estimation device 10 is described. As shown in FIG. 1, the estimation device 10 has a communication processing unit 11, a storage unit 12 and a control unit 13.
The communication processing unit 11 controls communication of various kinds of information. For example, the communication processing unit 11 receives from the user terminal 20, as input information, the device ID identifying a device in the network and the observation event that occurred in that device. The communication processing unit 11 also transmits to the user terminal 20 the estimation result for the degree of business impact caused by a device in the network being attacked.
The storage unit 12 stores the data and programs needed for the various processes performed by the control unit 13. The storage unit 12 is, for example, a semiconductor memory element such as a RAM (Random Access Memory) or flash memory, or a storage device such as a hard disk or optical disk. The storage unit 12 has a device information storage unit 121, an observation information storage unit 122, an incident information storage unit 123, an attribute information storage unit 124, a media trend evaluation information storage unit 125, a social media analysis information storage unit 126 and a company basic information storage unit 127.
Here, for purposes of explanation, a configuration example of a network that is the estimation target of the estimation device 10 is shown. FIG. 2 is a diagram showing a configuration example of a network managed by the system in the embodiment. As shown in FIG. 2, the managed network consists of a DMZ (DeMilitarized Zone), an internal LAN (Local Area Network) and a business LAN, and connects to the Internet through a firewall placed in front of it. The various tables stored in the storage unit 12 are populated according to the network configuration shown in FIG. 2.
First, the device information storage unit 121 is described. The device information storage unit 121 stores information on each device that makes up the network; for example, it stores a device information table. FIG. 3 is a diagram showing an example of the data structure of the device information table. As shown in FIG. 3, the device information table 121a records, for each device, the device ID, the device type, the attribute value of the device, its purpose of use, whether it holds confidential information, the network segment to which it belongs, its OS information, middleware and the applications in use, and information on the services in which the device is involved.
The device information storage unit 121 also stores a segment connection information table. FIG. 4 is a diagram showing an example of the data structure of the segment connection information table. As shown in FIG. 2, the network managed by the system is divided into a plurality of network segments. The segment connection information table 121b shown in FIG. 4 therefore records, on the basis of the network configuration diagram, the number of hops needed to reach each segment of the network from each other segment. The number of hops is the number of forwarding devices and relay facilities traversed before reaching the communication partner on the communication network.
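The segment connection information table 121b is filled in from the network diagram by hand. The following added example, which is not code from the patent or from NTT, derives the same hop table automatically from a connection graph, counting only forwarding devices as hops in line with the definition above. The topology, segment names and the relay set are constructed assumptions loosely modelled on the three-zone network in FIG. 2, not that figure's actual layout.

```python
from collections import deque

# Constructed topology for illustration (an assumption, not the layout of FIG. 2).
# Segments are the nodes whose pairwise hop counts go into the table; relays are
# the forwarding devices that count as hops.
SEGMENTS = {"Internet", "DMZ", "InternalLAN", "BusinessLAN"}
RELAYS = {"Firewall", "Router"}
LINKS = {
    "Internet": ["Firewall"],
    "Firewall": ["Internet", "DMZ", "InternalLAN"],
    "DMZ": ["Firewall"],
    "InternalLAN": ["Firewall", "Router"],
    "Router": ["InternalLAN", "BusinessLAN"],
    "BusinessLAN": ["Router"],
}


def hop_counts(links, relays, origin):
    """Fewest relay devices crossed from origin to every other node.

    Entering a relay node costs one hop, entering a segment node costs none,
    which matches the definition of a hop as a forwarding device traversed on
    the way to the partner. With 0/1 costs a 0-1 BFS (zero-cost moves pushed
    to the front of the deque) finds the minimum exactly.
    """
    dist = {origin: 0}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for nxt in links.get(node, []):
            cost = 1 if nxt in relays else 0
            if nxt not in dist or dist[node] + cost < dist[nxt]:
                dist[nxt] = dist[node] + cost
                if cost == 0:
                    queue.appendleft(nxt)
                else:
                    queue.append(nxt)
    return dist


def segment_connection_table(links, segments, relays):
    """Analogue of table 121b: hop count from every segment to every other."""
    table = {}
    for src in sorted(segments):
        dist = hop_counts(links, relays, src)
        table[src] = {dst: dist[dst] for dst in sorted(segments) if dst in dist}
    return table


def segments_within(table, origin, max_hops):
    """Segments no more than max_hops away from a segment holding a device that
    raised an observation event: the first places a defender should check when
    deciding where an attack could spread."""
    return sorted(seg for seg, hops in table[origin].items() if 0 < hops <= max_hops)


if __name__ == "__main__":
    for src, row in segment_connection_table(LINKS, SEGMENTS, RELAYS).items():
        print(src, row)
```

Because the table is computed rather than typed in, a change to the diagram (a new segment, a removed router) is reflected by editing `LINKS` alone, and the hop counts stay consistent with each other.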
The observation information storage unit 122 stores observation event information defining, for each attribute, the observation events that may occur when a device with that attribute is attacked. Specifically, the observation information storage unit 122 stores an observation event information table that associates an observation event occurring in a device with the type of attack the device may be under and the probability that it is under that attack. Since several observation events can arise from a single attack, the observation event information table also defines a probability calculation method for reducing them to a single probability for the attack.
FIG. 5 is a diagram showing an example of the data structure of the observation event information table. As shown in FIG. 5, the observation event information table 122a has the columns ID, device attribute value, observation event occurring in the device, attack type the device is under, probability that the device is under this attack, and probability calculation method. Specifically, the entry with ID "1" in the observation event information table 122a records that when the observation event "server service stopped suddenly" occurs on a device with attribute value "Web server", the device is under an "unauthorized intrusion" attack with a probability of "80%", and that the method of calculating the probability is "f(x1,x2,x3)".
The incident information storage unit 123 stores an incident information table. The incident information table is a table for recording information at the time some event out of the ordinary occurs.
FIG. 6 is a diagram showing an example of the data structure of the incident information table. As shown in FIG. 6, the incident information table 123a associates with each incident ID the date and time the observation event occurred, an observation event ID identifying the observation event, the attack type, the determined attack probability, the device ID of the attacked device, and the registration/update date and time. Because more detailed information becomes available as the analysis of the incident progresses, analysis results such as the attack type and attack probability, together with the update date and time, are recorded in the incident information table 123a as the analysis proceeds. The combination of device ID, observation event and so on is designated by the user terminal 20, and the incident information management unit 133 (described later) assigns an incident ID and registers it.
The attribute information storage unit 124 stores attribute information defining the various attributes of each device in the network. For example, the attribute information storage unit 124 stores a table presenting the relationship between purpose of use and damage. FIG. 7 is a diagram showing an example of the data structure of the table presenting the relationship between purpose of use and damage.
As shown in FIG. 7, the purpose-of-use/damage relationship table 124a associates each purpose of use with concrete kinds of damage such as service outage, service tampering and information leakage. Each of these is a kind of damage anticipated for a purpose of use listed in the device information table 121a (see FIG. 3) and has been identified in advance. In FIG. 7, "1" is entered for a kind of damage that is relevant to the purpose of use and "0" for one that is not.
The attribute information storage unit 124 also stores an attack type information table. FIG. 8 is a diagram showing an example of the data structure of the attack type information table. As shown in FIG. 8, the attack type information table 124b associates each attack type ID with the attack type, the attack target, and the probability that each kind of damage anticipated in advance occurs. The probability of each kind of damage in the attack type information table 124b may be set in advance, or may be updated continuously to reflect the results of incident response.
The attribute information storage unit 124 also stores a countermeasure table. FIG. 9 is a diagram showing an example of the data structure of the countermeasure table. As shown in FIG. 9, the countermeasure table 124c associates each attack ID with the name of a countermeasure against the cyber attack and its concrete procedure.
The attribute information storage unit 124 also stores an attack type information table for countermeasure plans. FIG. 10 is a diagram showing an example of the data structure of the attack type information table for countermeasure plans. As shown in FIG. 10, the attack type information table 124d for countermeasure plans associates each countermeasure ID with the countermeasure plan and the occurrence probability of each kind of damage.
Since implementing a countermeasure from the countermeasure table 124c (see FIG. 9) may lower the attack probability (see the incident information table 123a in FIG. 6), the attack type information table 124d for countermeasure plans sets, for each countermeasure, the occurrence probability of each kind of damage from an attack once that countermeasure has been taken. Take, for example, the case in which "countermeasure 1" with countermeasure ID "1" in FIG. 10 is executed. In this case, among the damage caused by "attack 1", the probability of "damage 1" is "x11", the probability of "damage 2" is "x12" and the probability of "damage 3" is "x13"; among the damage caused by "attack 2", the probability of "damage 1" is "x21", the probability of "damage 2" is "x22" and the probability of "damage 3" is "x23".
The attribute information storage unit 124 also stores a countermeasure status report table for incidents. FIG. 11 is a diagram showing an example of the data structure of the countermeasure status report table for incidents. As shown in FIG. 11, the countermeasure status report table 124e for incidents records the incident ID, the registration date and time, the update date and time, the countermeasure ID of the countermeasure carried out for the incident, and the ID indicating the attack type addressed by the countermeasure.
Next, the media trend evaluation information storage unit 125 is described. Of the external situation, the media trend evaluation information storage unit 125 stores media trends and the results of processing those trends. For example, it records news articles and the contents of reports together with their publication date and time. It also stores, for the period since the incident became public, the proportions of positive, neutral and negative reports in the total coverage.
Of the external situation, the social media analysis information storage unit 126 stores information on reputation on SNS (Social Networking Service) such as Twitter and the results of processing that SNS information. For example, some tools for monitoring exchanges on social media have a function that reports rises and falls numerically for each level of risk severity. The social media analysis information storage unit 126 may store the numerical values reported in this way as an indicator of the degree of impact.
The company basic information storage unit 127 stores information that affects the business pertaining to each service. For example, it stores a business impact table for service names. FIG. 12 is a diagram showing an example of the data structure of the business impact table for service names. As shown in FIG. 12, the business impact table 127a for service names associates with each service the names of the devices concerned and the items that affect the business. Items that affect the business include, for example, personal information, the compensation amount for personal information, confidential information, the compensation amount for confidential information, litigation costs, the service's daily sales, and the effect on the share price. For each item, the business impact table 127a for service names records the number of records, compensation amount and rate of decline assumed in advance.
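The tables 124a, 124b, 124d and 127a described above are the inputs from which a damage probability and a monetary business impact can be derived, and from which the effect of a countermeasure can be compared. The following added example, written for this page and not code from the patent or from NTT, shows one way of chaining them: attack probability times conditional damage probability, masked by the purpose-of-use relation, then converted to an expected loss. The table contents, the countermeasure name and the mapping from damage kinds to money are constructed assumptions; the page does not specify how damage kinds are priced.

```python
# Constructed example tables for one service; all names, probabilities and
# monetary figures are assumptions for illustration, not the patent's values.
DAMAGES = ("service_stop", "service_tampering", "info_leak")

# Analogue of table 124a: 1 = this damage is relevant to the purpose of use.
PURPOSE_DAMAGE = {
    "public_web":  {"service_stop": 1, "service_tampering": 1, "info_leak": 0},
    "customer_db": {"service_stop": 1, "service_tampering": 0, "info_leak": 1},
}

# Analogue of table 124b: probability of each damage given the attack.
ATTACK_DAMAGE = {
    "unauthorized_intrusion": {"service_stop": 0.5, "service_tampering": 0.4, "info_leak": 0.7},
}

# Analogue of table 124d: damage probabilities once a countermeasure is in place
# (isolating the host curbs leakage but makes an outage almost certain).
COUNTERMEASURE_DAMAGE = {
    "isolate_host": {
        "unauthorized_intrusion": {"service_stop": 0.9, "service_tampering": 0.05, "info_leak": 0.1},
    },
}

# Analogue of table 127a: items that affect the business, per service.
BUSINESS_IMPACT = {
    "online_shop": {
        "personal_info_records": 10_000,
        "personal_info_compensation_per_record": 500,
        "daily_sales": 200_000,
    },
}


def damage_probabilities(attack, attack_prob, purpose, countermeasure=None):
    """P(damage) = P(attack) * P(damage | attack), zeroed for damage kinds that
    the purpose-of-use table marks as irrelevant to this device."""
    conditional = ATTACK_DAMAGE[attack]
    if countermeasure is not None:
        conditional = COUNTERMEASURE_DAMAGE[countermeasure][attack]
    mask = PURPOSE_DAMAGE[purpose]
    return {d: attack_prob * conditional[d] * mask[d] for d in DAMAGES}


def expected_loss(probs, service, outage_days=1):
    """Assumed pricing of damage kinds (not given on the page): a leak costs
    records x compensation per record; a stop, and tampering while the service
    is taken down for repair, cost daily sales x outage days."""
    b = BUSINESS_IMPACT[service]
    leak_cost = b["personal_info_records"] * b["personal_info_compensation_per_record"]
    stop_cost = b["daily_sales"] * outage_days
    return (probs["info_leak"] * leak_cost
            + (probs["service_stop"] + probs["service_tampering"]) * stop_cost)


def compare_countermeasures(attack, attack_prob, purpose, service, countermeasures):
    """Expected loss with no countermeasure and with each candidate, so the
    user can see which option lowers the business impact most."""
    baseline = damage_probabilities(attack, attack_prob, purpose)
    result = {"none": expected_loss(baseline, service)}
    for cm in countermeasures:
        probs = damage_probabilities(attack, attack_prob, purpose, countermeasure=cm)
        result[cm] = expected_loss(probs, service)
    return result


if __name__ == "__main__":
    # A DB server under "unauthorized intrusion" with probability 0.8, as in the
    # FIG. 5 example, compared with and without isolating the host.
    print(compare_countermeasures("unauthorized_intrusion", 0.8, "customer_db",
                                  "online_shop", ["isolate_host"]))
```

The mask from table 124a matters in practice: without it, a public web server that stores no personal data would be charged a leak cost it cannot incur, and the countermeasure comparison would be skewed toward options that reduce leakage rather than outage.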
The control unit 13 has an internal memory for storing programs defining the various processing procedures and the required data, and uses these to execute the various processes. The control unit 13 is an electronic circuit such as a CPU (Central Processing Unit) or MPU (Micro Processing Unit), or an integrated circuit such as an ASIC (Application Specific Integrated Circuit) or FPGA (Field Programmable Gate Array). The control unit 13 has a process reception unit 131, a system information management unit 132, an incident information management unit 133, a risk estimation unit 134, an external situation management unit 135, a business impact calculation unit 136 and an output unit 137.
 処理受付部131は、通信処理部11を介して、利用者端末20から入力情報を受け付ける。例えば、処理受付部131は、ネットワークにおける機器を識別する機器情報(機器ID)と、該機器において発生した観測事象とを入力として利用者端末20から受け付ける。また、処理受付部131は、利用者端末20に被害確率情報及び対策情報が表示された際には、利用者端末20から、表示された対策のうち選択された対策を示す対策情報の入力を受け付ける。 The process receiving unit 131 receives input information from the user terminal 20 via the communication processing unit 11. For example, the process reception unit 131 receives, from the user terminal 20, device information (device ID) for identifying a device on the network and an observation event that occurred in the device. Further, when the damage probability information and the countermeasure information are displayed on the user terminal 20, the processing reception unit 131 inputs the countermeasure information indicating the selected countermeasure among the displayed countermeasures from the user terminal 20. Accept.
 システム情報管理部132は、処理受付部131から、機器名及び事象観測日時の入力を受けると、機器情報記憶部121が記憶する機器情報テーブル121aから、入力された機器名(機器ID)に対応する属性値を抽出する。そして、システム情報管理部132は、観測情報記憶部122が記憶する観測事象情報テーブル122aから、抽出した属性値に対応する観測事象を抽出する。システム情報管理部132は、抽出した観測事象を、出力部137(後述)及び通信処理部11を介して、利用者端末20の画面に表示する。 When the system information management unit 132 receives the device name and the event observation date and time from the process reception unit 131, the system information management unit 132 corresponds to the input device name (device ID) from the device information table 121a stored in the device information storage unit 121. Extract the attribute value. Then, the system information management unit 132 extracts the observation event corresponding to the extracted attribute value from the observation event information table 122a stored in the observation information storage unit 122. The system information management unit 132 displays the extracted observation event on the screen of the user terminal 20 via the output unit 137 (described later) and the communication processing unit 11.
 インシデント情報管理部133は、処理受付部131から、事象観測を受け付けると、システム情報管理部132が抽出した機器の属性と、受け付けた観測事象とを基に、観測情報記憶部122を参照して、想定される機器への攻撃の種別とその発生確率とを算出する。インシデント情報管理部133は、攻撃種別と、その攻撃の発生確率とを、発生日時、観測事象ID及び機器ID等の情報に対応付けて、インシデント情報記憶部123に登録する。また、インシデント情報管理部133は、処理受付部131から、利用者端末によって選択された対策情報を受け付けると、属性情報記憶部124のインシデントに対する対策状況報告テーブル124eに登録する。 When the incident information management unit 133 receives the event observation from the process reception unit 131, the incident information management unit 133 refers to the observation information storage unit 122 based on the attribute of the device extracted by the system information management unit 132 and the received observation event. , The type of expected attack on the device and its occurrence probability are calculated. The incident information management unit 133 registers the attack type and the occurrence probability of the attack in the incident information storage unit 123 in association with information such as date and time of occurrence, observation event ID, and device ID. In addition, when the incident information management unit 133 receives the countermeasure information selected by the user terminal from the process reception unit 131, the incident information management unit 133 registers the countermeasure information report table 124e for the incident in the attribute information storage unit 124.
The risk estimation unit 134 acquires from the attribute information storage unit 124 the attribute information of the device (the first device) corresponding to the device ID received by the process reception unit 131, and estimates the risk of the device on the network being attacked based on the acquired attribute information and the observed event received by the process reception unit.
The risk estimation unit 134 also obtains, based on the segment connection information stored in the device information storage unit 121, the attack transition probability from the first device to any device (a second device) to which the attack may spread. Then, based on the damage content assumed in advance for each device's purpose of use, the probability that each type of attack causes that damage, and the attack transition probability to the second device, the risk estimation unit 134 estimates the probability that damage from the attack occurs. The risk estimation unit 134 may weight the attack transition probability to the second device by the hop count; in that case it multiplies the attack probability of the transition-source device by a weight derived from the hop count to obtain the attack transition probability to the second device. The risk estimation unit 134 outputs to the user terminal 20, via the output unit 137 and the communication processing unit 11, the probability of damage from the attack together with the countermeasures against the attack acquired from the attribute information storage unit 124.
When the risk estimation unit 134 then receives the selected countermeasure from the user terminal 20 via the process reception unit 131, it corrects the probability of damage from the attack using the correction value for that countermeasure acquired from the attribute information storage unit 124, and outputs the corrected probability of damage to the user terminal 20 via the output unit 137 and the communication processing unit 11.
The external situation management unit 135 acquires various external situations and registers them in the media trend evaluation information storage unit 125 and the social media analysis information storage unit 126. It also calculates a business impact index and outputs it to the business impact calculation unit 136. Examples of a business impact index are a numerical value reported by a tool that monitors exchanges on social media, indicating an increase or decrease according to the severity of the risk, and the degree of damage to the company's image derived by classifying news coverage of the company, by headline and content, into favorable, neutral and hostile articles.
Based on the estimation result of the risk estimation unit 134, the business impact calculation unit 136 estimates the impact on the business of the services provided by the network when a device on the network is attacked. Based on the various information each service affects, the business impact calculation unit 136 obtains, for the services provided by the network, the monetary amount associated with the business impact of the damage caused by the attack, and then estimates the business impact using that amount and the probability of damage from the attack. Specifically, the business impact is the amount obtained multiplied by the probability that the damage occurs. The business impact calculation unit 136 may further multiply the product of the amount and the damage probability by the business impact index based on the external situation, as a weight, to obtain the business impact.
The output unit 137 outputs the estimation result of the business impact calculation unit 136 to the user terminal 20 via the communication processing unit 11. It likewise outputs the estimation result of the risk estimation unit 134 to the user terminal 20 via the communication processing unit 11.
[Flow of estimation processing]
Next, the flow of the estimation process performed by the estimation device 10 is described. FIG. 13 shows an example of a screen displayed on the user terminal 20.
First, when a user discovers some unusual event, the user displays the screen M1 shown in FIG. 13, selects the name (device ID) of the device on which the event was found, "server-S", and enters the date and time at which the event was confirmed, "2018/8/21 10:34"; the entered content is sent to the process reception unit 131. The process reception unit 131 passes this information to the system information management unit 132, which extracts the attribute value "Web server" corresponding to the input device ID "server-S" from the device information table 121a (see FIG. 3) in the device information storage unit 121.
Next, based on the extracted attribute value "Web server", the system information management unit 132 extracts from the observed event information table 122a (see FIG. 5) the events corresponding to observed event IDs "1" to "4", namely "server service suddenly stops", "NW down or slowed", "server behaves abnormally" and "DB server load increased", and displays them in order as "confirmed events" on the screen M1 of the user terminal 20 (see region R1 in FIG. 13). Suppose the user then checks the boxes for the confirmed events "server service suddenly stops" and "NW down or slowed" on screen M1 and presses the register button. As a result, the user terminal 20 sends to the estimation device 10 the confirmed events that occurred on "server-S": "server service suddenly stops" (observed event ID "1") and "NW down or slowed" (observed event ID "2").
On receiving these confirmed events, the incident information management unit 133 of the estimation device 10 refers to the observed event information table 122a, acquires the attack probabilities for the confirmed events and the probability calculation method, and calculates the attack occurrence rate.
First, the incident information management unit 133 acquires from the observed event information table 122a the function defined for each attack type corresponding to the observed events. This function is defined to aggregate several probabilities for each attack type. For example, for the unauthorized intrusion attack there are three events that may be observed, "server service suddenly stops" (observed event ID "1"), "NW down or slowed" (observed event ID "2") and "server behaves abnormally" (observed event ID "3"), so a function "f(x1,x2,x3)" with the three parameters "x1" to "x3", one per ID, is defined.
When the user has selected several observed events, the incident information management unit 133 uses this function to reduce them to a single probability of the attack. Suppose, for example, that "f(x1,x2,x3)=max(x1,x2,x3)" is defined. In this example, observed event IDs "1" and "2" are checked, so from the probability column of the observed event information table 122a "x1=80%" and "x2=20%"; observed event ID "3" is not checked, so "x3=0%". The maximum is "x1", so the incident information management unit 133 sets the probability of an unauthorized intrusion attack to "80%", and registers "80%" in the probability column for "server-S" (incident ID "1"), on which the anomaly was observed, in the incident information table 123a of the incident information storage unit 123.
Next, the incident information management unit outputs the information registered in the incident information table 123a to the risk estimation unit 134, namely that an "unauthorized attack" on "server-S" (incident ID "1"), on which the anomaly was observed, is occurring with probability "80%". Taking this result as the first stage, the risk estimation unit 134 calculates the probability of damage from attacks on the network's devices in a second and a third stage. FIG. 14 shows an example of the damage probability calculation by the risk estimation unit 134 for the network shown in FIG. 2.
The risk estimation unit 134 then executes the second-stage calculation, in which it obtains the attack transition probability from "server-S" (the first device), on which the event was observed, to each second device to which the attack may spread.
First, in the second-stage calculation, the risk estimation unit 134 uses the device ID "server-S" to acquire, from the device information table 121a and the segment information connection table 122b of the device information storage unit 121, the segment information of the attacked "server-S". Here it obtains the segment "DMZ" to which "server-S" belongs from the device information table 121a, and from the segment information connection table 122b the hop counts for "DMZ": "1" ("DMZ"), "3" ("internal LAN") and "3" ("business LAN"). Based on this information, the risk estimation unit 134 extracts the devices to which the attack may have spread from "server-S". In the network of FIG. 2, for example, these are "server-T" in the DMZ (enclosed by the dashed line), "server-U" and "server-Q" in the internal LAN, and "PC-A" in the business LAN.
Assuming the attack type on "server-S" to be "unauthorized intrusion", which has the highest probability, "80%", the risk estimation unit 134 also assumes that "unauthorized intrusion" is being carried out on the devices to which the attack may spread.
Here, the risk estimation unit 134 can obtain the probability that the attack spreads from "server-S" to each device by using the hop count between NW segments as a weight. In the example of FIG. 4, "(1/2)^(h-1)" is chosen as the weight, where "h" is the hop count recorded in the segment connection information table 121b (see FIG. 4). FIG. 15 illustrates how the attack transition probability is calculated. In this example the attack transition probability to each device is calculated on the principle that within the same NW segment the probability of the attack spreading is the same, and that the more NW segments apart, in other words the more logically distant, the lower the probability of the attack spreading.
Specifically, as shown in FIG. 15, the probability Pb of transition from event a to event b is the probability Pa of event a multiplied by (1/2)^(s-1), where s is the hop count between events a and b. Similarly, the probability Pc of transition from event a to event c is the probability Pb multiplied by (1/2)^(t-1), where t is the hop count between events a and c.
Therefore, for the probability of "unauthorized intrusion on server-T" in the DMZ in the second stage of FIG. 4, the risk estimation unit 134 assigns the same "80%" as in the first stage, since it is in the same NW segment as "server-S". For the probability of "unauthorized intrusion on server-U" in the internal LAN in the second stage of FIG. 4, the hop count is "3", so it assigns "20%", obtained by multiplying the "80%" of "server-S" by (1/2)^2.
In this way, in the second-stage processing the risk estimation unit 134 appropriately estimates which device is subject to which attack and with what probability. Moreover, because it calculates the attack probability of each device with the hop count as a weight, it obtains attack probabilities that appropriately reflect how each device is connected.
The risk estimation unit 134 then executes the third-stage calculation, in which it estimates the probability of the damage expected from the attack. In this third-stage processing it uses the damage content assumed in advance for each device's purpose of use, the probability of each damage according to attack type, and the attack transition probabilities to the network's devices obtained in the second stage.
First, the risk estimation unit 134 refers to the device information table 121a of the device information storage unit 121 and extracts, for each device to which the attack may spread from "server-S" as obtained in the second stage, that device's purpose of use. Next, it refers to the purpose-damage relationship presentation table 124a of the attribute information storage unit 124 (see FIG. 7) and extracts the damage content corresponding to each device's purpose of use.
For example, the second-stage calculation found that when "server-S" suffers an unauthorized intrusion, "server-T" and "server-U" may also suffer one (see the second stage in FIG. 4). In the third stage, since the purpose of use of "server-T" and "server-U" is "service provision (application)" (see lines 2 and 3 of FIG. 3), the risk estimation unit 134 ultimately assumes, based on the purpose-damage relationship presentation table 124a (see FIG. 7), damages such as "service A stop", "service A tampering" and "service A information leak". Similarly, since the purpose of use of "server-W" is "service provision (personal information, confidential information)" (line 4 of FIG. 3), the risk estimation unit 134 obtains "file server tampering" and "file server information leak" (line 3 of FIG. 7) as the damages assumed for "server-W".
Then, as the third-stage processing, based on the attack type information table 124b of the attribute information storage unit 124 (see FIG. 8), the risk estimation unit 134 obtains, for each device to which the attack is expected to spread, the probability of each damage according to attack type. Specifically, for each damage content obtained from the purpose-damage relationship presentation table 124a according to the device's purpose of use, it multiplies the probability of that damage for the attack type by the attack transition probability to that device obtained in the second stage; the product is the probability of damage from the attack, which is the third-stage probability.
Thus, for example, for the probability that "service A stop" occurs, the risk estimation unit 134 obtains "48%" by multiplying the probability "60%" of the damage "service stop" from the attack type "unauthorized intrusion" (see line 1 of FIG. 8) by the probability "80%" of "unauthorized intrusion on server-T" obtained in the second stage (see the first row of the third stage in FIG. 14).
Among the damages, service tampering and service information leak have probability values calculated from more than one device, so a single value must be determined. FIG. 16 illustrates how the probability of each damage according to attack type is calculated. As shown in FIG. 16, in this example the probability Pf of transition from event d or event e to event f can be calculated from the probability Pd of event d and the probability Pe of event e as in equation (1).
Figure JPOXMLDOC01-appb-M000001
Thus, for example, for the probability that "service A tampering" occurs, the risk estimation unit 134 obtains "46%" by applying to equation (1) the probability "50%" of the damage "service tampering" from the attack type "unauthorized intrusion" (see line 2 of FIG. 8) together with the probability "80%" of "unauthorized intrusion on server-T" and the probability "20%" of "unauthorized intrusion on server-U" obtained in the second stage (see the second row of the third stage in FIG. 14).
In this way, by performing the third-stage calculation, the risk estimation unit 134 appropriately calculates the concrete content of the damage from the assumed attack and the probability that each damage occurs.
Next, the risk estimation unit 134 acquires, as countermeasure information, the procedure for the attack type "unauthorized intrusion" from the countermeasure table 124c of the attribute information storage unit 124, and displays on the user terminal 20 the estimated attack, the probability of damage from that attack, and the acquired countermeasure information for the attack. FIG. 17 shows an example of a screen displayed on the user terminal 20.
When the user checks and registers the confirmed events on screen M1, the screen of the user terminal 20 shows, as in screen M2 of FIG. 17, the estimated attack and its probability (see table L1), the devices to which the estimated attack spreads and their attack transition probabilities (see table L2), and the countermeasures that can be taken against the attack (see region R2).
In this way, in responding to a crisis such as a cyber incident, the estimation device 10 estimates which devices may be under attack from input such as user reports, server logs and network monitoring tool logs. In addition to information such as the data a device holds and the services it provides, the estimation device 10 uses the device's connections to other devices to derive the specific damage to be expected, and presents the damage situation to the user in a recognizable form. Further, the estimation device 10 presents the user with countermeasures against the estimated attack.
Consider, as an example, the case where the user checks the box for the available countermeasure "unauthorized intrusion" on screen M2 and presses the countermeasure selection button. The user terminal 20 then sends the countermeasure "unauthorized intrusion" against the attack to the estimation device 10, where the incident information management unit 133 registers the countermeasure "unauthorized intrusion" (countermeasure ID "1") selected by the user in the incident countermeasure status report table 124e of the attribute information storage unit 124, together with the registration date and time, the update date and time and the attack type ID (see line 1 of FIG. 11).
The risk estimation unit 134 then corrects the probability of damage from the attack using the correction value for the countermeasure sent from the user terminal 20, because taking a countermeasure against an attack also changes the probability that the damage caused by that attack occurs. The correction processing by the risk estimation unit is described next.
First, the risk estimation unit 134 refers to the countermeasure-specific attack type information table 124d of the attribute information storage unit 124 and extracts the damage probabilities corresponding to the selected countermeasure. These damage probabilities are registered per attack type; in this example the risk estimation unit 134 extracts the probabilities "x11" to "x3m" of each damage under "countermeasure 1" (countermeasure ID "1").
FIG. 18 illustrates the correction processing by the risk estimation unit 134. As shown in FIG. 18, the risk estimation unit 134 computes the Hadamard product, shown in equations (2) and (3), of the values extracted from the countermeasure-specific attack type information table 124d (see table L2-1) and the damage probabilities calculated in the third stage (see table L3-1), and fixes the result (z in equation (2)) as the probability after the countermeasure is implemented. For explanation, table L3-1 shows the third-stage damage probabilities as "y11" to "y3m", indexed by attack type "1" to "3" and damage "1" to "m"; "y11" to "y3m" are the values actually calculated in the third-stage processing, "48%", "46%" and "62%" (see the third stage in FIG. 14).
[Equation (2): image JPOXMLDOC01-appb-M000002]
[Equation (3): image JPOXMLDOC01-appb-M000003]
In this way, by correcting the probability that the attack causes damage according to the selected countermeasure, the risk estimation unit 134 obtains with high accuracy the damage occurrence probabilities for the case in which that countermeasure is selected. The risk estimation unit 134 has the user terminal 20 display the corrected damage occurrence probabilities as the damage occurrence probabilities when the countermeasure is selected. FIG. 19 shows an example of a screen displayed on the user terminal 20.
As shown in screen M3 of FIG. 19, the user terminal 20 displays, in tabular form, the estimated damage occurrence probabilities after the countermeasure the user selected against "unauthorized intrusion" is carried out (see Table L3). Referring to Table L3 on screen M3, the user can confirm the benefit of the selected countermeasure and then decide whether to actually carry it out.
The risk estimation unit 134 then outputs the probability of each damage after the countermeasure is implemented to the business impact calculation unit 136. In addition, the external situation management unit 135 calculates a business impact index and outputs it to the business impact calculation unit 136.
Next, the calculation of the business impact index by the external situation management unit 135 is described. From the headlines and bodies of articles about the company obtained through a service such as news clipping, the external situation management unit 135 extracts the numbers of favorable, neutral and hostile articles and uses them as an indicator of the degree of impact. These articles are stored in the media trend evaluation information storage unit 125. For example, one of the three factors that determine reputational risk is the gap between reputation and reality. In this case, the external situation management unit 135 classifies the news articles into positive, neutral and negative coverage and obtains, as the business impact index, the ratio of each category to all coverage published since the incident became public, thereby quantifying how far the company's image has been damaged (the business impact). For example, the business impact index is defined as shown in equation (4).
[Equation (4): image JPOXMLDOC01-appb-M000004]
Although the external situation management unit 135 has been described as obtaining the business impact index from press articles, a reputation index may be obtained in the same way from social media. The method of obtaining the business impact index described here is only an example, and other indicators may be incorporated.
Next, the business impact calculation unit 136 estimates the impact that the attack has on the business of the service provided by the network. Here, the business impact calculation unit 136 extracts the items related to business impact from the business impact table 127a for the service name in the company basic information storage unit 127 and calculates the business impact of the service.
Take the case in which "Server-S" is attacked. The service whose scope includes "Server-S" belongs to "Company A". The business impact calculation unit 136 therefore extracts from the business impact table 127a for the service name the items needed to calculate the business impact, for example the number of personal information records "e × 10,000", the compensation per personal information record "f × 100 yen", the number of confidential information items "g × 100", the compensation per confidential information item "h × 10,000 yen", the litigation cost "i × 10,000 yen", the daily sales of the service "j × 100 million yen", and the impact on the stock price "k%". The business impact calculation unit 136 then uses equations (5) to (8) to calculate the personal information compensation amount, the confidential information compensation amount, the impact on sales and the stock price drop amount.
[Equation (5): image JPOXMLDOC01-appb-M000005]
[Equation (6): image JPOXMLDOC01-appb-M000006]
[Equation (7): image JPOXMLDOC01-appb-M000007]
[Equation (8): image JPOXMLDOC01-appb-M000008]
Next, the business impact calculation unit 136 multiplies each of the business impact amounts calculated with equations (5) to (8) by the corrected damage occurrence probability obtained by the risk estimation unit 134, thereby calculating the monetary business impact of the attack when the countermeasure is taken.
At this point, the business impact calculation unit 136 may further multiply the result by the business impact index output from the external situation management unit 135 as a weight. For example, multiplying the impact on sales by the business impact index as a weight yields an impact that better reflects the prevailing social situation.
The business impact calculation unit 136 has the user terminal 20 display the various estimated amounts of the business impact of the attack. FIG. 20 shows an example of a screen displayed on the user terminal 20.
As shown in screen M4 of FIG. 20, the user terminal 20 displays, in tabular form, the business impact of the "unauthorized intrusion" attack after the countermeasure the user selected against it is carried out (see Table L4). Referring to Table L4 on screen M4, the user can check concretely and from several angles the business impact under the selected countermeasure.
The business impact calculation unit 136 further has the user terminal 20 display the results of equations (5) to (8) as they are, without multiplying them by the corrected damage occurrence probabilities from the risk estimation unit 134, that is, the result for the case in which the countermeasure against "unauthorized intrusion" is not carried out. By checking this result on the screen of the user terminal 20, the user can see the business impact when the countermeasure is not carried out.
In this way, when an observed event indicates that an attack is occurring, the estimation device 10 presents the user concretely with the business impact of the predicted damage both when a countermeasure against the attack is carried out and when it is not.
[Processing procedure of the estimation processing]
Next, the processing procedure of the estimation processing according to the embodiment is described. FIG. 21 is a sequence diagram showing an example of the flow of the estimation processing according to the embodiment.
As shown in FIG. 21, when the user enters on the input screen of the user terminal 20 the name of the device on which an event was found and the date and time the event was confirmed, and these are transmitted (steps S1 and S2), the processing reception unit 131 accepts the input and outputs it to the system information management unit 132 (step S3).
The system information management unit 132 extracts the attribute values corresponding to the input device ID from the device information table 121a (see FIG. 3) in the device information storage unit 121 (step S4). Based on the extracted attribute values, it extracts observation events from the observation event information table 122a (see FIG. 5) in the observation information storage unit 122 (step S5). It then transmits, via the output unit 137 and the communication processing unit 11 (not shown), an instruction to display the observation events on the screen of the user terminal 20 (steps S6 and S7).
As a result, the events to be confirmed are displayed on the screen of the user terminal 20 (step S8). When the user registers the confirmed events, the processing reception unit 131 of the estimation device 10 accepts the registered events (step S9) and outputs them to the incident information management unit 133 (step S10). The incident information management unit 133 refers to the observation event information table 122a, obtains the attack probability and the probability calculation method for the confirmed events (step S11), and calculates the attack occurrence rate (step S12). It registers the type of attack on the first device, on which the event was observed, and the occurrence rate of that attack in the incident information table 123a of the incident information storage unit 123 (step S13), and outputs the attack type and attack occurrence rate for the first device to the risk estimation unit 134 (step S14).
Taking this result as the first stage, the risk estimation unit 134 calculates the probability of damage from attacks on network devices in two further steps, a second stage and a third stage.
First, based on the segment connection information in the device information table 121a and the segment information connection table 122b of the device information storage unit 121, the risk estimation unit 134 extracts the second devices to which the attack may propagate (spread) from the first device (step S15). The risk estimation unit 134 then obtains the hop count of the first device from the device information storage unit 121 (step S16) and calculates the probability that the attack propagates from the first device to each second device, using the hop count of the NW segment as a weight as in FIGS. 14 and 15 (step S17).
The risk estimation unit 134 then executes the third-stage calculation. It refers to the device information table 121a of the device information storage unit 121 and extracts the purpose of use of each second device (step S18). Next, it refers to the table 124a of relationships between purpose of use and damage (see FIG. 7) and the attack type information table 124b (see FIG. 8) in the attribute information storage unit 124, and extracts the damage corresponding to each device's purpose of use and the occurrence probability of each damage per attack type (step S19).
Based on the extracted information, the risk estimation unit 134 calculates, for each device to which the attack is expected to propagate, the damage the attack would cause and the occurrence probability of each damage (step S20). Specifically, it multiplies the occurrence probability of each damage for the attack type extracted in step S19 by the attack propagation probability for that device obtained in the second stage, and takes the product as the third-stage damage occurrence probability.
Next, the risk estimation unit 134 obtains, as countermeasure information, the procedure for dealing with the attack on the first device from the countermeasure table 124c of the attribute information storage unit 124 (step S21). Via the output unit 137 and the communication processing unit 11, the risk estimation unit 134 causes the user terminal 20 to display the estimated attack, information indicating the occurrence probability of damage from that attack, and the obtained countermeasure information for the attack (steps S22 and S23).
The screen of the user terminal 20 thereby displays the estimated attack, the information indicating the damage occurrence probabilities, and the obtained countermeasure information (step S24). When the user selects a countermeasure, the processing reception unit 131 of the estimation device 10 accepts the selection (step S25) and outputs it to the incident information management unit 133 (step S26). The incident information management unit 133 registers the selected countermeasure in the incident countermeasure status report table 124e of the attribute information storage unit 124 (step S27) and outputs the selected countermeasure to the risk estimation unit 134.
Next, the risk estimation unit 134 refers to the attack type information table 124d for countermeasure plans in the attribute information storage unit 124 and extracts the damage occurrence probabilities corresponding to the selected countermeasure plan (step S28). Using the extracted probabilities as correction values as described for FIG. 18, it calculates the probabilities after the countermeasure is implemented (step S29). In this way, the risk estimation unit 134 corrects the damage occurrence probabilities of the attack using the correction values corresponding to the selected countermeasure.
The risk estimation unit 134 has the user terminal 20 display the corrected damage occurrence probabilities as the occurrence probability of each damage after the countermeasure is implemented (steps S30 and S31). As a result, the screen of the user terminal 20 shows the damage occurrence probabilities after the countermeasure selected by the user is carried out (step S32).
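The three-stage estimation of steps S12 to S20 and the countermeasure correction of FIG. 18 (step S29), as an added, runnable example that is not code from the patent. The patent's tables 121a, 122a, 124a, 124b and 124d, the per-event "probability calculation method", and the hop-count weighting of FIGS. 14 and 15 are not reproduced on this page, so every table content below is constructed, the noisy-OR combination in stage 1 and the halving-per-hop weight in stage 2 are assumed choices, and the device and damage names are placeholders.

```python
"""Three-stage attack risk estimation with countermeasure correction.

Illustrative code written for this page; all tables and weights are
constructed assumptions, not the patent's data.
"""
from typing import Dict, List, Tuple

# Stage 1 input: observation events confirmed on the first device, with the
# attack type each suggests and the probability stored for it
# (observation event information table 122a; constructed values).
OBSERVED_EVENTS: List[Tuple[str, str, float]] = [
    ("unexpected outbound connection", "unauthorized_intrusion", 0.6),
    ("new administrator account",      "unauthorized_intrusion", 0.5),
]

# Stage 2 input: hop count from the first device's segment to each second
# device the attack could propagate to (segment connection information;
# constructed values).
HOPS_FROM_FIRST: Dict[str, int] = {"server-S": 1, "db-1": 2, "file-1": 3}

# Stage 3 inputs: purpose of use per device (table 121a), damages per purpose
# (table 124a) and P(damage | attack type) (table 124b); constructed values.
PURPOSE = {"server-S": "web", "db-1": "customer_db", "file-1": "file_share"}
DAMAGE_BY_PURPOSE = {
    "web":         ["defacement", "service_outage"],
    "customer_db": ["personal_info_leak", "service_outage"],
    "file_share":  ["confidential_leak"],
}
DAMAGE_PROB = {
    "unauthorized_intrusion": {
        "defacement": 0.4, "service_outage": 0.3,
        "personal_info_leak": 0.7, "confidential_leak": 0.6,
    },
}

# Correction values x_ij per countermeasure plan (table 124d; constructed).
# 1.0 leaves a damage probability unchanged, 0.0 eliminates it.
COUNTERMEASURE_FACTORS = {
    "isolate_segment": {
        "defacement": 0.5, "service_outage": 0.8,
        "personal_info_leak": 0.2, "confidential_leak": 0.2,
    },
}


def stage1_attack_rate(events, attack_type: str) -> float:
    """Stage 1 (steps S11-S12): attack occurrence rate on the first device.

    The page says a per-event 'probability calculation method' is stored but
    does not show it; combining the events with noisy-OR is an assumption.
    """
    miss = 1.0
    for _name, kind, p in events:
        if kind == attack_type:
            miss *= 1.0 - p
    return 1.0 - miss


def hop_weight(hops: int) -> float:
    """Assumed stand-in for the FIG. 14/15 weighting: halve per extra hop."""
    return 0.5 ** (hops - 1)


def stage2_transition(rate: float, hops_from_first) -> Dict[str, float]:
    """Stage 2 (steps S15-S17): probability the attack reaches each device."""
    return {dev: rate * hop_weight(h) for dev, h in hops_from_first.items()}


def stage3_damage_probs(transition, attack_type: str):
    """Stage 3 (steps S18-S20): P(reach device) * P(damage | attack type)."""
    return {
        (dev, dmg): p_reach * DAMAGE_PROB[attack_type][dmg]
        for dev, p_reach in transition.items()
        for dmg in DAMAGE_BY_PURPOSE[PURPOSE[dev]]
    }


def hadamard_correction(damage_probs, factors):
    """Step S29: element-wise (Hadamard) product of the stage-3 table with
    the countermeasure table, z = x * y per cell, as described for FIG. 18."""
    return {key: p * factors[key[1]] for key, p in damage_probs.items()}


def estimate(attack_type: str, countermeasure: str):
    """Run all three stages and the correction; returns every intermediate."""
    rate = stage1_attack_rate(OBSERVED_EVENTS, attack_type)
    reach = stage2_transition(rate, HOPS_FROM_FIRST)
    before = stage3_damage_probs(reach, attack_type)
    after = hadamard_correction(before, COUNTERMEASURE_FACTORS[countermeasure])
    return rate, reach, before, after


if __name__ == "__main__":
    rate, reach, before, after = estimate("unauthorized_intrusion", "isolate_segment")
    print(f"stage 1 attack occurrence rate: {rate:.2f}")
    for (dev, dmg), p in before.items():
        print(f"{dev:<9} {dmg:<19} before {p:.3f}  after {after[(dev, dmg)]:.3f}")
```

Because the correction is a plain element-wise product, a factor above 1.0 in table 124d would raise a probability; a practitioner loading real countermeasure tables should validate that every factor lies in [0, 1] before calling `hadamard_correction`.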
Next, the risk estimation unit 134 outputs the probability of each damage after the countermeasure is implemented to the business impact calculation unit 136 (step S33). The external situation management unit 135 calculates the business impact index and outputs it to the business impact calculation unit 136 (step S35).
The business impact calculation unit 136 extracts company basic information, including the items related to business impact, from the business impact table 127a for the service name in the company basic information storage unit 127 (step S34). Based on the probability of each damage after the countermeasure is implemented and on the business impact index, it calculates the business impact of the service (step S36). For example, using equations (5) to (8), the business impact calculation unit 136 calculates the personal information compensation amount, the confidential information compensation amount, the impact on sales and the stock price drop amount as the business impact of the service.
The business impact calculation unit 136 has the user terminal 20 display the various estimated amounts of the business impact of the attack (steps S37 and S38). As a result, the user terminal 20 displays the business impact of the attack depending on whether the countermeasure selected by the user is carried out (step S39). The business impact calculation unit 136 also registers the calculated business impact of the attack on the service in the company basic information storage unit 127 (step S40), and the processing ends.
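The business impact index from press coverage (external situation management unit 135, equation (4)) and the monetary business impact with and without the countermeasure (business impact calculation unit 136, equations (5) to (8) and steps S33 to S39), as one added, runnable example that is not code from the patent. Equations (4) to (8) are images not reproduced on this page, so each formula below is an assumed stand-in: the index is taken as 1 plus the negative-coverage share, the compensation amounts as count times per-item compensation, the sales impact as daily sales times an assumed outage length, and the stock price drop as an assumed market capitalisation times the percentage; the headlines, table values, damage-to-amount mapping and corrected probabilities are all constructed.

```python
"""Business impact index and monetary impact with/without a countermeasure.

Illustrative code written for this page; equations (4)-(8) are not shown on
the page, so every formula here is an assumed stand-in and all figures are
constructed.
"""
from typing import Dict, List, Tuple

# Constructed headlines about the company published after the incident became
# public, already labelled (the articles live in the media trend evaluation
# information storage unit 125; the classifier is out of scope here).
ARTICLES: List[Tuple[str, str]] = [
    ("Company A restores service after intrusion",     "positive"),
    ("Company A confirms breach investigation",        "neutral"),
    ("Customer records leaked in Company A intrusion", "negative"),
    ("Regulator opens probe into Company A breach",    "negative"),
]

# Business impact table 127a for the service (constructed). The first items
# follow the list given for equations (5)-(8); outage_days and market_cap are
# extra assumptions needed to turn daily sales and a percentage into yen.
SERVICE_A = {
    "personal_info_count": 50_000, "personal_compensation_per_record": 500,
    "confidential_info_count": 300, "confidential_compensation_per_item": 100_000,
    "daily_sales": 200_000_000, "outage_days": 2,
    "stock_drop_pct": 3.0, "market_cap": 50_000_000_000,
}

# Which corrected damage probability scales each amount (assumed mapping).
DAMAGE_FOR_AMOUNT = {
    "personal_compensation":     "personal_info_leak",
    "confidential_compensation": "confidential_leak",
    "sales_impact":              "service_outage",
    "stock_drop":                "personal_info_leak",
}

# Corrected damage probabilities as the risk estimation unit would hand them
# over after step S29 (constructed values).
CORRECTED_PROBS = {
    "personal_info_leak": 0.056, "confidential_leak": 0.024,
    "service_outage": 0.192,
}


def coverage_ratios(articles) -> Dict[str, float]:
    """Share of positive / neutral / negative coverage since disclosure."""
    counts = {"positive": 0, "neutral": 0, "negative": 0}
    for _headline, label in articles:
        counts[label] += 1
    total = sum(counts.values()) or 1
    return {label: n / total for label, n in counts.items()}


def business_impact_index(ratios) -> float:
    """Assumed form of equation (4): a weight >= 1 that grows with the share
    of negative coverage, so uniformly positive press leaves amounts as they are."""
    return 1.0 + ratios["negative"]


def raw_amounts(svc) -> Dict[str, float]:
    """Assumed stand-ins for equations (5)-(8), in yen, before any probability
    is applied. Per the text this is also the 'countermeasure not executed' view."""
    return {
        "personal_compensation":
            svc["personal_info_count"] * svc["personal_compensation_per_record"],
        "confidential_compensation":
            svc["confidential_info_count"] * svc["confidential_compensation_per_item"],
        "sales_impact": svc["daily_sales"] * svc["outage_days"],
        "stock_drop": svc["market_cap"] * svc["stock_drop_pct"] / 100.0,
    }


def expected_amounts(raw, corrected_probs, index: float) -> Dict[str, float]:
    """Amounts with the countermeasure: each raw amount times the corrected
    probability of the damage it stems from; the sales impact is additionally
    weighted by the business impact index, as the text permits."""
    out = {}
    for name, amount in raw.items():
        value = amount * corrected_probs[DAMAGE_FOR_AMOUNT[name]]
        if name == "sales_impact":
            value *= index
        out[name] = value
    return out


def business_impact(svc, corrected_probs, articles):
    """Returns (amounts without countermeasure, amounts with countermeasure)."""
    index = business_impact_index(coverage_ratios(articles))
    raw = raw_amounts(svc)
    return raw, expected_amounts(raw, corrected_probs, index)


if __name__ == "__main__":
    without, with_cm = business_impact(SERVICE_A, CORRECTED_PROBS, ARTICLES)
    for name in without:
        print(f"{name:<26} no countermeasure {without[name]:>16,.0f} yen"
              f"   with countermeasure {with_cm[name]:>14,.0f} yen")
```

Note that the "without countermeasure" column follows the text literally and shows the unweighted equation (5) to (8) amounts, not those amounts scaled by the uncorrected third-stage probabilities; a deployment that wants both rows on the same footing would pass the third-stage table into `expected_amounts` for the baseline instead.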
[Effects of the embodiment]
As described above, the estimation device 10 according to the embodiment receives, as input from the user terminal 20, device information identifying a device in the network and an observation event that occurred on that device. The estimation device 10 acquires the attribute information of the first device corresponding to the received device information and, based on the acquired attribute information and the received observation event, estimates the risk that devices in the network are attacked. Based on the risk estimation result, the estimation device 10 then estimates the impact on the business of the service provided by the network caused by devices in the network being attacked, and outputs that business impact to, for example, the user terminal 20.
Therefore, in crisis response to a cyber incident or the like, the estimation device 10 estimates the risk that devices in the network are attacked and then provides the user with a recognizable view of the impact of the attack on the business of the service. In the embodiment, presenting the business impact of the predicted damage at the time the damage is predicted lets the user properly grasp the real-world damage. That is, according to the present embodiment, the user can grasp the business impact of an attack early, at the point when an observed event that may lead to a cyber incident occurs, and can therefore respond efficiently to the cyber attack while taking the business impact into account.
[System configuration, etc.]
Each component of each illustrated device is functionally conceptual and need not be physically configured as illustrated. That is, the specific form in which the devices are distributed or integrated is not limited to what is shown; all or part of them may be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions. Furthermore, each processing function performed by each device may be implemented, in whole or in any part, by a CPU and a program analyzed and executed by that CPU, or as hardware using wired logic.
Of the processes described in the present embodiment, all or part of those described as being performed automatically may be performed manually, and all or part of those described as being performed manually may be performed automatically by known methods. In addition, the processing procedures, control procedures, specific names, and information including the various data and parameters shown in the above description and drawings may be changed arbitrarily unless otherwise specified.
[Program]
A program can also be written in a computer-executable language to describe the processing executed by the estimation device described in the above embodiment. For example, an estimation program describing, in a computer-executable language, the processing executed by the estimation device 10 according to the embodiment can be created. In that case, a computer executing the estimation program obtains the same effects as the above embodiment. Furthermore, the estimation program may be recorded on a computer-readable recording medium, and the same processing as in the above embodiment may be realized by having a computer read and execute the estimation program recorded on that medium.
FIG. 22 shows a computer that executes the estimation program. As illustrated in FIG. 22, the computer 1000 has, for example, a memory 1010, a CPU 1020, a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060 and a network interface 1070, which are connected by a bus 1080.
As illustrated in FIG. 22, the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM 1012. The ROM 1011 stores a boot program such as a BIOS (Basic Input Output System). The hard disk drive interface 1030 is connected to a hard disk drive 1090, and the disk drive interface 1040 to a disk drive 1100, into which a removable storage medium such as a magnetic disk or an optical disk is inserted. The serial port interface 1050 is connected to, for example, a mouse 1051 and a keyboard 1052, and the video adapter 1060 to, for example, a display 1061.
As illustrated in FIG. 22, the hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093 and program data 1094. That is, the estimation program described above is stored, for example, in the hard disk drive 1090 as a program module in which the instructions executed by the computer 1000 are written.
The various data described in the above embodiment are stored as program data in, for example, the memory 1010 or the hard disk drive 1090. The CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 or the hard disk drive 1090 into the RAM 1012 as needed and executes the various processing procedures.
The program module 1093 and program data 1094 of the estimation program need not be stored in the hard disk drive 1090; they may, for example, be stored in a removable storage medium and read by the CPU 1020 via a disk drive or the like, or be stored in another computer connected via a network (a LAN, a WAN (Wide Area Network), etc.) and read by the CPU 1020 via the network interface 1070.
10 Estimation device
11 Communication processing unit
12 Storage unit
13 Control unit
121 Device information storage unit
122 Observation information storage unit
123 Incident information storage unit
124 Attribute information storage unit
125 Media trend evaluation information storage unit
126 Social media analysis information storage unit
127 Company basic information storage unit
131 Processing reception unit
132 System information management unit
133 Incident information management unit
134 Risk estimation unit
135 External situation management unit
136 Business impact calculation unit
137 Output unit
20 User terminal
30 Connection line

Claims (7)

  1.  An estimation method executed by an estimation device, comprising:
     a reception step of receiving, as input from a terminal, device information identifying a device in a network and an observation event that occurred on that device;
     a first estimation step of acquiring attribute information of a first device corresponding to the device information received in the reception step, and estimating, based on the acquired attribute information and the observation event received in the reception step, the risk that devices in the network are attacked;
     a second estimation step of estimating, based on the estimation result of the first estimation step, the impact on the business of a service provided by the network caused by devices in the network being attacked; and
     a first output step of outputting the estimation result estimated in the second estimation step.
  2.  The estimation method according to claim 1, wherein the first estimation step obtains, based on segment connection information, an attack propagation probability from the first device to a second device to which the attack may propagate, and estimates the occurrence probability of damage by the attack based on the damage content according to the previously assumed purpose of use of each device, the occurrence probability of damage by attack type, and the attack propagation probability to the second device; and
     the second estimation step obtains, for the service provided by the network and based on the various information that each service affects, the monetary amount of the business impact of the damage caused by the attack, and estimates the business impact using the obtained amount and the occurrence probability of damage by the attack.
  3.  The estimation method according to claim 2, wherein the second estimating step multiplies the obtained monetary amount by the occurrence probability of damage caused by the attack, and multiplies the resulting amount by a business impact index based on an external situation as a weight, to obtain the degree of impact on the business.
  4.  The estimation method according to claim 2, wherein the first estimating step obtains the attack transition probability to the second device by multiplying the attack probability of the transition-source device by a value based on a hop count as a weight.
  5.  The estimation method according to claim 2, further comprising:
     a second output step of outputting, to the terminal, the occurrence probability of damage caused by the attack and countermeasures against the attack;
     a correcting step of, upon receiving a countermeasure selected from the terminal, correcting the occurrence probability of damage caused by the attack using a correction value according to the received countermeasure; and
     a third output step of outputting, to the terminal, the occurrence probability of damage caused by the attack as corrected in the correcting step.
  6.  An estimation device comprising:
     a receiving unit that receives, as input from a terminal, device information identifying a device in a network and an observation event that occurred in the device;
     a first estimating unit that acquires attribute information of a first device corresponding to the device information received by the receiving unit, and estimates, based on the acquired attribute information and the observation event received by the receiving unit, a risk that a device in the network is attacked;
     a second estimating unit that estimates, based on the estimation result of the first estimating unit, a degree of impact on a business regarding a service provided by the network that results from a device in the network being attacked; and
     an output unit that outputs the estimation result estimated by the second estimating unit.
  7.  An estimation program causing a computer to execute:
     a receiving step of receiving, as input from a terminal, device information identifying a device in a network and an observation event that occurred in the device;
     a first estimating step of acquiring attribute information of a first device corresponding to the device information received in the receiving step, and estimating, based on the acquired attribute information and the observation event received in the receiving step, a risk that a device in the network is attacked;
     a second estimating step of estimating, based on the estimation result of the first estimating step, a degree of impact on a business regarding a service provided by the network that results from a device in the network being attacked; and
     an output step of outputting the estimation result estimated in the second estimating step.
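As an added example (not the patent's own code), the following Python sketch carries the computations of claims 2 to 5 through on constructed sample data: a hop-count-weighted attack transition probability, a damage occurrence probability, the monetary business impact weighted by an external-situation index, and the correction applied after a countermeasure is selected. The hop-count weight (0.5 per hop), the multiplicative combination in claim 2, the damage table and the countermeasure correction values are assumptions, since the claims do not fix them.

```python
# Added example, not the patent's code. All tables below are constructed sample data.

# Segment connection information: hop count from a source device to a device
# an attack may transition to (claims 2 and 4).
HOPS = {("web01", "db01"): 1, ("web01", "fs01"): 2}
# Purpose of use of each device.
PURPOSE = {"web01": "public_web", "db01": "customer_db", "fs01": "file_share"}
# Damage table: occurrence probability of damage by (purpose of use, attack type).
DAMAGE_PROB = {
    ("customer_db", "malware"): 0.6,
    ("file_share", "malware"): 0.4,
}
# Correction values applied when the user selects a countermeasure (claim 5); assumed.
COUNTERMEASURE_FACTOR = {"patch": 0.5, "segment_isolation": 0.2}


def transition_probability(source_attack_prob, hops, decay=0.5):
    """Claim 4: source attack probability times a hop-count weight (assumed decay**hops)."""
    return source_attack_prob * decay ** hops


def damage_probability(source, source_attack_prob, target, attack_type):
    """Claim 2: damage table value combined (assumed: multiplied) with the transition probability."""
    p_trans = transition_probability(source_attack_prob, HOPS[(source, target)])
    return DAMAGE_PROB[(PURPOSE[target], attack_type)] * p_trans


def business_impact(amount, damage_prob, external_index):
    """Claim 3: monetary amount times damage probability, weighted by an external-situation index."""
    return amount * damage_prob * external_index


def corrected_probability(damage_prob, countermeasure):
    """Claim 5: apply the correction value of the countermeasure selected at the terminal."""
    return damage_prob * COUNTERMEASURE_FACTOR[countermeasure]


def rank_impacts(source, source_attack_prob, attack_type, amounts, external_index):
    """Business impact per device reachable from source, highest first (amounts: device -> money)."""
    impacts = {}
    for (src, target) in HOPS:
        if src != source:
            continue
        p = damage_probability(src, source_attack_prob, target, attack_type)
        impacts[target] = business_impact(amounts[target], p, external_index)
    return sorted(impacts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    amounts = {"db01": 1_000_000, "fs01": 200_000}  # constructed amounts per service
    for target, impact in rank_impacts("web01", 0.8, "malware", amounts, 1.5):
        print(f"{target}: business impact {impact:,.0f}")
```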
PCT/JP2019/042315 2018-11-15 2019-10-29 Estimation method, estimation device, and estimation program WO2020100570A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018-214910 2018-11-15
JP2018214910A JP2020086530A (en) 2018-11-15 2018-11-15 Estimation method, estimation device and estimation program

Publications (1)

Publication Number Publication Date
WO2020100570A1 true WO2020100570A1 (en) 2020-05-22

Family

ID=70731982

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/042315 WO2020100570A1 (en) 2018-11-15 2019-10-29 Estimation method, estimation device, and estimation program

Country Status (2)

Country Link
JP (1) JP2020086530A (en)
WO (1) WO2020100570A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20120159624A1 (en) * 2010-12-21 2012-06-21 Fujitsu Technology Solutions Intellectual Property Gmbh Computer security method, system and model
US20160241581A1 (en) * 2014-04-03 2016-08-18 Isight Partners, Inc. System and Method of Cyber Threat Intensity Determination and Application to Cyber Threat Mitigation
JP2017224053A (en) * 2016-06-13 2017-12-21 株式会社日立製作所 Vulnerability risk evaluation system and method

Also Published As

Publication number Publication date
JP2020086530A (en) 2020-06-04

Similar Documents

Publication Publication Date Title
US20220255965A1 (en) Cyber risk analysis and remediation using network monitored sensors and methods of use
EP3343867B1 (en) Methods and apparatus for processing threat metrics to determine a risk of loss due to the compromise of an organization asset
US20190272492A1 (en) Trusted Eco-system Management System
JP6621940B2 (en) Method and apparatus for reducing security risks in a networked computer system architecture
Ab Rahman et al. A survey of information security incident handling in the cloud
US9426169B2 (en) System and method for cyber attacks analysis and decision support
JP6382334B2 (en) A system for measuring and automatically accumulating various cyber risks and methods for dealing with them
US20130125239A1 (en) Insider threat correlation tool
Radziwill et al. Cybersecurity cost of quality: Managing the costs of cybersecurity risk management
JP7026681B2 (en) Digital security and account discovery
JP7005936B2 (en) Evaluation program, evaluation method and information processing equipment
US10819732B1 (en) Computing device, software application, and computer-implemented method for system-specific real-time threat monitoring
Maurushat et al. The legal obligation to provide timely security patching and automatic updates
Alqudhaibi et al. Cybersecurity 4.0: safeguarding trust and production in the digital food industry era
CN113361933A (en) Centralized management and control center for cross-enterprise collaboration
Adleena Huzaizi et al. Cyber-security culture towards digital marketing communications among small and medium-sized (SME) entrepreneurs
JPWO2015159926A1 (en) Information leakage detection device, information leakage detection method, and information leakage detection program
WO2020100570A1 (en) Estimation method, estimation device, and estimation program
Pandey 'Context, Content, Process' Approach to Align Information Security Investments with Overall Organizational Strategy
Catescu Detecting insider threats using security information and event management (SIEM)
Xiong et al. An empirical analysis of vulnerability information disclosure impact on patch R&D of software vendors
JP5352879B2 (en) Security measure evaluation method and apparatus
Thompson et al. Incident response frameworks
EP4329246A1 (en) System and method to quantify domain-centric risk
Bendovschi et al. Security countermeasures in the cyber-world

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19885562; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19885562; Country of ref document: EP; Kind code of ref document: A1)