WO2021079495A1 - Evaluation device, evaluation system, evaluation method and program - Google Patents

Evaluation device, evaluation system, evaluation method and program

Info

Publication number
WO2021079495A1
Authority
WO
WIPO (PCT)
Prior art keywords
application
information
vulnerability
risk
library
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2019/041928
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
和彦 磯山
純明 榮
淳 西岡
佑嗣 小林
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
NEC Corp
Original Assignee
NEC Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by NEC Corp
Priority to JP2021553260A (patent JP7294441B2)
Priority to US17/767,127 (patent US12271483B2)
Priority to PCT/JP2019/041928 (patent WO2021079495A1)
Publication of WO2021079495A1
Anticipated expiration
Legal status: Ceased (current)

Classifications

    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities > G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS > G06 COMPUTING OR CALCULATING; COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms > G06F2221/033 Test or assess software

Definitions

  • the present invention relates to an evaluation device, an evaluation system, an evaluation method and a program.
  • Patent Document 1 describes a method and a computer program for reducing the workload of updating a security policy while maintaining security strength in an information processing device that has a mandatory access control function.
  • Patent Document 2 states that it provides a vulnerability determination device, a vulnerability determination method, and a vulnerability determination program that can solve the problem of a program vulnerability being determined based only on specific development information.
  • Patent Document 3 states that it provides a vulnerability determination device and program that can single out, among the software whose vulnerability information has been disclosed, only the software with a high degree of influence on the safety of the computer, and can thereby improve security efficiently.
  • a library published as OSS may be incorporated into an application (application program). A published library is a program like any other, and it often has vulnerabilities such as bugs and security holes.
  • a library often has a complicated structure in which it calls further libraries, and whether or not the above vulnerability becomes apparent may change depending on the combination of libraries. Because an application has such a complicated configuration, it may not be possible to determine how much a vulnerability affects the system without executing the application. That is, in a system realized by an application, a software vulnerability may become apparent only after the application is started.
  • the main object of the present invention is to provide an evaluation device, an evaluation system, an evaluation method and a program for appropriately evaluating the risk of continuously executing an application without stopping the execution of the application.
  • an evaluation device is provided that includes a first acquisition unit that acquires application information about an application executed on a server, an evaluation unit that evaluates, based on the application information, the degree of risk of continuing to execute the application on the server, and an output unit that outputs the evaluation result of the degree of risk.
  • an evaluation system is provided that includes a server that generates application information about a running application and an evaluation device connected to the server; the evaluation device acquires the application information from the server.
  • an evaluation method is provided that includes a step of evaluating the degree of risk and a step of outputting the evaluation result of the degree of risk.
  • a program is provided that causes a computer mounted on the evaluation device to execute a process of acquiring application information about an application being executed on a server, a process of evaluating, based on the application information, the degree of risk of continuing to execute the application on the server, and a process of outputting the evaluation result of the degree of risk.
  • an evaluation device, an evaluation system, an evaluation method and a program for appropriately evaluating the risk of continuing to execute an application without stopping execution of the application are provided.
  • other effects may be produced in place of or in combination with the effect.
  • the evaluation device 100 includes a first acquisition unit 101, an evaluation unit 102, and an output unit 103 (see FIG. 1).
  • the first acquisition unit 101 acquires application information about the application being executed on the server.
  • the evaluation unit 102 evaluates the risk of continuously executing the application on the server based on the application information.
  • the output unit 103 outputs the evaluation result of the degree of risk.
  • the evaluation device 100 evaluates the risk of continuously executing the application based on the information (application information) of the application actually executed on the server. Since the application information is information that can be generated before the server is started and the application is executed, the above evaluation is possible even after the application is started on the server. Therefore, it is possible to appropriately determine (evaluate) the risk of continuously executing the application without stopping the execution of the application on the server.
  • FIG. 2 is a diagram for explaining the evaluation device 10 according to the first embodiment.
  • the evaluation device 10 acquires "application information" from the outside.
  • the application information is information about an application running on an external server (not shown in FIG. 2). Details regarding application information will be described later.
  • the evaluation device 10 evaluates the risk of continuously executing the application on the server based on the application information, and provides the administrator or the like with information according to the evaluation result.
  • when the evaluation device 10 evaluates (determines) that it is risky to continue executing the application on the server from which the application information was generated, the evaluation device 10 displays that fact on a liquid crystal monitor or the like.
  • if the evaluation device 10 recognizes a vulnerability in the application subject to risk evaluation but evaluates that the risk remains low even if execution of the application is continued, it may display that fact. When the evaluation device 10 determines that the application subject to risk evaluation has no vulnerability, it may display that fact as well.
  • the evaluation device 10 may display a countermeasure (countermeasure plan) together with the above evaluation result.
  • examples of the countermeasure include stopping execution of the application on the server and upgrading the application or library that was found to be vulnerable.
  • FIG. 3 is a diagram showing an example of a processing configuration (processing module) of the evaluation device 10 according to the first embodiment.
  • the evaluation device 10 includes an application information acquisition unit 201, a vulnerability information acquisition unit 202, a risk evaluation unit 203, an evaluation result output unit 204, and a storage unit 205.
  • the application information acquisition unit 201 is a means for acquiring application information.
  • the application information is information about each application running on the server subject to risk evaluation (see FIG. 4).
  • applications A1 to An (n is a positive integer; the same applies hereinafter) are the applications running on the server.
  • application detailed information is included in the application information.
  • the application detailed information includes, for example, an application name, an application identifier, and detailed information about each library called (loaded) by the application (hereinafter referred to as library detailed information).
  • the application identifier may be any information as long as the application can be uniquely defined.
  • the version of the application is exemplified as the above identifier.
  • the hash value of the application executable file may be used as the above identifier.
  • a hash value has collision resistance (it is practically infeasible to produce the same hash value from different data) and determinism (the same data always produces the same hash value). Therefore, the hash value generated from the binary file serves as an identifier that uniquely identifies the application.
  • application A1 uses m (m is a positive integer, the same applies hereinafter) libraries.
  • the detailed library information for each of the m libraries is included in the detailed information of the application A1.
  • the detailed library information includes, for example, the name of the library, the identifier of the library, and the function table.
  • the hash value generated from the library version or the binary file of the library can be used in the same way as the application identifier.
  • the function table is table information in which a list of functions called by the application (functions provided by the library to the application) is described. For example, as shown in FIG. 4, k (k is a positive integer, the same applies hereinafter) functions F1 to Fk are described in the library detailed information of the library L1.
  • Application information can be generated using commands or the like provided by the OS (Operating System) running on the server.
  • a list of running applications (processes) can be obtained by a ps command or the like.
  • a list of libraries loaded when the application is started can be obtained by a command such as ldconfig.
  • Table information such as GOT (Global Offset Table) and PLT (Procedure Linkage Table) generated when the application is linked can be used to generate the function table.
  • the application information acquisition unit 201 stores the acquired application information in the storage unit 205.
  • Vulnerability information acquisition unit 202 is a means for acquiring (collecting) information on vulnerabilities in applications and libraries (hereinafter referred to as vulnerability information). For example, the vulnerability information acquisition unit 202 generates a GUI (Graphical User Interface) for inputting the above vulnerability information, and acquires the vulnerability information from the administrator or the like.
  • the vulnerability information acquisition unit 202 may acquire the vulnerability information from an external storage medium such as a USB (Universal Serial Bus) memory in which the above vulnerability information is stored.
  • the vulnerability information acquisition unit 202 may access a database server on the network or a server managed by the developer of an application or library, and acquire vulnerability information from these servers. Specifically, the vulnerability information acquisition unit 202 may access a server that centrally manages and provides vulnerability information regarding libraries published as OSS, and acquire the vulnerability information from that server.
  • FIG. 5 is a diagram showing an example of vulnerability information.
  • the vulnerability information includes the name of the application or library, the identifier of the application or library, and information describing the content of the vulnerability (hereinafter referred to as vulnerability detailed information).
  • the identifier of the application etc. is the same kind of information as the identifier included in the application information (version of the application etc., hash value of the binary file).
  • the detailed information on the vulnerability includes, for example, the type of the vulnerability and the specific content of the vulnerability.
  • the type of vulnerability is information that is predetermined by the administrator, etc., according to the content of the vulnerability (defect) that the application or library has. For example, as shown in FIG. 6, the type of vulnerability is associated with the content of the defect.
  • the administrator or the like checks the web site operated by the creator of the application or library, and generates the vulnerability detailed information based on the defect information described on the web site and the information shown in FIG.
  • the above WEB site may contain information associating the identifier of the application in which the vulnerability was found, the type of the vulnerability, and the specific content of the vulnerability.
  • the vulnerability information acquisition unit 202 can acquire the vulnerability information as shown in FIG. 6 directly from the WEB site.
  • the items (fields) included in the application vulnerability information and the library vulnerability information are different.
  • FIG. 7A shows an example of vulnerability information related to the application.
  • the vulnerability detailed information of the vulnerability information regarding the application includes the type and specific content of the vulnerability.
  • version 1.1 of application A1 has a defect (vulnerability) whereby arbitrary code (an executable file) can be executed under specific conditions. The defect is classified as type 1 as shown in FIG.
  • FIG. 7B shows an example of vulnerability information regarding the library.
  • the vulnerability detailed information of the vulnerability information regarding the library includes a defect function (defect function field) in addition to the type and specific content of the vulnerability.
  • the function having the vulnerability is described as a defect function in the detailed information on the vulnerability of the library.
  • the defect function is information for identifying a function having a vulnerability (defect) among the functions that can be provided by the library.
  • version 2.2 of the library L1 has a vulnerability in which a security hole exists at port number X1 in the function F5.
  • the vulnerability is classified into type 4 as shown in FIG.
  • Vulnerability information acquisition unit 202 stores the acquired vulnerability information in the storage unit 205.
  • the vulnerability information acquisition unit 202 repeatedly acquires (collects) new vulnerability information, and stores the acquired vulnerability information in the storage unit 205.
  • the vulnerability information acquisition unit 202 accesses a database server or the like having the vulnerability information at regular intervals or at a predetermined timing to acquire the latest vulnerability information.
  • the risk evaluation unit 203 is a means for evaluating the risk of continuously executing an application on a server based on application information. More specifically, the risk evaluation unit 203 evaluates the risk of continuously executing the application on the server to be determined based on the application information and the vulnerability information. The risk evaluation unit 203 generates the evaluation result of the risk as “risk information”.
  • FIG. 8 is a flowchart showing an example of the operation of the risk evaluation unit 203.
  • the risk evaluation unit 203 extracts the application in which the corresponding vulnerability information is stored in the storage unit 205 from each application described in the application information (step S101).
  • the presence or absence of the corresponding vulnerability information is confirmed for each of the applications A1 to An, and the application in which the corresponding vulnerability information exists is extracted. Specifically, if the vulnerability information having the same identifier as the identifier of the application described in the application information is stored in the storage unit 205, the risk evaluation unit 203 extracts the application. That is, the risk evaluation unit 203 extracts the application in which the vulnerability information is stored in the storage unit 205 from the plurality of applications included in the application information.
  • the risk evaluation unit 203 determines the risk level (hereinafter referred to as risk level) of continuously executing the extracted application (step S102).
  • the risk assessment unit 203 determines the risk level by referring to the information related to the vulnerability type and the risk level described in the vulnerability information.
  • the storage unit 205 stores the information shown in FIG. 9, in which each vulnerability type is associated with a corresponding risk level. In the example of FIG. 9, the risk level is divided into three stages; the higher the risk level number, the higher the risk, so level 3 is the most dangerous.
  • Level 3: the application cannot be continuously executed, and immediate measures are required.
  • Level 2: the application can be continuously executed, but countermeasures are required.
  • Level 1: the application can be continuously executed and no countermeasures are required.
  • the risk level is determined to be "1".
  • the risk assessment unit 203 generates risk information (application risk information) related to the application based on the extracted application, the corresponding vulnerability information (vulnerability type), and the determined risk level (step S103).
  • the information shown in FIG. 10 is generated as application risk information.
  • the risk evaluation unit 203 generates application risk information that includes a risk level, derived from the vulnerability type in the vulnerability detailed information corresponding to the extracted application, indicating the risk of continuing to execute that application.
  • the risk evaluation unit 203 extracts the library in which the corresponding vulnerability information is stored in the storage unit 205 from each library described in the application information (step S104).
  • the risk evaluation unit 203 extracts the library.
  • the risk evaluation unit 203 determines whether or not the vulnerability of the extracted library becomes apparent by continuing the execution of the application (step S105).
  • the risk evaluation unit 203 determines that the vulnerability does not become apparent when the function described in the defect function field of the library's vulnerability detailed information does not exist in the function table included in the corresponding application information (library detailed information). In this case, the risk evaluation unit 203 sets the risk level of the library to "1" (step S106).
  • the risk evaluation unit 203 determines that the vulnerability becomes apparent when the function described in the defect function field of the library's vulnerability detailed information exists in the function table included in the corresponding application information (library detailed information). In this case, the risk evaluation unit 203 determines the risk level of the library according to the vulnerability type (step S107).
  • steps S105 to S107 are specifically described as follows.
  • the risk evaluation unit 203 refers to the detailed information on the vulnerabilities of the libraries L2 and L3, and confirms whether or not the function described in the defect function field is included in the function table of the corresponding application information.
  • the risk assessment unit 203 sets the risk level to the smallest value (level 1) for a library in which the vulnerability does not become apparent even if the library has a vulnerability.
  • the risk evaluation unit 203 sets the risk level according to the vulnerability type for the library having the vulnerability and in which the vulnerability becomes apparent. In the example shown in FIG. 12, the risk level of the library L2 is “2”.
  • the risk evaluation unit 203 generates risk information (library risk information) related to the library based on the extracted library, the corresponding vulnerability detailed information (vulnerability type), and the determined risk level (step S108).
  • the information shown in FIG. 13 is generated as library risk information.
  • the risk assessment unit 203 gives a low risk level to the extracted library when the vulnerability of the extracted library does not become apparent.
  • the risk evaluation unit 203 gives a high risk level to the extracted library when the vulnerability of the extracted library becomes apparent.
  • the risk assessment unit 203 then generates library risk information, including low or high risk levels.
  • the risk evaluation unit 203 delivers the risk information (application risk information, library risk information) to the evaluation result output unit 204. If the risk information regarding each application and each library described in the application information does not exist, the risk evaluation unit 203 notifies the evaluation result output unit 204 to that effect.
  • the evaluation result output unit 204 may display the above message (evaluation result) on a liquid crystal monitor or the like, or may send it to a predetermined e-mail address or the like. Alternatively, the evaluation result output unit 204 may print the evaluation result using a printer.
  • when the evaluation result output unit 204 is notified by the risk evaluation unit 203 that no risk information exists, the evaluation result output unit 204 displays on the LCD monitor or the like that there is no risk in continuing to execute the application.
  • the evaluation result output unit 204 displays according to the risk level. For example, assume that the risk information does not include the level 3 and level 2 risk levels, but includes the level 1 risk level. In this case, the evaluation result output unit 204 outputs that the application running on the server contains a vulnerability, but the application can be continuously executed (see FIG. 14).
  • the evaluation result output unit 204 displays a message according to the highest risk level. For example, if level 2 is the highest risk level, the evaluation result output unit 204 displays that "the application can be continuously executed, but countermeasures are required". If level 3 is the highest risk level, the evaluation result output unit 204 displays that "continuous execution of the application is impossible and immediate countermeasures are required".
  • the evaluation result output unit 204 may display a countermeasure plan corresponding to each risk level of level 2 or higher together with the above message. That is, the evaluation result output unit 204 may output the countermeasures for avoiding the vulnerability together with the above message.
  • the information shown in FIG. 15 is stored in the storage unit 205 as "countermeasure information".
  • the evaluation result output unit 204 refers to the above countermeasure information and acquires the countermeasure according to the vulnerability type included in the risk information.
  • the evaluation result output unit 204 that has acquired the risk information as shown in FIG. 13 may display as shown in FIG.
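As an added example (not code from the patent or from NEC), the following Python carries the risk evaluation unit's steps S101 to S108 of FIG. 8 and the output unit's highest-level message through constructed application information and vulnerability information. The type-to-level table standing in for FIG. 9, the A2 application, the L2 library and all function names other than F5 are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed vulnerability-type -> risk-level table standing in for FIG. 9.
# The page gives three levels (3 = most dangerous) but not the full mapping,
# so these assignments are an assumption for the example.
RISK_LEVEL_BY_TYPE: Dict[int, int] = {1: 3, 2: 2, 3: 2, 4: 2, 5: 1}


@dataclass(frozen=True)
class Library:
    name: str
    identifier: str          # library version, or hash of the library binary
    functions: frozenset     # function table built from the application's GOT/PLT


@dataclass(frozen=True)
class Application:
    name: str
    identifier: str          # application version, or hash of the executable
    libraries: Tuple[Library, ...]


@dataclass(frozen=True)
class Vulnerability:
    target: str              # application or library name
    identifier: str
    vuln_type: int
    content: str
    defect_function: Optional[str] = None  # only library vulnerabilities carry this


def index_vulnerabilities(vulns: List[Vulnerability]):
    """Key vulnerability information by (name, identifier) so S101/S104 become lookups."""
    index: Dict[Tuple[str, str], List[Vulnerability]] = {}
    for v in vulns:
        index.setdefault((v.target, v.identifier), []).append(v)
    return index


def evaluate_risk(app_info: List[Application], vuln_info: List[Vulnerability]):
    """Steps S101-S108 of FIG. 8: returns (application risk info, library risk info)."""
    index = index_vulnerabilities(vuln_info)
    app_risk, lib_risk = [], []
    for app in app_info:
        # S101: extract applications whose identifier has stored vulnerability information.
        for v in index.get((app.name, app.identifier), []):
            # S102/S103: the application's level follows directly from the vulnerability type.
            app_risk.append({"application": app.name, "identifier": app.identifier,
                             "type": v.vuln_type,
                             "risk_level": RISK_LEVEL_BY_TYPE[v.vuln_type]})
        for lib in app.libraries:
            # S104: extract libraries whose identifier has stored vulnerability information.
            for v in index.get((lib.name, lib.identifier), []):
                # S105: the vulnerability becomes apparent only if the defect function
                # is in the function table the application actually links.
                manifests = v.defect_function in lib.functions
                # S106: not linked -> lowest level; S107: linked -> level by type.
                level = RISK_LEVEL_BY_TYPE[v.vuln_type] if manifests else 1
                lib_risk.append({"application": app.name, "library": lib.name,
                                 "identifier": lib.identifier, "type": v.vuln_type,
                                 "defect_function": v.defect_function,
                                 "manifests": manifests, "risk_level": level})
    return app_risk, lib_risk


MESSAGES = {
    3: "Continuous execution of the application is impossible and immediate countermeasures are required",
    2: "The application can be continuously executed, but countermeasures are required",
    1: "The application contains a vulnerability but can be continuously executed",
}


def evaluation_message(app_risk, lib_risk) -> str:
    """Evaluation result output unit 204: message for the highest risk level present."""
    levels = [r["risk_level"] for r in app_risk + lib_risk]
    if not levels:
        return "There is no risk in the continuous execution of the application"
    return MESSAGES[max(levels)]


# Constructed sample data mirroring the page's examples (A1 v1.1 is type 1;
# L1 v2.2 has its defect in F5, type 4). A2, L2 and the other function names are invented.
SAMPLE_APPS = [
    Application("A1", "1.1", (
        Library("L1", "2.2", frozenset({"F1", "F2", "F3", "F4", "F5"})),  # F5 linked
        Library("L2", "3.0", frozenset({"G1", "G2"})),
    )),
    Application("A2", "0.9", (
        Library("L1", "2.2", frozenset({"F1", "F2"})),  # F5 not linked: latent only
    )),
]
SAMPLE_VULNS = [
    Vulnerability("A1", "1.1", 1, "arbitrary code execution under specific conditions"),
    Vulnerability("L1", "2.2", 4, "security hole at port number X1", defect_function="F5"),
    Vulnerability("L2", "3.0", 2, "constructed defect in G1", defect_function="G1"),
]

if __name__ == "__main__":
    apps, libs = evaluate_risk(SAMPLE_APPS, SAMPLE_VULNS)
    for row in apps + libs:
        print(row)
    print(evaluation_message(apps, libs))
```

Running it with only A2 in the application information yields a single level-1 library entry and the "contains a vulnerability but can be continuously executed" message, which is the case the text describes for an unused defect function.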
  • the evaluation device 10 determines the risk (risk level) of continuing to execute the application based on the information (application information) about the application actually executed on the server.
  • since the application information is information that can be generated before the server is started and the application is executed, the above determination can be made even after the application is started on the server. That is, by using the evaluation device 10 according to the first embodiment, the risk of continuing to execute the application on the server subject to risk evaluation is appropriately determined without stopping the server.
  • the evaluation device 10 according to the first embodiment takes as input a snapshot of the startup status at the time the application is started, and collates (matches) it with vulnerabilities found after the fact. By this collation, the evaluation device 10 determines the influence of the above-mentioned vulnerability on the server.
  • since the evaluation device 10 can evaluate the risk related to the running application based on the latest vulnerability information, unnecessary and non-urgent server stoppages can be eliminated. In other words, even if a vulnerability is found in a library, the vulnerability will not become apparent if the function having the vulnerability is not used, and it is not necessary to stop the server.
  • the method of avoiding the vulnerability is not limited to stopping the server and updating the application or library.
  • the evaluation device 10 stores in advance, in the storage unit 205, countermeasures for vulnerabilities that can be dealt with by changing the settings of a communication device as described above, and presents them to the administrator or the like as necessary.
  • if it is not necessary to stop the server immediately, that fact and the countermeasures are presented, together with the note that stopping the server and updating the application or the like is ideal for avoiding the vulnerability in the future. In this way, safety is ensured while unnecessary shutdown of the server is avoided.
  • in the second embodiment, the case where the server generates the application information described in the first embodiment will be described. As shown in FIG. 17, in the second embodiment, the server 20 generates the application information.
  • the evaluation device 10 and the server 20 are connected by wire or wirelessly and are configured to be able to communicate with each other.
  • FIG. 18 is a diagram showing an example of a processing configuration (processing module) of the server 20 according to the second embodiment.
  • the server 20 includes an application information generation unit 301, an application information output unit 302, and a storage unit 303.
  • the application information generation unit 301 is a means for generating application information.
  • the application information generation unit 301 can be implemented as a function of the OS executed on the server 20.
  • the application information generation unit 301 collects information about the application and the library being executed on the server 20 by using the command or the like described in the first embodiment.
  • the application information generation unit 301 refers to table information such as GOT and PLT described in the first embodiment, and collects information on the functions of the library used by the application.
  • Table information such as GOT and PLT is stored in the storage unit 303.
  • the application information generation unit 301 generates application information by integrating the collected information into a format as shown in FIG.
  • the application information generation unit 301 delivers the generated application information to the application information output unit 302.
  • the application information output unit 302 transmits the acquired application information to the evaluation device 10.
  • the server 20 automatically generates the application information and provides the application information to the evaluation device 10. Therefore, for example, when the server 20 periodically generates application information and provides it to the evaluation device 10, the risk of the application is also periodically confirmed.
  • FIG. 19 is a diagram showing an example of the hardware configuration of the evaluation device 10.
  • the evaluation device 10 can be configured by an information processing device (so-called computer), and includes the configuration illustrated in FIG.
  • the evaluation device 10 includes a processor 311, a memory 312, an input / output interface 313, a communication interface 314, and the like.
  • the components such as the processor 311 are connected by an internal bus or the like so that they can communicate with each other.
  • the configuration shown in FIG. 19 does not mean to limit the hardware configuration of the evaluation device 10.
  • the evaluation device 10 may include hardware (not shown), or may not include an input / output interface 313 if necessary.
  • the number of processors 311 and the like included in the evaluation device 10 is not limited to the example of FIG. 19, and for example, a plurality of processors 311 may be included in the evaluation device 10.
  • the processor 311 is a programmable device such as a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or a DSP (Digital Signal Processor). Alternatively, the processor 311 may be a device such as an FPGA (Field Programmable Gate Array) or an ASIC (Application Specific Integrated Circuit). The processor 311 executes various programs including an operating system (OS).
  • the memory 312 is a RAM (Random Access Memory), a ROM (Read Only Memory), an HDD (Hard Disk Drive), an SSD (Solid State Drive), or the like.
  • the memory 312 stores an OS program, an application program, and various data.
  • the communication interface 314 is a circuit, module, or the like that communicates with another device.
  • the communication interface 314 includes a NIC (Network Interface Card) and the like.
  • the function of the evaluation device 10 is realized by various processing modules.
  • the processing module is realized, for example, by the processor 311 executing a program stored in the memory 312.
  • the program can also be recorded on a computer-readable storage medium.
  • the storage medium may be non-transitory, such as a semiconductor memory, a hard disk, a magnetic recording medium, or an optical recording medium. That is, the present invention can also be embodied as a computer program product.
  • the program can be downloaded via a network or updated using a storage medium in which the program is stored.
  • the processing module may be realized by a semiconductor chip.
  • the server 20 can also be configured as an information processing device like the evaluation device 10; since its basic hardware configuration does not differ from that of the evaluation device 10, its description is omitted.
  • application information described with reference to FIG. 4 is an example, and in addition to the elements shown in FIG. 4, other elements may be included in the application information.
  • application details may include registry settings and launch options for each application.
  • the evaluation device 10 performs machine learning using training data (teacher data) that associates the specific content of a vulnerability with its vulnerability type, and generates a classification model (discriminator). Any algorithm, such as a support vector machine, boosting, or a neural network, can be used to generate the classification model. Since known techniques can be used for such algorithms, their description is omitted.
  • the evaluation device 10 may then obtain the vulnerability type by feeding the specific content of a vulnerability acquired from a web site or the like into the generated classification model.
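As an added example (not part of the patent, and not NEC's implementation), the following sketches that pipeline in Python: a classification model is trained on (specific content, vulnerability type) pairs and then applied to descriptions of the kind scraped from advisory pages. The page names support vector machines, boosting and neural networks; this stand-in is a multinomial naive Bayes classifier written against the standard library only, so it runs offline. The training pairs and the test descriptions are constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed training ("teacher") data: (specific content of the vulnerability, vulnerability type).
TRAINING_DATA = [
    ("heap buffer overflow in inflate allows a crafted stream to overwrite memory", "buffer overflow"),
    ("stack based buffer overflow when parsing a long header field", "buffer overflow"),
    ("out of bounds write in the image decoder due to missing length check", "buffer overflow"),
    ("improper input validation allows remote attackers to execute arbitrary code", "remote code execution"),
    ("deserialization of untrusted data leads to execution of arbitrary code", "remote code execution"),
    ("unauthenticated remote attacker can execute arbitrary commands via crafted request", "remote code execution"),
    ("uncontrolled recursion allows remote attackers to cause a denial of service crash", "denial of service"),
    ("null pointer dereference causes the daemon to crash resulting in denial of service", "denial of service"),
    ("infinite loop when handling malformed packet leads to denial of service", "denial of service"),
]

WORD = re.compile(r"[a-z]+")


def tokens(text: str) -> list[str]:
    """Lower-case word tokens; advisory text is noisy, so nothing fancier is assumed."""
    return WORD.findall(text.lower())


class NaiveBayes:
    """Multinomial naive Bayes with add-one smoothing: the stand-in classification model."""

    def __init__(self) -> None:
        self.class_counts: Counter = Counter()
        self.word_counts: dict[str, Counter] = defaultdict(Counter)
        self.vocabulary: set[str] = set()

    def fit(self, data) -> "NaiveBayes":
        for text, label in data:
            self.class_counts[label] += 1
            for word in tokens(text):
                self.word_counts[label][word] += 1
                self.vocabulary.add(word)
        return self

    def log_scores(self, text: str) -> dict[str, float]:
        total_docs = sum(self.class_counts.values())
        words = tokens(text)
        scores = {}
        for label, n_docs in self.class_counts.items():
            n_words = sum(self.word_counts[label].values())
            score = math.log(n_docs / total_docs)
            for word in words:
                # add-one smoothing keeps a word unseen in one class from zeroing that class out
                score += math.log((self.word_counts[label][word] + 1) / (n_words + len(self.vocabulary)))
            scores[label] = score
        return scores

    def predict(self, text: str) -> str:
        scores = self.log_scores(text)
        return max(scores, key=scores.get)


def vulnerability_type(description: str, model=None) -> str:
    """What the evaluation device would do with the text of an advisory: return its type."""
    model = model or NaiveBayes().fit(TRAINING_DATA)
    return model.predict(description)


if __name__ == "__main__":
    for text in ["buffer overflow in the png decoder allows memory corruption",
                 "remote attackers can execute arbitrary code by sending a crafted request",
                 "malformed input causes an infinite loop and the service crashes"]:
        print(f"{vulnerability_type(text)!r:<25} <- {text}")
```

With nine training sentences the model is only a demonstration of the shape of the step; in practice the training set would be the historical advisories already labelled with a type, and the predicted type is what feeds the risk-level logic described later on the page.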
  • the function table is generated from the dynamic-linking tables of the binary, such as the GOT (Global Offset Table) and the PLT (Procedure Linkage Table), which record the external functions the application calls.
  • the server 20 may also monitor and manage the libraries cached in memory and generate a more accurate function table. For example, when a library is loaded into memory at the start of application A, it is cached there; when application B is started later and requires the same library, it is loaded from the cache rather than from disk. The library actually executing can therefore differ from the file currently installed on disk (for example after an update that has not yet been followed by a restart), so the cached library, not only the installed file, is the relevant input.
  • the server 20 may therefore monitor the libraries cached in memory and generate the application information from them.
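How such a function table can be built, as an added Python example (not the patent's or NEC's code): it takes relocation output in the format of `readelf -W -r`, keeps the R_X86_64_JUMP_SLOT entries (the GOT slots that PLT stubs jump through, which is the GOT/PLT table information the page refers to) and produces, per library, the functions the application calls, together with a hash identifier for the library as the appendices describe. The readelf text, the library file contents and the mapping from symbol-version tag to library name are constructed for the example, and SHA-256 is this example's choice of hash (the page only says identifiers are hash values).

```python
import hashlib

# Constructed sample of `readelf -W -r app` output. Only the .rela.plt section
# (R_X86_64_JUMP_SLOT entries, i.e. the GOT slots that PLT stubs jump through)
# describes functions the application calls in shared libraries.
READELF_RELOCS = """\
Relocation section '.rela.dyn' at offset 0x5a0 contains 2 entries:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000000003fe0  0000000100000006 R_X86_64_GLOB_DAT      0000000000000000 __gmon_start__ + 0
0000000000003ff8  0000000300000006 R_X86_64_GLOB_DAT      0000000000000000 stderr@GLIBC_2.2.5 + 0

Relocation section '.rela.plt' at offset 0x5d0 contains 4 entries:
    Offset             Info             Type               Symbol's Value  Symbol's Name + Addend
0000000000004000  0000000200000007 R_X86_64_JUMP_SLOT     0000000000000000 inflateInit_@ZLIB_1.2.0 + 0
0000000000004008  0000000400000007 R_X86_64_JUMP_SLOT     0000000000000000 inflate@ZLIB_1.2.0 + 0
0000000000004010  0000000500000007 R_X86_64_JUMP_SLOT     0000000000000000 fopen@GLIBC_2.2.5 + 0
0000000000004018  0000000600000007 R_X86_64_JUMP_SLOT     0000000000000000 fread@GLIBC_2.2.5 + 0
"""

# Constructed stand-ins for the bytes of the library files mapped into the process.
LIBRARY_FILES = {
    "libz.so.1": b"\x7fELF constructed stand-in for libz.so.1 contents",
    "libc.so.6": b"\x7fELF constructed stand-in for libc.so.6 contents",
}

# Constructed mapping from symbol-version tag to library; a real collector would take
# this from what is actually mapped into the process (see the usage note).
VERSION_TO_LIBRARY = {"ZLIB": "libz.so.1", "GLIBC": "libc.so.6"}


def function_table_from_relocs(readelf_output: str) -> dict[str, set[str]]:
    """Return {library: {function, ...}} built from JUMP_SLOT relocations.

    GLOB_DAT entries (data symbols such as stderr) are deliberately skipped:
    they live in the GOT too, but they are not functions the application calls."""
    table: dict[str, set[str]] = {}
    for line in readelf_output.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[2] != "R_X86_64_JUMP_SLOT":
            continue
        name, _, version = fields[4].partition("@")
        library = VERSION_TO_LIBRARY.get(version.split("_")[0], "unknown")
        table.setdefault(library, set()).add(name)
    return table


def library_identifier(contents: bytes) -> str:
    """Identifier of a library: the page says identifiers are hash values;
    SHA-256 of the file bytes is this example's choice."""
    return hashlib.sha256(contents).hexdigest()


def library_details(readelf_output: str, library_files: dict[str, bytes]) -> list[dict]:
    """Assemble the per-library 'detailed information': identifier plus function table."""
    tables = function_table_from_relocs(readelf_output)
    return [
        {
            "name": name,
            "identifier": library_identifier(contents),
            "function_table": sorted(tables.get(name, set())),
        }
        for name, contents in library_files.items()
    ]


if __name__ == "__main__":
    for entry in library_details(READELF_RELOCS, LIBRARY_FILES):
        print(entry["name"], entry["identifier"][:16], entry["function_table"])
```

The version-tag heuristic for attributing a symbol to a library is a convenience for the example. On the server the collector should take the library identity from the file that is actually mapped into the running process (the cached library the page discusses) and hash that file, otherwise an updated file on disk will be hashed while the old copy keeps executing.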
  • the evaluation device 10 displays a message and a countermeasure plan according to the risk level.
  • the display of the above message or the like is an example, and the evaluation device 10 may display other information.
  • the evaluation device 10 may display the name, version, or the like of a vulnerable application or library.
  • by installing the evaluation program in the memory of a computer, the computer can function as the evaluation device; by causing the computer to execute the evaluation program, the evaluation method is carried out by the computer.
  • [Appendix 1] An evaluation device (10, 100) comprising: a first acquisition unit (101, 201) that acquires application information about an application executed on a server (20); an evaluation unit (102, 203) that evaluates, based on the application information, the risk of continuing to execute the application on the server (20); and an output unit (103, 204) that outputs the evaluation result of the degree of risk.
  • [Appendix 2] The evaluation device (10, 100) according to Appendix 1, further comprising a second acquisition unit (202) that acquires vulnerability information about vulnerabilities of applications and libraries, wherein the evaluation unit (102, 203) evaluates the risk level based on the application information and the vulnerability information.
  • [Appendix 3] The evaluation device (10, 100) according to Appendix 2, wherein the application information includes detailed information of the application being executed on the server (20); the detailed information of the application includes an identifier of the application and detailed information of the libraries called by the application; and the detailed information of a library includes an identifier of the library and a function table listing the functions called from the application.
  • [Appendix 4] The evaluation device (10, 100) according to Appendix 3, wherein the vulnerability information includes identifiers of applications and libraries having vulnerabilities and detailed information describing the content of each vulnerability, and the detailed information on a vulnerability includes a vulnerability type determined from that content.
  • [Appendix 5] The evaluation device (10, 100) according to Appendix 4, wherein the evaluation unit (102, 203) extracts an application whose identifier in the detailed information of the application matches the identifier of a vulnerable application in the vulnerability information, and generates, from the vulnerability type in the detailed information of the vulnerability corresponding to the extracted application, application risk information including a first risk level indicating the risk of continuing to execute the extracted application.
  • [Appendix 6] The evaluation device (10, 100) in which the evaluation unit (102, 203) extracts a library whose identifier in the detailed information of the library matches the identifier of a vulnerable library in the vulnerability information.
  • [Appendix 7] The evaluation device (10, 100) in which the detailed information on the vulnerability of a library describes the function having the vulnerability as a defect function.
  • [Appendix 8] The evaluation device (10, 100) according to Appendix 7, wherein the evaluation unit (102, 203) determines whether the defect function described in the detailed information on the vulnerability of the extracted library exists in the function table of the detailed information of the library corresponding to the extracted library, gives the extracted library a second risk level when the vulnerability of the extracted library does not thereby become apparent (and a third risk level when it does), and generates library risk information including the second risk level or the third risk level.
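The matching logic of Appendices 5 to 8 and the messages of Appendices 9 and 10, as an added worked example in Python (not NEC's implementation). Assumed rather than given by the page: SHA-256 as the hash behind the identifiers, the constructed application and vulnerability information (the FIG. 4 layout is not reproduced), the countermeasure wording, and the reading that the third risk level is the case in which a defect function is present in the application's function table for the library.

```python
import hashlib


def ident(data: bytes) -> str:
    """Application/library identifier: a hash value (Appendix 11); SHA-256 chosen here."""
    return hashlib.sha256(data).hexdigest()


# Constructed application information for one server. Each application carries its
# identifier and, per called library, the library's identifier and the function table
# of the functions this application calls in it.
APP_INFO = [
    {"name": "web-frontend", "identifier": ident(b"web-frontend 3.1 binary"),
     "libraries": [
         {"name": "libz.so.1", "identifier": ident(b"libz 1.2.8 binary"),
          "function_table": {"inflateInit_", "inflate", "inflateEnd"}},
         {"name": "libc.so.6", "identifier": ident(b"glibc 2.31 binary"),
          "function_table": {"fopen", "fread", "snprintf"}},
     ]},
    {"name": "image-tool", "identifier": ident(b"image-tool 1.0 binary"),
     "libraries": [
         {"name": "libz.so.1", "identifier": ident(b"libz 1.2.8 binary"),
          "function_table": {"deflateInit_", "deflate", "deflateEnd"}},
     ]},
    {"name": "report-batch", "identifier": ident(b"report-batch 2.2 binary"),
     "libraries": []},
]

# Constructed vulnerability information (what the second acquisition unit collects):
# identifier of the vulnerable application or library, its vulnerability type and,
# for libraries, the defect functions (Appendix 7).
VULN_INFO = [
    {"kind": "library", "identifier": ident(b"libz 1.2.8 binary"),
     "vulnerability_type": "buffer overflow", "defect_functions": {"inflate"}},
    {"kind": "application", "identifier": ident(b"report-batch 2.2 binary"),
     "vulnerability_type": "remote code execution", "defect_functions": set()},
]

FIRST, SECOND, THIRD = "first", "second", "third"  # risk-level names used on the page

# Countermeasure wording is this example's assumption (Appendix 10 only says one is output).
COUNTERMEASURE = {
    FIRST: "stop the application and update it to a fixed version",
    SECOND: "update the library at the next maintenance window; no defect function is on the call path",
    THIRD: "update the library now; the application calls a defect function",
}


def evaluate(app_info, vuln_info):
    """Appendices 5 to 8: return (application_risk_info, library_risk_info)."""
    app_vulns = {v["identifier"]: v for v in vuln_info if v["kind"] == "application"}
    lib_vulns = {v["identifier"]: v for v in vuln_info if v["kind"] == "library"}
    app_risks, lib_risks = [], []
    for app in app_info:
        v = app_vulns.get(app["identifier"])
        if v is not None:  # Appendix 5: the application itself is vulnerable -> first risk level
            app_risks.append({"application": app["name"],
                              "vulnerability_type": v["vulnerability_type"],
                              "risk_level": FIRST})
        for lib in app["libraries"]:
            v = lib_vulns.get(lib["identifier"])
            if v is None:  # Appendix 6: identifiers do not match, nothing to report
                continue
            # Appendices 7 and 8: the vulnerability becomes apparent only if a defect
            # function is in this application's function table for the library.
            called = v["defect_functions"] & lib["function_table"]
            lib_risks.append({"application": app["name"], "library": lib["name"],
                              "vulnerability_type": v["vulnerability_type"],
                              "defect_functions_called": sorted(called),
                              "risk_level": THIRD if called else SECOND})
    return app_risks, lib_risks


def messages(app_risks, lib_risks) -> list[str]:
    """Appendices 9 and 10: one message per finding, with its countermeasure."""
    out = []
    for r in app_risks:
        out.append(f"[{r['risk_level']} risk level] {r['application']}: application has a "
                   f"{r['vulnerability_type']} vulnerability; {COUNTERMEASURE[r['risk_level']]}")
    for r in lib_risks:
        out.append(f"[{r['risk_level']} risk level] {r['application']} -> {r['library']}: "
                   f"{r['vulnerability_type']} (defect functions called: "
                   f"{', '.join(r['defect_functions_called']) or 'none'}); "
                   f"{COUNTERMEASURE[r['risk_level']]}")
    return out


if __name__ == "__main__":
    print("\n".join(messages(*evaluate(APP_INFO, VULN_INFO))))
```

Two libraries with the same hash get different verdicts here because the check is per application: web-frontend imports `inflate` and lands at the third level, image-tool only uses the deflate side of the same libz and lands at the second. One caveat for anyone operating such a scheme: a function table built from PLT imports sees only the functions the application calls directly. A defect function that is internal to the library and reached through an exported function the application does call, or one reached via dlsym, is not in the table, so the second risk level means "no direct call observed", not proof that the vulnerable code is unreachable.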
  • [Appendix 9] The evaluation device (10, 100) in which the output unit (103, 204) outputs a message regarding the risk of executing the application on the server (20) according to the risk levels included in the application risk information and the library risk information.
  • [Appendix 10] The evaluation device (10, 100) according to Appendix 9, wherein the output unit (103, 204) outputs, together with the message, a countermeasure for avoiding the vulnerability.
  • [Appendix 11] The evaluation device (10, 100) according to any one of Appendices 3 to 10, wherein the identifier of the application and the identifier of the library are hash values.
  • [Appendix 12] An evaluation system including a server (20) that generates application information about running applications and an evaluation device (10, 100) connected to the server (20), wherein the evaluation device (10, 100) comprises: a first acquisition unit (101, 201) that acquires the application information from the server (20); an evaluation unit (102, 203) that evaluates, based on the application information, the risk of continuing to execute the application on the server (20); and an output unit (103, 204) that outputs the evaluation result of the degree of risk.
  • the forms of Appendix 12 to Appendix 14 can be expanded into the forms of Appendix 2 to Appendix 11 in the same manner as the form of Appendix 1.
  • Reference signs: 10, 100 Evaluation device; 20 Server; 101 First acquisition unit; 102 Evaluation unit; 103 Output unit; 201 Application information acquisition unit; 202 Vulnerability information acquisition unit; 203 Risk evaluation unit; 204 Evaluation result output unit; 205, 303 Storage unit; 301 Application information generation unit; 302 Application information output unit; 311 Processor; 312 Memory; 313 Input / output interface; 314 Communication interface

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Debugging And Monitoring (AREA)
PCT/JP2019/041928 2019-10-25 2019-10-25 Evaluation apparatus, evaluation system, evaluation method, and program Ceased WO2021079495A1 (ja)

Priority Applications (3)

Application Number Priority Date Filing Date Title
JP2021553260A JP7294441B2 (ja) 2019-10-25 2019-10-25 Evaluation apparatus, evaluation system, evaluation method, and program
US17/767,127 US12271483B2 (en) 2019-10-25 2019-10-25 Evaluation apparatus, evaluation system, evaluation method, and program
PCT/JP2019/041928 WO2021079495A1 (ja) 2019-10-25 2019-10-25 Evaluation apparatus, evaluation system, evaluation method, and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2019/041928 WO2021079495A1 (ja) 2019-10-25 2019-10-25 Evaluation apparatus, evaluation system, evaluation method, and program

Publications (1)

Publication Number Publication Date
WO2021079495A1 (ja) 2021-04-29

Family

ID=75619725

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2019/041928 Ceased WO2021079495A1 (ja) 2019-10-25 2019-10-25 Evaluation apparatus, evaluation system, evaluation method, and program

Country Status (3)

Country Link
US (1) US12271483B2
JP (1) JP7294441B2
WO (1) WO2021079495A1

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2025040502A (ja) * 2023-09-12 2025-03-25 Toshiba Corp. Information processing device, information processing method, and program

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US12149555B2 (en) 2021-12-28 2024-11-19 SecureX.AI, Inc. Systems and methods for vulnerability assessment for cloud assets using imaging methods
US12299133B2 (en) * 2021-12-28 2025-05-13 SecureX.AI, Inc. Systems and methods for prioritizing security findings using machine learning models
US12166785B2 (en) 2021-12-28 2024-12-10 SecureX.AI, Inc. Systems and methods for predictive analysis of potential attack patterns based on contextual security information
US12299135B2 (en) * 2022-09-29 2025-05-13 Red Hat, Inc. K-anonymous vulnerability detection

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009217637A (ja) * 2008-03-11 2009-09-24 Fujitsu Ltd Security status display device, security status display method, and computer program
WO2012132125A1 (ja) * 2011-03-30 2012-10-04 Hitachi, Ltd. Vulnerability determination system, vulnerability determination method, and vulnerability determination program
JP2017224053A (ja) * 2016-06-13 2017-12-21 Hitachi, Ltd. Vulnerability risk evaluation system and vulnerability risk evaluation method
JP2019525287A (ja) * 2016-06-23 2019-09-05 International Business Machines Corporation Detection of vulnerable applications

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005114403A1 (en) * 2004-05-21 2005-12-01 Computer Associates Think, Inc. Method and apparatus for reusing a computer software library
JP4751431B2 (ja) 2008-09-12 2011-08-17 Toshiba Corp. Vulnerability determination device and program
JP2010117887A (ja) 2008-11-13 2010-05-27 Nec Corp Vulnerability determination device, vulnerability determination method, and vulnerability determination program
US20120137369A1 (en) * 2010-11-29 2012-05-31 Infosec Co., Ltd. Mobile terminal with security functionality and method of implementing the same
US8799647B2 (en) * 2011-08-31 2014-08-05 Sonic Ip, Inc. Systems and methods for application identification
MX349569B (es) * 2013-02-25 2017-08-03 Beyondtrust Software Inc Systems and methods of risk-based rules for application control
US9591570B2 (en) * 2014-04-07 2017-03-07 Aruba Networks, Inc. Method and system for tracking devices
JP6415353B2 (ja) 2015-03-02 2018-10-31 Canon Inc. Information processing device, control method of an information processing device, and computer program
US10678513B2 (en) * 2017-09-12 2020-06-09 Devfactory Fz-Llc Library upgrade method, apparatus, and system
WO2020026228A1 (en) * 2018-08-01 2020-02-06 Vdoo Connected Trust Ltd. Firmware verification

Also Published As

Publication number Publication date
US12271483B2 (en) 2025-04-08
JPWO2021079495A1 (ja) 2021-04-29
US20220374528A1 (en) 2022-11-24
JP7294441B2 (ja) 2023-06-20

Similar Documents

Publication Publication Date Title
WO2021079495A1 (ja) Evaluation apparatus, evaluation system, evaluation method, and program
US11455400B2 (en) Method, system, and storage medium for security of software components
US11652641B2 (en) Artifact lifecycle management on a cloud computing system
US9471780B2 (en) System, method, and computer program product for mounting an image of a computer system in a pre-boot environment for validating the computer system
US10055249B2 (en) Automated compliance exception approval
US8732836B2 (en) System and method for correcting antivirus records to minimize false malware detections
EP3477524B1 (en) Methods and systems for holistically attesting the trust of heterogeneous compute resources
US20250363205A1 (en) System and method for detecting excessive permissions in identity and access management
US9086942B2 (en) Software discovery by an installer controller
JP2012212380A (ja) System for inspecting an information processing device to which a software update has been applied
CN108292342B (zh) Notification of an intrusion into firmware
US20090132999A1 (en) Secure and fault-tolerant system and method for testing a software patch
US20180341770A1 (en) Anomaly detection method and anomaly detection apparatus
US9158641B2 (en) Cloud auto-test system, method and non-transitory computer readable storage medium of the same
US20220321594A1 (en) Development security operations on the edge of the network
US8392469B2 (en) Model based distributed application management
US11574049B2 (en) Security system and method for software to be input to a closed internal network
CN117786674A (zh) Method for identifying potential data leakage attacks in at least one software package
JP7355211B2 (ja) Signature generation device, signature generation method, and signature generation program
US20180341772A1 (en) Non-transitory computer-readable storage medium, monitoring method, and information processing apparatus
JP7229533B2 (ja) Information processing device, network device, information processing method, and information processing program
US20250350610A1 (en) System and method for cybersecurity toxic combination precognition
WO2018168822A1 (ja) Security risk management device, security risk management method, and security risk management program
JP2024097245A (ja) Information processing device, information processing method, and program
EP2973176B1 (en) System and method employing structured intelligence to verify and contain threats at endpoints

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19949988; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2021553260; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19949988; Country of ref document: EP; Kind code of ref document: A1)
WWG Wipo information: grant in national office (Ref document number: 17767127; Country of ref document: US)