WO2021144978A1 - Attack estimation device, attack estimation method, and attack estimation program - Google Patents

Info

Publication number: WO2021144978A1
Authority: WO, WIPO (PCT)
Application number: PCT/JP2020/001555
Other languages: French (fr), Japanese (ja)
Inventor: 久詞 内藤
Original Assignee: 三菱電機株式会社
Prior art keywords: attack, event, tool, estimation, unit

Classifications

    • G  PHYSICS
    • G06  COMPUTING; CALCULATING OR COUNTING
    • G06F  ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00  Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50  Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55  Detecting local intrusion or implementing counter-measures

Definitions

  • This disclosure relates to an attack estimation device, an attack estimation method, and an attack estimation program.
  • When a security-related event occurs on a terminal device, the company must promptly determine whether or not the event was caused by a cyber attack. Furthermore, if it is determined that the event was caused by a cyber attack, the company must promptly identify the infection route, take measures to prevent the spread of damage, and maintain its business.
  • In Patent Document 1, a behavior pattern representing a trace of a cyber attack is registered in advance, and the behavior of processes running on the terminal is recorded. An attack event is detected by determining that an attack has been performed when a behavior matching a registered pattern is found in the record.
  • That is, Patent Document 1 defines in advance information indicating the trace an attack leaves when a cyber attack occurs, and checks whether the log recorded by the device contains information matching that trace. It is a signature-based method of detecting attack events.
  • With a signature-based method, when a tool installed as standard in the OS (Operating System) or a tool approved for use by the company (hereinafter referred to as a legitimate tool) is abused, there is a problem that the cyber attack event cannot be detected properly.
  • In a detection method that uses the operation pattern of a legitimate tool, an operation of the legitimate tool caused by the activity of a legitimate user may match the operation pattern of an attack, so that an attack event is falsely detected.
  • Conversely, operations of the legitimate tool caused by the activity of a legitimate user may be mixed with operations of the legitimate tool caused by the cyber attack, so that the operation pattern is not properly discovered and the attack event is missed.
  • One of the main purposes of this disclosure is to solve the above problems; specifically, to appropriately detect a cyber attack event even when a legitimate tool is used for the cyber attack.
  • The attack estimation device according to this disclosure has a tool estimation unit that, when it is detected that an event related to the security of a terminal device in which one or more tools are installed has occurred in the terminal device, estimates an event-related tool that may have been involved in the occurrence of the event, and a determination unit that determines the possibility that the event has occurred due to a cyber attack by using the event-related tool estimated by the tool estimation unit.
  • According to this disclosure, the cyber attack event can be appropriately detected.
  • FIG. 1 is a diagram showing a configuration example of the attack estimation system according to Embodiment 1.
  • FIG. 2 is a diagram showing a hardware configuration example of the attack estimation device according to Embodiment 1.
  • FIG. 3 is a diagram showing a functional configuration example of the attack estimation device according to Embodiment 1.
  • FIG. 4 is a diagram showing an example of the tool information according to Embodiment 1.
  • A further figure is a flowchart showing an operation example of the attack estimation device according to Embodiment 1.
  • FIG. 7 is a diagram showing an example of the attack tree information according to Embodiment 2.
  • A further figure is a flowchart showing an operation example of the attack estimation device according to Embodiment 2.
  • FIG. 1 is a diagram showing the configuration of an attack estimation system 1 according to the present embodiment.
  • The attack estimation system 1 includes an attack estimation device 10, a target system 20, and a network 30.
  • The attack estimation device 10 performs attack estimation, that is, it estimates whether or not a security-related event that occurred in the target system 20 was caused by a cyber attack.
  • the attack estimation device 10 is connected to the target system 20 via the network 30.
  • the operation procedure of the attack estimation device 10 corresponds to the attack estimation method.
  • the program that realizes the operation of the attack estimation device 10 corresponds to the attack estimation program.
  • The target system 20 includes one or more terminal devices 21. The terminal device 21 is installed in a company, a school, or the like and is used by a legitimate user. Specific examples of the terminal device 21 are a PC (Personal Computer), a server, a workstation, a tablet, a smartphone, and a mobile phone.
  • the network 30 is an information communication network for data communication between devices.
  • the network 30 is, for example, a local area network such as a company or a school, a wide area network, or the Internet.
  • FIG. 2 is a diagram showing a hardware configuration example of the attack estimation device 10 according to the present embodiment.
  • the attack estimation device 10 is a computer.
  • The attack estimation device 10 includes, as hardware, a processor 11, a memory device 12, an auxiliary storage device 13, a drive device 14, a communication interface 16, and a display device 17, which are connected to each other by signal lines.
  • The processor 11 is an IC (Integrated Circuit) that performs processing. Specific examples of the processor 11 include a CPU (Central Processing Unit) and a DSP (Digital Signal Processor).
  • the memory device 12 temporarily stores data.
  • the memory device 12 is a RAM (Random Access Memory).
  • the auxiliary storage device 13 stores data.
  • the auxiliary storage device 13 is a hard disk.
  • Further, the auxiliary storage device 13 may be a portable recording medium such as an SSD (registered trademark, Solid State Drive), an SD (registered trademark, Secure Digital) memory card, a CF (registered trademark, CompactFlash), a NAND flash, a flexible disk, an optical disk, a compact disk, a Blu-ray (registered trademark) disc, or a DVD (registered trademark, Digital Versatile Disk).
  • a program that realizes the functions of the receiving unit 100, the processing unit 101, and the output unit 102, which will be described later, is installed in the auxiliary storage device 13.
  • The program that realizes the functions of the receiving unit 100, the processing unit 101, and the output unit 102 installed in the auxiliary storage device 13 is loaded into the memory device 12, read by the processor 11, and executed.
  • the OS is also stored in the auxiliary storage device 13. Then, at least a part of the OS is executed by the processor 11.
  • the processor 11 executes a program that realizes the functions of the receiving unit 100, the processing unit 101, and the output unit 102 while executing at least a part of the OS.
  • When the processor 11 executes the OS, task management, memory management, file management, communication control, and the like are performed.
  • At least one of the information, data, signal values, and variable values indicating the processing results of the receiving unit 100, the processing unit 101, and the output unit 102 is stored in at least one of a register in the processor 11, a cache memory, the memory device 12, and the auxiliary storage device 13.
  • The drive device 14 transfers data to and from the recording medium 15.
  • The recording medium 15 is a portable recording medium that stores a program realizing the functions of the receiving unit 100, the processing unit 101, and the output unit 102. Specific examples include a hard disk, an SSD (registered trademark), an SD (registered trademark) memory card, a CF (registered trademark), a NAND flash, a flexible disk, an optical disk, a compact disc, a Blu-ray (registered trademark) disc, and a DVD (registered trademark).
  • the recording medium 15 storing the program is set in the drive device 14, and when the program installation instruction is given, the program is installed in the auxiliary storage device 13 from the recording medium 15 via the drive device 14.
  • the program does not necessarily have to be installed using the recording medium 15, and may be downloaded from another computer via the network 30 or the like.
  • the communication interface 16 is an electronic circuit that executes data communication processing with the connection destination.
  • the communication interface 16 is a communication chip for Ethernet (registered trademark) or a NIC (Network Interface Card).
  • the display device 17 displays the result of the attack estimation of the attack estimation device 10.
  • the attack estimation device 10 may be composed of a plurality of computers having the hardware as shown in FIG. That is, the processing executed by the attack estimation device 10 may be distributed to a plurality of computers and executed.
  • FIG. 3 is a diagram showing a functional configuration example of the attack estimation device 10 according to the present embodiment.
  • the attack estimation device 10 includes a receiving unit 100, a processing unit 101, an output unit 102, a system configuration information storage unit 120, and a tool information storage unit 121. Further, the processing unit 101 includes a tool estimation unit 110 and a determination unit 111.
  • the receiving unit 100 receives a notification notifying that an event related to security has been detected, and an operation history and an operation record of the tool in the terminal device 21 in which the event has occurred.
  • The processing unit 101 performs attack estimation for a security-related event that has occurred in the terminal device 21.
  • The tool estimation unit 110 estimates the event-related tool, that is, the legitimate tool that may have been involved in the security-related event that occurred in the terminal device 21, based on the operation record of the tools and the tool information.
  • the process performed by the tool estimation unit 110 corresponds to the tool estimation process.
  • The determination unit 111 determines the possibility that an event related to the security of the terminal device 21 has occurred due to a cyber attack by using the event-related tool estimated by the tool estimation unit 110.
  • the process performed by the determination unit 111 corresponds to the determination process.
  • the output unit 102 outputs the result estimated by the processing unit 101.
  • the system configuration information storage unit 120 stores the information of the terminal device 21 belonging to the target system 20.
  • The tool information storage unit 121 stores tool information related to legitimate tools, such as tools installed as standard in the terminal device 21 or tools approved for use in daily business. Details of the tool information are described later.
  • the system configuration information storage unit 120 and the tool information storage unit 121 are realized by the memory device 12 and the auxiliary storage device 13.
  • the "unit” of the receiving unit 100, the processing unit 101, and the output unit 102 may be read as “circuit” or “process” or “procedure” or “processing”. Further, the attack estimation device 10 may be realized by a processing circuit.
  • the processing circuit is, for example, a logic IC (Integrated Circuit), a GA (Gate Array), an ASIC (Application Specific Integrated Circuit), or an FPGA (Field-Programmable Gate Array).
  • the receiving unit 100, the processing unit 101, and the output unit 102 are each realized as a part of the processing circuit.
  • The superordinate concept of the processor and the processing circuit is referred to as "processing circuitry". That is, the processor and the processing circuit are each specific examples of "processing circuitry".
  • FIG. 4 shows an example of the tool information T10 according to the present embodiment.
  • the tool information storage unit 121 stores the tool information T10 shown in FIG.
  • The tool information T10 shows, for each legitimate tool, the tool ID, which is the identifier of the legitimate tool; the name of the legitimate tool; the frequency with which the legitimate tool was used in cyber attacks in the past; and the frequency with which the legitimate tool was used by legitimate users in the past.
  • the tool information T10 is information registered in advance by the administrator of the attack estimation system 1, a security expert, or the like.
  • the frequency of use used for cyber attacks and the frequency of use used by legitimate users are determined based on the information collected by the administrator of the attack estimation system 1, a security expert, or the like.
  • In the present embodiment, one tool information T10 is registered for the target system 20, but the present invention is not limited to this; a plurality of tool information T10 may be prepared and registered, for example one for each terminal device 21 or one for each base where a plurality of terminal devices 21 are installed.
  • As a specific example, the standard Windows (registered trademark) command-line tool tasklist is registered as tool ID: A50020, tool name: tasklist, attack usage frequency: high, legitimate user usage frequency: low. Likewise, net use is registered as tool ID: A50021, tool name: net use, attack usage frequency: high, legitimate user usage frequency: low.
  • In this example the value indicating the frequency of use takes the two values high and low, but it is not limited to this; more than two levels may be used, or a numerical value may be used.
  • The attack estimation device 10 receives a notification of the occurrence of an event related to the security of the terminal device 21, together with the operation history and the operation record of the tools installed in the terminal device 21, and performs attack estimation.
  • The operation history is a history of the legitimate user of the terminal device 21 operating the tools. As a specific example, it is recorded using a hardware-based input operation recording device or the like that is difficult for the malware of a cyber attack to tamper with. This tamper resistance matters because the determination in step S140 treats a recorded operation that matches the operation history as the legitimate user's own.
  • Alternatively, the operation history may be recorded when a confirmation dialog is displayed upon operation of the tool and the user permits the operation on the GUI (Graphical User Interface).
  • The operation record, by contrast, is a record of the operation of the tools recorded at the OS level.
  • In step S100, the receiving unit 100 receives a notification that a security-related event has occurred.
  • The receiving unit 100 also receives the operation history and the operation record of the tools. Then, the receiving unit 100 passes the received notification, operation history, and operation record to the processing unit 101.
  • In step S110, the tool estimation unit 110 checks whether or not the information received by the receiving unit 100 relates to a terminal device 21 registered in the system configuration information storage unit 120. If so, the tool estimation unit 110 searches the operation record received by the receiving unit 100 and extracts the tools that were operated during a fixed period before the occurrence of the event.
  • The fixed period is a period designated in advance by the operator; specific examples are several hours or several days.
  • The tool estimation unit 110 then refers to the tool information T10 stored in the tool information storage unit 121 and, among the extracted tools, estimates those registered in the tool information T10 to be event-related tools that may have been involved in the event. The tool estimation unit 110 notifies the determination unit 111 of the estimation result: the tool name of each event-related tool, its frequency of use in past cyber attacks, and its frequency of use by legitimate users in the past. On the other hand, if the information received by the receiving unit 100 does not relate to a terminal device 21 registered in the system configuration information storage unit 120, the tool estimation unit 110 waits until information of a registered terminal device 21 is received.
  • In step S120, the determination unit 111 determines the possibility that the event has occurred due to a cyber attack based on the estimation result notified by the tool estimation unit 110. Specifically, the determination unit 111 compares the frequency with which the event-related tool has been used in past cyber attacks with the frequency with which it has been used by legitimate users in the past. If the attack usage frequency is higher than the legitimate user usage frequency, the process proceeds to step S160. If the attack usage frequency is equal to or lower than the legitimate user usage frequency, the process proceeds to step S130.
  • In the present embodiment, an example is described in which the determination unit 111 makes this determination based on both the past attack usage frequency and the past legitimate user usage frequency. However, the present invention is not limited to this, and the determination unit 111 may determine the possibility that the event has occurred due to a cyber attack based only on the past attack usage frequency.
  • In step S130, the determination unit 111 checks the operation history and the operation record of the event-related tool. More specifically, the determination unit 111 compares the operation time and operation content of the event-related tool in the operation history with the operation time and operation content of the event-related tool in the operation record.
  • In step S140, the determination unit 111 determines, based on this comparison, whether the recorded operation of the event-related tool matches an operation performed by the legitimate user. If it matches, the process proceeds to step S150. If it does not match, the process proceeds to step S160.
  • In step S150, the determination unit 111 determines that the event-related tool is not involved in the event and that there is no possibility that a cyber attack has occurred, and notifies the output unit 102 of the determination result.
  • In step S160, the determination unit 111 determines that the event-related tool is involved in the event and that a cyber attack may have occurred, and notifies the output unit 102 of the determination result.
  • In step S170, the output unit 102, notified by the determination unit 111, outputs the estimation result to the display device 17. The output unit 102 may also store the estimation result in the auxiliary storage device 13, or transmit it to the connection destination via the communication interface 16.
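The determination flow of steps S110 to S160, as an added example in Python; it is not code from the patent or from 三菱電機株式会社. The tool IDs, names and frequencies for tasklist and net use are those of FIG. 4; the entry for ipconfig, the event time, the operation record and the operation history are constructed for the example, and the field names, the two-hour window and the five-second matching tolerance are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tool information T10: tool name -> tool ID, attack usage frequency,
# legitimate user usage frequency.  tasklist and net use are the entries on
# the page; ipconfig is a constructed entry so that the operation-history
# branch (steps S130/S140) is exercised.
TOOL_INFO = {
    "tasklist": {"tool_id": "A50020", "attack_freq": "high", "user_freq": "low"},
    "net use":  {"tool_id": "A50021", "attack_freq": "high", "user_freq": "low"},
    "ipconfig": {"tool_id": "X00001", "attack_freq": "low",  "user_freq": "low"},  # constructed
}
FREQ_RANK = {"low": 0, "high": 1}  # two-level frequency, as in the example of FIG. 4


@dataclass(frozen=True)
class Operation:
    """One entry of the OS-level operation record or of the tamper-resistant
    operation history (hardware input record)."""
    time: datetime
    tool: str
    content: str  # assumed field: the command line that was run or typed


def estimate_event_related_tools(operation_record, event_time, window):
    """Tool estimation unit, step S110: tools operated within `window` before
    the event that are registered in T10 are the event-related tools."""
    start = event_time - window
    related = {}
    for op in operation_record:
        if start <= op.time <= event_time and op.tool in TOOL_INFO:
            related.setdefault(op.tool, []).append(op)
    return related


def matches_operation_history(record_op, operation_history, tolerance):
    """Steps S130/S140: a recorded operation is the legitimate user's own if the
    operation history shows the same tool and content at about the same time."""
    return any(
        h.tool == record_op.tool
        and h.content == record_op.content
        and abs(h.time - record_op.time) <= tolerance
        for h in operation_history
    )


def determine(operation_record, operation_history, event_time,
              window=timedelta(hours=2), tolerance=timedelta(seconds=5)):
    """Determination unit, steps S120 to S160.  Returns {tool: True} when a
    cyber attack may have occurred via that tool (S160) and {tool: False}
    when every recorded operation matches the operation history (S150)."""
    verdicts = {}
    for tool, ops in estimate_event_related_tools(operation_record, event_time, window).items():
        info = TOOL_INFO[tool]
        # S120: attack usage frequency higher than legitimate usage -> S160 at once
        if FREQ_RANK[info["attack_freq"]] > FREQ_RANK[info["user_freq"]]:
            verdicts[tool] = True
            continue
        # S130/S140: otherwise every recorded operation must be explained by the history
        verdicts[tool] = not all(
            matches_operation_history(op, operation_history, tolerance) for op in ops
        )
    return verdicts


def attack_possible(verdicts):
    """Overall result passed to the output unit in S170: any tool judged at S160."""
    return any(verdicts.values())


# Constructed sample data for one security-related event on a terminal device 21.
EVENT_TIME = datetime(2020, 1, 17, 10, 0, 0)
SAMPLE_RECORD = [  # OS-level operation record
    Operation(datetime(2020, 1, 17, 7, 0, 0), "net use", r"net use \\fileserver\share"),  # outside window
    Operation(datetime(2020, 1, 17, 9, 30, 0), "tasklist", "tasklist /v"),
    Operation(datetime(2020, 1, 17, 9, 40, 0), "ipconfig", "ipconfig /all"),
    Operation(datetime(2020, 1, 17, 9, 58, 0), "notepad", "notepad"),  # not registered in T10
]
SAMPLE_HISTORY = [  # hardware-based input operation record of the legitimate user
    Operation(datetime(2020, 1, 17, 9, 40, 2), "ipconfig", "ipconfig /all"),
]

if __name__ == "__main__":
    result = determine(SAMPLE_RECORD, SAMPLE_HISTORY, EVENT_TIME)
    print(result, "attack possible:", attack_possible(result))
```

With the page's frequencies, tasklist and net use go straight from S120 to S160, so the operation-history comparison only decides the outcome for tools whose attack usage frequency does not exceed their legitimate usage frequency; that comparison is only as reliable as the tamper resistance of the operation history source described above.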
  • In Embodiment 2, an example of estimating an attack route using an attack tree is described.
  • An attack tree is tree-structured information in which the threat that is the ultimate target of the cyber attack is the root node, and the attacks that may be executed in stages until the threat of the root node is realized are the leaf nodes or internal nodes connected to the root node.
  • The attack route estimation according to the present embodiment determines, for each node constituting the attack tree, whether or not an attack route via that node is established, and estimates the attack route by connecting the nodes determined to be passed through, based on the connection relationships between the nodes.
  • the difference from the first embodiment will be mainly described. The matters not explained below are the same as those in the first embodiment.
  • FIG. 6 is a functional configuration diagram of the attack estimation device 10 according to the present embodiment.
  • the attack estimation device 10 newly includes a route estimation unit 112 and an attack tree information storage unit 122.
  • the route estimation unit 112 estimates the attack route based on the attack tree information. A detailed explanation of the attack tree information will be described later.
  • The "unit" of the route estimation unit 112 may be read as "circuit", "process", "procedure", or "processing". Further, when the attack estimation device 10 is realized by a processing circuit, the route estimation unit 112 is realized as a part of the processing circuit.
  • the attack tree information storage unit 122 is a storage area for storing attack tree information. Further, the attack tree information storage unit 122 is realized by the memory device 12 and the auxiliary storage device 13.
  • In addition to the information received in the first embodiment, the receiving unit 100 also receives attack information about a cyber attack confirmed to have occurred in the target system 20.
  • The attack information indicates the attacked terminal device and the attack means.
  • the same components as those in the first embodiment are designated by the same numbers, and the description thereof will be omitted.
  • FIG. 7 shows an example of the attack tree information T20 according to the present embodiment.
  • the attack tree information storage unit 122 stores the attack tree information T20 shown in FIG. 7.
  • the attack tree information T20 is composed of a plurality of node information.
  • the node information indicates the terminal device to be attacked, the attack means, and the connection relationship between the nodes.
  • As the node information, the following are shown in order from the leftmost column: the node ID, which is the identifier of the node; the device ID, which is the identifier of the terminal device 21 targeted by the attack; the branching condition to the child nodes located below the node; the parent node ID of the parent node located above the node; and the attack means.
  • The branching condition to the child nodes is OR or AND.
  • When the branching condition is OR, an attack route via at least one of the plurality of child nodes may be established. When the branching condition is AND, an attack route passing through all of the plurality of child nodes may be established.
  • As a specific example, the attack that is the final target of the cyber attack is registered as node ID: 1, device ID: D, branching condition: - (no branching condition), parent node ID: - (no parent node), attack means: deletion of customer information.
  • One of the attacks that may be executed in stages until the final target attack is registered as node ID: 1,1, device ID: D, branching condition: OR, parent node ID: 1, attack means: intrusion using "OS vulnerability X".
  • A node whose node ID is represented by a single integer is a root node. Therefore, node ID: 1 indicates a root node.
  • A node whose node ID is represented by two or more integers separated by commas, such as node ID: 1,1, is a leaf node or an internal node, not a root node.
  • FIG. 8 shows an attack tree 200 represented based on the attack tree information T20.
  • The attack tree 200 is a tree having node ID: 1 as the root node at its apex, the leaf nodes and internal nodes with node IDs 1,1 to 1,1,1,1,1,1, and their connection relationships. The attack route is shown by connecting the leaf nodes and internal nodes determined to be passed through to the root node based on the connection relationships between the nodes.
  • The attack tree information T20 is information registered in advance by the administrator of the attack estimation system 1 or a security expert. In the present embodiment, one attack tree information T20 is registered for the target system 20, but the present invention is not limited to this; a plurality of attack tree information T20 may be prepared and registered, one for each attack that is the final target of a cyber attack.
  • the route estimation unit 112 starts the attack route estimation when the reception unit 100 receives the attack information via the communication interface 16.
  • the trigger for starting the attack route estimation is not limited to the reception of the attack information of the receiving unit 100, and the determination that there is a possibility of an attack by the determination unit 111 in the attack estimation may be used.
  • step S200 the receiving unit 100 receives the attack information. Then, the receiving unit 100 notifies the processing unit 101 of the received attack information.
  • In step S210, the route estimation unit 112 checks whether or not the attack information received by the receiving unit 100 relates to a terminal device 21 registered in the system configuration information storage unit 120. If so, the route estimation unit 112 refers to the attack tree information T20 stored in the attack tree information storage unit 122, searches it, and extracts the root node corresponding to the attack information received by the receiving unit 100.
  • If the attack information received by the receiving unit 100 does not relate to a terminal device 21 registered in the system configuration information storage unit 120, the route estimation unit 112 waits until information of a registered terminal device 21 is received.
  • When the attack route estimation has instead been started by the determination unit 111 determining that there is a possibility of an attack, the route estimation unit 112 searches the attack tree information T20 and extracts the root node corresponding to the terminal device 21 on which the attack estimation was performed and to the estimated event-related tool. If a root node can be extracted, the process proceeds to step S220. If there is no corresponding root node and none can be extracted, the process proceeds to step S270.
  • step S220 the route estimation unit 112 selects one root node from the extracted root nodes.
  • the route estimation unit 112 selects one unselected root node from the extracted root nodes.
  • the route estimation unit 112 may select the node IDs in ascending order of numbers.
  • In step S230, the route estimation unit 112 designates one of the descendant nodes of the selected root node.
  • Specifically, the route estimation unit 112 designates one of the descendant nodes of the selected root node for which the establishment determination of the attack route via the node has not yet been performed.
  • The route estimation unit 112 may designate the nodes in ascending order of node ID.
  • In step S240, the route estimation unit 112 determines whether an attack route via the designated node is established. Specifically, the route estimation unit 112 checks whether the attack information received by the receiving unit 100 contains information corresponding to the attack indicated by the designated node. If it does, the route estimation unit 112 determines that the attack route via the node is established. If it does not, the route estimation unit 112 notifies the tool estimation unit 110 to perform attack estimation on the terminal device 21 indicated by the designated node, and the attack estimation is started.
  • If the attack estimation estimates that there is a possibility of the attack indicated by the designated node, the route estimation unit 112 determines that the attack route via the node is established. If it estimates that there is no such possibility, the route estimation unit 112 determines that the attack route via the node is not established. In addition, attack routes via all descendant nodes of a node determined not to be established are also determined not to be established.
  • step S250 the route estimation unit 112 determines whether or not the next designated node exists among the descendant nodes of the selected root node. Specifically, the route estimation unit 112 confirms whether or not there is a node among the descendant nodes of the selected root node that has not performed the establishment determination of the attack route via the node in step S240. Then, if there is a node that has not performed the establishment determination of the attack route via the node, the process returns to step S230. On the other hand, if there is no node for which the route estimation unit 112 has not executed the establishment determination of the attack route via the node, the process proceeds to step S260.
  • step S260 the route estimation unit 112 determines whether or not the root node to be selected next exists. Specifically, the route estimation unit 112 confirms whether or not there is a root node not selected in the process of step S220 among the root nodes extracted in the process of step S210. Then, if there is a root node that has not been selected, the process returns to step S220. On the other hand, if there is no unselected root node, the process proceeds to step S270.
  • step S270 the route estimation unit 112 notifies the output unit 102 of the node information of the root node and the descendant node that is supposed to pass through as a result of the attack route estimation. Then, the output unit 102 connects the root node and a plurality of descendant nodes that are supposed to pass through based on the result of the attack route estimation notified to the route estimation unit 112 based on the connection relationship between the nodes. The route is output to the display device 17 as an estimated attack route. Further, the output unit 102 may store the estimated attack route in the auxiliary storage device 13, or may transmit the estimated attack route to the connection destination via the communication interface 16.
  • the output unit 102 may divide one attack route into a plurality of attack routes and output it based on the branching condition between the parent node and the child node. As a specific example, when a parent node and a plurality of child nodes whose branching conditions between nodes are OR exist in the estimated attack route, even if a plurality of attack routes branched to each child node are output respectively. good.
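The route estimation of steps S210 through S270, written out as an added Python example. This is not code from the patent or from Mitsubishi Electric; the attack tree, the confirmed attack information and the terminal names are constructed for illustration. Two points the description leaves open are assumptions here: attack estimation on a node's terminal (the work of tool estimation unit 110 and determination unit 111) is modelled as a callback that returns whether the attack is possible, and an AND branch keeps all established children on one route without requiring every child to be established. The example also records which nodes trigger attack estimation, so the pruning of descendants under a non-established node can be checked.

```python
"""Embodiment 2, steps S210 to S270: attack-route estimation over an attack tree (added example)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

Attack = Tuple[str, str]   # (terminal device, attack name) as carried in attack information


@dataclass
class Node:
    node_id: str
    terminal: str
    attack: str
    branch: str = "AND"                 # condition joining this node's children: "AND" or "OR"
    children: List["Node"] = field(default_factory=list)


class RouteEstimator:
    def __init__(self, confirmed: Set[Attack], estimate_attack: Callable[[str, str], bool]):
        self.confirmed = confirmed               # attack information received by reception unit 100
        self.estimate_attack = estimate_attack   # stands in for units 110 and 111 (assumption)
        self.established: Dict[str, bool] = {}

    def _is_established(self, node: Node) -> bool:
        """S240: confirmed attack information, otherwise attack estimation on the node's terminal."""
        if (node.terminal, node.attack) in self.confirmed:
            return True
        return self.estimate_attack(node.terminal, node.attack)

    def _visit(self, node: Node) -> None:
        """S230/S240 for one designated node; S250 is the recursion over descendants."""
        ok = self._is_established(node)
        self.established[node.node_id] = ok
        if ok:
            for child in node.children:
                self._visit(child)
        else:
            self._prune(node)           # every descendant of a non-established node is not established

    def _prune(self, node: Node) -> None:
        for child in node.children:
            self.established[child.node_id] = False
            self._prune(child)

    def _routes(self, node: Node) -> List[List[str]]:
        """S270: connect root and established descendants; split on OR branches."""
        kids = [c for c in node.children if self.established[c.node_id]]
        if not kids:
            return [[node.node_id]]
        if node.branch == "OR":
            return [[node.node_id] + r for c in kids for r in self._routes(c)]
        routes = [[node.node_id]]       # AND (assumption): all established children on one route
        for c in kids:
            routes = [r + sub for r in routes for sub in self._routes(c)]
        return routes

    def estimate(self, roots: List[Node]) -> List[List[str]]:
        """S220 to S260: visit every root; S270: emit routes for established roots."""
        self.established = {}
        routes: List[List[str]] = []
        for root in roots:
            self._visit(root)
            if self.established[root.node_id]:
                routes.extend(self._routes(root))
        return routes


def sample_tree() -> List[Node]:
    """Constructed attack tree 200: a phishing root with two alternative (OR) continuations."""
    n4 = Node("N4", "PC-002", "remote logon")
    n5 = Node("N5", "PC-002", "net use share")
    n6 = Node("N6", "PC-003", "beacon")
    n2 = Node("N2", "PC-001", "credential harvest", "AND", [n4, n5])
    n3 = Node("N3", "PC-001", "drive-by download", "AND", [n6])
    return [Node("R1", "PC-001", "malicious mail opened", "OR", [n2, n3])]


def run(confirmed: Set[Attack], possible: Set[Attack]):
    """Run estimation with a recording callback; `possible` is what attack estimation would say."""
    calls: List[Attack] = []

    def estimate_attack(terminal: str, attack: str) -> bool:
        calls.append((terminal, attack))
        return (terminal, attack) in possible

    estimator = RouteEstimator(confirmed, estimate_attack)
    routes = estimator.estimate(sample_tree())
    return routes, estimator.established, calls


if __name__ == "__main__":
    routes, established, calls = run(
        {("PC-001", "malicious mail opened"), ("PC-002", "net use share")},
        {("PC-001", "credential harvest"), ("PC-002", "remote logon")})
    print("routes:", routes)
    print("estimation requests:", calls)
```

With the sample input, the root and N5 are confirmed from attack information, N2 and N4 are established by estimation, N3 is rejected, and N6 is marked not established without any estimation request, which is the pruning rule of step S240. Marking N3 as possible as well yields two routes, one per OR child, which is the split output option of step S270.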
  • As described above, in the present embodiment the attack route can be estimated by connecting confirmed attacks and estimated attacks according to the relationships between attacks expressed in the attack tree. Therefore, according to the present embodiment, a complex cyber attack event consisting of a multi-stage attack, including stages in which a legitimate tool is used for the cyber attack, can be detected.
  • an example of estimating the attack route using the received attack information has been described.
  • the present invention is not limited to this, and the attack estimation device 10 may have a function of collecting attack information, and the attack route may be estimated using the collected attack information.
  • 1 attack estimation system, 10 attack estimation device, 11 processor, 12 memory device, 13 auxiliary storage device, 14 drive device, 15 recording medium, 16 communication interface, 17 display device, 20 target system, 21 terminal device, 30 network, 100 reception unit, 101 processing unit, 102 output unit, 110 tool estimation unit, 111 determination unit, 112 route estimation unit, 120 system configuration information storage unit, 121 tool information storage unit, 122 attack tree information storage unit, 200 attack tree, T10 tool information, T20 attack tree information.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)

Abstract

When it is detected that an event relating to the security of a terminal device on which one or more tools are installed has occurred in that terminal device, a tool estimation unit (110) estimates an event-involved tool, which is a tool among the one or more tools that may have been involved in the occurrence of the event. Further, when such an event is detected, an assessment unit (111) uses the event-involved tool estimated by the tool estimation unit to assess the possibility that the event occurred due to a cyberattack.

Description

Attack estimation device, attack estimation method, and attack estimation program
This disclosure relates to an attack estimation device, an attack estimation method, and an attack estimation program.
Due to changes in the environment surrounding companies in recent years, corporate information security risks have diversified and changed in nature. Today, information security incidents that lead to trouble involving information assets, such as leakage of important information through cyber attacks, unauthorized access, and system failures, occur frequently, and it has become difficult to completely prevent them. Therefore, in addition to security monitoring, companies are required to have a high capability to respond when an incident occurs, for example by strengthening their internal rules and controls.
If the response to an incident is delayed, the damage spreads and the loss suffered by the company becomes enormous. Therefore, when an information-security-related event that may be an information security incident is detected, the company must promptly determine whether the event was caused by a cyber attack. Furthermore, if it determines that the event was caused by a cyber attack, the company must promptly identify the infection route, take measures to prevent the spread of damage, and maintain its business.
However, security personnel with the advanced skills needed to respond immediately to incidents caused by sophisticated threats are scarce, and how to respond quickly with limited personnel when an event that may be an incident occurs has become a challenge. Against this background, technologies that provide a high response capability even without highly skilled personnel have been proposed.
In Patent Document 1, behavior patterns that indicate traces of a cyber attack are registered in advance, and the behavior of processes running on a terminal is recorded. A method is proposed that detects an attack event by determining that an attack has been carried out when behavior matching a registered behavior pattern is found in the record.
Patent Document 1: Japanese Unexamined Patent Publication No. 2010-092174
Patent Document 1 is a signature-based method: information indicating the traces that remain when a cyber attack occurs is defined in advance, and an attack event is detected by checking whether the logs recorded on a device contain information matching those traces. However, a signature-based method has the problem that it cannot properly detect a cyber attack event when a tool installed as standard in the OS (Operating System) or a tool whose use is approved within a company or the like (hereinafter, a legitimate tool) is abused.
As a specific example, in a detection method that uses the operation patterns of legitimate tools, operation of a legitimate tool by a legitimate user's activity may coincide with an attack operation pattern, producing a false detection of an attack event. Conversely, legitimate-tool operations caused by a cyber attack may be mixed in with legitimate-tool operations caused by legitimate users, so that the attack pattern is not discovered and the attack event is missed.
One of the main objects of this disclosure is to solve the above problem: to properly detect a cyber attack event even when a legitimate tool is used for the cyber attack.
The attack estimation device according to the present disclosure includes:
a tool estimation unit that, when it is detected that an event relating to the security of a terminal device on which one or more tools are installed has occurred in the terminal device, estimates an event-involved tool, which is a tool among the one or more tools that may have been involved in the occurrence of the event; and
a determination unit that, using the event-involved tool estimated by the tool estimation unit, determines the possibility that the event occurred due to a cyber attack.
According to this disclosure, a cyber attack event can be properly detected even when a legitimate tool is used for the cyber attack.
FIG. 1 is a diagram showing a configuration example of the attack estimation system according to Embodiment 1.
FIG. 2 is a diagram showing a hardware configuration example of the attack estimation device according to Embodiment 1.
FIG. 3 is a diagram showing a functional configuration example of the attack estimation device according to Embodiment 1.
FIG. 4 is a diagram showing an example of the tool information according to Embodiment 1.
FIG. 5 is a flowchart showing an operation example of the attack estimation device according to Embodiment 1.
FIG. 6 is a diagram showing a functional configuration example of the attack estimation device according to Embodiment 2.
FIG. 7 is a diagram showing an example of the attack tree information according to Embodiment 2.
FIG. 8 is a diagram showing an example of the attack tree according to Embodiment 2.
FIG. 9 is a flowchart showing an operation example of the attack estimation device according to Embodiment 2.
Hereinafter, embodiments will be described with reference to the drawings. In the following description of the embodiments and in the drawings, the same reference signs denote the same or corresponding parts.
In Embodiment 1, an example is described that assumes the task of detecting cyber attack events as part of SOC (Security Operation Center) operations.
Embodiment 1.
*** Explanation of configuration ***
FIG. 1 is a diagram showing the configuration of the attack estimation system 1 according to the present embodiment.
The attack estimation system 1 includes an attack estimation device 10, a target system 20, and a network 30.
The attack estimation device 10 performs attack estimation, that is, it estimates whether a security-related event that occurred in the target system 20 was caused by a cyber attack. The attack estimation device 10 and the target system 20 are connected to each other via the network 30.
The operation procedure of the attack estimation device 10 corresponds to the attack estimation method, and the program that realizes the operation of the attack estimation device 10 corresponds to the attack estimation program.
The target system 20 includes one or more terminal devices 21. A terminal device 21 is installed in a company, a school, or the like and is used by legitimate users. Specific examples of the terminal device 21 are a PC (Personal Computer), a server, a workstation, a tablet, a smartphone, and a mobile phone.
The network 30 is an information communication network for data communication between devices. Specific examples of the network 30 are a local area network of a company or a school, a wide area network, and the Internet.
FIG. 2 is a diagram showing a hardware configuration example of the attack estimation device 10 according to the present embodiment.
The attack estimation device 10 is a computer. As hardware, the attack estimation device 10 includes a processor 11, a memory device 12, an auxiliary storage device 13, a drive device 14, a communication interface 16, and a display device 17, which are connected to each other by signal lines.
The processor 11 is an IC (Integrated Circuit) that performs processing. Specific examples of the processor 11 are a CPU (Central Processing Unit) and a DSP (Digital Signal Processor).
The memory device 12 temporarily stores data. A specific example of the memory device 12 is a RAM (Random Access Memory).
The auxiliary storage device 13 stores data. A specific example of the auxiliary storage device 13 is a hard disk.
The auxiliary storage device 13 may also be a portable recording medium such as an SSD (registered trademark, Solid State Drive), an SD (registered trademark, Secure Digital) memory card, CF (registered trademark, CompactFlash), NAND flash, a flexible disk, an optical disk, a compact disk, a Blu-ray (registered trademark) disk, or a DVD (registered trademark, Digital Versatile Disk).
A program that realizes the functions of the reception unit 100, the processing unit 101, and the output unit 102, described later, is installed in the auxiliary storage device 13. When a program start instruction is given, this program is loaded from the auxiliary storage device 13 into the memory device 12, read by the processor 11, and executed.
An OS is also stored in the auxiliary storage device 13, and at least a part of the OS is executed by the processor 11.
The processor 11 executes the program that realizes the functions of the reception unit 100, the processing unit 101, and the output unit 102 while executing at least a part of the OS.
By executing the OS, the processor 11 performs task management, memory management, file management, communication control, and the like.
At least one of the information, data, signal values, and variable values indicating the results of the processing by the reception unit 100, the processing unit 101, and the output unit 102 is stored in at least one of the processor 11 (its registers or cache memory), the memory device 12, and the auxiliary storage device 13.
The drive device 14 transfers data.
The recording medium 15 is a portable recording medium that stores the program realizing the functions of the reception unit 100, the processing unit 101, and the output unit 102. Specific examples are a hard disk, an SSD (registered trademark), an SD (registered trademark) memory card, CF (registered trademark), NAND flash, a flexible disk, an optical disk, a compact disk, a Blu-ray (registered trademark) disk, and a DVD (registered trademark).
The recording medium 15 storing the program is set in the drive device 14, and when a program installation instruction is given, the program is installed from the recording medium 15 into the auxiliary storage device 13 via the drive device 14.
However, the program does not necessarily have to be installed from the recording medium 15; it may instead be downloaded from another computer via the network 30 or the like.
The communication interface 16 is an electronic circuit that executes data communication with a connection destination. Specific examples of the communication interface 16 are a communication chip for Ethernet (registered trademark) and a NIC (Network Interface Card).
The display device 17 displays the results of attack estimation by the attack estimation device 10 and the like.
The attack estimation device 10 may be composed of a plurality of computers each having hardware as shown in FIG. 2. That is, the processing executed by the attack estimation device 10 may be distributed across a plurality of computers.
FIG. 3 is a diagram showing a functional configuration example of the attack estimation device 10 according to the present embodiment.
The attack estimation device 10 includes a reception unit 100, a processing unit 101, an output unit 102, a system configuration information storage unit 120, and a tool information storage unit 121. The processing unit 101 includes a tool estimation unit 110 and a determination unit 111.
The reception unit 100 receives a notification that a security-related event has been detected, together with the operation history and the operation record of the tools on the terminal device 21 in which the event occurred.
The processing unit 101 performs attack estimation for the security-related event that occurred in the terminal device 21.
The tool estimation unit 110 estimates, based on the operation record of the tools and the tool information, an event-involved tool, which is a legitimate tool that may have been involved in the security-related event that occurred in the terminal device 21.
The processing performed by the tool estimation unit 110 corresponds to the tool estimation process.
The determination unit 111 uses the event-involved tool estimated by the tool estimation unit 110 to determine the possibility that the security-related event in the terminal device 21 occurred due to a cyber attack.
The processing performed by the determination unit 111 corresponds to the determination process.
The output unit 102 outputs the result estimated by the processing unit 101.
The system configuration information storage unit 120 stores information on the terminal devices 21 belonging to the target system 20.
The tool information storage unit 121 stores tool information on legitimate tools, that is, tools installed as standard on the terminal device 21 or tools whose use in ordinary business is approved. Details of the tool information are described later.
The system configuration information storage unit 120 and the tool information storage unit 121 are realized by the memory device 12 and the auxiliary storage device 13.
The "unit" in the reception unit 100, the processing unit 101, and the output unit 102 may be read as "circuit", "step", "procedure", or "process".
The attack estimation device 10 may also be realized by a processing circuit. The processing circuit is, for example, a logic IC (Integrated Circuit), a GA (Gate Array), an ASIC (Application Specific Integrated Circuit), or an FPGA (Field-Programmable Gate Array).
In this case, the reception unit 100, the processing unit 101, and the output unit 102 are each realized as a part of the processing circuit.
In this specification, the generic concept covering both a processor and a processing circuit is referred to as "processing circuitry".
That is, a processor and a processing circuit are each specific examples of "processing circuitry".
FIG. 4 shows an example of the tool information T10 according to the present embodiment.
The tool information storage unit 121 stores the tool information T10 shown in FIG. 4.
In the example of FIG. 4, the tool information T10 shows, in order from the leftmost column, a tool ID that identifies the legitimate tool, the name of the legitimate tool, the frequency with which the legitimate tool has been used in cyber attacks in the past, and the frequency with which the legitimate tool has been used by legitimate users in the past.
The tool information T10 is registered in advance by the administrator of the attack estimation system 1, a security expert, or the like.
The frequency of use in cyber attacks and the frequency of use by legitimate users are determined based on information gathered by the administrator of the attack estimation system 1, a security expert, or the like.
In the present embodiment, one tool information table T10 is registered for the target system 20, but this is not a limitation: a plurality of tool information tables T10 may be prepared and registered, for example one per terminal device 21 or one per site where a plurality of terminal devices 21 are installed.
In the example of FIG. 4, tasklist, a standard Windows (registered trademark) command-line tool, is registered with tool ID A50020, tool name tasklist, attack usage frequency high, and legitimate-user usage frequency low. Likewise, net use is registered with tool ID A50021, tool name net use, attack usage frequency high, and legitimate-user usage frequency low.
In the example of FIG. 4, the usage frequency takes one of two values, high or low, but this is not a limitation: more than two levels may be used, or a numerical value may be used.
*** Explanation of operation ***
Next, an operation example of the attack estimation device 10 according to the present embodiment is described with reference to the flowchart of FIG. 5.
In the present embodiment, an example is described in which the attack estimation device 10 receives a notification of a security-related event in the terminal device 21 together with the operation history and the operation record of the tools installed on the terminal device 21, and performs attack estimation.
The operation history is the history of a legitimate user of the terminal device 21 operating the tools. As a specific example, it is an operation history recorded by a hardware-based input operation recording device or the like, which is difficult for the malware of a cyber attack to tamper with. Alternatively, the operation history may be one recorded when a confirmation dialog is displayed at the time a tool is operated and the user permits the operation on the GUI (Graphical User Interface).
The operation record is the record of the tools' behavior recorded at the OS level.
First, in step S100, the reception unit 100 receives a notification that a security-related event has occurred. The reception unit 100 also receives the operation history and the operation record of the tools.
The reception unit 100 then passes the received notification, operation history, and operation record to the processing unit 101.
Next, in step S110, the tool estimation unit 110 checks whether the information received by the reception unit 100 concerns a terminal device 21 registered in the system configuration information storage unit 120.
If the tool estimation unit 110 confirms that the received information belongs to a terminal device 21 registered in the system configuration information storage unit 120, it searches the operation record received by the reception unit 100 and extracts the tools that were operated during a fixed period before the event occurred. The fixed period is a period specified in advance by the operator, for example several hours or several days.
The tool estimation unit 110 then refers to the tool information T10 stored in the tool information storage unit 121 and estimates, among the extracted tools, those registered in the tool information T10 to be event-involved tools that may have been involved in the event. As the estimation result, the tool estimation unit 110 notifies the determination unit 111 of each event-involved tool's name, its past frequency of use in cyber attacks, and its past frequency of use by legitimate users.
If, on the other hand, the tool estimation unit 110 confirms that the received information does not concern a terminal device 21 registered in the system configuration information storage unit 120, it waits until information on a registered terminal device 21 is received.
Next, in step S120, the determination unit 111 determines the possibility that the event occurred due to a cyber attack, based on the event-involved tool estimation result notified by the tool estimation unit 110.
Specifically, the determination unit 111 compares the event-involved tool's past frequency of use in cyber attacks with its past frequency of use by legitimate users. If the frequency of use in cyber attacks is higher than the frequency of use by legitimate users, the process proceeds to step S160.
If, on the other hand, the frequency of use in cyber attacks is equal to or lower than the frequency of use by legitimate users, the process proceeds to step S130.
In the present embodiment, the determination unit 111 determines the possibility that the event occurred due to a cyber attack based on both the past frequency of use in cyber attacks and the past frequency of use by legitimate users. This is not a limitation, however: the determination unit 111 may determine the possibility based only on the past frequency of use in cyber attacks.
 次に、ステップS130では、判定部111は、事象関与ツールの操作履歴と動作記録とを確認する。
 より具体的には、判定部111は、操作履歴の事象関与ツールの操作時刻及び操作内容と事象関与ツールの動作時刻及び動作内容とを確認する。
Next, in step S130, the determination unit 111 confirms the operation history and the operation record of the event-related tool.
More specifically, the determination unit 111 confirms the operation time and operation content of the event-related tool in the operation history and the operation time and operation content of the event-related tool.
Next, in step S140, the determination unit 111 determines, based on the result of checking the operation history against the operation record of the event-related tool, whether the recorded actions of the event-related tool match actions resulting from operations by a legitimate user.
If the recorded actions of the event-related tool match actions resulting from operations by a legitimate user, the process proceeds to step S150.
On the other hand, if the recorded actions of the event-related tool do not match actions resulting from operations by a legitimate user, the process proceeds to step S160.
Next, in step S150, the determination unit 111 determines that the event-related tool was not involved in the event and that there is no possibility that a cyber attack has occurred. The determination unit 111 then notifies the output unit 102 of the determination result.
Next, in step S160, the determination unit 111 determines that the event-related tool was involved in the event and that a cyber attack may have occurred. The determination unit 111 then notifies the output unit 102 of the determination result.
Then, in step S170, the output unit 102, having received the notification from the determination unit 111, outputs the estimation result to the display device 17. The output unit 102 may also store the estimation result in the auxiliary storage device 13, or may transmit the estimation result to a connected destination via the communication interface 16.
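Steps S120 to S160 above, as an added example that is not part of the patent: it runs the S120 frequency comparison and then the S130/S140 check of the operation record against the operation history. The data classes, the matching rule (a recorded action is explained only by a user operation with the same time and content) and the sample tools and log entries are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ToolEstimate:
    """What the tool estimation unit 110 hands over for one event-related tool; the two counts are the
    past-use frequencies that the determination unit 111 compares in S120 (shape assumed here)."""
    name: str
    attack_use_count: int  # how often this tool was used in cyber attacks in the past
    legit_use_count: int   # how often legitimate users used this tool in the past


@dataclass(frozen=True)
class Entry:
    """One line of the operation history (a user operation) or of the operation record (an action the tool performed)."""
    time: str
    content: str


@dataclass
class Determination:
    tool: str
    step: str             # "S150": tool not involved, no attack; "S160": tool involved, attack possible
    attack_possible: bool
    reason: str


def step_s120(est: ToolEstimate) -> bool:
    """S120: True means the flow goes straight to S160 (attack use outweighs legitimate use)."""
    return est.attack_use_count > est.legit_use_count


def step_s140(history: List[Entry], record: List[Entry]) -> List[Entry]:
    """S130/S140: recorded tool actions that no user operation with the same time and content explains."""
    explained = set(history)
    return [r for r in record if r not in explained]


def determine(est: ToolEstimate, history: List[Entry], record: List[Entry]) -> Determination:
    """Steps S120 to S160 of the determination unit 111 for one event-related tool."""
    if step_s120(est):
        return Determination(est.name, "S160", True,
                             f"used in {est.attack_use_count} past attacks but only {est.legit_use_count} legitimate uses")
    unexplained = step_s140(history, record)
    if not unexplained:
        return Determination(est.name, "S150", False, "every recorded action matches a legitimate user operation")
    detail = ", ".join(f"{e.time} {e.content}" for e in unexplained)
    return Determination(est.name, "S160", True, f"recorded actions without a matching user operation: {detail}")


# Constructed sample data: two event-related tools with their operation history and operation record.
SAMPLE_TOOLS = [
    ToolEstimate("remote-shell-tool", attack_use_count=8, legit_use_count=2),
    ToolEstimate("file-sync-tool", attack_use_count=1, legit_use_count=40),
]
SAMPLE_LOGS: Dict[str, Tuple[List[Entry], List[Entry]]] = {
    "remote-shell-tool": ([], []),   # never reaches S130 because S120 already sends it to S160
    "file-sync-tool": (
        [Entry("09:00", "sync folder"), Entry("09:30", "sync folder")],                                # operation history
        [Entry("09:00", "sync folder"), Entry("09:30", "sync folder"), Entry("23:40", "sync folder")],  # operation record
    ),
}


def run_sample() -> List[Determination]:
    """S170 would output these results; here they are returned so the caller can inspect them."""
    return [determine(t, *SAMPLE_LOGS[t.name]) for t in SAMPLE_TOOLS]
```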
*** Explanation of the effect of the embodiment ***
As described above, in the present embodiment, when a security-related event is detected, a legitimate tool that may have been involved in the event is estimated. It is then determined whether or not the estimated legitimate tool may have been used in a cyber attack. Therefore, even when a legitimate tool is used for a cyber attack, the cyber attack event can be detected appropriately.
In the present embodiment, an example has been described in which attack estimation is triggered by the reception of information indicating that a security-related event has been detected. However, the present invention is not limited to this; the attack estimation device 10 may itself have a function for detecting security-related events on the terminal device 21, and attack estimation may be triggered by a detection by that function.
Embodiment 2.
In the present embodiment, an example of estimating an attack route using an attack tree will be described.
An attack tree is tree-structured information whose root node is the threat that is the final goal of a cyber attack, and whose leaf nodes and internal nodes, connected to the root node, are the attacks that may be executed in stages before the threat at the root node is brought about.
The attack route estimation according to the present embodiment is the process of determining, for each node constituting the attack tree, whether or not an attack route passing through that node is established, and estimating the attack route indicated by connecting the nodes determined to be passed through according to the connection relationships between the nodes.
In the present embodiment, mainly the differences from Embodiment 1 will be described.
Matters not described below are the same as in Embodiment 1.
FIG. 6 is a functional configuration diagram of the attack estimation device 10 according to the present embodiment.
In the present embodiment, the attack estimation device 10 additionally includes a route estimation unit 112 and an attack tree information storage unit 122.
The route estimation unit 112 performs attack route estimation based on the attack tree information. The attack tree information is described in detail later.
The "unit" of the route estimation unit 112 may be read as "circuit", "step", "procedure", or "process".
When the attack estimation device 10 is realized by a processing circuit, the route estimation unit 112 is realized as part of the processing circuit.
The attack tree information storage unit 122 is a storage area that stores the attack tree information. The attack tree information storage unit 122 is realized by the memory device 12 and the auxiliary storage device 13.
In the present embodiment, in addition to the information received in Embodiment 1, the receiving unit 100 also receives attack information on cyber attacks confirmed to have occurred in the target system 20. The attack information consists of the attacked terminal device and the attack means.
Components identical to those in Embodiment 1 are given the same reference numerals, and their description is omitted.
FIG. 7 shows an example of the attack tree information T20 according to the present embodiment.
The attack tree information storage unit 122 stores the attack tree information T20 shown in FIG. 7.
The attack tree information T20 is composed of a plurality of pieces of node information. Each piece of node information indicates the terminal device targeted by the attack, the attack means, and the connection relationship between nodes.
Specifically, in the example of the attack tree information T20 in FIG. 7, each piece of node information shows, from the leftmost column: the node ID, which is the identifier of the node; the device ID, which is the identifier of the terminal device 21 targeted by the attack; the branch condition to the child nodes located below the node; the parent node ID of the parent node located above the node; and the attack means.
The branch condition to the child nodes is either OR or AND. A branch condition of OR indicates that an attack route passing through at least one of the child nodes may be established. A branch condition of AND indicates that an attack route passing through all of the child nodes may be established.
In the example of FIG. 7, the attack that is the final goal of the cyber attack is registered as node ID: 1, device ID: D, branch condition: - (no branch condition), parent node ID: - (no parent node), attack means: delete customer information. One of the attacks that may be executed in stages before the final-goal attack is registered as node ID: 1,1, device ID: D, branch condition: OR, parent node ID: 1, attack means: intrusion using "OS vulnerability X".
In the example of FIG. 7, a node whose node ID is a single integer is a root node. Therefore, node ID: 1 denotes a root node. On the other hand, node ID: 1,1, whose node ID consists of two integers separated by a comma, denotes a leaf node or an internal node, not a root node.
FIG. 8 shows an attack tree 200 represented on the basis of the attack tree information T20. The attack tree 200 is a tree whose root node at the top is node ID: 1, and which is represented by the leaf nodes and internal nodes with node IDs 1,1 through 1,1,1,1,1,1 together with their connection relationships.
The attack route is then shown by connecting the leaf nodes and internal nodes determined to be passed through on the way to the root node, according to the connection relationships between the nodes.
The attack tree information T20 is information registered in advance by the administrator of the attack estimation system 1 or by a security expert.
In the present embodiment, one piece of attack tree information T20 is registered for the target system 20, but the present invention is not limited to this; a plurality of pieces of attack tree information T20, one for each attack that is the final goal of an attack, may be prepared and registered.
Next, an operation example of the attack estimation device 10 according to the present embodiment will be described with reference to the flowchart of FIG. 9.
In the present embodiment, an example is described in which the route estimation unit 112 starts attack route estimation when the receiving unit 100 receives attack information via the communication interface 16.
However, the trigger for starting attack route estimation is not limited to the reception of attack information by the receiving unit 100; a determination by the determination unit 111 during attack estimation that an attack is possible may also be used as the trigger.
First, in step S200, the receiving unit 100 receives attack information.
The receiving unit 100 then notifies the processing unit 101 of the received attack information.
Next, in step S210, the route estimation unit 112 confirms whether or not the attack information received by the receiving unit 100 concerns a terminal device 21 registered in the system configuration information storage unit 120.
If the route estimation unit 112 confirms that the attack information received by the receiving unit 100 concerns a terminal device 21 registered in the system configuration information storage unit 120, it refers to the attack tree information T20 stored in the attack tree information storage unit 122. The route estimation unit 112 then searches the attack tree information T20 and extracts the root nodes corresponding to the attack information received by the receiving unit 100.
On the other hand, if the route estimation unit 112 confirms that the attack information received by the receiving unit 100 does not concern a terminal device 21 registered in the system configuration information storage unit 120, it waits until information on a terminal device 21 is received.
When the determination of the attack estimation is used as the trigger for starting attack route estimation, the route estimation unit 112 searches the attack tree information T20 and extracts the root nodes corresponding to the terminal device 21 on which attack estimation was performed and to the attack means using the estimated event-related tool.
If a root node can be extracted, the process proceeds to step S220. On the other hand, if there is no root node corresponding to the attack information received by the receiving unit 100 and no root node can be extracted, the process proceeds to step S270.
Next, in step S220, the route estimation unit 112 selects one of the extracted root nodes.
When the process has returned from step S260, the route estimation unit 112 selects one root node that has not yet been selected from among the extracted root nodes.
When there are a plurality of selectable root nodes, the route estimation unit 112 may select them in ascending order of node ID.
Next, in step S230, the route estimation unit 112 designates one of the descendant nodes of the selected root node.
When the process has returned from step S250, the route estimation unit 112 designates, from among the descendant nodes of the selected root node, one descendant node for which the determination of whether an attack route via that node is established has not yet been performed.
When there are a plurality of designatable descendant nodes, the route estimation unit 112 may designate them in ascending order of node ID.
Next, in step S240, the route estimation unit 112 determines whether an attack route via the designated node is established.
Specifically, the route estimation unit 112 confirms whether or not the attack information received by the receiving unit 100 contains information corresponding to the attack indicated by the designated node.
If the route estimation unit 112 confirms that information corresponding to the attack indicated by the designated node exists, it determines that an attack route via the node is established.
On the other hand, if the route estimation unit 112 cannot confirm that information corresponding to the attack indicated by the designated node exists, it notifies the tool estimation unit 110 to perform attack estimation for the terminal device 21 indicated by the designated node, and attack estimation is started.
Since the attack estimation according to the present embodiment is the same process as in Embodiment 1, its description is omitted.
If, as a result of the attack estimation, the route estimation unit 112 estimates that the attack indicated by the designated node is possible, it determines that an attack route via the node is established.
On the other hand, if the route estimation unit 112 estimates that the attack indicated by the designated node is not possible, it determines that an attack route via the node is not established. It also determines that attack routes via all descendant nodes of a node determined not to be established are not established.
Next, in step S250, the route estimation unit 112 determines whether or not there is a node to be designated next among the descendant nodes of the selected root node.
Specifically, the route estimation unit 112 confirms whether or not, among the descendant nodes of the selected root node, there is a node for which the determination in step S240 of whether an attack route via the node is established has not yet been performed. If such a node exists, the process returns to step S230.
On the other hand, if there is no node for which the route estimation unit 112 has not yet performed the determination of whether an attack route via the node is established, the process proceeds to step S260.
Next, in step S260, the route estimation unit 112 determines whether or not there is a root node to be selected next.
Specifically, the route estimation unit 112 confirms whether or not, among the root nodes extracted in step S210, there is a root node that has not been selected in step S220.
If an unselected root node exists, the process returns to step S220.
On the other hand, if no unselected root node exists, the process proceeds to step S270.
Then, in step S270, the route estimation unit 112 notifies the output unit 102 of the node information of the root node and of the descendant nodes determined to be passed through, as the result of attack route estimation. Based on the result of attack route estimation notified by the route estimation unit 112, the output unit 102 outputs to the display device 17, as the estimated attack route, the attack route shown by connecting the root node and the plurality of descendant nodes determined to be passed through according to the connection relationships between the nodes.
The output unit 102 may also store the estimated attack route in the auxiliary storage device 13, or may transmit the estimated attack route to a connected destination via the communication interface 16.
The output unit 102 may also split one attack route into a plurality of attack routes based on the branch conditions between parent and child nodes, and output each of them. As a specific example, when the estimated attack route contains a parent node whose branch condition to its plurality of child nodes is OR, the plurality of attack routes branching to each child node may each be output separately.
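The attack tree information T20 and steps S210 to S270 above, as an added example that is not part of the patent: it parses node rows in the column order of FIG. 7, walks each extracted root node's descendants in ascending node ID order, establishes a node from the received attack information or from a stand-in for the Embodiment 1 attack estimation, prunes everything below an unestablished node, and splits the result into one route per OR branch. The '|' row format, the rule that a root node is extracted when the attack information matches any node of its tree, the MockEstimator, and every row beyond the two given in FIG. 7 are assumptions constructed for this example.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Set, Tuple

NodeId = Tuple[int, ...]
Attack = Tuple[str, str]  # (device ID, attack means): the "attack information" the receiving unit 100 gets

@dataclass(frozen=True)
class Node:
    node_id: NodeId
    device_id: str
    branch: Optional[str]        # "OR", "AND" or None (the '-' of FIG. 7: no branch condition)
    parent_id: Optional[NodeId]  # None for a root node
    means: str

def parse_node_id(text: str) -> Optional[NodeId]:
    """'1,1,2' -> (1, 1, 2); '-' -> None. A single integer denotes a root node."""
    text = text.strip()
    return None if text == "-" else tuple(int(p) for p in text.split(","))

def parse_t20(rows: str) -> Dict[NodeId, Node]:
    """Parse '|'-separated T20 rows (the '|' layout is a constructed serialisation of the FIG. 7 table)."""
    nodes: Dict[NodeId, Node] = {}
    for line in rows.strip().splitlines():
        nid, dev, branch, parent, means = (c.strip() for c in line.split("|"))
        node = Node(parse_node_id(nid), dev, None if branch == "-" else branch, parse_node_id(parent), means)
        nodes[node.node_id] = node
    return nodes

def children(nodes: Dict[NodeId, Node], nid: NodeId) -> List[NodeId]:
    """Child nodes in ascending node ID order, the order the text permits for S220/S230."""
    return sorted(n.node_id for n in nodes.values() if n.parent_id == nid)

def preorder(nodes: Dict[NodeId, Node], nid: NodeId) -> List[NodeId]:
    out = [nid]  # the node followed by all its descendants, each parent before its children
    for c in children(nodes, nid):
        out.extend(preorder(nodes, c))
    return out

class MockEstimator:
    """Constructed stand-in for the attack estimation of Embodiment 1; records what it was asked."""
    def __init__(self, possible: Set[Attack]):
        self.possible, self.calls = possible, []
    def __call__(self, device_id: str, means: str) -> bool:
        self.calls.append((device_id, means))
        return (device_id, means) in self.possible

def extract_roots(nodes: Dict[NodeId, Node], attack_info: Set[Attack]) -> List[NodeId]:
    """S210. Assumption: a root is extracted when the received attack information matches any node of its tree."""
    roots = sorted(n.node_id for n in nodes.values() if n.parent_id is None)
    return [r for r in roots
            if any((nodes[x].device_id, nodes[x].means) in attack_info for x in preorder(nodes, r))]

def split_routes(nodes: Dict[NodeId, Node], nid: NodeId, established: Set[NodeId]) -> List[frozenset]:
    """S270 option: one route per OR branch; the children of an AND node stay in a single route."""
    kids = [c for c in children(nodes, nid) if c in established]
    if not kids:
        return [frozenset([nid])]
    branches = [split_routes(nodes, c, established) for c in kids]
    if nodes[nid].branch == "AND":
        return [frozenset([nid]).union(*combo) for combo in product(*branches)]
    return [frozenset([nid]) | r for b in branches for r in b]

def estimate_routes(nodes: Dict[NodeId, Node], attack_info: Set[Attack], estimator) -> Dict[NodeId, List[frozenset]]:
    """Steps S210 to S270 for every extracted root node."""
    result: Dict[NodeId, List[frozenset]] = {}
    for root in extract_roots(nodes, attack_info):        # S220/S260: one root node at a time
        established, pruned = {root}, set()
        for nid in preorder(nodes, root)[1:]:             # S230/S250: one descendant node at a time
            n = nodes[nid]
            if n.parent_id in pruned:                     # S240: below an unestablished node, so not established
                pruned.add(nid)
            elif (n.device_id, n.means) in attack_info:   # S240: confirmed by the received attack information
                established.add(nid)
            elif estimator(n.device_id, n.means):         # S240: otherwise run attack estimation (Embodiment 1)
                established.add(nid)
            else:
                pruned.add(nid)
        result[root] = split_routes(nodes, root, established)
    return result

# Constructed T20: the first two rows are those of FIG. 7; the remaining rows are made up for this example.
SAMPLE_T20 = """
1       | D | -   | -     | delete customer information
1,1     | D | OR  | 1     | intrusion using OS vulnerability X
1,1,1   | C | AND | 1,1   | constructed step A
1,1,1,1 | A | -   | 1,1,1 | constructed step B
1,1,1,2 | B | -   | 1,1,1 | constructed step C
1,1,2   | B | -   | 1,1   | constructed step D
1,1,3   | A | -   | 1,1   | constructed step E
1,1,3,1 | A | -   | 1,1,3 | constructed step F
"""
SAMPLE_ATTACK_INFO: Set[Attack] = {("D", "intrusion using OS vulnerability X")}  # constructed: one confirmed attack
SAMPLE_ESTIMATOR = MockEstimator({("C", "constructed step A"), ("A", "constructed step B"), ("B", "constructed step C"),
                                  ("B", "constructed step D"), ("A", "constructed step F")})  # step E: no attack

def run_sample() -> Dict[NodeId, List[frozenset]]:
    return estimate_routes(parse_t20(SAMPLE_T20), SAMPLE_ATTACK_INFO, SAMPLE_ESTIMATOR)
```

With the constructed data the single root yields two routes, one through the AND node 1,1,1 with both of its children and one through 1,1,2, while node 1,1,3,1 is never sent to attack estimation because its parent was judged not established.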
As described above, in the present embodiment, an attack route can be estimated by using an attack tree to connect confirmed attacks and estimated attacks according to the relationships between the attacks. Therefore, according to the present embodiment, it is possible to detect the event of a compound cyber attack carried out as a multi-stage attack, including attacks in which a legitimate tool is used for the cyber attack.
In the present embodiment, an example has been described in which attack route estimation is performed using received attack information. However, the present invention is not limited to this; the attack estimation device 10 may have a function for collecting attack information, and attack route estimation may be performed using the collected attack information.
Although the embodiments have been described above, these two embodiments may be combined and implemented.
Alternatively, one of these two embodiments may be partially implemented.
Alternatively, these two embodiments may be partially combined and implemented.
The present invention is not limited to these embodiments, and various modifications can be made as needed.
1 attack estimation system, 10 attack estimation device, 11 processor, 12 memory device, 13 auxiliary storage device, 14 drive device, 15 recording medium, 16 communication interface, 17 display device, 20 target system, 21 terminal device, 30 network, 100 receiving unit, 101 processing unit, 102 output unit, 110 tool estimation unit, 111 determination unit, 112 route estimation unit, 120 system configuration information storage unit, 121 tool information storage unit, 122 attack tree information storage unit, 200 attack tree, T10 tool information, T20 attack tree information.

Claims (7)

  1.  An attack estimation device comprising:
     a tool estimation unit that, when it is detected that a security-related event has occurred in a terminal device in which one or more tools are installed, estimates an event-related tool, which is a tool among the one or more tools that may have been involved in the occurrence of the event; and
     a determination unit that determines, using the event-related tool estimated by the tool estimation unit, the possibility that the event has occurred due to a cyber attack.
  2.  The attack estimation device according to claim 1, wherein the determination unit determines the possibility that the event has occurred due to a cyber attack based on the frequency with which the event-related tool was used in cyber attacks in the past.
  3.  The attack estimation device according to claim 1, wherein the determination unit determines the possibility that the event has occurred due to a cyber attack by comparing the frequency with which the event-related tool was used in cyber attacks in the past with the frequency with which the event-related tool was used by legitimate users in the past.
  4.  The attack estimation device according to claim 1, wherein the determination unit determines the possibility that the event has occurred due to a cyber attack based on an operation history, which is a history of operations of the event-related tool in the terminal device, and an operation record, in which the actions of the event-related tool are recorded.
  5.  The attack estimation device according to claim 1, further comprising a route estimation unit that, when the determination unit determines that the event may have occurred due to the cyber attack, estimates the attack route of the cyber attack to the terminal device using an attack tree.
  6.  An attack estimation method comprising:
     when it is detected that a security-related event has occurred in a terminal device in which one or more tools are installed, estimating, by a computer, an event-related tool, which is a tool among the one or more tools that may have been involved in the occurrence of the event; and
     determining, by the computer, using the estimated event-related tool, the possibility that the event has occurred due to a cyber attack.
  7.  An attack estimation program that causes a computer to execute:
     a tool estimation process of, when it is detected that a security-related event has occurred in a terminal device in which one or more tools are installed, estimating an event-related tool, which is a tool among the one or more tools that may have been involved in the occurrence of the event; and
     a determination process of determining, using the event-related tool estimated by the tool estimation process, the possibility that the event has occurred due to a cyber attack.
PCT/JP2020/001555 2020-01-17 2020-01-17 Attack estimation device, attack estimation method, and attack estimation program WO2021144978A1 (en)

Publications (1)

Publication Number Publication Date
WO2021144978A1 true WO2021144978A1 (en) 2021-07-22
