WO2022091207A1 - Risk analysis device, analysis target element determination device, method, and computer-readable medium - Google Patents
- Publication number: WO2022091207A1 (PCT application PCT/JP2020/040219)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- analysis
- host
- attack
- virtual
- hosts
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/104—Grouping of entities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1491—Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- This disclosure relates to a risk analyzer, an analysis target element determination device, a risk analysis method, an analysis target element determination method, and a computer-readable medium.
- Patent Document 1 discloses a system comprising a security analysis system, an optimization device, and a coping function control device.
- The optimization device collects cyber attack information and system information from the security analysis system.
- The cyber attack information includes the type of cyber attack, the identifier of the attacker, the identifier of the victim, and the effective countermeasure (coping) function.
- The system information is information about the entire system, including the devices that have been attacked.
- The system information includes network configuration information, coping function information for each coping point on the network, and resource usage status information for each coping point.
- The optimization device identifies the attack route of the cyber attack from the collected cyber attack information and system information. More specifically, it looks up the collected IP (Internet Protocol) address of the attacker's terminal and the IP address of the victim's terminal in the network configuration information, and specifies the route from the attacker's terminal to the victim's terminal as the attack route.
- The optimization device extracts the devices on the attack route that have a coping function effective against the cyber attack as coping point candidates.
- The optimization device selects a coping point from the extracted candidates. It then outputs the selected coping point and the effective coping function to the coping function control device and causes that device to execute the coping function.
- An attack scenario includes, for example, the entry point used for the attack, the final attack target, and the type of the final attack.
- The security risk analysis device refers to the system configuration information, deductively infers the attack procedure from the attack conditions of the attack scenario, and searches for the attack route.
- A graph that shows the attack procedure along the attack route and the conditions of each step in graph form is called an "attack graph" or an "attack tree".
- In the attack graph generation described above, if the system to be analyzed contains a large number of hosts, the calculation cost required to generate the attack graph becomes enormous.
- The optimization device of Patent Document 1 merely specifies the route from the attacker's terminal to the victim's terminal as the attack route and does not infer the attack procedure, so Patent Document 1 offers no means of solving this problem. It is desirable to be able to perform risk analysis without an increase in calculation cost even when the system contains a large number of hosts.
- The analysis target element determination device of the present disclosure has: grouping means for grouping the plurality of hosts included in the analysis target system into a plurality of groups each including one or more hosts; virtual analysis element generation means for generating one or more virtual analysis elements for each of the plurality of groups; analysis means for analyzing, using the virtual analysis elements, whether an attack from the virtual analysis element of the group to which the start-point host of the attack belongs to the virtual analysis element of the group to which the end-point host of the attack belongs is possible; and analysis target element determination means for determining, based on the analysis result of the analysis means, the hosts corresponding to the virtual analysis elements included in the route on which the attack is performed as the targets of risk analysis.
- As a second aspect, the present disclosure provides a risk analysis device.
- The risk analysis device has: grouping means for grouping the plurality of hosts included in the system to be analyzed into a plurality of groups each including one or more hosts; virtual analysis element generation means for generating one or more virtual analysis elements for each of the plurality of groups; first analysis means for analyzing, using the virtual analysis elements, whether an attack from the virtual analysis element of the group to which the start-point host of the attack belongs to the virtual analysis element of the group to which the end-point host of the attack belongs is possible; analysis target element determination means for determining, based on that analysis result and among the hosts included in the analysis target system, the hosts corresponding to the virtual analysis elements included in the route on which the attack is performed as the targets of risk analysis; and second analysis means for analyzing, for the hosts so determined, whether an attack from the start-point host of the attack to the end-point host of the attack is possible.
- As a third aspect, the present disclosure provides an analysis target element determination method.
- The method includes: grouping the plurality of hosts included in the analysis target system into a plurality of groups each including one or more hosts; setting one or more virtual analysis elements for each of the plurality of groups; analyzing, using the virtual analysis elements, whether an attack from the virtual analysis element of the group to which the start-point host of the attack belongs to the virtual analysis element of the group to which the end-point host belongs is possible; and determining, based on the result of that analysis, the hosts corresponding to the virtual analysis elements included in the route on which the attack is performed as the targets of risk analysis.
- As a fourth aspect, the present disclosure provides a risk analysis method.
- The method includes: grouping the plurality of hosts included in the system to be analyzed into a plurality of groups each including one or more hosts; generating one or more virtual analysis elements for each of the plurality of groups; analyzing, using the virtual analysis elements, whether an attack from the virtual analysis element of the group to which the start-point host of the attack belongs to the virtual analysis element of the group to which the end-point host of the attack belongs is possible; determining, based on the result of that analysis and among the hosts included in the system to be analyzed, the hosts corresponding to the virtual analysis elements included in the route on which the attack is performed as the targets of risk analysis; and analyzing, for the hosts so determined, whether an attack from the start-point host of the attack to the end-point host of the attack is possible.
- As a fifth aspect, the present disclosure provides a computer-readable medium.
- The computer-readable medium stores a program that causes a computer to execute a process of: grouping the plurality of hosts included in the system to be analyzed into a plurality of groups each including one or more hosts; generating one or more virtual analysis elements for each of the plurality of groups; analyzing, using the virtual analysis elements, whether an attack from the virtual analysis element of the group to which the start-point host of the attack belongs to the virtual analysis element of the group to which the end-point host of the attack belongs is possible; and determining, based on the result of that analysis, the hosts corresponding to the virtual analysis elements included in the route on which the attack is performed as the targets of risk analysis.
- As a sixth aspect, the present disclosure provides a computer-readable medium.
- The computer-readable medium stores a program that causes a computer to execute a process of: grouping the plurality of hosts included in the system to be analyzed into a plurality of groups each including one or more hosts; generating one or more virtual analysis elements for each of the plurality of groups; analyzing, using the virtual analysis elements, whether an attack from the virtual analysis element of the group to which the start-point host of the attack belongs to the virtual analysis element of the group to which the end-point host of the attack belongs is possible; determining, based on the result of that analysis and among the hosts included in the system to be analyzed, the hosts corresponding to the virtual analysis elements included in the route on which the attack is performed as the targets of risk analysis; and analyzing, for the hosts so determined, whether an attack on the end-point host of the attack from the start-point host of the attack is possible.
- The risk analysis device and method, the analysis target element determination device and method, and the computer-readable medium according to the present disclosure can perform risk analysis even on a complex system without increasing the calculation cost.
- FIG. 1 shows the schematic configuration of a risk analysis device according to the present disclosure.
- The risk analysis device 10 includes grouping means 11, virtual analysis element generation means 12, analysis means 13, analysis target element determination means 14, and analysis means 15.
- The grouping means 11, the virtual analysis element generation means 12, the analysis means 13, and the analysis target element determination means 14 constitute the analysis target element determination device 20.
- The grouping means 11 groups the plurality of hosts included in the system to be analyzed into a plurality of groups each including one or more hosts.
- The virtual analysis element generation means 12 generates one or more virtual analysis elements for each of the plurality of groups.
- The analysis means (first analysis means) 13 uses the generated virtual analysis elements to analyze whether an attack from the virtual analysis element of the group to which the start-point host of the attack belongs to the virtual analysis element of the group to which the end-point host of the attack belongs is possible.
- The analysis target element determination means 14 determines, among the hosts included in the analysis target system, the hosts corresponding to the virtual analysis elements included in the attack route as the targets of risk analysis.
- The analysis means (second analysis means) 15 analyzes, for the hosts determined by the analysis target element determination means 14 as the targets of risk analysis, whether an attack from the start-point host of the attack to the end-point host of the attack is possible.
- In the present disclosure, the virtual analysis element generation means 12 generates a virtual analysis element in each group, and the analysis means 13 uses the virtual analysis elements to search for an attack route from the start point of the attack to the end point of the attack.
- The analysis target element determination means 14 then determines the hosts corresponding to the virtual analysis elements included in that attack route as the targets of the risk analysis in the analysis means 15. In this way, the present disclosure reduces the calculation cost in the analysis means 15 compared with performing the risk analysis on the entire system.
- FIG. 2 shows a risk analysis device according to an embodiment of the present disclosure.
- The risk analysis device 100 has a grouping unit 101, a representative host generation unit 102, a first risk analysis unit 103, an analysis target element determination unit 104, and a second risk analysis unit 105.
- The grouping unit 101, the representative host generation unit 102, the first risk analysis unit 103, and the analysis target element determination unit 104 constitute the analysis target element determination device 110.
- The risk analysis device 100 corresponds to the risk analysis device 10 shown in FIG. 1, and the analysis target element determination device 110 corresponds to the analysis target element determination device 20 shown in FIG. 1.
- The risk analysis device 100 analyzes the security risk of the system to be analyzed using the method of division analysis.
- Division analysis refers to analyzing the risk of the entire system by dividing the system into predetermined units, performing risk analysis on each division unit, and combining the risk analysis results of the division units.
- FIG. 3 shows a system analyzed by division analysis.
- The system has a host (host A) 200A, a host (host B) 200B, and a host (host C) 200C.
- Host 200A is the attack entry host and host 200C is the attack target host.
- In the division analysis, it is analyzed whether an attack from host 200A to host 200B is possible and whether an attack from host 200B to host 200C is possible.
- The risk analysis device 100 analyzes whether an attack from host 200A to host 200C is possible by combining the analysis result for hosts 200A and 200B with the analysis result for hosts 200B and 200C.
- FIG. 4 shows the analysis target of a division analysis.
- The host (host X) 200X is the start-point host of the division analysis, and the host (host Y) 200Y is the end-point host of the division analysis.
- Hosts 200X and 200Y each have three states: "code execution possible", "data stealing possible", and "data tampering possible".
- Each of the straight lines connecting a state of host 200X with a state of host 200Y represents one analysis unit (analysis target element).
- The start-point host and the end-point host may be the same host. In that case, it is analyzed, for example, whether each state of host 200X can transition to another state of host 200X.
- FIG. 5 shows an example of a division analysis result.
- The risk analysis device 100 takes "code can be executed on host A" as a precondition.
- From the system configuration information, the risk analysis device 100 obtains the information "network service X is running on host B", "host B is reachable from host A", and "network service X has an RCE (Remote Code Execution) vulnerability".
- From the state "code can be executed on host A" and the acquired information, the risk analysis device 100 derives the inference result "code can be executed on host B".
- In the division analysis between host 200B and host 200C, the risk analysis device 100 takes "code can be executed on host B" as a precondition.
- From the system configuration information, the risk analysis device 100 acquires the information "network service X is running on host C", "host C is reachable from host B", and "network service X has an RCE vulnerability".
- From the state "code can be executed on host B" and the acquired information, the risk analysis device 100 derives the inference result "code can be executed on host C". Connecting the results of the two division analyses yields the analysis result that, when code can be executed on host 200A, code can be executed on host 200C.
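The division analysis of FIG. 3 to FIG. 5 can be written as a small state-transition inference: each division unit yields the set of (start state, end state) pairs of FIG. 4 that an attacker can realise, and the units are joined on their shared host. The following Python is an added example written for this page, not code from the patent; the host names, the service X with its RCE vulnerability, the reachability set, and the rule that code execution on a host also allows data theft and tampering on that same host are assumptions made for the example.

```python
STATES = ("code_exec", "data_steal", "data_tamper")

# Constructed system configuration information (hypothetical; not the patent's data):
# each host lists its running network services and which of them carry an RCE vulnerability.
HOSTS = {
    "A": {"services": set(), "rce_vulns": set()},
    "B": {"services": {"X"}, "rce_vulns": {"X"}},
    "C": {"services": {"X"}, "rce_vulns": {"X"}},
}
# Host pairs (start, end) where the end host is reachable from the start host.
REACHABLE = {("A", "B"), ("B", "C")}


def segment_analysis(start, end, hosts=HOSTS, reachable=REACHABLE):
    """One division unit (FIG. 4): the set of (start_state, end_state) pairs for which
    an attacker in start_state on `start` can obtain end_state on `end`."""
    if start == end:
        # Same-host unit: every state persists, and code execution on a host is assumed
        # to let the attacker steal or tamper with that host's data (rule assumed here).
        return {(s, s) for s in STATES} | {("code_exec", "data_steal"),
                                            ("code_exec", "data_tamper")}
    transitions = set()
    vulnerable_services = hosts[end]["services"] & hosts[end]["rce_vulns"]
    if (start, end) in reachable and vulnerable_services:
        # FIG. 5 inference: code execution on start + end reachable from start
        # + RCE-vulnerable service running on end  =>  code execution on end.
        transitions.add(("code_exec", "code_exec"))
    return transitions


def compose(first, second):
    """Join two division results that share their middle host, state by state."""
    return {(a, c) for (a, b) in first for (b2, c) in second if b == b2}


def chain(path, hosts=HOSTS, reachable=REACHABLE):
    """Combine the division analyses along a host path into one start-to-end result,
    interleaving each host's same-host unit so local state changes are counted."""
    rel = segment_analysis(path[0], path[0], hosts, reachable)
    for x, y in zip(path, path[1:]):
        rel = compose(rel, segment_analysis(x, y, hosts, reachable))
        rel = compose(rel, segment_analysis(y, y, hosts, reachable))
    return rel


if __name__ == "__main__":
    for start_state, end_state in sorted(chain(["A", "B", "C"])):
        print(f"{start_state} on A  ->  {end_state} on C")
```

Running it reports that code execution on A leads to code execution, data stealing and data tampering on C, while starting from a data-stealing state on A leads nowhere, because only code execution lets the attacker use the RCE step of FIG. 5.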
- FIG. 6 shows an example of the system to be analyzed.
- The network includes four subnets: a subnet (subnet A) 250A, a subnet (subnet B) 250B, a subnet (subnet C) 250C, and a subnet (subnet D) 250D.
- Subnet 250A includes the entry-point (initial position) host, and subnet 250D includes the final attack target host.
- The division analyses performed are: from a host in subnet 250A to a host in subnet 250B (analysis between A and B); from a host in subnet 250A to a host in subnet 250C (analysis between A and C); from a host in subnet 250B to a host in subnet 250C (analysis between B and C); from a host in subnet 250B to a host in subnet 250D (analysis between B and D); and from a host in subnet 250C to a host in subnet 250D (analysis between C and D).
- Subnet 250C is not connected to subnet 250D, so the attack route from a host in subnet 250A to a host in subnet 250D is not expected to include any host in subnet 250C. The division analyses that start or end at a host in subnet 250C are therefore essentially unnecessary. In division analysis, analyzing such unnecessary parts increases the calculation cost. In one aspect, the present embodiment provides a risk analysis device 100 that can reduce the unnecessary calculation cost in division analysis.
- The grouping unit 101 refers to the system configuration information 150 and groups the plurality of hosts included in the system into a plurality of groups each including one or more hosts.
- The system configuration information includes, for example, information about the hosts and information about the connections between hosts.
- The information about a host includes, for example, its IP address, subnet mask, host firewall settings, installed software, OS (Operating System) including version, running services, open port numbers, presence or absence of a USB (Universal Serial Bus) port, and vulnerability information.
- The information about a host further includes the host type, the presence or absence of user operation, and the credential information the host holds.
- The "host type" includes, for example, general PC (Personal Computer), router, firewall, file server, Active Directory server, and DNS (Domain Name Server) server.
- The information about connections between hosts includes network firewall settings and data flow information.
- The "data flow information" includes, for example, information such as "file sharing is performed by SMB between hosts A and B" and "files are moved from host C to host D using a USB memory".
- The grouping unit 101 groups the hosts by subnetwork.
- The subnetwork to which each host belongs can be determined from its address information.
- The grouping unit 101 acquires the IP address of each host from the system configuration information 150 and determines that hosts having the same network address belong to the same subnetwork.
- The grouping unit 101 places hosts belonging to the same subnetwork in the same group.
- The grouping unit 101 may also group the hosts according to ranges delimited by a predetermined boundary, for example a security boundary in the network.
- The grouping unit 101 may group the hosts according to the network ranges divided by firewalls.
- In that case, the grouping unit 101 groups the hosts based on the IP address and the host type included in the system configuration information 150.
- The grouping unit 101 determines, for example, that hosts whose IP addresses have the same network address belong to the same subnetwork.
- The grouping unit 101 extracts hosts that have a plurality of IP addresses, and places the subnetworks joined by a host whose host type is not a firewall, for example a router or a host with a plurality of NICs (Network Interface Cards), in the same group.
- The grouping unit 101 may group the hosts according to the roles assigned to them, such as office PC, file server, log server, stepping-stone server, control server, or HMI (Human Machine Interface).
- The grouping unit 101 acquires the host type of each host from the system configuration information 150 and may place hosts having the same host type in the same group.
- The grouping unit 101 may group the hosts based on the configuration of each host.
- The grouping unit 101 may group the hosts based on, for example, any combination of information included in the system configuration information 150.
- The grouping unit 101 may place a plurality of hosts having the same installed OS and software in the same group.
- The grouping unit 101 may group the hosts according to information input manually by the user. The above grouping methods may be combined as appropriate.
- The grouping unit 101 corresponds to the grouping means 11 shown in FIG. 1.
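As an added example that is not the patent's code, the following Python performs the grouping of the grouping unit 101 on a constructed system configuration: by subnetwork derived from the IP address and subnet mask, by host type, by both combined, and with subnetworks joined by a non-firewall router merged into one group as described for multi-homed hosts. The host records, addresses and the ROUTER_LINKS list are invented for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed system configuration information (hypothetical hosts and addresses,
# not the patent's data).
SYSTEM_CONFIG = [
    {"name": "pc1",   "ip": "192.168.10.1", "mask": "255.255.255.0", "type": "pc"},
    {"name": "pc2",   "ip": "192.168.10.2", "mask": "255.255.255.0", "type": "pc"},
    {"name": "files", "ip": "192.168.20.1", "mask": "255.255.255.0", "type": "file_server"},
    {"name": "dns",   "ip": "192.168.20.2", "mask": "255.255.255.0", "type": "dns_server"},
    {"name": "hmi",   "ip": "10.0.0.5",     "mask": "255.255.255.0", "type": "hmi"},
]
# Subnet pairs joined by a plain router (host type not "firewall"), i.e. no
# security boundary between them; the HMI subnet sits behind a firewall.
ROUTER_LINKS = [("192.168.10.0/24", "192.168.20.0/24")]


def subnet_of(host):
    """Network address of the host, derived from IP address and subnet mask."""
    return str(ipaddress.ip_interface(f"{host['ip']}/{host['mask']}").network)


def group_by(hosts, key):
    """Generic grouping: hosts with equal key land in the same group."""
    groups = defaultdict(list)
    for h in hosts:
        groups[key(h)].append(h["name"])
    return dict(groups)


def group_by_subnet(hosts):
    return group_by(hosts, subnet_of)


def group_by_host_type(hosts):
    return group_by(hosts, lambda h: h["type"])


def group_by_subnet_and_type(hosts):
    """Combination of two criteria, as the text allows."""
    return group_by(hosts, lambda h: (subnet_of(h), h["type"]))


def merge_router_joined(groups, router_links):
    """Merge subnet groups that are joined by a non-firewall router into one group
    (union-find over subnet names); the result is keyed by a representative subnet."""
    parent = {g: g for g in groups}

    def find(g):
        while parent[g] != g:
            parent[g] = parent[parent[g]]
            g = parent[g]
        return g

    for a, b in router_links:
        parent[find(a)] = find(b)
    merged = defaultdict(list)
    for g, members in groups.items():
        merged[find(g)].extend(members)
    return {k: sorted(v) for k, v in merged.items()}


if __name__ == "__main__":
    by_subnet = group_by_subnet(SYSTEM_CONFIG)
    print("by subnet:", by_subnet)
    print("by host type:", group_by_host_type(SYSTEM_CONFIG))
    print("firewall-delimited ranges:", merge_router_joined(by_subnet, ROUTER_LINKS))
```

With this input the subnet grouping yields three groups, while merging across the router leaves two: the office subnets form one range and the firewalled HMI subnet the other.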
- The representative host generation unit 102 generates one or more virtual analysis elements for each of the groups formed by the grouping unit 101.
- As the virtual analysis element, the representative host generation unit 102 generates a representative host, which is a virtual host corresponding to one or more of the hosts belonging to the group.
- The representative host generation unit 102 corresponds to the virtual analysis element generation means 12 shown in FIG. 1.
- The representative host generation unit 102 may merge the attackable elements, included in the system configuration information 150, of the one or more hosts belonging to the same group, and make the merged attackable elements the attackable elements of the representative host.
- The attackable elements included in the system configuration information 150 include, for example, running services (open port numbers), presence or absence of a USB port, vulnerability information, presence or absence of user operation, held credential information, and data flow information.
- The "running services" include, for example, network services such as SSH (Secure Shell), FTP (File Transfer Protocol), telnet (Teletype network), and SMB (Server Message Block).
- The representative host generation unit 102 can rewrite the host information into representative host information as appropriate.
- In the data flow information, the representative host generation unit 102 can rewrite each host to the representative host of the group to which that host belongs.
- For example, the information "file sharing by SMB is performed between hosts A and B" may be rewritten to "file sharing by SMB is performed between the representative host of the group to which host A belongs and the representative host of the group to which host B belongs".
- In the host firewall information and the network firewall information, the representative host generation unit 102 can rewrite the information of each host into the information of the representative host of the group to which that host belongs. For example, assume that the IP address of host A is "192.168.10.1" and the IP address of host B is "192.168.20.1", and that the firewall information contains "permit communication on TCP port 22 from 192.168.10.1 to 192.168.20.1". Assume further that the IP address of the representative host of the group to which host A belongs is "192.168.10.100" and that of the group to which host B belongs is "192.168.20.100". In that case, the representative host generation unit 102 can rewrite the firewall information as "permit communication on TCP port 22 from 192.168.10.100 to 192.168.20.100".
- The representative host generation unit 102 may use the IP address and host type of a host arbitrarily selected from the plurality of hosts in the same group as the IP address and host type of the representative host. Alternatively, it may use dummy values as the IP address and host type of the representative host, or it may merge the IP addresses and host types of the hosts in the group.
- The representative host generation unit 102 may acquire the attackable elements of each host from the system configuration information 150 and generate the representative host based on the number of attackable elements.
- The representative host generation unit 102 may select one or more hosts in the same group that have many attackable elements and generate a host with the same configuration as the selected host as the representative host.
- For example, the representative host generation unit 102 may select the host with the largest number of attackable elements in each group.
- Alternatively, it may select the one or more hosts in each group whose number of attackable elements is a predetermined number or more.
- The representative host generation unit 102 may generate the representative host based on a count of attackable elements such as the number of vulnerability information items or the number of running services.
- The representative host generation unit 102 may select, from the one or more hosts belonging to the same group, a host having an element that can be attacked by a host of another group, and generate a host with the same configuration as the selected host as the representative host.
- The representative host generation unit 102 can identify a host having an element that can be attacked by a host of another group based on, for example, the data flow information, the host firewall information, and the network firewall information included in the system configuration information 150.
- The representative host generation unit 102 may generate a representative host for each host that has an attackable element leading to each end-point state of the division analysis.
- For that purpose, the representative host generation unit 102 holds, for example, a table recording which end-point state of the division analysis each analysis element leads to.
- Referring to the held table and the system configuration information 150, the representative host generation unit 102 determines which end-point states each host has elements leading to.
- FIG. 7 shows a specific example of a table showing the correspondence between running services and end-point states.
- The representative host generation unit 102 holds, for example, a table associating the protocol used by a service with the end-point states that an attack using that protocol can transition to.
- For example, when "telnet" is used on a host, the representative host generation unit 102 determines that the host has an attackable element leading to "code execution".
- When "RDP (Remote Desktop Protocol)" is used on a host, the representative host generation unit 102 determines that the host has attackable elements leading to "code execution", "data tampering", and "data theft".
- Here the three states "code execution", "data tampering", and "data theft" are treated as end-point states, but the end-point states are not limited to these.
- For other end-point states, it suffices that the representative host generation unit 102 holds a table associating those states with attackable elements.
- The representative host generation unit 102 may also hold a table associating each vulnerability with the end-point states that an attack using that vulnerability can transition to.
- For the hosts involved in the data flow information, the representative host generation unit 102 may determine that the data flow leads to the final state "data falsification" or "data theft".
- The representative host generation unit 102 may, for example, merge the attackable elements in the group that lead to the same final state and generate a representative host corresponding to each final state.
- The representative host generation unit 102 merges the configurable elements of the selected plurality of hosts according to the first method or the second method described above.
- Among the selected hosts, a host with many attackable elements may be further selected.
- The first risk analysis unit 103 analyzes the potential risks contained in the system using the representative hosts generated by the representative host generation unit 102.
- The first risk analysis unit 103 deductively infers the attack procedure for each of several possible attack scenarios and searches for attack routes.
- An attack scenario consists of the entry point used for the attack, the final target of the attack, and the type of the final attack.
- The first risk analysis unit 103 analyzes whether, when the attack is started from the representative host of the group to which the entry-point host belongs, an attack of the final attack type is possible against the representative host of the group to which the attack-target host belongs.
- The first risk analysis unit 103 corresponds to the analysis means 13 shown in FIG.
- The first risk analysis unit 103 performs the risk analysis by the method of division analysis.
- Referring to the system configuration information 150, the first risk analysis unit 103 analyzes, for each pair of representative hosts generated by the representative host generation unit 102, whether a transition is possible from each state of the representative host at the starting point to each state of the representative host at the end point.
- The first risk analysis unit 103 then combines the results of the division analysis and analyzes whether, when the attack is started from the representative host corresponding to the entry point, an attack of the final attack type is possible at the representative host corresponding to the final attack target.
- The analysis target element determination unit 104 determines the analysis target elements to be analyzed by the second risk analysis unit 105 based on the result of the risk analysis carried out by the first risk analysis unit 103. Specifically, based on that analysis result, it determines as risk-analysis targets those hosts of the analysis target system that correspond to the virtual analysis elements included in an attack route.
- The analysis target element determination unit 104 corresponds to the analysis target element determination means 14 shown in FIG.
- When a representative host is not included in any attack route, the analysis target element determination unit 104 excludes the hosts in that representative host's group from the analysis target.
- When a specific state of a representative host is used neither as the start-point state nor as the end-point state of an attack in the division analysis, the analysis target element determination unit 104 excludes that state of the hosts in the group from the analysis target of the division analysis.
- The analysis target element determination unit 104 checks whether there is a representative host that is not used in any attack. If it identifies such a representative host, it excludes the end-point state corresponding to that representative host from the analysis target for the hosts in the group.
- The second risk analysis unit 105 refers to the system configuration information 150 and analyzes the potential risks contained in the system for the analysis target elements determined by the analysis target element determination unit 104.
- The risk analysis performed by the second risk analysis unit 105 may be the same as that performed by the first risk analysis unit 103, except that the target of analysis changes from the representative host of each group to the individual hosts.
- The second risk analysis unit 105 need not be a separate unit from the first risk analysis unit 103; the two may be the same functional unit.
- The second risk analysis unit 105 refers to the system configuration information 150 and analyzes, for the hosts to be analyzed, whether a transition is possible from each state of the host at the starting point to each state of the host at the end point.
- The second risk analysis unit 105 then combines the results of the division analysis and analyzes whether, when the attack is started from the entry-point host used for the attack, an attack of the final attack type is possible at the final target host.
- The second risk analysis unit 105 corresponds to the analysis means 15 shown in FIG.
- FIG. 8 shows a part of the system to be analyzed.
- The subnet (subnet X) 250X includes a host (host A) 200A, a host (host B) 200B, a host (host C) 200C, a host (host D) 200D, a host (host E) 200E, and a host (host F) 200F.
- The subnet (subnet Y) 250Y includes a host (host G) 200G.
- The subnet 250X is connected to the subnet 250Y via a firewall (FW) 210.
- The firewall 210 allows only communication from the host 200E to the host 200G.
- Host 200A of subnet 250X has "FTP" as an attackable element leading to the state "data tampering possible".
- Host 200B has "RDP Login" as an attackable element leading to the state "code execution possible".
- Host 200C has the vulnerability identified by "CVE (Common Vulnerabilities and Exposures)-2020-YYYY" as an attackable element leading to "data tampering possible".
- Host 200D has the vulnerability identified by "CVE-2020-ZZZZ" as an attackable element leading to "data theft possible".
- Host 200E has "SSH Login" as an attackable element leading to "code execution possible".
- Host 200F has "SMB" as an attackable element leading to "data tampering possible".
- Host 200G on subnet 250Y has the vulnerability identified by "CVE-2020-XXXX" as an attackable element leading to "code execution possible".
- FIG. 9 shows the representative hosts generated for each subnet.
- The representative host generation unit 102 groups the hosts in each subnet by end-point state.
- For the subnet 250X, the representative host generation unit 102 generates a representative host (representative host A) 220A corresponding to "data tampering possible".
- The representative host 220A has "FTP", "SMB", and the vulnerability identified by "CVE-2020-YYYY" as attackable elements.
- The representative host generation unit 102 also generates a representative host (representative host B) 220B corresponding to "data theft possible".
- The representative host 220B has the vulnerability identified by "CVE-2020-ZZZZ" as an attackable element.
- The representative host generation unit 102 further generates a representative host (representative host C) 220C corresponding to "code execution possible".
- The representative host 220C has "RDP Login" and "SSH Login" as attackable elements.
- For the subnet 250Y, the representative host generation unit 102 generates a representative host (representative host D) 220D.
- The representative host 220A represents the hosts 200A, 200C, and 200F shown in FIG. 8.
- The representative host 220B represents the host 200D shown in FIG. 8.
- The representative host 220C represents the hosts 200B and 200E shown in FIG. 8.
- The representative host 220D represents the host 200G shown in FIG. 8.
- The first risk analysis unit 103 performs the risk analysis using the representative hosts shown in FIG. 9. The analysis finds that an attack from the representative host 220C to the representative host 220D is possible. On the other hand, because communication from the representative hosts 220A and 220B to the representative host 220D is blocked by the firewall 210, it finds no attack from 220A or 220B to 220D. The analysis target element determination unit 104 therefore excludes "data tampering possible" and "data theft possible" from the analysis target for the subnet 250X, and the second risk analysis unit 105 performs the risk analysis on the hosts of subnet 250X only for "code execution possible". In this way the division analysis avoids analyzing unnecessary parts.
- FIG. 10 shows the operation procedure (risk analysis method) of the risk analysis device 100.
- The grouping unit 101 divides the plurality of hosts included in the analysis target system into a plurality of groups based on the system configuration information 150 (step S1).
- The representative host generation unit 102 generates one or more representative hosts for each group (step S2).
- The first risk analysis unit 103 analyzes the risk in the analysis target system using the representative hosts generated in step S2 (step S3).
- The analysis target element determination unit 104 determines the analysis target elements (hosts and their states) based on the risk analysis result of step S3 (step S4).
- For example, when the risk analysis using representative hosts shows that a representative host, or a state of one, is not used in any attack, the analysis target element determination unit 104 excludes the corresponding hosts and states from the analysis target elements.
- Steps S1 to S4 correspond to the operation procedure (analysis target element determination method) of the analysis target element determination device 110.
- The second risk analysis unit 105 performs a detailed risk analysis on the analysis target elements determined in step S4, referring to the system configuration information 150 (step S5).
- Because the hosts and states corresponding to representative hosts not used in any attack are excluded from the analysis target elements in step S4, unnecessary parts are not analyzed in step S5. The calculation cost is therefore reduced compared with performing the risk analysis for all hosts in the analysis target system and all their states.
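The element-to-state table of the representative host generation unit, the division analysis of the first risk analysis unit, the pruning done by the analysis target element determination unit, and steps S1 to S5 above can be exercised together on the FIG. 8/9 system with the following Python model. It is an added example, not code from the patent or its applicant. Assumptions not in the text: the contents of the element-to-state table beyond the telnet and RDP rows (the FIG. 8 elements are mapped to the states the text assigns them), unrestricted traffic inside a subnet, that an attacker holding code execution on a unit can attack any state of a unit it may communicate with while other states give no foothold to continue from, that the attacker starts with code execution on the entry host, and the function names such as `two_stage_analysis`.

```python
# Added example (not the patent's code): representative-host pruning before a detailed attack-route analysis.
from collections import deque

CODE_EXEC = "code execution possible"
TAMPER = "data tampering possible"
THEFT = "data theft possible"

# Assumed lookup table (the text gives only the telnet and RDP rows):
# attackable element -> end-point states an attack on it can reach.
ELEMENT_TO_STATES = {
    "FTP": {TAMPER}, "SMB": {TAMPER}, "RDP Login": {CODE_EXEC}, "SSH Login": {CODE_EXEC},
    "CVE-2020-YYYY": {TAMPER}, "CVE-2020-ZZZZ": {THEFT}, "CVE-2020-XXXX": {CODE_EXEC},
}
# System configuration information of FIG. 8: host -> (subnet, attackable elements).
HOSTS = {
    "200A": ("250X", {"FTP"}), "200B": ("250X", {"RDP Login"}),
    "200C": ("250X", {"CVE-2020-YYYY"}), "200D": ("250X", {"CVE-2020-ZZZZ"}),
    "200E": ("250X", {"SSH Login"}), "200F": ("250X", {"SMB"}),
    "200G": ("250Y", {"CVE-2020-XXXX"}),
}
# Firewall 210 passes only 200E -> 200G between the subnets; traffic inside a subnet is assumed unrestricted.
FIREWALL_ALLOW = {("200E", "200G")}


def host_states(host):
    """End-point states the host can be attacked into (table lookup)."""
    return set().union(*(ELEMENT_TO_STATES[e] for e in HOSTS[host][1]))


def hosts_can_talk(src, dst):
    return src != dst and (HOSTS[src][0] == HOSTS[dst][0] or (src, dst) in FIREWALL_ALLOW)


def generate_representative_hosts():
    """Steps S1-S2: group hosts by subnet, then one representative host per
    (subnet, end-point state) holding the merged elements of its members.
    Returns {representative: (states, member hosts)}."""
    groups = {}
    for host in sorted(HOSTS):
        for state in host_states(host):
            groups.setdefault((HOSTS[host][0], state), set()).add(host)
    return {f"rep/{subnet}/{state}": ({state}, frozenset(members))
            for (subnet, state), members in groups.items()}


def _bfs(start, neighbours):
    """Breadth-first search; returns {node: parent} for every node reached."""
    parent, queue = {start: None}, deque([start])
    while queue:
        n = queue.popleft()
        for m in neighbours(n):
            if m not in parent:
                parent[m] = n
                queue.append(m)
    return parent


def analyse(units, can_talk, start, goal):
    """Division analysis plus combination (steps S3 and S5). `units` maps each unit
    (host or representative host) to its states; a node is a (unit, state) pair.
    Returns (route or None, set of nodes lying on some start-to-goal route)."""
    nodes = [(u, s) for u, states in units.items() for s in sorted(states)]
    # Per pair of units: which (state, state) transitions hold under the assumed semantics.
    edges = {n: {m for m in nodes if m[0] != n[0] and n[1] == CODE_EXEC and can_talk(n[0], m[0])}
             for n in nodes}
    forward = _bfs(start, lambda n: edges.get(n, ()))           # reachable from the entry
    if goal not in forward:
        return None, set()
    backward = _bfs(goal, lambda n: {p for p, outs in edges.items() if n in outs})
    route, n = [], goal
    while n is not None:
        route.append(n)
        n = forward[n]
    return route[::-1], set(forward) & set(backward)


def determine_analysis_targets(reps, on_route):
    """Step S4: keep (host, state) only if the host's representative host, in that
    state, lies on some representative-level attack route."""
    targets = {}
    for rep, (states, members) in reps.items():
        for state in states:
            if (rep, state) in on_route:
                for host in members:
                    targets.setdefault(host, set()).add(state)
    return targets


def two_stage_analysis(entry, target, final_type):
    """Scenario: entry host, final target host, final attack type. The attacker is
    assumed to start with code execution on the entry host."""
    reps = generate_representative_hosts()

    def rep_of(host, state):  # representative host of `host` that carries `state`, if any
        return next((r for r, (st, mem) in reps.items() if host in mem and state in st), None)

    def reps_can_talk(r1, r2):  # representatives can communicate if any member pair can
        return any(hosts_can_talk(a, b) for a in reps[r1][1] for b in reps[r2][1])

    start_rep, goal_rep = rep_of(entry, CODE_EXEC), rep_of(target, final_type)
    coarse_route, on_route = None, set()
    if start_rep and goal_rep:  # step S3 over representative hosts
        coarse_route, on_route = analyse({r: st for r, (st, _) in reps.items()}, reps_can_talk,
                                         (start_rep, CODE_EXEC), (goal_rep, final_type))
    targets = determine_analysis_targets(reps, on_route)  # step S4
    route = None
    if coarse_route:  # step S5 on the surviving hosts and states only
        route, _ = analyse(targets, hosts_can_talk, (entry, CODE_EXEC), (target, final_type))
    return {"coarse_route": coarse_route, "targets": targets, "route": route,
            "nodes_total": sum(len(host_states(h)) for h in HOSTS),
            "nodes_analysed": sum(len(s) for s in targets.values())}
```

Calling `two_stage_analysis("200B", "200G", CODE_EXEC)` reproduces the result the text describes at the representative level: the coarse route runs from the representative host for subnet 250X / "code execution possible" to the one for subnet 250Y, the "data tampering possible" and "data theft possible" states of subnet 250X are dropped, and the detailed pass then examines 3 host/state nodes instead of 7, finding the route 200B → 200E → 200G (200B cannot reach 200G directly, but pivots through 200E, which the firewall allows). Because a representative host merges its members' elements and their allowed communication, the first pass over-approximates: it never prunes a node the detailed pass could need, but it may keep nodes the detailed pass later rules out, which is the safe direction for a pruning step.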
- The grouping unit 101 groups the plurality of hosts into several groups.
- The representative host generation unit 102 generates a representative host for each group.
- The first risk analysis unit 103 performs the risk analysis using the representative host generated for each group.
- Based on the result of that risk analysis, the analysis target element determination unit 104 determines which representative hosts can be used in an attack and sets the hosts corresponding to them as the analysis target elements of the risk analysis performed by the second risk analysis unit 105.
- The risk analysis carried out by the second risk analysis unit 105 can thus skip unnecessary parts, and the calculation cost is reduced compared with performing the risk analysis for the entire system.
- FIG. 2 described an example in which the risk analysis device 100 includes the analysis target element determination device 110.
- The risk analysis device 100 and the analysis target element determination device 110 need not be configured as the same device; they may be configured as separate devices.
- The example above mainly used the method of division analysis, but the present disclosure is not limited to this.
- The first risk analysis unit 103 and the second risk analysis unit 105 may perform the risk analysis without dividing the entire system into predetermined division units. Even then, the calculation cost can be reduced by excluding the parts not used in any attack from the analysis target.
- FIG. 11 shows a configuration example of a computer device that can be used as the risk analysis device 100 and the analysis target element determination device 110.
- The computer device 500 has a control unit (CPU: Central Processing Unit) 510, a storage unit 520, a ROM (Read Only Memory) 530, a RAM (Random Access Memory) 540, a communication interface (IF) 550, and a user interface (IF) 560.
- The communication IF 550 is an interface for connecting the computer device 500 to a communication network via wired or wireless communication means.
- The user IF 560 includes a display unit such as a display, and an input unit such as a keyboard, a mouse, or a touch panel.
- The storage unit 520 is an auxiliary storage device that can hold various types of data.
- The storage unit 520 need not be part of the computer device 500; it may be an external storage device or cloud storage connected to the computer device 500 via a network.
- The storage unit 520 stores, for example, the system configuration information 150 shown in FIG.
- The ROM 530 is a non-volatile storage device, for example a semiconductor storage device such as a flash memory of relatively small capacity.
- The program executed by the CPU 510 may be stored in the storage unit 520 or the ROM 530.
- The storage unit 520 or the ROM 530 stores, for example, the various programs that realize the functions of each unit of the risk analysis device 100 or the analysis target element determination device 110.
- Non-transitory computer-readable media include various types of tangible storage media.
- Examples of non-transitory computer-readable media are magnetic recording media such as flexible disks, magnetic tapes, or hard disks; magneto-optical recording media such as magneto-optical disks; optical disk media such as CDs (compact discs) or DVDs (digital versatile discs); and semiconductor memory such as mask ROM, PROM (programmable ROM), EPROM (erasable PROM), flash ROM, or RAM.
- The program may also be supplied to the computer using various types of transitory computer-readable media. Examples of transitory computer-readable media are electrical signals, optical signals, and electromagnetic waves.
- A transitory computer-readable medium can supply the program to the computer via a wired communication path such as an electric wire or optical fiber, or via a wireless communication path.
- The RAM 540 is a volatile storage device, for example a semiconductor memory device such as DRAM (Dynamic Random Access Memory) or SRAM (Static Random Access Memory).
- The RAM 540 can be used as an internal buffer for temporarily storing data and the like.
- The CPU 510 loads the program stored in the storage unit 520 or the ROM 530 into the RAM 540 and executes it. By the CPU 510 executing the program, the functions of each unit of the risk analysis device 100 or the analysis target element determination device 110 are realized.
- The CPU 510 may have an internal buffer that can temporarily store data and the like.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
(Appendix 1) An analysis target element determination device comprising: grouping means for grouping a plurality of hosts included in a system to be analyzed into a plurality of groups, each including one or more hosts; virtual analysis element generation means for generating one or more virtual analysis elements for each of the plurality of groups; analysis means for analyzing, using the virtual analysis elements, whether an attack is possible from the virtual analysis element of the group to which the host that is the start point of the attack belongs to the virtual analysis element of the group to which the host that is the end point of the attack belongs; and analysis target element determination means for determining, based on the analysis result of the analysis means, among the hosts included in the system to be analyzed, the hosts corresponding to the virtual analysis elements included in the route along which the attack is performed as the targets of risk analysis.
(Appendix 2) The analysis target element determination device according to Appendix 1, wherein the virtual analysis element generation means generates, as the virtual analysis element, a representative host that is a virtual host corresponding to one or more of the hosts belonging to the group.
(Appendix 3) The analysis target element determination device according to Appendix 2, wherein the virtual analysis element generation means merges the attackable elements of the hosts belonging to the group and uses the merged attackable elements as the attackable elements of the representative host.
(Appendix 4) The analysis target element determination device according to Appendix 2 or 3, wherein the virtual analysis element generation means selects, among the hosts belonging to the group, the host having the largest number of attackable elements, or one or more hosts whose number of attackable elements is equal to or greater than a predetermined value, and uses the attackable elements of the selected host or hosts as the attackable elements of the representative host.
(Appendix 5) The analysis target element determination device according to any one of Appendices 2 to 4, wherein the virtual analysis element generation means selects, among the hosts belonging to the group, a host having an attackable element that can be attacked from a host of another group, and uses the attackable elements of the selected host as the attackable elements of the representative host.
(Appendix 6) The analysis target element determination device according to any one of Appendices 2 to 5, wherein the analysis target element determination means excludes from the targets of the risk analysis, among the hosts included in the system to be analyzed, the hosts corresponding to representative hosts not included in the route along which the attack is performed.
(Appendix 7) The analysis target element determination device according to any one of Appendices 2 to 6, wherein the analysis means analyzes, in each division unit obtained by dividing the system to be analyzed into predetermined units, whether a transition is possible from each state of the representative host that is the start point of the division unit to each state of the representative host that is the end point of the division unit.
(Appendix 8) The analysis target element determination device according to Appendix 7, wherein the analysis target element determination means excludes from the targets of the risk analysis those states of the start-point representative host and those states of the end-point representative host that are not included in the route along which the attack is performed.
(Appendix 9) The analysis target element determination device according to Appendix 2, wherein the risk analysis analyzes, in each division unit obtained by dividing the system to be analyzed into predetermined units, whether a transition is possible from each state of the host that is the start point of the division unit to each state of the host that is the end point of the division unit, and the virtual analysis element generation means generates the representative host for each set of hosts having an attackable element that leads to a given state of the host that is the end point of the division unit.
(Appendix 10) The analysis target element determination device according to Appendix 9, wherein the analysis target element determination means identifies a representative host that is not used in the attack and excludes from the targets of the risk analysis the end-point host state corresponding to the identified representative host.
(Appendix 11) The analysis target element determination device according to any one of Appendices 1 to 10, wherein the grouping means groups the hosts by the subnetwork to which each host belongs.
(Appendix 12) The analysis target element determination device according to any one of Appendices 1 to 11, wherein the grouping means groups the hosts by range delimited by predetermined boundaries.
(Appendix 13) The analysis target element determination device according to any one of Appendices 1 to 12, wherein the grouping means groups the hosts by the role of each host.
(Appendix 14) The analysis target element determination device according to any one of Appendices 1 to 13, wherein the grouping means groups the hosts by the configuration of each host.
(Appendix 15) A risk analysis device comprising: grouping means for grouping a plurality of hosts included in a system to be analyzed into a plurality of groups, each including one or more hosts; virtual analysis element generation means for generating one or more virtual analysis elements for each of the plurality of groups; first analysis means for analyzing, using the virtual analysis elements, whether an attack is possible from the virtual analysis element of the group to which the host that is the start point of the attack belongs to the virtual analysis element of the group to which the host that is the end point of the attack belongs; analysis target element determination means for determining, based on the analysis result of the first analysis means, among the hosts included in the system to be analyzed, the hosts corresponding to the virtual analysis elements included in the route along which the attack is performed as the targets of risk analysis; and second analysis means for analyzing, for the hosts determined by the analysis target element determination means as the targets of the risk analysis, whether an attack is possible from the host that is the start point of the attack to the host that is the end point of the attack.
(Appendix 16) The risk analysis device according to Appendix 15, wherein the virtual analysis element generation means generates, as the virtual analysis element, a representative host that is a virtual host corresponding to one or more of the hosts belonging to the group.
(Appendix 17) The risk analysis device according to Appendix 16, wherein the virtual analysis element generation means merges the attackable elements of the hosts belonging to the group and uses the merged attackable elements as the attackable elements of the representative host.
(Appendix 18) The risk analysis device according to Appendix 16 or 17, wherein the analysis target element determination means excludes from the targets of the risk analysis, among the hosts included in the system to be analyzed, the hosts corresponding to representative hosts not included in the route along which the attack is performed.
(Appendix 19) The risk analysis device according to any one of Appendices 16 to 18, wherein the first analysis means analyzes, in each division unit obtained by dividing the system to be analyzed into predetermined units, whether a transition is possible from each state of the representative host that is the start point of the division unit to each state of the representative host that is the end point of the division unit, and the second analysis means analyzes, in each division unit obtained by dividing the system to be analyzed into predetermined units, whether a transition is possible from each state of the host that is the start point of the division unit to each state of the host that is the end point of the division unit.
(Appendix 20) The risk analysis device according to Appendix 16, wherein the second analysis means analyzes, in each division unit obtained by dividing the system to be analyzed into predetermined units, whether a transition is possible from each state of the host that is the start point of the division unit to each state of the host that is the end point of the division unit, and the virtual analysis element generation means generates the representative host for each set of hosts having an attackable element that leads to a given state of the host that is the end point of the division unit.
(Appendix 21) The risk analysis device according to Appendix 20, wherein the analysis target element determination means identifies a representative host that is not used in the attack and excludes from the targets of the risk analysis the end-point host state corresponding to the identified representative host.
(Appendix 22) An analysis target element determination method comprising: grouping a plurality of hosts included in a system to be analyzed into a plurality of groups, each including one or more hosts; generating one or more virtual analysis elements for each of the plurality of groups; analyzing, using the virtual analysis elements, whether an attack is possible from the virtual analysis element of the group to which the host that is the start point of the attack belongs to the virtual analysis element of the group to which the host that is the end point of the attack belongs; and determining, based on the result of the analysis, among the hosts included in the system to be analyzed, the hosts corresponding to the virtual analysis elements included in the route along which the attack is performed as the targets of risk analysis.
(Appendix 23) A risk analysis method comprising: grouping a plurality of hosts included in a system to be analyzed into a plurality of groups, each including one or more hosts; generating one or more virtual analysis elements for each of the plurality of groups; analyzing, using the virtual analysis elements, whether an attack is possible from the virtual analysis element of the group to which the host that is the start point of the attack belongs to the virtual analysis element of the group to which the host that is the end point of the attack belongs; determining, based on the result of the analysis, among the hosts included in the system to be analyzed, the hosts corresponding to the virtual analysis elements included in the route along which the attack is performed as the targets of risk analysis; and analyzing, for the hosts determined as the targets of the risk analysis, whether an attack is possible from the host that is the start point of the attack to the host that is the end point of the attack.
(Appendix 24) A non-transitory computer-readable medium storing a program for causing a computer to execute processing comprising: grouping a plurality of hosts included in a system to be analyzed into a plurality of groups, each including one or more hosts; generating one or more virtual analysis elements for each of the plurality of groups; analyzing, using the virtual analysis elements, whether an attack is possible from the virtual analysis element of the group to which the host that is the start point of the attack belongs to the virtual analysis element of the group to which the host that is the end point of the attack belongs; and determining, based on the result of the analysis, among the hosts included in the system to be analyzed, the hosts corresponding to the virtual analysis elements included in the route along which the attack is performed as the targets of risk analysis.
(Appendix 25) A non-transitory computer-readable medium storing a program for causing a computer to execute processing comprising: grouping a plurality of hosts included in a system to be analyzed into a plurality of groups, each including one or more hosts; generating one or more virtual analysis elements for each of the plurality of groups; analyzing, using the virtual analysis elements, whether an attack is possible from the virtual analysis element of the group to which the host that is the start point of the attack belongs to the virtual analysis element of the group to which the host that is the end point of the attack belongs; determining, based on the result of the analysis, among the hosts included in the system to be analyzed, the hosts corresponding to the virtual analysis elements included in the route along which the attack is performed as the targets of risk analysis; and analyzing, for the hosts determined as the targets of the risk analysis, whether an attack is possible from the host that is the start point of the attack to the host that is the end point of the attack.
11: Grouping means
12: Virtual analysis element generation means
13: Analysis means
14: Analysis target element determination means
15: Analysis means
20: Analysis target element determination device
100: Risk analysis device
101: Grouping unit
102: Representative host generation unit
103: First risk analysis unit
104: Analysis target element determination unit
105: Second risk analysis unit
110: Analysis target element determination device
150: System configuration information
200A-G, X, Y: Host
210: Firewall
220A-D: Representative host
250A-D, X, Y: Subnet
500: Computer device
510: CPU
520: Storage unit
530: ROM
540: RAM
550: Communication IF
560: User IF
Claims (25)
- 分析対象のシステムに含まれる複数のホストを、それぞれが1以上のホストを含む複数のグループにグループ化するグループ化手段と、
前記複数のグループのそれぞれについて、1以上の仮想の分析要素を生成する仮想分析要素生成手段と、
前記仮想の分析要素を用いて、攻撃の始点となるホストが属するグループの前記仮想の分析要素から、攻撃の終点となるホストが属するグループの前記仮想の分析要素に対する攻撃が可能か否かを分析する分析手段と、
前記分析手段の分析結果に基づいて、前記分析対象のシステムに含まれるホストのうち、前記攻撃が行われる経路に含まれる仮想の分析要素に対応するホストをリスク分析の対象として決定する分析対象要素決定手段とを備える分析対象要素決定装置。 - 前記仮想分析要素生成手段は、前記グループに属するホストのうちの1以上のホストに対応する、仮想のホストである代表ホストを、前記仮想の分析要素として生成する請求項1に記載の分析対象要素決定装置。
- 前記仮想分析要素生成手段は、前記グループに属するホストの攻撃され得る要素をマージし、該マージした攻撃され得る要素を、前記代表ホストの攻撃され得る要素とする請求項2に記載の分析対象要素決定装置。
- 前記仮想分析要素生成手段は、前記グループに属するホストのうち、攻撃され得る要素の数が最も多いホスト、又は攻撃され得る要素の数が所定の値以上の1以上のホストを選択し、該選択したホストが持つ攻撃され得る要素を、前記代表ホストの攻撃され得る要素とする請求項2又は3に記載の分析対象要素決定装置。
- 前記仮想分析要素生成手段は、前記グループに属するホストのうち、他のグループのホストから攻撃可能な攻撃され得る要素を持つホストを選択し、該選択したホストが持つ攻撃され得る要素を、前記代表ホストの攻撃され得る要素とする請求項2から4何れか1項に記載の分析対象要素決定装置。
- 前記分析対象要素決定手段は、前記分析対象のシステムに含まれるホストのうち、前記攻撃が行われる経路に含まれない前記代表ホストに対応するホストを前記リスク分析の対象から除外する請求項2から5何れか1項に記載の分析対象要素決定装置。
- 前記分析手段は、前記分析対象のシステムを所定単位で分割した各分割単位において、前記分割単位の起点となる代表ホストの各状態から前記分割単位の終点となる代表ホストの各状態への遷移が可能であるか否かを分析する請求項2から6何れか1項に記載の分析対象要素決定装置。
- 前記分析対象要素決定手段は、前記攻撃が行われる経路に含まれない、前記起点となる代表ホストの状態と、前記終点となる代表ホストの状態とを、前記リスク分析の対象から除外する請求項7に記載の分析対象要素決定装置。
- The analysis target element determination device according to claim 2, wherein, in the risk analysis, for each division unit obtained by dividing the analysis target system by a predetermined unit, it is analyzed whether a transition is possible from each state of the host serving as the starting point of the division unit to each state of the host serving as the end point of the division unit, and
the virtual analysis element generation means generates the representative host for each host having an attackable element that leads to each state of the host serving as the end point of the division unit.
- The analysis target element determination device according to claim 9, wherein the analysis target element determination means identifies a representative host that is not used in the attack, and excludes the state of the end-point host corresponding to the identified representative host from the targets of the risk analysis.
- The analysis target element determination device according to any one of claims 1 to 10, wherein the grouping means groups the hosts by the subnetwork to which each host belongs.
- The analysis target element determination device according to any one of claims 1 to 11, wherein the grouping means groups the hosts by ranges delimited by predetermined boundaries.
- The analysis target element determination device according to any one of claims 1 to 12, wherein the grouping means groups the hosts by the role of each host.
- The analysis target element determination device according to any one of claims 1 to 13, wherein the grouping means groups the hosts by the configuration of each host.
- A risk analysis device comprising:
grouping means for grouping a plurality of hosts included in an analysis target system into a plurality of groups each including one or more hosts;
virtual analysis element generation means for generating one or more virtual analysis elements for each of the plurality of groups;
first analysis means for analyzing, using the virtual analysis elements, whether an attack is possible from the virtual analysis element of the group to which the host serving as the starting point of the attack belongs to the virtual analysis element of the group to which the host serving as the end point of the attack belongs;
analysis target element determination means for determining, based on the analysis result of the first analysis means, among the hosts included in the analysis target system, the hosts corresponding to the virtual analysis elements included in the path along which the attack is carried out as targets of risk analysis; and
second analysis means for analyzing, for the hosts determined by the analysis target element determination means as targets of the risk analysis, whether an attack is possible from the host serving as the starting point of the attack to the host serving as the end point of the attack.
- The risk analysis device according to claim 15, wherein the virtual analysis element generation means generates, as the virtual analysis element, a representative host that is a virtual host corresponding to one or more of the hosts belonging to the group.
- The risk analysis device according to claim 16, wherein the virtual analysis element generation means merges the attackable elements of the hosts belonging to the group, and uses the merged attackable elements as the attackable elements of the representative host.
- The risk analysis device according to claim 16 or 17, wherein the analysis target element determination means excludes, among the hosts included in the analysis target system, the hosts corresponding to representative hosts not included in the path along which the attack is carried out from the targets of the risk analysis.
- The risk analysis device according to any one of claims 16 to 18, wherein the first analysis means analyzes, for each division unit obtained by dividing the analysis target system by a predetermined unit, whether a transition is possible from each state of the representative host serving as the starting point of the division unit to each state of the representative host serving as the end point of the division unit, and
the second analysis means analyzes, for each division unit obtained by dividing the analysis target system by the predetermined unit, whether a transition is possible from each state of the host serving as the starting point of the division unit to each state of the host serving as the end point of the division unit.
- The risk analysis device according to claim 16, wherein the second analysis means analyzes, for each division unit obtained by dividing the analysis target system by a predetermined unit, whether a transition is possible from each state of the host serving as the starting point of the division unit to each state of the host serving as the end point of the division unit, and
the virtual analysis element generation means generates the representative host for each host having an attackable element that leads to each state of the host serving as the end point of the division unit.
- The risk analysis device according to claim 20, wherein the analysis target element determination means identifies a representative host that is not used in the attack, and excludes the state of the end-point host corresponding to the identified representative host from the targets of the risk analysis.
- An analysis target element determination method comprising:
grouping a plurality of hosts included in an analysis target system into a plurality of groups each including one or more hosts;
generating one or more virtual analysis elements for each of the plurality of groups;
analyzing, using the virtual analysis elements, whether an attack is possible from the virtual analysis element of the group to which the host serving as the starting point of the attack belongs to the virtual analysis element of the group to which the host serving as the end point of the attack belongs; and
determining, based on the result of the analysis, among the hosts included in the analysis target system, the hosts corresponding to the virtual analysis elements included in the path along which the attack is carried out as targets of risk analysis.
- A risk analysis method comprising:
grouping a plurality of hosts included in an analysis target system into a plurality of groups each including one or more hosts;
generating one or more virtual analysis elements for each of the plurality of groups;
analyzing, using the virtual analysis elements, whether an attack is possible from the virtual analysis element of the group to which the host serving as the starting point of the attack belongs to the virtual analysis element of the group to which the host serving as the end point of the attack belongs;
determining, based on the result of the analysis, among the hosts included in the analysis target system, the hosts corresponding to the virtual analysis elements included in the path along which the attack is carried out as targets of risk analysis; and
analyzing, for the hosts determined as targets of the risk analysis, whether an attack is possible from the host serving as the starting point of the attack to the host serving as the end point of the attack.
- A non-transitory computer-readable medium storing a program for causing a computer to execute processing comprising:
grouping a plurality of hosts included in an analysis target system into a plurality of groups each including one or more hosts;
generating one or more virtual analysis elements for each of the plurality of groups;
analyzing, using the virtual analysis elements, whether an attack is possible from the virtual analysis element of the group to which the host serving as the starting point of the attack belongs to the virtual analysis element of the group to which the host serving as the end point of the attack belongs; and
determining, based on the result of the analysis, among the hosts included in the analysis target system, the hosts corresponding to the virtual analysis elements included in the path along which the attack is carried out as targets of risk analysis.
- A non-transitory computer-readable medium storing a program for causing a computer to execute processing comprising:
grouping a plurality of hosts included in an analysis target system into a plurality of groups each including one or more hosts;
generating one or more virtual analysis elements for each of the plurality of groups;
analyzing, using the virtual analysis elements, whether an attack is possible from the virtual analysis element of the group to which the host serving as the starting point of the attack belongs to the virtual analysis element of the group to which the host serving as the end point of the attack belongs;
determining, based on the result of the analysis, among the hosts included in the analysis target system, the hosts corresponding to the virtual analysis elements included in the path along which the attack is carried out as targets of risk analysis; and
analyzing, for the hosts determined as targets of the risk analysis, whether an attack is possible from the host serving as the starting point of the attack to the host serving as the end point of the attack.
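As an added illustration of the two-stage analysis the claims describe (this is example code written here, not code from the patent or its applicant), the following Python sketch groups hosts by subnet, merges each group's attackable elements into one representative host, runs the attack-reachability analysis on the representatives first, and then repeats it on the real hosts only within the groups that lie on a representative-level attack path. The host names, groups, services and connection rules are constructed sample data, and "attackable element" is simplified to "exposes a vulnerable service".

```python
from collections import deque
# Constructed sample inventory (not from the patent): each host's group
# (subnet), the attackable elements (vulnerable services) it exposes, and the
# host-to-host connections the network permits.
GROUP = {"pc1": "office", "pc2": "office", "web": "dmz",
         "db": "internal", "hr": "internal", "bk": "backup"}
ATTACKABLE = {"pc1": {"rdp"}, "pc2": set(), "web": {"http"},
              "db": {"sql"}, "hr": set(), "bk": {"ssh"}}
CAN_CONNECT = {("pc1", "web"), ("pc2", "web"), ("web", "db"),
               ("web", "hr"), ("db", "hr"), ("pc1", "bk")}

def host_edges(hosts):
    """Host-level attack edges among `hosts`: src compromises dst if it can
    connect to dst and dst exposes at least one attackable element."""
    return {(s, d) for s, d in CAN_CONNECT
            if s in hosts and d in hosts and ATTACKABLE[d]}

def representative_edges():
    """Virtual analysis elements: one representative host per group whose
    attackable elements are the union of its members'. Representatives are
    linked when any member pair can connect (a deliberate over-approximation)."""
    merged = {}
    for h, g in GROUP.items():
        merged.setdefault(g, set()).update(ATTACKABLE[h])
    edges = {(GROUP[s], GROUP[d]) for s, d in CAN_CONNECT if merged[GROUP[d]]}
    return merged, edges

def reachable(edges, start):
    """Nodes reachable from `start` by following `edges` (breadth-first)."""
    seen, todo = {start}, deque([start])
    while todo:
        n = todo.popleft()
        for s, d in edges:
            if s == n and d not in seen:
                seen.add(d)
                todo.append(d)
    return seen

def hosts_to_analyze(start, goal):
    """First analysis on representatives: keep only hosts whose group lies on
    some representative-level path from start's group to goal's group."""
    _, redges = representative_edges()
    forward = reachable(redges, GROUP[start])
    backward = reachable({(d, s) for s, d in redges}, GROUP[goal])
    return {h for h, g in GROUP.items() if g in forward and g in backward}

def attack_possible(start, goal):
    """Second analysis: host-level reachability restricted to the kept hosts."""
    kept = hosts_to_analyze(start, goal)
    return goal in reachable(host_edges(kept), start)
```

Because the representative level merges attackable elements, it can report a group as on-path even when no real host in it is reachable (here `hr`), which is why the second, host-level pass is still needed; the pruning only removes hosts that cannot be on any path.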
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
JP2022558638A JPWO2022091207A5 (ja) | 2020-10-27 | | Risk analysis device, analysis target element determination device, method, and program
PCT/JP2020/040219 WO2022091207A1 (ja) | 2020-10-27 | 2020-10-27 | Risk analysis device, analysis target element determination device, method, and computer-readable medium
US18/032,632 US20240022589A1 (en) | 2020-10-27 | 2020-10-27 | Risk analysis device, analysis target element determination device, and method
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
PCT/JP2020/040219 WO2022091207A1 (ja) | 2020-10-27 | 2020-10-27 | Risk analysis device, analysis target element determination device, method, and computer-readable medium
Publications (1)
Publication Number | Publication Date
---|---
WO2022091207A1 true WO2022091207A1 (ja) | 2022-05-05
Family
ID=81382216
Family Applications (1)
Application Number | Title | Priority Date | Filing Date
---|---|---|---
PCT/JP2020/040219 WO2022091207A1 (ja) | Risk analysis device, analysis target element determination device, method, and computer-readable medium | 2020-10-27 | 2020-10-27
Country Status (2)
Country | Link
---|---
US (1) | US20240022589A1 (ja)
WO (1) | WO2022091207A1 (ja)
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title
---|---|---|---|---
WO2019186722A1 (ja) * | 2018-03-27 | 2019-10-03 | 日本電気株式会社 | Security evaluation system, security evaluation method, and program
WO2020136837A1 (ja) * | 2018-12-27 | 2020-07-02 | 三菱電機株式会社 | Attack tree generation device, attack tree generation method, and attack tree generation program
WO2020189669A1 (ja) * | 2019-03-20 | 2020-09-24 | パナソニックIpマネジメント株式会社 | Risk analysis device and risk analysis method
2020
- 2020-10-27 US US18/032,632 patent/US20240022589A1/en active Pending
- 2020-10-27 WO PCT/JP2020/040219 patent/WO2022091207A1/ja active Application Filing
Also Published As
Publication number | Publication date
---|---
JPWO2022091207A1 (ja) | 2022-05-05
US20240022589A1 (en) | 2024-01-18
Legal Events
Code | Title | Description
---|---|---
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20959725 Country of ref document: EP Kind code of ref document: A1
ENP | Entry into the national phase | Ref document number: 2022558638 Country of ref document: JP Kind code of ref document: A
WWE | Wipo information: entry into national phase | Ref document number: 18032632 Country of ref document: US
NENP | Non-entry into the national phase | Ref country code: DE
122 | Ep: pct application non-entry in european phase | Ref document number: 20959725 Country of ref document: EP Kind code of ref document: A1