WO2022137403A1 - Information collection control device, information collection system, information collection control method, and information collection control program - Google Patents
- Publication number
- WO2022137403A1 (PCT/JP2020/048267)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- history information
- information
- history
- collection
- risk
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
Definitions
- the present invention relates to an information collection control device, an information collection system, an information collection control method, and an information collection control program.
- Patent Document 1 proposes a technique for determining the validity of the operation of a device based on the system call execution information of the OS executed by the device in the system to be analyzed.
- the system call is a mechanism for the program to use the resources managed by the OS, and the system call execution information of Patent Document 1 includes a system call name, an argument, and the like. In Patent Document 1, it is determined that there is a security problem in the device corresponding to the system call execution history that matches the fraudulent pattern.
- In the technique disclosed in Patent Document 1, the validity of the operation of the device is determined based on the system call execution information called by the OS. However, since a huge number of system calls are called even in a short time, the processing load for grasping signs of a cyber attack and the presence or absence of security risks increases, and as a result the cost and time required for that processing increase.
- An object of the present invention is to solve the above problems, and an object of the present invention is to reduce a processing load when analyzing a security risk.
- The information collection control device of the present invention includes a history information collection unit that collects history information related to the operation history of a program operating in a terminal, and a transmission control unit that controls the transmission timing of the history information to a server.
- the information collecting system of the present invention includes a history information collecting unit that collects history information related to the operation history of a program running on a terminal, and a transmission control unit that controls the transmission timing of the history information to a server. It is equipped with an information collection control device.
- the information collection control method of the present invention includes performing a collection process for collecting history information related to the operation history of a program operating on a terminal, and controlling the transmission timing of the history information to a server.
- The information collection control program of the present invention causes a processor to perform a collection process for collecting history information regarding the operation history of a program operating in a terminal and to control the transmission timing of the history information to a server.
- Second Embodiment 4.1 Functional configuration of device 1 4.2. Flow of collection target optimization processing in device 1. 5. Modification example of the second embodiment 5.1. Functional configuration of device 1 6. Third Embodiment 6.1. Functional configuration of server 2 6.2. Flow of collection target optimization processing in server 2. 7. Modification example of the third embodiment 8. Fourth Embodiment 9. Other embodiments
- As a technique for monitoring information on device operation and analyzing security risks, Patent Document 1, for example, proposes a technique for determining the validity of device operation based on the system call execution information of the OS executed on the device in the analysis target system.
- the present invention aims to reduce the processing load when analyzing security risks.
- The information collection control device includes a history information collection unit that collects history information related to the operation history of a program operating in a terminal, and a transmission control unit that controls the timing of transmitting the history information to a server.
- FIG. 1 is a diagram illustrating an operation mode of the information collection system 1000 according to the first embodiment.
- the information collection system 1000 is configured by connecting a device 1 and a server 2 via a network 3.
- the device 1 is, for example, a terminal such as a RU (Radio Unit) used as a radio slave station of a base station device of a wireless communication system.
- the RU converts a digital signal into a radio frequency, amplifies transmission power, and transmits / receives with an antenna element.
- a program for collecting history information regarding the operation history of a program operating on the device 1 (for example, an OS (Operating System) of the device 1) is installed in the device 1.
- An information processing terminal other than the RU may be used as the device 1.
- the server 2 is an information processing device that stores, analyzes, outputs, and the like the information collected by the information collection system 1000.
- the server 2 can receive the history information transmitted from the device 1 and analyze the security risk in the device 1 based on the received history information.
- the network 3 is a communication line that connects the device 1 and the server 2 so as to be communicable, and either wireless or wired may be used.
- the device 1 and the server 2 do not need to be always connected. At least, the device 1 and the server 2 may be connected at the timing when the history information is transmitted from the device 1.
- The history information of the device 1 in the present embodiment is the history of operations performed on the device 1, such as file operations, directory operations, registry operations, thread operations, and process operations, that are realized by running a program such as the OS of the device 1.
- Such an operation history can be obtained by acquiring the execution history of the system call called when the program operating in the device 1 uses the hardware resource of the device 1.
- the program running on the device 1 performs input / output to the hardware resource of the device 1 and file processing by calling the library function.
- Some library functions indirectly use system calls to perform input / output to / from the hardware resources of device 1 and file processing.
- the operation history of the device 1 as described above can also be obtained by acquiring the history of the library function called by the program operating in the device 1.
- The history of system calls called by the program running on the device 1 and the history of library functions are referred to as "history information".
- Because the program implemented in the device 1 executes input / output processing on the hardware resources constituting the device 1 through system calls or library functions, a huge number of system calls are called in the device 1 in a short time as long as the program operates. Therefore, the processing load of the server 2 that analyzes the security risk of the device 1 based on the history information of the device 1 becomes enormous, and as a result, the cost and time required for the processing for grasping signs of a cyber attack and the presence or absence of security risks increase.
- the transmission timing of the history information is controlled by the device 1.
- FIG. 2 is a block diagram showing a hardware configuration of an information processing device.
- CPU (Central Processing Unit) 11
- ROM (Read Only Memory) 12
- RAM (Random Access Memory) 13
- storage medium 14
- I / F (interface) 15
- the CPU 11 is a calculation means and controls the operation of the entire information processing device.
- the RAM 13 is a volatile storage medium capable of high-speed reading and writing of information, and is used as a work area when the CPU 11 processes information.
- the ROM 12 is a read-only non-volatile storage medium, and stores programs such as firmware.
- the storage medium 14 is a non-volatile storage medium capable of reading and writing information such as an HDD (Hard Disk Drive), and stores an OS, various control programs, application programs, and the like.
- The I / F 15 connects the bus 16 with various hardware, networks, and the like, and controls them.
- the input unit 17 is an input device such as a keyboard or a mouse for the user to input information to the information processing device.
- the display unit 18 is a display device such as an LCD (Liquid Crystal Display) for the user to confirm the state of the information processing device.
- the input unit 17 and the display unit 18 can be omitted.
- The software control unit of the information processing device is configured by the CPU 11 performing operations according to a program stored in the ROM 12 or a program loaded from the storage medium 14 into the RAM 13. By combining the software control unit configured in this way with the hardware, functional blocks are configured that realize the functions of an information processing device, such as the controller 100 of the device 1 according to the present embodiment (see FIG. 3), the normal area 102 and the protected area 103 (see FIG. 12), and the controller 200 of the server 2 (see FIG. 18).
- FIG. 3 is a functional block diagram showing a functional configuration of the device 1.
- the device 1 includes a controller 100 and a network I / F 101.
- the controller 100 acquires history information of a program running on the device 1, sets a risk level regarding the degree of security risk of the device 1, and controls transmission of the history information to the server 2.
- the controller 100 is configured by installing a dedicated software program on the device 1. This software program corresponds to the information collection control program of the present embodiment.
- the controller 100 includes a history information collection unit 110, a history information DB (Data Base) 130, a risk level setting unit 140, a transmission control unit 150, and a risk level setting DB (Data Base) 160.
- the history information collection unit 110 executes a collection process for collecting history information 120A, 120B, 120C, 120D regarding the operation history of the program operating on the device 1.
- In the following description, the history information 120A, 120B, 120C, and 120D is referred to as the history information 120.
- the history information DB 130 is a storage area for storing the history information 120 collected by the history information collection unit 110. The structure of the information stored in the history information DB 130 will be described later.
- the risk level setting unit 140 executes a risk level setting process for setting a risk level regarding the degree of security risk in the device 1 with respect to the history information 120 collected by the history information collection unit 110.
- the degree of risk regarding the degree of security risk corresponds to a risk index indicating the degree of security risk in a terminal such as device 1 determined based on a security vulnerability assessment or the like.
- The risk setting unit 140 sets a risk level for each of the history information 120A, 120B, 120C, and 120D based on the risk setting conditions 161 and 162 (see FIGS. 6 and 8), which are determined based on the security vulnerability evaluation and the history of past cyber attacks.
- the risk information regarding the risk set by the risk setting unit 140 is stored in the risk setting DB 160. Details of the risk setting process performed by the risk setting unit 140 will be described later with reference to FIGS. 6 to 10.
- the transmission control unit 150 executes a transmission determination process that controls the transmission timing of the history information to the server 2. The details of the transmission determination process performed by the transmission control unit 150 will be described later with reference to FIGS. 10 and 11.
- the device 1 acquires the history information 120 related to the operation history of the program operating on the device 1, and controls the transmission timing of transmitting the acquired history information 120 to the server 2.
- FIG. 4 is a sequence diagram showing a processing flow in the information collection system 1000.
- FIG. 5 is a diagram showing the configuration of the history information data table 131.
- FIG. 6 is a diagram showing an example of the information described in the risk setting condition 161.
- FIG. 7 is a flowchart showing an example of the flow of the risk setting process in the device 1.
- FIG. 8 is a diagram showing an example of the information described in the risk setting condition 162.
- FIG. 9 is a flowchart showing another example of the flow of the risk setting process in the device 1.
- FIG. 10 is a diagram showing a configuration of risk level information set in the risk level setting process.
- FIG. 11 is a flowchart showing the flow of transmission determination processing in the device 1.
- the device 1 executes a collecting process for collecting the history information 120 in step S101.
- the collection process by the history information collection unit 110 may be continuously performed while the device 1 is activated.
- the history information 120 to be collected in the collection process may be set in advance, and the history information 120 set as the collection target may be collected. Further, the timing at which the history information collecting unit 110 performs the collecting process may be set in advance.
- the device 1 transmits the history information 120 collected in the collection process (step S101) to the history information DB 130 in step S102.
- The history information collection unit 110 collects information regarding the names of system calls and library functions called by the program operating on the device 1 as history information 120. In addition to such information, in the collecting process the history information collecting unit 110 collects, as history information 120, at least one of, for example, information on the execution time of a system call or a library function, information on the user of a program running on the device 1, and information on files accessed or created by a program running on the device 1.
- It is assumed that the history information collecting unit 110 collects, as the history information 120A, information including "execution time: 2020.11.24.XX.YY", "execution user name: userA", and "history information: write (XX.XX.XX.X.jpg), read (XYZZ.Z.config), ...".
- It is assumed that the history information collecting unit 110 collects, as the history information 120B, information including "execution time: 2020.11.24.XX.FF", "execution user name: userB", and "history information: exe (ZX.exe), ...".
- It is assumed that the history information collecting unit 110 collects, as the history information 120C, information including "execution time: 2020.11.24.ZZ.XF", "execution user name: userA", and "history information: ..., recvfrom (rs: main, in: xx), send (int sockfd, ...), ...".
- It is assumed that the history information collecting unit 110 collects, as the history information 120D, information including "execution time: 2020.11.24.FX.WZ", "execution user name: userC", and "history information: read (Z.ZZ.ZZ.Z.tp), ...".
- In step S103, the history information 120 transmitted by the history information collecting unit 110 in step S102 is stored in the history information DB 130.
- The history information 120A, 120B, 120C, 120D collected by the history information collecting unit 110 is stored in the history information DB 130 in association with history information identifiers that identify the respective history information.
- the No. 1 of the history information data table 151 is shown.
- the risk setting unit 140 acquires the history information 120 from the history information DB 130 in step S104. When the history information 120 is acquired, the risk level setting unit 140 executes the risk level setting process in step S105. The details of the risk setting process will be described later with reference to FIGS. 6 to 10.
- the transmission control unit 150 executes the transmission determination process in step S106.
- In the transmission determination process, a process of determining whether or not it is time to transmit the history information of the device 1 to the server 2, a process of determining whether or not to transmit the history information of the device 1 to the server 2, and the like are performed. The details of the transmission determination process will be described later with reference to FIGS. 10 and 11.
- In step S107, the transmission control unit 150 acquires from the history information DB 130 the history information 120 that the transmission determination process in step S106 determined should be transmitted to the server 2. Then, in step S108, the transmission control unit 150 transmits the history information 120 acquired in step S107 to the server 2 via the network I / F 101.
- the device 1 collects the history information 120 of the program operating in the device 1, and performs a process of controlling the transmission timing of the collected history information 120 to the server 2.
- the history information 120 includes various parameters such as an execution date and time and an execution user name as a history of system calls and library functions. Therefore, it is possible to determine the degree of security risk such as a sign of a cyber attack on the device 1 or a vulnerability based on the value of the parameter included in the history information 120.
- In a cyber attack on the device 1, a plurality of system calls and library functions are called and the information resources of the device 1 are used. Therefore, if the system calls included in the attack pattern and the execution order of the system calls are known, it is possible to determine the degree of security risk such as a sign of a cyber attack on the device 1 and a vulnerability.
- For library functions, as with system calls, if the library functions included in the attack pattern and the execution order of the library functions are known, it is possible to determine the degree of security risk in the device 1.
- For cyber attacks that combine system calls and library functions, if the system calls and library functions included in the attack pattern and their execution order are known, it is possible to determine the degree of security risk in the device 1.
- the risk level setting process for setting the risk level for the history information 120 collected by the history information collecting unit 110 is performed by utilizing the characteristics of the system call as described above.
- the details of the risk setting process based on the risk setting condition 161 in which the parameters are described will be described, and then the details of the risk setting process based on the risk setting condition 162 in which the attack pattern is described will be described.
- The risk setting process based on the risk setting condition 161, in which the parameters are described, may be referred to as the first process, and the risk setting process based on the risk setting condition 162, in which the attack pattern is described, may be referred to as the second process.
- the risk setting unit 140 executes the first process (see FIG. 7) based on the risk setting condition 161 (see FIG. 6) in which the information defining the normal value and the abnormal value for these parameters is described.
- In the first process, the degree of security risk in the device 1 is determined from the history information 120 based on the user of the program that executed the system call or the library function, the execution time, and the like, and the risk level is set for the history information 120 based on the determination result.
- the first process corresponds to a process of setting a risk level depending on whether or not a parameter that is not a normal value is included in the history information 120 with respect to the parameter of a specific system call (or library function).
- The risk setting condition 161 shown in FIG. 6 includes information indicating the first parameter "user name", the second parameter "execution time", ... for "system call name: execute".
- For the first parameter "user name" of the risk setting condition 161, information is described that sets "risk level: 0" if the execution user name of the system call execute included in the history information 120 corresponds to "user name: userA", and sets "risk level: 10" if it corresponds to "user name: other than userA". In other words, for the first parameter "user name" of the risk setting condition 161, "risk level: 0" is set if the execution user name of the system call execute included in the history information 120 corresponds to the normal value "user name: userA", and the value "risk level: 10", indicating that there is a security risk for the device 1, is set as the risk level if it corresponds to the abnormal value "user name: other than userA".
- For the second parameter "execution time" of the risk setting condition 161, information is described that sets "risk level: 0" if the execution time of the system call execute included in the history information 120 corresponds to "execution time: between 14:00 and 18:00", and sets "risk level: 20" if it corresponds to "execution time: time zone other than 14:00 to 18:00". In other words, for the second parameter "execution time" of the risk setting condition 161, "execution time: 14:00 to 18:00" is the normal value for the execution time of the system call execute included in the history information 120.
- the risk level setting unit 140 refers to the risk level setting condition 161 in step S11.
- the risk level setting condition 161 is a set value stored inside the risk level setting unit 140, and is based on the information transmitted from the server 2 by, for example, the operator of the information collection system 1000 operating the server 2. Can be set. Further, the risk setting condition 161 may be a set value stored inside the risk setting unit 140 at the time of product shipment of the device 1.
- In step S12, the risk setting unit 140 focuses on the nth parameter of the risk setting condition 161 referred to in step S11.
- The risk setting unit 140 focuses in order on each of the n parameters included in the risk setting condition 161, starting with the first parameter.
- n = 2, that is, the second parameter of the risk setting condition 161.
- In step S13, the risk setting unit 140 compares each of the history information 120A to 120D with the second parameter of the risk setting condition 161 and determines whether or not the value in the history information 120A to 120D corresponding to that parameter is a normal value.
- The history information 120A, 120C, 120D does not include "system call: execute".
- The history information 120B will be used as an example.
- If the value is a normal value, the risk setting unit 140 sets "risk level: 0" for the history information 120B and proceeds to step S15.
- Otherwise, in step S14, the risk setting unit 140 adds "risk level: 10" to the history information 120B and proceeds to step S15. Since the history information 120A, 120C, 120D does not include "system call: execute", the risk setting unit 140 sets "risk level: 0" for the history information 120A, 120C, 120D.
- The user who executed the "system call: execute" in the history information 120B is "userB".
- "Risk level: 10", indicating that there is a security risk for the device 1, is set with respect to the first parameter "user name" of the risk level setting condition 161.
- In step S15, the risk level setting unit 140 determines whether or not the history information 120B has a parameter for which the risk level is not set with respect to the parameters included in the risk level setting condition 161.
- The risk level setting unit 140 focuses on the (n + 1)th parameter in step S16 and executes the process from step S13 again.
- In step S17, the risk level setting unit 140 totals the risk levels set for the parameters included in the history information 120B and sets the total as the risk level of the history information 120B. That is, in the history information 120B, if the execution time "XX.FF" of the "system call: execute" is "between 14:00 and 18:00", the risk level of the history information 120B is set to "10" as a result of step S17. On the other hand, if the execution time "XX.FF" of the "system call: execute" is "a time zone other than 14:00 to 18:00", the risk level of the history information 120B is set to "30".
- As shown in FIG. 10, the risk level set by the risk level setting unit 140 is stored in the risk level information data table 163 in the risk level setting DB 160, with the history information identifier "MGan7Mr2", which identifies the history information 120B, associated with "risk level: 10 or 30".
- The degree of security risk in the device 1 is determined based on the user who executed the system call, the execution time, and the like, and the risk level is set for the history information 120 based on the determination result.
- the first process corresponds to a process of setting a risk level depending on whether or not the history information 120 includes a parameter that is not a normal value with respect to a parameter of the operation history of a specific system call.
- The risk setting unit 140 executes the second process (see FIG. 9) based on the risk setting condition 162 (see FIG. 8), in which known attack patterns and attack patterns preset by an index such as a vulnerability evaluation related to the device 1 are described.
- In the second process, the degree of security risk in the device 1 is determined from the history information 120 based on the system calls and library functions peculiar to the attack pattern and the execution order of the system calls and library functions, and the risk level is set for the history information 120 based on the determination result.
- The second process corresponds to a process of setting the risk level depending on whether or not the history information 120 contains information corresponding to the system call or library function peculiar to the attack pattern and the execution order of the system call or library function.
- the information corresponding to the system call or library function peculiar to the attack pattern and the execution order of the system call or library function corresponds to the attack-related information related to the attack pattern.
- The risk setting condition 162 shown in FIG. 8 includes information indicating "system call SC1 (normal); risk level: 0", "recvfrom (rs: main, in: xx) (normal); risk level: 0", and "send (int sockfd, ...) (normal); risk level: 100".
- The risk setting condition 162 describes a plurality of system calls and library functions, and the execution order of the system calls and library functions. Of these, information for setting "risk level: 100" for the execution history of the system call "send (int sockfd, ...) (normal)" is described. In this way, when an operation that includes a known attack pattern, or an attack pattern preset based on an index such as a vulnerability evaluation regarding the device 1, is performed on the device 1, the risk setting unit 140 sets the risk level.
- the risk level setting unit 140 refers to the risk level setting condition 162 in step S21.
- the risk level setting condition 162 is a set value stored inside the risk level setting unit 140, and is based on the information transmitted from the server 2 by, for example, the operator of the information collection system 1000 operating the server 2. Can be set. Further, the risk setting condition 162 may be a set value stored inside the risk setting unit 140 at the time of product shipment of the device 1.
- In step S22, the risk setting unit 140 determines whether or not the history information 120 acquired in step S104 includes history information 120 corresponding to the information described in the risk setting condition 162 referred to in step S21.
- The history information 120C includes "history information: ..., recvfrom (rs: main, in: xx), send (int sockfd, ...), ...". This information corresponds to "system call SC1", "recvfrom (rs: main, in: xx)", and "send (int sockfd, ...)" described in the risk setting condition 162 (step S22 / Y). In this case, the risk setting unit 140 adds "risk level: 100" to the history information 120C and proceeds to step S24.
- In step S22, it is determined that the history information 120A, 120B, 120D is not the history information corresponding to the information described in the risk setting condition 162 (step S22 / N). In this case, the risk setting unit 140 proceeds to step S24.
- In step S24, the risk setting unit 140 sets "risk level: 0" for the history information 120A, "risk level: 0" for the history information 120B, "risk level: 100" for the history information 120C, and "risk level: 0" for the history information 120D.
- the risk level set for the history information 120C by the risk level setting unit 140 is No. 10 in FIG.
- the history information identifier “P8hVPoiw” that identifies the history information 120C is associated with the “risk level: 100” and stored in the risk level information data table 163 in the risk level setting DB 160.
- No. of FIG. The second line shows the degree of danger set in the history information 120B in the first process.
- The degree of security risk in the device 1 is determined based on the system calls and library functions peculiar to the attack pattern and on their execution order, and the risk level is set for the history information 120 based on the determination result.
- The second process corresponds to the process of setting the risk level depending on whether the history information 120 contains information corresponding to the system calls or library functions peculiar to the attack pattern and to their execution order.
- In step S31, the transmission control unit 150 acquires, as the risk level information stored in the risk level information data table 163, information indicating that "risk level: 10 or 30" is set for the history information 120B and information indicating that "risk level: 100" is set for the history information 120C.
- In step S32, the transmission control unit 150 transmits to the server 2 the history information 120 for which the first value or higher is set as the risk level.
- The transmission control unit 150 acquires information having "risk level: 10" or more from the risk level information data table 163.
- The information having a risk level of 10 or more is stored in rows No. 2 and No. 7.
- The transmission control unit 150 acquires the history information identifiers "MGan7Mr2" and "P8hVPoiw" in rows No. 2 and No. 7.
- The transmission control unit 150 transmits the history information 120B and the history information 120C, identified in the history information data table 151 by the history information identifiers "MGan7Mr2" and "P8hVPoiw", to the server 2 via the network I/F 101.
- In step S33, the transmission control unit 150 transmits the history information 120 to the server 2 when the total risk level of the entire history information 120 becomes the second value or more.
- the transmission control unit 150 transmits the history information 120A, 120B, 120C, 120D to the server 2 via the network I / F 101.
- In step S34, the transmission control unit 150 transmits the history information 120 including a specific system call to the server 2.
- the specific system call corresponds to, for example, a system call called by the device 1 when an unfavorable operation is performed from the viewpoint of security.
- the unfavorable operation from the viewpoint of security corresponds to, for example, access to an important file system of device 1 such as a system folder, access to a registry related to automatic execution of a program, and the like.
- In step S35, the transmission control unit 150 transmits to the server 2 the history information 120 regarding the operation history executed in the device 1 within a predetermined time. Assuming that the operating time of the device 1 is set from 5:00 to 23:00, the transmission control unit 150 may transmit to the server 2 the history information 120 regarding operations observed in the device 1 between 23:00 and 5:00.
- In step S36, the transmission control unit 150 transmits the history information 120 to the server 2 when the amount of the history information 120 collected by the history information collection unit 110 exceeds a predetermined amount.
- The state in which the amount of the history information 120 is equal to or more than a predetermined amount corresponds to, for example, the case where the history information 120 is equal to or more than a predetermined number of bytes, or the case where the number of lines of the history information 120 stored in the history information DB 130 is equal to or more than a predetermined number of lines.
- In step S37, the transmission control unit 150 transmits the history information 120 to the server 2 when a predetermined time has elapsed since the history information was last transmitted to the server 2. For example, when 12 hours have elapsed since the history information was last transmitted to the server 2, the transmission control unit 150 transmits to the server 2 the history information 120 collected in the device 1 after the previous transmission.
- The transmission control unit 150 may perform any one of the processes from steps S32 to S37.
- the device 1 performs a process of selecting the history information 120 to be transmitted and a process of controlling the transmission timing of the history information 120.
- the server 2 can reduce the processing load when performing the security risk analysis of the device 1 based on the history information of the device 1.
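The second process (steps S21 to S24) and the transmission triggers of steps S32 to S37, as an added Python sketch that is not code from the patent. The pattern, the first value of 10, the 5:00 to 23:00 operating time and the 12-hour interval follow the text; the identifiers for 120A and 120D, the second value, the volume limit, the S34 call label, all timestamps, and keeping a level already set by the first process are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Risk setting condition modelled on the FIG. 8 description:
# these calls, executed in this order, set risk level 100.
ATTACK_PATTERN = ("SC1", "recvfrom", "send")
PATTERN_RISK = 100


@dataclass
class History:
    ident: str        # history information identifier
    calls: tuple      # system calls / library functions in execution order
    when: datetime    # time the operation was observed (constructed)
    risk: int = 0     # risk level; may already be set by the first process


@dataclass(frozen=True)
class Policy:
    first_value: int = 10                       # S32 (10 in the text's example)
    second_value: int = 100                     # S33 (assumed value)
    specific_calls: frozenset = frozenset({"autorun_registry_write"})  # S34, hypothetical label
    operating_hours: tuple = (5, 23)            # S35: 5:00 to 23:00
    max_records: int = 1000                     # S36 (assumed value)
    interval: timedelta = timedelta(hours=12)   # S37: 12 hours


def contains_in_order(calls, pattern):
    """True if every call of the pattern occurs in calls, in pattern order."""
    remaining = iter(calls)
    return all(step in remaining for step in pattern)


def set_risk(records, pattern=ATTACK_PATTERN, pattern_risk=PATTERN_RISK):
    """Steps S21 to S24: return the identifier -> risk level table."""
    table = {}
    for rec in records:
        if contains_in_order(rec.calls, pattern):      # step S22 / Y
            # Assumption: a level set by the first process is never lowered.
            rec.risk = max(rec.risk, pattern_risk)
        table[rec.ident] = rec.risk                    # step S24
    return table


def select_for_transmission(records, now, last_sent, policy=Policy(),
                            enabled=("S32", "S33", "S34", "S35", "S36", "S37")):
    """Return {identifier: [steps that selected it]} for the enabled steps."""
    selected = {}

    def mark(step, recs):
        if step in enabled:
            for rec in recs:
                selected.setdefault(rec.ident, []).append(step)

    mark("S32", [r for r in records if r.risk >= policy.first_value])
    if sum(r.risk for r in records) >= policy.second_value:
        mark("S33", records)
    mark("S34", [r for r in records if policy.specific_calls & set(r.calls)])
    start, end = policy.operating_hours
    mark("S35", [r for r in records if not start <= r.when.hour < end])
    if len(records) >= policy.max_records:
        mark("S36", records)
    if now - last_sent >= policy.interval:
        mark("S37", [r for r in records if r.when > last_sent])
    return selected


def sample_records():
    """Constructed sample standing in for history information 120A to 120D."""
    day = datetime(2024, 1, 10)
    return [
        History("ID-120A", ("SC1", "recvfrom"), day.replace(hour=9)),
        # 120B: risk level 10 already set by the first process
        History("MGan7Mr2", ("SC1",), day.replace(hour=10), risk=10),
        History("P8hVPoiw", ("SC1", "recvfrom", "send"), day.replace(hour=11)),
        # 120D: same calls in a different order, observed outside operating hours
        History("ID-120D", ("send", "recvfrom", "SC1"),
                day.replace(hour=2, minute=30)),
    ]


if __name__ == "__main__":
    recs = sample_records()
    print(set_risk(recs))
    print(select_for_transmission(recs, now=datetime(2024, 1, 10, 19),
                                  last_sent=datetime(2024, 1, 10, 6)))
```

With only S32 enabled the selection is exactly the two identifiers the text names; 120D shows that the same calls in a different order do not match the pattern.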
- FIG. 12 is a functional block diagram showing a functional configuration of the device 1 according to a modification of the first embodiment.
- the device 1 includes a normal area 102 including a history information collecting unit 110, and a protected area 103 including a history information DB 130, a risk setting unit 140, a transmission control unit 150, a risk setting DB 160, and a history information receiving unit 170.
- the normal area 102 of the device 1 refers to a normal execution environment constructed on the memory (ROM12 or RAM13) space of the device 1 and in which the OS or the like of the device 1 is executed.
- The protected area 103 of the device 1 refers to a space (Secure World) that is isolated from the normal area 102 in the memory (ROM 12 or RAM 13) space of the device 1 by a technique such as TrustZone (registered trademark) of Arm Co., Ltd. or KeyStone of RISC-V Foundation, and that is more secure than the normal area 102.
- The protected area 103, which is a secure space, cannot be directly accessed from the normal area 102, which is a non-secure space. Therefore, in this modification, the protected area 103 is provided with a history information receiving unit 170 as an element for receiving, in the protected area 103, the history information 120 collected in the normal area 102.
- In step S111, the history information receiving unit 170 issues to the history information collecting unit 110 a history information transmission request, which requests transmission of the history information 120 to the protected area 103.
- Upon receiving the history information transmission request, the history information collecting unit 110 transmits the history information 120 to the history information receiving unit 170 in step S102.
- The history information receiving unit 170 transfers the history information 120 transmitted from the history information collecting unit 110 to the history information DB 130. As in the first embodiment, the history information 120A, 120B, 120C, 120D collected by the history information collection unit 110 in the collection process is associated with the history information identifiers that identify the history information 120A, 120B, 120C, 120D and stored in the history information DB 130.
- the processing after step S112 is the same as that of the first embodiment.
- A process of controlling the transmission timing of the history information 120 is performed. According to the above configuration, falsification of the collected history information 120, data corruption, and the like can be suppressed, so that the reliability of the information related to the operation of the device is further improved and the history information of the device 1 can be transmitted to the server 2.
- <Second embodiment> The second embodiment differs from the first embodiment in that the operation history of the device 1 to be collected by the history information collecting unit 110 in the collecting process is optimized.
- the same components as those in the first embodiment are designated by the same reference numerals, and duplicate description will be omitted. Further, unless otherwise specified, the operation of the device 1 in the present embodiment is the same as that in the first embodiment, and thus the duplicate description will be omitted.
- FIG. 14 is a functional block diagram showing a functional configuration of the device 1 according to the second embodiment.
- the device 1 includes a history information collection unit 110, a history information DB 130, a risk setting unit 140, a transmission control unit 150, a risk setting DB 160, and a history information collection control unit 180.
- the history information collection control unit 180 executes a collection target optimization process for optimizing the operation history of the program operating on the device 1 to be collected by the history information collection unit 110 in the collection process.
- FIG. 15 is a diagram showing an example of the information described in the risk setting condition 164.
- FIG. 16 is a flowchart showing the flow of the collection target optimization process in the device 1.
- In a cyber attack on the device 1, multiple system calls are called and the information resources of the device 1 are used.
- History information that is predicted to have a security risk, such as a sign of a cyber attack on the device 1, is collected based on the system calls included in the attack pattern, the order of the system calls, and the execution history of the system calls.
- The risk setting condition 164 shown in FIG. 15 includes "system call SA1 (normal); 10 msec; risk: 0", "system call SA2 (normal); 10 msec; risk: 0", and "system call SA3 (normal); 5 msec; risk level: 100".
- The risk setting condition 164 of FIG. 15 describes an operation including an attack pattern in which system call SA1, system call SA2, and system call SA3 are executed in order. That is, the risk setting condition 164 corresponds to information including an operation history indicating that the device 1 has a security risk.
- Information for setting "risk level: 100" for the operation history of the device 1 is described.
- the flow of the collection target optimization process executed in the device 1 will be described.
- the operation history of the device 1 to be collected by the history information collecting unit 110 in the collecting process will be referred to as “collection target operation history”.
- In step S41, the history information collection control unit 180 acquires the history information 120 collected by the history information collection unit 110 and the risk level setting condition 164.
- In step S42, the history information collection control unit 180 determines whether or not the history information 120 acquired in step S41 includes an operation history corresponding to the risk setting condition 164.
- In step S43, the history information collection control unit 180 adds the operation history of the device 1 related to the collection target operation history to the collection target.
- the system call SA1 is executed within 10 ms in the device 1 in which the system call SA1 is set as the collection target operation history.
- In step S43, the history information collection control unit 180 adds to the collection target the system calls SA2 and SA3 described in the risk setting condition 164, as the related operation history related to the system call SA1, which is the collection target operation history.
- the history information collection unit 110 executes the collection process with the system calls SA1, SA2, and SA3 as collection targets.
- an operation history indicating that the device 1 has a security risk is added to the collection target operation history.
- In step S44, the history information collection control unit 180 excludes the operation history of the device 1 related to the collection target operation history from the collection target.
- the collection target operation history when the system call SA1 is normally executed within 10 ms, the system call SA2 is normally executed within 10 ms, and the system call SA3 is normally executed within 5 ms.
- the collection target operation history set for the device 1 corresponds to the information described in the risk level setting condition 164. That is, here, the collection target operation history set for the device 1 includes an operation history indicating that the device 1 has a security risk.
- The history information collection control unit 180 determines that the operation history in which the system calls SA1, SA2, and SA3 are executed in order is not related to the collection target operation history, and in step S44 excludes the system call SA2 and the system call SA3 from the collection target operation history.
- the history information collection unit 110 excludes the system calls SA2 and SA3 from the collection target and executes the collection process.
- the collection target optimization process is performed based on the history information collected by the history information collection unit 110. According to the above configuration, since the history information collected in the device 1 is optimized for the program running in the device 1 according to the operation, the history information transmitted to the server 2 is also optimized.
- the operation history related to the attack pattern of device 1 is added to the collection target, and the operation history that is no longer related to the attack pattern of device 1 is excluded from the collection target.
- the history information predicted to have a security risk in the device 1 can be selectively transmitted to the server 2, so that the processing load of the server 2 can be reduced.
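The collection target optimization of steps S41 to S44, as an added Python sketch that is not code from the patent. It assumes that a history "corresponds" to the risk setting condition 164 when at least the first call of the pattern ran normally within its time bound; the per-window loop, the event fields and the sample windows are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Step:
    call: str       # system call named in the condition
    max_ms: float   # time bound within which it executes normally
    risk: int       # risk level set when the pattern reaches this step


@dataclass(frozen=True)
class Event:
    call: str
    elapsed_ms: float
    normal: bool = True


# Risk setting condition modelled on the FIG. 15 description.
CONDITION_164 = (Step("SA1", 10, 0), Step("SA2", 10, 0), Step("SA3", 5, 100))


def collect(events, targets):
    """Collection process: record only calls that are collection targets."""
    return [e for e in events if e.call in targets]


def matched_steps(history, condition):
    """Number of leading condition steps found in order in the history,
    each executed normally within its time bound."""
    matched = 0
    for event in history:
        if matched == len(condition):
            break
        step = condition[matched]
        if (event.call == step.call and event.normal
                and event.elapsed_ms <= step.max_ms):
            matched += 1
    return matched


def optimize_targets(targets, history, condition):
    """Steps S42 to S44 under this sketch's assumption about 'corresponds'."""
    related = {step.call for step in condition[1:]}
    if matched_steps(history, condition) >= 1:      # step S42 / Y
        return set(targets) | related               # step S43: add
    return set(targets) - related                   # step S44: exclude


def run_windows(windows, targets, condition=CONDITION_164):
    """Collect each window, score it, then re-optimize the targets.
    Returns (collected count, risk level, targets for the next window)."""
    results = []
    for events in windows:
        history = collect(events, targets)
        n = matched_steps(history, condition)
        risk = max((s.risk for s in condition[:n]), default=0)
        targets = optimize_targets(targets, history, condition)
        results.append((len(history), risk, sorted(targets)))
    return results


# Constructed windows of device activity: Event(call, elapsed msec).
SAMPLE_WINDOWS = [
    [Event("open", 2), Event("SA1", 4), Event("SA2", 3), Event("SA3", 2)],
    [Event("SA1", 4), Event("read", 1), Event("SA2", 3), Event("SA3", 2)],
    [Event("read", 1), Event("write", 1), Event("SA2", 3)],
    [Event("SA1", 25)],
]

if __name__ == "__main__":
    for row in run_windows(SAMPLE_WINDOWS, {"SA1"}):
        print(row)
```

In the first window the SA2 and SA3 calls go unrecorded because they only become collection targets afterwards, so under these assumptions the sequence is scored at 100 only on its second occurrence.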
- FIG. 17 is a functional block diagram showing a functional configuration of the device 1 according to a modified example of the second embodiment.
- The device 1 includes a normal area 102 including a history information collecting unit 110, and a protected area 103 including a history information DB 130, a risk setting unit 140, a transmission control unit 150, a risk setting DB 160, a history information receiving unit 170, and a history information collecting control unit 180.
- The collection target optimization process, which optimizes the operation history collected by the history information collecting unit 110, is performed in the protected area 103, which is isolated from the normal area 102 in which the OS of the device 1 is executed and is more secure than the normal area 102. By doing so, falsification of the collected history information 120, data corruption, and the like can be suppressed, so that the reliability of the information related to the operation of the device is further improved, the operation history collected by the history information collecting unit 110 can be optimized, and the history information of the device 1 can be transmitted to the server 2.
- The third embodiment differs from the first and second embodiments in that the operation history of the device 1 to be collected by the history information collecting unit 110 in the collection process is optimized based on an instruction from the server 2.
- FIG. 18 is a functional block diagram showing a functional configuration of the server 2 according to the third embodiment.
- the server 2 includes a controller 200 and a network I / F 201.
- the controller 200 receives the history information transmitted from the device 1, analyzes the security risk of the device 1, and executes the collection target optimization process for optimizing the operation history to be collected in the device 1.
- the controller 200 is configured by installing a dedicated software program on the device 1.
- the controller 200 includes a history information receiving unit 210, a history information DB (Data Base) 220, a history information analysis unit 230, and a history information collection control unit 240.
- the history information receiving unit 210 receives the history information 120 transmitted from the device 1 and stores it in the history information DB 220 which is a storage area.
- the history information analysis unit 230 executes an analysis process for analyzing the degree of security risk in the device 1 based on the history information 120 received from the device 1.
- The history information collection control unit 240 executes a collection target optimization process for optimizing the operation history of the device 1 to be collected in the collection process by the history information collection unit 110, based on the history information 120 received from the device 1.
- FIG. 19 is a flowchart showing the flow of the collection target optimization process performed on the server 2 according to the third embodiment.
- the history information analysis unit 230 analyzes the history information 120 received from the device 1.
- The history information analysis unit 230 performs security risk analysis on the history information 120 received from the device 1 based on a known vulnerability evaluation standard such as CVSS (Common Vulnerability Scoring System).
- The history information collection control unit 240 determines the operation history to be collected by the history information collection unit 110 in the collection process, based on the history information 120 received from the device 1 and the result of the analysis process.
- The history information collection control unit 240 of the server 2 may determine the operation history to be collected by the history information collection unit 110 in the collection process by performing the same processing as the history information collection control unit 180 of the device 1 (see FIG. 16).
- In step S53, the history information collection control unit 240 transmits to the device 1 the information on the operation history to be collected by the history information collection unit 110 that was determined in step S52. Based on the information received from the server 2, the history information collecting unit 110 of the device 1 includes the operation history determined in step S52 in the collection target and executes the collection process.
- the collection target optimization process is performed on the server 2 based on the history information collected by the history information collection unit 110. Since the server 2 performs an analysis process for analyzing the degree of security risk in the device 1 based on the history information, it is possible to perform a collection process that reflects the result of the analysis process. Further, the processing load of the device 1 can be reduced by performing the collection target optimization processing on the server 2.
- the information input to the server 2 by the operator of the information collection system 1000 operating the server 2 may be reflected in the collection target optimization process in the server 2.
- The information input to the server 2 is information that specifies the operation history to be collected by the history information collecting unit 110 in the collecting process, such as information designating as a collection target the history information 120 related to the operation history executed in the device 1 within a predetermined time, or information designating as a collection target the history information 120 including a specific system call.
- FIG. 20 is a diagram showing an operation mode of the information collection system 1000 according to the modified example of the third embodiment.
- the device 1, the devices 4 and 5 of the same model as the device 1, and the server 2 are connected via the network 3.
- the server 2 receives history information regarding the operation history of the programs operating on the devices 1, 4, and 5. Therefore, the server 2 can execute the collection target optimization process for the device 1 based on the history information received from the device 4, for example. That is, in this modification, the collection target optimization process that reflects the history information acquired by each of the devices 1, 4, and 5 can be performed.
- FIG. 21 is a block diagram illustrating a schematic configuration of the information collection system 1000A according to the fourth embodiment of the present invention. As shown in FIG. 21, the information collection system 1000A has an information collection control device 1A.
- FIG. 22 is a block diagram illustrating a schematic configuration of the information collection control device 1A according to the fourth embodiment.
- the information collection control device 1A includes a history information collection unit 110A and a transmission control unit 150A.
- the history information collecting unit 110 performs a collecting process for collecting history information related to the operation history of the program running on the terminal.
- the transmission control unit 150A controls the transmission timing of the history information to the server.
- the information collection control device 1A according to the fourth embodiment may execute the operation of the device 1 according to the first to third embodiments.
- the information collection system 1000A according to the fourth embodiment may be configured in the same manner as the information collection system 1000 according to the first to third embodiments. In the above case, the description of the first to third embodiments can be applied to the fourth embodiment.
- the fourth embodiment is not limited to the above examples.
- the steps in the process described in the present specification do not necessarily have to be executed in chronological order in the order described in the sequence diagram or the flowchart.
- the steps in the process may be executed in an order different from the order described in the sequence diagram or the flowchart, or may be executed in parallel.
- some of the steps in the process may be deleted, and additional steps may be added to the process.
- a device including the components of the device 1 described in the present specification may be provided.
- a method including the processing of the above-mentioned components may be provided, and a program for causing the processor to execute the processing of the above-mentioned components may be provided.
- A non-transitory computer readable medium on which the program is recorded may be provided.
- An information collection control device comprising a history information collection unit that performs a collection process for collecting history information related to the operation history of a program running on a terminal, and a transmission control unit that controls the transmission timing of the history information to the server.
- Appendix 2: A risk level setting unit that sets, for the history information, a risk level related to the degree of security risk in the terminal is provided.
- The transmission control unit controls the transmission timing based on the risk level set in the history information.
- the information collection control device according to Appendix 1.
- The risk setting unit sets, as the risk level, a value indicating that the terminal has a security risk when the history information contains a parameter that is not a normal value.
- the information collection control device according to Appendix 2.
- The risk setting unit sets, as the risk level, a value indicating that the terminal has a security risk when the history information includes attack-related information related to an attack pattern on the terminal.
- the information collection control device according to Appendix 2 or 3.
- The history information collecting unit is arranged in a normal area.
- the transmission control unit and the risk setting unit are arranged in a protected area that is more secure than the normal area.
- a history information receiving unit which is arranged in the protected area and receives the history information from the history information collecting unit is provided.
- the information collection control device according to any one of Supplementary note 2 to 6.
- the history information collecting unit collects the collection target operation history predetermined as the collection target from the operation history as the history information.
- A history information collection control unit is provided that causes the history information collection unit to execute the collection process with, as the collection target, the related operation history that is related to the collection target operation history within the operation history.
- the information collection control device according to any one of Supplementary note 2 to 7.
- The history information collection control unit excludes the related operation history from the collection target when the related operation history is no longer related to the collection target operation history.
- the information collection control device according to Appendix 8.
- the collection target operation history includes an operation history indicating that the terminal has a security risk.
- The history information collection control unit controls the execution of the collection process by the history information collecting unit based on the information received from the server.
- the information collection control device according to any one of Supplementary note 8 to 10.
- the history information collection control unit is arranged in a protected area that is more secure than the normal area.
- the information collection control device according to any one of Supplementary note 8 to 11.
- The transmission control unit transmits the history information to the server at predetermined time intervals.
- the information collection control device according to any one of Supplementary note 1 to 13.
- the processing load can be reduced when analyzing security risks.
- Information collection control device; 2 Server; 3 Network; 11 CPU (Central Processing Unit); 12 ROM (Read Only Memory); 13 RAM (Random Access Memory); 14 Storage medium; 15 Interface (I/F); 16 Bus; 17 Input unit; 18 Display unit; 100 Controller; 101 Network I/F; 102 Normal area; 103 Protected area; 110, 110A History information collection unit; 120, 120A, 120B, 120C, 120D History information; 130 History information DB (Data Base); 131 History information data table; 140 Danger level setting unit; 150, 150A Transmission control unit; 151 History information data table; 160 Danger level setting DB (Data Base); 163 Danger information data table; 170 History information receiving unit; 180 History information collection control unit; 200 Controller; 201 Network I/F; 210 History information receiver; 220 History information DB (Data Base); 230 History information analysis unit; 240 History information collection control unit; 1000, 1000A Information collection system
Priority Applications (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| JP2022570864A JPWO2022137403A1 | 2020-12-23 | 2020-12-23 | |
| PCT/JP2020/048267 WO2022137403A1 (ja) | 2020-12-23 | 2020-12-23 | 情報収集制御装置、情報収集システム、情報収集制御方法、及び情報収集制御プログラム |
| US18/266,754 US20240045949A1 (en) | 2020-12-23 | 2020-12-23 | Information collection control apparatus, information collection system, information collection control method, and information collection control program |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/JP2020/048267 WO2022137403A1 (ja) | 2020-12-23 | 2020-12-23 | 情報収集制御装置、情報収集システム、情報収集制御方法、及び情報収集制御プログラム |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2022137403A1 | 2022-06-30 |
Family
ID=82159265
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/JP2020/048267 Ceased WO2022137403A1 (ja) | 2020-12-23 | 2020-12-23 | 情報収集制御装置、情報収集システム、情報収集制御方法、及び情報収集制御プログラム |
Country Status (3)
| Country | Link |
|---|---|
| US (1) | US20240045949A1 |
| JP (1) | JPWO2022137403A1 |
| WO (1) | WO2022137403A1 |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2010267128A (ja) * | 2009-05-15 | 2010-11-25 | Ntt Docomo Inc | 解析システム、解析装置、検知方法、解析方法及びプログラム |
| JP2015511047A (ja) * | 2012-03-19 | 2015-04-13 | クアルコム,インコーポレイテッド | マルウェアを検出するコンピューティングデバイス |
| JP2019028670A (ja) * | 2017-07-28 | 2019-02-21 | 大日本印刷株式会社 | セキュアエレメント、コンピュータプログラム、デバイス、サーバ及びデバイス監視方法 |
| CN110119621B (zh) * | 2019-05-05 | 2020-08-21 | 网御安全技术(深圳)有限公司 | 异常系统调用的攻击防御方法、系统及防御装置 |
-
2020
- 2020-12-23 WO PCT/JP2020/048267 patent/WO2022137403A1/ja not_active Ceased
- 2020-12-23 US US18/266,754 patent/US20240045949A1/en not_active Abandoned
- 2020-12-23 JP JP2022570864A patent/JPWO2022137403A1/ja active Pending
Cited By (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2024007581A (ja) * | 2022-07-06 | 2024-01-19 | 株式会社東芝 | リスク評価装置、リスク評価方法及びプログラム |
| JP7735229B2 (ja) | 2022-07-06 | 2025-09-08 | 株式会社東芝 | リスク評価装置、リスク評価方法及びプログラム |
| US12554858B2 (en) | 2022-07-06 | 2026-02-17 | Kabushiki Kaisha Toshiba | Risk evaluation device, risk evaluation method, and program product |
| WO2025248594A1 (ja) * | 2024-05-27 | 2025-12-04 | Ntt株式会社 | システムコール収集システム、および、保守サーバ |
Also Published As
| Publication number | Publication date |
|---|---|
| JPWO2022137403A1 | 2022-06-30 |
| US20240045949A1 (en) | 2024-02-08 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20966893; Country of ref document: EP; Kind code of ref document: A1 |
| | ENP | Entry into the national phase | Ref document number: 2022570864; Country of ref document: JP; Kind code of ref document: A |
| | WWE | Wipo information: entry into national phase | Ref document number: 18266754; Country of ref document: US |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 20966893; Country of ref document: EP; Kind code of ref document: A1 |