WO2022137403A1 - Information collection control device, information collection system, information collection control method, and information collection control program - Google Patents
- Publication number: WO2022137403A1 (PCT application PCT/JP2020/048267)
- Authority: WO (WIPO, PCT)
Classifications (CPC; all under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity, and G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
- G06F21/55: Detecting local intrusion or implementing counter-measures
- G06F21/552: Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- G06F21/577: Assessing vulnerabilities and evaluating computer system security (under G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities)
Definitions
- The present invention relates to an information collection control device, an information collection system, an information collection control method, and an information collection control program.
- Patent Document 1 proposes a technique for determining the validity of the operation of a device in the system to be analyzed based on the system call execution information of the OS executed by the device.
- A system call is a mechanism by which a program uses the resources managed by the OS, and the system call execution information of Patent Document 1 includes the system call name, its arguments, and the like. In Patent Document 1, a device whose system call execution history matches a fraudulent pattern is determined to have a security problem.
- In the technique disclosed in Patent Document 1, the validity of the operation of the device is determined based on the system call execution information of the OS. However, since a huge number of system calls are invoked even in a short time, the processing load for grasping signs of a cyber attack and the presence or absence of a security risk increases, and consequently the cost and time required for that processing increase.
- An object of the present invention is to solve the above problem, that is, to reduce the processing load when analyzing a security risk.
- The information collection control device of the present invention includes a history information collection unit that collects history information related to the operation history of a program operating in a terminal, and a transmission control unit that controls the transmission timing of the history information to a server.
- The information collection system of the present invention is equipped with an information collection control device that includes a history information collection unit that collects history information related to the operation history of a program running on a terminal, and a transmission control unit that controls the transmission timing of the history information to a server.
- The information collection control method of the present invention includes performing a collection process for collecting history information related to the operation history of a program operating on a terminal, and controlling the transmission timing of the history information to a server.
- The information collection control program of the present invention causes a processor to perform a collection process for collecting history information regarding the operation history of a program operating in a terminal, and to control the transmission timing of the history information to a server.
- 4. Second Embodiment: 4.1. Functional configuration of device 1; 4.2. Flow of collection target optimization processing in device 1. 5. Modification example of the second embodiment: 5.1. Functional configuration of device 1. 6. Third Embodiment: 6.1. Functional configuration of server 2; 6.2. Flow of collection target optimization processing in server 2. 7. Modification example of the third embodiment. 8. Fourth Embodiment. 9. Other embodiments.
- As a technique for monitoring information on device operation and analyzing security risks, Patent Document 1, for example, proposes a technique for determining the validity of device operation based on the system call execution information of the OS executed on the device in the analysis target system.
- A system call is a mechanism by which a program uses the resources managed by the OS, and the system call execution information of Patent Document 1 includes the system call name, its arguments, and the like. In Patent Document 1, a device whose system call execution history matches a fraudulent pattern is determined to have a security problem.
- The present invention aims to reduce the processing load when analyzing security risks.
- The information collection control device has a history information collection unit that collects history information related to the operation history of a program operating in a terminal, and a transmission control unit that controls the timing of transmitting the history information to a server.
- FIG. 1 is a diagram illustrating an operation mode of the information collection system 1000 according to the first embodiment.
- The information collection system 1000 is configured by connecting a device 1 and a server 2 via a network 3.
- The device 1 is, for example, a terminal such as an RU (Radio Unit) used as a radio slave station of a base station device of a wireless communication system.
- The RU converts a digital signal into a radio frequency signal, amplifies the transmission power, and transmits and receives via an antenna element.
- A program for collecting history information regarding the operation history of a program operating on the device 1 (for example, the OS (Operating System) of the device 1) is installed in the device 1.
- An information processing terminal other than an RU may be used as the device 1.
- The server 2 is an information processing device that stores, analyzes, outputs, and otherwise handles the information collected by the information collection system 1000.
- The server 2 can receive the history information transmitted from the device 1 and analyze the security risk in the device 1 based on the received history information.
- The network 3 is a communication line that connects the device 1 and the server 2 so that they can communicate; it may be either wireless or wired.
- The device 1 and the server 2 do not need to be always connected. At a minimum, the device 1 and the server 2 may be connected at the timing when the history information is transmitted from the device 1.
- The history information of the device 1 in the present embodiment is the history of operations performed on the device 1, such as file operations, directory operations, registry operations, thread operations, and process operations, which are realized by the operation of a program such as the OS of the device 1.
- Such an operation history can be obtained by acquiring the execution history of the system calls invoked when a program operating on the device 1 uses the hardware resources of the device 1.
- A program running on the device 1 performs input/output to the hardware resources of the device 1 and file processing by calling library functions.
- Some library functions indirectly use system calls to perform input/output to and from the hardware resources of the device 1 and file processing.
- Therefore, the operation history of the device 1 described above can also be obtained by acquiring the history of the library functions called by the program operating on the device 1.
- In the following, the history of the system calls and the history of the library functions called by a program running on the device 1 are referred to as "history information".
- Since a program implemented in the device 1 executes input/output processing to the hardware resources constituting the device 1 by means of system calls or library functions, a huge number of system calls are invoked in the device 1 in a short time as long as the program operates. Therefore, the processing load of the server 2, which analyzes the security risk of the device 1 based on the history information of the device 1, becomes enormous, and as a result the cost and time required for the processing for grasping signs of a cyber attack and the presence or absence of a security risk increase.
- The transmission timing of the history information is therefore controlled by the device 1.
- FIG. 2 is a block diagram showing a hardware configuration of an information processing device.
- The information processing device includes a CPU (Central Processing Unit) 11, a ROM (Read Only Memory) 12, a RAM (Random Access Memory) 13, a storage medium 14, and an I/F (interface) 15, which are connected via a bus 16.
- The CPU 11 is a calculation means and controls the operation of the entire information processing device.
- The RAM 13 is a volatile storage medium capable of high-speed reading and writing of information, and is used as a work area when the CPU 11 processes information.
- The ROM 12 is a read-only non-volatile storage medium, and stores programs such as firmware.
- The storage medium 14 is a non-volatile storage medium capable of reading and writing information, such as an HDD (Hard Disk Drive), and stores an OS, various control programs, application programs, and the like.
- The I/F 15 connects the bus 16 with various hardware, networks, and the like, and controls them.
- The input unit 17 is an input device such as a keyboard or a mouse with which the user inputs information to the information processing device.
- The display unit 18 is a display device such as an LCD (Liquid Crystal Display) with which the user confirms the state of the information processing device.
- The input unit 17 and the display unit 18 can be omitted.
- The software control unit of the information processing device is configured by the CPU 11 performing operations according to a program stored in the ROM 12 or a program loaded from the storage medium 14 into the RAM 13. By combining the software control unit configured in this way with the hardware, functional blocks that realize the functions of the information processing device are configured, such as the controller 100 (see FIG. 3), the normal area 102, and the protected area 103 (see FIG. 12) of the device 1 according to the present embodiment, and the controller 200 of the server 2 (see FIG. 18).
- FIG. 3 is a functional block diagram showing a functional configuration of the device 1.
- The device 1 includes a controller 100 and a network I/F 101.
- The controller 100 acquires the history information of a program running on the device 1, sets a risk level regarding the degree of security risk of the device 1, and controls the transmission of the history information to the server 2.
- The controller 100 is configured by installing a dedicated software program on the device 1. This software program corresponds to the information collection control program of the present embodiment.
- The controller 100 includes a history information collection unit 110, a history information DB (database) 130, a risk level setting unit 140, a transmission control unit 150, and a risk level setting DB (database) 160.
- The history information collection unit 110 executes a collection process for collecting history information 120A, 120B, 120C, and 120D regarding the operation history of the program operating on the device 1.
- When the history information 120A, 120B, 120C, and 120D need not be distinguished, the description will continue by referring to them as the history information 120.
- The history information DB 130 is a storage area for storing the history information 120 collected by the history information collection unit 110. The structure of the information stored in the history information DB 130 will be described later.
- The risk level setting unit 140 executes a risk level setting process that sets, for the history information 120 collected by the history information collection unit 110, a risk level regarding the degree of security risk in the device 1.
- The risk level regarding the degree of security risk corresponds to a risk index indicating the degree of security risk in a terminal such as the device 1, determined based on a security vulnerability assessment or the like.
- The risk level setting unit 140 sets a risk level for each of the history information 120A, 120B, 120C, and 120D based on the risk level setting conditions 161 and 162 (see FIGS. 6 and 8), which are determined based on security vulnerability evaluation and the history of past cyber attacks.
- Risk level information regarding the risk levels set by the risk level setting unit 140 is stored in the risk level setting DB 160. Details of the risk level setting process performed by the risk level setting unit 140 will be described later with reference to FIGS. 6 to 10.
- The transmission control unit 150 executes a transmission determination process that controls the transmission timing of the history information to the server 2. The details of the transmission determination process performed by the transmission control unit 150 will be described later with reference to FIGS. 10 and 11.
- In this way, the device 1 acquires the history information 120 related to the operation history of the program operating on the device 1, and controls the timing of transmitting the acquired history information 120 to the server 2.
- FIG. 4 is a sequence diagram showing a processing flow in the information collection system 1000.
- FIG. 5 is a diagram showing the configuration of the history information data table 131.
- FIG. 6 is a diagram showing an example of the information described in the risk setting condition 161.
- FIG. 7 is a flowchart showing an example of the flow of the risk setting process in the device 1.
- FIG. 8 is a diagram showing an example of the information described in the risk setting condition 162.
- FIG. 9 is a flowchart showing another example of the flow of the risk setting process in the device 1.
- FIG. 10 is a diagram showing a configuration of risk level information set in the risk level setting process.
- FIG. 11 is a flowchart showing the flow of transmission determination processing in the device 1.
- The device 1 executes a collection process for collecting the history information 120 in step S101.
- The collection process by the history information collection unit 110 may be performed continuously while the device 1 is running.
- The history information 120 to be collected in the collection process may be set in advance, and only the history information 120 set as the collection target may be collected. Further, the timing at which the history information collection unit 110 performs the collection process may be set in advance.
- In step S102, the device 1 transmits the history information 120 collected in the collection process (step S101) to the history information DB 130.
- In the collection process, the history information collection unit 110 collects information regarding the names of the system calls and library functions called by the program operating on the device 1 as the history information 120. In addition, the history information collection unit 110 collects as history information 120 at least one of, for example, information on the execution time of the system call or library function, information on the user of the program running on the device 1, and information on the files accessed or created by the program running on the device 1.
- It is assumed that the history information collection unit 110 collects, as the history information 120A, information including "execution time: 2020.11.24.XX.YY", "execution user name: userA", and "history information: write(XX.XX.XX.X.jpg), read(XYZZ.Z.config), ...".
- It is assumed that the history information collection unit 110 collects, as the history information 120B, information including "execution time: 2020.11.24.XX.FF", "execution user name: userB", and "history information: exe(ZX.exe), ...".
- It is assumed that the history information collection unit 110 collects, as the history information 120C, information including "execution time: 2020.11.24.ZZ.XF", "execution user name: userA", and "history information: ..., recvfrom(rs: main, in: xx), send(int sockfd, ...), ...".
- It is assumed that the history information collection unit 110 collects, as the history information 120D, information including "execution time: 2020.11.24.FX.WZ", "execution user name: userC", and "history information: read(Z.ZZ.ZZ.Z.tp), ...".
- In step S103, the history information 120 transmitted by the history information collection unit 110 in step S102 is stored in the history information DB 130.
- The history information 120A, 120B, 120C, and 120D collected by the history information collection unit 110 is stored in the history information DB 130 in association with history information identifiers that identify each of the history information 120A, 120B, 120C, and 120D, as shown in No. 1 of the history information data table 131 (see FIG. 5).
- The risk level setting unit 140 acquires the history information 120 from the history information DB 130 in step S104. When the history information 120 has been acquired, the risk level setting unit 140 executes the risk level setting process in step S105. The details of the risk level setting process will be described later with reference to FIGS. 6 to 10.
- The transmission control unit 150 executes the transmission determination process in step S106.
- In the transmission determination process, a process of determining whether it is time to transmit the history information of the device 1 to the server 2, a process of determining whether to transmit the history information of the device 1 to the server 2, and the like are performed. The details of the transmission determination process will be described later with reference to FIGS. 10 and 11.
- In step S107, the transmission control unit 150 acquires from the history information DB 130 the history information 120 that was determined, as a result of the transmission determination process in step S106, to be transmitted to the server 2. Then, in step S108, the transmission control unit 150 transmits the history information 120 acquired in step S107 to the server 2 via the network I/F 101.
- In this way, the device 1 collects the history information 120 of the program operating in the device 1, and performs processing to control the timing of transmitting the collected history information 120 to the server 2.
- The history information 120 includes, as the history of system calls and library functions, various parameters such as the execution date and time and the execution user name. Therefore, the degree of security risk, such as a sign of a cyber attack on the device 1 or a vulnerability, can be determined based on the values of the parameters included in the history information 120.
- In a cyber attack on the device 1, a plurality of system calls and library functions are called and the information resources of the device 1 are used. Therefore, if the system calls included in an attack pattern and their execution order are known, the degree of security risk, such as a sign of a cyber attack on the device 1 or a vulnerability, can be determined.
- The same holds for library functions as for system calls: if the library functions included in an attack pattern and their execution order are known, the degree of security risk in the device 1 can be determined.
- For cyber attacks that combine system calls and library functions, if the system calls and library functions included in the attack pattern and their execution order are known, the degree of security risk in the device 1 can be determined.
- The risk level setting process, which sets a risk level for the history information 120 collected by the history information collection unit 110, is performed by utilizing the characteristics of system calls described above.
- First, the details of the risk level setting process based on the risk level setting condition 161, in which parameters are described, are explained, followed by the details of the risk level setting process based on the risk level setting condition 162, in which an attack pattern is described.
- In the following, the risk level setting process based on the risk level setting condition 161, in which parameters are described, may be referred to as the first process, and the risk level setting process based on the risk level setting condition 162, in which an attack pattern is described, may be referred to as the second process.
- The risk level setting unit 140 executes the first process (see FIG. 7) based on the risk level setting condition 161 (see FIG. 6), in which information defining the normal value and the abnormal value for these parameters is described.
- In the first process, the degree of security risk in the device 1 is determined based on the history information 120, such as the user of the program that executed the system call or library function and the execution time, and a risk level is set for the history information 120 based on the determination result.
- The first process thus corresponds to a process of setting a risk level depending on whether the history information 120 includes a parameter whose value is not a normal value, for a parameter of a specific system call (or library function).
- The risk level setting condition 161 shown in FIG. 6 includes, regarding "system call name: execute", information indicating a first parameter "user name", a second parameter "execution time", and so on.
- Regarding the first parameter "user name" of the risk level setting condition 161, information is described that sets "risk level: 0" if the execution user name of the system call execute included in the history information 120 corresponds to "user name: userA", and sets "risk level: 10" if it corresponds to "user name: other than userA". In other words, "user name: userA" is the normal value, for which "risk level: 0" is set, and "user name: other than userA" is an abnormal value, for which the value "risk level: 10", indicating that there is a security risk for the device 1, is set.
- Regarding the second parameter "execution time" of the risk level setting condition 161, information is described that sets "risk level: 0" if the execution time of the system call execute included in the history information 120 corresponds to "execution time: between 14:00 and 18:00", and sets "risk level: 20" if it corresponds to "execution time: a time zone other than 14:00 to 18:00". In other words, "execution time: 14:00 to 18:00" is the normal value, and any other time zone is an abnormal value.
- In step S11, the risk level setting unit 140 refers to the risk level setting condition 161.
- The risk level setting condition 161 is a set value stored inside the risk level setting unit 140, and can be set based on information transmitted from the server 2, for example by the operator of the information collection system 1000 operating the server 2. Alternatively, the risk level setting condition 161 may be a set value stored inside the risk level setting unit 140 at the time of shipment of the device 1.
- In step S12, the risk level setting unit 140 pays attention to the nth parameter of the risk level setting condition 161 referred to in step S11. The risk level setting unit 140 pays attention to each of the n parameters included in the risk level setting condition 161 in order, starting with the first parameter.
- Here, n = 2; that is, the risk level setting condition 161 contains parameters up to its second parameter.
- In step S13, the risk level setting unit 140 compares each of the history information 120A to 120D with the parameter of the risk level setting condition 161 selected in step S12, and determines whether the value corresponding to that parameter in the history information 120A to 120D is a normal value.
- Since the history information 120A, 120C, and 120D does not include "system call: execute", the history information 120B will be used as an example.
- If the value is a normal value, the risk level setting unit 140 sets "risk level: 0" for the history information 120B and proceeds to step S15.
- If the value is not a normal value, the risk level setting unit 140 performs step S14, in which "risk level: 10" is added to the history information 120B, and then proceeds to step S15. Since the history information 120A, 120C, and 120D does not include "system call: execute", the risk level setting unit 140 sets "risk level: 0" for the history information 120A, 120C, and 120D.
- In the history information 120B, the user who executed "system call: execute" is "userB", which is not the normal value. Therefore, with respect to the first parameter "user name" of the risk level setting condition 161, "risk level: 10", indicating that there is a security risk for the device 1, is set.
- In step S15, the risk level setting unit 140 determines whether the history information 120B has any parameter among those included in the risk level setting condition 161 for which a risk level has not yet been set.
- If there is such a parameter, the risk level setting unit 140 pays attention to the (n + 1)th parameter in step S16 and executes the process from step S13 again.
- If there is no such parameter, in step S17 the risk level setting unit 140 totals the risk levels set for the parameters included in the history information 120B and sets the total as the risk level of the history information 120B. That is, if the execution time "XX.FF" of the "system call: execute" in the history information 120B is "between 14:00 and 18:00", the risk level of the history information 120B is set to "10" as a result of step S17. On the other hand, if the execution time "XX.FF" of the "system call: execute" in the history information 120B is "a time zone other than 14:00 to 18:00", the risk level of the history information 120B is set to "30".
- As shown in FIG. 10, the risk level set by the risk level setting unit 140 is stored in the risk level information data table 163 in the risk level setting DB 160, with the history information identifier "MGan7Mr2" that identifies the history information 120B associated with "risk level: 10 or 30".
- In this way, the degree of security risk in the device 1 is determined based on the user who executed the system call, the execution time, and the like, and a risk level is set for the history information 120 based on the determination result.
- The first process thus corresponds to a process of setting a risk level depending on whether the history information 120 includes a parameter whose value is not a normal value, for a parameter of the operation history of a specific system call.
- The risk level setting unit 140 executes the second process (see FIG. 9) based on the risk level setting condition 162 (see FIG. 8), in which known attack patterns and attack patterns preset by an index such as a vulnerability evaluation related to the device 1 are described.
- In the second process, the degree of security risk in the device 1 is determined based on the history information 120, the system calls and library functions peculiar to the attack pattern, and the execution order of those system calls and library functions, and a risk level is set for the history information 120 based on the determination result.
- The second process thus corresponds to a process of setting a risk level depending on whether the history information 120 contains information corresponding to the system calls or library functions peculiar to the attack pattern and their execution order.
- The information corresponding to the system calls or library functions peculiar to the attack pattern and their execution order corresponds to attack-related information related to the attack pattern.
- The risk level setting condition 162 shown in FIG. 8 includes information indicating "system call SC1 (normal); risk level: 0", "recvfrom(rs: main, in: xx) (normal); risk level: 0", and "send(int sockfd, ...) (normal); risk level: 100".
- In other words, the risk level setting condition 162 describes a plurality of system calls and library functions together with their execution order, and among them describes information that sets "risk level: 100" for the execution history of the system call "send(int sockfd, ...) (normal)". By doing so, when an operation including a known attack pattern, or an attack pattern preset based on an index such as a vulnerability evaluation regarding the device 1, is performed on the device 1, the risk level setting unit 140 sets a risk level for that operation.
- the risk level setting unit 140 refers to the risk level setting condition 162 in step S21.
- the risk level setting condition 162 is a set value stored inside the risk level setting unit 140, and can be set based on information transmitted from the server 2, for example by the operator of the information collection system 1000 who operates the server 2. Alternatively, the risk setting condition 162 may be a set value stored inside the risk setting unit 140 at the time the device 1 is shipped as a product.
- in step S22, the risk setting unit 140 determines whether or not the history information 120 acquired in step S104 includes history information 120 corresponding to the information described in the risk setting condition 162 referred to in step S21.
- the history information 120C is information including "history information: ..., recvfrom (rs: main, in: xx), send (int dockfd, ...), ...".
- this information corresponds to "system call SC1", "recvfrom (rs: main, in: xx)", and "send (int dockfd, ...)" described in the risk setting condition 162.
- in step S22 / Y, the risk setting unit 140 adds "risk level: 100" to the history information 120C and proceeds to step S24.
- in step S22, it is determined that the history information 120A, 120B, 120D is not history information corresponding to the information described in the risk setting condition 162 (step S22 / N). In this case, the risk setting unit 140 proceeds to step S24.
- in step S24, the risk setting unit 140 sets "risk level: 0" for the history information 120A, "risk level: 0" for the history information 120B, "risk level: 100" for the history information 120C, and "risk level: 0" for the history information 120D.
- the risk level set for the history information 120C by the risk level setting unit 140 is shown as No. 10 in FIG. 10.
- the history information identifier "P8hVPoiw" that identifies the history information 120C is associated with the "risk level: 100" and stored in the risk level information data table 163 in the risk level setting DB 160.
- row No. 2 of FIG. 10 shows the risk level set for the history information 120B in the first process.
- the degree of security risk in the device 1 is determined based on the system calls and library functions peculiar to the attack pattern and on their execution order, and the risk level is set for the history information 120 based on the determination result.
- the second process corresponds to the process of setting the risk level depending on whether the history information 120 contains information corresponding to the system calls or library functions peculiar to the attack pattern and to their execution order.
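The second process described above, written out in Python as an added illustration (this is not the patent's code nor an implementation from the applicant): an ordered attack pattern taken from the risk setting condition 162 is matched against the call sequence of each piece of history information, and the resulting risk level is recorded under the history information identifier, as in the risk level information data table 163. The identifiers "MGan7Mr2" and "P8hVPoiw" and the three condition entries are from the page; the record layout, the rule that the pattern's elements must appear in order but need not be adjacent, and the helper names are assumptions.

```python
"""Second risk-setting process (FIG. 9): match an attack pattern made of
ordered system calls / library functions against collected history
information and record the resulting risk level per history information
identifier, as in the risk level information data table 163.
Added example; not the patent's code. Record layout, matching rule and
helper names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Risk setting condition 162 (FIG. 8 on the page): (call, expected status,
# risk level). The page attaches "risk level: 100" to the last call.
RISK_SETTING_CONDITION_162: List[Tuple[str, str, int]] = [
    ("system call SC1", "normal", 0),
    ("recvfrom (rs: main, in: xx)", "normal", 0),
    ("send (int dockfd, ...)", "normal", 100),
]


@dataclass
class HistoryRecord:
    """One piece of history information 120 (layout assumed)."""
    identifier: str                 # history information identifier
    calls: List[Tuple[str, str]]    # (call, status) pairs in execution order


def contains_ordered_pattern(calls: Sequence[Tuple[str, str]],
                             condition: Sequence[Tuple[str, str, int]]) -> bool:
    """True when every (call, status) of the condition occurs in `calls` in
    the condition's order; unrelated calls may be interleaved (assumed rule)."""
    i = 0
    for call, status in calls:
        if i < len(condition) and (call, status) == condition[i][:2]:
            i += 1
    return i == len(condition)


def risk_level_second_process(record: HistoryRecord,
                              condition: Sequence[Tuple[str, str, int]]) -> int:
    """Steps S22/S24: the risk level of the pattern's last element when the
    whole pattern is present, otherwise 0 (assumed rule)."""
    if condition and contains_ordered_pattern(record.calls, condition):
        return condition[-1][2]
    return 0


def build_risk_table(records: Sequence[HistoryRecord],
                     condition: Sequence[Tuple[str, str, int]]) -> Dict[str, int]:
    """Risk level information data table 163: identifier -> risk level."""
    return {r.identifier: risk_level_second_process(r, condition) for r in records}


# Constructed sample history 120A..120D. "MGan7Mr2" (120B) and "P8hVPoiw"
# (120C) are the identifiers on the page; the other two are placeholders.
SAMPLE_HISTORY = [
    HistoryRecord("ID-120A-PLACEHOLDER", [("system call SC1", "normal")]),
    HistoryRecord("MGan7Mr2", [("system call SC1", "normal"),
                               ("send (int dockfd, ...)", "normal")]),  # no recvfrom: no match
    HistoryRecord("P8hVPoiw", [("system call SC1", "normal"),
                               ("open", "normal"),                     # unrelated, interleaved
                               ("recvfrom (rs: main, in: xx)", "normal"),
                               ("send (int dockfd, ...)", "normal")]),
    HistoryRecord("ID-120D-PLACEHOLDER", [("recvfrom (rs: main, in: xx)", "normal"),
                                          ("send (int dockfd, ...)", "normal")]),
]

if __name__ == "__main__":
    for ident, risk in build_risk_table(SAMPLE_HISTORY, RISK_SETTING_CONDITION_162).items():
        print(f"{ident}: risk level {risk}")
```

Only "P8hVPoiw" receives risk level 100: the record for "MGan7Mr2" lacks the recvfrom call, and a record with the same three calls in a different order would not match either, which is the execution-order part of the condition.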
- in step S31, the transmission control unit 150 acquires, as the risk level information stored in the risk level information data table 163, information indicating that "risk level: 10 or 30" is set for the history information 120B and that "risk level: 100" is set for the history information 120C.
- step S32 the transmission control unit 150 transmits the history information 120 in which the first value or higher is set as the risk level to the server 2.
- the transmission control unit 150 acquires the entries having "risk level: 10" or more from the risk level information data table 163.
- the entries having a risk level of 10 or more are stored in rows No. 2 and No. 7.
- the transmission control unit 150 acquires the history information identifiers "MGan7Mr2" and "P8hVPoiw" from rows No. 2 and No. 7.
- the transmission control unit 150 transmits the history information 120B and the history information 120C, identified in the history information data table 151 by the history information identifiers "MGan7Mr2" and "P8hVPoiw", to the server 2 via the network I / F 101.
- step S33 the transmission control unit 150 transmits the history information 120 to the server 2 when the total risk of the entire history information 120 becomes the second value or more.
- the transmission control unit 150 transmits the history information 120A, 120B, 120C, 120D to the server 2 via the network I / F 101.
- step S34 the transmission control unit 150 transmits the history information 120 including a specific system call to the server 2.
- the specific system call corresponds to, for example, a system call called by the device 1 when an unfavorable operation is performed from the viewpoint of security.
- the unfavorable operation from the viewpoint of security corresponds to, for example, access to an important file system of device 1 such as a system folder, access to a registry related to automatic execution of a program, and the like.
- in step S35, the transmission control unit 150 transmits to the server 2 the history information 120 regarding the operation history executed in the device 1 within a predetermined time. For example, assuming that the operating time of the device 1 is set from 5:00 to 23:00, the transmission control unit 150 may send to the server 2 the history information 120 regarding operations observed by the device 1 between 23:00 and 5:00.
- in step S36, the transmission control unit 150 transmits the history information 120 to the server 2 when the amount of the history information 120 collected by the history information collection unit 110 exceeds a predetermined amount.
- the state in which the amount of the history information 120 is equal to or more than the predetermined amount corresponds, for example, to the case where the history information 120 is equal to or more than a predetermined number of bytes, or to the case where the number of lines of the history information 120 stored in the history information DB 130 is more than a predetermined number of lines.
- in step S37, the transmission control unit 150 transmits the history information 120 to the server 2 when a predetermined time has elapsed since the history information was last transmitted to the server 2. For example, when 12 hours have elapsed since the history information was last transmitted to the server 2, the transmission control unit 150 transmits to the server 2 the history information 120 collected in the device 1 since the previous transmission.
- transmission control unit 150 may perform any one of the processes from steps S32 to S37.
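The six transmission triggers of steps S32 to S37, as an added Python example that is not code from the patent: each step is one predicate over the collected records, and a selector takes the union of their results (the page lets the transmission control unit apply any one of the steps; evaluating all of them is this example's choice). The first value 10, the 5:00 to 23:00 operating hours, the 12-hour interval and the two identifiers with their risk levels are from the page; the second value, the line-count threshold, the sensitive call names and the record layout are assumptions.

```python
"""Transmission control (FIG. 11, steps S32-S37): which history information
records go to the server, and when. Added example; not the patent's code.
The second value, the line-count threshold, the sensitive call names and the
record layout are assumptions; the other constants follow the page."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Dict, List, Sequence

FIRST_VALUE = 10                               # step S32, per-record threshold (page)
SECOND_VALUE = 200                             # step S33, total threshold (assumed)
OPERATING_HOURS = (time(5, 0), time(23, 0))    # step S35, 5:00-23:00 (page)
MAX_LINES = 1000                               # step S36, volume threshold (assumed)
RESEND_INTERVAL = timedelta(hours=12)          # step S37, 12 hours (page)
# Step S34: constructed call names standing in for "access to a system
# folder" and "access to the autorun registry" on the page.
SENSITIVE_CALLS = {"open_system_folder", "write_autorun_registry"}


@dataclass
class HistoryRecord:
    """One piece of history information 120 (layout assumed)."""
    identifier: str
    calls: List[str]
    observed_at: datetime
    lines: int = 1


def all_ids(records: Sequence[HistoryRecord]) -> List[str]:
    return [r.identifier for r in records]


def s32_record_risk(records, risk_table: Dict[str, int]) -> List[str]:
    """Records whose own risk level is at least the first value."""
    return [r.identifier for r in records if risk_table.get(r.identifier, 0) >= FIRST_VALUE]


def s33_total_risk(records, risk_table: Dict[str, int]) -> List[str]:
    """Every record once the summed risk level reaches the second value."""
    total = sum(risk_table.get(r.identifier, 0) for r in records)
    return all_ids(records) if total >= SECOND_VALUE else []


def s34_specific_call(records) -> List[str]:
    """Records containing a security-sensitive system call."""
    return [r.identifier for r in records if SENSITIVE_CALLS.intersection(r.calls)]


def s35_outside_operating_hours(records) -> List[str]:
    """Records observed outside the device's operating hours."""
    start, end = OPERATING_HOURS
    return [r.identifier for r in records if not (start <= r.observed_at.time() < end)]


def s36_volume(records) -> List[str]:
    """Every record once the stored history reaches the line threshold."""
    return all_ids(records) if sum(r.lines for r in records) >= MAX_LINES else []


def s37_elapsed(records, now: datetime, last_sent: datetime) -> List[str]:
    """Every record once the resend interval has passed since the last send."""
    return all_ids(records) if now - last_sent >= RESEND_INTERVAL else []


def select_for_transmission(records, risk_table, now, last_sent) -> List[str]:
    """Union of all six triggers, in record order. The page lets the unit
    apply any one of S32-S37; evaluating all of them is this example's choice."""
    chosen = set()
    for ids in (s32_record_risk(records, risk_table), s33_total_risk(records, risk_table),
                s34_specific_call(records), s35_outside_operating_hours(records),
                s36_volume(records), s37_elapsed(records, now, last_sent)):
        chosen.update(ids)
    return [r.identifier for r in records if r.identifier in chosen]


# Constructed sample data: the two identifiers and their risk levels are the
# page's 120B / 120C; the other records and all timestamps are made up.
NOW = datetime(2020, 12, 23, 12, 0)
SAMPLE_RECORDS = [
    HistoryRecord("ID-120A-PLACEHOLDER", ["read"], NOW - timedelta(hours=1)),
    HistoryRecord("MGan7Mr2", ["recvfrom"], NOW - timedelta(minutes=30)),
    HistoryRecord("P8hVPoiw", ["recvfrom", "send"], NOW - timedelta(minutes=10)),
    HistoryRecord("ID-120D-PLACEHOLDER", ["open"], datetime(2020, 12, 22, 23, 30)),  # outside hours
]
SAMPLE_RISK_TABLE = {"MGan7Mr2": 10, "P8hVPoiw": 100}

if __name__ == "__main__":
    print(select_for_transmission(SAMPLE_RECORDS, SAMPLE_RISK_TABLE, NOW, NOW - timedelta(hours=2)))
```

With the sample data, S32 selects 120B and 120C, S35 selects the record observed at 23:30, and S33, S36 and S37 stay silent because the summed risk (110), the line count and the elapsed time are all below their thresholds.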
- the device 1 performs a process of selecting the history information 120 to be transmitted and a process of controlling the transmission timing of the history information 120.
- the server 2 can reduce the processing load when performing the security risk analysis of the device 1 based on the history information of the device 1.
- FIG. 12 is a functional block diagram showing a functional configuration of the device 1 according to a modification of the first embodiment.
- the device 1 includes a normal area 102 including a history information collecting unit 110, and a protected area 103 including a history information DB 130, a risk setting unit 140, a transmission control unit 150, a risk setting DB 160, and a history information receiving unit 170.
- the normal area 102 of the device 1 refers to a normal execution environment constructed on the memory (ROM12 or RAM13) space of the device 1 and in which the OS or the like of the device 1 is executed.
- the protected area 103 of the device 1 refers to a space (Secure World) that is isolated from the normal area 102 in the memory (ROM 12 or RAM 13) space of the device 1 by a technique such as TrustZone (registered trademark) of Arm Co., Ltd. or KeyStone of the RISC-V Foundation, and that is more secure than the normal area 102.
- the protected area 103, which is a secure space, cannot be directly accessed from the normal area 102, which is a non-secure space. Therefore, in this modification, the protected area 103 is provided with a history information receiving unit 170 as an element for receiving, in the protected area 103, the history information 120 collected in the normal area 102.
- in step S111, the history information receiving unit 170 issues, to the history information collecting unit 110, a history information transmission request requesting transmission of the history information 120 to the protected area 103.
- upon receiving the history information transmission request, the history information collecting unit 110 transmits the history information 120 to the history information receiving unit 170 in step S102.
- the history information receiving unit 170 transfers the history information 120 transmitted from the history information collecting unit 110 to the history information DB 130. As in the first embodiment, the history information 120A, 120B, 120C, 120D collected by the history information collection unit 110 in the collection process is stored in the history information DB 130 in association with the history information identifiers that identify the history information 120A, 120B, 120C, 120D.
- the processing after step S112 is the same as that of the first embodiment.
- a process of controlling the transmission timing of the history information 120 is performed. According to the above configuration, falsification, data corruption and the like of the collected history information 120 can be suppressed, so that the reliability of the information related to the operation of the device is further improved and the history information of the device 1 can be transmitted to the server 2.
- the second embodiment is different from the first embodiment in that the history information collecting unit 110 optimizes the operation history of the device 1 to be collected in the collecting process.
- the same components as those in the first embodiment are designated by the same reference numerals, and duplicate description will be omitted. Further, unless otherwise specified, the operation of the device 1 in the present embodiment is the same as that in the first embodiment, and thus the duplicate description will be omitted.
- FIG. 14 is a functional block diagram showing a functional configuration of the device 1 according to the second embodiment.
- the device 1 includes a history information collection unit 110, a history information DB 130, a risk setting unit 140, a transmission control unit 150, a risk setting DB 160, and a history information collection control unit 180.
- the history information collection control unit 180 executes a collection target optimization process for optimizing the operation history of the program operating on the device 1 to be collected by the history information collection unit 110 in the collection process.
- FIG. 15 is a diagram showing an example of the information described in the risk setting condition 164.
- FIG. 16 is a flowchart showing the flow of the collection target optimization process in the device 1.
- in a cyber attack on the device 1, multiple system calls are called and the information resources of the device 1 are used.
- history information predicted to have a security risk, such as a sign of a cyber attack on the device 1, is collected based on the system calls included in the attack pattern, the order of those system calls, and the execution history of the system calls.
- the risk setting condition 164 shown in FIG. 15 includes information indicating "system call SA1 (normal); 10 msec; risk level: 0", "system call SA2 (normal); 10 msec; risk level: 0", and "system call SA3 (normal); 5 msec; risk level: 100".
- the risk setting condition 164 of FIG. 15 describes an operation including an attack pattern in which system call SA1, system call SA2, and system call SA3 are executed in order. That is, the risk setting condition 164 corresponds to information including an operation history indicating that the device 1 has a security risk, and describes information for setting "risk level: 100" for that operation history of the device 1.
- the flow of the collection target optimization process executed in the device 1 will be described.
- the operation history of the device 1 to be collected by the history information collecting unit 110 in the collecting process will be referred to as “collection target operation history”.
- step S41 the history information collection control unit 180 acquires the history information 120 and the risk level setting condition 164 collected by the history information collection unit 110.
- step S42 the history information collection control unit 180 determines whether or not the history information 120 acquired in step S41 includes an operation history corresponding to the risk setting condition 164.
- in step S43, the history information collection control unit 180 adds the operation history of the device 1 related to the collection target operation history to the collection target.
- suppose that, in the device 1 in which the system call SA1 is set as the collection target operation history, the system call SA1 is executed within 10 ms.
- in step S43, the history information collection control unit 180 adds the system calls SA2 and SA3 described in the risk setting condition 164, as the related operation history related to the collection target operation history (system call SA1), to the collection target.
- the history information collection unit 110 executes the collection process with the system calls SA1, SA2, and SA3 as collection targets.
- an operation history indicating that the device 1 has a security risk is added to the collection target operation history.
- in step S44, the history information collection control unit 180 excludes the operation history of the device 1 related to the collection target operation history from the collection target.
- suppose that the collection target operation history is the operation history in which the system call SA1 is normally executed within 10 ms, the system call SA2 is normally executed within 10 ms, and the system call SA3 is normally executed within 5 ms.
- the collection target operation history set for the device 1 corresponds to the information described in the risk level setting condition 164. That is, here, the collection target operation history set for the device 1 includes an operation history indicating that the device 1 has a security risk.
- when the history information collection control unit 180 determines that the operation history in which the system calls SA1, SA2, and SA3 are executed in order is not related to the collection target operation history, it excludes the system calls SA2 and SA3 from the collection target operation history in step S44.
- the history information collection unit 110 excludes the system calls SA2 and SA3 from the collection target and executes the collection process.
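The collection target optimization of steps S41 to S44 in Python, as an added example that is not the patent's code: when the leading call of the FIG. 15 pattern has been observed normally within its time limit, the remaining calls of the pattern are added to the collection target (step S43); when the pattern is no longer seen, they are dropped again (step S44). The SA1/SA2/SA3 pattern and its 10 ms / 10 ms / 5 ms limits are from the page; the observation layout, the rule used to decide "related" (the pattern's first call observed within its limit), and the helper names are this example's assumptions.

```python
"""Collection target optimization (FIG. 16, steps S41-S44) on the device:
widen the set of collected system calls while an attack pattern appears to be
under way, narrow it again once the pattern is no longer related.
Added example; not the patent's code. The observation layout, the helper
names and the rule for "related" are this example's assumptions."""
from dataclasses import dataclass
from typing import List, Sequence, Set, Tuple

# Risk setting condition 164 (FIG. 15 on the page): (system call, time limit
# in ms); the page attaches "risk level: 100" to the full ordered sequence.
RISK_SETTING_CONDITION_164: List[Tuple[str, float]] = [("SA1", 10.0), ("SA2", 10.0), ("SA3", 5.0)]


@dataclass
class Observation:
    """One collected operation in the history information 120 (layout assumed)."""
    syscall: str
    duration_ms: float
    normal: bool = True


def matched_prefix(history: Sequence[Observation],
                   condition: Sequence[Tuple[str, float]]) -> int:
    """How many leading elements of the pattern were seen in order, each
    completing normally within its time limit."""
    i = 0
    for obs in history:
        if i < len(condition):
            call, limit_ms = condition[i]
            if obs.syscall == call and obs.normal and obs.duration_ms <= limit_ms:
                i += 1
    return i


def optimize_collection_target(targets: Set[str], history: Sequence[Observation],
                               condition: Sequence[Tuple[str, float]]) -> Set[str]:
    """Steps S42-S44 for one pattern. `targets` is the collection target
    operation history; the result is the new collection target."""
    lead_call = condition[0][0]
    related = {call for call, _ in condition[1:]}
    if lead_call not in targets:         # this pattern is not monitored on the device
        return set(targets)
    if matched_prefix(history, condition) >= 1:
        return set(targets) | related     # step S43: pattern under way, add related calls
    return set(targets) - related         # step S44: no longer related, drop them


# Constructed sample: a device that monitors SA1 only, then sees SA1 finish in 8 ms.
SAMPLE_TARGETS = {"SA1"}
SAMPLE_HISTORY_ATTACK_START = [Observation("open", 1.2), Observation("SA1", 8.0)]
SAMPLE_HISTORY_QUIET = [Observation("open", 1.2), Observation("SA1", 40.0)]  # too slow to count

if __name__ == "__main__":
    widened = optimize_collection_target(SAMPLE_TARGETS, SAMPLE_HISTORY_ATTACK_START,
                                         RISK_SETTING_CONDITION_164)
    print("after S43:", sorted(widened))
    print("after S44:", sorted(optimize_collection_target(widened, SAMPLE_HISTORY_QUIET,
                                                          RISK_SETTING_CONDITION_164)))
```

Running the two sample histories in sequence shows the full cycle: the 8 ms SA1 observation widens the target to SA1, SA2 and SA3, and a later window in which SA1 only appears with a 40 ms duration shrinks it back to SA1.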
- the collection target optimization process is performed based on the history information collected by the history information collection unit 110. According to the above configuration, since the history information collected in the device 1 is optimized for the program running in the device 1 according to the operation, the history information transmitted to the server 2 is also optimized.
- the operation history related to the attack pattern of device 1 is added to the collection target, and the operation history that is no longer related to the attack pattern of device 1 is excluded from the collection target.
- the history information predicted to have a security risk in the device 1 can be selectively transmitted to the server 2, so that the processing load of the server 2 can be reduced.
- FIG. 17 is a functional block diagram showing a functional configuration of the device 1 according to a modified example of the second embodiment.
- the device 1 includes a normal area 102 including a history information collecting unit 110, and a protected area 103 including a history information DB 130, a risk setting unit 140, a transmission control unit 150, a risk setting DB 160, a history information receiving unit 170, and a history information collecting control unit 180.
- the collection target optimization process for the operation history collected by the history information collecting unit 110 is performed in the protected area 103, which is isolated from the normal area 102 in which the OS of the device 1 is executed and is more secure than the normal area 102. By doing so, falsification, data corruption and the like of the collected history information 120 can be suppressed, so that the reliability of the information related to the operation of the device is further improved, the operation history collected by the history information collecting unit 110 can be optimized, and the history information of the device 1 can be transmitted to the server 2.
- the third embodiment is different from the first and second embodiments in that the history information collecting unit 110 optimizes the operation history of the device 1 to be collected in the collection process based on instructions from the server 2.
- FIG. 18 is a functional block diagram showing a functional configuration of the server 2 according to the third embodiment.
- the server 2 includes a controller 200 and a network I / F 201.
- the controller 200 receives the history information transmitted from the device 1, analyzes the security risk of the device 1, and executes the collection target optimization process for optimizing the operation history to be collected in the device 1.
- the controller 200 is configured by installing a dedicated software program on the device 1.
- the controller 200 includes a history information receiving unit 210, a history information DB (Data Base) 220, a history information analysis unit 230, and a history information collection control unit 240.
- the history information receiving unit 210 receives the history information 120 transmitted from the device 1 and stores it in the history information DB 220 which is a storage area.
- the history information analysis unit 230 executes an analysis process for analyzing the degree of security risk in the device 1 based on the history information 120 received from the device 1.
- the history information collection control unit 240 executes a collection target optimization process for optimizing the operation history of the device 1 to be collected in the collection process by the history information collection unit 110, based on the history information 120 received from the device 1.
- FIG. 19 is a flowchart showing the flow of the collection target optimization process performed on the server 2 according to the third embodiment.
- the history information analysis unit 230 analyzes the history information 120 received from the device 1.
- the history information analysis unit 230 performs security risk analysis on the history information 120 received from the device 1 based on a known vulnerability evaluation standard such as CVSS (Common Vulnerability Scoring System).
- in step S52, the history information collection control unit 240 determines the operation history to be collected by the history information collection unit 110 in the collection process, based on the history information 120 received from the device 1 and the result of the analysis process.
- the history information collection control unit 240 of the server 2 may perform the same processing as the history information collection control unit 180 of the device 1 (see FIG. 16) to determine the operation history to be collected by the history information collection unit 110 in the collection process.
- in step S53, the history information collection control unit 240 transmits to the device 1 information on the operation history to be collected by the history information collection unit 110, as determined in step S52. Based on the information received from the server 2, the history information collecting unit 110 of the device 1 executes the collection process with the operation history determined as the collection target in step S52 included in the collection target.
- the collection target optimization process is performed on the server 2 based on the history information collected by the history information collection unit 110. Since the server 2 performs an analysis process for analyzing the degree of security risk in the device 1 based on the history information, it is possible to perform a collection process that reflects the result of the analysis process. Further, the processing load of the device 1 can be reduced by performing the collection target optimization processing on the server 2.
- the information input to the server 2 by the operator of the information collection system 1000 operating the server 2 may be reflected in the collection target optimization process in the server 2.
- the information input to the server 2 is, for example, information specifying the operation history to be collected by the history information collecting unit 110 in the collecting process, such as information specifying that history information 120 related to the operation history executed in the device 1 within a predetermined time is to be collected, or information specifying that history information 120 including a specific system call is to be collected.
- FIG. 20 is a diagram showing an operation mode of the information collection system 1000 according to the modified example of the third embodiment.
- the device 1, the devices 4 and 5 of the same model as the device 1, and the server 2 are connected via the network 3.
- the server 2 receives history information regarding the operation history of the programs operating on the devices 1, 4, and 5. Therefore, the server 2 can execute the collection target optimization process for the device 1 based on the history information received from the device 4, for example. That is, in this modification, the collection target optimization process that reflects the history information acquired by each of the devices 1, 4, and 5 can be performed.
- FIG. 21 is a block diagram illustrating a schematic configuration of the information collection system 1000A according to the fourth embodiment of the present invention. As shown in FIG. 21, the information collection system 1000A has an information collection control device 1A.
- FIG. 22 is a block diagram illustrating a schematic configuration of the information collection control device 1A according to the fourth embodiment.
- the information collection control device 1A includes a history information collection unit 110A and a transmission control unit 150A.
- the history information collecting unit 110A performs a collecting process for collecting history information related to the operation history of the program running on the terminal.
- the transmission control unit 150A controls the transmission timing of the history information to the server.
- the information collection control device 1A according to the fourth embodiment may execute the operation of the device 1 according to the first to third embodiments.
- the information collection system 1000A according to the fourth embodiment may be configured in the same manner as the information collection system 1000 according to the first to third embodiments. In the above case, the description of the first to third embodiments can be applied to the fourth embodiment.
- the fourth embodiment is not limited to the above examples.
- the steps in the process described in the present specification do not necessarily have to be executed in chronological order in the order described in the sequence diagram or the flowchart.
- the steps in the process may be executed in an order different from the order described in the sequence diagram or the flowchart, or may be executed in parallel.
- some of the steps in the process may be deleted, and additional steps may be added to the process.
- a device including the components of the device 1 described in the present specification may be provided.
- a method including the processing of the above-mentioned components may be provided, and a program for causing the processor to execute the processing of the above-mentioned components may be provided.
- a non-transitory computer readable medium may be provided to the computer on which the program is recorded.
- an information collection control device comprising a history information collection unit that performs a collection process to collect history information related to the operation history of programs running on a terminal, and a transmission control unit that controls the transmission timing of the history information to a server.
- Appendix 2: the information collection control device according to Appendix 1, further provided with a risk level setting unit that sets, for the history information, a risk level related to the degree of security risk in the terminal, wherein the transmission control unit controls the transmission timing based on the risk level set for the history information.
- the risk setting unit sets, as the risk level, a value indicating that the terminal has a security risk when the history information contains a parameter that is not a normal value.
- the information collection control device according to Appendix 2.
- the risk setting unit sets, as the risk level, a value indicating that the terminal has a security risk when the history information includes attack-related information related to an attack pattern on the terminal.
- the information collection control device according to Appendix 2 or 3.
- the history information collecting unit is arranged in a normal area, and the transmission control unit and the risk setting unit are arranged in a protected area that is more secure than the normal area.
- a history information receiving unit, arranged in the protected area, receives the history information from the history information collecting unit.
- the information collection control device according to any one of Appendix 2 to 6.
- the history information collecting unit collects, as the history information, a collection target operation history predetermined as the collection target from the operation history, and a history information collection control unit causes the history information collection unit to execute the collection process with a related operation history, related to the collection target operation history, included in the collection target.
- the information collection control device according to any one of Appendix 2 to 7.
- the history information collection control unit excludes the related operation history from the collection target when the related operation history is no longer related to the collection target operation history.
- the information collection control device according to Appendix 8.
- the collection target operation history includes an operation history indicating that the terminal has a security risk.
- the history information collection control unit controls the execution of the collection process by the history information collecting unit based on information received from the server.
- the information collection control device according to any one of Appendix 8 to 10.
- the history information collection control unit is arranged in a protected area that is more secure than the normal area.
- the information collection control device according to any one of Appendix 8 to 11.
- the transmission control unit transmits the history information to the server at predetermined time intervals.
- the information collection control device according to any one of Appendix 1 to 13.
- the processing load can be reduced when analyzing security risks.
- Reference signs: 1 Information collection control device; 2 Server; 3 Network; 11 CPU (Central Processing Unit); 12 ROM (Read Only Memory); 13 RAM (Random Access Memory); 14 Storage medium; 15 Interface (I/F); 16 Bus; 17 Input unit; 18 Display unit; 100 Controller; 101 Network I/F; 102 Normal area; 103 Protected area; 110, 110A History information collection unit; 120, 120A, 120B, 120C, 120D History information; 130 History information DB (Data Base); 131 History information data table; 140 Risk level setting unit; 150, 150A Transmission control unit; 151 History information data table; 160 Risk level setting DB (Data Base); 163 Risk level information data table; 170 History information receiving unit; 180 History information collection control unit; 200 Controller; 201 Network I/F; 210 History information receiving unit; 220 History information DB (Data Base); 230 History information analysis unit; 240 History information collection control unit; 1000, 1000A Information collection system
Description
1. Overview of embodiments of the present invention
2. First embodiment
2.1. Operation mode of the information collection system 1000
2.2. Configuration of the device 1
2.2.1. Hardware configuration of information processing apparatuses such as the device 1
2.2.2. Functional configuration of the device 1
2.3. Overview of processing in the information collection system 1000
2.3.1. Flow of processing in the information collection system 1000
2.3.2. Overview of the risk level setting process in the device 1
2.3.2.1. Flow of the risk level setting process based on a risk setting condition in which parameters are described
2.3.2.2. Flow of the risk level setting process based on a risk setting condition in which attack patterns are described
2.3.3. Flow of the transmission determination process in the device 1
3. Modification of the first embodiment
3.1. Functional configuration of the device 1
3.2. Flow of processing in the information collection system 1000
4. Second embodiment
4.1. Functional configuration of the device 1
4.2. Flow of the collection target optimization process in the device 1
5. Modification of the second embodiment
5.1. Functional configuration of the device 1
6. Third embodiment
6.1. Functional configuration of the server 2
6.2. Flow of the collection target optimization process in the server 2
7. Modification of the third embodiment
8. Fourth embodiment
9. Other embodiments
First, an overview of the embodiments of the present invention will be described.
In recent years, with the increase in cyber attacks on network-connected systems, strengthening the security of such systems has become desirable. To guarantee the safety of a system, countermeasures against cyber attacks must be prepared in advance, not after a cyber attack on the system has been carried out. To grasp signs of a cyber attack on, or the presence of security risks in, the equipment included in a system, information on the operation of that equipment must be monitored.
In the embodiments of the present invention, an information collection control device comprises a history information collection unit that performs a collection process to collect history information related to the operation history of a program running on a terminal, and a transmission control unit that controls the timing of transmission of the history information to a server.
Hereinafter, a first embodiment of the present invention will be described with reference to FIG. 1 to FIG. 11. In the present embodiment, an information collection system 1000 that includes a device 1 and a server 2 and transmits information collected in the device 1 to the server 2 will be described.
First, the operation mode of the information collection system 1000 according to the first embodiment will be described. FIG. 1 is a diagram illustrating the operation mode of the information collection system 1000 according to the first embodiment. As shown in FIG. 1, the information collection system 1000 is configured with the device 1 and the server 2 connected via a network 3.
Next, the configuration of the device 1 according to the present embodiment will be described. Here, the hardware configuration of information processing apparatuses such as the device 1 and the server 2 is described first, followed by the functional configuration of the device 1.
With reference to FIG. 2, the hardware configuration of information processing apparatuses such as the device 1 and the server 2 according to the present embodiment will be described. FIG. 2 is a block diagram showing the hardware configuration of an information processing apparatus.
Next, the functional configuration of the device 1 will be described with reference to FIG. 3. FIG. 3 is a functional block diagram showing the functional configuration of the device 1. As shown in FIG. 3, the device 1 includes a controller 100 and a network I/F 101.
Next, an overview of processing in the information collection system 1000 of the present embodiment will be described with reference to FIG. 4 to FIG. 11. FIG. 4 is a sequence diagram showing the flow of processing in the information collection system 1000. FIG. 5 is a diagram showing the configuration of the history information data table 131. FIG. 6 is a diagram showing an example of the information described in the risk setting condition 161. FIG. 7 is a flowchart showing an example of the flow of the risk level setting process in the device 1. FIG. 8 is a diagram showing an example of the information described in the risk setting condition 162. FIG. 9 is a flowchart showing another example of the flow of the risk level setting process in the device 1. FIG. 10 is a diagram showing the configuration of the risk level information set in the risk level setting process. FIG. 11 is a flowchart showing the flow of the transmission determination process in the device 1.
First, the flow of processing in the information collection system 1000 will be described with reference to FIG. 4. In FIG. 4, the device 1 (history information collection unit 110) executes, in step S101, a collection process that collects history information 120. In the present embodiment, for example, the collection process by the history information collection unit 110 may be performed continuously while the device 1 is running. The history information 120 to be collected in the collection process may also be set in advance, so that only the history information 120 set as the collection target is collected. Further, the timing at which the history information collection unit 110 performs the collection process may be set in advance.
Next, the details of the risk level setting process performed in step S105 in the device 1 will be described with reference to FIG. 6 to FIG. 10. The history information 120 contains, as the history of system calls and library functions, various parameters such as the execution date and time and the executing user name. Therefore, the degree of security risk, such as signs of a cyber attack on the device 1 or vulnerabilities, can be determined based on the values of the parameters contained in the history information 120.
As described above, the history of system calls and library functions contains various parameters such as the execution date and time and the executing user name. The risk level setting unit 140 executes the first process (see FIG. 7) based on the risk setting condition 161 (see FIG. 6), in which information defining normal values and abnormal values for these parameters is described.
As described above, a plurality of system calls are called by a program running on the device 1. The risk level setting unit 140 executes the second process (see FIG. 9) based on the risk setting condition 162 (see FIG. 8), in which known attack patterns, or attack patterns set in advance from indices such as a vulnerability evaluation of the device 1, are described.
Next, the details of the transmission determination process in the device 1 will be described with reference to FIG. 10 and FIG. 11. It is assumed that, as a result of the risk level setting process by the risk level setting unit 140, "risk level: 10 or 30" has been set for the history information 120B and "risk level: 100" has been set for the history information 120C (see FIG. 10).
Next, as a modification of the first embodiment, a configuration will be described in which, to improve the reliability of the information on the operation of the equipment, the OS execution environment of the device 1 is isolated from the environment that performs transmission control of the history information 120 of the device 1.
First, the functional configuration of the device 1 according to this modification will be described with reference to FIG. 12. FIG. 12 is a functional block diagram showing the functional configuration of the device 1 according to the modification of the first embodiment. The device 1 includes a normal area 102 including the history information collection unit 110, and a protected area 103 including the history information DB 130, the risk level setting unit 140, the transmission control unit 150, the risk level setting DB 160 and the history information receiving unit 170.
Next, the flow of processing in the information collection system 1000 according to the modification of the first embodiment will be described with reference to FIG. 13. This modification differs from the first embodiment in that it includes a process in which the history information receiving unit 170 requests transmission of the history information 120 to the protected area 103.
The second embodiment differs from the first embodiment in that the history information collection unit 110 optimizes the operation history of the device 1 to be collected in the collection process.
First, the functional configuration of the device 1 according to the second embodiment will be described with reference to FIG. 14. FIG. 14 is a functional block diagram showing the functional configuration of the device 1 according to the second embodiment. The device 1 includes the history information collection unit 110, the history information DB 130, the risk level setting unit 140, the transmission control unit 150, the risk level setting DB 160 and the history information collection control unit 180.
Next, the flow of the collection target optimization process will be described with reference to FIG. 15 and FIG. 16. FIG. 15 is a diagram showing an example of the information described in the risk setting condition 164. FIG. 16 is a flowchart showing the flow of the collection target optimization process in the device 1.
Next, as a modification of the second embodiment, a configuration will be described in which, to improve the reliability of the information on the operation of the equipment, the OS execution environment of the device 1 is isolated from the environment that performs transmission control of the history information 120 of the device 1.
First, the functional configuration of the device 1 according to this modification will be described with reference to FIG. 17. FIG. 17 is a functional block diagram showing the functional configuration of the device 1 according to the modification of the second embodiment. The device 1 includes a normal area 102 including the history information collection unit 110, and a protected area 103 including the history information DB 130, the risk level setting unit 140, the transmission control unit 150, the risk level setting DB 160, the history information receiving unit 170 and the history information collection control unit 180.
The third embodiment differs from the first and second embodiments in that the history information collection unit 110 optimizes the operation history of the device 1 to be collected in the collection process based on instructions from the server 2.
First, the functional configuration of the server 2 according to the third embodiment will be described with reference to FIG. 18. FIG. 18 is a functional block diagram showing the functional configuration of the server 2 according to the third embodiment. As shown in FIG. 18, the server 2 includes a controller 200 and a network I/F 201.
Next, the flow of the collection target optimization process in the server 2 will be described with reference to FIG. 19. FIG. 19 is a flowchart showing the flow of the collection target optimization process performed in the server 2 according to the third embodiment.
Next, as a modification of the third embodiment, an information collection system 1000 in which devices 1, 4 and 5 are connected to the server 2 will be described. FIG. 20 is a diagram showing the operation mode of the information collection system 1000 according to the modification of the third embodiment. In the information collection system 1000 according to this modification, the device 1, devices 4 and 5 of the same model as the device 1, and the server 2 are connected via the network 3.
Next, a fourth embodiment of the present invention will be described with reference to FIG. 21 and FIG. 22. While the first to third embodiments described above are specific embodiments, the fourth embodiment is a more generalized embodiment. According to the fourth embodiment below, technical effects similar to those of the first to third embodiments are obtained.
As an example, the information collection control device 1A according to the fourth embodiment may execute the operation of the device 1 according to the first to third embodiments. Similarly, as an example, the information collection system 1000A according to the fourth embodiment may be configured in the same manner as the information collection system 1000 according to the first to third embodiments. In these cases, the description of the first to third embodiments is also applicable to the fourth embodiment. The fourth embodiment is not limited to the above examples.
Although embodiments of the present invention have been described above, the present invention is not limited to these embodiments. Those skilled in the art will understand that these embodiments are merely illustrative and that various modifications are possible without departing from the scope and spirit of the present invention.
(Supplementary note 1)
An information collection control apparatus comprising:
a history information collection unit that performs a collection process of collecting history information on the operation history of a program running on a terminal; and
a transmission control unit that controls the transmission timing of the history information to a server.
(Supplementary note 2)
The information collection control apparatus according to supplementary note 1, comprising a risk level setting unit that sets, for the history information, a risk level related to the degree of security risk at the terminal,
wherein the transmission control unit controls the transmission timing based on the risk level set for the history information.
(Supplementary note 3)
The information collection control apparatus according to supplementary note 2, wherein the risk level setting unit sets, as the risk level, a value indicating that the terminal has a security risk when the history information contains a parameter that is not a normal value.
(Supplementary note 4)
The information collection control apparatus according to supplementary note 2 or 3, wherein the risk level setting unit sets, as the risk level, a value indicating that the terminal has a security risk when the history information contains attack-related information related to an attack pattern against the terminal.
(Supplementary note 5)
The information collection control apparatus according to supplementary note 3 or 4, wherein the transmission control unit transmits the history information to the server when the value set for the history information as the risk level, indicating that the terminal has a security risk, is equal to or greater than a first value.
(Supplementary note 6)
The information collection control apparatus according to any one of supplementary notes 3 to 5, wherein the transmission control unit transmits the history information to the server when the sum of the values set for the history information as the risk level, indicating that the terminal has a security risk, has become equal to or greater than a second value.
(Supplementary note 7)
The information collection control apparatus according to any one of supplementary notes 2 to 6, wherein the history information collection unit is located in a normal area,
the transmission control unit and the risk level setting unit are located in a protected area that is more secure than the normal area, and
the apparatus comprises a history information reception unit, located in the protected area, that receives the history information from the history information collection unit.
(Supplementary note 8)
The information collection control apparatus according to any one of supplementary notes 2 to 7, wherein the history information collection unit collects, as the history information, a collection-target operation history defined in advance as a collection target from among the operation history, and
the apparatus comprises a history information collection control unit that causes the history information collection unit to execute the collection process with a related operation history, which is related to the collection-target operation history, as the collection target.
(Supplementary note 9)
The information collection control apparatus according to supplementary note 8, wherein the history information collection control unit excludes the related operation history from the collection target when the related operation history is no longer related to the collection-target operation history.
(Supplementary note 10)
The information collection control apparatus according to supplementary note 8 or 9, wherein the collection-target operation history includes an operation history indicating that the terminal has a security risk.
(Supplementary note 11)
The information collection control apparatus according to any one of supplementary notes 8 to 10, wherein the history information collection control unit controls the execution of the collection process by the history information collection unit based on received information received from the server.
(Supplementary note 12)
The information collection control apparatus according to any one of supplementary notes 8 to 11, wherein the history information collection control unit is located in a protected area that is more secure than a normal area.
(Supplementary note 13)
The information collection control apparatus according to any one of supplementary notes 1 to 12, wherein the transmission control unit transmits the history information to the server when the amount of history information collected by the history information collection unit has become equal to or greater than a predetermined amount.
(Supplementary note 14)
The information collection control apparatus according to any one of supplementary notes 1 to 13, wherein the transmission control unit transmits the history information to the server at predetermined time intervals.
(Supplementary note 15)
The information collection control apparatus according to any one of supplementary notes 1 to 14, wherein the transmission control unit transmits the history information to the server when the history information is operation history within a predetermined time.
(Supplementary note 16)
The information collection control apparatus according to any one of supplementary notes 1 to 15, wherein the transmission control unit transmits the history information to the server when the history information is a predetermined system call.
(Supplementary note 17)
An information collection system including the information collection control apparatus according to any one of supplementary notes 1 to 16.
(Supplementary note 18)
An information collection control method comprising:
performing a collection process of collecting history information on the operation history of a program running on a terminal; and
controlling the transmission timing of the history information to a server.
(Supplementary note 19)
An information collection control program that causes a processor to execute:
performing a collection process of collecting history information on the operation history of a program running on a terminal; and
controlling the transmission timing of the history information to a server.
1A information collection control apparatus
2 server
3 network
11 CPU (Central Processing Unit)
12 ROM (Read Only Memory)
13 RAM (Random Access Memory)
14 storage medium
15 interface (I/F)
16 bus
17 input unit
18 display unit
100 controller
101 network I/F
102 normal area
103 protected area
110, 110A history information collection unit
120, 120A, 120B, 120C, 120D history information
130 history information DB (database)
131 history information data table
140 risk level setting unit
150, 150A transmission control unit
151 history information data table
160 risk level setting DB (database)
163 risk level information data table
170 history information reception unit
180 history information collection control unit
200 controller
201 network I/F
210 history information reception unit
220 history information DB (database)
230 history information analysis unit
240 history information collection control unit
1000, 1000A information collection system
Claims (19)
1. An information collection control apparatus comprising: a history information collection unit that performs a collection process of collecting history information on the operation history of a program running on a terminal; and a transmission control unit that controls the transmission timing of the history information to a server.
2. The information collection control apparatus according to claim 1, comprising a risk level setting unit that sets, for the history information, a risk level related to the degree of security risk at the terminal, wherein the transmission control unit controls the transmission timing based on the risk level set for the history information.
3. The information collection control apparatus according to claim 2, wherein the risk level setting unit sets, as the risk level, a value indicating that the terminal has a security risk when the history information contains a parameter that is not a normal value.
4. The information collection control apparatus according to claim 2 or 3, wherein the risk level setting unit sets, as the risk level, a value indicating that the terminal has a security risk when the history information contains attack-related information related to an attack pattern against the terminal.
5. The information collection control apparatus according to claim 3 or 4, wherein the transmission control unit transmits the history information to the server when the value set for the history information as the risk level, indicating that the terminal has a security risk, is equal to or greater than a first value.
6. The information collection control apparatus according to any one of claims 3 to 5, wherein the transmission control unit transmits the history information to the server when the sum of the values set for the history information as the risk level, indicating that the terminal has a security risk, has become equal to or greater than a second value.
7. The information collection control apparatus according to any one of claims 2 to 6, wherein the history information collection unit is located in a normal area, the transmission control unit and the risk level setting unit are located in a protected area that is more secure than the normal area, and the apparatus comprises a history information reception unit, located in the protected area, that receives the history information from the history information collection unit.
8. The information collection control apparatus according to any one of claims 2 to 7, wherein the history information collection unit collects, as the history information, a collection-target operation history defined in advance as a collection target from among the operation history, and the apparatus comprises a history information collection control unit that causes the history information collection unit to execute the collection process with a related operation history, which is related to the collection-target operation history, as the collection target.
9. The information collection control apparatus according to claim 8, wherein the history information collection control unit excludes the related operation history from the collection target when the related operation history is no longer related to the collection-target operation history.
10. The information collection control apparatus according to claim 8 or 9, wherein the collection-target operation history includes an operation history indicating that the terminal has a security risk.
11. The information collection control apparatus according to any one of claims 8 to 10, wherein the history information collection control unit controls the execution of the collection process by the history information collection unit based on received information received from the server.
12. The information collection control apparatus according to any one of claims 8 to 11, wherein the history information collection control unit is located in a protected area that is more secure than a normal area.
13. The information collection control apparatus according to any one of claims 1 to 12, wherein the transmission control unit transmits the history information to the server when the amount of history information collected by the history information collection unit has become equal to or greater than a predetermined amount.
14. The information collection control apparatus according to any one of claims 1 to 13, wherein the transmission control unit transmits the history information to the server at predetermined time intervals.
15. The information collection control apparatus according to any one of claims 1 to 14, wherein the transmission control unit transmits the history information to the server when the history information is operation history within a predetermined time.
16. The information collection control apparatus according to any one of claims 1 to 15, wherein the transmission control unit transmits the history information to the server when the history information is a predetermined system call.
17. An information collection system including the information collection control apparatus according to any one of claims 1 to 16.
18. An information collection control method comprising: performing a collection process of collecting history information on the operation history of a program running on a terminal; and controlling the transmission timing of the history information to a server.
19. An information collection control program that causes a processor to execute: performing a collection process of collecting history information on the operation history of a program running on a terminal; and controlling the transmission timing of the history information to a server.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US18/266,754 US20240045949A1 (en) | 2020-12-23 | 2020-12-23 | Information collection control apparatus, information collection system, information collection control method, and information collection control program |
JP2022570864A JPWO2022137403A1 (ja) | 2020-12-23 | 2020-12-23 | |
PCT/JP2020/048267 WO2022137403A1 (ja) | 2020-12-23 | 2020-12-23 | Information collection control apparatus, information collection system, information collection control method, and information collection control program |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2020/048267 WO2022137403A1 (ja) | 2020-12-23 | 2020-12-23 | Information collection control apparatus, information collection system, information collection control method, and information collection control program |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022137403A1 true WO2022137403A1 (ja) | 2022-06-30 |
Family
ID=82159265
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2020/048267 WO2022137403A1 (ja) | Information collection control apparatus, information collection system, information collection control method, and information collection control program | 2020-12-23 | 2020-12-23 |
Country Status (3)
Country | Link |
---|---|
US (1) | US20240045949A1 (ja) |
JP (1) | JPWO2022137403A1 (ja) |
WO (1) | WO2022137403A1 (ja) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2010267128A (ja) * | 2009-05-15 | 2010-11-25 | Ntt Docomo Inc | Analysis system, analysis device, detection method, analysis method and program |
JP2015511047A (ja) * | 2012-03-19 | 2015-04-13 | Qualcomm Incorporated | Computing device for detecting malware |
JP2019028670A (ja) * | 2017-07-28 | 2019-02-21 | Dai Nippon Printing Co., Ltd. | Secure element, computer program, device, server and device monitoring method |
CN110119621B (zh) * | 2019-05-05 | 2020-08-21 | 网御安全技术(深圳)有限公司 | Attack defense method, system and defense device for abnormal system calls |
2020
- 2020-12-23 WO PCT/JP2020/048267 patent/WO2022137403A1/ja active Application Filing
- 2020-12-23 US US18/266,754 patent/US20240045949A1/en active Pending
- 2020-12-23 JP JP2022570864A patent/JPWO2022137403A1/ja active Pending
Also Published As
Publication number | Publication date |
---|---|
JPWO2022137403A1 (ja) | 2022-06-30 |
US20240045949A1 (en) | 2024-02-08 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 20966893; Country of ref document: EP; Kind code of ref document: A1 |
| ENP | Entry into the national phase | Ref document number: 2022570864; Country of ref document: JP; Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 18266754; Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 20966893; Country of ref document: EP; Kind code of ref document: A1 |