WO2022185576A1 - Unauthorized infringement analysis support device and unauthorized infringement analysis support method - Google Patents
- Publication number
- WO2022185576A1 (PCT/JP2021/033101)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- infringement
- text
- field
- word
- security
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/30—Information retrieval; Database structures therefor; File system structures therefor of unstructured textual data
- G06F16/35—Clustering; Classification
-
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
Definitions
- the present invention relates to an infringement analysis support device and an infringement analysis support method.
- Patent Document 1 describes a security information management device that collects security information, which is information about security, using a security dictionary that stores security-related keywords for each attribute. The device extracts keywords from reference-source security information that serves as the basis for comparing relevance with the security information, compares the extracted keywords with the keywords included in the collected security information, calculates the degree of relevance between the reference-source security information and the security information, and preferentially outputs security information with a higher degree of relevance.
- The present invention has been made in view of the above background, and its object is to provide an infringement analysis support device and an infringement analysis support method capable of classifying information related to illegal infringement according to field.
- One aspect of the present invention for solving the above-mentioned problem is an infringement analysis support device that has a processor and a memory and comprises: an input unit that receives input of a field related to illegal infringement; a keyword extraction unit that extracts, from a text relating to illegal infringement against a device communicatively connected to a predetermined network, words in the input field related to the illegal infringement; a relevance estimation unit that calculates the degree of relevance between the extracted words and the mode of illegal infringement based on the extracted words and word information on the mode of illegal infringement in the input field, and estimates that the text is a text of illegal infringement in the input field when the calculated degree of relevance is equal to or greater than a predetermined threshold; and an output unit that outputs information indicating that the text is a text of illegal infringement in the field.
- Another aspect of the present invention for solving the above-mentioned problem is an infringement analysis support method in which an information processing apparatus executes: an input process of receiving input of a field related to illegal infringement; a keyword extraction process of extracting, from a text relating to illegal infringement against a device communicatively connected to a predetermined network, words in the input field related to the illegal infringement; a relevance estimation process of calculating the degree of relevance between the extracted words and the mode of illegal infringement based on the extracted words and word information on the mode of illegal infringement in the input field, and estimating that the text is a text of illegal infringement in the input field when the calculated degree of relevance is equal to or greater than a predetermined threshold; and an output process of outputting information indicating that the text is a text of illegal infringement in the field.
- information related to illegal infringement can be classified according to the field.
- FIG. 1 is a diagram showing an example of the configuration of a fraudulent infringement analysis support system according to this embodiment.
- FIG. 2 is a diagram illustrating an example of functions of the infringement analysis support device.
- FIG. 3 is a diagram showing an example of a field-specific keyword DB.
- FIG. 4 is a diagram illustrating an example of a domain-specific attack example DB.
- FIG. 5 is a diagram showing an example of an exclusion keyword DB.
- FIG. 6 is a diagram illustrating an example of hardware included in each device.
- FIG. 7 is a sequence diagram outlining the processing performed in the infringement analysis support system.
- FIG. 8 is a sequence diagram illustrating an outline of processing performed by the infringement analysis support device.
- FIG. 9 is a flowchart illustrating an example of keyword extraction processing.
- FIG. 10 is a flow diagram illustrating an example of association degree estimation processing.
- FIG. 11 is a flowchart illustrating an example of exclusion processing.
- FIG. 12 is a diagram showing an example of a relevance information display screen displaying relevance information.
- FIG. 13 is a diagram illustrating another functional example of the infringement analysis support device.
- FIG. 1 is a diagram showing an example of the configuration of a fraudulent infringement analysis support system 10 according to this embodiment.
- The infringement analysis support system 10 includes: an input device 6 such as a keyboard, mouse, or touch panel that receives input from a user; a security information collection device 1 that acquires the security information described below from one or more IoT (Internet of Things) devices 7; a security identification information provision device 2; an infringement analysis support device 3; an impact analysis device 4 that generates information on the threat of illegal infringement (cyber attack) against each IoT device 7 based on the information received from the security identification information provision device 2 and the infringement analysis support device 3, the specification information of the IoT devices 7, and the like; and an output device 5 such as a monitor (display) that displays on a screen the information generated by the security identification information provision device 2, the infringement analysis support device 3, and the impact analysis device 4.
- the security information is information output by each IoT device 7 or information processed from that information, and is information of a plurality of sentences (hereinafter referred to as security sentences) regarding unauthorized infringement of the IoT device 7.
- the security information is, for example, information about a security attack that the IoT device 7 received via the communication network 8 or the like, or information representing security vulnerability.
- Each security document is composed of documents of various technical fields to which each IoT device belongs.
- Based on the security information (security sentences) acquired by the security information collection device 1, the security identification information provision device 2 creates information (security identification information) indicating the type of unauthorized infringement performed on the IoT device 7, according to a predetermined classification method.
- the infringement analysis support device 3 identifies security texts related to the field in which the user is in charge from each piece of security information (a plurality of security texts) acquired by the security information collection device 1, and creates information about the security texts.
- Each IoT device 7 and the security information collection device 1 are communicably connected by a wired or wireless communication network 8 such as the Internet or a LAN (Local Area Network).
- The security information collection device 1, the security identification information provision device 2, the infringement analysis support device 3, and the impact analysis device 4 are communicably connected by a wired or wireless communication network 9 such as a LAN (Local Area Network), a WAN (Wide Area Network), the Internet, or a dedicated line.
- FIG. 2 is a diagram illustrating an example of the functions of the infringement analysis support device 3.
- the infringement analysis support device 3 includes functional units of an input unit 301 , a keyword extraction unit 303 , a relevance estimation unit 304 , an exclusion processing unit 305 and an output unit 302 .
- the infringement analysis support device 3 includes databases of field-specific keyword DB 306 , field-specific attack example DB 307 , and exclusion keyword DB 308 .
- the input unit 301 accepts the input of the field that the user is in charge of through the input from the user to the input device 6 .
- the input unit 301 also acquires security information (security sentences) from the security information collection device 1 .
- Based on the field-specific keyword DB 306, the keyword extraction unit 303 extracts words in the field entered by the user (hereinafter referred to as the "user field") related to the illegal infringement from the sentences related to the illegal infringement of the IoT device 7.
- The relevance estimation unit 304 calculates the degree of relevance between the extracted words and the mode of illegal infringement, based on the extracted words and word information on the mode of illegal infringement in the user field, and if the calculated degree of relevance is equal to or greater than a predetermined threshold value, presumes that the security text is a text of illegal infringement in the field input by the user.
- The exclusion processing unit 305 determines whether each word of the field input by the user in the security text includes a predetermined word (hereinafter referred to as an exclusion keyword), and presumes that the security text is a text of infringement in the field entered by the user only if none of the words contains the exclusion keyword.
- the output unit 302 outputs information (hereinafter referred to as relevance information) indicating that the security text is a text of illegal infringement in the field entered by the user.
- FIG. 3 is a diagram showing an example of the field-specific keyword DB 306.
- The field-specific keyword DB 306 is a word database that includes a field type 3061, a class 3062 (an item (category) representing a mode of infringement) in the field, and words 3063 (keywords) belonging to the field type 3061 and the class 3062.
- The field type 3061 includes "security", which is common to all fields, and "by field" for everything else.
- The class 3062 includes classes common to all fields, such as the attack source of illegal infringement and the attack method of illegal infringement, and classes characterizing fields, such as "component", "interface", "system", and "protocol".
- The words 3063 are words related to illegal infringement common to all fields, such as "software" and "network", and words related to illegal infringement in specific fields, such as "ECU" and "wireless communication".
- FIG. 4 is a diagram showing an example of the domain-specific attack case DB 307.
- the domain-specific attack case DB 307 consists of one or a plurality of domain databases 3070 that store aspects of attack cases (infringement cases) for each domain.
- Each field database 3070 contains the following information: an attack case ID 3071 in the field, an attack source 3072 in the attack case, an attack method 3073 in the attack case, an attack target component 3074 in the attack case, and an interface 3075 used in the attack case.
- FIG. 5 is a diagram showing an example of the excluded keyword DB 308.
- the exclusion keyword DB 308 includes an exclusion keyword table 3080 for each field in which exclusion keywords are stored.
- the exclusion keyword table 3080 has information on target classes 3081 and exclusion words 3082 (exclusion keywords) in the classes.
- An exclusion keyword is, for example, a word that is not used in the field, and as an example, a word that determines that the target security text is a text in a field unrelated to the user field.
- FIG. 6 is a diagram explaining an example of hardware provided in each device (security information collection device 1, security identification information provision device 2, infringement analysis support device 3, and impact analysis device 4).
- Each device includes a processing unit 91 such as a CPU (Central Processing Unit), a memory 92 such as RAM (Random Access Memory), ROM (Read Only Memory), HDD (Hard Disk Drive), SSD (Solid State Drive), etc. and a communication device 96 such as a wireless network interface or network interface card.
- each device may have an input device 94 such as a keyboard, mouse, or touch panel, or an output device 95 such as a monitor (display).
- The functional units of these devices are implemented by executing programs stored in the memory 92 by the processing device 91 of each device. These programs may be stored in, for example, storage devices such as secondary storage devices, nonvolatile semiconductor memories, hard disk drives, and SSDs, or non-temporary data storage media readable by each node, such as IC cards, SD cards, and DVDs.
- FIG. 7 is a sequence diagram outlining the processing performed in the infringement analysis support system 10. This process is started, for example, when a user inputs a predetermined value to the input device 6.
- the input device 6 receives input from the user of information (information source) specifying a group of IoT devices 7 to be analyzed.
- the input device 6 then transmits the input information source to the security information collection device 1 (s1).
- the security information collection device 1 acquires security information (one or more security sentences) from the IoT device 7 corresponding to the information source received from the input device 6 via the communication network 5 (s3).
- the security information collection device 1 then transmits the acquired security text to the security identification information provision device 2 and the infringement analysis support device 3 (s5, s7).
- the security identification information adding device 2 creates security identification information based on the received security text, attaches the created security identification information to the security text, and transmits it to the impact analysis device 4 (s9). In addition, the security identification information adding device 2 attaches the security identification information to the security text and transmits it to the output device 5 (s11).
- the infringement analysis support device 3 creates relevance information based on the received security text, and transmits the created relevance information to the impact analysis device 4 (s13). In addition, the infringement analysis support device 3 attaches the relevance information to the security text and transmits it to the output device 5 (s15).
- Based on the information (security identification information and relevance information) received from the security identification information provision device 2 and the infringement analysis support device 3, the impact analysis device 4 creates information (impact level information) and transmits the created impact level information to the output device 5 (s17).
- the output device 5 displays the information received from the security identification information provision device 2, the infringement analysis support device 3, and the impact analysis device 4 on the screen (s19).
- FIG. 8 is a sequence diagram illustrating an overview of the processing performed by the infringement analysis support device 3.
- the input unit 301 of the infringement analysis support device 3 transmits the security text received from the security information collection device 1 to the keyword extraction unit 303 .
- the input unit 301 also transmits information on the field to which the user belongs (user field) to the relevance estimation unit 304 (s51).
- the input unit 301 acquires the user field by receiving from the input device 6 information on the field input by the user to the input device 6 .
- the keyword extraction unit 303 executes a keyword extraction process s52 for extracting each word of the received security text together with its field as a field-specific keyword, and transmits the field-specific keyword to the relevance estimation unit 304 (s53).
- The relevance estimation unit 304 refers to the field-specific attack case DB 307 and calculates, for each security text, the degree of relevance between the field-specific keywords of the security text and the mode of infringement in each field. Based on these degrees of relevance, the relevance estimation unit 304 identifies security texts related to the user field (hereinafter referred to as related security texts) (relevance estimation processing s54). The relevance estimation unit 304 transmits information on the identified related security texts to the exclusion processing unit 305 (s55).
- the exclusion processing unit 305 executes exclusion processing s56 for excluding sentences containing the exclusion keyword from the related security sentences, and transmits the excluded related security sentences to the output unit 302 (s57). After that, the output unit 302 outputs relevance information based on the related security text. The relevance information is displayed on the screen by the output device 5 or the like and presented to the user.
- FIG. 9 is a flowchart illustrating an example of the keyword extraction processing s52.
- When the keyword extraction unit 303 receives each security text from the security information collection device 1 (s71), it recognizes the words included in each received security text (s73). For example, the keyword extraction unit 303 identifies, for each security text, each word that constitutes the security text.
- the keyword extraction unit 303 identifies, for each word, the class to which the word recognized in s73 belongs (s75). For example, the keyword extraction unit 303 acquires records in which the same word 3063 as the word acquired in s73 is set from the field-specific keyword DB 306 .
- the keyword extraction unit 303 creates information (field-specific keywords) in which each word specified in s73 is associated with each class specified in s75 for each security text. This completes the field-specific keyword extraction process.
- FIG. 10 is a flow diagram illustrating an example of association degree estimation processing.
- the relevance estimation unit 304 selects one of the security sentences (s91).
- the relevance estimation unit 304 selects one field (s93). Specifically, one field database 3070 is selected from the field-specific attack case DB 307 .
- the relevance estimation unit 304 acquires the domain-specific keyword of the security text selected in s91, and also acquires the contents of the domain database 3070 of the domain-specific attack case DB 307 selected in s93 (s95).
- the degree-of-relevance estimation unit 304 calculates the degree of relevance between the acquired field-specific keyword and the mode (class) of attack cases indicated by the acquired field database 3070 (s97).
- The relevance estimation unit 304 first sets a predetermined initial value for the degree of relevance. Then, for each record (each attack case) of the field database 3070 acquired in s93, if the content of the attack source 3072 of the record is among the field-specific keywords of the "attack source" class, the relevance estimation unit 304 increments the degree of relevance for that attack case by one. Likewise, if the content of the attack technique 3073 of the record is included in the field-specific keywords acquired in s93 whose class 3062 is "attack technique", the relevance estimation unit 304 increases the degree of relevance by 1. The relevance estimation unit 304 performs the same processing for each class (mode) such as the component 3074 and the interface 3075, and repeats the above processing for all records (all attack cases) in the field database 3070.
- the degree-of-relevance estimation unit 304 determines whether there is an attack case whose degree of relevance is equal to or greater than a predetermined threshold (s99).
- Being equal to or greater than the predetermined threshold means, for example, that the degree of relevance matches the number of classes, that is, that the field-specific keywords and the classes of a certain attack case match perfectly. Note that the degree of relevance need not match the number of classes completely; it is sufficient if a certain number of classes or more match.
- If there is an attack case whose degree of relevance is equal to or greater than the predetermined threshold (s99: Y), the relevance estimation unit 304 executes the process of s101, and if there is no attack case whose degree of relevance is equal to or greater than the predetermined threshold (s99: N), the relevance estimation unit 304 executes the process of s107.
- The relevance estimation unit 304 confirms whether or not there are other fields that have not been selected in s93. If there is an unselected field (s103: Y), the processing from s93 onward is repeated. If there is no unselected field (s103: N), the relevance estimation unit 304 performs the process of s107.
- the relevance estimation unit 304 checks whether the field selected in s93 matches the user field. If the field selected in s93 matches the user field (s101: Y), the relevance estimation unit 304 executes the process of s105, and if the field selected in s93 does not match the user field (s101: N), the relevance estimation unit 304 executes the process of s107.
- the relevance estimation unit 304 creates relevant information indicating that the security text selected at s91 is related to the field selected at s93 (that is, the user field). For example, the relevance estimation unit 304 creates information in which the security text selected in s91, the user field, and the relevance calculated in s97 are associated with each other. After that, the process of s107 is performed.
- The relevance estimation unit 304 checks whether there is any other security text that has not been selected in s91. If there is a security text that has not been selected (s107: Y), the steps from s91 onward are repeated for that security text. If there is no unselected security text (s107: N), the relevance estimation process ends.
- the relevance estimation unit 304 may create, as relevance information, relevance information indicating that the security text selected in s91 is not related to the user field.
- Information combining the field information, the security text, and the degree of relevance may be included in the relevance information. This makes it possible to provide the user with information on security texts that are texts in fields other than the user field but are closely related to the user field.
- FIG. 11 is a flowchart illustrating an example of exclusion processing.
- the exclusion processing unit 305 acquires one security text related to the user field (related security text) specified by the degree-of-association estimation process (s131).
- the exclusion processing unit 305 determines whether or not there is an exclusion keyword in the words of the related security text within the same class (s133). That is, the exclusion processing unit 305 identifies the class of each word in the related security text, and determines whether or not the word in the related security text includes the same word as the excluded keyword of the class.
- the exclusion processing unit 305 identifies the class of each word in the related security text from the field-specific keyword DB 306 .
- the exclusion processing unit 305 identifies the exclusion keyword in the class from the exclusion word 3082 of the exclusion keyword table 3080 related to the user field in the exclusion keyword DB 308 .
- the exclusion processor 305 determines, for each word in the related security sentence, whether the word is the same as any of the excluded keywords in the word's class.
- the exclusion processing unit 305 performs the process of s137, and the word corresponding to the exclusion keyword is included in the words in the related security text. If not (s133: N), the exclusion processing unit 305 performs the process of s135.
- the exclusion processing unit 305 determines that the related security text acquired in s131 is not the security text of the user field, and deletes the information related to the related security text from the relevance information. After that, the process of s137 is performed. Note that the exclusion processing unit 305 may create information indicating that the related security text is not the security text of the user field, instead of deleting the information.
- The exclusion processing unit 305 determines whether or not there are other related security texts that have not been acquired in s131. If there are no other related security texts not acquired in s131 (s137: N), the exclusion process ends, and if there are other related security texts not acquired in s131 (s137: Y), the exclusion processing unit 305 repeats the processing from s131 on one of them.
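The keyword extraction (s52), relevance estimation (s54) and exclusion (s56) steps described above can be sketched as follows. This is an added example, not code from the patent: the field names "automotive" and "medical", every DB row and every sample text are constructed for illustration, and the sketch scores only the user field instead of looping over all fields as in FIG. 10.

```python
import re

CLASSES = ("attack_source", "attack_method", "component", "interface")

# Field-specific keyword DB 306 (constructed rows): word -> class.
KEYWORD_DB = {
    "remote attacker": "attack_source",
    "spoofing": "attack_method",
    "buffer overflow": "attack_method",
    "ecu": "component",
    "infusion pump": "component",
    "wireless communication": "interface",
    "bluetooth": "interface",
}

# Field-specific attack case DB 307 (constructed): one list of attack cases per field.
ATTACK_CASE_DB = {
    "automotive": [
        {"id": "A-1", "attack_source": "remote attacker", "attack_method": "spoofing",
         "component": "ecu", "interface": "wireless communication"},
    ],
    "medical": [
        {"id": "M-1", "attack_source": "remote attacker", "attack_method": "buffer overflow",
         "component": "infusion pump", "interface": "bluetooth"},
    ],
}

# Exclusion keyword DB 308 (constructed): per field, class -> words that mark a
# text as belonging to some other field.
EXCLUSION_DB = {
    "automotive": {"component": {"infusion pump"}},
    "medical": {"component": {"ecu"}},
}

# Constructed security texts.
SAMPLE_TEXTS = {
    "T1": "A remote attacker used spoofing over wireless communication to inject commands into the ECU.",
    "T2": "A remote attacker used spoofing over wireless communication against the ECU of an infusion pump.",
    "T3": "A buffer overflow in the Bluetooth stack lets a remote attacker crash the infusion pump.",
    "T4": "Spoofing over wireless communication let an insider reach the ECU.",
}


def extract_keywords(text):
    """s52: return {class: set of DB words found in the text}."""
    found = {cls: set() for cls in CLASSES}
    lowered = text.lower()
    for word, cls in KEYWORD_DB.items():
        # Word boundaries stop "ecu" from matching inside "security".
        if re.search(r"\b" + re.escape(word) + r"\b", lowered):
            found[cls].add(word)
    return found


def relevance(keywords, field):
    """s97: best score over the field's attack cases; +1 per class whose
    case value is among the text's keywords of that class."""
    best = 0
    for case in ATTACK_CASE_DB[field]:
        score = sum(1 for cls in CLASSES if case[cls] in keywords[cls])
        best = max(best, score)
    return best


def has_exclusion_keyword(keywords, field):
    """s133: does any word of the text equal an exclusion keyword of its class?"""
    table = EXCLUSION_DB.get(field, {})
    return any(keywords[cls] & table.get(cls, set()) for cls in CLASSES)


def analyze(texts, user_field, threshold=len(CLASSES)):
    """Return (related, unrelated) lists of (text id, degree of relevance).
    The default threshold is the perfect match on every class."""
    related, unrelated = [], []
    for text_id, text in texts.items():
        keywords = extract_keywords(text)
        score = relevance(keywords, user_field)
        if score >= threshold and not has_exclusion_keyword(keywords, user_field):
            related.append((text_id, score))
        else:
            unrelated.append((text_id, score))
    return related, unrelated


if __name__ == "__main__":
    for th in (4, 3):
        print(th, analyze(SAMPLE_TEXTS, "automotive", threshold=th))
```

T2 scores a perfect match against the automotive case yet is dropped by the exclusion step, and T4 only becomes related once the threshold is relaxed from four matching classes to three.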
- FIG. 12 is a diagram showing an example of a relevance information display screen 200 displaying relevance information.
- the relevance information display screen 200 displays information 201 of a field (user field) specified by the user, a list 203 of related security texts, and a list 205 of security texts that are not related security texts.
- the related security text list 203 displays information 207 (number, identifier, text itself, etc.) identifying each related security text and the degree of relevance of the related security text.
- the list 205 of security texts that are not related security texts displays information 207 (numbers, identifiers, the texts themselves, etc.) specifying those security texts and the degree of relevance of the security texts.
- the relevance information display screen 200 is displayed by the infringement analysis support device 3 or the output device 5, for example.
- FIG. 13 is a diagram explaining another functional example of the infringement analysis support device 3.
- This infringement analysis support device 3 sets a class indicating that it is an exclusion keyword.
- If a word in a security text is an exclusion keyword, the keyword extraction unit 303 associates the word with the above-mentioned class to make it a field-specific keyword, and the exclusion processing unit 305 performs the exclusion processing based on that class.
- The infringement analysis support device 3 of the present embodiment extracts words in the user field related to infringement from the security sentences related to the IoT device 7, calculates the degree of relevance between the extracted words and the words of the mode of infringement based on each word and the field-specific attack case DB 307 related to the user field, presumes that the security text is a text of infringement in the user field if the degree of relevance is greater than or equal to a predetermined threshold, and outputs information indicating that the text is an infringement text in the user field.
- The infringement analysis support device 3 can thus classify information on infringement according to field. That is, the infringement analysis support device 3 calculates the relevance between the words of the security text and the words of the mode of infringement for each field, and determines that the security text belongs to the field when the relevance is high, so the user can easily grasp the security texts in the field he or she is in charge of.
- each device or terminal of this embodiment may be provided in another device or terminal, or the functions provided by another device or terminal may be provided in the same device or terminal.
- the security sentences in this embodiment may be sentences converted from voice data, images, or other contents.
- the method of calculating the degree of association is not limited to that described in this embodiment.
- the degree of association may be calculated by multiplying not only the number of matching classes but also weighting coefficients for each class, each word, or each field.
- The infringement analysis support device 3 includes an exclusion processing unit that determines whether or not each word of the input field in the text includes a predetermined word, and presumes that the text is a text of illegal infringement in the input field only when none of the words includes the predetermined word.
- the security text is assumed to be a text of infringement in the user field. Even if the text as a whole is highly relevant, it is possible to reliably exclude security texts that do not belong to the user field due to unique keywords, thereby preventing erroneous determinations.
- the degree-of-relevance estimation unit of the infringement analysis support device 3 uses word information indicating at least one of the infringement source, infringement method, infringed parts, and communication network type related to the infringement as the infringement and when the number of matches between the extracted word and the word indicating the mode of infringement is equal to or greater than a predetermined number, the sentence is a sentence of infringement in the input field. Estimate it.
- the infringement related to the user field for the IoT device 7 security sentences can be reliably extracted.
- The infringement analysis support device 3 of the present embodiment may check each word of the input field in the sentence against a predetermined word of a field other than the input field, and presume that the sentence is an illegal infringement sentence in the input field only if none of the words contains the predetermined word.
- The security text is considered to be an infringement text in the user field only when no word of the user field in the security text contains an exclusion keyword from outside the user field.
- Security sentences outside the user field can be reliably excluded.
- Unauthorized infringement analysis support system, 6 Input device, 7 IoT device, 1 Security information collection device, 2 Security identification information provision device, 3 Infringement analysis support device, 4 Influence analysis device
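The classification flow described above (count the infringement-mode classes matched by the text's words, apply a threshold, then apply exclusion keywords from other fields), as an added Python example that is not code from the patent. The field name, word lists, weights, and threshold are constructed for illustration, and `FIELD_DB` is a hypothetical stand-in for the field-specific attack case DB 307.

```python
import re
from dataclasses import dataclass, field

# The four classes of infringement-mode words named in the description.
CLASSES = ("source", "method", "part", "network")

@dataclass
class FieldProfile:
    """Constructed stand-in for one field's entry in the attack case DB."""
    attack_words: dict        # class name -> set of infringement-mode words
    exclusion_words: set      # keywords that mark a text as another field's
    weights: dict = field(default_factory=dict)  # optional per-class weights

# Constructed sample data; the patent does not list concrete words.
FIELD_DB = {
    "automotive": FieldProfile(
        attack_words={
            "source": {"attacker", "remote"},
            "method": {"spoofing", "injection", "replay"},
            "part": {"ecu", "gateway", "infotainment"},
            "network": {"ethernet", "bluetooth"},
        },
        exclusion_words={"plc", "scada", "infusion"},
    ),
}

def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())

def relevance(text, profile):
    """Weighted count of classes that have at least one matching word."""
    words = set(tokenize(text))
    matched = [c for c in CLASSES if words & profile.attack_words.get(c, set())]
    return sum(profile.weights.get(c, 1.0) for c in matched), matched

def classify(text, user_field, threshold=3.0):
    """Return (is_infringement_text_for_field, score, reason)."""
    profile = FIELD_DB[user_field]
    score, matched = relevance(text, profile)
    if score < threshold:
        return False, score, "below threshold"
    # Exclusion step: a high score is overridden by another field's keyword.
    hits = set(tokenize(text)) & profile.exclusion_words
    if hits:
        return False, score, "excluded by " + ", ".join(sorted(hits))
    return True, score, "matched classes: " + ", ".join(matched)
```

The second return value lets an analyst see that a text excluded by a keyword still scored highly, which is the case the exclusion processing unit exists for.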
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| EP21929141.6A EP4206950B1 (en) | 2021-03-02 | 2021-09-09 | Unauthorized intrusion analysis assistance device and unauthorized intrusion analysis assistance method |
| US17/911,755 US20230126967A1 (en) | 2021-03-02 | 2021-09-09 | Unauthorized intrusion analysis support apparatus and unauthorized intrusion analysis support method |
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| JP2021032480A JP7554139B2 (ja) | 2021-03-02 | 2021-03-02 | Unauthorized intrusion analysis assistance device and unauthorized intrusion analysis assistance method |
| JP2021-032480 | 2021-03-02 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2022185576A1 (ja) | 2022-09-09 |
Family
ID=83155223
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/JP2021/033101 Ceased WO2022185576A1 (ja) | 2021-03-02 | 2021-09-09 | Unauthorized intrusion analysis assistance device and unauthorized intrusion analysis assistance method |
Country Status (4)
| Country | Link |
|---|---|
| US (1) | US20230126967A1 |
| EP (1) | EP4206950B1 |
| JP (1) | JP7554139B2 |
| WO (1) | WO2022185576A1 |
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2024041143A (ja) * | 2022-09-14 | 2024-03-27 | 株式会社日立製作所 | System and method used for training a machine learning model |
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US12499216B2 (en) * | 2021-01-28 | 2025-12-16 | Nec Corporation | Display apparatus, display system, display method, and non-transitory computer-readable medium |
| JP7733623B2 (ja) | 2022-08-24 | 2025-09-03 | 株式会社日立システムズ | Computer system and method for evaluating security measures |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
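| WO2014208427A1 (ja) | 2013-06-24 | 2014-12-31 | 日本電信電話株式会社 | Security information management system and security information management method |
| JP2015052841A (ja) * | 2013-09-05 | 2015-03-19 | 株式会社Ubic | Document analysis system, document analysis method, and document analysis program |
| JP2019049800A (ja) * | 2017-09-08 | 2019-03-28 | 日本電信電話株式会社 | Extraction device, extraction method, and extraction program |
| JP2021032480A (ja) | 2019-08-24 | 2021-03-01 | 住江織物株式会社 | Temperature control method for electric carpet |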
Family Cites Families (10)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US5983216A (en) * | 1997-09-12 | 1999-11-09 | Infoseek Corporation | Performing automated document collection and selection by providing a meta-index with meta-index values indentifying corresponding document collections |
| US20050261962A1 (en) * | 2004-05-18 | 2005-11-24 | Khai Gan Chuah | Anonymous page recognition |
| KR100862187B1 (ko) * | 2006-10-27 | 2008-10-09 | 한국전자통신연구원 | Network-based Internet worm detection apparatus and method using vulnerability analysis and attack method modeling |
| KR101303643B1 (ko) * | 2007-01-31 | 2013-09-11 | 삼성전자주식회사 | Apparatus and method for detecting intrusion code |
| IL199115A (en) * | 2009-06-03 | 2013-06-27 | Verint Systems Ltd | Systems and methods for efficiently locating keywords in communication traffic |
| US9237161B2 (en) * | 2013-12-16 | 2016-01-12 | Morphick, Inc. | Malware detection and identification |
| KR101911304B1 (ko) * | 2014-02-04 | 2018-10-24 | 가부시키가이샤 프론테오 | Document analysis system, document analysis method, and document analysis program |
| US20170244741A1 (en) * | 2016-02-19 | 2017-08-24 | Microsoft Technology Licensing, Llc | Malware Identification Using Qualitative Data |
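| CN108647299A (zh) * | 2018-05-09 | 2018-10-12 | 北京启明星辰信息安全技术有限公司 | Rare character matching method, string pattern matching method, and storage medium |
| CN109376531B (zh) * | 2018-09-28 | 2021-06-01 | 杭州电子科技大学 | Web intrusion detection method based on semantic re-encoding and feature space separation |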
2021
- 2021-03-02 JP JP2021032480A patent/JP7554139B2/ja active Active
- 2021-09-09 EP EP21929141.6A patent/EP4206950B1/en active Active
- 2021-09-09 US US17/911,755 patent/US20230126967A1/en not_active Abandoned
- 2021-09-09 WO PCT/JP2021/033101 patent/WO2022185576A1/ja not_active Ceased
Non-Patent Citations (1)
| Title |
|---|
| See also references of EP4206950A4 |
Also Published As
| Publication number | Publication date |
|---|---|
| EP4206950A1 (en) | 2023-07-05 |
| JP2022133671A (ja) | 2022-09-14 |
| JP7554139B2 (ja) | 2024-09-19 |
| US20230126967A1 (en) | 2023-04-27 |
| EP4206950A4 (en) | 2024-07-31 |
| EP4206950B1 (en) | 2025-03-26 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the EPO has been informed by WIPO that EP was designated in this application | Ref document number: 21929141; Country of ref document: EP; Kind code of ref document: A1 |
| | ENP | Entry into the national phase | Ref document number: 2021929141; Country of ref document: EP; Effective date: 20230330 |
| | NENP | Non-entry into the national phase | Ref country code: DE |