WO2022195862A1 - Analysis device, analysis system, analysis method, and analysis program - Google Patents
- Publication number: WO2022195862A1 (PCT/JP2021/011445)
- Authority: WO (WIPO, PCT)
- Prior art keywords: information, analysis, data, risk, server
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Definitions
- The present invention relates to an analysis device, an analysis system, an analysis method, and an analysis program.
- Vulnerability diagnosis is a method of comprehensively identifying the vulnerabilities inherent in a system and the absence of security functions, based on definitions of known vulnerabilities such as SQL injection and cross-site request forgery.
- Penetration testing is a method of analyzing whether an attack on a system based on an attack scenario created in advance achieves the purpose of the attack, and of assessing the feasibility of damage to the system.
- Patent Literature 1 proposes a technique for judging the validity of a device's operation based on the system call execution information of the OS executed by that device in the system to be analyzed.
- A system call is a mechanism by which a program uses resources managed by the OS, and the system call execution information of Patent Literature 1 includes the system call name, its arguments, and the like.
- In Patent Literature 1, a device whose system call execution history matches an illegal pattern is determined to have a security problem.
- Patent Literature 2 discloses a technique in which a data transmission path is generated based on program operation information describing the operation specifications of a program, and the presence or absence of a security violation in the data transmission path is verified based on whether a preset policy is satisfied. That is, Patent Literature 2 models the behavior of a program in the analysis target system as a data transmission path, and then determines whether there is a security violation in that path.
- With the technique of Patent Literature 1, the correctness of the device's operation can be determined based on the processing performed by the application running on the system. However, Patent Literature 1 cannot determine the correctness of data handling in the system, which is a security problem not caused by an attack or failure.
- In Patent Literature 2, a data transmission path is generated based on information describing the operation specifications of a program.
- Information describing program operation specifications includes security setting information and the types of nodes and arcs created on the model; it does not indicate the behavior of the program when it is actually run. Therefore, if data is exchanged through a data transmission path that was not generated from the information describing the operation specifications of the program, it is impossible to verify whether a security violation exists.
- The purpose of the present invention is to solve the above problems, and to determine whether a security risk exists based on the actual data flow in the system to be analyzed.
- To that end, the analysis device of the present invention includes a history information collection unit that collects history information on the operation history of a program operating in an analysis target system; an information addition unit that adds to the history information external information acquired from an information resource other than the information processing device executing the program; and a risk determination unit that performs a risk determination process to determine, based on preset determination conditions, whether a security risk exists in the history information to which the external information has been added.
- The analysis system of the present invention includes the information processing device that executes the program, and an analysis device having a history information collection unit that collects history information on the operation history of a program operating in an analysis target system, an information addition unit that adds to the history information external information acquired from an information resource other than the information processing device executing the program, and a risk determination unit that performs a risk determination process to determine, based on preset determination conditions, whether a security risk exists in the history information to which the external information has been added.
- The analysis method of the present invention collects history information on the operation history of a program operating in an analysis target system; adds to the history information external information obtained from an information resource other than the information processing apparatus executing the program; and performs a risk determination process to determine, based on preset determination conditions, whether a security risk exists in the history information to which the external information has been added.
- The analysis program of the present invention causes the following steps to be executed: collecting history information on the operation history of a program operating in an analysis target system; adding to the history information external information obtained from an information resource other than the information processing apparatus executing the program; and performing a risk determination process to determine, based on a predetermined determination condition, whether a security risk exists in the history information to which the external information has been added.
- FIG. 1 is a diagram illustrating an operational form of an analysis system according to the first embodiment.
- FIG. 2 is a model diagram for explaining paths of data exchanged in the authentication system according to the first embodiment.
- FIG. 3 is a block diagram showing the hardware configuration of the information processing device according to the first embodiment.
- FIG. 4 is a functional block diagram showing the functional configuration of the analysis server according to the first embodiment.
- FIG. 5 is a sequence diagram showing the flow of processing in the analysis system according to the first embodiment.
- FIG. 6A is a diagram exemplifying the structure of a history information data table according to the first embodiment.
- FIG. 6B is a diagram exemplifying the structure of an access right information data table according to the first embodiment.
- FIG. 7 is a flow chart showing the flow of data flow information generation processing in the analysis server according to the first embodiment.
- FIG. 8 is a diagram showing an example of data flow information according to the first embodiment.
- FIG. 9 is a flow chart showing the flow of risk determination processing in the analysis server according to the first embodiment.
- FIG. 10 is a diagram illustrating an example of a GUI on which determination results of risk determination processing according to the first embodiment are displayed.
- FIG. 11 is an explanatory diagram illustrating paths of data exchanged in the project management system according to the modification of the first embodiment.
- FIG. 12 is a diagram exemplifying the operation mode of the analysis system according to the second embodiment.
- FIG. 13 is a diagram illustrating an overview of an analysis target system according to the second embodiment.
- FIG. 14 is a functional block diagram showing the functional configuration of an analysis server according to the second embodiment.
- FIG. 15 is a sequence diagram showing the flow of processing in the analysis system according to the second embodiment.
- FIG. 16 is a diagram illustrating details of determination conditions according to the second embodiment.
- FIG. 17 is a sequence diagram showing the flow of risk determination processing according to the second embodiment.
- FIG. 18 is a diagram illustrating an analysis system according to the third embodiment.
- FIG. 19 is a diagram illustrating the configuration of an analyzer according to the third embodiment.
- A technique has been proposed for determining the correctness of a device's operation based on the system call execution information of the OS executed by the device in the system to be analyzed.
- A system call is a mechanism by which a program uses resources managed by the OS, and system call execution information includes the system call name, its arguments, and the like. This technique determines that a device whose system call execution history matches an illegal pattern has a security problem.
- A technique has also been disclosed that generates a data transmission path based on program operation information describing the operation specifications of the program, and verifies whether a security violation exists in the data transmission path based on whether it matches a preset policy.
- This technique models the behavior of a program in the analysis target system as a data transmission path, and determines whether a security violation exists in that path.
- Information describing program operation specifications includes security setting information and the types of nodes and arcs created on the model; it does not indicate the behavior of the program when it is actually run. Therefore, if data is exchanged through a data transmission path that was not generated from the information describing the operation specifications of the program, it is impossible to verify whether a security violation exists. On the other hand, reducing the number of missed data transmission paths requires describing the operation specifications of the program in more detail.
- The purpose of this embodiment is to determine whether a security risk exists based on the actual data flow in the system to be analyzed.
- To that end, the analysis device includes a history information collection unit that collects history information on the operation history of a program operating in an analysis target system; an information addition unit that adds to the history information external information acquired from an information resource other than the information processing device executing the program; and a risk determination unit that performs a determination process to determine, based on predetermined determination conditions, whether a security risk exists in the history information to which the external information has been added.
- FIG. 1 is a diagram illustrating an operational form of an analysis system 1000 according to the first embodiment.
- The analysis system 1000 is configured by connecting an analysis server 1, a user terminal 2, an FR (Facial Recognition) client server 32, an FR server 33, and an FRDB (Facial Recognition Data Base) 34 via a network 4.
- The analysis server 1 is a server on which a program is installed that analyzes, based on information acquired from the analysis target system, whether a security risk exists in the paths of data exchanged in the analysis target system.
- The analysis target system of this embodiment corresponds to a system connected to the analysis server 1 via the network 4, such as the authentication system 3A.
- The user terminal 2 is an information processing terminal by which the operator of the analysis system 1000 operates the analysis server 1, and is realized by a PC (Personal Computer) or the like.
- The user terminal 2 has a UI (User Interface), and information can be transmitted and received between the user terminal 2 and the analysis server 1.
- The FR client server 32, the FR server 33, and the FRDB 34 correspond to host terminals included in the authentication system 3A, which provides an authentication service that authenticates users by face authentication or the like. Details of the authentication system 3A are described later.
- FIG. 2 is a model diagram for explaining the route of data exchanged in the authentication system 3A.
- The authentication system 3A is described assuming that it provides an authentication service that authenticates a user by an existing face authentication technology.
- The authentication system 3A includes a user information acquisition module 31, an FR client server 32, an FR server 33, and an FRDB 34.
- The user information acquisition module 31, the FR client server 32, the FR server 33, and the FRDB 34 are connected to each other via a network different from the network 4 (see FIG. 1).
- The user information acquisition module 31 may be, for example, an ID reader 31A capable of reading user information, including the user's facial image, from an IC chip or the like built into a card, or a camera 31B that captures the facial image of a user passing through a gate as user information.
- The user information acquired by the user information acquisition module 31 is transmitted to the FR client server 32.
- As an example of the paths of information exchanged in the authentication system 3A, the path of data including user information acquired by the ID reader 31A and the camera 31B is described.
- The data is taken to include a file "FFFF.jpg" showing the user's face image, and data files with the extensions ".config", ".log", ".tmp", ".dat", and ".dump".
- Data exchange among the user information acquisition module 31, the FR client server 32, the FR server 33, and the FRDB 34 is indicated by solid lines.
- Files accessed and generated by programs operating on the FR client server 32, the FR server 33, and the FRDB 34 are indicated by dashed lines.
- Communication by the FR server 33 and the FRDB 34 with an IP (Internet Protocol) address outside the authentication system 3A is indicated by a dashed line.
- The FR client server 32 acquires the user information read by the user information acquisition module 31 (for example, "FFFF.jpg" and various setting information related to the user).
- The FR client server 32 generates, based on the acquired user information, a data file containing a file identifier that uniquely identifies the data file.
- For example, the FR client server 32 generates data files with extensions such as ".log" or ".tmp".
- A data file with the extension ".log" corresponds to the log data of a program operating on the FR client server 32.
- The FR client server 32 also creates a temporary data file with the extension ".tmp" containing the image of "FFFF.jpg".
- The FR client server 32 reads a data file with the extension ".config".
- A data file with the extension ".config" corresponds to a setting file containing setting parameter data such as the IP address of the FR server 33, and contains a file identifier that uniquely identifies the file.
- The FR server 33 receives user information from the FR client server 32.
- The FR server 33 generates, based on the received user information, a data file containing a file identifier that uniquely identifies the data file.
- For example, the FR server 33 generates data files with extensions such as ".log" and ".dump".
- A data file with the extension ".log" corresponds to the log data of a program operating on the FR server 33.
- The FR server 33 generates a data file with the extension ".dump" indicating that the program operating on the FR server 33 has failed.
- The FR server 33 reads a data file with the extension ".config".
- A data file with the extension ".config" corresponds to a setting file containing setting parameter data such as the IP address of the FRDB 34, and contains a file identifier that uniquely identifies the file.
- The FR server 33 communicates with an SNS (Social Networking Service) implemented on an information resource designated by an IP address outside the authentication system 3A.
- The FRDB 34 receives user information from the FR server 33 and stores it.
- The FRDB 34 generates, based on the received user information, a data file containing a file identifier that uniquely identifies the data file.
- For example, the FRDB 34 generates data files with extensions such as ".log" and ".dat".
- A data file with the extension ".log" corresponds to the log data of a program operating in the FRDB 34.
- The FRDB 34 also creates a data file with the extension ".dat" containing some data.
- The FRDB 34 reads data files with the extension ".config".
- A data file with the extension ".config" corresponds to a setting file containing setting parameter data such as the storage location of data in the FRDB 34, and contains a file identifier that uniquely identifies the file.
- In this way, various data are generated and exchanged in the authentication system 3A by the operation of the programs that operate in it.
- The data generated or exchanged by the operation of the programs running on the authentication system 3A are not necessarily used for the authentication service provided by the authentication system 3A.
- Some of the data generated or exchanged in the authentication system 3A are considered to carry security risks, as described below.
- For example, data including personal information, such as user information, may be exposed to IP addresses outside the authentication system 3A, such as the SNS.
- A state in which data including personal information may be exposed to an IP address outside the authentication system 3A is undesirable from the viewpoint of security.
- A data file with the extension ".dump" is generated for cause analysis when a failure occurs in program operation during system development. Therefore, creating a data file with the extension ".dump" in the production environment of the authentication system 3A is undesirable from the viewpoint of security.
- Information on the data generated or exchanged by the operation of the programs operating in the authentication system 3A, as described above, can be obtained in the authentication system 3A as follows.
- The system calls invoked by the authentication program executed in the authentication system 3A when it uses the resources (storage medium, memory, etc.) of each host terminal are acquired, or a snapshot of the authentication system 3A is taken while the authentication program is executing.
- System calls and snapshots of the authentication system 3A are information generated by the operation of a program (here, the authentication program) operating in the authentication system 3A.
- That is, the system calls and snapshots of the authentication system 3A correspond to history information on the operation history of programs operating in the authentication system 3A.
- Hereinafter, the system calls and snapshots of the system to be analyzed, such as the authentication system 3A, are referred to as "history information".
- The analysis server 1 acquires history information from the authentication system 3A and analyzes whether a security risk exists in the paths of data exchanged in the authentication system 3A.
- FIG. 3 is a block diagram showing the hardware configuration of the information processing device.
- A CPU (Central Processing Unit) 11, a RAM (Random Access Memory) 12, a ROM (Read Only Memory) 13, a storage medium 14, and an interface (I/F) 15 are interconnected via a bus 16. An input unit 17, a display unit 18, and the network 4 are connected to the I/F 15.
- The CPU 11 is computing means and controls the operation of the entire information processing device.
- The RAM 12 is a volatile storage medium from which information can be read and written at high speed, and is used as a working area when the CPU 11 processes information.
- The ROM 13 is a read-only non-volatile storage medium and stores programs such as firmware.
- The storage medium 14 is a readable/writable non-volatile storage medium such as an HDD (Hard Disk Drive), and stores an OS (Operating System), various control programs, application programs, and the like.
- The I/F 15 connects and controls the bus 16 and various hardware and networks.
- The input unit 17 is an input device, such as a keyboard and a mouse, by which the user inputs information to the information processing device.
- The display unit 18 is a display device, such as an LCD (Liquid Crystal Display), on which the user checks the state of the information processing device. Since the analysis server 1 operates based on information input from the user terminal 2, the input unit 17 and the display unit 18 may be omitted.
- The CPU 11 of the analysis server 1 performs calculations according to programs stored in the ROM 13 of the analysis server 1 and programs loaded from the storage medium 14 into the RAM 12 of the analysis server 1, thereby configuring the software control unit of the analysis server 1.
- A functional block that implements the functions of the controller 100 (see FIGS. 4 and 14) of the analysis server 1 is configured by combining the software control unit configured as described above with hardware.
- FIG. 4 is a functional block diagram showing the functional configuration of the analysis server 1.
- analysis server 1 includes controller 100 and network I/F 101 .
- the controller 100 manages acquisition of history information from the analysis target system, generation of data flow information indicating data paths in the analysis target system, security risk analysis based on the data flow information, and the like.
- the controller 100 is configured by installing a dedicated software program in an information processing device such as the analysis server 1 .
- This software program corresponds to the analysis program of this embodiment.
- the main control unit 110 controls the controller 100 as a whole. Therefore, when implementing each function of the controller 100 described above, the main control unit 110 gives an instruction to each unit of the controller 100 to cause it to execute a process.
- the transmission/reception unit 120 exchanges information with the system to be analyzed via the network I/F 101 .
- the transmission/reception unit 120 executes, for example, establishment of communication with the analysis target system, reception of information output from the analysis target system to the analysis server 1, and the like.
- the transmission/reception unit 120 receives information collected by the agents 131A, 131B, and 131C in the analysis target system and so-called history information such as snapshots of the analysis target system.
- the history information collection control unit 130 controls execution of collection processing by agents 131A, 131B, and 131C that execute collection processing for collecting history information in the analysis target system.
- the agents 131A, 131B, and 131C are stored in the agent storage unit 131.
- the history information collection control unit 130 controls the start and end of history information collection processing by the installed agents 131A, 131B, and 131C.
- An agent in this embodiment is a software module installed in a host terminal included in the system to be analyzed.
- the history information collection control unit 130 may be controlled so that the agent can execute collection processing.
- the agent may be designed so that it is automatically uninstalled from the host terminal included in the system to be analyzed after the collected history information is transmitted to the analysis server 1 . A specific procedure of collection processing by the agent will be described later.
- the history information collected by the agents 131A, 131B, and 131C in the analysis target system is transmitted to the transmission/reception unit 120 via the network I/F 101.
- the main control unit 110 stores the history information received by the transmission/reception unit 120 in the received information DB (Data Base) 150 in association with scenarios 141A, 141B, and 141C described later. Further, the main control unit 110 stores the access right information in the reception information DB 150 when the access right information described later has been acquired.
- DB Data Base
- the scenario selection control unit 140 selects a scenario, which is information describing a plurality of predetermined processes, as the process to be executed by the system to be analyzed. Specifically, scenario selection control section 140 selects one of scenarios 141A, 141B, and 141C stored in scenario storage section 141 based on information received from user terminal 2 .
- the scenario selection control unit 140 may call a test code created for the purpose of verifying the operation of the analysis target system from an external device connected to the analysis server 1.
- the test code created for the purpose of verifying the operation of the authentication system 3A corresponds to the scenario.
- the scenario 141A includes "processing for transferring user information received by the FR client server 32 to the FR server 33" and “processing for performing user authentication in the FR server 33 for user information received from the FR client server 32". , “processing for storing and managing user information of a user authenticated by the FR server 33 in the FRDB 34", etc. are described.
- the scenario 141B includes "processing for the FR server 33 to refer to the user information stored in the FRDB 34", "processing for transferring the user information received by the FR client server 32 to the FR server 33", and "processing for the FR server 33". It is assumed that a process of performing user authentication based on the user information received from the client server 32 and the user information referred to the FRDB 34 and the like are described.
- the scenario selection control unit 140 may generate a scenario 141C based on information designating the results of processes that can be executed by the system to be analyzed.
- Information designating the result of processing that can be executed by the system to be analyzed is transmitted from the user terminal 2 to the analysis server 1 based on the operation of the user terminal 2 by the operator 5 (see FIG. 5).
- the scenario execution control unit 160 causes the analysis target system to execute the scenario selected by the scenario selection control unit 140.
- the scenario execution control unit 160 may also cause the analysis target system to execute the scenario by calling, as the scenario, test code created for the purpose of verifying the operation of the analysis target system from an external device connected to the analysis server 1.
- the scenario execution control unit 160 causes the analysis target system to start executing the plurality of processes described in the scenario after the agent installed in the system to be analyzed has started the collection processing, and terminates the collection processing by the agent after the system to be analyzed has finished executing those processes. Starting collection before the scenario and stopping it afterwards ensures that every operation the scenario causes falls inside the collection window. That is, the scenario execution control unit 160 functions as the processing execution control unit of this embodiment.
- the access right information acquisition unit 210 acquires, based on the history information, access right information of the files exchanged in the analysis target system. For example, when the authentication system 3A is caused to execute the scenario 141A, the access right information acquisition unit 210 acquires information on the access rights of the files accessed during that execution (hereinafter referred to as "access right information") based on the history information and the like.
- the access right information may be obtained by an agent installed in the analysis target system.
- the data flow generation unit 170 executes data flow information generation processing for generating data flow information indicating the route of data exchanged in the analysis target system. That is, the data flow generation unit 170 corresponds to the generation unit of this embodiment. The data flow generation unit 170 also includes a first extraction unit 171 and a second extraction unit 172.
- the first extraction unit 171 extracts paths containing predetermined attribute information from the data flow information.
- the predetermined attribute information corresponds to information indicating attributes of nodes and edges of the data flow graph.
- a path containing predetermined attribute information corresponds to a subgraph included in the data flow graph and containing predetermined attribute information.
- a path containing predetermined attribute information extracted by the first extraction unit 171 corresponds to the first path of the present embodiment.
- the second extraction unit 172 first divides the data flow information into multiple paths.
- the data flow information is a data flow graph represented by a graph structure.
- the second extraction unit 172 divides the data flow graph into a plurality of subgraphs based on a predetermined index (for example, an index representing network centrality, such as betweenness centrality). The second extraction unit 172 then selects and extracts the longest subgraph from among the plurality of subgraphs. Note that the second extraction unit 172 may instead select and extract the subgraph containing the largest number of nodes or hosts. In this way, the second extraction unit 172 divides the data flow information into a plurality of paths and then extracts from them the longest path, or the path including the largest number of nodes or hosts. The path extracted from the data flow information by the second extraction unit 172 corresponds to the second path of this embodiment. The flow of the data flow information generation processing will be described later.
- the risk determination unit 180 executes risk determination processing for determining whether or not there is a security risk in the data flow information based on the determination conditions stored in the condition DB (Data Base) 181. A specific procedure of the risk determination processing will be described later.
- the condition DB 181 is a database that stores determination conditions including at least one of the following information.
- the determination conditions stored in the condition DB 181 include at least one of: information on attributes of the nodes and edges of the graph indicating data paths, information on access rights to the nodes, and information on operations performed on the information resources included in the nodes. A determination condition may be created based on system vulnerability information (for example, CWE: Common Weakness Enumeration).
- the determination conditions stored in the condition DB 181 may include information indicating risk indicators employed in existing security risk evaluation methods such as CVSS (Common Vulnerability Scoring System) and DREAD.
- a UI (User Interface) control unit 190 controls the UI displayed on the user terminal 2, such as by controlling the UI displayed on the user terminal 2 to reflect the result of the risk determination process.
- the user terminal 2 corresponds to a display device that displays the result of the risk determination process, and the UI control unit 190 functions as a display control unit that causes the user terminal 2 to display the result of the risk determination process.
- the UI control unit 190 may cause the user terminal 2 to display a UI for designating the results of processes that can be executed by the system to be analyzed.
- the analysis server 1 of the present embodiment acquires history information from the analysis target system and analyzes whether there is a security risk in the route of data exchanged in the analysis target system.
- FIG. 5 is a sequence diagram showing the flow of processing in the analysis system 1000.
- FIG. 6A is a diagram exemplifying the structure of the history information data table 151 stored in the received information DB 150.
- FIG. 6B is a diagram exemplifying the structure of the access right information data table 152 stored in the reception information DB 150.
- FIG. 7 is a flow chart showing the flow of data flow information generation processing in the analysis server 1.
- FIG. 8 is a diagram showing an example of data flow information in this embodiment.
- FIG. 9 is a flowchart showing the flow of risk determination processing in the analysis server 1.
- FIG. 10 is a diagram showing an example of the GUI 300 displaying the determination result of the risk determination process in this embodiment.
- step S101 the user terminal 2 transmits to the analysis server 1 information indicating the start of security risk analysis of the authentication system 3A.
- step S102 the analysis server 1 (history information collection control unit 130) instructs installation of the agents 131A, 131B, and 131C that execute collection processing for collecting history information.
- the analysis server 1 instructs each of the three host terminals included in the authentication system 3A to install agents 131A, 131B, and 131C.
- the FR client server 32, FR server 33, and FRDB 34 are included in the authentication system 3A as host terminals.
- the analysis server 1 instructs the FR client server 32 to install the agent 131A, the FR server 33 to install the agent 131B, and the FRDB 34 to install the agent 131C.
- the FR client server 32, the FR server 33, and the FRDB 34 may be referred to as "the host terminal of the authentication system 3A", and the agents 131A, 131B, and 131C as "agents", unless they need to be distinguished.
- the host terminal of the authentication system 3A installs an agent in step S103.
- the host terminal of the authentication system 3A transmits completion notification information indicating that the installation of the agent has been completed to the analysis server 1 in step S104.
- the host terminal of the authentication system 3A is ready to start the collection process.
- the analysis server 1 (main control unit 110) starts history information acquisition processing in step S105.
- the history information collection control unit 130 transmits a collection process start instruction to the host terminal of the authentication system 3A.
- an instruction to start collection processing is transmitted from the analysis server 1 to the host terminal of the authentication system 3A in which the agent is installed.
- step S107 the agent starts the history information collection process in the host terminal of the authentication system 3A in which the agent is installed.
- the operator 5 operates the user terminal 2 to select a scenario (for example, scenario 141A) to be executed by the authentication system 3A.
- the user terminal 2 transmits to the analysis server 1 scenario selection information indicating that the scenario 141A has been selected. Note that if a scenario is selected together with an operation to start security risk analysis on the user terminal 2, step S101 and step S108 may be performed together.
- the transmission/reception unit 120 receives the scenario selection information transmitted from the user terminal 2 at step S108.
- scenario selection information designates scenario 141A as the scenario to be executed.
- Scenario selection control unit 140 selects scenario 141A from the scenarios stored in scenario storage unit 141 based on the scenario selection information in step S110.
- the scenario selection control unit 140 transmits a scenario execution instruction designating the scenario 141A as the scenario to be executed to the host terminal of the authentication system 3A together with the scenario 141A.
- the host terminal of the authentication system 3A executes the processes described in the scenario specified by the scenario execution instruction. That is, in step S112, the authentication system 3A executes the "processing for transferring user information received by the FR client server 32 to the FR server 33", the "processing for performing user authentication in the FR server 33 on the user information received from the FR client server 32", the "processing for storing and managing in the FRDB 34 the user information of the user authenticated in the FR server 33", and the like, as described in the scenario 141A.
- after executing the processes according to the scenario 141A, the host terminal of the authentication system 3A transmits the history information collected by the agent to the analysis server 1 in step S113.
- step S114 the transmitting/receiving section 120 receives the history information transmitted from the host terminal of the authentication system 3A in step S113, and transfers it to the main control section 110.
- step S115 main control unit 110 causes received information DB 150 to store the history information in association with the information of scenario 141A.
- after receiving and storing the history information in step S115, the analysis server 1 (main control unit 110) transmits a collection processing end instruction in step S116 to the host terminal of the authentication system 3A in which the agent is installed.
- the host terminal of the authentication system 3A that has received the collection processing end instruction from the analysis server 1 ends the history information collection processing by the agent in step S117. Further, the analysis server 1 ends the history information acquisition process by transmitting the collection process end instruction.
- the analysis server 1 obtains, based on the history information, the access right information of the files accessed by the program operating in the authentication system 3A while executing the scenario. Note that the agent installed in the authentication system 3A in step S103 may instead acquire the access right information. The acquired access right information is stored in the reception information DB 150.
- FIG. 6A exemplifies, as scenario information, identifiers for identifying the scenarios 141A, 141B, 141C, ... stored in the scenario storage unit 141. Other information may be employed as scenario information.
- in row No. 4 of the history information data table 151, "Scenario: 141A", "Process name: A4", "Host terminal name: FR server", "Execution time: ", "History information: ", "Accessed file: QQQ.dump", and "File identifier: P8hVPoiw" are stored.
- the IP address of the FR client server 32, FR server 33 or FRDB 34 may be stored as the host terminal name.
- the information stored in row No. 1 of the history information data table 151 indicates that, on November 7, 2020 at XX:YY, the program operating in the authentication system 3A executed the process A1 described in the scenario 141A on the FR client server 32, performed the operation indicated by write (X.XX.XX.X.jpg), and accessed the file "X.XX.XX.X.jpg" whose file identifier is WkYI8KSH.
- the information stored in row No. 2 of the history information data table 151 indicates that, on November 7, 2020 at XX:FF, the program operating in the authentication system 3A executed the process A2 described in the scenario 141A on the FR server 33 and performed the operation indicated by read (utils.rb: 110, ...).
- the information stored in row No. 3 of the history information data table 151 indicates that the file "X.YY.XX.X.tmp" was generated, and thereby accessed.
- the information stored in row No. 4 of the history information data table 151 indicates that the program operating in the authentication system 3A executed the process A4 described in the scenario 141A and accessed the file "QQQ.dump".
- FIG. 6B shows the access right information for each of the files "X.XX.XX.X.jpg", "X.YY.XX.X.tmp", and "QQQ.dump".
- the access right information data table 152 shown in FIG. 6B exemplifies the structure of access right information in a UNIX (registered trademark) OS. The access right information data table 152 stored in the reception information DB 150 may therefore have a data structure other than that shown in FIG. 6B, for example when the analysis target system runs a different OS.
- the file identifier is used to associate the access right information stored in the access right information data table 152 with the information stored in the history information data table 151.
- for example, row No. 1 of the access right information data table 152 stores "file identifier: WkYI8KSH", and the information corresponding to "file identifier: WkYI8KSH" in the history information data table 151 is stored in its row No. 1. That is, the access right information in row No. 1 of the access right information data table 152 indicates the access authority of the file "X.XX.XX.X.jpg" accessed in the operation write (X.XX.XX.X.jpg), which the FR client server 32 performed on November 7, 2020 at XX:YY when the program operating in the authentication system 3A executed the process A1 described in the scenario 141A.
- the analysis server 1 acquires the access right information of the file identified by the file identifier stored in the history information data table 151. The same applies when the agent installed in the authentication system 3A in step S103 acquires the access right information.
- in the access permissions by class, read, write, and execute permissions are set for each user class. For example, assume that the string stored as the access permissions by class associated with the file "file name: K2" is "rwxrw-r--". Each class occupies three characters of the string, in the order user, group, other, and a "-" means the corresponding authority is withheld. In this case, the permission setting of the user class grants read, write, and execute authority to the file "file name: K2", the permission setting of the group class grants read and write authority, and the permission setting of the other class grants only read authority.
- this access right information indicates that the owner of the file "file name: X.XX.XX.X.jpg" is user X, and that the permission settings of the user class apply to user X.
- this access right information also indicates that, for the file "file name: X.XX.XX.X.jpg", the permission settings of the group class apply to members of group XX, and the permission settings of the other class apply to users who are not members of group XX.
- the "access permissions by class: rw-rw-r--" associated with the file "file name: X.XX.XX.X.jpg" grants read and write authority in the user class permission setting for that file.
- user X is therefore granted read and write authority, the user class permissions, for "file name: X.XX.XX.X.jpg".
- members of group XX are granted read and write authority, the group class permissions, for "file name: X.XX.XX.X.jpg".
- users who are not members of group XX are granted only read authority, the other class permission, for "file name: X.XX.XX.X.jpg".
- the access right information data table 152 stores the access right information set in the files accessed by the programs operating in the authentication system 3A.
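The following Python example, added here and not part of the patent, shows how the history information data table and the access right information data table can be joined through the file identifier, and how a nine-character class permission string such as "rwxrw-r--" is decomposed into per-class authorities. The record layouts mirror the columns described for FIG. 6A and FIG. 6B; the rows themselves are constructed (the file names and the identifiers WkYI8KSH and P8hVPoiw are the ones quoted above, everything else is made up), and the "weak restriction" criterion used here, that the other class can read or write the file, is an assumption rather than a condition quoted from the page.

```python
"""Parse class access permission strings and join history records with
access right records through the file identifier.

Added example, not code from the patent. The two record types follow the
columns described for FIG. 6A and FIG. 6B; the sample rows are constructed.
"""

CLASSES = ("user", "group", "other")


def parse_mode(mode):
    """Split "rwxrw-r--" into {"user": {...}, "group": {...}, "other": {...}}."""
    if len(mode) != 9:
        raise ValueError(f"expected 9 characters, got {mode!r}")
    perms = {}
    for i, cls in enumerate(CLASSES):
        triple = mode[3 * i:3 * i + 3]
        granted = set()
        for ch, expect, name in zip(triple, "rwx", ("read", "write", "execute")):
            if ch == expect:
                granted.add(name)
            elif ch != "-":
                raise ValueError(f"unexpected {ch!r} in {mode!r}")
        perms[cls] = granted
    return perms


def join_by_file_id(history, rights):
    """Pair each history row with the access right row carrying the same
    file identifier; None when no access rights were recorded for it."""
    by_id = {r["file_id"]: r for r in rights}
    return [(h, by_id.get(h["file_id"])) for h in history]


def weak_restrictions(history, rights):
    """Assumed judgment condition: files on the data path that the other
    class (neither owner nor group) may read or write."""
    findings = []
    for h, r in join_by_file_id(history, rights):
        if r is None:
            findings.append((h["accessed_file"], "no access right information"))
            continue
        other = parse_mode(r["mode"])["other"]
        if "write" in other:
            findings.append((r["file_name"], "writable by other class"))
        elif "read" in other:
            findings.append((r["file_name"], "readable by other class"))
    return findings


HISTORY = [  # rows in the layout of FIG. 6A (constructed)
    {"scenario": "141A", "process": "A1", "host": "FR client server",
     "operation": "write(X.XX.XX.X.jpg)", "accessed_file": "X.XX.XX.X.jpg", "file_id": "WkYI8KSH"},
    {"scenario": "141A", "process": "A3", "host": "FR server",
     "operation": "write(X.YY.XX.X.tmp)", "accessed_file": "X.YY.XX.X.tmp", "file_id": "Tm9xQ2Lr"},
    {"scenario": "141A", "process": "A4", "host": "FR server",
     "operation": "write(QQQ.dump)", "accessed_file": "QQQ.dump", "file_id": "P8hVPoiw"},
]
RIGHTS = [  # rows in the layout of FIG. 6B (constructed)
    {"file_id": "WkYI8KSH", "file_name": "X.XX.XX.X.jpg", "owner": "X", "group": "XX", "mode": "rw-rw-r--"},
    {"file_id": "Tm9xQ2Lr", "file_name": "X.YY.XX.X.tmp", "owner": "X", "group": "XX", "mode": "rw-rw-rw-"},
    {"file_id": "P8hVPoiw", "file_name": "QQQ.dump", "owner": "X", "group": "XX", "mode": "rw-rw----"},
]

if __name__ == "__main__":
    for name, reason in weak_restrictions(HISTORY, RIGHTS):
        print(f"{name}: {reason}")
```

A history row whose identifier has no counterpart in the access right table is reported rather than silently skipped; in practice that usually means the agent observed a file that no longer existed when the rights were collected, which is itself worth a look.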
- the agent is uninstalled in step S119 in the host terminal of the authentication system 3A.
- step S120 the analysis server 1 (data flow generation unit 170) executes data flow information generation processing.
- the data flow information generation process generates data flow information indicating the route of data exchanged in the system to be analyzed. Details of the data flow information generation process will be described later.
- step S121 the analysis server (risk determination unit 180) executes risk determination processing based on the data flow information and transmits the determination result to the user terminal 2.
- in the risk determination processing, it is determined, based on the determination conditions stored in the condition DB 181, whether or not there is a security risk in the data path indicated by the data flow information. The details of the risk determination processing will be described later.
- upon receiving the determination result of the risk determination processing, the user terminal 2 displays it in step S122.
- the UI control unit 190 of the analysis server 1 displays the determination result of the risk determination process on the user terminal 2 as a GUI (Graphical User Interface).
- the operator 5 can confirm whether or not there is a security risk in the data path from the determination result of the risk determination processing displayed on the user terminal 2.
- security risk analysis is performed according to the procedure shown in FIG. 5.
- the scenario execution control unit 160 causes the analysis target system to execute the scenario. Furthermore, after the scenario execution control unit 160 terminates execution of the scenario to be executed by the system to be analyzed, the history information collection control unit 130 terminates the history information collection processing by the agent.
- FIG. 8 shows subgraphs extracted by the extraction processing by the first extraction unit 171 and the second extraction unit 172 as an example of data flow information.
- the main control unit 110 causes the data flow generation unit 170 to execute data flow information generation processing based on the information stored in the reception information DB 150.
- the data flow generation unit 170 generates data flow information based on the information stored in the reception information DB 150, such as the history information data table 151 and the access right information data table 152 (see FIGS. 6A and 6B).
- the data flow information generated by the data flow generation unit 170 corresponds to information such as a graph (see FIG. 8) indicating the route of data exchanged in the system to be analyzed.
- the information stored in the history information data table 151 is associated with the access right information stored in the access right information data table 152 by the file identifier.
- the data flow generation unit 170 may generate data flow information including the access right information corresponding to the file identifiers included in the history information data table 151.
- the data flow generation unit 170 first refers to the access right information data table 152 to acquire the access right information of the data file corresponding to each file identifier included in the history information data table 151.
- the data flow generation unit 170 then generates data flow information by associating the access right information acquired from the access right information data table 152 with the data file.
- alternatively, the data flow generation unit 170 may generate data flow information including information designating the access right information for the data files corresponding to the file identifiers included in the history information data table 151.
- in that case, the data flow generation unit 170 generates data flow information including a path that designates, among the access right information included in the access right information data table 152, the access right information corresponding to the file identifier included in the history information data table 151.
- the first extraction unit 171 or the second extraction unit 172 executes extraction processing for extracting a predetermined path in step S22.
- the first extraction unit 171 extracts paths containing predetermined attribute information from the data flow information as subgraphs.
- the second extraction unit 172 extracts a path of a predetermined length from the data flow information as a subgraph.
- the analysis server 1 may store the data flow information generated by the data flow generation unit 170.
- FIG. 8 shows a data flow graph, which is an example of data flow information generated by the data flow generation unit 170.
- the data flow graph shown in FIG. 8 is information represented by a set of nodes, including information resources such as the files F1 to F4, and edges connecting two or more different nodes.
- the data of "FFFF.jpg” in FIG. 2 are contained in files F2 and F4.
- a file F2 containing data "FFFF.jpg” is generated.
- the file F4 including the data of "FFFF.jpg” is read in the process P4.
- information (data flow information) corresponding to the data path is generated based on the history when the program is actually run in the system to be analyzed.
- the first extraction unit 171 extracts a flow of data related to the selected data. This makes it easier for the operator 5 to visually recognize the route of the data.
- since the first extraction unit 171 or the second extraction unit 172 extracts the flow of data highly relevant to the data selected by the operator 5, the operator 5 does not need to look at data of low relevance to the selected data. Therefore, the operator 5 can easily recognize the flow of data when the program is actually run in the system to be analyzed.
- FIG. 9 corresponds to the process performed in step S121 of FIG.
- the main control unit 110 causes the risk determination unit 180 to execute risk determination processing based on the data flow information generated by the data flow generation unit 170.
- the risk determination unit 180 refers to the data flow information generated by the data flow generation unit 170 in step S31.
- the data flow information referred to by the risk determination unit 180 also includes the paths (subgraphs, when the data flow information is a data flow graph) extracted from the data flow information by the extraction processing of the first extraction unit 171 and the second extraction unit 172.
- the risk determination unit 180 determines whether or not the data flow information referred to in step S31 includes a path that matches the determination conditions stored in the condition DB 181.
- the condition DB 181 stores determination conditions containing at least one of: information on the attributes of the nodes and edges of the graph indicating the path of data, information on the access authority to the nodes, and information on the operations performed on the information resources included in the nodes.
- the determination condition may be created based on system vulnerability information (for example, CWE: Common Weakness Enumeration).
- the condition DB 181 may include information indicating risk indicators employed in CVSS, DREAD, and the like.
- for example, a determination condition for judging that there is a risk when a file with the extension ".tmp" is not deleted, and a determination condition for judging that there is a risk when the access restriction on a file is weak, may be stored in the condition DB 181.
- the condition DB 181 may store a determination condition for determining that there is a risk when the communication protocol is not encrypted.
- when the data flow information contains information designating access right information rather than the access right information itself, the risk determination unit 180 may execute the risk determination processing after obtaining from the access right information data table 152 the access right information corresponding to that designating information.
- in step S33, if the data flow information includes a path that matches a determination condition stored in the condition DB 181 (S32/Y), the risk determination unit 180 determines that the data path indicated by the data flow information poses a security risk.
- in step S34, if the data flow information does not include any path that matches the determination conditions stored in the condition DB 181 (S32/N), the risk determination unit 180 determines that the data path indicated by the data flow information poses no security risk.
- step S35 the risk determination unit 180 transfers the determination result of step S33 or step S34 to the main control unit 110, and ends this process.
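As an added example (not the patent's own code), the following Python sketch carries the processing of <2.4.> and FIG. 9 end to end: it builds a data flow graph from agent history records, performs the two extractions (a subgraph selected by an attribute, here the data name "FFFF.jpg", and the longest path, used in place of the centrality-based division mentioned above), and then applies three judgment conditions corresponding to the findings shown in FIG. 10: a ".tmp" file that is written but never unlinked, a transfer over a protocol outside an assumed set of encrypted ones, and a file whose other class has write authority. The record fields, the node and edge conventions, and the sample records are all assumptions; the records are constructed, with file names taken from the description above.

```python
"""Data flow information generation, path extraction and risk determination.

Added example, not code from the patent. Record layout, graph conventions,
the three judgment conditions and the sample records are assumptions
modeled on the description of FIG. 8 to FIG. 10; records are constructed.
"""

ENCRYPTED = {"https", "tls", "ssh"}  # assumed: protocols treated as encrypted


def build_graph(records):
    """Nodes are processes ("host:process") and files ("host:file"); edges
    carry the operation. read: file -> process; write/unlink: process -> file;
    send: process -> remote process, annotated with the protocol."""
    nodes, edges = {}, []
    for r in records:
        proc = f"{r['host']}:{r['process']}"
        nodes.setdefault(proc, {"kind": "process"})
        if r["op"] == "send":
            peer = f"{r['to_host']}:{r['to_process']}"
            nodes.setdefault(peer, {"kind": "process"})
            edges.append((proc, peer, {"op": "send", "protocol": r["protocol"],
                                       "data": r.get("data")}))
            continue
        fid = f"{r['host']}:{r['file']}"
        attrs = nodes.setdefault(fid, {"kind": "file", "name": r["file"]})
        attrs.update({k: r[k] for k in ("data", "mode") if k in r})
        edges.append((fid, proc, {"op": "read"}) if r["op"] == "read"
                     else (proc, fid, {"op": r["op"]}))
    return {"nodes": nodes, "edges": edges}


def extract_by_attribute(g, key, value):
    """First extraction: indices of edges whose own attributes or whose
    endpoint nodes carry key == value (for example data == "FFFF.jpg")."""
    n = g["nodes"]
    return [i for i, (s, d, a) in enumerate(g["edges"])
            if value in (a.get(key), n[s].get(key), n[d].get(key))]


def longest_path(g):
    """Second extraction: the simple path with the most nodes. Exhaustive
    DFS, adequate for the small graph a single scenario produces."""
    succ = {}
    for s, d, _ in g["edges"]:
        succ.setdefault(s, []).append(d)
    best = []

    def dfs(path):
        nonlocal best
        if len(path) > len(best):
            best = list(path)
        for nxt in succ.get(path[-1], []):
            if nxt not in path:
                dfs(path + [nxt])

    for start in g["nodes"]:
        dfs([start])
    return best


# Judgment conditions; each returns (condition name, location) findings.
def residual_tmp(g):
    out = []
    for nid, a in g["nodes"].items():
        if a["kind"] == "file" and a["name"].endswith(".tmp"):
            ops = {e[2]["op"] for e in g["edges"] if e[1] == nid}
            if "write" in ops and "unlink" not in ops:
                out.append(("residual temporary file", nid))
    return out


def unencrypted_transfer(g):
    return [("unencrypted communication", f"{s}->{d}") for s, d, a in g["edges"]
            if a["op"] == "send" and a["protocol"] not in ENCRYPTED]


def weak_access_restriction(g):
    # index 7 of "rwxrwxrwx" is the write bit of the other class
    return [("weak access restriction", nid) for nid, a in g["nodes"].items()
            if a["kind"] == "file" and a.get("mode", "---------")[7] == "w"]


CONDITION_DB = [residual_tmp, unencrypted_transfer, weak_access_restriction]


def determine_risk(g, conditions=CONDITION_DB):
    """S32 to S34: an empty list means no path matched any condition."""
    return [f for cond in conditions for f in cond(g)]


# Constructed records in the spirit of FIG. 6A; file names follow the text.
RECORDS = [
    {"host": "FR client server", "process": "P1", "op": "write",
     "file": "X.XX.XX.X.jpg", "data": "FFFF.jpg", "mode": "rw-rw-r--"},
    {"host": "FR client server", "process": "P1", "op": "send", "to_host": "FR server",
     "to_process": "P2", "protocol": "http", "data": "FFFF.jpg"},
    {"host": "FR server", "process": "P2", "op": "write",
     "file": "X.YY.XX.X.tmp", "data": "FFFF.jpg", "mode": "rw-rw-rw-"},
    {"host": "FR server", "process": "P3", "op": "read", "file": "X.YY.XX.X.tmp"},
    {"host": "FR server", "process": "P3", "op": "write", "file": "QQQ.dump",
     "mode": "rw-rw----"},
    {"host": "FR server", "process": "P3", "op": "send", "to_host": "FRDB",
     "to_process": "P4", "protocol": "tls"},
]

if __name__ == "__main__":
    graph = build_graph(RECORDS)
    print("FFFF.jpg edges:", extract_by_attribute(graph, "data", "FFFF.jpg"))
    print("longest path:", " -> ".join(longest_path(graph)))
    for name, where in determine_risk(graph):
        print(f"{name}: {where}")
```

Each condition is a plain function over the graph, so the condition DB can grow without touching the determination loop, and every finding names the node or edge it matched, which is what the graph panel needs in order to highlight the risky part of the path.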
- the main control unit 110 passes the determination result received from the risk determination unit 180 to the UI control unit 190. Based on the determination result received from the main control unit 110, the UI control unit 190 generates information for displaying a GUI 300 as shown in FIG.
- FIG. 10 exemplifies a GUI 300 including a graph panel 310 displaying a data flow graph together with information for recognizing the route of data determined to be at risk as a determination result of risk determination processing by the risk determination unit 180.
- in the example of FIG. 10, the communication protocol used when sending information from the FR client server 32 to the FR server 33 was not encrypted.
- the risk determination unit 180 determines that there is a risk of information leakage in the data path between the FR client server 32 and the FR server 33 .
- the user terminal 2 displays the GUI 300 including the warning display C1.
- when the risk determination unit 180 determines that there is a risk of a residual temporary file, the user terminal 2 displays the GUI 300 including the caution display C2.
- when the risk determination unit 180 determines that there is a risk associated with a weak access restriction, the user terminal 2 displays the GUI 300 including the warning display C3.
- GUI 300 may include a risk assessment panel 320 and a navigation panel 330 in which the determination result of the risk determination process is displayed as character information.
- the column of the warning display C1 shows the determination result for the risk of information leakage, the column of the caution display C2 shows the determination result for the risk of residual temporary files, and the column of the warning display C3 shows the determination result for the risk associated with a weak access restriction, each as character information.
- the warning display C3 on the graph panel 310 may be emphasized.
- the navigation panel 330 includes a sort button 331 with which the operator 5 can specify and search for any process or information such as a file (for example, "file read/write"), and path specification buttons 332 and 333 for displaying the result of extracting, from the data flow information, paths containing the specified file.
- history information related to the operation history of a program operating in the analysis target system is acquired, and data flow information indicating the route of data exchanged in the analysis target system is generated. It is then determined, based on preset determination conditions, whether or not there is a security risk in the data path indicated by the data flow information. Therefore, in this embodiment, information about the behavior of the program when it is actually run can be acquired comprehensively, and it can be determined whether there is a security risk in the data path, such as incorrect handling of data.
- the processing to be executed by the system to be analyzed is specified in advance as a scenario, and the system to be analyzed is made to execute processing according to the scenario. Therefore, it is possible to reduce the amount of data collected for risk determination processing and determine what kind of risk there is when executing specific processing in the system to be analyzed.
- the operator can specify any process or file to display the judgment result of the risk judgment process.
- it is possible to easily identify a portion determined to have a risk in the path of data exchanged in the system to be analyzed. Therefore, it becomes easier to correct the portion determined to have a risk, and it is possible to further reduce the security risk of the system to be analyzed.
- FIG. 11 is an explanatory diagram exemplifying the paths of data exchanged in the project management system 3B.
- FIG. 11 it is assumed that the progress management of the project related to the user corresponding to the user information 350 is performed.
- image conversion processing 351 for generating thumbnail images based on the user information 350 and task management processing 352 are performed according to the scenario 141C (see FIG. 4). It is assumed that the analysis server 1 communicates with the project management system 3B and receives history information from it.
- the project management system 3B includes a project management server 35 and a project management DB (Data Base) 36. It is also assumed that the project management server 35 and the project management DB 36 are connected to the analysis server 1 via the network 4, respectively. Furthermore, the project management server 35 and the project management DB 36 correspond to host terminals included in the project management system 3B.
- the scenario selection control unit 140 may generate a scenario 141C in which "processing for receiving user information", "processing for generating a thumbnail image from the received user information", "processing for executing task management of a project related to the user specified by the user information", and the like are described in order, and store it in the scenario storage unit 141.
- the project management server 35 starts image conversion processing 351 and task management processing 352 .
- image conversion process 351 a process of converting the image "FFFF.jpg" included in the user information 350 into a thumbnail image is executed.
- the analysis server 1 receives and stores history information such as "read (user/xxx/files/2020/.../FFFF.jpg)", ..., "(sh) execve (convert)", ..., "rw (user/xxx/files/2020/.../FFFF.thumb)", .... Then, as described in <2.4.> above, the analysis server 1 generates the data flow information for the execution of the image conversion processing 351 and executes the risk determination processing on the generated data flow information.
- an event information acquisition task 353, a notification setting task 354, and other tasks 355 are executed as subtasks.
- the event information acquisition task 353 is a task for acquiring from the project management DB 36 various types of event information such as project meetings and deadlines related to the user corresponding to the user information 350 .
- the notification setting task 354 is a task for setting to notify the terminal of the user corresponding to the user information 350 of the information related to the project managed by the task management processing 352 .
- the event information acquisition task 353, the notification setting task 354, and the other tasks 355 are executed by accessing information resources in the project management server 35 that differ from those used by the image conversion processing 351. Therefore, as in <2.4.>, the analysis server 1 generates the data flow information when the task management processing 352 is executed, and executes the risk determination processing for the generated data flow information.
- the GUI 300 may display the determination result of the risk determination process related to the task management process 352 for each event information acquisition task 353 , notification setting task 354 and other tasks 355 .
- the presence or absence of a security risk is determined based on history information such as system calls and snapshots acquired from the analysis target system.
- various information published on the Internet can be used to identify properties of the data paths in the system to be analyzed, such as whether a path passes a firewall or uses protected communication. In some cases, the functions, logical configuration, and geographical relationship of the data route can be inferred from such information.
- FIG. 12 is a diagram illustrating an operational form of the analysis system 2000.
- an analysis system 2000 is configured by connecting an analysis server 1 , user terminals 2 , and an analysis target system 6 via a network 4 .
- the analysis server 1 determines whether there is a security risk based on the information acquired from the analysis target system 6.
- the analysis server 1 of this embodiment corresponds to an example of an analysis device.
- the user terminal 2 is an information processing terminal for the operator of the analysis system 2000 to operate the analysis server 1 .
- the analysis target system 6 corresponds to, for example, a system that provides office solutions using a server device, a cloud, an on-site data center, or the like.
- FIG. 13 is a diagram illustrating an overview of the analysis target system 6.
- the analysis target system 6 is a system provided across a demilitarized zone 5A (DeMilitarized Zone, hereinafter sometimes referred to as "DMZ"), a first subnet 5C, and a second subnet 5D.
- the DMZ 5A is an intermediate network separated from the Internet 5B by a firewall (FW) 51.
- a host terminal in the DMZ 5A can access the Internet 5B.
- a remote base 55 such as a data center located in a geographically remote location
- a wireless communication system 56 that realizes communication from mobile terminals 56B and 56C to the Internet 5B by a wireless base station 56A
- a certificate authority 57 (Certificate Authority, hereinafter sometimes referred to as "CA") that issues public key certificates used for encryption
- a cloud 58 that provides computer resources via the Internet 5B.
- a host terminal in the DMZ 5A accesses a remote site 55, a certificate authority 57, a cloud 58, etc. via the Internet 5B.
- the host terminal in the DMZ 5A can acquire data exchanged in the wireless communication system 56 via the Internet 5B.
- the Internet access 59 is, for example, a network technology service such as a VPN (Virtual Private Network), and realizes a secure connection from a client terminal owned by an individual to the Internet 5B.
- the WEB client 60 is a service that enables access to specific information resources via the Internet 5B by connecting to the Internet 5B from a WEB browser installed in a client terminal owned by an individual.
- a remote desktop web client is known as the web client 60.
- the DMZ 5A includes host devices such as an anti-fraud server 511 equipped with an Intrusion Detection System (IDS) that detects unauthorized intrusions into the DMZ 5A, an Intrusion Prevention System (IPS) that prevents unauthorized intrusions into the DMZ 5A, and a function for the web browsers on client terminals within the DMZ 5A; a Web server 512 that provides HTML and object display; an FTP server 513 that sends and receives files; and a DNS server 514 that provides a Domain Name System (DNS).
- the DMZ 5A of this embodiment corresponds to a so-called multistage firewall type DMZ in which the FW 51 is provided at the boundary between the Internet 5B and the DMZ 5A, and the FW 52 is provided at the boundary between the DMZ 5A and the first subnet 5C and the second subnet 5D.
- the first subnet 5C and the second subnet 5D are connected to the DMZ 5A via the L3 switch 53.
- the first subnet 5C corresponds to an in-house network for providing wireless LAN.
- the second subnet 5D corresponds to the intranet of the company on which the first subnet 5C is provided and has multiple VLANs and segments.
- the FW 52 permits access from the first subnet 5C and the second subnet 5D to the DMZ 5A, but prohibits access from the DMZ 5A to the first subnet 5C and the second subnet 5D. That is, while the host terminals in the first subnet 5C and the second subnet 5D can access the DMZ 5A, the host terminal in the DMZ 5A cannot access the first subnet 5C or the second subnet 5D.
- the analysis target system 6 protects the first subnet 5C and the second subnet 5D as internal networks by means of the DMZ 5A even when the host terminal in the DMZ 5A is attacked from the Internet 5B, while enabling the host terminal in the DMZ 5A to provide services to the Internet 5B.
- the host terminal in DMZ 5A accesses remote site 55, certificate authority 57, cloud 58, etc. via Internet 5B. Also, the host terminal in the DMZ 5A acquires data exchanged in the wireless communication system 56 via the Internet 5B.
- information for inferring the functional and logical configuration of the data path and the geographical relationship of the data path is added to the history information as external information, and it is then determined whether there is a security risk in the path of the data.
- FIG. 14 is a functional block diagram showing the functional configuration of the analysis server 1 according to this embodiment.
- the same components as those of the analysis server 1 according to the first embodiment are denoted by the same reference numerals, and redundant description may be omitted.
- the controller 100 of the analysis server 1 includes a reception information DB 150, a data flow generation unit 170, a risk determination unit 180, a condition DB 181, a history information collection unit 220, and an information addition unit 230.
- the controller 100 also includes the other elements described with reference to FIG. (the acquisition unit 210, etc.).
- the received information DB 150 is a storage area for storing information collected by the agents 131D, 131E, and 131F and information received from the analysis target system 6.
- based on the history information collected by the history information collection unit 220, the data flow generation unit 170 performs a data flow graph generation process for generating a data flow graph indicating the route of data exchanged by the system 6 to be analyzed.
- the risk determination unit 180 performs risk determination processing to determine whether or not there is a security risk in the analysis target system 6 based on the determination conditions stored in the condition DB 181 . A specific procedure of the risk determination process will be described later.
- the history information collection unit 220 installs the agents 131D, 131E, and 131F stored in the agent storage unit 131 on the host terminals included in the analysis target system 6, and collects the operation history of the programs executed in the host terminals as history information.
- the agents 131D, 131E, and 131F are installed in different host terminals, and transmit system calls and the like of the installed host terminals to the analysis server 1 as history information.
- the history information collecting unit 220 may collect information obtained by taking a snapshot of the analysis target system 6 as history information.
- the information addition unit 230 acquires external information from information resources other than the host terminal from which the history information is collected, and adds it to the history information.
- the external information of this embodiment is, for example, when the agents 131D, 131E, and 131F are installed in the host terminals in the DMZ 5A (see FIG. 13), information obtained from the Internet 5B, the first subnet 5C, and the second subnet 5D, and information acquired from the host terminals of the DMZ 5A, the L3 switch 53, routers, etc. in which the agents 131D, 131E, and 131F are not installed.
- when the operation history of the program executed by the DNS server 514 of the DMZ 5A is collected as history information, for example, a public database published on the Internet 5B, an Active Directory (registered trademark) implemented in the cloud 58, the remote base 55, the wireless communication system 56, the host terminals in the first subnet 5C and the second subnet 5D, the host terminals of the DMZ 5A in which the agents 131D, 131E, and 131F are not installed, the L3 switch 53, routers, etc. correspond to information resources other than the information processing device that executes the program whose history information is to be collected. Data transmitted from these information resources to the analysis server 1 is an example of external information.
- the information addition unit 230 acquires information not defined in the scenario 141 as external information, and may add it to the history information.
- the analysis server 1 of this embodiment adds external information to the history information acquired from the analysis target system, and analyzes whether there is a security risk in the analysis target system.
- FIG. 15 is a sequence diagram showing the flow of processing in the analysis system 2000.
- FIG. 16 is a diagram illustrating details of determination conditions stored in the condition DB 181.
- FIG. 17 is a flowchart showing the flow of risk determination processing.
- step S201 the history information collection unit 220 installs agents 131D, 131E, and 131F that execute collection processing for collecting history information in the host terminal included in the system 6 to be analyzed.
- the explanation is continued on the assumption that the history information collecting unit 220 has installed the agent 131D, the agent 131E, and the agent 131F in the Web server 512, the FTP server 513, and the DNS server 514, respectively, which are host terminals included in the DMZ 5A.
- the host terminals within the DMZ 5A in which the agents 131D, 131E, and 131F are installed may hereinafter be referred to simply as "agents".
- the historical information is collected by the agent.
- the agent collects, at the host terminal where it is installed, the results of communication probing such as ping and traceroute, packet monitoring information at the host terminal, information on the OS and applications of the host terminal, and the like.
- Such history information can be obtained from system calls in the host terminal within the DMZ 5A and snapshot information of the host terminal within the DMZ 5A.
- the operator of the analysis server 1 may operate the user terminal 2 to select a scenario to be executed by the analysis target system 6 .
- the host terminal in the DMZ 5A transmits the history information collected by the agent to the analysis server 1, and ends the collection process.
- the history information transmitted from the host terminal in the DMZ 5A to the analysis server 1 is stored in the reception information DB 150 in step S203.
- the analysis server 1 may acquire the access right information of the files accessed by the program operating in the analysis target system 6 based on the history information and store it in the received information DB 150 .
- step S204 the data flow generation unit 170 executes data flow generation processing based on the information stored in the received information DB 150.
- the data flow graph generated by the data flow generation unit 170 corresponds to information that represents the path of the data exchanged by the system to be analyzed as a set of nodes, each containing an information body such as a file, and edges, each connecting two different nodes (see FIG. 8).
- the data flow generation unit 170 may generate the data flow graph so as to include access right information corresponding to the file identifier included in the history information. In addition to these, the data flow generation unit 170 may generate the data flow graph so as to include information designating access right information for the data file corresponding to the file identifier included in the history information. The data flow generator 170 may also perform an extraction process of extracting a predetermined path from the data flow graph.
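The following is an added example, not code from the patent, of how the history entries quoted above ("read (...)", "(sh) execve (convert)", "rw (...)") can be turned into a data flow graph of file and process nodes with directed edges, how access-right information is attached to file nodes, and how a predetermined path is extracted. The history lines, the access-right strings, and the assumption that unprefixed calls belong to the shell are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed history lines in the form quoted above (without the "..." elisions).
SAMPLE_HISTORY = [
    "read (user/xxx/files/2020/FFFF.jpg)",
    "(sh) execve (convert)",
    "rw (user/xxx/files/2020/FFFF.thumb)",
]

# Constructed access-right information keyed by file identifier (hypothetical mode strings).
SAMPLE_ACCESS_RIGHTS = {
    "user/xxx/files/2020/FFFF.jpg": "rw-r-----",
    "user/xxx/files/2020/FFFF.thumb": "rw-rw-rw-",
}

# Matches "(proc) op (arg)" or "op (arg)".
ENTRY_RE = re.compile(r"^(?:\((?P<proc>[^)]+)\)\s*)?(?P<op>\w+)\s*\((?P<arg>[^)]*)\)$")


@dataclass
class DataFlowGraph:
    nodes: dict = field(default_factory=dict)  # node id -> attributes (kind, access)
    edges: list = field(default_factory=list)  # (source, destination, operation)

    def add_node(self, node_id, **attrs):
        self.nodes.setdefault(node_id, {}).update(attrs)


def build_data_flow_graph(history, access_rights, initial_process="sh"):
    """Nodes are files and processes; an edge points in the direction data moves."""
    g = DataFlowGraph()
    current = initial_process  # assumption: calls without a "(proc)" prefix come from the shell
    g.add_node(current, kind="process")
    for line in history:
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # entries not in the expected form are ignored
        if m.group("proc"):
            current = m.group("proc")
            g.add_node(current, kind="process")
        op, arg = m.group("op"), m.group("arg")
        if op == "execve":
            # the calling process image is replaced; later calls belong to the new program
            g.add_node(arg, kind="process")
            g.edges.append((current, arg, "execve"))
            current = arg
        elif op in ("read", "rw", "write"):
            g.add_node(arg, kind="file", access=access_rights.get(arg))
            if op in ("read", "rw"):
                g.edges.append((arg, current, "read"))   # file -> process
            if op in ("rw", "write"):
                g.edges.append((current, arg, "write"))  # process -> file
    return g


def extract_paths(g, start, end):
    """Extraction process: every simple path from start to end in the graph."""
    found = []

    def walk(node, path):
        if node == end:
            found.append(list(path))
            return
        for src, dst, _ in g.edges:
            if src == node and dst not in path:
                path.append(dst)
                walk(dst, path)
                path.pop()

    walk(start, [start])
    return found


def files_writable_by_others(g):
    """File nodes whose access-right string grants write to 'others' (last triplet)."""
    return sorted(n for n, a in g.nodes.items()
                  if a.get("kind") == "file" and a.get("access") and a["access"][-2] == "w")
```

With the sample history the graph contains the nodes sh, convert, FFFF.jpg and FFFF.thumb, and the single extracted path from the input image to the thumbnail runs through the shell and the convert process; the access-right attribute on the thumbnail node is what a determination condition about file permissions would later inspect.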
- information (data flow graph) corresponding to the data path is generated based on the operation history of the program when the program is actually operated in the system 6 to be analyzed.
- in step S205, the information addition unit 230 acquires external information to be added to the data flow graph from the analysis target system 6.
- the information addition unit 230 acquires external information from information resources other than the host terminal from which history information is collected.
- the external information that the information addition unit 230 acquires includes, for example, information published on the Internet 5B: geographical information indicating geographical elements of data paths, such as domain names and subnet names; logical information identifying logical elements; and functional information such as application version information and data such as security patches.
- step S206 the information addition unit 230 adds the external information acquired from the analysis target system 6 to the data flow graph.
- history information expressed as a data flow graph is thus expanded with various information from which off-site servers, the functions of data paths, and their logical configurations can be inferred.
- step S207 the risk determination unit 180 executes risk determination processing based on the data flow graph to which the external information is added, and transmits the determination result to the user terminal 2.
- in the risk determination process, it is determined, based on the determination conditions stored in the condition DB 181, whether or not there is a security risk in the data path indicated by the data flow information. Details of the risk determination process will be described later.
- upon receiving the determination result of the risk determination process, the user terminal 2 displays the determination result of the risk determination process in step S208.
- a screen including the determination result of the risk determination process is displayed on the user terminal 2 .
- the operator of the analysis system 2000 can confirm whether or not there is a security risk in the route of data exchanged by the analysis system 2000 from the judgment result of the risk judgment process displayed on the user terminal 2 .
- this process corresponds to the process performed in step S207 of FIG.
- FIG. 16 is a diagram showing an example of determination conditions stored in the condition DB 181.
- the determination conditions 1811, 1812, and 1813 stored in the condition DB 181 each contain at least one of geographical elements related to data routes, logical elements representing the logical configuration related to data routes, and functional elements related to the functions of data routes.
- the judgment condition 1811 is a judgment condition for judging whether or not "information that should not be lost is designed to be backed up at a remote location".
- the judgment condition 1811 includes geographical elements and functional elements.
- the judgment condition 1811 includes, as a geographical element, a condition for judging whether or not the backup destination is a remote location. Further, the determination condition 1811 includes, as a functional element, a condition for determining whether or not there is a backup function.
- based on the geographical elements included in the determination condition 1811, the risk determination unit 180 can determine whether the backup destination in the data path indicated by the data flow graph is remote, using the conditions "DNS, GeoLite geographic information", "XX ms or more in ping", and "YY hops or more in traceroute".
- GeoLite is a service for estimating an area from an IP address provided by MaxMind (registered trademark).
- a service other than GeoLite provided on the Internet 5B may be used as the service for estimating the area from the IP address.
- based on the functional elements included in the determination condition 1811, the risk determination unit 180 can determine whether the data path indicated by the data flow graph has a backup function, using the conditions "inferred from the data flow graph" and "Rsync port number: 873".
- the determination condition 1812 is a determination condition for determining whether or not "the communication path is designed to be protected when it is necessary to connect to a remote system or device".
- the determination condition 1812 includes, as a geographical element, a condition for determining whether the location is remote.
- the determination condition 1812 includes, as functional elements, a condition for determining whether or not there is a communication relationship and a condition for determining whether or not the communication path is protected by IPsec, VPN, or the like.
- based on the geographical elements included in the determination condition 1811, the risk determination unit 180 can determine whether the path of the data indicated by the data flow graph is remote, using the conditions "DNS, GeoLite geographic information", "ZZ ms or more in ping", and "WW hops or more in traceroute". Also, from the functional elements included in the determination condition 1812, the risk determination unit 180 determines whether there is a communication relationship based on the condition "data flow graph and packet monitoring". In addition, from the functional elements included in the determination condition 1812, the risk determination unit 180 can determine whether or not the communication path in the data path indicated by the data flow graph is protected by IPsec, VPN, or the like, based on the conditions "communication encryption processing inferred from the data flow graph", "OS setting", and "IPsec port number: 50".
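The ping and traceroute conditions of the geographical elements in determination conditions 1811 and 1812 require the collected probing results to be reduced to an average round-trip time and a hop count. The following is an added example, not code from the patent, that parses constructed Linux-style ping and traceroute output (documentation address ranges, no real network) and evaluates the "XX ms or more" and "YY hops or more" conditions against placeholder thresholds; the rule that both conditions must hold for a destination to count as remote is an assumption of the example, and the DNS/GeoLite lookup is not covered.

```python
import re
from statistics import mean

# Constructed ping/traceroute outputs, not captured from a real network.
PING_REMOTE = """PING backup.example (203.0.113.10) 56(84) bytes of data.
64 bytes from 203.0.113.10: icmp_seq=1 ttl=52 time=181 ms
64 bytes from 203.0.113.10: icmp_seq=2 ttl=52 time=183 ms
64 bytes from 203.0.113.10: icmp_seq=3 ttl=52 time=179 ms
"""
TRACEROUTE_REMOTE = """traceroute to backup.example (203.0.113.10), 30 hops max, 60 byte packets
 1  gw.example (192.0.2.1)  0.412 ms  0.380 ms  0.401 ms
 2  192.0.2.254 (192.0.2.254)  1.210 ms  1.105 ms  1.302 ms
 3  198.51.100.1 (198.51.100.1)  8.7 ms  8.9 ms  8.6 ms
 4  * * *
14  backup.example (203.0.113.10)  181.0 ms  182.3 ms  180.7 ms
"""
PING_LOCAL = """PING fs.example (192.0.2.20) 56(84) bytes of data.
64 bytes from 192.0.2.20: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 192.0.2.20: icmp_seq=2 ttl=64 time=0.398 ms
"""
TRACEROUTE_LOCAL = """traceroute to fs.example (192.0.2.20), 30 hops max, 60 byte packets
 1  gw.example (192.0.2.1)  0.412 ms  0.380 ms  0.401 ms
 2  fs.example (192.0.2.20)  0.455 ms  0.430 ms  0.442 ms
"""

PING_TIME_RE = re.compile(r"\btime=(?P<ms>[0-9.]+) ms")
HOP_RE = re.compile(r"^\s*(?P<hop>\d+)\s")  # hop lines start with the hop number


def ping_avg_ms(ping_output):
    """Average round-trip time over all echo replies in the output."""
    times = [float(m.group("ms")) for m in PING_TIME_RE.finditer(ping_output)]
    if not times:
        raise ValueError("no echo replies in ping output")
    return mean(times)


def traceroute_hops(traceroute_output):
    """Highest hop number printed (unanswered '* * *' hops still count)."""
    hops = [int(m.group("hop")) for line in traceroute_output.splitlines()
            if (m := HOP_RE.match(line))]
    return max(hops) if hops else 0


def geographical_element(ping_output, traceroute_output, ms_threshold, hop_threshold):
    """Evaluate 'XX ms or more in ping' and 'YY hops or more in traceroute'."""
    ms = ping_avg_ms(ping_output)
    hops = traceroute_hops(traceroute_output)
    result = {"ping_ms": ms, "hops": hops,
              "ping": ms >= ms_threshold, "traceroute": hops >= hop_threshold}
    result["remote"] = result["ping"] and result["traceroute"]  # assumption: both must hold
    return result
```

The thresholds are deliberately parameters: the patent leaves XX/YY (and ZZ/WW for condition 1812) as values chosen per deployment, and a site where latency is low but the hop count is high, or the reverse, will be classified differently depending on whether the two conditions are combined with AND or OR.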
- the determination condition 1813 is a determination condition for determining whether or not "a server installed in the DMZ is prepared for each major function".
- the determination condition 1813 includes, as logical elements, a condition for determining whether or not it is a subnet, a condition for determining whether or not it is connected to the Internet, and a condition for determining whether or not a separate server is used for each main function. Also, the determination condition 1813 includes, as functional elements, a condition for determining whether or not there is a firewall (FW) between it and other subnets, and a condition for determining whether or not main functions such as Web, DNS, and FTP are present.
- from the logical elements included in the determination condition 1813, the risk determination unit 180 can determine whether the data route indicated by the data flow graph is a subnet based on the conditions "DNS" and "router setting information"; whether it is connected to the Internet based on the conditions "traceroute" and "router and FW settings"; and whether a separate server is used for each main function based on the condition "OS information such as host name and ID".
- from the functional elements included in the determination condition 1813, the risk determination unit 180 can determine whether there is an FW between the data path indicated by the data flow graph and other subnets, and whether main functions such as Web, DNS, and FTP are present in the data path indicated by the data flow graph.
- the determination conditions 1811, 1812, and 1813 are stored in the condition DB 181 as algorithms in which the conditions shown in FIG. 16 are described as parameters.
- the determination conditions 1811, 1812, and 1813 illustrated in FIG. 16 are only examples of determination conditions stored in the condition DB 181.
- any condition that includes at least one of a geographical element related to the data route, a logical element indicating the logical configuration related to the data route, and a functional element related to the function of the data route can be used as a determination condition in the risk determination process.
- the determination conditions stored in the condition DB 181 may be constructed by the operator of the analysis system 2000 .
- the operator of the analysis system 2000 constructs a determination condition so as to include at least one of geographical elements, logical elements, and functional elements, which makes it possible to determine security risks in the path of the data exchanged by the analysis target system 6.
- the risk determination unit 180 executes risk determination processing on the data flow graph to which external information is added based on the determination conditions stored in the condition DB 181. Next, the flow of risk determination processing will be described with reference to FIG.
- the risk determination unit 180 refers from the reception information DB 150 to a first graph and a second graph; the second graph shows that, "as information about the server provided in the DMZ 5A, it is specified by traceroute that it is connected to the Internet 5B, that there is an FW 51 between ..., and that there is an FW 52 between ...". These are explained as an example. It is also assumed that the risk determination unit 180 applies the determination condition 1811 to the first graph and the determination condition 1813 to the second graph to perform risk determination processing.
- in step S41, the risk determination unit 180 refers to the data flow graph to which the external information is added from the reception information DB 150. Subsequently, in step S42, the risk determination unit 180 determines whether or not the data flow graph referred to in step S41 includes a path that does not satisfy the geographical elements of the determination conditions stored in the condition DB 181. Note that step S42 may be omitted if the determination condition does not include a geographical element.
- if the data flow graph referred to in step S41 includes a path that does not satisfy the geographical element of the determination condition stored in the condition DB 181 (step S42/Y), the risk determination unit 180 determines in step S43 that the data flow graph referred to in step S41 has a geographical element risk. Subsequently, the risk determination unit 180 proceeds to step S45.
- if the data flow graph referred to in step S41 does not include a path that does not satisfy the geographical element of the determination condition stored in the condition DB 181 (step S42/N), the risk determination unit 180 determines in step S44 that there is no geographical element risk in the data flow graph referred to in step S41. Subsequently, the risk determination unit 180 proceeds to step S45.
- the first graph is a data flow graph that "shows that a backup is stored in a host terminal located at a remote site 55 located in an area more than 2000 km away". However, the first graph does not include paths that indicate that the remote site 55 is "more than XX ms on ping" and "more than YY hops on traceroute”. In such a case, the risk determination unit 180 determines that there is a risk of geographical elements included in the determination condition 1811 in the first graph (step S43), and proceeds to step S45.
- step S45 the risk determination unit 180 determines whether the data flow graph referred to in step S41 includes a path that does not satisfy the logical elements of the determination conditions stored in the condition DB 181. Note that step S45 may be omitted if the determination condition does not include a logical element.
- if the data flow graph referred to in step S41 includes a path that does not satisfy the logical elements of the determination conditions stored in the condition DB 181 (step S45/Y), the risk determination unit 180 determines in step S46 that there is a logical element risk in the data flow graph referred to in step S41. Subsequently, the risk determination unit 180 proceeds to step S48.
- if the data flow graph referred to in step S41 does not include a path that does not satisfy the logical elements of the determination conditions stored in the condition DB 181 (step S45/N), the risk determination unit 180 determines in step S47 that there is no logical element risk in the data flow graph referred to in step S41. Subsequently, the risk determination unit 180 proceeds to step S48.
- the second graph is a path that satisfies the logical elements included in the determination condition 1813, namely the condition for determining whether or not it is a subnet, the condition for determining whether or not it is connected to the Internet, and the condition for determining whether or not a separate server is used for each main function.
- the risk determination unit 180 determines that there is no risk of the logical elements included in the determination condition 1813 in the second graph (step S47), and proceeds to step S48.
- step S48 the risk determination unit 180 determines whether the data flow graph referred to in step S41 includes a path that does not satisfy the functional elements of the determination conditions stored in the condition DB 181. Note that step S48 may be omitted if the determination condition does not include a functional element.
- if the data flow graph referred to in step S41 includes a path that does not satisfy the functional elements of the determination conditions stored in the condition DB 181 (step S48/Y), the risk determination unit 180 determines in step S49 that there is a functional element risk in the data flow graph referred to in step S41. Subsequently, the risk determination unit 180 proceeds to step S51.
- if the data flow graph referred to in step S41 does not include a path that does not satisfy the functional elements of the determination conditions stored in the condition DB 181 (step S48/N), the risk determination unit 180 determines in step S50 that there is no functional element risk in the data flow graph referred to in step S41. Subsequently, the risk determination unit 180 proceeds to step S51.
- the first graph is a "data flow graph” indicating that a backup is stored in a host terminal located at a remote site 55 located over 2000 km away.
- the first graph does not satisfy the functional element "Rsync port number: 873" included in the determination condition 1811. That is, since the first graph includes a path that does not satisfy the functional elements of the determination condition 1811, the risk determination unit 180 determines that the first graph has a risk with respect to the functional elements of the determination condition 1811 (step S49), and proceeds to step S51.
- the second graph is a data flow graph containing "information indicating that, as information about the server provided in the DMZ 5A, there is an FW 51 between it and the Internet 5B and an FW 52 between it and the L3 switch 53, and that an anti-fraud server 511, a Web server 512, an FTP server 513, and a DNS server 514 exist in the DMZ 5A".
- the second graph is a path that satisfies the functional elements included in the determination condition 1813, namely the condition for determining whether or not there is a firewall (FW) between it and other subnets and the condition for determining whether or not main functions such as Web, DNS, and FTP are present.
- the risk determination unit 180 determines that the second graph does not include a path that does not satisfy the functional element of the determination condition 1813 (step S50), and proceeds to step S51.
- step S51 the risk determination unit 180 outputs the result of the risk determination process to the user terminal 2.
- a determination result indicating that there is no security risk in the data path indicated by the second graph is output.
- a determination result is output indicating that the data path indicated by the first graph has a risk of a geographical element and a functional element.
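The following is an added example, not code from the patent, of the risk determination flow of steps S41 to S51 run over the first and second graphs described above. A data flow graph is represented as a list of path attribute dicts to which external information has already been added; determination conditions 1811 and 1813 are encoded as lists of predicates per element class (geographical, logical, functional), an element class with no predicates is skipped as the text allows, and the XX ms / YY hop thresholds are constructed placeholders. Both sample graphs are constructed to match the worked example in the text.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

Path = Dict[str, object]
Predicate = Callable[[Path], bool]

PING_MS_THRESHOLD = 100         # placeholder for "XX ms" in determination condition 1811
TRACEROUTE_HOP_THRESHOLD = 10   # placeholder for "YY hops" in determination condition 1811


@dataclass
class DeterminationCondition:
    name: str
    geographical: List[Predicate] = field(default_factory=list)
    logical: List[Predicate] = field(default_factory=list)
    functional: List[Predicate] = field(default_factory=list)


def _num(value) -> float:
    # a path with no measurement (no external information) never satisfies a threshold
    return float(value) if isinstance(value, (int, float)) else float("-inf")


# 1811: information that should not be lost is backed up at a remote location.
CONDITION_1811 = DeterminationCondition(
    name="1811 remote backup",
    geographical=[
        lambda p: bool(p.get("geo_remote")),                                   # DNS / GeoLite
        lambda p: _num(p.get("ping_ms")) >= PING_MS_THRESHOLD,                 # XX ms or more in ping
        lambda p: _num(p.get("traceroute_hops")) >= TRACEROUTE_HOP_THRESHOLD,  # YY hops or more
    ],
    functional=[
        lambda p: p.get("function") == "backup",     # backup function inferred from the graph
        lambda p: 873 in p.get("ports", set()),       # Rsync port number 873
    ],
)

# 1813: a server installed in the DMZ is prepared for each major function.
CONDITION_1813 = DeterminationCondition(
    name="1813 DMZ server per function",
    logical=[
        lambda p: bool(p.get("is_subnet")),            # DNS, router setting information
        lambda p: bool(p.get("internet_connected")),   # traceroute, router and FW settings
        lambda p: len(set(p.get("servers", {}).values())) == len(p.get("servers", {})),  # one host per function
    ],
    functional=[
        lambda p: bool(p.get("fw_to_other_subnets")),                # FW between it and other subnets
        lambda p: {"web", "dns", "ftp"} <= set(p.get("servers", {})),  # main functions present
    ],
)


def _element_has_risk(paths: List[Path], predicates: List[Predicate]) -> Optional[bool]:
    """None: the condition has no element of this class (step omitted).
    True: some path fails some predicate (steps S42/S45/S48 answer Y)."""
    if not predicates:
        return None
    return any(not pred(path) for path in paths for pred in predicates)


def risk_determination(paths: List[Path], condition: DeterminationCondition) -> Dict[str, Optional[bool]]:
    return {
        "geographical": _element_has_risk(paths, condition.geographical),  # S42 to S44
        "logical": _element_has_risk(paths, condition.logical),            # S45 to S47
        "functional": _element_has_risk(paths, condition.functional),      # S48 to S50
    }


def format_result(result: Dict[str, Optional[bool]]) -> str:
    """Step S51: summarise which element classes carry a risk."""
    risky = [k for k, v in result.items() if v]
    if not risky:
        return "no security risk"
    return "risk of " + " and ".join(f"{k} element" for k in risky)


# Constructed first graph: backup to remote site 55 about 2000 km away, but no ping/traceroute
# information on the path and no rsync port observed.
FIRST_GRAPH: List[Path] = [{
    "function": "backup", "destination": "remote site 55", "geo_remote": True,
    "ping_ms": None, "traceroute_hops": None, "ports": {22},
}]

# Constructed second graph: DMZ 5A with FW 51 towards Internet 5B, FW 52 towards L3 switch 53,
# and separate Web, FTP and DNS servers.
SECOND_GRAPH: List[Path] = [{
    "is_subnet": True, "internet_connected": True,
    "fw_to_internet": "FW 51", "fw_to_other_subnets": "FW 52",
    "servers": {"web": "Web server 512", "ftp": "FTP server 513", "dns": "DNS server 514"},
}]

if __name__ == "__main__":
    for label, paths, cond in (("first graph", FIRST_GRAPH, CONDITION_1811),
                               ("second graph", SECOND_GRAPH, CONDITION_1813)):
        print(label, cond.name, format_result(risk_determination(paths, cond)))
```

Missing external information is treated as a failed condition rather than an unknown, which is what the text's first graph shows: the remote site is 2000 km away, yet because the graph carries no ping or traceroute evidence the geographical element is still judged a risk. Whether that is the right policy for a given deployment is a design choice a practitioner should make explicitly, since the opposite choice silently passes every path the collectors failed to probe.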
- history information expressed as a data flow graph is expanded with information from which off-site servers and the functions and logical configurations of data paths can be inferred, and it is then determined whether or not there is a security risk. By doing so, it is possible to comprehensively grasp the paths of data exchanged by the system to be analyzed and determine whether or not there is a security risk.
- the determination conditions used in the risk determination process contain at least one of geographical elements related to the data route, logical elements indicating the logical configuration related to the data route, and functional elements related to the function of the data route.
- the data path is classified into a geographical element, a logical element, and a functional element, and the risk determination process is performed. This makes it easier for the operator of the analysis system 2000 to recognize which element of the analysis system 2000 has a security risk.
- FIG. 18 is a diagram illustrating a schematic configuration of an analysis system 2000A according to the third embodiment. As shown in FIG. 18, the analysis system 2000A includes an analysis device 1A.
- FIG. 19 is a block diagram illustrating a schematic configuration of an analysis device 1A according to the third embodiment.
- The analysis device 1A includes a history information collection unit 220A, an information addition unit 230A, and a risk determination unit 180A.
- The history information collection unit 220A collects history information related to the operation history of programs operating in the analysis target system.
- The information addition unit 230A adds, to the history information, external information acquired from an information resource other than the information processing apparatus executing the program.
- The risk determination unit 180A performs a risk determination process that determines, based on preset determination conditions, whether or not there is a security risk in the history information to which the external information has been added.
- The analysis device 1A according to the third embodiment may perform the operation of the analysis server 1 according to the second embodiment.
- The analysis system 2000A according to the third embodiment may be configured similarly to the analysis system 2000 according to the second embodiment.
- The description of the second embodiment can also be applied to the third embodiment.
- The third embodiment is not limited to the above example.
- The steps in the processing described in this specification do not necessarily have to be executed in chronological order according to the order described in the sequence diagrams and flowcharts.
- The steps in the process may be performed in an order different from that illustrated in the sequence diagrams and flowcharts, or in parallel.
- Some of the steps in the process may be deleted, and additional steps may be added to the process.
- A device may be provided that includes the components of the analysis server 1 described in this specification (e.g., elements corresponding to the units included in the controller 100).
- A method may also be provided that includes the processing of the above components, and a program may be provided for causing a processor to execute the processing of the above components.
- A non-transitory computer-readable medium recording the program may be provided.
- Such devices, modules, methods, programs, and computer-readable non-transitory recording media are also included in the present invention.
- (Appendix 1) An analysis device comprising: a history information collection unit that collects history information about the operation history of a program operating in an analysis target system; an information addition unit that adds, to the history information, external information acquired from an information resource other than the information processing device that executes the program; and a risk determination unit that performs a risk determination process that determines, based on preset determination conditions, whether or not there is a security risk in the history information to which the external information has been added.
- (Appendix 2) The analysis device according to Appendix 1, wherein the determination condition includes at least one of a geographical element related to a route of data, a logical element indicating a logical configuration related to the route, and a functional element related to a function of the route.
- (Appendix 3) The analysis device according to Appendix 2, wherein the external information includes at least one of geographical information indicating the geographical element, logical information indicating the logical element, and functional information indicating the functional element.
- (Appendix 4) The analysis device according to Appendix 2 or 3, wherein the risk determination unit performs the risk determination process by classifying the history information to which the external information has been added into the geographical element, the logical element, and the functional element.
- (Appendix 5) The analysis device according to any one of Appendices 1 to 4, wherein the external information includes information published on the Internet.
- (Appendix 6) The analysis device according to any one of Appendices 1 to 4, wherein the external information includes information stored in the information resource contained in an internal network that can access an intermediate network separated from the Internet by a firewall and that is inaccessible from the intermediate network.
- (Appendix 7) The analysis device according to any one of Appendices 1 to 6, wherein the history information is a data flow graph indicating routes of data exchanged by the analysis target system.
- (Appendix 8) The analysis device according to any one of Appendices 1 to 7, wherein the history information is information about system calls called by the program.
- (Appendix 9) The analysis device according to any one of Appendices 1 to 8, wherein the history information is information obtained by taking a snapshot of the analysis target system while the program is running.
- (Appendix 10) An analysis system comprising the analysis device according to any one of Appendices 1 to 9.
- (Appendix 11) An analysis method comprising: collecting history information about the operation history of a program operating in an analysis target system; adding, to the history information, external information acquired from an information resource other than the information processing device that executes the program; and performing a risk determination process that determines, based on preset determination conditions, whether or not there is a security risk in the history information to which the external information has been added.
- (Appendix 12) An analysis program that causes a processor to execute: collecting history information about the operation history of a program operating in an analysis target system; adding, to the history information, external information acquired from an information resource other than the information processing device that executes the program; and performing a risk determination process that determines, based on preset determination conditions, whether or not there is a security risk in the history information to which the external information has been added.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Computing Systems (AREA)
- Signal Processing (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Debugging And Monitoring (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Description
1. Overview of embodiments of the present invention
2. First embodiment
2.1. Operation mode of the analysis system
2.2. Overview of the routes of data exchanged in the authentication system
2.3. Configuration of the analysis server
2.3.1. Hardware configuration of information processing devices such as the analysis server
2.3.2. Functional configuration of the analysis server
2.4. Overview of processing in the analysis system
2.4.1. Flow of processing in the analysis system
2.4.2. Flow of the data flow information generation processing in the analysis server
2.4.3. Flow of the risk determination processing in the analysis server
2.4.4. Handling of the results of the risk determination processing
3. Modifications
4. Second embodiment
4.1. Operation mode of the analysis system
4.2. Overview of the analysis target system
4.3. Functional configuration of the analysis server
4.4. Overview of processing in the analysis system
4.4.1. Flow of processing in the analysis system
4.4.2. Flow of the risk determination processing in the analysis server
5. Third embodiment
6. Other embodiments
First, an overview of embodiments of the present invention is described.
In recent years, strengthening the security of systems connected to networks has been desired, and services such as vulnerability diagnosis and penetration testing are provided to analyze the security risks of such systems.
In an embodiment of the present invention, an analysis device includes: a history information collection unit that collects history information about the operation history of a program operating in an analysis target system; an information addition unit that adds, to the history information, external information acquired from an information resource other than the information processing device that executes the program; and a risk determination unit that performs a determination process that determines, based on preset determination conditions, whether or not there is a security risk in the history information to which the external information has been added.
Embodiments of the present invention are described below with reference to FIGS. 1 to 10. The present embodiment describes an analysis system that analyzes security risks in systems such as one that provides an authentication service over a network.
First, the operation mode of the analysis system 1000 according to the first embodiment is described. FIG. 1 illustrates an example of the operation mode of the analysis system 1000 according to the first embodiment. As shown in FIG. 1, the analysis system 1000 is configured by connecting an analysis server 1, a user terminal 2, an FR (Facial Recognition) client server 32, an FR (Facial Recognition) server 33, and an FRDB (Facial Recognition Data Base) 34 via a network 4.
Next, an overview of the routes of data exchanged in the authentication system 3A is described with reference to FIG. 2. FIG. 2 is a model diagram for explaining the routes of data exchanged in the authentication system 3A. In the present embodiment, the description assumes that the authentication system 3A provides an authentication service that authenticates users by means of existing facial recognition technology.
Next, the configuration of the analysis server 1 of the present embodiment is described. Here, the hardware configuration of information processing devices such as the analysis server 1, the user terminal 2, and the host terminals included in the authentication system 3A as the analysis target system is described first, followed by the functional configuration of the analysis server 1.
The hardware configuration of information processing devices such as the analysis server 1 and the user terminal 2 according to the present embodiment, and the host terminals included in the authentication system 3A, is described with reference to FIG. 3. FIG. 3 is a block diagram showing the hardware configuration of an information processing device.
Next, the functional configuration of the analysis server 1 is described with reference to FIG. 4. FIG. 4 is a functional block diagram showing the functional configuration of the analysis server 1. As shown in FIG. 4, the analysis server 1 includes a controller 100 and a network I/F 101.
Next, an overview of processing in the analysis system 1000 of the present embodiment is described with reference to FIGS. 5 to 10. FIG. 5 is a sequence diagram showing the flow of processing in the analysis system 1000. FIG. 6A illustrates an example of the structure of a history information data table 151 stored in a received information DB 150. FIG. 6B illustrates an example of the structure of an access right information data table 152 stored in the received information DB 150. FIG. 7 is a flowchart showing the flow of the data flow information generation processing in the analysis server 1. FIG. 8 shows an example of data flow information in the present embodiment. FIG. 9 is a flowchart showing the flow of the risk determination processing in the analysis server 1. FIG. 10 shows an example of a GUI 300 on which the result of the risk determination processing in the present embodiment is displayed.
First, an overview of processing in the analysis system 1000 is described with reference to FIG. 5. In FIG. 5, an operator 5 of the analysis system 1000 performs, on the user terminal 2, an operation to start a security risk analysis in the analysis system 1000. Here, it is assumed that an operation to start a security risk analysis with the authentication system 3A as the analysis target system has been performed. In step S101, the user terminal 2 transmits to the analysis server 1 information indicating that a security risk analysis of the authentication system 3A is to be started.
Next, the flow of the data flow information generation processing in the present embodiment is described with reference to FIGS. 7 and 8. This processing corresponds to the processing performed in step S120 of FIG. 5. FIG. 8 shows, as an example of data flow information, a subgraph extracted by the extraction processing of a first extraction unit 171 and a second extraction unit 172.
Next, the flow of the risk determination processing in the present embodiment is described with reference to FIGS. 9 and 10. This processing corresponds to the processing performed in step S121 of FIG. 5.
Next, the handling of the results of the risk determination processing in the present embodiment is described with reference to FIG. 10. FIG. 10 illustrates a GUI 300 that includes a graph panel 310 on which, as the result of the risk determination processing by the risk determination unit 180, a data flow graph is displayed together with information that makes it possible to recognize the data route determined to carry a risk. Assume that, when the FR client server 32 transmitted information to the FR server 33, the communication protocol from the FR client server 32 was not encrypted. In this case, the risk determination unit 180 determines that the data route between the FR client server 32 and the FR server 33 carries an information leakage risk. The user terminal 2 then displays the GUI 300 including a warning display C1.
Next, as a modification of the present embodiment, the operation when a project management system 3B that provides a project progress management service is the analysis target system in place of the authentication system 3A is described with reference to FIG. 11. FIG. 11 is an explanatory diagram illustrating the routes of data exchanged in the project management system 3B. The example shown in FIG. 11 assumes that progress management is performed for a project related to the user corresponding to user information 350. In addition, in the example shown in FIG. 12, it is assumed that a scenario 141C (see FIG. 4) performs image conversion processing 351, which generates a thumbnail image based on the user information 350, and task management processing 352, and that the analysis server 1 communicates with the project management system 3B and receives history information.
The first embodiment described an embodiment in which the presence or absence of a security risk is determined based on history information, such as system calls and snapshots, acquired from the analysis target system. By using various information published on the Internet in addition to history information such as system calls and snapshots, it may be possible to infer, for a data route in the analysis target system, the functions the route has, such as firewalls and protected communication, its logical configuration, and the geographical relationships of the route.
The operation mode of the analysis system 2000 according to the second embodiment is described with reference to FIG. 12. FIG. 12 illustrates an example of the operation mode of the analysis system 2000. As shown in FIG. 12, the analysis system 2000 is configured by connecting the analysis server 1, the user terminal 2, and an analysis target system 6 via the network 4.
Next, an overview of the analysis target system 6 is described with reference to FIG. 13. FIG. 13 illustrates an example of the analysis target system 6. As shown in FIG. 13, the analysis target system 6 is a system provided across a demilitarized zone 5A (DeMilitarized Zone, hereinafter sometimes referred to as "DMZ"), a first subnet 5C, and a second subnet 5D.
Next, the functional configuration of the analysis server 1 according to the second embodiment is described with reference to FIG. 14. FIG. 14 is a functional block diagram showing the functional configuration of the analysis server 1 according to the present embodiment. In FIG. 14, components that are the same as in the functional configuration of the analysis server 1 according to the first embodiment are given the same reference signs, and duplicate description may be omitted.
Next, an overview of processing in the analysis system 2000 of the present embodiment is described with reference to FIGS. 15 to 17. FIG. 15 is a sequence diagram showing the flow of processing in the analysis system 2000. FIG. 16 explains the details of the determination conditions stored in a condition DB 181. FIG. 17 is a flowchart showing the flow of the risk determination processing.
First, the flow of processing in the analysis system 2000 is described with reference to FIG. 15. In FIG. 15, the operator of the analysis system 2000 performs, on the user terminal 2, an operation to start a security risk analysis in the analysis system 2000. Here, it is assumed that, on the user terminal 2, the analysis target system 6 has been specified as the analysis target and an operation to start a security risk analysis has been performed.
- Information published on the Internet 5B (including geographical information indicating geographical elements of the data route, or logical information identifying logical elements, such as domain names and subnet names, and functional information identifying functional elements of the data route, such as application version information and security patches)
- Geographical information indicating geographical elements of the data route, such as the names of countries or regions identified from IP addresses via web services provided on the Internet 5B
- Logical information identifying logical elements and functional information identifying functional elements relating to virtual machines and containers of a container management service provided on the Internet 5B
- Functional information identifying functional elements of the data route, such as the settings of routers and switches included in the analysis target system 6
- Functional information identifying functional elements of the data route, such as packet monitoring at a mirror port of a router included in the analysis target system 6
- Functional information identifying functional elements of the data route, such as in-house communication information, stored in host terminals in the first subnet 5C and the second subnet, that associates IP addresses with department identifiers
Next, the flow of the risk determination processing in the present embodiment is described with reference to FIGS. 16 and 17. This processing corresponds to the processing performed in step S207 of FIG. 15.
Next, the third embodiment of the present invention is described with reference to FIGS. 18 and 19. The second embodiment described above is a specific embodiment, whereas the third embodiment is a more generalized embodiment. The third embodiment below achieves the same technical effects as the second embodiment.
As an example, the analysis device 1A according to the third embodiment may perform the operation of the analysis server 1 according to the second embodiment. Similarly, as an example, the analysis system 2000A according to the third embodiment may be configured in the same manner as the analysis system 2000 according to the second embodiment. In these cases, the description of the second embodiment is also applicable to the third embodiment. The third embodiment is not limited to the above examples.
Although embodiments of the present invention have been described above, the present invention is not limited to these embodiments. Those skilled in the art will understand that these embodiments are merely examples and that various modifications are possible without departing from the scope and spirit of the present invention.
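The risk determination described for the first and second embodiments (a data flow graph built from history information, external information attached to its routes, and preset conditions sorted into geographical, logical and functional elements) can be sketched in code. The block below is an added example written for this page, not code from the patent or its applicant. The host names echo the page's reference signs (FR client server 32, FR server 33, FRDB 34, the DMZ and the two subnets), while the attribute values, the condition set, and every function and field name are constructed assumptions. It reproduces the first embodiment's case in which an unencrypted protocol between the FR client server and the FR server is flagged as an information leakage risk, and adds one constructed condition for each of the other two elements so that the per-element grouping of findings is visible.

```python
"""Risk determination over a data flow graph enriched with external information.

Added example; all sample data and conditions are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# History information (constructed): one record per observed data transfer, the kind
# of edge a data flow graph derived from system calls or snapshots would contain.
HISTORY = [
    {"src": "fr-client-32", "dst": "fr-server-33", "protocol": "http", "port": 80, "data": "face_image"},
    {"src": "fr-server-33", "dst": "frdb-34", "protocol": "tls", "port": 5432, "data": "face_template"},
    {"src": "fr-client-32", "dst": "geo-api.example", "protocol": "tls", "port": 443, "data": "client_ip"},
]

# External information (constructed): facts about each endpoint obtained from resources
# other than the executing hosts, e.g. IP geolocation, a network inventory, a patch tracker.
EXTERNAL = {
    "fr-client-32": {"country": "JP", "zone": "dmz", "patched": True},
    "fr-server-33": {"country": "JP", "zone": "subnet1", "patched": False},
    "frdb-34": {"country": "JP", "zone": "subnet2", "patched": True},
    "geo-api.example": {"country": "US", "zone": "internet", "patched": None},
}

ENCRYPTED_PROTOCOLS = {"tls", "https", "ssh"}
INTERNAL_ZONES = {"subnet1", "subnet2"}
ALLOWED_COUNTRIES = {"JP"}


@dataclass
class Edge:
    """One data route; the three element dicts are filled by add_external_info."""
    src: str
    dst: str
    protocol: str
    port: int
    data: str
    geographical: Dict[str, object] = field(default_factory=dict)
    logical: Dict[str, object] = field(default_factory=dict)
    functional: Dict[str, object] = field(default_factory=dict)

    def label(self) -> str:
        return f"{self.src}->{self.dst}"


def build_graph(history: List[dict]) -> List[Edge]:
    """History information collection: turn raw transfer records into graph edges."""
    return [Edge(r["src"], r["dst"], r["protocol"], r["port"], r["data"]) for r in history]


def add_external_info(edges: List[Edge], external: Dict[str, dict]) -> List[Edge]:
    """Information addition: attach external facts to each edge, sorted into the three elements."""
    for e in edges:
        s, d = external.get(e.src, {}), external.get(e.dst, {})
        e.geographical = {"src_country": s.get("country"), "dst_country": d.get("country")}
        e.logical = {"src_zone": s.get("zone"), "dst_zone": d.get("zone")}
        e.functional = {"encrypted": e.protocol in ENCRYPTED_PROTOCOLS, "dst_patched": d.get("patched")}
    return edges


@dataclass
class Condition:
    element: str                       # "geographical" | "logical" | "functional"
    name: str
    predicate: Callable[[Edge], bool]  # True means the edge carries the risk
    message: str


# Preset determination conditions (constructed), each tagged with the element it concerns.
CONDITIONS = [
    Condition("functional", "unencrypted_transfer",
              lambda e: not e.functional["encrypted"],
              "information leakage risk: data sent over an unencrypted protocol"),
    Condition("functional", "unpatched_receiver",
              lambda e: e.functional["dst_patched"] is False,
              "receiving host is missing security patches"),
    Condition("logical", "dmz_to_internal",
              lambda e: e.logical["src_zone"] == "dmz" and e.logical["dst_zone"] in INTERNAL_ZONES,
              "direct route from the DMZ into an internal subnet"),
    Condition("geographical", "data_leaves_allowed_region",
              lambda e: e.geographical["dst_country"] not in ALLOWED_COUNTRIES,
              "data sent to a host outside the allowed countries"),
]


def determine_risk(edges: List[Edge], conditions: List[Condition]) -> Dict[str, List[dict]]:
    """Risk determination: evaluate every condition on every edge, grouping findings by element."""
    findings: Dict[str, List[dict]] = {"geographical": [], "logical": [], "functional": []}
    for e in edges:
        for c in conditions:
            if c.predicate(e):
                findings[c.element].append({"route": e.label(), "condition": c.name, "message": c.message})
    return findings


def analyze(history=HISTORY, external=EXTERNAL, conditions=CONDITIONS) -> Dict[str, List[dict]]:
    """Full pipeline: collect, add external information, determine risk."""
    return determine_risk(add_external_info(build_graph(history), external), conditions)


if __name__ == "__main__":
    for element, items in analyze().items():
        print(f"[{element}] {len(items)} finding(s)")
        for f in items:
            print(f"  {f['route']}: {f['message']}")
```

With the constructed data, the http route from fr-client-32 to fr-server-33 produces two functional findings (unencrypted transfer, unpatched receiver) and one logical finding (DMZ into an internal subnet), while the TLS call to geo-api.example produces only a geographical finding; the fr-server-33 to frdb-34 route passes every condition. Keeping the element tag on the condition rather than on the edge is what lets an operator see at a glance which of the three elements a given risk belongs to.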
1A analysis device
2 user terminal
4 network
5 operator
5A DMZ
5B Internet
5C first subnet
5D second subnet
6 analysis target system
100 controller
131D, 131E, 131F agents
141 scenario storage unit
150 received information DB
170 data flow generation unit
180, 180A risk determination unit
181 condition DB
220, 220A history information collection unit
230, 230A information addition unit
2000, 2000A analysis system
Claims (12)
- An analysis device comprising: a history information collection unit that collects history information about the operation history of a program operating in an analysis target system; an information addition unit that adds, to the history information, external information acquired from an information resource other than the information processing device that executes the program; and a risk determination unit that performs a risk determination process that determines, based on preset determination conditions, whether or not there is a security risk in the history information to which the external information has been added.
- The analysis device according to claim 1, wherein the determination condition includes at least one of a geographical element related to a route of data, a logical element indicating a logical configuration related to the route, and a functional element related to a function of the route.
- The analysis device according to claim 2, wherein the external information includes at least one of geographical information indicating the geographical element, logical information indicating the logical element, and functional information indicating the functional element.
- The analysis device according to claim 2 or 3, wherein the risk determination unit performs the risk determination process by classifying the history information to which the external information has been added into the geographical element, the logical element, and the functional element.
- The analysis device according to any one of claims 1 to 4, wherein the external information includes information published on the Internet.
- The analysis device according to any one of claims 1 to 4, wherein the external information includes information stored in the information resource contained in an internal network that can access an intermediate network separated from the Internet by a firewall and that is inaccessible from the intermediate network.
- The analysis device according to any one of claims 1 to 6, wherein the history information is a data flow graph indicating routes of data exchanged by the analysis target system.
- The analysis device according to any one of claims 1 to 7, wherein the history information is information about system calls called by the program.
- The analysis device according to any one of claims 1 to 8, wherein the history information is information obtained by taking a snapshot of the analysis target system while the program is running.
- An analysis system comprising the analysis device according to any one of claims 1 to 9.
- An analysis method comprising: collecting history information about the operation history of a program operating in an analysis target system; adding, to the history information, external information acquired from an information resource other than the information processing device that executes the program; and performing a risk determination process that determines, based on preset determination conditions, whether or not there is a security risk in the history information to which the external information has been added.
- An analysis program that causes a processor to execute: collecting history information about the operation history of a program operating in an analysis target system; adding, to the history information, external information acquired from an information resource other than the information processing device that executes the program; and performing a risk determination process that determines, based on preset determination conditions, whether or not there is a security risk in the history information to which the external information has been added.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2023506677A JPWO2022195862A1 (ja) | 2021-03-19 | 2021-03-19 | |
US18/281,230 US20240146757A1 (en) | 2021-03-19 | 2021-03-19 | Analysis apparatus, analysis system, analysis method and analysis program |
PCT/JP2021/011445 WO2022195862A1 (ja) | 2021-03-19 | 2021-03-19 | Analysis device, analysis system, analysis method, and analysis program |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2021/011445 WO2022195862A1 (ja) | 2021-03-19 | 2021-03-19 | Analysis device, analysis system, analysis method, and analysis program |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022195862A1 true WO2022195862A1 (ja) | 2022-09-22 |
Family
ID=83322088
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2021/011445 WO2022195862A1 (ja) | 2021-03-19 | 2021-03-19 | Analysis device, analysis system, analysis method, and analysis program |
Country Status (3)
Country | Link |
---|---|
US (1) | US20240146757A1 (ja) |
JP (1) | JPWO2022195862A1 (ja) |
WO (1) | WO2022195862A1 (ja) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007156816A (ja) * | 2005-12-05 | 2007-06-21 | Nec Corp | Risk analysis device, risk analysis method, and risk analysis program |
JP2014506370A (ja) * | 2011-01-07 | 2014-03-13 | Ab Initio Technology LLC | Flow analysis instrumentation |
JP2014143620A (ja) * | 2013-01-25 | 2014-08-07 | Hitachi Ltd | Security policy setting device and security policy dynamic setting method |
JP2016170568A (ja) * | 2015-03-12 | 2016-09-23 | Hitachi, Ltd. | Log management control system and log management control method |
JP2020095689A (ja) * | 2018-11-29 | 2020-06-18 | Ricoh Co., Ltd. | Display terminal, shared system, display control method, and program |
Events
2021
- 2021-03-19 WO PCT/JP2021/011445 patent/WO2022195862A1/ja active Application Filing
- 2021-03-19 US US18/281,230 patent/US20240146757A1/en active Pending
- 2021-03-19 JP JP2023506677A patent/JPWO2022195862A1/ja active Pending
Also Published As
Publication number | Publication date |
---|---|
JPWO2022195862A1 (ja) | 2022-09-22 |
US20240146757A1 (en) | 2024-05-02 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 21931608; Country of ref document: EP; Kind code of ref document: A1 |
| WWE | Wipo information: entry into national phase | Ref document number: 2023506677; Country of ref document: JP |
| WWE | Wipo information: entry into national phase | Ref document number: 18281230; Country of ref document: US |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 21931608; Country of ref document: EP; Kind code of ref document: A1 |