WO2023012849A1 - Inference device, inference method, and storage medium - Google Patents


Info

Publication number
WO2023012849A1
Authority
WO
WIPO (PCT)
Prior art keywords
attacker
attack
inference
similarity
information
Application number
PCT/JP2021/028549
Other languages
French (fr)
Japanese (ja)
Inventor
庄太 本浦
Original Assignee
日本電気株式会社
Application filed by 日本電気株式会社 (NEC Corporation)
Priority to JP2023539222A (JPWO2023012849A5)
Priority to PCT/JP2021/028549 (WO2023012849A1)
Publication of WO2023012849A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N 5/00 Computing arrangements using knowledge-based models
    • G06N 5/04 Inference or reasoning models

Definitions

  • This disclosure relates to hypothesis inference (abductive reasoning) techniques.
  • Hypothesis inference is a method of deriving plausible hypotheses from inference knowledge (rules) given as logical formulas and from observed events. In the field of cybersecurity, for example, hypothesis inference can be applied when determining whether an event observed in a computer system is due to a cyberattack.
  • Patent Literature 1 discloses a technique for reflecting the temporal context of observations in the hypothesis candidates generated by weighted hypothesis inference.
  • Patent Literature 2 discloses a technique for calculating the degree of similarity between multiple suspicious activity graphs, which are structures that represent the activity details of targeted attacks and malware.
  • Patent Literature 2 also discloses a technique for associating a record of the analysis result of a suspicious activity graph with a probable attack source.
  • Patent Literature 1 does not disclose performing inference processing using information about the attacker who carries out a cyberattack. Consequently, with the technique of Patent Literature 1, the accuracy of estimating which attacker carried out a cyberattack is low.
  • With the technique of Patent Literature 2, when a suspicious activity graph is difficult to obtain, for example because access to the network in which the suspicious activity detection device is installed is restricted, the accuracy of estimating the probable attack source associated with the analysis result record of the activity graph is low.
  • One purpose of this disclosure is to improve the accuracy of estimating attackers who carry out cyberattacks.
  • In one aspect, an inference device includes: inference means for obtaining, by performing inference processing based on an observation log in which information related to a cyberattack is recorded and on the features of an attacker inferred from past attack incidents, an overall picture of the attack by that attacker, in which the attack modus operandi is hierarchically abstracted under the assumption that the attacker left the information corresponding to the observation log; and similarity obtaining means for obtaining a similarity, which is a value indicating how similar the overall picture of the attack by the attacker and the features of the attacker are.
  • In another aspect, an inference device includes: inference means for obtaining, by performing inference processing based on an observation log in which information related to a cyberattack is recorded, an overall picture of the attack in which the attack modus operandi corresponding to the observation log is hierarchically abstracted; and similarity obtaining means for obtaining a similarity, which is a value indicating how similar the overall picture of the attack and the features of an attacker inferred from past attack incidents are.
  • In one aspect, an inference method includes: obtaining, by performing inference processing based on an observation log in which information related to a cyberattack is recorded and on the features of an attacker inferred from past attack incidents, an overall picture of the attack by that attacker, in which the attack modus operandi is hierarchically abstracted under the assumption that the attacker left the information corresponding to the observation log; and obtaining a similarity, which is a value indicating how similar the overall picture of the attack by the attacker and the features of the attacker are.
  • In another aspect, an inference method includes: obtaining, by performing inference processing based on an observation log in which information related to a cyberattack is recorded, an overall picture of the attack in which the attack modus operandi corresponding to the observation log is hierarchically abstracted; and obtaining a similarity, which is a value indicating the degree of similarity between the overall picture of the attack and the features of an attacker inferred from past attack incidents.
  • In one aspect, a recording medium stores a program that causes a computer to execute: a process of obtaining, by performing inference processing based on an observation log in which information related to a cyberattack is recorded and on the features of an attacker inferred from past attack incidents, an overall picture of the attack by that attacker, in which the attack modus operandi is hierarchically abstracted under the assumption that the attacker left the information corresponding to the observation log; and a process of obtaining a similarity, which is a value indicating how similar the overall picture of the attack by the attacker and the features of the attacker are.
  • In another aspect, a recording medium stores a program that causes a computer to execute: a process of obtaining, by performing inference processing based on an observation log in which information related to a cyberattack is recorded, an overall picture of the attack in which the attack modus operandi corresponding to the observation log is hierarchically abstracted; and a process of obtaining a similarity, which is a value indicating the degree of similarity between the overall picture of the attack and the features of an attacker inferred from past attack incidents.
  • FIG. 1 is a block diagram showing the hardware configuration of the inference device according to the first embodiment.
  • FIG. 2 is a diagram showing the functional configuration of the inference device according to the first embodiment.
  • FIG. 3 is a diagram showing an example of an observation log used in the inference processing of the inference device according to the first embodiment.
  • FIG. 4 is a diagram showing an example of attacker feature information used in the inference processing of the inference device according to the first embodiment.
  • FIG. 5 is a diagram showing another example of attacker feature information used in the inference processing of the inference device according to the first embodiment.
  • FIG. 6 is a diagram for explaining an example of an inference result obtained by the inference processing of the inference device according to the first embodiment.
  • FIG. 7 is a diagram for explaining another example of an inference result obtained by the inference processing of the inference device according to the first embodiment.
  • FIG. 8 is a diagram showing an example of attacker estimation information generated by the inference device according to the first embodiment.
  • FIG. 9 is a diagram for explaining an example of a display screen displayed by the processing of the inference device according to the first embodiment.
  • FIG. 10 is a flowchart for explaining the processing performed by the inference device according to the first embodiment.
  • FIG. 11 is a flowchart for explaining the processing performed by the inference device according to a modification of the first embodiment.
  • A further block diagram shows the functional configuration of the inference device according to the second embodiment.
  • A further flowchart explains the processing performed by the inference device according to the second embodiment.
  • A further block diagram shows the functional configuration of the inference device according to the third embodiment.
  • A further flowchart explains the processing performed by the inference device according to the third embodiment.
  • FIG. 1 is a block diagram showing the hardware configuration of the inference device 100.
  • The inference device 100 includes an interface (IF) 11, a processor 12, a memory 13, a recording medium 14, a database (DB) 15, a display unit 16 and an input unit 17.
  • The IF 11 performs data input/output with external devices. Specifically, the observation information used for inference is input through the IF 11, and the attacker estimation information (described later) and the like obtained by the inference device 100 are output to an external device through the IF 11.
  • The processor 12 is a computer such as a CPU (Central Processing Unit) or a GPU (Graphics Processing Unit), and controls the entire inference device 100 by executing a program prepared in advance. Specifically, the processor 12 executes processing such as the inference processing described later.
  • The memory 13 is composed of ROM (Read Only Memory), RAM (Random Access Memory) and the like. The memory 13 is also used as working memory while the processor 12 executes the various processes.
  • The recording medium 14 is a non-volatile, non-transitory recording medium such as a disk-shaped recording medium or a semiconductor memory, and is configured to be detachable from the inference device 100.
  • The recording medium 14 records the various programs executed by the processor 12.
  • The programs recorded in the recording medium 14 are loaded into the memory 13 and executed by the processor 12.
  • The database 15 stores the observation information and the like input through the IF 11. The database 15 also stores the inference results and the like obtained by the processing of the attacker estimation unit 22, described later, and the attacker feature information, also described later.
  • The display unit 16 is configured by a display device such as a liquid crystal monitor, and displays information such as inference results as necessary.
  • The input unit 17 is composed of an input device such as a keyboard, a mouse or a touch panel.
  • FIG. 2 is a diagram showing the functional configuration of the inference device according to the first embodiment.
  • The inference device 100 has an input reception unit 21, an attacker estimation unit 22 and an information output unit 23.
  • The input reception unit 21 receives input of an observation log in which the events and the like actually observed in response to an attack on a network domain NDX are recorded.
  • The observation log contains, for example, the content of each event that actually occurred on one of the computers belonging to the network domain NDX together with the occurrence time (time stamp) of the event, listed in chronological order. That is, the observation log records information related to a cyberattack.
  • The attacker estimation unit 22 has an inference unit 31, a similarity acquisition unit 32 and an attacker database 33.
  • The attacker estimation unit 22 performs processing to obtain attacker estimation information, which is information on the attacker estimated to have attacked the network domain NDX, based on the observation log whose input is received by the input reception unit 21 (hereinafter referred to as observation log LX).
  • The attacker estimation unit 22 also outputs the attacker estimation information obtained by this processing to the information output unit 23.
  • The inference unit 31 has an inference engine 31a and an inference rule storage unit 31b. The inference unit 31 performs inference processing based on the observation log LX and on the attacker feature information AFJ (described later) stored in the attacker database 33, and outputs the inference result obtained by the inference processing to the similarity acquisition unit 32.
  • The inference engine 31a performs inference processing using the inference rules stored in the inference rule storage unit 31b, and thereby estimates an overall picture of the attack on the network domain NDX under the assumption that an attacker indicated by the attacker feature information AFJ attacked the network domain NDX and actually left the information corresponding to the observation log LX. The inference engine 31a performs this inference processing separately for each of the plurality of attackers indicated by the attacker feature information AFJ. That is, the inference result obtained by the inference processing of this embodiment contains a plurality of overall pictures of the attack on the network domain NDX, one for each attacker indicated by the attacker feature information AFJ, each obtained under the assumption that that attacker independently attacked the network domain NDX and left the information in the observation log LX.
  • The inference rule storage unit 31b stores the inference rules used in the inference processing of the inference engine 31a.
  • The inference engine 31a of the present embodiment uses the technique disclosed in International Publication WO2021/090497, which reflects the temporal context of observations in the hypothesis candidates generated by weighted hypothesis inference.
  • The inference rule storage unit 31b of the present embodiment stores inference rules that incorporate the viewpoint of TTP (Tactics, Techniques and Procedures) into the rules (inference knowledge) disclosed in International Publication WO2021/090497.
  • TTP is a framework that hierarchically abstracts (models) the cyberattack methods used by attackers. For example, in the TTP framework published by MITRE (https://attack.mitre.org/), the cyberattack methods of attackers are represented at three levels of abstraction: "Tactics", "Techniques" and "Procedures".
  • In the following, the TTP framework published by MITRE is simply abbreviated as TTP.
  • The similarity acquisition unit 32 obtains a similarity, which is a value indicating the degree of similarity between the overall picture of the attack obtained under the assumption that one attacker among the plurality of attackers indicated by the attacker feature information AFJ attacked the network domain NDX, and the features of that attacker indicated by the attacker feature information AFJ. The similarity acquisition unit 32 obtains a plurality of such similarities, one for each of the attackers indicated by the attacker feature information AFJ, generates attacker estimation information in which the obtained similarities are arranged in descending order, and outputs the generated attacker estimation information to the information output unit 23.
  • The attacker database 33 stores attacker feature information AFJ representing the features of each of a plurality of attackers.
  • For example, attacker feature information AFJZ, which represents the features of an attacker Z, is information that associates abstract information, which abstracts the attack modus operandi on the basis of TTP as inferred from the contents of public reports on past attacks believed to have been carried out by attacker Z, with an evaluation value obtained by evaluating the specificity of the attack modus operandi represented by that abstract information. The attacker feature information AFJ contains information of the same form as the attacker feature information AFJZ for each of the plurality of attackers.
  • The information output unit 23 generates a display screen for displaying the attacker estimation information and the like output from the attacker estimation unit 22, and outputs the generated display screen to the display device. That is, the information output unit 23 functions as display screen generation means. The information output unit 23 also outputs data including the attacker estimation information output from the attacker estimation unit 22 to an external device.
  • FIG. 3 is a diagram showing an example of an observation log used in the inference processing of the inference device according to the first embodiment.
  • The input reception unit 21 receives input of an observation log L1 as shown in FIG. 3 as the observation log actually observed in response to an attack on a network domain ND1.
  • The inference unit 31 performs inference processing based on the observation log L1 and the attacker feature information AFJ stored in the attacker database 33.
  • FIG. 4 and FIG. 5 are diagrams showing examples of attacker feature information used in the inference processing of the inference device according to the first embodiment.
  • The attacker feature information AFJ includes, for example, attacker feature information AFJA as shown in FIG. 4 and attacker feature information AFJB as shown in FIG. 5.
  • The attacker feature information AFJA includes abstract information and evaluation values representing the features of an attacker A. Likewise, the attacker feature information AFJB includes abstract information and evaluation values representing the features of an attacker B.
  • "File Deletion", one item of abstract information in the attacker feature information AFJA, is an abstract expression of the attack method inferred from the phrase "after achieving the purpose, the trail is deleted" contained in a public report on a past attack believed to have been carried out by attacker A. "File Deletion" corresponds to a "Technique", the second highest level of abstraction in TTP.
  • "Lateral Movement", one item of abstract information in the attacker feature information AFJB, is an abstract expression of the attack method inferred from the wording "expanding the infection to other terminals" contained in a public report on a past attack believed to have been carried out by attacker B.
  • The abstract information corresponding to the content of one public report need only include one or more items corresponding to any of "Tactics", "Techniques" and "Procedures".
  • The evaluation values included in the attacker feature information AFJA and AFJB are calculated using formula (1), in which:
  • EV denotes the evaluation value,
  • AGN denotes the total number of attackers included in the attacker feature information AFJ,
  • ATN denotes the number of attackers in the attacker feature information AFJ that have the same abstract information, and
  • ln denotes the natural logarithm.
  • FIG. 6 and FIG. 7 are diagrams for explaining examples of inference results obtained by the inference processing of the inference device according to the first embodiment.
  • The inference unit 31 performs inference processing based on the observation log L1 and the attacker feature information AFJA, and thereby obtains, as the inference result under the assumption that the attack on the network domain ND1 was carried out by attacker A, for example an inference result HRA as shown in FIG. 6. The inference unit 31 also performs inference processing based on the observation log L1 and the attacker feature information AFJB, and thereby obtains, as the inference result under the assumption that the attack on the network domain ND1 was carried out by attacker B, for example an inference result HRB as shown in FIG. 7. The inference unit 31 outputs the inference results HRA and HRB to the similarity acquisition unit 32.
  • The inference result HRA is a hierarchical abstraction of the method of attacking the network domain ND1 under the assumption that attacker A left the information corresponding to the observation log L1 when attacking the network domain ND1. It corresponds to the overall picture of the attack by attacker A.
  • The inference result HRB is a hierarchical abstraction of the method of attacking the network domain ND1 under the assumption that attacker B left the information corresponding to the observation log L1 when attacking the network domain ND1. It corresponds to the overall picture of the attack by attacker B.
  • The abstract information ("Tactics" and "Techniques") included in each of the inference results HRA and HRB is selected as appropriate by the inference engine 31a.
  • The occurrence times in each of the inference results HRA and HRB are set to the times corresponding to the occurrence times in the observation log L1.
  • The logs in each of the inference results HRA and HRB correspond to "Procedures", the third highest (lowest) level of abstraction in TTP.
  • The abstract information and log shown in the column for time T22 of the inference result HRB in FIG. 7 correspond to an attack modus operandi that the inference engine 31a added as a hypothesis based on the observation log L1 and the attacker feature information AFJB.
  • Time T22 is a time after time T21 and before time T31.
  • In the present embodiment, the inference engine 31a selects as appropriate what abstract information and log to add as a hypothesis, and where to add it.
  • Based on the inference result HRA obtained by the inference unit 31 and the attacker feature information AFJA, the similarity acquisition unit 32 obtains a similarity DSA, which is a value indicating the degree of similarity between the overall picture of the attack by attacker A and the features of attacker A indicated by the attacker feature information AFJA. Based on the inference result HRB obtained by the inference unit 31 and the attacker feature information AFJB, the similarity acquisition unit 32 obtains a similarity DSB, which is a value indicating the degree of similarity between the overall picture of the attack by attacker B and the features of attacker B indicated by the attacker feature information AFJB.
  • The similarities DSA and DSB can be obtained, for example, by a cosine similarity calculation based on the idea of TF-IDF (Term Frequency-Inverse Document Frequency).
  • Specifically, the similarity acquisition unit 32 compares the abstract information included in the attacker feature information AFJB with the abstract information included in the inference result HRB, and thereby determines, for each attack modus operandi included in the attacker feature information AFJB, whether or not it appears in the inference result HRB. In this example, the similarity acquisition unit 32 determines that "Lateral Movement", "Privilege Escalation" and "Data from Network Shared Drive → Data Compressed" appear in the inference result HRB.
  • The similarity acquisition unit 32 then takes the evaluation values (0, ln(2), ln(2)) included in the attacker feature information AFJB and the presence vector (1, 1, 1), in which each determined appearance is written as 1 and each non-appearance as 0, and computes their element-wise product, obtaining the calculation result (0, ln(2), ln(2)).
  • The similarity acquisition unit 32 then treats the evaluation values (0, ln(2), ln(2)) and the calculation result (0, ln(2), ln(2)) as vectors and calculates their cosine similarity to obtain the similarity DSB.
  • The cosine similarity can be calculated by formula (2). For example, applying the evaluation values (0, ln(2), ln(2)) to vector X and the calculation result (0, ln(2), ln(2)) to vector Y in that formula, the value 1 is obtained as the similarity DSB corresponding to cos(X, Y).
  • The method of obtaining the similarity DSB described above is applied in substantially the same way to obtain the similarity DSA.
  • The similarity is set to 0 when cos(X, Y) has no solution because the denominator of formula (2) is 0. In this example, the similarity acquisition unit 32 accordingly obtains 0 as the value of the similarity DSA.
  • The similarity acquisition unit 32 generates attacker estimation information ASJ in which the similarity DSA corresponding to attacker A and the similarity DSB corresponding to attacker B are arranged in descending order, and outputs the generated attacker estimation information ASJ to the information output unit 23.
  • FIG. 8 is a diagram showing an example of attacker estimation information generated by the inference device according to the first embodiment.
  • The attacker estimation information ASJ is generated, for example, as the information shown in FIG. 8. Specifically, the attacker estimation information ASJ is generated as a ranking table in which (the names corresponding to) the attackers included in the attacker feature information AFJ are arranged in descending order of the probability of having attacked the network domain ND1.
  • The information output unit 23 generates a display screen for displaying the ranking table included in the attacker estimation information ASJ output from the attacker estimation unit 22, and outputs the generated display screen to the display device. That is, when a plurality of similarities corresponding to a plurality of attackers have been obtained, the information output unit 23 generates a display screen that displays a ranking in which the similarities are arranged in descending order.
  • For example, when a plurality of past attack incidents are stored in the attacker database 33, the similarity acquisition unit 32 may, when generating the attacker estimation information ASJ, retrieve from among those attack incidents an attack incident similar to the features of attacker A or attacker B and add the retrieved attack incident to the ranking table. That is, according to the present embodiment, the similarity acquisition unit 32 may retrieve other past attack incidents similar to the features of attacker A or attacker B.
  • The similarity acquisition unit 32 may calculate, based on the similarities DSA and DSB, a probability value PSA representing the degree of possibility (reliability) that attacker A actually attacked the network domain ND1 and a probability value PSB representing the degree of possibility (reliability) that attacker B actually attacked the network domain ND1.
  • For example, the similarity acquisition unit 32 may calculate the probability values PSA and PSB by applying a softmax function to the similarities DSA and DSB, so that PSA and PSB total 100%.
  • The similarity acquisition unit 32 may add the probability values PSA and PSB to the ranking table when generating the attacker estimation information ASJ.
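The following is an added worked example of the similarity and ranking pipeline described above (evaluation values, the cosine similarity with the zero-denominator rule, the ranking table and the softmax probabilities); it is not code from the patent. Because formula (1) and formula (2) are not reproduced on this page, the example assumes formula (1) is EV = ln(AGN / ATN), the IDF form that reproduces the worked values (0, ln(2), ln(2)), and that formula (2) is ordinary cosine similarity. The attacker profiles and inference results are constructed so that the numbers match the text: DSB = 1, DSA = 0, PSB = 73%, PSA = 27%.

```python
"""Attacker estimation from TTP feature vectors: evaluation values, cosine
similarity with the zero-denominator rule, ranking and softmax probabilities.

Added example, not the patent's own code. Assumptions: formula (1) is read
as EV = ln(AGN / ATN) (the IDF form that reproduces the worked values
0, ln(2), ln(2)); formula (2) is ordinary cosine similarity; the attacker
profiles and inference results below are constructed so that the numbers
match the text (DSB = 1, DSA = 0, PSB = 73%, PSA = 27%).
"""
import math
from typing import Dict, List, Tuple

Profile = List[Tuple[str, float]]  # (abstract information, evaluation value)

# Constructed attacker feature information AFJ: abstract information per attacker.
AFJ_ABSTRACT: Dict[str, List[str]] = {
    "Attacker A": ["Lateral Movement", "File Deletion"],
    "Attacker B": ["Lateral Movement", "Privilege Escalation",
                   "Data from Network Shared Drive -> Data Compressed"],
}

# Constructed inference results: the abstract information the inference engine
# produced from observation log L1 under the hypothesis "attacker X did it".
INFERENCE_RESULTS: Dict[str, List[str]] = {
    "Attacker A": ["Lateral Movement", "Privilege Escalation"],              # HRA
    "Attacker B": ["Lateral Movement", "Privilege Escalation",
                   "Data from Network Shared Drive -> Data Compressed"],     # HRB
}


def evaluation_values(afj: Dict[str, List[str]]) -> Dict[str, Profile]:
    """Formula (1), assumed EV = ln(AGN / ATN): 0 for a method every known
    attacker shares, larger the fewer attackers are known to use it."""
    agn = len(afj)
    attackers_using: Dict[str, int] = {}
    for methods in afj.values():
        for m in set(methods):
            attackers_using[m] = attackers_using.get(m, 0) + 1
    return {name: [(m, math.log(agn / attackers_using[m])) for m in methods]
            for name, methods in afj.items()}


def cosine_similarity(x: List[float], y: List[float]) -> float:
    """Formula (2); returns 0 when either vector is all-zero (denominator 0)."""
    dot = sum(a * b for a, b in zip(x, y))
    norm = math.sqrt(sum(a * a for a in x)) * math.sqrt(sum(b * b for b in y))
    return dot / norm if norm else 0.0


def similarity(profile: Profile, inference_result: List[str]) -> float:
    """DS for one attacker: X = evaluation values, Y = X masked by presence
    of each method in the inference result obtained under that attacker's hypothesis."""
    present = set(inference_result)
    x = [ev for _, ev in profile]
    y = [ev if m in present else 0.0 for m, ev in profile]
    return cosine_similarity(x, y)


def softmax(values: List[float]) -> List[float]:
    shift = max(values)  # subtract the max for numerical stability
    exps = [math.exp(v - shift) for v in values]
    total = sum(exps)
    return [e / total for e in exps]


def attacker_estimation(afj, results) -> List[Tuple[str, float, float]]:
    """Ranking table ASJ: (attacker, similarity, probability), similarity descending."""
    profiles = evaluation_values(afj)
    names = list(afj)
    sims = [similarity(profiles[n], results[n]) for n in names]
    probs = softmax(sims)
    return sorted(zip(names, sims, probs), key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    for name, ds, ps in attacker_estimation(AFJ_ABSTRACT, INFERENCE_RESULTS):
        print(f"{name}: similarity={ds:.3f} probability={ps:.0%}")
```

Two properties of this scheme are worth keeping in mind when reading the ranking. First, a method shared by every known attacker has evaluation value 0, so it contributes nothing to any similarity; attacker A scores 0 here even though "Lateral Movement" from its profile does appear in HRA, because its only specific method ("File Deletion") does not. Second, a softmax over cosine values, which lie in [0, 1], can separate two candidates by at most a factor of e, so 73% versus 27% is the widest split two attackers can get, and candidates with equal similarity (including all-zero) come out uniform; the percentages express rank, not calibrated confidence.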
  • The attacker feature information AFJ may also include IoCs (Indicators of Compromise), such as the hash value of a specific malware sample or an IP address used in a cyberattack.
  • An IoC can be rephrased as trace information indicating traces of an attack carried out by an attacker.
  • The inference unit 31 may perform inference processing using the attacker feature information AFJ together with the IoCs. Further, according to the present embodiment, the similarity acquisition unit 32 may add the IoCs to the ranking table when generating the attacker estimation information ASJ.
  • The information output unit 23 may generate a display screen JDG as shown in FIG. 9.
  • The information output unit 23 may generate a display screen for displaying an overview of the attack by the attacker.
  • FIG. 9 is a diagram for explaining an example of a display screen displayed by the processing of the inference device according to the first embodiment.
  • On the display screen JDG, the probability value PSB (73%) and the probability value PSA (27%) are displayed.
  • Attacker B, corresponding to the probability value PSB, is displayed at the top, and attacker A, corresponding to the probability value PSA, is displayed below attacker B.
  • An overview ATB of the attack by attacker B, who is selected in the selection field SLR, is displayed.
  • In the overview ATB, the elements belonging to "Tactic" in FIG. 7 are connected by arrows oriented according to the order of their occurrence times in that figure. Further, the "Log", "Technique" and "Tactic" at one occurrence time in FIG. 7 are connected by arrows oriented in this order. The element that was added as a hypothesis in the inference result HRB (the element corresponding to the column for time T22 in FIG. 7) is displayed in a manner different from the other elements. The attack methods common to both the attacker feature information AFJB and the inference result HRB are highlighted.
  • The overview ATB may also be displayed in colour, as long as the element added as a hypothesis in the inference result HRB and the attack methods common to both the attacker feature information AFJB and the inference result HRB remain identifiable.
  • The overview ATB may include information indicating the IoCs.
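As an added illustration of the overview structure described above (one Log, Technique and Tactic per occurrence time, tactics chained in time order, the hypothesised column marked differently, and methods shared with the attacker profile highlighted), the following renders such an overview as a Graphviz DOT graph. This is not the patent's code; the inference result rows, their log lines, technique names and tactic assignments are constructed for the example, and only the three methods named in the text ("Lateral Movement", "Privilege Escalation", "Data from Network Shared Drive -> Data Compressed") are taken from the page.

```python
"""Render an attack overview (ATB-style) as a Graphviz DOT graph.

Added example, not the patent's code. The inference result rows mirror the
structure described for HRB (Log -> Technique -> Tactic per occurrence time,
the T22 column added as a hypothesis with no observed log); the log text,
technique names and tactic assignments are constructed assumptions.
"""
from typing import List, NamedTuple, Optional, Set


class Row(NamedTuple):
    time: str
    log: Optional[str]          # None for a hypothesised column with no observed log
    technique: str
    tactic: str
    hypothesis: bool = False


# Constructed inference result HRB.
HRB: List[Row] = [
    Row("T11", "remote logon host-1 -> host-2 (admin share)", "Remote Services", "Lateral Movement"),
    Row("T21", "new local administrator added on host-2", "Valid Accounts", "Privilege Escalation"),
    Row("T22", None, "Data from Network Shared Drive -> Data Compressed", "Collection", hypothesis=True),
    Row("T31", "30 GB outbound transfer from host-2", "Exfiltration Over C2 Channel", "Exfiltration"),
]

# Constructed abstract information of attacker feature information AFJB.
AFJB_ABSTRACT: Set[str] = {"Lateral Movement", "Privilege Escalation",
                           "Data from Network Shared Drive -> Data Compressed"}


def _q(s: str) -> str:
    """Quote a DOT identifier or label."""
    return '"' + s.replace('"', '\\"') + '"'


def overview_dot(rows: List[Row], attacker_abstract: Set[str]) -> str:
    """Build the DOT text: Log -> Technique -> Tactic within each time column,
    Tactic -> Tactic across columns in time order, hypothesised elements drawn
    dashed, and elements also present in the attacker profile drawn bold red."""
    ordered = sorted(rows, key=lambda r: r.time)
    lines = ["digraph ATB {", "  rankdir=LR;"]
    for r in ordered:
        levels = [(k, lab) for k, lab in (("log", r.log), ("tech", r.technique), ("tac", r.tactic))
                  if lab is not None]
        for kind, label in levels:
            attrs = []
            if r.hypothesis:
                attrs.append("style=dashed")
            if label in attacker_abstract:
                attrs.append("penwidth=3 color=red")
            extra = (" " + " ".join(attrs)) if attrs else ""
            lines.append(f"  {_q(r.time + '_' + kind)} [label={_q(label)}{extra}];")
        for (a, _), (b, _) in zip(levels, levels[1:]):
            lines.append(f"  {_q(r.time + '_' + a)} -> {_q(r.time + '_' + b)};")
    for a, b in zip(ordered, ordered[1:]):
        lines.append(f"  {_q(a.time + '_tac')} -> {_q(b.time + '_tac')} [style=bold];")
    lines.append("}")
    return "\n".join(lines)


def highlighted(rows: List[Row], attacker_abstract: Set[str]) -> List[str]:
    """Methods common to the inference result and the attacker profile (sorted)."""
    return sorted({lab for r in rows for lab in (r.technique, r.tactic) if lab in attacker_abstract})


if __name__ == "__main__":
    print(overview_dot(HRB, AFJB_ABSTRACT))
```

Pipe the output into `dot -Tsvg` to render it. The hypothesised T22 column has no log node at all, so the chain there starts at the technique; keeping that visible distinction is the point of the dashed styling, since an analyst should be able to tell at a glance which steps were observed and which the engine inferred to make the attacker's profile fit.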
  • FIG. 10 is a flowchart for explaining the processing performed by the inference device according to the first embodiment.
  • The input reception unit 21 receives input of the observation log L1 in which the events actually observed in response to the attack on the network domain ND1 are recorded (step S11).
  • The inference unit 31 performs inference processing based on the observation log L1 input in step S11 and the attacker feature information AFJA and AFJB stored in the attacker database 33, and thereby obtains the inference results HRA and HRB (step S12).
  • The similarity acquisition unit 32 obtains the similarity DSA based on the inference result HRA obtained in step S12 and the attacker feature information AFJA, and obtains the similarity DSB based on the inference result HRB obtained in step S12 and the attacker feature information AFJB (step S13).
  • The similarity acquisition unit 32 generates attacker estimation information ASJ in which the similarities DSA and DSB obtained in step S13 are arranged in descending order, and outputs the generated attacker estimation information ASJ to the information output unit 23 (step S14). Through this processing of the similarity acquisition unit 32, the ranking table included in the attacker estimation information ASJ is displayed on the display device.
  • As described above, according to the present embodiment, inference processing is performed based on an observation log that records information related to a cyberattack and on the features of attackers inferred from past attack incidents, and the degree of similarity between the overall picture of the attack obtained by the inference processing and the features of each attacker can be estimated. Further, according to the present embodiment, even when a series of attack steps includes an attack method that leaves no clear trace, such as creating a large compressed file, useful information for estimating the attacker who actually carried out that series of attack steps can be obtained. Therefore, according to this embodiment, the accuracy of estimating the attacker who carries out a cyberattack can be improved.
  • FIG. 11 is a flowchart for explaining processing performed by the inference device according to the modification of the first embodiment.
  • The inference unit 31 of the present embodiment may perform inference processing for estimating the overall image ATX of the attack on the network domain ND1 based on the observation log L1 received by the input receiving unit 21. Further, the similarity acquisition unit 32 of the present embodiment may acquire the similarities DSA and DSB using the overall image ATX and the attacker feature information AFJA and AFJB. A specific example of such processing is described below.
  • the input receiving unit 21 receives an input of the observation log L1 in which the events actually observed in response to the attack on the network domain ND1 are recorded (step S21).
  • The inference unit 31 performs inference processing based on the observation log L1 input in step S21, thereby obtaining the overall image ATX of the attack, in which the modus operandi of the attack corresponding to the observation log L1 is hierarchically abstracted (step S22).
  • In step S22, an inference result HRX similar to the inference result HRA in FIG. 6 is obtained.
  • The similarity acquisition unit 32 acquires a similarity DSC, which is a value indicating how similar the overall image ATX and the characteristics of attacker A indicated by the attacker feature information AFJA are (step S23).
  • The similarity acquisition unit 32 likewise acquires a similarity DSD, which is a value indicating the degree of similarity between the overall image ATX and the characteristics of attacker B indicated by the attacker feature information AFJB (step S23).
  • In step S23, the degree of similarity can be obtained using a method similar to the method described above. Therefore, in step S23, 0 is acquired as the value of the similarity DSC, and 1/√2 is acquired as the value of the similarity DSD.
  • The similarity acquisition unit 32 generates attacker estimation information ASK in which the similarities DSC and DSD obtained in step S23 are arranged in descending order, and outputs the generated attacker estimation information ASK to the information output unit 23 (step S24). The ranking table included in the attacker estimation information ASK is then displayed on the display device in accordance with this processing of the similarity acquisition unit 32. Note that the attacker estimation information ASK is generated in the same form as the attacker estimation information ASJ illustrated in FIG.
  • According to this modification, inference processing is performed based on an observation log that records information related to a cyberattack, and the degree of similarity between the overall picture of the attack obtained by the inference processing and the characteristics of attackers inferred from past attack incidents can be estimated. Further, as described above, according to this modification, even if a series of attack processes includes an attack method that does not leave a clear trace, such as creating a large-scale compressed file, it is possible to obtain useful information for estimating the attacker who actually performed that series of attack processes. Therefore, according to this modification, the estimation accuracy for estimating the attacker who carries out the cyberattack can be improved.
  • FIG. 12 is a block diagram showing the functional configuration of an inference device according to the second embodiment.
  • the inference device 100A has the same hardware configuration as the inference device 100.
  • the inference device 100A also has inference means 41 and similarity acquisition means 42.
  • FIG. 13 is a flowchart for explaining the processing performed by the inference device according to the second embodiment.
  • The inference means 41 performs inference processing based on an observation log in which information related to a cyberattack is recorded and the characteristics of an attacker inferred from past attack cases, thereby obtaining an overall picture of the attack by that attacker, in which the modus operandi of the attack is hierarchically abstracted under the assumption that the attacker left information corresponding to the observation log (step S41).
  • the similarity acquisition means 42 acquires a similarity, which is a value indicating how similar the overall image of the attack by the attacker and the characteristics of the attacker are (step S42).
  • FIG. 14 is a block diagram showing the functional configuration of an inference device according to the third embodiment.
  • the inference device 100B has the same hardware configuration as the inference device 100.
  • the inference device 100B also has an inference means 51 and a similarity acquisition means 52.
  • FIG. 15 is a flowchart for explaining the processing performed by the inference device according to the third embodiment.
  • The inference means 51 performs inference processing based on an observation log in which information related to a cyberattack is recorded, thereby obtaining an overall image of the attack, in which the modus operandi of the attack corresponding to the observation log is hierarchically abstracted (step S51).
  • The similarity acquisition means 52 acquires a similarity, which is a value indicating the degree of similarity between the overall image of the attack and the characteristics of attackers inferred from past attack cases (step S52).
  • Supplementary note 2: an inference means for obtaining an overall picture of an attack, in which the modus operandi of the attack corresponding to an observation log is hierarchically abstracted, by performing inference processing based on the observation log in which information related to a cyberattack is recorded; and a similarity acquisition means for acquiring a similarity, which is a value indicating the degree of similarity between the overall image of the attack and the characteristics of an attacker inferred from past attack incidents.
  • The inference device according to Supplementary note 1 or 2, further comprising display screen generation means for generating a display screen that displays a ranking in which the degrees of similarity are arranged in descending order when a plurality of degrees of similarity, one for each of a plurality of attackers, is obtained.
  • a recording medium recording a program for causing a computer to execute a process of obtaining a similarity, which is a value indicating how similar an overview of an attack by the attacker and the characteristics of the attacker are.
  • a recording medium recording a program that causes a computer to execute a process of obtaining a similarity, which is a value indicating how similar the overall image of the attack and the characteristics of the attacker inferred from past attacks are.
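As an added example, not code from the patent, the following Python models the similarity and ranking steps described for steps S13/S14 and S23/S24: attacker feature information as TTP elements paired with evaluation values, the inferred attack overview as the TTP elements obtained for the observation log, and a ranking table in descending order. The similarity measure (cosine similarity over the evaluation-value-weighted TTP elements) is an assumption, since the text above does not fix the formula; the TTP labels and values are constructed, chosen so that this assumed measure yields 0 and 1/√2, the values reported for DSC and DSD.

```python
"""Illustrative example of similarity acquisition and attacker ranking.

Not the patent's implementation. The similarity measure (cosine similarity)
is an ASSUMPTION; all labels, names and evaluation values are constructed.
"""
from math import sqrt

# Attacker feature information: TTP element -> evaluation value, where the
# evaluation value rates how specific that modus operandi is to the attacker.
AttackerFeatures = dict[str, float]

# Attack overview: hierarchically abstracted TTP elements inferred for the
# observation log, each with a weight (1.0 for elements derived from the log).
AttackOverview = dict[str, float]


def cosine_similarity(a: dict[str, float], b: dict[str, float]) -> float:
    """Assumed similarity measure: cosine of the two weighted TTP vectors.

    Elements absent from one side count as weight 0. Returns 0.0 when either
    side is empty rather than dividing by zero.
    """
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm_a = sqrt(sum(v * v for v in a.values()))
    norm_b = sqrt(sum(v * v for v in b.values()))
    if norm_a == 0.0 or norm_b == 0.0:
        return 0.0
    return dot / (norm_a * norm_b)


def common_methods(overview: AttackOverview, feats: AttackerFeatures) -> set[str]:
    """TTP elements shared by the overview and one attacker's features;
    these are the attack methods the display highlights."""
    return set(overview) & set(feats)


def rank_attackers(overview: AttackOverview,
                   attackers: dict[str, AttackerFeatures]) -> list[dict]:
    """Build the ranking table of the attacker estimation information.

    One row per candidate attacker, sorted by similarity in descending order;
    ties are broken by attacker name so the table is deterministic.
    """
    rows = []
    for name, feats in attackers.items():
        rows.append({
            "attacker": name,
            "similarity": cosine_similarity(overview, feats),
            "common": sorted(common_methods(overview, feats)),
        })
    rows.sort(key=lambda r: (-r["similarity"], r["attacker"]))
    for rank, row in enumerate(rows, start=1):
        row["rank"] = rank
    return rows


# --- constructed sample data (hypothetical, not from the patent) ----------
# Overview ATX inferred from the observation log alone: two TTP-style
# elements, both derived from observed events, with weight 1.0.
ATX: AttackOverview = {
    "Remote Service Session Hijacking": 1.0,
    "Scheduled Task/Job": 1.0,
}

# Two candidate attackers. Attacker A shares nothing with ATX (similarity 0);
# attacker B shares one of ATX's two elements (similarity 1/sqrt(2)).
ATTACKERS: dict[str, AttackerFeatures] = {
    "Attacker A": {"Spearphishing Attachment": 0.7, "Pass the Hash": 0.5},
    "Attacker B": {"Scheduled Task/Job": 0.9},
}


if __name__ == "__main__":
    for row in rank_attackers(ATX, ATTACKERS):
        print(f'{row["rank"]}  {row["attacker"]:<11} '
              f'{row["similarity"]:.4f}  common={row["common"]}')
```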

Abstract

In this inference device, an inference means performs inference processing based on an observation log, in which information related to a cyberattack is recorded, and the characteristics of an attacker inferred from past attack cases, and thereby acquires a complete picture of the attack by the attacker, in which the modus operandi of the attack is hierarchically abstracted under the assumption that the attacker left information corresponding to the observation log. A similarity acquisition means acquires a similarity, which is a value indicating the degree of similarity between the complete picture of the attack by the attacker and the characteristics of the attacker.

Description

Inference device, inference method, and storage medium
This disclosure relates to hypothetical reasoning techniques.
Hypothetical reasoning is a method of deriving valid hypotheses from inference knowledge (rules) given by logical formulas and from observed events. For example, in the field of cybersecurity, hypothetical reasoning can be applied when determining whether an event observed in a computer system is due to a cyberattack. For example, Patent Literature 1 discloses a technique for reflecting the temporal context of observations in hypothesis candidates generated by weighted hypothetical reasoning.
On the other hand, Patent Literature 2 discloses a technique for calculating the degree of similarity between multiple suspicious activity graphs, which are structures that represent the activity details of targeted attacks and malware. Patent Literature 2 also discloses a technique for associating an expected attack source with a record of the analysis result of a suspicious activity graph.
Patent Literature 1: International Publication WO2021/090497
Patent Literature 2: JP 2016-206943 A
However, Patent Literature 1 does not specifically disclose performing inference processing using information about the attacker who carries out a cyberattack. Therefore, the technique disclosed in Patent Literature 1 has the problem that the estimation accuracy for estimating the attacker who carries out a cyberattack is low.
Further, the technique disclosed in Patent Literature 2 has the problem that, in a situation where it is difficult to obtain a suspicious activity graph, for example because access to the network in which the suspicious activity detection device is installed is restricted, the estimation accuracy of the expected attack source associated with the record of the analysis result of that suspicious activity graph is low.
One purpose of this disclosure is to improve the accuracy of estimating the attacker who carries out a cyberattack.
In one aspect of the present disclosure, an inference device includes:
an inference means for obtaining an overall picture of an attack by an attacker, in which the modus operandi of the attack is hierarchically abstracted under the assumption that the attacker left information corresponding to an observation log, by performing inference processing based on the observation log, in which information related to a cyberattack is recorded, and the characteristics of the attacker inferred from past attack incidents; and
a similarity acquisition means for acquiring a similarity, which is a value indicating how similar the overall picture of the attack by the attacker and the characteristics of the attacker are.
In another aspect of the present disclosure, an inference device includes:
an inference means for obtaining an overall picture of an attack, in which the modus operandi of the attack corresponding to an observation log is hierarchically abstracted, by performing inference processing based on the observation log, in which information related to a cyberattack is recorded; and
a similarity acquisition means for acquiring a similarity, which is a value indicating how similar the overall picture of the attack and the characteristics of an attacker inferred from past attack incidents are.
In yet another aspect of the present disclosure, an inference method includes:
obtaining an overall picture of an attack by an attacker, in which the modus operandi of the attack is hierarchically abstracted under the assumption that the attacker left information corresponding to an observation log, by performing inference processing based on the observation log, in which information related to a cyberattack is recorded, and the characteristics of the attacker inferred from past attack incidents; and
acquiring a similarity, which is a value indicating how similar the overall picture of the attack by the attacker and the characteristics of the attacker are.
In yet another aspect of the present disclosure, an inference method includes:
obtaining an overall picture of an attack, in which the modus operandi of the attack corresponding to an observation log is hierarchically abstracted, by performing inference processing based on the observation log, in which information related to a cyberattack is recorded; and
acquiring a similarity, which is a value indicating the degree of similarity between the overall picture of the attack and the characteristics of an attacker inferred from past attack cases.
In yet another aspect of the present disclosure, a recording medium records a program that causes a computer to execute a process of:
obtaining an overall picture of an attack by an attacker, in which the modus operandi of the attack is hierarchically abstracted under the assumption that the attacker left information corresponding to an observation log, by performing inference processing based on the observation log, in which information related to a cyberattack is recorded, and the characteristics of the attacker inferred from past attack incidents; and
acquiring a similarity, which is a value indicating how similar the overall picture of the attack by the attacker and the characteristics of the attacker are.
In yet another aspect of the present disclosure, a recording medium records a program that causes a computer to execute a process of:
obtaining an overall picture of an attack, in which the modus operandi of the attack corresponding to an observation log is hierarchically abstracted, by performing inference processing based on the observation log, in which information related to a cyberattack is recorded; and
acquiring a similarity, which is a value indicating the degree of similarity between the overall picture of the attack and the characteristics of an attacker inferred from past attack incidents.
According to the present disclosure, it is possible to improve the estimation accuracy for estimating the attacker who carries out a cyberattack.
FIG. 1 is a block diagram showing the hardware configuration of the inference device according to the first embodiment.
FIG. 2 is a diagram showing the functional configuration of the inference device according to the first embodiment.
FIG. 3 is a diagram showing an example of an observation log used for the inference processing of the inference device according to the first embodiment.
FIG. 4 is a diagram showing an example of attacker feature information used for the inference processing of the inference device according to the first embodiment.
FIG. 5 is a diagram showing an example of attacker feature information used for the inference processing of the inference device according to the first embodiment.
FIG. 6 is a diagram for explaining an example of an inference result obtained by the inference processing of the inference device according to the first embodiment.
FIG. 7 is a diagram for explaining an example of an inference result obtained by the inference processing of the inference device according to the first embodiment.
FIG. 8 is a diagram showing an example of attacker estimation information generated by the inference device according to the first embodiment.
FIG. 9 is a diagram for explaining an example of a display screen displayed according to the processing of the inference device according to the first embodiment.
FIG. 10 is a flowchart for explaining the processing performed by the inference device according to the first embodiment.
FIG. 11 is a flowchart for explaining the processing performed by the inference device according to the modification of the first embodiment.
FIG. 12 is a block diagram showing the functional configuration of the inference device according to the second embodiment.
FIG. 13 is a flowchart for explaining the processing performed by the inference device according to the second embodiment.
FIG. 14 is a block diagram showing the functional configuration of the inference device according to the third embodiment.
FIG. 15 is a flowchart for explaining the processing performed by the inference device according to the third embodiment.
Preferred embodiments of the present disclosure will be described below with reference to the drawings.
<First Embodiment>
[Hardware configuration]
FIG. 1 is a block diagram showing the hardware configuration of the inference device 100. As illustrated, the inference device 100 includes an interface (IF) 11, a processor 12, a memory 13, a recording medium 14, a database (DB) 15, a display unit 16, and an input unit 17.
The IF 11 performs data input and output with external devices. Specifically, the observation information used for inference is input through the IF 11. Attacker estimation information (described later) and the like obtained by the inference device 100 are output to an external device through the IF 11.
The processor 12 is a computer such as a CPU (Central Processing Unit) or a GPU (Graphics Processing Unit), and controls the entire inference device 100 by executing a program prepared in advance. Specifically, the processor 12 executes processing such as the inference processing described later.
The memory 13 is composed of ROM (Read Only Memory), RAM (Random Access Memory), and the like. The memory 13 is also used as working memory while the processor 12 executes various processes.
The recording medium 14 is a non-volatile, non-transitory recording medium such as a disk-shaped recording medium or a semiconductor memory, and is configured to be detachable from the inference device 100. The recording medium 14 records the various programs executed by the processor 12. When the inference device 100 executes various processes, the programs recorded in the recording medium 14 are loaded into the memory 13 and executed by the processor 12.
The database 15 stores observation information and the like input through the IF 11. The database 15 also stores inference results and the like obtained by the processing of the attacker estimation unit 22, described later. The database 15 also stores the attacker feature information described later.
The display unit 16 is composed of a display device such as a liquid crystal monitor. The display unit 16 displays information such as inference results as necessary.
The input unit 17 is composed of input devices such as a keyboard, a mouse, and a touch panel.
[Functional configuration]
FIG. 2 is a diagram showing the functional configuration of the inference device according to the first embodiment.
The inference device 100 has an input receiving unit 21, an attacker estimation unit 22, and an information output unit 23.
The input receiving unit 21 receives input of an observation log in which events and the like actually observed in response to an attack on a network domain NDX are recorded.
Specifically, the observation log contains, for example, the content of events that actually occurred on one of the computers belonging to the network domain NDX and the occurrence time (timestamp) of each event, arranged in chronological order. That is, the observation log records information related to a cyberattack.
The attacker estimation unit 22 has an inference unit 31, a similarity acquisition unit 32, and an attacker database 33. Based on the observation log received by the input receiving unit 21 (hereinafter referred to as observation log LX), the attacker estimation unit 22 performs processing to obtain attacker estimation information, which is information about the attacker estimated to have attacked the network domain NDX. The attacker estimation unit 22 also outputs the attacker estimation information obtained by this processing to the information output unit 23.
The inference unit 31 has an inference engine 31a and an inference rule storage unit 31b. The inference unit 31 performs inference processing based on the observation log LX and the attacker feature information AFJ (described later) stored in the attacker database 33. The inference unit 31 also outputs the inference result obtained by the inference processing to the similarity acquisition unit 32.
The inference engine 31a performs inference processing using the inference rules stored in the inference rule storage unit 31b, and thereby estimates the overall picture of the attack on the network domain NDX under the assumption that the attacker indicated by the attacker feature information AFJ left information corresponding to the observation log LX when attacking the network domain NDX. The inference engine 31a performs this inference processing for each of the plurality of attackers indicated by the attacker feature information AFJ. That is, the inference result obtained by the inference processing of this embodiment contains the overall pictures of a plurality of attacks on the network domain NDX, one for each attacker indicated by the attacker feature information AFJ, under the assumption that that attacker independently attacked the network domain NDX and left information corresponding to the observation log LX.
The inference rule storage unit 31b stores the inference rules used for the inference processing of the inference engine 31a.
Note that the inference engine 31a of this embodiment is assumed to use a technique, such as that disclosed in International Publication WO2021/090497, for reflecting the temporal context of observations in hypothesis candidates generated by weighted hypothetical reasoning.
The inference rule storage unit 31b of this embodiment is assumed to store inference rules that incorporate the viewpoint of TTP (Tactics, Techniques and Procedures) into the rules (inference knowledge) disclosed in International Publication WO2021/090497.
TTP is a framework that hierarchically abstracts (models) the methods of cyberattacks carried out by attackers. Specifically, for example, in the TTP framework published by MITRE (https://attack.mitre.org/), the methods of cyberattacks carried out by attackers are represented at three levels of abstraction: "Tactics", "Techniques", and "Procedures". In the following, the case where the TTP framework published by MITRE is incorporated into the inference rules is described as an example, and that framework is simply abbreviated as TTP.
Based on the inference result obtained by the inference unit 31 and the attacker feature information AFJ, the similarity acquisition unit 32 acquires a similarity, which is a value indicating how similar the overall picture of the attack under the assumption that one of the attackers indicated by the attacker feature information AFJ attacked the network domain NDX and the characteristics of that attacker indicated by the attacker feature information AFJ are. The similarity acquisition unit 32 also acquires a plurality of similarities, one for each of the attackers indicated by the attacker feature information AFJ, generates attacker estimation information in which the acquired similarities are arranged in descending order, and outputs the generated attacker estimation information to the information output unit 23.
The attacker database 33 stores attacker feature information AFJ representing the characteristics of each of a plurality of attackers.
The attacker feature information AFJZ, which represents the characteristics of an attacker Z, contains information that associates abstracted information, which abstracts on the basis of TTP the attack methods inferred from the contents of public reports on past attack incidents believed to have been carried out by the attacker Z, with an evaluation value, which is a value evaluating the specificity of the attack method represented by that abstracted information. That is, the attacker feature information AFJ contains, as information representing the characteristics of each of the plurality of attackers, the same kind of information as the attacker feature information AFJZ.
In this embodiment, a public report such as https://content.secureworks.com/~/media/Files/JP/Reports/Secureworks-Bronze-Butler-Report.ashx?modified=20180419151034 can be used as the public report from which the TTP-based abstracted information is created.
The information output unit 23 generates a display screen for displaying the attacker estimation information and the like output from the attacker estimation unit 22, and outputs the generated display screen to the display device. That is, the information output unit 23 functions as display screen generation means. The information output unit 23 also outputs data including the attacker estimation information output from the attacker estimation unit 22 to an external device.
[Specific example of processing performed in the inference device]
Here, a specific example of the processing performed in the inference device 100 of this embodiment is described. FIG. 3 is a diagram showing an example of an observation log used for the inference processing of the inference device according to the first embodiment.
(Input of observation information)
The input receiving unit 21 receives input of an observation log L1 as shown in FIG. 3, as the observation log actually observed in response to an attack on the network domain ND1.
The observation log L1 of FIG. 3 records that a session hijack from PC_123 to PC_456 occurred at time T11, that the scheduling of a task requiring administrator privileges occurred at time T21, later than time T11, and that the creation of a large-scale compressed file occurred at time T31, later than time T21.
(Inference processing)
The inference unit 31 performs inference processing based on the observation log L1 and the attacker feature information AFJ stored in the attacker database 33.
FIG. 4 and FIG. 5 are diagrams showing examples of attacker feature information used in the inference processing of the inference device according to the first embodiment.
The attacker feature information AFJ includes, for example, attacker feature information AFJA as shown in FIG. 4 and attacker feature information AFJB as shown in FIG. 5.
The attacker feature information AFJA contains abstracted information and evaluation values representing the features of attacker A. Likewise, the attacker feature information AFJB contains abstracted information and evaluation values representing the features of attacker B.
"Lateral Movement" in the abstracted information of the attacker feature information AFJA is an abstract representation of the attack technique inferred from the statement "performs lateral compromise" contained in a public report on a past attack incident believed to have been carried out by attacker A. "Lateral Movement" corresponds to a "Tactic", the highest level of abstraction in TTP.
"Impact" in the abstracted information of the attacker feature information AFJA is an abstract representation of the attack technique inferred from the statement "attacks the control of core systems" contained in a public report on a past attack incident believed to have been carried out by attacker A. "Impact" likewise corresponds to a "Tactic", the highest level of abstraction in TTP.
"File Deletion" in the abstracted information of the attacker feature information AFJA is an abstract representation of the attack technique inferred from the statement "deletes its traces after achieving its objective" contained in a public report on a past attack incident believed to have been carried out by attacker A. "File Deletion" corresponds to a "Technique", the second highest level of abstraction in TTP.
"Lateral Movement" in the abstracted information of the attacker feature information AFJB is an abstract representation of the attack technique inferred from the statement "spreads the infection to other terminals" contained in a public report on a past attack incident believed to have been carried out by attacker B.
"Privilege Escalation" in the abstracted information of the attacker feature information AFJB is an abstract representation of the attack technique inferred from the statement "steals administrator privileges on the authentication server" contained in a public report on a past attack incident believed to have been carried out by attacker B. "Privilege Escalation" corresponds to a "Tactic", the highest level of abstraction in TTP.
"Data from Network Shared Drive ⇒ Data Compressed" in the abstracted information of the attacker feature information AFJB is an abstract representation of the attack technique inferred from the statement "collects information and generates compressed files" contained in a public report on a past attack incident believed to have been carried out by attacker B. Both "Data from Network Shared Drive" and "Data Compressed" correspond to "Techniques", the second highest level of abstraction in TTP.
In the present embodiment, it suffices that the abstracted information corresponding to the content of one public report contains one or more items corresponding to any of "Tactics", "Techniques" and "Procedures".
The evaluation values contained in the attacker feature information AFJA and AFJB are values calculated using formula (1) below. In formula (1), EV denotes the evaluation value, AGN denotes the total number of attackers contained in the attacker feature information AFJ, ATN denotes the number of attackers in the attacker feature information AFJ that have the same abstracted information, and ln denotes the natural logarithm.
Figure JPOXMLDOC01-appb-M000001
Specifically, for example, "Lateral Movement" is contained in both the attacker feature information AFJA and AFJB, so its evaluation value is EV = 0. "Impact", on the other hand, is contained in the attacker feature information AFJA but not in AFJB, so its evaluation value is EV = ln(2).
FIG. 6 and FIG. 7 are diagrams for explaining examples of inference results obtained by the inference processing of the inference device according to the first embodiment.
By performing inference processing based on the observation log L1 and the attacker feature information AFJA, the inference unit 31 obtains, for example, an inference result HRA as shown in FIG. 6 as the inference result under the assumption that the attack on the network domain ND1 was carried out by attacker A. Similarly, by performing inference processing based on the observation log L1 and the attacker feature information AFJB, the inference unit 31 obtains, for example, an inference result HRB as shown in FIG. 7 as the inference result under the assumption that the attack on the network domain ND1 was carried out by attacker B. The inference unit 31 outputs the inference results HRA and HRB obtained by the inference processing to the similarity acquisition unit 32.
The inference result HRA corresponds to the overall picture of the attack by attacker A, in which the techniques of the attack on the network domain ND1 are hierarchically abstracted under the assumption that attacker A left the information corresponding to the observation log L1 when attacking the network domain ND1.
The inference result HRB corresponds to the overall picture of the attack by attacker B, in which the techniques of the attack on the network domain ND1 are hierarchically abstracted under the assumption that attacker A left the information corresponding to the observation log L1 when attacking the network domain ND1.
The abstracted information ("Tactics" and "Techniques") contained in each of the inference results HRA and HRB is selected as appropriate by the inference engine 31a. The occurrence times in each of the inference results HRA and HRB are set to the times corresponding to the occurrence times in the observation log L1. The log entries in each of the inference results HRA and HRB correspond to "Procedures", the third highest (lowest) level of abstraction in TTP. The abstracted information and log entry shown in the column for time T22 of the inference result HRB in FIG. 7 correspond to an attack technique added by the inference engine 31a as a hypothesis based on the observation log L1 and the attacker feature information AFJB. Time T22 is a time later than T21 and earlier than T31.
In the present embodiment, the inference engine 31a selects as appropriate what abstracted information and log entries to add as hypotheses. Likewise, the inference engine 31a selects as appropriate where to add the hypothesized abstracted information and log entries.
(Acquisition of similarity)
Based on the inference result HRA obtained by the inference unit 31 and the attacker feature information AFJA, the similarity acquisition unit 32 acquires a similarity DSA, which is a value indicating how similar the overall picture of the attack by attacker A is to the features of attacker A indicated by the attacker feature information AFJA. Likewise, based on the inference result HRB obtained by the inference unit 31 and the attacker feature information AFJB, the similarity acquisition unit 32 acquires a similarity DSB, which is a value indicating how similar the overall picture of the attack by attacker B is to the features of attacker B indicated by the attacker feature information AFJB.
The similarities DSA and DSB can be obtained, for example, by calculating a cosine similarity based on the idea of TF-IDF (Term Frequency-Inverse Document Frequency).
A specific method of acquiring the similarity DSB will now be described.
The similarity acquisition unit 32 compares the abstracted information contained in the attacker feature information AFJB with the abstracted information contained in the inference result HRB, thereby determining whether or not each attack technique contained in the attacker feature information AFJB appears among the attack techniques of the inference result HRB. Through this processing of the similarity acquisition unit 32, it is determined that "Lateral Movement", "Privilege Escalation" and "Data from Network Shared Drive ⇒ Data Compressed" all appear in the inference result HRB.
The similarity acquisition unit 32 calculates the element-wise product of the evaluation values (0, ln(2), ln(2)) contained in the attacker feature information AFJB and the vector (1, 1, 1) that encodes the appearance determined above, with 1 for a technique that appears and 0 for one that does not, thereby obtaining the calculation result (0, ln(2), ln(2)).
The similarity acquisition unit 32 acquires the similarity DSB by calculating the cosine similarity between the evaluation values (0, ln(2), ln(2)) and the calculation result (0, ln(2), ln(2)), each treated as a vector.
The cosine similarity can be calculated by formula (2) below. Thus, for example, applying the evaluation values (0, ln(2), ln(2)) as vector X and the calculation result (0, ln(2), ln(2)) as vector Y in the formula below yields 1 as the value of the similarity DSB, which corresponds to cos(X, Y).
Figure JPOXMLDOC01-appb-M000002
The method of acquiring the similarity DSB described above also applies, in substantially the same way, to the acquisition of the similarity DSA.
In the present embodiment, when cos(X, Y) has no solution because the value of the denominator of formula (2) becomes 0, the similarity is set to 0. Accordingly, the similarity acquisition unit 32 of the present embodiment acquires 0 as the value of the similarity DSA.
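The following Python is an added example, not code from the patent or from the applicant, that carries the similarity calculation described above through in full: the evaluation values, the occurrence vector, the element-wise product, and the cosine similarity with the zero-denominator case. It assumes that formula (1) is the inverse-document-frequency form EV = ln(AGN / ATN), which is the form that reproduces the values the page states (EV = 0 for "Lateral Movement", EV = ln(2) for "Impact"), and that formula (2) is the standard cosine similarity. The attacker database AFJ is constructed from the items the page lists for FIG. 4 and FIG. 5; the inference results HRA and HRB are constructed item lists standing in for FIG. 6 and FIG. 7, and the contents of HRA beyond what the text implies (none of attacker A's distinctive items appear, which is what makes DSA = 0) are an assumption. The same function, applied to a result without hypotheses such as HRA, also reproduces the 1/√2 value that the modification described later obtains for attacker B.

```python
import math
from typing import Dict, List, Sequence

# Constructed stand-in for the attacker database: the abstracted TTP items the
# page lists for attackers A (FIG. 4) and B (FIG. 5). The combined item
# "Data from Network Shared Drive => Data Compressed" is kept as one entry,
# as on the page (ASCII "=>" used in place of the page's arrow).
AFJ: Dict[str, List[str]] = {
    "A": ["Lateral Movement", "Impact", "File Deletion"],
    "B": ["Lateral Movement", "Privilege Escalation",
          "Data from Network Shared Drive => Data Compressed"],
}

# Constructed inference results (abstracted items only, occurrence times
# omitted). HRB contains all three of B's items, as the page states. HRA is
# assumed to contain none of A's distinctive items, which yields DSA = 0.
HRA: List[str] = ["Lateral Movement", "Privilege Escalation", "Data Compressed"]
HRB: List[str] = ["Lateral Movement", "Privilege Escalation",
                  "Data from Network Shared Drive => Data Compressed"]


def evaluation_value(item: str, afj: Dict[str, List[str]]) -> float:
    """Formula (1), assumed here to be EV = ln(AGN / ATN): AGN is the number of
    attackers in the database, ATN the number whose feature information
    contains this item. An item shared by every attacker scores 0."""
    agn = len(afj)
    atn = sum(1 for items in afj.values() if item in items)
    return math.log(agn / atn)


def evaluation_vector(attacker: str, afj: Dict[str, List[str]]) -> List[float]:
    """EV for each abstracted item of one attacker, in database order."""
    return [evaluation_value(item, afj) for item in afj[attacker]]


def occurrence_vector(attacker: str, afj: Dict[str, List[str]],
                      result: Sequence[str]) -> List[int]:
    """1 where the attacker's item appears in the inference result, else 0."""
    present = set(result)
    return [1 if item in present else 0 for item in afj[attacker]]


def cosine_similarity(x: Sequence[float], y: Sequence[float]) -> float:
    """Formula (2). A zero denominator has no solution; the page sets the
    similarity to 0 in that case, and so does this function."""
    dot = sum(a * b for a, b in zip(x, y))
    denom = math.sqrt(sum(a * a for a in x)) * math.sqrt(sum(b * b for b in y))
    if denom == 0.0:
        return 0.0
    return dot / denom


def similarity(attacker: str, afj: Dict[str, List[str]],
               result: Sequence[str]) -> float:
    """Similarity between an attacker's features and an inference result:
    cosine of the EV vector against its element-wise product with the
    occurrence vector, exactly as the page derives DSB."""
    ev = evaluation_vector(attacker, afj)
    occ = occurrence_vector(attacker, afj, result)
    product = [e * o for e, o in zip(ev, occ)]
    return cosine_similarity(ev, product)


if __name__ == "__main__":
    print("DSA =", similarity("A", AFJ, HRA))  # 0.0 (zero denominator)
    print("DSB =", similarity("B", AFJ, HRB))  # 1.0
    # B's features against a result with no hypotheses (the modification's HRX
    # is "similar to HRA"): 1/sqrt(2), because only "Privilege Escalation"
    # of B's two distinctive items appears.
    print("DSD =", similarity("B", AFJ, HRA))  # 0.7071...
```

The zero-denominator branch is the practically important one: an attacker whose only matching item is one shared by every attacker in the database (EV = 0) produces an all-zero product vector, and without the explicit check the division would raise rather than yield the 0 the page specifies.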
(Display of attacker estimation information, etc.)
The similarity acquisition unit 32 generates attacker estimation information ASJ in which the similarity DSA corresponding to attacker A and the similarity DSB corresponding to attacker B are arranged in descending order, and outputs the generated attacker estimation information ASJ to the information output unit 23. FIG. 8 is a diagram showing an example of the attacker estimation information generated by the inference device according to the first embodiment.
The attacker estimation information ASJ is generated, for example, as the information shown in FIG. 8. Specifically, the attacker estimation information ASJ is generated as a ranking table in which each attacker (the name corresponding to each attacker) contained in the attacker feature information AFJ is listed in descending order of the likelihood of having attacked the network domain ND1.
The information output unit 23 generates a display screen for displaying the ranking table contained in the attacker estimation information ASJ output from the attacker estimation unit 22, and outputs the generated display screen to the display device. That is, when a plurality of similarities corresponding to a plurality of attackers have been acquired, the information output unit 23 generates a display screen for displaying a ranking in which the similarities are arranged in descending order.
According to the present embodiment, when a plurality of past attack incidents are stored in the attacker database 33, for example, the similarity acquisition unit 32 may, when generating the attacker estimation information ASJ, retrieve from those past attack incidents the incidents that resemble the features of attacker A or B and add the retrieved incidents to the ranking table described above. That is, according to the present embodiment, the similarity acquisition unit 32 may retrieve other past attack incidents that resemble the features of attacker A or attacker B.
According to the present embodiment, the similarity acquisition unit 32 may calculate, based on the similarities DSA and DSB, a probability value PSA representing the degree of likelihood (confidence) that attacker A actually attacked the network domain ND1, and a probability value PSB representing the degree of likelihood (confidence) that attacker B actually attacked the network domain ND1. Specifically, the similarity acquisition unit 32 may calculate each probability value by applying, for example, a softmax function to the similarities DSA and DSB so that the probability values PSA and PSB sum to 100%. According to the present embodiment, the similarity acquisition unit 32 may also add the probability values PSA and PSB to the ranking table described above when generating the attacker estimation information ASJ.
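The ranking table and the softmax-derived probability values described above, as an added example in Python that is not the patent's own code. It takes a mapping of attacker name to similarity (the similarities themselves are constructed inline from the values the page derives, DSA = 0 and DSB = 1), applies a softmax so the probabilities sum to 100%, and sorts the rows in descending order of similarity. Fed those two values, the softmax happens to yield 73% and 27%, the same figures as the display screen of FIG. 9; the function names are this example's own.

```python
import math
from typing import Dict, List, Tuple


def softmax(values: List[float]) -> List[float]:
    """Softmax with the usual max-shift for numerical stability; the outputs
    sum to 1, i.e. to 100% when shown as percentages."""
    shift = max(values)
    exps = [math.exp(v - shift) for v in values]
    total = sum(exps)
    return [e / total for e in exps]


def attacker_estimation(similarities: Dict[str, float]) -> List[Tuple[str, float, float]]:
    """Build the attacker estimation information: one row
    (attacker, similarity, probability) per attacker, sorted by similarity in
    descending order. Probabilities come from a softmax over all similarities,
    so they always sum to 100% regardless of how many attackers are ranked."""
    names = list(similarities)
    sims = [similarities[n] for n in names]
    probs = softmax(sims)
    rows = list(zip(names, sims, probs))
    rows.sort(key=lambda row: row[1], reverse=True)  # stable: ties keep order
    return rows


def render_ranking(rows: List[Tuple[str, float, float]]) -> str:
    """Plain-text ranking table with percentages rounded to whole numbers,
    standing in for the display screen the information output unit renders."""
    lines = ["rank  attacker  similarity  probability"]
    for rank, (name, sim, prob) in enumerate(rows, start=1):
        lines.append(f"{rank:<5} {name:<9} {sim:<10.3f} {round(prob * 100)}%")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed input: the similarities the page derives for attackers A and B.
    print(render_ranking(attacker_estimation({"A": 0.0, "B": 1.0})))
```

One design point worth noting: because the softmax normalises over every attacker in the database, adding a third attacker with similarity 0 would lower the displayed confidence for attacker B even though nothing about B's match changed, so the percentages are relative rankings, not absolute confidence.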
According to the present embodiment, the attacker feature information AFJ may also contain IoCs (Indicators of Compromise), such as the hash value of a specific piece of malware or an IP address used in a cyberattack. An IoC may also be described as trace information indicating the traces of an attack carried out by an attacker.
According to the present embodiment, the inference unit 31 may perform the inference processing using the attacker feature information AFJ and the IoCs. The similarity acquisition unit 32 may also add the IoCs to the ranking table described above when generating the attacker estimation information ASJ.
According to the present embodiment, the information output unit 23 may generate a display screen JDG as shown in FIG. 9 based, for example, on the inference results HRA and HRB, the attacker feature information AFJA and AFJB, and the probability values PSA and PSB. In other words, the information output unit 23 may generate a display screen for displaying the overall picture of the attack by an attacker. FIG. 9 is a diagram for explaining an example of a display screen displayed according to the processing of the inference device according to the first embodiment.
The display area on the left side of the display screen JDG of FIG. 9 shows a selection field SLR in which either attacker A or attacker B can be selected, a selection frame SLW indicating that attacker B is selected, the probability value PSB (73%), and the probability value PSA (27%). In the selection field SLR, attacker B, corresponding to the probability value PSB, is displayed at the top, and attacker A, corresponding to the probability value PSA, is displayed below attacker B. The display area on the right side of the display screen JDG of FIG. 9 shows the overall picture ATB of the attack by attacker B, the attacker selected in the selection field SLR.
In the overall picture ATB, the elements belonging to "Tactic" in FIG. 7 are connected by arrows oriented according to the order of the occurrence times in that figure. Also in the overall picture ATB, the "log", "Technique" and "Tactic" for a single occurrence time in FIG. 7 are connected by arrows oriented in that order. In the overall picture ATB, the element of the inference result HRB that was added as a hypothesis (the element corresponding to the column for time T22 in FIG. 7) is displayed in a manner different from the other elements. Furthermore, in the overall picture ATB, the attack techniques common to both the attacker feature information AFJB and the inference result HRB are highlighted.
The overall picture ATB may be displayed in color, provided that the element added to the inference result HRB as a hypothesis and the attack techniques common to both the attacker feature information AFJB and the inference result HRB remain distinguishable. The overall picture ATB may also contain information indicating IoCs.
(Processing flow)
FIG. 10 is a flowchart for explaining the processing performed in the inference device according to the first embodiment.
First, the input reception unit 21 receives input of the observation log L1, in which the events and the like actually observed in response to an attack on the network domain ND1 are recorded (step S11).
Next, the inference unit 31 obtains the inference results HRA and HRB by performing inference processing based on the observation log L1 input in step S11 and the attacker feature information AFJA and AFJB stored in the attacker database 33 (step S12).
Next, the similarity acquisition unit 32 acquires the similarity DSA based on the inference result HRA obtained in step S12 and the attacker feature information AFJA (step S13). The similarity acquisition unit 32 also acquires the similarity DSB based on the inference result HRB obtained in step S12 and the attacker feature information AFJB (step S13).
The similarity acquisition unit 32 generates attacker estimation information ASJ in which the similarities DSA and DSB obtained in step S13 are arranged in descending order, and outputs the generated attacker estimation information ASJ to the information output unit 23 (step S14). In response to this processing of the similarity acquisition unit 32, the ranking table contained in the attacker estimation information ASJ is displayed on the display device.
As described above, according to the present embodiment, inference processing is performed based on an observation log in which information relating to a cyberattack is recorded and on the features of an attacker inferred from past attack incidents, and it is possible to estimate how similar the overall picture of the attack obtained by that inference processing is to the features of that attacker. Also as described above, according to the present embodiment, even when a series of attack processes includes an attack technique that leaves no clear trace, such as the creation of a large compressed file, information useful for estimating the attacker who actually carried out that series of attack processes can be obtained. Therefore, according to the present embodiment, the accuracy of estimating the attacker carrying out a cyberattack can be improved.
(Modification)
A modification of the above embodiment will be described below. In the following, for simplicity, detailed description of the parts to which the processing already described can be applied is omitted as appropriate. FIG. 11 is a flowchart for explaining the processing performed in the inference device according to the modification of the first embodiment.
The inference unit 31 of the present embodiment may perform inference processing for estimating an overall picture ATX of the attack on the network domain ND1 based on the observation log L1 received by the input reception unit 21. The similarity acquisition unit 32 of the present embodiment may acquire the similarities DSA and DSB using the overall picture ATX and the attacker feature information AFJA and AFJB. A specific example of such processing is described below.
First, the input reception unit 21 receives input of the observation log L1, in which the events and the like actually observed in response to an attack on the network domain ND1 are recorded (step S21).
Next, the inference unit 31 performs inference processing based on the observation log L1 input in step S21, thereby obtaining an inference result HRX corresponding to an overall picture ATX of the attack, in which the attack techniques corresponding to the observation log L1 are hierarchically abstracted (step S22).
Here, the inference result HRX is obtained so as to contain as few hypotheses as possible and to stay as close to the observation log L1 as possible. Therefore, in step S22, an inference result HRX similar to the inference result HRA of FIG. 6 is obtained.
Next, based on the inference result HRX obtained in step S22 and the attacker feature information AFJA, the similarity acquisition unit 32 acquires a similarity DSC, which is a value indicating how similar the overall picture ATX is to the features of attacker A indicated by the attacker feature information AFJA (step S23). Likewise, based on the inference result HRX obtained in step S22 and the attacker feature information AFJB, the similarity acquisition unit 32 acquires a similarity DSD, which is a value indicating how similar the overall picture ATX is to the features of attacker B indicated by the attacker feature information AFJB (step S23).
In step S23, the similarities can be acquired using the same method as described above. Accordingly, in step S23, 0 is acquired as the value of the similarity DSC and 1/√2 is acquired as the value of the similarity DSD.
The similarity acquisition unit 32 generates attacker estimation information ASK in which the similarities DSC and DSD obtained in step S23 are arranged in descending order, and outputs the generated attacker estimation information ASK to the information output unit 23 (step S24). In response to this processing of the similarity acquisition unit 32, the ranking table contained in the attacker estimation information ASK is displayed on the display device. The attacker estimation information ASK is generated in the same form as the attacker estimation information ASJ illustrated in FIG. 8.
As described above, according to this modification, inference processing is performed based on an observation log in which information relating to a cyberattack is recorded, and it is possible to estimate how similar the overall picture of the attack obtained by that inference processing is to the features of an attacker inferred from past attack incidents. Also as described above, according to this modification, even when a series of attack processes includes an attack technique that leaves no clear trace, such as the creation of a large compressed file, information useful for estimating the attacker who actually carried out that series of attack processes can be obtained. Therefore, according to this modification, the accuracy of estimating the attacker carrying out a cyberattack can be improved.
<Second embodiment>
FIG. 12 is a block diagram showing the functional configuration of an inference device according to the second embodiment.
The inference device 100A according to the present embodiment has the same hardware configuration as the inference device 100. The inference device 100A also has inference means 41 and similarity acquisition means 42.
FIG. 13 is a flowchart for explaining the processing performed in the inference device according to the second embodiment.
The inference means 41 performs inference processing based on an observation log in which information relating to a cyberattack is recorded and on the features of an attacker inferred from past attack incidents, thereby acquiring an overall picture of the attack by the attacker, in which the attack techniques are hierarchically abstracted under the assumption that the attacker left the information corresponding to the observation log (step S41).
The similarity acquisition means 42 acquires a similarity, which is a value indicating how similar the overall picture of the attack by the attacker is to the features of the attacker (step S42).
According to the present embodiment, the accuracy of estimating the attacker carrying out a cyberattack can be improved.
<Third embodiment>
FIG. 14 is a block diagram showing the functional configuration of an inference device according to the third embodiment.
The inference device 100B according to this embodiment has the same hardware configuration as the inference device 100. The inference device 100B also includes inference means 51 and similarity acquisition means 52.
FIG. 15 is a flowchart for explaining the processing performed by the inference device according to the third embodiment.
The inference means 51 performs inference processing on the basis of an observation log in which information on a cyberattack is recorded, and thereby obtains an overall picture of the attack, in which the attack techniques corresponding to the observation log are hierarchically abstracted (step S51).
The similarity acquisition means 52 obtains a similarity, which is a value indicating how similar the overall picture of the attack and the characteristics of an attacker inferred from past attack incidents are (step S52).
According to this embodiment, the accuracy of estimating the attacker who carries out a cyberattack can be improved.
Some or all of the above embodiments can also be described as in the following supplementary notes, but are not limited to them.
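The modification described above (the similarities DSC and DSD arranged in descending order), the second embodiment (inference that uses the attacker's characteristics, so that a step the attacker is known for can be hypothesised where the log shows no clear trace, such as the archiving step) and the third embodiment (inference from the log alone) share one pipeline shape. The following Python block is an added example of that shape; it is not code from the patent or from the applicant. The log lines, the technique-to-tactic taxonomy, the event rules and the attacker profiles are all constructed, and the weighted Jaccard similarity, the 0.5 weight given to a hypothesised step, the rule that hypotheses only fill tactic gaps between the first and last observed tactic, and the proportional normalisation of similarities into a probability (supplementary note 4) are assumptions of this example, since the disclosure fixes none of them.

```python
"""Added example, not code from the patent: a toy hypothetical-reasoning
pipeline in the shape of the second and third embodiments. Log lines,
taxonomy, rules and attacker profiles below are all constructed."""

# Constructed taxonomy: tactics in kill-chain order, technique -> tactic.
TACTIC_ORDER = ["initial_access", "execution", "credential_access",
                "lateral_movement", "collection", "exfiltration", "impact"]
TECHNIQUE_TACTIC = {
    "spearphishing_attachment": "initial_access",
    "macro_execution": "execution",
    "credential_dumping": "credential_access",
    "remote_service_logon": "lateral_movement",
    "archive_collected_data": "collection",
    "exfil_over_web": "exfiltration",
    "ransomware_deploy": "impact",
}

# Constructed inference rules: (parent, child process or action) -> technique.
EVENT_RULES = [
    ("outlook.exe", "winword.exe", "spearphishing_attachment"),
    ("winword.exe", "powershell.exe", "macro_execution"),
    ("powershell.exe", "lsass_read", "credential_dumping"),
    ("powershell.exe", "psexec.exe", "remote_service_logon"),
    ("*", "7z.exe", "archive_collected_data"),  # "*" matches any parent
    ("*", "https_post", "exfil_over_web"),
]

# Constructed attacker database: technique -> how regularly past incidents
# attributed to the attacker showed that trace (supplementary note 5).
ATTACKERS = {
    "group_a": {"spearphishing_attachment": 1.0, "macro_execution": 1.0,
                "credential_dumping": 0.8, "archive_collected_data": 0.9,
                "exfil_over_web": 0.9},
    "group_b": {"credential_dumping": 1.0, "remote_service_logon": 1.0,
                "archive_collected_data": 0.6, "exfil_over_web": 0.4},
    "group_c": {"spearphishing_attachment": 0.5, "ransomware_deploy": 1.0},
}

# Constructed observation log (timestamp,host,parent,child). The archiving
# step (7z.exe) is deliberately absent: it left no clear trace.
OBSERVATION_LOG = [
    "2024-05-01T09:00:01,ws01,outlook.exe,winword.exe",
    "2024-05-01T09:00:07,ws01,winword.exe,powershell.exe",
    "2024-05-01T09:01:00,ws01,explorer.exe,chrome.exe",
    "2024-05-01T09:02:40,ws01,powershell.exe,lsass_read",
    "2024-05-01T09:10:12,ws01,powershell.exe,psexec.exe",
    "2024-05-01T11:30:00,srv02,svchost.exe,https_post",
]

HYPOTHESIS_DISCOUNT = 0.5  # assumed weight of a step inferred but not seen


def abstract_log(lines):
    """Third embodiment: map events to techniques (tactic via the taxonomy);
    events matching no rule are dropped as noise. Observed steps weigh 1.0."""
    picture = {}
    for line in lines:
        _ts, _host, parent, child = line.split(",")
        for rule_parent, rule_child, technique in EVENT_RULES:
            if rule_child == child and rule_parent in ("*", parent):
                picture[technique] = 1.0
                break
    return picture


def complete_picture(observed, profile):
    """Second embodiment: assume the attacker with `profile` produced the log
    and fill tactic gaps between the first and last observed tactic with that
    attacker's known techniques at a discount. Observed tactics are kept."""
    if not observed:
        return {}
    seen = {TECHNIQUE_TACTIC[t] for t in observed}
    positions = [TACTIC_ORDER.index(t) for t in seen]
    lo, hi = min(positions), max(positions)
    picture = dict(observed)
    for technique in profile:
        tactic = TECHNIQUE_TACTIC[technique]
        if tactic not in seen and lo <= TACTIC_ORDER.index(tactic) <= hi:
            picture[technique] = HYPOTHESIS_DISCOUNT
    return picture


def weighted_jaccard(picture, profile):
    """Assumed similarity metric in [0, 1]; the disclosure does not fix one."""
    keys = set(picture) | set(profile)
    num = sum(min(picture.get(k, 0.0), profile.get(k, 0.0)) for k in keys)
    den = sum(max(picture.get(k, 0.0), profile.get(k, 0.0)) for k in keys)
    return num / den if den else 0.0


def rank_attackers(lines, attackers=ATTACKERS, use_profile=True):
    """[(attacker, similarity, probability)] in descending similarity (the
    ranking of note 6). use_profile selects the second (True) or third (False)
    embodiment. Probability = similarity normalised over attackers (assumed)."""
    observed = abstract_log(lines)
    scores = {}
    for name, profile in attackers.items():
        picture = complete_picture(observed, profile) if use_profile else observed
        scores[name] = weighted_jaccard(picture, profile)
    total = sum(scores.values())
    ranking = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    return [(n, s, s / total if total else 0.0) for n, s in ranking]
```

Calling `rank_attackers(OBSERVATION_LOG)` ranks group_a first in both modes, but only the second embodiment credits the missing archiving step: group_a's similarity rises from 3.7/5.9 to 4.2/5.9 because the hypothesised `archive_collected_data` step sits in a tactic gap that group_a's profile explains. The discount and the gap restriction matter: filling a picture from a profile and then scoring it against that same profile is self-confirming, so an undiscounted or unrestricted completion would favour every attacker that has a long profile rather than the one that explains the log.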
(Supplementary note 1)
An inference device comprising:
inference means for performing inference processing on the basis of an observation log in which information on a cyberattack is recorded and the characteristics of an attacker inferred from past attack incidents, and thereby obtaining an overall picture of the attack by the attacker, in which the attack techniques are hierarchically abstracted, under the assumption that the attacker left the information corresponding to the observation log; and
similarity acquisition means for obtaining a similarity, which is a value indicating how similar the overall picture of the attack by the attacker and the characteristics of the attacker are.
(Supplementary note 2)
An inference device comprising:
inference means for performing inference processing on the basis of an observation log in which information on a cyberattack is recorded, and thereby obtaining an overall picture of the attack, in which the attack techniques corresponding to the observation log are hierarchically abstracted; and
similarity acquisition means for obtaining a similarity, which is a value indicating how similar the overall picture of the attack and the characteristics of an attacker inferred from past attack incidents are.
(Supplementary note 3)
The inference device according to supplementary note 1 or 2, wherein the similarity acquisition means further obtains other past attack incidents that are similar to the characteristics of the attacker.
(Supplementary note 4)
The inference device according to supplementary note 1 or 2, wherein the similarity acquisition means calculates, on the basis of the similarity, a probability value representing the degree of possibility that the attacker actually carried out the attack.
(Supplementary note 5)
The inference device according to supplementary note 1 or 2, wherein the characteristics of the attacker include trace information indicating traces of attacks carried out by the attacker.
(Supplementary note 6)
The inference device according to supplementary note 1 or 2, further comprising display screen generation means for generating, when a plurality of similarities corresponding respectively to a plurality of the attackers have been obtained, a display screen for displaying a ranking in which the similarities are arranged in descending order.
(Supplementary note 7)
The inference device according to supplementary note 1, further comprising display screen generation means for generating a display screen for displaying the overall picture of the attack by the attacker.
(Supplementary note 8)
An inference method comprising:
performing inference processing on the basis of an observation log in which information on a cyberattack is recorded and the characteristics of an attacker inferred from past attack incidents, and thereby obtaining an overall picture of the attack by the attacker, in which the attack techniques are hierarchically abstracted, under the assumption that the attacker left the information corresponding to the observation log; and
obtaining a similarity, which is a value indicating how similar the overall picture of the attack by the attacker and the characteristics of the attacker are.
(Supplementary note 9)
An inference method comprising:
performing inference processing on the basis of an observation log in which information on a cyberattack is recorded, and thereby obtaining an overall picture of the attack, in which the attack techniques corresponding to the observation log are hierarchically abstracted; and
obtaining a similarity, which is a value indicating how similar the overall picture of the attack and the characteristics of an attacker inferred from past attack incidents are.
(Supplementary note 10)
A storage medium storing a program that causes a computer to execute processing comprising:
performing inference processing on the basis of an observation log in which information on a cyberattack is recorded and the characteristics of an attacker inferred from past attack incidents, and thereby obtaining an overall picture of the attack by the attacker, in which the attack techniques are hierarchically abstracted, under the assumption that the attacker left the information corresponding to the observation log; and
obtaining a similarity, which is a value indicating how similar the overall picture of the attack by the attacker and the characteristics of the attacker are.
(Supplementary note 11)
A storage medium storing a program that causes a computer to execute processing comprising:
performing inference processing on the basis of an observation log in which information on a cyberattack is recorded, and thereby obtaining an overall picture of the attack, in which the attack techniques corresponding to the observation log are hierarchically abstracted; and
obtaining a similarity, which is a value indicating how similar the overall picture of the attack and the characteristics of an attacker inferred from past attack incidents are.
Although the present disclosure has been described above with reference to the embodiments and examples, the present disclosure is not limited to them. Various changes that those skilled in the art can understand may be made to the configuration and details of the present disclosure within its scope.
Reference signs:
12 processor
21 input receiving unit
22 attacker estimation unit
23 information output unit
31 inference unit
32 similarity acquisition unit
33 attacker database

Claims (11)

  1.  An inference device comprising:
      inference means for performing inference processing on the basis of an observation log in which information on a cyberattack is recorded and the characteristics of an attacker inferred from past attack incidents, and thereby obtaining an overall picture of the attack by the attacker, in which the attack techniques are hierarchically abstracted, under the assumption that the attacker left the information corresponding to the observation log; and
      similarity acquisition means for obtaining a similarity, which is a value indicating how similar the overall picture of the attack by the attacker and the characteristics of the attacker are.
  2.  An inference device comprising:
      inference means for performing inference processing on the basis of an observation log in which information on a cyberattack is recorded, and thereby obtaining an overall picture of the attack, in which the attack techniques corresponding to the observation log are hierarchically abstracted; and
      similarity acquisition means for obtaining a similarity, which is a value indicating how similar the overall picture of the attack and the characteristics of an attacker inferred from past attack incidents are.
  3.  The inference device according to claim 1 or 2, wherein the similarity acquisition means further obtains other past attack incidents that are similar to the characteristics of the attacker.
  4.  The inference device according to claim 1 or 2, wherein the similarity acquisition means calculates, on the basis of the similarity, a probability value representing the degree of possibility that the attacker actually carried out the attack.
  5.  The inference device according to claim 1 or 2, wherein the characteristics of the attacker include trace information indicating traces of attacks carried out by the attacker.
  6.  The inference device according to claim 1 or 2, further comprising display screen generation means for generating, when a plurality of similarities corresponding respectively to a plurality of the attackers have been obtained, a display screen for displaying a ranking in which the similarities are arranged in descending order.
  7.  The inference device according to claim 1, further comprising display screen generation means for generating a display screen for displaying the overall picture of the attack by the attacker.
  8.  An inference method comprising:
      performing inference processing on the basis of an observation log in which information on a cyberattack is recorded and the characteristics of an attacker inferred from past attack incidents, and thereby obtaining an overall picture of the attack by the attacker, in which the attack techniques are hierarchically abstracted, under the assumption that the attacker left the information corresponding to the observation log; and
      obtaining a similarity, which is a value indicating how similar the overall picture of the attack by the attacker and the characteristics of the attacker are.
  9.  An inference method comprising:
      performing inference processing on the basis of an observation log in which information on a cyberattack is recorded, and thereby obtaining an overall picture of the attack, in which the attack techniques corresponding to the observation log are hierarchically abstracted; and
      obtaining a similarity, which is a value indicating how similar the overall picture of the attack and the characteristics of an attacker inferred from past attack incidents are.
  10.  A storage medium storing a program that causes a computer to execute processing comprising:
      performing inference processing on the basis of an observation log in which information on a cyberattack is recorded and the characteristics of an attacker inferred from past attack incidents, and thereby obtaining an overall picture of the attack by the attacker, in which the attack techniques are hierarchically abstracted, under the assumption that the attacker left the information corresponding to the observation log; and
      obtaining a similarity, which is a value indicating how similar the overall picture of the attack by the attacker and the characteristics of the attacker are.
  11.  A storage medium storing a program that causes a computer to execute processing comprising:
      performing inference processing on the basis of an observation log in which information on a cyberattack is recorded, and thereby obtaining an overall picture of the attack, in which the attack techniques corresponding to the observation log are hierarchically abstracted; and
      obtaining a similarity, which is a value indicating how similar the overall picture of the attack and the characteristics of an attacker inferred from past attack incidents are.
PCT/JP2021/028549 2021-08-02 2021-08-02 Inference device, inference method, and storage medium WO2023012849A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2023539222A JPWO2023012849A5 (en) 2021-08-02 Inference device, inference method, and program
PCT/JP2021/028549 WO2023012849A1 (en) 2021-08-02 2021-08-02 Inference device, inference method, and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/028549 WO2023012849A1 (en) 2021-08-02 2021-08-02 Inference device, inference method, and storage medium

Publications (1)

Publication Number Publication Date
WO2023012849A1 true WO2023012849A1 (en) 2023-02-09

Family

ID=85155379

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/028549 WO2023012849A1 (en) 2021-08-02 2021-08-02 Inference device, inference method, and storage medium

Country Status (1)

Country Link
WO (1) WO2023012849A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR102653193B1 (en) * 2023-12-08 2024-03-29 충북대학교 산학협력단 Method for determining false flags of cyber attacks and apparatus for executing the method

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2018005282A (en) * 2016-06-27 2018-01-11 日本電信電話株式会社 Management device and management method
WO2020161780A1 (en) * 2019-02-04 2020-08-13 日本電気株式会社 Action plan estimation device, action plan estimation method, and computer-readable recording medium

Also Published As

Publication number Publication date
JPWO2023012849A1 (en) 2023-02-09

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21952680

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2023539222

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE