WO2023112382A1 - Analysis support method, analysis support device, and program - Google Patents

Analysis support method, analysis support device, and program

Info

Publication number
WO2023112382A1
Authority
WO
WIPO (PCT)
Prior art keywords
raw data
acquired
past
content
event information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/JP2022/030663
Other languages
English (en)
French (fr)
Japanese (ja)
Inventor
貴佳 伊藤
翔一朗 関屋
唯之 鳥崎
薫 横田
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Panasonic Intellectual Property Management Co Ltd
Original Assignee
Panasonic Intellectual Property Management Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Panasonic Intellectual Property Management Co Ltd
Priority to JP2023567533A (JPWO2023112382A1)
Publication of WO2023112382A1
Priority to US18/733,447 (US20240320325A1)
Anticipated expiration
Ceased (current legal status)

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03 Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034 Test or assess a computer or a system

Definitions

  • the present disclosure relates to an analysis support method, an analysis support device, and a program.
  • Patent Document 1 discloses a process that registers an event to be analyzed, collects raw data of the registered event, analyzes that raw data, acquires location information of the attack target on the network, determines from the acquired location information whether the event to be analyzed is valid, and, when the event is determined not to be valid, generates an exception handling message for that event and sends it to a security management server.
  • the present disclosure provides an analysis support method and the like that can suppress an increase in the number of analyzes of one or more raw data related to an event that occurred in a monitoring target.
  • An analysis support method according to one aspect of the present disclosure is performed in an analysis support device that supports analysis of an attack scenario for an event that occurred in a monitoring target, based on raw data regarding that event. The method acquires the raw data by communicating with the monitoring target or by communicating with a database that records the raw data acquired from the monitoring target, and outputs a past analysis result for raw data that is similar to the acquired raw data and was acquired in the past.
  • these generic or specific aspects may be realized by a system, a method, an integrated circuit, a computer program, or a recording medium such as a computer-readable CD-ROM, or by any combination of these.
  • the recording medium may be a non-temporary recording medium.
  • the analysis support method and the like of the present disclosure can suppress an increase in the number of analyzes of one or more raw data related to an event that occurred in a monitoring target.
  • FIG. 1 is a block diagram showing the functional configuration of an analysis support device etc. according to the first embodiment.
  • FIG. 2 is a flow chart showing an example of the operation of the analysis support device of FIG. 1.
  • FIG. 3 is a table showing event information acquired by the analysis support device of FIG. 1.
  • FIG. 4 is a table showing event information groups stored in the analysis support device of FIG. 1.
  • FIG. 5 is a flow chart showing an example of the operation included in step S3 of FIG. 2.
  • FIG. 6 is a flow chart showing another example of the operation included in step S3 of FIG. 2.
  • FIG. 7 is a table for explaining another example of the operation included in step S3 of FIG. 2.
  • FIG. 8 is a flow chart showing another example of the operation of the analysis support device of FIG. 1.
  • FIG. 9 is a table showing one or more groups.
  • FIG. 10 is a flow chart showing still another example of the operation included in step S3 of FIG. 2.
  • FIG. 11 is a flow chart showing still another example of the operation included in step S3 of FIG. 2.
  • FIG. 12 is a table showing an example of a display displayed on the analysis support device of FIG. 1.
  • FIG. 13 is a table showing another example of a display displayed on the analysis support device of FIG. 1.
  • FIG. 14 is a block diagram showing the functional configuration of an analysis support device etc. according to the second embodiment.
  • FIG. 15 is a flow chart showing an example of the operation of the analysis support device of FIG. 14.
  • an analysis support method according to one aspect of the present disclosure is performed in an analysis support device that supports, based on raw data, analysis of an attack scenario for an event that has occurred in a monitoring target.
  • in the method, the raw data is acquired by communicating with the monitoring target or by communicating with a database that records the raw data acquired from the monitoring target, and a past analysis result is output for raw data that is similar to the acquired raw data and was acquired in the past.
  • an analysis support method according to another aspect of the present disclosure is performed in an analysis support device that supports analysis of an attack scenario for an event that occurred in a monitoring target, based on raw data regarding that event. In the method, the raw data and a determination result determined by a security information event management device based on the raw data are acquired, and a past analysis result is output for raw data and a determination result that are similar to the acquired raw data and determination result and were acquired in the past.
  • the acquired raw data may be collated with the one or more raw data acquired in the past to determine whether, among the one or more raw data acquired in the past, there is raw data similar to the acquired raw data, and if there is such raw data, the analysis result for that raw data may be output.
  • in this way, the analysis result for the raw data can be output, and an increase in the number of analyses of the one or more raw data related to an event occurring in the monitoring target can be suppressed.
  • the raw data may include a plurality of items, and the content of the plurality of items included in the acquired raw data may be collated with the content of the plurality of items included in each of the one or more raw data acquired in the past. If, among the one or more raw data acquired in the past, there is raw data whose plurality of items have the same content as the plurality of items included in the acquired raw data, it may be determined that there is raw data similar to the acquired raw data among the one or more raw data acquired in the past.
  • the raw data may include a plurality of items, and the content of the plurality of items included in the acquired raw data may be collated with the content of the plurality of items included in each of the one or more raw data acquired in the past. For each of the one or more raw data acquired in the past, a score is calculated by adding points when the content of an item included in the acquired raw data is the same as the content of the same item in that past raw data, and by adding no points or deducting points when the contents are not the same. If, among the one or more raw data acquired in the past, there is raw data whose calculated score is equal to or higher than a predetermined threshold, that raw data is similar to the acquired raw data among the one or more raw data acquired in the
  • the raw data may include a plurality of items, and the one or more raw data acquired in the past may be divided into one or more groups according to the content of the plurality of items. If, among the one or more groups, there is a group associated with the same content as the content of the plurality of items included in the acquired raw data, the acquired raw data is made to belong to that group; if there is no such group among the one or more groups, the acquired raw data may be made to belong to a new group.
  • the content of the plurality of items included in the acquired raw data may be collated with the content of the plurality of items associated with each of the one or more groups, and if, among the one or more groups, there is a group associated with the same content as the content of the plurality of items included in the acquired raw data, it may be determined that there is raw data similar to the acquired raw data among the one or more raw data acquired in the past.
  • the content of the plurality of items included in the acquired raw data may be collated with the content of the plurality of items associated with each of the one or more groups. For each of the one or more groups, a score is calculated by adding points when the content of an item included in the acquired raw data is the same as the content of the same item associated with that group, and by adding no points or subtracting points when the contents are not the same. If, among the one or more groups, there is a group whose calculated score is equal to or greater than a predetermined threshold, it may be determined that there is raw data similar to the acquired raw data among the one or more raw data acquired in the past.
  • the acquired raw data may be collated with the one or more raw data acquired in the past to determine whether, among the one or more raw data acquired in the past, there is raw data similar to the acquired raw data. If there is such raw data, it is determined whether there is authority to view the analysis result for that raw data, and if there is such authority, the analysis result for that raw data may be output.
  • in this way, the analysis result for the raw data can be output while preventing unauthorized persons from viewing the analysis result.
  • an analysis support device according to one aspect of the present disclosure supports analysis of an attack scenario for an event that occurred in a monitoring target, based on raw data regarding that event.
  • the device includes an acquisition unit that acquires the raw data by communicating with the monitoring target or by communicating with a database that records the raw data acquired from the monitoring target, and an output unit that outputs a past analysis result for raw data that is similar to the acquired raw data and was acquired in the past.
  • a program according to one aspect of the present disclosure is a program for causing a computer to execute the above analysis support method.
  • each figure is a schematic diagram and is not necessarily strictly illustrated. Moreover, in each figure, the same code
  • FIG. 1 is a block diagram showing the functional configuration of an analysis support device 20 etc. according to the first embodiment. A functional configuration of the analysis support device 20 and the like will be described with reference to FIG.
  • an SOC (Security Operation Center) 10 is a security operation center that monitors the monitoring target 1.
  • the monitoring target 1 is, for example, a vehicle, a mobile terminal, a building, a ship, or the like.
  • the monitoring target 1 includes an IDS (Intrusion Detection System) 2, an IDS 3, and an IPS (Intrusion Prevention System) 4.
  • Each of the IDS 2, the IDS 3, and the IPS 4 detects an event occurring in the monitoring target 1.
  • an event that occurred in the monitoring target 1 is an unauthorized intrusion into the monitoring target 1, an attack on the monitoring target 1, and the like.
  • each of the IDS 2, the IDS 3, and the IPS 4 monitors communication between the monitoring target 1 and an external device or the like, and outputs raw data related to an event when it detects that event occurring in the monitoring target 1.
  • raw data about the event is a log about the event.
  • the monitoring target 1 transmits to the SOC 10 a plurality of raw data regarding one event that occurred in the monitoring target 1.
  • the SOC 10 includes an analysis support device 20, and the SOC 10 analyzes events occurring in the monitoring target 1. Note that the analysis support device 20 need not be provided in the SOC 10.
  • the analysis support device 20 is a device that supports analysis of events occurring in the monitoring target 1.
  • the analysis support device 20 supports analysis of an attack scenario in an event that occurred in the monitoring target 1 based on raw data.
  • an analysis of an event that occurred in the monitoring target 1 is performed, for example, by an analyst with security expertise checking the one or more pieces of raw data related to the event one by one, judging for each piece whether there is an attack, how the attack is carried out, and what vulnerability is involved, integrating the judgment results for each piece of raw data, and specifying an attack scenario or the like for the event.
  • the analysis support device 20 outputs a past analysis result for raw data that is similar to the acquired raw data and was acquired in the past. This eliminates the need to analyze all of the one or more raw data related to the event that occurred in the monitoring target 1, thereby suppressing an increase in the number of analyses of the one or more raw data.
  • the analysis support device 20 includes a matching section 21, a storage section 22, and a display section 23.
  • the collation unit 21 is an example of an acquisition unit that acquires raw data related to an event that occurred in the monitoring target 1.
  • the matching unit 21 acquires the raw data by communicating with the monitoring target 1 or by communicating with a database that records the raw data acquired from the monitoring target 1.
  • the collating unit 21 further acquires the determination result determined by the security information event management device (not shown) based on the raw data.
  • the collating unit 21 may acquire only the raw data among the raw data related to the event that occurred in the monitoring target 1 and the determination result determined by the security information event management device based on the raw data.
  • the collation unit 21 acquires information including raw data regarding an event that has occurred in the monitoring target 1 and the determination result determined by the security information event management device based on the raw data. In this embodiment, the information may be called event information.
  • the raw data includes multiple items.
  • the plurality of items indicate the content of an event that occurred in the monitoring target 1, and include, for example, an item indicating the type of the monitoring target 1, an item indicating the location in the monitoring target 1 where the event occurred, and an item indicating the type of the event that occurred in the monitoring target 1.
  • the determination result is a determination result or the like indicating what kind of content the event that occurred in the monitoring target 1 is.
  • the matching unit 21 is an example of an output unit that outputs past analysis results for raw data similar to the acquired raw data and acquired in the past.
  • the past analysis results are machine analysis results or human analysis results.
  • one or more pieces of event information acquired in the past and past analysis results for each of the one or more pieces of event information are stored in the storage unit 22.
  • the collation unit 21 reads one or more pieces of event information acquired in the past from the storage unit 22, and collates the acquired event information with the one or more pieces of event information read.
  • the matching unit 21 determines whether, among the read one or more pieces of event information, there is event information that includes raw data similar to the raw data included in the acquired event information and a determination result similar to the determination result included in the acquired event information, and if there is such event information, outputs the past analysis result for that event information.
  • for example, when the content of the raw data included in the acquired event information and the content of the raw data included in the read event information are the same, the collating unit 21 determines that the raw data included in the acquired event information and the raw data included in the read event information are similar. Likewise, when the content of the determination result included in the acquired event information and the content of the determination result included in the read event information are the same, the collation unit 21 determines that the two determination results are similar.
  • the display unit 23 displays the analysis results output by the matching unit 21.
  • the matching unit 21 is realized by a processor or the like.
  • the storage unit 22 is realized by a memory or the like.
  • the display unit 23 is realized by a liquid crystal display, an organic EL display, or the like.
  • FIG. 2 is a flow chart showing an example of the operation of the analysis support device 20 of FIG. 1.
  • FIG. 3 is a table showing event information acquired by the analysis support device 20 of FIG. 1.
  • FIG. 4 is a table showing event information groups stored in the analysis support device 20 of FIG. 1. An example of the operation of the analysis support device 20 will be described with reference to FIGS. 2 to 4.
  • the matching unit 21 acquires event information regarding an event that has occurred in the monitoring target 1 (step S1).
  • an event that occurred in the monitoring target 1 is an unauthorized intrusion into the monitoring target 1, an attack on the monitoring target 1, and the like.
  • the event information includes one piece of raw data regarding an event that occurred in the monitoring target 1 and one piece of determination result determined by the security information event management device based on the raw data.
  • the raw data regarding an event that occurred in the monitoring target 1 is a log regarding the event. For example, when an event occurs in the monitoring target 1, the monitoring target 1 outputs raw data related to the event, the security information event management device makes a determination based on the raw data, and outputs the determination result.
  • the collation unit 21 acquires raw data related to an event that occurred in the monitoring target 1 and a determination result determined by the security information event management device based on the raw data.
  • the matching unit 21 may acquire only the raw data out of the raw data and the determination result.
  • event information includes raw data and determination results.
  • Raw data contains multiple items.
  • the plurality of items are, for example, the OEM (original equipment manufacturer) of the monitoring target 1, the model of the monitoring target 1, the grade of the monitoring target 1, the ECU of the monitoring target 1, the IDS/IPS monitoring method of the monitoring target 1, and the type of abnormality in the monitoring target 1.
  • the determination result is a determination result determined by the security information event management device based on the raw data.
  • when acquiring event information, the matching unit 21 reads one or more pieces of event information acquired in the past (step S2). As described above, for example, the one or more pieces of event information acquired in the past are stored in the storage unit 22, and the matching unit 21 reads them from the storage unit 22.
  • the storage unit 22 stores one or more pieces of event information, past analysis results for each of the one or more pieces of event information, and determination results as to whether or not an attack has occurred. That is, the analysis result is the result of analysis based on the event information, and the determination result is the result of determination based on the event information.
  • for example, the matching unit 21 reads one or more pieces of event information as shown in FIG. 4.
  • the collation unit 21 collates the event information acquired in step S1 (step S3).
  • the collating unit 21 collates the acquired event information with the read one or more pieces of event information, and determines whether, among the read one or more pieces of event information, there is event information including raw data similar to the raw data included in the acquired event information and a determination result similar to the determination result included in the acquired event information.
  • note that the matching unit 21 may acquire only the raw data out of the raw data and the determination result, and collate the acquired raw data with one or more raw data acquired in the past, instead of searching for event information including raw data similar to the raw data included in the acquired event information and a determination result similar to the determination result included in the acquired event information.
  • the collating unit 21 determines whether, among the read one or more pieces of event information, there is event information including raw data similar to the raw data included in the acquired event information (step S4). Note that, for example, the matching unit 21 may acquire only the raw data out of the raw data and the determination result, and determine whether there is raw data similar to the acquired raw data among the one or more raw data acquired in the past.
  • for example, the matching unit 21 acquires the event information shown in FIG. 3 and reads the one or more pieces of event information shown in FIG. 4. The content of the raw data included in the acquired event information and the content of the raw data included in the read event information of ID1 are the same. Therefore, the matching unit 21 determines that the read event information of ID1 includes raw data similar to the raw data included in the acquired event information, that is, that there is event information including raw data similar to the raw data included in the acquired event information among the read one or more pieces of event information.
  • if there is such event information, the matching unit 21 outputs the past analysis result for the read event information (step S5).
  • the collating unit 21 may output the past analysis result for event information that, among the read one or more pieces of event information, includes raw data similar to the raw data included in the acquired event information and a determination result similar to the determination result included in the acquired event information, that is, the past analysis result for raw data and a determination result that are similar to the acquired raw data and determination result and were acquired in the past.
  • the matching unit 21 may acquire only the raw data out of the raw data and the determination result, and if there is raw data similar to the acquired raw data among the one or more raw data acquired in the past, output the past analysis result for that raw data.
  • if there is no such event information, the matching unit 21 does not output an analysis result.
  • FIG. 5 is a flow chart showing an example of the operation included in step S3 of FIG. 2. An example of the operation included in step S3 of FIG. 2 will be described with reference to FIGS.
  • the collation unit 21 collates the content of the plurality of items included in the acquired event information with the content of the plurality of items included in each of the read one or more pieces of event information. Note that, for example, the collating unit 21 may acquire only the raw data out of the raw data and the determination result, and collate the content of the plurality of items included in the acquired raw data with the content of the plurality of items included in each of the one or more raw data acquired in the past.
  • the matching unit 21 determines whether the content of the first item among the plurality of items included in the first event information among the read one or more pieces of event information is the same as the content of the first item among the plurality of items included in the acquired event information (step S11).
  • for example, the matching unit 21 acquires the event information shown in FIG. 3 and reads the one or more pieces of event information shown in FIG. 4, and determines whether the content of the OEM included in the read event information is the same as the content of the OEM included in the acquired event information.
  • if the content of the first item in the first event information among the read one or more pieces of event information is the same as the content of the first item in the acquired event information (Yes in step S11), the collating unit 21 determines whether the content of the second item in the first event information is the same as the content of the second item in the acquired event information (step S11).
  • in general, if the content of the n-th item in the first event information among the read one or more pieces of event information is the same as the content of the n-th item in the acquired event information (Yes in step S11), the matching unit 21 determines whether the content of the (n+1)-th item in the first event information is the same as the content of the (n+1)-th item in the acquired event information.
  • if the contents of all of the plurality of items included in the first event information among the read one or more pieces of event information are the same as the contents of the plurality of items included in the acquired event information, the matching unit 21 adds the first event information among the read one or more pieces of event information to the match list (step S12).
  • if the content of the first item in the first event information among the read one or more pieces of event information is not the same as the content of the first item in the acquired event information (No in step S11), or once the first event information has been added to the match list (step S12), the collating unit 21 determines whether the content of the first item in the second event information among the read one or more pieces of event information is the same as the content of the first item in the acquired event information (step S11).
  • the matching unit 21 collates the content of the plurality of items included in the acquired event information with the content of the plurality of items included in each of the read one or more pieces of event information in this way, and outputs the past analysis result for the event information added to the match list. That is, if, among the read one or more pieces of event information, there is event information including raw data similar to the raw data included in the acquired event information, the matching unit 21 determines that such event information exists and outputs the past analysis result for that event information.
  • the matching unit 21 may acquire only the raw data out of the raw data and the determination result, and if there is raw data, among the one or more raw data acquired in the past, whose plurality of items have the same contents as the plurality of items included in the acquired raw data, it may determine that there is raw data similar to the acquired raw data among the one or more raw data acquired in the past. Then, the matching unit 21 may output the past analysis result for that raw data.
  • step S3 of FIG. 2 An example of the operation included in step S3 of FIG. 2 has been described above.
  • FIG. 6 is a flow chart showing another example of the operation included in step S3 of FIG. 2.
  • FIG. 7 is a table for explaining another example of the operation included in step S3 of FIG. 2. Another example of the operation included in step S3 of FIG. 2 will be described with reference to FIGS. 6 and 7.
  • The collation unit 21 collates the contents of the plurality of items included in the acquired event information with the contents of the plurality of items included in each of the read pieces of event information. For each of the read pieces of event information, the matching unit 21 calculates a score: for each item of the acquired event information, points are added if its content is the same as the content of the same item in the read event information, and points are not added, or are subtracted, if the contents are not the same.
  • The matching unit 21 initializes the score of the first piece of event information acquired in the past (step S21). For example, the collation unit 21 sets the score of the first piece of event information to 0.
  • The matching unit 21 determines whether the content of the first item of the first piece of event information acquired in the past is the same as the content of the first item of the acquired event information (step S22).
  • If the contents of the first items are the same (Yes in step S22), points are added (step S23).
  • For example, if the content of the OEM, which is the first item of the first piece of event information acquired in the past, is the same as the content of the OEM, which is the first item of the acquired event information, points are added. For example, points calculated as 1 × weighting factor are added, where the weighting factor is preset.
  • If the content of the first item of the first piece of event information acquired in the past is not the same as the content of the first item of the acquired event information (No in step S22), points are not added or points are subtracted (step S24).
  • After adding, not adding, or subtracting points for the first item of the first piece of event information acquired in the past, the collating unit 21 determines whether the content of the second item of that piece of event information is the same as the content of the second item of the acquired event information (step S22).
  • After calculating the score of the first piece of event information acquired in the past, the matching unit 21 determines whether the score is equal to or greater than a predetermined threshold (step S25).
  • If the score is equal to or greater than the predetermined threshold (Yes in step S25), the matching unit 21 adds the first piece of event information acquired in the past to the match list (step S26).
  • If the score is not equal to or greater than the predetermined threshold (No in step S25), or once the first piece of event information has been added to the match list (step S26), the score of the second piece of event information acquired in the past is initialized (step S21) and calculated in the same way.
  • After calculating scores for each of the read pieces of event information, the matching unit 21 outputs past analysis results for the event information added to the match list. In this way, when the read event information includes event information whose calculated score is equal to or greater than the predetermined threshold, the collation unit 21 determines that event information containing raw data similar to the raw data contained in the acquired event information exists, and outputs the past analysis result for that event information.
  • The collating unit 21 may acquire only the raw data, rather than both the raw data and the determination result, and collate the content of each of the plurality of items included in the acquired raw data with the contents of the plurality of items included in each of the one or more pieces of raw data acquired in the past. In that case, the matching unit 21 compares the content of each item of the acquired raw data with the content of the same item of each piece of raw data acquired in the past, and calculates a score for each piece of raw data acquired in the past in the same way.
  • If the one or more pieces of raw data acquired in the past include raw data whose calculated score is equal to or greater than the predetermined threshold, the matching unit 21 may determine that raw data similar to the acquired raw data exists, and output the past analysis results for that raw data.
  • Another example of the operation included in step S3 of FIG. 2 has been described above.
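As an added example (not code from the patent, nor from the applicant's own implementation), the following Python sketch implements the two matching strategies described above: the item-by-item exact match of FIG. 5 (steps S11/S12) and the weighted score with threshold of FIG. 6 (steps S21 to S26), returned in descending order of score as the later description of FIG. 12 suggests. Only the item name OEM and the "1 × weighting factor" rule come from the text; the other item names, the weighting factors, the threshold, the penalty and all event records are constructed assumptions.

```python
"""Added example: exact match and weighted-score match of an acquired event
against event information acquired in the past. Item names other than "OEM",
all sample records, weights and thresholds are constructed for illustration."""
from __future__ import annotations
from dataclasses import dataclass

# The "plurality of items" of a piece of event information, in fixed order.
# "OEM" is named in the patent text; the remaining names are assumptions.
ITEMS = ("OEM", "event_type", "source", "severity")


@dataclass
class EventInfo:
    items: dict                 # content of each item, keyed by item name
    analysis_result: str = ""   # past analysis result stored with the event


def exact_match(acquired: EventInfo, past: list[EventInfo]) -> list[EventInfo]:
    """Steps S11/S12: compare items in order and stop at the first difference;
    a past event joins the match list only when every item has the same content."""
    match_list = []
    for past_event in past:
        if all(acquired.items.get(name) == past_event.items.get(name) for name in ITEMS):
            match_list.append(past_event)
    return match_list


def score(acquired: EventInfo, past_event: EventInfo,
          weights: dict, penalty: float = 0.0) -> float:
    """Steps S21 to S24: start from 0, add 1 x weighting factor for each item whose
    content is the same, and subtract `penalty` for each item that differs
    (penalty 0.0 is the 'points are not added' variant)."""
    total = 0.0
    for name in ITEMS:
        if acquired.items.get(name) == past_event.items.get(name):
            total += 1 * weights.get(name, 1.0)   # preset weighting factor per item
        else:
            total -= penalty
    return total


def score_match(acquired: EventInfo, past: list[EventInfo], weights: dict,
                threshold: float, penalty: float = 0.0) -> list[tuple[float, EventInfo]]:
    """Steps S25/S26: keep past events whose score is equal to or greater than the
    threshold, ordered highest score first (the display order of FIG. 12)."""
    ranked = [(score(acquired, e, weights, penalty), e) for e in past]
    ranked = [(s, e) for s, e in ranked if s >= threshold]
    ranked.sort(key=lambda pair: pair[0], reverse=True)
    return ranked


# Constructed sample data (not from the patent).
PAST = [
    EventInfo({"OEM": "A", "event_type": "port_scan", "source": "gw-01", "severity": "low"},
              "benign: scheduled diagnostic scan"),
    EventInfo({"OEM": "A", "event_type": "port_scan", "source": "gw-02", "severity": "high"},
              "reconnaissance; escalated to incident"),
    EventInfo({"OEM": "B", "event_type": "firmware_update", "source": "gw-01", "severity": "low"},
              "authorized update; no action"),
]
ACQUIRED = EventInfo({"OEM": "A", "event_type": "port_scan", "source": "gw-01", "severity": "low"})
WEIGHTS = {"OEM": 1.0, "event_type": 2.0, "source": 1.0, "severity": 0.5}   # assumed preset factors


def demo() -> dict:
    """Run both strategies on the constructed data and return the results."""
    return {
        "exact": [e.analysis_result for e in exact_match(ACQUIRED, PAST)],
        "scored": [(s, e.analysis_result) for s, e in score_match(ACQUIRED, PAST, WEIGHTS, 3.0)],
        "scored_with_penalty": [(s, e.analysis_result)
                                for s, e in score_match(ACQUIRED, PAST, WEIGHTS, 3.0, penalty=1.0)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The exact match returns only the identical past event, while the weighted score also surfaces the second record (same OEM and event type, different source and severity) as long as the penalty for differing items is zero; with a penalty of one point per differing item that record drops below the threshold, which is the knob an analyst would tune to trade recall against noise.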
  • FIG. 8 is a flow chart showing another example of the operation of the analysis support device 20 of FIG.
  • FIG. 9 is a table showing one or more groups. Another example of the operation of the analysis support device 20 will be described with reference to FIGS. 8 and 9.
  • The one or more pieces of event information acquired in the past are divided into one or more groups according to the contents of their plurality of items. That is, for example, pieces of event information belonging to the same group have items with the same contents, and pieces of event information belonging to different groups have items with different contents.
  • If, among the one or more groups, there is a group related to the same contents as the contents of the plurality of items included in the acquired event information, the matching unit 21 causes the acquired event information to belong to that group; if there is no such group, the matching unit 21 causes the acquired event information to belong to a new group.
  • The matching unit 21 acquires event information (step S31) and reads the database (step S32).
  • The database contains one or more pieces of event information divided into one or more groups according to the contents of their plurality of items.
  • The collation unit 21 collates the acquired event information with the one or more groups included in the read database (step S33).
  • The collating unit 21 determines whether, among the one or more groups stored in the database, there is a group whose contents are the same as the contents of the plurality of items included in the acquired event information (step S34).
  • If there is such a group, the collation unit 21 adds the acquired event information to that group, so that it belongs to the group (step S35).
  • If there is no such group, the matching unit 21 adds the acquired event information to a new group, so that it belongs to that group (step S36).
  • Only the one or more pieces of raw data acquired in the past, rather than the event information, may be divided into one or more groups according to the contents of their plurality of items. Then, if there is a group related to the same contents as the contents of the plurality of items included in the acquired raw data among the one or more groups, the collating unit 21 causes the acquired raw data to belong to that group; if there is no such group, the acquired raw data may be made to belong to a new group.
  • FIG. 10 is a flow chart showing still another example of the operation included in step S3 of FIG. 2. Still another example of the operation included in step S3 of FIG. 2 will be described with reference to FIG. 10.
  • The collation unit 21 collates the contents of the plurality of items included in the acquired event information with the contents of the plurality of items relating to each of the one or more groups.
  • The matching unit 21 may acquire only the raw data, rather than both the raw data and the determination result, and collate the contents of the plurality of items included in the acquired raw data with the contents of the plurality of items relating to each of the one or more groups.
  • The matching unit 21 determines whether the content of the first item of the plurality of items relating to the first group among the one or more groups is the same as the content of the first item of the plurality of items included in the acquired event information (step S61).
  • For example, the collating unit 21 acquires event information as shown in FIG. 3 and reads one or more groups as shown in FIG. 9, and determines whether the content of the OEM relating to the first group is the same as the content of the OEM included in the acquired event information.
  • If the contents of the first items are the same (Yes in step S61), the matching unit 21 determines whether the content of the second item of the plurality of items relating to the first group is the same as the content of the second item of the plurality of items included in the acquired event information (step S61).
  • If the content of the n-th item relating to the first group is the same as the content of the n-th item included in the acquired event information (Yes in step S61), the matching unit 21 determines whether the content of the (n+1)-th item relating to the first group matches the content of the (n+1)-th item included in the acquired event information.
  • If the contents of all of the plurality of items relating to the first group are the same as the contents of the plurality of items included in the acquired event information, the collation unit 21 adds the first group among the one or more groups to the match list (step S62).
  • If the content of the first item relating to the first group is not the same as the content of the first item included in the acquired event information (No in step S61), or once the first group has been added to the match list (step S62), the matching unit 21 determines whether the content of the first item of the plurality of items relating to the second group is the same as the content of the first item of the plurality of items included in the acquired event information (step S61).
  • After collating the contents of the plurality of items included in the acquired event information with the contents of the plurality of items relating to each of the one or more groups, the matching unit 21 outputs the past analysis results for the event information belonging to the groups added to the match list. In this way, if there is a group relating to contents that match the contents of the plurality of items included in the acquired event information, the matching unit 21 determines that event information containing raw data similar to the raw data contained in the acquired event information exists, and outputs the past analysis result for that event information.
  • The matching unit 21 may acquire only the raw data, rather than both the raw data and the determination result, and collate the contents of the plurality of items included in the acquired raw data with the contents of the plurality of items relating to each of the one or more groups. Then, if there is a group related to the same contents as the contents of the plurality of items included in the acquired raw data among the one or more groups, the collating unit 21 may determine that raw data similar to the acquired raw data exists among the one or more pieces of raw data acquired in the past, and output the past analysis results for that raw data.
  • Still another example of the operation included in step S3 of FIG. 2 has been described above.
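As an added example (not code from the patent, nor the applicant's own implementation), the following Python sketch covers both the grouping of past event information of FIG. 8 (steps S31 to S36) and the group-wise exact match of FIG. 10 (steps S61/S62) described above. Because the items' contents identify a group, matching against groups compares each distinct item combination once instead of once per past event, which is the practical benefit of the grouping. Only the item name OEM comes from the text; the other item names and all records are constructed.

```python
"""Added example: dividing past event information into groups by item contents
and matching an acquired event against the groups. "OEM" is named in the
patent; the other item names and every record are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

ITEMS = ("OEM", "event_type", "source")   # items relating to a group, in fixed order


@dataclass
class Group:
    key: tuple                                           # contents of the items relating to the group
    events: list[dict] = field(default_factory=list)     # event information belonging to the group
    analysis_results: list[str] = field(default_factory=list)   # past analysis results of those events


def group_key(event: dict) -> tuple:
    """The contents of the plurality of items identify a group (FIG. 9)."""
    return tuple(event.get(name) for name in ITEMS)


def assign_group(groups: dict[tuple, Group], event: dict,
                 analysis_result: str | None = None) -> Group:
    """Steps S33 to S36: if a group with the same item contents exists, the event
    joins it (S35); otherwise a new group is created and the event joins that (S36)."""
    key = group_key(event)
    group = groups.get(key)
    if group is None:             # No in S34
        group = Group(key)
        groups[key] = group
    group.events.append(event)    # Yes in S34, or the newly created group
    if analysis_result is not None:
        group.analysis_results.append(analysis_result)
    return group


def build_groups(past: list[tuple[dict, str]]) -> dict[tuple, Group]:
    """Divide event information acquired in the past into groups (the database of S32)."""
    groups: dict[tuple, Group] = {}
    for event, result in past:
        assign_group(groups, event, result)
    return groups


def match_groups(groups: dict[tuple, Group], acquired: dict) -> list[Group]:
    """Steps S61/S62: compare the items relating to each group with the acquired
    event's items in order, stopping at the first difference; groups whose items
    all match join the match list. Since item contents identify a group, at most
    one group can match, so the past analysis results of its events are returned."""
    match_list = []
    for group in groups.values():
        if all(group.key[i] == acquired.get(name) for i, name in enumerate(ITEMS)):
            match_list.append(group)
    return match_list


# Constructed sample data (not from the patent).
PAST = [
    ({"OEM": "A", "event_type": "port_scan", "source": "gw-01"}, "benign: scheduled scan"),
    ({"OEM": "A", "event_type": "port_scan", "source": "gw-01"}, "benign: scheduled scan (repeat)"),
    ({"OEM": "B", "event_type": "login_failure", "source": "gw-02"}, "credential stuffing; source blocked"),
]
ACQUIRED = {"OEM": "A", "event_type": "port_scan", "source": "gw-01"}
UNSEEN = {"OEM": "C", "event_type": "config_change", "source": "gw-03"}


def past_results_for(acquired: dict, groups: dict[tuple, Group]) -> list[str]:
    """Output of step S3 for the group variant: past analysis results of matching groups."""
    return [r for g in match_groups(groups, acquired) for r in g.analysis_results]


if __name__ == "__main__":
    groups = build_groups(PAST)
    print(past_results_for(ACQUIRED, groups))   # two past results for the matching group
    print(past_results_for(UNSEEN, groups))     # [] : no group, so this event starts a new one
    assign_group(groups, UNSEEN)
    print(len(groups))
```

An event whose item contents have never been seen matches no group and, once assigned, starts a new group with no analysis results; subsequent identical events then find that group and, after an analyst records a result for it, inherit that result.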
  • FIG. 11 is a flow chart showing still another example of the operation included in step S3 of FIG. 2. Still another example of the operation included in step S3 of FIG. 2 will be described with reference to FIG. 11.
  • The collation unit 21 collates the contents of the plurality of items included in the acquired event information with the contents of the plurality of items relating to each of the one or more groups. Then, for each of the one or more groups, the matching unit 21 calculates a score: for each item of the acquired event information, points are added if its content is the same as the content of the same item relating to the group, and points are not added, or are subtracted, if the contents are not the same.
  • The matching unit 21 initializes the score of the first group among the one or more groups (step S41). For example, the matching unit 21 sets the score of the first group to 0.
  • The matching unit 21 determines whether the content of the first item of the plurality of items relating to the first group is the same as the content of the first item of the plurality of items included in the acquired event information (step S42).
  • If the contents of the first items match (Yes in step S42), points are added (step S43).
  • For example, if the content of the OEM, which is the first item relating to the first group, is the same as the content of the OEM, which is the first item included in the acquired event information, points are added. For example, points calculated as 1 × weighting factor are added, where the weighting factor is preset.
  • If the contents of the first items do not match (No in step S42), points are not added or points are subtracted (step S44).
  • After adding, not adding, or subtracting points for the first item relating to the first group, the collation unit 21 determines whether the content of the second item of the plurality of items relating to the first group matches the content of the second item of the plurality of items included in the acquired event information (step S42).
  • After calculating the score of the first group, the matching unit 21 determines whether the score is equal to or greater than a predetermined threshold (step S45).
  • If the score is equal to or greater than the predetermined threshold (Yes in step S45), the matching unit 21 adds the first group to the match list (step S46).
  • If the score is not equal to or greater than the predetermined threshold (No in step S45), or once the first group has been added to the match list (step S46), the score of the second group among the one or more groups is initialized (step S41) and calculated in the same way.
  • After calculating the scores of the one or more groups, the matching unit 21 outputs past analysis results for the event information belonging to the groups added to the match list. In this way, if there is a group whose calculated score is equal to or greater than the predetermined threshold, the collating unit 21 determines that the event information belonging to that group contains raw data similar to the raw data included in the acquired event information, that is, that event information containing similar raw data exists among the one or more pieces of event information acquired in the past, and outputs the past analysis results for that event information.
  • The matching unit 21 may acquire only the raw data, rather than both the raw data and the determination result, and collate the contents of the plurality of items included in the acquired raw data with the contents of the plurality of items relating to each of the one or more groups. Then, the matching unit 21 may calculate a score for each of the one or more groups by adding points if the content of each item of the acquired raw data is the same as the content of the same item relating to the group, and by not adding or by deducting points if the contents are not the same. If there is a group whose calculated score is equal to or greater than the predetermined threshold, the matching unit 21 may determine that raw data similar to the acquired raw data exists among the one or more pieces of raw data acquired in the past, and output the past analysis results for that raw data.
  • Still another example of the operation included in step S3 of FIG. 2 has been described above.
  • FIG. 12 is a table showing an example of a display shown on the analysis support device 20 of FIG. An example of the display shown on the analysis support device 20 will be described with reference to FIG. 12.
  • The display unit 23 arranges and displays the one or more pieces of event information acquired in the past in descending order of score. That is, for example, the display unit 23 preferentially displays past analysis results for event information having a high degree of similarity to the acquired event information.
  • FIG. 13 is a table showing another example of the display shown on the analysis support device 20 of FIG. Another example of the display shown on the analysis support device 20 will be described with reference to FIG. 13.
  • The display unit 23 displays together pieces of event information having similar contents, or pieces of event information having similar analysis results, among the plurality of pieces of event information acquired in the past.
  • According to the analysis support method, it is possible to suppress an increase in the number of analyses of the one or more pieces of raw data related to an event that occurred in the monitoring target 1, and thereby to suppress an increase in the operating time of the device used by the user and an increase in the electric power consumed by the operation of the device.
  • The analysis support method according to the first embodiment is an analysis support method performed in the analysis support device 20, which supports analysis of an attack scenario in an event that occurred in the monitoring target 1 based on raw data. The raw data is acquired by communicating with the monitoring target 1 or with a database that records the raw data acquired from the monitoring target 1 (step S1), and a past analysis result for raw data that is similar to the acquired raw data and was recorded in the past is output (step S5).
  • The analysis support method according to the first embodiment may also acquire the raw data together with the determination result determined by the security information event management device based on the raw data, and output the past analysis result for raw data and a determination result that are similar to the acquired raw data and determination result and were acquired in the past.
  • Each of the one or more pieces of raw data acquired in the past is collated with the acquired raw data (step S3), it is determined whether raw data similar to the acquired raw data exists among the one or more pieces of raw data acquired in the past (step S4), and if such raw data exists, the analysis result for that raw data is output (step S5).
  • As a result, the analysis results for raw data similar to the acquired raw data can be output, and an increase in the number of analyses of the plurality of pieces of raw data related to an event occurring in the monitoring target 1 can be suppressed.
  • The raw data includes a plurality of items. The contents of the plurality of items included in the acquired raw data are collated with the contents of the plurality of items included in each of the one or more pieces of raw data acquired in the past (step S11), and if the one or more pieces of raw data acquired in the past include raw data whose plurality of items have the same contents as the plurality of items included in the acquired raw data, it is determined that raw data similar to the acquired raw data exists among the one or more pieces of raw data acquired in the past (Yes in step S4).
  • The raw data includes a plurality of items. The content of each of the plurality of items included in the acquired raw data is collated with the contents of the plurality of items included in each of the one or more pieces of raw data acquired in the past (step S22). Points are added if the content of each item of the acquired raw data is the same as the content of the same item of the raw data acquired in the past (step S23), and points are not added or are deducted if the contents are not the same (step S24), so that a score is calculated for each of the one or more pieces of raw data acquired in the past. If the one or more pieces of raw data acquired in the past include raw data whose calculated score is equal to or higher than a predetermined threshold (Yes in step S25), it is determined that raw data similar to the acquired raw data exists among the one or more pieces of raw data acquired in the past (Yes in step S4).
  • The raw data includes a plurality of items, and the one or more pieces of raw data acquired in the past are divided into one or more groups according to the contents of the plurality of items. If there is a group related to the same contents as the contents of the plurality of items included in the acquired raw data among the one or more groups, the acquired raw data is made to belong to that group (step S35), and if there is no such group, the acquired raw data is made to belong to a new group (step S36).
  • The contents of the plurality of items included in the acquired raw data are collated with the contents of the plurality of items relating to each of the one or more groups (step S42). Points are added if the content of each item of the acquired raw data is the same as the content of the same item relating to the group (step S43), and points are not added or are deducted if the contents are not the same (step S44), so that a score is calculated for each of the one or more groups. If there is a group whose calculated score is equal to or higher than a predetermined threshold among the one or more groups (Yes in step S45), it is determined that raw data similar to the acquired raw data exists among the one or more pieces of raw data acquired in the past (Yes in step S4).
  • The analysis support device 20 is an analysis support device that communicates with the monitoring target 1 and supports attack scenario analysis of an event that occurred in the monitoring target 1 based on raw data. It includes an acquisition unit (collation unit 21) that acquires the raw data, and an output unit (collation unit 21) that outputs analysis results for raw data that is similar to the acquired raw data and was acquired in the past.
  • FIG. 14 is a block diagram showing the functional configuration of the analysis support device 20a and the like according to the second embodiment. The functional configuration of the analysis support device 20a and the like will be described with reference to FIG. 14.
  • the SOC 10a is mainly different from the SOC 10 in that it includes an analysis support device 20a instead of the analysis support device 20.
  • the analysis support device 20a mainly differs from the analysis support device 20 in that it further includes an authority determination unit 24 .
  • If the read one or more pieces of event information include event information containing raw data similar to the raw data included in the acquired event information and a determination result similar to the determination result included in the acquired event information, the authority determination unit 24 determines whether the user has the authority to browse the past analysis results for that event information. Further, for example, when the collation unit 21 acquires only the raw data, rather than both the raw data and the determination result, and the one or more pieces of raw data acquired in the past include raw data similar to the acquired raw data, the authority determination unit 24 determines whether the user has the authority to browse the past analysis results for that raw data.
  • For example, the analysis support apparatus 20a receives input of login information for the user to use the analysis support apparatus 20a, and the authority determination unit 24 refers to the input login information to determine whether the user has the authority to view the past analysis results for the event information or the raw data. For example, login information having the authority to browse is stored in advance; if the input login information matches the pre-stored login information, the authority determination unit 24 determines that the user has the authority to browse the past analysis results for the event information or raw data, and if the input login information does not match the pre-stored login information, it determines that the user does not have that authority.
  • FIG. 15 is a flow chart showing an example of the operation of the analysis support device 20a of FIG. 14. An example of the operation of the analysis support device 20a will be described with reference to FIG. 15. The description below centers on the points that differ from the example of the operation
  • The authority determination unit 24 determines whether the user has the authority to browse the past analysis results for the event information (step S51).
  • If the user has the authority to view the past analysis results for the read event information (Yes in step S51), the collation unit 21 outputs the past analysis results for that event information (step S5).
  • If the user does not have the authority to view the past analysis results for the read event information (No in step S51), the verification unit 21 does not output the past analysis results for that event information.
  • The matching unit 21 may acquire only the raw data, rather than both the raw data and the determination result, compare the acquired raw data with the one or more pieces of raw data acquired in the past, and determine whether raw data similar to the acquired raw data exists among the one or more pieces of raw data acquired in the past. Then, if such raw data exists, the authority determination unit 24 determines whether the user has the authority to view the analysis results for that raw data, and if the user has that authority, the analysis results for that raw data may be output.
  • The acquired raw data is compared with the one or more pieces of raw data acquired in the past (step S3), it is determined whether raw data similar to the acquired raw data exists among the one or more pieces of raw data acquired in the past (step S4), and if such raw data exists (Yes in step S4), it is determined whether the user has the authority to browse the past analysis results for that raw data (step S51); if the user has that authority, the analysis result for the raw data is output (step S5).
  • As a result, the analysis results for the raw data are output only to users having the authority, so it is possible to prevent unauthorized persons from viewing the analysis results.
  • the existence and type of authority required for viewing may be set individually for each of one or more pieces of event information acquired in the past.
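As an added example (not code from the patent, nor the applicant's own implementation), the following Python sketch shows the authority determination of step S51 gating the output of step S5: the input login information is checked against login information stored in advance, and, as the preceding item allows, each stored analysis result carries its own list of logins permitted to browse it. The login names, passwords, salts, per-record permissions and analysis results are all constructed; the patent does not specify how login information is stored or compared, so the salted password hashing and constant-time comparison used here are this example's own choices.

```python
"""Added example: authority check (step S51) before outputting past analysis
results (step S5). All logins, passwords, salts and records are constructed;
the storage and comparison scheme is an assumption, not the patent's."""
from __future__ import annotations
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class PastResult:
    raw_items: dict                      # items of the past raw data (already matched in S3/S4)
    analysis_result: str                 # the past analysis result to be browsed
    viewers: frozenset = frozenset()     # logins permitted to browse this record (empty: nobody)


def _hash(password: str, salt: bytes) -> bytes:
    """Salted password hash; only the hash is stored, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Login information "stored in advance" (constructed): login -> (salt, hash).
STORED_LOGINS = {
    "analyst": (b"salt-analyst-constructed", _hash("analyst-pass", b"salt-analyst-constructed")),
    "intern":  (b"salt-intern-constructed",  _hash("intern-pass",  b"salt-intern-constructed")),
}


def login_matches(login: str, password: str) -> bool:
    """Does the input login information match the pre-stored login information?
    Unknown logins fail; hashes are compared in constant time."""
    entry = STORED_LOGINS.get(login)
    if entry is None:
        return False
    salt, stored_hash = entry
    return hmac.compare_digest(stored_hash, _hash(password, salt))


def has_authority(login: str, password: str, record: PastResult) -> bool:
    """Step S51: authority exists only when the credentials match AND this login
    is among those permitted to browse this particular record (per-record
    authority, as the patent allows it to be set individually)."""
    return login_matches(login, password) and login in record.viewers


def output_past_results(login: str, password: str, matches: list[PastResult]) -> list[str]:
    """Step S5 gated by step S51: return past analysis results only for records
    the user is authorised to browse; everything else stays hidden."""
    return [r.analysis_result for r in matches if has_authority(login, password, r)]


# Constructed match list, as step S4 would hand it over (not from the patent).
MATCHES = [
    PastResult({"OEM": "A"}, "reconnaissance; escalated to incident", frozenset({"analyst"})),
    PastResult({"OEM": "A"}, "benign: scheduled scan", frozenset({"analyst", "intern"})),
]


if __name__ == "__main__":
    print(output_past_results("analyst", "analyst-pass", MATCHES))   # both results
    print(output_past_results("intern", "intern-pass", MATCHES))     # only the unrestricted one
    print(output_past_results("intern", "wrong-pass", MATCHES))      # [] : login does not match
```

Keeping the permission on the record rather than on the user is what lets a sensitive past result (an escalated incident) stay hidden from a login that is otherwise valid, and a failed login yields an empty list rather than an error that would reveal which records exist.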
  • the display unit 23 may preferentially display past analysis results with many "likes" by people.
  • matching of raw data may be performed by clustering determination using artificial intelligence.
  • each component may be configured by dedicated hardware or implemented by executing a software program suitable for each component.
  • Each component may be implemented by a program execution unit such as a CPU (Central Processing Unit) or a processor reading and executing a software program recorded on a recording medium such as a hard disk or semiconductor memory. Here, the software is a computer program that causes a computer to execute each step of the flowcharts shown in FIGS. 2, 5, 6, 8, 10, 11, and 15.
  • the at least one device is specifically a computer system composed of a microprocessor, ROM, RAM, hard disk unit, display unit, keyboard, mouse, and the like.
  • a computer program is stored in the RAM or hard disk unit.
  • At least one of the above devices achieves its functions by a microprocessor operating according to a computer program.
  • the computer program is constructed by combining a plurality of instruction codes indicating instructions to the computer in order to achieve a predetermined function.
  • a part or all of the components that constitute the at least one device may be composed of one system LSI (Large Scale Integration).
  • A system LSI is an ultra-multifunctional LSI manufactured by integrating multiple components on a single chip. Specifically, it is a computer system that includes a microprocessor, ROM, RAM, and the like. A computer program is stored in the RAM. The system LSI achieves its functions by the microprocessor operating according to the computer program.
  • a part or all of the components constituting at least one of the above devices may be composed of an IC card or a single module that can be attached to and detached from the device.
  • An IC card or module is a computer system that consists of a microprocessor, ROM, RAM, and so on.
  • the IC card or module may include the ultra-multifunctional LSI described above.
  • the IC card or module achieves its function by the microprocessor operating according to the computer program. The IC card or module may be tamper-resistant.
  • the present disclosure may be the method shown above. Moreover, it may be a computer program for realizing these methods by a computer, or it may be a digital signal composed of a computer program.
  • the present disclosure includes computer-readable recording media on which the computer program or digital signal is recorded, such as flexible disks, hard disks, CD (Compact Disc)-ROM, DVD, DVD-ROM, DVD-RAM, BD (Blu-ray (registered trademark) Disc), and semiconductor memory. Alternatively, it may be the digital signal recorded on these recording media.
  • the present disclosure may transmit computer programs or digital signals via electric communication lines, wireless or wired communication lines, networks typified by the Internet, data broadcasting, and the like.
  • it may be implemented by another independent computer system by recording the program or digital signal on a recording medium and transferring it, or by transferring the program or digital signal via a network or the like.
  • the analysis support method, etc. of the present disclosure can be applied to a method, etc., for supporting event analysis for a monitoring target.
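As an added example (not code from the patent or from Panasonic), the following Python sketch puts three of the variations above together: it matches newly acquired raw data against raw data acquired in the past, withholds a past analysis result unless the viewer holds the authority set on that piece of event information, and lists what remains with the most-liked analysis first. The record layout, the token-overlap matcher standing in for the clustering or AI-based matching the text leaves open, and the sample log lines are all assumptions made for this illustration.

```python
"""Added example (not part of the patent): retrieve past analysis results for a
newly acquired piece of raw data, enforce per-record viewing authority, and
order the results by "likes". Record layout, field names and the token-overlap
matcher are assumptions made for this illustration."""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

TOKEN = re.compile(r"[A-Za-z0-9.]+")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
NUMBER = re.compile(r"^\d+$")


@dataclass(frozen=True)
class PastEvent:
    """One piece of event information acquired in the past (assumed layout)."""
    event_id: str
    raw_data: str
    analysis: str
    required_authority: Optional[str]  # None: no authority needed to view
    likes: int = 0


def normalize(raw: str) -> FrozenSet[str]:
    """Token set with PIDs/ports masked as <num> and addresses as <ip>, so that
    two occurrences of the same kind of event match despite different values."""
    out = set()
    for tok in TOKEN.findall(raw):
        if IPV4.match(tok):
            out.add("<ip>")
        elif NUMBER.match(tok):
            out.add("<num>")
        else:
            out.add(tok.lower())
    return frozenset(out)


def similarity(a: str, b: str) -> float:
    """Jaccard overlap of normalized tokens. Stands in for the clustering or
    AI-based matching the patent leaves open; any matcher that yields a score
    in [0, 1] can replace it."""
    ta, tb = normalize(a), normalize(b)
    if not ta or not tb:
        return 0.0
    return len(ta & tb) / len(ta | tb)


def may_view(event: PastEvent, viewer_authorities: FrozenSet[str]) -> bool:
    """Fail closed: a record that names a required authority is visible only
    to a viewer who holds that authority."""
    if event.required_authority is None:
        return True
    return event.required_authority in viewer_authorities


def visible_results(raw: str, past: List[PastEvent],
                    viewer_authorities: FrozenSet[str],
                    threshold: float = 0.5) -> List[PastEvent]:
    """Past events whose raw data matches `raw`, filtered by viewing authority
    and ordered with the most-liked analysis first."""
    matches = [e for e in past if similarity(raw, e.raw_data) >= threshold]
    allowed = [e for e in matches if may_view(e, viewer_authorities)]
    return sorted(allowed, key=lambda e: (-e.likes, e.event_id))


# Constructed sample records; not taken from the patent.
PAST_EVENTS = [
    PastEvent("ev-001", "sshd[2210]: Failed password for root from 10.0.0.5 port 51234 ssh2",
              "Brute-force attempt against root; source blocked at the firewall", None, likes=7),
    PastEvent("ev-002", "sshd[2377]: Failed password for admin from 10.0.0.9 port 51240 ssh2",
              "Credential stuffing; admin password rotated", "soc-analyst", likes=12),
    PastEvent("ev-003", "kernel: eth0: link is up",
              "Benign; link flap during scheduled maintenance", None, likes=1),
]
INCOMING = "sshd[3301]: Failed password for root from 10.0.0.7 port 51300 ssh2"

if __name__ == "__main__":
    for who in (frozenset(), frozenset({"soc-analyst"})):
        print(f"viewer authorities={sorted(who) or 'none'}")
        for e in visible_results(INCOMING, PAST_EVENTS, who):
            print(f"  {e.event_id} likes={e.likes}: {e.analysis}")
```

The authority check is deliberately applied after matching and before ranking, so a record the viewer may not see never reaches the display path at all; a viewer with no authority sees only the unrestricted ev-001, while a viewer holding "soc-analyst" sees ev-002 first because it carries more likes.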

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2023567533A JPWO2023112382A1 (ja) 2021-12-15 2022-08-10
US18/733,447 US20240320325A1 (en) 2021-12-15 2024-06-04 Analysis support method and analysis support device

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2021-203570 2021-12-15
JP2021203570 2021-12-15

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US18/733,447 Continuation US20240320325A1 (en) 2021-12-15 2024-06-04 Analysis support method and analysis support device

Publications (1)

Publication Number Publication Date
WO2023112382A1 true WO2023112382A1 (ja) 2023-06-22

Family

ID=86774224

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2022/030663 Ceased WO2023112382A1 (ja) 2021-12-15 2022-08-10 Analysis support method, analysis support device, and program

Country Status (3)

Country Link
US (1) US20240320325A1 (en)
JP (1) JPWO2023112382A1 (ja)
WO (1) WO2023112382A1 (ja)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006318442A (ja) * 2005-04-13 2006-11-24 Forval Telecom Inc Event log management server device, event management system, event log collection server device, event log storage server device, event log management method, and program therefor
JP2010039878A (ja) * 2008-08-07 2010-02-18 Hitachi Ltd Log management system and log display system
JP2017068748A (ja) * 2015-10-01 2017-04-06 富士通株式会社 Clustering program, clustering method, and information processing device
JP2019028891A (ja) * 2017-08-02 2019-02-21 三菱電機株式会社 Information processing device, information processing method, and information processing program

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
KR101677559B1 (ko) * 2013-03-22 2016-11-18 한국전자통신연구원 Image registration device and operation method thereof
JP6932779B2 (ja) * 2016-11-23 2021-09-08 Line株式会社 Method and system for verifying whether a detection result is valid
US11089035B2 (en) * 2017-12-11 2021-08-10 Radware Ltd. Techniques for predicting subsequent attacks in attack campaigns
US11093634B1 (en) * 2018-10-18 2021-08-17 Palantir Technologies Inc. Data security
US11055405B1 (en) * 2019-04-30 2021-07-06 Splunk Inc. Anomaly event detection using frequent patterns
US20210256401A1 (en) * 2020-02-18 2021-08-19 Crowdstrike, Inc. Embedding networks to extract malware family information

Also Published As

Publication number Publication date
JPWO2023112382A1 (ja) 2023-06-22
US20240320325A1 (en) 2024-09-26

Similar Documents

Publication Publication Date Title
US7676695B2 (en) Resolution of computer operations problems using fault trend analysis
CN108885659B (zh) Computer-implemented method and system for analyzing a first digital interaction or mobile device application interaction
US9460310B2 (en) Method and apparatus for substitution scheme for anonymizing personally identifiable information
US20100146622A1 (en) Security system and method for detecting intrusion in a computerized system
US20170041337A1 (en) Systems, Methods, Apparatuses, And Computer Program Products For Forensic Monitoring
US20080184058A1 (en) Analysis of event information to perform contextual audit
KR20180013998A (ko) Account theft risk identification method, identification device, and prevention and control system
CN116668185B (zh) Method and system for detecting abnormal API access behavior
US20100281043A1 (en) Fuzzy Database Matching
CN111221722A (zh) Behavior detection method and apparatus, electronic device, and storage medium
US8145913B1 (en) System and method for password protection
CN106789837A (zh) Network abnormal behavior detection method and detection device
JP7070994B2 (ja) Processing device, processing method, and program
US20150220850A1 (en) System and Method for Generation of a Heuristic
WO2023112382A1 (ja) Analysis support method, analysis support device, and program
CN115834124A (zh) Abnormal user detection method, device, and computer program product
US20250061192A1 (en) Surfacing reasons for anomalous multivariate sessions in audit and security logs
US12423705B2 (en) Fingerprinting account activity habits in order to discover fraudulent usage
Patterson et al. A cyber-threat analytic model for autonomous detection of virtual property theft
US20240403159A1 (en) Monitoring apparatus, monitoring method, and computer-readable storage medium
JP2022115654A (ja) Cause presentation program, cause presentation method, and information processing device
US10049208B2 (en) Intrusion assessment system
US12615282B2 (en) Security incident ranking and ranking explanation
US20250030729A1 (en) Security Incident Ranking and Ranking Explanation
US20250030713A1 (en) Stems and methods for securing a service by detecting client-side web page tampering

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22906918

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2023567533

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 22906918

Country of ref document: EP

Kind code of ref document: A1