WO2023223515A1 - Attack path estimation system, attack path estimation device, attack path estimation method, and program - Google Patents

Attack path estimation system, attack path estimation device, attack path estimation method, and program Download PDF

Info

Publication number
WO2023223515A1
WO2023223515A1 PCT/JP2022/020883 JP2022020883W WO2023223515A1 WO 2023223515 A1 WO2023223515 A1 WO 2023223515A1 JP 2022020883 W JP2022020883 W JP 2022020883W WO 2023223515 A1 WO2023223515 A1 WO 2023223515A1
Authority
WO
WIPO (PCT)
Prior art keywords
attack
route
information
target system
weighted
Prior art date
Application number
PCT/JP2022/020883
Other languages
French (fr)
Japanese (ja)
Inventor
靖 岡野
勝 松林
政志 田中
卓麻 小山
Original Assignee
日本電信電話株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日本電信電話株式会社 filed Critical 日本電信電話株式会社
Priority to PCT/JP2022/020883 priority Critical patent/WO2023223515A1/en
Priority to PCT/JP2023/011701 priority patent/WO2023223668A1/en
Publication of WO2023223515A1 publication Critical patent/WO2023223515A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures

Definitions

  • the present disclosure relates to an attack route estimation system, an attack route estimation device, an attack route estimation method, and a program.
  • connected cars vehicles equipped with the function of constantly connecting to external networks
  • Connected cars are expected to offer improved convenience, such as obtaining the latest traffic information, remote control of door locks and air conditioners, and software updates for electronic control units (ECUs).
  • ECUs electronice control units
  • Non-Patent Document 1 in an intranet, a monitor that monitors the startup of processes and communications sent and received by processes is installed on PCs, and by analyzing the logs output by the monitor, it is possible to detect attack communications and malicious files.
  • a method is disclosed that, when a process is detected, traces the communications and processes related to it and identifies the attack route and source of the attack.
  • the starting point of an attack route is the source of the attack, so in the following, identifying the attack route includes identifying the source of the attack.
  • logs may be missing due to vehicle malfunctions, deterioration of communication conditions due to the driving environment (for example, deterioration of communication conditions due to driving in a tunnel), or due to monitoring interference due to attacks. Some logs may become unobtainable. These deficiencies (including the inability to obtain logs) make log analysis even more difficult.
  • Non-Patent Document 1 when an attack communication or a malicious file/process is detected, the process of the communication partner, its parent process, the previous communication, etc. are tracked one after another. By doing so, you can identify the attack route. For this reason, missing logs make tracking them extremely difficult and greatly impede identification of attack routes.
  • the present disclosure has been made in view of the above points, and provides a technique for estimating an attack route.
  • An attack path estimation system is an attack path estimation system that estimates an attack path in a target system, and the attack path estimation system estimates a configuration of the target system using at least one of design information and operation history log of the target system.
  • a configuration information creation unit configured to create configuration information representing a configuration information, and an expected route representing an expected path of an attack on the target system using the configuration information and an attack pattern assumed on the target system.
  • an expected route information creation unit configured to create information; and when an attack on the target system is detected, the expected route information is created using a log acquired from the target system and a predetermined weighting condition.
  • a weighted predicted route information creation unit configured to create weighted predicted route information weighted for the target route information, and a route search based on the weighted predicted route information, are used to perform a route search from the source of the attack to the attack destination. and a route search unit configured to estimate an attack route representing the route.
  • a technique for estimating attack routes is provided.
  • FIG. 1 is a diagram illustrating an example of a hardware configuration of an attack path estimation device according to an embodiment.
  • FIG. 1 is a diagram illustrating an example of a functional configuration of an attack route estimating device according to an embodiment.
  • 7 is a flowchart illustrating an example of predicted route information creation processing according to the present embodiment. 7 is a flowchart illustrating an example of attack route estimation processing according to the present embodiment.
  • 1 is a diagram showing a vehicle control system in Example 1.
  • FIG. 3 is a diagram showing an example of an attack in Example 1.
  • FIG. FIG. 3 is a diagram showing an example of attack detection in the first embodiment.
  • 3 is a diagram showing vehicle configuration information in Example 1.
  • FIG. 3 is a diagram showing a predicted route in Example 1.
  • FIG. 3 is a diagram showing predicted route information in Example 1.
  • FIG. 1 is a diagram illustrating an example of a hardware configuration of an attack path estimation device according to an embodiment.
  • FIG. 1 is a diagram illustrating an example of a functional configuration
  • FIG. 3 is a diagram showing observation information in Example 1.
  • FIG. 3 is a diagram showing a weighted predicted route in Example 1.
  • FIG. 3 is a diagram showing weighted predicted route information in Example 1.
  • FIG. 2 is a diagram (part 1) showing an estimated attack route in Example 1;
  • FIG. 3 is a diagram (Part 2) showing an estimated attack route in Example 1;
  • 3 is a diagram showing an estimated attack route, its score, and cost in Example 1.
  • FIG. 7 is a diagram showing an assumed attack pattern in Example 2.
  • FIG. FIG. 7 is a diagram showing a weighted predicted route in Example 2;
  • FIG. 7 is a diagram showing weighted predicted route information in Example 2;
  • FIG. 7 is a diagram showing a weighted predicted route in Example 3;
  • FIG. 7 is a diagram showing a predicted route in Example 4.
  • FIG. 7 is a diagram showing a weighted predicted route in Example 4.
  • FIG. 7 is a diagram showing weighted predicted route information in Example 4;
  • FIG. 7 is a diagram (part 1) showing estimated attack routes, their scores, and costs in Example 4;
  • FIG. 7 is a diagram (Part 2) showing estimated attack routes, their scores, and costs in Example 4;
  • the attack route can be estimated even if the log is missing (data missing) when some kind of attack is detected, mainly targeting the vehicle control system.
  • the attack route estimation device 10 will be explained.
  • the attack path is a path from the attack source (attack source malicious process, malicious ECU, etc.) to the attack target (attack destination).
  • the vehicle control system is a system that includes an electronic control unit (ECU), CAN, etc., and controls various functions of a vehicle (for example, a car, a special vehicle, a motorcycle, a bicycle, etc.).
  • ECU electronice control unit
  • this embodiment is not limited to vehicle control systems, but is applicable to machines installed in machinery (e.g., machine tools, construction machinery, agricultural machinery, industrial machinery, etc.) and configured with an electronic control unit (ECU), CAN, etc. It is similarly applicable to control systems.
  • the present invention can be similarly applied to IoT systems configured with IoT devices and arbitrary communication networks.
  • FIG. 1 shows an example of the hardware configuration of an attack path estimation device 10 according to this embodiment.
  • the attack path estimation device 10 includes an input device 101, a display device 102, an external I/F 103, a communication I/F 104, and a RAM (Random Access Memory) 105. It has a ROM (Read Only Memory) 106, an auxiliary storage device 107, and a processor 108. Each of these pieces of hardware is communicably connected via a bus 109.
  • the input device 101 is, for example, a keyboard, a mouse, a touch panel, a physical button, or the like.
  • the display device 102 is, for example, a display, a display panel, or the like. Note that the attack route estimation device 10 may not include at least one of the input device 101 and the display device 102, for example.
  • the external I/F 103 is an interface with an external device such as the recording medium 103a.
  • the attack route estimation device 10 can read and write data on the recording medium 103a via the external I/F 103.
  • Examples of the recording medium 103a include a flexible disk, a CD (Compact Disc), a DVD (Digital Versatile Disk), an SD memory card (Secure Digital memory card), and a USB (Universal Serial Bus) memory card.
  • the communication I/F 104 is an interface for connecting the attack path estimation device 10 to a communication network.
  • the RAM 105 is a volatile semiconductor memory (storage device) that temporarily holds programs and data.
  • the ROM 106 is a nonvolatile semiconductor memory (storage device) that can retain programs and data even when the power is turned off.
  • the auxiliary storage device 107 is, for example, a storage device such as an HDD (Hard Disk Drive), an SSD (Solid State Drive), or a flash memory.
  • the processor 108 is, for example, an arithmetic device such as a CPU (Central Processing Unit).
  • the attack route estimation device 10 can realize expected route information creation processing and attack route estimation processing, which will be described later.
  • the hardware configuration shown in FIG. 1 is an example, and the hardware configuration of the attack route estimation device 10 is not limited to this.
  • the attack path estimation device 10 may include multiple auxiliary storage devices 107 and multiple processors 108, may not include a part of the illustrated hardware, or may include the illustrated hardware. It may also include various other hardware.
  • FIG. 2 shows an example of the functional configuration of the attack route estimation device 10 according to this embodiment.
  • the attack route estimation device 10 includes an expected route configuration section 110 and an attack route estimation section 120. Each of these units is realized, for example, by one or more programs installed in the attack path estimation device 10 causing the processor 108 to execute the process.
  • the attack route estimation device 10 includes an expected route information storage unit 130.
  • the predicted route information storage unit 130 is realized by, for example, the auxiliary storage device 107.
  • the expected route information storage unit 130 may be realized, for example, by a storage device such as a database that is connected to the attack route estimation device 10 via a communication network.
  • the predicted route configuration unit 110 uses information obtained in advance to create predicted route information representing the predicted route of the attack. As a result, even if there is data missing in the log when an attack was detected (hereinafter also referred to as attack detection log), the attack route can be estimated by filling in the missing part with the predicted route. becomes.
  • the information obtained in advance includes design information such as the ECUs installed in the vehicle, the processes executed by those ECUs, communication, network connections, etc., and the processes and information of each EUC obtained in advance. It is assumed that an operation history log representing a communication log and an assumed attack pattern representing a previously assumed attack path of a malicious EUC or a malicious process are used.
  • the expected route configuration section 110 includes a vehicle configuration information creation section 111 and an expected route information creation section 112.
  • the vehicle configuration information creation unit 111 creates vehicle configuration information using design information and operation history logs.
  • Vehicle configuration information refers to the processes executed in the EUC, the ECU itself, the communications and network connections sent and received by them, objects related to those processes and ECUs (e.g. data, files, etc.), and the associations between nodes. This is information expressed in a graph structure with edges.
  • the expected route information creation unit 112 creates expected route information using the vehicle configuration information and the assumed attack pattern. Further, the predicted route information creation unit 112 stores the generated predicted route information in the predicted route information storage unit 130.
  • the assumed attack pattern refers to the malicious processes and ECUs that are assumed in advance, the malicious communications and network connections that they send and receive, and the objects (e.g., data, files, etc.) related to these malicious processes and ECUs that are connected to nodes, This is information expressed in a graph structure with edges representing associations between nodes. Further, the expected route information is obtained by adding a graph represented by an assumed attack pattern to the graph represented by the vehicle structure information. In other words, the expected route information is information expressed in a graph structure in which nodes and edges of the assumed attack pattern are added to the nodes and edges of the vehicle structure information.
  • expected route information is created by adding the graph represented by the assumed attack pattern to the graph represented by vehicle configuration information.
  • an attack route first passes through a normal route, that is, a route in the graph represented by the vehicle configuration information, and then, at the time of the attack, nodes (malicious processes, malicious communications, malicious files, etc.) that are not in the graph represented by the vehicle configuration information.
  • nodes malware processes, malicious communications, malicious files, etc.
  • a malicious object such as a malicious object
  • the attack route estimation unit 120 estimates an attack route using the expected route information, the attack detection log, and the weighting rule, and creates attack route information representing the attack route.
  • the attack detection log is a log collected when an IDS or the like of a vehicle control system detects an attack.
  • the attack detection log may be collected by the vehicle control system and sent to the attack route estimation device 10 when the IDS or the like of the vehicle control system detects an attack, or the attack detection log may be collected by the attack route estimation device 10 from the vehicle control system. You may.
  • the weighting rule is information representing weighting conditions (rules) used when creating weighted predicted route information, which will be described later.
  • the attack route estimation unit 120 includes a weighted expected route information creation unit 121 and a route search unit 122.
  • the weighted expected route information creation unit 121 acquires attack detection logs, creates attack observation information using these attack detection logs, and adds/overwrites the observed information to the expected route information. Further, the weighted predicted route information creation unit 121 weights the edges of the predicted route information after addition/overwriting using a weighting rule, and creates weighted predicted route information.
  • Observation information includes processes and ECUs that appear in attack detection logs (including malicious processes and malicious ECUs), communications and network connections sent and received by them, objects related to those processes and ECUs (e.g., data, files, etc.) It is information expressed in a graph structure with nodes as nodes and edges as associations between nodes. In other words, the observation information is graph information representing the route of an attack observed as an attack detection log.
  • the missing portion can be supplemented with predicted route information.
  • multiple attack paths can be estimated in the complementary part, but by weighting the edges, it is possible to estimate a more likely path as the attack path.
  • the weight represents the strength of association between nodes.
  • the weight may be, for example, a cost that is assigned a smaller value as the association between nodes is stronger, or a transition probability that represents the probability that the edge can be used. Further, for example, some of the weights may be given in advance by the predicted route configuration unit 110 (in particular, the vehicle configuration information creation unit 111).
  • the route search unit 122 starts from a node representing a malicious process or malicious communication detected by an IDS or the like of a vehicle control system (hereinafter also referred to as a detection node), and searches backward from the detection node using weighted predicted route information. Perform route search and estimate attack route (including attack source). The route search unit 122 also outputs attack route information representing the estimated attack route to a predetermined output destination (for example, the display device 102 such as a display, the auxiliary storage device 107, another terminal connected via a communication network, etc.). Output to.
  • a shortest route search method such as Dijkstra's method can be used.
  • a plurality of attack routes estimated by the route search unit 122 can be estimated as routes from different attack source nodes to the same detection node. For this reason, the route search unit 122 may output the most probable attack route information among the plurality of pieces of attack route information to a predetermined output destination, for example, using a predetermined score. Alternatively, the route search unit 122 may output a plurality of pieces of attack route information and their scores to a predetermined output destination.
  • the score is, for example, the sum of costs given to edges on the attack route, this sum divided by the number of nodes on the attack route, and the score from the start point to the end point (detected node) of the attack route. The transition probability of , etc. can be used.
  • the predicted route information storage unit 130 stores predicted route information. Note that the predicted route information storage unit 130 may store predicted route information corresponding to each type or type of vehicle, for example. In this case, the attack route estimation unit 120 uses predicted route information corresponding to the type and type of vehicle in which the attack was detected.
  • the vehicle configuration information creation unit 111 of the predicted route configuration unit 110 creates vehicle configuration information using the design information and the operation history log (step S101). Note that the vehicle configuration information creation unit 111 may use both the design information and the operation history log, or may use only one of them.
  • the predicted route information creation unit 112 of the predicted route configuration unit 110 creates predicted route information using the vehicle configuration information and the assumed attack pattern, and stores this predicted route information in the predicted route information storage unit 130 (step S102). .
  • Attack route estimation processing is executed every time an attack is detected by the vehicle control system.
  • the weighted predicted route information creation unit 121 of the attack route estimation unit 120 acquires attack detection logs, creates attack observation information using those attack detection logs, and adds/overwrites the observation information to the expected route information. After that, weighted predicted route information is created using a weighting rule (step S201).
  • the route search unit 122 of the attack route estimation unit 120 estimates an attack route by searching the weighted expected route information from the detection node back, and then outputs attack route information representing the estimated attack route as a predetermined output. It is output first (step S202). Note that at this time, the route search unit 122 may output the most probable attack route information among the plurality of attack route information using a predetermined score, or may output the most probable attack route information among the plurality of attack route information and their scores. You can also output it.
  • Example 1 ⁇ Example 1 Example 1 will be described below.
  • an attack route is estimated using a comprehensive assumed attack pattern. That is, in this embodiment, a case will be described in which a variety of attacks are comprehensively assumed without assuming a specific attack, and the attack route can be estimated even for an unknown attack.
  • FIG. 5 shows the configuration of the vehicle control system in this embodiment.
  • the vehicle control system in this embodiment uses a smartphone or the like to perform remote operations such as locking/unlocking the doors of the target vehicle and turning on/off the air conditioner.
  • an OEM site accepts instructions from a smartphone.
  • the TCUctrl process on the TCU which is the telematics control unit, periodically makes HTTPS access (URLOEM) to the OEM site to receive commands.
  • the command is communicated via Ethernet (IPCGW), converted into CAN communication (CAN6AA) by the central gateway CGW, and executed by the ECU 1 corresponding to the CAN communication.
  • IPCGW Ethernet
  • CAN6AA CAN communication
  • the OEM site and TCU are connected by NWEXT, which is an external wireless IP network, and the TCU and CGW are connected by NWINT, which is an in-vehicle Ethernet network. Further, the CGW and each ECU are connected by CANBUS, which is an in-vehicle CAN network. Furthermore, the TCU and each ECU are also connected via CANBUS for purposes such as remote diagnosis and measurement.
  • NWEXT may include, for example, devices such as a router and an HTTPS proxy, but a description thereof will be omitted.
  • NWINT may include, for example, equipment such as an Ethernet switch, but a description thereof will be omitted.
  • CANBUS may include devices such as a CAN gateway, but a description thereof will be omitted.
  • ECU1 will be mainly explained among the ECUs, and the explanation of the other ECUs will be omitted.
  • monitors and detectors are installed at NWEXT, TCU, NWINT, and CANBUS, and each outputs a log.
  • NWEXT URL access log
  • TCU process startup log (startup process and its parent process)
  • NWINT attack communication detection alert log by Ethernet-IDS
  • CANBUS attack communication detection alert log for CAN-IDS. It shall be output.
  • FIG. 6 An example of an attack on the vehicle control system in this embodiment is shown in FIG.
  • the attack example shown in FIG. 6 is a Drive by Download attack in which an illegal command is executed.
  • fraudulent information that attacks the TCUctrl vulnerability is embedded on the OEM site.
  • TCUctrl accesses (URLOEM) the unauthorized information on the TCU
  • a mal1 process which is an unauthorized process, is generated and activated on the TCU due to the vulnerability.
  • the mal1 process accesses the attacker's site (URLmal), downloads an attack program to the TCU, and uses the attack program to generate and start a mal2 process, which is an unauthorized process.
  • the mal2 process sends an unauthorized CAN message CAN6AA' to CANBUS (CAN message insertion attack) and causes the ECU 1 to execute an unauthorized command.
  • CANBUS CAN message insertion attack
  • FIG. 7 shows a graphical representation of the log output during the above attack.
  • NWEXT outputs URL access logs to URLOEM and URLmal
  • TCU outputs mal1 boot logs of TCUctrl and mal2 boot logs of mal1
  • CANBUS outputs attack communication detection alert logs related to CAN6AA'.
  • NWEXT URL access log it is known that the access was made from the TCU, but it is not possible to specify from which process of the TCU the access was made.
  • CANBUS attack communication detection alert log it is known that CAN6AA' was used in the attack, but the device and process that was the source of the attack cannot be identified. Note that since there is no attack communication in NWINT, no log is output.
  • the attack route is estimated by tracing back from CANBUS CAN6AA' where the attack was detected.
  • predicted route information is created in advance by the predicted route configuration unit 110.
  • the vehicle configuration information shown in FIG. 8 is created by the vehicle configuration information creation section 111, and then the expected route information creation section 112 creates expected route information from the vehicle configuration information and the assumed attack pattern.
  • the vehicle configuration information shown in FIG. 8 is a graph structure related to each device or process and communication in the vehicle control system shown in FIG. 5 expressed as an adjacency matrix.
  • the source node (Src.) is assigned to the row
  • the destination node (Dst.) is assigned to the column. Elements between nodes that have a relationship (edge) are expressed as 1, and elements between nodes that are not related are expressed as 0. do.
  • a node representing a process is also referred to as a process node
  • a node representing communication is also referred to as a communication node.
  • the assumed attack pattern in this example was set as follows, allowing a comprehensive assumption of attack routes.
  • edges to wildcard nodes are set along each device/network connection.
  • a wildcard node for a process has an edge that means a startup relationship with all other process nodes in the device where the process is executed, and also communicates with all communication nodes on the network connected to the device. Give it an edge that signifies a relationship.
  • a communication wildcard node has an edge indicating a communication relationship with all process nodes on a device connected to the network where the communication is performed.
  • FIG. 9 shows a graph representing a predicted route incorporating such a comprehensive assumed attack pattern. Further, information (expected route information) expressing the graph structure as an adjacency matrix is shown in FIG.
  • the nodes NWEXT * , TCU*, NWINT * , and CANBUS * added on NWEXT, TCU, NWINT , and CANBUS, respectively, are wildcard nodes.
  • the wildcard node TCU * has a bidirectional edge representing a startup relationship with the process TCUctrl on the TCU, and since the TCU is also connected to NWEXT, NWINT, and CANBUS, the communication nodes URLOEM, NWEXT * , and IPCGW of those networks are connected to the wildcard node TCU*.
  • NWINT * , CAN6AA, and CANBUS * are all set to have bidirectional edges representing communication relationships.
  • the wildcard node of a certain device or network may be omitted, a wildcard node may be added, or the number of edges connected to the wildcard node may be reduced or increased. For example, it is not necessary to set a process wildcard node in a device that performs very strict forced access control and is certain that unauthorized process startup cannot occur. Furthermore, if network communication is restricted and controlled by a firewall with strong security, the edges connected to wildcard nodes may be reduced or made unidirectional edges according to the restrictions and controls.
  • the attack route estimation unit 120 estimates the attack route using the expected route information.
  • the weighted expected route information creation unit 121 acquires attack detection logs, creates observation information from these attack detection logs, adds and overwrites the observed information to the expected route information, and then sets weights using weighting rules. Create predicted route information.
  • FIG. 11 shows observation information created from the attack detection log when the attack example shown in FIG. 6 was detected.
  • URLs mal, mal1, mal2, and CAN6AA' are nodes that are not in the vehicle configuration information, and are replaced as wild card nodes NWEXT * , TCU * , and CANBUS * , respectively. Note that both TCUs mal1 and mal2 are substituted as TCU * . Therefore, the process activation relationship TCUctrl ⁇ mal1 ⁇ mal2 is replaced by TCUctrl ⁇ TCU * .
  • the following rules 1 to 5 are used as weighting rules for edges of predicted route information.
  • FIG. 12 shows a graph in which predicted route information is weighted using the above weighting rule. Further, information (weighted predicted route information) representing this graph as an adjacency matrix is shown in FIG. In FIG. 12, edges with high cost are represented by broken lines, edges with medium cost are represented by solid lines, and edges with low cost are represented by solid thick lines. Further, in FIG. 13, large cost is set as 100, medium cost as 10, and small cost as 1.
  • weighting rules may be changed, added, or deleted depending on the characteristics of the system. For example, rules such as uniformly reducing the cost of all edges connected to nodes that exist in observation information, reducing the cost of edges with wildcard nodes for process nodes that communicate with each other that are susceptible to threats, etc. May be added. Furthermore, if there are a plurality of CAN buses and attacks can be detected for each CAN bus, a rule may be added that particularly reduces the cost of an edge connected to the CAN bus where an attack has been detected. Further, in a system where there is a high possibility of failure in detecting an attack, the above rule 2 may be deleted. Furthermore, an appropriate value may be set as appropriate regarding the actual value of cost.
  • weighting may be performed in advance by the predicted route configuration unit 110.
  • the weighting according to the above rules 3 to 5 is performed in advance in the expected route configuration unit 110, and only the above rules 1 to 2 are performed in the attack route estimation unit 120 (the weighted expected route information creation unit 121). You may go.
  • the route search unit 122 uses the weighted expected route information to estimate an attack route tracing back from the CANBUS network where the CAN-IDS attack communication detection alert has occurred. That is, the wild card node CANBUS * corresponding to the attack communication detection alert is set as a target, and a route to reach the target from other nodes and a score of the route are determined. The score is the sum of the costs of edges in the route divided by the number of edges in the route.
  • a shortest route search method such as Dijkstra's method can be used. An example of the route searched in this example is shown in FIGS. 14 and 15. In the example shown in FIG.
  • the attack path URLOEM ⁇ TCLctrl ⁇ TCU * ⁇ CANBUS * is searched.
  • the attack route NWEXT * ⁇ TCU * ⁇ CANBUS * is searched.
  • FIG. 16 shows a list of attack routes estimated in this example, their scores, and costs.
  • the route search unit 122 selects an appropriate attack route from among these attack routes, and outputs attack route information representing the selected attack route to a predetermined output destination.
  • Various methods can be considered to select an appropriate attack route, such as an attack route whose score is within a certain predetermined range, an attack route whose score is greater than or equal to a certain predetermined threshold, etc.
  • the score may be the sum of the costs of edges on the route divided by the number of nodes on the route, or the transition probability from the start point to the end point (detection node, target) of the attack route may be used as the score.
  • vehicle configuration information and a comprehensive assumed attack pattern are created in advance as expected route information, and then weighted expected route information is created from this expected route information, attack detection log, and weighting rule. . This allows the attack route to be estimated even if the attack detection log is incomplete.
  • the processes and communications that are the targets of log output are used as nodes, but if the target of log output changes, the nodes and edges may be changed accordingly.
  • nodes include files, system calls, signals, and the like.
  • the representation of the graph is not limited to an adjacency matrix, and may be represented in other formats such as a connection matrix, a Laplacian matrix, a list representation, and the like. Furthermore, it may be expressed as a bipartite graph instead of a one-part bluff.
  • Example 2 ⁇ Example 2 Example 2 will be described below.
  • an attack route is estimated using a known assumed attack pattern.
  • vehicle configuration information is created by the vehicle configuration information creation unit 111.
  • the predicted route information creation unit 112 creates predicted route information from the vehicle configuration information and the assumed attack pattern.
  • Assumed attack patterns may be given, for example, as a graph model representing the relationship between threats and vulnerabilities (also called an attack graph), or as indicators of compromise information (IoC). May be given. Below, a case will be described in which the assumed attack pattern is given by IoC.
  • FIG. 17 shows an example of IoC and its representation as an attack graph.
  • the attack graph is expressed as an adjacency matrix, all processes and communications that appear during IoC are described as nodes, and edges between associated nodes are set.
  • This IoC and attack graph are stored together with vehicle configuration information in the expected route information storage unit 130 as expected route information.
  • TCUctrl which is vulnerable to URLEM, is not described. This is because, for example, if a library has a vulnerability, all programs that use the library will be affected, so the program/process name may not be written in the IoC.
  • the attack route estimation unit 120 estimates the attack route using the expected route information.
  • the weighted predicted route information creation unit 121 acquires attack detection logs and creates observation information from these attack detection logs. Furthermore, the weighted predicted route information creation unit 121 obtains from the predicted route information storage unit 130 an attack graph representing the IoC that most matches those attack detection logs. Then, the weighted predicted route information creation unit 121 adds and overwrites the observation information and the attack graph to the vehicle configuration information, and then creates weighted predicted route information using the weighting rule.
  • the following rules 1 to 4 are used as weighting rules for the edges of the predicted route information. Note that, as in the embodiment, the weighting rules may be changed, added, or deleted depending on the characteristics of the system.
  • FIG. 18 shows a graph in which predicted route information is weighted using the above weighting rule. Further, information (weighted predicted route information) representing this graph as an adjacency matrix is shown in FIG. In FIG. 18, edges with high cost are represented by broken lines, edges with medium cost are represented by solid lines, and edges with low cost are represented by solid thick lines. Further, in FIG. 19, large cost is set as 100, medium cost as 10, and small cost as 1. Note that there are no edges with large costs in FIGS. 18 and 19.
  • the route search unit 122 may use this weighted expected route information to estimate the attack route going back from the CANBUS network where the CAN-IDS attack communication detection alert has occurred.
  • Example 3 will be described below.
  • the comprehensive assumed attack pattern of the first embodiment and the known assumed attack pattern of the second embodiment may be combined.
  • Example 2 if mal2 and CAN6AA' are not included in the known expected attack pattern (in FIG. 17, if the IoC matches that of No. 2), then wildcard nodes TCU * and CAN6AA' are used instead, respectively. It may also be comprehensively expressed as CANBUS * .
  • FIG. 20 shows an example of a graph represented by weighted expected route information when a comprehensive assumed attack pattern and a known assumed attack pattern are used. Thereafter, similarly to the first and second embodiments, the route search unit 122 may estimate an attack route using this weighted expected route information.
  • Example 4 will be described below. In this embodiment, a case will be described in which an attack route is estimated only by network monitoring without performing process monitoring. It is assumed that the configuration of the vehicle control system, attack examples, and attack detection conditions are the same as in the first embodiment.
  • FIG. 21 shows a graph of the predicted route information created by the predicted route information creation unit 112. Unlike the first embodiment, since process monitoring is not performed, there are no processes TCUctrl and TCU * nodes, and instead the TCU itself becomes a node, and the node TCU is the node URLOEM, NWEXT * , IPCGW, NWINT * , CAN6AA, CANBUS * and has an edge.
  • FIG. 22 shows a graph in which predicted route information is weighted using the same weighting rules as in Example 1 when an attack is detected. Further, information (weighted predicted route information) representing this graph as an adjacency matrix is shown in FIG. Further, FIG. 24 shows the route searched back from the detection node CANBUS * (estimated attack route) using the shortest route search method, and its score and cost.
  • FIG. 25 shows attack routes (estimated attack routes) searched by the multiple route search method, their scores, and costs.
  • the shortest route search is performed from each node one edge back from the target node.
  • the target node is the detection node CANBUS *
  • the shortest route search is performed from each of the nodes TCU and CGW that are one edge back from that node.
  • Example 5 will be described below.
  • Logs that have been observed for a long time may contain multiple attack communication detection alerts. Therefore, if such a log is acquired as an attack detection log, it may be difficult to estimate the attack route. Therefore, when a log that has been observed for a long time is acquired as an attack detection log, the attack detection log may be appropriately divided and the present embodiment may be applied to each of the divided logs.
  • a method for dividing the attack detection log for example, methods such as extracting a portion of a specific period before and after the attack communication detection alert, dividing using a clustering method, etc. can be used.
  • the same alert when the same alert occurs continuously, in order to further improve the accuracy of estimating the attack path, for example, the same alerts may be grouped together into one representative, or the start and end of the period in which the same alert occurs continuously. Alerts other than these two points may be deleted and then divided.
  • the attack route estimation device 10 creates expected route information expressed in a discrete graph from vehicle configuration information and an assumed attack pattern in advance, and then uses the attack detection information obtained at the time of attack detection.
  • the attack route is estimated by creating weighted expected route information from logs and weighting rules, and performing a route search using the weighted expected route information from the attack detection node. This makes it possible to estimate the attack route even if there is data loss in the log obtained at the time of attack detection (attack detection log). Therefore, for example, when an attack on a vehicle control system is detected, it becomes possible to efficiently analyze the range of its influence.
  • the vehicle control system has been described as an example, but the present embodiment is not limited to this, and can be applied to other communication systems with communication functions such as machine control systems. Forms may also be applied. For example, communications consisting of industrial control equipment such as robots in factories, sensors placed in various places, audio equipment, home appliances, information processing terminals (smartphones, tablets, etc.), equipment generally called IoT equipment, etc. This embodiment may be applied to a system.
  • industrial control equipment such as robots in factories, sensors placed in various places, audio equipment, home appliances, information processing terminals (smartphones, tablets, etc.), equipment generally called IoT equipment, etc.
  • This embodiment may be applied to a system.
  • attack detection logs include, for example, alert logs of network attack detection functions such as CAN-IDS and in-vehicle Ethernet IDS, communication rejection logs and communication statistics logs of CAN communication gateways and IP firewalls, and communication statistics logs of ECUs and terminals.
  • System logs from OS (Operating System) security audits, malware scan reports from anti-virus software, application logs such as proxy server access logs, etc. can be used.
  • Attack route estimation device 101 Input device 102 Display device 103 External I/F 103a Recording medium 104 Communication I/F 105 RAM 106 ROM 107 Auxiliary storage device 108 Processor 109 Bus 110 Expected route configuration unit 111 Vehicle configuration information creation unit 112 Expected route information creation unit 120 Attack route estimation unit 121 Weighted expected route information creation unit 122 Route search unit 130 Expected route information storage unit

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

An attack path estimation system according to one embodiment of the present disclosure estimates an attack path in a subject system, and has: a configuration information creation unit configured so as to use at least one of an operation history log and design information about the subject system to create configuration information representing the configuration of the subject system; a predicted path information creation unit configured so as to use the configuration information and an attack pattern postulated by the subject system to create predicted path information representing predicted paths for an attack on the subject system; a weighted predicted path information creation unit configured so as to use a log obtained from the subject system and a prescribed weighting rule to create weighted predicted path information in which the predicted path information has been weighted, when an attack on the subject system has been detected; and a path retrieval unit configured so as to estimate an attack path representing the path from the source of the attack to the attack destination by means of a path search with respect to the weighted predicted path information.

Description

攻撃経路推定システム、攻撃経路推定装置、攻撃経路推定方法及びプログラムAttack route estimation system, attack route estimation device, attack route estimation method and program
 本開示は、攻撃経路推定システム、攻撃経路推定装置、攻撃経路推定方法及びプログラムに関する。 The present disclosure relates to an attack route estimation system, an attack route estimation device, an attack route estimation method, and a program.
 近年、外部ネットワークへの常時接続機能を具備した車両(いわゆるコネクテッドカー)の普及が見込まれている。コネクテッドカーでは、最新の交通情報の入手、ドアロックやエアコンディショナー等の遠隔操作、電子制御装置(ECU:Electronic Control Unit)のソフトウェアアップデート等といった利便性の向上が期待されている。 In recent years, vehicles equipped with the function of constantly connecting to external networks (so-called connected cars) are expected to become popular. Connected cars are expected to offer improved convenience, such as obtaining the latest traffic information, remote control of door locks and air conditioners, and software updates for electronic control units (ECUs).
 一方で、車両やその電子制御装置が外部ネットワークに接続されることにより、従来のIT機器と同様に、悪意のある攻撃者からのサイバー攻撃の対象となり得ることが懸念されている。実際に車両に搭載されたコントローラを外部ネットワークからのアクセスによって不正に改ざんし、コントローラからECUに対して偽指令を行うことで車両制御を乗っ取ることが可能であったとする研究も報告されている。このため、車両へのサイバー攻撃を検知するために、車両の制御情報ネットワークであるCAN(Controller Area Network)に対する異常を検知するIDS(Intrusion Detection System)も研究されている。 On the other hand, there are concerns that by connecting vehicles and their electronic control devices to external networks, they could become targets of cyberattacks from malicious attackers, just like conventional IT devices. Research has also reported that it was possible to hijack vehicle control by illegally tampering with the controller installed in a vehicle through access from an external network and sending false commands from the controller to the ECU. Therefore, in order to detect cyber-attacks on vehicles, research is also being conducted on IDS (Intrusion Detection Systems) that detect abnormalities in CAN (Controller Area Network), which is a vehicle control information network.
 ところで、サイバー攻撃が検知された場合にはその攻撃の分析が行われるが、サイバー攻撃分析の重要な目的の1つは、攻撃元の機器やその機器内のマルウェアプロセス・プログラムを特定し、攻撃経路を明らかにすることである。なお、複数の機器が接続されたイントラネットやサーバシステムにおいては、SIEM(Security Information Event Management)等といったネットワーク・機器の監視により得られるログを分析する手法がよく用いられる。例えば、非特許文献1には、イントラネットにおいて、プロセスの起動やプロセスが送受信する通信等を監視するモニタをPCに導入し、そのモニタが出力するログを分析することで、攻撃通信や悪性ファイル・プロセスが検知された場合にそれに関連する通信・プロセスを追跡し、攻撃経路と攻撃の発生源を特定する手法が開示されている。なお、一般に、攻撃経路の始点が攻撃の発生源であるため、以下では、攻撃経路を特定することには攻撃の発生源を特定することも含まれるものとする。 By the way, when a cyber attack is detected, the attack is analyzed, and one of the important purposes of cyber attack analysis is to identify the device that is the source of the attack and the malware process/program within that device, and to identify the attack source. It is to clarify the route. Note that in intranets and server systems to which a plurality of devices are connected, a method of analyzing logs obtained by monitoring networks and devices, such as SIEM (Security Information Event Management), is often used. For example, in Non-Patent Document 1, in an intranet, a monitor that monitors the startup of processes and communications sent and received by processes is installed on PCs, and by analyzing the logs output by the monitor, it is possible to detect attack communications and malicious files. A method is disclosed that, when a process is detected, traces the communications and processes related to it and identifies the attack route and source of the attack. Note that, in general, the starting point of an attack route is the source of the attack, so in the following, identifying the attack route includes identifying the source of the attack.
 複数のECUがCANやEthernet等により接続された車両制御システムでも、攻撃経路の特定にログ分析を用いるのは有効であると思われる。しかしながら、EUCはPCやサーバ等と比較して安価・低性能であるため、ECUへのモニタ導入が困難な場合がある。また、ログを収集するためのネットワーク帯域もコスト面から制限されるため、収集対象のログも厳選されることが多い。加えて、CANは送信元アドレス及び送信先アドレスを持たないプロトコルであるため、CANバスを監視するCAN-IDSやCAN通信モニタでは送信元ECU及び送信先ECUの特定が困難である。このように、車両制御システムでは、一般的なITシステムと比較して取得可能なログやその種類が少なくなり得る。 Even in vehicle control systems in which multiple ECUs are connected via CAN, Ethernet, etc., it seems effective to use log analysis to identify attack paths. However, since EUCs are cheaper and have lower performance than PCs, servers, etc., it may be difficult to introduce a monitor into the ECU. Additionally, the network bandwidth for collecting logs is limited due to cost considerations, so the logs to be collected are often carefully selected. In addition, since CAN is a protocol that does not have a source address or a destination address, it is difficult to identify the source ECU and destination ECU using a CAN-IDS or CAN communication monitor that monitors the CAN bus. In this way, in a vehicle control system, the number of logs and types thereof that can be obtained may be smaller than in a general IT system.
 また、車両故障、走行環境を原因とした通信状況の悪化(例えば、トンネル内を走行していることによる通信状況の悪化)等によってログに欠損が発生し得るし、攻撃による監視妨害等によっても一部のログが取得不能となり得る。これらの欠損(ログの取得不能も含む)はログ分析を更に困難にする。 In addition, logs may be missing due to vehicle malfunctions, deterioration of communication conditions due to the driving environment (for example, deterioration of communication conditions due to driving in a tunnel), or due to monitoring interference due to attacks. Some logs may become unobtainable. These deficiencies (including the inability to obtain logs) make log analysis even more difficult.
 例えば、非特許文献1に開示されている手法では、攻撃通信や悪性ファイル・プロセスが検知された場合にその通信相手のプロセス、その親プロセス又はその1つ前の通信等を次々に追跡していくことで、攻撃経路を特定する。このため、ログの欠損はその追跡を著しく困難なものとし、攻撃経路の特定に大きな妨げとなる。 For example, in the method disclosed in Non-Patent Document 1, when an attack communication or a malicious file/process is detected, the process of the communication partner, its parent process, the previous communication, etc. are tracked one after another. By doing so, you can identify the attack route. For this reason, missing logs make tracking them extremely difficult and greatly impede identification of attack routes.
 なお、上記のような課題は、車両制御システムに限られず、ネットワークで接続される各種機器に関しても共通の課題であると考えられる。例えば、IoT(Internet of Things)機器に関しても、既製品に新たにモニタを導入することは困難であるため、攻撃経路を特定するためのログ分析に必要なログを得られない恐れがある。 Note that the above-mentioned problems are considered to be common not only to vehicle control systems but also to various devices connected via a network. For example, with regard to IoT (Internet of Things) equipment, it is difficult to introduce a new monitor to an existing product, so there is a risk that logs necessary for log analysis to identify attack routes may not be obtained.
 本開示は、上記の点に鑑みてなされたもので、攻撃経路を推定する技術を提供する。 The present disclosure has been made in view of the above points, and provides a technique for estimating an attack route.
 本開示の一態様による攻撃経路推定システムは、対象システムにおける攻撃経路を推定する攻撃経路推定システムであって、前記対象システムの設計情報と動作履歴ログの少なくとも一方を用いて、前記対象システムの構成を表す構成情報を作成するように構成されている構成情報作成部と、前記構成情報と、前記対象システムで想定される攻撃パターンとを用いて、前記対象システムに対する攻撃の予想経路を表す予想経路情報を作成するように構成されている予想経路情報作成部と、前記対象システムに対する攻撃が検知された場合、前記対象システムから取得されたログと所定の重み付け条件とを用いて、前記予想経路情報に対して重み付け行った重み付き予想経路情報を作成するように構成されている重み付き予想経路情報作成部と、前記重み付き予想経路情報に対する経路探索により、前記攻撃の発生源から攻撃先までの経路を表す攻撃経路を推定するように構成されている経路探索部と、を有する。 An attack path estimation system according to an aspect of the present disclosure is an attack path estimation system that estimates an attack path in a target system, and the attack path estimation system estimates a configuration of the target system using at least one of design information and operation history log of the target system. a configuration information creation unit configured to create configuration information representing a configuration information, and an expected route representing an expected path of an attack on the target system using the configuration information and an attack pattern assumed on the target system. an expected route information creation unit configured to create information; and when an attack on the target system is detected, the expected route information is created using a log acquired from the target system and a predetermined weighting condition. A weighted predicted route information creation unit configured to create weighted predicted route information weighted for the target route information, and a route search based on the weighted predicted route information, are used to perform a route search from the source of the attack to the attack destination. and a route search unit configured to estimate an attack route representing the route.
 攻撃経路を推定する技術が提供される。 A technique for estimating attack routes is provided.
本実施形態に係る攻撃経路推定装置のハードウェア構成の一例を示す図である。1 is a diagram illustrating an example of a hardware configuration of an attack path estimation device according to an embodiment. FIG. 本実施形態に係る攻撃経路推定装置の機能構成の一例を示す図である。1 is a diagram illustrating an example of a functional configuration of an attack route estimating device according to an embodiment. 本実施形態に係る予想経路情報作成処理の一例を示すフローチャートである。7 is a flowchart illustrating an example of predicted route information creation processing according to the present embodiment. 本実施形態に係る攻撃経路推定処理の一例を示すフローチャートである。7 is a flowchart illustrating an example of attack route estimation processing according to the present embodiment. 実施例1における車両制御システムを示す図である。1 is a diagram showing a vehicle control system in Example 1. FIG. 実施例1における攻撃例を示す図である。3 is a diagram showing an example of an attack in Example 1. FIG. 実施例1における攻撃検知例を示す図である。FIG. 3 is a diagram showing an example of attack detection in the first embodiment. 実施例1における車両構成情報を示す図である。3 is a diagram showing vehicle configuration information in Example 1. FIG. 実施例1における予想経路を示す図である。3 is a diagram showing a predicted route in Example 1. FIG. 実施例1における予想経路情報を示す図である。3 is a diagram showing predicted route information in Example 1. FIG. 実施例1における観測情報を示す図である。3 is a diagram showing observation information in Example 1. FIG. 実施例1における重み付き予想経路を示す図である。3 is a diagram showing a weighted predicted route in Example 1. FIG. 実施例1における重み付き予想経路情報を示す図である。3 is a diagram showing weighted predicted route information in Example 1. FIG. 実施例1における推定攻撃経路を示す図(その1)である。FIG. 2 is a diagram (part 1) showing an estimated attack route in Example 1; 実施例1における推定攻撃経路を示す図(その2)である。FIG. 3 is a diagram (Part 2) showing an estimated attack route in Example 1; 実施例1における推定攻撃経路とそのスコア及びコストを示す図である。3 is a diagram showing an estimated attack route, its score, and cost in Example 1. FIG. 実施例2における想定攻撃パターンを示す図である。7 is a diagram showing an assumed attack pattern in Example 2. FIG. 実施例2における重み付き予想経路を示す図である。FIG. 7 is a diagram showing a weighted predicted route in Example 2; 実施例2における重み付き予想経路情報を示す図である。FIG. 7 is a diagram showing weighted predicted route information in Example 2; 実施例3における重み付き予想経路を示す図である。FIG. 7 is a diagram showing a weighted predicted route in Example 3; 実施例4における予想経路を示す図である。FIG. 7 is a diagram showing a predicted route in Example 4. 実施例4における重み付き予想経路を示す図である。FIG. 7 is a diagram showing a weighted predicted route in Example 4. 実施例4における重み付き予想経路情報を示す図である。FIG. 7 is a diagram showing weighted predicted route information in Example 4; 実施例4における推定攻撃経路とそのスコア及びコストを示す図(その1)である。FIG. 7 is a diagram (part 1) showing estimated attack routes, their scores, and costs in Example 4; 実施例4における推定攻撃経路とそのスコア及びコストを示す図(その2)である。FIG. 7 is a diagram (Part 2) showing estimated attack routes, their scores, and costs in Example 4;
 以下、本発明の一実施形態について説明する。以下の実施形態では、主に、車両制御システムを対象として、何等かの攻撃が検知されたときにログに欠損(データ欠損)がある場合であっても、その攻撃経路を推定することができる攻撃経路推定装置10について説明する。攻撃経路とは、攻撃の発生源(攻撃元の悪性プロセスや悪性ECU等)から攻撃対象(攻撃先)までの経路のことである。攻撃経路が推定されることで、例えば、車両制御システムに対する攻撃が検知された場合に、その影響範囲等を効率的に分析することが可能となる。 An embodiment of the present invention will be described below. In the following embodiments, the attack route can be estimated even if the log is missing (data missing) when some kind of attack is detected, mainly targeting the vehicle control system. The attack route estimation device 10 will be explained. The attack path is a path from the attack source (attack source malicious process, malicious ECU, etc.) to the attack target (attack destination). By estimating the attack route, for example, when an attack on a vehicle control system is detected, it becomes possible to efficiently analyze the range of its influence.
 なお、車両制御システムは電子制御装置(ECU)やCAN等で構成され、車両(例えば、自動車、特殊車両、自動二輪車、自転車等)の各種機能を制御するシステムである。ただし、本実施形態は、車両制御システムに限らず、機械類(例えば、工作機械、建設機械、農業機械、産業機械等)に搭載され、電子制御装置(ECU)やCAN等で構成される機械制御システムを対象とする場合にも同様に適用可能である。更に、IoT機器や任意の通信ネットワークで構成されるIoTシステム等を対象とする場合にも同様に適用可能である。 Note that the vehicle control system is a system that includes an electronic control unit (ECU), CAN, etc., and controls various functions of a vehicle (for example, a car, a special vehicle, a motorcycle, a bicycle, etc.). However, this embodiment is not limited to vehicle control systems, but is applicable to machines installed in machinery (e.g., machine tools, construction machinery, agricultural machinery, industrial machinery, etc.) and configured with an electronic control unit (ECU), CAN, etc. It is similarly applicable to control systems. Furthermore, the present invention can be similarly applied to IoT systems configured with IoT devices and arbitrary communication networks.
 <攻撃経路推定装置10のハードウェア構成>
 本実施形態に係る攻撃経路推定装置10のハードウェア構成例を図1に示す。図1に示すように、本実施形態に係る攻撃経路推定装置10は、入力装置101と、表示装置102と、外部I/F103と、通信I/F104と、RAM(Random Access Memory)105と、ROM(Read Only Memory)106と、補助記憶装置107と、プロセッサ108とを有する。これらの各ハードウェアは、それぞれがバス109を介して通信可能に接続されている。 <Hardware configuration of attack route estimation device 10>
FIG. 1 shows an example of the hardware configuration of an attack path estimation device 10 according to this embodiment. As shown in FIG. 1, the attack path estimation device 10 according to the present embodiment includes an input device 101, a display device 102, an external I/F 103, a communication I/F 104, and a RAM (Random Access Memory) 105. It has a ROM (Read Only Memory) 106, an auxiliary storage device 107, and a processor 108. Each of these pieces of hardware is communicably connected via a bus 109.
 入力装置101は、例えば、キーボード、マウス、タッチパネル、物理ボタン等である。表示装置102は、例えば、ディスプレイ、表示パネル等である。なお、攻撃経路推定装置10は、例えば、入力装置101及び表示装置102の少なくとも一方を有していなくてもよい。 The input device 101 is, for example, a keyboard, a mouse, a touch panel, a physical button, or the like. The display device 102 is, for example, a display, a display panel, or the like. Note that the attack route estimation device 10 may not include at least one of the input device 101 and the display device 102, for example.
 外部I/F103は、記録媒体103a等の外部装置とのインタフェースである。攻撃経路推定装置10は、外部I/F103を介して、記録媒体103aの読み取りや書き込み等を行うことができる。記録媒体103aとしては、例えば、フレキシブルディスク、CD(Compact Disc)、DVD(Digital Versatile Disk)、SDメモリカード(Secure Digital memory card)、USB(Universal Serial Bus)メモリカード等が挙げられる。 The external I/F 103 is an interface with an external device such as the recording medium 103a. The attack route estimation device 10 can read and write data on the recording medium 103a via the external I/F 103. Examples of the recording medium 103a include a flexible disk, a CD (Compact Disc), a DVD (Digital Versatile Disk), an SD memory card (Secure Digital memory card), and a USB (Universal Serial Bus) memory card.
 通信I/F104は、攻撃経路推定装置10を通信ネットワークに接続するためのインタフェースである。RAM105は、プログラムやデータを一時保持する揮発性の半導体メモリ(記憶装置)である。ROM106は、電源を切ってもプログラムやデータを保持することができる不揮発性の半導体メモリ(記憶装置)である。補助記憶装置107は、例えば、HDD(Hard Disk Drive)、SSD(Solid State Drive)、フラッシュメモリ等のストレージ装置(記憶装置)である。プロセッサ108は、例えば、CPU(Central Processing Unit)等の演算装置である。 The communication I/F 104 is an interface for connecting the attack path estimation device 10 to a communication network. The RAM 105 is a volatile semiconductor memory (storage device) that temporarily holds programs and data. The ROM 106 is a nonvolatile semiconductor memory (storage device) that can retain programs and data even when the power is turned off. The auxiliary storage device 107 is, for example, a storage device such as an HDD (Hard Disk Drive), an SSD (Solid State Drive), or a flash memory. The processor 108 is, for example, an arithmetic device such as a CPU (Central Processing Unit).
 本実施形態に係る攻撃経路推定装置10は、図1に示すハードウェア構成を有することにより、後述する予想経路情報作成処理及び攻撃経路推定処理を実現することができる。なお、図1に示すハードウェア構成は一例であって、攻撃経路推定装置10のハードウェア構成はこれに限られるものではない。例えば、攻撃経路推定装置10は、複数の補助記憶装置107や複数のプロセッサ108を有していてもよいし、図示したハードウェアの一部を有していなくてもよいし、図示したハードウェア以外の様々なハードウェアを有していてもよい。 By having the hardware configuration shown in FIG. 1, the attack route estimation device 10 according to the present embodiment can realize expected route information creation processing and attack route estimation processing, which will be described later. Note that the hardware configuration shown in FIG. 1 is an example, and the hardware configuration of the attack route estimation device 10 is not limited to this. For example, the attack path estimation device 10 may include multiple auxiliary storage devices 107 and multiple processors 108, may not include a part of the illustrated hardware, or may include the illustrated hardware. It may also include various other hardware.
 <攻撃経路推定装置10の機能構成>
 本実施形態に係る攻撃経路推定装置10の機能構成例を図2に示す。図2に示すように、本実施形態に係る攻撃経路推定装置10は、予想経路構成部110と、攻撃経路推定部120とを有する。これら各部は、例えば、攻撃経路推定装置10にインストールされた1以上のプログラムが、プロセッサ108に実行させる処理により実現される。また、本実施形態に係る攻撃経路推定装置10は、予想経路情報記憶部130を有する。予想経路情報記憶部130は、例えば、補助記憶装置107により実現される。なお、予想経路情報記憶部130は、例えば、攻撃経路推定装置10と通信ネットワークを介して接続されるデータベース等の記憶装置により実現されてもよい。 <Functional configuration of attack route estimation device 10>
FIG. 2 shows an example of the functional configuration of the attack route estimation device 10 according to this embodiment. As shown in FIG. 2, the attack route estimation device 10 according to this embodiment includes an expected route configuration section 110 and an attack route estimation section 120. Each of these units is realized, for example, by one or more programs installed in the attack path estimation device 10 causing the processor 108 to execute the process. Furthermore, the attack route estimation device 10 according to the present embodiment includes an expected route information storage unit 130. The predicted route information storage unit 130 is realized by, for example, the auxiliary storage device 107. Note that the expected route information storage unit 130 may be realized, for example, by a storage device such as a database that is connected to the attack route estimation device 10 via a communication network.
 予想経路構成部110は、事前に得られる情報を用いて、攻撃の予想経路を表す予想経路情報を作成する。これにより、攻撃が検知されたときのログ(以下、攻撃検知ログともいう。)にデータ欠損がある場合であっても、その欠損部分を予想経路により補完することで、攻撃経路の推定が可能となる。以下、本実施形態では、事前に得られる情報として、車両に搭載されているECUやそれらのECUが実行するプロセス、通信、ネットワーク接続等の設計情報と、事前に得られた各EUCのプロセスや通信のログを表す動作履歴ログと、事前に想定される悪性EUCや悪性プロセスの攻撃経路等を表す想定攻撃パターンとを用いるものとする。 The predicted route configuration unit 110 uses information obtained in advance to create predicted route information representing the predicted route of the attack. As a result, even if there is data missing in the log when an attack was detected (hereinafter also referred to as attack detection log), the attack route can be estimated by filling in the missing part with the predicted route. becomes. In the following, in this embodiment, the information obtained in advance includes design information such as the ECUs installed in the vehicle, the processes executed by those ECUs, communication, network connections, etc., and the processes and information of each EUC obtained in advance. It is assumed that an operation history log representing a communication log and an assumed attack pattern representing a previously assumed attack path of a malicious EUC or a malicious process are used.
 ここで、予想経路構成部110には、車両構成情報作成部111と、予想経路情報作成部112とが含まれる。 Here, the expected route configuration section 110 includes a vehicle configuration information creation section 111 and an expected route information creation section 112.
 車両構成情報作成部111は、設計情報や動作履歴ログを用いて、車両構成情報を作成する。車両構成情報とは、EUCで実行されるプロセスやECU自体、それらが送受信する通信やネットワーク接続、それらのプロセスやECUに関連するオブジェクト等(例えば、データ、ファイル等)をノード、ノード間の関連付けをエッジとしたグラフ構造で表される情報のことである。 The vehicle configuration information creation unit 111 creates vehicle configuration information using design information and operation history logs. Vehicle configuration information refers to the processes executed in the EUC, the ECU itself, the communications and network connections sent and received by them, objects related to those processes and ECUs (e.g. data, files, etc.), and the associations between nodes. This is information expressed in a graph structure with edges.
 予想経路情報作成部112は、車両構成情報と想定攻撃パターンとを用いて、予想経路情報を作成する。また、予想経路情報作成部112は、作成した予想経路情報を予想経路情報記憶部130に格納する。想定攻撃パターンとは、事前に想定される悪性プロセスや悪性ECU、それらが送受信する悪性通信やネットワーク接続、それらの悪性プロセスや悪性ECUに関連するオブジェクト等(例えば、データ、ファイル等)をノード、ノード間の関連付けをエッジとしたグラフ構造で表される情報のことである。また、予想経路情報とは、車両構造情報が表すグラフに対して、想定攻撃パターンが表すグラフを追加したものである。言い換えれば、予想経路情報とは、車両構造情報のノード及びエッジに対して、想定攻撃パターンのノード及びエッジを追加したグラフ構造で表される情報である。 The expected route information creation unit 112 creates expected route information using the vehicle configuration information and the assumed attack pattern. Further, the predicted route information creation unit 112 stores the generated predicted route information in the predicted route information storage unit 130. The assumed attack pattern refers to the malicious processes and ECUs that are assumed in advance, the malicious communications and network connections that they send and receive, and the objects (e.g., data, files, etc.) related to these malicious processes and ECUs that are connected to nodes, This is information expressed in a graph structure with edges representing associations between nodes. Further, the expected route information is obtained by adding a graph represented by an assumed attack pattern to the graph represented by the vehicle structure information. In other words, the expected route information is information expressed in a graph structure in which nodes and edges of the assumed attack pattern are added to the nodes and edges of the vehicle structure information.
 このように、車両構成情報が表すグラフに対して、想定攻撃パターンが表すグラフを追加することで、予想経路情報が作成される。これは、一般に、攻撃経路はまずは通常の経路、すなわち車両構成情報が表すグラフ内の経路を通り、その後、攻撃時には車両構成情報が表すグラフにはないノード(悪性プロセス、悪性通信、悪性ファイル等の悪性オブジェクト等)が出現し、そのような悪性ノードを経由した経路となるためである。 In this way, expected route information is created by adding the graph represented by the assumed attack pattern to the graph represented by vehicle configuration information. This is because, in general, an attack route first passes through a normal route, that is, a route in the graph represented by the vehicle configuration information, and then, at the time of the attack, nodes (malicious processes, malicious communications, malicious files, etc.) that are not in the graph represented by the vehicle configuration information. This is because a malicious object (such as a malicious object) appears, and the route passes through such a malicious node.
 攻撃経路推定部120は、予想経路情報と攻撃検知ログと重み付けルールとを用いて攻撃経路を推定し、その攻撃経路を表す攻撃経路情報を作成する。攻撃検知ログとは、車両制御システムのIDS等が攻撃を検知した際に収集されたログのことである。攻撃検知ログは、車両制御システムのIDS等が攻撃を検知した場合に、車両制御システムで収集して攻撃経路推定装置10に送信されてもよいし、攻撃経路推定装置10が車両制御システムから収集してもよい。重み付けルールは、後述する重み付き予想経路情報を作成する際に用いられる重み付けの条件(ルール)を表す情報のことである。 The attack route estimation unit 120 estimates an attack route using the expected route information, the attack detection log, and the weighting rule, and creates attack route information representing the attack route. The attack detection log is a log collected when an IDS or the like of a vehicle control system detects an attack. The attack detection log may be collected by the vehicle control system and sent to the attack route estimation device 10 when the IDS or the like of the vehicle control system detects an attack, or the attack detection log may be collected by the attack route estimation device 10 from the vehicle control system. You may. The weighting rule is information representing weighting conditions (rules) used when creating weighted predicted route information, which will be described later.
 ここで、攻撃経路推定部120には、重み付き予想経路情報作成部121と、経路探索部122とが含まれる。 Here, the attack route estimation unit 120 includes a weighted expected route information creation unit 121 and a route search unit 122.
 重み付き予想経路情報作成部121は、攻撃検知ログを取得すると共にそれらの攻撃検知ログを用いて攻撃の観測情報を作成した上で、その観測情報を予想経路情報に追加・上書きする。また、重み付き予想経路情報作成部121は、重み付けルールを用いて、追加・上書き後の予想経路情報のエッジに重み付けを行い、重み付き予想経路情報を作成する。観測情報とは、攻撃検知ログに現れるプロセスやECU(悪性プロセスや悪性ECUも含む)、それらが送受信する通信やネットワーク接続、それらのプロセスやECUに関連するオブジェクト等(例えば、データ、ファイル等)をノード、ノード間の関連付けをエッジとしたグラフ構造で表される情報のことである。すなわち、観測情報とは、攻撃検知ログとして観測された攻撃の経路を表すグラフの情報である。 The weighted expected route information creation unit 121 acquires attack detection logs, creates attack observation information using these attack detection logs, and adds/overwrites the observed information to the expected route information. Further, the weighted predicted route information creation unit 121 weights the edges of the predicted route information after addition/overwriting using a weighting rule, and creates weighted predicted route information. Observation information includes processes and ECUs that appear in attack detection logs (including malicious processes and malicious ECUs), communications and network connections sent and received by them, objects related to those processes and ECUs (e.g., data, files, etc.) It is information expressed in a graph structure with nodes as nodes and edges as associations between nodes. In other words, the observation information is graph information representing the route of an attack observed as an attack detection log.
 これにより、攻撃検知ログにデータ欠損が存在し、当該攻撃検知ログから得られる観測情報によって表されるグラフが不完全であっても、その欠損部分を予想経路情報で補完することができる。一方で、補完部分では複数の攻撃経路が推定され得るが、エッジに重み付けを行うことで、より確からしい経路を攻撃経路として推定することが可能となる。なお、重みはノード間の関連付けの強さを表している。重みとしては、例えば、ノード間の関連付けが強いほど小さな値が付与されるコストでもよいし、当該エッジが利用され得る確率を表す遷移確率でもよい。また、例えば、重みの一部は、予想経路構成部110(特に、車両構成情報作成部111)によって予め付与されてもよい。 As a result, even if there is data loss in the attack detection log and the graph represented by the observation information obtained from the attack detection log is incomplete, the missing portion can be supplemented with predicted route information. On the other hand, multiple attack paths can be estimated in the complementary part, but by weighting the edges, it is possible to estimate a more likely path as the attack path. Note that the weight represents the strength of association between nodes. The weight may be, for example, a cost that is assigned a smaller value as the association between nodes is stronger, or a transition probability that represents the probability that the edge can be used. Further, for example, some of the weights may be given in advance by the predicted route configuration unit 110 (in particular, the vehicle configuration information creation unit 111).
 経路探索部122は、車両制御システムのIDS等によって検知された悪性プロセス又は悪性通信を表すノード(以下、検知ノードともいう。)を起点として、重み付き予想経路情報を用いて検知ノードから遡って経路探索を行い、攻撃経路(攻撃元も含む。)を推定する。また、経路探索部122は、推定した攻撃経路を表す攻撃経路情報を所定の出力先(例えば、ディスプレイ等の表示装置102、補助記憶装置107、通信ネットワークを介して接続される他の端末等)に出力する。経路探索手法には、例えば、ダイクストラ法に代表される最短経路探索法等を用いることができる。 The route search unit 122 starts from a node representing a malicious process or malicious communication detected by an IDS or the like of a vehicle control system (hereinafter also referred to as a detection node), and searches backward from the detection node using weighted predicted route information. Perform route search and estimate attack route (including attack source). The route search unit 122 also outputs attack route information representing the estimated attack route to a predetermined output destination (for example, the display device 102 such as a display, the auxiliary storage device 107, another terminal connected via a communication network, etc.). Output to. As the route search method, for example, a shortest route search method such as Dijkstra's method can be used.
 経路探索部122によって推定される攻撃経路は、それぞれ異なる攻撃元ノードから同一の検知ノードを経由する経路として複数推定され得る。このため、経路探索部122は、例えば、所定のスコアを用いて、複数の攻撃経路情報のうち最も確からしい攻撃経路情報を所定の出力先に出力してもよい。又は、経路探索部122は、複数の攻撃経路情報とそれらのスコアとを所定の出力先に出力してもよい。ここで、スコアとしては、例えば、攻撃経路上の辺(エッジ)に付与されたコストの総和、この総和を攻撃経路上のノード数で割ったもの、攻撃経路の始点から終点(検知ノード)までの遷移確率等を用いることができる。 A plurality of attack routes estimated by the route search unit 122 can be estimated as routes from different attack source nodes to the same detection node. For this reason, the route search unit 122 may output the most probable attack route information among the plurality of pieces of attack route information to a predetermined output destination, for example, using a predetermined score. Alternatively, the route search unit 122 may output a plurality of pieces of attack route information and their scores to a predetermined output destination. Here, the score is, for example, the sum of costs given to edges on the attack route, this sum divided by the number of nodes on the attack route, and the score from the start point to the end point (detected node) of the attack route. The transition probability of , etc. can be used.
 予想経路情報記憶部130は、予想経路情報を記憶する。なお、予想経路情報記憶部130は、例えば、車両の種類や種別毎に、その種類や種別に対応する予想経路情報を記憶していてもよい。この場合、攻撃経路推定部120は、攻撃が検知された車両の種類や種別に対応する予想経路情報を用いる。 The predicted route information storage unit 130 stores predicted route information. Note that the predicted route information storage unit 130 may store predicted route information corresponding to each type or type of vehicle, for example. In this case, the attack route estimation unit 120 uses predicted route information corresponding to the type and type of vehicle in which the attack was detected.
 <予想経路情報作成処理>
 本実施形態に係る予想経路情報作成処理について、図3を参照しながら説明する。なお、予想経路情報作成処理は、後述する攻撃経路推定処理が実行されるよりも前に実行される。 <Expected route information creation process>
The predicted route information creation process according to this embodiment will be described with reference to FIG. 3. Note that the expected route information creation process is executed before the attack route estimation process, which will be described later, is executed.
 予想経路構成部110の車両構成情報作成部111は、設計情報や動作履歴ログを用いて、車両構成情報を作成する(ステップS101)。なお、車両構成情報作成部111は、設計情報と動作履歴ログの両方を用いてもよいし、いずれか一方のみを用いてもよい。 The vehicle configuration information creation unit 111 of the predicted route configuration unit 110 creates vehicle configuration information using the design information and the operation history log (step S101). Note that the vehicle configuration information creation unit 111 may use both the design information and the operation history log, or may use only one of them.
 予想経路構成部110の予想経路情報作成部112は、車両構成情報と想定攻撃パターンとを用いて予想経路情報を作成し、この予想経路情報を予想経路情報記憶部130に格納する(ステップS102)。 The predicted route information creation unit 112 of the predicted route configuration unit 110 creates predicted route information using the vehicle configuration information and the assumed attack pattern, and stores this predicted route information in the predicted route information storage unit 130 (step S102). .
 <攻撃経路推定処理>
 本実施形態に係る攻撃経路推定処理について、図4を参照しながら説明する。なお、攻撃経路推定処理は、車両制御システムで攻撃が検知される毎に実行される。 <Attack route estimation processing>
Attack route estimation processing according to this embodiment will be described with reference to FIG. 4. Note that the attack route estimation process is executed every time an attack is detected by the vehicle control system.
 攻撃経路推定部120の重み付き予想経路情報作成部121は、攻撃検知ログを取得すると共にそれらの攻撃検知ログを用いて攻撃の観測情報を作成し、その観測情報を予想経路情報に追加・上書きした上で、重み付けルールを用いて重み付き予想経路情報を作成する(ステップS201)。 The weighted predicted route information creation unit 121 of the attack route estimation unit 120 acquires attack detection logs, creates attack observation information using those attack detection logs, and adds/overwrites the observation information to the expected route information. After that, weighted predicted route information is created using a weighting rule (step S201).
 攻撃経路推定部120の経路探索部122は、重み付き予想経路情報を検知ノードから遡って経路探索を行うことで攻撃経路を推定した上で、推定した攻撃経路を表す攻撃経路情報を所定の出力先に出力する(ステップS202)。なお、このとき、経路探索部122は、所定のスコアを用いて、複数の攻撃経路情報のうち最も確からしい攻撃経路情報を出力してもよいし、複数の攻撃経路情報とそれらのスコアとを出力してもよい。 The route search unit 122 of the attack route estimation unit 120 estimates an attack route by searching the weighted expected route information from the detection node back, and then outputs attack route information representing the estimated attack route as a predetermined output. It is output first (step S202). Note that at this time, the route search unit 122 may output the most probable attack route information among the plurality of attack route information using a predetermined score, or may output the most probable attack route information among the plurality of attack route information and their scores. You can also output it.
 <実施例>
 以下、本実施形態の実施例について説明する。 <Example>
Examples of this embodiment will be described below.
 ・実施例1
 以下、実施例1について説明する。本実施例は、包括的な想定攻撃パターンを用いて攻撃経路を推定する場合である。すなわち、本実施例では、特定の攻撃を想定せず、様々な攻撃を包括的に想定し、未知の攻撃に対してもその攻撃経路を推定可能とする場合について説明する。 ・Example 1
Example 1 will be described below. In this embodiment, an attack route is estimated using a comprehensive assumed attack pattern. That is, in this embodiment, a case will be described in which a variety of attacks are comprehensively assumed without assuming a specific attack, and the attack route can be estimated even for an unknown attack.
 本実施例における車両制御システムの構成を図5に示す。本実施例における車両制御システムは、スマートフォン等を用いて、対象車両のドアロック/アンロックや空調のON/OFF等の遠隔操作を行うものである。例えば、スマートフォンからの指令をOEMサイトが受け付ける。テレマティクス制御ユニットであるTCU上にあるTCUctrlプロセスがOEMサイトに定期的にHTTPSアクセス(URLOEM)して指令を受領する。指令はEthernet通信(IPCGW)され、セントラルゲートウェイであるCGWにてCAN通信(CAN6AA)に変換され、そのCAN通信に対応するECU1にてその指令が実行される。OEMサイトとTCUは外部ワイヤレスIP網であるNWEXTで接続され、TCUとCGWは車載Ethernet網であるNWINTで接続される。また、CGWと各ECUは車載CAN網であるCANBUSで接続される。更に、TCUと各ECUは、遠隔診断や測定等の目的のためにCANBUSでも接続される。 FIG. 5 shows the configuration of the vehicle control system in this embodiment. The vehicle control system in this embodiment uses a smartphone or the like to perform remote operations such as locking/unlocking the doors of the target vehicle and turning on/off the air conditioner. For example, an OEM site accepts instructions from a smartphone. The TCUctrl process on the TCU, which is the telematics control unit, periodically makes HTTPS access (URLOEM) to the OEM site to receive commands. The command is communicated via Ethernet (IPCGW), converted into CAN communication (CAN6AA) by the central gateway CGW, and executed by the ECU 1 corresponding to the CAN communication. The OEM site and TCU are connected by NWEXT, which is an external wireless IP network, and the TCU and CGW are connected by NWINT, which is an in-vehicle Ethernet network. Further, the CGW and each ECU are connected by CANBUS, which is an in-vehicle CAN network. Furthermore, the TCU and each ECU are also connected via CANBUS for purposes such as remote diagnosis and measurement.
 なお、NWEXTには、例えば、ルータやHTTPSプロキシ等の機器が含まれ得るがその説明を省略する。同様に、NWINTには、例えば、Ethernetスイッチ等の機器が含まれ得るがその説明を省略する。同様に、CANBUSには、例えば、CANゲートウェイ等の機器が含まれ得るがその説明を省略する。また、以下では、主に、各ECUのうちECU1に関して説明し、それ以外のECUに関してはその説明を省略する。 Note that NWEXT may include, for example, devices such as a router and an HTTPS proxy, but a description thereof will be omitted. Similarly, NWINT may include, for example, equipment such as an Ethernet switch, but a description thereof will be omitted. Similarly, CANBUS may include devices such as a CAN gateway, but a description thereof will be omitted. Moreover, below, ECU1 will be mainly explained among the ECUs, and the explanation of the other ECUs will be omitted.
 本実施例における車両制御システムにおいては、NWEXT、TCU、NWINT、CANBUSにてモニタ・検知器が搭載されており、それぞれログを出力するものとする。NWEXTにおいてはURLアクセスログ、TCUにおいてはプロセスの起動ログ(起動プロセスとその親プロセス)、NWINTにおいてはEthernet-IDSによる攻撃通信検知アラートログ、CANBUSにおいてはCAN-IDSによる攻撃通信検知アラートログがそれぞれ出力されるものとする。 In the vehicle control system in this embodiment, monitors and detectors are installed at NWEXT, TCU, NWINT, and CANBUS, and each outputs a log. For NWEXT, URL access log, for TCU, process startup log (startup process and its parent process), for NWINT, attack communication detection alert log by Ethernet-IDS, and for CANBUS, attack communication detection alert log for CAN-IDS. It shall be output.
 本実施例における車両制御システムへの攻撃例を図6に示す。図6に示す攻撃例は、Drive by Download攻撃により、不正な指令が実行されるというものである。まず、OEMサイトにTCUctrlの脆弱性を攻撃する不正な情報が埋め込まれる。TCUにおいてTCUctrlがその不正な情報にアクセス(URLOEM)すると、脆弱性により、不正なプロセスであるmal1プロセスがTCU上で生成・起動される。mal1プロセスは攻撃者サイトにアクセス(URLmal)し、攻撃プログラムをTCUにダウンロードし、その攻撃プログラムにより、不正なプロセスであるmal2プロセスを生成・起動する。mal2プロセスは、不正なCANメッセージCAN6AA'をCANBUSへ送信(CANメッセージ挿入攻撃)し、ECU1に不正な指令を実行させる。 An example of an attack on the vehicle control system in this embodiment is shown in FIG. The attack example shown in FIG. 6 is a Drive by Download attack in which an illegal command is executed. First, fraudulent information that attacks the TCUctrl vulnerability is embedded on the OEM site. When TCUctrl accesses (URLOEM) the unauthorized information on the TCU, a mal1 process, which is an unauthorized process, is generated and activated on the TCU due to the vulnerability. The mal1 process accesses the attacker's site (URLmal), downloads an attack program to the TCU, and uses the attack program to generate and start a mal2 process, which is an unauthorized process. The mal2 process sends an unauthorized CAN message CAN6AA' to CANBUS (CAN message insertion attack) and causes the ECU 1 to execute an unauthorized command.
 上記の攻撃時に出力されるログをグラフ表現したものを図7に示す。NWEXTにてURLOEMとURLmalへのURLアクセスログ、TCUにてTCUctrlのmal1起動ログとmal1のmal2起動ログ、CANBUSにてCAN6AA'に関する攻撃通信検知アラートログがそれぞれ出力される。ただし、NWEXTのURLアクセスログからは、TCUからアクセスされたことはわかるが、TCUのどのプロセスからアクセスされたかは特定できない。また、CANBUSの攻撃通信検知アラートログからは、CAN6AA'が攻撃に使用されたことはわかるが、攻撃元の装置及びプロセスは特定できない。なお、NWINTでは攻撃通信がないためログは出力されない。 Figure 7 shows a graphical representation of the log output during the above attack. NWEXT outputs URL access logs to URLOEM and URLmal, TCU outputs mal1 boot logs of TCUctrl and mal2 boot logs of mal1, and CANBUS outputs attack communication detection alert logs related to CAN6AA'. However, from the NWEXT URL access log, it is known that the access was made from the TCU, but it is not possible to specify from which process of the TCU the access was made. Further, from the CANBUS attack communication detection alert log, it is known that CAN6AA' was used in the attack, but the device and process that was the source of the attack cannot be identified. Note that since there is no attack communication in NWINT, no log is output.
 上記の状況の下、攻撃が検知されたCANBUSのCAN6AA'から遡り、攻撃経路を推定する。 Under the above circumstances, the attack route is estimated by tracing back from CANBUS CAN6AA' where the attack was detected.
 まず、予想経路構成部110により予測経路情報を事前に作成する。本実施例では、図8に示す車両構成情報を車両構成情報作成部111により作成した上で、予想経路情報作成部112により車両構成情報と想定攻撃パターンから予想経路情報を作成する。図8に示す車両構成情報は、図5に示す車両制御システムにおける各装置又はプロセスと通信に関するグラフ構造を隣接行列で表現したものである。行には関連元(Src.)のノード、列には関連先(Dst.)のノードを割り当て、関連(エッジ)があるノード間の要素は1、関連がないノード間の要素は0で表現する。以下、プロセスを表すノードをプロセスノード、通信を表すノードを通信ノードともいう。 First, predicted route information is created in advance by the predicted route configuration unit 110. In this embodiment, the vehicle configuration information shown in FIG. 8 is created by the vehicle configuration information creation section 111, and then the expected route information creation section 112 creates expected route information from the vehicle configuration information and the assumed attack pattern. The vehicle configuration information shown in FIG. 8 is a graph structure related to each device or process and communication in the vehicle control system shown in FIG. 5 expressed as an adjacency matrix. The source node (Src.) is assigned to the row, and the destination node (Dst.) is assigned to the column. Elements between nodes that have a relationship (edge) are expressed as 1, and elements between nodes that are not related are expressed as 0. do. Hereinafter, a node representing a process is also referred to as a process node, and a node representing communication is also referred to as a communication node.
 本実施例における想定攻撃パターンは、以下の通りに設定し、包括的に攻撃経路を想定可能とした。まず、ログの出力対象である各装置・網(つまり、NWEXT、TCU、NWINT、CANBUS)のそれぞれにおいて、車両構成情報では想定されない(すなわち、攻撃で使用されたと疑われる)プロセス・通信を代表するノードであるワイルドカードノードを設定する。次に、各装置・網の接続に沿ってワイルドカードノードへのエッジを設定する。プロセスのワイルドカードノードはそのプロセスが実行される装置内の他のプロセスノードのすべてに対して起動関係を意味するエッジを持たせ、加えて当該装置に接続する網上の通信ノードのすべてに通信関係を意味するエッジを持たせる。通信のワイルドカードノードは、その通信が行われる網に接続する装置上のプロセスノードのすべてに対して通信関係を意味するエッジを持たせる。このように包括的な想定攻撃パターンを組み込んだ予想経路を表すグラフを図9に示す。また、そのグラフ構造を隣接行列で表現した情報(予想経路情報)を図10に示す。NWEXT、TCU、NWINT、CANBUS上にそれぞれ追加されたノードNWEXT、TCU、NWINT、CANBUSがワイルドカードノードである。例えば、ワイルドカードノードTCUは、TCU上のプロセスTCUctrlと起動関係を表す双方向エッジを持ち、更にTCUはNWEXT、NWINT、CANBUSと接続するため、それらの網の通信ノードURLOEM、NWEXT、IPCGW、NWINT、CAN6AA、CANBUSとも通信関係を表す双方向エッジを持つように設定する。 The assumed attack pattern in this example was set as follows, allowing a comprehensive assumption of attack routes. First, for each device/network for which logs are output (i.e., NWEXT, TCU, NWINT, CANBUS), represent processes/communications that are not expected in the vehicle configuration information (i.e., suspected to have been used in the attack). Set a wildcard node that is a node. Next, edges to wildcard nodes are set along each device/network connection. A wildcard node for a process has an edge that means a startup relationship with all other process nodes in the device where the process is executed, and also communicates with all communication nodes on the network connected to the device. Give it an edge that signifies a relationship. A communication wildcard node has an edge indicating a communication relationship with all process nodes on a device connected to the network where the communication is performed. FIG. 9 shows a graph representing a predicted route incorporating such a comprehensive assumed attack pattern. Further, information (expected route information) expressing the graph structure as an adjacency matrix is shown in FIG. The nodes NWEXT * , TCU*, NWINT * , and CANBUS * added on NWEXT, TCU, NWINT , and CANBUS, respectively, are wildcard nodes. For example, the wildcard node TCU * has a bidirectional edge representing a startup relationship with the process TCUctrl on the TCU, and since the TCU is also connected to NWEXT, NWINT, and CANBUS, the communication nodes URLOEM, NWEXT * , and IPCGW of those networks are connected to the wildcard node TCU*. , NWINT * , CAN6AA, and CANBUS * are all set to have bidirectional edges representing communication relationships.
 なお、システムの特性等に応じて、或る装置・網のワイルドカードノードを省略したり、ワイルドカードノードを追加したり、ワイルドカードノードに接続するエッジを削減又は増加させたりしてもよい。例えば、非常に厳密な強制アクセス制御を行っており、未認可のプロセス起動が確実に起こり得ない装置ではプロセスのワイルドカードノードを設定しなくてもよい。また、セキュリティ的に頑強なファイアウォールにて網の通信が制限・制御される場合には、ワイルドカードノードに接続するエッジをその制限・制御に従って削減したり、片方向エッジにしたりしてもよい。 Note that depending on the characteristics of the system, the wildcard node of a certain device or network may be omitted, a wildcard node may be added, or the number of edges connected to the wildcard node may be reduced or increased. For example, it is not necessary to set a process wildcard node in a device that performs very strict forced access control and is certain that unauthorized process startup cannot occur. Furthermore, if network communication is restricted and controlled by a firewall with strong security, the edges connected to wildcard nodes may be reduced or made unidirectional edges according to the restrictions and controls.
 以上の方法により、包括的な攻撃パターンを想定した予想経路情報を作成することができる。 With the above method, it is possible to create expected route information assuming a comprehensive attack pattern.
 次に、予想経路情報を用いて、攻撃経路推定部120により攻撃経路を推定する。 Next, the attack route estimation unit 120 estimates the attack route using the expected route information.
 重み付き予想経路情報作成部121は、攻撃検知ログを取得すると共にそれらの攻撃検知ログから観測情報を作成し、その観測情報を予想経路情報に追加・上書きした上で、重み付けルールを用いて重み付き予想経路情報を作成する。図6に示す攻撃例が検知されたときの攻撃検知ログから作成された観測情報を図11に示す。URLmal、mal1及びmal2、CAN6AA'は車両構成情報にはないノードであり、それぞれワイルドカードノードNWEXT、TCU、CANBUSとして代替される。TCUのmal1及びmal2の2つは共にTCUとして代替されることに注意する。このため、TCUctrl→mal1→mal2というプロセス起動の関連はTCUctrl→TCUで代替される。 The weighted expected route information creation unit 121 acquires attack detection logs, creates observation information from these attack detection logs, adds and overwrites the observed information to the expected route information, and then sets weights using weighting rules. Create predicted route information. FIG. 11 shows observation information created from the attack detection log when the attack example shown in FIG. 6 was detected. URLs mal, mal1, mal2, and CAN6AA' are nodes that are not in the vehicle configuration information, and are replaced as wild card nodes NWEXT * , TCU * , and CANBUS * , respectively. Note that both TCUs mal1 and mal2 are substituted as TCU * . Therefore, the process activation relationship TCUctrl→mal1→mal2 is replaced by TCUctrl→TCU * .
 予想経路情報のエッジに対する重み付けルールとしては以下のルール1~ルール5を用いる。 The following rules 1 to 5 are used as weighting rules for edges of predicted route information.
 ルール1:観測情報に存在するエッジ(起動関係、通信関係等)はコスト小
 ルール2:観測されなかったワイルドカードノードのエッジは削除
 ルール3:車両構成情報に存在するエッジはコスト中
 ルール4:ワイルドカードノード間の得時はコスト中
 ルール5:それ以外のエッジはコスト大
 上記の重み付けルールを用いて、予想経路情報を重み付けしたグラフを図12に示す。また、このグラフを隣接行列で表現した情報(重み付け予想経路情報)を図13に示す。図12では、コスト大のエッジを破線、コスト中のエッジを実線、コスト小のエッジを実太線で表している。また、図13では、コスト大を100、コスト中を10、コスト小を1として設定している。 Rule 1: Edges that exist in observation information (start-up related, communication related, etc.) have a low cost Rule 2: Edges of wildcard nodes that are not observed are deleted Rule 3: Edges that exist in vehicle configuration information have a medium cost Rule 4: The advantageous time between wildcard nodes is medium in cost. Rule 5: Other edges are costly. FIG. 12 shows a graph in which predicted route information is weighted using the above weighting rule. Further, information (weighted predicted route information) representing this graph as an adjacency matrix is shown in FIG. In FIG. 12, edges with high cost are represented by broken lines, edges with medium cost are represented by solid lines, and edges with low cost are represented by solid thick lines. Further, in FIG. 13, large cost is set as 100, medium cost as 10, and small cost as 1.
 なお、重み付けルールは、システムの特性等に応じて変更・追加・削除してもよい。例えば、観測情報に存在するノードに接続されるすべてのエッジのコストを一律に減少させる、脅威を受けやすい通信を行うプロセスノードに関してはワイルドカードノードとのエッジのコストを減少させる、等といったルールを追加してもよい。また、CANバスが複数存在し、CANバス毎に攻撃検知を行える場合、攻撃を検知したCANバスに接続されるエッジのコストを特に減少させるルールを追加してもよい。また、攻撃の検知を失敗する可能性が高いシステムにおいては、上記のルール2を削除してもよい。更に、コストの実際の値に関しても、適宜、適切な値を設定してもよい。加えて、重み付けの一部は予想経路構成部110にて事前に行われてもよい。例えば、上記のルール3~ルール5による重み付けは予想経路構成部110にて事前に行い、上記のルール1~ルール2のみを攻撃経路推定部120(の重み付き予想経路情報作成部121)にて行ってもよい。 Note that the weighting rules may be changed, added, or deleted depending on the characteristics of the system. For example, rules such as uniformly reducing the cost of all edges connected to nodes that exist in observation information, reducing the cost of edges with wildcard nodes for process nodes that communicate with each other that are susceptible to threats, etc. May be added. Furthermore, if there are a plurality of CAN buses and attacks can be detected for each CAN bus, a rule may be added that particularly reduces the cost of an edge connected to the CAN bus where an attack has been detected. Further, in a system where there is a high possibility of failure in detecting an attack, the above rule 2 may be deleted. Furthermore, an appropriate value may be set as appropriate regarding the actual value of cost. In addition, some of the weighting may be performed in advance by the predicted route configuration unit 110. For example, the weighting according to the above rules 3 to 5 is performed in advance in the expected route configuration unit 110, and only the above rules 1 to 2 are performed in the attack route estimation unit 120 (the weighted expected route information creation unit 121). You may go.
 次に、経路探索部122は、重み付き予想経路情報を用いて、CAN-IDSの攻撃通信検知アラートが発生したCANBUS網から遡って攻撃経路を推定する。すなわち、攻撃通信検知アラートに対応するワイルドカードノードCANBUSを目標(Target)として、その他のノードからその目標へ到達する経路とその経路のスコアとを求める。スコアとしては、経路中のエッジのコストの総和÷経路中のエッジ数とする。なお、経路の探索には、例えば、ダイクストラ法を代表とする最短経路探索法等を用いることができる。本実施例で探索された経路の一例を図14及び図15に示す。図14に示す例ではURLOEM→TCLctrl→TCU→CANBUSという攻撃経路が探索されている。一方で、図15に示す例ではNWEXT→TCU→CANBUSという攻撃経路が探索されている。これらが推定された攻撃経路である。 Next, the route search unit 122 uses the weighted expected route information to estimate an attack route tracing back from the CANBUS network where the CAN-IDS attack communication detection alert has occurred. That is, the wild card node CANBUS * corresponding to the attack communication detection alert is set as a target, and a route to reach the target from other nodes and a score of the route are determined. The score is the sum of the costs of edges in the route divided by the number of edges in the route. Note that for the route search, for example, a shortest route search method such as Dijkstra's method can be used. An example of the route searched in this example is shown in FIGS. 14 and 15. In the example shown in FIG. 14, the attack path URLOEM→TCLctrl→TCU * →CANBUS * is searched. On the other hand, in the example shown in FIG. 15, the attack route NWEXT * →TCU * →CANBUS * is searched. These are the estimated attack routes.
 本実施例で推定された攻撃経路の一覧とそれらのスコア及びコストを図16に示す。経路探索部122は、例えば、これらの攻撃経路の中から適切な攻撃経路を選択し、選択した攻撃経路を表す攻撃経路情報を所定の出力先に出力する。適切な攻撃経路の選択方法は様々に考えられるが、例えば、スコアが或る所定の範囲内にある攻撃経路、スコアが或る所定の閾値以上の攻撃経路等が考えられる。 FIG. 16 shows a list of attack routes estimated in this example, their scores, and costs. For example, the route search unit 122 selects an appropriate attack route from among these attack routes, and outputs attack route information representing the selected attack route to a predetermined output destination. Various methods can be considered to select an appropriate attack route, such as an attack route whose score is within a certain predetermined range, an attack route whose score is greater than or equal to a certain predetermined threshold, etc.
 なお、スコアはシステムの特性等に応じて適切なものを用いる。例えば、経路中のエッジのコストの総和÷経路中のノード数をスコアとしてもよいし、攻撃経路の始点から終点(検知ノード、目標)までの遷移確率等をスコアに用いてもよい。 Note that an appropriate score is used depending on the characteristics of the system. For example, the score may be the sum of the costs of edges on the route divided by the number of nodes on the route, or the transition probability from the start point to the end point (detection node, target) of the attack route may be used as the score.
 このように、本実施例では、車両構成情報と包括的な想定攻撃パターンを予想経路情報として予め作成した上で、この予想経路情報と攻撃検知ログと重み付けルールから重み付き予想経路情報を作成する。これにより、攻撃検知ログが不完全であっても攻撃経路を推定することができる。 In this way, in this embodiment, vehicle configuration information and a comprehensive assumed attack pattern are created in advance as expected route information, and then weighted expected route information is created from this expected route information, attack detection log, and weighting rule. . This allows the attack route to be estimated even if the attack detection log is incomplete.
 なお、本実施例では、ログの出力対象であるプロセスと通信をノードとしているが、ログの出力対象が変わればそれに応じてノードやエッジを変更してもよい。ノードの例としては、ファイル、システムコール、シグナル等が挙げられる。また、グラフの表現は隣接行列に限られず、例えば、接続行列、ラプラシアン行列、リスト表現等といった他の形式で表現されてもよい。また、1部ブラフの代わりに2部グラフとして表現されてもよい。 Note that in this embodiment, the processes and communications that are the targets of log output are used as nodes, but if the target of log output changes, the nodes and edges may be changed accordingly. Examples of nodes include files, system calls, signals, and the like. Further, the representation of the graph is not limited to an adjacency matrix, and may be represented in other formats such as a connection matrix, a Laplacian matrix, a list representation, and the like. Furthermore, it may be expressed as a bipartite graph instead of a one-part bluff.
 ・実施例2
 以下、実施例2について説明する。本実施例は、既知の想定攻撃パターンを用いて攻撃経路を推定する場合である。 ・Example 2
Example 2 will be described below. In this embodiment, an attack route is estimated using a known assumed attack pattern.
 本実施例では、車両制御システムの構成、モニタ・検知器とその出力ログ、攻撃例は実施例1と同様であるものとする。 In this embodiment, it is assumed that the configuration of the vehicle control system, the monitor/detector and its output log, and the attack example are the same as in the first embodiment.
 実施例1と同様に、車両構成情報作成部111により車両構成情報を作成する。次に、予想経路情報作成部112により車両構成情報と想定攻撃パターンから予想経路情報を作成する。想定攻撃パターンとしては、例えば、脅威と脆弱性との関係をグラフモデルで表現したもの(これはアタックグラフとも呼ばれる。)で与えられてもよいし、侵害痕跡情報(IoC:Indicators of Compromise)で与えられてもよい。以下では、想定攻撃パターンがIoCで与えられた場合について説明する。 Similarly to the first embodiment, vehicle configuration information is created by the vehicle configuration information creation unit 111. Next, the predicted route information creation unit 112 creates predicted route information from the vehicle configuration information and the assumed attack pattern. Assumed attack patterns may be given, for example, as a graph model representing the relationship between threats and vulnerabilities (also called an attack graph), or as indicators of compromise information (IoC). May be given. Below, a case will be described in which the assumed attack pattern is given by IoC.
 IoCの一例とそのIoCをアタックグラフで表現したものを図17に示す。図17に示す例では、アタックグラフを隣接行列で表現し、IoC中に出現したプロセスと通信をすべてノードとして記述した上で、関連付けられるノード間のエッジを設定している。このIoCとアタックグラフとを車両構成情報と共に予想経路情報として予想経路情報記憶部130に格納する。なお、本実施例におけるIoCでは、URLOEMによって脆弱性を突かれるTCUctrlを記載しない例を挙げている。これは、例えば、ライブラリに脆弱性がある場合、そのライブラリを利用するプログラム全般が影響を受けることから、あえてプログラム・プロセス名をIoCに記載しないことがあるためである。 FIG. 17 shows an example of IoC and its representation as an attack graph. In the example shown in FIG. 17, the attack graph is expressed as an adjacency matrix, all processes and communications that appear during IoC are described as nodes, and edges between associated nodes are set. This IoC and attack graph are stored together with vehicle configuration information in the expected route information storage unit 130 as expected route information. Note that in the IoC in this embodiment, an example is given in which TCUctrl, which is vulnerable to URLEM, is not described. This is because, for example, if a library has a vulnerability, all programs that use the library will be affected, so the program/process name may not be written in the IoC.
 次に、予想経路情報を用いて、攻撃経路推定部120により攻撃経路を推定する。 Next, the attack route estimation unit 120 estimates the attack route using the expected route information.
 重み付き予想経路情報作成部121は、攻撃検知ログを取得すると共にそれらの攻撃検知ログから観測情報を作成する。また、重み付き予想経路情報作成部121は、それらの攻撃検知ログと最も合致するIoCを表現するアタックグラフを予想経路情報記憶部130から取得する。そして、重み付き予想経路情報作成部121は、車両構成情報に対して観測情報及びアタックグラフを追加・上書きした上で、重み付けルールを用いて重み付き予想経路情報を作成する。ここで、予想経路情報のエッジに対する重み付けルールとしては以下のルール1~ルール4を用いる。なお、システムの特性等に応じて、重み付けルールを変更・追加・削除してもよいことは実施例と同様である。 The weighted predicted route information creation unit 121 acquires attack detection logs and creates observation information from these attack detection logs. Furthermore, the weighted predicted route information creation unit 121 obtains from the predicted route information storage unit 130 an attack graph representing the IoC that most matches those attack detection logs. Then, the weighted predicted route information creation unit 121 adds and overwrites the observation information and the attack graph to the vehicle configuration information, and then creates weighted predicted route information using the weighting rule. Here, the following rules 1 to 4 are used as weighting rules for the edges of the predicted route information. Note that, as in the embodiment, the weighting rules may be changed, added, or deleted depending on the characteristics of the system.
 ルール1:観測情報に存在するエッジ(起動関係、通信関係等)はコスト小
 ルール2:アタックグラフのエッジのうち、観測されなかったエッジはコスト中
 ルール3:車両構成情報に存在するエッジはコスト中
 ルール4:それ以外のエッジはコスト大
 上記の重み付けルールを用いて、予想経路情報を重み付けしたグラフを図18に示す。また、このグラフを隣接行列で表現した情報(重み付け予想経路情報)を図19に示す。図18では、コスト大のエッジを破線、コスト中のエッジを実線、コスト小のエッジを実太線で表している。また、図19では、コスト大を100、コスト中を10、コスト小を1として設定している。なお、図18及び図19ではコスト大のエッジは存在していないことに注意されたい。 Rule 1: Edges that exist in observation information (start-up related, communication related, etc.) have a low cost. Rule 2: Among edges in the attack graph, unobserved edges have a medium cost. Rule 3: Edges that exist in vehicle configuration information have a low cost. Medium Rule 4: Other edges are costly FIG. 18 shows a graph in which predicted route information is weighted using the above weighting rule. Further, information (weighted predicted route information) representing this graph as an adjacency matrix is shown in FIG. In FIG. 18, edges with high cost are represented by broken lines, edges with medium cost are represented by solid lines, and edges with low cost are represented by solid thick lines. Further, in FIG. 19, large cost is set as 100, medium cost as 10, and small cost as 1. Note that there are no edges with large costs in FIGS. 18 and 19.
 以降は、実施例1と同様に、経路探索部122が、この重み付き予想経路情報を用いて、CAN-IDSの攻撃通信検知アラートが発生したCANBUS網から遡って攻撃経路を推定すればよい。 Thereafter, similarly to the first embodiment, the route search unit 122 may use this weighted expected route information to estimate the attack route going back from the CANBUS network where the CAN-IDS attack communication detection alert has occurred.
 ・実施例3
 以下、実施例3について説明する。実施例3として、実施例1の包括的な想定攻撃パターンと実施例2の既知の想定攻撃パターンとを組み合わせてもよい。例えば、実施例2において、mal2とCAN6AA'が既知の想定攻撃パターンに含まれていない場合(図17において、IoCがNo.2のものに合致する場合)、代わりにそれぞれワイルドカードノードTCU及びCANBUSとして包括的に表現してもよい。包括的な想定攻撃パターンと既知の想定攻撃パターンとを用いた場合の重み付き予想経路情報が表すグラフの例を図20に示す。以降は実施例1や実施例2と同様に、この重み付き予想経路情報を用いて、経路探索部122で攻撃経路を推定すればよい。 ・Example 3
Example 3 will be described below. As a third embodiment, the comprehensive assumed attack pattern of the first embodiment and the known assumed attack pattern of the second embodiment may be combined. For example, in Example 2, if mal2 and CAN6AA' are not included in the known expected attack pattern (in FIG. 17, if the IoC matches that of No. 2), then wildcard nodes TCU * and CAN6AA' are used instead, respectively. It may also be comprehensively expressed as CANBUS * . FIG. 20 shows an example of a graph represented by weighted expected route information when a comprehensive assumed attack pattern and a known assumed attack pattern are used. Thereafter, similarly to the first and second embodiments, the route search unit 122 may estimate an attack route using this weighted expected route information.
 ・実施例4
 以下、実施例4について説明する。本実施例では、プロセス監視を行わず、ネットワーク監視のみで攻撃経路を推定する場合について説明する。車両制御システムの構成、攻撃例、攻撃検知の条件は実施例1と同様であるものとする。 ・Example 4
Example 4 will be described below. In this embodiment, a case will be described in which an attack route is estimated only by network monitoring without performing process monitoring. It is assumed that the configuration of the vehicle control system, attack examples, and attack detection conditions are the same as in the first embodiment.
 予想経路情報作成部112によって作成された予想経路情報のグラフを図21に示す。実施例1と異なり、プロセス監視が行われないため、プロセスTCUctrl及びTCUノードがなく、代わりにTCU自体がノードとなり、そのノードTCUはノードURLOEM、NWEXT、IPCGW、NWINT、CAN6AA、CANBUSとエッジを持つ。 FIG. 21 shows a graph of the predicted route information created by the predicted route information creation unit 112. Unlike the first embodiment, since process monitoring is not performed, there are no processes TCUctrl and TCU * nodes, and instead the TCU itself becomes a node, and the node TCU is the node URLOEM, NWEXT * , IPCGW, NWINT * , CAN6AA, CANBUS * and has an edge.
 攻撃が検知された場合に、実施例1と同様の重み付けルールにより予想経路情報を重み付けしたグラフを図22に示す。また、このグラフを隣接行列で表現した情報(重み付き予想経路情報)を図23に示す。更に、最短経路探索法により、検知ノードCANBUSから遡って探索した経路(推定した攻撃経路)とそのスコア及びコストを図24に示す。 FIG. 22 shows a graph in which predicted route information is weighted using the same weighting rules as in Example 1 when an attack is detected. Further, information (weighted predicted route information) representing this graph as an adjacency matrix is shown in FIG. Further, FIG. 24 shows the route searched back from the detection node CANBUS * (estimated attack route) using the shortest route search method, and its score and cost.
 ここで、プロセス監視を行わないため、攻撃経路を推定し損なうことも考えられる。そこで、検知ノードCANBUSから遡って経路を探索(推定)する際に、最短経路探索法を応用した複数経路探索法を用いる。複数経路探索法により探索した攻撃経路(推定した攻撃経路)とそのスコア及びコストを図25に示す。本実施例における複数経路探索法では対象ノードからエッジ1つ遡ったそれぞれのノードから最短経路探索を行う。図22において、対象ノードは検知ノードCANBUSであり、そのノードから1エッジ遡ったノードTCU、CGWそれぞれから最短経路探索を行う。 Here, since process monitoring is not performed, it is possible that the attack route may not be estimated. Therefore, when searching for (estimating) a route going back from the detection node CANBUS * , a multiple route search method is used, which is an application of the shortest route search method. FIG. 25 shows attack routes (estimated attack routes) searched by the multiple route search method, their scores, and costs. In the multiple route search method in this embodiment, the shortest route search is performed from each node one edge back from the target node. In FIG. 22, the target node is the detection node CANBUS * , and the shortest route search is performed from each of the nodes TCU and CGW that are one edge back from that node.
 図25において、始点・終点が同一の経路のうち、スコアはCGWを経由する経路の方が小さいが、コストはTCUを経由する経路の方が小さい。このような場合は両方とも攻撃経路の候補とし、別途、例えば、デジタルフォレンジック等の追加調査を行って経路を確定する。これにより、もれなく攻撃経路の調査・推定が行える。 In FIG. 25, among routes with the same starting and ending points, the route that goes through the CGW has a lower score, but the cost of the route that goes through the TCU is lower. In such a case, both are considered as attack route candidates, and additional investigation such as digital forensics is conducted to determine the route. This allows for thorough investigation and estimation of attack routes.
 ・実施例5
 以下、実施例5について説明する。長時間観測されたログの中には複数の攻撃通信検知アラートが含まれている可能性がある。このため、このようなログが攻撃検知ログとして取得された場合には、攻撃経路の推定が困難となり得る。そこで、長時間観測されたログが攻撃検知ログとして取得された場合には、その攻撃検知ログを適度に分割した上で、分割したログのそれぞれに対して本実施形態を適用すればよい。 ・Example 5
Example 5 will be described below. Logs that have been observed for a long time may contain multiple attack communication detection alerts. Therefore, if such a log is acquired as an attack detection log, it may be difficult to estimate the attack route. Therefore, when a log that has been observed for a long time is acquired as an attack detection log, the attack detection log may be appropriately divided and the present embodiment may be applied to each of the divided logs.
 攻撃検知ログの分割方法としては、例えば、攻撃通信検知アラートの前後の特定期間の部分を抽出する、クラスタリング手法を用いて分割する、等といった方法を利用できる。また、同一アラートが連続して発生する場合、攻撃経路の推定精度をより高めるために、例えば、同一アラートを1つの代表にまとめたり、同一アラートが連続して発生している期間の開始と終了の2点以外のアラートは削除した上で分割を行ったりしてもよい。 As a method for dividing the attack detection log, for example, methods such as extracting a portion of a specific period before and after the attack communication detection alert, dividing using a clustering method, etc. can be used. In addition, when the same alert occurs continuously, in order to further improve the accuracy of estimating the attack path, for example, the same alerts may be grouped together into one representative, or the start and end of the period in which the same alert occurs continuously. Alerts other than these two points may be deleted and then divided.
 <まとめ>
 以上のように、本実施形態に係る攻撃経路推定装置10は、車両構成情報と想定攻撃パターンから離散グラフで表現された予想経路情報を事前に作成した上で、攻撃検知時に得られた攻撃検知ログと重み付けルールから重み付き予想経路情報を作成し、その重み付き予想経路情報を攻撃検知ノードから遡って経路探索することで、攻撃経路を推定する。これにより、攻撃検知時に得られるログ(攻撃検知ログ)にデータ欠損がある場合であっても、攻撃経路を推定することが可能となる。このため、例えば、車両制御システムに対する攻撃が検知された場合に、その影響範囲等を効率的に分析することが可能となる。 <Summary>
As described above, the attack route estimation device 10 according to the present embodiment creates expected route information expressed in a discrete graph from vehicle configuration information and an assumed attack pattern in advance, and then uses the attack detection information obtained at the time of attack detection. The attack route is estimated by creating weighted expected route information from logs and weighting rules, and performing a route search using the weighted expected route information from the attack detection node. This makes it possible to estimate the attack route even if there is data loss in the log obtained at the time of attack detection (attack detection log). Therefore, for example, when an attack on a vehicle control system is detected, it becomes possible to efficiently analyze the range of its influence.
 なお、上記の実施形態では、一例として、車両制御システムを対象に説明したが、これに限られるものではなく、例えば、機械制御システム等といった通信機能を備える他の通信システムを対象として、本実施形態が適用されてもよい。例えば、工場におけるロボット等の産業用制御機器、各地に配置されたセンサ、オーディオ機器、家電製品、情報処理端末(スマートフォン、タブレット端末等)、一般的にIoT機器と呼ばれる機器等で構成される通信システムを対象として、本実施形態が適用されてもよい。 In the above embodiment, the vehicle control system has been described as an example, but the present embodiment is not limited to this, and can be applied to other communication systems with communication functions such as machine control systems. Forms may also be applied. For example, communications consisting of industrial control equipment such as robots in factories, sensors placed in various places, audio equipment, home appliances, information processing terminals (smartphones, tablets, etc.), equipment generally called IoT equipment, etc. This embodiment may be applied to a system.
 また、攻撃検知ログとしては、例えば、CAN-IDSや車載EthernetのIDS等といったネットワーク攻撃検知機能のアラートログ、CAN通信のゲートウェイやIPファイアウォール等の通信拒絶ログや通信統計ログ、ECUや端末でのOS(Operating System)セキュリティ監査等によるシステムログ、アンチウィルスソフトによるマルウェアスキャンレポートやプロキシサーバのアクセスログ等のアプリケーションログ等を用いることができる。 In addition, attack detection logs include, for example, alert logs of network attack detection functions such as CAN-IDS and in-vehicle Ethernet IDS, communication rejection logs and communication statistics logs of CAN communication gateways and IP firewalls, and communication statistics logs of ECUs and terminals. System logs from OS (Operating System) security audits, malware scan reports from anti-virus software, application logs such as proxy server access logs, etc. can be used.
 本発明は、具体的に開示された上記の実施形態に限定されるものではなく、請求の範囲の記載から逸脱することなく、種々の変形や変更、既知の技術との組み合わせ等が可能である。 The present invention is not limited to the above-described specifically disclosed embodiments, and various modifications and changes, combinations with known techniques, etc. are possible without departing from the scope of the claims. .
 10    攻撃経路推定装置
 101   入力装置
 102   表示装置
 103   外部I/F
 103a  記録媒体
 104   通信I/F
 105   RAM
 106   ROM
 107   補助記憶装置
 108   プロセッサ
 109   バス
 110   予想経路構成部
 111   車両構成情報作成部
 112   予想経路情報作成部
 120   攻撃経路推定部
 121   重み付き予想経路情報作成部
 122   経路探索部
 130   予想経路情報記憶部 10 Attack route estimation device 101 Input device 102 Display device 103 External I/F
103a Recording medium 104 Communication I/F
105 RAM
106 ROM
107 Auxiliary storage device 108 Processor 109 Bus 110 Expected route configuration unit 111 Vehicle configuration information creation unit 112 Expected route information creation unit 120 Attack route estimation unit 121 Weighted expected route information creation unit 122 Route search unit 130 Expected route information storage unit

Claims (8)

  1.  対象システムにおける攻撃経路を推定する攻撃経路推定システムであって、
     前記対象システムの設計情報と動作履歴ログの少なくとも一方を用いて、前記対象システムの構成を表す構成情報を作成するように構成されている構成情報作成部と、
     前記構成情報と、前記対象システムで想定される攻撃パターンとを用いて、前記対象システムに対する攻撃の予想経路を表す予想経路情報を作成するように構成されている予想経路情報作成部と、
     前記対象システムに対する攻撃が検知された場合、前記対象システムから取得されたログと所定の重み付け条件とを用いて、前記予想経路情報に対して重み付け行った重み付き予想経路情報を作成するように構成されている重み付き予想経路情報作成部と、
     前記重み付き予想経路情報に対する経路探索により、前記攻撃の発生源から攻撃先までの経路を表す攻撃経路を推定するように構成されている経路探索部と、
     を有する攻撃経路推定システム。     An attack path estimation system that estimates an attack path in a target system,
    a configuration information creation unit configured to create configuration information representing a configuration of the target system using at least one of design information and operation history log of the target system;
    an expected route information creation unit configured to create expected route information representing an expected route of an attack on the target system using the configuration information and an attack pattern assumed on the target system;
    When an attack on the target system is detected, weighted predicted route information is created by weighting the predicted route information using a log acquired from the target system and a predetermined weighting condition. A weighted predicted route information creation unit that is
    a route search unit configured to estimate an attack route representing a route from the attack source to the attack destination by searching the weighted expected route information;
    An attack route estimation system with
  2.  前記重み付き予想経路情報作成部は、
     前記対象システムに対する攻撃が検知された場合、前記対象システムから取得されたログを用いて、前記攻撃の観測経路を表す観測情報を作成し、
     前記観測情報を前記予想経路情報に対して追加及び上書きした上で、前記重み付け条件を用いて、前記追加及び上書き後の予想経路情報に対して重み付け行った重み付き予想経路情報を作成するように構成されている、請求項1に記載の攻撃経路推定システム。     The weighted predicted route information creation unit includes:
    When an attack on the target system is detected, creating observation information representing an observation route of the attack using logs obtained from the target system,
    After adding and overwriting the observed information to the predicted route information, weighted predicted route information is created in which the predicted route information after the addition and overwriting is weighted using the weighting condition. The attack path estimation system according to claim 1, wherein the attack path estimation system is configured.
  3.  前記構成情報作成部は、
     前記設計情報と前記動作履歴ログの少なくとも一方を用いて、前記対象システムの構成をグラフ構造で表現した前記構成情報を作成するように構成されており、
     前記予想経路情報作成部は、
     前記構成情報に対して、グラフ構造で表現された前記攻撃パターンを追加することで、グラフ構造で表現された前記予想経路情報を作成するように構成されており、
     前記重み付き予想経路情報作成部は、
     前記ログと前記重み付け条件とを用いて、前記予想経路情報が表すグラフのエッジに対して重みを付与した前記重み付き予想経路情報を作成するように構成されている、請求項1又は2に記載の攻撃経路推定システム。     The configuration information creation unit includes:
    The configuration information is configured to create the configuration information expressing the configuration of the target system in a graph structure using at least one of the design information and the operation history log,
    The predicted route information creation unit includes:
    The configuration information is configured to create the expected route information expressed in a graph structure by adding the attack pattern expressed in a graph structure to the configuration information,
    The weighted predicted route information creation unit includes:
    3. The weighted predicted route information is configured to create the weighted predicted route information in which an edge of a graph represented by the predicted route information is weighted using the log and the weighting condition. attack path estimation system.
  4.  前記経路探索部は、
     前記攻撃が検知されたプロセス、装置又は通信を表すノードを前記攻撃先として、前記攻撃先から遡った前記経路探索により、前記攻撃経路を推定するように構成されている、請求項3に記載の攻撃経路推定システム。     The route search unit includes:
    4. The attack route according to claim 3, wherein the attack route is estimated by the route search tracing back from the attack target, with a node representing a process, device, or communication in which the attack has been detected as the attack target. Attack route estimation system.
  5.  前記経路探索部は、
     前記攻撃経路に含まれるエッジに付与された重みを用いて、前記攻撃経路に対するスコアを算出し、
     複数の前記攻撃経路が推定された場合、前記スコアを用いて、複数の前記攻撃経路の中から1以上の攻撃経路を所定の出力先に出力する、請求項4に記載の攻撃経路推定システム。     The route search unit includes:
    calculating a score for the attack route using weights given to edges included in the attack route;
    5. The attack route estimation system according to claim 4, wherein when a plurality of attack routes are estimated, one or more attack routes from among the plurality of attack routes are output to a predetermined output destination using the score.
  6.  対象システムにおける攻撃経路を推定する攻撃経路推定装置であって、
     前記対象システムの設計情報と動作履歴ログの少なくとも一方を用いて、前記対象システムの構成を表す構成情報を作成するように構成されている構成情報作成部と、
     前記構成情報と、前記対象システムで想定される攻撃パターンとを用いて、前記対象システムに対する攻撃の予想経路を表す予想経路情報を作成するように構成されている予想経路情報作成部と、
     前記対象システムに対する攻撃が検知された場合、前記対象システムから取得されたログと所定の重み付け条件とを用いて、前記予想経路情報に対して重み付け行った重み付き予想経路情報を作成するように構成されている重み付き予想経路情報作成部と、
     前記重み付き予想経路情報に対する経路探索により、前記攻撃の発生源から攻撃先までの経路を表す攻撃経路を推定するように構成されている経路探索部と、
     を有する攻撃経路推定装置。     An attack path estimation device for estimating an attack path in a target system,
    a configuration information creation unit configured to create configuration information representing a configuration of the target system using at least one of design information and operation history log of the target system;
    an expected route information creation unit configured to create expected route information representing an expected route of an attack on the target system using the configuration information and an attack pattern assumed on the target system;
    When an attack on the target system is detected, weighted predicted route information is created by weighting the predicted route information using a log acquired from the target system and a predetermined weighting condition. A weighted predicted route information creation unit that is
    a route search unit configured to estimate an attack route representing a route from the attack source to the attack destination by searching the weighted expected route information;
    An attack route estimation device having
  7.  対象システムにおける攻撃経路を推定する攻撃経路推定方法であって、
     前記対象システムの設計情報と動作履歴ログの少なくとも一方を用いて、前記対象システムの構成を表す構成情報を作成する構成情報作成手順と、
     前記構成情報と、前記対象システムで想定される攻撃パターンとを用いて、前記対象システムに対する攻撃の予想経路を表す予想経路情報を作成する予想経路情報作成手順と、
     前記対象システムに対する攻撃が検知された場合、前記対象システムから取得されたログと所定の重み付け条件とを用いて、前記予想経路情報に対して重み付け行った重み付き予想経路情報を作成する重み付き予想経路情報作成手順と、
     前記重み付き予想経路情報に対する経路探索により、前記攻撃の発生源から攻撃先までの経路を表す攻撃経路を推定する経路探索手順と、
     をコンピュータが実行する攻撃経路推定方法。     An attack route estimation method for estimating an attack route in a target system, the method comprising:
    a configuration information creation step of creating configuration information representing a configuration of the target system using at least one of design information and operation history log of the target system;
    an expected route information creation step of creating expected route information representing a expected route of an attack on the target system using the configuration information and an attack pattern assumed on the target system;
    When an attack on the target system is detected, weighted prediction creates weighted predicted route information in which the predicted route information is weighted using a log obtained from the target system and a predetermined weighting condition. Route information creation procedure,
    a route search procedure for estimating an attack route representing a route from the attack source to the attack destination by searching the weighted expected route information;
    An attack route estimation method that is executed by a computer.
  8.  対象システムにおける攻撃経路を推定するプログラムであって、
     前記対象システムの設計情報と動作履歴ログの少なくとも一方を用いて、前記対象システムの構成を表す構成情報を作成する構成情報作成手順と、
     前記構成情報と、前記対象システムで想定される攻撃パターンとを用いて、前記対象システムに対する攻撃の予想経路を表す予想経路情報を作成する予想経路情報作成手順と、
     前記対象システムに対する攻撃が検知された場合、前記対象システムから取得されたログと所定の重み付け条件とを用いて、前記予想経路情報に対して重み付け行った重み付き予想経路情報を作成する重み付き予想経路情報作成手順と、
     前記重み付き予想経路情報に対する経路探索により、前記攻撃の発生源から攻撃先までの経路を表す攻撃経路を推定する経路探索手順と、
     をコンピュータに実行させるプログラム。     A program that estimates an attack route in a target system,
    a configuration information creation step of creating configuration information representing a configuration of the target system using at least one of design information and operation history log of the target system;
    an expected route information creation step of creating expected route information representing a expected route of an attack on the target system using the configuration information and an attack pattern assumed on the target system;
    When an attack on the target system is detected, weighted prediction creates weighted predicted route information in which the predicted route information is weighted using a log obtained from the target system and a predetermined weighting condition. Route information creation procedure,
    a route search procedure for estimating an attack route representing a route from the attack source to the attack destination by searching the weighted expected route information;
    A program that causes a computer to execute.
PCT/JP2022/020883 2022-05-19 2022-05-19 Attack path estimation system, attack path estimation device, attack path estimation method, and program WO2023223515A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2022/020883 WO2023223515A1 (en) 2022-05-19 2022-05-19 Attack path estimation system, attack path estimation device, attack path estimation method, and program
PCT/JP2023/011701 WO2023223668A1 (en) 2022-05-19 2023-03-24 Attack path estimation system, attack path estimation device, attack path estimation method, and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/020883 WO2023223515A1 (en) 2022-05-19 2022-05-19 Attack path estimation system, attack path estimation device, attack path estimation method, and program

Publications (1)

Publication Number Publication Date
WO2023223515A1 true WO2023223515A1 (en) 2023-11-23

Family

ID=88835040

Family Applications (2)

Application Number Title Priority Date Filing Date
PCT/JP2022/020883 WO2023223515A1 (en) 2022-05-19 2022-05-19 Attack path estimation system, attack path estimation device, attack path estimation method, and program
PCT/JP2023/011701 WO2023223668A1 (en) 2022-05-19 2023-03-24 Attack path estimation system, attack path estimation device, attack path estimation method, and program

Family Applications After (1)

Application Number Title Priority Date Filing Date
PCT/JP2023/011701 WO2023223668A1 (en) 2022-05-19 2023-03-24 Attack path estimation system, attack path estimation device, attack path estimation method, and program

Country Status (1)

Country Link
WO (2) WO2023223515A1 (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117787195A (en) * 2023-12-28 2024-03-29 苏州异格技术有限公司 Wiring design method, wiring design device, computer equipment and storage medium

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016076207A1 (en) * 2014-11-10 2016-05-19 日本電信電話株式会社 Optimization device, optimization method, and optimization program
WO2020075808A1 (en) * 2018-10-11 2020-04-16 日本電信電話株式会社 Information processing device, log analysis method, and program
WO2020183615A1 (en) * 2019-03-12 2020-09-17 三菱電機株式会社 Attack estimation device, attack control method, and attack estimation program

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016076207A1 (en) * 2014-11-10 2016-05-19 日本電信電話株式会社 Optimization device, optimization method, and optimization program
WO2020075808A1 (en) * 2018-10-11 2020-04-16 日本電信電話株式会社 Information processing device, log analysis method, and program
WO2020183615A1 (en) * 2019-03-12 2020-09-17 三菱電機株式会社 Attack estimation device, attack control method, and attack estimation program

Also Published As

Publication number Publication date
WO2023223668A1 (en) 2023-11-23

Similar Documents

Publication Publication Date Title
JP6239215B2 (en) Information processing apparatus, information processing method, and information processing program
US9032521B2 (en) Adaptive cyber-security analytics
JP7056752B2 (en) Analytical instruments, analytical systems, analytical methods and programs
CN113660224B (en) Situation awareness defense method, device and system based on network vulnerability scanning
US8561179B2 (en) Method for identifying undesirable features among computing nodes
CN114006723B (en) Network security prediction method, device and system based on threat information
US20040111638A1 (en) Rule-based network survivability framework
US11568053B2 (en) Automated malware monitoring and data extraction
KR102005107B1 (en) Method and Apparatus for Analyzing Malicious Code Using API Call Sequence
JP2021530807A (en) Systems and methods for reporting computer security incidents
WO2023223668A1 (en) Attack path estimation system, attack path estimation device, attack path estimation method, and program
CN113660115A (en) Network security data processing method, device and system based on alarm
JP2006146600A (en) Operation monitoring server, terminal apparatus and operation monitoring system
EP4111660B1 (en) Cyberattack identification in a network environment
Uhříček et al. BOTA: Explainable IoT malware detection in large networks
EP3848806A1 (en) Information processing device, log analysis method, and program
CN113660223B (en) Network security data processing method, device and system based on alarm information
JP6813451B2 (en) Anomaly detection system and anomaly detection method
CN114172881B (en) Network security verification method, device and system based on prediction
KR102538540B1 (en) Cyber attack detection method of electronic apparatus
US11763004B1 (en) System and method for bootkit detection
WO2024071049A1 (en) Attack analysis device, attack analysis method, and attack analysis program
CN111586020B (en) Probability model construction method and device, electronic equipment and storage medium
US11503046B2 (en) Cyber attack evaluation method and information processing apparatus
JP2024052533A (en) Attack analysis device, attack analysis method, and attack analysis program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22942719

Country of ref document: EP

Kind code of ref document: A1