WO2023223515A1 - Attack route estimation system, attack route estimation device, attack route estimation method, and program - Google Patents

Attack route estimation system, attack route estimation device, attack route estimation method, and program

Info

Publication number
WO2023223515A1
Authority
WO
WIPO (PCT)
Prior art keywords
attack
route
information
target system
weighted
Application number
PCT/JP2022/020883
Other languages
English (en)
Japanese (ja)
Inventor
靖 岡野
勝 松林
政志 田中
卓麻 小山
Original Assignee
日本電信電話株式会社
Application filed by 日本電信電話株式会社
Priority to PCT/JP2022/020883 (WO2023223515A1)
Priority to PCT/JP2023/011701 (WO2023223668A1)
Publication of WO2023223515A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures

Definitions

  • the present disclosure relates to an attack route estimation system, an attack route estimation device, an attack route estimation method, and a program.
  • Connected cars: vehicles equipped with the function of constantly connecting to external networks.
  • Connected cars are expected to offer improved convenience, such as obtaining the latest traffic information, remote control of door locks and air conditioners, and software updates for electronic control units (ECUs).
  • ECUs: electronic control units.
  • In Non-Patent Document 1, a monitor that records process startups and the communications sent and received by processes is installed on the PCs of an intranet; by analyzing the logs output by the monitor, attack communications and malicious files can be detected.
  • A method is also disclosed that, when such an attack communication or malicious file/process is detected, traces the communications and processes related to it and identifies the attack route and the source of the attack.
  • the starting point of an attack route is the source of the attack, so in the following, identifying the attack route includes identifying the source of the attack.
  • Logs may be missing because of vehicle malfunctions, deterioration of communication conditions caused by the driving environment (for example, while driving through a tunnel), or interference with monitoring caused by the attack itself, and some logs may become unobtainable altogether. These deficiencies (including the inability to obtain logs) make log analysis even more difficult.
  • In Non-Patent Document 1, when an attack communication or a malicious file/process is detected, the attack route is identified by tracking, one after another, the process of the communication partner, its parent process, the preceding communication, and so on. Missing logs therefore make this tracking extremely difficult and greatly impede identification of the attack route.
  • the present disclosure has been made in view of the above points, and provides a technique for estimating an attack route.
  • An attack route estimation system according to the present disclosure estimates an attack route in a target system and includes: a configuration information creation unit configured to create configuration information representing the configuration of the target system using at least one of design information and an operation history log of the target system; an expected route information creation unit configured to create expected route information representing an expected path of an attack on the target system using the configuration information and an attack pattern assumed for the target system; a weighted expected route information creation unit configured, when an attack on the target system is detected, to create weighted expected route information in which the expected route information is weighted using a log acquired from the target system and a predetermined weighting condition; and a route search unit configured to perform a route search based on the weighted expected route information and to estimate an attack route representing the route from the attack source to the attack destination.
  • a technique for estimating attack routes is provided.
  • FIG. 1 is a diagram illustrating an example of the hardware configuration of an attack route estimation device according to an embodiment.
  • FIG. 2 is a diagram illustrating an example of the functional configuration of the attack route estimation device according to the embodiment.
  • FIG. 3 is a flowchart illustrating an example of expected route information creation processing according to the embodiment.
  • FIG. 4 is a flowchart illustrating an example of attack route estimation processing according to the embodiment.
  • FIG. 5 is a diagram showing the vehicle control system in Example 1.
  • FIG. 6 is a diagram showing an example of an attack in Example 1.
  • FIG. 7 is a diagram showing an example of attack detection in Example 1.
  • FIG. 8 is a diagram showing the vehicle configuration information in Example 1.
  • FIG. 9 is a diagram showing the expected route in Example 1.
  • FIG. 10 is a diagram showing the expected route information in Example 1.
  • FIG. 11 is a diagram showing the observation information in Example 1.
  • FIG. 12 is a diagram showing the weighted expected route in Example 1.
  • FIG. 13 is a diagram showing the weighted expected route information in Example 1.
  • FIG. 14 is a diagram (part 1) showing an estimated attack route in Example 1.
  • FIG. 15 is a diagram (part 2) showing an estimated attack route in Example 1.
  • FIG. 16 is a diagram showing the estimated attack routes, their scores, and their costs in Example 1.
  • FIG. 17 is a diagram showing the assumed attack pattern in Example 2.
  • FIG. 18 is a diagram showing the weighted expected route in Example 2.
  • FIG. 19 is a diagram showing the weighted expected route information in Example 2.
  • FIG. 20 is a diagram showing the weighted expected route in Example 3.
  • FIG. 21 is a diagram showing the expected route in Example 4.
  • FIG. 22 is a diagram showing the weighted expected route in Example 4.
  • FIG. 23 is a diagram showing the weighted expected route information in Example 4.
  • FIG. 24 is a diagram (part 1) showing estimated attack routes, their scores, and their costs in Example 4.
  • FIG. 25 is a diagram (part 2) showing estimated attack routes, their scores, and their costs in Example 4.
  • In the following, an attack route estimation device 10 is described that can estimate the attack route even if the log obtained when some kind of attack is detected is missing data, mainly targeting a vehicle control system.
  • Here, the attack route is a path from the attack source (a malicious process, a malicious ECU, or the like) to the attack target (attack destination).
  • the vehicle control system is a system that includes an electronic control unit (ECU), CAN, etc., and controls various functions of a vehicle (for example, a car, a special vehicle, a motorcycle, a bicycle, etc.).
  • ECU: electronic control unit.
  • This embodiment is not limited to vehicle control systems; it is similarly applicable to control systems installed in machinery (for example, machine tools, construction machinery, agricultural machinery, and industrial machinery) and configured with ECUs, CAN, and the like.
  • the present invention can be similarly applied to IoT systems configured with IoT devices and arbitrary communication networks.
  • FIG. 1 shows an example of the hardware configuration of an attack path estimation device 10 according to this embodiment.
  • The attack route estimation device 10 includes an input device 101, a display device 102, an external I/F 103, a communication I/F 104, a RAM (Random Access Memory) 105, a ROM (Read Only Memory) 106, an auxiliary storage device 107, and a processor 108. These pieces of hardware are communicably connected via a bus 109.
  • the input device 101 is, for example, a keyboard, a mouse, a touch panel, a physical button, or the like.
  • the display device 102 is, for example, a display, a display panel, or the like. Note that the attack route estimation device 10 may not include at least one of the input device 101 and the display device 102, for example.
  • the external I/F 103 is an interface with an external device such as the recording medium 103a.
  • the attack route estimation device 10 can read and write data on the recording medium 103a via the external I/F 103.
  • Examples of the recording medium 103a include a flexible disk, a CD (Compact Disc), a DVD (Digital Versatile Disk), an SD memory card (Secure Digital memory card), and a USB (Universal Serial Bus) memory card.
  • the communication I/F 104 is an interface for connecting the attack path estimation device 10 to a communication network.
  • the RAM 105 is a volatile semiconductor memory (storage device) that temporarily holds programs and data.
  • the ROM 106 is a nonvolatile semiconductor memory (storage device) that can retain programs and data even when the power is turned off.
  • the auxiliary storage device 107 is, for example, a storage device such as an HDD (Hard Disk Drive), an SSD (Solid State Drive), or a flash memory.
  • the processor 108 is, for example, an arithmetic device such as a CPU (Central Processing Unit).
  • the attack route estimation device 10 can realize expected route information creation processing and attack route estimation processing, which will be described later.
  • the hardware configuration shown in FIG. 1 is an example, and the hardware configuration of the attack route estimation device 10 is not limited to this.
  • For example, the attack route estimation device 10 may include multiple auxiliary storage devices 107 and multiple processors 108, may omit part of the illustrated hardware, or may include various other hardware in addition to the illustrated hardware.
  • FIG. 2 shows an example of the functional configuration of the attack route estimation device 10 according to this embodiment.
  • the attack route estimation device 10 includes an expected route configuration section 110 and an attack route estimation section 120. Each of these units is realized, for example, by one or more programs installed in the attack path estimation device 10 causing the processor 108 to execute the process.
  • the attack route estimation device 10 includes an expected route information storage unit 130.
  • the predicted route information storage unit 130 is realized by, for example, the auxiliary storage device 107.
  • the expected route information storage unit 130 may be realized, for example, by a storage device such as a database that is connected to the attack route estimation device 10 via a communication network.
  • The expected route configuration unit 110 uses information obtained in advance to create expected route information representing the expected route of an attack. As a result, even if the log obtained when an attack is detected (hereinafter also referred to as the attack detection log) is missing data, the attack route can be estimated by filling in the missing part with the expected route.
  • The information obtained in advance is assumed to include design information such as the ECUs installed in the vehicle, the processes executed by those ECUs, and their communications and network connections; an operation history log representing the processes and communications of each ECU obtained in advance; and an assumed attack pattern representing a previously assumed attack path of a malicious ECU or malicious process.
  • the expected route configuration section 110 includes a vehicle configuration information creation section 111 and an expected route information creation section 112.
  • the vehicle configuration information creation unit 111 creates vehicle configuration information using design information and operation history logs.
  • Vehicle configuration information is information expressed in a graph structure whose nodes are the processes executed on the ECUs, the ECUs themselves, the communications and network connections they send and receive, and objects related to those processes and ECUs (e.g., data, files, etc.), and whose edges are the associations between nodes.
  • the expected route information creation unit 112 creates expected route information using the vehicle configuration information and the assumed attack pattern. Further, the predicted route information creation unit 112 stores the generated predicted route information in the predicted route information storage unit 130.
  • The assumed attack pattern is information expressed in a graph structure whose nodes are the malicious processes and malicious ECUs assumed in advance, the malicious communications and network connections they send and receive, and the objects (e.g., data, files, etc.) related to those malicious processes and ECUs, and whose edges represent the associations between nodes. The expected route information is obtained by adding the graph represented by the assumed attack pattern to the graph represented by the vehicle configuration information; in other words, it is information expressed in a graph structure in which the nodes and edges of the assumed attack pattern are added to the nodes and edges of the vehicle configuration information.
  • Expected route information is created in this way because an attack route first passes through a normal route, that is, a route in the graph represented by the vehicle configuration information, and then, at the time of the attack, passes through nodes that are not in that graph (malicious processes, malicious communications, malicious files, and other malicious objects).
  • the attack route estimation unit 120 estimates an attack route using the expected route information, the attack detection log, and the weighting rule, and creates attack route information representing the attack route.
  • the attack detection log is a log collected when an IDS or the like of a vehicle control system detects an attack.
  • The attack detection log may be collected by the vehicle control system and sent to the attack route estimation device 10 when the IDS or the like of the vehicle control system detects an attack, or it may be collected by the attack route estimation device 10 from the vehicle control system.
  • the weighting rule is information representing weighting conditions (rules) used when creating weighted predicted route information, which will be described later.
  • the attack route estimation unit 120 includes a weighted expected route information creation unit 121 and a route search unit 122.
  • the weighted expected route information creation unit 121 acquires attack detection logs, creates attack observation information using these attack detection logs, and adds/overwrites the observed information to the expected route information. Further, the weighted predicted route information creation unit 121 weights the edges of the predicted route information after addition/overwriting using a weighting rule, and creates weighted predicted route information.
  • Observation information is information expressed in a graph structure whose nodes are the processes and ECUs that appear in the attack detection logs (including malicious processes and malicious ECUs), the communications and network connections they send and receive, and the objects related to those processes and ECUs (e.g., data, files, etc.), and whose edges are the associations between nodes. In other words, the observation information is graph information representing the route of the attack as observed in the attack detection log.
  • Even if the attack detection log is missing data, the missing portion can therefore be supplemented with the expected route information.
  • Multiple attack routes may be possible in the supplemented portion, but by weighting the edges, the more likely route can be estimated as the attack route.
  • the weight represents the strength of association between nodes.
  • the weight may be, for example, a cost that is assigned a smaller value as the association between nodes is stronger, or a transition probability that represents the probability that the edge can be used. Further, for example, some of the weights may be given in advance by the predicted route configuration unit 110 (in particular, the vehicle configuration information creation unit 111).
  • The route search unit 122 starts from the node representing the malicious process or malicious communication detected by the IDS or the like of the vehicle control system (hereinafter also referred to as the detection node), performs a route search backward from the detection node using the weighted expected route information, and estimates the attack route (including the attack source). The route search unit 122 also outputs attack route information representing the estimated attack route to a predetermined output destination (for example, the display device 102 such as a display, the auxiliary storage device 107, or another terminal connected via a communication network).
  • a shortest route search method such as Dijkstra's method can be used.
  • The route search unit 122 may estimate a plurality of attack routes, as routes from different attack source nodes to the same detection node. For this reason, the route search unit 122 may output, to a predetermined output destination, the most probable piece of attack route information among the plurality of pieces of attack route information, selected for example using a predetermined score. Alternatively, the route search unit 122 may output the plurality of pieces of attack route information together with their scores to the predetermined output destination.
  • As the score, for example, the sum of the costs given to the edges on the attack route, that sum divided by the number of nodes on the attack route, or the transition probability from the start point to the end point (detection node) of the attack route can be used.
  • The expected route information storage unit 130 stores expected route information. Note that the expected route information storage unit 130 may store expected route information for each vehicle model or type, for example; in this case, the attack route estimation unit 120 uses the expected route information corresponding to the model or type of the vehicle in which the attack was detected.
  • the vehicle configuration information creation unit 111 of the predicted route configuration unit 110 creates vehicle configuration information using the design information and the operation history log (step S101). Note that the vehicle configuration information creation unit 111 may use both the design information and the operation history log, or may use only one of them.
  • The expected route information creation unit 112 of the expected route configuration unit 110 creates expected route information using the vehicle configuration information and the assumed attack pattern, and stores this expected route information in the expected route information storage unit 130 (step S102).
  • Attack route estimation processing is executed every time an attack is detected by the vehicle control system.
  • the weighted predicted route information creation unit 121 of the attack route estimation unit 120 acquires attack detection logs, creates attack observation information using those attack detection logs, and adds/overwrites the observation information to the expected route information. After that, weighted predicted route information is created using a weighting rule (step S201).
  • The route search unit 122 of the attack route estimation unit 120 estimates an attack route by searching the weighted expected route information backward from the detection node, and then outputs attack route information representing the estimated attack route to a predetermined output destination (step S202). At this time, the route search unit 122 may output the most probable piece of attack route information among the plurality of pieces of attack route information using a predetermined score, or may output the plurality of pieces of attack route information together with their scores.
  • Example 1: Example 1 will be described below.
  • In this example, an attack route is estimated using a comprehensive assumed attack pattern. That is, a case is described in which a variety of attacks are assumed comprehensively without assuming any specific attack, so that the attack route can be estimated even for an unknown attack.
  • FIG. 5 shows the configuration of the vehicle control system in this embodiment.
  • the vehicle control system in this embodiment uses a smartphone or the like to perform remote operations such as locking/unlocking the doors of the target vehicle and turning on/off the air conditioner.
  • an OEM site accepts instructions from a smartphone.
  • The TCUctrl process on the TCU, which is the telematics control unit, periodically makes HTTPS accesses (URLOEM) to the OEM site to receive commands.
  • the command is communicated via Ethernet (IPCGW), converted into CAN communication (CAN6AA) by the central gateway CGW, and executed by the ECU 1 corresponding to the CAN communication.
  • IPCGW: the Ethernet communication.
  • CAN6AA: the CAN communication.
  • the OEM site and TCU are connected by NWEXT, which is an external wireless IP network, and the TCU and CGW are connected by NWINT, which is an in-vehicle Ethernet network. Further, the CGW and each ECU are connected by CANBUS, which is an in-vehicle CAN network. Furthermore, the TCU and each ECU are also connected via CANBUS for purposes such as remote diagnosis and measurement.
  • NWEXT may include, for example, devices such as a router and an HTTPS proxy, but a description thereof will be omitted.
  • NWINT may include, for example, equipment such as an Ethernet switch, but a description thereof will be omitted.
  • CANBUS may include devices such as a CAN gateway, but a description thereof will be omitted.
  • ECU1 will be mainly explained among the ECUs, and the explanation of the other ECUs will be omitted.
  • Monitors and detectors are installed at NWEXT, TCU, NWINT, and CANBUS, and each outputs a log as follows.
  • NWEXT: URL access log.
  • TCU: process startup log (started process and its parent process).
  • NWINT: attack communication detection alert log from the Ethernet-IDS.
  • CANBUS: attack communication detection alert log from the CAN-IDS.
  • FIG. 6 shows an example of an attack on the vehicle control system in this example.
  • the attack example shown in FIG. 6 is a Drive by Download attack in which an illegal command is executed.
  • Fraudulent information that attacks a vulnerability in TCUctrl is embedded on the OEM site.
  • When TCUctrl on the TCU accesses (URLOEM) this fraudulent information, a mal1 process, which is an unauthorized process, is generated and started on the TCU through the vulnerability.
  • the mal1 process accesses the attacker's site (URLmal), downloads an attack program to the TCU, and uses the attack program to generate and start a mal2 process, which is an unauthorized process.
  • the mal2 process sends an unauthorized CAN message CAN6AA' to CANBUS (CAN message insertion attack) and causes the ECU 1 to execute an unauthorized command.
  • CANBUS: CAN message insertion attack.
  • FIG. 7 shows a graphical representation of the log output during the above attack.
  • NWEXT outputs URL access logs to URLOEM and URLmal
  • The TCU outputs a startup log of mal1 started by TCUctrl and a startup log of mal2 started by mal1.
  • CANBUS outputs attack communication detection alert logs related to CAN6AA'.
  • From the NWEXT URL access log, it is known that the access was made from the TCU, but it is not possible to identify from which process on the TCU the access was made.
  • From the CANBUS attack communication detection alert log, it is known that CAN6AA' was used in the attack, but the device and process that were the source of the attack cannot be identified. Note that since there is no attack communication in NWINT, no log is output there.
  • the attack route is estimated by tracing back from CANBUS CAN6AA' where the attack was detected.
  • predicted route information is created in advance by the predicted route configuration unit 110.
  • the vehicle configuration information shown in FIG. 8 is created by the vehicle configuration information creation section 111, and then the expected route information creation section 112 creates expected route information from the vehicle configuration information and the assumed attack pattern.
  • the vehicle configuration information shown in FIG. 8 is a graph structure related to each device or process and communication in the vehicle control system shown in FIG. 5 expressed as an adjacency matrix.
  • In the adjacency matrix, the source node (Src.) is assigned to the row and the destination node (Dst.) to the column; elements between nodes that have a relationship (edge) are set to 1, and elements between unrelated nodes are set to 0.
  • a node representing a process is also referred to as a process node
  • a node representing communication is also referred to as a communication node.
  • the assumed attack pattern in this example was set as follows, allowing a comprehensive assumption of attack routes.
  • edges to wildcard nodes are set along each device/network connection.
  • A process wildcard node is given edges signifying a startup relationship with all other process nodes on the device where the process is executed, and edges signifying a communication relationship with all communication nodes on the networks connected to that device.
  • a communication wildcard node has an edge indicating a communication relationship with all process nodes on a device connected to the network where the communication is performed.
  • FIG. 9 shows a graph representing a predicted route incorporating such a comprehensive assumed attack pattern. Further, information (expected route information) expressing the graph structure as an adjacency matrix is shown in FIG.
  • The nodes NWEXT*, TCU*, NWINT*, and CANBUS* added on NWEXT, TCU, NWINT, and CANBUS, respectively, are wildcard nodes.
  • The wildcard node TCU* has a bidirectional edge representing a startup relationship with the process TCUctrl on the TCU, and since the TCU is also connected to NWEXT, NWINT, and CANBUS, bidirectional edges representing communication relationships are set between TCU* and the communication nodes of those networks, namely URLOEM, NWEXT*, IPCGW, NWINT*, CAN6AA, and CANBUS*.
  • The wildcard node of a given device or network may be omitted, a wildcard node may be added, or the number of edges connected to a wildcard node may be reduced or increased. For example, it is not necessary to set a process wildcard node on a device that enforces very strict mandatory access control and for which it is certain that unauthorized process startup cannot occur. Furthermore, if network communication is restricted and controlled by a firewall with strong security, the edges connected to wildcard nodes may be reduced or made unidirectional in accordance with those restrictions and controls.
  • the attack route estimation unit 120 estimates the attack route using the expected route information.
  • The weighted expected route information creation unit 121 acquires attack detection logs, creates observation information from these attack detection logs, adds and overwrites the observation information onto the expected route information, and then creates weighted expected route information by setting weights using the weighting rules.
  • FIG. 11 shows observation information created from the attack detection log when the attack example shown in FIG. 6 was detected.
  • URLmal, mal1, mal2, and CAN6AA' are nodes that are not in the vehicle configuration information, and are replaced by the wildcard nodes NWEXT*, TCU*, TCU*, and CANBUS*, respectively. Note that both mal1 and mal2 on the TCU are substituted by TCU*, so the process startup relationship TCUctrl → mal1 → mal2 is replaced by TCUctrl → TCU*.
  • the following rules 1 to 5 are used as weighting rules for edges of predicted route information.
  • FIG. 12 shows a graph in which predicted route information is weighted using the above weighting rule. Further, information (weighted predicted route information) representing this graph as an adjacency matrix is shown in FIG. In FIG. 12, edges with high cost are represented by broken lines, edges with medium cost are represented by solid lines, and edges with low cost are represented by solid thick lines. Further, in FIG. 13, large cost is set as 100, medium cost as 10, and small cost as 1.
  • Weighting rules may be changed, added, or deleted depending on the characteristics of the system. For example, rules such as uniformly reducing the cost of all edges connected to nodes that exist in the observation information, or reducing the cost of edges between wildcard nodes and process nodes whose communication is susceptible to threats, may be added. Furthermore, if there are a plurality of CAN buses and attacks can be detected on each CAN bus, a rule may be added that particularly reduces the cost of edges connected to the CAN bus on which the attack was detected. In a system where there is a high possibility of failing to detect an attack, rule 2 above may be deleted. The actual cost values may also be set as appropriate.
  • Part of the weighting may be performed in advance by the expected route configuration unit 110. For example, the weighting according to rules 3 to 5 above may be performed in advance in the expected route configuration unit 110, and only rules 1 and 2 applied in the attack route estimation unit 120 (the weighted expected route information creation unit 121).
  • Next, the route search unit 122 uses the weighted expected route information to estimate an attack route, tracing back from the CANBUS network where the CAN-IDS attack communication detection alert occurred. That is, the wildcard node CANBUS* corresponding to the attack communication detection alert is set as the target, and the route from each other node to the target and a score for that route are determined. The score is the sum of the costs of the edges in the route divided by the number of edges in the route.
  • For the route search, a shortest route search method such as Dijkstra's method can be used. Examples of routes searched in this example are shown in FIGS. 14 and 15: the attack route URLOEM → TCUctrl → TCU* → CANBUS* and the attack route NWEXT* → TCU* → CANBUS*.
  • FIG. 16 lists the attack routes estimated in this example together with their scores and costs.
  • The route search unit 122 then selects appropriate attack routes from among these attack routes, and outputs attack route information representing the selected attack routes to a predetermined output destination.
  • Various methods are conceivable for selecting an appropriate attack route, such as selecting the attack routes whose score is within a predetermined range, or the attack routes whose score is greater than or equal to a predetermined threshold.
  • Alternatively, the score may be the sum of the costs of the edges on the route divided by the number of nodes on the route, or the transition probability from the start point to the end point (the detection node, i.e., the target) of the attack route may be used as the score.
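As an added illustration of the route search and scoring described above (this is example code written for this page, not code from the patent or its applicant), the following Python builds a small weighted expected-route graph over node names used in this description, runs Dijkstra's method from every node toward the detection node CANBUS*, and scores each route as the sum of edge costs divided by the number of edges (or, alternatively, of nodes). The edge costs are constructed for illustration and are not the values of FIG. 13; only the cost levels 100/10/1 follow the description. The function `multiple_route_search` implements one reading of the multiple route search described later in Example 4 (a shortest route search into each node that is one edge back from the target, followed by the final hop).

```python
"""Weighted expected-route graph, Dijkstra search toward the detection node,
and route scoring, modelled on Example 1 of the description.
Edge costs are constructed for illustration; they are not those of FIG. 13."""
import heapq
from typing import Dict, FrozenSet, List, NamedTuple, Optional

LARGE, MEDIUM, SMALL = 100, 10, 1  # cost levels of FIG. 13

Graph = Dict[str, Dict[str, int]]  # source -> {destination: cost}

# Constructed weighted expected route information. A dict of dicts is the sparse
# form of the adjacency matrix in the description; an absent entry means "no edge".
WEIGHTED_ROUTES: Graph = {
    "URLOEM":  {"TCUctrl": SMALL},                    # observed process start
    "NWEXT*":  {"TCU*": SMALL, "TCUctrl": MEDIUM},     # external network wildcard
    "TCUctrl": {"TCU*": SMALL, "CANBUS*": MEDIUM},
    "TCU*":    {"CANBUS*": SMALL, "NWINT*": MEDIUM},   # wildcard process on the TCU
    "NWINT*":  {"IPCGW": MEDIUM},
    "IPCGW":   {"CANBUS*": LARGE},                    # hop not supported by any observation
    "CANBUS*": {},                                    # detection node (target)
}


class Route(NamedTuple):
    nodes: List[str]
    cost: int

    @property
    def edges(self) -> int:
        return len(self.nodes) - 1

    def score(self, per_node: bool = False) -> float:
        """Sum of edge costs divided by the number of edges (or of nodes)."""
        return self.cost / (len(self.nodes) if per_node else self.edges)


def shortest_route(graph: Graph, start: str, target: str,
                   exclude: FrozenSet[str] = frozenset()) -> Optional[Route]:
    """Dijkstra's method from start to target; nodes in `exclude` are not traversed."""
    if start == target:
        return None
    dist: Dict[str, int] = {start: 0}
    prev: Dict[str, str] = {}
    heap = [(0, start)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue  # stale heap entry
        if u == target:
            break  # popped with its final distance
        for v, w in graph.get(u, {}).items():
            if v in exclude or v == start:
                continue
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v], prev[v] = nd, u
                heapq.heappush(heap, (nd, v))
    if target not in dist:
        return None
    path = [target]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return Route(path[::-1], dist[target])


def estimate_routes(graph: Graph, target: str) -> List[Route]:
    """Shortest route from every other node to the detection node (Example 1)."""
    routes = [r for s in graph if (r := shortest_route(graph, s, target)) is not None]
    return sorted(routes, key=lambda r: r.score())


def multiple_route_search(graph: Graph, target: str) -> List[Route]:
    """One route per node that is one edge back from the target: shortest route into
    that node (never through the target), then the final hop (one reading of Example 4)."""
    preds = [u for u, nbrs in graph.items() if target in nbrs]
    routes: List[Route] = []
    for start in graph:
        if start == target:
            continue
        for p in preds:
            r = Route([p], 0) if start == p else \
                shortest_route(graph, start, p, exclude=frozenset({target}))
            if r is not None:
                routes.append(Route(r.nodes + [target], r.cost + graph[p][target]))
    return sorted(routes, key=lambda r: r.score())


def select_routes(routes: List[Route], low: float, high: float) -> List[Route]:
    """Keep the routes whose score lies within the predetermined range [low, high]."""
    return [r for r in routes if low <= r.score() <= high]


def format_route(r: Route) -> str:
    return " -> ".join(r.nodes)


if __name__ == "__main__":
    for r in estimate_routes(WEIGHTED_ROUTES, "CANBUS*"):
        print(f"{format_route(r):40s} cost={r.cost:4d} score={r.score():7.2f}")
```

Because a small cost marks a hop that the observation information supports, a small score marks a route the log evidence supports well; `select_routes` keeps the routes whose score lies within a predetermined range, which covers both selection criteria mentioned above.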
  • In this example, expected route information is created in advance from vehicle configuration information and a comprehensive assumed attack pattern, and weighted expected route information is then created from this expected route information, the attack detection log, and the weighting rules. This allows the attack route to be estimated even if the attack detection log is incomplete.
  • In this example, the processes and communications that are the targets of log output are used as nodes, but if the targets of log output change, the nodes and edges may be changed accordingly.
  • Nodes may also include files, system calls, signals, and the like.
  • The representation of the graph is not limited to an adjacency matrix; it may be represented in other formats such as an incidence matrix, a Laplacian matrix, or a list representation. Furthermore, it may be expressed as a bipartite graph instead of a unipartite graph.
  • Example 2 will be described below.
  • In this example, an attack route is estimated using a known assumed attack pattern.
  • First, vehicle configuration information is created by the vehicle configuration information creation unit 111.
  • Next, the expected route information creation unit 112 creates expected route information from the vehicle configuration information and the assumed attack pattern.
  • Assumed attack patterns may be given, for example, as a graph model representing the relationship between threats and vulnerabilities (also called an attack graph), or as indicators of compromise (IoC) information. Below, a case in which the assumed attack pattern is given by IoC is described.
  • FIG. 17 shows an example of an IoC and its representation as an attack graph.
  • Here, the attack graph is expressed as an adjacency matrix: all processes and communications that appear in the IoC are described as nodes, and edges are set between associated nodes.
  • This IoC and attack graph are stored, together with the vehicle configuration information, in the expected route information storage unit 130 as expected route information.
  • Note that TCUctrl, which is vulnerable to URLOEM, is not described in this IoC. This is because, for example, if a library has a vulnerability, all programs that use the library are affected, so the program/process name may not be written in the IoC.
  • Next, the attack route estimation unit 120 estimates the attack route using the expected route information.
  • First, the weighted expected route information creation unit 121 acquires attack detection logs and creates observation information from them. The weighted expected route information creation unit 121 then obtains from the expected route information storage unit 130 the attack graph representing the IoC that best matches those attack detection logs. Finally, the weighted expected route information creation unit 121 adds the observation information and the attack graph to the vehicle configuration information, overwriting existing entries where they overlap, and creates weighted expected route information using the weighting rules.
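To make the three steps above concrete, here is an added Python example (written for this page; not the patent's or the applicant's code) that turns an IoC given as an ordered chain of processes and communications into an attack graph in adjacency-matrix form, selects the IoC whose nodes overlap most with the observation information derived from a log, and overlays observation information and attack graph onto the vehicle configuration graph. The IoC chains, the configuration graph, the log lines and the names mal1, No.1 and No.2 are constructed for illustration and are not those of FIG. 17.

```python
"""Added example: IoC -> attack graph, best-matching IoC, and overlay onto the
vehicle configuration graph (the Example 2 flow up to the weighting rules).
All IoC chains, log lines and the configuration graph are constructed."""
from typing import Dict, List, Mapping, Sequence, Set

Graph = Dict[str, Dict[str, int]]  # source -> {destination: 1}; sparse adjacency matrix

# Constructed vehicle configuration information (not the patent's figures).
VEHICLE_CONFIG: Graph = {
    "URLOEM": {"TCUctrl": 1},
    "NWEXT*": {"TCU*": 1},
    "TCUctrl": {"TCU*": 1},
    "TCU*": {"CANBUS*": 1},
    "CANBUS*": {},
}

# Constructed IoCs: ordered chains of the processes/communications seen in a
# known attack. "mal1"/"mal2" are placeholder malicious process names.
KNOWN_IOCS: Dict[str, List[str]] = {
    "No.1": ["URLOEM", "TCUctrl", "mal1", "CAN6AA"],
    "No.2": ["NWEXT*", "mal2", "CAN6AA"],
}

# Constructed process-monitoring log: one "<parent> <child>" relation per line.
CONSTRUCTED_PROCESS_LOG = ["URLOEM TCUctrl", "TCUctrl mal1"]


def ioc_to_attack_graph(chain: Sequence[str]) -> Graph:
    """Every element of the IoC becomes a node; consecutive elements are joined
    by a directed edge (the "edges between associated nodes")."""
    graph: Graph = {node: {} for node in chain}
    for src, dst in zip(chain, chain[1:]):
        graph[src][dst] = 1
    return graph


def to_adjacency_matrix(graph: Graph, order: Sequence[str]) -> List[List[int]]:
    """Dense adjacency matrix with rows and columns in the given node order."""
    return [[graph.get(u, {}).get(v, 0) for v in order] for u in order]


def observation_from_log(lines: Sequence[str]) -> Graph:
    """Observation information: one edge per observed parent -> child relation."""
    obs: Graph = {}
    for line in lines:
        parent, child = line.split()
        obs.setdefault(parent, {})[child] = 1
        obs.setdefault(child, {})
    return obs


def best_matching_ioc(iocs: Mapping[str, Sequence[str]], observation: Graph) -> str:
    """The IoC sharing the most nodes with the observation information wins;
    ties go to the shorter IoC (fewer nodes the log did not confirm)."""
    observed: Set[str] = set(observation)
    return max(iocs, key=lambda name: (len(set(iocs[name]) & observed), -len(iocs[name])))


def overlay(base: Graph, *layers: Graph) -> Graph:
    """Copy `base`, then add the nodes and edges of each layer in turn,
    overwriting entries that already exist (the add-and-overwrite step)."""
    merged: Graph = {u: dict(nbrs) for u, nbrs in base.items()}
    for layer in layers:
        for u, nbrs in layer.items():
            merged.setdefault(u, {}).update(nbrs)
    return merged


def edge_count(graph: Graph) -> int:
    return sum(len(nbrs) for nbrs in graph.values())


def build_expected_routes(config: Graph, log: Sequence[str],
                          iocs: Mapping[str, Sequence[str]]) -> Graph:
    """Observation info -> best IoC -> attack graph -> overlay on the configuration."""
    observation = observation_from_log(log)
    attack_graph = ioc_to_attack_graph(iocs[best_matching_ioc(iocs, observation)])
    return overlay(config, observation, attack_graph)


if __name__ == "__main__":
    merged = build_expected_routes(VEHICLE_CONFIG, CONSTRUCTED_PROCESS_LOG, KNOWN_IOCS)
    order = list(merged)
    for node, row in zip(order, to_adjacency_matrix(merged, order)):
        print(f"{node:8s} {row}")
```

The resulting graph is what the weighting rules are then applied to; because the IoC of FIG. 17 need not name every vulnerable process, the overlay of observation information onto the configuration is what keeps a process such as TCUctrl reachable in the search even when the IoC omits it.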
  • In this example, the following rules 1 to 4 are used as weighting rules for the edges of the expected route information. As in Example 1, the weighting rules may be changed, added to, or deleted depending on the characteristics of the system.
  • FIG. 18 shows a graph in which the expected route information has been weighted using the above weighting rules, and FIG. 19 shows the information representing this graph as an adjacency matrix (the weighted expected route information). In FIG. 18, edges with large cost are drawn as broken lines, edges with medium cost as solid lines, and edges with small cost as thick solid lines. In FIG. 19, large cost is set to 100, medium cost to 10, and small cost to 1. Note that there are no edges with large cost in FIGS. 18 and 19.
  • Thereafter, the route search unit 122 may use this weighted expected route information to estimate the attack route, tracing back from the CANBUS network where the CAN-IDS attack communication detection alert occurred.
  • Example 3 will be described below.
  • In this example, the comprehensive assumed attack pattern of Example 1 and the known assumed attack pattern of Example 2 may be combined.
  • For example, in Example 2, if mal2 and CAN6AA' are not included in the known assumed attack pattern (in FIG. 17, if the IoC matches that of No. 2), they may instead be comprehensively expressed by the wildcard nodes TCU* and CANBUS*, respectively.
  • FIG. 20 shows an example of the graph represented by the weighted expected route information when a comprehensive assumed attack pattern and a known assumed attack pattern are used together. Thereafter, similarly to Examples 1 and 2, the route search unit 122 may estimate the attack route using this weighted expected route information.
  • Example 4 will be described below. In this example, a case is described in which the attack route is estimated by network monitoring only, without process monitoring. The configuration of the vehicle control system, the attack example, and the attack detection conditions are assumed to be the same as in Example 1.
  • FIG. 21 shows the graph of the expected route information created by the expected route information creation unit 112. Unlike Example 1, since process monitoring is not performed, there are no process nodes TCUctrl and TCU*; instead the TCU itself becomes a node, and the node TCU has edges with the nodes URLOEM, NWEXT*, IPCGW, NWINT*, CAN6AA, and CANBUS*.
  • FIG. 22 shows the graph in which the expected route information has been weighted, when an attack is detected, using the same weighting rules as in Example 1, and FIG. 23 shows the information representing this graph as an adjacency matrix (the weighted expected route information). FIG. 24 shows the route searched back from the detection node CANBUS* (the estimated attack route) using the shortest route search method, together with its score and cost.
  • FIG. 25 shows the attack routes (estimated attack routes) searched by the multiple route search method, together with their scores and costs.
  • In the multiple route search method, a shortest route search is performed from each node that is one edge back from the target node. In this example, the target node is the detection node CANBUS*, so the shortest route search is performed from each of the nodes TCU and CGW, which are one edge back from it.
  • Example 5 will be described below.
  • A log observed over a long period may contain multiple attack communication detection alerts, and if such a log is acquired as the attack detection log, it may be difficult to estimate the attack route. Therefore, when a log observed over a long period is acquired as the attack detection log, the attack detection log may be divided appropriately and the present embodiment applied to each of the divided logs.
  • As a method for dividing the attack detection log, for example, extracting the portion covering a specific period before and after each attack communication detection alert, or dividing by means of a clustering method, can be used.
  • When the same alert occurs continuously, in order to further improve the accuracy of attack route estimation, the same alerts may, for example, be grouped together into one representative alert, or only the alerts at the start and end of the period in which the same alert occurs continuously may be kept and the other alerts deleted, before the log is divided.
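As an added example (written for this page, not code from the patent or its applicant), the following Python implements the two preprocessing steps just described: collapsing a run of the same alert to one representative alert, or to the first and last alert of the run, and then dividing the log into one sub-log per attack communication detection alert covering a fixed period before and after it. The log lines and timestamps are constructed, as is the CAN-ID CAN1B0; division by clustering is not shown.

```python
"""Added example: dividing a long attack detection log around attack communication
detection alerts after collapsing runs of the same alert (Example 5).
The log lines below are constructed; they are not from the description."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Constructed log, one "<ISO timestamp> <source> <message>" entry per line.
# CAN6AA is a CAN-ID used in the description; CAN1B0 is constructed.
CONSTRUCTED_LOG = """\
2022-05-19T10:00:00 proc TCUctrl started by URLOEM
2022-05-19T10:00:02 proc TCUctrl connect NWEXT
2022-05-19T10:00:05 CAN-IDS ALERT CAN6AA invalid periodicity
2022-05-19T10:00:06 CAN-IDS ALERT CAN6AA invalid periodicity
2022-05-19T10:00:07 CAN-IDS ALERT CAN6AA invalid periodicity
2022-05-19T10:05:00 proc IPCGW forward NWINT
2022-05-19T10:30:00 CAN-IDS ALERT CAN1B0 unknown id
2022-05-19T10:30:10 proc CGW reboot
"""


@dataclass(frozen=True)
class LogEntry:
    ts: datetime
    source: str
    message: str

    @property
    def is_alert(self) -> bool:
        # Attack communication detection alerts come from the CAN-IDS in this log.
        return self.source == "CAN-IDS" and self.message.startswith("ALERT")


def parse_log(text: str) -> List[LogEntry]:
    entries: List[LogEntry] = []
    for line in text.strip().splitlines():
        ts, source, message = line.split(" ", 2)
        entries.append(LogEntry(datetime.fromisoformat(ts), source, message))
    return entries


def collapse_repeated_alerts(entries: List[LogEntry],
                             keep_endpoints: bool = False) -> List[LogEntry]:
    """A run of identical alerts (not interrupted by a different alert) is reduced
    to one representative, or to its first and last alert when keep_endpoints is set.
    Non-alert entries are always kept."""
    keep = set()
    run_msg, run_first, run_last = None, -1, -1

    def close_run() -> None:
        if run_first >= 0:
            keep.add(run_first)
            if keep_endpoints:
                keep.add(run_last)

    for i, e in enumerate(entries):
        if not e.is_alert:
            keep.add(i)
        elif e.message == run_msg:
            run_last = i  # same alert continues
        else:
            close_run()
            run_msg, run_first, run_last = e.message, i, i
    close_run()
    return [e for i, e in enumerate(entries) if i in keep]


def split_around_alerts(entries: List[LogEntry], before_s: float,
                        after_s: float) -> List[List[LogEntry]]:
    """One sub-log per attack communication detection alert, holding the entries
    from before_s seconds ahead of the alert to after_s seconds past it."""
    before, after = timedelta(seconds=before_s), timedelta(seconds=after_s)
    return [
        [e for e in entries if alert.ts - before <= e.ts <= alert.ts + after]
        for alert in entries if alert.is_alert
    ]


if __name__ == "__main__":
    reduced = collapse_repeated_alerts(parse_log(CONSTRUCTED_LOG))
    for n, part in enumerate(split_around_alerts(reduced, 10, 10), 1):
        print(f"sub-log {n}: {[e.message for e in part]}")
```

Collapsing before dividing matters: with the run of three CAN6AA alerts left intact, the 10-second windows would produce three nearly identical sub-logs for one attack, whereas after collapsing each attack communication detection alert yields exactly one sub-log.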
  • As described above, the attack route estimation device 10 creates expected route information expressed as a discrete graph from vehicle configuration information and an assumed attack pattern in advance; then, using the attack detection log obtained at the time of attack detection and the weighting rules, it creates weighted expected route information and estimates the attack route by performing a route search from the attack detection node on the weighted expected route information. This makes it possible to estimate the attack route even if there is data loss in the log obtained at the time of attack detection (the attack detection log). Therefore, for example, when an attack on a vehicle control system is detected, the range of its influence can be analyzed efficiently.
  • In the above, the vehicle control system has been described as an example, but the present embodiment is not limited to this and may also be applied to other systems with communication functions, such as machine control systems. For example, the present embodiment may be applied to a communication system consisting of industrial control equipment such as robots in factories, sensors placed in various locations, audio equipment, home appliances, information processing terminals (smartphones, tablets, etc.), equipment generally called IoT equipment, and the like.
  • Attack detection logs that can be used include, for example, alert logs of network attack detection functions such as CAN-IDS and in-vehicle Ethernet IDS; communication rejection logs and communication statistics logs of CAN communication gateways and IP firewalls; communication statistics logs of ECUs and terminals; system logs from OS (Operating System) security audits; malware scan reports from anti-virus software; and application logs such as proxy server access logs.
  • Reference signs:
  • 10 Attack route estimation device
  • 101 Input device
  • 102 Display device
  • 103 External I/F
  • 103a Recording medium
  • 104 Communication I/F
  • 105 RAM
  • 106 ROM
  • 107 Auxiliary storage device
  • 108 Processor
  • 109 Bus
  • 110 Expected route configuration unit
  • 111 Vehicle configuration information creation unit
  • 112 Expected route information creation unit
  • 120 Attack route estimation unit
  • 121 Weighted expected route information creation unit
  • 122 Route search unit
  • 130 Expected route information storage unit

Abstract

An attack route estimation system according to one embodiment of the present invention estimates an attack route in a target system, and comprises: a configuration information creation unit configured to use an operation history log and/or design information of the target system to create configuration information representing the configuration of the target system; an expected route information creation unit configured to use the configuration information and an attack pattern assumed for the target system to create expected route information representing expected routes of an attack on the target system; a weighted expected route information creation unit configured to, when an attack on the target system has been detected, use a log obtained from the target system and a prescribed weighting rule to create weighted expected route information in which the expected route information has been weighted; and a route search unit configured to estimate an attack route representing the route from the attack source to the attack destination by means of a route search on the weighted expected route information.
PCT/JP2022/020883 2022-05-19 2022-05-19 Attack route estimation system, attack route estimation device, attack route estimation method, and program WO2023223515A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2022/020883 WO2023223515A1 (fr) 2022-05-19 2022-05-19 Attack route estimation system, attack route estimation device, attack route estimation method, and program
PCT/JP2023/011701 WO2023223668A1 (fr) 2022-05-19 2023-03-24 Attack route estimation system, attack route estimation device, attack route estimation method, and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2022/020883 WO2023223515A1 (fr) 2022-05-19 2022-05-19 Attack route estimation system, attack route estimation device, attack route estimation method, and program

Publications (1)

Publication Number Publication Date
WO2023223515A1 true WO2023223515A1 (fr) 2023-11-23

Family

ID=88835040

Family Applications (2)

Application Number Title Priority Date Filing Date
PCT/JP2022/020883 WO2023223515A1 (fr) 2022-05-19 2022-05-19 Attack route estimation system, attack route estimation device, attack route estimation method, and program
PCT/JP2023/011701 WO2023223668A1 (fr) 2022-05-19 2023-03-24 Attack route estimation system, attack route estimation device, attack route estimation method, and program

Family Applications After (1)

Application Number Title Priority Date Filing Date
PCT/JP2023/011701 WO2023223668A1 (fr) 2022-05-19 2023-03-24 Attack route estimation system, attack route estimation device, attack route estimation method, and program

Country Status (1)

Country Link
WO (2) WO2023223515A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016076207A1 (fr) * 2014-11-10 2016-05-19 日本電信電話株式会社 Optimization device, optimization method, and optimization program
WO2020075808A1 (fr) * 2018-10-11 2020-04-16 日本電信電話株式会社 Information processing device, log analysis method, and program
WO2020183615A1 (fr) * 2019-03-12 2020-09-17 三菱電機株式会社 Attack estimation device, attack control method, and attack estimation program

Also Published As

Publication number Publication date
WO2023223668A1 (fr) 2023-11-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22942719

Country of ref document: EP

Kind code of ref document: A1