WO2024079972A1 - Cyber attack countermeasure assistance system, cyber attack countermeasure assistance method, and cyber attack countermeasure assistance program - Google Patents

Cyber attack countermeasure assistance system, cyber attack countermeasure assistance method, and cyber attack countermeasure assistance program Download PDF

Info

Publication number
WO2024079972A1
WO2024079972A1 PCT/JP2023/029177 JP2023029177W WO2024079972A1 WO 2024079972 A1 WO2024079972 A1 WO 2024079972A1 JP 2023029177 W JP2023029177 W JP 2023029177W WO 2024079972 A1 WO2024079972 A1 WO 2024079972A1
Authority
WO
WIPO (PCT)
Prior art keywords
countermeasure
defender
attack
attacker
cyber
Prior art date
Application number
PCT/JP2023/029177
Other languages
French (fr)
Japanese (ja)
Inventor
大輔 辻
英光 納谷
浩通 遠藤
悠 田村
イェンス デーンホフ
倫宏 重本
Original Assignee
株式会社日立製作所
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 株式会社日立製作所 filed Critical 株式会社日立製作所
Publication of WO2024079972A1 publication Critical patent/WO2024079972A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • the present invention relates to technology that helps respond to cyber attacks in systems that include information devices.
  • industrial control systems are composed of highly reliable information devices specialized for specific control processes, including PLCs (Programmable Logic Controllers) and HMIs (Human Machine Interfaces).
  • Industrial control systems play an important role in monitoring and controlling social infrastructure such as electricity, railways, water, and gas, as well as production facilities such as factories and plants. For this reason, it is important for industrial control systems to continue to operate stably (availability) even when abnormal situations occur.
  • an effective way to improve an organization's response capabilities is to deploy both an attacker group, consisting of experts who imitate attackers and launch attacks, and a defender group, consisting of experts (including the organization's security personnel) who thwart attacks, and to improve the defender group's decision-making and response capabilities through practical exercises involving both groups.
  • the attacker group repeat practical exercises, imitating attacker profiles consisting of multiple attack objectives and attack methods, based on actual APT attack cases.
  • the defender group can also change its defender profile, consisting of defensive objectives and defensive methods, depending on the situation, and repeat training under different conditions.
  • the attacker group is called the red team and the defender group is called the blue team, and strengthening the organizational structure for responding to cyber attacks through joint practical exercises by both teams is sometimes called purple teaming.
  • Patent Document 1 discloses a technology that, when a cyber attack is detected, presents the most appropriate countermeasure from among multiple predefined countermeasure templates, taking into account the impact of the countermeasure on the system's business.
  • Patent Document 1 when a cyber attack is detected, it is possible to automate support for decision-making and response measures from the perspective of a defender group when a cyber attack occurs. However, since the response is from the defender's perspective, it is not necessarily an appropriate response, and it is not possible to present countermeasures that anticipate the actions of an attacker.
  • the present invention was developed in consideration of the above circumstances, and its purpose is to provide technology that makes it possible to design appropriate countermeasures against cyber attacks.
  • one aspect of the cyber attack response support system is a cyber attack response support system that designs countermeasures against cyber attacks on a specified target system, and includes a storage unit that stores one or more attacker profiles including the attack objectives and attack methods of an attacker who carries out a cyber attack, and one or more defender profiles including the defense objectives and defense methods of a defender who defends against the cyber attack, and a countermeasure design unit that reproduces the state of the target system and designs countermeasures for each combination of the attacker profile and the defender profile using a system model that reproduces the state of the target system and outputs index values of one or more indexes that indicate the performance of the target system corresponding to the state of the target system.
  • the present invention makes it possible to design appropriate countermeasures against cyber attacks.
  • FIG. 1 is a functional block diagram of a cyber-attack response support system according to the first embodiment.
  • FIG. 2 is a diagram illustrating a system model according to the first embodiment.
  • FIG. 3 is a diagram illustrating a time series transition of production volume according to the first embodiment.
  • FIG. 4 is a diagram showing the configuration of an attacker profile according to the first embodiment.
  • FIG. 5 is a diagram showing the configuration of a defender profile according to the first embodiment.
  • FIG. 6 is a flowchart of a countermeasure design process according to the first embodiment.
  • FIG. 7 is a diagram showing a system configuration of a system model that reflects anomaly detection information according to the first embodiment.
  • FIG. 8 is a diagram for explaining prediction of an attacker's behavior with respect to the system model according to the first embodiment.
  • FIG. 1 is a functional block diagram of a cyber-attack response support system according to the first embodiment.
  • FIG. 2 is a diagram illustrating a system model according to the first embodiment.
  • FIG. 3
  • FIG. 9 is a diagram illustrating a prediction of a defender's behavior with respect to a system model according to the first embodiment.
  • FIG. 10 is a configuration diagram of a list of countermeasures according to the first embodiment.
  • FIG. 11 is a configuration diagram of statistical information of countermeasures according to the first embodiment.
  • FIG. 12 is a configuration diagram of information indicating the relationship between the observed attacker behavior and the match with the attacker profile according to the first embodiment.
  • FIG. 13 is a functional block diagram of a cyber-attack response support system according to the second embodiment.
  • FIG. 14 is a diagram showing the configuration of an output table of countermeasures according to the second embodiment.
  • FIG. 15 is a functional block diagram of a cyber-attack response support system according to the third embodiment.
  • FIG. 16 is a diagram illustrating a defender model according to the third embodiment.
  • FIG. 17 is a flowchart of the defender model generation process according to the third embodiment.
  • FIG. 1 is a functional block diagram of a cyber-attack response support system according to the first embodiment.
  • the cyber-attack response support system 1000 includes a cyber-attack response support device 10, an anomaly detection system 11, an input/output device 12, and an industrial control system 13.
  • the cyber-attack response support device 10 is configured, for example, as a computer equipped with a processor, memory, storage device, etc., and has a processing unit 110 and a storage unit 120.
  • the processing unit 110 is a functional unit that is realized by the processor executing a program (cyber-attack response support program) deployed in memory.
  • the processing unit 110 includes a countermeasure design unit 111, a countermeasure selection unit 112 as an example of a reception unit and display unit, and a countermeasure execution unit 113.
  • the memory unit 120 is composed of a storage device that stores data.
  • the storage device is, for example, a memory such as a RAM (Random Access Memory), a HDD (Hard Disk Drive), or an SSD (Solid State Drive).
  • the memory unit 120 may be constructed using an external storage medium such as an HDD or SSD that is independent of the cyber attack response support device 10.
  • the memory unit 120 stores a system model 121, one or more attacker profiles 122, and one or more defender profiles 123.
  • the anomaly detection system 11 is a system that detects anomalies in the industrial control system 13 (target system) and is composed of a Network-based Intrusion Detection System (NIDS), which detects signs of attack by monitoring network communications in real time, and a Host-based Intrusion Detection System (HIDS), which detects signs of attack using software running within a computer.
  • NIDS Network-based Intrusion Detection System
  • HIDS Host-based Intrusion Detection System
  • the input/output device 12 is a device that allows the user to interactively input and output data to the cyber-attack response support device 10, and is composed of a keyboard, mouse, display, etc.
  • the industrial control system 13 includes a plurality of information devices 130, a robot (not shown) controlled by the information devices 130, etc.
  • the plurality of information devices 130 includes computer devices such as PLCs and HMIs, and network devices such as switches and firewalls that connect and disconnect the network between the computer devices.
  • processing unit 110 and memory unit 120 will be described in detail.
  • the countermeasure design unit 111 When the countermeasure design unit 111 receives anomaly detection information of the target system transmitted from the anomaly detection system 11, it starts its operation, reads the system model 121, the attacker profile 122, and the defender profile 123 from the storage unit 120, and executes a process of designing countermeasures in the industrial control system 13.
  • the countermeasure selection unit 112 displays information on the designed countermeasures (countermeasure information) on the input/output device 12, and accepts designation of the countermeasure to be applied from the user via the input/output device 12.
  • the countermeasure execution unit 113 performs a process of applying the countermeasure accepted by the countermeasure selection unit 112 to the industrial control system 13 and executing it.
  • the system model 121 is a model that includes configuration information of information devices in the target system and can reproduce the target system by being executed by the processing unit 110.
  • the system model 121 also has a calculation function that quantifies the performance of the target system with one or more types of indexes depending on the state of the information devices.
  • the configuration information includes, for example, the hardware, software, vulnerability information, logical configuration, physical configuration, and dependency information between information devices for the information devices to operate normally, of the information devices.
  • the configuration information also has attributes for expressing the state of the information devices, and it is possible to reflect anomaly detection information detected by the anomaly detection system 11 in the information devices.
  • FIG. 2 is a diagram illustrating the system model according to the first embodiment.
  • system model 121 When status information 21 of information equipment 130 is input, system model 121 (strictly speaking, processing unit 110 using system model 121) outputs performance 23 of the target system quantified by one or more types of indexes.
  • status information 21 indicates that information equipment with identification name PLC1 is in normal operation, information equipment with identification name PLC2 is in DoS (Denial of Service) state, and information equipment with identification name HMI is in a state where the equipment operation mode has been changed.
  • system model 121 outputs, for example, an index representing the performance of the target system and its value, such as production volume of 50%, confidentiality protection rate of 20%, and safety risk avoidance rate of 80%.
  • safety risk avoidance rate indicates the percentage of avoidance of a state that poses a risk in terms of safety.
  • the system model 121 may, for example, calculate the percentage of information devices in a normal operating state as the production volume. For example, if 100 information devices are operating in the target system and 50 of the information devices are in a normal operating state, the production volume may be calculated as 50%. In this example, the system model 121 calculates a unique production volume based only on the state information 21 of the information devices at a certain time, regardless of the time series transition of the state of the information devices. Note that this is not limited to this, and for example, the production volume may be calculated taking into account the history effect regarding the time series transition of the state of the information devices.
  • FIG. 3 is a diagram illustrating the time series transition of production volume according to the first embodiment.
  • the horizontal axis represents time
  • the vertical axis represents production volume.
  • all information devices are in a normal operating state from time 0 to t1
  • half of the information devices are in a normal operating state from time t1 to t2
  • all information devices are in a normal operating state from time t2 onwards.
  • the production volume is 100% until time t1
  • the production volume is a continuously decreasing value from time t1 to t2
  • the production volume is a continuously recovering value from time t2 onwards.
  • a confidentiality protection score may be set for each information device 130 in the industrial control system 13, and the ratio of the total scores of information devices 130 for which confidentiality protection is ensured to the total scores of all information devices 130 may be calculated.
  • a score for safety risk may be set for each information device 130 in the industrial control system 13, and the ratio of the total score of the information devices 130 for which safety risk has been avoided to the total score of all the information devices 130 may be calculated.
  • the calculations performed by the calculation function of the system model 121 are not limited to the above examples, and can be anything that can input information 21 about the status of the information device and output performance 23 of the target system quantified using one or more types of indices, and a different index may be used to calculate a certain index.
  • FIG. 4 is a diagram showing the configuration of an attacker profile according to the first embodiment.
  • the attacker profile 122 is information that defines the type of attacker that is assumed.
  • the attacker profile 122 is stored in the memory unit 120.
  • the memory unit 120 stores multiple (Ni) patterns of attacker profiles 122.
  • the attacker profile 122 includes an identifier, an identification name, an attack purpose, and an attack method.
  • the attacker profile 122 may also include identification information of an APT group that has a similar attack purpose and attack method.
  • the identifier information capable of uniquely identifying the attacker profile 122 is defined. For example, an integer value from 1 to Ni is assigned as the identifier.
  • the identification name a name that identifies the attacker profile 122 is defined. Note that in this embodiment, the identification name is also capable of uniquely identifying the attacker profile 122.
  • Attack methods are defined as specific attack methods that attackers can use, such as DoS and changing control parameters.
  • the attack objective defines the percentage (target value) of one or more indicators (attack objective indicators) that are considered important when carrying out an attack. This means that the attacker aims to maximize the change in this indicator.
  • the attack objective is defined as "production volume (100%)", which means that the attack objective aims only to affect production volume. This means that the attacker of attacker profile 122-1 does not aim to affect other indicators such as confidentiality protection rate or safety risk avoidance rate.
  • attack objective is defined as "production volume (30%), confidentiality protection rate (40%), safety risk avoidance rate (30%)," which means that the objective is to affect production volume, confidentiality protection rate, and safety risk avoidance rate in a ratio of 3:4:3.
  • the cumulative amount represented by the area of the shaded area in the figure can be used as the impact on the production volume, or the maximum instantaneous change can be used.
  • the influence of production volume, confidentiality protection rate, and safety risk aversion rate will be represented as X, Y, and Z.
  • the objective is to maximize 1X
  • the objective is to maximize 0.3X + 0.4Y + 0.3Z.
  • FIG. 5 is a diagram showing the configuration of a defender profile according to the first embodiment.
  • the defender profile 123 is information that defines the type of defender that is assumed.
  • the defender profile 123 is stored in the memory unit 120.
  • the memory unit 120 stores multiple (Nj) patterns of defender profiles 123.
  • the defender profile 123 includes an identifier, an identification name, a defense purpose, and a defense method.
  • the identifier information capable of uniquely identifying the defender profile 123 is defined. For example, an integer value from 1 to Nj is assigned as the identifier.
  • the identification name a name that identifies the defender profile 123 is defined. Note that in this embodiment, the identification name is also capable of uniquely identifying the defender profile 123.
  • Defensive methods define specific defensive techniques that defenders can use, such as changing the operating mode of a device or shutting down the device.
  • the defense objective defines the ratio (target value) of one or more indicators (defense objective indicators) that are considered important when implementing defense. This means that the defender aims to minimize the change in this indicator. For example, in the defender profile 123-1, whose identification name is safety risk avoidance rate specialization, the defense objective is defined as "safety risk avoidance rate (100%)", and therefore the defender of the defender profile 123-1 aims to minimize 1Z.
  • the defense objectives are defined as "production volume (10%), confidentiality protection rate (70%), safety risk avoidance rate (20%)" and the objective is to minimize 0.1X + 0.7Y + 0.2Z.
  • the attack purpose of the attacker profile 122 and the defense purpose of the defender profile 123 are the same, it means that they are trying to achieve completely opposite goals. Note that it is not necessary for the attack purpose of the attacker profile 122 and the defense purpose of the defender profile 123 to be the same.
  • FIG. 6 is a flowchart of the countermeasure design process according to the first embodiment.
  • the countermeasure design process is executed when the countermeasure design unit 111 of the cyber-attack countermeasure support device 10 receives anomaly detection information about the target system (industrial control system 13) from the anomaly detection system 11.
  • the countermeasure design unit 111 reads the system model 121 from the memory unit 120 and reflects the state corresponding to the received abnormality detection information in the system model 121 (S61).
  • FIG. 7 is a diagram showing the system configuration of a system model that reflects anomaly detection information according to the first embodiment.
  • the industrial control system 13 includes, as information devices 130, a monitoring terminal connected via a network, control server 1, control server 2, PLC 1, PLC 2, and an HMI, and the anomaly detection information includes information that an abnormal intrusion has been detected in the monitoring terminal.
  • step S61 as shown in FIG. 7, in the system model 121, the attribute representing the state of the monitoring terminal is set to "unauthorized intrusion.”
  • the countermeasure design unit 111 defines integer variables i and j and sets their values to 1 (S62).
  • the countermeasure design unit 111 reads the attacker profile 122 with identifier i and the defender profile 123 with identifier j from the storage unit 120 (S63).
  • the countermeasure design unit 111 uses the system model 121 to predict the behavior of the attacker based on the loaded attacker profile 122. Note that the attacker's behavior changes depending on the loaded attacker profile 122 because the attacker's purpose and attack method differ.
  • FIG. 8 is a diagram illustrating the prediction of an attacker's behavior against the system model according to the first embodiment.
  • the attacker's behavior predicted from the production volume-specialized attacker profile 122-1 is that an attacker who has illegally intruded into a monitoring terminal will then attack the control server 1 using a "control parameter change” attack method, and finally attack the PLC 1 using a "DoS” attack method.
  • the attack method is selected from the attack methods defined in the attacker profile 122-1.
  • the attacker's behavior is derived so as to maximize the impact on the target system, represented by 1X, which corresponds to the purpose of the attack.
  • the attacker's behavior predicted from the balanced attacker profile 122-2 is, for example, that an attacker who has illegally invaded a monitoring terminal will then attack the control server 2 using the "control tag information collection” attack method, and finally attack the HMI using the "alarm setting change” attack method.
  • This attacker's behavior is derived so as to maximize the impact on the target system, which is represented by 0.3X + 0.4Y + 0.3Z, which corresponds to the purpose of the attack.
  • the countermeasure design unit 111 uses the system model 121 to derive optimal countermeasures based on the attacker's behavior and the defender profile 123 (S63).
  • FIG. 9 is a diagram illustrating the prediction of the defender's behavior for the system model according to the first embodiment.
  • the behavior of the defender predicted from the safety risk aversion rate specialized defender profile 123-1 is derived to be the optimal countermeasure for defending against PLC1 using the defense method of "stopping equipment.”
  • the defense method is selected from among the defense methods in the defender profile 123-1.
  • the behavior of this defender is derived to minimize the impact on the target system represented by 1Z, which corresponds to the defense objective.
  • the behavior of the defender predicted from the confidentiality protection rate-oriented defender profile 123-2 is derived to be, for example, the optimal countermeasure for defending against the control server 1 using the defense method of "changing access control settings.”
  • This defender's behavior is derived to minimize the impact on the target system, which is represented by 0.1X + 0.7Y + 0.2Z, which corresponds to the defense objective.
  • the countermeasure design unit 111 compares the variable i with Ni and determines whether the variable i is less than Ni (S66). As a result, if the variable i is less than Ni (S66: Y), this means that countermeasures have not been derived for all attacker profiles 122 for one defender profile 123, so the countermeasure design unit 111 adds 1 to the variable i (S67) and proceeds to step S63.
  • step S68 the countermeasure design unit 111 compares the variable j with Nj and determines whether the variable j is less than Nj. As a result, if the variable j is less than Nj (S68: Y), this means that countermeasures have not been derived for all attacker profiles 122 for all defender profiles 123, so the countermeasure design unit 111 sets the variable i to 1, adds 1 to the variable j (S69), and proceeds to step S63.
  • the countermeasure design unit 111 outputs the derived countermeasures of the Ni ⁇ Nj pattern to the countermeasure selection unit 112 and ends the process.
  • This countermeasure design process allows a joint practical exercise between an attacker group and a defender group, which would be difficult to implement in an actual industrial control system 13, to be virtually carried out using the system model 121 with Ni x Nj patterns, and allows the deriving of countermeasures for each.
  • the countermeasure selection unit 112 displays on the input/output device 12 a list 100 (see FIG. 10) of countermeasures for the Ni ⁇ Nj pattern designed and output by the countermeasure design unit 111, and accepts from the user a selection of the countermeasure to be actually applied to the industrial control system 13. The user can compare the countermeasures by referring to the list displayed on the input/output device 12 connected to the countermeasure selection unit 112, and select the optimal countermeasure.
  • FIG. 10 is a diagram showing a list of countermeasures according to the first embodiment.
  • List 100 is a table that displays countermeasures for Ni ⁇ Nj patterns, and includes entries corresponding to each countermeasure for the Ni ⁇ Nj patterns.
  • the entries in list 100 include fields for countermeasure 101, defender profile 102, attacker profile 103, and performance 104.
  • countermeasure 101 the countermeasure corresponding to the entry is displayed.
  • the content of the countermeasure is written before the symbol @, and the identification name of the information device 130 for which the countermeasure is to be taken is written after the symbol @.
  • the defender profile 102 displays information (e.g., an identification name) that can identify the defender profile 123 from which the countermeasure corresponding to the entry was derived.
  • information e.g., an identification name
  • details of the defender profile 123 are displayed as shown in FIG. 5.
  • the attacker profile 103 displays information (e.g., an identification name) that can identify the attacker profile 122 from which the countermeasure corresponding to the entry has been derived.
  • information e.g., an identification name
  • details of the attacker profile 122 are displayed as shown in FIG. 4.
  • Performance 104 displays index values for one or more indicators that indicate performance.
  • Performance 104 includes fields such as production volume 104A, confidentiality protection rate 104B, and safety risk avoidance rate 104C.
  • Production volume 104A displays the production volume when the countermeasure corresponding to the entry is implemented.
  • Confidentiality protection rate 104B displays the confidentiality protection rate when the countermeasure corresponding to the entry is implemented.
  • Safety risk avoidance rate 104C displays the safety risk avoidance rate when the countermeasure corresponding to the entry is implemented.
  • the user can select the countermeasure to be actually applied to the industrial control system 13 from the list 100 via the input/output device 12, taking into consideration the assumed type of attacker, management priority, impact on the target system, etc.
  • the correspondence between the countermeasure and the cost and speed required to apply the countermeasure may be stored in the storage unit 120, and the countermeasure selection unit 112 may display the cost and speed required to apply the countermeasure in the list 100 in association with the countermeasure.
  • the countermeasure selection unit 112 displays statistical information regarding the derived countermeasures.
  • FIG. 11 is a configuration diagram of statistical information on countermeasures in the first embodiment.
  • the statistical information is, for example, information regarding the percentage of overlap between each countermeasure among all countermeasures.
  • the overlap rate of each countermeasure is represented by a pie chart. This statistical information makes it easy to identify countermeasures with a high overlap rate, i.e., countermeasures that are considered to be recommended.
  • the countermeasure execution unit 113 controls the application of the countermeasure selected by the user to the information device 130. Specifically, the countermeasure execution unit 113 transmits a communication command to cause the information device 130 to execute the countermeasure.
  • the countermeasure selection unit 112 may continuously observe the anomaly detection information received from the anomaly detection system 11 and display information on the degree of match between the actually observed attacker behavior and the attacker profile.
  • FIG. 12 is a diagram showing the structure of information indicating the relationship between observed attacker behavior and a match with an attacker profile in the first embodiment.
  • FIG. 13 is a functional block diagram of the cyber-attack response support system according to the second embodiment. Note that in the cyber-attack response support system 1100 according to the second embodiment, components similar to those in the cyber-attack response support system 1000 according to the first embodiment are designated by the same reference numerals.
  • the cyber attack response support system 1100 includes a new impact reassessment unit 114 in the processing unit 110.
  • the impact re-evaluation unit 114 starts operation based on a request from the countermeasure selection unit 112, reads the system model 121 and the attacker profile 122 and defender profile 123 corresponding to the selected countermeasure from the storage unit 120, and performs processing to evaluate the performance of the industrial control system 13.
  • the countermeasure selection unit 112 can accept multiple countermeasures from the user. When multiple countermeasures are accepted, the countermeasure selection unit 112 requests the impact reassessment unit 114 to instruct it to evaluate the impact on the target system when multiple countermeasures are executed simultaneously, and displays the evaluation results from the impact reassessment unit 114 as an output table 1400 (see FIG. 14).
  • the processing operations up to outputting the list 100 of countermeasures for Ni ⁇ Nj patterns in the cyber-attack response support system 1100 are the same as those in the cyber-attack response support system 1000 of the first embodiment.
  • the countermeasure selection unit 112 requests the impact reassessment unit 114 to evaluate the impact on the target system when the selected countermeasures are executed simultaneously.
  • the impact re-evaluation unit 114 When the impact re-evaluation unit 114 receives a request from the countermeasure selection unit 112, it reads the system model 121 and the attacker profile 122 and defender profile 123 corresponding to the selected countermeasures from the storage unit 120, and updates the state of the information device 130 in the system model 121 to a state corresponding to the selected countermeasures. Next, the impact re-evaluation unit 114 uses the calculation function of the system model 121 to quantify the performance of the target system using one or more indicators, and returns the result to the countermeasure selection unit 112.
  • the countermeasure selection unit 112 creates an output table 1400 based on the results from the impact reevaluation unit 114, and displays the output table 1400 on the input/output device 12. The user can refer to this output table 1400 to determine whether or not it is acceptable to apply multiple countermeasures simultaneously.
  • FIG. 14 is a diagram showing the configuration of an output table for countermeasures according to the second embodiment.
  • Output table 1400 is a table that displays information about the impact when multiple selected countermeasures are executed simultaneously.
  • Output table 1400 includes fields for countermeasure 1401, defender profile 1402, attacker profile 1403, and performance 1404.
  • the countermeasures 1401 displays multiple selected countermeasures.
  • the countermeasures are "Stop device @PLC1" and "Change device operation mode @HMI.”
  • the defender profile 1402 displays information (e.g., an identification name) that can identify the defender profile 123 from which each countermeasure was derived.
  • the attacker profile 1403 displays information (e.g., an identification name) that can identify the attacker profile 122 from which each countermeasure was derived.
  • Performance 1404 displays index values for one or more indicators that indicate the performance of the target system when multiple countermeasures are implemented simultaneously.
  • Performance 1404 includes fields such as production volume 1404A, confidentiality protection rate 1404B, and safety risk avoidance rate 1404C.
  • Production volume 1404A displays the production volume when multiple countermeasures are implemented.
  • Confidentiality protection rate 1404B displays the confidentiality protection rate when multiple countermeasures are implemented.
  • Safety risk avoidance rate 1404C displays the safety risk avoidance rate when multiple countermeasures are implemented.
  • the user can refer to the output table 1400 to determine whether or not to execute multiple countermeasures simultaneously.
  • the countermeasure selection unit 112 receives an instruction from the user to execute multiple countermeasures, it notifies the countermeasure execution unit 113 of this, and the countermeasure execution unit 113 controls the application of the notified multiple countermeasures to the information device 130.
  • FIG. 15 is a functional block diagram of a cyber-attack response support system according to the third embodiment. Note that in the cyber-attack response support system 1200 according to the third embodiment, components similar to those in the cyber-attack response support system 1000 according to the first embodiment are designated by the same reference numerals.
  • the cyber-attack response support system 1200 is equipped with a new defender model generation unit 115 in the processing unit 110, some of the processing operations of the countermeasure design unit 116 are changed, and a new defender model 124 is stored in the memory unit 120.
  • the anomaly detection system 11 when the anomaly detection system 11 detects an anomaly, it predicts the attacker's behavior based on the attacker profile, and then derives the defender's behavior, including the optimal countermeasure, based on the defender profile.
  • the anomaly detection system 11 when the anomaly detection system 11 detects an anomaly in the target system, it derives the optimal countermeasure without taking the step of predicting the attacker's behavior.
  • the defender model generation unit 115 reads the system model 121, attacker profile 122, and defender profile 123, and generates a defender model 124 that can input a system model that reflects the anomaly detection information of the anomaly detection system 11 and output countermeasures.
  • the process of generating the defender model 124 by the defender model generation unit 115 (defender model generation process: see Figure 17) is executed at a stage before the anomaly detection system 11 detects an anomaly.
  • One possible method of generating the defender model 124 is to utilize multi-agent reinforcement learning. When utilizing multi-agent reinforcement learning, the defender model generation unit 115 learns the defender model 124, and the countermeasure design unit 111 executes the defender model.
  • FIG. 16 is a diagram explaining the defender model according to the third embodiment.
  • the defender model 124 has a calculation function that inputs a system model 1601 that reflects the anomaly detection information of the anomaly detection system 11, for example, a system model 1601 that is represented by the state of the information devices 130 that make up the target system, and outputs an optimal countermeasure 1603 for the state of the information devices that make up the target system.
  • FIG. 17 is a flowchart of the defender model generation process according to the third embodiment.
  • FIG. 17 shows the defender model generation process that generates a defender model using multi-agent reinforcement learning.
  • the defender model generation unit 115 sets variables i and j to 1 (S1701). Next, the defender model generation unit 115 reads the system model 121, the attacker profile 122 of identifier i, and the defender profile 123 of identifier j from the storage unit 120 (S1702).
  • the defender model generation unit 115 learns optimal behavior by operating an agent simulating an attacker (attacker agent) and an agent simulating a defender (defender agent) in the system model 121 as an environment (S1703).
  • the actions that the attacker agent can execute are defined by the attacking methods in the attacker profile 122, and the reward that the attacker agent receives is determined by the attack objective in the attacker profile 122.
  • the reward that the attacker agent receives is determined according to the amount of change in the indicator defined in the attack objective.
  • an attacker agent generated based on the attacker profile 122-2 may receive a reward that increases with an increase in 0.3X + 0.4Y + 0.3Z.
  • the actions that the defender agent can execute are stipulated by the defense methods of the defender profile 123, and the reward that the defender agent receives is determined by the defense objectives of the defender profile 123.
  • the reward that the defender agent receives is determined according to the amount of change in the indicators defined in the defense objectives.
  • a defender agent generated based on the defender profile 123-2, whose identification name in FIG. 5 is confidentiality protection rate-oriented may receive a reward that increases with a decrease in 0.1X + 0.7Y + 0.2Z.
  • the defender model generation unit 115 stores the defender agent that has completed the multi-agent reinforcement learning and is capable of outputting optimal behavior according to the state of the information device in the system model 121 in the storage unit 120 as the defender model 124 (S1704).
  • the defender model generation unit 115 compares the variable i with Ni and determines whether the variable i is greater than Ni (S1705). As a result, if the variable i is not greater than Ni (S1705: N), this means that a defender model has not been created by performing multi-agent reinforcement learning on all attacker profiles 122 for one defender profile 123, so the defender model generation unit 115 adds 1 to the variable i (S1706) and proceeds to step S1702.
  • variable i is greater than Ni (S1705: Y)
  • step S1707 the defender model generation unit 115 compares the variable j with Nj and determines whether the variable j is greater than Nj. If the result is that the variable j is not greater than Nj (S1707: N), this means that a defender model has not been created by performing multi-agent reinforcement learning on all attacker profiles 122 for all defender profiles 123, so the defender model generation unit 115 sets the variable i to 1 and adds 1 to the variable j (S1708), and proceeds to step S1702.
  • variable j is greater than Nj (S1707: Y)
  • the countermeasure design process is executed by activating the countermeasure design unit 116 when the cyber-attack response support device 10 receives anomaly detection information about the target system (industrial control system 13) from the anomaly detection system 11.
  • the countermeasure design unit 116 reads the system model 121 and the defender model 124 from the storage unit 120, reflects the state corresponding to the received abnormality detection information in the system model 121, inputs the state of the information device in the system model 121 reflecting the abnormality detection information to each of the defender models 124 of the Ni ⁇ Nj pattern, calculates countermeasures of the Ni ⁇ Nj pattern using each defender model 124, and outputs the calculated countermeasures of the Ni ⁇ Nj pattern to the countermeasure selection unit 112.
  • this countermeasure design process a joint practical exercise between an attacker group and a defender group, which is difficult to implement in an actual industrial control system 13, can be virtually implemented using the system model 121 to derive each countermeasure.
  • the processes executed by the countermeasure selection unit 112 and the countermeasure execution unit 113 thereafter are similar to those of the cyber attack response support system 1000 according to the first embodiment.
  • the cyber attack response support system 1200 of this embodiment after the anomaly detection system 11 detects an anomaly, there is no need to take the step of predicting the attacker's behavior, and countermeasures can be derived using the Ni x Nj pattern defender model 124 that has been generated in advance for each combination of the attacker profile and the defender profile. Therefore, when a cyber attack occurs, countermeasures can be quickly presented to the user.
  • an industrial control system 13 is the target, but the present invention is not limited to this and can be applied to general information systems.
  • the anomaly detection system 11 is provided outside the industrial control system 13, but the present invention is not limited to this, and the anomaly detection system 11 may be provided within the industrial control system 13.
  • the processing performed by the processor may be performed by a hardware circuit.
  • the program in the above embodiment may be installed from a program source.
  • the program source may be a program distribution server or a recording medium (e.g., a portable recording medium).
  • 10...cyber attack response support device 11...anomaly detection system, 12...input/output device, 13...industrial control system, 110...processing unit, 111, 116...countermeasure design unit, 112...countermeasure selection unit, 113...countermeasure execution unit, 114...impact reevaluation unit, 115...defender model generation unit 120...storage unit, 121...system model, 122...attacker profile, 123...defender profile, 124...defender model, 1000, 1100, 1200...cyber attack response support system

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer And Data Communications (AREA)
  • Stored Programmes (AREA)

Abstract

In the present invention, an appropriate countermeasure against a cyber attack can be designed. A cyber attack countermeasure assistance system 1000 for designing a countermeasure against a cyber attack on a prescribed object system comprises: a storage unit 120 for storing one or more attacker profiles 122 which include an objective of attack and an attack technique of an attacker who carries out a cyber attack, and one or more defender profiles 123 which include an objective of defense and a defense technique of a defender who carries out a defense against a cyber attack; and a countermeasure design unit 111 for designing a countermeasure against respective combinations between the attacker profiles 122 and the defender profiles 123, by using a system model 121 for reproducing the state of the object system and outputting an index value of one or more indexes which indicate performance of the object system and corresponding to the state of the object system.

Description

サイバー攻撃対処支援システム、サイバー攻撃対処支援方法、及びサイバー攻撃対処支援プログラムCyber attack response support system, cyber attack response support method, and cyber attack response support program
 本発明は、情報機器を含むシステムにおけるサイバー攻撃に対する対処を支援する技術に関する。 The present invention relates to technology that helps respond to cyber attacks in systems that include information devices.
 例えば、産業分野におけるコンピュータシステム(産業制御システム)は、PLC(Programable Logic Controller)やHMI(Human Machine Interface)を始めとして、特定の制御処理に特化した高信頼性の情報機器で構成される。産業制御システムは、電力・鉄道・水道・ガスなどの社会インフラや、工場・プラントなどの生産設備を監視・制御する重要な役割を果たす。そのため、産業制御システムにおいては、異常事態が発生した際でも、システムを安定して稼働し続けること(可用性)が重要視される。 For example, computer systems in the industrial field (industrial control systems) are composed of highly reliable information devices specialized for specific control processes, including PLCs (Programmable Logic Controllers) and HMIs (Human Machine Interfaces). Industrial control systems play an important role in monitoring and controlling social infrastructure such as electricity, railways, water, and gas, as well as production facilities such as factories and plants. For this reason, it is important for industrial control systems to continue to operate stably (availability) even when abnormal situations occur.
 産業制御システムは、従来は外部から隔離された環境で運用することが一般的であったが、近年ではIoT(Internet of Things)技術の進歩に伴い、システムをインターネット等の外部ネットワークに接続するケースが増加している。外部ネットワークとの接続により生産性や利便性が向上した一方、サイバー攻撃のリスクも大幅に増加した。産業制御システムは、稼働停止に陥った際に社会に与える影響が甚大であるため、標的を明確に定めて高度な攻撃を継続的に行うAPT(Advanced Persistent Threat)攻撃の対象となり得る。被害を最小化するために十分なセキュリティ対策を実施することはで必須であるが、APT攻撃はゼロデイ攻撃を伴うケースも少なくなく、攻撃の発生リスクを完全に取り除くことは困難である。そのため、仮に攻撃を受けたとしても、システムへの影響を最小限に留める対処策を迅速に講じられる組織体制を整えることも、セキュリティリスクの低減には重要である。 In the past, industrial control systems were generally operated in an environment isolated from the outside world. However, in recent years, with the advancement of IoT (Internet of Things) technology, there have been an increasing number of cases where systems are connected to external networks such as the Internet. While connecting to external networks has improved productivity and convenience, it has also significantly increased the risk of cyber attacks. Since industrial control systems have a significant impact on society when they stop operating, they can become the target of Advanced Persistent Threat (APT) attacks, which are highly advanced attacks that are clearly targeted and carried out continuously. It is essential to implement sufficient security measures to minimize damage, but APT attacks often involve zero-day attacks, making it difficult to completely eliminate the risk of attacks occurring. Therefore, in order to reduce security risks, it is also important to establish an organizational structure that can quickly take measures to minimize the impact on the system even if an attack occurs.
 一般的な情報システムにおいては、組織の対処能力を向上させるためには、攻撃者を模倣して攻撃を仕掛ける専門家で構成される攻撃者グループと、攻撃を阻止する専門家(組織のセキュリティ担当者を含む)で構成される防御者グループとの両方を配備し、両グループ混合の実践演習を通して防御者グループの意思決定・対処実施に関する能力を向上することが有効手段として挙げられる。攻撃者グループは、実際に発生したAPT攻撃事例を参考に、複数の攻撃目的と攻撃手法からなる攻撃者プロファイルを模倣して、実践演習を繰り返すことが推奨される。防御者グループも、防御目的と防御手法からなる防御者プロファイルを状況に応じて変更し、異なる条件下でのトレーニングを繰り返すことも考えられる。サイバーセキュリティ分野においては、攻撃者グループはレッドチームと呼ばれ、防御者グループはブルーチームと呼ばれ、両チーム合同の実践演習を通してサイバー攻撃に対処するための組織体制を強化することはパープルチーミングと呼ばれることもある。 In a general information system, an effective way to improve an organization's response capabilities is to deploy both an attacker group, consisting of experts who imitate attackers and launch attacks, and a defender group, consisting of experts (including the organization's security personnel) who thwart attacks, and to improve the defender group's decision-making and response capabilities through practical exercises involving both groups. It is recommended that the attacker group repeat practical exercises, imitating attacker profiles consisting of multiple attack objectives and attack methods, based on actual APT attack cases. The defender group can also change its defender profile, consisting of defensive objectives and defensive methods, depending on the situation, and repeat training under different conditions. In the cybersecurity field, the attacker group is called the red team and the defender group is called the blue team, and strengthening the organizational structure for responding to cyber attacks through joint practical exercises by both teams is sometimes called purple teaming.
 しかしながら、産業制御システムにおいては、一般的な情報システムとは異なり、可用性が重要視されるため、可用性に影響を及ぼしかねない実践演習を実システムで行うことが許可されないことが多い。また、産業制御システムでは、高度なセキュリティ知識のみならず、可用性が重要視される特殊なシステム運用まで考慮に入れた対処策の考案が要求されるため、専門家が不足している。これらの理由から、防御者グループのトレーニングが不足し、サイバー攻撃発生時の意思決定・対処実施が遅れ、結果として被害の拡大につながりかねない。 However, unlike general information systems, availability is considered important in industrial control systems, so practical training that may affect availability is often not permitted to be performed on the actual system. In addition, industrial control systems require not only advanced security knowledge, but also the devising of countermeasures that take into account special system operations where availability is important, so there is a shortage of experts. For these reasons, defender groups lack training, which can lead to delays in decision-making and response when a cyber attack occurs, which can ultimately lead to the spread of damage.
 例えば、特許文献1には、サイバー攻撃を検知した際、事前に定義した複数の対処策のテンプレートの中から、対処策がシステムの事業に及ぼす影響を考慮して、最適な対処策を提示する技術が開示されている。 For example, Patent Document 1 discloses a technology that, when a cyber attack is detected, presents the most appropriate countermeasure from among multiple predefined countermeasure templates, taking into account the impact of the countermeasure on the system's business.
特開2018-137500号公報JP 2018-137500 A
 特許文献1に開示された技術を用いれば、サイバー攻撃を検知した際、防御者グループの視点でサイバー攻撃発生時の意思決定と対処実施の支援を自動化できる。しかしながら、防御者の視点からの対処であり、必ずしも適切な対処とは限らないし、攻撃者の行動を先回りした対処策を提示することもできない。 By using the technology disclosed in Patent Document 1, when a cyber attack is detected, it is possible to automate support for decision-making and response measures from the perspective of a defender group when a cyber attack occurs. However, since the response is from the defender's perspective, it is not necessarily an appropriate response, and it is not possible to present countermeasures that anticipate the actions of an attacker.
 本発明は、上記事情に鑑みなされたものであり、その目的は、サイバー攻撃に対する適切な対処を設計することのできる技術を提供することにある。 The present invention was developed in consideration of the above circumstances, and its purpose is to provide technology that makes it possible to design appropriate countermeasures against cyber attacks.
 上記目的を達成するため、一観点に係るサイバー攻撃対処支援システムは、所定の対象システムへのサイバー攻撃に対する対処策を設計するサイバー攻撃対処支援システムであって、サイバー攻撃を行う攻撃者の攻撃目的と攻撃手法とを含む、1以上の攻撃者プロファイルと、サイバー攻撃に対する防御を行う防御者の防御目的と防御手法とを含む、1以上の防御者プロファイルとを記憶する記憶部と、前記対象システムの状態を再現し、前記対象システムの状態に対応する前記対象システムの性能を示す1以上の指標の指標値を出力するシステムモデルを用いて、前記攻撃者プロファイルと前記防御者プロファイルとの組み合わせ毎に対処策を設計する対処策設計部と、を備える。 In order to achieve the above object, one aspect of the cyber attack response support system is a cyber attack response support system that designs countermeasures against cyber attacks on a specified target system, and includes a storage unit that stores one or more attacker profiles including the attack objectives and attack methods of an attacker who carries out a cyber attack, and one or more defender profiles including the defense objectives and defense methods of a defender who defends against the cyber attack, and a countermeasure design unit that reproduces the state of the target system and designs countermeasures for each combination of the attacker profile and the defender profile using a system model that reproduces the state of the target system and outputs index values of one or more indexes that indicate the performance of the target system corresponding to the state of the target system.
 本発明によれば、サイバー攻撃に対する適切な対処を設計することができる。 The present invention makes it possible to design appropriate countermeasures against cyber attacks.
図1は、第1実施形態に係るサイバー攻撃対処支援システムの機能ブロック図である。FIG. 1 is a functional block diagram of a cyber-attack response support system according to the first embodiment. 図2は、第1実施形態に係るシステムモデルを説明する図である。FIG. 2 is a diagram illustrating a system model according to the first embodiment. 図3は、第1実施形態に係る生産量の時系列推移を説明する図である。FIG. 3 is a diagram illustrating a time series transition of production volume according to the first embodiment. 図4は、第1実施形態に係る攻撃者プロファイルの構成図である。FIG. 4 is a diagram showing the configuration of an attacker profile according to the first embodiment. 図5は、第1実施形態に係る防御者プロファイルの構成図である。FIG. 5 is a diagram showing the configuration of a defender profile according to the first embodiment. 図6は、第1実施形態に係る対処策設計処理のフローチャートである。FIG. 6 is a flowchart of a countermeasure design process according to the first embodiment. 図7は、第1実施形態に係る異常検知情報を反映したシステムモデルのシステム構成を示す図である。FIG. 7 is a diagram showing a system configuration of a system model that reflects anomaly detection information according to the first embodiment. 図8は、第1実施形態に係るシステムモデルに対する攻撃者の挙動の予測を説明する図である。FIG. 8 is a diagram for explaining prediction of an attacker's behavior with respect to the system model according to the first embodiment. 図9は、第1実施形態に係るシステムモデルに対する防御者の挙動の予測を説明する図である。FIG. 9 is a diagram illustrating a prediction of a defender's behavior with respect to a system model according to the first embodiment. 図10は、第1実施形態に係る対処策の一覧表の構成図である。FIG. 10 is a configuration diagram of a list of countermeasures according to the first embodiment. 図11は、第1実施形態に係る対処策の統計情報の構成図である。FIG. 11 is a configuration diagram of statistical information of countermeasures according to the first embodiment. 図12は、第1実施形態に係る観測された攻撃者の挙動と、攻撃者プロファイルとの一致の関係を示す情報の構成図である。FIG. 12 is a configuration diagram of information indicating the relationship between the observed attacker behavior and the match with the attacker profile according to the first embodiment. 図13は、第2実施形態に係るサイバー攻撃対処支援システムの機能ブロック図である。FIG. 13 is a functional block diagram of a cyber-attack response support system according to the second embodiment. 図14は、第2実施形態に係る対処策の出力表の構成図である。FIG. 14 is a diagram showing the configuration of an output table of countermeasures according to the second embodiment. 図15は、第3実施形態に係るサイバー攻撃対処支援システムの機能ブロック図である。FIG. 15 is a functional block diagram of a cyber-attack response support system according to the third embodiment. 図16は、第3実施形態に係る防御者モデルを説明する図である。FIG. 16 is a diagram illustrating a defender model according to the third embodiment. 図17は、第3実施形態に係る防御者モデル生成処理のフローチャートである。FIG. 17 is a flowchart of the defender model generation process according to the third embodiment.
 実施形態について、図面を参照して説明する。なお、以下に説明する実施形態は特許請求の範囲に係る発明を限定するものではなく、また実施形態の中で説明されている諸要素及びその組み合わせの全てが発明の解決手段に必須であるとは限らない。 The embodiments will be described with reference to the drawings. Note that the embodiments described below do not limit the invention as claimed, and not all of the elements and combinations thereof described in the embodiments are necessarily essential to the solution of the invention.
(第1実施形態)
 図1は、第1実施形態に係るサイバー攻撃対処支援システムの機能ブロック図である。 First Embodiment
FIG. 1 is a functional block diagram of a cyber-attack response support system according to the first embodiment.
 サイバー攻撃対処支援システム1000は、サイバー攻撃対処支援装置10と、異常検知システム11と、入出力装置12と、産業制御システム13とを含む。 The cyber-attack response support system 1000 includes a cyber-attack response support device 10, an anomaly detection system 11, an input/output device 12, and an industrial control system 13.
 サイバー攻撃対処支援装置10は、例えば、プロセッサ、メモリ、記憶装置などを備えるコンピュータで構成され、処理部110と、記憶部120とを有する。 The cyber-attack response support device 10 is configured, for example, as a computer equipped with a processor, memory, storage device, etc., and has a processing unit 110 and a storage unit 120.
 処理部110は、プロセッサがメモリに展開したプログラム(サイバー攻撃対処支援プログラム)を実行することにより実現される機能部である。処理部110は、対処策設計部111と、受付部及び表示部の一例としての対処策選定部112と、対処策実行部113とを含む。 The processing unit 110 is a functional unit that is realized by the processor executing a program (cyber-attack response support program) deployed in memory. The processing unit 110 includes a countermeasure design unit 111, a countermeasure selection unit 112 as an example of a reception unit and display unit, and a countermeasure execution unit 113.
 記憶部120は、データを記憶する記憶装置により構成される。記憶装置は、例えば、RAM(Random Access Memory)等のメモリや、HDD(Hard Disk Drive)やSSD(Solid State Drive)などである。なお、記憶部120をサイバー攻撃対処支援装置10とは独立したHDDやSSD等の外部記憶媒体で構築してもよい。記憶部120は、システムモデル121と、1種以上の攻撃者プロファイル122と、1種以上の防御者プロファイル123とを格納する。 The memory unit 120 is composed of a storage device that stores data. The storage device is, for example, a memory such as a RAM (Random Access Memory), a HDD (Hard Disk Drive), or an SSD (Solid State Drive). The memory unit 120 may be constructed using an external storage medium such as an HDD or SSD that is independent of the cyber attack response support device 10. The memory unit 120 stores a system model 121, one or more attacker profiles 122, and one or more defender profiles 123.
 異常検知システム11は、産業制御システム13(対象システム)についての異常を検知するシステムであり、ネットワーク通信をリアルタイムで監視することで攻撃の兆候を検知するNIDS(Network-based Intrusion Detection System)、コンピュータ内で動作するソフトウェアを使って攻撃の兆候を検知するHIDS(Host-based Intrusion Detection System)等で構成される。異常検知システム11は、対象システムの異常を検知すると、サイバー攻撃対処支援装置10の対処策設計部111に異常の発生箇所、異常の内容等を含む異常検知情報を通知する。 The anomaly detection system 11 is a system that detects anomalies in the industrial control system 13 (target system) and is composed of a Network-based Intrusion Detection System (NIDS), which detects signs of attack by monitoring network communications in real time, and a Host-based Intrusion Detection System (HIDS), which detects signs of attack using software running within a computer. When the anomaly detection system 11 detects an anomaly in the target system, it notifies the countermeasure design unit 111 of the cyber attack response support device 10 of anomaly detection information including the location of the anomaly, the content of the anomaly, etc.
 入出力装置12は、ユーザがサイバー攻撃対処支援装置10に対してデータの入出力をインタラクティブに行うための装置であり、キーボード、マウス、ディスプレイなどから構成される。 The input/output device 12 is a device that allows the user to interactively input and output data to the cyber-attack response support device 10, and is composed of a keyboard, mouse, display, etc.
 産業制御システム13は、複数の情報機器130、情報機器130により制御されるロボット(図示せず)等を含む。複数の情報機器130には、PLCやHMIなどのコンピュータ機器や、スイッチ、ファイアウォールなどコンピュータ機器間のネットワーク接続および遮断を行うネットワーク機器が含まれる。 The industrial control system 13 includes a plurality of information devices 130, a robot (not shown) controlled by the information devices 130, etc. The plurality of information devices 130 includes computer devices such as PLCs and HMIs, and network devices such as switches and firewalls that connect and disconnect the network between the computer devices.
 次に、処理部110及び記憶部120について、詳細に説明する。 Next, the processing unit 110 and memory unit 120 will be described in detail.
 対処策設計部111は、異常検知システム11から発信された対象システムの異常検知情報を受信すると、動作を開始し、記憶部120から、システムモデル121、攻撃者プロファイル122、及び防御者プロファイル123を読み込んで、産業制御システム13における対処策を設計する処理を実行する。対処策選定部112は、設計された対処策の情報(対処策情報)を入出力装置12に表示させるとともに、入出力装置12を介してユーザから適用する対処策の指定を受け付ける。対処策実行部113は、対処策選定部112が受け付けた対処策を産業制御システム13に適用して実行させる処理を行う。 When the countermeasure design unit 111 receives anomaly detection information of the target system transmitted from the anomaly detection system 11, it starts its operation, reads the system model 121, the attacker profile 122, and the defender profile 123 from the storage unit 120, and executes a process of designing countermeasures in the industrial control system 13. The countermeasure selection unit 112 displays information on the designed countermeasures (countermeasure information) on the input/output device 12, and accepts designation of the countermeasure to be applied from the user via the input/output device 12. The countermeasure execution unit 113 performs a process of applying the countermeasure accepted by the countermeasure selection unit 112 to the industrial control system 13 and executing it.
 システムモデル121は、対象システムにおける情報機器の構成情報を含み処理部110により実行されることにより対象システムを再現することのできるモデルである。また、システムモデル121は、情報機器の状態に応じて対象システムのパフォーマンス(性能)を1種類以上の指標で数値化する演算機能を有する。ここで、構成情報は、例えば情報機器のハードウェア、ソフトウェア、脆弱性情報、論理構成、物理構成、情報機器が正常に動作するための情報機器間の依存性情報の情報等を含む。また、構成情報は、情報機器の状態を表現するための属性を有し、異常検知システム11で検知した異常検知情報を情報機器に反映することが可能である。 The system model 121 is a model that includes configuration information of information devices in the target system and can reproduce the target system by being executed by the processing unit 110. The system model 121 also has a calculation function that quantifies the performance of the target system with one or more types of indexes depending on the state of the information devices. Here, the configuration information includes, for example, the hardware, software, vulnerability information, logical configuration, physical configuration, and dependency information between information devices for the information devices to operate normally, of the information devices. The configuration information also has attributes for expressing the state of the information devices, and it is possible to reflect anomaly detection information detected by the anomaly detection system 11 in the information devices.
 次に、システムモデル121の演算機能について説明する。 Next, we will explain the calculation function of the system model 121.
 図2は、第1実施形態に係るシステムモデルを説明する図である。 FIG. 2 is a diagram illustrating the system model according to the first embodiment.
 システムモデル121(厳密には、システムモデル121を使用する処理部110)は、情報機器130の状態情報21が入力されると、1種類以上の指標で数値化された対象システムのパフォーマンス23を出力する。例えば状態情報21は、識別名がPLC1である情報機器は通常稼働の状態であり、識別名がPLC2である情報機器はDoS(Denial of Service)の状態であり、識別名がHMIである情報機器は、機器の動作モード変更の状態であることを意味する。この場合、システムモデル121は、例えば、対象システムのパフォーマンスを表す指標とその値として、生産量を50%、機密性保護率を20%、安全リスク回避率を80%と出力する。ここで、安全リスク回避率は、安全面においてリスクとなる状態を回避する割合を示している。 When status information 21 of information equipment 130 is input, system model 121 (strictly speaking, processing unit 110 using system model 121) outputs performance 23 of the target system quantified by one or more types of indexes. For example, status information 21 indicates that information equipment with identification name PLC1 is in normal operation, information equipment with identification name PLC2 is in DoS (Denial of Service) state, and information equipment with identification name HMI is in a state where the equipment operation mode has been changed. In this case, system model 121 outputs, for example, an index representing the performance of the target system and its value, such as production volume of 50%, confidentiality protection rate of 20%, and safety risk avoidance rate of 80%. Here, safety risk avoidance rate indicates the percentage of avoidance of a state that poses a risk in terms of safety.
 システムモデル121は、例えば、通常稼働の状態である情報機器の割合を生産量として算出してもよい。例えば、対象システムで100個の情報機器が稼働しており、50個の情報機器が通常稼働の状態であれば、生産量を50%と計算してもよい。この例では、システムモデル121は、情報機器の状態の時系列推移によらず、或る時刻の情報機器の状態情報21のみに基づいて一意の生産量を計算している。なお、これに限られず、例えば、情報機器の状態の時系列推移に関する履歴効果を考慮して生産量を計算してもよい。 The system model 121 may, for example, calculate the percentage of information devices in a normal operating state as the production volume. For example, if 100 information devices are operating in the target system and 50 of the information devices are in a normal operating state, the production volume may be calculated as 50%. In this example, the system model 121 calculates a unique production volume based only on the state information 21 of the information devices at a certain time, regardless of the time series transition of the state of the information devices. Note that this is not limited to this, and for example, the production volume may be calculated taking into account the history effect regarding the time series transition of the state of the information devices.
 次に、情報機器の状態情報21の時系列推移を考慮して、生産量を算出する例を示す。 Next, an example of calculating the production volume taking into account the time series changes in the information device status information 21 is shown.
 図3は、第1実施形態に係る生産量の時系列推移を説明する図である。図3において、横軸は時刻を表し、縦軸は生産量を示している。図3の例では、時刻0~t1までは全ての情報機器が通常動作の状態であり、時刻t1~t2までは、半分の情報機器が通常動作の状態であり、時刻t2以降は、全ての情報機器が通常動作の状態である場合の例を示している。この例においては、生産量は、時刻t1までは、100%であり、時刻t1~t2までの間は、生産量が連続的に減少した値となり、時刻t2以降は生産量が連続的に回復した値となる。 FIG. 3 is a diagram illustrating the time series transition of production volume according to the first embodiment. In FIG. 3, the horizontal axis represents time, and the vertical axis represents production volume. In the example of FIG. 3, all information devices are in a normal operating state from time 0 to t1, half of the information devices are in a normal operating state from time t1 to t2, and all information devices are in a normal operating state from time t2 onwards. In this example, the production volume is 100% until time t1, the production volume is a continuously decreasing value from time t1 to t2, and the production volume is a continuously recovering value from time t2 onwards.
 また、システムモデル121が機密性保護率を算出する方法としては、例えば、産業制御システム13における各情報機器130に対して機密性保護についてのスコアを設定しておき、全ての情報機器130のスコアの合計に対する、機密性保護が確保されている情報機器130のスコアの合計の割合を算出するようにしてもよい。 Also, as a method for the system model 121 to calculate the confidentiality protection rate, for example, a confidentiality protection score may be set for each information device 130 in the industrial control system 13, and the ratio of the total scores of information devices 130 for which confidentiality protection is ensured to the total scores of all information devices 130 may be calculated.
 また、システムモデル121が安全リスク回避率を算出する方法としては、例えば、産業制御システム13における各情報機器130に対して安全リスクに対するスコアを設定しておき、全ての情報機器130のスコアの合計に対する、安全リスクが回避されている情報機器130のスコアの合計の割合を算出するようにしてもよい。 Also, as a method for the system model 121 to calculate the safety risk avoidance rate, for example, a score for safety risk may be set for each information device 130 in the industrial control system 13, and the ratio of the total score of the information devices 130 for which safety risk has been avoided to the total score of all the information devices 130 may be calculated.
 システムモデル121の演算機能による演算は、上記の例に限られず、情報機器の状態情報21を入力し、1種類以上の指標で数値化された対象システムのパフォーマンス23を出力できるものであればよく、或る指標を計算するために、別の指標を使用してもよい。 The calculations performed by the calculation function of the system model 121 are not limited to the above examples, and can be anything that can input information 21 about the status of the information device and output performance 23 of the target system quantified using one or more types of indices, and a different index may be used to calculate a certain index.
 次に、攻撃者プロファイル122について説明する。 Next, we will explain the attacker profile 122.
 図4は、第1実施形態に係る攻撃者プロファイルの構成図である。 FIG. 4 is a diagram showing the configuration of an attacker profile according to the first embodiment.
 攻撃者プロファイル122は、想定する攻撃者のタイプを定義した情報である。攻撃者プロファイル122は、記憶部120に格納される。本実施形態では、記憶部120は、複数(Ni)パターンの攻撃者プロファイル122を格納している。 The attacker profile 122 is information that defines the type of attacker that is assumed. The attacker profile 122 is stored in the memory unit 120. In this embodiment, the memory unit 120 stores multiple (Ni) patterns of attacker profiles 122.
 攻撃者プロファイル122は、識別子と、識別名と、攻撃目的と、攻撃手法とを含む。なお、攻撃者プロファイル122に、攻撃目的と攻撃手法とが類似するAPTグループの識別情報を含めてもよい。 The attacker profile 122 includes an identifier, an identification name, an attack purpose, and an attack method. The attacker profile 122 may also include identification information of an APT group that has a similar attack purpose and attack method.
 識別子には、攻撃者プロファイル122を一意に識別可能な情報が定義される。識別子としては、例えば、1からNiの整数値が割り当てられる。識別名には、攻撃者プロファイル122を識別する名前が定義される。なお、本実施形態では、識別名も攻撃者プロファイル122を一意に識別可能となっている。 In the identifier, information capable of uniquely identifying the attacker profile 122 is defined. For example, an integer value from 1 to Ni is assigned as the identifier. In the identification name, a name that identifies the attacker profile 122 is defined. Note that in this embodiment, the identification name is also capable of uniquely identifying the attacker profile 122.
 攻撃手法には、DoS、制御パラメータ変更などの攻撃者が利用可能な具体的な攻撃手法が定義される。 Attack methods are defined as specific attack methods that attackers can use, such as DoS and changing control parameters.
 攻撃目的には、攻撃を実施するにあたって重要視する1以上の指標(攻撃目的指標)の割合(目標値)が定義される。攻撃者はこの指標の変化を最大化することを目的とすることを意味している。例えば、識別名が生産量特化型の攻撃者プロファイル122-1では、攻撃目的が「生産量(100%)」と定義されており、攻撃目的は、生産量に影響を与えることのみを目的としていることを意味している。したがって、攻撃者プロファイル122-1の攻撃者は、機密性保護率や安全リスク回避率などの他の指標に影響を与えることを目的としていないことを意味している。 The attack objective defines the percentage (target value) of one or more indicators (attack objective indicators) that are considered important when carrying out an attack. This means that the attacker aims to maximize the change in this indicator. For example, in attacker profile 122-1, whose identification name is production volume-specialized, the attack objective is defined as "production volume (100%)", which means that the attack objective aims only to affect production volume. This means that the attacker of attacker profile 122-1 does not aim to affect other indicators such as confidentiality protection rate or safety risk avoidance rate.
 また、識別名がバランス型の攻撃者プロファイル122-2では、攻撃目的が「生産量(30%),機密性保護率(40%),安全リスク回避率(30%)」と定義されており、生産量と機密性保護率と安全リスク回避率とが3:4:3の比率で影響を与えることを目的としていることを意味している。 In addition, in attacker profile 122-2, whose identification name is Balanced, the attack objective is defined as "production volume (30%), confidentiality protection rate (40%), safety risk avoidance rate (30%)," which means that the objective is to affect production volume, confidentiality protection rate, and safety risk avoidance rate in a ratio of 3:4:3.
 対象システムでの影響の計算方法については、生産量の影響を例に挙げると、図3のように生産量が変化する場合には、生産量の影響として、図中の斜線部の面積で表される累積量を採用してもよいし、瞬間的な最大変化量を採用してもよい。 As an example of how to calculate the impact on the target system, if the production volume changes as shown in Figure 3, the cumulative amount represented by the area of the shaded area in the figure can be used as the impact on the production volume, or the maximum instantaneous change can be used.
 以後、生産量、機密保護率、安全リスク回避率の影響をX,Y,Zと表すこととする。生産量特化型の攻撃者プロファイル122-1の場合には、1Xを最大化することが目的となり、バランス型の攻撃者プロファイル122-2の場合には、0.3X+0.4Y+0.3Zを最大化することが目的となる。 Hereafter, the influence of production volume, confidentiality protection rate, and safety risk aversion rate will be represented as X, Y, and Z. In the case of the production volume-specialized attacker profile 122-1, the objective is to maximize 1X, and in the case of the balanced attacker profile 122-2, the objective is to maximize 0.3X + 0.4Y + 0.3Z.
 次に、防御者プロファイル123について説明する。 Next, we will explain the defender profile 123.
 図5は、第1実施形態に係る防御者プロファイルの構成図である。 FIG. 5 is a diagram showing the configuration of a defender profile according to the first embodiment.
 防御者プロファイル123は、想定する防御者のタイプを定義した情報である。防御者プロファイル123は、記憶部120に格納される。本実施形態では、記憶部120は、複数(Nj)パターンの防御者プロファイル123を格納している。 The defender profile 123 is information that defines the type of defender that is assumed. The defender profile 123 is stored in the memory unit 120. In this embodiment, the memory unit 120 stores multiple (Nj) patterns of defender profiles 123.
 防御者プロファイル123は、識別子と、識別名と、防御目的と、防御手法とを含む。 The defender profile 123 includes an identifier, an identification name, a defense purpose, and a defense method.
 識別子には、防御者プロファイル123を一意に識別可能な情報が定義される。識別子としては、例えば、1からNjの整数値が割り当てられる。識別名には、防御者プロファイル123を識別する名前が定義される。なお、本実施形態では、識別名も防御者プロファイル123を一意に識別可能となっている。 In the identifier, information capable of uniquely identifying the defender profile 123 is defined. For example, an integer value from 1 to Nj is assigned as the identifier. In the identification name, a name that identifies the defender profile 123 is defined. Note that in this embodiment, the identification name is also capable of uniquely identifying the defender profile 123.
 防御手法には、機器の動作モード変更や、機器の稼働停止などの防御者が利用可能な具体的な防御手法が定義される。 Defensive methods define specific defensive techniques that defenders can use, such as changing the operating mode of a device or shutting down the device.
 防御目的には、防御を実施するにあたって重要視する1以上の指標(防御目的指標)の割合(目標値)が定義される。防御者はこの指標の変化を最小化することを目的とすることを意味している。例えば、識別名が安全リスク回避率特化型の防御者プロファイル123-1では、防御目的が「安全リスク回避率(100%)」と定義されており、したがって、防御者プロファイル123-1の防御者は、1Zを最小化することを目的としている。 The defense objective defines the ratio (target value) of one or more indicators (defense objective indicators) that are considered important when implementing defense. This means that the defender aims to minimize the change in this indicator. For example, in the defender profile 123-1, whose identification name is safety risk avoidance rate specialization, the defense objective is defined as "safety risk avoidance rate (100%)", and therefore the defender of the defender profile 123-1 aims to minimize 1Z.
 また、識別名が機密性保護率重視型の防御者プロファイル123-2では、防御目的が「生産量(10%),機密性保護率(70%),安全リスク回避率(20%)」と定義されており、0.1X+0.7Y+0.2Zを最小化することを目的としている。 Furthermore, in the defender profile 123-2, whose identification name is confidentiality protection rate-oriented, the defense objectives are defined as "production volume (10%), confidentiality protection rate (70%), safety risk avoidance rate (20%)" and the objective is to minimize 0.1X + 0.7Y + 0.2Z.
 ここで、攻撃者プロファイル122の攻撃目的と、防御者プロファイル123防御目的とが同じ場合には、双方は真逆の目的を達成しようとしていることを意味している。なお、攻撃者プロファイル122の攻撃目的と、防御者プロファイル123の防御目的とが同じものが存在していなくてもよい。 Here, if the attack purpose of the attacker profile 122 and the defense purpose of the defender profile 123 are the same, it means that they are trying to achieve completely opposite goals. Note that it is not necessary for the attack purpose of the attacker profile 122 and the defense purpose of the defender profile 123 to be the same.
 次に、サイバー攻撃対処支援装置10の処理動作について説明する。 Next, the processing operation of the cyber attack response support device 10 will be explained.
 図6は、第1実施形態に係る対処策設計処理のフローチャートである。 FIG. 6 is a flowchart of the countermeasure design process according to the first embodiment.
 対処策設計処理は、サイバー攻撃対処支援装置10の対処策設計部111が異常検知システム11から対象システム(産業制御システム13)についての異常検知情報を受信した場合に実行される。 The countermeasure design process is executed when the countermeasure design unit 111 of the cyber-attack countermeasure support device 10 receives anomaly detection information about the target system (industrial control system 13) from the anomaly detection system 11.
 対処策設計部111は、記憶部120からシステムモデル121を読み込み、受信した異常検知情報に対応する状態をシステムモデル121に反映させる(S61)。 The countermeasure design unit 111 reads the system model 121 from the memory unit 120 and reflects the state corresponding to the received abnormality detection information in the system model 121 (S61).
 ここで、図7は、第1実施形態に係る異常検知情報を反映したシステムモデルのシステム構成を示す図である。図7においては、産業制御システム13は、情報機器130として、ネットワークを介して接続された監視端末と、制御サーバ1と、制御サーバ2と、PLC1と、PLC2と、HMIとを含み、異常検知情報は、監視端末における異常侵入が検知されたとの情報を含んでいるものとする。 Here, FIG. 7 is a diagram showing the system configuration of a system model that reflects anomaly detection information according to the first embodiment. In FIG. 7, the industrial control system 13 includes, as information devices 130, a monitoring terminal connected via a network, control server 1, control server 2, PLC 1, PLC 2, and an HMI, and the anomaly detection information includes information that an abnormal intrusion has been detected in the monitoring terminal.
 ステップS61では、図7に示すように、システムモデル121においては、監視端末の状態を表す属性が「不正侵入」と設定される。 In step S61, as shown in FIG. 7, in the system model 121, the attribute representing the state of the monitoring terminal is set to "unauthorized intrusion."
 図6の説明に戻り、対処策設計部111は、整数型の変数i,jを定義して値を1に設定する(S62)。 Returning to the explanation of FIG. 6, the countermeasure design unit 111 defines integer variables i and j and sets their values to 1 (S62).
 次いで、対処策設計部111は、記憶部120から識別子iの攻撃者プロファイル122と、識別子jの防御者プロファイル123とを読み込む(S63)。 Next, the countermeasure design unit 111 reads the attacker profile 122 with identifier i and the defender profile 123 with identifier j from the storage unit 120 (S63).
 次いで、対処策設計部111は、システムモデル121を用い、読み込んだ攻撃者プロファイル122に基づいて、攻撃者の挙動を予想する。なお、読み込んだ攻撃者プロファイル122に応じて、攻撃者の攻撃目的と攻撃手法が異なるため、攻撃者の挙動は変化する。 Then, the countermeasure design unit 111 uses the system model 121 to predict the behavior of the attacker based on the loaded attacker profile 122. Note that the attacker's behavior changes depending on the loaded attacker profile 122 because the attacker's purpose and attack method differ.
 図8は、第1実施形態に係るシステムモデルに対する攻撃者の挙動の予測を説明する図である。 FIG. 8 is a diagram illustrating the prediction of an attacker's behavior against the system model according to the first embodiment.
 例えば、生産量特化型の攻撃者プロファイル122-1から予想される攻撃者の挙動としては、監視端末に不正侵入した攻撃者は、次に制御サーバ1に対して「制御パラメータ変更」の攻撃手法を使って攻撃し、最後にPLC1に対して「DoS」の攻撃手法を使って攻撃することが予想される。攻撃手法は、攻撃者プロファイル122-1で定義された攻撃手法の中から選択される。また、本攻撃者の挙動は、攻撃目的に対応する1Xで表される対象システムへの影響を最大化するように導き出される。 For example, the attacker's behavior predicted from the production volume-specialized attacker profile 122-1 is that an attacker who has illegally intruded into a monitoring terminal will then attack the control server 1 using a "control parameter change" attack method, and finally attack the PLC 1 using a "DoS" attack method. The attack method is selected from the attack methods defined in the attacker profile 122-1. Furthermore, the attacker's behavior is derived so as to maximize the impact on the target system, represented by 1X, which corresponds to the purpose of the attack.
 また、バランス型の攻撃者プロファイル122-2から予想される攻撃者の挙動としては、例えば、監視端末に不正侵入した攻撃者は、次に制御サーバ2に対して「制御タグ情報収集」の攻撃手法を使って攻撃し、最後にHMIに対して「アラーム設定変更」の攻撃手法を使って攻撃することが予想される。本攻撃者の挙動は、攻撃目的に対応する0.3X+0.4Y+0.3Zで表される対象システムへの影響を最大化するように導き出される。 The attacker's behavior predicted from the balanced attacker profile 122-2 is, for example, that an attacker who has illegally invaded a monitoring terminal will then attack the control server 2 using the "control tag information collection" attack method, and finally attack the HMI using the "alarm setting change" attack method. This attacker's behavior is derived so as to maximize the impact on the target system, which is represented by 0.3X + 0.4Y + 0.3Z, which corresponds to the purpose of the attack.
 図6の説明に戻り、対処策設計部111は、システムモデル121を用い、攻撃者の挙動と防御者プロファイル123とに基づいて、最適な対処策を導出する(S63)。 Returning to the explanation of FIG. 6, the countermeasure design unit 111 uses the system model 121 to derive optimal countermeasures based on the attacker's behavior and the defender profile 123 (S63).
 図9は、第1実施形態に係るシステムモデルに対する防御者の挙動の予測を説明する図である。 FIG. 9 is a diagram illustrating the prediction of the defender's behavior for the system model according to the first embodiment.
 例えば、安全リスク回避率特化型の防御者プロファイル123-1から予想される防御者の挙動としては、PLC1に対して「機器の停止」の防御手法を使って防御することが、最適な対処策であると導き出される。防御手法は,防御者プロファイル123-1の防御手法の中から選択される。また、本防御者の挙動は防御目的に対応する1Zで表される対象システムへの影響を最小化するように導き出される。 For example, the behavior of the defender predicted from the safety risk aversion rate specialized defender profile 123-1 is derived to be the optimal countermeasure for defending against PLC1 using the defense method of "stopping equipment." The defense method is selected from among the defense methods in the defender profile 123-1. In addition, the behavior of this defender is derived to minimize the impact on the target system represented by 1Z, which corresponds to the defense objective.
 また、機密性保護率重視型の防御者プロファイル123-2から予想される防御者の挙動としては、例えば、制御サーバ1に対して「アクセス制御の設定変更」の防御手法を使って防御することが、最適な対処策であると導き出される。本防御者の挙動は、防御目的に対応する0.1X+0.7Y+0.2Zで表される対象システムへの影響を最小化するように導き出される。 Furthermore, the behavior of the defender predicted from the confidentiality protection rate-oriented defender profile 123-2 is derived to be, for example, the optimal countermeasure for defending against the control server 1 using the defense method of "changing access control settings." This defender's behavior is derived to minimize the impact on the target system, which is represented by 0.1X + 0.7Y + 0.2Z, which corresponds to the defense objective.
 図6の説明に戻り、対処策設計部111は、変数iとNiとを比較し、変数iがNi未満であるか否かを判定する(S66)。この結果、変数iがNi未満である場合(S66:Y)には、1つの防御者プロファイル123に対して全ての攻撃者プロファイル122を対象として対処策を導出していないことを意味しているので、対処策設計部111は、変数iに1を加算し(S67)、処理をステップS63に進める。 Returning to the explanation of FIG. 6, the countermeasure design unit 111 compares the variable i with Ni and determines whether the variable i is less than Ni (S66). As a result, if the variable i is less than Ni (S66: Y), this means that countermeasures have not been derived for all attacker profiles 122 for one defender profile 123, so the countermeasure design unit 111 adds 1 to the variable i (S67) and proceeds to step S63.
 一方、変数iがNi未満でない場合(S66:N)には、1つの防御者プロファイル123に対して全ての攻撃者プロファイル122を対象として対処策を導出したことを意味しているので、対処策設計部111は、処理をステップS68に進める。 On the other hand, if the variable i is not less than Ni (S66: N), this means that countermeasures have been derived for one defender profile 123, targeting all attacker profiles 122, so the countermeasure design unit 111 proceeds to step S68.
 ステップS68では、対処策設計部111は、変数jとNjとを比較し、変数jがNj未満であるか否かを判定する。この結果、変数jがNj未満である場合(S68:Y)には、全ての防御者プロファイル123に対して全ての攻撃者プロファイル122を対象として対処策を導出していないことを意味しているので、対処策設計部111は、変数iを1に設定し、変数jに1を加算し(S69)、処理をステップS63に進める。 In step S68, the countermeasure design unit 111 compares the variable j with Nj and determines whether the variable j is less than Nj. As a result, if the variable j is less than Nj (S68: Y), this means that countermeasures have not been derived for all attacker profiles 122 for all defender profiles 123, so the countermeasure design unit 111 sets the variable i to 1, adds 1 to the variable j (S69), and proceeds to step S63.
 一方、変数jがNj未満でない場合(S68:N)には、全ての防御者プロファイル123に対して全ての攻撃者プロファイル122を対象として対処策を導出したこと、すなわち、Ni×Njパターンの対処策を導出したことを意味しているので、対処策設計部111は、導出したNi×Njパターンの対処策を対処策選定部112に出力して処理を終了する。 On the other hand, if the variable j is not less than Nj (S68:N), this means that countermeasures have been derived for all attacker profiles 122 for all defender profiles 123, i.e., countermeasures of the Ni×Nj pattern have been derived, so the countermeasure design unit 111 outputs the derived countermeasures of the Ni×Nj pattern to the countermeasure selection unit 112 and ends the process.
 この対処策設計処理によると、実際の産業制御システム13で実施することが困難である、攻撃者グループと防御者グループとの合同実践演習を、システムモデル121を使って仮想的にNi×Njパターンの演習を実施して、それぞれの対応策を導出することができる。 This countermeasure design process allows a joint practical exercise between an attacker group and a defender group, which would be difficult to implement in an actual industrial control system 13, to be virtually carried out using the system model 121 with Ni x Nj patterns, and allows the deriving of countermeasures for each.
 次に、対処策選定部112の処理動作について説明する。 Next, the processing operation of the countermeasure selection unit 112 will be explained.
 対処策選定部112は、対処策設計部111で設計されて出力されたNi×Njパターンの対処策についての一覧表100(図10参照)を入出力装置12に表示させ、実際に産業制御システム13に適用する対処案の選択をユーザから受け付ける。ユーザは対処策選定部112に接続された入出力装置12に表示された一覧表を参照して対処策を比較し、最適な対処案を選択することができる。 The countermeasure selection unit 112 displays on the input/output device 12 a list 100 (see FIG. 10) of countermeasures for the Ni×Nj pattern designed and output by the countermeasure design unit 111, and accepts from the user a selection of the countermeasure to be actually applied to the industrial control system 13. The user can compare the countermeasures by referring to the list displayed on the input/output device 12 connected to the countermeasure selection unit 112, and select the optimal countermeasure.
 図10は、第1実施形態に係る対処策の一覧表の構成図である。 FIG. 10 is a diagram showing a list of countermeasures according to the first embodiment.
 一覧表100は、Ni×Njパターンの対処策を表示する表であり、Ni×Njパターンのそれぞれの対処策に対応するエントリを含む。一覧表100のエントリは、対処策101と、防御者プロファイル102と、攻撃者プロファイル103と、パフォーマンス104とのフィールドを含む。 List 100 is a table that displays countermeasures for Ni×Nj patterns, and includes entries corresponding to each countermeasure for the Ni×Nj patterns. The entries in list 100 include fields for countermeasure 101, defender profile 102, attacker profile 103, and performance 104.
 対処策101には、エントリに対応する対処策が表示される。対処策101においては、記号@の前に対処の内容が記載され、記号@の後ろに対処を行う対象となる情報機器130の識別名が記載されている。 In countermeasure 101, the countermeasure corresponding to the entry is displayed. In countermeasure 101, the content of the countermeasure is written before the symbol @, and the identification name of the information device 130 for which the countermeasure is to be taken is written after the symbol @.
 防御者プロファイル102には、エントリに対応する対処策が導出された防御者プロファイル123を識別可能な情報(例えば、識別名)が表示される。本実施形態では、防御者プロファイル123が押下(クリック)されると、図5に示すような防御者プロファイル123の詳細が表示される。 The defender profile 102 displays information (e.g., an identification name) that can identify the defender profile 123 from which the countermeasure corresponding to the entry was derived. In this embodiment, when the defender profile 123 is pressed (clicked), details of the defender profile 123 are displayed as shown in FIG. 5.
 攻撃者プロファイル103には、エントリに対応する対処策が導出された攻撃者プロファイル122を識別可能な情報(例えば、識別名)が表示される。本実施形態では、攻撃者プロファイル122が押下(クリック)されると、図4に示すような攻撃者プロファイル122の詳細が表示される。 The attacker profile 103 displays information (e.g., an identification name) that can identify the attacker profile 122 from which the countermeasure corresponding to the entry has been derived. In this embodiment, when the attacker profile 122 is pressed (clicked), details of the attacker profile 122 are displayed as shown in FIG. 4.
 パフォーマンス104には、性能を示す1以上の指標に関する指標値が表示される。パフォーマンス104は、生産量104A、機密保護率104B、安全リスク回避率104C等のフィールドを含む。 Performance 104 displays index values for one or more indicators that indicate performance. Performance 104 includes fields such as production volume 104A, confidentiality protection rate 104B, and safety risk avoidance rate 104C.
 生産量104Aには、エントリに対応する対処策を行った場合の生産量が表示される。機密保護率104Bには、エントリに対応する対処策を行った場合の機密保護率が表示される。安全リスク回避率104Cには、エントリに対応する対処策を行った場合の安全リスク回避率が表示される。 Production volume 104A displays the production volume when the countermeasure corresponding to the entry is implemented. Confidentiality protection rate 104B displays the confidentiality protection rate when the countermeasure corresponding to the entry is implemented. Safety risk avoidance rate 104C displays the safety risk avoidance rate when the countermeasure corresponding to the entry is implemented.
 ユーザは、想定する攻撃者のタイプ、経営優先度、対象システムへの影響などを考慮して、一覧表100の中から実際に産業制御システム13に適用する対処策を、入出力装置12を介して選択することができる。 The user can select the countermeasure to be actually applied to the industrial control system 13 from the list 100 via the input/output device 12, taking into consideration the assumed type of attacker, management priority, impact on the target system, etc.
 なお、対処策と、対処策を適用するために必要なコストやスピードと、の対応関係を記憶部120に格納しておき、対処策選定部112は、一覧表100において、対応策を適用するために必要なコストやスピードを、対処策に対応付けて表示させるようにしてもよい。 The correspondence between the countermeasure and the cost and speed required to apply the countermeasure may be stored in the storage unit 120, and the countermeasure selection unit 112 may display the cost and speed required to apply the countermeasure in the list 100 in association with the countermeasure.
 また、一覧表100における対処策には重複している対処策が存在する可能性があるので、本実施形態では、対処策選定部112は、導出された対処策に関する統計情報を表示するようにしている。 In addition, since there may be overlapping countermeasures in the list 100, in this embodiment, the countermeasure selection unit 112 displays statistical information regarding the derived countermeasures.
 図11は、第1実施形態に係る対処策の統計情報の構成図である。 FIG. 11 is a configuration diagram of statistical information on countermeasures in the first embodiment.
 統計情報は、例えば、全体の対処策における各対処策が重複する割合に関する情報である。図11においては、各対処策が重複する重複率を円グラフにより表現したものである。この統計情報によると、重複率が高い対処策、即ち、推奨されていると考えられる対処策を容易に把握することができる。 The statistical information is, for example, information regarding the percentage of overlap between each countermeasure among all countermeasures. In FIG. 11, the overlap rate of each countermeasure is represented by a pie chart. This statistical information makes it easy to identify countermeasures with a high overlap rate, i.e., countermeasures that are considered to be recommended.
 対処策選定部112により、ユーザが対処策の選定を完了すると、対処策実行部113は、ユーザが選定した対処策を情報機器130に適用する制御を行う。具体的には、対処策実行部113は、対処策を情報機器130に対して実行させるための通信コマンドを送信する。 When the user completes the selection of a countermeasure by the countermeasure selection unit 112, the countermeasure execution unit 113 controls the application of the countermeasure selected by the user to the information device 130. Specifically, the countermeasure execution unit 113 transmits a communication command to cause the information device 130 to execute the countermeasure.
 なお、対処策選定部112は、対処策が選択された後に、異常検知システム11から受信する異常検知情報を継続的に観察し、実際に観測されている攻撃者の挙動と、攻撃者プロファイルとの一致度の情報を表示するようにしてもよい。 In addition, after a countermeasure is selected, the countermeasure selection unit 112 may continuously observe the anomaly detection information received from the anomaly detection system 11 and display information on the degree of match between the actually observed attacker behavior and the attacker profile.
 図12は、第1実施形態に係る観測された攻撃者の挙動と、攻撃者プロファイルとの一致の関係を示す情報の構成図である。 FIG. 12 is a diagram showing the structure of information indicating the relationship between observed attacker behavior and a match with an attacker profile in the first embodiment.
 図12においては、攻撃者の実際の挙動のいくつかの内容(攻撃ルート、手法等)に対して、各攻撃者プロファイルで推定された挙動の内容との一致度が棒グラフで表現された統計情報が示されている。この統計情報によると、それぞれの挙動の内容に対して、どの攻撃者プロファイルを用いて推定するのが有効であるかを把握することができる。 In Figure 12, statistical information is shown in the form of a bar graph that represents the degree of agreement between some of the actual attacker behavior (attack route, method, etc.) and the behavior estimated by each attacker profile. This statistical information makes it possible to understand which attacker profile is most effective for estimating each behavior.
(第2実施形態)
 次に、第2実施形態に係るサイバー攻撃対処支援システムについて説明する。 Second Embodiment
Next, a cyber-attack response support system according to the second embodiment will be described.
 図13は、第2実施形態に係るサイバー攻撃対処支援システムの機能ブロック図である。なお、第2実施形態に係るサイバー攻撃対処支援システム1100において、第1実施形態に係るサイバー攻撃対処支援システム1000と同様な構成部分については、同一の符号を用いることとする。 FIG. 13 is a functional block diagram of the cyber-attack response support system according to the second embodiment. Note that in the cyber-attack response support system 1100 according to the second embodiment, components similar to those in the cyber-attack response support system 1000 according to the first embodiment are designated by the same reference numerals.
 サイバー攻撃対処支援システム1100は、処理部110において新たに影響再評価部114を備えている。 The cyber attack response support system 1100 includes a new impact reassessment unit 114 in the processing unit 110.
 影響再評価部114は、対処策選定部112からの要求に基づいて動作を開始し、記憶部120から、システムモデル121と、選択された対処策に対応する攻撃者プロファイル122及び防御者プロファイル123とを読み込んで、産業制御システム13における性能を評価する処理を行う。 The impact re-evaluation unit 114 starts operation based on a request from the countermeasure selection unit 112, reads the system model 121 and the attacker profile 122 and defender profile 123 corresponding to the selected countermeasure from the storage unit 120, and performs processing to evaluate the performance of the industrial control system 13.
 対処策選定部112は、ユーザから複数の対処策を受け付けることが可能である。対処策選定部112は、複数の対処策を受け付けた場合には、影響再評価部114に、複数の対処策を同時に実行した場合の対象システムへの影響を評価する指示を要求し、影響再評価部114からの評価の結果を出力表1400(図14参照)として表示する。 The countermeasure selection unit 112 can accept multiple countermeasures from the user. When multiple countermeasures are accepted, the countermeasure selection unit 112 requests the impact reassessment unit 114 to instruct it to evaluate the impact on the target system when multiple countermeasures are executed simultaneously, and displays the evaluation results from the impact reassessment unit 114 as an output table 1400 (see FIG. 14).
 次に、サイバー攻撃対処支援システム1100の処理動作について説明する。 Next, the processing operation of the cyber attack response support system 1100 will be explained.
 サイバー攻撃対処支援システム1100におけるNi×Njパターンの対処策の一覧表100を出力するまで処理動作は、第1実施形態のサイバー攻撃対処支援システム1000と同様である。 The processing operations up to outputting the list 100 of countermeasures for Ni×Nj patterns in the cyber-attack response support system 1100 are the same as those in the cyber-attack response support system 1000 of the first embodiment.
 対処策選定部112は、一覧表100に対して複数の対処策が選択された場合には、影響再評価部114に、選択された複数の対処策を同時に実行した場合の対象システムへの影響を評価する要求を行う。 If multiple countermeasures are selected for the list 100, the countermeasure selection unit 112 requests the impact reassessment unit 114 to evaluate the impact on the target system when the selected countermeasures are executed simultaneously.
 影響再評価部114は、対処策選定部112から要求を受け取ると、記憶部120からシステムモデル121と、選択された複数の対処策に対応する攻撃者プロファイル122及び防御者プロファイル123とを読み込んで、システムモデル121の情報機器130の状態を、選択した複数の対処案に対応する状態に更新する。次いで、影響再評価部114は、システムモデル121の演算機能により、対象システムのパフォーマンス(性能)を1種類以上の指標で数値化し、対処策選定部112に結果を返す。 When the impact re-evaluation unit 114 receives a request from the countermeasure selection unit 112, it reads the system model 121 and the attacker profile 122 and defender profile 123 corresponding to the selected countermeasures from the storage unit 120, and updates the state of the information device 130 in the system model 121 to a state corresponding to the selected countermeasures. Next, the impact re-evaluation unit 114 uses the calculation function of the system model 121 to quantify the performance of the target system using one or more indicators, and returns the result to the countermeasure selection unit 112.
 対処策選定部112は、影響再評価部114からの結果に基づいて出力表1400を作成して、出力表1400を入出力装置12に表示させる。ユーザは、この出力表1400を参照して複数の対処策を同時に適用してもよいかを判断することができる。 The countermeasure selection unit 112 creates an output table 1400 based on the results from the impact reevaluation unit 114, and displays the output table 1400 on the input/output device 12. The user can refer to this output table 1400 to determine whether or not it is acceptable to apply multiple countermeasures simultaneously.
 図14は、第2実施形態に係る対処策の出力表の構成図である。 FIG. 14 is a diagram showing the configuration of an output table for countermeasures according to the second embodiment.
 出力表1400は、選択された複数の対処策を同時に実行した場合の影響の情報を表示する表である。出力表1400は、対処策1401と、防御者プロファイル1402と、攻撃者プロファイル1403と、パフォーマンス1404とのフィールドを含む。 Output table 1400 is a table that displays information about the impact when multiple selected countermeasures are executed simultaneously. Output table 1400 includes fields for countermeasure 1401, defender profile 1402, attacker profile 1403, and performance 1404.
 対処策1401には、選択された複数の対処策が表示される。図14の例では、対処策は、「機器の停止@PLC1」と「機器の動作モード変更@HMI」とである。 The countermeasures 1401 displays multiple selected countermeasures. In the example of FIG. 14, the countermeasures are "Stop device @PLC1" and "Change device operation mode @HMI."
 防御者プロファイル1402には、各対処策が導出された防御者プロファイル123を識別可能な情報(例えば、識別名)が表示される。 The defender profile 1402 displays information (e.g., an identification name) that can identify the defender profile 123 from which each countermeasure was derived.
 攻撃者プロファイル1403には、各対処策が導出された攻撃者プロファイル122を識別可能な情報(例えば、識別名)が表示される。 The attacker profile 1403 displays information (e.g., an identification name) that can identify the attacker profile 122 from which each countermeasure was derived.
 パフォーマンス1404には、複数の対処策を同時に実行した場合の対象システムの性能を示す1以上の指標に関する指標値が表示される。パフォーマンス1404は、生産量1404A、機密保護率1404B、安全リスク回避率1404C等のフィールドを含む。 Performance 1404 displays index values for one or more indicators that indicate the performance of the target system when multiple countermeasures are implemented simultaneously. Performance 1404 includes fields such as production volume 1404A, confidentiality protection rate 1404B, and safety risk avoidance rate 1404C.
 生産量1404Aには、複数の対処策を行った場合の生産量が表示される。機密保護率1404Bには、複数の対処策を行った場合の機密保護率が表示される。安全リスク回避率1404Cには、複数の対処策を行った場合の安全リスク回避率が表示される。 Production volume 1404A displays the production volume when multiple countermeasures are implemented. Confidentiality protection rate 1404B displays the confidentiality protection rate when multiple countermeasures are implemented. Safety risk avoidance rate 1404C displays the safety risk avoidance rate when multiple countermeasures are implemented.
 ユーザは、出力表1400を参照して、複数の対処策を同時に実行するか否かを判断することができる。対処策選定部112は、ユーザから複数の対処策を実行するとの指示を受け付けた場合には、その旨を対処策実行部113に通知し、対処策実行部113は、通知された複数の対処策を情報機器130に適用する制御を行う。 The user can refer to the output table 1400 to determine whether or not to execute multiple countermeasures simultaneously. When the countermeasure selection unit 112 receives an instruction from the user to execute multiple countermeasures, it notifies the countermeasure execution unit 113 of this, and the countermeasure execution unit 113 controls the application of the notified multiple countermeasures to the information device 130.
(第3実施形態)
 次に、第3実施形態に係るサイバー攻撃対処支援システムについて説明する。 Third Embodiment
Next, a cyber-attack response support system according to the third embodiment will be described.
 図15は、第3実施形態に係るサイバー攻撃対処支援システムの機能ブロック図である。なお、第3実施形態に係るサイバー攻撃対処支援システム1200において、第1実施形態に係るサイバー攻撃対処支援システム1000と同様な構成部分については、同一の符号を用いることとする。 FIG. 15 is a functional block diagram of a cyber-attack response support system according to the third embodiment. Note that in the cyber-attack response support system 1200 according to the third embodiment, components similar to those in the cyber-attack response support system 1000 according to the first embodiment are designated by the same reference numerals.
 サイバー攻撃対処支援システム1200は、サイバー攻撃対処支援システム1000に対して、処理部110に新たに防御者モデル生成部115を備え、対処策設計部116の処理動作の一部を変更し、記憶部120に新たに防御者モデル124を格納するようにしたものである。 Compared to the cyber-attack response support system 1000, the cyber-attack response support system 1200 is equipped with a new defender model generation unit 115 in the processing unit 110, some of the processing operations of the countermeasure design unit 116 are changed, and a new defender model 124 is stored in the memory unit 120.
 第1実施形態に係るサイバー攻撃対処支援システム1000では、異常検知システム11が異常を検知した際に、攻撃者プロファイルに基づいて攻撃者の挙動を予想し、その後、防御者プロファイルに基づいて最適な対処策を含む防御者の挙動を導出するようにしていたが、第3実施形態に係るサイバー攻撃対処支援システム1200では、異常検知システム11が対象システムの異常を検知した際に、攻撃者の挙動を予想するステップを踏まずに最適な対処策を導出する。 In the cyber attack response support system 1000 according to the first embodiment, when the anomaly detection system 11 detects an anomaly, it predicts the attacker's behavior based on the attacker profile, and then derives the defender's behavior, including the optimal countermeasure, based on the defender profile. However, in the cyber attack response support system 1200 according to the third embodiment, when the anomaly detection system 11 detects an anomaly in the target system, it derives the optimal countermeasure without taking the step of predicting the attacker's behavior.
 防御者モデル生成部115は、システムモデル121、攻撃者プロファイル122、及び防御者プロファイル123を読み込み、異常検知システム11の異常検知情報を反映したシステムモデルを入力して対処策を出力できる防御者モデル124を生成する。防御者モデル生成部115による防御者モデル124を生成する処理(防御者モデル生成処理:図17参照)は、異常検知システム11が異常を検知する前の段階に実行される。防御者モデル124を生成する方法としては、マルチエージェント強化学習の活用が考えられる。マルチエージェント強化学習を活用する場合には、防御者モデル生成部115は、防御者モデル124の学習を行い、対処策設計部111は防御者モデルの実行を行う。 The defender model generation unit 115 reads the system model 121, attacker profile 122, and defender profile 123, and generates a defender model 124 that can input a system model that reflects the anomaly detection information of the anomaly detection system 11 and output countermeasures. The process of generating the defender model 124 by the defender model generation unit 115 (defender model generation process: see Figure 17) is executed at a stage before the anomaly detection system 11 detects an anomaly. One possible method of generating the defender model 124 is to utilize multi-agent reinforcement learning. When utilizing multi-agent reinforcement learning, the defender model generation unit 115 learns the defender model 124, and the countermeasure design unit 111 executes the defender model.
 図16は、第3実施形態に係る防御者モデルを説明する図である。 FIG. 16 is a diagram explaining the defender model according to the third embodiment.
 防御者モデル124は、異常検知システム11の異常検知情報が反映されたシステムモデル1601、例えば、対象システムを構成する情報機器130の状態で表されるシステムモデル1601を入力とし、対象システムを構成する情報機器の状態に対して最適な対処策1603を出力する演算機能を有する。 The defender model 124 has a calculation function that inputs a system model 1601 that reflects the anomaly detection information of the anomaly detection system 11, for example, a system model 1601 that is represented by the state of the information devices 130 that make up the target system, and outputs an optimal countermeasure 1603 for the state of the information devices that make up the target system.
 次に、防御者モデルを生成する防御者モデル生成処理について説明する。 Next, we will explain the defender model generation process that generates the defender model.
 図17は、第3実施形態に係る防御者モデル生成処理のフローチャートである。図17は、マルチエージェント強化学習を用いて防御者モデルを生成する防御者モデル生成処理である。 FIG. 17 is a flowchart of the defender model generation process according to the third embodiment. FIG. 17 shows the defender model generation process that generates a defender model using multi-agent reinforcement learning.
 防御者モデル生成部115は、変数i,jを1に設定する(S1701)。次いで、防御者モデル生成部115は、記憶部120からシステムモデル121、識別子iの攻撃者プロファイル122、及び識別子jの防御者プロファイル123を読み込む(S1702)。 The defender model generation unit 115 sets variables i and j to 1 (S1701). Next, the defender model generation unit 115 reads the system model 121, the attacker profile 122 of identifier i, and the defender profile 123 of identifier j from the storage unit 120 (S1702).
 次いで、防御者モデル生成部115は、システムモデル121を環境として、攻撃者を模したエージェント(攻撃者エージェント)と、防御者を模したエージェント(防御者エージェント)と、を動作させることにより最適行動を学習する(S1703)。 Next, the defender model generation unit 115 learns optimal behavior by operating an agent simulating an attacker (attacker agent) and an agent simulating a defender (defender agent) in the system model 121 as an environment (S1703).
 ここで、攻撃者エージェントが実行可能な行動は、攻撃者プロファイル122の攻撃手法により規定され、攻撃者エージェントが得る報酬は、攻撃者プロファイル122の攻撃目的により決定される。例えば、攻撃者エージェントの得る報酬は、攻撃目的で定義されている指標の変化量に応じて報酬が決まる。例えば、図4における識別名がバランス型である攻撃者プロファイル122-2に基づいて生成された攻撃者エージェントは、0.3X+0.4Y+0.3Zが増加すると増加する報酬としてもよい。 Here, the actions that the attacker agent can execute are defined by the attacking methods in the attacker profile 122, and the reward that the attacker agent receives is determined by the attack objective in the attacker profile 122. For example, the reward that the attacker agent receives is determined according to the amount of change in the indicator defined in the attack objective. For example, an attacker agent generated based on the attacker profile 122-2, whose identification name is balanced in FIG. 4, may receive a reward that increases with an increase in 0.3X + 0.4Y + 0.3Z.
 また、防御者エージェントが実行可能な行動は、防御者プロファイル123の防御手法により規定され、防御者エージェントが得る報酬は、防御者プロファイル123の防御目的により決定される。例えば、防御者エージェントの得る報酬は、防御目的で定義されている指標の変化量に応じて報酬が決まる。例えば、図5における識別名が機密性保護率重視型である防御者プロファイル123-2に基づいて生成された防御者エージェントは、0.1X+0.7Y+0.2Zが減少すると増加する報酬としてもよい。 Furthermore, the actions that the defender agent can execute are stipulated by the defense methods of the defender profile 123, and the reward that the defender agent receives is determined by the defense objectives of the defender profile 123. For example, the reward that the defender agent receives is determined according to the amount of change in the indicators defined in the defense objectives. For example, a defender agent generated based on the defender profile 123-2, whose identification name in FIG. 5 is confidentiality protection rate-oriented, may receive a reward that increases with a decrease in 0.1X + 0.7Y + 0.2Z.
 次いで、防御者モデル生成部115は、マルチエージェント強化学習が完了し、システムモデル121における情報機器の状態に応じて最適な行動を出力できる防御者エージェントを、防御者モデル124として記憶部120に格納する(S1704)。 Then, the defender model generation unit 115 stores the defender agent that has completed the multi-agent reinforcement learning and is capable of outputting optimal behavior according to the state of the information device in the system model 121 in the storage unit 120 as the defender model 124 (S1704).
 次いで、防御者モデル生成部115は、変数iとNiとを比較し、変数iがNiより大きいか否かを判定する(S1705)。この結果、変数iがNiより大きくない場合(S1705:N)には、1つの防御者プロファイル123に対して全ての攻撃者プロファイル122を対象としてマルチエージェント強化学習を実施して防御者モデルを作成していないことを意味しているので、防御者モデル生成部115は、変数iに1を加算し(S1706)、処理をステップS1702に進める。 Then, the defender model generation unit 115 compares the variable i with Ni and determines whether the variable i is greater than Ni (S1705). As a result, if the variable i is not greater than Ni (S1705: N), this means that a defender model has not been created by performing multi-agent reinforcement learning on all attacker profiles 122 for one defender profile 123, so the defender model generation unit 115 adds 1 to the variable i (S1706) and proceeds to step S1702.
 一方、変数iがNiより大きい場合(S1705:Y)には、1つの防御者プロファイル123に対して全ての攻撃者プロファイル122を対象としてマルチエージェント強化学習を実施して防御者モデルを作成したことを意味しているので、防御者モデル生成部115は、処理をステップS1707に進める。 On the other hand, if the variable i is greater than Ni (S1705: Y), this means that a defender model has been created by performing multi-agent reinforcement learning on all attacker profiles 122 for one defender profile 123, so the defender model generation unit 115 proceeds to step S1707.
 ステップS1707では、防御者モデル生成部115は、変数jとNjとを比較し、変数jがNjより大きいか否かを判定する。この結果、変数jがNjより大きくない場合(S1707:N)には、全ての防御者プロファイル123に対して全ての攻撃者プロファイル122を対象としてマルチエージェント強化学習を実施して防御者モデルを作成していないことを意味しているので、防御者モデル生成部115は、変数iを1に設定し、変数jに1を加算し(S1708)、処理をステップS1702に進める。 In step S1707, the defender model generation unit 115 compares the variable j with Nj and determines whether the variable j is greater than Nj. If the result is that the variable j is not greater than Nj (S1707: N), this means that a defender model has not been created by performing multi-agent reinforcement learning on all attacker profiles 122 for all defender profiles 123, so the defender model generation unit 115 sets the variable i to 1 and adds 1 to the variable j (S1708), and proceeds to step S1702.
 一方、変数jがNjより大きい場合(S1707:Y)には、全ての防御者プロファイル123に対して全ての攻撃者プロファイル122を対象としてマルチエージェント強化学習を実施して防御者モデルを作成したこと、すなわち、Ni×Njパターンの防御者モデル124を導出したことを意味しているので、防御者モデル生成部115は、導出したNi×Njパターンの防御者モデル124を記憶部120に格納して処理を終了する。 On the other hand, if the variable j is greater than Nj (S1707: Y), this means that a defender model has been created by performing multi-agent reinforcement learning on all attacker profiles 122 for all defender profiles 123, i.e., a defender model 124 of the Ni×Nj pattern has been derived, so the defender model generation unit 115 stores the derived defender model 124 of the Ni×Nj pattern in the memory unit 120 and terminates the process.
 次に、サイバー攻撃対処支援システム1200による対処策設計処理について説明する。 Next, we will explain the countermeasure design process performed by the cyber attack response support system 1200.
 対処策設計処理は、サイバー攻撃対処支援装置10が異常検知システム11から対象システム(産業制御システム13)についての異常検知情報を受信した場合に対処策設計部116が起動されて実行される。 The countermeasure design process is executed by activating the countermeasure design unit 116 when the cyber-attack response support device 10 receives anomaly detection information about the target system (industrial control system 13) from the anomaly detection system 11.
 対処策設計部116は、記憶部120からシステムモデル121と防御者モデル124とを読み込み、受信した異常検知情報に対応する状態をシステムモデル121に反映させ、異常検知情報を反映したシステムモデル121における情報機器の状態を、Ni×Njパターンの防御者モデル124のそれぞれに入力し、それぞれの防御者モデル124により、Ni×Njパターンの対処策を算出し、算出されたNi×Njパターンの対処策を対処策選定部112に出力する。この対処策設計処理によると、実際の産業制御システム13で実施することが困難である、攻撃者グループと防御者グループとの合同実践演習を、システムモデル121を使って仮想的にNi×Njパターンの演習を実施して、それぞれの対応策を導出することができる。なお、これ以降に実行される対処策選定部112及び対処策実行部113による処理は、第1実施形態に係るサイバー攻撃対処支援システム1000と同様である。 The countermeasure design unit 116 reads the system model 121 and the defender model 124 from the storage unit 120, reflects the state corresponding to the received abnormality detection information in the system model 121, inputs the state of the information device in the system model 121 reflecting the abnormality detection information to each of the defender models 124 of the Ni×Nj pattern, calculates countermeasures of the Ni×Nj pattern using each defender model 124, and outputs the calculated countermeasures of the Ni×Nj pattern to the countermeasure selection unit 112. According to this countermeasure design process, a joint practical exercise between an attacker group and a defender group, which is difficult to implement in an actual industrial control system 13, can be virtually implemented using the system model 121 to derive each countermeasure. Note that the processes executed by the countermeasure selection unit 112 and the countermeasure execution unit 113 thereafter are similar to those of the cyber attack response support system 1000 according to the first embodiment.
 本実施形態に係るサイバー攻撃対処支援システム1200によると、異常検知システム11が異常を検知した後に、攻撃者の挙動を予想するステップを踏む必要がなく、事前に攻撃者プロファイルと防御者プロファイルとの組み合わせ毎に生成しておいたNi×Njパターンの防御者モデル124を使って対処策を導出できる。このため、サイバー攻撃発生時において、迅速に対処策をユーザに提示することができる。 According to the cyber attack response support system 1200 of this embodiment, after the anomaly detection system 11 detects an anomaly, there is no need to take the step of predicting the attacker's behavior, and countermeasures can be derived using the Ni x Nj pattern defender model 124 that has been generated in advance for each combination of the attacker profile and the defender profile. Therefore, when a cyber attack occurs, countermeasures can be quickly presented to the user.
 なお、本発明は、上述の実施形態に限定されるものではなく、本発明の趣旨を逸脱しない範囲で、適宜変形して実施することが可能である。 The present invention is not limited to the above-described embodiment, and can be modified as appropriate without departing from the spirit of the present invention.
 例えば、上記実施形態では、産業制御システム13を対象とした例を示しているが、本発明はこれに限られず、一般的な情報システムに適用可能である。 For example, in the above embodiment, an example is shown in which an industrial control system 13 is the target, but the present invention is not limited to this and can be applied to general information systems.
 また、上記実施形態では、異常検知システム11を産業制御システム13の外部に設けた例を示しているが、本発明はこれに限られず、異常検知システム11を産業制御システム13内に設けるようにしてもよい。 In addition, in the above embodiment, an example is shown in which the anomaly detection system 11 is provided outside the industrial control system 13, but the present invention is not limited to this, and the anomaly detection system 11 may be provided within the industrial control system 13.
 また、上記実施形態において、プロセッサが行っていた処理の一部又は全部を、ハードウェア回路で行うようにしてもよい。また、上記実施形態におけるプログラムは、プログラムソースからインストールされてよい。プログラムソースは、プログラム配布サーバ又は記録メディア(例えば可搬型の記録メディア)であってもよい。 Furthermore, in the above embodiment, some or all of the processing performed by the processor may be performed by a hardware circuit. Furthermore, the program in the above embodiment may be installed from a program source. The program source may be a program distribution server or a recording medium (e.g., a portable recording medium).
 10…サイバー攻撃対処支援装置、11…異常検知システム、12…入出力装置、13…産業制御システム、110…処理部、111,116…対処策設計部、112…対処策選定部、113…対処策実行部、114…影響再評価部、115…防御者モデル生成部120…記憶部、121…システムモデル、122…攻撃者プロファイル、123…防御者プロファイル、124…防御者モデル、1000,1100,1200…サイバー攻撃対処支援システム
  10...cyber attack response support device, 11...anomaly detection system, 12...input/output device, 13...industrial control system, 110...processing unit, 111, 116...countermeasure design unit, 112...countermeasure selection unit, 113...countermeasure execution unit, 114...impact reevaluation unit, 115...defender model generation unit 120...storage unit, 121...system model, 122...attacker profile, 123...defender profile, 124...defender model, 1000, 1100, 1200...cyber attack response support system

Claims (14)

  1.  所定の対象システムへのサイバー攻撃に対する対処策を設計するサイバー攻撃対処支援システムであって、
     サイバー攻撃を行う攻撃者の攻撃目的と攻撃手法とを含む、1以上の攻撃者プロファイルと、サイバー攻撃に対する防御を行う防御者の防御目的と防御手法とを含む、1以上の防御者プロファイルとを記憶する記憶部と、
     前記対象システムの状態を再現し、前記対象システムの状態に対応する前記対象システムの性能を示す1以上の指標の指標値を出力するシステムモデルを用いて、前記攻撃者プロファイルと前記防御者プロファイルとの組み合わせ毎に対処策を設計する対処策設計部と、
    を備えるサイバー攻撃対処支援システム。     A cyber attack response support system that designs countermeasures against a cyber attack on a specified target system,
    A storage unit that stores one or more attacker profiles including an attack purpose and an attack method of an attacker who conducts a cyber attack, and one or more defender profiles including a defense purpose and a defense method of a defender who defends against a cyber attack;
    a countermeasure design unit that uses a system model that reproduces a state of the target system and outputs index values of one or more indexes that indicate the performance of the target system corresponding to the state of the target system to design a countermeasure for each combination of the attacker profile and the defender profile;
    A cyber attack response support system equipped with
  2.  前記対処策設計部は、前記対象システムに対するサイバー攻撃の検知情報を受信した場合に、前記システムモデルに前記検知情報を反映させて、前記対処策を設計する
    請求項1に記載のサイバー攻撃対処支援システム。     The cyber attack response support system of claim 1, wherein the countermeasure design unit, when receiving detection information of a cyber attack against the target system, reflects the detection information in the system model and designs the countermeasure.
  3.  前記攻撃者プロファイルの前記攻撃目的は、前記システムモデルが出力する前記指標値の指標の中の1以上の指標である攻撃目的指標及びその目標値を含み、
     前記対処策設計部は、前記攻撃目的指標への影響を最大化する攻撃者の挙動を予測し、前記システムモデルを用いて、前記予測した挙動に対する前記対処策を決定する
    請求項1に記載のサイバー攻撃対処支援システム。     The attack purpose of the attacker profile includes an attack purpose index, which is one or more indexes among the index values output by the system model, and a target value thereof;
    The cyber attack response support system of claim 1, wherein the countermeasure design unit predicts the attacker's behavior that will maximize the impact on the attack purpose indicator, and uses the system model to determine the countermeasure for the predicted behavior.
  4.  前記防御者プロファイルの前記防御目的は、前記システムモデルが出力する前記指標値の指標の中の1以上の指標である防御目的指標及びその目標値を含み、
     前記対処策設計部は、前記防御目的指標への影響を最小化する防御者の挙動を予測し、前記システムモデルを用いて、前記予測した挙動に対する前記対処策を決定する
    請求項1に記載のサイバー攻撃対処支援システム。     The defense objective of the defender profile includes a defense objective indicator, which is one or more indicators among the indicator values output by the system model, and a target value thereof;
    The cyber attack response support system of claim 1, wherein the countermeasure design unit predicts the behavior of a defender that minimizes the impact on the defense objective index, and uses the system model to determine the countermeasure for the predicted behavior.
  5.  設計された前記対処策についての情報である対処策情報を表示させる表示部を更に備え、
     前記対処策情報は、
      前記対処策の内容と、対応する前記攻撃者プロファイルと前記防御者プロファイルとの情報と、前記対処策を実行した際の前記対象システムにおける性能に関する情報とを含む
    請求項1に記載のサイバー攻撃対処支援システム。     The device further includes a display unit that displays countermeasure information, which is information about the designed countermeasure,
    The countermeasure information is
    The cyber attack response support system of claim 1, comprising information on the content of the countermeasure, the corresponding attacker profile and defender profile, and information on the performance of the target system when the countermeasure is executed.
  6.  前記対処策情報の中から前記対象システムに適用する対処策の選択を受け付ける受付部と、
     前記受け付けた対処策を前記対象システムに適用する対処策実行部と、
    を備える
    請求項5に記載のサイバー攻撃対処支援システム。     a reception unit that receives a selection of a countermeasure to be applied to the target system from the countermeasure information;
    a countermeasure execution unit that applies the received countermeasure to the target system;
    The cyber attack response support system according to claim 5 .
  7.  前記表示部は、
      前記対処策についての統計情報を表示させる
    請求項5に記載のサイバー攻撃対処支援システム。     The display unit is
    The cyber-attack countermeasure support system according to claim 5, which displays statistical information regarding the countermeasures.
  8.  前記システムモデルは、前記対象システムを構成する情報機器のハードウェア、ソフトウェア、脆弱性情報、論理構成、物理構成、及び情報機器が正常に動作するための情報機器間の依存性情報に基づいて構成されている
    請求項1に記載のサイバー攻撃対処支援システム。     2. The cyber attack response support system of claim 1, wherein the system model is constructed based on the hardware, software, vulnerability information, logical configuration, physical configuration, and dependency information between information devices for the normal operation of the information devices of the target system.
  9.  前記表示部は、
      前記対象システムに対するサイバー攻撃の検知情報に基づいて、実際の攻撃者の挙動と、前記攻撃者プロファイルとの一致に関する統計情報を表示させる
    請求項5に記載のサイバー攻撃対処支援システム。     The display unit is
    The cyber attack response support system of claim 5, which displays statistical information regarding the match between actual attacker behavior and the attacker profile based on detection information of a cyber attack against the target system.
  10.  前記受付部は、
      設計された福栖の前記対処策の中から前記対象システムに適用する複数の対処策の選択を受け付け、
     受け付けた前記複数の対処策を実行した際の前記対象システムにおける性能に関する情報を算出する影響再評価部を更に備える
    請求項6に記載のサイバー攻撃対処支援システム。     The reception unit is
    Accepting a selection of a plurality of countermeasures to be applied to the target system from among the countermeasures designed by Fukusu;
    The cyber attack response support system according to claim 6 , further comprising an impact re-evaluation unit that calculates information regarding performance of the target system when the received countermeasures are executed.
  11.  前記対象システムに対するサイバー攻撃による検知情報を入力として、前記攻撃者プロファイルと前記防御者プロファイルとの組み合わせ毎の対処策を出力する防御者モデルを有し、
     前記対処策設計部は、前記防御者モデルにより、前記対処策を設計する
    請求項1に記載のサイバー攻撃対処支援システム。     a defender model that receives detection information of a cyber attack against the target system as an input and outputs a countermeasure for each combination of the attacker profile and the defender profile;
    The cyber attack response support system according to claim 1 , wherein the countermeasure design unit designs the countermeasure using the defender model.
  12.  それぞれの前記攻撃者プロファイルに基づいて行動する攻撃者エージェントと、それぞれの前記防御者プロファイルに基づいて行動する防御者エージェントとの最適行動を学習することにより、それぞれの組み合わせ毎に、前記対処策を出力する前記防御者モデルを作成する防御者モデル生成部を有する
    請求項11に記載のサイバー攻撃対処支援システム。     The cyber attack response support system according to claim 11, further comprising a defender model generation unit that creates the defender model that outputs the countermeasure for each combination by learning the optimal behavior of an attacker agent that acts based on each of the attacker profiles and a defender agent that acts based on each of the defender profiles.
  13.  所定の対象システムへのサイバー攻撃に対する対処策を設計するサイバー攻撃対処支援システムによるサイバー攻撃対処支援方法であって、
     サイバー攻撃を行う攻撃者の攻撃目的と攻撃手法とを含む、1以上の攻撃者プロファイルと、サイバー攻撃に対する防御を行う防御者の防御目的と防御手法とを含む、1以上の防御者プロファイルとを記憶し、
     前記対象システムの状態を再現し、前記対象システムの状態に対応する前記対象システムのパフォーマンスを示す1以上の指標の指標値を出力するシステムモデルを用いて、前記攻撃者プロファイルと、前記防御者プロファイルと組み合わせ毎に対処策を設計する
    サイバー攻撃対処支援方法。     A cyber-attack response support method by a cyber-attack response support system that designs countermeasures against a cyber-attack on a predetermined target system,
    storing one or more attacker profiles including an attack purpose and an attack method of an attacker who performs a cyber attack, and one or more defender profiles including a defense purpose and a defense method of a defender who performs defense against the cyber attack;
    A cyber attack response support method that uses a system model that reproduces the state of the target system and outputs index values of one or more indicators that indicate the performance of the target system corresponding to the state of the target system, and designs countermeasures for each combination of the attacker profile and the defender profile.
  14.  所定の対象システムへのサイバー攻撃に対する対処策を設計するコンピュータに実行させるサイバー攻撃対処支援プログラムであって、
     前記コンピュータを、
     サイバー攻撃を行う攻撃者の攻撃目的と攻撃手法とを含む、1以上の攻撃者プロファイルと、サイバー攻撃に対する防御を行う防御者の防御目的と防御手法とを含む、1以上の防御者プロファイルとを記憶する記憶部と、
     前記対象システムの状態を再現し、前記対象システムの状態に対応する前記対象システムのパフォーマンスを示す1以上の指標の指標値を出力するシステムモデルを用いて、前記攻撃者プロファイルと、前記防御者プロファイルと組み合わせ毎に対処策を設計する対処策設計部として機能させる
    サイバー攻撃対処支援プログラム。
     
     
          A cyber-attack response support program for causing a computer to execute a countermeasure against a cyber-attack on a predetermined target system,
    The computer,
    A storage unit that stores one or more attacker profiles including an attack purpose and an attack method of an attacker who conducts a cyber attack, and one or more defender profiles including a defense purpose and a defense method of a defender who defends against a cyber attack;
    A cyber attack response support program that functions as a countermeasure design unit that designs countermeasures for each combination of the attacker profile and the defender profile using a system model that reproduces the state of the target system and outputs index values of one or more indicators that indicate the performance of the target system corresponding to the state of the target system.
PCT/JP2023/029177 2022-10-11 2023-08-09 Cyber attack countermeasure assistance system, cyber attack countermeasure assistance method, and cyber attack countermeasure assistance program WO2024079972A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2022-163555 2022-10-11
JP2022163555A JP2024056559A (en) 2022-10-11 2022-10-11 Cyber attack countermeasure support system, cyber attack countermeasure support method, and cyber attack countermeasure support program

Publications (1)

Publication Number Publication Date
WO2024079972A1 true WO2024079972A1 (en) 2024-04-18

Family

ID=90669424

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2023/029177 WO2024079972A1 (en) 2022-10-11 2023-08-09 Cyber attack countermeasure assistance system, cyber attack countermeasure assistance method, and cyber attack countermeasure assistance program

Country Status (2)

Country Link
JP (1) JP2024056559A (en)
WO (1) WO2024079972A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011192105A (en) * 2010-03-16 2011-09-29 Mitsubishi Electric Information Systems Corp System for support of creating security countermeasure standard, program, and security countermeasure standard creation support method
JP2015130152A (en) * 2013-12-06 2015-07-16 三菱電機株式会社 Information processing device and program
US20180096153A1 (en) * 2015-03-04 2018-04-05 Secure-Nok As System and Method for Responding to a Cyber-Attack-Related Incident Against an Industrial Control System
JP2018137500A (en) * 2017-02-20 2018-08-30 日本電信電話株式会社 Security management plan design device, security management plan evaluation device, security management plan design method and security management plan evaluation method

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011192105A (en) * 2010-03-16 2011-09-29 Mitsubishi Electric Information Systems Corp System for support of creating security countermeasure standard, program, and security countermeasure standard creation support method
JP2015130152A (en) * 2013-12-06 2015-07-16 三菱電機株式会社 Information processing device and program
US20180096153A1 (en) * 2015-03-04 2018-04-05 Secure-Nok As System and Method for Responding to a Cyber-Attack-Related Incident Against an Industrial Control System
JP2018137500A (en) * 2017-02-20 2018-08-30 日本電信電話株式会社 Security management plan design device, security management plan evaluation device, security management plan design method and security management plan evaluation method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HU, H. ET AL.: "Optimal Decision Making Approach for Cyber Security Defense Using Evolutionary Game", IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, vol. 17, no. 3, September 2020 (2020-09-01), pages 1683 - 1700, XP011807745, DOI: 10.1109/TNSM.2020.2995713 *

Also Published As

Publication number Publication date
JP2024056559A (en) 2024-04-23

Similar Documents

Publication Publication Date Title
Alexander et al. MITRE ATT&CK for industrial control systems: Design and philosophy
Cook et al. The industrial control system cyber defence triage process
Orojloo et al. A game-theoretic approach to model and quantify the security of cyber-physical systems
Li et al. False sequential logic attack on SCADA system and its physical impact analysis
EP3063694B1 (en) Cyber defense
Zarreh et al. A game theory based cybersecurity assessment model for advanced manufacturing systems
Wu et al. Risk assessment method for cybersecurity of cyber-physical systems based on inter-dependency of vulnerabilities
Zhong et al. An efficient parallel reinforcement learning approach to cross-layer defense mechanism in industrial control systems
Hadar et al. Cyber digital twin simulator for automatic gathering and prioritization of security controls’ requirements
Ashley et al. Gamification of cybersecurity for workforce development in critical infrastructure
Zhou et al. Petri-net based attack time analysis in the context of chemical process security
Feng et al. Game theory in network security for digital twins in industry
Eid et al. IIoT network intrusion detection using machine learning
WO2024079972A1 (en) Cyber attack countermeasure assistance system, cyber attack countermeasure assistance method, and cyber attack countermeasure assistance program
Hankin Game theory and industrial control systems
Tsuji et al. 3-layer modelling method to improve the cyber resilience in Industrial Control Systems
Fielder et al. Modelling cost-effectiveness of defenses in industrial control systems
Boehmer Dynamic systems approach to analyzing event risks and behavioral risks with game theory
Trifonov et al. An adequate response to new Cyber Security challenges through Artificial Intelligence methods. Applications in Business and Economics
Smidts et al. Next-Generation Architecture and Autonomous Cyber-Defense
Abakumov et al. Combining Experimental and Analytical Methods for Penetration Testing of AI-Powered Robotic Systems.
Zhang et al. Quantitatively Assessing the Cyber-to-Physical Risk of Industrial Cyber-Physical Systems
Oruganti et al. The impact of network design interventions on the security of interdependent systems
Chockalingam et al. Influence Diagrams in Cyber Security: Conceptualization and Potential Applications
Ota Human Resource Development to Improve Organizational Resilience to Cyber Incidents

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23876981

Country of ref document: EP

Kind code of ref document: A1