WO2024079972A1 - Cyber attack countermeasure support system, method, and program - Google Patents

Cyber attack countermeasure support system, method, and program

Info

Publication number
WO2024079972A1
Authority
WO
WIPO (PCT)
Prior art keywords
countermeasure
defender
attack
attacker
cyber
Prior art date
Application number
PCT/JP2023/029177
Other languages
English (en)
Japanese (ja)
Inventor
大輔 辻
英光 納谷
浩通 遠藤
悠 田村
イェンス デーンホフ
倫宏 重本
Original Assignee
株式会社日立製作所
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 株式会社日立製作所
Publication of WO2024079972A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • the present invention relates to technology that helps respond to cyber attacks in systems that include information devices.
  • industrial control systems are composed of highly reliable information devices specialized for specific control processes, including PLCs (Programmable Logic Controllers) and HMIs (Human Machine Interfaces).
  • Industrial control systems play an important role in monitoring and controlling social infrastructure such as electricity, railways, water, and gas, as well as production facilities such as factories and plants. For this reason, it is important for industrial control systems to continue to operate stably (availability) even when abnormal situations occur.
  • an effective way to improve an organization's response capabilities is to deploy both an attacker group, consisting of experts who imitate attackers and launch attacks, and a defender group, consisting of experts (including the organization's security personnel) who thwart attacks, and to improve the defender group's decision-making and response capabilities through practical exercises involving both groups.
  • the attacker group repeat practical exercises, imitating attacker profiles consisting of multiple attack objectives and attack methods, based on actual APT attack cases.
  • the defender group can also change its defender profile, consisting of defensive objectives and defensive methods, depending on the situation, and repeat training under different conditions.
  • the attacker group is called the red team and the defender group is called the blue team, and strengthening the organizational structure for responding to cyber attacks through joint practical exercises by both teams is sometimes called purple teaming.
  • Patent Document 1 discloses a technology that, when a cyber attack is detected, presents the most appropriate countermeasure from among multiple predefined countermeasure templates, taking into account the impact of the countermeasure on the system's business.
  • With the technology of Patent Document 1, it is possible to automate support for decision-making and response measures from the perspective of a defender group when a cyber attack is detected. However, since the response is from the defender's perspective, it is not necessarily an appropriate response, and it is not possible to present countermeasures that anticipate the actions of an attacker.
  • the present invention was developed in consideration of the above circumstances, and its purpose is to provide technology that makes it possible to design appropriate countermeasures against cyber attacks.
  • one aspect of the cyber attack response support system is a cyber attack response support system that designs countermeasures against cyber attacks on a specified target system, and includes a storage unit that stores one or more attacker profiles including the attack objectives and attack methods of an attacker who carries out a cyber attack, and one or more defender profiles including the defense objectives and defense methods of a defender who defends against the cyber attack, and a countermeasure design unit that reproduces the state of the target system and designs countermeasures for each combination of the attacker profile and the defender profile using a system model that reproduces the state of the target system and outputs index values of one or more indexes that indicate the performance of the target system corresponding to the state of the target system.
  • the present invention makes it possible to design appropriate countermeasures against cyber attacks.
  • FIG. 1 is a functional block diagram of a cyber-attack response support system according to the first embodiment.
  • FIG. 2 is a diagram illustrating a system model according to the first embodiment.
  • FIG. 3 is a diagram illustrating a time series transition of production volume according to the first embodiment.
  • FIG. 4 is a diagram showing the configuration of an attacker profile according to the first embodiment.
  • FIG. 5 is a diagram showing the configuration of a defender profile according to the first embodiment.
  • FIG. 6 is a flowchart of a countermeasure design process according to the first embodiment.
  • FIG. 7 is a diagram showing a system configuration of a system model that reflects anomaly detection information according to the first embodiment.
  • FIG. 8 is a diagram for explaining prediction of an attacker's behavior with respect to the system model according to the first embodiment.
  • FIG. 9 is a diagram illustrating a prediction of a defender's behavior with respect to a system model according to the first embodiment.
  • FIG. 10 is a configuration diagram of a list of countermeasures according to the first embodiment.
  • FIG. 11 is a configuration diagram of statistical information of countermeasures according to the first embodiment.
  • FIG. 12 is a configuration diagram of information indicating the relationship between the observed attacker behavior and the match with the attacker profile according to the first embodiment.
  • FIG. 13 is a functional block diagram of a cyber-attack response support system according to the second embodiment.
  • FIG. 14 is a diagram showing the configuration of an output table of countermeasures according to the second embodiment.
  • FIG. 15 is a functional block diagram of a cyber-attack response support system according to the third embodiment.
  • FIG. 16 is a diagram illustrating a defender model according to the third embodiment.
  • FIG. 17 is a flowchart of the defender model generation process according to the third embodiment.
  • FIG. 1 is a functional block diagram of a cyber-attack response support system according to the first embodiment.
  • the cyber-attack response support system 1000 includes a cyber-attack response support device 10, an anomaly detection system 11, an input/output device 12, and an industrial control system 13.
  • the cyber-attack response support device 10 is configured, for example, as a computer equipped with a processor, memory, storage device, etc., and has a processing unit 110 and a storage unit 120.
  • the processing unit 110 is a functional unit that is realized by the processor executing a program (cyber-attack response support program) deployed in memory.
  • the processing unit 110 includes a countermeasure design unit 111, a countermeasure selection unit 112 as an example of a reception unit and display unit, and a countermeasure execution unit 113.
  • the memory unit 120 is composed of a storage device that stores data.
  • the storage device is, for example, a memory such as a RAM (Random Access Memory), a HDD (Hard Disk Drive), or an SSD (Solid State Drive).
  • the memory unit 120 may be constructed using an external storage medium such as an HDD or SSD that is independent of the cyber attack response support device 10.
  • the memory unit 120 stores a system model 121, one or more attacker profiles 122, and one or more defender profiles 123.
  • the anomaly detection system 11 is a system that detects anomalies in the industrial control system 13 (target system) and is composed of a Network-based Intrusion Detection System (NIDS), which detects signs of attack by monitoring network communications in real time, and a Host-based Intrusion Detection System (HIDS), which detects signs of attack using software running within a computer.
  • the input/output device 12 is a device that allows the user to interactively input and output data to the cyber-attack response support device 10, and is composed of a keyboard, mouse, display, etc.
  • the industrial control system 13 includes a plurality of information devices 130, a robot (not shown) controlled by the information devices 130, etc.
  • the plurality of information devices 130 includes computer devices such as PLCs and HMIs, and network devices such as switches and firewalls that connect and disconnect the network between the computer devices.
  • processing unit 110 and memory unit 120 will be described in detail.
  • When the countermeasure design unit 111 receives anomaly detection information of the target system transmitted from the anomaly detection system 11, it starts its operation, reads the system model 121, the attacker profile 122, and the defender profile 123 from the storage unit 120, and executes a process of designing countermeasures in the industrial control system 13.
  • the countermeasure selection unit 112 displays information on the designed countermeasures (countermeasure information) on the input/output device 12, and accepts designation of the countermeasure to be applied from the user via the input/output device 12.
  • the countermeasure execution unit 113 performs a process of applying the countermeasure accepted by the countermeasure selection unit 112 to the industrial control system 13 and executing it.
  • the system model 121 is a model that includes configuration information of information devices in the target system and can reproduce the target system by being executed by the processing unit 110.
  • the system model 121 also has a calculation function that quantifies the performance of the target system with one or more types of indexes depending on the state of the information devices.
  • the configuration information includes, for example, the hardware, software, vulnerability information, logical configuration, and physical configuration of the information devices, and the dependency information between information devices that is needed for the information devices to operate normally.
  • the configuration information also has attributes for expressing the state of the information devices, and it is possible to reflect anomaly detection information detected by the anomaly detection system 11 in the information devices.
  • FIG. 2 is a diagram illustrating the system model according to the first embodiment.
  • When status information 21 of information equipment 130 is input, system model 121 (strictly speaking, processing unit 110 using system model 121) outputs performance 23 of the target system quantified by one or more types of indexes.
  • status information 21 indicates that information equipment with identification name PLC1 is in normal operation, information equipment with identification name PLC2 is in DoS (Denial of Service) state, and information equipment with identification name HMI is in a state where the equipment operation mode has been changed.
  • system model 121 outputs, for example, an index representing the performance of the target system and its value, such as production volume of 50%, confidentiality protection rate of 20%, and safety risk avoidance rate of 80%.
  • safety risk avoidance rate indicates the percentage of avoidance of a state that poses a risk in terms of safety.
  • the system model 121 may, for example, calculate the percentage of information devices in a normal operating state as the production volume. For example, if 100 information devices are operating in the target system and 50 of the information devices are in a normal operating state, the production volume may be calculated as 50%. In this example, the system model 121 calculates a unique production volume based only on the state information 21 of the information devices at a certain time, regardless of the time series transition of the state of the information devices. Note that this is not limited to this, and for example, the production volume may be calculated taking into account the history effect regarding the time series transition of the state of the information devices.
  • FIG. 3 is a diagram illustrating the time series transition of production volume according to the first embodiment.
  • In FIG. 3, the horizontal axis represents time, and the vertical axis represents production volume.
  • all information devices are in a normal operating state from time 0 to t1, half of the information devices are in a normal operating state from time t1 to t2, and all information devices are in a normal operating state from time t2 onwards.
  • the production volume is 100% until time t1, is a continuously decreasing value from time t1 to t2, and is a continuously recovering value from time t2 onwards.
  • a confidentiality protection score may be set for each information device 130 in the industrial control system 13, and the ratio of the total scores of information devices 130 for which confidentiality protection is ensured to the total scores of all information devices 130 may be calculated.
  • a score for safety risk may be set for each information device 130 in the industrial control system 13, and the ratio of the total score of the information devices 130 for which safety risk has been avoided to the total score of all the information devices 130 may be calculated.
  • the calculations performed by the calculation function of the system model 121 are not limited to the above examples, and can be anything that can input information 21 about the status of the information device and output performance 23 of the target system quantified using one or more types of indices, and a different index may be used to calculate a certain index.
  • FIG. 4 is a diagram showing the configuration of an attacker profile according to the first embodiment.
  • the attacker profile 122 is information that defines the type of attacker that is assumed.
  • the attacker profile 122 is stored in the memory unit 120.
  • the memory unit 120 stores multiple (Ni) patterns of attacker profiles 122.
  • the attacker profile 122 includes an identifier, an identification name, an attack purpose, and an attack method.
  • the attacker profile 122 may also include identification information of an APT group that has a similar attack purpose and attack method.
  • In the identifier, information capable of uniquely identifying the attacker profile 122 is defined. For example, an integer value from 1 to Ni is assigned as the identifier.
  • In the identification name, a name that identifies the attacker profile 122 is defined. Note that in this embodiment, the identification name is also capable of uniquely identifying the attacker profile 122.
  • Attack methods are defined as specific attack methods that attackers can use, such as DoS and changing control parameters.
  • the attack objective defines the percentage (target value) of one or more indicators (attack objective indicators) that are considered important when carrying out an attack. This means that the attacker aims to maximize the change in this indicator.
  • the attack objective is defined as "production volume (100%)", which means that the attack objective aims only to affect production volume. This means that the attacker of attacker profile 122-1 does not aim to affect other indicators such as confidentiality protection rate or safety risk avoidance rate.
  • attack objective is defined as "production volume (30%), confidentiality protection rate (40%), safety risk avoidance rate (30%)," which means that the objective is to affect production volume, confidentiality protection rate, and safety risk avoidance rate in a ratio of 3:4:3.
  • the cumulative amount represented by the area of the shaded area in the figure can be used as the impact on the production volume, or the maximum instantaneous change can be used.
  • the influence on production volume, confidentiality protection rate, and safety risk avoidance rate will be represented as X, Y, and Z, respectively.
  • the objective is to maximize 1X
  • the objective is to maximize 0.3X + 0.4Y + 0.3Z.
  • FIG. 5 is a diagram showing the configuration of a defender profile according to the first embodiment.
  • the defender profile 123 is information that defines the type of defender that is assumed.
  • the defender profile 123 is stored in the memory unit 120.
  • the memory unit 120 stores multiple (Nj) patterns of defender profiles 123.
  • the defender profile 123 includes an identifier, an identification name, a defense purpose, and a defense method.
  • In the identifier, information capable of uniquely identifying the defender profile 123 is defined. For example, an integer value from 1 to Nj is assigned as the identifier.
  • In the identification name, a name that identifies the defender profile 123 is defined. Note that in this embodiment, the identification name is also capable of uniquely identifying the defender profile 123.
  • Defensive methods define specific defensive techniques that defenders can use, such as changing the operating mode of a device or shutting down the device.
  • the defense objective defines the ratio (target value) of one or more indicators (defense objective indicators) that are considered important when implementing defense. This means that the defender aims to minimize the change in this indicator. For example, in the defender profile 123-1, whose identification name is safety risk avoidance rate specialization, the defense objective is defined as "safety risk avoidance rate (100%)", and therefore the defender of the defender profile 123-1 aims to minimize 1Z.
  • the defense objectives are defined as "production volume (10%), confidentiality protection rate (70%), safety risk avoidance rate (20%)" and the objective is to minimize 0.1X + 0.7Y + 0.2Z.
  • If the attack purpose of the attacker profile 122 and the defense purpose of the defender profile 123 are the same, it means that they are trying to achieve completely opposite goals. Note that it is not necessary for the attack purpose of the attacker profile 122 and the defense purpose of the defender profile 123 to be the same.
  • FIG. 6 is a flowchart of the countermeasure design process according to the first embodiment.
  • the countermeasure design process is executed when the countermeasure design unit 111 of the cyber-attack countermeasure support device 10 receives anomaly detection information about the target system (industrial control system 13) from the anomaly detection system 11.
  • the countermeasure design unit 111 reads the system model 121 from the memory unit 120 and reflects the state corresponding to the received abnormality detection information in the system model 121 (S61).
  • FIG. 7 is a diagram showing the system configuration of a system model that reflects anomaly detection information according to the first embodiment.
  • the industrial control system 13 includes, as information devices 130, a monitoring terminal connected via a network, control server 1, control server 2, PLC 1, PLC 2, and an HMI, and the anomaly detection information includes information that an abnormal intrusion has been detected in the monitoring terminal.
  • In step S61, as shown in FIG. 7, the attribute representing the state of the monitoring terminal in the system model 121 is set to "unauthorized intrusion."
  • the countermeasure design unit 111 defines integer variables i and j and sets their values to 1 (S62).
  • the countermeasure design unit 111 reads the attacker profile 122 with identifier i and the defender profile 123 with identifier j from the storage unit 120 (S63).
  • the countermeasure design unit 111 uses the system model 121 to predict the behavior of the attacker based on the loaded attacker profile 122. Note that the attacker's behavior changes depending on the loaded attacker profile 122 because the attacker's purpose and attack method differ.
  • FIG. 8 is a diagram illustrating the prediction of an attacker's behavior against the system model according to the first embodiment.
  • the attacker's behavior predicted from the production volume-specialized attacker profile 122-1 is that an attacker who has illegally intruded into a monitoring terminal will then attack the control server 1 using a "control parameter change" attack method, and finally attack the PLC 1 using a "DoS" attack method.
  • the attack method is selected from the attack methods defined in the attacker profile 122-1.
  • the attacker's behavior is derived so as to maximize the impact on the target system, represented by 1X, which corresponds to the purpose of the attack.
  • the attacker's behavior predicted from the balanced attacker profile 122-2 is, for example, that an attacker who has illegally invaded a monitoring terminal will then attack the control server 2 using the "control tag information collection" attack method, and finally attack the HMI using the "alarm setting change" attack method.
  • This attacker's behavior is derived so as to maximize the impact on the target system, which is represented by 0.3X + 0.4Y + 0.3Z, which corresponds to the purpose of the attack.
  • the countermeasure design unit 111 uses the system model 121 to derive optimal countermeasures based on the attacker's behavior and the defender profile 123 (S63).
  • FIG. 9 is a diagram illustrating the prediction of the defender's behavior for the system model according to the first embodiment.
  • the behavior of the defender predicted from the safety risk avoidance rate specialized defender profile 123-1 is derived, as the optimal countermeasure, to be defending PLC1 using the defense method of "stopping equipment."
  • the defense method is selected from among the defense methods in the defender profile 123-1.
  • the behavior of this defender is derived to minimize the impact on the target system represented by 1Z, which corresponds to the defense objective.
  • the behavior of the defender predicted from the confidentiality protection rate-oriented defender profile 123-2 is derived, as the optimal countermeasure, to be, for example, defending the control server 1 using the defense method of "changing access control settings."
  • This defender's behavior is derived to minimize the impact on the target system, which is represented by 0.1X + 0.7Y + 0.2Z, which corresponds to the defense objective.
  • the countermeasure design unit 111 compares the variable i with Ni and determines whether the variable i is less than Ni (S66). As a result, if the variable i is less than Ni (S66: Y), this means that countermeasures have not been derived for all attacker profiles 122 for one defender profile 123, so the countermeasure design unit 111 adds 1 to the variable i (S67) and proceeds to step S63.
  • In step S68, the countermeasure design unit 111 compares the variable j with Nj and determines whether the variable j is less than Nj. As a result, if the variable j is less than Nj (S68: Y), this means that countermeasures have not been derived for all attacker profiles 122 for all defender profiles 123, so the countermeasure design unit 111 sets the variable i to 1, adds 1 to the variable j (S69), and proceeds to step S63.
  • the countermeasure design unit 111 outputs the derived countermeasures of the Ni × Nj patterns to the countermeasure selection unit 112 and ends the process.
  • This countermeasure design process allows a joint practical exercise between an attacker group and a defender group, which would be difficult to implement in an actual industrial control system 13, to be carried out virtually on the system model 121 for Ni × Nj patterns, and allows countermeasures to be derived for each pattern.
  • the countermeasure selection unit 112 displays on the input/output device 12 a list 100 (see FIG. 10) of countermeasures for the Ni × Nj patterns designed and output by the countermeasure design unit 111, and accepts from the user a selection of the countermeasure to be actually applied to the industrial control system 13. The user can compare the countermeasures by referring to the list displayed on the input/output device 12 connected to the countermeasure selection unit 112, and select the optimal countermeasure.
  • FIG. 10 is a diagram showing a list of countermeasures according to the first embodiment.
  • List 100 is a table that displays countermeasures for Ni × Nj patterns, and includes entries corresponding to each countermeasure for the Ni × Nj patterns.
  • the entries in list 100 include fields for countermeasure 101, defender profile 102, attacker profile 103, and performance 104.
  • In countermeasure 101, the countermeasure corresponding to the entry is displayed.
  • the content of the countermeasure is written before the symbol @, and the identification name of the information device 130 for which the countermeasure is to be taken is written after the symbol @.
  • the defender profile 102 displays information (e.g., an identification name) that can identify the defender profile 123 from which the countermeasure corresponding to the entry was derived.
  • details of the defender profile 123 are displayed as shown in FIG. 5.
  • the attacker profile 103 displays information (e.g., an identification name) that can identify the attacker profile 122 from which the countermeasure corresponding to the entry has been derived.
  • details of the attacker profile 122 are displayed as shown in FIG. 4.
  • Performance 104 displays index values for one or more indicators that indicate performance.
  • Performance 104 includes fields such as production volume 104A, confidentiality protection rate 104B, and safety risk avoidance rate 104C.
  • Production volume 104A displays the production volume when the countermeasure corresponding to the entry is implemented.
  • Confidentiality protection rate 104B displays the confidentiality protection rate when the countermeasure corresponding to the entry is implemented.
  • Safety risk avoidance rate 104C displays the safety risk avoidance rate when the countermeasure corresponding to the entry is implemented.
  • the user can select the countermeasure to be actually applied to the industrial control system 13 from the list 100 via the input/output device 12, taking into consideration the assumed type of attacker, management priority, impact on the target system, etc.
  • the correspondence between the countermeasure and the cost and speed required to apply the countermeasure may be stored in the storage unit 120, and the countermeasure selection unit 112 may display the cost and speed required to apply the countermeasure in the list 100 in association with the countermeasure.
  • the countermeasure selection unit 112 displays statistical information regarding the derived countermeasures.
  • FIG. 11 is a configuration diagram of statistical information on countermeasures in the first embodiment.
  • the statistical information is, for example, information regarding the percentage of overlap between each countermeasure among all countermeasures.
  • the overlap rate of each countermeasure is represented by a pie chart. This statistical information makes it easy to identify countermeasures with a high overlap rate, i.e., countermeasures that are considered to be recommended.
  • the countermeasure execution unit 113 controls the application of the countermeasure selected by the user to the information device 130. Specifically, the countermeasure execution unit 113 transmits a communication command to cause the information device 130 to execute the countermeasure.
  • the countermeasure selection unit 112 may continuously observe the anomaly detection information received from the anomaly detection system 11 and display information on the degree of match between the actually observed attacker behavior and the attacker profile.
  • FIG. 12 is a diagram showing the structure of information indicating the relationship between observed attacker behavior and a match with an attacker profile in the first embodiment.
  • FIG. 13 is a functional block diagram of the cyber-attack response support system according to the second embodiment. Note that in the cyber-attack response support system 1100 according to the second embodiment, components similar to those in the cyber-attack response support system 1000 according to the first embodiment are designated by the same reference numerals.
  • the cyber attack response support system 1100 includes a new impact reassessment unit 114 in the processing unit 110.
  • the impact re-evaluation unit 114 starts operation based on a request from the countermeasure selection unit 112, reads the system model 121 and the attacker profile 122 and defender profile 123 corresponding to the selected countermeasure from the storage unit 120, and performs processing to evaluate the performance of the industrial control system 13.
  • the countermeasure selection unit 112 can accept multiple countermeasures from the user. When multiple countermeasures are accepted, the countermeasure selection unit 112 requests the impact reassessment unit 114 to evaluate the impact on the target system when the multiple countermeasures are executed simultaneously, and displays the evaluation results from the impact reassessment unit 114 as an output table 1400 (see FIG. 14).
  • the processing operations up to outputting the list 100 of countermeasures for Ni × Nj patterns in the cyber-attack response support system 1100 are the same as those in the cyber-attack response support system 1000 of the first embodiment.
  • the countermeasure selection unit 112 requests the impact reassessment unit 114 to evaluate the impact on the target system when the selected countermeasures are executed simultaneously.
  • When the impact re-evaluation unit 114 receives a request from the countermeasure selection unit 112, it reads the system model 121 and the attacker profile 122 and defender profile 123 corresponding to the selected countermeasures from the storage unit 120, and updates the state of the information device 130 in the system model 121 to a state corresponding to the selected countermeasures. Next, the impact re-evaluation unit 114 uses the calculation function of the system model 121 to quantify the performance of the target system using one or more indicators, and returns the result to the countermeasure selection unit 112.
  • the countermeasure selection unit 112 creates an output table 1400 based on the results from the impact reevaluation unit 114, and displays the output table 1400 on the input/output device 12. The user can refer to this output table 1400 to determine whether or not it is acceptable to apply multiple countermeasures simultaneously.
  • FIG. 14 is a diagram showing the configuration of an output table for countermeasures according to the second embodiment.
  • Output table 1400 is a table that displays information about the impact when multiple selected countermeasures are executed simultaneously.
  • Output table 1400 includes fields for countermeasure 1401, defender profile 1402, attacker profile 1403, and performance 1404.
  • The countermeasure 1401 field displays the multiple selected countermeasures.
  • the countermeasures are "Stop device @PLC1" and "Change device operation mode @HMI."
  • the defender profile 1402 displays information (e.g., an identification name) that can identify the defender profile 123 from which each countermeasure was derived.
  • the attacker profile 1403 displays information (e.g., an identification name) that can identify the attacker profile 122 from which each countermeasure was derived.
  • Performance 1404 displays index values for one or more indicators that indicate the performance of the target system when multiple countermeasures are implemented simultaneously.
  • Performance 1404 includes fields such as production volume 1404A, confidentiality protection rate 1404B, and safety risk avoidance rate 1404C.
  • Production volume 1404A displays the production volume when multiple countermeasures are implemented.
  • Confidentiality protection rate 1404B displays the confidentiality protection rate when multiple countermeasures are implemented.
  • Safety risk avoidance rate 1404C displays the safety risk avoidance rate when multiple countermeasures are implemented.
  • the user can refer to the output table 1400 to determine whether or not to execute multiple countermeasures simultaneously.
  • When the countermeasure selection unit 112 receives an instruction from the user to execute multiple countermeasures, it notifies the countermeasure execution unit 113 of this, and the countermeasure execution unit 113 controls the application of the notified multiple countermeasures to the information device 130.
  • FIG. 15 is a functional block diagram of a cyber-attack response support system according to the third embodiment. Note that in the cyber-attack response support system 1200 according to the third embodiment, components similar to those in the cyber-attack response support system 1000 according to the first embodiment are designated by the same reference numerals.
  • the cyber-attack response support system 1200 is equipped with a new defender model generation unit 115 in the processing unit 110, some of the processing operations of the countermeasure design unit 116 are changed, and a new defender model 124 is stored in the memory unit 120.
  • When the anomaly detection system 11 detects an anomaly, it predicts the attacker's behavior based on the attacker profile, and then derives the defender's behavior, including the optimal countermeasure, based on the defender profile.
  • When the anomaly detection system 11 detects an anomaly in the target system, it derives the optimal countermeasure without taking the step of predicting the attacker's behavior.
  • the defender model generation unit 115 reads the system model 121, attacker profile 122, and defender profile 123, and generates a defender model 124 that can input a system model that reflects the anomaly detection information of the anomaly detection system 11 and output countermeasures.
  • the process of generating the defender model 124 by the defender model generation unit 115 (defender model generation process: see Figure 17) is executed at a stage before the anomaly detection system 11 detects an anomaly.
  • One possible method of generating the defender model 124 is to utilize multi-agent reinforcement learning. When utilizing multi-agent reinforcement learning, the defender model generation unit 115 learns the defender model 124, and the countermeasure design unit 111 executes the defender model.
  • FIG. 16 is a diagram explaining the defender model according to the third embodiment.
  • the defender model 124 has a calculation function that inputs a system model 1601 that reflects the anomaly detection information of the anomaly detection system 11, for example, a system model 1601 that is represented by the state of the information devices 130 that make up the target system, and outputs an optimal countermeasure 1603 for the state of the information devices that make up the target system.
  • FIG. 17 is a flowchart of the defender model generation process according to the third embodiment.
  • FIG. 17 shows the defender model generation process that generates a defender model using multi-agent reinforcement learning.
  • the defender model generation unit 115 sets variables i and j to 1 (S1701). Next, the defender model generation unit 115 reads the system model 121, the attacker profile 122 of identifier i, and the defender profile 123 of identifier j from the storage unit 120 (S1702).
  • the defender model generation unit 115 learns optimal behavior by operating an agent simulating an attacker (attacker agent) and an agent simulating a defender (defender agent) in the system model 121 as an environment (S1703).
  • the actions that the attacker agent can execute are defined by the attacking methods in the attacker profile 122, and the reward that the attacker agent receives is determined by the attack objective in the attacker profile 122.
  • the reward that the attacker agent receives is determined according to the amount of change in the indicator defined in the attack objective.
  • an attacker agent generated based on the attacker profile 122-2 may receive a reward that increases with an increase in 0.3X + 0.4Y + 0.3Z.
  • the actions that the defender agent can execute are stipulated by the defense methods of the defender profile 123, and the reward that the defender agent receives is determined by the defense objectives of the defender profile 123.
  • the reward that the defender agent receives is determined according to the amount of change in the indicators defined in the defense objectives.
  • a defender agent generated based on the defender profile 123-2, whose identification name in FIG. 5 is "confidentiality protection rate-oriented," may receive a reward that increases with a decrease in 0.1X + 0.7Y + 0.2Z.
  • the defender model generation unit 115 stores the defender agent that has completed the multi-agent reinforcement learning and is capable of outputting optimal behavior according to the state of the information device in the system model 121 in the storage unit 120 as the defender model 124 (S1704).
  • the defender model generation unit 115 compares the variable i with Ni and determines whether the variable i is greater than Ni (S1705). As a result, if the variable i is not greater than Ni (S1705: N), this means that a defender model has not been created by performing multi-agent reinforcement learning on all attacker profiles 122 for one defender profile 123, so the defender model generation unit 115 adds 1 to the variable i (S1706) and proceeds to step S1702.
  • variable i is greater than Ni (S1705: Y)
  • In step S1707, the defender model generation unit 115 compares the variable j with Nj and determines whether the variable j is greater than Nj. If the result is that the variable j is not greater than Nj (S1707: N), this means that a defender model has not been created by performing multi-agent reinforcement learning on all attacker profiles 122 for all defender profiles 123, so the defender model generation unit 115 sets the variable i to 1 and adds 1 to the variable j (S1708), and proceeds to step S1702.
  • variable j is greater than Nj (S1707: Y)
  • the countermeasure design process is executed by activating the countermeasure design unit 116 when the cyber-attack response support device 10 receives anomaly detection information about the target system (industrial control system 13) from the anomaly detection system 11.
  • the countermeasure design unit 116 reads the system model 121 and the defender model 124 from the storage unit 120, reflects the state corresponding to the received abnormality detection information in the system model 121, inputs the state of the information device in the system model 121 reflecting the abnormality detection information to each of the defender models 124 of the Ni × Nj patterns, calculates the countermeasures of the Ni × Nj patterns using each defender model 124, and outputs the calculated countermeasures of the Ni × Nj patterns to the countermeasure selection unit 112.
  • With this countermeasure design process, a joint practical exercise between an attacker group and a defender group, which is difficult to implement in an actual industrial control system 13, can be virtually implemented using the system model 121 to derive each countermeasure.
  • the processes executed by the countermeasure selection unit 112 and the countermeasure execution unit 113 thereafter are similar to those of the cyber attack response support system 1000 according to the first embodiment.
  • With the cyber attack response support system 1200 of this embodiment, after the anomaly detection system 11 detects an anomaly, there is no need to take the step of predicting the attacker's behavior, and countermeasures can be derived using the defender models 124 of the Ni × Nj patterns that have been generated in advance for each combination of the attacker profile and the defender profile. Therefore, when a cyber attack occurs, countermeasures can be quickly presented to the user.
  • an industrial control system 13 is the target, but the present invention is not limited to this and can be applied to general information systems.
  • the anomaly detection system 11 is provided outside the industrial control system 13, but the present invention is not limited to this, and the anomaly detection system 11 may be provided within the industrial control system 13.
  • the processing performed by the processor may be performed by a hardware circuit.
  • the program in the above embodiment may be installed from a program source.
  • the program source may be a program distribution server or a recording medium (e.g., a portable recording medium).
  • 10...cyber attack response support device, 11...anomaly detection system, 12...input/output device, 13...industrial control system, 110...processing unit, 111, 116...countermeasure design unit, 112...countermeasure selection unit, 113...countermeasure execution unit, 114...impact reevaluation unit, 115...defender model generation unit, 120...storage unit, 121...system model, 122...attacker profile, 123...defender profile, 124...defender model, 1000, 1100, 1200...cyber attack response support system
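
The advance generation of one defender model per attacker/defender profile pair (FIG. 17, S1701 to S1708) and the lookup at detection time in the third embodiment can be illustrated in Python. This is an added example, not code from the patent: it substitutes an exhaustive best-response search for multi-agent reinforcement learning so that the result is deterministic. The two-device system model, the attack method names, the "No action" option, the damage values, and the reading of X, Y, Z as production loss, confidentiality loss and safety risk are assumptions.

```python
from itertools import product

STOP, MODE, NONE = "Stop device @PLC1", "Change device operation mode @HMI", "No action"
STATES = ("HMI", "PLC1")  # device on which the anomaly was detected (constructed)

# Constructed profiles. Only the weight vectors (0.3, 0.4, 0.3) and (0.1, 0.7, 0.2)
# appear in the text; the methods and the other weights are assumptions.
ATTACKERS = {1: {"methods": ["tamper_setpoint"], "w": (0.6, 0.0, 0.4)},
             2: {"methods": ["tamper_setpoint", "exfiltrate_data"], "w": (0.3, 0.4, 0.3)}}
DEFENDERS = {1: {"methods": [NONE, STOP, MODE], "w": (0.7, 0.1, 0.2)},
             2: {"methods": [NONE, STOP, MODE], "w": (0.1, 0.7, 0.2)}}

def system_model(state, countermeasure, attack):
    """Toy calculation function returning damage indicators (X, Y, Z), assumed to be
    production loss, confidentiality loss and safety risk, each in [0, 1]."""
    x = {NONE: 0.0, STOP: 0.8, MODE: 0.1}[countermeasure]  # cost of the countermeasure itself
    y = z = 0.0
    # Stopping PLC1 blocks both attacks; the HMI mode change only blocks
    # setpoint tampering that is launched from the HMI.
    blocked = countermeasure == STOP or (
        countermeasure == MODE and attack == "tamper_setpoint" and state == "HMI")
    if not blocked:
        if attack == "tamper_setpoint":
            x, z = x + 0.5, 0.9
        else:
            y = 0.8
    return (x, y, z)

def score(weights, indicators):
    """Weighted sum of the indicators, e.g. 0.3X + 0.4Y + 0.3Z."""
    return sum(w * v for w, v in zip(weights, indicators))

def train_defender(attacker, defender):
    """Stand-in for S1703: for every state, pick the defense that minimises the
    defender's weighted damage when the attacker answers with its best attack."""
    model = {}
    for state in STATES:
        def outcome(cm):
            replies = [system_model(state, cm, a) for a in attacker["methods"]]
            return max(replies, key=lambda ind: score(attacker["w"], ind))
        model[state] = min(defender["methods"],
                           key=lambda cm: score(defender["w"], outcome(cm)))
    return model

def generate_defender_models():
    """S1701 to S1708: one defender model per (attacker i, defender j) pair."""
    return {(i, j): train_defender(ATTACKERS[i], DEFENDERS[j])
            for j, i in product(DEFENDERS, ATTACKERS)}

def design_countermeasures(models, detected_state):
    """Detection time: query each pre-built model; no attacker prediction step."""
    return {pair: model[detected_state] for pair, model in models.items()}

MODELS = generate_defender_models()  # built before any anomaly is detected
```

For an anomaly on the HMI, only the pair of attacker 2 and the confidentiality-oriented defender 2 selects "Stop device @PLC1"; the other three pairs select the HMI mode change.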

Abstract

In the present invention, an appropriate countermeasure against a cyber attack can be designed. A cyber-attack countermeasure support system (1000) for designing a countermeasure against a cyber attack on a given target system comprises: a storage unit (120) for storing at least one attacker profile (122) including an attack objective and an attack technique of an attacker carrying out a cyber attack, and at least one defender profile (123) including a defense objective and a defense technique of a defender defending against a cyber attack; and a countermeasure design unit (111) for designing a countermeasure for each combination of the attacker profile (122) and the defender profile (123), using a system model (121) that reproduces the state of the target system and outputs the value of at least one indicator that indicates the performance of the target system and corresponds to the state of the target system.
PCT/JP2023/029177 2022-10-11 2023-08-09 System, method and program for supporting countermeasures against cyber attacks WO2024079972A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2022-163555 2022-10-11
JP2022163555A JP2024056559A (ja) 2022-10-11 2022-10-11 Cyber attack response support system, cyber attack response support method, and cyber attack response support program

Publications (1)

Publication Number Publication Date
WO2024079972A1 true WO2024079972A1 (fr) 2024-04-18

Family

ID=90669424

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2023/029177 WO2024079972A1 (fr) 2022-10-11 2023-08-09 System, method and program for supporting countermeasures against cyber attacks

Country Status (2)

Country Link
JP (1) JP2024056559A (fr)
WO (1) WO2024079972A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2011192105A (ja) * 2010-03-16 2011-09-29 Mitsubishi Electric Information Systems Corp Security measure standard creation support system and program, and security measure standard creation support method
JP2015130152A (ja) * 2013-12-06 2015-07-16 三菱電機株式会社 Information processing device and program
US20180096153A1 (en) * 2015-03-04 2018-04-05 Secure-Nok As System and Method for Responding to a Cyber-Attack-Related Incident Against an Industrial Control System
JP2018137500A (ja) * 2017-02-20 2018-08-30 日本電信電話株式会社 Security countermeasure plan design device, security countermeasure plan evaluation device, security countermeasure plan design method, and security countermeasure plan evaluation method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
HU, H. ET AL.: "Optimal Decision Making Approach for Cyber Security Defense Using Evolutionary Game", IEEE TRANSACTIONS ON NETWORK AND SERVICE MANAGEMENT, vol. 17, no. 3, September 2020 (2020-09-01), pages 1683 - 1700, XP011807745, DOI: 10.1109/TNSM.2020.2995713 *

Also Published As

Publication number Publication date
JP2024056559A (ja) 2024-04-23

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 23876981

Country of ref document: EP

Kind code of ref document: A1