WO2018163274A1 - Risk analysis device, method and program - Google Patents
- Publication number
- WO2018163274A1 (PCT/JP2017/008945)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- possibility
- threat
- occurrence
- risk
- unit
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- G—PHYSICS
- G06—COMPUTING OR CALCULATING; COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
Definitions
- This invention relates to a technique for analyzing system security risk.
- A security threat (hereinafter referred to as a threat) that requires countermeasures in components such as a server, a terminal, and a communication path constituting the analysis target system is clarified.
- Threats to the components of the analysis target system are identified.
- The possibility of occurrence of the threat and the impact of the occurrence of the threat are set.
- The impact of the occurrence of a threat is represented by the asset value of the component where the threat occurs.
- The risk value of the identified threat is derived from the set possibility of occurrence and the impact of the threat occurrence, and measures are taken against high-risk threats.
- Patent Document 1 describes that the possibility of occurrence of a threat is manually set. Further, Patent Document 2 describes that the possibility of occurrence of a threat is set to a preset fixed value.
- In Patent Document 1, since the possibility of occurrence of a threat is set manually, the man-hours for analysis increase and human error occurs. In Patent Document 2, since a preset fixed value is used as the possibility of occurrence of a threat, the possibility of occurrence does not become an appropriate value and the risk value of the threat cannot be calculated accurately. As a result, the methods of Patent Documents 1 and 2 may eventually lead to excessive or insufficient measures.
- An object of the present invention is to enable appropriate analysis of security risks of a system to be analyzed.
- The risk analysis apparatus includes: a possibility identifying unit that identifies the possibility of occurrence of a threat that may occur in the analysis target system according to the security measures implemented for the component that is the location where the threat occurs; and a risk value calculation unit that calculates a risk value indicating the magnitude of the risk with respect to the threat of the analysis target system from the possibility of occurrence identified by the possibility identifying unit.
- The possibility of occurrence is identified according to the security measures implemented for the component that is the location where the threat occurs. This makes it possible to appropriately analyze the security risk of the analysis target system.
- FIG. 1 is a configuration diagram of a risk analysis device 10 according to Embodiment 1.
- FIG. 2 is a configuration diagram of an analysis target system 50 used for explanation in the first embodiment.
- FIG. 3 is a flowchart of the overall operation of the risk analysis apparatus 10 according to the first embodiment.
- FIG. 5 is a diagram showing possibility setting information 312 according to the first embodiment.
- FIG. 5 shows configuration information 322 according to the first embodiment.
- FIG. Flowchart of the possibility identifying process of step S3 according to Embodiment 1.
- FIG. Diagram showing the possibility information 323 according to Embodiment 1.
- FIG. Diagram showing the risk analysis information 324 according to Embodiment 1.
- FIG. 1 Configuration diagram of the risk analysis apparatus 10 according to Modification 2.
- FIG. Configuration diagram of the risk analysis apparatus 10 according to Embodiment 2.
- FIG. Diagram showing the connection destination information 325 according to Embodiment 2.
- FIG. Diagram showing the communication control information 326 according to Embodiment 2.
- FIG. Flowchart of the possibility identifying process of step S3 according to Embodiment 2.
- FIG. Diagram showing the threat extraction result 321 according to Embodiment 2.
- FIG. Diagram showing the possibility setting information 312 according to Embodiment 2.
- FIG. Flowchart of the communication control determination process of step S25 according to Embodiment 2.
- FIG. Diagram showing the possibility information 323 according to Embodiment 2.
- FIG. 1 Flowchart of the possibility identifying process of step S3 according to Embodiment 2.
- FIG. Diagram showing the threat extraction result 321 according to Embodiment 2.
- FIG. The
- FIG. 4 is a configuration diagram of a risk analysis apparatus 10 according to a third embodiment.
- FIG. 10 is a flowchart of possibility specifying processing in step S3 according to the third embodiment.
- FIG. The figure which shows the possibility setting information 312 which concerns on Embodiment 3.
- FIG. 10 shows configuration information 322 according to the third embodiment.
- Embodiment 1. *** Description of configuration *** With reference to FIG. 1, the configuration of the risk analysis apparatus 10 according to Embodiment 1 is described.
- The risk analysis apparatus 10 is a computer.
- The risk analysis apparatus 10 includes the following hardware: a processor 11, a memory 12, a storage 13, and a communication interface 14.
- The processor 11 is connected to the other hardware via signal lines and controls the other hardware.
- The processor 11 is an IC (Integrated Circuit) that performs processing, and is a device that controls the entire risk analysis apparatus 10.
- Specific examples of the processor 11 are a CPU (Central Processing Unit), a DSP (Digital Signal Processor), and a GPU (Graphics Processing Unit).
- The memory 12 is a storage device that temporarily stores data.
- The memory 12 is an SRAM (Static Random Access Memory) or a DRAM (Dynamic Random Access Memory).
- The storage 13 is a storage device that stores data.
- The storage 13 is an HDD (Hard Disk Drive) or an SSD (Solid State Drive).
- The storage 13 may be a portable storage medium such as an SD (registered trademark, Secure Digital) memory card, CF (CompactFlash), NAND flash, flexible disk, optical disk, compact disk, Blu-ray (registered trademark) disk, or DVD (Digital Versatile Disk).
- The communication interface 14 is an interface for communicating with external devices such as an input device and a display device.
- The communication interface 14 is a port of Ethernet (registered trademark), USB (Universal Serial Bus), or HDMI (registered trademark, High-Definition Multimedia Interface).
- The risk analysis apparatus 10 includes an information acquisition unit 21, a threat extraction unit 22, a possibility identification unit 23, and a risk value calculation unit 24 as functional components.
- The possibility identifying unit 23 includes a rule extracting unit 25 and a condition determining unit 26.
- The functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identification unit 23, the risk value calculation unit 24, the rule extraction unit 25, and the condition determination unit 26 are realized by software.
- The storage 13 stores programs that realize the functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identification unit 23, the risk value calculation unit 24, the rule extraction unit 25, and the condition determination unit 26.
- These programs are read into the memory 12 by the processor 11 and executed by the processor 11. Thereby, the functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identification unit 23, the risk value calculation unit 24, the rule extraction unit 25, and the condition determination unit 26 are realized.
- The storage 13 realizes the functions of the common information storage unit 31 and the analysis target storage unit 32.
- The common information storage unit 31 stores threat data 311 and possibility setting information 312.
- The analysis target storage unit 32 stores a threat extraction result 321, configuration information 322, occurrence possibility information 323, and risk analysis information 324.
- The risk analysis apparatus 10 may include a plurality of processors that replace the processor 11.
- The plurality of processors share execution of functional components included in the operating system 20.
- Each processor is an IC that performs processing in the same manner as the processor 11.
- The analysis target system 50 includes a server_01, a server_02, a firewall FW_01, a network NW_01, a network NW_02, a network NW_03, an external network, a terminal_01, and a terminal_02.
- Server_01 is connected to server_02 via NW_01, connected to FW_01 via NW_02, and connected to terminal_01 and terminal_02 via NW_03.
- Server_01 is connected to the outside via FW_01 and the external network.
- FW_01 performs communication control so that data from server_01 to the external network passes but data from the external network to server_01 does not pass.
- The operation of the risk analysis apparatus 10 according to the first embodiment corresponds to the risk analysis method according to the first embodiment.
- The operation of the risk analysis apparatus 10 according to the first embodiment also corresponds to the processing of the risk analysis program according to the first embodiment.
- Step S1 in FIG. 3: Information acquisition process
- The information acquisition unit 21 acquires the possibility setting information 312 and the configuration information 322 via the communication interface 14.
- The information acquisition unit 21 writes the possibility setting information 312 to the common information storage unit 31 and the configuration information 322 to the analysis target storage unit 32.
- The possibility setting information 312 is information in which the possibility of occurrence is defined for each combination of the identifier of the threat and the security measures implemented for the component that is the location where the threat occurs.
- The possibility setting information 312 indicates the threat ID, one or more conditions, and the possibility of occurrence for each rule No.
- The rule No is a rule identifier.
- The threat ID is the identifier of the threat to which the rule is applied.
- A condition is a condition under which the rule is applied.
- The conditions that are defined include the security measures implemented for the component that is the location where the threat occurs.
- The possibility of occurrence is the possibility of occurrence of the threat when the rule is applied.
- Each condition is written in the form “item: content”.
- The rule applied to the threat ID 10 has three conditions, and the rule applied to the threat ID 20 has two conditions.
- In the first embodiment, three levels of the possibility of occurrence are assumed, and a value of 1 is used when the possibility of occurrence is low, 2 when it is medium, and 3 when it is high. Note that the number of levels and the values are not limited to these.
- The configuration information 322 indicates information on each component of the analysis target system 50. As shown in FIG. 5, in the first embodiment, the configuration information 322 indicates the type, physical access permission, security measure, encryption measure, and asset value for each element name.
- The element name is the name of the component.
- The type is the classification of the component. The physical access permission indicates whether or not physical access to the component is possible.
- The encryption measure indicates whether or not encrypted communication is possible. The asset value is the value of the component.
- The configuration information 322 may indicate other information related to security measures, such as the presence or absence of user authentication and the type of OS used.
- Step S2 in FIG. 3: Threat extraction process
- The threat extraction unit 22 extracts threats that may occur in the analysis target system 50 based on the threat data 311 stored in the common information storage unit 31.
- The threat data 311 is a threat model.
- A specific method for extracting a threat may be realized by a method described in JP-A-2016-105233.
- The threat extraction unit 22 writes the extracted threats as a threat extraction result 321 in the analysis target storage unit 32.
- The threat extraction result 321 indicates the element name, threat ID, access source, and threat content for each No. No is a number uniquely assigned to the extracted threat.
- The element name is the name of the component that is the location where the threat occurs.
- The threat ID is the identifier of the extracted threat.
- The access source indicates the name of the component that is the source of access when the threat is related to remote access via the network.
- Terminal_01 is shown as the access source of a threat of unauthorized access to server_01 that misuses terminal_01.
- The threat content is the content of the extracted threat.
- The threat extraction result 321 may also indicate information such as the location of each component and the type of component.
- The No. 1 threat and the No. 2 threat are different threats but are represented by the same threat ID. However, threat IDs that distinguish these threats may be used.
- Step S3 in FIG. 3: Possibility identification process
- The possibility identifying unit 23 identifies the possibility of occurrence of the threat according to the combination of the identifier of the threat and the security measures implemented for the component that is the location where the threat occurs.
- Step S11 in FIG. 7: Result reading process
- The possibility identifying unit 23 reads information about one threat from the threat extraction result 321 in the analysis target storage unit 32 and writes the information in the memory 12. That is, the possibility identifying unit 23 reads one record of the threat extraction result 321 and writes it in the memory 12.
- Step S12 in FIG. 7: Rule extraction process
- The rule extraction unit 25 extracts, from the possibility setting information 312 in the common information storage unit 31, the rules having the threat ID included in the information read in step S11.
- The threat ID of the No. 1 record in FIG. is 10. Therefore, the rule extraction unit 25 extracts two rules, rule No1 and rule No2, in FIG.
- Step S13 in FIG. 7: First rule determination process
- The rule extraction unit 25 determines whether or not a rule has been extracted in step S12. When a rule has been extracted, the rule extraction unit 25 advances the process to step S14. On the other hand, if no rule has been extracted, the possibility of occurrence cannot be identified, and the rule extraction unit 25 advances the process to step S17.
- Step S14 in FIG. 7: Condition determination process
- The condition determination unit 26 determines, for each rule extracted in step S12, whether or not the record read in step S11 matches each condition of the rule. Specifically, the condition determining unit 26 refers to the configuration information 322 about the component indicated by the element name read in step S11, and determines whether or not each condition is met. For example, the threat No. 1 in FIG. 6 matches conditions 1 and 2 of the rule No 1 in FIG. 4 but does not match condition 3. On the other hand, the threat No. 1 in FIG. 6 satisfies all the conditions 1 to 3 for the rule No. 2 in FIG.
- Step S15 in FIG. 7: Second rule determination process
- The condition determination unit 26 determines whether or not there is a rule for which the component matched all the conditions in step S14. If there is a matching rule, the condition determination unit 26 advances the process to step S16. On the other hand, if there is no matching rule, the possibility of occurrence cannot be identified, and the condition determination unit 26 advances the process to step S17.
- Step S16 in FIG. 7: Possibility reading process
- The condition determination unit 26 reads out the possibility of occurrence of the rule for which the component matched all the conditions in step S14, and writes it in the analysis target storage unit 32 as occurrence possibility information 323.
- The possibility information 323 is the threat extraction result 321 without the access source information and with the possibility of occurrence added.
- The occurrence possibility information 323 may indicate access source information or may indicate other information.
- The condition determination unit 26 writes the read possibility of occurrence in the corresponding threat record. That is, when the No. 1 record in FIG. 6 is read in step S11, the condition determination unit 26 writes the read possibility of occurrence in the No. 1 record in FIG
- Step S17 in FIG. 7: End determination process
- The rule extraction unit 25 determines whether information about all threats has been read from the threat extraction result 321 in step S11. The rule extraction unit 25 ends the process when the information about all threats has been read. On the other hand, if the information about all threats has not been read, the rule extraction unit 25 returns the process to step S11 to read information about the next threat.
- Step S4 in FIG. 3: Risk value calculation process
- The risk value calculation unit 24 calculates a risk value indicating the magnitude of the risk for the threat of the analysis target system 50 from the possibility of occurrence identified in step S3. Specifically, for each threat extracted in step S2, the risk value calculation unit 24 calculates, as the risk value, the product of the possibility of occurrence of the threat and the asset value of the component that is the location where the threat occurs.
- The risk value calculation unit 24 writes risk analysis information 324 indicating the calculated risk value in the analysis target storage unit 32.
- The risk analysis information 324 is the possibility information 323 with the asset value of the component and the risk value added.
- The risk value of the threat No. 1 in FIG. 9 is “9”, the product of the possibility of occurrence “3” and the asset value “3” of the component server_01.
- The threat extraction result 321, the possibility information 323, and the risk analysis information 324 are treated as separate information.
- Alternatively, one format covering all the information of the threat extraction result 321, the possibility information 323, and the risk analysis information 324 may be prepared, and information may be added to the format sequentially as processing progresses.
- The risk analysis apparatus 10 identifies the possibility of occurrence of a threat according to the security measures implemented for the component that is the location where the threat occurs. Thereby, the possibility of occurrence of a threat can be appropriately identified. As a result, the security risk of the analysis target system can be analyzed appropriately.
- Since the possibility of occurrence is identified based on the possibility setting information 312, the analyst's arbitrary judgment is not included in the possibility of occurrence of a threat. Therefore, it is possible to appropriately identify the possibility of occurrence of a threat.
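The Embodiment 1 procedure (steps S11 to S17, followed by the risk value calculation of step S4) can be sketched as follows. This is an added example, not code from the patent: the rule contents, item names and configuration values are constructed stand-ins for FIG. 4 to FIG. 6, and taking the highest likelihood when several rules match is an assumption the text does not specify.

```python
"""Added example: rule-based likelihood lookup (S11-S17) and risk value (S4)."""

# Constructed stand-in for possibility setting information 312.
# Item names, contents and likelihoods are assumptions (1 low, 2 medium, 3 high).
POSSIBILITY_SETTINGS = [
    {"rule_no": 1, "threat_id": 10, "likelihood": 1,
     "conditions": {"type": "server", "physical_access": "no",
                    "security_measure": "yes"}},
    {"rule_no": 2, "threat_id": 10, "likelihood": 3,
     "conditions": {"type": "server", "physical_access": "no",
                    "security_measure": "no"}},
    {"rule_no": 3, "threat_id": 20, "likelihood": 2,
     "conditions": {"type": "server", "encryption": "no"}},
]

# Constructed stand-in for configuration information 322.
CONFIGURATION = {
    "server_01": {"type": "server", "physical_access": "no",
                  "security_measure": "no", "encryption": "no",
                  "asset_value": 3},
    "server_02": {"type": "server", "physical_access": "no",
                  "security_measure": "yes", "encryption": "no",
                  "asset_value": 2},
    "terminal_01": {"type": "terminal", "physical_access": "yes",
                    "security_measure": "no", "encryption": "no",
                    "asset_value": 1},
}

# Constructed stand-in for threat extraction result 321.
THREATS = [
    {"no": 1, "element": "server_01", "threat_id": 10},
    {"no": 2, "element": "server_02", "threat_id": 20},
    {"no": 3, "element": "terminal_01", "threat_id": 10},  # no rule matches
    {"no": 4, "element": "server_01", "threat_id": 30},    # no rule for this ID
]


def extract_rules(threat_id):
    """S12: rules whose threat ID equals the threat ID of the record."""
    return [r for r in POSSIBILITY_SETTINGS if r["threat_id"] == threat_id]


def matches(rule, component):
    """S14: every "item: content" condition must hold for the component."""
    return all(component.get(item) == content
               for item, content in rule["conditions"].items())


def identify_likelihood(threat):
    """S11-S16 for one record; None when the likelihood cannot be identified."""
    rules = extract_rules(threat["threat_id"])
    if not rules:                       # S13: no rule extracted -> S17
        return None
    component = CONFIGURATION[threat["element"]]
    matched = [r for r in rules if matches(r, component)]
    if not matched:                     # S15: no fully matching rule -> S17
        return None
    # Assumption: if several rules match, keep the highest likelihood.
    return max(r["likelihood"] for r in matched)


def analyze():
    """S3 + S4: risk value = likelihood x asset value of the component."""
    rows = []
    for threat in THREATS:              # S17 loops until all records are read
        likelihood = identify_likelihood(threat)
        asset = CONFIGURATION[threat["element"]]["asset_value"]
        risk = None if likelihood is None else likelihood * asset
        rows.append({**threat, "likelihood": likelihood,
                     "asset_value": asset, "risk": risk})
    return rows


def unidentified(rows):
    """Threats that reached S17 without a likelihood; review these by hand."""
    return [r["no"] for r in rows if r["risk"] is None]


if __name__ == "__main__":
    results = analyze()
    for row in results:
        print(row)
    print("no likelihood identified for threats:", unidentified(results))
```

Records that leave the loop through the "no rule" branches carry no risk value at all, so a report built on this output should list them separately instead of treating them as zero risk.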
- One piece of possibility setting information 312 is stored in the common information storage unit 31.
- The possibility setting information 312 for each type of system may be stored in the common information storage unit 31.
- The possibility setting information 312 may be stored for each type, such as an information system, an in-vehicle device system, and an FA (Factory Automation) system.
- The possibility identifying unit 23 identifies the possibility of occurrence of a threat using the possibility setting information 312 corresponding to the type of the analysis target system 50. This makes it possible to more appropriately identify the possibility of occurrence of a threat.
- The common information storage unit 31 may store possibility setting information 312 for each role, such as a system administrator and maintenance personnel.
- The possibility identifying unit 23 identifies the possibility of occurrence for each role using the possibility setting information 312 corresponding to each role.
- The risk value calculation unit 24 calculates the risk value of a threat for each role. Thereby, the risk value for each role can be known.
- The risk analysis apparatus 10 includes a processing circuit 15 instead of the processor 11, the memory 12, and the storage 13.
- The processing circuit 15 is a dedicated electronic circuit that realizes the functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identification unit 23, the risk value calculation unit 24, the rule extraction unit 25, the condition determination unit 26, the memory 12, and the storage 13.
- The processing circuit 15 is assumed to be a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, a logic IC, a GA (Gate Array), an ASIC (Application Specific Integrated Circuit), or an FPGA (Field-Programmable Gate Array). The functions of the information acquisition unit 21, threat extraction unit 22, possibility identification unit 23, risk value calculation unit 24, rule extraction unit 25, and condition determination unit 26 may be realized by one processing circuit 15, or may be distributed among a plurality of processing circuits 15.
- <Modification 3> As a third modification, some functions may be realized by hardware, and other functions may be realized by software. That is, some of the functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identification unit 23, the rule extraction unit 25, the condition determination unit 26, and the risk value calculation unit 24 may be realized by hardware, and the other functions may be realized by software.
- The processor 11, the memory 12, the storage 13, and the processing circuit 15 are collectively referred to as “processing circuitry”. That is, the function of each functional component is realized by the processing circuitry.
- Embodiment 2 differs from the first embodiment in that the possibility of occurrence is identified according to the communication control of the communication path in the analysis target system 50 leading to the component that is the location where the threat occurs. In the second embodiment, this difference is described, and the description of the points in common is omitted.
- The risk analysis apparatus 10 differs from the risk analysis apparatus 10 illustrated in FIG. in that it includes the communication determination unit 27 as a functional component and in that the analysis target storage unit 32 stores the connection destination information 325 and the communication control information 326.
- The communication determination unit 27 is realized by software in the same manner as other functional components. Moreover, the communication determination part 27 may be implement
- The operation of the risk analysis apparatus 10 according to the second embodiment will be described with reference to FIG. 3 and FIGS. 12 to 18.
- The operation of the risk analysis apparatus 10 according to the second embodiment corresponds to the risk analysis method according to the second embodiment.
- The operation of the risk analysis apparatus 10 according to the second embodiment also corresponds to the processing of the risk analysis program according to the second embodiment.
- Steps S2 and S4 are the same as those in the first embodiment.
- Step S1 in FIG. 3: Information acquisition process
- The information acquisition unit 21 acquires the possibility setting information 312, the configuration information 322, the connection destination information 325, and the communication control information 326 via the communication interface 14.
- The information acquisition unit 21 writes the possibility setting information 312 in the common information storage unit 31, and writes the configuration information 322, connection destination information 325, and communication control information 326 in the analysis target storage unit 32.
- The connection destination information 325 indicates the connection relationships between the components of the analysis target system 50. As shown in FIG. 12, in the second embodiment, the connection destination information 325 indicates the type, the presence or absence of communication control, and the communication paths for each element name. As shown in FIG. 2, the communication paths of the analysis target system 50 are NW_01, NW_02, NW_03, and the external network. In FIG. 12, a mark indicates that the component is connected to the communication path.
- The communication control information 326 indicates the content of communication control. As shown in FIG. 13, in the second embodiment, the communication control information 326 indicates whether data flow from the access source (FROM) to the access destination (TO) is permitted. In FIG. 13, FW_01 allows data to flow from NW_02 to the external network and does not allow data to flow from the external network to NW_02.
- With reference to FIG. 14, the possibility identification process in step S3 according to the second embodiment will be described.
- The processing from step S21 to step S23 is the same as the processing from step S11 to step S13 in FIG.
- The processing from step S26 to step S29 is the same as the processing from step S14 to step S17 in FIG.
- Step S24 in FIG. 14: Communication item determination process
- The communication determination unit 27 determines, for each rule extracted in step S22, whether or not communication control is one of the condition items.
- The communication determination unit 27 advances the process to step S25 when communication control is a condition item.
- The communication determination unit 27 advances the process to step S26 when communication control is not a condition item.
- As a specific example, it is assumed that the possibility setting information 312 is as shown in FIG. 15 and the threat extraction result 321 is as shown in FIG. Assume that the No. 1 record of the threat extraction result 321 is read in step S21. In this case, since the threat ID is 10, three rules No. 1 to No. 3 in FIG. 16 are extracted in step S22. Communication control is the item of Condition 1 in the three rules No. 1 to No. 3. Therefore, the process proceeds to step S25.
- Step S25 in FIG. 14: Communication control determination process
- The communication determination unit 27 extracts, from the rules extracted in step S22, the rules corresponding to the presence or absence of communication control on the communication path in the analysis target system 50 leading to the component that is the location where the threat occurs.
- Step S31 in FIG. 17: Route specifying process
- The communication determination unit 27 refers to the connection destination information 325 and identifies the communication path from the access source of the record read in step S21 to the component indicated by the element name. For example, for the No. 1 record of the threat extraction result 321 in FIG. 15, the communication path from the access source terminal_01 to the component server_01 is identified as NW_03. For the No. 3 record of the threat extraction result 321 in FIG. 15, the communication path from the access source, the outside, to the component server_01 is identified as the external network, FW_01, and NW_02.
- Step S32 in FIG. 17: Control element processing
- The communication determination unit 27 determines whether there is a component that performs communication control on the communication path identified in step S31.
- The communication determination unit 27 advances the process to step S33 when a component that performs communication control exists.
- The communication determination unit 27 sets communication control to possible when there is no component that performs communication control. For example, for the No. 1 record of the threat extraction result 321 in FIG. 15, the communication path is NW_03, so it is determined that there is no component that performs communication control. Therefore, communication control is set to possible. For the No. 3 record of the threat extraction result 321 in FIG. 15, the communication path is the external network, FW_01, and NW_02, and FW_01 performs communication control, so it is determined that there is a component that performs communication control. Therefore, the process proceeds to step S33.
- Step S33 in FIG. 17: Control element processing
- The communication determination unit 27 determines whether or not data is allowed to flow from the access source of the record read in step S21 to the component indicated by the element name.
- The communication determination unit 27 sets communication control to possible when the data flow is permitted.
- The communication determination unit 27 sets communication control to impossible when the data flow is not permitted. For example, for the No. 3 record of the threat extraction result 321 in FIG. 15, FW_01 does not permit data to flow in the direction from the access source, the outside, to the component server_01. For this reason, communication control is set to impossible.
- Step S34 in FIG. 17: Corresponding rule extraction process
- The communication determination unit 27 extracts the rules corresponding to the communication control enabled or communication control disabled setting made in steps S32 to S33. For example, for the No1 record of the threat extraction result 321 in FIG. 15, communication control is enabled, so rule No1 and rule No2, in which communication control is enabled under condition 1 in FIG. 16, are extracted. For the No. 3 record of the threat extraction result 321 in FIG. 15, communication control is set to impossible, so rule No. 3, in which communication control is disabled under condition 1 in FIG. 16, is extracted.
- The possibility of occurrence corresponding to each No is identified as the possibility information 323 as shown in FIG.
- The risk analysis apparatus 10 identifies the possibility of occurrence of a threat depending on whether or not communication control is performed on the communication path from the access source to the component that is the location where the threat occurs. Thereby, it is possible to identify the possibility of occurrence of a threat in consideration of the data flow of the analysis target system 50.
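The communication control determination of steps S31 to S34 can be sketched with the topology of the analysis target system 50 and the FW_01 policy described above. This is an added example, not code from the patent: the rule contents are constructed stand-ins for FIG. 16, and three behaviours the text leaves open are assumptions here (only components that perform communication control forward traffic between communication paths, the shortest path is used, and a direction missing from the communication control information is treated as not permitted).

```python
"""Added example: communication control determination (steps S31 to S34)."""
from collections import deque

# Connection destination information 325, per the description of FIG. 2:
# attached communication paths and whether the component controls traffic.
CONNECTIONS = {
    "server_01": {"control": False, "paths": {"NW_01", "NW_02", "NW_03"}},
    "server_02": {"control": False, "paths": {"NW_01"}},
    "FW_01": {"control": True, "paths": {"NW_02", "external network"}},
    "terminal_01": {"control": False, "paths": {"NW_03"}},
    "terminal_02": {"control": False, "paths": {"NW_03"}},
}

# Communication control information 326: (component, FROM, TO) -> permitted.
COMM_CONTROL = {
    ("FW_01", "NW_02", "external network"): True,
    ("FW_01", "external network", "NW_02"): False,
}

# Constructed stand-in for the three threat ID 10 rules; condition 1 is
# communication control, the likelihood values are assumptions.
RULES = [
    {"rule_no": 1, "threat_id": 10, "comm": "possible", "likelihood": 3},
    {"rule_no": 2, "threat_id": 10, "comm": "possible", "likelihood": 2},
    {"rule_no": 3, "threat_id": 10, "comm": "impossible", "likelihood": 1},
]

# Records No. 1 and No. 3 of the threat extraction result as described.
THREATS = [
    {"no": 1, "element": "server_01", "threat_id": 10,
     "access_source": "terminal_01"},
    {"no": 3, "element": "server_01", "threat_id": 10,
     "access_source": "external network"},
]


def find_path(source, target):
    """S31: hops from source to target as [path, component, path, ...]."""
    # The access source is either a component or a communication path itself.
    if source in CONNECTIONS:
        start = CONNECTIONS[source]["paths"]
    else:
        start = {source}
    queue = deque([net] for net in sorted(start))
    seen = set(start)
    while queue:
        path = queue.popleft()
        net = path[-1]
        if net in CONNECTIONS[target]["paths"]:
            return path
        # Assumption: only controlling components forward between paths.
        for elem, info in sorted(CONNECTIONS.items()):
            if info["control"] and net in info["paths"]:
                for nxt in sorted(info["paths"] - seen):
                    seen.add(nxt)
                    queue.append(path + [elem, nxt])
    return None


def communication_state(source, target):
    """S32-S33: "possible" unless a controlling hop denies this direction."""
    path = find_path(source, target)
    if path is None:
        return "impossible"             # assumption: no route at all
    for i in range(1, len(path), 2):    # odd indices are controlling components
        hop = (path[i], path[i - 1], path[i + 1])
        if not COMM_CONTROL.get(hop, False):   # assumption: default deny
            return "impossible"
    return "possible"


def rules_for(threat):
    """S22 + S34: rule numbers for the threat ID and communication state."""
    state = communication_state(threat["access_source"], threat["element"])
    return [r["rule_no"] for r in RULES
            if r["threat_id"] == threat["threat_id"] and r["comm"] == state]


if __name__ == "__main__":
    for t in THREATS:
        print(t["no"], find_path(t["access_source"], t["element"]),
              communication_state(t["access_source"], t["element"]),
              rules_for(t))
```

Because the firewall policy is directional, the same pair of endpoints can yield different rule sets depending on which one is the access source, which is why the lookup key includes FROM and TO.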
- the content of the communication control is determined after determining that the rule extracted in step S22 has communication control as an item.
- the flow of processing may be changed so that the content of communication control is determined for the threat that has the access source among the threats extracted as the threat extraction result 321.
- <Modification 5> there is one component that performs communication control.
- communication control information to which identification information is added may be used so that each component can be identified.
- instead of simply specifying the possibility of occurrence of a threat based on whether or not communication control is performed on the communication path, the possibility of occurrence of a threat may be specified based on how many communication controls are performed on the communication path.
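The communication determination of steps S32 to S34, as an added example that is not code from the patent. The permitted-flow table, the rule possibility values, threat ID 1, the `internal` access source and `server_02` are constructed assumptions; the check over several controlling components and the returned count generalize the flow along the lines of Modification 5.

```python
from dataclasses import dataclass

POSSIBLE, IMPOSSIBLE = "possible", "impossible"

@dataclass(frozen=True)
class Rule:
    no: int
    threat_id: int
    comm_control: str   # condition 1 of the rule
    possibility: int    # constructed value; FIG. 16 is not reproduced on the page

# Constructed stand-in for the communication control information: each
# controlling component maps to the (access source, destination) flows it permits.
COMM_CONTROL = {"FW_01": {("internal", "server_01")}}

# Constructed stand-in for the rules of FIG. 16 (threat ID 1 is an assumption).
RULES = [Rule(1, 1, POSSIBLE, 3), Rule(2, 1, POSSIBLE, 2), Rule(3, 1, IMPOSSIBLE, 1)]

def determine_comm_control(source, path, target, controls=COMM_CONTROL):
    """Steps S32-S33: return (setting, number of controlling components on the path)."""
    controllers = [c for c in path if c in controls]
    if not controllers:                      # S32: nothing on the path filters traffic
        return POSSIBLE, 0
    # S33, extended to several controllers: every one must permit the flow.
    permitted = all((source, target) in controls[c] for c in controllers)
    return (POSSIBLE if permitted else IMPOSSIBLE), len(controllers)

def extract_rules(threat_id, setting, rules=RULES):
    """Step S34: keep the rules whose condition 1 equals the setting."""
    return [r.no for r in rules if r.threat_id == threat_id and r.comm_control == setting]

def analyse(record):
    """Run S32-S34 for one record of the threat extraction result."""
    setting, n_controls = determine_comm_control(
        record["source"], record["path"], record["target"])
    return setting, n_controls, extract_rules(record["threat_id"], setting)

# Constructed records modelled on No. 1 and No. 3 of the threat extraction result.
RECORD_1 = {"threat_id": 1, "source": "internal", "path": ["NW_03"], "target": "server_02"}
RECORD_3 = {"threat_id": 1, "source": "outside",
            "path": ["external network", "FW_01", "NW02"], "target": "server_01"}

if __name__ == "__main__":
    for rec in (RECORD_1, RECORD_3):
        print(rec["path"], "->", analyse(rec))
```

The rules returned by step S34 still go through the remaining condition checks of the possibility identification process before one possibility of occurrence is chosen.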
- Embodiment 3
- the third embodiment is different from the first embodiment in that the possibility of occurrence of a threat is specified in accordance with the possibility of occurrence of another threat that may occur with respect to a component that is a place where the threat occurs.
- this different point will be described, and the description of the same point will be omitted. Note that Embodiment 3 can be combined with Embodiment 2.
- the risk analysis device 10 is different from the risk analysis device 10 shown in FIG. 1 in that the common information storage unit 31 stores the correspondence information 313.
- the operation of the risk analysis apparatus 10 according to the third embodiment corresponds to the risk analysis method according to the third embodiment.
- the operation of the risk analysis apparatus 10 according to the third embodiment corresponds to the processing of the risk analysis program according to the third embodiment.
- Steps S2 and S4 are the same as those in the first embodiment.
- Step S1 Information acquisition process in FIG. 3
- the information acquisition unit 21 acquires possibility setting information 312, correspondence information 313, and configuration information 322 via the communication interface 14.
- the information acquisition unit 21 writes the possibility setting information 312 and the correspondence information 313 to the common information storage unit 31, and writes the configuration information 322 to the analysis target storage unit 32.
- the correspondence information 313 is information in which a security measure and a threat ID are associated with each other. As shown in FIG. 20, in the third embodiment, the correspondence information 313 indicates a threat ID for each condition item for security measures.
- With reference to FIG. 21, the possibility identification process of step S3 according to Embodiment 3 will be described.
- the processing from step S41 to step S47 is the same as the processing from step S11 to step S17 in FIG. However, in step S45, the condition determination unit 26 advances the process to step S48 if there is no matching rule.
- Step S48 correspondence information determination process
- the condition determination unit 26 determines whether or not the condition information included in the rule is included in the correspondence information 313 for each rule extracted in step S42. Specifically, the condition determination unit 26 searches the correspondence information 313 using each condition item included in each rule as a keyword, and determines whether or not a record is extracted. If the condition item is included in the correspondence information 313, the condition determination unit 26 advances the process to step S49. On the other hand, if the condition item is not included in the correspondence information 313, the condition determination unit 26 cannot determine the possibility of occurrence, and the process proceeds to step S47.
- the threat extraction result 321 is as shown in FIG. 22, the possibility setting information 312 is as shown in FIG. 23, and the configuration information 322 is as shown in FIG.
- the No. 5 record of the threat extraction result 321 is read in step S41.
- the threat ID is 11 in step S42
- two rules of rule No50 and rule No51 in FIG. 23 are extracted.
- in rule No. 50 and rule No. 51, there is a malware infection of the access source as a condition item of condition 3.
- the configuration information 322 does not have an item of malware infection, and does not match the condition 3 of either rule No50 or rule No51. Therefore, the process proceeds to step S28.
- the condition determination unit 26 searches the correspondence information 313 using the malware infection that is the condition item of the condition 3 as a keyword.
- the record shown in FIG. 20 is extracted. Therefore, the process proceeds to step S49.
- Step S49 Rule re-extraction process
- the condition determination unit 26 extracts, from the possibility setting information 312 in the common information storage unit 31, a rule that has the threat ID of the record extracted in step S48 and all of whose conditions are matched by the record read in step S41. If the rule is extracted, the condition determination unit 26 advances the process to step S50. On the other hand, if the rule is not extracted, the condition determination unit 26 advances the process to step S47.
- Step S50 Condition specifying process
- the condition determination unit 26 reads the possibility of occurrence of the rule extracted in step S49. Then, the process returns to step S44, and, using the read possibility of occurrence, it is determined again for each rule extracted in step S42 whether or not the record read out in step S41 matches each condition of the rule.
- the risk analysis apparatus 10 specifies the possibility of occurrence of a threat according to the possibility of occurrence of another threat that may occur with respect to a component that is the place where the threat is generated. Thereby, it is possible to specify the possibility of occurrence of a threat by using the possibility of occurrence of another threat that is a source of the threat.
- 10 risk analysis device, 11 processor, 12 memory, 13 storage, 14 communication interface, 15 processing circuit, 21 information acquisition unit, 22 threat extraction unit, 23 possibility identification unit, 24 risk value calculation unit, 25 rule extraction unit, 26 condition determination unit, 27 communication determination unit, 31 common information storage unit, 311 threat data, 312 possibility setting information, 313 correspondence information, 32 analysis target storage unit, 321 threat extraction result, 322 configuration information, 323 occurrence possibility information, 324 risk analysis information, 325 connection destination information, 326 communication control information, 50 analysis target system.
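The Embodiment 3 flow (steps S42 to S50), in which a condition item missing from the configuration information is resolved through the correspondence information 313, as an added example that is not code from the patent. Rules 50 and 51 and threat ID 11 follow the page's example; threat ID 20, rules 60 and 61, the `authentication` and `antivirus` items and the high/low scale are constructed assumptions.

```python
# Constructed stand-in for possibility setting information 312. Rules 50 and 51
# follow the page's example (threat ID 11, condition on malware infection of the
# access source); threat ID 20 and every value are assumptions.
RULES = [
    {"no": 50, "threat_id": 11, "possibility": "high",
     "conditions": {"authentication": "none", "malware infection": "high"}},
    {"no": 51, "threat_id": 11, "possibility": "low",
     "conditions": {"authentication": "none", "malware infection": "low"}},
    {"no": 60, "threat_id": 20, "possibility": "high", "conditions": {"antivirus": "none"}},
    {"no": 61, "threat_id": 20, "possibility": "low", "conditions": {"antivirus": "installed"}},
]
# Constructed stand-in for correspondence information 313: condition item -> threat ID.
CORRESPONDENCE = {"malware infection": 20}

def first_match(rules, facts):
    """Steps S44-S45: first rule whose every condition is met by the facts."""
    for rule in rules:
        if all(facts.get(k) == v for k, v in rule["conditions"].items()):
            return rule
    return None

def specify_possibility(threat_id, config, rules=RULES, corr=CORRESPONDENCE):
    """Return (rule number, possibility), or None when it cannot be determined (S47)."""
    candidates = [r for r in rules if r["threat_id"] == threat_id]      # S42
    hit = first_match(candidates, config)
    if hit is None:
        facts = dict(config)
        missing = {k for r in candidates for k in r["conditions"]} - facts.keys()
        for item in missing & corr.keys():                              # S48
            source_rules = [r for r in rules if r["threat_id"] == corr[item]]
            source = first_match(source_rules, config)                  # S49
            if source is not None:
                facts[item] = source["possibility"]                     # S50
        hit = first_match(candidates, facts)                            # back to S44
    return (hit["no"], hit["possibility"]) if hit else None

if __name__ == "__main__":
    print(specify_possibility(11, {"authentication": "none", "antivirus": "installed"}))
```

When the source threat itself has no matching rule, or the condition item has no entry in the correspondence information, the function returns `None`, which corresponds to the undetermined outcome of step S47.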
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
In this risk analysis device (10), a threat extraction unit (22) extracts a threat that may occur in an analysis target system. A possibility identification unit (23) specifies the possibility of occurrence of the threat extracted by the threat extraction unit (22) according to the security measures implemented for the component that is the place where the threat occurs. A risk value calculation unit (24) calculates, from the possibility of occurrence specified by the possibility identification unit (23), a risk value indicating the level of risk of the threat to the analysis target system.
Priority Applications (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| JP2018541441A JP6425865B1 (ja) | 2017-03-07 | 2017-03-07 | リスク分析装置、リスク分析方法及びリスク分析プログラム |
| PCT/JP2017/008945 WO2018163274A1 (fr) | 2017-03-07 | 2017-03-07 | Dispositif, procédé et programme d'analyse de risque |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/JP2017/008945 WO2018163274A1 (fr) | 2017-03-07 | 2017-03-07 | Dispositif, procédé et programme d'analyse de risque |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2018163274A1 true WO2018163274A1 (fr) | 2018-09-13 |
Family
ID=63449041
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/JP2017/008945 Ceased WO2018163274A1 (fr) | 2017-03-07 | 2017-03-07 | Dispositif, procédé et programme d'analyse de risque |
Country Status (2)
| Country | Link |
|---|---|
| JP (1) | JP6425865B1 (fr) |
| WO (1) | WO2018163274A1 (fr) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2007156816A (ja) * | 2005-12-05 | 2007-06-21 | Nec Corp | リスク分析装置、リスク分析方法およびリスク分析用プログラム |
| JP2008129648A (ja) * | 2006-11-16 | 2008-06-05 | Nec Corp | セキュリティリスク管理システム、セキュリティリスク管理方法およびセキュリティリスク管理用プログラム |
| JP2015095159A (ja) * | 2013-11-13 | 2015-05-18 | 日本電信電話株式会社 | 評価方法及び評価装置 |
| JP2015130153A (ja) * | 2013-12-06 | 2015-07-16 | 三菱電機株式会社 | リスク分析装置及びリスク分析方法及びリスク分析プログラム |
Family Cites Families (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2012093804A (ja) * | 2010-10-22 | 2012-05-17 | Hitachi Ltd | セキュリティポリシーに基づくセキュリティ監視装置、セキュリティ監視方法及びセキュリティ監視プログラム |
| US20140137257A1 (en) * | 2012-11-12 | 2014-05-15 | Board Of Regents, The University Of Texas System | System, Method and Apparatus for Assessing a Risk of One or More Assets Within an Operational Technology Infrastructure |
2017
- 2017-03-07 WO PCT/JP2017/008945 patent/WO2018163274A1/fr not_active Ceased
- 2017-03-07 JP JP2018541441A patent/JP6425865B1/ja active Active
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| JP2020052686A (ja) * | 2018-09-26 | 2020-04-02 | クラリオン株式会社 | 脆弱性評価装置、脆弱性評価システム及びその方法 |
| WO2021075577A1 (fr) * | 2019-10-18 | 2021-04-22 | ソフトバンク株式会社 | Dispositif de génération, programme et procédé de génération |
| JP2021068031A (ja) * | 2019-10-18 | 2021-04-30 | ソフトバンク株式会社 | 生成装置、プログラム、及び生成方法 |
Also Published As
| Publication number | Publication date |
|---|---|
| JPWO2018163274A1 (ja) | 2019-03-22 |
| JP6425865B1 (ja) | 2018-11-21 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | ENP | Entry into the national phase | Ref document number: 2018541441 Country of ref document: JP Kind code of ref document: A |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 17900245 Country of ref document: EP Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 17900245 Country of ref document: EP Kind code of ref document: A1 |