The present invention relates to an analysis system, analysis method, and analysis program for analyzing attacks on systems to be diagnosed.
An information processing system that includes multiple computers is required to take security measures to protect information assets from cyber attacks. Security measures include assessing the vulnerability of the target system and removing vulnerability as necessary.
Patent literature 1 describes a system that generates a list of threats to a control model by extracting the corresponding threat data from a threat database that holds data on one or more threats for each component of the control model that simulates the development target.
A system that is a target of security diagnosis is referred to as a system to be diagnosed. It is desirable to be able to present the analysis results for the system to be diagnosed in an easy-to-understand manner for a security administrator.
Therefore, the purpose of the present invention is to provide an analysis system, analysis method, and analysis program that can present analysis results for a system to be diagnosed in an easy-to-understand manner.
An analysis system according to the present invention comprises a fact generation unit which generates a fact which is data representing security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed; and an analysis unit which generates one or more pairs of a start point fact which is a fact representing possibility of attack in a device that is a start point and an end point fact which is a fact representing possibility of attack in a device that is an end point, analyzes, for each pair, whether or not it is possible to derive the end point fact from the start point fact, based on facts representing states of the devices generated based on information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generates an attack pattern that includes at least an attack condition, an attack result, and an attack means, in a case where it is possible to derive the end point fact from the start point fact.
An analysis system according to the present invention comprises an input unit to which an attack graph regarding a system to be diagnosed and analysis rules used to derive facts corresponding nodes in the attack graph are input; and an analysis unit which searches for a pair of a combination node indicating a combination of a device, an attack state, and a privilege, and a combination node next to the combination node, and generates an attack pattern that includes at least an attack condition, an attack result, and an attack means, for each pair of combination nodes.
In an analysis method according to the present invention, one or more computers generate a fact which is data representing security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed; and generate one or more pairs of a start point fact which is a fact representing possibility of attack in a device that is a start point and an end point fact which is a fact representing possibility of attack in a device that is an end point, analyze, for each pair, whether or not it is possible to derive the end point fact from the start point fact, based on facts representing states of the devices generated based on information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generate an attack pattern that includes at least an attack condition, an attack result, and an attack means, in a case where it is possible to derive the end point fact from the start point fact.
In an analysis method according to the present invention, one or more computers receive an input of an attack graph regarding a system to be diagnosed and analysis rules used to derive facts corresponding nodes in the attack graph; and search for a pair of a combination node indicating a combination of a device, an attack state, and a privilege, and a combination node next to the combination node, and generate an attack pattern that includes at least an attack condition, an attack result, and an attack means, for each pair of combination nodes.
An analysis program according to the present invention causes a computer to execute: a fact generation process of generating a fact which is data representing security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed; and an analysis process of generating one or more pairs of a start point fact which is a fact representing possibility of attack in a device that is a start point and an end point fact which is a fact representing possibility of attack in a device that is an end point, analyzing, for each pair, whether or not it is possible to derive the end point fact from the start point fact, based on facts representing states of the devices generated based on information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generating an attack pattern that includes at least an attack condition, an attack result, and an attack means, in a case where it is possible to derive the end point fact from the start point fact.
An analysis program according to the present invention causes a computer to execute: a receiving input process of receiving an input of an attack graph regarding a system to be diagnosed and analysis rules used to derive facts corresponding nodes in the attack graph; and an analysis process of searching for a pair of a combination node indicating a combination of a device, an attack state, and a privilege, and a combination node next to the combination node, and generating an attack pattern that includes at least an attack condition, an attack result, and an attack means, for each pair of combination nodes.
According to the present invention, it is possible to present analysis results for a system to be diagnosed in an easy-to-understand manner.
The analysis system described in the following example embodiment is a system for analyzing cyber attacks on the system to be diagnosed (assessed). As described above, a system to be diagnosed is a system that is a target of security diagnosis. Examples of systems to be diagnosed include information technology (IT) systems in a company and so-called operational technology (OT) systems for controlling a factory, a plant or the like. However, the systems to be diagnosed are not limited to these systems. A system in which multiple devices are connected through a communication network can be a system to be diagnosed.
Each device included in the system to be diagnosed is connected through a communication network. Examples of devices included in the system to be diagnosed include personal computers, servers, switches, routers, machine tools installed in factories, and control devices for machine tools. However, the devices are not limited to the above examples. The devices may be physical devices or virtual devices.
A way to analyze attacks on the system to be diagnosed is to use an attack graph. An attack graph is a graph that can show the state of a device, such as the presence or the absence of vulnerability, and a relationship between an attack that can be executed on one device and an attack that can be executed on other devices based on the attack that can be executed on the one device. An attack graph is represented as a directed graph where any state (device, network, vulnerability, security settings, etc.), that may relate to security, is defined as a fact, the states are nodes, and the relationships between facts are edges.
Here, a fact is data that represents the security situation of the system to be diagnosed. As a more detailed example, a fact represents some state of the system to be diagnosed, or a device included in the system to be diagnosed, that may relate to security mainly. As another detailed example, a fact represents an attack that may be performed on each device included in the system to be diagnosed. In this case, the fact is expressed in the form of a combination of a device and an attack state, or a combination of a device, an attack state and privileges, as described below. In the analysis of attack, it is assumed that some attacks can be carried out on the devices included in the system to be diagnosed. Such an assumption may be treated as a fact.
The facts can be determined from information obtained from each device included in the system to be diagnosed. In addition, a rule for deriving new facts from existing facts (hereinafter, referred to as an analysis rule) can be used to derive a new fact from one or more existing facts. The rules for deriving new facts from existing facts (hereinafter, referred to as analysis rules) can be used to derive new facts from one or more existing facts. For example, a new fact can be derived based on the facts determined from information obtained from each device in the system to be diagnosed, using the analysis rule. Furthermore, another new fact can be derived based on the facts determined from information obtained from each device and a newly obtained fact. This process is repeated until no new fact can be derived from the analysis rule. Then, an attack graph can be generated by setting each fact to a node, connecting each node corresponding to a fact with an edge extending from a node corresponding to the fact that is the basis of a newly obtained fact to the node corresponding to the newly obtained fact.
The following analysis system of example embodiment below generates an attack pattern that includes at least an attack condition, an attack result, and an attack means. The attack pattern may include other information. The details of the attack pattern are described later.
Hereinafter, an example embodiment of the present invention will be described with reference to the drawings.
The analysis system of the first example embodiment of the present invention generates one or more pairs of facts that are the starting and ending points, and for each pair, generates an attack pattern. Note that there may be some pairs for which no attack pattern is generated.
The data collection unit 2 collects information regarding each device included in the system to be diagnosed.
The information regarding the device is information that can be related to the security of the device. Examples of information regarding the device that the data collection unit 2 collects include an operating system (OS) installed on the device and its version information, hardware configuration information installed on the device, software installed on the device and its version information, information on the communication data exchanged between the device and other devices and the communication protocol used to exchange the communication data, information on the status of ports of the device (which ports are open) and so on, for example. The communication data includes information on a source and a destination of the communication data. The data collection unit 2 collects the above information. However, examples of the information collected by the data collection unit 2 are not limited to the above examples. The data collection unit 2 may also collect other information that may be relevant to the security of the device as information regarding the device.
The data collection unit 2 may collect information regarding the devices directly from each device included in the system to be diagnosed. In this case, the analysis system 1 is connected to each device through a communication network, and the data collection unit 2 can collect information from each device through the communication network.
Alternatively, the data collection unit 2 may obtain information regarding each device from an information collection server that collects information regarding each device. In this case, the analysis system 1 is connected to the information collection server through a communication network, and the data collection unit 2 can collect information regarding each device from the information collection server through the communication network.
When each device has an agent, the data collection unit 2 may collect information regarding each device through the agent. In other words, the data collection unit 2 may obtain information regarding each device from the information collection server that collects information regarding each device through the agent.
Each agent installed in each device may transmit information regarding the device to the information collection server, and the data collection unit 2 may collect information regarding each device included in the system to be diagnosed from that information collection server. In this case, for example, the analysis system 1 is connected to the information collection server through a communication network, and the data collection unit 2 may collect information regarding each device from that information collection server through the communication network.
When the data collection unit 2 collects information regarding each device included in the system to be diagnosed, the data collection unit 2 stores the information in the data storage unit 3.
The data storage unit 3 is a storage device that stores the information regarding each device collected by the data collection unit 2.
The fact generation unit 4 generates one or more facts based on the information regarding each device collected by the data collection unit 2. As already explained, the fact represents the security situation of the system to be diagnosed. The fact generated by the fact generation unit 4 represents some state mainly related to security of one or more devices included in the system to be diagnosed, derived from the specific information obtained from each device.
For example, the fact generation unit 4 generates one or more facts by referring to the rule for generating facts that include one or more templates representing the facts to be generated, which have been prepared in advance, and determining whether or not the information regarding each device matches the respective template. Information regarding each device is applied to the parameters of the generated facts as appropriate.
In
The fact shown as Example 1 in
The fact shown as Example 2 in
The fact shown as Example 3 in
The description format of the fact is not limited to the example shown in
The analysis rule storage unit 5 is a storage device that stores analysis rules. An analysis rule is a rule for deriving a new fact from an existing fact. The fact derived using the analysis rule is mainly a fact that represents an attack that can be performed on each device included in the system to be diagnosed. The analysis rule storage unit 5 stores one or more analysis rules according to the system to be diagnosed.
In
The analysis rules shown in
In
In the example shown in
In the analysis rule shown in
The description format of the analysis rules is not limited to the example shown in
The analysis unit 6 generates an attack pattern for a pair which is possible to derive a fact that is the end point from a fact that is the start point among one or more pairs of a fact that is the start point and a fact that is the end point. As an example, the analysis unit 6 analyzes whether or not it is possible to derive a fact that is the end point from a fact that is the start point. When the fact that is the end point can be derived from the fact that is the start point, then the analysis unit 6 generates an attack pattern. The analysis unit 6 analyzes whether or not it is possible to derive the fact that is the end point from the fact that is the start point using the fact generated from the information regarding the device that is the start point and the device that is the end point, the fact that is the start point, and the analysis rule stored in the analysis rule storage unit 5. In this analysis, the analysis unit 6 does not use facts generated from information regarding devices that do not correspond to either the device that is the start point or the device that is the end point. When it is possible to derive a fact that is the end point from a fact that is the start point, then the pattern table stored in the pattern table storage unit 11 is used to generate the attack pattern. The pattern table will be described later.
The fact that is the start point may be referred to simply as a start point fact. Similarly, the fact that is the end point may be referred to simply as an end point fact.
Each of the fact that is the start point and the fact that is the end point is usually a fact (a fact that represents the possibility of an attack) that represents an attack that can be performed on each device in the system to be diagnosed. In other words, the ability to derive a fact that is the end point from a fact that is the start point indicates that if some attack is possible on the device that is the start point, another attack is possible on the device that is the end point. The inability to derive the fact that is the end point from the fact that is the start point indicates that even if some attack is possible on the device that is the start point, another attack represented by the fact that is the end point cannot be executed on the device fact that is the end point.
An example of an operation to analyze whether or not it is possible to derive a fact that is the end point from a fact that is the start point will be described.
The analysis unit 6 generates one or more pairs of a fact that is the start point of an attack graph and a fact that is the end point of the attack graph. The fact that is the start point and the fact that is the end point are facts that represent an attack that can take place on the device that is the start point and the device that is the end point, respectively.
The analysis unit 6 analyzes whether or not it is possible to derive the fact that is the end point from the fact that is the start point, based on the fact generated from the information regarding the device that is the start point and the device that is the end point, the fact that is the start point, and the analysis rule stored in the analysis rule storage unit 5, for each pair of the fact that is the start point of the attack graph and the fact that is the end point of the attack graph. In this analysis, the analysis unit 6 does not use facts generated from information regarding devices that do not correspond to either the device that is the start point or the device that is the end point.
The fact that is the start point of the attack graph and the fact that is the end point of the attack graph will be described.
There are multiple types of attacks, and the attacks that a device may be subjected to vary depending on the vulnerability the which device has. Therefore, in the example embodiments of the present invention, the state of a device that may be attacked by vulnerability is defined as the attack state. For example, as the attack state, “a state in which code can be executed (hereinafter, referred to as “arbitrary code execution”)“, “a state in which data can be tampered with (hereinafter, referred to as “data tampering”), “a state in which files can be accessed (hereinafter, referred to as “file accessible”)“, “a state in which account information has held (hereinafter, referred to as “account holding”)“, “a state in which a DoS (Denial of Service) attack can be carried out (hereinafter, referred to as “dos”)“, etc. are given. In the present example embodiment, there are five attack states “arbitrary code execution”, “data tampering”, “file accessible”, “account holding”, and “dos” as an example. However, the attack states are not limited to the above five types. Other types of attack states may be given depending on the attacks that may occur in the system to be diagnosed. An attack state that includes multiple attack states may also be defined. For example, an attack state called “all” may be defined as a state that includes all of the attack states “arbitrary code execution”, “data tampering”, “file accessible”, and “account holding”.
The analysis unit 6 generates a combination of one of the device IDs of devices included in the system to be diagnosed, one of the multiple predetermined attack states, and one of the privileges that can correspond to the attack states as the fact that is the start point of the attack graph.
Similarly, the analysis unit 6 generates a combination of one of the device IDs of devices included in the system to be diagnosed, one of the multiple predetermined attack states, and one of the privileges that can correspond to the attack states as the fact that is the end point of the attack graph.
Here, “privileges” includes privileges when the attack indicated by the attack state is performed. In this case, the privilege is, for example, either administrative privileges or general privileges. In addition, “privileges” may include the fact that privilege is not relevant when the attack indicated by the attack state is performed (hereinafter, referred to as “no relevant privileges”). Therefore, the predetermined multiple types of privileges are, as an example, “administrative privileges”, “general privileges”, and “no relevant privileges”.
The combination of attack state and privileges can be determined according to the specific content of the attack state. For example, each of the attacks indicated by “arbitrary code execution,” “data tampering,” “file accessible,” and “account holding” can be performed under some privileges, such as administrative or general privileges. Therefore, for each attack state of “arbitrary code execution,” “data tampering,” “file accessibility,” and “account holding” appropriate privileges such as “administrative privileges” or “general privileges” can be combined, depending on the specifics of each attack state. A DoS attack is not related to administrative privileges, general privileges, or other privileges. Therefore, the attack condition “dos” will be combined with “no relevant privileges”.
Under such a combination of attack state and privileges, the analysis unit 6 generates a combination of a device corresponding to one of the devices included in the system to be diagnosed, one of the multiple types of attack states, and one of the privileges that can correspond to the attack state, as the fact that is the start point of the attack graph under such a combination of attack states and privileges. Similarly, the analysis unit 6 generates a combination of a device corresponding to one of the devices included in the system to be diagnosed, one of the multiple types of attack states, and one of the multiple types of privileges that can correspond to the attack state, as a fact that is the end point of the attack graph under such a combination of attack states and privileges.
In this way, the combination of “device, attack state, and privileges” is treated as a fact that is the start point of the attack graph or a fact that is the end point of the attack graph. The device included in a fact is represented by a device ID, for example. In other words, each of a fact that is the start point or a fact that is the end point is a fact that indicates possibility under the attack represented by the attack state in the device represented by the device ID.
Furthermore, the analysis unit 6 determines a pair of a fact (a combination of “device, attack state, and privileges”) that is the start point of the attack graph and a fact (a combinations of “device, attack state, and privileges”) that is the end point of the attack graph. In this case, the analysis unit 6 may exhaustively determine all pairs of facts that are the start points and facts that are the end points in the system to be diagnosed, or some of all pairs. In the case of defining some of all pairs, the analysis unit 6 may determine a pair of the fact that is the start point and the fact that is the end point based on some of the devices included in the system to be diagnosed, such as devices included in a specific subnet in the system to be diagnosed. That is, when the analysis unit 6 generates the fact that is the start point and the fact that is the end point based on some of the devices included in the system to be diagnosed, the analysis unit 6 may regard the devices included in the same subnet of the system to be diagnosed as some of the devices. The analysis unit 6 may also determine the pair of the fact that is the start point and the fact that is the end point by excluding pairs of devices that need to go through other devices for communication, i.e., pairs of devices that cannot communicate directly. In other words, when the analysis unit 6 generates the fact that is the start point and the fact that is the end point based on some of the devices included in the system to be diagnosed, the analysis unit 6 may regard the devices that can communicate directly as some of the devices.
In this case, the analysis unit 6 may determine combinations of the devices that are the start points and the devices that are the end points, and under each combination of devices, determine the fact (a combination of “device, attack state, and privileges”) that is the start point and the fact (a combination of “device, attack state, and privileges”) that is the end point.
The device included in the fact that is the start point and the device included in the fact that is the end point may be the same device. In this case, the analysis unit 6 can also analyze whether it is possible to reach from one attack state of a device to another attack state, in other words, if a certain attack is possible on a device, whether another attack is possible on the device.
After defining one or more pairs of the fact that is the start point and the fact that is the end point as described above, the analysis unit 6 analyzes, for each pair, whether or not it is possible to derive the fact that is the end point from the fact that is the start point, based on the fact representing the state of each device generated from the information regarding the device that is the start point and the information regarding the device that is the end point, the fact that is the start point, and one or more predetermined analysis rules. In this case, the analysis unit 6 can apply an inference algorithm based on the analysis rule stored in the analysis rule storage unit 5, for example. The device that is the start point is a device indicated by the device ID included in the fact that is the start point, and the device that is the end point is a device indicated by the device ID included in the fact that is the end point. Accordingly, for example, when the device ID in the fact that is the start point is ‘Host A’ and the device ID in the fact that is the end point is ‘Host B’, the analysis unit 6 analyzes whether or not it is possible to derive the fact that is the end point based on facts representing states of ‘Host A’ and ‘Host B’ generated from information regarding device ‘Host A’ and information regarding device ‘Host W. Therefore, the analysis unit 6 can analyze whether or not it is possible to derive a fact that is the end point from a fact that is the start point for the focused pair, without deriving facts related to devices other than the device that is the start point and the device that is the end point or deriving the same facts repeatedly. In other words, by restricting facts to be referenced as described above, the analysis unit 6 can analyze whether or not it is possible to derive a fact that is the end point from a fact that is the start point without deriving redundant facts.
At the time of starting the analysis of whether or not it is possible to derive a fact that is the end point by focusing on a single pair, the analysis unit 6 regards a fact generated from the information regarding the device that is the start point and the information regarding the device that is the end point, and the fact that is the start point as the existing facts. The analysis unit 6 does not include facts generated by the fact generation unit 4 from information regarding devices other than the device that is the start point and device that is the end point to the existing facts. The analysis unit 6 determines whether or not a fact that matches the condition of the analysis rule is included in the existing facts. Then, the analysis unit 6 derives a new fact based on the analysis rules when the respective facts that match the respective conditions included in the analysis rule exist in the existing facts. The analysis unit 6 adds the derived new fact to the existing facts. The analysis unit 6 repeats this operation. The analysis unit 6 determines that it is possible to derive a fact that is the end point from a fact that is the start point when the derived new fact matches the fact that is the end point in the focused pair.
Hereinafter, a more detailed explanation of an example of the operation of the analysis unit 6 to derive new facts will be described, referring to the analysis rule illustrated in
For example, assume that the existing facts include the three facts illustrated in
When the conditions included in the analysis rule do not match the existing facts, the analysis unit 6 will not derive a new fact based on the analysis rule. This means that the fact represented by the analysis rule will not be derived when the existing fact is premised.
The analysis unit 6 performs the same process for each analysis rule.
The analysis unit 6 repeats derivation of new facts until a new fact corresponds to the fact that is the end point in the pair that is being focused on. If the fact that is the end point in the focused pair is not obtained even after repeating the derivation of new facts until no new fact can be derived, the analysis unit 6 determines that the fact that is the end point cannot be derived from the fact that is the start point for the focused pair. This corresponds to the matter where no attack occurs on the device that is the end point due to the attack state on the device that is the start point.
The analysis unit 6 may use other methods to analyze whether it is possible to derive the fact that is the end point from the fact that is the start point. In this case, when the analysis unit 6 is able to determine that the fact that is the end point cannot be derived from the fact that is the start point, the analysis unit 6 may terminate the analysis for the pair.
Next, generation of attack patterns will be described. When the analysis unit 6 determines that it is possible to derive a fact that is the end point from the fact that is the start point, the analysis unit 6 generates an attack pattern for the pair of facts. As described above, the attack pattern is information that includes at least an attack condition, an attack result, and an attack means. Here, the attack condition is a pair of the attack state and privileges at the start point, and the attack result is a pair of the attack state and privileges at the end point. The attack means is vulnerability or an attack method (for example, ArpSpoofing etc.) that an attacker uses to attack. The attack pattern may include information other than an attack condition, an attack result and an attack means.
As mentioned above, the attack condition is a pair of an attack state and privileges at the start point, and the attack result is a pair of an attack state and privileges at the end point. The attack condition can be identified from the attack state and privileges included in the fact that is the start point. The attack result can be identified from the attack state and privileges included in the fact that is the end point.
The pattern overview is a summarized description of the attack pattern. In
The attack risk is a value that indicates the degree of impact of an attack on the system to be diagnosed.
The user involvement indicates whether the attack requires an operation by the attacker himself or herself from the local environment, for example, through USB (Universal Serial Bus).
As mentioned above, the attack means is vulnerability or an attack method (for example, ArpSpoofing etc.) that an attacker uses to attack.
There are two main types of security vulnerabilities. The first is vulnerability caused by software or device (routers, etc.) problems. Information on this vulnerability is collected and classified by various organizations, and the vulnerabilities are numbered accordingly. As an example, in the common vulnerability identifier CVE, an identifier in the form of “CVE-****-****” is assigned to each discovered vulnerability. The second is a vulnerability caused by a protocol specification. Examples of the vulnerability are “FTP (File Transfer Protocol) malicious use”, “Telnet malicious use” and “SMB (Server Message Block) malicious use”, etc.
In the example embodiment of the present invention, the vulnerabilities include the first vulnerability and the second vulnerability.
The segment is a path between a device and other devices in the system to be diagnosed, and a path between a device and itself. To each segment in the system to be diagnosed, identification information is assigned in advance. “S1” and so on, shown as a segment illustrated in
In the attack pattern, an attack means is defined according to the analysis rule used to derive the fact that is the end point. However, the attack means may be predetermined for a pair of an attack state and an attack result.
In the attack pattern, the segment is defined according to the fact that is the start point and the fact that is the end point.
A table in which the attack means defined according to the analysis rule used to derive the fact that is the end point is set to be pending, the segment is set to be pending, and other matters being not pending that are included in the attack pattern are stored is called a pattern table. The pattern table is predetermined and stored in the pattern table storage unit 11.
When the analysis unit 6 determines that it is possible to derive the fact that is the end point from the fact that is the start point, the analysis unit 6 searches the pattern table (refer to
In the pattern table illustrated in
In the above, examples of the operation of identifying the attack means have been shown, using the analysis rule illustrated in
In some cases, such as the record “3” shown in
When identifying the segment, the analysis unit 6 may identify the identification information of the segment that shows the path from the device included in the fact that is the start point to the device included in the fact that is the end point.
When the analysis unit 6 determines that it is possible to derive the fact that is the end point from the fact that is the start point, the analysis unit 6 generates an attack pattern that includes the attack state and privileges included in the fact that is the start point, the attack state and privileges included in the fact that is the end point, the decided information included in the record corresponding to the analysis rule used to derive the fact that is the end point, and the attack means and the segment identified described above.
Here, the attack condition included in the generated attack pattern corresponds to the attack state and privileges included in the fact that is the start point, and the attack result included in the attack pattern corresponds to the attack state and privileges included in the fact that is the end point.
The analysis unit 6 generates one or more pairs of a fact that is the start and a fact that is the end point. Therefore, it is possible that the same record may be retrieved from the pattern table multiple times. In such a case, the analysis unit 6 can identify the pending matter in the record each time it is retrieved, and add the newly identified matter to the attack pattern. This is also the case in the second example embodiment described below.
The analysis unit 6 stores the generated attack pattern in the attack pattern storage unit 7. The attack pattern storage unit 7 is a storage device that stores the attack patterns.
The display control unit 8 displays each attack pattern generated by the analysis unit 6 on the display device 9. The display control unit 8 can read each attack pattern from the attack pattern storage unit 7 and display each attack pattern on the display device 9.
The display device 9 is a device that displays information, and can be a general display device. When the analysis system 1 exists in the cloud, the display device 9 may be a display device of a terminal connected to the cloud.
The data collection unit 2 is realized by the CPU (Central Processing Unit) of a computer that operates according to the analysis program and the communication interface of the computer, for example. For example, the CPU can read the analysis program from a program storage medium such as a program storage device, etc. of the computer, and operate as the data collection unit 2 according to the analysis program and using the communication interface. In addition, the fact generation unit 4, analysis unit 6, and display control unit 8 can be realized by the CPU of the computer operating according to the analysis program, for example. For example, the CPU reads the analysis program from the program recording medium as described above, and operates as the fact generation unit 4, analysis unit 6, and display control unit 8 according to the analysis program. For example, the data storage unit 3, the analysis rule storage unit 5, the pattern table storage unit 11 and the attack pattern storage unit 7 are realized by the storage device provided by the computer.
Next, the processing process will be described.
First, the data collection unit 2 collects information regarding each device included in the system to be diagnosed (step S1). The data collection unit 2 stores the collected data in the data storage unit 3.
Next, the fact generation unit 4 generates one or more facts based on the information regarding each device (step S2).
Next, the analysis unit 6 generates a combination of one of the devices, one of the multiple types of attack states, and one of the privileges that can correspond to the attack state as the fact that is the start point of the attack graph. Similarly, the analysis unit 6 generates a combination of one of the devices, one of the multiple types of attack states, and one of the privileges that can correspond to the attack state as a fact that is the end point of the attack graph (step S3).
Next, the analysis unit 6 generates one or more pairs of a fact that is the start point of the attack graph and a fact that is the end point of the attack graph (step S4).
Next, the analysis unit 6 determines whether all the pairs generated in step S4 have already been selected in step S6 (step S5). When there are unselected pairs (No in step S5), the process moves to step S6. When the process first moves to step S5 from step S4, not a single pair has been selected. Therefore, in this case, the process moves to step S6.
In step S6, the analysis unit 6 selects one of the pairs generated in step S4 that has not yet been selected.
Following step S6, the analysis unit 6 sifts through the facts (step S6a). In step S6a, the analysis unit 6 selects facts to be used in the analysis of step S7, and does not select facts that are not used in the analysis of step S7. Specifically, the analysis unit 6 selects the fact generated from the information regarding the device that is the start point and the information regarding the device that is the end point, and the fact that is the start point. The analysis unit 6 does not select a fact generated based on information regarding a device that does not correspond to either the device that is the start point or the device that is the end point. The fact generated based on information regarding a device that does not correspond to either the device that is the start point or the device that is the end point is not used in the analysis of step S7.
After step S6a, the analysis unit 6 analyzes whether or not it is possible to derive the fact that is the end point from the fact that is the start point for the selected pair (step S7). At the start of step S7, the analysis unit 6 regards a fact generated from the information regarding the device that is the start point and the information regarding the device that is the end point, and the fact that is the start point (i.e., the fact selected in step S6a) as the existing facts (facts for reference). Then, when the analysis unit 6 derives a new fact based on the analysis rule, the analysis unit 6 adds the new fact to the above existing facts (facts for reference). The analysis unit 6 analyzes whether or not it is possible to derive the fact that is the end point by repeating the derivation of a new fact based on the existing facts (facts for reference) and the analysis rule.
When the fact that is the end point in the selected pair cannot be obtained even after repeating the derivation of a new fact until no new facts can be derived, the analysis unit 6 determines that the fact that is the end point cannot be derived from the fact that is the start point.
When the fact that is the end point cannot be derived from the fact that is the start point (No of step S8), the analysis unit 6 repeats the process from step S5.
When the fact that is the end point can be derived from the fact that is the start point (Yes of step S8), the analysis unit 6 generates an attack pattern for the selected pair and stores the attack pattern in the attack pattern storage unit 7 (step S9). After step S9, the analysis unit 6 repeats the process from step S5.
When the analysis unit 6 determines that all the pairs generated in step S4 have already been selected in step S6 (Yes of step S5), the display control unit 8 reads each attack pattern stored in the attack pattern storage unit 7, and displays each attack pattern on the display device 9 (Step S10, refer to
According to the present example embodiment, the analysis unit 6 generates an attack pattern that includes at least the attack condition, the attack result, and the attack means. Therefore, such attack patterns can be presented to a security administrator (hereinafter referred to simply as administrator). Therefore, the analysis results of attacks on the system to be diagnosed can be presented to the administrator in an easy-to-understand manner.
In the above example embodiment, a case where the generated attack pattern includes the pattern number, the pattern overview, the attack risk, the user involvement, and the segment as well as the attack condition, the attack result, and the attack means has been shown. The attack pattern includes the attack condition, the attack result, and the attack means, and may include some of the pattern number, the pattern overview, the attack risk, the user involvement, and the segment. The attack pattern may also include other information different from the example shown, such as pattern overview, as long as it contains the attack condition, the attack result, and the attack means. This is also the case in the second example embodiment described below.
As a result of the analysis, an attack graph generated based on the facts generated by the fact generation unit 4 and the analysis rules could be presented to the administrator. However, as the number of devices included in the system to be diagnosed increases, the amount of computation required to generate the attack graph increases, and the number of nodes included in the attack graph becomes huge.
Even if an attack graph including a huge number of nodes is presented to the administrator, it may not be easy for the administrator to grasp the analysis results of the attacks on the system to be diagnosed.
In the present example embodiment, the attack patterns including at least the attack condition, attack result, and attack means are presented to the administrator, so that the administrator can easily understand the analysis results of the attacks on the system to be diagnosed.
The analysis unit 6 may first generate combinations that exclude privileges as the fact that is the start point and the fact that is the end point, analyze whether it is possible to derive the fact that is the end point from the fact that is the start point, and when it is determined that it is possible to derive the fact that is the end point from the fact that is the start point, the analysis unit 6 may newly generate a combination including the device, attack state, and privileges for the fact that is the start point and the fact that is the end point. Then, the analysis unit 6 may analyze whether or not it is possible to derive the fact that is the end point from the fact that is the start point again. This process can efficiently generate an attack pattern while preventing redundant analysis that may occur when generating a combination that excludes privileges for the fact that is the start point or the fact that is the end point. When generating combination that exclude privileges as the fact that is the start point or the end point, it is sufficient to exclude privileges from the attack condition and the attack result in the pattern table as well.
The analysis system of the second example embodiment of the present invention is input with an attack graph and the analysis rules used to derive the facts corresponding to the nodes included in the attack graph. Then, based on the attack graph, the analysis system of the second example embodiment determines pairs of combination nodes, which are nodes that indicate combinations of devices, attack states, and privileges, and generates an attack pattern for each pair of combination nodes. The attack pattern is the same as the attack pattern in the first example embodiment.
The attack graph for the system to be diagnosed and the analysis rules used to derive the facts corresponding to the nodes included in the attack graph are input to the input unit 12. The input unit 12 is realized by an input device (e.g., a data reader that reads data recorded on a recording medium) that serves as an input interface for the attack graph and each analysis rule. The analysis unit 6 receives the input of the attack graph and each analysis rule via the input unit 12.
The attack graphs that are input to the input unit 12 are generated in advance.
The input attack graph includes nodes corresponding to facts generated based on information about each device in the system to be diagnosed, and nodes corresponding to facts generated based on already-generated nodes and analysis rules. In
In
The attack graph also includes a plurality of combination nodes. A combination node is a node that represents a combination of a device, an attack state, and privileges. In other words, a combination node is a node that corresponds to a fact that corresponds to a combination of a device, an attack state, and privileges. The device indicated by a node is represented, for example, by a device ID. In addition, the attack state and the privileges are the same as the attack state and the privileges shown in the first example embodiment. In
When the analysis unit 6 receives the input of the attack graph and each analysis rule via the input unit 12, it searches for all pairs of a combination node and the next combination node of the combination node from the attack graph. When searching for pairs of combination nodes, the analysis unit 6 searches for pairs consisting of two combination nodes so that the condition that there are no other combination nodes on the path between the two combination nodes is satisfied. For example, when the attack graph illustrated in
Pairs that do not satisfy the above conditions include, for example, a pair of combination nodes 91, 94. There are other combination nodes 92 on the path between the combination nodes 91, 94 (refer to
Of the two paired combination nodes, the upstream combination node in the attack graph is denoted as a start point combination node. Of the two paired combination nodes, the downstream combination node in the attack graph is denoted as an end point combination node. For example, in a pair consisting of combination nodes 91, 92, the combination node 91 is the start point combination node, and the combination node 92 is the end point combination node.
The analysis unit 6 generates an attack pattern (at least, information that includes the attack condition, attack result, and attack means) for each obtained pair.
When focusing on one pair of combination nodes, the analysis unit 6 generates an attack pattern based on the attack state and the privileges indicated by the start point combination node in the pair, the attack state and the privileges indicated by the end point combination node in the pair, and the analysis rule used to derive the fact corresponding to the end point combination node. The analysis rule used to derive the fact corresponding to the end point combination node is associated with that end point combination node. Therefore, the analysis unit 6 is able to identify the analysis rule used to derive the fact corresponding to the end point combination node.
The operation of generating the attack pattern based on the attack state and the privileges indicated by the start point combination node in the pair, the attack state and the privileges indicated by the end point combination node in the pair, and the analysis rule used to derive the fact corresponding to the end point combination node is same as the operation of generating the attack pattern based on the attack state and privileges included in the fact that is the start point, the attack state and privileges included in the fact that is the end point, and the analysis rule used to derive the fact that is the end point in the first example embodiment. In other words, the analysis unit 6 searches a record, from the pattern table (refer to
The analysis unit 6 determines the attack means included in the attack pattern based on the analysis rule used to derive the fact corresponding to the end point combination node in the pair. This operation is similar to the operation of determining the attack means based on the analysis rule in the first example embodiment. In the first example embodiment, the operation of determining the attack means based on the analysis rules is described, for example, with reference to
In some cases, such as the record “3” shown in
When identifying a segment, the analysis unit 6 may identify the identification information of the segment that indicates the route from the device indicated by the start point combination node in the pair to the device indicated by the end point combination node in the pair.
The analysis unit 6 then generates an attack pattern that includes the determined information included in the searched record and the identified attack means and the segment.
Here, the attack condition included in the generated attack pattern is the attack state and privileges indicated by the start point combination node in the pair, and the attack result included in the attack pattern is the attack state and privileges indicated by the end point combination node in the pair.
The analysis unit 6 stores the attack pattern generated for each pair of combination nodes in the attack pattern storage unit 7.
In the second example embodiment, the analysis unit 6 and the display control unit 8 are realized, for example, by a CPU of a computer that operates according to an analysis program. For example, the CPU can read the analysis program from a program storage medium such as a program storage device of the computer, and operate as the analysis unit 6 and display control unit 8 according to the analysis program. The pattern table storage unit 11 and the attack pattern storage unit 7 are realized, for example, by the storage device provided by the computer.
Next, the processing process will be described.
First, the analysis unit 6 receives the input of the attack graph and each analysis rule via the input unit 12 (Step S21).
The analysis unit 6 searches for all pairs of a combination node and the next combination node, from the attack graph (Step S22).
Next, the analysis unit 6 determines whether or not all the pairs of combination nodes obtained in step S22 have been selected in step S24 (step S23). If there are unselected pairs (No in Step S23), the process moves to Step S24.
In step S24, the analysis unit 6 selects one of the pairs of combination nodes obtained in step S22 that has not yet been selected.
Next, the analysis unit 6 generates an attack pattern for the pair selected in step S24, and stores the attack pattern in the attack pattern storage unit 7 (step S25). After step S25, the analysis unit 6 repeats the process from step S23.
If the analysis unit 6 determines that all the pairs of combination nodes obtained in step S22 have already been selected in step S24 (Yes in step S23), the display control unit 8 reads each attack pattern stored in the attack pattern storage unit 7 and displays each attack pattern on the display device 9 (Step S26).
In the second example embodiment, the analysis unit 6 generates an attack pattern that includes at least the attack condition, the attack result, and the attack means, as in the first example embodiment. Therefore, such an attack pattern can be presented to the administrator. Therefore, the analysis results of attacks on the system to be diagnosed can be presented to the administrator in an easy-to-understand manner.
The analysis system 1 of the example embodiment of the present invention is realized by a computer 1000. The operation of the analysis system 1 is stored in the auxiliary memory 1003 in the form of an analysis program. The CPU 1001 reads the analysis program from the auxiliary memory 1003, deploys the program to the main memory 1002, and executes the processes described in the above example embodiments according to the analysis program.
The auxiliary memory 1003 is an example of a non-transitory tangible medium. Other examples of non-transitory tangible media are a magnetic disk, an optical magnetic disk, a CD-ROM (Compact Disk Read Only Memory), a DVD-ROM (Digital Versatile Disk Read Only Memory), a semiconductor memory, and the like, which are connected through the interface 1004. When the program is delivered to the computer 1000 through a communication line, the computer 1000 that receives the delivery may develop the program into the main memory 1002 and operate according to the program.
Some or all of the components may be realized by general-purpose or dedicated circuitry, processors, or a combination of these. They may be configured by a single chip or by multiple chips connected through a bus. Some or all of the components may be realized by a combination of the above-mentioned circuitry, etc. and a program.
When some or all of each component is realized by multiple information processing devices, circuits, etc., the multiple information processing devices, circuits, etc. may be centrally located or distributed. For example, the information processing devices, circuits, etc. may be implemented as a client-and-server system, cloud computing system, etc., each of which is connected through a communication network.
Next, a summary of the present invention will be described.
The fact generation unit 4 generates a fact which is data representing security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed.
The analysis unit 6 generates one or more pairs of a start point fact which is a fact representing possibility of attack in a device that is a start point and an end point fact which is a fact representing possibility of attack in a device that is an end point, analyzes, for each pair, whether or not it is possible to derive the end point fact from the start point fact, based on facts representing states of the devices generated based on information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generates an attack pattern that includes at least an attack condition, an attack result, and an attack means, in a case where it is possible to derive the end point fact from the start point fact.
With such a configuration, it is possible to present analysis results for the system to be diagnosed in an easy-to-understand manner.
An attack graph regarding a system to be diagnosed and analysis rules used to derive facts corresponding nodes in the attack graph are input to the input unit 12.
The analysis unit 6 searches for a pair of a combination node indicating a combination of a device, an attack state, and a privilege, and a combination node next to the combination node, and generates an attack pattern that includes at least an attack condition, an attack result, and an attack means, for each pair of combination nodes.
With such a configuration, it is possible to present analysis results for the system to be diagnosed in an easy-to-understand manner.
The example embodiments of the present invention described above may also be described as supplementary notes below, but is not limited to the following.
(Supplementary note 1)
An Analysis System Comprising:
a fact generation unit which generates a fact which is data representing security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed; and
an analysis unit which generates one or more pairs of a start point fact which is a fact representing possibility of attack in a device that is a start point and an end point fact which is a fact representing possibility of attack in a device that is an end point, analyzes, for each pair, whether or not it is possible to derive the end point fact from the start point fact, based on facts representing states of the devices generated based on information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generates an attack pattern that includes at least an attack condition, an attack result, and an attack means, in a case where it is possible to derive the end point fact from the start point fact.
(Supplementary note 2)
The analysis system according to supplementary note 1, wherein the analysis unit
generates a combination of one of the devices, one of multiple types of attack states defined in advance, and one of privileges that can correspond to the attack state, as the start point fact,
generates a combination of one of the devices, one of the multiple types of the attack states, and one of privileges that can correspond to the attack state, as the end point fact, and generates, in the case where it is possible to derive the end point fact from the start point fact, the attack pattern based on the attack state and privilege included in the start point fact, the attack state and privilege included in the end point, and an analysis rule used to derive the end point fact.
(Supplementary note 3)
The analysis system according to supplementary note 2, wherein
the analysis unit determines the attack means based on the analysis rule used to derive the end point fact, and generates the attack pattern including the attack means.
(Supplementary note 4)
The analysis system according to supplementary note 3, wherein when the attack means corresponding to a combination of the attack state and privilege included in the start point fact and the attack state and privilege included in the end point fact is defined in advance, the analysis unit generates the attack pattern including the attack means.
(Supplementary note 5)
The analysis system according to any one of supplementary notes 2 to 4, wherein
the analysis unit generates the attack pattern which includes, as the attack condition, the attack state and privilege included in the start point and includes, as the attack result, the attack state and privilege included in the end point.
(Supplementary note 6)
The analysis system according to any one of supplementary notes 1 to 5, wherein
the analysis rule includes an element corresponding a condition, and an element representing a new fact,
wherein the analysis unit repeats operation of deriving a new fact based on the analysis rule if there is an existing fact which matches the element corresponding the condition, and adding the new fact to existing facts, and
determines that it is possible to derive the end point fact from the start point fact if the new fact corresponds to the end point fact.
(Supplementary note 7)
An Analysis System Comprising:
an input unit to which an attack graph regarding a system to be diagnosed and analysis rules used to derive facts corresponding nodes in the attack graph are input; and
an analysis unit which searches for a pair of a combination node indicating a combination of a device, an attack state, and a privilege, and a combination node next to the combination node, and generates an attack pattern that includes at least an attack condition, an attack result, and an attack means, for each pair of combination nodes.
(Supplementary note 8)
The analysis system according to supplementary note 7, wherein
the analysis unit generates the attack pattern, for each pair of combination nodes, based on the attack state and privilege indicated by a start point combination node, the attack state and privilege indicated by an end point combination node, and the analysis rule used to derive the fact corresponding to the end point combination node.
(Supplementary note 9)
The analysis system according to supplementary note 8, wherein
the analysis unit determines the attack means based on the analysis rule used to derive the fact corresponding to the end point combination node, and generates the attack pattern including the attack means.
(Supplementary note 10)
The analysis system according to supplementary note 9, wherein
when the attack means corresponding to a combination of the attack state and privilege indicated by the start point combination node and the attack state and privilege indicated by the end point combination node is defined in advance, the analysis unit generates the attack pattern including the attack means.
(Supplementary note 11)
The analysis system according to any one of supplementary notes 7 to 10, wherein
the analysis unit generates the attack pattern which includes, as the attack condition, the attack state and privilege indicated by the start point combination node and includes, as the attack result, the attack state and privilege indicated by the end point combination node.
(Supplementary note 12)
The analysis system according to any one of supplementary notes 1 to 11, further comprising:
a display control unit which displays the attack pattern generated by the analysis unit on a display device.
(Supplementary note 13)
An analysis method, wherein one or more computers
generate a fact which is data representing security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed; and
generate one or more pairs of a start point fact which is a fact representing possibility of attack in a device that is a start point and an end point fact which is a fact representing possibility of attack in a device that is an end point, analyze, for each pair, whether or not it is possible to derive the end point fact from the start point fact, based on facts representing states of the devices generated based on information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generate an attack pattern that includes at least an attack condition, an attack result, and an attack means, in a case where it is possible to derive the end point fact from the start point fact.
(Supplementary note 14)
An analysis method, wherein one or more computers
receive an input of an attack graph regarding a system to be diagnosed and analysis rules used to derive facts corresponding nodes in the attack graph; and
search for a pair of a combination node indicating a combination of a device, an attack state, and a privilege, and a combination node next to the combination node, and generate an attack pattern that includes at least an attack condition, an attack result, and an attack means, for each pair of combination nodes.
(Supplementary note 15)
An analysis program causing a computer to execute:
a fact generation process of generating a fact which is data representing security situation of a system to be diagnosed, based on information regarding each device included in the system to be diagnosed; and
an analysis process of generating one or more pairs of a start point fact which is a fact representing possibility of attack in a device that is a start point and an end point fact which is a fact representing possibility of attack in a device that is an end point, analyzing, for each pair, whether or not it is possible to derive the end point fact from the start point fact, based on facts representing states of the devices generated based on information regarding the device that is the start point and information regarding the device that is the end point, the start point fact, and one or more analysis rules for analyzing the attack, and generating an attack pattern that includes at least an attack condition, an attack result, and an attack means, in a case where it is possible to derive the end point fact from the start point fact.
(Supplementary note 16)
An analysis program causing a computer to execute:
a receiving input process of receiving an input of an attack graph regarding a system to be diagnosed and analysis rules used to derive facts corresponding nodes in the attack graph; and
an analysis process of searching for a pair of a combination node indicating a combination of a device, an attack state, and a privilege, and a combination node next to the combination node, and generating an attack pattern that includes at least an attack condition, an attack result, and an attack means, for each pair of combination nodes.
Although the invention of the present application has been described above with reference to the example embodiments, the present invention is not limited to the above example embodiments. Various changes can be made to the configuration and details of the present invention that can be understood by those skilled in the art within the scope of the present invention.
The present invention is suitably applied to an analysis system that analyzes attacks on systems to be diagnosed.
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2019/038325 | 9/27/2019 | WO |