The present invention relates to a management apparatus, a management method, and a program that perform management of address information as a management target for access control via a communication network.
In recent years, cyberattacks on the government, corporations, and the like have been increasing. Accordingly, cases that cause severe damage frequently occur. Defensive measures against such cyberattacks have been studied.
For example, as an example of the defensive measures, there are measures to repel cyberattacks, utilizing cyber threat intelligence (hereinafter also referred to as CTI). CTI is threat information gathering the origins of attacks, types, techniques, and the like of cyberattacks targeting the government and corporations. The government and corporations take countermeasures to forestall cyberattacks by utilizing CTI.
In CTI, pieces of information such as an IP address of the origin of an attack and a hash value indicating malware are mainly used. Such pieces of information are referred to as a block list, for example. In other words, the government and corporations use such a block list as, for example, an access control list (ACL) of a firewall, that is, a list of IP addresses to be repelled.
As a technique of generating an appropriate block list, for example, PTL 1 discloses that an attack type, an address of the origin of an attack, and the number of times of attacks are calculated from threat information and the like, and that an address of the origin of an attack that satisfies a condition of exceeding a certain estimate cover rate can be registered in a block list.
[PTL 1] JP 2019-004339 A
However, the block list may have a considerable volume. Thus, if all of the pieces of address information included in the block list are continuously managed as targets of access control, for example, performance of a firewall may deteriorate.
An example object of the present invention is to provide a management apparatus, a management method, and a program that enable appropriate management of address information that may be a target of access control.
According to an example aspect of the present disclosure, a management apparatus includes: an obtain section configured to obtain address information as a management target for access control via a communication network; and a setting section configured to set, for the address information, an effective management period of the management target for the access control, based on information related to the address information.
According to an example aspect of the present disclosure, a management method includes: obtaining address information as a management target for access control via a communication network; and setting, for the address information, an effective management period of the management target for the access control, based on information related to the address information.
According to an example aspect of the present disclosure, a program causes a computer to execute: obtaining address information as a management target for access control via a communication network; and setting, for the address information, an effective management period of the management target for the access control, based on information related to the address information.
According to an example aspect of the present disclosure, it is possible to appropriately manage address information that may be a target of access control. Note that the present disclosure may exert other advantageous effects instead of the above advantageous effects or together with the above advantageous effects.
Hereinafter, example embodiments of the present invention will be described in detail with reference to the accompanying drawings. Note that, in the Specification and drawings, elements to which similar descriptions are applicable are denoted by the same reference signs, and overlapping descriptions may hence be omitted.
Descriptions will be given in the following order.
1. Overview of Example Embodiments of Present Invention
2. First Example Embodiment
3. Second Example Embodiment
4. Other Example Embodiments
First, an overview of example embodiments of the present invention will be described.
In recent years, cyberattacks on the government, corporations, and the like have been increasing. Accordingly, cases that cause severe damage frequently occur. Defensive measures against such cyberattacks have been studied.
For example, as an example of the defensive measures, there are measures to repel cyberattacks, utilizing cyber threat intelligence (hereinafter also referred to as CTI). CTI is threat information gathering the origins of attacks, types, techniques, and the like of cyberattacks targeting the government and corporations. The government and corporations take countermeasures to forestall cyberattacks by utilizing CTI.
In CTI, pieces of information such as an IP address of the origin of an attack and a hash value indicating malware are mainly used. Such pieces of information are referred to as a block list, for example. In other words, the government and corporations use such a block list as, for example, an access control list (ACL) of a firewall, that is, a list of IP addresses to be repelled.
However, the block list may have a considerable volume. Thus, if all of the pieces of address information included in the block list are continuously managed as targets of access control, for example, performance of a firewall may deteriorate.
In particular, having the IP address of the origin of an attack identified is fatal to cyberattackers, and thus such an IP address is rarely used continuously. It is therefore highly likely that the IP address of the origin of an attack is discarded immediately after the attack, in other words, that the cyberattacker carries out a new attack using another IP address. It is hence highly likely that the generated block list immediately becomes obsolete.
In view of this, the present example embodiments have an example object to appropriately manage address information that may be a target of access control. More specifically, the present example embodiments have an example object to appropriately determine whether or not management of address information that may be a target of access control is still effective.
In the example embodiments of the present invention, address information as a management target for access control via a communication network is obtained, and an effective management period of the management target for the access control is set for the address information, based on information related to the address information.
With this configuration, for example, the address information that may be a target of the access control can be appropriately managed. Note that the technical features described above are a specific example of the example embodiments of the present invention, and as a matter of course, the example embodiments of the present invention are not limited to the technical features described above.
Next, with reference to
With reference to
The network communication section 110 receives a signal from a network and transmits a signal to the network.
The storage section 120 temporarily or permanently stores programs (instructions) and parameters for operations of the management apparatus 100a as well as various data. The programs include one or more instructions for the operations of the management apparatus 100a.
The processing section 130 provides various functions of the management apparatus 100a. The processing section 130 includes an address information obtain section 131, a setting section 133, a risk information obtain section 135, a determining section 137, and a generation section 139. Note that the processing section 130 may further include constituent elements other than these constituent elements. In other words, the processing section 130 may also perform operations other than the operations of these constituent elements. Specific operations of the address information obtain section 131, the setting section 133, the risk information obtain section 135, the determining section 137, and the generation section 139 will be described later in detail.
The network communication section 110 may be implemented with a network adapter and/or a network interface card, and the like. The storage section 120 may be implemented with a memory (e.g., a nonvolatile memory and/or a volatile memory) and/or a hard disk, and the like. The processing section 130 may be implemented with one or more processors. The address information obtain section 131, the setting section 133, the risk information obtain section 135, the determining section 137, and the generation section 139 may be implemented with the same processor, or may be separately implemented with different processors. The memory (storage section 120) may be included in the one or more processors or may be provided outside the one or more processors.
The management apparatus 100a may include a memory that stores programs (instructions), and one or more processors that can execute the programs (instructions). The one or more processors may execute the programs to thereby perform the operations of the processing section 130 (operations of the address information obtain section 131, the setting section 133, the risk information obtain section 135, the determining section 137, and/or the generation section 139). The programs may be programs for causing the processor(s) to execute the operations of the processing section 130 (operations of the address information obtain section 131, the setting section 133, the risk information obtain section 135, the determining section 137, and/or the generation section 139).
Next, an operation example according to the first example embodiment will be described.
According to the first example embodiment, the management apparatus 100a (address information obtain section 131) obtains address information as a management target for access control via a communication network. The management apparatus 100a (setting section 133) sets, for the address information, an effective management period of the management target for the access control, based on information related to the address information.
According to the first example embodiment, by setting the effective management period of the management target for the access control for the address information, the address information that may be a target of the access control can be appropriately managed.
Specifically, examples of the address information include pieces of information (an IP address, a domain name, and the like) included in threat information as described below. The threat information is a list that suggests cyberattacks, that is, a list of pieces of information related to attacks.
The threat information 200 described above is, for example, collected by the address information obtain section 131. In other words, the address information obtain section 131 receives the threat information 200 through crawling for automated collection, or receives the threat information 200 from another system. For example, the address information obtain section 131 causes the storage section 120 to store the collected threat information 200.
The information related to the address information includes, for example, location information assigned to the address. Specifically, examples of the location information assigned to the address information include country information and area information specified based on the address information (for example, the IP address) and the like.
The information related to the address information may include attack history information related to a cyberattack from a network node specified by the address information.
Specifically, the attack history information is history information acquired based on a plurality of pieces of threat information having different obtaining paths and obtaining timings, as will be specifically described later. More specifically, the attack history information includes information related to the number of appearances (hereinafter also referred to as the appearance frequency) of the address information in the plurality of pieces of threat information collected at a plurality of observation points on the communication network. For example, an address collected as threat information by a plurality of observation points can be determined to be highly likely to be the origin of a cyberattack. Each of the observation points is, for example, specified by the type included in the threat information 200 illustrated in
Note that the attack history information may include information (attack frequency) related to the number of times of attacks of the cyberattacks in a predetermined period.
The effective management period includes a period from a time point when the address information becomes the management target to a time point when the address information is to be excluded from the management target. Such a period corresponds to, specifically, an effective management period for a hard timeout, in which validity forcibly expires at the designated time.
The effective management period may include a period from a time point when last communication is performed from the network node specified by the address information to a time point when the address information is to be excluded from the management target. Such a period corresponds to, specifically, an effective management period for an idle timeout, in which validity is extended if there is an access that satisfies a predetermined condition from the network node before the designated time.
As the first specific example, setting processing of the effective management period for a hard timeout will be described.
First, with reference to
Next, the management apparatus 100a (setting section 133) refers to geopolitical risk information, and specifies a risk value associated with the location information (for example, the country information) assigned to the address information (Step S303). Here, the geopolitical risk information is, for example, information that is updated on a monthly or daily basis, and includes a geopolitical risk value of each country. Such information is, for example, obtained by the risk information obtain section 135, and is stored in the storage section 120.
Next, the management apparatus 100a (setting section 133) sets the effective management period for a hard timeout, based on the risk value associated with the location information (Step S305). For example, the set effective management period for a hard timeout is stored in the storage section 120. With this, the processing illustrated in
In contrast, a case 420 is an example of the effective management period for a hard timeout that is calculated based on the risk value at a time point (October 20xx) eight months after the case 410. In the case 420, in comparison to the case 410, the risk value of “country X”, the country assigned to the IP address, is higher, in other words, the risk value changes from “81.94” to “210.6”, and the effective management period for a hard timeout is thus set to “231.3 days”.
In the example illustrated in
In this manner, according to the first specific example, the management apparatus 100a (setting section 133) can appropriately set the effective management period for a hard timeout by taking the geopolitical risk information into consideration.
With reference to
With reference to
Next, the management apparatus 100a (setting section 133) calculates the appearance frequency of addresses (for example, IP addresses) included in the address information as a setting target of the effective management period, based on the plurality of pieces of threat information (Step S503).
Next, the management apparatus 100a (setting section 133) sets the effective management period for an idle timeout, based on the calculated appearance frequency of the addresses (Step S505). For example, it is assumed that the higher the appearance frequency, the higher the risk, in other words, the greater the necessity of treating the address as an access control target. Thus, the higher the appearance frequency of an address, the longer the management apparatus 100a (setting section 133) sets its effective management period for an idle timeout. In a case of application to the calculation case 600 illustrated in
For example, the set effective management periods for an idle timeout are stored in the storage section 120. With this, the processing illustrated in
For example, in addition to the first and second specific examples described above, various modifications can be made. For example, the management apparatus 100a (setting section 133) may calculate the effective management period for a hard timeout based on the appearance frequency of addresses, or may calculate the effective management period for an idle timeout based on the geopolitical risk information.
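As an added illustration of the two specific examples above (this is example code written for this page, not the patent's own implementation), the following Python sketches a setting section that derives the hard-timeout period from a geopolitical risk value looked up via the country assigned to an address, and the idle-timeout period from the appearance frequency of the address across several observation points. The threat feeds, the address-to-country lookup, the risk table and both mapping formulas are constructed assumptions; the text states only that a higher risk value and a higher appearance frequency should yield a longer period.

```python
from datetime import timedelta

# Constructed sample threat information from three observation points (different
# obtaining paths); each list holds the addresses that point reported. The
# addresses come from documentation ranges and carry no meaning.
THREAT_FEEDS = {
    "feed_a": ["203.0.113.10", "198.51.100.7", "203.0.113.10"],
    "feed_b": ["203.0.113.10", "192.0.2.44"],
    "feed_c": ["198.51.100.7", "203.0.113.10"],
}

# Constructed location lookup (address -> country) and geopolitical risk table
# (country -> risk value). A real risk table is refreshed monthly or daily.
IP_COUNTRY = {
    "203.0.113.10": "country X",
    "198.51.100.7": "country Y",
    "192.0.2.44": "country Y",
}
GEO_RISK = {"country X": 81.94, "country Y": 25.0}


def appearance_frequency(feeds, address):
    """Number of observation points whose threat information lists the address.

    Each observation point counts once however often it repeats the address,
    so the value reflects independent sightings rather than feed noise.
    """
    return sum(1 for entries in feeds.values() if address in entries)


def hard_timeout_days(risk_value, base_days=30.0, days_per_risk_point=1.0, cap_days=365.0):
    """Effective management period for a hard timeout from a geopolitical risk value.

    Assumed linear mapping with a cap: the source only says that a higher risk
    value yields a longer period, it does not give the formula.
    """
    return min(cap_days, base_days + days_per_risk_point * risk_value)


def idle_timeout_days(frequency, days_per_observation_point=7.0):
    """Effective management period for an idle timeout from the appearance frequency.

    Assumed proportional mapping: an address seen by more observation points is
    treated as a more likely attack origin and is kept longer after its last access.
    """
    if frequency < 1:
        raise ValueError("address does not appear in any threat information")
    return days_per_observation_point * frequency


def set_effective_periods(address, feeds=THREAT_FEEDS, ip_country=IP_COUNTRY, geo_risk=GEO_RISK):
    """Correspondence between an address and both of its effective management periods."""
    country = ip_country[address]
    risk_value = geo_risk[country]
    frequency = appearance_frequency(feeds, address)
    return {
        "address": address,
        "country": country,
        "risk_value": risk_value,
        "appearance_frequency": frequency,
        "hard_timeout": timedelta(days=hard_timeout_days(risk_value)),
        "idle_timeout": timedelta(days=idle_timeout_days(frequency)),
    }


if __name__ == "__main__":
    for ip in IP_COUNTRY:
        print(set_effective_periods(ip))
```

The two periods are computed independently on purpose: the hard timeout depends only on where the address is assigned, so it changes when the risk table is refreshed, while the idle timeout depends only on how many independent observation points reported the address, so it changes as new threat information arrives.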
Next, with reference to
With reference to
Next, the management apparatus 100a (setting section 133) accesses the storage section 120, and determines whether or not the effective management period for an idle timeout has been set regarding the address information as a setting target of the effective management period, for example (Step S707). Then, when the effective management period for an idle timeout has been set (S707: Yes), the management apparatus 100a (setting section 133) updates the effective management period for an idle timeout (Step S709), and terminates the processing illustrated in
The management apparatus 100a (determining section 137) may determine whether or not communication can be performed with the network node specified by the address information.
With reference to
Next, the management apparatus 100a (determining section 137) determines whether or not communication to the IP address can be performed (Step S903). Specifically, the management apparatus 100a (determining section 137) may determine whether or not communication to the IP address can be performed by using a typical communication check tool such as ping or traceroute. Note that other communication check tools besides the above examples may also be used.
When it is determined that communication can be performed (S903: Yes), the management apparatus 100a (determining section 137) registers information indicating that communication can be performed (Step S905). In other words, information indicating that communication can be performed is stored in the storage section 120. With this, the processing illustrated in
In contrast, when it is determined that communication cannot be performed (S903: No), the management apparatus 100a (determining section 137) registers information indicating that communication cannot be performed (Step S907). In other words, information indicating that communication cannot be performed is stored in the storage section 120. With this, the processing illustrated in
As illustrated in
The management apparatus 100a (generation section 139) generates information indicating correspondence between the address information and the effective management period set for the address. The information generated as described above is stored in the storage section 120, and thereby the information is managed.
Next, the management apparatus 100a (setting section 133) sets the effective management period for a hard timeout related to the address information, based on the geopolitical risk information and the like (S1107). The set effective management period is stored (registered) in the storage section 120. Next, the management apparatus 100a (setting section 133) sets the effective management period for an idle timeout related to the address information, based on the threat information and the like (S1109). The set effective management period is stored (registered) in the storage section 120.
Next, the information indicating the correspondence between the address information and the effective management period, which is the information generated by the management apparatus 100a (generation section 139), is stored (registered) in the storage section 120 as information related to the effective management period (S1111). Subsequently, the processing illustrated in
According to the processing illustrated in
In addition, by utilizing the latest threat information, the management apparatus 100a can manage the effective management period by taking update of each of the effective management periods described above and information indicating whether or not communication to the IP address can be performed into consideration. In this manner, the management apparatus 100a can appropriately manage validity of the block list, for example.
Next, with reference to
Specifically, the management apparatus 100b (management control section 141) performs processing of excluding the address information from the management target in a case that the effective management period set for the address information elapses.
As an example, the management apparatus 100b (management control section 141) activates a timer function for the hard timeout and the idle timeout set for the IP address, and when the respective effective management periods have elapsed, the management apparatus 100b (management control section 141) instructs a security device (for example, a device constituting a firewall) capable of communicating with the management apparatus 100b to delete the IP address from the block list.
When information related to the effective management period is registered (S1311), for example, the management apparatus 100b (management control section 141) manages the effective management periods such as by activating a timer function for the hard timeout and the idle timeout (S1313). Then, the management apparatus 100b (management control section 141) performs access control, such as instructing a security device to delete the IP address, based on the timer function (S1315).
According to the processing illustrated in
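The management control processing described above, as an added example that is not part of the original document: a block-list entry carries both effective management periods, the hard timeout is measured from registration and is never extended, the idle timeout is measured from the last observed access and moves forward when access is observed before it fires, and a timer sweep instructs the security device to delete whichever addresses have expired. The `RecordingSecurityDevice` stand-in for the firewall, the entry layout and the scenario in `demo()` are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class BlockEntry:
    """One block-list entry with the two effective management periods set for it."""
    address: str
    registered_at: datetime    # time point the address became a management target
    last_access_at: datetime   # last communication observed from the address
    hard_timeout: timedelta    # expires at registered_at + hard_timeout, never extended
    idle_timeout: timedelta    # expires at last_access_at + idle_timeout, extended on access

    def hard_expiry(self):
        return self.registered_at + self.hard_timeout

    def idle_expiry(self):
        return self.last_access_at + self.idle_timeout

    def expiry(self):
        # Whichever period elapses first removes the address from the management target.
        return min(self.hard_expiry(), self.idle_expiry())


class RecordingSecurityDevice:
    """Constructed stand-in for the firewall the management apparatus instructs."""

    def __init__(self):
        self.acl = set()
        self.commands = []

    def add(self, address):
        self.acl.add(address)
        self.commands.append(("add", address))

    def delete(self, address):
        self.acl.discard(address)
        self.commands.append(("delete", address))


class ManagementControl:
    """Management control section: registers entries, extends idle timers, expires entries."""

    def __init__(self, device):
        self.device = device
        self.entries = {}

    def register(self, entry):
        self.entries[entry.address] = entry
        self.device.add(entry.address)

    def record_access(self, address, at):
        """Access from the node before its timers fire extends the idle timeout only."""
        entry = self.entries.get(address)
        if entry is not None and at < entry.expiry():
            entry.last_access_at = at

    def sweep(self, now):
        """Timer tick: instruct the device to delete every address whose period has elapsed."""
        expired = sorted(a for a, e in self.entries.items() if now >= e.expiry())
        for address in expired:
            self.device.delete(address)
            del self.entries[address]
        return expired


def demo():
    """Constructed scenario: one entry kept alive by access, one hitting its hard timeout."""
    t0 = datetime(2020, 1, 1, tzinfo=timezone.utc)
    device = RecordingSecurityDevice()
    ctl = ManagementControl(device)
    ctl.register(BlockEntry("203.0.113.10", t0, t0, timedelta(days=10), timedelta(days=3)))
    ctl.register(BlockEntry("198.51.100.7", t0, t0, timedelta(days=4), timedelta(days=30)))
    ctl.record_access("203.0.113.10", t0 + timedelta(days=2))  # idle expiry moves to day 5
    ctl.record_access("198.51.100.7", t0 + timedelta(days=3))  # hard expiry stays at day 4
    log = []
    log.append((4, ctl.sweep(t0 + timedelta(days=4))))  # hard timeout of 198.51.100.7 fires
    log.append((5, ctl.sweep(t0 + timedelta(days=5))))  # idle timeout of 203.0.113.10 fires
    return log, sorted(device.acl), device.commands


if __name__ == "__main__":
    print(demo())
```

Because `expiry()` takes the earlier of the two deadlines, an address that keeps communicating cannot stay on the block list beyond its hard timeout, while an address that goes quiet leaves the list as soon as its idle timeout elapses, which is the property that keeps a large block list from growing stale.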
Next, with reference to
The obtain section 151 and the setting section 153 may be implemented with one or more processors, a memory (e.g., a nonvolatile memory and/or a volatile memory), and/or a hard disk. The obtain section 151 and the setting section 153 may be implemented with the same processor, or may be separately implemented with different processors. The memory may be included in the one or more processors or may be provided outside the one or more processors.
An operation example according to the second example embodiment will be described.
According to the second example embodiment, the management apparatus 100c (obtain section 151) obtains address information as a management target for access control via a communication network. The management apparatus 100c (setting section 153) sets, for the address information, an effective management period as the management target for the access control, based on information related to the address information.
As an example, the obtain section 151 and the setting section 153 included in the management apparatus 100c according to the second example embodiment may perform the operations of the address information obtain section 131 and the setting section 133 included in the management apparatuses 100a and 100b according to the first example embodiment, respectively. In this case, description regarding the first example embodiment may also be applied to the second example embodiment. Note that the second example embodiment is not limited to this example.
The second example embodiment has been described above. According to the second example embodiment, the address information that may be a target of access control can be appropriately managed.
Descriptions have been given above of the example embodiments of the present invention. However, the present invention is not limited to these example embodiments. It should be understood by those of ordinary skill in the art that these example embodiments are merely examples and that various alterations are possible without departing from the scope and the spirit of the present invention.
For example, the steps in the processing described in the Specification may not necessarily be executed in time series in the order described in the corresponding sequence diagram. For example, the steps in the processing may be executed in an order different from that described in the corresponding sequence diagram or may be executed in parallel. Some of the steps in the processing may be deleted, or more steps may be added to the processing.
An apparatus including constituent elements (e.g., the obtain section and/or the setting section) of the management apparatus described in the Specification (e.g., one or more apparatuses (or units) among a plurality of apparatuses (or units) constituting the management apparatus or a module for one of the plurality of apparatuses (or units)) may be provided. Moreover, methods including processing of the constituent elements may be provided, and programs for causing a processor to execute processing of the constituent elements may be provided. Moreover, non-transitory computer readable recording media (non-transitory computer readable media) having recorded thereon the programs may be provided. It is apparent that such apparatuses, modules, methods, programs, and non-transitory computer readable recording media are also included in the present invention.
Some or all of the above-described example embodiments can be described as in the following Supplementary Notes, but are not limited to the following.
(Supplementary Note 1)
A management apparatus including:
an obtain section configured to obtain address information as a management target for access control via a communication network; and
a setting section configured to set, for the address information, an effective management period of the management target for the access control, based on information related to the address information.
(Supplementary Note 2)
The management apparatus according to supplementary note 1, wherein
the information related to the address information includes location information assigned to the address information.
(Supplementary Note 3)
The management apparatus according to supplementary note 1, wherein
the information related to the address information includes attack history information related to a cyberattack from a network node specified by the address information.
(Supplementary Note 4)
The management apparatus according to supplementary note 3, wherein
the attack history information includes information related to the number of appearances of the address information appearing as threat information in a plurality of pieces of threat information collected by a plurality of observation points on the communication network.
(Supplementary Note 5)
The management apparatus according to any one of supplementary notes 1 to 4, further including
a determining section configured to determine whether or not communication can be performed with a network node specified by the address information, wherein
the setting section is configured to set the effective management period, based on the information related to the address information and the result of the determination.
(Supplementary Note 6)
The management apparatus according to any one of supplementary notes 1 to 5, wherein
the effective management period includes a period from a time point when the address information becomes the management target to a time point when the address information is to be excluded from the management target.
(Supplementary Note 7)
The management apparatus according to any one of supplementary notes 1 to 5, wherein
the effective management period includes a period from a time point when last communication is performed from the network node specified by the address information to a time point when the address information is to be excluded from the management target.
(Supplementary Note 8)
The management apparatus according to any one of supplementary notes 1 to 7, further including
a management control section configured to manage the address information as the management target, based on the effective management period.
(Supplementary Note 9)
The management apparatus according to supplementary note 8, wherein
the management control section is configured to perform processing of excluding the address information from the management target after the effective management period set for the address information elapses.
(Supplementary Note 10)
The management apparatus according to any one of supplementary notes 1 to 9, further including
a generation section configured to generate information indicating correspondence relation between the address information and the effective management period.
(Supplementary Note 11)
A management method including:
obtaining address information as a management target for access control via a communication network; and
setting, for the address information, an effective management period of the management target for the access control, based on information related to the address information.
(Supplementary Note 12)
A program for causing a computer to execute:
obtaining address information as a management target for access control via a communication network; and
setting, for the address information, an effective management period of the management target for the access control, based on information related to the address information.
In access management via a communication network, address information that may be a target of access control can be appropriately managed.
| Filing Document | Filing Date | Country | Kind |
|---|---|---|---|
| PCT/JP2019/049650 | 12/18/2019 | WO | |