The present disclosure relates to a technology of managing a system using configuration information.
When an anomaly occurs in the system, it is required to quickly deal with the anomaly that has occurred. PTL 1 discloses a technology of managing a system that operates a plurality of virtual servers using a configuration information database indicating the configuration of the servers. In particular, PTL 1 discloses that when a failure is detected, the servers including a server in which the failure is detected are identified from the configuration information database using an identifier (ID) of the server in which the failure is detected, and an operation management access to the identified servers is received.
As described above, in the technology disclosed in PTL 1, when an anomaly occurs in the system, the location where the anomaly has occurred is addressed. On the other hand, there is a concern that a similar anomaly occurs in other locations in the same system. Therefore, it is required to ascertain the locations where a similar anomaly may occur. PTL 1 does not describe how to ascertain the location where a similar anomaly may occur.
The present disclosure has been made in consideration of the problems described above, and one object of the present disclosure is to provide a management device and the like capable of ascertaining a location where an anomaly may occur in a system.
A management device according to one aspect of the present disclosure includes a storage means that stores configuration information that is related to each constituent element of a system and indicates a configuration of each of the constituent elements, a first identification means that identifies configuration information of a first constituent element which is a constituent element in which an anomaly has occurred, and a second identification means that identifies a second constituent element which is a constituent element that is related to configuration information including information common to the configuration information of the first constituent element, from the stored configuration information.
A management method according to one aspect of the present disclosure stores configuration information that is related to each constituent element of a system and indicates a configuration of each of the constituent elements, identifies configuration information of a first constituent element which is a constituent element in which an anomaly has occurred, and identifies a second constituent element which is a constituent element that is related to configuration information including information common to the configuration information of the first constituent element, from the stored configuration information.
A computer-readable storage medium according to one aspect of the present disclosure stores a program for allowing a computer to execute processing of storing configuration information that is related to each constituent element of a system and indicates a configuration of each of the constituent elements, processing of identifying configuration information of a first constituent element which is a constituent element in which an anomaly has occurred, and processing of identifying a second constituent element which is a constituent element that is related to configuration information including information common to the configuration information of the first constituent element, from the stored configuration information.
According to the present disclosure, it is possible to ascertain the location where the anomaly may occur in the system.
Hereinafter, example embodiments of the present disclosure will be described with reference to the drawings.
The outline of a management device of the present disclosure will be described.
The management device 100 manages a system including the communication device 200. The system including the communication device 200 is a system that provides a service via a network. The communication device 200 is a device constituting the system. The communication device 200 includes a network device, a server device, a storage device, and the like. The system including the communication device 200 may be, for example, a system that constructs an in-house network of a company, or a system that controls a machine tool, a sensor, or the like used in a factory. The system including the communication device 200 may be a system that constructs a network of communication lines. In the case of constructing the network of the communication lines, the communication device 200 may be, for example, a device having the function of a base station, a core, a switch, and the like, including a radio unit (RU), a distributed unit (DU), a central unit (CU), and the like.
In the present disclosure, a resource existing in the system is referred to as a constituent element. The constituent elements include hardware and software constituting the system. The hardware is, for example, a device, a central processing unit (CPU), a memory, or the like included in the device. The software is, for example, software installed in a device. That is, the communication device 200 is one of the constituent elements, and the software installed in the communication device 200 is also one of the constituent elements.
The storage unit 110 stores configuration information. The configuration information is information indicating the configuration of a constituent element of the system. For example, the configuration information of the communication device 200 includes information on the electronic components mounted on the communication device 200, a list of the software installed in the communication device 200, and the like. Configuration information of software includes, for example, information relevant to the software design, such as the software version and the libraries the software refers to.
The storage unit 110 stores configuration information related to each constituent element. At this time, for example, the storage unit 110 may store the configuration information based on input from a user who operates the management device 100. In this manner, the storage unit 110 stores the configuration information that is related to each of the constituent elements of the system and indicates the configuration of the constituent element. The storage unit 110 is an example of a storage means.
The first identification unit 120 identifies the configuration information of a constituent element in which an anomaly has occurred. For example, it is assumed that an anomaly has occurred in software executed in the communication device 200-1. In this case, for example, an alert relevant to the software in which the anomaly has occurred is sent from the communication device 200-1 to the management device 100. Based on such an alert, for example, the first identification unit 120 identifies the configuration information of the software executed in the communication device 200-1 from the configuration information stored in the storage unit 110. In the present disclosure, the constituent element in which an anomaly has occurred is also referred to as a first constituent element. In this manner, the first identification unit 120 identifies the configuration information of the first constituent element, that is, the constituent element in which an anomaly has occurred. The first identification unit 120 is an example of a first identification means.
The second identification unit 130 identifies a constituent element similar to the first constituent element using the configuration information identified by the first identification unit 120. The constituent element similar to the first constituent element is, for example, a constituent element in which the same anomaly may occur. Specifically, for example, the second identification unit 130 identifies configuration information relevant to the configuration information identified by the first identification unit 120. For example, the second identification unit 130 compares the configuration information of the first constituent element identified by the first identification unit 120 with the configuration information stored in the storage unit 110. Then, for example, as a result of the comparison, the second identification unit 130 identifies a constituent element related to configuration information including information common to the configuration information of the first constituent element. In the present disclosure, a constituent element identified by the second identification unit 130 is also referred to as a second constituent element. In this manner, the second identification unit 130 identifies the second constituent element that is a constituent element related to the configuration information including the information common to the configuration information of the first constituent element, from the stored configuration information. The second identification unit 130 is an example of a second identification means.
Next, an example of the operation of the management device 100 will be described with reference to
As described above, the management device 100 according to the first example embodiment stores the configuration information that is the information related to each of the constituent elements of the system and indicates the configuration of the constituent element, and identifies the configuration information of the first constituent element that is the constituent element in which an anomaly occurs. Then, the management device 100 identifies the second constituent element that is the constituent element related to the configuration information including the information common to the configuration information of the first constituent element, from the stored configuration information. When the configuration information of each of a plurality of constituent elements includes common information, there is a high possibility that a similar anomaly occurs in each of the constituent elements. With the above configuration, the management device 100 may identify the constituent element in which an anomaly has occurred and the constituent element in which a similar anomaly may occur. That is, the management device 100 of the first example embodiment may ascertain a location where an anomaly may occur, in the system.
Next, a management device according to a second example embodiment will be described. In the second example embodiment, the management device 100 described in the first example embodiment will be described in more detail.
The storage unit 110 stores the configuration information related to the constituent element of the system. The configuration information includes, for example, system configuration information, device configuration information, model configuration information, and software configuration information. The system configuration information is information indicating the configuration of the system. For example, the system configuration information includes information indicating each of the communication devices 200 included in the system. The device configuration information is information uniquely created for each of the communication devices 200. The device configuration information indicates information set in the communication device 200. For example, the device configuration information may include information such as an address set in the device. The storage unit 110 stores device configuration information related to each of the communication devices 200.
The model configuration information is information relevant to an element mounted on the communication device 200. The element is, for example, an electronic component such as a CPU and a memory, software, and the like. That is, the model configuration information includes, for example, information relevant to an electronic component mounted on the communication device 200 and information indicating the software installed in the communication device 200. Not limited to this, the model configuration information may include information such as a model number and a serial number of the communication device. The model configuration information may be information created for each production lot of the device. That is, the model configuration information related to the communication devices 200 produced in the same production lot may be the same. The storage unit 110 stores model configuration information related to each of the communication devices 200.
The software configuration information is information indicating the configuration of the software. Hereinafter, the software configuration information is also referred to as SW configuration information. The SW configuration information may be information created for each version of the software. The SW configuration information is, for example, a software bill of materials (SBOM). The SW configuration information may include authenticity information and vulnerability information of the software. The storage unit 110 stores SW configuration information related to each piece of software included in the communication device 200.
Here, the storage unit 110 stores related pieces of configuration information in association with each other. Associating pieces of configuration information means, for example, including in each piece of configuration information a reference by which the related configuration information can be accessed.
For example, it is assumed that an anomaly has occurred in the software of the communication device 200-1. Here, in a case where another device is of the same type as the communication device 200-1, there is a high possibility that the other device has the same software as the software in which the anomaly has occurred. As described above, by storing the constituent elements in association with each other, it is also possible to quickly identify devices of the same type as the device in which an anomaly has occurred.
As illustrated in
The first identification unit 120 identifies the constituent element in which an anomaly has occurred as the first constituent element and identifies the configuration information of the first constituent element. At this time, the first identification unit 120 identifies the constituent element in which an anomaly has occurred based on the detection result of the detection unit 140.
The detection unit 140 detects an anomaly. Specifically, the detection unit 140 detects an anomaly based on information acquired from the communication device 200. For example, the detection unit 140 may detect a failure of a constituent element of the communication device 200 from a signal periodically acquired from the communication device 200. Furthermore, for example, the detection unit 140 may detect an anomaly by acquiring, from the communication device 200, information indicating that an unauthorized access, a cyberattack, or the like against the communication device 200 has occurred. The detection unit 140 may be implemented by, for example, an intrusion detection system (IDS) or an intrusion prevention system (IPS). The method for detecting an anomaly is not limited to a specific method. Any method may be used as long as it can identify the location where the anomaly has occurred and the type of anomaly. When detecting an anomaly, the detection unit 140 may generate information relevant to the anomaly. The information relevant to the anomaly includes information indicating the constituent element in which the anomaly has occurred and the type of anomaly that has occurred. In this manner, the detection unit 140 detects an anomaly that has occurred in a constituent element of the system. The detection unit 140 is an example of a detection means.
When the detection unit 140 detects an anomaly, the first identification unit 120 sets the constituent element in which the detected anomaly has occurred as the first constituent element and identifies the configuration information related to the first constituent element. For example, when the detection unit 140 detects that an anomaly has occurred in the software installed in the communication device 200-1, the first identification unit 120 identifies the configuration information of that software from the configuration information stored in the storage unit 110.
The second identification unit 130 identifies a constituent element similar to the first constituent element as the second constituent element. First, the second identification unit 130 identifies configuration information including information common to the configuration information of the first constituent element, from the configuration information stored in the storage unit 110. For example, the second identification unit 130 compares the configuration information of the first constituent element with each piece of the configuration information stored in the storage unit 110. As a result of the comparison, the second identification unit 130 identifies the configuration information including the information common to the configuration information of the first constituent element. At this time, the second identification unit 130 may identify the same configuration information as the configuration information of the first constituent element, from the stored configuration information. For example, it is assumed that an anomaly has occurred in the behavior of the communication device 200-1. In this case, the second identification unit 130 identifies model configuration information of another device having the same model configuration information as the model configuration information of the communication device 200-1.
In addition, the second identification unit 130 may identify the configuration information in which the information relevant to an anomaly is common, among the information included in the configuration information of the first constituent element, from the stored configuration information. For example, it is assumed that in predetermined software, an anomaly has occurred in a library referred to by the predetermined software. In this case, the second identification unit 130 identifies SW configuration information of another software that refers to the predetermined library, among the stored configuration information. For example, when an anomaly has occurred in the predetermined software, the second identification unit 130 may identify SW configuration information including the same version information as version information of the predetermined software, from the stored configuration information.
The second identification unit 130 may calculate a similarity between the configuration information of the first constituent element and each piece of the configuration information stored in the storage unit 110. At this time, the second identification unit 130 determines, for example, for each item of the configuration information, whether the item matches. Then, for example, the second identification unit 130 may calculate the ratio of matched items among all the items as the similarity. As described above, the second identification unit 130 calculates the similarity based on the number of pieces of information common to the configuration information of the first constituent element and the configuration information stored in the storage unit 110. The method for calculating the similarity is not limited to this example. Then, the second identification unit 130 identifies, among the stored configuration information, a constituent element having a similarity equal to or more than a threshold value.
Then, the second identification unit 130 identifies the constituent element related to the configuration information including the information common to the configuration information of the first constituent element, as the second constituent element. The second identification unit 130 may output the information relevant to the second constituent element to a terminal (not illustrated) connected to the management device 100. For example, the second identification unit 130 may display information indicating the second constituent element such as the name, the ID, or the like of the second constituent element and the configuration information of the second constituent element on a display included in the terminal.
The countermeasure implementation unit 150 of the countermeasure implementation server 102 implements a countermeasure for an anomaly via the shared server 101. When an anomaly is detected by the detection unit 140, the countermeasure implementation unit 150 may implement a countermeasure for the constituent element in which an anomaly has occurred (that is, the first constituent element). The countermeasure implementation unit 150 may implement a countermeasure for the constituent element (that is, the second constituent element) identified by the second identification unit 130. The countermeasure implementation unit 150 may implement a countermeasure according to an instruction from the user who operates the management device 100.
For example, when an anomaly has occurred in the communication device 200-1, the countermeasure implementation unit 150 may stop a service relevant to the communication device 200-1. When an anomaly occurs in the software and there is a correction program of the software, the countermeasure implementation unit 150 may apply the correction program and update the software. At this time, the countermeasure implementation unit 150 may similarly update software (that is, the constituent elements identified by the second identification unit 130) similar to the software in which an anomaly has occurred. As described above, the countermeasure implementation unit 150 may implement, on the second constituent element, a countermeasure related to the anomaly that has occurred in the first constituent element. The countermeasure implementation unit 150 is an example of a countermeasure implementation means.
When the software is updated, the SW configuration information is changed. When the software is updated, the countermeasure implementation unit 150 updates the SW configuration information of the updated software, among the configuration information stored by the storage unit 110.
In addition, the countermeasure implementation unit 150 may implement a countermeasure in consideration of the influence on the system. For example, it is assumed that updating the software requires stopping a service provided by the software. Here, for example, the countermeasure implementation unit 150 may perform a countermeasure that allows the service provided by the software identified as the second constituent element to continue. Specifically, for example, the countermeasure implementation unit 150 may temporarily suspend the authority of an administrator of the system to change the settings of the system, or restrict the administrator from remotely connecting to the console of the system. The countermeasure that allows the service to continue may include a countermeasure that stops the service. For example, the countermeasure that allows the service to continue includes a countermeasure that has substantially little influence on the provision of the service, such as stopping the service for 1 minute or stopping the service outside the service providing time. As described above, the countermeasure implementation unit 150 may implement, on the second constituent element, a countermeasure that allows the service relevant to the second constituent element to continue.
In addition, the countermeasure implementation unit 150 may implement a countermeasure for the second constituent element based on operation information. For example, the countermeasure implementation unit 150 refers to the operation information associated with the configuration information of the second constituent element. The operation information may include a history indicating whether an inspection relevant to the anomaly has been performed. In a case where the inspection relevant to the anomaly has been performed, the countermeasure implementation unit 150 may defer the implementation of the countermeasure for the second constituent element. On the other hand, when the inspection has not been performed with respect to the second constituent element, the countermeasure implementation unit 150 may implement the countermeasure for the second constituent element. As described above, the countermeasure implementation unit 150 may determine the countermeasure to be implemented on the second constituent element according to whether the inspection relevant to the anomaly that has occurred in the first constituent element has been performed with respect to the second constituent element.
Next, an example of the operation of the management device 100 according to the second example embodiment will be described with reference to
When the detection unit 140 detects an anomaly (“Yes” in S101), the first identification unit 120 identifies the configuration information of the constituent element in which an anomaly has occurred (that is, the first constituent element) (S102). When the detection unit 140 does not detect an anomaly (“No” in S101), the management device 100 may not proceed with the processing. After the processing of S102, the countermeasure implementation unit 150 performs a countermeasure for the first constituent element (S103).
Next, the second identification unit 130 compares the configuration information of the first constituent element with the configuration information stored in the storage unit 110 (S104). When there is configuration information having a similarity equal to or more than the threshold value (“Yes” in S105), the second identification unit 130 identifies the constituent element related to the configuration information having the similarity equal to or more than the threshold value as the second constituent element (S106). Then, the countermeasure implementation unit 150 performs the countermeasure for the second constituent element (S107).
This operation example is only an example, and the operation of the management device 100 is not limited to it. For example, the processing of S103 may be performed after the processing of S104. Instead of the processing of S105 and S106, processing may be performed that identifies, as the second constituent element, a constituent element related to configuration information that shares specific information with the configuration information of the first constituent element.
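The identification steps described above (S102 and S104 to S106 with the item-ratio similarity and a threshold, and the alternative of matching on one specific piece of common information, such as a referenced library), written out as a Python example that is added here and is not part of the disclosure; the record layout, item names, identifiers and sample values are assumptions constructed for this example.

```python
from typing import Any, Dict, List, Optional, Tuple

# Constructed sample of stored SW configuration information, keyed by a
# constituent-element identifier of the form "<device>/<software>". The item
# names (name, version, lot, libs) are assumptions made for this example.
STORED_CONFIG: Dict[str, Dict[str, Any]] = {
    "dev-200-1/sw-A": {"name": "sw-A", "version": "2.1.0", "lot": "L07",
                       "libs": frozenset({"libssl-1.1", "libz-1.2"})},
    "dev-200-2/sw-A": {"name": "sw-A", "version": "2.1.0", "lot": "L07",
                       "libs": frozenset({"libssl-1.1", "libz-1.2"})},
    "dev-200-3/sw-A": {"name": "sw-A", "version": "2.0.5", "lot": "L05",
                       "libs": frozenset({"libssl-1.1", "libz-1.2"})},
    "dev-200-4/sw-B": {"name": "sw-B", "version": "1.4.2", "lot": "L07",
                       "libs": frozenset({"libssl-1.1"})},
    "dev-200-5/sw-C": {"name": "sw-C", "version": "3.0.0", "lot": "L09",
                       "libs": frozenset({"libpng-1.6"})},
}


def similarity(a: Dict[str, Any], b: Dict[str, Any]) -> float:
    """Ratio of matched items among all items (the metric the disclosure gives
    as its example). An item present in only one record counts as unmatched."""
    keys = set(a) | set(b)
    if not keys:
        return 0.0
    matched = sum(1 for k in keys if k in a and k in b and a[k] == b[k])
    return matched / len(keys)


def identify_first(alert: Dict[str, str], stored: Dict[str, Dict[str, Any]]) -> Optional[str]:
    """S102: the alert names the constituent element in which the anomaly
    occurred; return its id only if configuration information is stored for it."""
    element = alert.get("element")
    return element if element in stored else None


def identify_second_by_similarity(first_id: str, stored: Dict[str, Dict[str, Any]],
                                  threshold: float) -> List[Tuple[str, float]]:
    """S104 to S106: compare the first element's configuration information with
    every other stored record and keep those at or above the threshold."""
    first_cfg = stored[first_id]
    hits = []
    for eid, cfg in stored.items():
        if eid == first_id:
            continue
        score = similarity(first_cfg, cfg)
        if score >= threshold:
            hits.append((eid, round(score, 2)))
    return sorted(hits)


def identify_second_by_library(first_id: str, stored: Dict[str, Dict[str, Any]],
                               library: str) -> List[str]:
    """Alternative to S105/S106: when the anomaly lies in a library the first
    element refers to, select every other element that refers to that library."""
    if library not in stored[first_id]["libs"]:
        raise ValueError(f"{first_id} does not refer to {library}")
    return sorted(eid for eid, cfg in stored.items()
                  if eid != first_id and library in cfg["libs"])


def handle_alert(alert: Dict[str, str], stored: Dict[str, Dict[str, Any]],
                 threshold: float = 0.5) -> Dict[str, Any]:
    """S101 to S106 in one pass. The countermeasures (S103, S107) belong to the
    countermeasure implementation unit and are not modelled here."""
    first_id = identify_first(alert, stored)
    if first_id is None:
        # No stored configuration information for the alerted element: nothing
        # can be compared, so no second constituent element is identified.
        return {"first": None, "second": []}
    return {"first": first_id,
            "second": identify_second_by_similarity(first_id, stored, threshold)}


if __name__ == "__main__":
    alert = {"element": "dev-200-1/sw-A", "type": "abnormal behaviour"}  # constructed
    print(handle_alert(alert, STORED_CONFIG))
    print(identify_second_by_library("dev-200-1/sw-A", STORED_CONFIG, "libssl-1.1"))
```

With the sample data, the threshold of 0.5 selects the identical record on device 200-2 and the older version on device 200-3 (same name and libraries, different version and lot), while the library match additionally selects sw-B on device 200-4.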
As described above, the management device 100 according to the second example embodiment stores the configuration information that is related to each of the constituent elements of the system and indicates the configuration of the constituent element, and identifies the configuration information of the first constituent element, that is, the constituent element in which an anomaly occurs. Then, the management device 100 identifies, from the stored configuration information, the second constituent element, that is, the constituent element related to configuration information including information common to the configuration information of the first constituent element. When the configuration information of each of a plurality of constituent elements includes common information, there is a high possibility that a similar anomaly occurs in each of the constituent elements. With the above configuration, the management device 100 may identify the constituent element in which an anomaly has occurred and the constituent element in which a similar anomaly may occur. That is, the management device 100 of the second example embodiment may ascertain a location in the system where an anomaly may occur.
The management device 100 according to the second example embodiment may calculate a similarity based on the number of pieces of information common to the configuration information of the first constituent element and the stored configuration information, and identify, as the second constituent element, a constituent element related to configuration information whose calculated similarity is equal to or more than a threshold value, among the stored configuration information. For example, even in a case where a predetermined constituent element is not exactly the same as the constituent element in which an anomaly has occurred, the predetermined constituent element may behave in the same way as the constituent element in which the anomaly has occurred. The management device 100 may identify such a constituent element.
In addition, in the second example embodiment, the constituent elements of the system include a plurality of devices and software included in each of the plurality of devices, and the management device 100 stores configuration information pieces relevant to the same device, among the plurality of devices, in association with each other. With this configuration, the management device 100 may quickly identify the configuration information of the device in which an anomaly is detected.
The management device 100 may implement, on the second constituent element, the countermeasure related to the anomaly that has occurred in the first constituent element. As a result, the management device 100 may perform a preventive countermeasure for the constituent element in which an anomaly does not occur but an anomaly may occur. That is, the management device 100 may perform the countermeasure for the anomaly even in a location where the anomaly is not actualized, in the system.
In the above example embodiments, the configuration has been described in which the management device 100 includes the shared server 101 and the countermeasure implementation server 102. The configuration of the management device 100 is not limited to this example. For example, the management device 100 may include one server. In this case, the storage unit 110, the first identification unit 120, the second identification unit 130, the detection unit 140, and the countermeasure implementation unit 150 may be implemented in one server. In addition, the management device 100 may include three or more servers. In this case, the storage unit 110, the first identification unit 120, the second identification unit 130, the detection unit 140, and the countermeasure implementation unit 150 may be implemented in any of the three or more servers.
In the above example embodiments, an example has been described in which the configuration information of the first constituent element is compared with the configuration information stored in the storage unit 110 when the second constituent element is identified. When an attack on the software is detected and the vulnerability information in each piece of software is included in the configuration information, the second constituent element may be identified based on the vulnerability information.
For example, the second identification unit 130 compares the vulnerability information included in the configuration information of the first constituent element with the vulnerability information included in the stored configuration information. Then, in a case where there is configuration information including vulnerability information in which the type and the number of vulnerabilities match at a predetermined rate or more, the second identification unit 130 identifies a constituent element related to the configuration information as the second constituent element.
In this manner, the management device 100 may calculate the similarity between the vulnerability information included in the configuration information of the first constituent element and the vulnerability information included in each of the stored configuration information pieces, and identify, as the second constituent element, the constituent element related to the configuration information of which the calculated similarity is equal to or more than the threshold value, among the stored configuration information.
In a case where the vulnerability information of the software is disclosed, the management device 100 may identify the constituent element based on the disclosed vulnerability information. For example, the second identification unit 130 identifies the configuration information having the vulnerability from the configuration information stored in the storage unit 110, based on the disclosed vulnerability information. Then, the second identification unit 130 identifies a constituent element related to the identified configuration information as the second constituent element.
When vulnerability information is disclosed, the vulnerability needs to be addressed quickly. Since the management device 100 manages the pieces of configuration information relevant to the same device in association with each other, the constituent element having the disclosed vulnerability can be identified quickly.
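The two identification paths described above (similarity of vulnerability information between the first constituent element and the stored configuration information, and lookup of constituent elements affected by a newly disclosed vulnerability) can be written out as follows. This is an added illustration, not code from the patent or from any product implementing it: the `ConfigInfo` record, the store `STORE`, the element names, software names, version strings and `V-nnnn` vulnerability identifiers are all constructed placeholders, and the choice of a weighted Jaccard index over per-type vulnerability counts as the meaning of "type and number of vulnerabilities match at a predetermined rate" is an assumption made here. The disclosure lookup assumes the disclosure names a software package and its first fixed version, so that every installed version below it is treated as affected.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class ConfigInfo:
    """One stored piece of configuration information (hypothetical layout).

    element_id: the constituent element (e.g. a server) this record belongs to
    software:   installed software name -> installed version string
    vulns:      known vulnerabilities as (vulnerability type, identifier) pairs
    """
    element_id: str
    software: dict
    vulns: list


# Constructed sample store; names, versions and identifiers are placeholders.
STORE = [
    ConfigInfo("web-01", {"webapp": "2.4.1", "tlslib": "1.1.1"},
               [("buffer-overflow", "V-1001"), ("buffer-overflow", "V-1002"),
                ("info-leak", "V-2001")]),
    ConfigInfo("web-02", {"webapp": "2.4.1", "tlslib": "1.1.1"},
               [("buffer-overflow", "V-1001"), ("buffer-overflow", "V-1002"),
                ("info-leak", "V-2001")]),
    ConfigInfo("api-01", {"webapp": "2.5.0", "tlslib": "1.1.1"},
               [("buffer-overflow", "V-1002"), ("info-leak", "V-2001")]),
    ConfigInfo("db-01", {"dbclient": "9.6", "tlslib": "1.0.2"},
               [("sql-injection", "V-3001")]),
    ConfigInfo("batch-01", {"tlslib": "1.1.0"}, []),
]


def type_count_similarity(vulns_a, vulns_b):
    """Weighted Jaccard index over per-type vulnerability counts (assumed metric).

    Each vulnerability type contributes min(count_a, count_b) to the
    intersection and max(count_a, count_b) to the union, so both the types
    present and how many of each are present must agree for a high score.
    """
    count_a = Counter(vuln_type for vuln_type, _ in vulns_a)
    count_b = Counter(vuln_type for vuln_type, _ in vulns_b)
    types = set(count_a) | set(count_b)
    if not types:
        # Neither side carries vulnerability information: nothing to compare,
        # so do not report a match rather than flagging every empty record.
        return 0.0
    inter = sum(min(count_a[t], count_b[t]) for t in types)
    union = sum(max(count_a[t], count_b[t]) for t in types)
    return inter / union


def identify_second_elements(store, first_id, threshold):
    """Return (element_id, similarity) for every other element whose vulnerability
    information is at least `threshold` similar to that of `first_id`,
    most similar first."""
    first = next(c for c in store if c.element_id == first_id)
    matches = []
    for cfg in store:
        if cfg.element_id == first_id:
            continue
        score = type_count_similarity(first.vulns, cfg.vulns)
        if score >= threshold:
            matches.append((cfg.element_id, round(score, 3)))
    return sorted(matches, key=lambda item: -item[1])


def parse_version(version):
    """'1.1.1' -> (1, 1, 1); dotted numeric versions only (assumption)."""
    return tuple(int(part) for part in version.split("."))


def elements_affected_by_disclosure(store, software, first_fixed_version):
    """Return the ids of elements running `software` at a version older than
    the first fixed version named in a disclosure."""
    fixed = parse_version(first_fixed_version)
    return sorted(cfg.element_id for cfg in store
                  if software in cfg.software
                  and parse_version(cfg.software[software]) < fixed)


if __name__ == "__main__":
    # An attack was detected on web-01; look for elements with a similar profile.
    print(identify_second_elements(STORE, "web-01", threshold=0.6))
    # A disclosure says tlslib is fixed from 1.1.1; who still runs older builds?
    print(elements_affected_by_disclosure(STORE, "tlslib", "1.1.1"))
```

With this store, `web-02` scores 1.0 against `web-01` and `api-01` scores 2/3, so a threshold of 0.6 selects both while `db-01` and `batch-01` are not reported; the disclosure lookup for `tlslib` below 1.1.1 returns `batch-01` and `db-01`, the two elements that were not similar to the attacked one but do carry the newly disclosed vulnerability.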
The hardware constituting the management device according to the above-described first and second example embodiments will be described.
As illustrated in
The storage device 94 stores a program (computer program) 98. The processor 91 executes the program 98 of the management device by using the RAM 92. Specifically, for example, the program 98 includes a program for allowing a computer to execute the processing illustrated in
The input/output interface 95 exchanges data with a peripheral device (a keyboard, a mouse, a display device, or the like) 99. The input/output interface 95 functions as a means that acquires or outputs data. The bus 96 connects the constituents to each other.
There are various ways of implementing the management device. For example, the management device can be implemented as a dedicated device, or as a combination of a plurality of devices.
A processing method in which a program implementing each of the constituents in the functions of each of the example embodiments is recorded in a storage medium, and the program recorded in the storage medium is read as code and executed by a computer, is also included in the scope of each of the example embodiments. That is, a computer-readable storage medium is also included in the scope of each of the example embodiments. A storage medium in which the above-described program is recorded, and the program itself, are likewise included in each of the example embodiments.
The storage medium is, for example, a floppy (Registered Trademark) disk, a hard disk, an optical disk, a magneto-optical disk, a compact disc (CD)-ROM, a magnetic tape, a nonvolatile memory card, or a ROM, but is not limited to this example. The program recorded in the storage medium is not limited to a program that executes processing alone, and programs that are operated on an operating system (OS) to execute processing in cooperation with other software and the function of an extension board are also included in the scope of each of the example embodiments.
While the invention has been particularly shown and described with reference to exemplary embodiments thereof, the invention is not limited to these embodiments. It will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the present invention as defined by the claims.
The above-described example embodiments and modification examples can be appropriately combined.
The whole or part of the example embodiments disclosed above can be described as, but not limited to, the following supplementary notes.
A management device including:
The management device according to supplementary note 1,
The management device according to supplementary note 1 or 2,
The management device according to any one of supplementary notes 1 to 3,
The management device according to any one of supplementary notes 1 to 4, further including
The management device according to any one of supplementary notes 1 to 5, further including
The management device according to supplementary note 6,
The management device according to supplementary note 6 or 7,
A management method including:
The management method according to supplementary note 9,
The management method according to supplementary note 9 or 10,
The management method according to any one of supplementary notes 9 to 11,
The management method according to any one of supplementary notes 9 to 12, further including
The management method according to any one of supplementary notes 9 to 13, further including
The management method according to supplementary note 14,
The management method according to supplementary note 14 or 15,
A computer-readable storage medium storing a program for allowing a computer to execute:
The computer-readable storage medium according to supplementary note 17,
The computer-readable storage medium according to supplementary note 17 or 18,
The computer-readable storage medium according to any one of supplementary notes 17 to 19,
The computer-readable storage medium according to any one of supplementary notes 17 to 20, storing the program for allowing the computer to further execute
The computer-readable storage medium according to any one of supplementary notes 17 to 21, storing the program for allowing the computer to further execute
The computer-readable storage medium according to supplementary note 22,
The computer-readable storage medium according to supplementary note 22 or 23,
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/JP2021/041480 | 11/11/2021 | WO |