
WO2018163274A1 - Risk analysis device, risk analysis method and risk analysis program - Google Patents

Publication number
WO2018163274A1
Authority
WO
WIPO (PCT)
Prior art keywords
possibility
threat
occurrence
risk
unit
Prior art date
Application number
PCT/JP2017/008945
Other languages
French (fr)
Japanese (ja)
Inventor
泉 幸雄
健志 浅井
河内 清人
Original Assignee
三菱電機株式会社
Priority date
Filing date
Publication date
Application filed by 三菱電機株式会社
Priority to JP2018541441A (patent JP6425865B1)
Priority to PCT/JP2017/008945 (patent WO2018163274A1)
Publication of WO2018163274A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities

Definitions

  • This invention relates to a technique for analyzing system security risk.
  • a security threat (hereinafter referred to as a threat) that requires countermeasures in components such as a server, a terminal, and a communication path constituting the analysis target system is clarified.
  • threats to the components of the analysis target system are identified.
  • the possibility of occurrence of the threat and the impact of the occurrence of the threat are set.
  • the impact of the occurrence of a threat is represented by the asset value of the component that generates the threat.
  • the risk value of the identified threat is derived from the set possibility of occurrence and the impact of the threat occurrence. And measures are taken against high-risk threats.
  • Patent Document 1 describes that the possibility of occurrence of a threat is manually set. Further, Patent Document 2 describes that the possibility of occurrence of a threat is set to a preset fixed value.
  • In Patent Document 1, since the possibility of occurrence of a threat is manually set, there are problems that man-hours for analysis increase and human error occurs. Further, in Patent Document 2, since a fixed value set in advance is used as the possibility of occurrence of a threat, there is a problem that the possibility of occurrence does not become an appropriate value and the risk value of the threat cannot be calculated accurately. As a result, Patent Documents 1 and 2 may eventually lead to excessive or insufficient measures.
  • An object of the present invention is to enable appropriate analysis of security risks of a system to be analyzed.
  • The risk analysis apparatus includes: a possibility identifying unit that identifies the possibility of occurrence of a threat that may occur in the analysis target system according to the security measures implemented for the component that is the location of the threat; and a risk value calculation unit that calculates, from the possibility of occurrence identified by the possibility identifying unit, a risk value indicating the magnitude of the risk that the threat poses to the analysis target system.
  • the possibility of occurrence is specified according to the security measures implemented for the component that is the place where the threat occurs. Thereby, it is possible to appropriately analyze the security risk of the analysis target system.
  • FIG. 1 is a configuration diagram of a risk analysis device 10 according to Embodiment 1.
  • FIG. 2 is a configuration diagram of an analysis target system 50 used for explanation in the first embodiment.
  • FIG. 3 is a flowchart of the overall operation of the risk analysis apparatus 10 according to the first embodiment.
  • FIG. 5 is a diagram showing possibility setting information 312 according to the first embodiment.
  • FIG. 5 shows configuration information 322 according to the first embodiment.
  • FIG. is a flowchart of the possibility identification process of step S3 according to Embodiment 1.
  • FIG. is a diagram showing the possibility information 323 according to Embodiment 1.
  • FIG. is a diagram showing the risk analysis information 324 according to Embodiment 1.
  • FIG. 1 The block diagram of the risk analyzer 10 which concerns on the modification 2.
  • FIG. is a configuration diagram of the risk analysis device 10 according to Embodiment 2.
  • FIG. is a diagram showing the connection destination information 325 according to Embodiment 2.
  • FIG. is a diagram showing the communication control information 326 according to Embodiment 2.
  • FIG. is a flowchart of the possibility identification process of step S3 according to Embodiment 2.
  • FIG. is a diagram showing the threat extraction result 321 according to Embodiment 2.
  • FIG. is a diagram showing the possibility setting information 312 according to Embodiment 2.
  • FIG. is a flowchart of the communication control determination process of step S25 according to Embodiment 2.
  • FIG. is a diagram showing the possibility information 323 according to Embodiment 2.
  • FIG. FIG. 1 The flowchart of the possibility specific process of step S3 which concerns on Embodiment 2.
  • FIG. is a diagram showing the threat extraction result 321 according to Embodiment 2.
  • FIG. The
  • FIG. 4 is a configuration diagram of a risk analysis apparatus 10 according to a third embodiment.
  • FIG. 10 is a flowchart of possibility specifying processing in step S3 according to the third embodiment.
  • FIG. is a diagram showing the possibility setting information 312 according to Embodiment 3.
  • FIG. 10 shows configuration information 322 according to the third embodiment.
  • Embodiment 1. *** Explanation of configuration *** With reference to FIG. 1, the configuration of the risk analysis device 10 according to Embodiment 1 is described.
  • the risk analysis apparatus 10 is a computer.
  • the risk analysis apparatus 10 includes hardware including a processor 11, a memory 12, a storage 13, and a communication interface 14.
  • the processor 11 is connected to other hardware via a signal line, and controls these other hardware.
  • the processor 11 is an IC (Integrated Circuit) that performs processing, and is a device that controls the entire risk analysis apparatus 10.
  • Specific examples of the processor 11 are a CPU (Central Processing Unit), a DSP (Digital Signal Processor), and a GPU (Graphics Processing Unit).
  • the memory 12 is a storage device that temporarily stores data.
  • the memory 12 is an SRAM (Static Random Access Memory) or a DRAM (Dynamic Random Access Memory).
  • the storage 13 is a storage device that stores data.
  • the storage 13 is an HDD (Hard Disk Drive) or an SSD (Solid State Drive).
  • The storage 13 may be a portable storage medium such as an SD (registered trademark, Secure Digital) memory card, CF (CompactFlash), NAND flash, flexible disk, optical disk, compact disk, Blu-ray (registered trademark) disk, or DVD (Digital Versatile Disk).
  • the communication interface 14 is an interface for communicating with external devices such as an input device and a display device.
  • the communication interface 14 is a port of Ethernet (registered trademark), USB (Universal Serial Bus), or HDMI (registered trademark, High-Definition Multimedia Interface).
  • the risk analysis apparatus 10 includes an information acquisition unit 21, a threat extraction unit 22, a possibility identification unit 23, and a risk value calculation unit 24 as functional components.
  • the possibility identifying unit 23 includes a rule extracting unit 25 and a condition determining unit 26.
  • the functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identification unit 23, the risk value calculation unit 24, the rule extraction unit 25, and the condition determination unit 26 are realized by software.
  • The storage 13 stores programs that realize the functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identification unit 23, the risk value calculation unit 24, the rule extraction unit 25, and the condition determination unit 26.
  • This program is read into the memory 12 by the processor 11 and executed by the processor 11. Thereby, the functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identification unit 23, the risk value calculation unit 24, the rule extraction unit 25, and the condition determination unit 26 are realized.
  • the storage 13 realizes the functions of the common information storage unit 31 and the analysis target storage unit 32.
  • the common information storage unit 31 stores threat data 311 and possibility setting information 312.
  • the analysis target storage unit 32 stores a threat extraction result 321, configuration information 322, occurrence possibility information 323, and risk analysis information 324.
  • the risk analysis apparatus 10 may include a plurality of processors that replace the processor 11.
  • the plurality of processors share execution of functional components included in the operating system 20.
  • Each processor is an IC that performs processing in the same manner as the processor 11.
  • the analysis target system 50 includes a server_01, a server_02, a firewall FW_01, a network NW_01, a network NW_02, a network NW_03, an external network, a terminal_01, and a terminal_02.
  • Server_01 is connected to server_02 via NW_01, connected to FW_01 via NW_02, and connected to terminal_01 and terminal_02 via NW_03.
  • the server_01 is connected to the outside via the FW_01 and an external network.
  • the FW_01 performs communication control so that data from the server_01 to the external network passes but data from the external network to the server_01 does not pass.
  • the operation of the risk analysis apparatus 10 according to the first embodiment corresponds to the risk analysis method according to the first embodiment.
  • the operation of the risk analysis apparatus 10 according to the first embodiment corresponds to the processing of the risk analysis program according to the first embodiment.
  • Step S1 Information acquisition process in FIG. 3
  • the information acquisition unit 21 acquires the possibility setting information 312 and the configuration information 322 via the communication interface 14.
  • the information acquisition unit 21 writes the possibility setting information 312 to the common information storage unit 31 and the configuration information 322 to the analysis target storage unit 32.
  • the possibility setting information 312 is information in which the possibility of occurrence is defined for each combination of the identifier of the threat and the security measures implemented for the component that is the place where the threat occurs.
  • the possibility setting information 312 indicates the threat ID, one or more conditions, and the possibility of occurrence for each rule No.
  • the rule No is a rule identifier.
  • the threat ID is an identifier of a threat to which the rule is applied.
  • a condition is a condition to which the rule is applied.
  • conditions including security measures that are implemented for components that are the places where threats occur are defined.
  • the possibility of occurrence is the possibility of occurrence of a threat when the rule is applied.
  • the condition is indicated by a configuration of “item: content”.
  • the rule applied to the threat ID 10 has three conditions, and the rule applied to the threat ID 20 has two conditions.
  • In the first embodiment, three stages of the possibility of occurrence are assumed, and a value of 1 is used when the possibility of occurrence is low, 2 when it is medium, and 3 when it is high. Note that the number of stages and the values are not limited thereto.
  • the configuration information 322 indicates information on each component of the analysis target system 50. As shown in FIG. 5, in the first embodiment, the configuration information 322 indicates the type, physical access permission, security measure, encryption measure, and asset value for each element name.
  • the element name is the name of the component.
  • the type is a component classification. Whether or not physical access is possible is whether or not physical access to a component is possible.
  • the encryption countermeasure is whether or not encrypted communication is possible. Asset value is the value of a component.
  • the configuration information 322 may indicate other information related to security measures such as presence / absence of user authentication and the type of OS used.
  • Step S2 in FIG. 3 threat extraction processing
  • the threat extraction unit 22 extracts threats that may occur in the analysis target system 50 based on the threat data 311 stored in the common information storage unit 31.
  • the threat data 311 is a threat model.
  • a specific method for extracting a threat may be realized by a method described in JP-A-2016-105233.
  • the threat extraction unit 22 writes the extracted threat as a threat extraction result 321 in the analysis target storage unit 32.
  • the threat extraction result 321 indicates the element name, threat ID, access source, and threat content for each No. No is a number uniquely assigned to the extracted threat.
  • the element name is a name of a component that is a place where a threat occurs.
  • the threat ID is an identifier of the extracted threat.
  • the access source indicates the name of the component that is the source of access when the threat is related to remote access via the network.
  • terminal_01 is shown as an access source of a threat of unauthorized access to server_01 that misuses terminal_01.
  • the threat content is the content of the extracted threat.
  • the threat extraction result 321 may also indicate information indicating the location of each component and the type of component.
  • The No. 1 threat and the No. 2 threat are different threats but are represented by the same threat ID. However, a threat ID that distinguishes these threats may be used.
  • Step S3 in FIG. 3 Possibility identification processing
  • The possibility identifying unit 23 identifies the possibility of occurrence of the threat according to the combination of the identifier of the threat and the security measures implemented for the component that is the location where the threat occurs.
  • Step S11 in FIG. 7 result reading process
  • the possibility identifying unit 23 reads information about one threat from the threat extraction result 321 in the analysis target storage unit 32 and writes the information in the memory 12. That is, the possibility identifying unit 23 reads one record of the threat extraction result 321 and writes it in the memory 12.
  • Step S12 in FIG. 7 rule extraction process
  • the rule extraction unit 25 extracts a rule having a threat ID included in the information read out in step S11 from the possibility setting information 312 in the common information storage unit 31.
  • For example, the threat ID of the No. 1 threat is 10. Therefore, the rule extraction unit 25 extracts two rules, rule No1 and rule No2.
  • Step S13 in FIG. 7 first rule determination process
  • the rule extraction unit 25 determines whether or not a rule has been extracted in step S12. When the rule is extracted, the rule extraction unit 25 advances the process to step S14. On the other hand, if the rule is not extracted, the rule extraction unit 25 cannot determine the possibility of occurrence, and the process proceeds to step S17.
  • Step S14 in FIG. 7 Condition determination processing
  • the condition determination unit 26 determines, for each rule extracted in step S12, whether or not the record read in step S11 matches each condition of the rule. Specifically, the condition determining unit 26 refers to the configuration information 322 about the component indicated by the element name read in step S11, and determines whether or not each condition is met. For example, the threat No. 1 in FIG. 6 does not match the condition 3 for the rule No 1 in FIG. 4, although the conditions 1 and 2 match. On the other hand, the threat No. 1 in FIG. 6 satisfies all the conditions 1 to 3 for the rule No. 2 in FIG.
  • Step S15 in FIG. 7 second rule determination process
  • the condition determination unit 26 determines whether or not there is a rule in which the component matches all the conditions in step S14. If there is a rule that matches, the condition determination unit 26 advances the process to step S16. On the other hand, if there is no matching rule, the condition determination unit 26 cannot specify the possibility of occurrence, and thus the process proceeds to step S17.
  • Step S16 in FIG. 7 Possibility reading process
  • The condition determination unit 26 reads out the possibility of occurrence of the rule for which the component matched all the conditions in step S14, and writes it in the analysis target storage unit 32 as occurrence possibility information 323.
  • the possibility information 323 has no information on the access source of the threat extraction result 321, and the possibility of occurrence is added.
  • the occurrence possibility information 323 may indicate access source information or may indicate other information.
  • the condition determination unit 26 writes the read possibility of occurrence in the corresponding threat record. That is, when the No. 1 record in FIG. 6 is read in step S11, the condition determination unit 26 writes the read possibility of occurrence in the No. 1 record in FIG.
  • Step S17 in FIG. 7 end determination processing
  • the rule extraction unit 25 determines whether information about all threats has been read from the threat extraction result 321 in step S11. The rule extraction unit 25 ends the process when the information about all threats has been read. On the other hand, if the information about all threats has not been read, the rule extraction unit 25 returns the process to step S11 to read information about the next threat.
  • Step S4 in FIG. 3 Risk value calculation process
  • The risk value calculation unit 24 calculates a risk value indicating the magnitude of the risk that the threat poses to the analysis target system 50 from the possibility of occurrence identified in step S3. Specifically, for each threat extracted in step S2, the risk value calculation unit 24 calculates, as the risk value, the product of the possibility of occurrence of the threat and the asset value of the component that is the location of the threat.
  • the risk value calculation unit 24 writes risk analysis information 324 indicating the calculated risk value in the analysis target storage unit 32.
  • the asset value and risk value of the constituent elements are added to the possibility information 323.
  • the risk value of the threat No. 1 in FIG. 9 is the product “9” of the probability of occurrence “3” and the asset value “3” of the server_01 that is a component.
  • the threat extraction result 321, the possibility information 323, and the risk analysis information 324 are treated as separate information.
  • one format indicating all information of the threat extraction result 321, the possibility information 323, and the risk analysis information 324 may be prepared. And according to progress of processing, information may be sequentially added to the format.
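The possibility identification of steps S11 to S17 and the risk value calculation of step S4, as an added Python example that is not code from the patent. The patent's figures are not reproduced on this page, so the rule, configuration and threat tables below are constructed to agree with the text (threat No. 1 on server_01 matches rule No2, possibility 3, asset value 3, risk value 9); the field names and the choice of taking the first matching rule are assumptions.

```python
# Added example (not from the patent): Embodiment 1, steps S11-S17 and S4.
# All table contents are constructed; the patent's figures are not on this page.

# Possibility setting information 312: likelihood 1 (low), 2 (medium), 3 (high).
POSSIBILITY_SETTING_312 = [
    {"rule_no": 1, "threat_id": 10, "likelihood": 1,
     "conditions": {"type": "server", "physical_access": "possible",
                    "security_measure": "present"}},
    {"rule_no": 2, "threat_id": 10, "likelihood": 3,
     "conditions": {"type": "server", "physical_access": "possible",
                    "security_measure": "absent"}},
    {"rule_no": 3, "threat_id": 20, "likelihood": 3,
     "conditions": {"type": "network", "encryption": "absent"}},
]

# Configuration information 322, keyed by element name.
CONFIGURATION_322 = {
    "server_01": {"type": "server", "physical_access": "possible",
                  "security_measure": "absent", "encryption": "absent",
                  "asset_value": 3},
    "NW_03": {"type": "network", "physical_access": "possible",
              "security_measure": "absent", "encryption": "absent",
              "asset_value": 2},
    "terminal_01": {"type": "terminal", "physical_access": "possible",
                    "security_measure": "present", "encryption": "absent",
                    "asset_value": 1},
}

# Threat extraction result 321. Threat ID 30 deliberately has no rule.
THREAT_EXTRACTION_321 = [
    {"no": 1, "element": "server_01", "threat_id": 10, "access_source": "terminal_01"},
    {"no": 2, "element": "server_01", "threat_id": 10, "access_source": "terminal_02"},
    {"no": 3, "element": "NW_03", "threat_id": 20, "access_source": None},
    {"no": 4, "element": "terminal_01", "threat_id": 30, "access_source": None},
]


def extract_rules(threat_id, rules):
    """S12: rules whose threat ID equals the threat ID of the record."""
    return [r for r in rules if r["threat_id"] == threat_id]


def rule_matches(rule, component):
    """S14: every 'item: content' condition must equal the component's value."""
    return all(component.get(item) == content
               for item, content in rule["conditions"].items())


def identify_likelihood(record, rules, config):
    """S12-S16 for one record; (None, None) when S13 or S15 finds no rule."""
    component = config.get(record["element"], {})
    for rule in extract_rules(record["threat_id"], rules):
        if rule_matches(rule, component):
            # Assumption: the first fully matching rule is used.
            return rule["likelihood"], rule["rule_no"]
    return None, None


def analyze(threats, rules, config):
    """S11/S17 loop over all records, then S4: risk = likelihood x asset value."""
    results = []
    for record in threats:
        likelihood, rule_no = identify_likelihood(record, rules, config)
        asset = config.get(record["element"], {}).get("asset_value")
        known = likelihood is not None and asset is not None
        results.append({"no": record["no"], "element": record["element"],
                        "threat_id": record["threat_id"], "rule_no": rule_no,
                        "likelihood": likelihood, "asset_value": asset,
                        "risk": likelihood * asset if known else None})
    return results


if __name__ == "__main__":
    for row in analyze(THREAT_EXTRACTION_321, POSSIBILITY_SETTING_312,
                       CONFIGURATION_322):
        print(row)
```

Records left with a risk of `None` are the threats for which steps S13 or S15 found no applicable rule; in a review they need a new rule rather than a default value.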
  • the risk analysis apparatus 10 identifies the possibility of the occurrence of a threat according to the security measures implemented for the component that is the place where the threat occurs. Thereby, the possibility of occurrence of a threat can be appropriately identified. As a result, the security risk of the analysis target system can be analyzed appropriately.
  • Since the possibility of occurrence is specified based on the possibility setting information 312, the analyst's arbitrary judgment does not enter into the possibility of occurrence of a threat. Therefore, it is possible to appropriately identify the possibility of occurrence of a threat.
  • one possibility setting information 312 is stored in the common information storage unit 31.
  • the possibility setting information 312 for each type of system may be stored in the common information storage unit 31.
  • the possibility setting information 312 may be stored for each type, such as an information system, an in-vehicle device system, and an FA (Factory Automation) system.
  • the possibility identifying unit 23 identifies the possibility of occurrence of a threat using the possibility setting information 312 corresponding to the type of the analysis target system 50. This makes it possible to more appropriately identify the possibility of occurrence of a threat.
  • the common information storage unit 31 may store possibility setting information 312 for each role such as a system administrator and maintenance personnel.
  • the possibility identifying unit 23 identifies the possibility of occurrence for each role using the possibility setting information 312 corresponding to each role.
  • the risk value calculation part 24 calculates the risk value of a threat for every role. Thereby, the risk value for every role can be known.
  • the apparatus 10 includes a processing circuit 15 instead of the processor 11, the memory 12, and the storage 13.
  • The processing circuit 15 is a dedicated electronic circuit that realizes the functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identification unit 23, the risk value calculation unit 24, the rule extraction unit 25, the condition determination unit 26, the memory 12, and the storage 13.
  • The processing circuit 15 is assumed to be a single circuit, a composite circuit, a programmed processor, a parallel programmed processor, a logic IC, a GA (Gate Array), an ASIC (Application Specific Integrated Circuit), or an FPGA (Field-Programmable Gate Array). The functions of the information acquisition unit 21, threat extraction unit 22, possibility identification unit 23, risk value calculation unit 24, rule extraction unit 25, and condition determination unit 26 may be realized by one processing circuit 15, or may be distributed to a plurality of processing circuits 15.
  • <Modification 3> As a third modification, some functions may be realized by hardware, and other functions may be realized by software. That is, some of the functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identification unit 23, the rule extraction unit 25, the condition determination unit 26, and the risk value calculation unit 24 may be realized by hardware, and the other functions may be realized by software.
  • the processor 11, the memory 12, the storage 13, and the processing circuit 15 are collectively referred to as “processing circuitries”. That is, the function of each functional component is realized by the processing circuitry.
  • Embodiment 2 is different from the first embodiment in that the possibility of occurrence is specified according to the communication control of the communication path in the analysis target system 50 to the component that is the generation location. In the second embodiment, this different point will be described, and the description of the same point will be omitted.
  • The risk analysis apparatus 10 differs from the risk analysis device 10 illustrated in FIG. in that it includes the communication determination unit 27 as a functional component and in that the analysis target storage unit 32 stores the connection destination information 325 and the communication control information 326.
  • the communication determination unit 27 is realized by software in the same manner as other functional components. Moreover, the communication determination part 27 may be implement
  • the operation of the risk analysis apparatus 10 according to the second embodiment will be described with reference to FIG. 3 and FIGS. 12 to 18.
  • the operation of the risk analysis apparatus 10 according to the second embodiment corresponds to the risk analysis method according to the second embodiment.
  • the operation of the risk analysis apparatus 10 according to the second embodiment corresponds to the processing of the risk analysis program according to the second embodiment.
  • Steps S2 and S4 are the same as those in the first embodiment.
  • Step S1 Information acquisition process in FIG. 3
  • the information acquisition unit 21 acquires the possibility setting information 312, the configuration information 322, the connection destination information 325, and the communication control information 326 via the communication interface 14.
  • the information acquisition unit 21 writes the possibility setting information 312 in the common information storage unit 31, and writes the configuration information 322, connection destination information 325, and communication control information 326 in the analysis target storage unit 32.
  • The connection destination information 325 indicates a connection relationship between the components of the analysis target system 50. As shown in FIG. 12, in the second embodiment, the connection destination information 325 indicates a type, presence/absence of communication control, and a communication path for each element name. As shown in FIG. 2, the communication paths of the analysis target system 50 are NW_01, NW_02, NW_03, and an external network. In FIG. 12, a mark indicates that the component is connected to the communication path.
  • the communication control information 326 indicates the content of communication control. As shown in FIG. 13, in the second embodiment, the communication control information 326 indicates whether data flow from the access source (FROM) to the access destination (TO) is permitted. In FIG. 13, FW_01 indicates that data is allowed to flow from NW_02 to the external network, and data is not allowed to flow from the external network to NW_02.
  • With reference to FIG. 14, the possibility specifying process in step S3 according to the second embodiment will be described.
  • the processing from step S21 to step S23 is the same as the processing from step S11 to step S13 in FIG.
  • the processing from step S26 to step S29 is the same as the processing from step S14 to step S17 in FIG.
  • Step S24 in FIG. 14 Communication Item Determination Process
  • the communication determination unit 27 determines whether or not there is communication control as a condition item for each rule extracted in step S22.
  • the communication determination part 27 advances a process to step S25, when there exists communication control.
  • the communication determination part 27 advances a process to step S26, when there is no communication control.
  • As a specific example, it is assumed that the possibility setting information 312 is as shown in FIG. 15 and the threat extraction result 321 is as shown in FIG. Assume that the No. 1 record of the threat extraction result 321 is read in step S21. In this case, since the threat ID is 10 in step S22, three rules No. 1 to No. 3 in FIG. 16 are extracted. Then, communication control is an item of Condition 1 in the three rules No. 1 to No. 3. Therefore, the process proceeds to step S25.
  • Step S25 in FIG. 14 Communication Control Determination Process
  • the communication determination unit 27 extracts, from the rule extracted in step S22, a rule corresponding to the presence / absence of communication control of the communication path in the analysis target system 50 to the component that is the place where the threat occurs.
  • Step S31 in FIG. 17 route specifying process
  • The communication determination unit 27 refers to the connection destination information 325 and identifies a communication path from the access source of the record read in step S21 to the component indicated by the element name. For example, if the record is No. 1 in the threat extraction result 321 in FIG. 15, the communication path from the access source terminal_01 to the component server_01 is identified as NW_03. Further, in the case of the No. 3 record of the threat extraction result 321 in FIG. 15, the communication path from the outside, which is the access source, to server_01, which is the component, is identified as the external network, FW_01, and NW_02.
  • Step S32 in FIG. 17 control element processing
  • the communication determination unit 27 determines whether there is a component that performs communication control on the communication path specified in step S31.
  • the communication determination part 27 advances a process to step S33, when the component which performs communication control exists.
  • The communication determination unit 27 sets communication control to possible when there is no component that performs communication control. For example, in the case of the No. 1 record of the threat extraction result 321 in FIG. 15, since the communication path is NW_03, it is determined that there is no component that performs communication control. Therefore, communication control is set to possible. Further, in the case of the No. 3 record of the threat extraction result 321 in FIG. 15, the communication path is the external network, FW_01, and NW_02, and FW_01 performs communication control, so it is determined that there is a component that performs communication control. Therefore, the process proceeds to step S33.
  • Step S33 in FIG. 17 control element processing
  • the communication determination unit 27 determines whether or not data is allowed to flow from the access source of the record read in step S21 to the component indicated by the element name.
  • the communication determination unit 27 sets the communication control to be possible when the data flow is permitted.
  • The communication determination unit 27 sets the communication control to impossible when the data flow is not permitted. For example, in the case of the No. 3 record of the threat extraction result 321 in FIG. 15, FW_01 does not permit data to flow in the direction from the outside, which is the access source, to the component server_01. For this reason, communication control is set to impossible.
  • Step S34 in FIG. 17 corresponding rule extraction process
  • The communication determination unit 27 extracts a rule corresponding to the communication control possible or communication control impossible setting made in steps S32 to S33. For example, in the case of the No. 1 record of the threat extraction result 321 in FIG. 15, since communication control is set to possible, rule No1 and rule No2, in which communication control is possible under condition 1 in FIG. 16, are extracted. Further, in the case of the No. 3 record of the threat extraction result 321 in FIG. 15, since communication control is set to impossible, rule No3, in which communication control is impossible under condition 1 in FIG. 16, is extracted.
  • the possibility of occurrence corresponding to each No is specified as the possibility information 323 as shown in FIG.
  • the risk analysis apparatus 10 can generate a threat depending on whether or not communication control is performed on a communication path from an access source to a component that is a threat generation location. Identify gender. Thereby, it is possible to specify the possibility of occurrence of a threat in consideration of the data flow of the analysis target system 50.
  • The content of the communication control is determined after determining that the rule extracted in step S22 has communication control as an item.
  • The flow of processing may be changed so that the content of communication control is determined for each threat that has an access source among the threats extracted as the threat extraction result 321.
  • <Modification 5> There is one component that performs communication control.
  • Communication control information to which identification information is added may be used so that each component can be identified.
  • Instead of simply identifying the possibility of occurrence of a threat based on whether or not communication control is performed on the communication path, the possibility of occurrence may be specified based on how many communication controls are performed on the communication path.
  • Embodiment 3.
  • The third embodiment is different from the first embodiment in that the possibility of occurrence of a threat is specified in accordance with the possibility of occurrence of another threat that may occur on the component where the threat occurs.
  • This difference will be described, and the description of the common points will be omitted. Note that Embodiment 3 can be combined with Embodiment 2.
  • the risk analysis device 10 is different from the risk analysis device 10 shown in FIG. 1 in that the common information storage unit 31 stores the correspondence information 313.
  • the operation of the risk analysis apparatus 10 according to the third embodiment corresponds to the risk analysis method according to the third embodiment.
  • the operation of the risk analysis apparatus 10 according to the third embodiment corresponds to the processing of the risk analysis program according to the third embodiment.
  • Steps S2 and S4 are the same as those in the first embodiment.
  • (Step S1 in FIG. 3: information acquisition process)
  • the information acquisition unit 21 acquires possibility setting information 312, correspondence information 313, and configuration information 322 via the communication interface 14.
  • the information acquisition unit 21 writes the possibility setting information 312 and the correspondence information 313 to the common information storage unit 31, and writes the configuration information 322 to the analysis target storage unit 32.
  • the correspondence information 313 is information in which a security measure and a threat ID are associated with each other. As shown in FIG. 20, in the third embodiment, the correspondence information 313 indicates a threat ID for each condition item for security measures.
  • With reference to FIG. 21, the possibility identification process of step S3 according to Embodiment 3 will be described.
  • The processing from step S41 to step S47 is the same as the processing from step S11 to step S17 in FIG. However, in step S45, the condition determination unit 26 advances the process to step S48 if there is no matching rule.
  • (Step S48: correspondence information determination process)
  • the condition determination unit 26 determines whether or not the condition information included in the rule is included in the correspondence information 313 for each rule extracted in step S42. Specifically, the condition determination unit 26 searches the correspondence information 313 using each condition item included in each rule as a keyword, and determines whether or not a record is extracted. If the condition item is included in the correspondence information 313, the condition determination unit 26 advances the process to step S49. On the other hand, if the condition item is not included in the correspondence information 313, the condition determination unit 26 cannot determine the possibility of occurrence, and the process proceeds to step S47.
  • The threat extraction result 321 is as shown in FIG. 22, the possibility setting information 312 is as shown in FIG. 23, and the configuration information 322 is as shown in FIG.
  • The No. 5 record of the threat extraction result 321 is read in step S41.
  • The threat ID is 11, so in step S42
  • the two rules, rule No50 and rule No51 in FIG. 23, are extracted.
  • In rule No50 and rule No51, malware infection of the access source is a condition item of condition 3.
  • The configuration information 322 does not have an item for malware infection, so the record does not match condition 3 of either rule No50 or rule No51. Therefore, the process proceeds to step S28.
  • The condition determination unit 26 searches the correspondence information 313 using malware infection, which is the condition item of condition 3, as a keyword.
  • The record shown in FIG. 20 is extracted. Therefore, the process proceeds to step S49.
  • (Step S49: rule re-extraction process)
  • The condition determination unit 26 extracts, from the possibility setting information 312 in the common information storage unit 31, a rule that has the threat ID of the record extracted in step S48 and all of whose conditions are matched by the record read in step S41. If such a rule is extracted, the condition determination unit 26 advances the process to step S50. On the other hand, if no rule is extracted, the condition determination unit 26 advances the process to step S47.
  • (Step S50: condition specifying process)
  • The condition determination unit 26 reads the possibility of occurrence of the rule extracted in step S49. Then, the process returns to step S44, and, using the read possibility of occurrence, it is determined again for each rule extracted in step S42 whether or not the record read in step S41 matches each condition of the rule.
  • The risk analysis apparatus 10 identifies the possibility of occurrence of a threat according to the possibility of occurrence of another threat that may occur on the component where the threat occurs. Thereby, it is possible to specify the possibility of occurrence of a threat by using the possibility of occurrence of another threat that is a source of the threat.
  • 10 risk analysis device, 11 processor, 12 memory, 13 storage, 14 communication interface, 15 processing circuit, 21 information acquisition unit, 22 threat extraction unit, 23 possibility identification unit, 24 risk value calculation unit, 25 rule extraction unit, 26 condition determination unit, 27 communication determination unit, 31 common information storage unit, 311 threat data, 312 possibility setting information, 313 correspondence information, 32 analysis target storage unit, 321 threat extraction result, 322 configuration information, 323 occurrence possibility information, 324 risk analysis information, 325 connection destination information, 326 communication control information, 50 analysis target system.
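The communication control determination of steps S32 to S34 and the Embodiment 3 fallback of steps S48 to S50, combined as the text says they can be, in an added Python example that is not code from the patent. All table contents are constructed because the figures are not reproduced on this page; the "antivirus" item, threat ID 30, the use of the access source's configuration, and the encoding of the re-evaluated condition as a likelihood level are assumptions of this example.

```python
# Constructed stand-ins for the patent's tables (contents are NOT from the page).
PATHS = {  # connection destination information 325: hops from access source to component
    ("terminal_01", "server_01"): ["NW_03"],
    ("external", "server_01"): ["external network", "FW_01", "NW_02"],
}
# Communication control information 326: flows each controlling component permits.
# FW_01 passes server_01 -> external but not external -> server_01, as in the text.
PERMITTED_FLOWS = {"FW_01": {("server_01", "external")}}
CONFIGURATION = {  # configuration information 322; no "malware infection" item exists
    "server_01": {"security measure": "access control"},
    "terminal_01": {"antivirus": "no"},          # "antivirus" is a hypothetical item
}
# Correspondence information 313: condition item -> threat ID (30 is hypothetical).
CORRESPONDENCE = {"malware infection of access source": 30}
RULES = [  # possibility setting information 312
    {"no": 1, "threat_id": 10, "likelihood": 3,
     "conditions": {"communication control": "possible", "security measure": "none"}},
    {"no": 2, "threat_id": 10, "likelihood": 2,
     "conditions": {"communication control": "possible", "security measure": "access control"}},
    {"no": 3, "threat_id": 10, "likelihood": 1,
     "conditions": {"communication control": "impossible"}},
    {"no": 50, "threat_id": 11, "likelihood": 3,
     "conditions": {"communication control": "possible", "malware infection of access source": 3}},
    {"no": 51, "threat_id": 11, "likelihood": 1,
     "conditions": {"communication control": "possible", "malware infection of access source": 1}},
    {"no": 60, "threat_id": 30, "likelihood": 3, "conditions": {"access source antivirus": "no"}},
    {"no": 61, "threat_id": 30, "likelihood": 1, "conditions": {"access source antivirus": "yes"}},
]
RECORDS = [  # threat extraction result 321 (constructed rows)
    {"no": 1, "element": "server_01", "threat_id": 10, "access_source": "terminal_01"},
    {"no": 3, "element": "server_01", "threat_id": 10, "access_source": "external"},
    {"no": 5, "element": "server_01", "threat_id": 11, "access_source": "terminal_01"},
    {"no": 6, "element": "server_01", "threat_id": 11, "access_source": "external"},
]


def communication_control(source, target):
    """Steps S32-S33: 'possible' unless a controlling component blocks source -> target."""
    controllers = [hop for hop in PATHS[(source, target)] if hop in PERMITTED_FLOWS]
    if not controllers:                      # S32: nothing on the path controls traffic
        return "possible"
    allowed = all((source, target) in PERMITTED_FLOWS[c] for c in controllers)  # S33
    return "possible" if allowed else "impossible"


def facts_for(record):
    """Everything a rule condition can be checked against for one record."""
    facts = dict(CONFIGURATION[record["element"]])
    source = record.get("access_source")
    if source:
        facts["communication control"] = communication_control(source, record["element"])
        for item, content in CONFIGURATION.get(source, {}).items():
            facts["access source " + item] = content
    return facts


def best_match(threat_id, facts):
    """Rule for threat_id whose conditions all hold; highest likelihood if several (assumption)."""
    hits = [r for r in RULES if r["threat_id"] == threat_id
            and all(facts.get(item) == content for item, content in r["conditions"].items())]
    return max(hits, key=lambda r: r["likelihood"]) if hits else None


def identify(record):
    """Likelihood for one record, or None when it cannot be identified."""
    facts = facts_for(record)
    rule = best_match(record["threat_id"], facts)
    if rule is None:
        candidates = [r for r in RULES if r["threat_id"] == record["threat_id"]]
        for item in {i for r in candidates for i in r["conditions"]}:
            source_threat = CORRESPONDENCE.get(item)           # S48: item listed in 313?
            if source_threat is None:
                continue
            source_rule = best_match(source_threat, facts)     # S49: rule of the source threat
            if source_rule is not None:
                facts[item] = source_rule["likelihood"]        # S50: read its likelihood
        rule = best_match(record["threat_id"], facts)          # re-run the condition check
    return None if rule is None else rule["likelihood"]


if __name__ == "__main__":
    for rec in RECORDS:
        print(rec["no"], identify(rec))
```
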


Abstract

In this risk analysis device (10), a threat extraction unit (22) extracts a threat which can occur on an analysis target system. A possibility specifying unit (23) specifies the probability of occurrence of the threat extracted by the threat extraction unit (22) according to security measures which are being executed for a constituent element that is the location on which the threat occurs. A risk value calculation unit (24) calculates a risk value which indicates the level of the risk of the threat to the analysis target system from the probability of occurrence specified by the possibility specifying unit (23).

Description

Risk analysis apparatus, risk analysis method, and risk analysis program
This invention relates to a technique for analyzing system security risk.
In order to design the security of an analysis target system, it is first necessary to clarify the security measures to be implemented in the system. For this purpose, a security risk analysis is performed on the analysis target system. This clarifies the security threats (hereinafter referred to as threats) that require countermeasures in components such as the servers, terminals, and communication paths constituting the analysis target system.
In the security risk analysis, threats to the components of the analysis target system are identified. For each identified threat, the possibility of occurrence of the threat and the impact of its occurrence are set. The impact of the occurrence of a threat is represented by, for example, the asset value of the component on which the threat occurs. The risk value of the identified threat is derived from the set possibility of occurrence and the impact of the threat occurrence. Countermeasures are then determined for high-risk threats.
Patent Document 1 describes manually setting the possibility of occurrence of a threat. Patent Document 2 describes using a preset fixed value as the possibility of occurrence of a threat.
JP 2009-230278 A
JP 2001-155081 A
In Patent Document 1, because the possibility of occurrence of a threat is set manually, the man-hours required for analysis increase and human error occurs. In Patent Document 2, because a preset fixed value is used as the possibility of occurrence of a threat, the possibility of occurrence does not take an appropriate value and the risk value of the threat cannot be calculated accurately. As a result, Patent Documents 1 and 2 may ultimately lead to excessive or insufficient countermeasures.
An object of the present invention is to enable appropriate analysis of the security risk of an analysis target system.
The risk analysis apparatus according to the present invention includes:
a possibility identifying unit that identifies the possibility of occurrence of a threat that may occur in an analysis target system according to the security measures implemented for the component where the threat occurs; and
a risk value calculation unit that calculates, from the possibility of occurrence identified by the possibility identifying unit, a risk value indicating the magnitude of the risk that the threat poses to the analysis target system.
In the present invention, the possibility of occurrence is identified according to the security measures implemented for the component where the threat occurs. Thereby, the security risk of the analysis target system can be analyzed appropriately.
Configuration diagram of the risk analysis apparatus 10 according to Embodiment 1.
Configuration diagram of the analysis target system 50 used for explanation in Embodiment 1.
Flowchart of the overall operation of the risk analysis apparatus 10 according to Embodiment 1.
Diagram showing the possibility setting information 312 according to Embodiment 1.
Diagram showing the configuration information 322 according to Embodiment 1.
Diagram showing the threat extraction result 321 according to Embodiment 1.
Flowchart of the possibility identification process of step S3 according to Embodiment 1.
Diagram showing the occurrence possibility information 323 according to Embodiment 1.
Diagram showing the risk analysis information 324 according to Embodiment 1.
Configuration diagram of the risk analysis apparatus 10 according to Modification 2.
Configuration diagram of the risk analysis apparatus 10 according to Embodiment 2.
Diagram showing the connection destination information 325 according to Embodiment 2.
Diagram showing the communication control information 326 according to Embodiment 2.
Flowchart of the possibility identification process of step S3 according to Embodiment 2.
Diagram showing the threat extraction result 321 according to Embodiment 2.
Diagram showing the possibility setting information 312 according to Embodiment 2.
Flowchart of the communication control determination process of step S25 according to Embodiment 2.
Diagram showing the occurrence possibility information 323 according to Embodiment 2.
Configuration diagram of the risk analysis apparatus 10 according to Embodiment 3.
Diagram showing the correspondence information 313 according to Embodiment 3.
Flowchart of the possibility identification process of step S3 according to Embodiment 3.
Diagram showing the threat extraction result 321 according to Embodiment 3.
Diagram showing the possibility setting information 312 according to Embodiment 3.
Diagram showing the configuration information 322 according to Embodiment 3.
Diagram showing the occurrence possibility information 323 according to Embodiment 3.
Embodiment 1.
*** Explanation of configuration ***
With reference to FIG. 1, the configuration of the risk analysis apparatus 10 according to Embodiment 1 will be described.
The risk analysis apparatus 10 is a computer.
The risk analysis apparatus 10 includes the following hardware: a processor 11, a memory 12, a storage 13, and a communication interface 14. The processor 11 is connected to the other hardware via signal lines and controls the other hardware.
The processor 11 is an IC (Integrated Circuit) that performs processing, and is a device that controls the entire risk analysis apparatus 10. Specific examples of the processor 11 are a CPU (Central Processing Unit), a DSP (Digital Signal Processor), and a GPU (Graphics Processing Unit).
The memory 12 is a storage device that temporarily stores data. Specific examples of the memory 12 are an SRAM (Static Random Access Memory) and a DRAM (Dynamic Random Access Memory).
The storage 13 is a storage device that stores data. Specific examples of the storage 13 are an HDD (Hard Disk Drive) and an SSD (Solid State Drive). The storage 13 may also be a portable storage medium such as an SD (registered trademark, Secure Digital) memory card, CF (CompactFlash), NAND flash, flexible disk, optical disk, compact disk, Blu-ray (registered trademark) disk, or DVD (Digital Versatile Disk).
The communication interface 14 is an interface for communicating with external devices such as an input device and a display device. Specific examples of the communication interface 14 are Ethernet (registered trademark), USB (Universal Serial Bus), and HDMI (registered trademark, High-Definition Multimedia Interface) ports.
The risk analysis apparatus 10 includes an information acquisition unit 21, a threat extraction unit 22, a possibility identifying unit 23, and a risk value calculation unit 24 as functional components. The possibility identifying unit 23 includes a rule extraction unit 25 and a condition determination unit 26. The functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identifying unit 23, the risk value calculation unit 24, the rule extraction unit 25, and the condition determination unit 26 are realized by software.
The storage 13 stores a program that realizes the functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identifying unit 23, the risk value calculation unit 24, the rule extraction unit 25, and the condition determination unit 26. This program is read into the memory 12 by the processor 11 and executed by the processor 11. Thereby, the functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identifying unit 23, the risk value calculation unit 24, the rule extraction unit 25, and the condition determination unit 26 are realized.
The storage 13 realizes the functions of the common information storage unit 31 and the analysis target storage unit 32. The common information storage unit 31 stores threat data 311 and possibility setting information 312. The analysis target storage unit 32 stores a threat extraction result 321, configuration information 322, occurrence possibility information 323, and risk analysis information 324.
In FIG. 1, only one processor 11 is shown. However, the risk analysis apparatus 10 may include a plurality of processors in place of the processor 11. The plurality of processors share execution of the functional components included in the operating system 20. Each processor is an IC that performs processing in the same manner as the processor 11.
With reference to FIG. 2, the configuration of the analysis target system 50 used for explanation in Embodiment 1 will be described.
The analysis target system 50 includes server_01, server_02, FW_01 which is a firewall, NW_01, NW_02, and NW_03 which are networks, an external network, terminal_01, and terminal_02.
Server_01 is connected to server_02 via NW_01, to FW_01 via NW_02, and to terminal_01 and terminal_02 via NW_03. Server_01 is also connected to the outside via FW_01 and the external network. FW_01 performs communication control so that data from server_01 to the external network passes but data from the external network to server_01 does not pass.
*** Explanation of operation ***
With reference to FIGS. 3 to 9, the operation of the risk analysis apparatus 10 according to Embodiment 1 will be described.
The operation of the risk analysis apparatus 10 according to Embodiment 1 corresponds to the risk analysis method according to Embodiment 1. The operation of the risk analysis apparatus 10 according to Embodiment 1 also corresponds to the processing of the risk analysis program according to Embodiment 1.
With reference to FIG. 3, the overall operation of the risk analysis apparatus 10 according to Embodiment 1 will be described.
(Step S1 in FIG. 3: information acquisition process)
The information acquisition unit 21 acquires the possibility setting information 312 and the configuration information 322 via the communication interface 14. The information acquisition unit 21 writes the possibility setting information 312 to the common information storage unit 31 and the configuration information 322 to the analysis target storage unit 32.
The possibility setting information 312 is information in which the possibility of occurrence is defined for each combination of a threat identifier and the security measures implemented for the component where the threat occurs.
As shown in FIG. 4, in Embodiment 1, the possibility setting information 312 indicates, for each rule No, a threat ID, one or more conditions, and a possibility of occurrence. The rule No is the identifier of the rule. The threat ID is the identifier of the threat to which the rule applies. The conditions are the conditions under which the rule applies. In Embodiment 1, conditions that include the security measures implemented for the component where the threat occurs are defined. The possibility of occurrence is the possibility of occurrence of the threat when the rule applies.
In Embodiment 1, a condition is expressed in the form "item: content". In FIG. 4, the rules applied to threat ID 10 have three conditions, and the rules applied to threat ID 20 have two conditions. In Embodiment 1, three levels of the possibility of occurrence are assumed: the value 1 is used when the possibility of occurrence is low, 2 when it is medium, and 3 when it is high. Note that the number of levels and the values of the possibility of occurrence are not limited to these.
The configuration information 322 indicates information on each component of the analysis target system 50.
As shown in FIG. 5, in Embodiment 1, the configuration information 322 indicates, for each element name, the type, whether physical access is possible, the security measure, the encryption measure, and the asset value. The element name is the name of the component. The type is the classification of the component. Whether physical access is possible indicates whether the component can be physically accessed. The encryption measure indicates whether encrypted communication is possible. The asset value is the value of the component.
The configuration information 322 may also indicate other information related to security measures, such as whether user authentication is used and the type of OS in use.
(Step S2 in FIG. 3: threat extraction process)
The threat extraction unit 22 extracts threats that may occur in the analysis target system 50 based on the threat data 311 stored in the common information storage unit 31. The threat data 311 is a template of threats. The specific method for extracting threats may be realized by, for example, the method described in JP 2016-105233 A. The threat extraction unit 22 writes the extracted threats to the analysis target storage unit 32 as the threat extraction result 321.
As shown in FIG. 6, in Embodiment 1, the threat extraction result 321 indicates, for each No, the element name, the threat ID, the access source, and the threat content. The No is a number uniquely assigned to each extracted threat. The element name is the name of the component where the threat occurs. The threat ID is the identifier of the extracted threat. The access source indicates the name of the component from which access originates when the threat relates to remote access via a network. For example, in FIG. 6, terminal_01 is shown as the access source of the threat of unauthorized access to server_01 by misusing terminal_01. The threat content is the content of the extracted threat.
The threat extraction result 321 may also indicate information representing the location of each component and the type of component. In the present embodiment, the No1 threat and the No2 threat misuse different terminals but are threats of the same content, so they are represented by the same threat ID. However, threat IDs that distinguish these threats may be used.
(Step S3 in FIG. 3: possibility identification process)
For each threat extracted in step S2, the possibility identifying unit 23 identifies the possibility of occurrence of the threat according to the combination of the identifier of the threat and the security measures implemented for the component where the threat occurs.
With reference to FIG. 7, the possibility identification process of step S3 according to Embodiment 1 will be described.
(Step S11 in FIG. 7: result reading process)
The possibility identifying unit 23 reads information about one threat from the threat extraction result 321 in the analysis target storage unit 32 and writes it to the memory 12. That is, the possibility identifying unit 23 reads one record of the threat extraction result 321 and writes it to the memory 12.
(Step S12 in FIG. 7: rule extraction process)
The rule extraction unit 25 extracts, from the possibility setting information 312 in the common information storage unit 31, the rules that have the threat ID included in the information read in step S11.
For example, the No1 threat in FIG. 6 has threat ID 10. Therefore, the rule extraction unit 25 extracts two rules, rule No1 and rule No2 in FIG. 4.
(Step S13 in FIG. 7: first rule determination process)
The rule extraction unit 25 determines whether or not a rule was extracted in step S12.
If a rule was extracted, the rule extraction unit 25 advances the process to step S14. On the other hand, if no rule was extracted, the possibility of occurrence cannot be identified, so the rule extraction unit 25 advances the process to step S17.
(Step S14 in FIG. 7: condition determination process)
For each rule extracted in step S12, the condition determination unit 26 determines whether or not the record read in step S11 matches each condition of the rule. Specifically, the condition determination unit 26 refers to the configuration information 322 for the component indicated by the element name read in step S11 and determines whether or not each condition is met.
For example, for rule No1 in FIG. 4, the No1 threat in FIG. 6 matches condition 1 and condition 2 but does not match condition 3. On the other hand, for rule No2 in FIG. 4, the No1 threat in FIG. 6 matches all of conditions 1 to 3.
(Step S15 in FIG. 7: second rule determination process)
The condition determination unit 26 determines whether or not there was a rule in step S14 for which the component matched all of the conditions.
If there was a matching rule, the condition determination unit 26 advances the process to step S16. On the other hand, if there was no matching rule, the possibility of occurrence cannot be identified, so the condition determination unit 26 advances the process to step S17.
(Step S16 in FIG. 7: possibility reading process)
The condition determination unit 26 reads the possibility of occurrence of the rule for which the component matched all of the conditions in step S14, and writes it to the analysis target storage unit 32 as the occurrence possibility information 323.
 図8に示すように、実施の形態1では、発生可能性情報323は、脅威抽出結果321のアクセス元の情報がなくなり、発生可能性が追加されている。なお、発生可能性情報323は、アクセス元の情報を示してもよいし、さらに他の情報を示してもよい。
 条件判定部26は、読み出された発生可能性を、対応する脅威のレコードに書き込む。つまり、ステップS11で図6のNo1のレコードが読み出された場合には、条件判定部26は、読み出された発生可能性を、図8のNo1のレコードに書き込む。
As shown in FIG. 8, in the first embodiment, the possibility information 323 has no information on the access source of the threat extraction result 321, and the possibility of occurrence is added. The occurrence possibility information 323 may indicate access source information or may indicate other information.
The condition determination unit 26 writes the read possibility of occurrence in the corresponding threat record. That is, when the No. 1 record in FIG. 6 is read in step S11, the condition determination unit 26 writes the read possibility of occurrence in the No. 1 record in FIG.
(Step S17 in FIG. 7: end determination process)
The rule extraction unit 25 determines whether the information about all threats has been read from the threat extraction result 321 in step S11.
If the information about all threats has been read, the rule extraction unit 25 ends the process. If not, the rule extraction unit 25 returns the process to step S11 and reads the information about the next threat.
(Step S4 in FIG. 3: risk value calculation process)
For each threat extracted in step S2, the risk value calculation unit 24 calculates, from the possibility of occurrence identified in step S3, a risk value indicating the magnitude of the risk that the threat poses to the analysis target system 50. Specifically, for each threat extracted in step S2, the risk value calculation unit 24 calculates, as the risk value, the product of the possibility of occurrence of the threat and the asset value of the component where the threat occurs. The risk value calculation unit 24 writes risk analysis information 324 indicating the calculated risk values to the analysis target storage unit 32.
As shown in FIG. 9, in the first embodiment the risk analysis information 324 is the occurrence possibility information 323 with the asset value of the component and the risk value added. For example, the risk value of threat No. 1 in FIG. 9 is "9", the product of the possibility of occurrence "3" and the asset value "3" of the component server_01.
In the above description, the threat extraction result 321, the occurrence possibility information 323, and the risk analysis information 324 were treated as separate pieces of information. However, a single format that holds all of the information in the threat extraction result 321, the occurrence possibility information 323, and the risk analysis information 324 may be prepared, and information may be added to that format step by step as the processing progresses.
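The following Python sketch walks through steps S11 to S17 and step S4 as described above. It is an added illustration, not code from the patent; the rule contents, condition item names and the handling of several matching rules are assumptions, chosen so that threat No. 1 fails condition 3 of rule No. 1, matches rule No. 2, and yields the risk value 3 × 3 = 9.

```python
from dataclasses import dataclass


@dataclass
class Rule:
    no: int
    threat_id: int
    conditions: dict   # condition item -> required value
    possibility: int   # possibility of occurrence assigned by this rule


# Possibility setting information 312 (constructed sample values).
POSSIBILITY_SETTINGS = [
    Rule(1, 1, {"type": "server", "authentication": "yes", "log_monitoring": "yes"}, 1),
    Rule(2, 1, {"type": "server", "authentication": "yes", "log_monitoring": "no"}, 3),
    Rule(3, 2, {"type": "terminal", "anti_malware": "no"}, 3),
]

# Configuration information 322, including each component's asset value
# (constructed sample values).
CONFIGURATION = {
    "server_01": {"type": "server", "authentication": "yes",
                  "log_monitoring": "no", "asset_value": 3},
    "terminal_01": {"type": "terminal", "anti_malware": "yes", "asset_value": 2},
}

# Threat extraction result 321 (constructed sample records).
THREATS = [
    {"no": 1, "threat_id": 1, "element": "server_01"},
    {"no": 2, "threat_id": 2, "element": "terminal_01"},  # rule exists, no match
    {"no": 3, "threat_id": 9, "element": "server_01"},    # no rule for this ID
]


def identify_possibility(threat, rules, configuration):
    """Steps S12 to S16: return the possibility of occurrence, or None."""
    candidates = [r for r in rules if r.threat_id == threat["threat_id"]]  # S12
    if not candidates:                                                     # S13
        return None
    component = configuration[threat["element"]]
    matched = [r for r in candidates                                       # S14
               if all(component.get(item) == value
                      for item, value in r.conditions.items())]
    if not matched:                                                        # S15
        return None
    # Assumption: if several rules match, use the highest value.
    # The page does not describe this case.
    return max(r.possibility for r in matched)                             # S16


def analyze(threats, rules, configuration):
    """Loop of S11/S17 followed by the risk value calculation of S4."""
    results = []
    for threat in threats:
        possibility = identify_possibility(threat, rules, configuration)
        asset_value = configuration[threat["element"]]["asset_value"]
        # Assumption: an unidentified possibility leaves the risk value empty
        # so that the record can be reviewed by an analyst.
        risk = None if possibility is None else possibility * asset_value
        results.append({**threat, "possibility": possibility,
                        "asset_value": asset_value, "risk_value": risk})
    return results


if __name__ == "__main__":
    for row in analyze(THREATS, POSSIBILITY_SETTINGS, CONFIGURATION):
        print(row)
```

Records whose possibility stays `None` are the ones that reached step S17 without a matching rule; listing them shows where the possibility setting information 312 has no coverage.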
*** Effects of Embodiment 1 ***
As described above, the risk analysis apparatus 10 according to the first embodiment identifies the possibility of occurrence of a threat according to the security measures implemented for the component where the threat occurs. This allows the possibility of occurrence of a threat to be identified appropriately. As a result, the security risk of the analysis target system can be analyzed appropriately.
In particular, because the risk analysis apparatus 10 according to the first embodiment identifies the possibility of occurrence based on the possibility setting information 312, the analyst's arbitrary judgment does not enter into the possibility of occurrence of a threat. The possibility of occurrence of a threat can therefore be identified appropriately.
In addition, because the possibility of occurrence of a threat does not have to be set by hand, no work errors occur. Analysis is also efficient even when the analysis target system 50 is a large-scale system.
*** Other configurations ***
<Modification 1>
In the first embodiment, one set of possibility setting information 312 is stored in the common information storage unit 31. However, possibility setting information 312 for each type of system may be stored in the common information storage unit 31. For example, possibility setting information 312 may be stored for each type, such as an information system, an in-vehicle device system, and an FA (Factory Automation) system.
In this case, the possibility identification unit 23 identifies the possibility of occurrence of a threat using the possibility setting information 312 corresponding to the type of the analysis target system 50. This makes it possible to identify the possibility of occurrence of a threat more appropriately.
The common information storage unit 31 may also store possibility setting information 312 for each role, such as system administrator and maintenance personnel.
In this case, the possibility identification unit 23 identifies the possibility of occurrence for each role using the possibility setting information 312 corresponding to that role. The risk value calculation unit 24 then calculates the risk value of a threat for each role. This makes the risk value for each role known.
<Modification 2>
In the first embodiment, the functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identification unit 23, the risk value calculation unit 24, the rule extraction unit 25, and the condition determination unit 26 are realized by software. As Modification 2, however, these functions may be realized by hardware. The differences between Modification 2 and the first embodiment are described below.
The configuration of the risk analysis apparatus 10 according to Modification 2 is described with reference to FIG. 10.
When the functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identification unit 23, the risk value calculation unit 24, the rule extraction unit 25, and the condition determination unit 26 are realized by hardware, the risk analysis apparatus 10 includes a processing circuit 15 instead of the processor 11, the memory 12, and the storage 13. The processing circuit 15 is a dedicated electronic circuit that realizes the functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identification unit 23, the risk value calculation unit 24, the rule extraction unit 25, and the condition determination unit 26, as well as the functions of the memory 12 and the storage 13.
The processing circuit 15 is assumed to be a single circuit, a composite circuit, a programmed processor, a parallel-programmed processor, a logic IC, a GA (Gate Array), an ASIC (Application Specific Integrated Circuit), or an FPGA (Field-Programmable Gate Array).
The functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identification unit 23, the risk value calculation unit 24, the rule extraction unit 25, and the condition determination unit 26 may be realized by one processing circuit 15, or may be distributed across a plurality of processing circuits 15.
<Modification 3>
As Modification 3, some functions may be realized by hardware and the other functions by software. That is, some of the functions of the information acquisition unit 21, the threat extraction unit 22, the possibility identification unit 23, the rule extraction unit 25, the condition determination unit 26, and the risk value calculation unit 24 may be realized by hardware, and the remaining functions by software.
The processor 11, the memory 12, the storage 13, and the processing circuit 15 are collectively referred to as "processing circuitry". That is, the function of each functional component is realized by processing circuitry.
Embodiment 2.
The second embodiment differs from the first embodiment in that the possibility of occurrence is identified according to the communication control on the communication path, within the analysis target system 50, to the component where the threat occurs. The second embodiment describes this difference and omits the description of the points that are the same.
*** Explanation of configuration ***
The configuration of the risk analysis apparatus 10 according to the second embodiment is described with reference to FIG. 11.
The risk analysis apparatus 10 differs from the risk analysis apparatus 10 shown in FIG. 1 in that it includes a communication determination unit 27 as a functional component and in that the analysis target storage unit 32 stores connection destination information 325 and communication control information 326.
The communication determination unit 27 is realized by software in the same way as the other functional components. The communication determination unit 27 may also be realized by hardware in the same way as the other functional components.
*** Explanation of operation ***
The operation of the risk analysis apparatus 10 according to the second embodiment is described with reference to FIG. 3 and FIGS. 12 to 18.
The operation of the risk analysis apparatus 10 according to the second embodiment corresponds to the risk analysis method according to the second embodiment. It also corresponds to the processing of the risk analysis program according to the second embodiment.
The overall operation of the risk analysis apparatus 10 according to the second embodiment is described with reference to FIG. 3.
The processes of step S2 and step S4 are the same as in the first embodiment.
(Step S1 in FIG. 3: information acquisition process)
The information acquisition unit 21 acquires the possibility setting information 312, the configuration information 322, the connection destination information 325, and the communication control information 326 via the communication interface 14. The information acquisition unit 21 writes the possibility setting information 312 to the common information storage unit 31, and writes the configuration information 322, the connection destination information 325, and the communication control information 326 to the analysis target storage unit 32.
The connection destination information 325 indicates the connection relationships between the components of the analysis target system 50.
As shown in FIG. 12, in the second embodiment the connection destination information 325 indicates, for each element name, the type, whether communication control is performed, and the communication paths. As shown in FIG. 2, the communication paths of the analysis target system 50 are NW_01, NW_02, NW_03, and the external network. In FIG. 12, a circle (○) indicates that the component is connected to that communication path.
The communication control information 326 indicates the content of the communication control.
As shown in FIG. 13, in the second embodiment the communication control information 326 indicates whether data is allowed to flow from an access source (FROM) to an access destination (TO). FIG. 13 shows that FW_01 permits data to flow from NW_02 to the external network and does not permit data to flow from the external network to NW_02.
The possibility identification process of step S3 according to the second embodiment is described with reference to FIG. 14.
The processes of steps S21 to S23 are the same as the processes of steps S11 to S13 in FIG. 7. The processes of steps S26 to S29 are the same as the processes of steps S14 to S17 in FIG. 7.
(Step S24 in FIG. 14: communication item determination process)
For each rule extracted in step S22, the communication determination unit 27 determines whether communication control is present as a condition item.
If communication control is present, the communication determination unit 27 advances the process to step S25. If communication control is not present, the communication determination unit 27 advances the process to step S26.
As a specific example, assume that the possibility setting information 312 is as shown in FIG. 15 and the threat extraction result 321 is as shown in FIG. 16. Assume also that the No. 1 record of the threat extraction result 321 is read in step S21.
In this case, because the threat ID is 10, the three rules No. 1 to No. 3 in FIG. 16 are extracted in step S22. All three rules No. 1 to No. 3 have communication control as the item of condition 1. The process therefore proceeds to step S25.
(Step S25 in FIG. 14: communication control determination process)
From the rules extracted in step S22, the communication determination unit 27 extracts the rules that correspond to the presence or absence of communication control on the communication path, within the analysis target system 50, to the component where the threat occurs.
The communication control determination process of step S25 according to the second embodiment is described with reference to FIG. 17.
(Step S31 in FIG. 17: route identification process)
The communication determination unit 27 refers to the connection destination information 325 and identifies the communication path from the access source of the record read in step S21 to the component indicated by the element name.
For example, for the No. 1 record of the threat extraction result 321 in FIG. 15, the communication path from the access source terminal_01 to the component server_01 is identified as NW_03. For the No. 3 record of the threat extraction result 321 in FIG. 15, the communication path from the access source, the outside, to the component server_01 is identified as the external network, FW_01, and NW02.
(Step S32 in FIG. 17: control element process)
The communication determination unit 27 determines whether a component that performs communication control exists on the communication path identified in step S31.
If a component that performs communication control exists, the communication determination unit 27 advances the process to step S33. If no such component exists, the communication determination unit 27 sets "communication control: permitted".
For example, for the No. 1 record of the threat extraction result 321 in FIG. 15, the communication path is NW_03, so it is determined that no component performs communication control. "Communication control: permitted" is therefore set. For the No. 3 record of the threat extraction result 321 in FIG. 15, the communication path is the external network, FW_01, and NW02, and FW_01 performs communication control, so it is determined that a component that performs communication control exists. The process therefore proceeds to step S33.
(Step S33 in FIG. 17: control element process)
The communication determination unit 27 determines whether data is permitted to flow from the access source of the record read in step S21 to the component indicated by the element name.
If the data flow is permitted, the communication determination unit 27 sets "communication control: permitted". If the data flow is not permitted, the communication determination unit 27 sets "communication control: not permitted".
For example, for the No. 3 record of the threat extraction result 321 in FIG. 15, FW_01 does not permit data to flow in the direction from the access source, the outside, to the component server_01. "Communication control: not permitted" is therefore set.
(Step S34 in FIG. 17: corresponding rule extraction process)
The communication determination unit 27 extracts the rules that correspond to the "communication control: permitted" or "communication control: not permitted" value set in steps S32 to S33.
For example, for the No. 1 record of the threat extraction result 321 in FIG. 15, "communication control: permitted" was set, so rule No. 1 and rule No. 2, whose condition 1 in FIG. 16 is "communication control: permitted", are extracted. For the No. 3 record of the threat extraction result 321 in FIG. 15, "communication control: not permitted" was set, so rule No. 3, whose condition 1 in FIG. 16 is "communication control: not permitted", is extracted.
As a result, the possibility of occurrence corresponding to each No. is identified as the occurrence possibility information 323, as shown in FIG. 18.
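The following Python sketch reproduces steps S24 and S31 to S34 for the two records discussed above. It is an added illustration, not code from the patent: the table layout, the name `external` for the outside access source, the second rule conditions and the possibility values are constructed, and treating an unlisted direction or a missing route as not permitted is an assumption.

```python
from collections import deque

PERMITTED, NOT_PERMITTED = "permitted", "not permitted"
ITEM = "communication control"

# Connection destination information 325 (constructed to be consistent with
# the paths named on the page).
CONNECTIONS = {
    "server_01":   {"control": False, "networks": ["NW_02", "NW_03"]},
    "terminal_01": {"control": False, "networks": ["NW_03"]},
    "FW_01":       {"control": True,  "networks": ["NW_02", "external network"]},
    "external":    {"control": False, "networks": ["external network"]},
}

# Communication control information 326: (controller, FROM, TO) -> allowed?
COMM_CONTROL = {
    ("FW_01", "NW_02", "external network"): True,
    ("FW_01", "external network", "NW_02"): False,
}

# Rules for threat ID 10. Condition 1 follows the page; the rest is constructed.
RULES = [
    {"no": 1, "threat_id": 10, "possibility": 2,
     "conditions": {ITEM: PERMITTED, "authentication": "yes"}},
    {"no": 2, "threat_id": 10, "possibility": 3,
     "conditions": {ITEM: PERMITTED, "authentication": "no"}},
    {"no": 3, "threat_id": 10, "possibility": 1,
     "conditions": {ITEM: NOT_PERMITTED}},
]


def find_path(source, destination, connections):
    """S31: breadth-first search; returns [network, element, network, ...]."""
    queue, visited = deque([(source, [])]), {source}
    while queue:
        element, path = queue.popleft()
        for network in connections[element]["networks"]:
            for neighbour, info in connections.items():
                if neighbour in visited or network not in info["networks"]:
                    continue
                if neighbour == destination:
                    return path + [network]
                visited.add(neighbour)
                queue.append((neighbour, path + [network, neighbour]))
    return None


def communication_state(source, destination, connections, control):
    """S32 and S33: decide whether data may flow from source to destination."""
    path = find_path(source, destination, connections)
    if path is None:
        return NOT_PERMITTED          # assumption: no route means no data flow
    for i in range(1, len(path), 2):  # elements sit at the odd positions
        element = path[i]
        if not connections[element]["control"]:
            continue
        # Assumption: a direction missing from the table is denied.
        if not control.get((element, path[i - 1], path[i + 1]), False):
            return NOT_PERMITTED
    return PERMITTED                  # S32: no control element, or all allow


def rules_after_communication_check(record, rules, connections, control):
    """S24 and S34: keep only the rules that fit the communication state."""
    candidates = [r for r in rules if r["threat_id"] == record["threat_id"]]
    if not any(ITEM in r["conditions"] for r in candidates):       # S24
        return candidates
    state = communication_state(record["access_source"], record["element"],
                                connections, control)
    return [r for r in candidates
            if r["conditions"].get(ITEM, state) == state]          # S34


if __name__ == "__main__":
    for rec in ({"no": 1, "threat_id": 10, "access_source": "terminal_01",
                 "element": "server_01"},
                {"no": 3, "threat_id": 10, "access_source": "external",
                 "element": "server_01"}):
        kept = rules_after_communication_check(rec, RULES, CONNECTIONS, COMM_CONTROL)
        print(rec["no"], [r["no"] for r in kept])
```

The remaining conditions of the surviving rules are then evaluated as in steps S26 to S29.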
*** Effects of Embodiment 2 ***
As described above, the risk analysis apparatus 10 according to the second embodiment identifies the possibility of occurrence of a threat according to whether communication control is performed on the communication path from the access source to the component where the threat occurs. This makes it possible to identify the possibility of occurrence of a threat in consideration of the data flow of the analysis target system 50.
*** Other configurations ***
<Modification 4>
In the second embodiment, the content of the communication control is determined after it has been determined that the rules extracted in step S22 have communication control as an item. However, the flow of processing may be changed so that the content of the communication control is determined for those threats, among the threats extracted as the threat extraction result 321, that have an access source.
<Modification 5>
In the second embodiment, there is one component that performs communication control. When there are a plurality of components that perform communication control, communication control information to which identification information has been added, so that each component can be identified, may be used.
In this case, instead of identifying the possibility of occurrence of a threat simply according to whether communication control is performed on the communication path, the possibility of occurrence of a threat may be identified according to how many communication controls are performed on the communication path.
Embodiment 3.
The third embodiment differs from the first embodiment in that the possibility of occurrence of a threat is identified according to the possibility of occurrence of another threat that may occur on the component where the threat occurs. The third embodiment describes this difference and omits the description of the points that are the same.
The third embodiment can also be combined with the second embodiment.
*** Explanation of configuration ***
The configuration of the risk analysis apparatus 10 according to the third embodiment is described with reference to FIG. 19.
The risk analysis apparatus 10 differs from the risk analysis apparatus 10 shown in FIG. 1 in that the common information storage unit 31 stores correspondence information 313.
*** Explanation of operation ***
The operation of the risk analysis apparatus 10 according to the third embodiment is described with reference to FIG. 3 and FIGS. 20 to 25.
The operation of the risk analysis apparatus 10 according to the third embodiment corresponds to the risk analysis method according to the third embodiment. It also corresponds to the processing of the risk analysis program according to the third embodiment.
The overall operation of the risk analysis apparatus 10 according to the third embodiment is described with reference to FIG. 3.
The processes of step S2 and step S4 are the same as in the first embodiment.
(Step S1 in FIG. 3: information acquisition process)
The information acquisition unit 21 acquires the possibility setting information 312, the correspondence information 313, and the configuration information 322 via the communication interface 14. The information acquisition unit 21 writes the possibility setting information 312 and the correspondence information 313 to the common information storage unit 31, and writes the configuration information 322 to the analysis target storage unit 32.
The correspondence information 313 is information that associates security measures with threat IDs.
As shown in FIG. 20, in the third embodiment the correspondence information 313 indicates a threat ID for each condition item of a security measure.
The possibility identification process of step S3 according to the third embodiment is described with reference to FIG. 21.
The processes of steps S41 to S47 are the same as the processes of steps S11 to S17 in FIG. 7. In step S45, however, the condition determination unit 26 advances the process to step S48 if there is no matching rule.
(Step S48: correspondence information determination process)
For each rule extracted in step S42, the condition determination unit 26 determines whether the condition items included in that rule are included in the correspondence information 313. Specifically, the condition determination unit 26 searches the correspondence information 313 using each condition item included in each rule as a keyword, and determines whether a record is extracted.
If a condition item is included in the correspondence information 313, the condition determination unit 26 advances the process to step S49. If no condition item is included in the correspondence information 313, the possibility of occurrence cannot be identified, so the condition determination unit 26 advances the process to step S47.
As a specific example, assume that the threat extraction result 321 is as shown in FIG. 22, the possibility setting information 312 is as shown in FIG. 23, and the configuration information 322 is as shown in FIG. 24. Assume also that the No. 5 record of the threat extraction result 321 is read in step S41.
In this case, because the threat ID is 11, the two rules No. 50 and No. 51 in FIG. 23 are extracted in step S42.
Rule No. 50 and rule No. 51 have malware infection of the access source as the condition item of condition 3. However, the configuration information 322 has no item for malware infection, so condition 3 of neither rule No. 50 nor rule No. 51 is matched. Therefore, the process proceeds to step S28.
The condition determination unit 26 searches the correspondence information 313 using malware infection, the condition item of condition 3, as a keyword. The record shown in FIG. 20 is then extracted. The process therefore proceeds to step S49.
(Step S49: rule re-extraction process)
From the possibility setting information 312 in the common information storage unit 31, the condition determination unit 26 extracts the rules that have the threat ID of the record extracted in step S48 and whose conditions are all matched by the record read in step S41.
If a rule is extracted, the condition determination unit 26 advances the process to step S50. If no rule is extracted, the condition determination unit 26 advances the process to step S47.
In the example above, the threat ID of the record shown in FIG. 20 is 30. The two rules No. 80 and No. 81 therefore apply. As shown in FIG. 24, terminal_02 has anti-malware measures, so the conditions of rule 80 are matched in step S44. As a result, rule 80 is extracted.
(Step S50: condition identification process)
The condition determination unit 26 reads the possibility of occurrence of the rule extracted in step S49. The process then returns to step S44, where, using the read possibility of occurrence, it is determined again for each rule extracted in step S42 whether the record read in step S41 matches each condition of that rule.
In the example above, 1 is read as the possibility of occurrence. That is, the possibility of occurrence of malware infection is 1. Based on this information, it is determined again whether rule No. 50 and rule No. 51 meet each condition. Threat No. 5 in FIG. 22 then matches all of conditions 1 to 3 of rule No. 50.
As a result, as shown in FIG. 25, the possibility of occurrence of threat No. 5 in FIG. 22 is identified as 1.
As described above, the risk analysis device 10 according to the third embodiment identifies the possibility of occurrence of a threat according to the possibility of occurrence of another threat that may occur on the component where the threat occurs. This makes it possible to identify the possibility of occurrence of a threat by using the possibility of occurrence of another threat that is its source.
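The walk-through above, as an added Python sketch (not code from the patent): a condition item that is missing from the configuration record is looked up in the correspondence information, resolved as its own threat, and the resulting possibility of occurrence is fed back into the original rule check. The rule numbers, threat IDs 11 and 30, terminal_02 and the result 1 come from the text; the condition names and values, the likelihood 3, terminal_03, evaluating both threats on the same component, and the guard against circular correspondence entries are assumptions.

```python
# Added illustration. Rule numbers, threat IDs 11/30, terminal_02 and the
# resulting likelihood 1 come from the text; all other values are constructed.
RULES = [  # stands in for possibility setting information 312
    {"no": 50, "threat_id": 11, "likelihood": 1,
     "conditions": {"authentication": "yes", "encryption": "yes",
                    "malware infection": 1}},
    {"no": 51, "threat_id": 11, "likelihood": 3,
     "conditions": {"authentication": "yes", "encryption": "yes",
                    "malware infection": 3}},
    {"no": 80, "threat_id": 30, "likelihood": 1,
     "conditions": {"malware countermeasure": "yes"}},
    {"no": 81, "threat_id": 30, "likelihood": 3,
     "conditions": {"malware countermeasure": "no"}},
]
CORRESPONDENCE = {"malware infection": 30}  # stands in for correspondence information 313
CONFIG = {  # stands in for configuration information 322; terminal_03 is constructed
    "terminal_02": {"authentication": "yes", "encryption": "yes",
                    "malware countermeasure": "yes"},
    "terminal_03": {"authentication": "yes", "encryption": "yes",
                    "malware countermeasure": "no"},
}


def condition_holds(item, wanted, component, seen):
    """Check one condition item, resolving it as another threat if needed."""
    record = CONFIG[component]
    if item in record:                       # item is a configuration item
        return record[item] == wanted
    other_threat = CORRESPONDENCE.get(item)  # does the item name another threat?
    if other_threat is None:
        return False
    resolved = resolve_likelihood(other_threat, component, seen)
    return resolved is not None and resolved[1] == wanted


def resolve_likelihood(threat_id, component, seen=frozenset()):
    """Return (rule number, likelihood) of the first fully matching rule, or None."""
    if threat_id in seen:                    # circular correspondence: stop
        return None
    seen = seen | {threat_id}
    for rule in RULES:
        if rule["threat_id"] != threat_id:
            continue
        if all(condition_holds(item, wanted, component, seen)
               for item, wanted in rule["conditions"].items()):
            return rule["no"], rule["likelihood"]
    return None
```

With the constructed data, terminal_02 reproduces the text's outcome (rule 80 gives malware infection a likelihood of 1, so rule No50 matches), while terminal_03, which lacks the countermeasure, falls through to rule No51.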
10 risk analysis device, 11 processor, 12 memory, 13 storage, 14 communication interface, 15 processing circuit, 21 information acquisition unit, 22 threat extraction unit, 23 possibility identification unit, 24 risk value calculation unit, 25 rule extraction unit, 26 condition determination unit, 27 communication determination unit, 31 common information storage unit, 311 threat data, 312 possibility setting information, 313 correspondence information, 32 analysis target storage unit, 321 threat extraction result, 322 configuration information, 323 occurrence possibility information, 324 risk analysis information, 325 connection destination information, 326 communication control information, 50 analysis target system.

Claims (9)

  1.  A risk analysis device comprising:
    a possibility identification unit that identifies the possibility of occurrence of a threat to an analysis target system according to the security measures implemented for the component where the threat occurs; and
    a risk value calculation unit that calculates, from the possibility of occurrence identified by the possibility identification unit, a risk value indicating the magnitude of the risk that the threat poses to the analysis target system.
  2.  The risk analysis device according to claim 1, wherein the possibility identification unit identifies the possibility of occurrence according to the combination of the identifier of the threat and the security measures.
  3.  The risk analysis device according to claim 2, wherein the possibility identification unit identifies the possibility of occurrence by using, from among possibility setting information that is prepared for each type of system and in which the possibility of occurrence is defined for each combination of the identifier of the threat and the implemented security measures, the possibility setting information corresponding to the type of the analysis target system.
  4.  The risk analysis device according to any one of claims 1 to 3, wherein the risk value calculation unit calculates the risk value from the possibility of occurrence and the asset value of the component where the threat occurs.
  5.  The risk analysis device according to any one of claims 1 to 4, wherein the possibility identification unit identifies the possibility of occurrence according to the communication control of the communication path, in the analysis target system, to the component where the threat occurs.
  6.  The risk analysis device according to any one of claims 1 to 5, wherein the possibility identification unit treats the threat as a target threat and identifies the possibility of occurrence of the target threat according to the possibility of occurrence of another threat to the component where the target threat occurs.
  7.  The risk analysis device according to claim 6, wherein the possibility identification unit identifies the possibility of occurrence of the other threat according to the security measures implemented for the component where the other threat occurs, and then identifies the possibility of occurrence of the target threat according to the identified possibility of occurrence of the other threat.
  8.  A risk analysis method in which:
    a computer identifies the possibility of occurrence of a threat to an analysis target system according to the security measures implemented for the component where the threat occurs; and
    the computer calculates, from the identified possibility of occurrence, a risk value indicating the magnitude of the risk that the threat poses to the analysis target system.
  9.  A risk analysis program that causes a computer to execute:
    a possibility identification process of identifying the possibility of occurrence of a threat to an analysis target system according to the security measures implemented for the component where the threat occurs; and
    a risk value calculation process of calculating, from the possibility of occurrence identified by the possibility identification process, a risk value indicating the magnitude of the risk that the threat poses to the analysis target system.
PCT/JP2017/008945 2017-03-07 2017-03-07 Risk analysis device, risk analysis method and risk analysis program WO2018163274A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2018541441A JP6425865B1 (en) 2017-03-07 2017-03-07 Risk analysis device, risk analysis method and risk analysis program
PCT/JP2017/008945 WO2018163274A1 (en) 2017-03-07 2017-03-07 Risk analysis device, risk analysis method and risk analysis program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2017/008945 WO2018163274A1 (en) 2017-03-07 2017-03-07 Risk analysis device, risk analysis method and risk analysis program

Publications (1)

Publication Number Publication Date
WO2018163274A1 true WO2018163274A1 (en) 2018-09-13

Family

ID=63449041

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2017/008945 WO2018163274A1 (en) 2017-03-07 2017-03-07 Risk analysis device, risk analysis method and risk analysis program

Country Status (2)

Country Link
JP (1) JP6425865B1 (en)
WO (1) WO2018163274A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007156816A (en) * 2005-12-05 2007-06-21 Nec Corp Risk analyzing device, risk analyzing method and risk analyzing program
JP2008129648A (en) * 2006-11-16 2008-06-05 Nec Corp Security risk management system, method and program
JP2015095159A (en) * 2013-11-13 2015-05-18 日本電信電話株式会社 Evaluation method and evaluation device
JP2015130153A (en) * 2013-12-06 2015-07-16 三菱電機株式会社 Risk analyzer, risk analysis method and risk analysis program

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2012093804A (en) * 2010-10-22 2012-05-17 Hitachi Ltd Security monitoring device, security monitoring method and security monitoring program based on security policy
US20140137257A1 (en) * 2012-11-12 2014-05-15 Board Of Regents, The University Of Texas System System, Method and Apparatus for Assessing a Risk of One or More Assets Within an Operational Technology Infrastructure

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2020052686A (en) * 2018-09-26 2020-04-02 クラリオン株式会社 Vulnerability evaluating device, vulnerability evaluating system, and method thereof
WO2021075577A1 (en) * 2019-10-18 2021-04-22 ソフトバンク株式会社 Generating device, program, and generating method
JP2021068031A (en) * 2019-10-18 2021-04-30 ソフトバンク株式会社 Generation device, program, and generation method

Also Published As

Publication number Publication date
JPWO2018163274A1 (en) 2019-03-22
JP6425865B1 (en) 2018-11-21

Legal Events

Date Code Title Description
ENP Entry into the national phase. Ref document number: 2018541441; Country of ref document: JP; Kind code of ref document: A
121 Ep: the epo has been informed by wipo that ep was designated in this application. Ref document number: 17900245; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase. Ref country code: DE
122 Ep: pct application non-entry in european phase. Ref document number: 17900245; Country of ref document: EP; Kind code of ref document: A1